Fake 'Payment', Fake DHL, Fake 'Notice to appear in Court' SPAM
FYI...
Fake 'Payment' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/paymen...sheet-malware/
25 Mar 2015 - "'Payment 1142' pretending to come from James Dudley <James.Dudley@ hitec .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Payment sheet attached.
James
T 01353 624023
F 01353 624043
E james.dudley@ hitec .co.uk
Hitec Ltd
23 Regal Drive
Soham
Ely
Cambs
CB7 5BE
This message has been scanned for viruses and malicious content by Green Duck SpamLab
25 February 2015 : Payment 1142.doc - Current Virus total detections: 2/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1427270267/
- http://blog.dynamoo.com/2015/03/malw...es-dudley.html
25 Mar 2015 - "This spam email is yet another forgery pretending to be from a wholly legitimate company. It is one of a series of emails spoofing Cambridgeshire firms, and it comes with a malicious attachment.
From: James Dudley [James.Dudley@ hitec .co.uk]
Date: 25 March 2015 at 09:38
Subject: Payment 1142
Payment sheet attached.
James
T 01353 624023
F 01353 624043
Hitec Ltd
23 Regal Drive
Soham
Ely
Cambs
CB7 5BE
This message has been scanned for viruses and malicious content by Green Duck SpamLab
I have only seen a single sample of this, with an attachment Payment 1142.doc which has a VirusTotal detection rate of 5/57*. It contains this malicious macro... which attempts to download a component from:
http ://madasi.homepage .t-online .de/dbcfg/32.exe
..which is then saved as %TEMP%\sollken1.2.8.exe, this has a detection rate of 12/57**. Automated analysis of this binary is pending, but is so far inconclusive...
MD5s:
8f79a24970d9e7063ffcedc9a8d23429
02cfa3e6fdb4301528e5152de76b2abf
UPDATE: this interesting new tool from Payload Security[1] gives some insight as to what the malware does. In particular, it phones home to:
50.31.1.21 (Steadfast Networks, US)
87.236.215.103 (OneGbits, Lithuania)
2.6.14.246 (Orange S.A., France)
14.96.207.127 (Tata Indicom, India)
95.163.121.178 (Digital Networks aka DINETHOSTING, Russia)
Recommended blocklist:
50.31.1.21
87.236.215.103
2.6.14.246
14.96.207.127
95.163.121.0/24 "
* https://www.virustotal.com/en/file/4...is/1427293393/
** https://www.virustotal.com/en/file/7...is/1427293399/
1] https://www.hybrid-analysis.com/samp...nvironmentId=1
___
Fake Citi SPAM - PDF malware
- http://myonlinesecurity.co.uk/citi-m...e-pdf-malware/
25 Mar 2015 - "'Citi Merchant Services statements – 05721901-6080' ( random numbers) pretending to come from user <noreply@ efsnb-archive .com> with a zip attachment is another one from the current bot runs... The email looks like:
Attached is your Merchant Statement. It is secured so that only an
authorized recipient can open it. To open, click on the attachment.
In order to view
the attached PDF file, you need Adobe Acrobat Reader Version 8.0
installed.
Click on the following link:
<http ://www.adobe .com/products/acrobat/readstep2.html> to complete a free
install or re-install if you have an older version.
Visit Microsoft’s self
help website at www .microsoft .com or contact your ISP if you do not
receive the attachment.
Delivering your statements directly to your desktop is just one
more way we’ve increased the speed of business. Thanks again for
choosing CTS Holdings, LLC as your merchant processor. CTS Holdings, LLC, you can
count on us!
This is a post-only mailing. Please do not respond. To change
preferences please contact Customer Service at 1-800-238-7675.
25 March 2015 : random zip name : Extracts to: Merchant.exe - Current Virus total detections: 6/57*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a...is/1427293896/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-add...0/information/
46.249.3.66: https://www.virustotal.com/en/ip-add...6/information/
134.249.63.46: https://www.virustotal.com/en/ip-add...6/information/
- http://threattrack.tumblr.com/post/1.../citibank-spam
Mar 25, 2015
Malicious File Name and MD5:
Merchant.exe (4007601E07343ADD409490F572F97D46)
Tagged: Citibank, Upatre
___
Fake 'Invoice ID' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/03/malw...2ab34-123.html
25 Mar 2015 - "This terse spam has a malicious attachment:
From: Gerry Carpenter
Date: 25 March 2015 at 12:58
Subject: Invoice ID:34bf33
123
There is an Excel attachment with the same semi-random reference number as the subject (in the sample I saw it was 34bf33.xls) which currently has -zero- detections*. Unlike most recent document-based attacks, this does -not- contain a macro, but instead has an embedded OLE object that will run a VBscript if clicked, the spreadsheet itself is designed to get the victim to click-and-run that object.
> https://1.bp.blogspot.com/-erquBHy1O.../excel-ole.png
Automated analysis doesn't show very much, but it does show the screenshots [1] [2]... the downloaded file is actually an EXE file all along so nothing is done to it. This file has a detection rate of 7/56**, and the Payload Security report shows it communicating with the following IPs:
92.63.88.83 (MWTV, Latvia)
82.151.131.129 (DorukNet, Turkey)
121.50.43.175 (Tsukaeru.net, Japan)
The payload is most likely Dridex.
Recommended blocklist:
92.63.88.0/24
82.151.131.129
121.50.43.175
MD5s:
ce130212d67070459bb519d67c06a291
461689d449c7b5a905c8404d3a464088 "
* https://www.virustotal.com/en/file/a...is/1427298940/
** https://www.virustotal.com/en/file/f...is/1427296948/
1] https://www.hybrid-analysis.com/samp...nvironmentId=1
2] https://malwr.com/analysis/NTI5ODY2Z...QwNDcxMDBkZjc/
___
Fake 'ACH failure' SPAM - PDF malware
- http://myonlinesecurity.co.uk/ach-te...e-pdf-malware/
25 Mar 2015 - "'ACH technical failure' pretending to come from The Electronic Payments Association <June.Parks@ nacha .org> [random names nacha .org] at with a link to a zip attachment is another one from the current bot runs... Other subjects in this series of spam malicious emails on the nacha theme are:
Transaction system failure
ACH transfer error
ACH technical failure
Your transfer failed due to technical failure ...
The email looks like:
ACH PAYMENT REJECTED
The ACH Payment (ID: 53213740992857), recently sent from your savings account (by you or any other person), was REJECTED by other financial institution.
Rejection Reason: See details in the report below
Payment Report: report_53213740992857.pdf (Adobe Reader PDF)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2014 NACHA – The Electronic Payments Association
The link once again goes to a cubby user content site...
25 March 2015: Secure_Message.zip: Extracts to: Secure_Message.exe
Current Virus total detections: 11/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...is/1427301251/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-add...0/information/
46.249.3.66: https://www.virustotal.com/en/ip-add...6/information/
134.249.63.46: https://www.virustotal.com/en/ip-add...6/information/
___
Fake DHL SPAM - malware
- http://myonlinesecurity.co.uk/dhl-aw...pment-malware/
25 Mar 2015 - "'DHL AWB# 34 5673 0015 / shipment' pretending to come from DHL Express <info@ dhl .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear customer,
The following 1 piece(s) have been sent by a Customer via DHL Express on 22-03-2015 via AWB# 34 5673 0015
Find attached Scanned copy of the shipping documents and more information about the parcel and confirm if the address is correct for shipment.
Thank you.
25 March 2015: DOCUMENTS.zip: Extracts to: DOCUMENTS.exe - Current Virus total detections: 7/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1427286243/
... Behavioural information
TCP connections
66.171.248.172: https://www.virustotal.com/en/ip-add...2/information/
UDP communications
134.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
___
Fake 'Notice to appear in Court' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/03/malw...notice-to.html
24 Mar 2015 - "These two emails come with a malicious attachment:
From: County Court [lester.hicks@ whw0095 .whservidor .com]
Date: 24 March 2015 at 16:45
Subject: AERO, Notice to Appear
This is to inform you to appear in the Court on the March 31 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
You can review complete details of the Court Notice in the attachment.
Yours faithfully,
Lester Hicks,
Court Secretary.
-------------
From: District Court [cody.bowman@ p3nw8sh177 .shr.prod.phx3 .secureserver .net]
Date: 24 March 2015 at 16:44
Subject: AERO, Notice to appear in Court #0000310657
Dear Aero,
This is to inform you to appear in the Court on the March 28 for your case hearing.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: If you do not come, the case will be heard in your absence.
You can review complete details of the Court Notice in the attachment.
Sincerely,
Cody Bowman,
District Clerk.
In these two case the attachments were named Court_Notification_0000310657.zip and Notice_to_Appear_000283436.zip containing the malicious scripts Court_Notification_0000310657.doc.js [VirusTotal 7/57*]... and Notice_to_Appear_000283436.doc.js [VirusTotal 6/57**]... respectively. These scripts attempt to download malicious code... Details in the download locations vary, but are in the format:
ilarf .net/document.php?rnd=1161&id=
gurutravel .co .nz/document.php?rnd=3022&id=
This leads to a randomly-named file with a GIF extension which is actually one of two malicious EXE files, with detection rates of 6/57*** and 4/56****. One of those produces a valid Malwr report, the other smaller EXE doesn't seem to do anything. The executable that seems to do something POSTs to a Turkish server at 176.53.125.25 (Radore Veri Merkezi Hizmetleri A.S.). Various Malwr reports... indicate badness on at least the following IPs:
176.53.125.20
176.53.125.21
176.53.125.22
176.53.125.23
176.53.125.24
176.53.125.25
I would suggest blocking at least those IPs, or perhaps 176.53.125.16/28 or if you don't mind blocking access to a few legitimate Turkish sites you could perhaps block 176.53.125.16/24. I am not 100% certain of the payload, however some servers in that cluster have been fingered for serving the Trapwot fake anti-virus[5] software.
MD5s:
2d65371ac458c7d11090aca73566e3d4
da63f87243a971edca7ecd214e6fdeb1
77d8670f80c3c1de81fb2a1bf05a84b5
d48ef4bb0549a67083017169169ef3ee "
* https://www.virustotal.com/en/file/2...is/1427221635/
** https://www.virustotal.com/en/file/d...is/1427221612/
*** https://www.virustotal.com/en/file/b...is/1427222714/
**** https://www.virustotal.com/en/file/d...is/1427223237/
5] http://www.microsoft.com/security/po...:Win32/Trapwot
:fear::fear: :mad:
Fake 'scanned' results, 'Invoice' SPAM, 'Free' gaming 'codes' ...
FYI...
Fake 'scanned' results SPAM - PDF malware
- http://myonlinesecurity.co.uk/lou-an...e-pdf-malware/
26 Mar 2015 - "'Lou Ann Davis Indus Precision Mfg scanned' pretending to come from user <louann@ indusmfg .com> with a zip attachment is another one from the current bot runs... The email looks like:
–
Thank you,
Lou Ann Davis
Office Administrator
Indus Precision Mfg., Inc.
www .indusmfg .com
Main: (845)268-0782
Fax: (845)268-2106
26 March 2015 : Random zip name : Extracts to: scan.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a...is/1427372574/
___
Fake 'Invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/yarde-...e-pdf-malware/
26 Mar 2015 - "'Yarde Metals Invoice' pretending to come from email.invoice <email.invoice@ yarde .com> with a zip attachment is another one from the current bot runs... The email looks like:
Thank you for your order.
Attached is your original invoice. If you would
like to pay for
your order with a wire transfer please contact Angela Palmer
at 860-406-6311 for bank details.
Friendly reminder:
Yarde Metals terms
are 1/2% 10, Net 30. We appreciate your prompt payment.
26 March 2015: random zip name: Extracts to: 221324.exe
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4...is/1427380401/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-add...0/information/
46.249.3.66: https://www.virustotal.com/en/ip-add...6/information/
46.160.125.167: https://www.virustotal.com/en/ip-add...7/information/
91.194.239.126: https://www.virustotal.com/en/ip-add...6/information/
93.123.40.17: https://www.virustotal.com/en/ip-add...7/information/
UDP communications
104.41.150.68: https://www.virustotal.com/en/ip-add...8/information/
___
BoA 'Over Limit' Spam
- http://threattrack.tumblr.com/post/1...ver-limit-spam
Mar 26, 2015 - "Subjects Seen
Activity Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
A check exceeded your requested alert limit
We’re letting you know a check written from your account went over the limit you set for this alert.
For more details please check attached file
Malicious File Name and MD5:
report_77076291400.scr (6B6E3D3FDE233FE75F64B517F2351D97)
.
___
Steam Codes and Countdowns - 'something for nothing'
- https://blog.malwarebytes.org/privac...nd-countdowns/
March 26, 2015 - "... 'something for nothing' makes a reappearance in the land of -gaming- with a twist designed to get would-be winners sending messages to their online friends as fast as they possibly can. The site we’re going to examine is located at: steamcode(dot)org
... which claims they have $20 Steam Codes to give away, as the “We’re the people who give away free $20 Steam Codes!” makes clear on the frontpage. We could have an interesting philosophical debate about when free means free, but we could also just chalk it up as “free, as long as you send some links and fill in a bunch of stuff”. Here’s the nicely designed frontpage:
> https://blog.malwarebytes.org/wp-con.../03/stmcd1.jpg
Clicking the button reveals two things – a tantalizing glimpse of half a code, and the reveal that you must share a link with 15 people in 45 minutes or else the code will expire. If you don’t have Under Pressure on your playlist, you might want to go dig it out now:
> https://blog.malwarebytes.org/wp-con.../03/stmcd2.jpg
Sites don’t normally place a timer on link sending, because not many people immediately whip out a list of likely candidates to start spamming when confronted with a rapidly diminishing timer. Indeed, start quickfiring identikit messages to all and sundry and you may find more than a few of them either think you’ve been hacked or turned into a spambot for the day. Should the required amount of referrals be reached, the end result is a selection of survey pages for the would-be $20 code recipient... There’s -no- guarantee the full code will be released even with a completed survey – the only person who has anything to lose in this situation is the individual filling in whatever forms are presented, working on the basis that they’re simply hoping the website will hand over a code at the end of the process. Freebie sites offering up items such as vouchers, gift cards and game codes typically resort to surveys at some point in the chain – it’s just how they roll. Displaying a portion of the code and adding in a time sensitive instruction to send URLs to all and sundry focuses on the “So near, yet so far” pressure point, and is a great way to ensure people desperate for free game codes start yelling “How high?” before jumping."
:fear: :mad:
Fake 'Vistaprint Invoice', 'ADP invoice', 'Quotation' SPAM
FYI...
Fake 'Vistaprint Invoice' SPAM - pdf malware
- http://myonlinesecurity.co.uk/vistap...e-pdf-malware/
30 Mar 2015 - "'Vistaprint VAT Invoice' (random number) pretending to come from Vistaprint <VistaPrint-cc@ vistaprint .com> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...AT-Invoice.png
30 March 2015: Random Attachment zip name: Extracts to: Invoice_1.exe
Current Virus total detections: 1/56* ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1427714331/
___
Fake 'ADP invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/adp-in...e-pdf-malware/
30 Mar 2015 - "'ADP invoice for week ending 30/03/2015' pretending to come from Wilbert.Downs@ adp .com with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...eek-ending.png
30 March 2015: invoice_285699291.zip: Extracts to: invoice_285699291.scr
Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f...is/1427728309/
___
Fake 'PDF SWIFT TT COPY' SPAM – PDF malware
- http://myonlinesecurity.co.uk/pdf-sw...e-pdf-malware/
30 Mar 2015 - "'PDF SWIFT TT COPY' pretending to come from soumiya@ ulckuwait .com with a zip attachment is another one from the current bot runs... The email looks like:
Hello,
Regarding payments for the outstanding, our accounting department have
approved immediate payment to your accounts.
Please attached is the Payment confirmation slip ,Kindly help reply
urgently to confirm to us
Best Regards,
Kosta Curic
EVRO – TURS DOO
Po?e?ka 80, Beograd, Srbija
Jenneth Setu
Purchase Manager
30 March 2015: Payment Confirmation pdf.zip: Extracts to: Payment Confirmation pdf.exe
Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1427732925/
___
Fake 'Quotation' SPAM - PDF malware
- http://myonlinesecurity.co.uk/mark-k...e-pdf-malware/
30 Mar 2015 - "'Quotation qzVNVm: (random characters)' pretending to come from Mark Kemsley <mark.kemsley@ energy-solutions .co.uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con.../quotation.png
30 March 2015 : random Attachment zip name: Extracts to: Quotation.exe
Current Virus total detections: 5/50* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1427738877/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-add...0/information/
141.105.141.87: https://www.virustotal.com/en/ip-add...7/information/
79.133.196.204: https://www.virustotal.com/en/ip-add...4/information/
UDP communications
23.101.187.68: https://www.virustotal.com/en/ip-add...8/information/
:fear: :mad:
Fake 'PO', 'Latest Docs' SPAM
FYI...
Fake 'PO' SPAM - doc or xls malware
- http://myonlinesecurity.co.uk/your-p...sheet-malware/
31 Mar 2015 - "'Your PO: SP14619' pretending to come from Sam S. <sales@ alicorp .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...PO-SP14619.png
31 March 2015 : APIPO1.doc - Current Virus total detections: 3/52* | 5/57**
... at least one of the macros downloads http ://probagep.sandbox.proserver .hu/54/78.exe (Virus Total***)... previous campaigns over the last few weeks have delivered 2 or 3 or even up to 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1427789087/
** https://www.virustotal.com/en/file/9...is/1427789118/
*** https://www.virustotal.com/en/file/8...is/1427788227/
- http://blog.dynamoo.com/2015/03/malw...619-sam-s.html
31 Mar 2015
... Recommended blocklist:
91.230.60.0/24
185.91.175.0/24
46.101.38.178
87.236.215.103
66.110.179.66
176.108.1.17
202.44.54.5
128.199.203.165
95.163.121.178 "
___
Fake 'Latest Docs' SPAM - doc or xls malware
- http://myonlinesecurity.co.uk/your-l...sheet-malware/
31 Mar 2015 - "'Your Latest Documents from RS Components' coming from random names at random companies from with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...Components.png
31 March 2015: G-A7835690138927462557376-1.doc - Current Virus total detections: 0/56*
... only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 or even 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1427798514/
- http://blog.dynamoo.com/2015/03/malw...ur-latest.html
31 Mar 2015
... Recommended blocklist:
188.120.225.17
1.164.114.195
2.194.41.9
46.19.143.151
199.201.121.169 "
___
Fake 'Passport Copy' SPAM - doc or xls malware
- http://myonlinesecurity.co.uk/fw-pas...sheet-malware/
31 Mar 2015 - "FW: Passport copy pretending to come from salim@ humdsolicitors .co.uk with what is supposed to be a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...sport-copy.png
31 March 2015 : passport.doc ...
- http://blog.dynamoo.com/2015/03/malw...port-copy.html
31 Mar 2015 - "This fake legal spam comes with a malicious attachment. It appears to be a forwarded message from a solicitors office, but it is just a simple forgery... The attachment is named passport.doc. It is exactly the -same- malicious payload as the one used in this spam run earlier today*, and it drops the Dridex banking trojan on the victim's PC."
* http://blog.dynamoo.com/2015/03/malw...619-sam-s.html
___
Fake 'Debit Note' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/debit-...sheet-malware/
31 Mar 2015 - "'Debit Note [random numbers]' information attached to this email coming from random name and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a completely -blank- body...
31 March 2015 : random name .doc - Current Virus total detections: 0/56* | 0/56** | 0/56*** ..."
* https://www.virustotal.com/en/file/b...is/1427808913/
** https://www.virustotal.com/en/file/7...is/1427807988/
*** https://www.virustotal.com/en/file/c...is/1427808948/
- http://blog.dynamoo.com/2015/03/malw...ote-12345.html
31 Mar 2015 - "This fake financial spam comes with a malicious attachment. There is -no- body text... The executable downloaded is identical to the one used in this spam run* also taking place today. The payload is the Dridex banking trojan."
* http://blog.dynamoo.com/2015/03/malw...ur-latest.html
___
Fake 'Your returns label' SPAM – PDF malware
- http://myonlinesecurity.co.uk/collec...e-pdf-malware/
31 Mar 2015 - "'CollectPlus :: Your returns label' pretending to come from info <info@ collectplus .co.uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...urns-label.png
31 March 2015 : Random Attachment zip name: Extracts to: Reference.exe
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e...is/1427800182/
___
World Back Up Day ...
- https://blog.malwarebytes.org/news/2...-safety-first/
Mar 31, 2015 - "If your response to the question “When did you last back up?” is something to do with parking your car, then you should really take note of World Back Up Day*...
* http://www.worldbackupday.com/en/
According to the World Back Up Day statistics:
• 30% of people have never backed up their data.
• 113 phones are stolen / lost every minute (Ouch. You may want to invest in some remote wipe technology too).
• 29% of data deletion disasters are caused by accident..."
:fear: :mad:
Fake 'Tax Refund', 'Delivery Note' SPAM, VBS script attachments, More crypto-ransom
FYI...
Fake 'Tax Refund' SPAM - malware
- http://blog.dynamoo.com/2015/04/malw...on-office.html
1 Apr 2015 - "This fake tax notification spam leads to malware hosted on Cubby.
From: Australian Taxation Office [noreply@ ato .gov .au]
Date: 1 April 2015 at 00:51
Subject: Australian Taxation Office - Refund Notification
IMPORTANT NOTIFICATION
Australian Taxation Office - 31/03/2015
After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2307.15 AUD.
To view/download your tax notification please click here or follow the link below :
https ://www .ato .gov .au/AZItems.aspx?id=3673&category=Tax+legislation+and+regulations&sorttype=azindexdisplay&Disp=True?NotificationCode=notification_0354003
Laurence Thayer, Tax Refund Department Australian Taxation Office
The names and the numbers -change- from email to email. Despite the displayed URL in the message, the link actually goes to cubbyusercontent .com (e.g. https ://www.cubbyusercontent .com/pl/RYR5601763.zip/_33cdead4ebfe45179a32ee175b49c399) but these download locations don't last very long as there is a quota on each download. In this case, the downloaded file is RYR5601763.zip which contains a malicious executable RYR5601763.scr which has a VirusTotal detection rate of 20/57*. Automated analysis tools... show that it downloads components from:
ebuyswap .co.uk/mandoc/muz3.rtf
eastmountinc .com/mandoc/muz3.rtf
It then attempts to phone home to:
141.105.141.87:13819/3103us13/HOME/41/7/4/
That IP is allocated to Makiyivka Online Technologies Ltd in Ukraine. In addition, it looks up the IP address of the computer at checkip .dyndns .org. Although this is benign, monitoring for it can be a good indicator of infection. These URL requests are typical of the Upatre downloader. According to the Malwr report it drops another binary jydemnr66.exe with a detection rate of 11/55** plus a benign PDF file entitled "War by remote control" which acts as some sort of cover for the infection process.
Recommended blocklist:
141.105.140.0/22
ebuyswap .co.uk
eastmountinc .com "
* https://www.virustotal.com/en/file/7...is/1427874847/
** https://www.virustotal.com/en/file/0...is/1427876163/
___
Fake 'Delivery Note' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/cih-de...sheet-malware/
1 Apr 2015 - "'CIH Delivery Note 0051037484' pretending to come from Batchuser BATCHUSER <ecommsupport@ cihgroup .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
This email and the information it contains are private, may be confidential and are for the intended recipient only. If you received this email in error please notify the sender immediately, confirm that it has been deleted from your system and that all copies have been destroyed. You should not copy it for any purpose or disclose its contents to any other person.
Internet communications are not secure and therefore CIH does not accept legal responsibility for the contents of this message.
We use reasonable endeavours to virus scan all outgoing emails but no warranty is given that this email and any attachments are virus free. You should undertake your own virus checking. We reserve the right to monitor email communications through our networks.
Combined Independents (Holdings) Ltd is registered in England No 767658 and has its registered offices at
Euro House, Joule Road, Andover, SP10 3GD
1 April 2015 :CIH Delivery Note 0051037484.doc
Current Virus total detections: 0/56* | 0/56** | 0/56*** | 0/56****
So far I have seen 4 versions of this malware... some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1427875359/
** https://www.virustotal.com/en/file/8...is/1427875359/
*** https://www.virustotal.com/en/file/1...is/1427875320/
**** https://www.virustotal.com/en/file/6...is/1427875511/
- http://blog.dynamoo.com/2015/04/malw...batchuser.html
1 Apr 2015 - "The CIH Group is the name behind the Euronics brand. They are not sending out this spam, instead it is a simple forgery with a malicious attachment...
Recommended blocklist:
91.242.163.70
37.139.47.81
72.167.62.27
212.227.89.182
46.228.193.201
46.101.49.125
198.245.70.182
95.211.184.249 "
___
Fake 'Sales_Order' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/sales_...sheet-malware/
1 Apr 2015 - "'Sales_Order_6100152' pretending to come from Hazel Gough <hazel.gough@ kosnic .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...er_6100152.png
1 April 2015 : Sales_Order_6100152.doc ... same malware although renamed as today’s CIH Delivery Note 0051037484 – word doc or excel xls spreadsheet malware*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/cih-de...sheet-malware/
___
Fake 'Unpaid Invoice' SPAM - vbs malware
- http://myonlinesecurity.co.uk/unpaid...s-vbs-malware/
1 Apr 2015 - "'Unpaid Invoice [ID:99846] or This is your Remittance Advice [ID:98943]' (all random ID numbers) coming from -random- email addresses, persons and companies with a zip attachment is another one from the current bot runs... The attachments on these are so tiny at less than 1kb in size, that users will be easily fooled into thinking that they are harmless. The zips contain an encoded vbs script... The email body is totally -blank- ...
1 April 2015: Random Attachment zip name: Extracts to: 83JHE76328475243920_1a.doc.vbs
Current Virus total detections: 0/58* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9...is/1427886418/
- http://blog.dynamoo.com/2015/04/malw...ice-09876.html
1 Apr 2015 - "... has -no- body text and comes from random senders... It has a ZIP attachment which contains... a malicious VBS script... very similar to the VBA macro used in this spam run yesterday:
> http://blog.dynamoo.com/2015/03/malw...ur-latest.html
This binary has a detection rate of 4/55*..."
* https://www.virustotal.com/en/file/c...is/1427886150/
... Behavioural information
TCP connections
188.120.225.17: https://www.virustotal.com/en/ip-add...7/information/
UDP communications
191.233.81.105: https://www.virustotal.com/en/ip-add...5/information/
___
Fake 'Remittance' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/your-r...sheet-malware/
1 Apr 2015 - "'Your Remittance Advice NB PRIVATE EQUITY PARTNERS LTD' (the company name is totally random but matches the name in the body) coming from random email addresses from with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The attachment name matches the advice in the body and looks like:
Dear sir or Madam,
Please find attached a remittance advice (ZL147QNXM.doc) for your information.
Should you need any further information, please do not hesitate to contact us.
Best regards
NB PRIVATE EQUITY PARTNERS LTD
1 April 2015 : ZL147QNXM.doc - Current Virus total detections: 1/57*
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
* https://www.virustotal.com/en/file/5...is/1427895461/
- http://blog.dynamoo.com/2015/04/malw...ce-advice.html
1 Apr 2015 - "... Recommended blocklist:
188.120.225.17
45.55.154.235
188.126.72.179
1.164.114.195
46.19.143.151
79.149.162.117
5.135.28.104/29
31.41.45.175
91.242.163.78 "
___
Fake 'o/s invoices' SPAM – PDF malware
- http://myonlinesecurity.co.uk/van-sw...e-pdf-malware/
1 Apr 2015 - "'Van Sweringen o/s invoices' pretending to come from Lisa Anderson <landerson@ homewatchcaregivers .com> with a zip attachment is another one from the current bot runs... The email looks like:
Outstanding invoices attached!
Thank you!
Lisa
Lisa J. Anderson/Office Manager
Homewatch CareGivers of
23811 Chagrin Blvd. Suite 114
Beachwood, OH 44122 ...
1 Ap[ril 2015: 6100_NULGE.zip : Extracts to: en_en.exe
Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0...is/1427902354/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustotal.com/en/ip-add...0/information/
141.105.141.87: https://www.virustotal.com/en/ip-add...7/information/ <<<
94.23.6.64: https://www.virustotal.com/en/ip-add...4/information/
UDP communications
191.233.81.105: https://www.virustotal.com/en/ip-add...5/information/ <<<
___
Xtube Exploit leads to Cryptowall Malware
- https://blog.malwarebytes.org/intell...owall-malware/
31 Mar 2015 - "We wrote about the adult site xtube .com being compromised -redirecting- visitors to a landing page for the Neutrino Exploit kit last week*... The malware that dropped from the exploit was found here** and was called xtube.exe... All user files are encrypted using “RSA-2048″ encryption. In order to pay the -ransom- victims are instructed to visit paytoc4gtpn5cz12.torconnectpay .com. A separate address is also provided over the tor network:
> https://blog.malwarebytes.org/wp-con...LP_DECRYPT.png
... 'always good to remember that highly ranked websites (including adult content) are a prime target for hackers due to the traffic they get..."
* https://blog.malwarebytes.org/exploi...a-neutrino-ek/
** https://www.virustotal.com/en/file/c...1357/analysis/
... Behavioural information
TCP connections
188.165.164.184: https://www.virustotal.com/en/ip-add...4/information/
93.185.106.78: https://www.virustotal.com/en/ip-add...8/information/
- http://blog.trendmicro.com/trendlabs...s-for-1q-2015/
April 1, 2015 - "Since the start of 2015, we have spotted several variants of crypto-ransomware plague the threat landscape. In January, the Australia-New Zealand region was beset by variants of TorrentLocker. But we soon discovered that TorrentLocker infections were -not- limited to that region; Turkey, Italy, and France were also affected by this malware. We soon came across an “improved” version of CTB-Locker Ransomware, which now offered a “free decryption” service, an extended deadline to decrypt the files, and an option to change the language of the ransom message. We also saw attacks that combined crypto-ransomware with information-stealing malware. These latest crypto-ransomware variants bring their own tactic to ensure their victims pay the price..."
(More detail at the trendmicro URL above.)
:fear::fear: :mad:
Fake 'Scanned Invoice', 'calcs attachments' SPAM
FYI...
Fake 'Scanned Invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/scanne...sheet-malware/
3 Apr 2015 - "'Scanned Invoice [89412268] from FLYBE GROUP PLC' pretending to come from Warren Horn <Moses.3a@ tcl. net .in> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Location: 1st Floor Office
File Extension: DOC (Medium)
Resolution: 300dpi x 300dpi
Attached file is scanned document in DOC format.
Warren Horn , FLYBE GROUP PLC
3 April 2015: 89412268.doc - Current Virus total detections: 0/56*
This downloads http ://75.150.62.121 :8080/bz1gs9/kansp1.jpg and then renames it to %temp%\dfsdfff.exe and runs without any further user interaction (VirusTotal**) ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1428054150/
** https://www.virustotal.com/en/file/e...is/1428057630/
... Behavioural information
TCP connections
151.252.48.36: https://www.virustotal.com/en/ip-add...6/information/
185.35.77.12: https://www.virustotal.com/en/ip-add...2/information/
199.201.121.169: https://www.virustotal.com/en/ip-add...9/information/
193.255.201.86: https://www.virustotal.com/en/ip-add...6/information/
188.226.129.49: https://www.virustotal.com/en/ip-add...9/information/
UDP communications
191.233.81.105: https://www.virustotal.com/en/ip-add...5/information/
75.150.62.121: https://www.virustotal.com/en/ip-add...1/information/
___
Fake 'calcs attachments' SPAM - PDF malware
- http://myonlinesecurity.co.uk/all-am...e-pdf-malware/
3 Apr 2015 - "'All American C&E/ Nardin' pretending to come from office <office@ energycalcs .net> with a zip attachment is another one from the current bot runs... The email looks like:
Your completed calcs are attached.
The first attachment is your Manual J&S Load calcs.
The second is your Form 405-10 Energy code compliance calc.
If you have any questions, feel free to call.
Thank you so much for your business!
Ed Wolfe- Office Manager
Energycalcs.net, Inc ...
3 April 2015: Random Attachment zip name: Extracts to: iDocs.exe
Current Virus total detections: 4/56* . The attachment with this All American C&E/ Nardin email is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f...is/1428054460/
:fear: :mad:
Fake Barclays SPAM – PDF malware
FYI...
Fake Barclays SPAM – PDF malware
- http://myonlinesecurity.co.uk/barcla...pdf-malware-3/
6 Apr 2015 - "'Barclays – Important Update, read carefully!' pretending to come from Barclays Online Bank <security-update@ Barclays. co.uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...-carefully.png
6 April 2015: Form.zip: Extracts to: Form.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/b...is/1428321955/
... Behavioural information
TCP connections
216.146.39.70: https://www.virustotal.com/en/ip-add...0/information/
UDP communications
104.41.150.68: https://www.virustotal.com/en/ip-add...8/information/
- http://threattrack.tumblr.com/post/1...nt-update-spam
Apr 6, 2015
:fear: :mad:
Fake 'EBOLA INFO', 'Invoice Maid of London' SPAM
FYI...
Fake 'EBOLA INFO' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/04/malw...formation.html
7 Apr 2015 - "This fake medical email contains a malicious attachment...
From: noreply@ ggc-ooh .net
Reply-To: noreply@ ggc-ooh .net
Date: 7 April 2015 at 08:58
Subject: EBOLA INFORMATION
This email is generated from an unmanned mailbox. Dr N J Gaw can be contacted via noreply@ ggc-ooh .net
PLEASE SEE THE ATTACHED CORRESPONDENCE FOR YOUR INFORMATION.
THANK YOU.
Attached is a file 30.03.15 Ebola Virus (2).doc which contains this malicious macro... which is contains a lot of girls names as variables ... When decoded the macro downloads a component from:
http ://deosiibude .de/deosiibude.de/220/68.exe
VirusTotal submissions seem to be down at the moment, so I can't tell you what the detection rate is. Automated analysis tools... show it phoning home to the following IPs...:
37.140.199.100 (Reg.Ru Hosting, Russia)
46.228.193.201 (Aqua Networks Ltd, Germany)
130.241.92.141 (Goteborgs Universitet, Sweden)
46.101.49.125 (Digital Ocean Inc, UK)
122.167.6.68 (ABTS, India)
5.100.249.215 (O.M.C. Computers & Communications Ltd, Israel)
85.255.173.109 (Satnet Ltd, Bulgaria)
217.37.39.235 (BT Broadband, UK)
81.190.50.232 (Multimedia Polska S. A., Poland)
89.228.15.18 (Multimedia Polska S. A., Poland)
According to the Malwr report it drops a whole load of files including what is probably a Dridex DLL.
Recommended blocklist:
37.140.199.100
46.228.193.201
130.241.92.141
46.101.49.125
122.167.6.68
85.255.173.109
5.100.249.215
217.37.39.235
81.190.50.232
46.228.193.201
89.228.15.18
MD5s:
E4CC002A95CAAF4481CB7140BBE96C58
C86A9D012E372D0C3A82B14978FFA1F0
F98A674A5FA473AC9BF738636FF6374E "
___
Fake 'Invoice Maid of London' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/march-...sheet-malware/
7 Apr 2015 - "'March 2015 Invoice' pretending to come from Accounts @ Maid of London <accounts@ maidoflondon .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...-of-London.png
7 April 2015 : March invoice 811.doc - Current Virus total detections: 0/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...is/1428403055/
___
Fake 'legal claim' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/04/malw...as-issued.html
7 Apr 2015 - "This fake legal spam comes with a malicious attachment:
From: Isiah Mosley [Rosella.e6@ customer .7starnet .com]
Date: 7 April 2015 at 14:09
Subject: Schroders has issued the claim against you and passed for consideration to HM Courts [VM1993LVW]
Schroders,Isiah Mosley
The company name is randomly chosen. In the above example the attachment was called VM1993LVW.doc which matched the reference in the subject. The Word document contains a malicious macro... Along with an alternate macro, I can see download locations from:
http ://185.39.149.178 /aszxmy/image04.gif
http ://148.251.87.253 /aszxmy/image04.gif
For the record, 185.39.149.178 is OOO A.S.R.in Russia and 148.251.87.253 is Hetzner in Germany. The downloaded .GIF file is definitely not a GIF and is instead an executable that gets saved as %TEMP%\dfsdfff.exe. This has a VirusTotal detecton rate of 2/56*. Automated analysis tools... show the malware phoning home to:
151.252.48.36 (Vautron Serverhousing, Germany)
According to the Malwr report, it drops a DLL with a detection rate of 2/56* which is most likely a Dridex DLL.
Recommended blocklist:
151.252.48.36
148.251.87.253
185.39.149.178
MD5s:
a4e14c88da9e1a74cd7c26ded99b6a0a
c86a9d012e372d0c3a82b14978ffa1f0"
* https://www.virustotal.com/en/file/5...0281/analysis/
___
Fake 'Chase Card Services' SPAM – malware
- http://myonlinesecurity.co.uk/chase-...yment-malware/
7 Apr 2015 - "'Thank you for scheduling your online payment' pretending to come from Chase Card Services <no-reply@ alertsp .chase .com> with a zip attachment is another one from the current bot runs...
Dear Thank you for scheduling your recent credit card payment as an attachment. Your payment in the amount of 3898.96 will be credited to your credit card account (CREDIT CARD) ending in 2143 on 04/07/2015.
Now that you’re making your payment online, are you aware of all the convenient ways you can manage your account online?
See statements – Choose to stop receiving paper statements, and see up to six years of your statements online.
See automatic payments – Set up monthly payments to be made automatically.
Transfer a balance – Transfer a balance to your credit card account.
Go to Personalized Alerts – Schedule Alerts to remind you of key account activity.
You can also see past payments you’ve made online by logging on to www.chase.com/creditcards and clicking “See/cancel payments” under “I’d like to …”
If you have questions, please call the Customer Service number on the back of your credit card.
Thanks again for using online payments.
Sincerely,
Cardmember Services ...
7 April 2015: payment-2143-wiqr_BSFMN.zip: Extracts to: payment.exe
Current Virus total detections: 7/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF or image file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d...is/1428417618/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-add...0/information/
141.105.141.87: https://www.virustotal.com/en/ip-add...7/information/
162.252.57.88: https://www.virustotal.com/en/ip-add...8/information/
UDP communications
23.101.187.68: https://www.virustotal.com/en/ip-add...8/information/
:fear::fear: :mad: