Fake 'Tax Invoice', 'Sales Invoice', 'PHS docs' SPAM, Dridex botnet
FYI...
Fake 'Tax Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/mbie-c...e-pdf-malware/
26 Oct 2015 - "An email with the subject of 'MBIE Companies Office Tax Invoice' pretending to come from revenue@ med.govt .nz with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x557.png
26 October 2015: Notification20151026_MCX79GF[_var=nSYMBOL]-54.zip: Extracts to: Notification20151026-AUNK7401f-26.exe
Current Virus total detections 0/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7...is/1445819602/
___
Fake 'Sales Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malw...r-norwich.html
26 Oct 2015 - "This -fake- financial spam does not come from Norwich Camping but is instead a simple -forgery- with a malicious attachment:
From "Norwich Camping" [sales@ norwichcamping .co.uk]
Date Mon, 26 Oct 2015 13:43:14 +0430
Subject #NC-242455-Zmj Your Norwich Camping Order has shipped!
You Norwich Camping & Leisure order "#NC-242455-Zmj" has now been shipped. Your chosen
payment method has now been charged.
Kind regards,
The Norwich Camping & Leisure
Attached is a file invoice-2425.doc of which I have only seen a single sample so far with a VirusTotal detection rate of 5/55*. The document contains this malicious macro... which apparently downloads a malicious binary to %TEMP%\ZipCock32.exe ... it is most likely that it downloads the Dridex banking trojan.
UPDATE: According to this Hybrid Analysis report**, a version of the malicious document downloads an executable from:
img1.buyersbestfriend. com/76r56e87y8/65df78.exe
This has a VirusTotal detection rate of 5/55***. That report indicates malicious traffic to:
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
I recommend that you block traffic to that IP."
* https://www.virustotal.com/en/file/e...is/1445854612/
** https://www.hybrid-analysis.com/samp...nvironmentId=2
*** https://www.virustotal.com/en/file/2...is/1445857776/
... Behavioural information
TCP connections
195.154.251.123: https://www.virustotal.com/en/ip-add...3/information/
88.221.14.130: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'PHS docs' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malw...ments-are.html
26 Oct 2015 - "This spam does not come from PHSOnline, but is instead a simple -forgery- with a malicious attachment.
From "PHSOnline" [documents@ phsonline .co.uk]
Date Mon, 26 Oct 2015 20:28:50 +0700
Subject Your new PHS documents are attached
I don't have a copy of the body text for these messages, but the attachment is named G-A0287580036267754265.doc which comes in -three- different versions... containing a macro... which downloads a malicious binary from one of the following locations:
tranquilosurf .com/~info/76r56e87y8/65df78.exe
masaze-rumburk .cz/76r56e87y8/65df78.exe
img1.buyersbestfriend .com/76r56e87y8/65df78.exe
The Hybrid Analysis reports for those documents are here: [1] [2] [3]. The file is saved as %TEMP%\ZipCock32.exe and this has a VirusTotal detection rate of just 1/55[4]. The Hybrid Analysis report for this binary[5] shows it downloading from the following location:
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
This is almost definitely the Dridex banking trojan. Note that the documents and download locations appear to be the -same- as the ones used in this earlier attack*, but the payload has now changed."
* http://blog.dynamoo.com/2015/10/malw...r-norwich.html
1] https://www.hybrid-analysis.com/samp...nvironmentId=1
2] https://www.hybrid-analysis.com/samp...nvironmentId=2
3] https://www.hybrid-analysis.com/samp...nvironmentId=2
4] https://www.virustotal.com/en/file/a...is/1445868517/
5] https://www.hybrid-analysis.com/samp...nvironmentId=1
___
Despite takedown, the Dridex botnet is running again
- http://www.computerworld.com/article...ing-again.html
Oct 26, 2015 - "Spam emails containing the Dridex malware are being seen almost daily despite the arrest of one of its key operators in August. The finding confirms that while law enforcement can claim temporary victories in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations... Dridex, also referred to as Cridex or Bugat, is advanced malware that collects financial login details and other personal information that can be used to drain bank accounts. The U.S. and U.K. said the Dridex botnet - or the collection of computers infected with the malware - had been disrupted following their operations. Two weeks before the DOJ's announcement, Palo Alto Networks wrote* that it noticed a drop in Dridex activity but that it resumed again around the start of October. Much of that activity has now resumed, wrote Brad Duncan, a security researcher with Rackspace, on the Internet Storm Center blog**... there appear to be more files labeled as Dridex on VirusTotal... Although some of the samples could be mislabeled, it backs up what Palo Alto noticed..."
* http://researchcenter.paloaltonetwor...geting-the-uk/
Oct 1, 2015
** https://isc.sans.edu/diary/Botnets+s...l+active/20295
Last Updated: 2015-10-24
- http://www.secureworks.com/cyber-thr...ver-operation/
13 Oct 2015 - "... The malware... steals credentials, certificates, cookies, and other sensitive information from a compromised system, primarily to commit Automated Clearing House (ACH) and wire fraud. As of this publication, authorities have linked the botnet to an estimated £20 million (approximately $30.5 million) in losses in the UK, and at least $10 million in losses in the United States. Dridex was created from the source code of the Bugat banking trojan (also known as Cridex) but is distinct from previous Bugat variants, particularly with respect to its modular architecture and its use of a hybrid peer-to-peer (P2P) network to mask its backend infrastructure and complicate takedown attempts..."
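The indicators quoted in this post (the three download URLs for 65df78.exe, the %TEMP%\ZipCock32.exe drop name and the 195.154.251.123 address dynamoo recommends blocking) are exactly what a SOC turns into a proxy-log sweep. The Python script below is an added example written for this page, not code from dynamoo.com or myonlinesecurity.co.uk. It assumes a simple space-separated proxy log (epoch timestamp, client, method, URL, status, destination IP); the log lines in it are constructed for illustration, not a real capture. The path heuristic (a "/<dir>/<name>.exe" shape where both segments mix letters and digits, as every second-stage URL on this page does) is my own generalisation, not something the source states, so treat it as a hunt query rather than a blocking rule. The same sweep applies to the Upatre/Dyre, Pony and Cryptowall blocklists quoted later on this page.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators quoted on this page (blog.dynamoo.com, 26 Oct 2015), kept in the
# defanged "domain .tld" form the blog uses; refang() restores the dots.
DOWNLOAD_URLS = [
    "tranquilosurf .com/~info/76r56e87y8/65df78.exe",
    "masaze-rumburk .cz/76r56e87y8/65df78.exe",
    "img1.buyersbestfriend .com/76r56e87y8/65df78.exe",
]
BLOCK_IPS = {"195.154.251.123"}

# Assumption (mine, not from the page): the second-stage URLs share a
# "/<random>/<random>.exe" shape where both segments contain a digit, so the
# same shape on an unknown host is worth a look. Hunt heuristic, not a block rule.
PATH_SHAPE = re.compile(
    r"^/(?:~[a-z0-9]+/)?(?=[a-z]*[0-9])[a-z0-9]{5,10}/(?=[a-z]*[0-9])[a-z0-9]{5,10}\.exe$",
    re.IGNORECASE,
)

# Assumed log layout: "<epoch> <client> <method> <url> <status> <dst_ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<dst>\S+)$"
)


def refang(indicator: str) -> str:
    """Turn 'domain .tld' / 'domain[.]tld' back into a real hostname."""
    return indicator.replace(" .", ".").replace("[.]", ".")


def indicator_hosts() -> set:
    """Hostnames extracted from the defanged download URLs."""
    return {urlsplit("http://" + refang(u)).hostname for u in DOWNLOAD_URLS}


@dataclass
class Hit:
    line_no: int
    client: str
    url: str
    reasons: list


def scan(lines) -> list:
    """Return one Hit per log line that touches a known host/IP or the path shape."""
    hosts = indicator_hosts()
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        reasons = []
        if host in hosts:
            reasons.append("known download host")
        if host in BLOCK_IPS or m["dst"] in BLOCK_IPS:
            reasons.append("destination IP on blocklist")
        if PATH_SHAPE.match(parts.path):
            reasons.append("Dridex-style download path")
        if reasons:
            hits.append(Hit(line_no, m["client"], m["url"], reasons))
    return hits


# Constructed sample log (not a real capture): lines 1, 2 and 4 should fire,
# line 5 should not (plain "/downloads/setup.exe" has no digit in its segments).
SAMPLE_LOG = """\
1445856120 10.1.2.33 GET http://img1.buyersbestfriend.com/76r56e87y8/65df78.exe 200 203.0.113.10
1445856125 10.1.2.33 POST http://195.154.251.123:443/ 200 195.154.251.123
1445856130 10.1.2.40 GET http://www.example.com/index.html 200 203.0.113.20
1445856140 10.1.2.41 GET http://cdn.example.net/4f67g7/d6f7g8.exe 200 203.0.113.30
1445856150 10.1.2.42 GET http://files.example.org/downloads/setup.exe 200 203.0.113.40
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: {hit.client} -> {hit.url}  [{', '.join(hit.reasons)}]")
```

The host and IP matches are high confidence and can feed a block or an alert directly; the path-shape match is deliberately separate so it can be routed to a hunt queue, since any legitimate CDN with short hashed directory names would also trip it.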
Fake 'Payslip', 'BACS Remittance', 'VeriFone', 'RBS' SPAM
FYI...
Fake 'Payslip' SPAM – PDF malware
- http://myonlinesecurity.co.uk/dataco...e-pdf-malware/
27 Oct 2015 - "An email with the subject of 'Payslip for period ending 27/Oct/2015' pretending to come from Datacom Pay Systems <powerpay@ datacom .co.nz> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...g-1024x677.png
27 October 2015: Payslip 27Oct2015.zip: Extracts to: Payslip 27Oct2015.scr
Current Virus total detections 12/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1445921468/
- http://threattrack.tumblr.com/post/1...m-payslip-spam
27 Oct 2015 - "Subjects Seen
Payslip for period ending 27/Oct/2015
Typical e-mail details:
Dear Customer,
Attached is your payslip for period ending 27/Oct/2015.
Please note the attached payslip is password protected - the password is the same as your employee self service login password.The content of this email and its attachments are confidential. If you are not the intended recipient of this message please contact Datacom on 0800 856 856 or +64 9 366 1150.This email message has been sent from an unmanned account. Please do not reply to this address...
Screenshot: https://41.media.tumblr.com/73f75ce9...r6pupn_500.png
Malicious File Name and MD5:
payslip (1CE90078C006CFEE77248E8EDFD68BD2)
Tagged: Datacom, Upatre
___
Fake 'BACS Remittance' SPAM - PDF malware
- http://myonlinesecurity.co.uk/cyngor...e-pdf-malware/
27 Oct 2015 - "An email with the subject of 'Cyngor Sir Ddinbych – Taliad BACS / Denbighshire CC – BACS Remittance' pretending to come from credbills@ denbighshire .gov.uk > <credbills@ denbighshire .gov.uk> with a zip attachment is another one from the current bot runs... The content of the email says :
Gweler manylion taliad BACS yn atodedig
Please see attached Bacs Remittance ...
The information contained in this e-mail message and any files transmitted with it is intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender immediately. The contents of this e-mail represents the views of the individual(s) named above and do not necessarily represent the views of Denbighshire County Council. However, as a Public Body, Denbighshire County Council may be required to disclose this e-mail [or any response to it] under legislative provisions...
27 October 2015: DenbighshireCC.zip: Extracts to: DenbighshireCC.scr
Current Virus total detections 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1445942099/
- http://blog.dynamoo.com/2015/10/malw...ch-taliad.html
27 Oct 2015 - "I've never had malware spam in Welsh before... this is not from Denbighshire County Council, but is instead a simple -forgery- with a malicious attachment:
From "credbills@ denbighshire .gov.uk" [credbills@ denbighshire .gov.uk]
Date Tue, 27 Oct 2015 17:46:01 +0530
Subject Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance
Gweler manylion taliad BACS yn atodedig
Please see attached Bacs Remittance ...
Mae'r wybodaeth a gynhwysir yn yr e-bost hwn ac unrhyw ffeiliau a drosglwyddir gydag
o wedi eu bwriadu yn unig ar gyfer pwy bynnag y cyfeirir ef ato neu atynt. Os ydych
wedi derbyn yr e-bost hwn drwy gamgymeriad, hysbyswch yr anfonwr ar unwaith os gwelwch
yn dda...
Attached is a file DenbighshireCC.zip which contains a malicious executable DenbighshireCC.scr. This has a VirusTotal detection rate of 5/55*. The Hybrid Analysis report** shows characteristics common to the Upatre/Dyre banking trojan. In particular it identifies traffic to a known bad IP:
197.149.90.166 (Cobranet, Nigeria)
I strongly recommend that you -block- traffic to that IP."
* https://www.virustotal.com/en/file/1...is/1445953248/
** https://www.hybrid-analysis.com/samp...nvironmentId=2
___
Fake 'VeriFone' SPAM – PDF malware
- http://myonlinesecurity.co.uk/verifo...e-pdf-malware/
27 Oct 2015 - "An email with the subject of 'VeriFone Services UK and Ireland Ltd' pretending to come from donotreply_invoices@ verifone .com with a zip attachment is another one from the current bot runs... The content of the email says :
Please see attached Invoice(s).
Thanks and Regards,
VeriFone Services UK and Ireland Ltd
Confidentiality Note: This email message contains information that is confidential. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this message is prohibited. If you have received this message or attachment in error, please notify us immediately by email and delete the original. Thank you.
While we use standard virus checking software, we accept no responsibility for viruses or anything similar in this email or any attachments. We also do not accept any responsibility for any changes to, or interception of, this email or any attachment after it leaves our information system. This electronic message, including attachments, is intended only for the use of the individual or company named above or to which it is addressed. The information contained in this message shall be considered confidential and proprietary...
27 October 2015: 20151027104526.zip: Extracts to: 20151027104526.scr
Current Virus total detections 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1445943801/
___
Fake 'RBS' SPAM – PDF malware
- http://myonlinesecurity.co.uk/sunder...e-pdf-malware/
27 Oct 2015 - "An email appearing to come from Sunderland City Council with the subject of 'RBS Cardholder Application Form' pretending to come from Hester Knapp <Hester.Knapp@ sunderland .gov.uk> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...l-1024x540.png
27 October 2015: New_Cardholder_Application_Hester_Knapp.zip: Extracts to: New_Cardholder_Application_Hester_Knapp.scr
Current Virus total detections 0/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1445943801/
- http://blog.dynamoo.com/2015/10/malw...plication.html
27 Oct 2015 - "This -fake- financial spam does not come from Sunderland City Council, but is instead a simple -forgery- with a malicious attachment:
From "Wm Palmer" [Wm.Palmer@ sunderland .gov.uk]
Date Tue, 27 Oct 2015 18:39:34 +0700
Subject RBS Cardholder Application Form
Dear Customer,
We now have the go ahead from Corporate Procurement to apply to RBS for your Corporate
Purchase Card. Please find attached the RBS application form which requires your
signature as cardholder on page 2. Also please add the date. Once done can you scan
the document and email it back to me or alternatively post it back to me c/o Purchase
Card Administration Team, Transactional Finance, Room 1.34, Civic Centre, Sunderland
SR2 7DN.
Kind regards,
Wm.
Wm Palmer
Purchase Ordering Officer ...
Attached is a file New_Cardholder_Application_Wm_Palmer.zip containing a malicious executable New_Cardholder_Application.scr - which is exactly the -same- malware as used in this other fake council spam run today*."
* http://blog.dynamoo.com/2015/10/malw...ch-taliad.html
MySQL servers -DDoS bots, Fake 'Ikea', 'eFax', 'ADP', 'résumé' SPAM
FYI...
Attackers are turning -MySQL- servers into DDoS bots
- http://net-security.org/malware_news.php?id=3134
28.10.2015 - "Someone has been compromising MySQL servers around the world and using them to mount DDoS attacks. The latest targets of these attacks are an (unnamed) US hosting provider and a Chinese IP address. Most of the servers affected in this campaign are located in India, China, Brazil and the Netherlands, but others can be found around the globe:
> http://www.net-security.org/images/a...e-28102015.jpg
"We believe that the attackers compromised MySQL servers to take advantage of their large bandwidth. With these resources, the attackers could launch bigger DDoS campaigns than if they used traditional consumer targets," Symantec researchers explained*. "MySQL is also the second most popular database management system in the world, giving the attackers a wide range of potential targets." The researchers didn't say how many servers in total were compromised. The attackers used a variant of the Chickdos Trojan to make the servers listen to their commands. The variant is very similar to the initial Chickdos Trojan first spotted by cyber defenders in December 2013. The attackers perform an SQL injection attack in order to install a malicious user-defined function (UDF) on the target server, which is then loaded into MySQL and executed... The researchers advised admins -never- to run SQL servers with administrator privileges (if possible), and to regularly patch apps** that use them..."
* http://www.symantec.com/connect/app#...m-ddos-attacks
28 Oct 2015 - "... identified active command-and-control (C&C) servers for Chikdos are as follows:
•183.60.202.16: 10888
•61.160.247.7: 10991
•103.17.118.124: 10991 ..."
** http://www.oracle.com/technetwork/to...l#AppendixMSQL
"... contains -30- new security fixes for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication..."
Trojan.Chikdos: https://www.symantec.com/security_re...121708-1045-99
___
Fake 'Ikea' SPAM - doc malware
- http://myonlinesecurity.co.uk/ikea-t...d-doc-malware/
28 Oct 2015 - "An email with the subject of 'Thank you for your order!' pretending to come from DoNotReply@ ikea .com with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...r-1024x479.png
28 October 2015 : IKEA receipt 607656390.doc - Current Virus total detections 4/55* .
.. Downloads looks like Dridex banking malware from experassistance .fr/4f67g7/d6f7g8.exe
(VirusTotal 2/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1446022494/
** https://www.virustotal.com/en/file/0...is/1446023464/
- http://blog.dynamoo.com/2015/10/this...come-from.html
28 Oct 2015 - "This -fake- order spam does not come from IKEA but is instead a simple -forgery- with a malicious attachment.
From: DoNotReply@ ikea .com
Date: 28 October 2015 at 08:57
Subject: Thank you for your order
Order acknowledgement:
To print, right click and select print or use keys Ctrl and P.
Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015 ...
Attached is a file IKEA receipt 607656390.doc which contains this malicious macro and which has a VirusTotal detection rate of 4/55*...
UPDATE 1: The reverse .it analysis** of the first sample shows a download from:
alvarezsantos .com/4f67g7/d6f7g8.exe
This dropped binary has a detection rate of just 2/55*. Two further samples have now been seen (VT results [1] [2]) and according to the analysis[3] of one of them, it downloads from:
experassistance .fr/4f67g7/d6f7g8.exe
... UPDATE 2: A further reverse .it analysis[4] shows another download location of:
www .retrogame .de/4f67g7/d6f7g8.exe ..."
* https://www.virustotal.com/en/file/9...is/1446023495/
** https://www.hybrid-analysis.com/samp...nvironmentId=2
1] https://www.virustotal.com/en/file/0...is/1446024071/
2] https://www.virustotal.com/en/file/2...is/1446024082/
3] https://www.hybrid-analysis.com/samp...nvironmentId=1
4] https://www.hybrid-analysis.com/samp...nvironmentId=1
___
Fake 'eFax' SPAM - doc malware
- http://myonlinesecurity.co.uk/efax-m...d-doc-malware/
28 Oct 2015 - "An email with the subject of 'eFax message' from “Booking.com – HylaFa” – 1 page(s), Caller-ID: 031207944200 pretending to come from eFax <message@ inbound .efax .com> with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...a-1024x640.png
28 October 2015 : FAX_20151028_1445421437_89.doc - Current Virus total detections 4/55*
... downloads -same- malware from the -same- locations as described in today’s earlier malspam run involving word docs**..."
* https://www.virustotal.com/en/file/9...is/1446026859/
** http://myonlinesecurity.co.uk/ikea-t...d-doc-malware/
- http://blog.dynamoo.com/2015/10/malw...sage-from.html
28 Oct 2015 - "This fake fax spam comes with a malicious attachment:
From: eFax [message@ inbound .efax .com]
Date: 28 October 2015 at 10:08
Subject: eFax message from "Booking.com - HylaFa" - 1 page(s), Caller-ID: 031207944200
Fax Message [Caller-ID: 031207944200]
You have received a 1 page fax at 2015-10-28 08:57:17 GMT.
* The reference number for this fax is lon1_did14-1445421403-1407880525-89.
View this fax using your Microsoft Word...
The attachment FAX_20151028_1445421437_89.doc is the -same- as used in this spam run* and the payload is the Dridex banking trojan."
* http://blog.dynamoo.com/2015/10/this...come-from.html
___
Fake 'ADP' SPAM - PDF malware
- http://myonlinesecurity.co.uk/adp-pa...e-pdf-malware/
28 Oct 2015 - "An email with the subject of 'ADP Payroll Invoice' pretending to come from ADPClientServices@ adp .com <billing.address.updates@ adp .com> with a password protected zip attachment is another one from the current bot runs... The content of the email says :
Your ADP Payroll invoice is attached for your review. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Important: Please open the attached file using your temporary password. Your temporary password is: 941VAX332ED
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Thank you for choosing ADP Payroll.
Please do not respond to this message. It comes from an unattended mailbox.
28 October 2015: invoice381624185029.zip: Extracts to: invoice381624185029.exe
Current Virus total detections 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8...is/1446048560/
___
Fake 'résumé' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malw...8myresume.html
27 Oct 2015 - "This fake résumé spam comes with a malicious attachment. It seems that the names are randomly-generated from a list.
From: Trinh [zhanxing1497kcuo@ 163 .com]
Date: 27 October 2015 at 18:30
Subject: id:9828_My_Resume
Signed by: 163 .com
Good afternoon!!! my name is Bobette Gloster. my resume is doc file.
I would appreciate your immediate attention to this matter.
Yours faithfully
Bobette Gloster
In this case the attachment was named Bobette_resume_1817.doc however this will vary. The VirusTotal analysis of the document gives a detection rate of 8/55*, mostly detecting a generic macro downloader... the Hybrid Analysis** of the document shows traffic coming FROM 46.30.41.150 (EuroByte LLC, Russia) and being POSTED to the following:
all-inclusiveresortstravel .com
designtravelagency .com
bigboattravel .com
cpasolutiononline .com
ciiapparelblog .com
The first three are on 108.167.140.175 and the second two are on 192.185.101.210 which are both allocated to WebSiteWelcome customers. I would assume that those two servers are completely -compromised-. The Hybrid Analysis report** shows that the malware has some characteristics that make it look like -ransomware-.
Recommended blocklist:
46.30.41.150: https://www.virustotal.com/en/ip-add...0/information/
108.167.140.175: https://www.virustotal.com/en/ip-add...5/information/
192.185.101.210: https://www.virustotal.com/en/ip-add...0/information/
UPDATE: This Tweet*** indicates that the payload is Cryptowall."
* https://www.virustotal.com/en/file/6...is/1445972310/
** https://www.hybrid-analysis.com/samp...nvironmentId=1
*** https://twitter.com/Techhelplistcom/...38278746685440
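Symantec's advice on the Chikdos campaign quoted in this post (never run the SQL server as a privileged account, keep the front-end applications patched) can be partly checked from the server's own configuration, because the UDF route described needs two things the config controls: a process account powerful enough to matter, and the ability to write a shared library into plugin_dir with SELECT ... INTO DUMPFILE, which the secure_file_priv option restricts (that last point is MySQL's documented behaviour, not something the article spells out). The linter below is an added example for this page, not Symantec's or net-security's tooling. It assumes an INI-style my.cnf and the two sample configs are constructed. It reads text only, so it cannot verify that plugin_dir is unwritable by the mysql account; check that on the host.

```python
import configparser


def _norm(key: str) -> str:
    """MySQL accepts option names with '-' or '_'; fold them to one spelling."""
    return key.strip().lower().replace("-", "_")


def _clean(value):
    """Strip surrounding whitespace and quotes from an option value."""
    if value is None:
        return None
    return value.strip().strip('"').strip("'")


def lint_mycnf(text: str) -> list:
    """Return findings (dicts with key/severity/message) for a my.cnf [mysqld] section."""
    # my.cnf "!include"/"!includedir" directives are not INI; drop them before parsing.
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.optionxform = _norm
    cp.read_string(text)
    findings = []

    def add(key, severity, message):
        findings.append({"key": key, "severity": severity, "message": message})

    if not cp.has_section("mysqld"):
        add("mysqld", "high", "no [mysqld] section: server options are not pinned in this file")
        return findings
    s = cp["mysqld"]

    user = _clean(s.get("user"))
    if user is None:
        add("user", "info", "user not set here; confirm the service unit starts mysqld as an unprivileged account")
    elif user in ("root", "0", "Administrator", "SYSTEM"):
        add("user", "high", f"mysqld runs as {user}: a UDF loaded via CREATE FUNCTION ... SONAME runs with that account")

    if "secure_file_priv" not in s:
        add("secure_file_priv", "high",
            "secure_file_priv not set: SELECT ... INTO DUMPFILE may write anywhere mysqld can, including plugin_dir")
    elif not _clean(s.get("secure_file_priv")):
        add("secure_file_priv", "high", "secure_file_priv is empty: file reads/writes are unrestricted")
    # "NULL" disables server-side file I/O entirely; a directory confines it. Both are acceptable.

    if _clean(s.get("local_infile")) in ("1", "ON", "on", "TRUE", "true"):
        add("local_infile", "medium", "local_infile enabled: LOAD DATA LOCAL lets a compromised client read files")

    bind = _clean(s.get("bind_address"))
    if "skip_networking" not in s and (bind is None or bind in ("0.0.0.0", "::", "*")):
        add("bind_address", "medium",
            "mysqld listens on all interfaces; bind to localhost or a private address unless remote access is required")

    return findings


# Constructed configs (not taken from any real host).
WEAK_CNF = """\
[mysqld]
user = root
secure-file-priv =
local-infile = 1
bind-address = 0.0.0.0
plugin-dir = /usr/lib/mysql/plugin
!includedir /etc/mysql/conf.d/
"""

HARDENED_CNF = """\
[mysqld]
user = mysql
secure-file-priv = /var/lib/mysql-files
local-infile = 0
bind-address = 127.0.0.1
plugin-dir = /usr/lib/mysql/plugin
"""

if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(f"== {label} ==")
        for f in lint_mycnf(cnf) or [{"severity": "ok", "key": "-", "message": "no findings"}]:
            print(f"[{f['severity']}] {f['key']}: {f['message']}")
```

The config is only half of the control: an injection still reaches the database as whatever account the vulnerable web application uses, so the FILE privilege on that account and the patch level of the application (the Oracle CPU linked above) decide whether the DUMPFILE step is even reachable.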
Fake 'Doc Scan', 'eBay Invoice', 'Your Invoice', 'FedEx Label' SPAM
FYI...
Fake 'Doc Scan' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malw...eview-and.html
29 Oct 2015 - "This -fake- document scan email has a malicious attachment:
From: Sarah [johnson@ jbrakes .com]
Date: 29 October 2015 at 08:27
Subject: Documents for Review and Comments
Hi Morning,
Attached are the return documents.
Call me if you need anything.
See you soon.
Sarah
The attached file is SCANNED DOCS,jpg.z which is a type of compressed file. If you have the right file decompression software, it will extract a malicious executable SCANNED DOCS,jpg.exe which has a VirusTotal detection rate of 17/55*. According to various automated analysis tools [1] [2] [3] it drops a file %TEMP%\XP000.TMP\M.exe which itself has a detection rate of 19/54**. Out of all the standard analysis tools I have used, only Comodo CAMAS identified the network traffic, a POST to:
eyeseen .net/swift/gate.php
This is hosted on a SoftLayer IP of 198.105.221.5 in Singapore. A quick look at VirusTotal*** indicates a lot of badness on this IP address, so it is probably one worth blocking. The payload is Pony / Fareit, which is basically a password stealer."
* https://www.virustotal.com/en/file/9...is/1446107638/
** https://www.virustotal.com/en/file/4...is/1446108516/
*** https://www.virustotal.com/en/ip-add...5/information/
1] https://www.virustotal.com/en/file/9...is/1446107638/
2] https://www.hybrid-analysis.com/samp...nvironmentId=2
3] https://malwr.com/analysis/MGQ1ZDcyM...U4YjgwODY5YTE/
___
Fake 'eBay Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-e...pdf-malware-2/
29 Oct 2015 - "An email with the subject of 'Your eBay Invoice is Ready' pretending to come from eBay <ebay@ ebay .com> with a zip attachment is another one from the current bot runs... The content of the email says :
PLEASE DO NOT RESPOND – Emails to this address are not monitored or responded to.
Dear Customer,
Please open the attached file to view invoice.
If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download this attachment. If you require Adobe Acrobat Reader this is available at no cost...
This email has been scanned by the Symantec Email Security.cloud service.
This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.
29 October 2015: ebay_591278156712819_291015.zip: Extracts to: ebay_591278156712819_291015.exe
Current Virus total detections 1/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1446114782/
___
Fake 'Your Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/heathe...d-doc-malware/
29 Oct 2015 - "An email with the subject of 'Your Invoice I0000040777' pretending to come from Heather Crawford <h.crawford@ barclaycomms .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
Dear Customer. Please find attached your Invoice. Invoice Number: 0000040777 Invoice Date: 28/10/2015 Invoice Total: 78.40 Invoice Description: Barclay Fresh Direct Debit 1 V (x1.00000)
This e-mail, and any attachment, is confidential. If you have received it in error, please delete it from your system, do not use or disclose the information in any way, and notify me immediately. The contents of this message may contain personal views which are not the views of Barclay Communications, unless specifically stated.
29 October 2015: I0000040777.doc - Current Virus total detections 3/55*
... Downloads Dridex banking malware from
0319225577 .com/46435/087965.exe (VirusTotal 0/55**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
... Many versions pretend to have a digital RSA key and say you need to enable editing and Macros to see the content. Do NOT enable Macros... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1446115712/
** https://www.virustotal.com/en/file/f...is/1446114950/
0319225577 .com: 180.182.51.81: https://www.virustotal.com/en/ip-add...1/information/
___
Fake 'FedEx Label' SPAM - doc malware
- http://myonlinesecurity.co.uk/confir...d-doc-malware/
29 Oct 2015 - "An email about Walmart .com Returns with the subject of 'Confirmation from FedEx Email/Online Label' pretending to come from FedEx Email/Online Label NoReply <no-reply@ packagetrackr .com> with a malicious word doc is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...l-1024x589.png
29 October 2015: label_737929223.doc - Current Virus total detections 2/55* . Analysis via Payload Security hybrid analysis** tells me that it downloads writeonlabels .biz/media/system/m.exe
(VirusTotal 0/55***) and posts some information to dethetear .ru/sliva/gate.php. This looks a bit like the behaviour of the new Shifu banking malware which combines the worst elements of Dridex, Zeus, Pony and all the other information stealers... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4...is/1446133593/
** https://www.hybrid-analysis.com/samp...nvironmentId=1
*** https://www.virustotal.com/en/file/8...is/1446135044/
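Every "PDF malware" run on this page (the Tax Invoice, Payslip, BACS Remittance, VeriFone, RBS, ADP and eBay Invoice runs above) is the same trick: a ZIP whose single member is an .exe or .scr carrying a PDF icon, which Explorer hides behind the icon when known extensions are not shown. A mail gateway or triage script should trust neither the icon nor the name; it should look at the member names and at the first bytes of the content. The inspector below is an added example written for this page, not code from myonlinesecurity.co.uk or dynamoo.com. It assumes attachments arrive as raw bytes, the sample archive is constructed in memory, and it goes one step beyond the page by also flagging a PE body hidden under a document-looking name. It also handles the ADP variant, where the ZIP is password-protected with the password printed in the mail body: candidate passwords are tried, and a member that still cannot be opened is reported as unscannable rather than silently passed.

```python
import io
import zipfile

EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "cpl"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "jpg", "png", "txt"}


def name_flags(name: str) -> list:
    """Reasons derived from the member name alone (what the spoofed icon hides)."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXEC_EXT:
        reasons.append(f"executable extension .{ext}")
    if len(parts) > 2 and parts[-2] in DOC_EXT:
        reasons.append(f"document-looking double extension .{parts[-2]}.{ext}")
    return reasons


def inspect_zip(data: bytes, passwords=()) -> list:
    """Return [(member name, [reasons])] for every member worth a human look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = name_flags(info.filename)
            head = None
            if info.flag_bits & 0x1:  # traditional PKWARE encryption flag
                for pwd in passwords:  # e.g. the password quoted in the mail body
                    try:
                        with zf.open(info, pwd=pwd.encode()) as f:
                            head = f.read(2)
                        break
                    except RuntimeError:  # zipfile raises this on a bad password
                        continue
                if head is None:
                    reasons.append("encrypted member, no working password: content cannot be scanned")
            else:
                with zf.open(info) as f:
                    head = f.read(2)
            if head == b"MZ":  # DOS header magic every PE file starts with
                ext = info.filename.rsplit(".", 1)[-1].lower()
                if ext in EXEC_EXT:
                    reasons.append("content is a PE executable (MZ header)")
                else:
                    reasons.append("PE executable body under a non-executable name")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: two lures, one name/content mismatch, two benign files."""
    pe_stub = b"MZ" + b"\x00" * 62  # just the DOS magic; not a runnable program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Payslip 27Oct2015.scr", pe_stub)
        zf.writestr("invoice381624185029.pdf.exe", pe_stub)
        zf.writestr("statement.pdf", pe_stub)
        zf.writestr("report.pdf", b"%PDF-1.4\n%...\n")
        zf.writestr("Notes.txt", b"nothing to see\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip(build_sample_zip(), passwords=("941VAX332ED",)):
        print(name, "->", "; ".join(reasons))
```

Two bytes are enough for the PE check because the name-based reasons already carry the decision for the common case; reading more (for example to detect an embedded PDF icon resource) is possible but not needed to catch anything on this page. The unscannable-encrypted finding is the important one operationally: a password-protected archive that the gateway cannot open should be quarantined, not delivered with a clean verdict.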
Fake 'Purchase Order', 'Domain Suspension Notice' SPAM
FYI...
Fake 'Purchase Order' SPAM - doc malware
- http://myonlinesecurity.co.uk/clare-...d-doc-malware/
30 Oct 2015 - "An email with the subject of 'Purchase Order 0000035394 customer 09221' pretending to come from Clare Harding <purchasing@ carterspackaging .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...1-1024x727.png
30 October 2015: Purchase Order 0000035394.DOC - Current Virus total detections 4/55*
... Downloads ankarasogukhavadepo .com/45y3f34f/7jh4wqd.exe which appears to be Dridex banking malware (VirusTotal 1/55**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1446197496/
** https://www.virustotal.com/en/file/5...is/1446198752/
- http://blog.dynamoo.com/2015/10/malw...000035394.html
30 Oct 2015 - "This -fake- financial spam does not come from Carters Packaging Ltd but is instead a simple forgery with a malicious attachment... Carters Packaging are on the ball and have put a big notice on their site, which is nice work:
>> https://4.bp.blogspot.com/-kH6ud4vSu...-packaging.png "
___
Fake 'Domain Suspension Notice' SPAM - Cryptowall ransomware payload
- http://blog.dynamoo.com/2015/10/malw...uspension.html
29 Oct 2015 - "There appear to be many versions of this spam, aimed at domain owners and apparently coming from the actual registrar of the domain. For added authenticity, the owner's name is included in the spam...
From: ENOM, INC. [abuse@ enom.com .org]
Date: 30 October 2015 at 04:11
Subject: Domain ... Suspension Notice
Dear Sir/Madam,
The following domain names have been suspended for violation of the ENOM, INC. Abuse Policy ...
Click here and download a copy of complaints we have received...
... clicking on the link goes to edecisions .com/abuse_report.php?LAPTOP-MEMORY.COM and downloads a file LAPTOP-MEMORY.COM_copy_of_complaints.pdf.scr - it looks more authentic because the domain name is in the file download, but in fact you can specify -any- domain name and it gives a matching file. Before we look at the analysis of the downloaded executable, let's look at the domain name edecisions .com. It looks like the sort of domain that might contain abuse reports, but in fact it is a -hijacked- GoDaddy domain hosted on 65.78.174.100 and a quick look at VirusTotal* indicates that one of the other 4 sites on the same server was also -compromised- and was serving up malware in 2013. This is definitely a good candidate to block... several compromised domains on the same server, indicating that the entire box has been popped..."
* https://www.virustotal.com/en/ip-add...0/information/
... UPDATE: The payload appears to be the Cryptowall ransomware."
(More detail and IPs to block at the dynamoo URL above.)
edecisions .com: 65.78.174.100: https://www.virustotal.com/en/url/95...6f20/analysis/
>> http://support.melbourneit.com.au/ar...h-October-2015
27 Oct 2015 - "... advise that any customer that receives the email is to -delete- it immediately. If you are unsure of the validity of your emails please check the email headers to determine the source and return path for the email address..."
:fear::fear: :mad:
Fake 'Purchase Order', 'American Airlines' SPAM
FYI...
Fake 'Purchase Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malw...37087-por.html
2 Nov 2015 - "This -fake- financial spam does not come from K. Stevens (Leicester) Ltd but is instead a simple -forgery- with a malicious attachment.
From Margaret Wimperis [MargaretWimperis@ biasbinding .com]
Date Mon, 02 Nov 2015 18:28:23 +0700
Subject Purchase Order 37087-POR
Hi
Please confirm receipt of order
Kind regards
Margaret
K. Stevens (Leicester) Ltd. Portishead Road, Leicester LE5 0JL Reg. No. 3125088
This email and any attachments are believed to be virus free, however
recipients are responsible for appropriate virus checks. The email and
attachments are confidential to the addressee and unauthorised use, copying or
retention by others is prohibited...
Attached is a file PORDER.DOC which comes in three different versions (although I only have two samples [1] [2]) containing a malicious macro... which downloads a binary from the following locations:
saltup .com/34g3f3g/68k7jh65g.exe
landprosystems .com/34g3f3g/68k7jh65g.exe
jambidaily .com/34g3f3g/68k7jh65g.exe
This binary has a detection rate of 4/55* and according to that VirusTotal report, this reverse.it report** and this Malwr report*** it contacts the following IP:
128.199.122.196 (DigitalOcean, Singapore)
I strongly recommend that you -block- that IP. The payload is likely to be the Dridex banking trojan..."
1] https://www.virustotal.com/en/file/b...is/1446464337/
2] https://www.virustotal.com/en/file/d...is/1446464348/
* https://www.virustotal.com/en/file/f...is/1446464493/
** https://www.hybrid-analysis.com/samp...nvironmentId=1
128.199.122.196: https://www.virustotal.com/en/ip-add...6/information/
*** https://malwr.com/analysis/ZmJlZDJlM...Q5MjdhMzU5NDY/
- http://myonlinesecurity.co.uk/purcha...d-doc-malware/
2 Nov 2015
"... 2 November 2015: PORDER.DOC - Current Virus total detections 3/55*
... Downloads Dridex banking malware from one of these locations:
saltup .com/34g3f3g/68k7jh65g.exe (VirusTotal 4/55**)
landprosystems .com/34g3f3g/68k7jh65g.exe
jambidaily .com/34g3f3g/68k7jh65g.exe ..."
* https://www.virustotal.com/en/file/b...is/1446470703/
** https://www.virustotal.com/en/file/f...is/1446464493/
___
Fake 'American Airlines' SPAM - doc malware
- http://myonlinesecurity.co.uk/americ...d-doc-malware/
2 Nov 2015 - "An email appearing to be an American Airlines E-Ticket with the subject of 'E-Ticket Confirmation' pretending to come from American Airlines@ aa .com <notify@ hvacprofessional .net> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...1-1024x553.png
2 November 2015 : ticket_AA77799543.doc - Current Virus total detections 4/55*
... Contains an embedded ole object that drops a pony malware pu .exe (VirusTotal 2/55**), posts -stolen- information to
- http ://wicytergo .ru/sliva/gate.php
- http ://unlaccothe .ru/sliva/gate.php
- http ://thetedrenre .ru/sliva/gate.php
... Which in turn downloads Dyreza banking malware from one of these 3 sites:
- http ://eextensions .co/m.exe
- http ://www.10203040 .at/m.exe
- http ://www.eshtari .me/m.exe (VirusTotal 2/55***)
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1446486517/
** https://www.virustotal.com/en/file/a...is/1446486884/
*** https://www.virustotal.com/en/file/8...is/1446487008/
:fear::fear: :mad:
Fake 'Delivery Confirmation', 'New Invoice', 'Dispatch order' SPAM, EK notes...
FYI...
Fake 'Delivery Confirmation' SPAM - doc malware
- http://myonlinesecurity.co.uk/delive...d-doc-malware/
3 Nov 2015 - "An email with the subject of 'Delivery Confirmation: 0068352929' pretending to come from ACUVUE_DEL <ship-confirm@ acuvue .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
PLEASE DO NOT REPLY TO THIS E-MAIL. IT IS A SYSTEM GENERATED MESSAGE.
Attached is a pdf file containing items that have shipped
Please contact us if there are any questions or further assistance we can provide
3 November 2015: Advance Shipping Notification 0068352929.DOC - Current Virus total detections 3/54*
... Downloads http ://goalaskatours .com/45gce333/097j6h5d.exe which looks like Dridex banking malware (VirusTotal 4/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1446542730/
** https://www.virustotal.com/en/file/b...is/1446544379/
... Behavioural information
TCP connections
128.199.122.196: https://www.virustotal.com/en/ip-add...6/information/
191.234.4.50: https://www.virustotal.com/en/ip-add...0/information/
- http://blog.dynamoo.com/2015/11/malw...firmation.html
3 Nov 2015 - "... this Hybrid Analysis report* shows network communications to the following IPs:
128.199.122.196 (Digital Ocean, Singapore)
75.99.13.123 (Cablevision, US)
198.74.58.153 (Linode, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
The payload is most likely to be the Dridex banking trojan.
Recommended blocklist:
128.199.122.196
75.99.13.123
198.74.58.153
221.132.35.56 "
* https://www.hybrid-analysis.com/samp...nvironmentId=1
___
Fake 'New Invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/new-in...e-pdf-malware/
3 Nov 2015 - "An email with the subject of 'New Invoice from Documents Online' pretending to come from Documents Online Limited <sales@ documentsonline .co.uk> with a zip attachment is another one from the current bot runs... The content of the email says :
Dear Customer,
This is a notice that an invoice has been generated against your account, details of the invoice are as follows:
Invoice #241
Amount Due: 90.00GBP
Due Date: 01/12/2015
Payment Method: Bank Transfer
Invoice Items
... 75.00GBP
Sub Total: 75.00GBP
20.00% UK VAT: 15.00GBP
Credit: 0.00GBP
Total: 90.00GBP
Please find attached a copy of this invoice in PDF format for your records.
IMPORTANT: Please open the attached file using your temporary password. Your temporary password is: UCZ941QXO941 ...
3 November 2015: Invoice-241.zip: Extracts to: Invoice-241.exe
Current Virus total detections 0/53*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d...is/1446550339/
- http://blog.dynamoo.com/2015/11/malw...documents.html
3 Nov 2015 - "... Attached is a password-protected ZIP file Invoice-241.zip... which in turn contains a malicious executable Invoice-241.zip.exe ...
UPDATE: This Hybrid Analysis report* shows traffic consistent with Upatre dropping the Dyre banking trojan, including traffic to the well known bad IP of:
197.149.90.166 (Cobranet, Nigeria)"
* https://www.hybrid-analysis.com/samp...nvironmentId=1
___
Fake 'Dispatch order' SPAM - PDF malware
- http://myonlinesecurity.co.uk/josh-c...e-pdf-malware/
3 Nov 2015 - "An email with the subject of 'Dispatch order – 19579282466206' pretending to come from Josh Carr <Josh.Carr@ imstransport .com> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...6-1024x660.png
3 November 2015: 5969141.zip: Extracts to: 0810121.scr
Current Virus total detections 0/41*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1446564559/
___
Angler -and- Nuclear EK's integrate Pawn Storm Flash Exploit
- http://blog.trendmicro.com/trendlabs...flash-exploit/
Nov 3, 2015 - "... We found -two- vulnerabilities that were now being targeted by exploit kits, with one being the recent Pawn Storm Flash zero-day. Starting on October 28, we found that these two vulnerabilities were being targeted by the Angler and Nuclear exploit kits. (The second vulnerability was a Flash vulnerability that worked on versions up to 18.0.0.232; we are currently working with Adobe to confirm the CVE number for this exploit)... Our latest research confirms that the two exploit kits are abusing the Diffie-Hellman key exchange, with some minor differences from the previous usage. This is being done to hide their network traffic and to get around certain security products. The changes are an attempt to make analysis of their key exchange by researchers more difficult. The Angler EK has made the following changes to its usage of the Diffie-Hellman protocol. They add some obfuscation to what had previously been a relatively clear and obvious process... activity for the Angler exploit kit was higher in the earlier weeks of October; perhaps the addition of these vulnerabilities is an attempt to raise the traffic levels of the exploit back to the earlier levels. Users in Japan, the United States, and Australia were the most affected..."
Current Flash version - 19,0,0,226
Test here: https://www.adobe.com/software/flash/about/
:fear::fear: :mad:
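Several of the zip attachments above (Invoice-241.zip, 5969141.zip, the .pdf.scr download) rely on an executable carrying a PDF icon so that Windows' default "hide known extensions" setting shows something that looks like a document. The check below is an added example written for this thread, not code from any of the blogs quoted: it opens an attachment archive and flags members whose final extension is executable, double extensions such as .pdf.scr or .zip.exe, and members whose content starts with a PE header under a document name. The sample archive is constructed inline with a stub MZ header so the check runs offline.

```python
"""Flag executables hiding inside 'invoice' zip attachments (added example)."""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass
from pathlib import PurePosixPath

# Extensions Windows runs directly; the campaigns above ship .exe and .scr
# members behind a PDF icon.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a recipient expects on an invoice, ticket or shipping note.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf", ".zip"}


@dataclass(frozen=True)
class Finding:
    member: str
    reason: str


def suffixes(name: str) -> list[str]:
    """Lower-cased extension chain of a member name: 'a.pdf.scr' -> ['.pdf', '.scr']."""
    return [s.lower() for s in PurePosixPath(name.replace("\\", "/")).suffixes]


def inspect_attachment(zip_bytes: bytes) -> list[Finding]:
    """Return one Finding per suspicious trait found in the archive's members."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            exts = suffixes(info.filename)
            last = exts[-1] if exts else ""
            if last in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(info.filename, f"executable extension {last}"))
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(
                    info.filename,
                    f"double extension {''.join(exts[-2:])} disguises an executable as a document"))
            # Password-protected archives (as in the Invoice-241.zip case) still expose
            # member names, but the content cannot be read without the password.
            if info.flag_bits & 0x1:
                findings.append(Finding(info.filename, "encrypted member; only the name was checked"))
                continue
            with archive.open(info) as member:
                magic = member.read(2)
            # A PE file starts with the DOS 'MZ' signature whatever its name says.
            if magic == b"MZ" and last not in EXECUTABLE_EXTENSIONS:
                findings.append(Finding(info.filename, "PE header (MZ) under a non-executable name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive modelled on the attachments described above (not a real capture)."""
    fake_pe = b"MZ" + b"\x00" * 62  # a stub DOS header is enough for the magic check
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("Invoice-241.exe", fake_pe)
        archive.writestr("LAPTOP-MEMORY.COM_copy_of_complaints.pdf.scr", fake_pe)
        archive.writestr("summary.pdf", fake_pe)  # executable content, innocent name
        archive.writestr("notes.txt", b"plain text, nothing to flag")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_attachment(build_sample_zip()):
        print(f"{finding.member}: {finding.reason}")
```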
Fake 'Document from AL-KO', 'Billing', 'subpoena', 'PayPal' SPAM, Adware, Phish...
FYI...
Fake 'Document from AL-KO' SPAM - doc malware
- http://myonlinesecurity.co.uk/docume...d-doc-malware/
5 Nov 2015 - "An email with the subject of 'Document from AL-KO' pretending to come from info@ alko .co.uk with a malicious word doc attachment is another one from the current bot runs... The email looks like:
This document is DOC created by Osiris OSFAX(R) V3.5.
It can be viewed and printed with Microsoft Word(R)
5 November 2015: Document from AL-KO.doc - Current Virus total detections 0/54*.
... Downloads Dridex banking malware from:
www .mazzoni-hardware .de/f75f9juu/009u98j9.exe
deklompjes .nl/~maurice/f75f9juu/009u98j9.exe
members.dodo .com.au/~mfranklin17/f75f9juu/009u98j9.exe
www .www .www.enhancedpixel .com/f75f9juu/009u98j9.exe (VirusTotal 3/54**)
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1446722835/
** https://www.virustotal.com/en/file/1...is/1446723789/
... Behavioural information
TCP connections
75.99.13.123: https://www.virustotal.com/en/ip-add...3/information/
23.62.99.160: https://www.virustotal.com/en/ip-add...0/information/
- http://blog.dynamoo.com/2015/11/malw...rom-al-ko.html
5 Nov 2015 - "... detection rate of 4/54*... Other automated analyses [5] [6] show network traffic to:
128.199.122.196 (Digital Ocean, Singapore)
75.99.13.123 (Cablevision, US)
The payload appears to be the Dridex banking trojan.
Recommended blocklist:
128.199.122.196
75.99.13.123 "
* https://www.virustotal.com/en/file/1...is/1446729564/
5] https://www.hybrid-analysis.com/samp...nvironmentId=2
6] https://malwr.com/analysis/MTNjODQ1M...FiYzg0MzY2ZWE/
128.199.122.196: https://www.virustotal.com/en/ip-add...6/information/
___
Fake 'Billing' SPAM – PDF malware
- http://myonlinesecurity.co.uk/monthl...e-pdf-malware/
5 Nov 2015 - "An email with the subject of 'Monthly Billing 920493380924127516 – e-Online Data – amerikicks' coming from random companies, email addresses and names with a zip attachment is another one from the current bot runs... The content of the email says :
Amerikick Studios
Invoice #: 920493380924127516
Please use the HelpDesk for all problems/questions/suggestions. It is located at the bottom of the admin pages.
A full report in the attachment.
Billing for Nov 2015
This is your Payment Gateway monthly invoice...
5 November 2015: Final overdue bill order document.zip: Extracts to: 745348208.exe
Current Virus total detections 1/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1446738837/
___
Fake 'subpoena' attachment SPAM - doc malware
- http://myonlinesecurity.co.uk/i-got-...d-doc-malware/
5 Nov 2015 - "An email saying 'I got this subpoena in my mail box today' with the subject of 'sued used' pretending to come from dlittle@ cardataconsultants .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Nobody is being sued. Nobody is actually sending a subpoena to you by email. The email looks like:
I got this subpoena in my mail box today, saying that I have been sued by you.
I am sorry but I don’t even know what this is.
I am attaching a scanned copy , please let me know what this is about
Doug Little
Special Services Co-ordinator
CarDATA Consultants
Phone 289-981-2733 ...
5 November 2015 : subpoena.doc - Current Virus total detections 2/54*
This malicious word doc has -2- copies of a RTF file embedded inside it (MALWR**) that when extracted deliver an embedded fareit password stealing malware pm3.exe (VirusTotal 2/55***) that posts information to http ://littonredse .ru/gate.php
These malicious word docs normally also drop an Upatre downloader that in turn downloads a Dyreza banking malware... the macro inside the word doc seems to indicate that it should...
Update: somewhere along the line it also downloads:
- http ://s.teamzerostudio .com/x1.exe (VirusTotal[4])...
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...fff6/analysis/
** https://malwr.com/analysis/NTY3ZjEwM...E5ODhmMTliYTI/
*** https://www.virustotal.com/en/file/6...is/1446742200/
... Behavioural information
TCP connections
80.78.251.32: https://www.virustotal.com/en/ip-add...2/information/
119.81.144.82: https://www.virustotal.com/en/ip-add...2/information/
4] https://www.virustotal.com/en/file/e...is/1446746740/
___
PayPal Spam
- http://threattrack.tumblr.com/post/1...98/paypal-spam
Nov 5, 2015 - "Subjects Seen:
Your PayPal Invoice is Ready
Typical e-mail details:
Dear PayPal Customer,
Please open the attached file to view invoice.
Your monthly account statement is available anytime; just log in to your account. To correct any errors, please contact us through our Help Centre.
Malicious File Name and MD5:
paypal_955154675414192_110515.exe (2364e385b3fe22c9381e20a72ce520e5)
Screenshot: https://40.media.tumblr.com/d36cf5a5...r6pupn_500.png
Tagged: PayPal, Upatre
___
Trojanized adware; 20K popular apps caught in the crossfire
- https://blog.lookout.com/blog/2015/1...anized-adware/
Nov 4, 2015 - "Auto-rooting adware is a worrying development in the Android ecosystem in which malware roots the device automatically after the user installs it, embeds itself as a system application, and becomes nearly impossible to remove. Adware, which has traditionally been used to aggressively push ads, is now becoming trojanized and sophisticated. This is a new trend for adware... detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others..."
- http://net-security.org/malware_news.php?id=3144
05.11.2015
- http://arstechnica.com/security/2015...ble-to-remove/
Nov 4, 2015
___
Instagram 'free $50 Xbox cards' - Phish ...
- https://blog.malwarebytes.org/online...ode-generator/
Nov 5, 2015
> https://blog.malwarebytes.org/wp-con...a1-300x261.jpg
"... This tiled effect is achieved by uploading pieces of the larger image one by one, and could well help to attract attention from anybody interested in free $50 Xbox cards... it’s certainly a lot better looking than most similar promo splashes we see elsewhere... It claims to be a code generator, and wants visitors to enter an email-address-to-proceed after having selected their chosen reward. After hitting the 'Generate Code' button, the would-be recipient of free Xbox goodness sees one of those “We’re doing hacking stuff, honest” boxes pop up in the middle of the screen complete with regulation standard green text on black background:
> https://blog.malwarebytes.org/wp-con...xboxinsta3.jpg
... convincing people to fill in surveys has been around for many years, yet they continue to bring in those hopeful of a little free console cash. I’ve seen pretty much every variation of the above there is, and have yet to see a single supposed code generator which actually did just that. All you’ll get for your time and trouble is handing over personal information to marketers and / or potentially unwanted downloads. And after you’ve done all of that, there’s still no guarantee you’ll get anything at the end of it. Our advice is -not- to bother with offers such as these – no matter how nice their Instagram page looks."
:fear::fear: :mad:
Fake 'Invoice', 'Order Notification' SPAM, Cryptowall 4.0
FYI...
Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malw...4232-from.html
6 Nov 2015 - "This -fake- invoice does not come from Timber Solutions but is instead a simple -forgery- with a malicious attachment:
From: Kes [kerryadamson@ bigpond .com]
Date: 6 November 2015 at 11:07
Subject: Invoice #00004232; From Timber Solutions
Hi, please find attached our invoice for goods ordered under Order
No. 11146, which will be delivered tomorrow. Please pay into the
account, details of which are at the foot of the invoice. Kes
Attached is a file ESale.xls which I have seen just a single variant of across multiple emails. This has a VirusTotal detection rate of 3/54* and contains this malicious macro... which (according to this Hybrid Analysis report**) downloads a binary from:
advancedgroup .net .au/~incantin/334g5j76/897i7uxqe.exe
...this is saved as %TEMP%\tghtop.exe and has a detection rate of... zero***. Automated analysis of this binary [1] [2] shows network traffic to:
89.108.71.148 (Agava Ltd, Russia)
I strongly recommend that you -block- traffic to that IP. The payload is most likely to be the Dridex banking trojan."
* https://www.virustotal.com/en/file/5...is/1446810013/
** https://www.hybrid-analysis.com/samp...nvironmentId=1
*** https://www.virustotal.com/en/file/9...is/1446810177/
... Behavioural information
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-add...8/information/
88.221.14.163: https://www.virustotal.com/en/ip-add...3/information/
1] https://www.hybrid-analysis.com/samp...nvironmentId=1
2] https://malwr.com/analysis/NGE4ZDEzN...UyM2UxZDM0OGY/
___
Fake 'Order Notification' SPAM - PDF malware
- http://myonlinesecurity.co.uk/order-...e-pdf-malware/
5 Nov 2015 - "An email appearing to come from the 'London housing foundation' about tickets for a conference with the subject of 'Order Notification 72742018 for Opportunities Beyond Obstacles 2015 – Complimentary Registration' pretending to come from jayk@ lhf .org.uk with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...n-1024x546.png
5 November 2015: barf vermilion.zip: Extracts to: 018648187082.exe
Current Virus total detections 0/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e...is/1446759940/
___
Cryptowall 4.0 released ...
- http://net-security.org/malware_news.php?id=3145
06.11.2015 - "Cryptowall 4 (although the number is not mentioned in the new, changed ransom note) is not drastically different from version 3. According to malware researcher Nathan Scott*, it uses the same encryption, installation method, Decrypt Service site, communication method, C&C server, and ransom payment domains.
* http://www.bleepingcomputer.com/news...ed-file-names/
... Palo Alto Networks researchers have so far spotted** -ten- unique instances of CryptoWall version 4, and have provided SHA256 hashes for each sample they analyzed... performing regular backups of important files is highly advised - in the case that you fall for the scheme, you won't have to pay the ransom because your files can be restored."
** http://researchcenter.paloaltonetwor...liance-report/
Nov 5, 2015
> http://researchcenter.paloaltonetwor...11/crypto2.png
- http://www.hotforsecurity.com/blog/c...guy-12985.html
Nov 5, 2015
___
DirectRev Ad loads Flash Exploit, CryptoWall...
- https://blog.malwarebytes.org/malver...it-cryptowall/
Nov 5, 2015 - "We have been observing a series of -malvertising- attacks using an unusual but familiar delivery method recently... instead of relying on an exploit kit to compromise the victims’ machines, this technique simply relies on a disguised Flash advert that downloads its own exploit and payload. We previously encountered this attack pattern on two occasions, one for a Sparta Ad and another that involved RTB platform DirectRev. This latest attack features various ad platforms leading to a booby-trapped DirectRev ad...
> https://blog.malwarebytes.org/wp-con...Final_flow.png
... The Flash exploit is hosted on sensentive[.]com... The malware payload, CryptoWall, is retrieved from gearsmog[.]com... Both domains were created only a few seconds apart but reside on different IP addresses: 80.240.135.208 and 178.62.150.20..."
80.240.135.208: https://www.virustotal.com/en/ip-add...8/information/
178.62.150.20: https://www.virustotal.com/en/ip-add...0/information/
:fear::fear: :mad: