Fake 'Upcoming Payment', 'New Payment Received', '50 transactions' SPAM
FYI...
Fake 'Upcoming Payment' SPAM - JS malware delivers Dridex
- https://myonlinesecurity.co.uk/upcom...livers-dridex/
6 May 2016 - "An email with the subject of 'Upcoming Payment – 1 Month Notice' pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads Dridex. In exactly the same way as THIS[1] earlier Malspam run, the encrypted JavaScript file contains a long list of compromised sites that the Dridex banking Trojan is downloaded from...
1] https://myonlinesecurity.co.uk/someo...ads-to-dridex/
One of the emails looks like:
From: Mona Gates <GatesMona02@ ideadigitale .org>
Date: Thu 05/05/2016 23:20
Subject: Upcoming Payment – 1 Month Notice
Attachment: user_data_37776.zip
Please, be informed regarding the upcoming payment ID:30724, which must be paid in full until the June 1st, 2016.
Additional information is enclosed in the file down below.
6 May 2016: user_data_37776.zip: Extracts to: details_uQG07BLH189.js - Current Virus total detections 1/56*
.. MALWR** shows a download of Dridex banking trojan from a long list of sites (VirusTotal 7/55***). Sites discovered listed inside the encrypted js file include: (other versions of this might well include other sites):
... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1462487086/
** https://malwr.com/analysis/MjUxNzY0N...JjMWJmNDc1OGQ/
Hosts
*** https://www.virustotal.com/en/file/c...is/1462507119/
___
Fake 'New Payment Received' SPAM - JS malware delivers Dridex
- https://myonlinesecurity.co.uk/new-p...livers-dridex/
6 May 2016 - "Continuing with the overnight Malspam runs is yet another -Dridex- dropper with a long list of sites embedded inside the encrypted JavaScript file. This is an email with the subject of 'New Payment Received' pretending to come from random senders and email addresses with a zip attachment containing an encrypted JavaScript file... One of the emails looks like:
From: Kathie Miller <MillerKathie8660@ fixed-189-252-187-189-252-125 .iusacell .net>
Date: Fri 06/05/2016 02:01
Subject: New Payment Received
Attachment: caution_rob_522737.zip
You have just received a new payment! Trans number 97407. For more information please review the transaction report enclosed.
6 May 2016: caution_rob_522737.zip: Extracts to: cash_q9rTBHi225.js - Current Virus total detections 1/56*
.. MALWR** shows a download of Dridex banking Trojan from the same list of sites in THIS[1] post.
1] https://myonlinesecurity.co.uk/upcom...livers-dridex/
.. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f...is/1462497274/
** https://malwr.com/analysis/ZmVhZjIyM...JlYjc4NmI1Zjk/
Hosts
___
Fake '50 transactions' SPAM - JS malware delivers Locky
- https://myonlinesecurity.co.uk/i-hav...elivers-locky/
6 May 2015 - "An email with the subject of 'Re: ' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: Helen Velazquez <VelazquezHelen20082@ sas-pt .com>
Date: Fri 06/05/2016 09:46
Subject: Re:
Attachment: spreadsheet_98B.zip
Good evening driver,
As promised, I have attached the spreadsheet contains last 50 transaction and your account actual balance.
Regards,
Helen Velazquez
6 May 2016: spreadsheet_98B.zip: Extracts to: transactions 11791799.js - Current Virus total detections 23/56*
.. MALWR doesn’t show any downloads but a manual analysis gives me a download from
http ://girls.web-planet .su/hs93jaks (VirusTotal 3/55**).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1441173827/
** https://www.virustotal.com/en/file/f...is/1462525419/
TCP connections
185.22.67.108: https://www.virustotal.com/en/ip-add...8/information/
girls.web-planet .su: 217.107.34.231: https://www.virustotal.com/en/ip-add...1/information/
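Every run quoted in this post delivers a ZIP whose member is a .js (or .exe/.hta/.jar) dressed up with a document-like name and a borrowed icon, so that with extensions hidden it passes for a DOC or photo. The following is an added example, not code from the quoted blogs: a mail-gateway style triage that inspects a ZIP attachment in memory, without extracting or running anything, and reports the tells (script/executable extension, a document extension parked before the real one, statement/photo-style names, several identical copies). The sample archives and member names are constructed.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows hands straight to a loader or script host on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "wsh", "hta", "jar", "ps1"}
# Extensions the lures imitate with a borrowed icon or a look-alike name.
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "jpeg", "png", "rtf", "txt"}


@dataclass
class Finding:
    member: str
    reasons: list = field(default_factory=list)


def classify_member(name: str) -> list:
    """Reasons a ZIP member name looks like a payload dressed up as a document."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    reasons = []
    if len(parts) < 2:
        return reasons                      # no extension at all: nothing to judge here
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append(f"executable or script extension .{ext}")
    # 'Factuur 00055783-63845853.PDF.exe': a document extension parked before the real one
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        reasons.append(f"document extension .{parts[-2]} hidden before .{ext}")
    # 'transactions 11791799.js', 'Photo 05-11-2016, 42 11 82.js': statement/photo-style names
    stem = ".".join(parts[:-1])
    if " " in stem and any(ch.isdigit() for ch in stem):
        reasons.append("document-like name with spaces and digits")
    return reasons


def triage_zip(data: bytes) -> list:
    """Inspect a ZIP attachment (as bytes) without extracting or executing anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        for name in names:
            reasons = classify_member(name)
            if reasons:
                findings.append(Finding(name, reasons))
        # Several of the runs ship 2-3 identical scripts under different names;
        # equal CRCs across every member is a cheap tell for that.
        if len(names) > 1 and len({zf.getinfo(n).CRC for n in names}) == 1:
            for f in findings:
                f.reasons.append(f"{len(names)} identical copies of one file")
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(triage_zip(data))


def build_sample(members: dict) -> bytes:
    """Constructed in-memory ZIP standing in for a mail attachment (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: names echo the lures quoted above, contents are harmless text.
LURE_ZIP = build_sample({
    "urgent 802194.js": "// placeholder, not the real downloader\n",
    "urgent 802195.js": "// placeholder, not the real downloader\n",
    "urgent 802196.js": "// placeholder, not the real downloader\n",
})
BENIGN_ZIP = build_sample({"Q2 report.docx": "not a real docx", "notes.txt": "hello"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, "suspicious:", is_suspicious(blob))
        for f in triage_zip(blob):
            print("  ", f.member, "->", "; ".join(f.reasons))
```

The name checks are deliberately cheap so they can run on every inbound archive; a hit is a reason to quarantine for sandboxing, not a verdict on its own.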
Fake 'KPN', 'IMPORTANT TRANSACTION' SPAM, Malvertising Blogspot
FYI...
Fake KPN SPAM - CTB-Locker Ransomware
- https://blog.malwarebytes.org/cyberc...ker-infection/
May 9, 2016 - "... an email claiming to be from KPN – a Dutch provider of internet, television, and phone – claiming an amount so high that it should raise questions or at least your blood pressure. We can safely assume that it is intended to pique the receiver's curiosity enough to get them to click-one-of-the-links in the mail:
> https://blog.malwarebytes.org/wp-con...16/05/mail.png
... The spam template is an exact replica of mail KPN sends out to clients. But the “From” address is “KPN-betaalafspraak[AT]kpn[DOT]com” where real ones should come from... The three links all point to the same web address www2[DOT]uebler-gmbh[DOT]de, which is a site that belongs to a German job coaching firm. We informed them of the fact that their site is being used for this, but haven’t heard back yet. We have also informed the Dutch provider KPN through the normal channels, which probably means we will only get an automated response. Clicking-the-links in the mail will result in the download of a zip file containing a file called “Factuur 00055783-63845853.PDF.exe” showing up with a PDF icon. This is a well-known trick to deceive users that have file extensions set to “Hide extensions for known file types” into thinking that they are about to open a (harmless) document... Double-clicking the file will result in the start of the CTB locker ransomware. It creates a copy of the executable with a different name (here hlbvlli.exe) in the %Temp% folder and the creation of a Scheduled Task that will trigger that copied file every time the compromised system boots... After encryption, users are presented with the below ransom note:
> https://blog.malwarebytes.org/wp-con.../CTBlocker.png
... these tricks as ransomware is becoming a bigger and more prevalent threat -every- day..."
www2[DOT]uebler-gmbh[DOT]de: 217.114.79.125: https://www.virustotal.com/en/ip-add...5/information/
>> https://www.virustotal.com/en/url/d7...a6db/analysis/
___
Fake 'IMPORTANT TRANSACTION' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fwdim...endout-review/
9 May 2016 - "An email that appears to come from Western Union with the subject of 'FWD:IMPORTANT TRANSACTION SENDOUT REVIEW' pretending to come from InternationalOperations@ ababank .com <spil@ tim .spil .co.id> with a zip attachment is another one from the current bot runs which delivers malware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...T-1024x533.png
9 May 2016: Sendout-Transaction.zip: Extracts to: -2- identical files GRACE..jar and GRACE. MTCN9863521938- Copy.jar - Current Virus total detections 21/57*.. MALWR** ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1462811540/
** https://malwr.com/analysis/ODkxZWZlY...ZlN2Q4ZTY3Njk/
___
Locky gets clever
- https://www.fireeye.com/blog/threat-...ts_clever.html
May 9 2016 - "... Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam emails, and may have overshadowed the Dridex banking Trojan as the top spam contributor. FireEye Labs recently observed a new development in the way this ransomware communicates with its control server. Recent samples of Locky are once again being delivered via “Invoice”-related email campaigns, as seen in Figure 1.
1] https://www.fireeye.com/content/dam/...0Jain/Fig1.png
When the user runs the attached JavaScript, the JavaScript will attempt to download and execute the Locky ransomware payload from hxxp :// banketcentr .ru/v8usja. This new Locky variant was observed to be highly evasive in its network communication. It uses both symmetric and asymmetric encryption – unlike previous versions that use custom encoding – to communicate with its control server... Crimeware authors are constantly improving their malware. In this case, we see them evolving to protect their malware while maximizing its infection potential. Locky has moved from using simple encoding to obfuscate its network traffic to a complex encryption algorithm using hardware instructions that are very hard to crack. These types of advancements highlight the importance of remaining vigilant against suspicious emails and using advanced technologies to prevent infections..."
banketcentr .ru: 81.177.141.15: https://www.virustotal.com/en/ip-add...5/information/
>> https://www.virustotal.com/en/url/f8...7324/analysis/
___
Malvertising Blogspot: Scams, Adult Content and EK's
- https://blog.malwarebytes.org/threat...-exploit-kits/
May 9, 2016 - "... malvertising can and does target free blogging platforms as well. Just this morning, our friends at Virus Bulletin Martijn Grooten and Adrian Luca wrote about some sites hosted on Google’s Blogspot service pushing tech support scams:
> https://www.virusbulletin.com/blog/2...-support-scam/
We also caught some malicious activity on the Blogger platform this past week via the PLYmedia ad network. Some Blogspot websites clearly abuse the platform and stuff ads everywhere:
> https://blog.malwarebytes.org/wp-con...logger_ads.png
When browsing that Blogspot site, we were automatically -redirected- to an adult page, which is definitely not good if you have kids around:
> https://blog.malwarebytes.org/wp-con...05/match99.png
... There were also some -redirections- to the Angler-exploit-kit via -fake- advertisers using the fingerprinting technique:
Ad network: wafra.adk2x .com/ul_cb/imp?p=70368645&size=300×250&ct=html&ap=1300&u=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&r=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&iss=0&f=1
Rogue ad server: advertising.servometer .com/pagead/re136646/ad.jsp?click=%2F%2Fwafra.adk2x.com%2{redacted}
Google Open Referer: bid.g.doubleclick .net/xbbe/creative/click?r1=http%3A%2F%2Fstewelskoensinkeike.loanreview24.com%2FScKOygTMtj_rlf_qIEgRYCq.aspx
Angler EK landing: stewelskoensinkeike.loanreview24 .com/?k=pREU&o=gQ1U2eo&f=&t=MHl&b=O83rsW&g=&n=9rYB42&h=&j=aCYeE9iDym_Ao_T25Uhszm
... We have alerted Google about this issue and contacted PLYmedia to let them know about that rogue advertiser."
wafra.adk2x .com: 104.154.33.56
advertising.servometer .com: 51.255.17.36
stewelskoensinkeike.loanreview24 .com: Could not find an IP address for this domain name.
___
Hooplasearch and nt. hooplasearch .com Ads
- http://www.bleepingcomputer.com/viru...oplasearch-ads
May 6, 2016 - "'Hoopla Search' is a browser hijacker program from the Adware.BrowseFox family that hijacks your browser's default search engine and installs addons and extensions that inject advertisements in web pages and search results. 'Hoopla Search' uses these addons or extensions to -inject- advertisements into the search results on search engines such as Google and Yahoo. When the extension is installed, it will also display its own Hoopla Search page instead of your default home page..."
(Removal instructions at the bleepingcomputer URL above.)
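The CTB-Locker behaviour described in the KPN item above (a renamed copy of the executable in %Temp%, plus a Scheduled Task that launches it at every boot) leaves a pattern that can be hunted for in exported task definitions. This is an added example, not code from the Malwarebytes post: it parses Task Scheduler XML (the format `schtasks /query /xml` exports and Security event 4698 embeds) and flags tasks whose persistence trigger runs a command from a scratch directory. The task XML samples are constructed; the task names, paths and the directory list are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Triggers that make a task fire again after a reboot or logon, i.e. persistence.
PERSISTENCE_TRIGGERS = {"BootTrigger", "LogonTrigger"}
# User-writable scratch locations a boot-time task has no business launching from
# (assumed list; extend to match local policy).
SCRATCH_DIRS = re.compile(
    r"(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%\\|%tmp%\\)", re.IGNORECASE)


def assess_task(task_xml: str) -> dict:
    """Summarise one task definition and flag the %Temp%-plus-boot-trigger pattern."""
    root = ET.fromstring(task_xml)
    uri = root.find("t:RegistrationInfo/t:URI", NS)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [] if triggers_el is None else [
        child.tag.split("}")[-1] for child in triggers_el]
    commands = [(c.text or "").strip()
                for c in root.iterfind("t:Actions/t:Exec/t:Command", NS)]
    persistent = any(t in PERSISTENCE_TRIGGERS for t in triggers)
    from_scratch = [c for c in commands if SCRATCH_DIRS.search(c)]
    return {
        "name": None if uri is None else (uri.text or "").strip(),
        "triggers": triggers,
        "commands": commands,
        "persistent": persistent,
        "suspicious": persistent and bool(from_scratch),
    }


def suspicious_tasks(task_xmls) -> list:
    """Names of the tasks in a batch that match the pattern."""
    return [r["name"] for r in map(assess_task, task_xmls) if r["suspicious"]]


# Constructed sample: boot-time task running the renamed copy from %Temp% (hlbvlli.exe
# is the name given in the post; the user and task names are made up).
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\hlbvlli</URI></RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Local\Temp\hlbvlli.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: boot-time task, but launched from an installed location.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\Updater</URI></RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: %Temp% command but a one-shot time trigger, so no persistence.
ONESHOT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Installer\Cleanup</URI></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2016-05-09T10:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\Temp\setup_cleanup.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for xml in (MALICIOUS_TASK, BENIGN_TASK, ONESHOT_TASK):
        print(assess_task(xml))
    print("flagged:", suspicious_tasks([MALICIOUS_TASK, BENIGN_TASK, ONESHOT_TASK]))
```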
Fake 'Draft Receipt', 'RE: ', 'credit card statement' SPAM
FYI...
Fake 'Draft Receipt' SPAM - malicious doc attachment
- https://myonlinesecurity.co.uk/malwa...draft-receipt/
10 May 2016 - "An email pretending to be a receipt containing terrible spelling or typing mistakes with the subject of 'Re:Draft Receipt' pretending to come from Awad S.Yafie <yinengchem@ yeah .net> with a malicious word doc attachment is another one from the current bot runs...
Screenshot: https://myonlinesecurity.co.uk/wp-co...t-1024x614.png
The malicious word doc shows a blurred image that contains an embedded OLE object that will drop and run a file if you are unwise enough to follow their suggestion to double click to see content:
> https://myonlinesecurity.co.uk/wp-co...y-1024x535.png
10 May 2016: Draft-MSK-001.docx - Current Virus total detections 15/56*
.. MALWR** which contains an embedded OLE object ..Properly.exe (VirusTotal 21/56***).. MALWR[4]
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1462832094/
** https://malwr.com/analysis/NmM1YTQzM...hjYjNlOTNmM2I/
*** https://www.virustotal.com/en/file/5...is/1462830481/
4] https://malwr.com/analysis/NWYyMTE1Z...U0OWIyNjY3ZTU/
___
Fake 'RE: ' SPAM - js malware downloads Locky
- https://myonlinesecurity.co.uk/malwa...eads-to-locky/
10 May 2016 - "An email with the subject of 'RE: ' pretending to come from random senders with a zip attachment is another one from the current bot runs... One of the emails looks like:
From: Therese Slater <SlaterTherese8877@ pldt .net>
Date: Tue 10/05/2016 09:42
Subject: RE:
Attachment: wire_xls_AA8.zip
hi rob,
As I promised, the information you requested is attached.
Regards,
Therese Slater
10 May 2016: wire_xls_AA8.zip: Extracts to: transactions 30248504.js - Current Virus total detections 5/57*
.. MALWR** shows a download of Locky ransomware from
http ://jediff .com/fgh7hd (VirusTotal 7/57***) MALWR[4]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/9...is/1462870370/
** https://malwr.com/analysis/ODEwNGEwN...ExODY0ZWI4YzI/
Hosts
160.153.76.133: https://www.virustotal.com/en/ip-add...3/information/
>> https://www.virustotal.com/en/url/86...3f55/analysis/
185.82.202.170: https://www.virustotal.com/en/ip-add...0/information/
*** https://www.virustotal.com/en/file/6...is/1462871373/
4] https://malwr.com/analysis/NjY5OGI4M...ZiZTM4YTYyOTY/
Hosts
193.124.185.87: https://www.virustotal.com/en/ip-add...7/information/
jediff .com: 160.153.76.133
- http://blog.dynamoo.com/2016/05/malw...ument-you.html
10 May 2016 - "This fairly brief spam has a malicious attachment:
From: Alexandra Nunez
Date: 10 May 2016 at 21:10
Subject: Re:
hi [redacted],
As promised, the document you requested is attached
Regards,
Alexandra Nunez
The name of the sender varies. Attached is a ZIP file with a name export_xls_nnn.zip or wire_xls_nnn.zip (where nnn are random letters and numbers) which contains multiple copies of the same malicious .js file (all apparently beginning urgent). These scripts download slightly different binaries from several locations including:
4hotdeals .com.au/j47sfe
stationerypoint .com.au/cnb3kjd
floranectar .com.au/er5tsd
togopp .com/vbg5gf
printjuce .com/rt5tdf
designitlikeal .com/cvb3ujd
There are probably many more download locations. The typical detection rate for these binaries is about 12/56 [1] [2]... and automated analysis [6] [7]... shows network traffic to:
5.34.183.40 (ITL, Ukraine)
185.82.202.170 (Host Sailor, United Arab Emirates / Romania)
185.14.28.51 (ITL, Netherlands)
92.222.71.26 (OVH, France)
88.214.236.11 (Overoptic Systems, UK / Russia)
The payload is Locky ransomware
Recommended blocklist:
5.34.183.40
185.82.202.170
185.14.28.51
92.222.71.26
88.214.236.11 "
1] https://www.virustotal.com/en/file/c...46ba/analysis/
TCP connections
92.222.71.26
2] https://www.virustotal.com/en/file/9...c5a5/analysis/
TCP connections
185.82.202.170
6] https://malwr.com/analysis/ZGU3YjYxN...c1N2Q1NjkzZTY/
Hosts
185.82.202.170
7] https://malwr.com/analysis/NGY1YzE1M...dmMGM0ZTIyZDU/
Hosts
185.14.28.51
___
Fake 'credit card statement' SPAM - malicious attachment leads to Locky
- https://myonlinesecurity.co.uk/malwa...o-this-e-mail/
10 May 2016 - "An email with the subject of 'FW: ' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads what looks like Dridex banking Trojan...
Update: according to Payload Security[6] the dropped malware is Locky...
This set of emails has a zip attachment that extracts to an HTA file which is an Internet explorer specific scripting file wrapped inside a standard HTML file that the browser runs. It probably can run however in Chrome, Firefox and any other browser in use. This HTA file is -obfuscated- and encodes a long list of malware URLs inside it... One of the emails looks like:
From: Roselia Bellgrove <BellgroveRoselia914@ digicable .in>
Date: Tue 10/05/2016 10:05
Subject: FW:
Attachment: bruxner_copy_873488.zip
Please find your monthly credit card statement attached to this e-mail.
We would also like to let you know that your negative balance has reached a maximum limit.
10 May 2016: bruxner_copy_873488.zip: Extracts to: details_v35xnsfc24.hta - Current Virus total detections 0/57*
.. MALWR** doesn’t show any downloads BUT JSUnpack[3] gives me the list of download locations, some of which are live and some are not responding, giving me 403 errors (VirusTotal 2/57[4]) MALWR[5]...
.. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e...is/1462871863/
** https://malwr.com/analysis/OWE3ODYzY...Y4NGRlY2UwYzU/
3] http://jsunpack.jeek.org/?report=9d6...e81e80a5f0df22
4] https://www.virustotal.com/en/file/5...is/1462872640/
5] https://malwr.com/analysis/ZTM4Y2NlM...QxMWY1NjA2ZDA/
6] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
217.12.199.94: https://www.virustotal.com/en/ip-add...4/information/
>> https://www.virustotal.com/en/url/14...0ebe/analysis/
Fake 'Emailing: Photo', 'attached document' SPAM
FYI...
Fake 'Emailing: Photo' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spam-...elivers-locky/
11 May 2016 - "An email with the subject of 'Emailing: Photo 05-11-2016, 82 95 82' [random numbers] pretending to come from Your-own-email-address with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... One of the emails looks like:
From: your own email address
Date: Wed 11/05/2016 10:10
Subject: Emailing: Photo 05-11-2016, 82 95 82
Attachment: Photo 05-11-2016, 82 95 82.zip
Your message is ready to be sent with the following file or link
attachments:
Photo 05-11-2016, 82 95 82
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.
11 May 2016: Photo 05-11-2016, 82 95 82.zip: Extracts to: Photo 05-11-2016, 42 11 82.js
Current Virus total detections 2/56* | Hybrid analysis** | MALWR*** shows a download of Locky ransomware from
http ://gesdes .com/87yg7yyb (VirusTotal 5/57[4]) MALWR[5]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/b...is/1462957811/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
23.229.156.225
88.214.236.11
5.34.183.40
*** https://malwr.com/analysis/YWYwNmEzN...I0YTE1M2NhNjQ/
Hosts
23.229.156.225
4] https://www.virustotal.com/en/file/5...is/1462958159/
5] https://malwr.com/analysis/YzkzOWNkN...E5MjJhN2NkY2I/
gesdes .com: 23.229.156.225: https://www.virustotal.com/en/ip-add...5/information/
>> https://www.virustotal.com/en/url/91...8232/analysis/
- http://blog.dynamoo.com/2016/05/malw...5-11-2016.html
11 May 2016 - "This spam comes with a malicious attachment:
From: victim@ victimdomain .tld
To: victim@ victimdomain .tld
Date: 11 May 2016 at 12:39
Subject: Emailing: Photo 05-11-2016, 03 26 04
Your message is ready to be sent with the following file or link
attachments:
Photo 05-11-2016, 03 26 04
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.
It appears to come from the sender's own email address, but this is a simple forgery (explained here*). Attached is a ZIP file with a name similar to Photo 05-11-2016, 03 26 04.zip (the numbers in the attachment match the references in the email). It contains a .js file with a similar name.
* http://blog.dynamoo.com/2011/09/why-...self-spam.html
Trusted third-party analysis (thank you!) shows the various scripts downloading from:
This drops a file with a detection rate of 3/56*. This is likely to be Locky ransomware, a full analysis is pending. However an earlier Locky campaign today phoned home to:
185.82.202.170 (Host Sailor, United Arab Emirates)
88.214.236.11 (Overoptic Systems, UK / Russia)
5.34.183.40 (ITL, Ukraine)
According to a DeepViz report**, this sample has identical characteristics.
Recommended blocklist:
185.82.202.170
88.214.236.11
5.34.183.40 "
* https://www.virustotal.com/en/file/b...is/1462969284/
** https://sandbox.deepviz.com/report/h...5990d77a918a7/
___
Fake 'attached document' SPAM - JS attachment leads to malware
- https://myonlinesecurity.co.uk/spam-...elivers-locky/
11 May 2016 - "A series of emails with random subjects pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs... UPDATE: none of the automatic analysers are actually showing Locky, so it might be Dridex... Some of the subjects seen include:
Re: employees
Re: paychecks
Re: other names
Re: company
Re: Items
Re: build assemblies
Re: transfers
Re: credit memos
Re: checks
Re: estimates
Re: Chart of Accounts
Re: receive payments
Re: credit card charges
Re: item receipts
Re: Vendors ...
One of the emails looks like:
From: Nelda Morton <MortonNelda80048@ static .vnpt.vn>
Date: Wed 11/05/2016 10:34
Subject: Re: employees
Attachment:
hello [ recipients name]
You may refer to the attached document for details.
Regards,
Nelda Morton
11 May 2016: vendors_0A591E.zip: Extracts to: -3- identical .js files - urgent 802194.js
Current Virus total detections 4/57* | Payload Security** | MALWR*** shows a download of Locky Ransomware from
http ://compfixuk .co.uk/uy3hds (VirusTotal 11/57[4]) MALWR[5] | Payload Security[6]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...is/1462960440/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
185.14.28.51
88.214.236.11
185.82.202.170
*** https://malwr.com/analysis/OWJmYWMxM...JmMjE3MWU4YWE/
Hosts
81.201.141.119
92.222.71.26
4] https://www.virustotal.com/en/file/5...is/1462960706/
5] https://malwr.com/analysis/OGVmOWM2Z...IyMTUyNGFlNmQ/
Hosts
185.14.28.51
88.214.236.11
6] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
92.222.71.26
compfixuk .co.uk: 81.201.141.119: https://www.virustotal.com/en/ip-add...9/information/
>> https://www.virustotal.com/en/url/e4...56fb/analysis/
Separate 0-day vulns under attack, Tech Support Imposters
FYI...
Separate 0-day vulns under attack
- http://arstechnica.com/security/2016...ows-and-flash/
5/10/2016 - "... something that doesn't happen every day: the disclosure of -two- zero-day vulnerabilities, one in the Microsoft operating system[1] and the other in Adobe's Flash Player[2]. The Windows bug is being actively exploited in the wild, making it imperative that users install fixes that Microsoft released today as part of its May Patch Tuesday. Cataloged as CVE-2016-0189*, the security flaw allows attackers to surreptitiously execute malicious code when vulnerable computers visit booby-trapped websites...
* https://web.nvd.nist.gov/view/vuln/d...=CVE-2016-0189
Last revised: 05/11/2016 - '... Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site...'
7.6 HIGH
... Separately, Adobe officials warned that a newly discovered Flash** vulnerability also gives attackers the ability to remotely hijack machines. It was first reported by researchers from security firm FireEye, and exploits exist in the wild...
** https://web.nvd.nist.gov/view/vuln/d...=CVE-2016-4117
Last revised: 05/13/2016 - '... Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016...'
10.0 HIGH
... in-the-wild attacks reported by Symantec[3]... FireEye published a blog post[4]... that described how attackers managed to infect-more-than-100-organizations in North America using a zero-day vulnerability. The bug, however, was CVE-2016-0167, a privilege escalation flaw that Microsoft fixed*** in -last- month's Patch Tuesday..."
*** https://technet.microsoft.com/en-us/.../ms16-039.aspx
1] http://technet.microsoft.com/security/bulletin/MS16-051
May 10, 2016
- https://technet.microsoft.com/library/security/ms16-053
May 10, 2016 - Applies to:
Windows Server 2008 R2 Service Pack 1
Windows Server 2008 Service Pack 2
Windows Vista Service Pack 2
2] https://helpx.adobe.com/security/pro...apsb16-15.html
May 12, 2016
3] http://www.symantec.com/connect/blog...ks-south-korea
10 May 2016
4] https://www.fireeye.com/blog/threat-...ent-cards.html
May 11, 2016
___
Tech Support Imposters ...
- https://blog.malwarebytes.org/cyberc...-are-they-now/
May 13, 2016 - "... Fraud is still fraud, no matter how long your disclaimer is. Takedowns have been sent, and Malwarebytes will continue to monitor for the next time this group tries again. For more information on what you should know about tech support scammers to defend yourself, please check out the article here."
> https://blog.malwarebytes.org/tech-support-scams/
Fake 'Attached Picture', 'spreadsheet', 'Anti-Fraud' SPAM, Lloyds, Capital One -Phish
FYI...
Fake 'Attached Picture' SPAM - attachment leads to malware
- https://myonlinesecurity.co.uk/spam-...email-address/
16 May 2016 - "Another empty-blank-email email with the subject of 'Attached Picture' pretending to come from copier/scanner/[random numbers] @ your-own-email-address with a zip attachment is another one from the current bot runs which downloads what is likely to be Dridex... One of the emails looks like:
From: copier [random numbers] @ your own email address
Date: Mon, 16 May 2016 10:05:40
Subject: Attached Picture
Attachment: mandy@ ... _0779_436592056.zip
Body content: Blank/Empty
11 May 2016: Current Virus total detections 23/56* - MALWR** shows a download of an -unknown- malware from
http ://www.puertasjoaquin .com/987t5t7g?VOoIYjOJwN=BpMuEo (VirusTotal 2/57***) MALWR[4] | Payload Security[5]
None of the auto analysers are able to give a definite result as to what the malware is. It is more likely to be Dridex banking Trojan rather than Locky ransomware, when this happens... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1441173827/
** https://malwr.com/analysis/Y2M1NGNmO...RkZTNhNDc5MzY/
Hosts
81.88.48.79
*** https://www.virustotal.com/en/file/e...is/1463394033/
4] https://malwr.com/analysis/ODkwM2E4Z...YxODFkMTUyMTE/
5] https://www.hybrid-analysis.com/samp...ironmentId=100
puertasjoaquin .com: 81.88.48.79: https://www.virustotal.com/en/ip-add...9/information/
>> https://www.virustotal.com/en/url/6e...f547/analysis/
___
Fake 'spreadsheet' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/05/malw...d-revised.html
16 May 2016 - "This spam has a malicious attachment:
From: Britney Hart
Date: 16 May 2016 at 13:15
Subject: Re:
hi [redacted]
I have attached a revised spreadsheet contains customers. Please check if it's correct
Regards,
Britney Hart
Other variations of the body text seen so far:
I have attached a revised spreadsheet contains general journal entries. Please check if it's correct
I have attached a revised spreadsheet contains estimates. Please check if it's correct
Attached is a ZIP file with three identical malicious .js files. The ones I have seen so far download from
fundaciontehuelche .com.ar/897kjht4g34
thetestserver .net/fg45g4g
technobuz .com/876jh5g4g4
There are probably other download locations. Each one downloads a slightly different binary (VirusTotal prognosis [1] [2]..) and automated analysis [5] [6].. shows the malware phoning home to:
188.127.231.124 (SmartApe, Russia)
31.184.197.72 (Petersburg Internet Network, Russia)
92.222.71.26 (RunAbove / OVH, France)
149.202.109.202 (Evgenij Rusachenko aka lite-host.in, Russia / OVH, France)
The payload is Locky ransomware.
Recommended blocklist:
188.127.231.124
31.184.197.72
92.222.71.26
149.202.109.202 "
1] https://www.virustotal.com/en/file/7...is/1463401158/
2] https://www.virustotal.com/en/file/a...is/1463401746/
5] https://malwr.com/analysis/ZjhlNGNjM...IzZjIxNjgyYmY/
6] https://malwr.com/analysis/Zjc1MWFhN...FmMDY3MTU5MjY/
___
Fake 'Anti-Fraud' SPAM - delivers Locky ransomware
- https://myonlinesecurity.co.uk/spam-...elivers-locky/
16 May 2016 - "An email that pretends to alert you to strange activity on your credit card, with the subject of 'Anti-Fraud System-332571' [random numbered] pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: Mirabel Orton <OrtonMirabel31@ une .net.co>
Date: Mon 16/05/2016 17:10
Subject: Anti-Fraud System-332571
Attachment: bruxner_data_332571.zip
We have noticed a strange activity. Please, confirm the transaction made from your card and listed in the document attached.
16 May 2016: bruxner_data_332571.zip: Extracts to: post_scan_rhgzp.js - Current Virus total detections 23/56*
.. MALWR** shows a download of Locky ransomware from
http ://steeldrill .com.au/Cs0St6.exe (VirusTotal 6/57***) MALWR[4] | Payload Security[5]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1441173827/
** https://malwr.com/analysis/M2ZlYjk2M...IxODc0ZjFjY2U/
Hosts
203.143.85.203
*** https://www.virustotal.com/en/file/e...is/1463415891/
4] https://malwr.com/analysis/YWQ0Nzg4O...VlNzM3ZDZkY2E/
5] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
217.12.199.151: https://www.virustotal.com/en/ip-add...1/information/
>> https://www.virustotal.com/en/url/5e...e18e/analysis/
steeldrill .com.au: 203.143.85.203: https://www.virustotal.com/en/ip-add...3/information/
>> https://www.virustotal.com/en/url/f5...6b0e/analysis/
___
Fake 'Security report' SPAM - malicious attachment
- https://myonlinesecurity.co.uk/spam-...curity-report/
16 May 2016 - "An email with the subject of 'Security report' pretending to come from random senders with a zip attachment is another one from the current bot runs... Looks like Locky... One of the emails looks like:
From: Gwennie Patron <PatronGwennie32083@ babygate .net>
Date: Mon 16/05/2016 18:55
Subject: Security report
Attachment:
Hello ,due to the technical problems associated with our security system, we kindly ask our customers to review the recent report in order to approve your last transactions. Thanks
16 May 2016: securityx062CBD2.zip: Extracts to: data_xe2q2mizervx.js - Current Virus total detections 2/57*
.. Payload security** shows a download from one of these 3 locations
mantisputters .com/s7LUXu.exe | blueoxaladdin .com/pArFOY.exe | produtosvivabem .com.br/51aIMi.exe
(VirusTotal 3/57[3]) MALWR[4] | Payload Security [5]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1463421357/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
52.4.223.98
65.23.141.248
186.202.59.80
3] https://www.virustotal.com/en/file/0...is/1463422004/
4] https://malwr.com/analysis/OTY2M2VlZ...lkMmJhZmUyNTc/
5] https://www.hybrid-analysis.com/samp...ironmentId=100
mantisputters .com: 52.4.223.98: https://www.virustotal.com/en/ip-add...8/information/
>> https://www.virustotal.com/en/url/16...42e0/analysis/
blueoxaladdin .com: 65.23.141.248: https://www.virustotal.com/en/ip-add...8/information/
>> https://www.virustotal.com/en/url/fd...98f2/analysis/
produtosvivabem .com.br: 186.202.59.80: https://www.virustotal.com/en/ip-add...0/information/
___
Lloyds bank - Phish
- https://myonlinesecurity.co.uk/why-p...works-so-well/
16 May 2016 - "... the phishers use domain names that are so believable and the registrars allow them to register the domains...
Screenshot: https://myonlinesecurity.co.uk/wp-co...h-1024x786.png
The link in the email goes to http ://bank-update .com/personal/logon/ ... It even has the Lloyds bank icon in url bar. All they needed to do to make it 100% believable was either add a cheap or free SSL certificate or use a padlock symbol as an icon instead of the Lloyds black horse icon:
> https://myonlinesecurity.co.uk/wp-co...e-1024x588.png
This asks you for your user name & password and then 3 characters from your secret information ( as does the genuine Lloyds bank) then full secret information and phone number, then secret information, phone number and password, then -bounces- you to genuine Lloyds bank site."
bank-update .com: 66.225.198.23: https://www.virustotal.com/en/ip-add...3/information/
>> https://www.virustotal.com/en/url/a5...e67b/analysis/
104.128.234.224: https://www.virustotal.com/en/ip-add...4/information/
>> https://www.virustotal.com/en/url/e6...1bb4/analysis/
___
Capital One - Phish
- https://myonlinesecurity.co.uk/phish...pital-one-360/
16 May 2016 - "... more difficult to detect phishing attempt this time... Many card companies and banks do send PDF files as attachments with credit card statements. Some no doubt will have links to the bank website. Starts with a Blank email.
Screenshot: https://myonlinesecurity.co.uk/wp-co...al_one_pdf.png
The link in the PDF goes to http ://demelos .com.au/classes/commons/config/actionnn.htm which sends you on to http ://https-secure-capitalone360 .com-myaccount-banking.demelos .com.au/e8ea76f546cb0ea35cc83e95d7ae37eb/
where you see this webpage and it goes on to a typical phishing page asking for loads of personal & private details that compromise you completely.":
> https://myonlinesecurity.co.uk/wp-co...h-1024x656.png
demelos .com.au: 27.121.64.122: https://www.virustotal.com/en/ip-add...2/information/
>> https://www.virustotal.com/en/url/e1...858b/analysis/
>> https://www.virustotal.com/en/url/d7...0e77/analysis/
___
The Million-Machine 'Clickfraud' Botnet
- http://www.computerworld.com/article...computers.html
May 16, 2016 - "... The click-fraud botnet earns its creators money through Google's AdSense for Search program, according to researchers from security firm Bitdefender*. The affiliate program, intended for website owners, allows them to place a Google-powered custom search engine on their websites to generate revenue when users click on ads displayed in the search results... Strategies have changed dramatically in the past few years, with new approaches... this botnet's operators -intercept- Google, Bing, and Yahoo searches performed by users on their own computers and replace the legitimate results with those generated by their custom search engine. They do this using a malware program that Bitdefender products detect as Redirector.Paco. Since mid-September 2014, Redirector.Paco has infected more than 900,000 computers worldwide, mainly from India, Malaysia, Greece, the U.S., Italy, Pakistan, Brazil, and Algeria, the Bitdefender researchers said in a blog post Monday*..."
* https://labs.bitdefender.com/2016/05...kfraud-botnet/
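Several of the samples above are a ZIP that extracts to a .js with a document-looking name, or to several identical copies of the same downloader, and the posts keep pointing at the "show known file extensions" setting. The script below is an added example, not code from this thread or the blogs it quotes: it opens an attachment archive without running anything and reports script members, decoy double extensions and groups of members that are the same file. The archive it triages is constructed in build_sample_zip() with made-up member names; the padding-stripping hash is an assumption about how such clones differ (trailing runs of "/" comment characters) rather than something the posts state.

```python
"""Triage of a mail-attachment ZIP, the first thing to do with samples like
the ones above before opening anything.

Added example; not code from the thread or the blogs it quotes.  The archive
built by build_sample_zip() is constructed here, with made-up member names
that mirror what the posts describe: a .js named to look like a media/document
file, and several copies of one downloader that differ only in comment padding.
"""
import hashlib
import io
import re
import zipfile

# Extensions Windows executes (WScript/cmd/Explorer) no matter what icon is shown.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".exe",
               ".scr", ".cmd", ".bat", ".ps1", ".lnk"}
# Extensions users treat as harmless; "x.pdf.js" is shown as "x.pdf" when
# "Hide extensions for known file types" is on (the Windows default).
DECOY_EXTS = {".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".wav", ".xls", ".txt"}

# Runs of '/' at end of line: JS comment padding used to bloat identical copies
# (assumed form of the padding; adjust if the clones differ some other way).
_PAD_RE = re.compile(rb"//+[ \t]*$", re.M)


def _exts(name: str) -> list:
    """Lower-case extension chain: 'a/b.pdf.js' -> ['.pdf', '.js']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def normalised_hash(data: bytes) -> str:
    """SHA-256 after stripping comment padding, so padded clones collapse."""
    return hashlib.sha256(_PAD_RE.sub(b"", data)).hexdigest()


def triage_zip(blob: bytes) -> dict:
    """Report script members, decoy double extensions and duplicate groups."""
    findings = {"script_members": [], "double_extension": [], "duplicate_groups": []}
    by_hash = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _exts(info.filename)
            if exts and exts[-1] in SCRIPT_EXTS:
                findings["script_members"].append(info.filename)
                if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
                    findings["double_extension"].append(info.filename)
            by_hash.setdefault(normalised_hash(zf.read(info)), []).append(info.filename)
    findings["duplicate_groups"] = [n for n in by_hash.values() if len(n) > 1]
    findings["verdict"] = ("suspicious"
                           if findings["script_members"] or findings["duplicate_groups"]
                           else "no script payload seen")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one decoy-named downloader plus three copies of a
    second one padded with different amounts of '////'.  The JS body is a
    placeholder line, not a real downloader."""
    js = b"var sh = new ActiveXObject('WScript.Shell');\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("MSG0000123.wav.js", js)
        for i, pad in enumerate((40, 400, 4000)):
            zf.writestr(f"history_{i}.js", js + b"/" * pad + b"\n")
        zf.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_zip(build_sample_zip()).items():
        print(f"{key}: {value}")
```

The "show known file extensions" setting the posts refer to is Explorer's "Hide extensions for known file types" (the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced); with it on, the triage above is the only place the ".js" in "MSG0000123.wav.js" is visible at all.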
Multiple Locky ransomware emails/attachments; TechSupportScams - phone extortion
FYI...
Fake Multiple subjects SPAM - attachments delivering Locky ransomware
- https://myonlinesecurity.co.uk/spam-...ky-ransomware/
17 May 2016 - "... Locky ransomware emails overnight with varying subjects all pretending to come from random senders with either zip attachments or word doc macro attachments... Some of the subjects seen include:
Your .pdf document is attached
Re:
Hedy Castaneda
Dara Keith
The word doc ones have a subject that matches the alleged sender. One of the emails with a word doc attachment looks like:
From: Dara Keith <admin@ hk-mst .com>
Date: Tue 17/05/2016 04:49
Subject: Dara Keith
Attachment: 706-d4390-lncnvy.dotm
Hello
Please find the report attached to this message. The Payment should appear in 1-2 days.
Dara Keith
Alternative body content
Please review the report attached to this email. The Transfer will be posted within one day.
Best regards
17 May 2016: 706-d4390-lncnvy.dotm - Current Virus total detections 2/57* 2/56[1] 2/57[2].. MALWR [a] [b1].. doesn’t show any downloads. It is likely that the download sites will match the other Locky downloaders using zip attachments. I am waiting for full analysis...
Update: finally got an analysis from Payload security[7] of 1 of the word doc files which shows a download from
xlstrategy .com/ch.jpg?Ux=43 which is a genuine jpg, however the jpg contains malware -embedded- inside it, which is extracted via the malicious-macro and a VBS file that the macro creates (VirusTotal 4/57[8]). This actually is Dridex banking trojan not Locky.
7] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
107.180.20.71: https://www.virustotal.com/en/ip-add...1/information/
>> https://www.virustotal.com/en/url/2b...5ac2/analysis/
8] https://www.virustotal.com/en/file/5...is/1463492903/
* https://www.virustotal.com/en/file/d...is/1463461891/
1] https://www.virustotal.com/en/file/d...is/1463467476/
2] https://www.virustotal.com/en/file/3...is/1463467521/
a] https://malwr.com/analysis/MzQwN2Y1M...E1M2UxMTAyOWY/
b1] https://malwr.com/analysis/MGE2MjA1Z...FlNDc3OWM2ZDQ/
One of the emails with a zip attachment looks like:
From: Your own email address
Date: Tue 17/05/2016 01:38
Subject: Your .pdf document is attached
Attachment: D948699.zip
Body content: Blank/Empty email body
17 May 2016: D948699.zip: extracts to 20160516_38064087_27108995.js - Current Virus total detections 9/57[3]
.. downloads from hrlpk .com/7834hnf34?XrkJSbPOxS=klrLzHBbOX (VirusTotal 11/56[4])
3] https://www.virustotal.com/en/file/6...is/1463459479/
4] https://www.virustotal.com/en/file/d...is/1463457732/
TCP connections
217.12.199.151: https://www.virustotal.com/en/ip-add...1/information/
hrlpk .com: 203.124.43.226: https://www.virustotal.com/en/ip-add...6/information/
>> https://www.virustotal.com/en/url/43...3020/analysis/
Another one of the emails with a zip attachment looks like:
From: Ryan Solomon <SolomonRyan332@ cparsons .net>
Date: Tue 17/05/2016 01:42
Subject: Re:
Attachment: sales orders_BEA6B3A2.zip
hi vbygry
Please refer to the attached document contains sales orders
Let me know if it’s correct
Regards,
Ryan Solomon
17 May 2016: sales orders_BEA6B3A2.zip: extracts to history 8426558.js - Current Virus total detections 6/57[5]
.. downloads from http ://fundacionbraun .com/gh567jj56 (VirusTotal 11/57[6]) The zip attachment here contains 3 identical copies of the .js file all padded with loads of //// to confuse analysis and make them look much bigger than they are...
5] https://www.virustotal.com/en/file/5...is/1463462139/
6] https://www.virustotal.com/en/file/d...is/1463447956/
TCP connections
188.127.231.124: https://www.virustotal.com/en/ip-add...4/information/
fundacionbraun .com: 209.126.254.163: https://www.virustotal.com/en/ip-add...3/information/
>> https://www.virustotal.com/en/url/ae...5ac4/analysis/
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
___
Fake 'car booking' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spam-...elivers-locky/
17 May 2016 - "... an email with the subject of 'FW: ' pretending to be a notification of a car booking and also pretending to come from random senders with a zip attachment containing a nemucod javascript downloader is also another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: Jo-Ann Crowe <CroweJo-Ann0223@ londonrelax .co.uk>
Date: Tue 17/05/2016 07:54
Subject: FW:
Attachment: copy-20160517122213.zip
Thank you for booking you car with us, we hope you enjoy our service. Rental agreement is enclosed to this e-mail.
17 May 2016: copy-20160517122213.zip: Extracts to: data_vevbypapxx.js - Current Virus total detections 4/57*
.. MALWR** shows a download of Locky ransomware from
http ://myfloralkart .com/MwtBk1.exe (VirusTotal 21/56***).... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1463468058/
** https://malwr.com/analysis/ODhmNDNmY...Q5MDc4NWY4ZmM/
Hosts
198.57.205.1: https://www.virustotal.com/en/ip-add...1/information/
128.199.120.158
176.58.99.126: https://www.virustotal.com/en/ip-add...6/information/
*** https://www.virustotal.com/en/file/0...is/1463463109/
myfloralkart .com: 128.199.120.158: https://www.virustotal.com/en/ip-add...8/information/
>> https://www.virustotal.com/en/url/60...eb16/analysis/
___
Fake 'contract' SPAM - downloads Locky
- https://myonlinesecurity.co.uk/spam-...tract-with-us/
17 May 2016 - "... email with the subject of 'FW: ' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: Susann Faitele <FaiteleSusann335@ webtravelmarket .com>
Date: Tue 17/05/2016 11:34
Subject: FW:
Attachment: security-20160517160422.zip
Thanks for choosing our company and signing a contract with us, we’re sending you a copy as promised.
17 May 2016: security-20160517160422.zip: Extracts to -2- different files: data_veivommzha.js (Current Virus total detections 4/57*) and archive_doctomjjz.js (VirusTotal 4/56**)
.. MALWR [1] [2] shows a download of Locky ransomware from one of these sites (VirusTotal 4/56[3])
http ://soco-care .be/zcHRd8.exe
http ://delicadinha .com.br/MSr7Uy.exe
http ://pro.monbento .com/8Uya5I.exe
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8...is/1463481488/
** https://www.virustotal.com/en/file/9...is/1463481291/
1] https://malwr.com/analysis/ZmFjZWI2M...Q4MTIyN2Q0Y2Y/
Hosts
201.94.232.185: https://www.virustotal.com/en/ip-add...5/information/
>> https://www.virustotal.com/en/url/78...e960/analysis/
79.174.131.11: https://www.virustotal.com/en/ip-add...1/information/
>> https://www.virustotal.com/en/url/f2...1bd0/analysis/
188.165.125.141: https://www.virustotal.com/en/ip-add...1/information/
>> https://www.virustotal.com/en/url/6c...09b0/analysis/
2] https://malwr.com/analysis/MGEwMTk5N...VhMmQ4NDJmYjg/
Hosts
201.94.232.185
79.174.131.11
188.165.125.141
3] https://www.virustotal.com/en/file/5...is/1463485442/
___
Fake 'Per E-Mail' SPAM - malicious attachment is Locky ransomware
- http://blog.dynamoo.com/2016/05/malw...il-senden.html
17 May 2016 - "This German-language -spam- comes with a malicious attachment. It appears to come from the victim themselves, but this is just a simple-forgery.
From: victim@ victimdomain .tld
Date: 17 May 2016 at 13:28
Subject: Per E-Mail senden: DOC0000329040
Folgende Dateien oder Links können jetzt als Anlage mit Ihrer Nachricht
gesendet werden:
DOC0000329040
Attached is a ZIP file that matches the reference number in the subject and body text. I have only seen one sample, downloading a binary from:
katyco .net/0uh8nb7
The VirusTotal detection rate is 4/57*, the comments in that report indicate that this is Locky ransomware and the C&C servers are at:
188.127.231.124 (SmartApe, Russia)
176.53.21.105 (Radore Veri Merkezi Hizmetleri, Turkey)
217.12.199.151 (ITL, Ukraine)
107.181.174.15 (Total Server Solutions, US)
Recommended blocklist:
188.127.231.124
176.53.21.105
217.12.199.151
107.181.174.15 "
* https://www.virustotal.com/en/file/4...65d5/analysis/
Comments:
> https://myonlinesecurity.co.uk/spam-...elivers-locky/
17 May 2016
>> https://malwr.com/analysis/NmZiZmZhO...U2NjViZDNhM2Q/
Hosts
203.162.53.112: https://www.virustotal.com/en/ip-add...2/information/
katyco .net: 203.162.53.112
___
Fake 'BILL' SPAM - downloads Locky
- https://myonlinesecurity.co.uk/spam-...-mills-co-ltd/
17 May 2016 - "An email with the subject of 'BILL' pretending to come from Store-Nellimarla Jute Mills Co Ltd. <yfstore857@ slsenterprise .com> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs downloading Locky... The email looks like:
From: . <yfstore857@ slsenterprise .com>
Date:
Subject: BILL
Attachment:
Sir,
Please find the attached file.
17 May 2016: Bill_481575758.xls - Current Virus total detections 6/57*
.. MALWR** shows a download from
http ://seahawkexports .com/89yg67no (VirusTotal ***).. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...is/1463496996/
** https://malwr.com/analysis/M2VmM2ZjO...k0MGFkYzk4MjE/
Hosts
43.242.215.197: https://www.virustotal.com/en/ip-add...7/information/
>> https://www.virustotal.com/en/url/01...6167/analysis/
*** https://www.virustotal.com/en/file/b...is/1463500609/
seahawkexports .com: 43.242.215.197
___
Tech Support Scammers - 'Screen Lockers'
- https://blog.malwarebytes.org/cyberc...creen-lockers/
May 17, 2016 - "... -bogus- browser locks and -fake- AV alerts which are mostly an annoyance and can somewhat easily be disabled... But things have been changing with more serious malware-like techniques to force people into calling rogue tech support call centres. We previously saw a case of fake Blue Screen Of Death (BSOD) actually locking-up people’s desktops and now there is a growing demand for such ‘products’. Below is a Facebook post advertising a 'locker' specifically designed for tech support scams. It tricks users into thinking their Windows license has expired and blocks them from using their computer:
> https://blog.malwarebytes.org/wp-con...FB_posting.png
To be clear, this is -not- a fake browser pop up that can easily be terminated by killing the application or restarting the PC. No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will -not- get rid of it. There is an entire ecosystem to distribute these tech support lockers, which includes bundling them into affiliate (Pay Per Install) applications. What you -thought- was a PC optimizer or Flash-Player-update turns out to be a bunch of useless toolbars and, in some cases, one of these lockers. Another reason yet, if there weren’t enough already to -stay-away- from-adware-supported-programs... This is a -fake- Windows update but the average user will probably not see the difference. More troubling is the next screen that comes up and effectively -disables-the-computer- because of an expired license key. The message looks legitimate with the license key and computer name being retrieved from the victim’s actual computer:
> https://blog.malwarebytes.org/wp-con...016/05/key.png
The only recourse it seems is to call the toll-free number for assistance. As you can imagine, these fake Windows programs are great leads for tech support call centres waiting to collect the credit card numbers of unsuspecting users. We called the number (1-844-872-8686) provided on the locked screen and after much back and forth, the technician revealed a hidden functionality to this locker... However, the rogue ‘Microsoft technician’ would not proceed any further until we paid the $250 fee to unlock the computer, which we weren’t going to... these Windows lockers are a real pain to get rid of and until you do so, your computer is completely unusable. Just in the past few days we have noticed more and more users complaining about these new lockers. This increased sophistication means that people can no longer simply rely on common sense or avoid the typical cold calls from ‘Microsoft’. Now they need to also have their machines protected from these attacks because scammers have already started manufacturing malware tailored for what is essentially plain and simple extortion over the phone..."
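The dynamoo posts above end with a recommended blocklist of C&C addresses, and the myonlinesecurity ones list the compromised sites the payload is pulled from, both in the defanged "dot-space" form. The script below is an added example, not part of this thread or the quoted blogs: it refangs those indicators and runs them over proxy log lines, matching both the URL host (exact or subdomain) and the resolved peer address. IOC_TEXT reuses indicators quoted in this post; LOG_LINES are constructed Squid-style access.log lines, not captured traffic (the client addresses, the POST to the C&C root, and the "cdn." subdomain are made up).

```python
"""Check proxy logs against the indicators posted above.

Added example; not part of the thread or the blogs it quotes.  IOC_TEXT reuses
the C&C and download-site indicators from this post in the defanged
"dot-space" form the posts use.  LOG_LINES are constructed Squid-style
access.log lines (the client IPs, the POST target path and the 'cdn.'
subdomain are made up), not captured traffic.
"""
import ipaddress
import re
from urllib.parse import urlsplit

IOC_TEXT = """
188.127.231.124 (SmartApe, Russia)
176.53.21.105 (Radore Veri Merkezi Hizmetleri, Turkey)
217.12.199.151 (ITL, Ukraine)
107.181.174.15 (Total Server Solutions, US)
katyco .net/0uh8nb7
fundacionbraun .com/gh567jj56
http ://myfloralkart .com/MwtBk1.exe
"""

# Squid native format: time elapsed client code/status bytes method URL ident hier/peer type
LOG_LINES = [
    "1463486400.123   245 10.0.0.12 TCP_MISS/200 183296 GET http://katyco.net/0uh8nb7 - HIER_DIRECT/203.162.53.112 application/octet-stream",
    "1463486405.987    88 10.0.0.12 TCP_MISS/200 512 POST http://188.127.231.124/ - HIER_DIRECT/188.127.231.124 text/html",
    "1463486410.001    12 10.0.0.40 TCP_HIT/200 9130 GET http://www.example.com/index.html - HIER_NONE/- text/html",
    "1463486415.500   301 10.0.0.51 TCP_MISS/200 201728 GET http://cdn.fundacionbraun.com/gh567jj56 - HIER_DIRECT/209.126.254.163 application/x-dosexec",
]

_IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def refang(text: str) -> str:
    """Undo the defanging used in the posts: 'http ://x .com' -> 'http://x.com'."""
    text = text.replace("http ://", "http://").replace("hxxp", "http")
    return re.sub(r"\s+\.", ".", text)


def parse_iocs(text: str):
    """Split indicator lines into a set of IP addresses and a set of hostnames."""
    ips, hosts = set(), set()
    for line in refang(text).splitlines():
        line = line.strip()
        if not line:
            continue
        m = _IP_RE.match(line)
        if m:
            ips.add(ipaddress.ip_address(m.group()))
            continue
        host = urlsplit(line if "://" in line else "http://" + line).hostname
        if host:
            hosts.add(host.lower())
    return ips, hosts


def _as_ip(s):
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def host_matches(host: str, hosts) -> bool:
    """Exact or subdomain match; a compromised site may serve from any vhost."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in hosts)


def scan_line(line: str, ips, hosts):
    """Return a hit dict for one Squid line, or None."""
    f = line.split()
    if len(f) < 9:
        return None
    url, peer = f[6], f[8].partition("/")[2]
    reasons = []
    host = urlsplit(url).hostname or ""
    if _as_ip(host) in ips:
        reasons.append(f"request to C&C address {host}")
    elif host_matches(host, hosts):
        reasons.append(f"download from known payload site {host}")
    if _as_ip(peer) in ips and not reasons:
        reasons.append(f"peer {peer} on blocklist")   # host not listed, resolved IP is
    return {"client": f[2], "url": url, "reasons": reasons} if reasons else None


def scan_log(lines, ips, hosts):
    return [hit for hit in (scan_line(l, ips, hosts) for l in lines) if hit]


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES, *parse_iocs(IOC_TEXT)):
        print(hit["client"], hit["url"], "; ".join(hit["reasons"]))
```

The C&C addresses in these lists are hosting-provider ranges that change between campaigns, so the IP hits identify machines that already ran the payload; the download-site hits are the earlier signal, and the subdomain match is there because the same compromised host is often reached under several names.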
Fake 'DOC', 'Invoice', 'DHL shipment', 'Remittance Advice' SPAM
FYI...
Fake 'DOC' SPAM - JS malware
- https://myonlinesecurity.co.uk/spam-...email-address/
18 May 2016 - "Another email with the subject of 'Emailing: DOC 05-18-2016, 04 49 68' [random numbered] pretending to come from your own email address with a zip attachment is another one from the current bot runs... slightly different subjects all with random numbers after the date
Emailing: Picture 05-18-2016, 34 57 55
Emailing: DOC 05-18-2016, 04 49 68
Emailing: Image 05-18-2016, 12 20 14
Emailing: photo 05-18-2016, 60 93 51
... One of the emails looks like:
From: Your own email address
Date: Wed 18/05/2016 11:31
Subject: Emailing: DOC 05-18-2016, 04 49 68
Attachment: DOC 05-18-2016, 04 49 68.zip
Your message is ready to be sent with the following file or link
attachments:
DOC 05-18-2016, 04 49 68
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.
18 May 2016: DOC 05-18-2016, 04 49 68.zip: Extracts to: HWC4703756.js - Current Virus total detections 6/57*
.. MALWR** shows a download from feedconsumer.upfrontjournal .com/erg54g4?ooGXPymBM=fNULIh (VirusTotal 3/56***)
Payload security[4] shows this downloads a further file from diolrilk .at/files/cyAOiY.exe (VirusTotal 1/57[5])
which makes this more likely to be Dridex banking Trojan rather than a ransomware version... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a...is/1463568343/
** https://malwr.com/analysis/OTM4NTg0N...I1NzVlYzBhYmQ/
Hosts
173.236.177.29: https://www.virustotal.com/en/ip-add...9/information/
*** https://www.virustotal.com/en/file/a...is/1463567581/
TCP connections
109.235.139.64: https://www.virustotal.com/en/ip-add...4/information/
31.8.133.98: https://www.virustotal.com/en/ip-add...8/information/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
109.235.139.64: https://www.virustotal.com/en/ip-add...4/information/
5.105.221.126: https://www.virustotal.com/en/ip-add...6/information/
5] https://www.virustotal.com/en/file/7...is/1463569252/
___
Fake 'Invoice' SPAM - JS malware drops Dridex
- https://myonlinesecurity.co.uk/spam-...-drops-dridex/
18 May 2016 - "An email with the subject of 'Invoice 1723-812595' [random numbered] pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which contains what looks like the embedded Dridex binary inside the 274 kb .JS file in a base 64 encoded section... One of the emails looks like:
From: Vasquez.Jaspero@ hcrltd .com.br
Date: Wed 18/05/2016 11:54
Subject: Invoice 1723-812595
Attachment: Invoice 1723-812595.zip
Hi,
Please find attached copy of invoice SN04359806 as requested. I would be grateful if you could reply to this email to ensure I have sent it to the correct address.
Kind Regards, Jasper Vasquez
18 May 2016: Invoice 1723-812595.zip: Extracts to: invoice_6126.js - Current Virus total detections 1/57*
.. MALWR** shows no downloads but shows the dropped bin file in base64 encoding (VirusTotal 3/57***)
.. Payload security[4] gives some more information, but not much... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1463569142/
** https://malwr.com/analysis/ZmNmZGE1N...UzM2MzZjU2Nzk/
*** https://www.virustotal.com/en/file/1...is/1463570330/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
___
Fake 'DHL shipment' SPAM - doc malware
- https://myonlinesecurity.co.uk/spam-...ation-re-send/
18 May 2016 - "An email with the subject of 'shipment address confirmation (re-send)' pretending to come from info <info@ dhl-services .com> with a zip attachment that extracts to a malicious word doc is another one from the current bot runs... The email looks like:
From: info <info@ dhl-services .com>
Date: Wed 18/05/2016 14:25
Subject: shipment address confirmation (re-send)
Attachment: dhl shipment #000516.zip
Dear all
After reviewing your shipment BL container number; we need to confirm, did your company change shipment address? If yes, attach you can find the information to re-confirm your shipment address.
We require your quick confirmation and reply to this development
Regards.
Alice M. York,
5/17/2016
Oversea Frieght Information Manager,
WorldWide Delivery Services DHL ...
18 May 2016: dhl shipment #000516.zip: extracts to shipment details.doc - Current Virus total detections 12/55*
.. MALWR** didn’t show any download but a manual analysis showed a download from
http ://revery.5gbfree .com/rollas/wanfile.exe which is saved to %APPDATA%\flash.exe and autorun (VirusTotal 8/57***)
MALWR[4].. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1463526808/
** https://malwr.com/analysis/MjU5MjkwO...FlZjBkMWFmNjY/
*** https://www.virustotal.com/en/file/d...is/1463526879/
4] https://malwr.com/analysis/NmQ1MmU0Z...I1MTg3MzM2YTI/
Hosts
23.94.151.38: https://www.virustotal.com/en/ip-add...8/information/
revery.5gbfree .com: 209.90.88.138: https://www.virustotal.com/en/ip-add...8/information/
>> https://www.virustotal.com/en/url/d2...265d/analysis/
___
Fake 'Remittance Advice' SPAM - doc malware
- https://myonlinesecurity.co.uk/spam-...ed-ole-object/
18 May 2016 - "An email with the subject of 'Remittance Advice' pretending to come from random senders and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Diana Raveche <Diana@ lappgroup .com>
Date: Tue 17/05/2016 15:33
Subject: Remittance Advice
Attachment: 59350_Copy_PS13149_(1).docx
Dear Sirs,
Please find attached remittance advice(s) for reconciliation.
Should you have any queries, kindly contact the address below
Best regards
Daniel Sefah
Treasurer
Manganese Company Limited
18 May 2016: 59350_Copy_PS13149_(1).docx - Current Virus total detections 16/56*
.. MALWR** contains an embedded OLE object that, when extracted, gives 'Double Click on file to view clear Swift' copy.exe (VirusTotal 14/56***). MALWR[4] shows a connection to
http ://cf34064.tmweb .ru/cgi-bin/eke/gate.php, which gave a 404 when I tried; this might mean it has been taken down, or that it insists on a referrer from the actual Word doc or the extracted malware, which several antiviruses detect as a Fareit password-stealer Trojan. Payload security doesn’t give much more useful info either...
> https://myonlinesecurity.co.uk/wp-co...y-1024x549.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1463574035/
** https://malwr.com/analysis/MTE2MDQ5Y...Q3YTlhNGNhMjc/
*** https://www.virustotal.com/en/file/d...is/1463574066/
4] https://malwr.com/analysis/MTc2Y2QxN...E2MDUwMzIzZjM/
Hosts
92.53.118.64: https://www.virustotal.com/en/ip-add...0/information/
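Two of the samples in this post needed a manual look after the sandboxes came up empty: the 'Invoice' .js carries its Dridex binary inline as a base64 section instead of downloading it, and the 'Remittance Advice' .docx (like the .dotm earlier in the thread) carries its payload as an embedded OLE object or macro project rather than a download. The script below is an added example, not code from this thread or the quoted blogs: it carves PE files out of long base64 string runs in a script, and lists the OOXML parts that hold VBA or embedded objects. Both inputs are constructed here; the "PE" is a header stub with no code, and the docx is a minimal container, not the real sample.

```python
"""Second-stage static checks on the file an attachment extracts to.

Added example; not code from the thread or the blogs it quotes.  It covers two
things the posts above describe finding by hand: a .js downloader that carries
its payload inline as a base64 string (the 'Invoice' sample), and a Word OOXML
file with a VBA project or embedded OLE object (the .dotm and .docx samples).
Both inputs are constructed here; the 'PE' is a header stub with no code.
"""
import base64
import io
import re
import struct
import zipfile

# A base64 string literal long enough to be a binary rather than a short token.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def looks_like_pe(data: bytes) -> bool:
    """MZ stub plus a 'PE\\0\\0' signature where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_base64_pe(script: bytes) -> list:
    """Decode every long base64 run in a script and keep those that are PE files."""
    found = []
    for m in _B64_RUN.finditer(script):
        blob = m.group()
        blob += b"=" * (-len(blob) % 4)          # repair stripped padding
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if looks_like_pe(decoded):
            found.append(decoded)
    return found


def inspect_ooxml(blob: bytes) -> dict:
    """List the parts of a .docx/.docm/.dotm that carry code or embedded objects."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
    return {
        "vba_project": [n for n in names if n.lower().endswith("vbaproject.bin")],
        "embedded_objects": [n for n in names if "/embeddings/" in n.lower()],
    }


def build_stub_pe() -> bytes:
    """Constructed 0x80-byte stub: valid MZ/e_lfanew/PE chain, no code at all."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def build_sample_js() -> bytes:
    """Constructed downloader skeleton with the stub PE inlined as base64."""
    payload = base64.b64encode(build_stub_pe() + b"\x00" * 200)
    return (b"var s = new ActiveXObject('ADODB.Stream');\n"
            b"var bin = \"" + payload + b"\";\n"
            b"// decode bin, write it under %TEMP%, run it\n")


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML container with a VBA project and one OLE part."""
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", ole_magic)
        zf.writestr("word/embeddings/oleObject1.bin", ole_magic)
    return buf.getvalue()


if __name__ == "__main__":
    print("carved PEs:", len(carve_base64_pe(build_sample_js())))
    print(inspect_ooxml(build_sample_docx()))
```

This finds the plain case the 'Invoice' post describes, a single base64 literal; a payload split across concatenated string fragments, or XOR'd before encoding, will not decode this way and needs the script deobfuscated first. For the OOXML check, a listed part is a reason to look, not a verdict: legitimate documents embed spreadsheets too, so extract the object (it is a plain zip member) and check it for an MZ header or an OLE compound file before deciding.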
Fake 'Thank you', 'WhatsApp', 'Scanned image' SPAM, TeslaCrypt master key
FYI...
Fake 'Thank you' SPAM - JS malware attachment
- https://myonlinesecurity.co.uk/spam-...dom-companies/
19 May 2016 - "An email with the subject of 'Thank you!' pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads some unknown malware... One of the emails looks like:
From: Stevie Fry <FryStevie3913@ divtec .ch>
Date: Thu 19/05/2016 10:49
Subject: Thank you!
Attachment: webmaster_order_04FDEC03.zip
Hello webmaster,
Please find enclosed invoice no. 871824
Thank you for your order.
We look forward to doing business with you again.
Regards,
Stevie Fry
Pioneer Natural Resources Company
19 May 2016: webmaster_order_04FDEC03.zip: Extracts to: -4- identical copies of history_048.js
Current Virus total detections 6/56*. MALWR** shows a download from
http ://dub3tv .com/2e22dfs (VirusTotal 2/56***). Payload Security[4] | Malwr[5]. Nothing so far is actually telling us what the payload is, but it is likely to be either Locky or Dridex... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4...is/1463654399/
** https://malwr.com/analysis/N2I1ZjkzM...k4MWVhYmRmNWU/
Hosts
184.168.107.21: https://www.virustotal.com/en/ip-add...1/information/
*** https://www.virustotal.com/en/file/d...is/1463654794/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
5] https://malwr.com/analysis/MTNlNzQwY...kxYTc5MGU1ZjU/
___
Fake 'WhatsApp' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spam-...elivers-locky/
19 May 2016 - "An email with the subject of 'You got a voice message!' pretending to come from WhatsApp <Cleo477@ gmx .de> with a zip attachment is another one from the current bot runs which downloads Locky Ransomware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...e-1024x522.png
19 May 2016: MSG0002959373787821.wav.zip: Extracts to: MSG00033066464574474.wav.js
Current Virus total detections 8/56*. MALWR** shows a download of Locky from
http ://denzil .com.au/grh5444tg?WKInfNTzzF=VQkztyPupI (VirusTotal 4/56***)... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine WAV/DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4...is/1463652406/
** https://malwr.com/analysis/OTRlNmU0Z...NmMmNiMzVlMmY/
Hosts
223.130.27.201
89.108.84.155
92.63.87.48
*** https://www.virustotal.com/en/file/5...is/1463653169/
TCP connections
92.63.87.48: https://www.virustotal.com/en/ip-add...8/information/
denzil .com.au: 223.130.27.201: https://www.virustotal.com/en/ip-add...1/information/
>> https://www.virustotal.com/en/url/a4...71b5/analysis/
___
Fake 'Scanned image' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/scann...elivers-locky/
19 May 2016 - "Another email pretending to come from your-own-email-domain with the subject of 'Scanned image' pretending to come from admin <southlandsxxxx@ victimdomain .tld> with a zip (rar) attachment is another one from the current bot runs which downloads Locky Ransomware... One of the emails looks like:
From: admin <southlandsxxxx@ victimdomain .tld>
Date: Thu 19/05/2016 19:52
Subject: Scanned image
Attachment: MSG00087072.rar
Image data in PDF format has been attached to this email.
19 May 2016: MSG00087072.rar: Extracts to: MSG0004219280705535.js - Current Virus total detections 9/57*
.. MALWR** shows a download of Locky ransomware from
freesource .su/437gfinw2 (VirusTotal 3/56***)
Other sites found include:
freesource .su/437gfinw2 - 136.243.176.66
der-werbemarkt .de/437gfinw2 - 85.158.182.96
criticalcontactinfo .com/437gfinw2 - 192.73.242.42
empiredeckandfence .com/437gfinw2 - 192.185.225.43
... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...is/1463686171/
** https://malwr.com/analysis/ZjBjOTNmO...EzMzQyMDYwYjU/
Hosts
92.63.87.48
*** https://www.virustotal.com/en/file/a...is/1463684566/
TCP connections
92.63.87.48: https://www.virustotal.com/en/ip-add...8/information/
freesource .su: 136.243.176.66: https://www.virustotal.com/en/ip-add...6/information/
>> https://www.virustotal.com/en/url/62...14ab/analysis/
der-werbemarkt .de: 85.158.182.96: https://www.virustotal.com/en/ip-add...6/information/
criticalcontactinfo .com: 192.73.242.42: https://www.virustotal.com/en/ip-add...2/information/
empiredeckandfence .com: 192.185.225.43: https://www.virustotal.com/en/ip-add...3/information/
___
White hats bake TeslaCrypt master key into universal decryptor
Ransomware authors appear to have given up...
- http://www.theregister.co.uk/2016/05...sal_decryptor/
19 May 2016 - "The authors of the TeslaCrypt ransomware have handed over their master keys in what appears to be a decision to kill off the net menace. An Eset researcher noticed the gradual decline of TeslaCrypt and, posing as a victim, asked the malware authors for a key. The authors surprisingly offered a free master key and the security wonk quickly produced a free universal decryption tool*. It means victims of two of the worst ransomware tools can decrypt their files for free, with Kaspersky white hats producing a decryption tool yesterday** for the Cryptxxx malware..."
* http://download.eset.com/special/ESE...tDecryptor.exe
** http://www.theregister.co.uk/2016/05...xxx_decrypted/
- http://support.eset.com/kb6051/
Last Revised: May 19, 2016
Identify the ransomware you’re dealing with...
> https://id-ransomware.malwarehunterteam.com/index.php
"This service currently detects 87 different ransomwares..."
Updated 05/19/2016
> http://www.bleepingcomputer.com/news...ecryption-key/
May 18, 2016
:fear::fear: :mad:
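As an added defender-side check (my own code, not from the post or from myonlinesecurity.co.uk), the script below inspects a zip attachment's member list for the pattern the three runs above share: a script extension hidden behind a document-looking one, such as .wav.js, and several identical copies of the same .js inside one archive. The sample archives are constructed inline and are not real samples; inspect_zip, EXECUTABLE_EXTS and DECOY_EXTS are names I chose, and .rar attachments are out of scope because the standard library cannot open them.

```python
import hashlib
import io
import zipfile

# Extensions that Windows Script Host or the shell will run on double-click.
EXECUTABLE_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "exe", "scr", "cmd", "bat"}
# Document-looking extensions used as the visible half of a double extension.
DECOY_EXTS = {"wav", "doc", "pdf", "jpg", "png", "xls", "txt"}


def inspect_zip(data: bytes) -> dict:
    """Return findings for a zip archive given as bytes (hypothetical helper)."""
    findings = {"executable": [], "double_extension": [], "duplicate_groups": []}
    digests = {}  # sha256 of member content -> member names with that content
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            parts = name.lower().split(".")
            if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
                findings["executable"].append(name)
                # e.g. MSG...wav.js: the last extension decides what runs, not the middle one
                if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
                    findings["double_extension"].append(name)
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            digests.setdefault(digest, []).append(name)
    # Several byte-identical members (as in "4 identical copies of history_048.js")
    findings["duplicate_groups"] = [n for n in digests.values() if len(n) > 1]
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Constructed sample archive for testing: member name -> content bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins that only mimic the attachment names described in the post.
SAMPLES = {
    "MSG0002959373787821.wav.zip": build_sample_zip({"MSG00033066464574474.wav.js": b"// script"}),
    "webmaster_order_04FDEC03.zip": build_sample_zip(
        {"history_048.js": b"// same body", "a/history_048.js": b"// same body",
         "b/history_048.js": b"// same body", "c/history_048.js": b"// same body"}),
    "benign_scan.zip": build_sample_zip({"scan_001.pdf": b"%PDF-1.4 constructed"}),
}

if __name__ == "__main__":
    for archive_name, archive_bytes in SAMPLES.items():
        print(archive_name, inspect_zip(archive_bytes))
```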