Fake 'confirmation' SPAM, Phish - distributing ransomware
FYI...
Fake 'confirmation' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/the-l...cro-word-docs/
25 Apr 2017 - "... another 2 mass malspam onslaughts with different email subjects. The first is 'confirmation_12345678.pdf' (random numbers) pretending to come from info@ random .tld with a PDF attachment that contains an embedded malicious word doc with macros that delivers Locky ransomware. The second is a -blank- email with the subject of 'paper', coming from random names, companies and email addresses. In all cases the alleged sending address is -spoofed- ... In both campaigns the PDF appears totally to be a -blank- page but still contains the embedded macro word doc that will infect you when opened. These macro enabled word docs embedded into PDF files can easily infect you, -IF- you have default PDF settings set in Adobe Reader. See HERE[1] for safe settings to stop these working...
1] https://myonlinesecurity.co.uk/embed...ly-infect-you/
... 2 distinct malspam approaches today. First coming from 'scanner' (or other MFD, like scan, Epson, Printer, canon etc ) @ your-own-email-domain with a subject of 'scan data'. The second comes from totally random names @ your-own-email-domain with a subject of '12345678.pdf' (random numbers) and has a completely -empty- email body...
Screenshot1: https://myonlinesecurity.co.uk/wp-co...nfirmation.png
Screenshot2: https://myonlinesecurity.co.uk/wp-co...ocky_paper.png
6446165b2.pdf - Current Virus total detections 13/56*. Payload Security** drops 216616.docm downloads from
http ://parallelsolutions .nl/jhg67g which is converted by the macro to pitupi2.exe
(VirusTotal 23/59***) (Payload Security[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1493096091/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
159.253.0.19
*** https://www.virustotal.com/en/file/a...is/1493096408/
pitupi2.exe
4] https://www.hybrid-analysis.com/samp...ironmentId=100
parallelsolutions .nl: 159.253.0.19: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/6d...c163/analysis/
___
Phish attacks responsible for 3/4 of all malware
- https://www.helpnetsecurity.com/2017...tacks-malware/
April 25, 2017 - "With phishing now widely used as a mechanism for distributing ransomware, a new NTT Security report reveals that 77% of all detected ransomware globally was in four main sectors – business & professional services (28%), government (19%), health care (15%) and retail (15%):
> https://www.helpnetsecurity.com/imag...y-042017-2.jpg
While technical attacks on the newest vulnerabilities tend to dominate the media, many attacks rely on less technical means. According to the GTIR, phishing attacks were responsible for nearly three-quarters (73%) of all malware delivered to organizations, with government (65%) and business & professional services (25%) as the industry sectors most likely to be attacked at a global level. When it comes to attacks by country, the U.S. (41%), Netherlands (38%) and France (5%) were the top three sources of phishing attacks. The report also reveals that just 25 passwords accounted for nearly 33% of all authentication attempts against NTT Security honeypots last year. Over 76% of log on attempts included a password known to be implemented in the Mirai botnet – a botnet comprised of IoT devices, which was used to conduct, what were at the time, the largest ever distributed denial of service (DDoS) attacks. DDoS attacks represented less than 6% of attacks globally, but accounted for over 16% of all attacks from Asia and 23% of all attacks from Australia. Finance was the most commonly attacked industry globally, subject to 14% of all attacks. The finance sector was the only sector to appear in the top three across all of the geographic regions analysed, while manufacturing appeared in the top three in five of the six regions. Finance (14%), government (14%) and manufacturing (13%) were the top three most commonly attacked industry sectors:
> https://www.helpnetsecurity.com/imag...y-042017-1.jpg
... NTT Security summarizes data from over 3.5 -trillion- logs and 6.2 -billion- attacks for the 2017 Global Threat Intelligence Report (GTIR)*..."
* https://www.nttcomsecurity.com/us/gtir-2017/
___
Phish: PayPal Credit Service Security Check
- https://security.intuit.com/index.ph...security-check
24 April 2017 - "People are reporting receiving -fake- emails as found below. Please be aware that the From address as well as the Subject line may change; however, the content within the body of the email will stay the same with the exception of a change to the malicious URL link, which may have many different variations. Below is an example of the email people are receiving:
> https://security.intuit.com/images/2...4_14-51-41.png
... end of the -fake- email..."
:fear::fear: :mad:
Fake 'DHL' SPAM, JavaScript Malspam Campaigns
FYI...
Fake 'DHL' SPAM - delivers js malware
- https://myonlinesecurity.co.uk/fake-...known-malware/
26 Apr 2017 - "... email with the subject of 'DHL Shipment Notification: 1104749373' pretending to come from DHL Customer Support <support@ dhl .com> with a semi-random named zip attachment in the format of Pickup EXPRESS.Date2017-04-26.zip which delivers or tries to deliver some sort of malware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...1104749373.png
Pickup EXPRESS.Date2017-04-26.zip: Extracts to: Pickup DOMESTIC EXPRESS Date2017-04-26.pdf.js
Current Virus total detections 4/57*. Payload Security** | JoeSandbox*** all of which do show a connection to 47.91.74.140 80 horcor .com which looks to be connected to or hosted by Chinese online company Alibaba.
Payload Security shows an attempt to contact http ://horcor .com/gate.php?ff1 (ff1 – ff12) in turn via get requests BUT only when you expand the wscript.exe section and examine the script calls... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1493200305/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
47.91.74.140
*** https://jbxcloud.joesecurity.org/analysis/259442/1/html
horcor .com: 47.91.74.140: https://www.virustotal.com/en/ip-add...0/information/
___
JavaScript Malspam Campaigns
Multiple malicious JavaScript spam campaigns active in the wild
- https://www.zscaler.com/blogs/resear...spam-campaigns
April 25, 2017 - "... multiple active malspam campaigns with links to malicious JavaScript payloads in the wild. These JavaScript files when opened by the end user will trigger download and execution of malware executables belonging to various Dropper and Backdoor Trojan families. We have seen over 10,000 instances of malicious JavaScript payloads from these campaigns in last two weeks. The JavaScript files are highly obfuscated to avoid detection and on first look shared similarity to Angler EK's landing page. Two URL formats are commonly being used at this time, one with just alphanumeric characters in path and the other with string ‘.view’ in the path. The examples for these URLs are seen below:
http ://yountstreetglass [.]com/TRucDEpdoO4jsaFaF4wCTxl8h/
http ://unbunt [.]com/view-report-invoice-0000093/w0ru-bb26-w.view/
The JavaScript files have names which try to masquerade as bills and receipts of various services like DHL, UPS and Vodafone to name a few... When we opened the JavaScript, we observed that it was heavily obfuscated with random strings and numbers assigned to variables, which makes very little sense...
Conclusion: We should always be cautious when clicking on links or handling e-mail attachments received from an unknown sender. Threat actors keep changing their obfuscation techniques in an attempt to evade detection methods used by security engines. It is increasingly important to have multiple security layers to block these kinds of attacks..."
(More detail at the zscaler URL above.)
yountstreetglass .com: 107.180.2.25: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/67...64d9/analysis/
unbunt .com: 5.153.24.46: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/17...3e79/analysis/
:fear::fear: :mad:
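The two attachment tricks in the posts above, a PDF carrying an embedded macro document (the Locky 'confirmation' campaign) and a zip that unpacks to a 'something.pdf.js' script (the DHL campaign), can both be screened at the mail gateway before a user ever opens them. The following is an added Python example, not code from the original posts or from the quoted myonlinesecurity.co.uk articles; the zip and PDF it inspects are constructed in memory for the example and are not the real malspam samples, and the PDF check is a plain byte scan (it does not decompress object streams), so a clean result means "no obvious marker", not "safe".

```python
"""Gateway-style triage of zip and PDF attachments (added example, constructed data)."""
import io
import re
import zipfile

# Extensions Windows will hand to a script host or loader when double-clicked
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "scr", "exe", "ps1", "cmd", "bat"}
# Extensions commonly placed in front of the real one as a decoy ('invoice.pdf.js')
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "jpg", "jpeg", "png", "txt"}
# PDF name objects that indicate embedded content or automatic actions
PDF_MARKERS = [b"/EmbeddedFile", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA"]


def classify_filename(name: str) -> list[str]:
    """Findings for one file name; an empty list means nothing suspicious."""
    findings = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"executable/script extension .{ext}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            findings.append(f"double extension .{parts[-2]}.{ext} disguises the script")
    return findings


def screen_zip(data: bytes) -> dict[str, list[str]]:
    """Inspect every archive member by name without extracting anything to disk."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            hits = classify_filename(info.filename)
            if hits:
                report[info.filename] = hits
    return report


def screen_pdf(data: bytes) -> list[str]:
    """Return the PDF markers present; each must be a whole name (so /EmbeddedFiles
    does not count, /EmbeddedFile does)."""
    return [m.decode() for m in PDF_MARKERS
            if re.search(re.escape(m) + rb"(?![A-Za-z])", data)]


# ---- constructed samples (not the real files from the posts) ----
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pickup DOMESTIC EXPRESS Date2017-04-26.pdf.js", "// placeholder, no script body\n")
        zf.writestr("readme.txt", "harmless text\n")
    return buf.getvalue()


def build_sample_pdf(with_embedded: bool) -> bytes:
    """Minimal PDF skeleton; with_embedded adds a Filespec/EmbeddedFile pair."""
    body = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R"
    if with_embedded:
        body += b" /Names << /EmbeddedFiles << /Names [(216616.docm) 3 0 R] >> >>"
    body += b" >> endobj\n"
    if with_embedded:
        body += b"3 0 obj << /Type /Filespec /F (216616.docm) /EF << /F 4 0 R >> >> endobj\n"
        body += b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\n\nendstream endobj\n"
    return body + b"%%EOF\n"


if __name__ == "__main__":
    print(screen_zip(build_sample_zip()))
    print(screen_pdf(build_sample_pdf(True)), screen_pdf(build_sample_pdf(False)))
```

In a real deployment the zip check runs on the archive listing only, so password-protected or nested archives still yield their member names, and any hit should quarantine the message rather than just annotate it.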
Fake 'Secure email' SPAM, Intrusions - Multiple Victims/Sectors, Macs - OSX malware
FYI...
Fake 'Secure email' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/more-...alspam-emails/
28 Apr 2017 - "An email with the subject of 'Secure email communication' pretending to come from HM Revenue & Customs <GSRPCommunication@ govsecure .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan... criminals sending these have registered various domains that look like genuine HMRC domains... So far we have found
govsecure .co.uk
gov-secure .co.uk
... they are registered via Godaddy as registrar and the emails are sent via City Network Hosting AB Sweden 89.46.82.3, 89.46.82.2, 89.42.141.46, 89.40.217.178, 89.40.217.179, 89.40.217.185 ...
Screenshot: https://myonlinesecurity.co.uk/wp-co...munication.png
Unsuccessful_Payments_Documents.doc - Current Virus total detections 3/56*. Payload Security** shows a download via powershell from http ://elevationstairs .ca/fonts/60c5776c175c54d2.png which of course is
-not- an image file but a renamed .exe (VirusTotal 8/61***) (Payload Security [4])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1493381297/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
70.33.246.140
107.22.214.64
184.160.113.13
217.31.111.153
*** https://www.virustotal.com/en/file/f...is/1493382383/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
elevationstairs .ca: 70.33.246.140: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/e8...c048/analysis/
___
Intrusions - Multiple Victims across Multiple Sectors
- https://www.us-cert.gov/ncas/alerts/TA17-117A
April 27, 2017 - "... Overview:
The National Cybersecurity and Communications Integration Center (NCCIC) has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.
According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems. Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.
Although this activity is still under investigation, NCCIC is sharing this information to provide organizations information for the detection of potential compromises within their organizations.
NCCIC will update this document as information becomes available.
For a downloadable copy of this report and listings of IOCs, see:
> https://www.us-cert.gov/sites/defaul...7-093-01C.xlsx
IOCs (.xlsx)
61.97.241.239 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
103.208.86.129 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
109.237.108.202 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...2/information/
109.237.111.175 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...5/information/
109.248.222.85 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...5/information/
95.47.156.86 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...6/information/
162.243.6.98 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...8/information/
160.202.163.78 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...8/information/
86.106.102.3 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
110.10.176.181 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...1/information/
185.133.40.63 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
185.14.185.189 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
95.183.52.57 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...7/information/
185.117.88.78 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...8/information/
185.117.88.77 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...7/information/
185.117.88.82 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...2/information/
109.237.108.150 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...0/information/
211.110.17.209 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
81.176.239.56 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...6/information/
151.236.20.16 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...6/information/
107.181.160.109 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
151.101.100.73 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
158.255.208.170 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...0/information/
158.255.208.189 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
158.255.208.61 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...1/information/
160.202.163.79 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
160.202.163.82 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...2/information/
160.202.163.90 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...0/information/
160.202.163.91 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...1/information/
185.117.88.81 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...1/information/
185.141.25.33 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
31.184.198.23 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
31.184.198.38 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...8/information/
92.242.144.2 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...2/information/
183.134.11.84 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...4/information/
> https://www.helpnetsecurity.com/2017...tack-campaign/
April 28, 2017
___
Macs - OSX.Dok malware intercepts web traffic
> https://blog.malwarebytes.com/threat...s-web-traffic/
April 28, 2017 - "Most Mac malware tends to be unsophisticated. Although it has some rather unpolished and awkward aspects, a new piece of Mac malware, dubbed 'OSX.Dok', breaks out of that typical mold. OSX.Dok, which was discovered by Check Point*, uses sophisticated means to monitor — and potentially alter — all HTTP and HTTPS traffic to and from the infected Mac. This means that the malware is capable, for example, of capturing account credentials for any website users log into, which offers many opportunities for theft of cash and data. Further, OSX.Dok could modify the data being sent and received for the purpose of -redirecting- users to malicious websites in place of legitimate ones...
* http://blog.checkpoint.com/2017/04/2...https-traffic/
Distribution method: OSX.Dok comes in the form of a file named Dokument.zip, which is found being -emailed- to victims in -phishing- emails. Victims primarily are located in Europe...
Removal: Removal of the malware can be accomplished by simply removing the two aforementioned LaunchAgents files, but there are many leftovers and modifications to the system that -cannot- be as easily reversed...
Consumers: Malwarebytes Anti-Malware for Mac will detect the important components of this malware as OSX.Dok, disabling the active infection. However, when it comes to the other changes that are not easily reversed, which introduce vulnerabilities and potential behavior changes, additional measures will be needed. For people who don’t know their way around in the Terminal and the arcane corners of the system, it would be wise to seek the assistance of an expert, or erase the hard drive and restore the system from a backup made prior to infection.
Businesses: The impact on business could be much more severe, as it could expose information that could allow an attacker to gain access to company resources. For example, consider the potential damage if, while infected, you visited an internal company page that provided instructions for how to connect to the company VPN and access internal company services. The malware would have sent all that information to the malicious proxy server. If you have been infected by this malware in a business environment, you should consult with your IT department, so they can be aware of the risks and begin to mitigate them."
(More detail at the malwarebytes -and- checkpoint URLs above.)
:fear::fear: :mad:
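The TA17-117A alert above ships its indicators as an IP watchlist, and the myonlinesecurity write-ups list "Contacted Hosts" in the same form; the practical use of either is to sweep outbound proxy or firewall logs for connections to those addresses. The following is an added Python example, not code from the original post, US-CERT or the quoted articles. The watchlist entries are copied from the TA17-117A list in the post; the proxy log lines are constructed for the example (Squid-style format, documentation-range internal addresses) and are not real traffic.

```python
"""Sweep proxy logs for an IP watchlist (added example; log lines are constructed)."""
import ipaddress
import re
from collections import Counter

# Copied from the TA17-117A IOC list quoted above (one IP or CIDR per line,
# '#' comments allowed so a real watchlist file can carry notes)
WATCHLIST_TEXT = """
61.97.241.239      # TA17-117A IPv4 IP Watchlist
103.208.86.129
109.237.108.202
185.117.88.78
185.117.88.77
185.117.88.82
31.184.198.23
"""

# Constructed sample lines, not real logs: timestamp, duration, client, status, size, method, url, ..., peer
SAMPLE_LOG = """\
1493381297.123 210 10.0.0.15 TCP_MISS/200 5120 GET http://185.117.88.78/update.bin - HIER_DIRECT/185.117.88.78 application/octet-stream
1493381298.456 120 10.0.0.22 TCP_MISS/200 8400 GET http://example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1493381300.789 90 10.0.0.15 TCP_MISS/404 300 GET http://31.184.198.23/gate.php - HIER_DIRECT/31.184.198.23 text/html
1493381302.000 60 10.0.0.40 TCP_DENIED/403 0 CONNECT 61.97.241.239:443 - HIER_NONE/- -
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def load_watchlist(text: str) -> list:
    """Parse IPs/CIDRs, skipping blanks, comments and unparsable lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry: ignore rather than abort the sweep
    return nets


def match_line(line: str, nets: list) -> list[str]:
    """Unique watchlisted addresses that appear anywhere in one log line."""
    hits = set()
    for token in IPV4_RE.findall(line):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # e.g. 300.1.1.1 looks like an IP but is not one
        if any(addr in net for net in nets):
            hits.add(str(addr))
    return sorted(hits)


def scan_logs(lines, nets: list) -> list[tuple[int, str, list[str]]]:
    """(line_no, line, hits) for every line with at least one watchlist hit."""
    results = []
    for no, line in enumerate(lines, start=1):
        hits = match_line(line, nets)
        if hits:
            results.append((no, line, hits))
    return results


def summarize(results) -> Counter:
    """How many matching lines each watchlisted address accounts for."""
    return Counter(ip for _, _, hits in results for ip in hits)


if __name__ == "__main__":
    nets = load_watchlist(WATCHLIST_TEXT)
    found = scan_logs(SAMPLE_LOG.splitlines(), nets)
    for no, _, hits in found:
        print(f"line {no}: {', '.join(hits)}")
    print(summarize(found))
```

Note that a denied CONNECT (the last sample line) is still a finding: the host that tried to reach the watchlisted address is the one to triage, whether or not the connection succeeded.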
Fake 'DHL', 'Secure email' SPAM, Cerber Ransomware - evolution
FYI...
Fake 'DHL' SPAM - js script
- http://blog.dynamoo.com/2017/05/malw...878382814.html
2 May 2017 - "... another -fake- DHL message leading to an evil .js script.
From: DHL Parcel UK [redacted]
Sent: 02 May 2017 09:30
To: [redacted]
Subject: DHL Shipment 458878382814 Delivered
You can track this order by clicking on the following link:
https ://www .dhl .com/apps/dhltrack/?action=track&tracknumbers=458878382814&language=en&opco=FDEG&clientype=ivother
Please do not respond to this message. This email was sent from an unattended mailbox. This report was generated at approximately 08:15 am CDT on 02/05/2017.
All weights are estimated.
The shipment is scheduled for delivery on or before the scheduled delivery displayed above. DHL does not determine money-back guarantee or delay claim requests based on the scheduled delivery. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL customer support representative.
This tracking update has been sent to you by DHL on behalf of the Requestor [redacted]. DHL does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor's message, or the accuracy of this tracking update.
Standard transit is the date the package should be delivered by, based on the selected service, destination, and ship date. Limitations and exceptions may apply. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL Customer Support representative.
In this case the link goes to parkpaladium .com/DHL24/18218056431/ and downloads a file
DHL-134843-May-02-2017-55038-8327373-1339347112.js . According to Malwr* and Hybrid Analysis** the script downloads a binary from
micromatrices .com/qwh7zxijifxsnxg20mlwa/ (77.92.78.38 - UK2, UK) and then subsequently attempts communication with
75.25.153.57 (AT&T, US)
79.170.95.202 (XL Internet Services, Netherlands)
87.106.148.126 (1&1, Germany)
78.47.56.162 (Mediaforge, Germany)
81.88.24.211 (dogado GmbH, Germany)
92.51.129.235 (Host Europe, Germany)
74.50.57.220 (RimuHosting, US)
The dropped binary has a VirusTotal detection rate of 10/60***.
Recommended blocklist:
77.92.78.38
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
74.50.57.220 "
* https://malwr.com/analysis/ODdmNWU5Y...QyOTA1ZjM3MjM/
Hosts
77.92.78.38
79.170.95.202
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
77.92.78.38
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
74.50.57.220
*** https://virustotal.com/en/file/33f31...is/1493719562/
mlgih3wgw.exe
___
Fake 'Secure email' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
2 May 2017 - "An email with the subject of 'Secure email message' pretending to come from Companies House but actually coming from a look-alike domain <noreply@ cp-secure-message .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...re-message.png
SecureMessage.doc - Current Virus total detections 5/55*. Payload Security** shows a download from
http ://gestionbd .com/fr/QMjJrcCrHGW9sb6uF.png which of course is -not- an image file but a renamed .exe file that gets renamed to Epvuyf.exe and autorun (VirusTotal 8/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4...is/1493724795/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86
*** https://www.virustotal.com/en/file/c...is/1493725297/
Epvuyf.exe
gestionbd .com: 216.138.226.110: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/60...5290/analysis/
___
Cerber Ransomware - evolution
- http://blog.trendmicro.com/trendlabs...are-evolution/
May 2, 2017 - "... enterprises and individual users alike are taking the brunt, with the U.S. accounting for much of Cerber’s impact. We’ve also observed Cerber’s adverse impact among organizations in education, manufacturing, public sector, technology, healthcare, energy, and transportation industries:
Top countries affected by Cerber:
> https://blog.trendmicro.com/trendlab.../cerber6-1.jpg
Infection chain of Cerber Version 6:
> https://blog.trendmicro.com/trendlab.../cerber6-2.jpg
Adding a time delay in the attack chain enables Cerber to elude traditional sandboxes, particularly those with time-out mechanisms or that wait for the final execution of the malware. Other JS files we saw ran powershell.exe (called by wscript.exe) whose parameter is a PowerShell script — the one responsible for downloading the ransomware and executing it in the system:
Sample Cerber 6-carrying spam email posing as a public postal service agency:
> https://blog.trendmicro.com/trendlab.../cerber6-4.jpg
... Cerber was updated with the capability to integrate the infected system into botnets, which were employed to conduct distributed denial of service (DDoS) attacks. By July, a spam campaign was seen abusing cloud-based productivity platform Office 365 through Office documents embedded with a malicious macro that downloads and helps execute the ransomware. Exploit kits are also a key element in Cerber’s distribution. Cerber-related malvertising campaigns were observed in 2016 diverting users to Magnitude, Rig, and Neutrino — which has since gone private — exploit kits that target system or software vulnerabilities. This year, we’re seeing relatively new player Sundown exploit kit joining the fray... Cerber’s distribution methods remain consistent, we’ve seen newer variants delivered as self-extracting archives (SFX package) containing malicious Visual Basic Script (.VBS) and Dynamic-link library (.DLL) files that execute a rather intricate attack chain compared to other versions... it’s one of the signs of things to come for Cerber. It is not far-fetched for Cerber to emulate how Locky constantly changed email file attachments in its spam campaigns by expanding arrival vectors beyond JS files and PowerShell scripts — from JScript to HTML Application (.HTA) and compressed binary files (.BIN) — and exploiting file types that aren’t usually used to deliver malware... we’re currently seeing .HTA files being leveraged by a campaign that uses Cerber as payload. Our initial analysis indicates that the campaign, which we began monitoring by the third week of April, appears to be targeting Europe. We also found the same campaign attacking two Latin American countries. This campaign is notable for displaying Cerber’s ransom note in the local language of the infected system. It uses an .HTA file to show the online message/ransom note as well as detect the local language to be displayed...
Cerber’s evolution reflects the need for organizations and end users to be aware of today’s constantly evolving threats. End users risk losing money and their important personal files to ransomware; it also threatens organizations’ business operations, reputation, and bottom line. While there is no silver bullet against ransomware, keeping systems up-to-date, taking caution against unsolicited and suspicious emails, regularly backing up important files, and cultivating a culture of cybersecurity in the workplace are just some of the best practices for defending against ransomware. IT/system administrators and information security professionals can further defend their organization’s perimeter by incorporating additional layers of security against suspicious files, processes, applications, and network activity that can be exploited and leveraged by ransomware. Users and businesses can also benefit from a multilayered approach to security that covers the gateway, endpoints, networks, and servers..."
(More detail at the trendmicro URL above.)
:fear::fear: :mad:
Fake 'PAYMENT', 'document', 'BACs Documents' SPAM, Trojan via js files
FYI...
Fake 'PAYMENT' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-...-link-exploit/
4 May 2017 - "An email with the subject of 'PAYMENT FOR YAREED' (I am assuming random names) coming from random names and email addresses with a malicious word doc attachment delivers some sort of malware via the CVE-2017-0199 word/rtf embedded ole -link- exploit...
Screenshot: https://myonlinesecurity.co.uk/wp-co...for-yareed.png
PO NO- YAREED-2017.doc (30kb) - Current Virus total detections 16/56*. Payload Security** shows a download of an hta file from
http ://alguemacultural .com/enessss.hta (VirusTotal 0/52***) (Payload Security[4])
The smaller second word doc also contacts the -same- location & downloads the -same- file
PO NO- YAREED-2017.doc (7kb) - Current Virus total detections 16/55[5] | Payload Security[6]
... The hta file is an executable html file that internet explorer -will- run... which is an encoded powershell script... which when decoded looks like this which downloads the genuine putty.exe from
https ://the.earth .li/~sgtatham/putty/0.68/w32/putty.exe which is -renamed- to nextobad.exe and autorun...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1493869646/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
174.136.152.24
*** https://www.virustotal.com/en/file/9...is/1493870176/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
46.43.34.31
5] https://www.virustotal.com/en/file/8...is/1493869660/
6] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
174.136.152.24
alguemacultural .com: 174.136.152.24: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/fc...dfbf/analysis/
the.earth .li: 46.43.34.31: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/87...faa1/analysis/
___
Fake 'document' SPAM - delivers malware
- https://myonlinesecurity.co.uk/open-...de-of-malware/
4 May 2017 - "... An email with the subject using -random- characters pretending to come from somebody that the recipient knows with a -link- to -download- a malicious word doc that delivers some sort of multi-stage malware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...Q-03681348.png
ZPDML-36-45320-document-May-04-2017.doc - Current Virus total detections 7/56*. Payload Security** shows a download from -numerous- different locations via powershell which gives 23905.exe (VirusTotal ***) (Payload Security[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1493873579/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
188.65.115.184
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
*** https://www.virustotal.com/en/file/9...is/1493852073/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
74.50.57.220
139.59.33.202
___
Fake 'BACs Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
4 May 2017 - "An email with the subject of 'Important BACs Documents' pretending to come from Lloyds Bank but actually coming from a look-alike domain <secure@ lloydsbankdocuments .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...-documents.png
BACs.doc - Current Virus total detections 6/56*. Payload Security** shows a download from
http ://www .247despatch .co.uk/grabondanods.png which of course is -not- an image file but a renamed .exe file that gets renamed to Gehsp.exe and autorun (VirusTotal 12/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1493896398/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
91.102.64.132
50.19.97.123
200.116.206.58
91.247.36.80
91.219.28.71
91.247.36.79
*** https://www.virustotal.com/en/file/1...is/1493896665/
247despatch .co.uk: 91.102.64.132: https://www.virustotal.com/en/ip-add...2/information/
> https://www.virustotal.com/en/url/89...6ed9/analysis/
___
Fake multiple subjects/attachments SPAM - delivers Trojan via js files
- https://myonlinesecurity.co.uk/massi...-via-js-files/
4 May 2017 - "... There have been numerous -different- subjects and campaign themes... some of them here:
'Our reference: 733092244' pretending to come from Eli Murchison <Hughchaplin@ yahoo .de>
'Hotel booking confirmation (Id:022528)' pretending to come from Booking <noreply@ sgs.bookings .com>
'DHL Shipment Notification : 0581957002' pretending to come from DHL Customer Support <support@ dhl .com>
'Re: img' pretending to come from seisei-1@ yahoo .de
'scan' pretending to come from stephen@ arrakis .es
Some of the file attachment names, -all- extracting to .js files, include:
reservation details 9I2XIIWTM.zip (VirusTotal [1]| Payload Security[2])
info-DOMESTIC_EXPRESS Pickup Date2017-05-04.zip (VirusTotal [3]| Payload Security[4])
img-A34401586965107279 jpeg.zip (VirusTotal [5]| Payload Security[6])
CCPAY9196902168.zip (VirusTotal [7]| Payload Security[8])
Scan P.1 0967945763.zip which is slightly different because it extracts -2- different .js files
(VirusTotal[9]| Payload Security[10]) (VirusTotal[11]| Payload Security[12])
Screenshots[1]: https://myonlinesecurity.co.uk/wp-co...-Id-022528.png
2] https://myonlinesecurity.co.uk/wp-co...-733092244.png
3] https://myonlinesecurity.co.uk/wp-co...0581957002.png
4] https://myonlinesecurity.co.uk/wp-co.../05/re_img.png
5] https://myonlinesecurity.co.uk/wp-co...birch_scan.png
-All- of these download the -same- malware from
http ://horcor .com/ese.tf -or-
http ://www .nemcicenadhanou .cz/nvdtime.prs which are -renamed- .exe files that are -renamed- to an .exe file and autorun (VirusTotal[13]| Payload Security[14])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/4...is/1493904287/
2] https://www.hybrid-analysis.com/samp...ironmentId=100
13] https://www.virustotal.com/en/file/c...is/1493900783/
14] https://www.hybrid-analysis.com/samp...ironmentId=100
horcor .com: 47.91.92.64: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/aa...d426/analysis/
Malicious site
nemcicenadhanou .cz: Could not find an IP address for this domain name. [May have been taken down...]
Fake 'Payment Advice' SPAM, 'update your mailbox' - phish
FYI...
Fake 'Payment Advice' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-...ivers-malware/
8 May 2017 - "... an email with the subject of 'FW: Payment Advice – Advice Ref:[G32887529930] / Priority payment / Customer Ref:[03132394]' pretending to come from HSBC Advising Service <050717.advisingservice@ mail .com>....
Screenshot: https://myonlinesecurity.co.uk/wp-co...vice-email.png
Payment_Advice.zip: Extracts to: Payment_Advice.scr - Current Virus total detections 32/62*. MALWR**...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1494218279/
** https://malwr.com/analysis/ZGM1MWIxN...QwYTlmZGRkMzQ/
___
Fake 'update your mailbox' - phish
- https://myonlinesecurity.co.uk/fake-...phishing-scam/
8 May 2017 - "... pretends to be a message from 'Email Support' to 'Update Your Mailbox'. Of course these do -not- come from Microsoft or Live .com but are -spoofed- to appear to come from them...
Screenshot: https://myonlinesecurity.co.uk/wp-co...hing-email.png
If you follow the link inside the email you see a webpage looking like this:
http ://www.mir-holoda .by/pic/fanc/en-gb/?email=jeremiah@ thespykiller .co.uk (where the email address the email was sent to is automatically inserted):
> https://myonlinesecurity.co.uk/wp-co...5/mailbox1.png
After you input your password, you first get told “checking details” then “incorrect details” and are forwarded to an almost identical looking page where you can put it in again:
> https://myonlinesecurity.co.uk/wp-co...5/mailbox2.png
> https://myonlinesecurity.co.uk/wp-co...5/mailbox3.png
> https://myonlinesecurity.co.uk/wp-co...5/mailbox4.png
... Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information..."
mir-holoda .by: 91.149.189.125: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/5d...8c26/analysis/
Fake 'pdf attachment', 'DHL Statements', 'nm.pdf', DHL, 'invoice' SPAM
FYI...
Fake 'pdf attachment' SPAM - delivers Locky/Dridex
- https://myonlinesecurity.co.uk/more-...f-attachments/
11 May 2017 - "... well used email template with varying subjects, literally hundreds if not thousands of them. These generally deliver either Locky ransomware or Dridex banking Trojan.
File_69348406
PDF_9859
Scan_2441975
Document_11048
Copy_9762
They -all- have a pdf attachment that drops a word doc with macros... all downloads from these locations which delivers an encrypted txt file that should be converted by the macro to a working .exe file but Payload security.... doesn’t seem able to convert it...
wipersdirect .com/f87346b
tending .info/f87346b
julian-g .ro/f87346b
I am being told this is a -new- ransomware called jaff ransomware*...
* https://twitter.com/siri_urz/status/862586080507424769
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
wipersdirect .com: 108.165.22.125: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/4a...9ec3/analysis/
tending .info: 80.75.98.151: https://www.virustotal.com/en/ip-add...1/information/
julian-g .ro: 86.35.15.215: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/46...2654/analysis/
___
Fake 'DHL Statements' SPAM - delivers js malware
- https://myonlinesecurity.co.uk/fake-...ivers-malware/
11 May 2017 - "... an email with the subject of '6109175302 Statements x Requests Required' (random numbers) pretending to come from bgyhub@ dhl .com with a zip attachment containing -2- differently named .js files which delivers some sort of malware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...s-Required.png
TYPE OF GOODS_DECLARATION.zip: Extracts to: DECLARATION (FORM).PDF.js -and- TYPE OF GOODS DOC.pdf.js
Current Virus total detections [1] [2]: Payload Security [3] [4] shows a download from one or both of these locations:
http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs which is renamed and autorun by the script (VirusTotal [5]) (Payload Security[6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/3...is/1494487534/
2] https://www.virustotal.com/en/file/a...is/1494487531/
3] https://www.hybrid-analysis.com/samp...ironmentId=100
4] https://www.hybrid-analysis.com/samp...ironmentId=100
5] https://www.virustotal.com/en/file/2...is/1494488118/
6] https://www.hybrid-analysis.com/samp...ironmentId=100
schuetzen-neusalz .de: 85.13.146.159: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/45...c5ce/analysis/
wersy .net: 217.29.53.99: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/5d...680e/analysis/
___
Malware spam with 'nm.pdf' attachment
- http://blog.dynamoo.com/2017/05/malw...ttachment.html
11 May 2017 - "Currently underway is a malicious spam run with various subjects, for example:
Scan_5902
Document_10354
File_43359
Senders are random, and there is -no- body text. In -all- cases there is a PDF attached named nm.pdf with an MD5 of D4690177C76B5E86FBD9D6B8E8EE23ED -or- 6B305C5B59C235122FD8049B1C4C794D (and possibly more). Detection rates at VirusTotal are moderate [1] [2].
The PDF file contains an embedded Word .docm macro document. Hybrid Analysis [3] [4] is partly successful: it shows a run-time error for the malicious code, but it does demonstrate that the malicious .docm file is dropped, with a detection rate of 15/58[5].
Putting the .docm file back into Hybrid Analysis and Malwr [6] [7] shows the same sort of results, namely a download from:
easysupport .us/f87346b ...
UPDATE: A contact pointed out this Hybrid Analysis[X] which looks like basically the same thing, only in this sample the download seems to work. Note the references to "jaff" in the report, which -matches- this Tweet[8] about something called "Jaff ransomware".
That report also gives two other locations to look out for:
trialinsider .com/f87346b
fkksjobnn43 .org/a5/
This currently gives a recommended blocklist of:
47.91.107.213
trialinsider .com
easysupport .us "
1] https://virustotal.com/en/file/e148f...is/1494492097/
2] https://virustotal.com/en/file/0ee0b...is/1494492251/
3] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
198.58.93.28 - easysupport .us
- https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/23...e188/analysis/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
198.58.93.28 - easysupport .us
5] https://virustotal.com/en/file/60446...is/1494492613/
6] https://www.hybrid-analysis.com/samp...ironmentId=100
198.58.93.28 - easysupport .us
> https://www.virustotal.com/en/url/23...e188/analysis/
7] https://malwr.com/analysis/NjE5YjEyN...Y1NjU5ZDViNzk/
8] https://twitter.com/malwrhunterteam/...97006363152385
X] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
107.154.168.227 - trialinsider .com
47.91.107.213 - fkksjobnn43 .org
trialinsider .com: 107.154.161.227: https://www.virustotal.com/en/ip-add...7/information/
> https://www.virustotal.com/en/url/5c...291a/analysis/
107.154.168.227: https://www.virustotal.com/en/ip-add...7/information/
> https://www.virustotal.com/en/url/5c...291a/analysis/
fkksjobnn43 .org: 47.91.107.213: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/71...e012/analysis/
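A defensive triage check, added here as an example and not taken from any of the quoted posts, that scores a mail against the indicators these reports give: the Scan_/Document_/File_/PDF_/Copy_ subject shape, the document-name-plus-.js double extensions from the 'DHL Statements' post, the two nm.pdf MD5s, dynamoo's recommended blocklist and the shared /f87346b download path. The Message class, the sample messages and the clean sample's hash are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Indicators quoted in the posts above; everything else in this file is constructed.
KNOWN_MD5 = {"d4690177c76b5e86fbd9d6b8e8ee23ed", "6b305c5b59c235122fd8049b1c4c794d"}  # nm.pdf samples
BLOCKLIST = {"47.91.107.213", "trialinsider.com", "easysupport.us"}  # dynamoo's recommended blocklist
# Subject shapes from the Jaff/Locky run: Scan_5902, Document_10354, File_43359, PDF_9859, Copy_9762
SUBJECT_RE = re.compile(r"^(?:Scan|Document|File|PDF|Copy)_\d+$")
# A script hiding behind a document-looking name, e.g. DECLARATION (FORM).PDF.js
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|jpe?g|png)\.(?:js|jse|wsf|vbs)$", re.I)
DOWNLOAD_PATH_RE = re.compile(r"/f87346b$")  # download path shared by the Jaff hosts in the reports


@dataclass
class Message:
    subject: str
    attachments: list                               # names, including files extracted from a zip
    md5s: set = field(default_factory=set)          # hashes of the attachments
    contacted: list = field(default_factory=list)   # hosts/URLs seen in sandbox output


def triage(msg: Message) -> list:
    """Return every indicator match; an empty list means nothing from these runs was seen."""
    hits = []
    if SUBJECT_RE.match(msg.subject.strip()):
        hits.append("subject:jaff-pattern")
    for name in msg.attachments:
        if DOUBLE_EXT_RE.search(name):
            hits.append(f"attachment:double-extension:{name}")
    for h in sorted(msg.md5s):
        if h.lower() in KNOWN_MD5:
            hits.append(f"md5:known-nm.pdf:{h.lower()}")
    for target in msg.contacted:
        # Reduce a URL or bare host to the host part before comparing with the blocklist.
        host = re.sub(r"^https?://", "", target).split("/", 1)[0].lower()
        if host in BLOCKLIST:
            hits.append(f"host:blocklisted:{host}")
        if DOWNLOAD_PATH_RE.search(target):
            hits.append(f"url:jaff-download-path:{target}")
    return hits


# Constructed samples mirroring the reports; the clean message's hash is made up.
SAMPLES = {
    "jaff": Message("Scan_5902", ["nm.pdf"], {"D4690177C76B5E86FBD9D6B8E8EE23ED"},
                    ["http://easysupport.us/f87346b"]),
    "dhl_js": Message("6109175302 Statements x Requests Required",
                      ["TYPE OF GOODS_DECLARATION.zip", "DECLARATION (FORM).PDF.js",
                       "TYPE OF GOODS DOC.pdf.js"]),
    "clean": Message("Re: meeting notes", ["notes.pdf"], {"0" * 32}),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, triage(sample))
```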
___
Fake 'DHL' SPAM - delivers Trojan
- https://myonlinesecurity.co.uk/more-...anking-trojan/
11 May 2017 - "... an email with the subject of 'Fwd: DHL Redelivery Confirmation #574068024996' (random numbers) pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers Ursnif banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...redelivery.png
request-redelivery-2017053299810.pdf.js - Current Virus total detections 1/57*. Payload Security** shows a download from one or both of these locations
http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
which is -renamed- and autorun by the script (VirusTotal 9/62***) (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1494500118/
** https://www.hybrid-analysis.com/samp...ironmentId=100
*** https://www.virustotal.com/en/file/2...is/1494488118/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
schuetzen-neusalz .de: 85.13.146.159: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/45...c5ce/analysis/
wersy .net: 217.29.53.99: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/5d...680e/analysis/
___
Fake 'invoice' SPAM - using docs with embedded ole objects
- https://myonlinesecurity.co.uk/ursni...d-ole-objects/
11 May 2017 - "... banking Trojans. This one is using a different delivery method to try to throw us off track... this has a word docx attachment that contains an embedded ole object that when you click on the blurry image in the word doc, thinking you are opening an invoice you actually open & run the embedded hidden .js file. This pretends to be an invoice coming from random senders:
> https://myonlinesecurity.co.uk/wp-co...ole-object.png
Screenshot: https://myonlinesecurity.co.uk/wp-co...zi-invoice.png
7398219046.docx - Current Virus total detections 2/58*. Payload Security** shows the dropped .js file but doesn’t make it available for download. I had to get that manually (VirusTotal 1/55***) (Payload Security[4]) which shows the same connections and download from one or both of these locations
http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
which is renamed and autorun by the script (VirusTotal 9/62[5]) (Payload Security[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1494509580/
** https://www.hybrid-analysis.com/samp...ironmentId=100
*** https://www.virustotal.com/en/file/6...is/1494508789/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
5] https://www.virustotal.com/en/file/2...is/1494488118/
6] https://www.hybrid-analysis.com/samp...ironmentId=100
schuetzen-neusalz .de: 85.13.146.159: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/45...c5ce/analysis/
wersy .net: 217.29.53.99: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/5d...680e/analysis/
___
New ‘Jaff’ ransomware via Necurs ...
- https://blog.malwarebytes.com/cyberc...sks-for-2-btc/
May 11, 2017 - "... yet another ransomware on the block, but contrary to the many copycats out there this one appears to be more serious and widespread since it is part of the Necurs spam campaigns... Jaff ransomware looks very identical to Locky in many ways: same distribution via the Necurs botnet, same PDF that opens up a Word document with a macro, and also similar payment page:
> https://blog.malwarebytes.com/wp-con...7/05/email.png
...
> https://blog.malwarebytes.com/wp-con...Jaff_decoy.png
... this is where the comparison ends, since the code base is different as well as the ransom itself. Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing:
> https://blog.malwarebytes.com/wp-con.../encrypted.png
... the return of Locky after a short hiatus has not been as big as anticipated. The appearance of the Jaff ransomware may also take away some market shares from it."
Fake 'Scanned image' SPAM, Necurs botnet, U.K. Hospitals Hit - Ransomware
FYI...
Fake 'Scanned image' SPAM - delivers jaff ransomware
- https://myonlinesecurity.co.uk/scann...ff-ransomware/
12 May 2017 - "An email with the subject of 'Scanned image' coming or pretending to come from random email addresses with a pdf attachment that contains an embedded malicious word doc delivers jaff ransomware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...-image_pdf.png
20170512605164.pdf - which drops N5OSUHX.docm - Current Virus total detections [pdf*] [docm**]:
Payload Security [pdf...] [docm(4)] shows a download of an encrypted txt file from
http ://trebleimp .com/77g643 which is converted by the macro to ratchet20.exe ... It also shows a connection to
http ://h552terriddows .com/a5/ which gives a created message...
>> Update: managed to get the ratchet20.exe file via:
> https://jbxcloud.joesecurity.org/analysis/268338/1/html - (VirusTotal [5]) (Payload Security[6])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1494559929/
** https://www.virustotal.com/en/file/4...is/1494562144/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
27.254.44.204
47.91.107.213
5] https://www.virustotal.com/en/file/0...is/1494559081/
6] https://www.hybrid-analysis.com/samp...ironmentId=100
trebleimp .com: 27.254.44.204: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/69...c8ba/analysis/
h552terriddows .com: 47.91.107.213: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/52...cafd/analysis/
___
U.K. Hospitals Hit - Widespread Ransomware Attack
- https://krebsonsecurity.com/2017/05/...omware-attack/
May 12, 2017 - "At least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware... there are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft:
Ransom note left behind on computers infected with the Wanna Decryptor ransomware strain.
Image: BleepingComputer
> https://krebsonsecurity.com/wp-conte...na-580x285.png
In a statement*, the U.K.’s National Health Service (NHS) said a number of NHS organizations had suffered ransomware attacks... According to CCN-CERT, that flaw is MS17-010**, a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers rely upon to share files and printers across a local network. Malware that exploits SMB flaws could be extremely dangerous inside of corporate networks because the file-sharing component may help the ransomware spread rapidly from one infected machine to another..."
* https://www.digital.nhs.uk/article/1...S-cyber-attack
** https://technet.microsoft.com/en-us/.../ms17-010.aspx
March 14, 2017