Fake 'USPS, UPS, DHL, FEDEX' SPAM, Kelihos Botnet takedown
FYI...
Fake 'USPS, UPS, DHL, FEDEX' SPAM - delivers mole ransomware
- https://myonlinesecurity.co.uk/more-...le-ransomware/
12 Apr 2017 - "... USPS, UPS, DHL, FEDEX and all the other delivery companies being spoofed and emails pretending to be from them delivering all sorts of malware, usually via zip attachments containing JavaScript files. I saw this post on Sans Security blog*... and expected that I would soon see them... they started to flood in today.
* https://isc.sans.edu/diary.html?storyid=22290
There are a multitude of different subjects. Some of the ones I received today are:
' Official notice regarding your order
IMPORTANT USPS MONEYBACK INFO IN REGARDS TO YOUR PARCEL
AUTOMATED notice in regards to your parcel’s status
WARNING: INFO ABOUT A LATEST REFUND '
These subjects today are different to the unusual subjects we see listed in the sans blog post.
Typical senders -imitating- USPS include:
USPS Delivery <huo4@ doverealty .net>
USPS Express Delivery <ooyyomq57575452@ avensonline .org>
USPS Priority Parcels <rejunwuj75324281@ vki-interiors .com>
USPS Ground Support <heyluogf13136286@ parcerianet .com.br> ...
... these -all- use various subdomains of ideliverys .com... you see what looks like a word online website and you are invited to download the latest 'plugin' version to read the documents online:
> https://myonlinesecurity.co.uk/wp-co...ine-plugin.png
plugin.exe - Current Virus total detections 29/60**. Payload Security***... I assume this is the same mole ransomware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustotal.com/en/file/8...7b11/analysis/
*** https://www.hybrid-analysis.com/samp...ironmentId=100
ideliverys .com: 47.91.88.133: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/16...9d0f/analysis/
- https://myonlinesecurity.co.uk/chang...ering-malware/
13 Apr 2017 - "... USPS, UPS, DHL, FEDEX SPAM... a -hybrid- campaign mixing elements of all the previous campaigns...
Screenshot: https://myonlinesecurity.co.uk/wp-co...EFUND-INFO.png
... These all use various subdomains of maildeliverys .com to divert to
http ://tramplinonline .ru/counter/1.htm where you see what looks like a word online website and you are invited to download the -latest- 'plugin' version to read the documents online:
> https://myonlinesecurity.co.uk/wp-co...trampoline.png
... this is where the hybrid element comes into play. Once you press download, you get a zip file plugin.zip which extracts to plugin.js ... starts with the first site in the array (var ll) and then downloads these; if the first site cannot be contacted or the file is missing, it moves on to the next site and so on, eventually giving -3- malware files.
/counter/exe1.exe (mole ransomware) VirusTotal 6/62[1]
/counter/exe2.exe delivers kovter/powerliks VirusTotal 7/62[2]
/counter/exe3.exe VirusTotal 0/61[3] | VirusTotal 3/62[4] (first one possibly corrupt)
Today’s sites are:
forum-turism .org.ro/images/layout
boorsemsport .be/templates/yoo_aurora/less/uikit
eurostandard .ro/pics/size1
alita .kz/tmp/installation/language/cs-CZ
sportbelijning .be/libraries/joomla/application/web
tramplinonline .ru
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/3...is/1492102514/
2] https://www.virustotal.com/en/file/2...is/1492110707/
3] https://www.virustotal.com/en/file/9...is/1492110713/
4] https://www.virustotal.com/en/file/b...is/1492109005/
maildeliverys .com: 47.91.88.133: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/71...b637/analysis/
tramplinonline .ru: 92.242.42.146: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/aa...991e/analysis/
___
Kelihos.E Botnet – Takedown
- http://blog.shadowserver.org/2017/04/12/kelihos-e/
April 12, 2017 - "On Monday April 10th 2017, The US Department of Justice (DOJ) announced* a successful operation to take down the Kelihos Botnet and arrest the suspected botnet operator. The Kelihos botnet (and its predecessor Waledec) was one of the most active spamming botnets. Earlier versions of the malware were also involved in delivering trojan horses, stealing user credentials and crypto currency wallets, and in crypto currency mining. The Kelihos botnet was made up of a network of tens of thousands of infected Windows hosts worldwide. It used its own peer-to-peer (P2P) protocol, along with backup DNS domains, to provide resilient command and control (C2) facilities... The Kelihos.E botnet takedown occurred on Friday April 8th 2017, with 100% of the peer-to-peer network being successfully taken over by law enforcement and C2 traffic redirected to our sinkholes, C2 backend server infrastructure being seized/disrupted, as well as multiple fallback DNS domains being successfully sinkholed under US court order..."
* https://www.justice.gov/opa/pr/justi...lihos-botnet-0
April 10, 2017 - "The Justice Department today announced an extensive effort to disrupt and dismantle the Kelihos botnet – a global network of tens of thousands of infected computers under the control of a cybercriminal that was used to facilitate malicious activities including harvesting login credentials, distributing hundreds of millions of spam e-mails, and installing ransomware and other malicious software..."
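A note on the plugin.js "walk the array until something answers" behaviour described above: a sandbox only records the host that happened to respond, so blocking just that one leaves the fallbacks live. The script below is an added example (mine, not code from the post or the blog it quotes) that pulls every string array out of such a dropper textually, without evaluating any JavaScript, and crosses the host entries with the path entries so the whole fallback list can be blocked. The JavaScript sample inside it is constructed for the demo: the six hosts and the three /counter/exeN.exe names are the ones listed in the post, but the surrounding code and the array name "ff" are stand-ins, not the real obfuscated dropper.

```python
import re
from itertools import product
from urllib.parse import urlsplit

# CONSTRUCTED stand-in for plugin.js: the host list and the three file names are
# the ones given in the post; the surrounding JavaScript is invented for the demo
# and is not the real (obfuscated) dropper.
SAMPLE_JS = r"""
var ll = ["forum-turism.org.ro/images/layout",
          "boorsemsport.be/templates/yoo_aurora/less/uikit",
          "eurostandard.ro/pics/size1",
          "alita.kz/tmp/installation/language/cs-CZ",
          "sportbelijning.be/libraries/joomla/application/web",
          "tramplinonline.ru"];
var ff = ['/counter/exe1.exe', '/counter/exe2.exe', '/counter/exe3.exe'];
for (var i = 0; i < ll.length; i++) { /* fetch ll[i] + ff[j]; on failure try ll[i+1] */ }
"""

_ARRAY = re.compile(r'var\s+(\w+)\s*=\s*\[(.*?)\]\s*;', re.S)
_STR_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
_HOSTISH = re.compile(r'^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/|$)', re.I)


def js_string_arrays(js):
    """{array name: [string literals]} for every `var name = [...];` in the script.
    Purely textual: nothing is evaluated, so the sample is never 'run'."""
    return {m.group(1): [a or b for a, b in _STR_LIT.findall(m.group(2))]
            for m in _ARRAY.finditer(js)}


def expand_dropper_urls(js, scheme="http"):
    """Cross every host-looking literal with every path-looking literal.
    The dropper tries host[0]+path, then host[1]+path, ... so every combination
    is a URL worth blocking, not just the one that answered in the sandbox."""
    literals = [s for vals in js_string_arrays(js).values() for s in vals]
    hosts = [s for s in literals if _HOSTISH.match(s)]
    paths = [s for s in literals if s.startswith("/")]
    urls = []
    for host, path in product(hosts, paths):
        base = host if host.lower().startswith(("http://", "https://")) else f"{scheme}://{host}"
        urls.append(base.rstrip("/") + path)
    netlocs = sorted({urlsplit(u).netloc.lower() for u in urls})
    return {"urls": urls, "hosts": netlocs}


def defang(url):
    """hxxp://host[.]tld form for pasting into reports without a clickable link."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


if __name__ == "__main__":
    result = expand_dropper_urls(SAMPLE_JS)
    for u in result["urls"]:
        print(defang(u))
    print(len(result["urls"]), "URLs across", len(result["hosts"]), "hosts")
```

The host regex is deliberately loose (anything with a dotted name at the start of the literal) because these droppers usually omit the scheme; if a real sample stores the scheme in a separate literal or builds hosts by concatenation, the arrays still come out of js_string_arrays and the join has to be done by hand.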
Fake 'order proforma invoice' SPAM
FYI...
Fake 'order proforma invoice' SPAM - delivers 'RAT'
- https://myonlinesecurity.co.uk/reque...ty-link-r-a-t/
16 Apr 2017 - "... -fake- 'Request for 1st new order proforma invoice' -scam- delivers luminosity link Remote Access Tool Trojan* which is being heavily misused...
* http://researchcenter.paloaltonetwor...configuration/
Screenshot: https://myonlinesecurity.co.uk/wp-co...ma-invoice.png
... The -link-in-the-email-body- goes to
http ://bit .ly/2oWFVzK which directs to
http ://www .internationalconfirmation .com/re-direct-live.php which downloads the malware from
http ://redbulconfirm .host/LIST%20OF%20ORDERS%20FOR%20PROFORMA%20INVOICE .JPG .com...
LIST OF ORDERS FOR PROFORMA INVOICE.JPG .com - Current Virus total detections 16/60*. Payload Security** which is describing it as luminosity link Trojan... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c...is/1492341398/
** https://www.reverse.it/sample/c67e5f...ironmentId=100
Contacted Hosts
192.166.218.230
internationalconfirmation .com: 69.65.33.119: https://www.virustotal.com/en/ip-add...9/information/
redbulconfirm .host: 68.65.122.167: https://www.virustotal.com/en/ip-add...7/information/
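The download name in this one, LIST OF ORDERS FOR PROFORMA INVOICE.JPG.com (the blog writes the dots with spaces to keep it from being clickable), is the classic double-extension trick: Windows types the file by its last extension, so it is a .com executable however much the name says JPG. Below is an added example (mine, not from the post or blog) of a filename check a mail gateway or a triage script can apply to attachment names and to the last path segment of download URLs. It percent-decodes %20, undoes the blog's defanging, drops the trailing spaces/dots Windows strips on file creation, and only flags names where an executable extension hides behind a document or image one; a plain setup.exe is not "deceptive" and is left to other controls. The extension lists are my own choices, not something the post specifies.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Extensions Windows executes (or hands to a script host) on double-click. My list, not the post's.
EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "js", "jse", "vbs",
                  "vbe", "wsf", "wsh", "hta", "ps1", "msi", "cpl", "lnk", "jar"}
# Extensions a lure pretends to be.
DECOY_EXT = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "docx", "xls",
             "xlsx", "ppt", "pptx", "txt", "rtf", "zip", "htm", "html"}


def refang(name):
    """Undo the ' .' / '[.]' spacing the quoted blog uses to make names non-clickable."""
    return re.sub(r"\s+\.", ".", name.replace("[.]", "."))


def filename_from_url(url):
    """Last path segment of a URL, percent-decoded (so %20 becomes a space)."""
    return unquote(posixpath.basename(urlsplit(url).path))


def classify_filename(name):
    """(is_deceptive, real_extension, decoy_extension).

    Windows keys the file type on the LAST extension, so 'INVOICE.JPG.com' is a
    .com executable whatever the icon suggests. Trailing spaces and dots are
    dropped because Windows strips them when it creates the file."""
    name = refang(unquote(name)).rstrip(" .")
    parts = name.lower().split(".")
    if len(parts) < 2:
        return (False, "", "")
    real = parts[-1]
    decoy = parts[-2] if len(parts) >= 3 else ""
    return (real in EXECUTABLE_EXT and decoy in DECOY_EXT, real, decoy)


if __name__ == "__main__":
    for n in ("LIST OF ORDERS FOR PROFORMA INVOICE.JPG .com", "report.pdf", "photo.jpg.exe"):
        print(n, "->", classify_filename(n))
```

Note that this catches only the extension trick; a bare .com or .scr attachment, or an archive wrapping one, needs an attachment-type policy rather than a name heuristic.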
Fake 'ftc refund' SPAM, Many PayPal Phish
FYI...
Fake 'ftc refund' SPAM - leads to malware
- http://blog.dynamoo.com/2017/04/malw...tc-refund.html
17 Apr 2017 - "This -fake- FTC email leads to malware. Curiously, it was sent to a company that received a multimillion dollar FTC -fine- but this is almost definitely a coincidence:
From: Federal Trade Commission [secretary@ ftccomplaintassistant .com]
Date: 17 April 2017 at 15:25
Subject: RE: RE: ftc refund
It seems we can claim a refund from the FTC.
Check this out and give me a call.
https ://www .ftc .gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
Thank you
James Newman
Senior Accountant
secretary@ ftccomplaintassistant .com ...
The link-in-the-email actually goes to a URL beginning http ://thecomplete180 .com/view.php?id= followed by a Base64-encoded string that appears to be 6281 + recipient email address + 5434 ... this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56*. The Word document itself tries to persuade victims to 'enable macros', which would be a -bad- idea:
> https://3.bp.blogspot.com/-ory5Evv0t.../fake-word.png
* https://www.virustotal.com/en/file/c...is/1492451191/
Automated analysis [1] [2] shows network traffic:
1] https://malwr.com/analysis/YTBlYzI1M...E3OTUxNzYwN2I/
Hosts
54.235.135.158
212.116.113.108
186.202.127.62
87.118.126.207
2] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (18)
... This gives us a pretty useful minimum blocklist:
178.170.189.254
185.146.1.4
185.48.56.63
185.80.53.76
188.127.237.232
193.105.240.2
194.1.239.63
195.54.163.94
212.116.113.108
46.148.26.87
47.90.202.88
77.246.149.100
87.118.126.207
88.214.236.158
91.230.211.67
93.189.43.36 "
___
Many PayPal Phish
- https://myonlinesecurity.co.uk/dont-...ypal-phishing/
17 Apr 2017 - "... -lots- of phishing attempts for Paypal login account credentials... These definitely do -not- come from a “Trusted Sender”. The spelling and grammar mistakes in the email are more than enough to raise red flags...
Screenshot: https://myonlinesecurity.co.uk/wp-co...be-blocked.png
... If you follow-the-link when you use Internet Explorer you start with:
http : //www .asclepiade .ch/sites/default/files/languages/red.html which -redirects- you to:
https: //indimedia .co.uk/kasfolio/iceage3overlay/english/pp/
you see a webpage looking like this:
> https://myonlinesecurity.co.uk/wp-co...bitchboots.png
BUT if you use Firefox or Google Chrome, then you get:
http ://www .asclepiade .ch/sites/default/files/languages/red.html which -redirects- you to:
https ://indimedia .co.uk/kasfolio/iceage3overlay/english/pp/ which -redirects- to:
https ://indimedia .co.uk/kasfolio/iceage3overlay/english/pp/login?cmd=_signin&dispatch=8b262247e1b6f7c468c785df9&locale=en_GB and gives the typical PayPal phishing page
(you get a different random dispatch= number each time):
> https://myonlinesecurity.co.uk/wp-co...a-pp_phish.png
... Where pressing 'continue' takes you to the usual 'give me your credit card, bank account, address, phone number' and any other information they can think of, to be able to totally steal your identity and all financial accounts..."
indimedia .co.uk: 216.222.194.4: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/b6...184e/analysis/
> https://www.virustotal.com/en/url/29...b0f8/analysis/
asclepiade .ch: 213.221.153.48: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/90...830a/analysis/
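The view.php?id= parameter in the FTC mail is worth decoding rather than just blocking: if the id really is digits + recipient address + digits, every link in your mail logs tells you which mailbox was targeted, and the digit runs can be used to cluster messages from the same list. Here is an added example (my code, not Dynamoo's) that decodes such an id and splits it on that assumed layout. It is lenient about what happens to Base64 in a URL (stripped "=" padding, "+" turned into a space by query parsing, URL-safe "-"/"_" alphabet) and returns None on anything that is not decodable. The sample id is constructed from the 6281/5434 markers reported in the post and a fictional address; the split into prefix/email/suffix is only as good as the layout the post infers.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Layout the post infers for the decoded id: digits, then the recipient address,
# then more digits. Assumed, not confirmed: a local part that itself starts with
# digits would be split wrongly by the greedy leading \d*.
_ID_LAYOUT = re.compile(r"^(\d*)([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})(\d*)$")


def b64_decode_lenient(s):
    """Decode Base64 as it survives a URL: URL-safe alphabet, '+' turned into a
    space by query parsing, and stripped '=' padding are all tolerated."""
    s = s.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def decode_tracking_id(url):
    """Return {'raw', 'prefix', 'email', 'suffix'} for a view.php?id=... link,
    or None if there is no id or it is not Base64 / UTF-8."""
    ids = parse_qs(urlsplit(url).query).get("id")
    if not ids:
        return None
    try:
        raw = b64_decode_lenient(ids[0]).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    m = _ID_LAYOUT.match(raw)
    if not m:
        return {"raw": raw, "prefix": "", "email": None, "suffix": ""}
    return {"raw": raw, "prefix": m.group(1), "email": m.group(2), "suffix": m.group(3)}


# CONSTRUCTED sample: the markers 6281/5434 are the ones the post reports; the
# mailbox is fictional. Real links carry the actual recipient, i.e. the target.
SAMPLE_ID = base64.b64encode(b"6281victim@example.com5434").decode().rstrip("=")
SAMPLE_URL = "http://thecomplete180.com/view.php?id=" + SAMPLE_ID

if __name__ == "__main__":
    print(decode_tracking_id(SAMPLE_URL))
```

Run it over the URLs from your proxy or mail-gateway click logs rather than the message bodies: a decoded address that appears in the click log is a user who followed the link, which is the list you actually want to chase.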
'Protected View Mode' for MS Word docs
FYI...
'Protected View Mode' for MS Word docs
> https://www.askwoody.com/2017/what-e...ge-of-malware/
April 17, 2017 - "... 'Protected View Mode' is enabled by default in Word 2010 and later, but Word 2007 and earlier -don’t- have Protected View... See screenshot:
> https://www.askwoody.com/wp-content/...iew-768x45.jpg
If you click 'Enable Editing', the malware fires automatically — you don’t need to do anything more.
If you open an attached DOC from Gmail, it’s harmless, -unless- you download the file, -then- open the DOC in Word and -then- click 'Enable Editing'. Moral of the story: Use Gmail*. Failing that, don’t click 'Enable Editing'..."
* https://mail.google.com/mail/#inbox
>> https://www.howtogeek.com/302740/how...-being-hacked/
April 13, 2017
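What makes "download it, open it, click Enable Editing" the dangerous sequence is the mark-of-the-web: a browser download gets a Zone.Identifier alternate data stream with ZoneId=3 (Internet), and Word opens files carrying zone 3 or 4 in Protected View. Gmail's in-browser preview never hands Word the file at all. A file copied in from a network share, a USB stick formatted FAT, or an archiver that does not propagate the stream arrives with no mark and opens fully trusted, which is the case the askwoody advice does not cover. The snippet below is an added example (mine, not from askwoody) that parses that stream and says whether Protected View should be expected; the sample stream content is constructed, and the reader helper only works on Windows/NTFS.

```python
import sys

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# CONSTRUCTED sample of what a browser writes next to a downloaded attachment.
# The Zone.Identifier stream is the "mark of the web" that Office checks; the
# referrer/host URLs are illustrative values, not captured ones.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://mail.google.com/\r\n"
                 "HostUrl=https://mail-attachment.googleusercontent.com/attachment/\r\n")


def parse_zone_identifier(text):
    """Parse the INI-style Zone.Identifier contents into a dict of its [ZoneTransfer] keys."""
    section, fields = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def motw_verdict(text):
    """(zone_id, zone_name, protected_view_expected).
    Office opens Internet (3) and Restricted (4) zone files in Protected View;
    a file with no stream at all is treated as local and opens fully trusted."""
    fields = parse_zone_identifier(text)
    if "ZoneId" not in fields or not fields["ZoneId"].isdigit():
        return (None, "no mark-of-the-web", False)
    zone = int(fields["ZoneId"])
    return (zone, ZONE_NAMES.get(zone, "unknown"), zone >= 3)


def read_zone_identifier(path):
    """Windows/NTFS only: read the alternate data stream. Returns '' if the stream is
    absent or this is not Windows. The stream does not survive a copy to FAT/exFAT
    media, and some archivers do not propagate it to extracted files."""
    if not sys.platform.startswith("win"):
        return ""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    stream = read_zone_identifier(target) if target else SAMPLE_STREAM
    print(target or "(sample)", "->", motw_verdict(stream))
```

Run it as `python motw.py "C:\Users\me\Downloads\FTC_refund.doc"` on the box in question; a verdict of "no mark-of-the-web" on something that came from outside is the signal that Protected View will not save you and the macro setting itself has to do the work.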
Fake 'USPS', 'invoice' SPAM, Malicious Excel Sheets
FYI...
Fake 'USPS' SPAM - delivers Zbot via fake Word online sites
- https://myonlinesecurity.co.uk/more-...-online-sites/
19 Apr 2017 - "... Today they have changed slightly again and now just have a link-to-a-site where you download a single executable file that pretends to be a plugin that allows you to read the documents online. Today (so far) they are all Zbot/Panda Banking Trojans
plugin_office_update_KB093211.exe (VirusTotal 7/61*) | Payload Security**...
* https://www.virustotal.com/en/file/b...is/1492568116/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Typical senders imitating USPS include:
USPS Ground Support <zmesat742@ hetaudabazar .com>
USPS Support Management <cykobezr0@ okamacr .com>
USPS TechConnect <oysvuadv78382@ thewons .com>
USPS Delivery <yrok10507057@ taviexport .com>
USPS Support Management <gywer6@ nicolasprioux .com>
USPS TechConnect <kapifa78036@ hashmkt .com>
USPS Home Delivery <vyfhob22148305@ seedtech .co.in>
USPS Priority Parcels <lameipgo65@ mtpub .com>
USPS Priority <yhqez882670@ affection .org>
There are a multitude of different subjects. Some of the ones I received today are:
WARNING: TROUBLE WITH YOUR ITEM
ATTENTION REQUIRED: DETAILS ABOUT A IMPENDING REFUND
URGENT USPS MONEYBACK INFORMATION CONCERNING YOUR PARCEL
WARNING: you’re legally obliged to review the status of your parcel
URGENT: notification of delay of your parcel
Official letter concerning your order
Major problems reported to the USPS customer support
WARNING: INFORMATION ON YOUR IMPENDING REFUND
IMMEDIATE ACTION REQUIRED: your shipment’s been postponed
URGENT USPS MONEYBACK INFO CONCERNING YOUR SHIPMENT
AUTOMATED letter regarding your shipment’s location
OFFICIAL USPS REFUND INFO
Official notice from USPS
WARNING: ISSUES WITH YOUR SHIPMENT
USPS USER URGENT NEW INFO CONCERNING YOUR PACKAGE
WARNING: PROBLEMS WITH YOUR ORDER
OFFICIAL USPS system statement
USPS official notice: major trouble with your parcel
USPS customer support team notice: your shipment has been postponed
Screenshots: https://myonlinesecurity.co.uk/wp-co...SPS-email1.png
> https://myonlinesecurity.co.uk/wp-co...SPS-email2.png
> https://myonlinesecurity.co.uk/wp-co...SPS-email3.png
All have links-in-the-email body to a -fake- word online website and you are invited to download the latest plugin version to read the documents online:
> https://myonlinesecurity.co.uk/wp-co...ine-plugin.png
... The basic rule is NEVER open any attachment (or -link-) in an email, unless you are expecting it..."
___
Fake 'invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
19 Apr 2017 - "An email with the subject of 'Copy of your 123-reg invoice (123-230044839)' [random numbers] pretending to come from no-reply@ 123-reg .co.uk with a malicious pdf attachment that contains an embedded word doc delivers Dridex banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ke-invoice.png
123-230044839-reg-invoice.pdf - Current Virus total detections 10/57*. Payload Security** shows a download from
http ://jeanevermore .com/6gfd43 that is converted by the macro to redchip2.exe (VirusTotal 10/61***)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1492601252/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
216.117.150.240
216.177.132.93
152.66.249.132
85.214.113.207
192.184.84.119
*** https://www.virustotal.com/en/file/7...is/1492594268/
- http://blog.dynamoo.com/2017/04/malw...r-123-reg.html
19 Apr 2017 - "This -fake- financial spam does not come from 123-Reg (nor is it sent to 123-Reg customers). It has a malicious attachment.
From no-reply@ 123-reg .co.uk
Date Wed, 19 Apr 2017 17:19:51 +0500
Subject Copy of your 123-reg invoice ( 123-093702027 )
Hi [redacted],
Thank you for your order.
Please find attached to this email a receipt for this payment.
Help and support
If you are still stuck why not contact our support team? Simply visit our 123-reg
Support Centre and click on the Ask a Question tab.
Thank you for choosing 123-reg.
The 123-reg team...
The invoice number is randomly generated. The attachment is a PDF file with a name matching the invoice number (e.g. 123-093702027-reg-invoice.pdf). This PDF file appears to drop an Office document according to VirusTotal results 12/56*. Hybrid Analysis** shows the document dropping a malicious executable with a detection rate of 15/61***. It appears to contact the following IPs (some of which contain legitimate sites):
216.87.186.15 (Affinity Internet, US)
216.177.132.93 (Alentus Corporation, US)
152.66.249.132 (Budapest University of Technology and Economics, Budapest)
85.214.113.207 (Strato AG, Germany)
192.184.84.119 (RamNode LLC, US)
The general prognosis seems to be that this is dropping the Dridex banking trojan.
Recommended blocklist:
216.87.186.15
216.177.132.93
152.66.249.132
85.214.113.207
192.184.84.119 "
* https://virustotal.com/en/file/49671...is/1492608695/
** https://www.hybrid-analysis.com/samp...ironmentId=100
*** https://www.virustotal.com/en/file/7...7872/analysis/
___
Malicious Excel Sheets...
- https://isc.sans.edu/diary.html?storyid=22322
2017-04-19 - "... found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file. The Excel file looked classic, asking the user to enable macros:
> https://isc.sans.edu/diaryimages/images/xls1.png
... the macro was, as usual, to download the malicious PE file, to store it on the disk and to execute it. The PE file has a VT score of 10/60[1]. This is not the first time that I saw this way of passing data to the macro. It’s easy to configure campaigns with many URLs and samples without touching the macro. I had a bunch of 400 malicious Excel sheets to inspect... bad guys also use data stored in the document itself and access it from the VBA code. I also saw a few times white text on white background in Word documents..."
(More detail at the isc URL above.)
1] https://www.virustotal.com/en/file/3...is/1491843226/
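On the SANS item about Excel sheets that keep the download URL in cells and let a tiny VBA stub read it back: the useful consequence for triage is that the indicators are in the worksheet XML, not in the macro, so you can get them without opening Excel or touching the VBA at all. Here is an added example (my code, not the diary's) that reads every string cell straight out of the OOXML zip (shared strings, inline strings and formula-result strings), then joins each row in column order the way a concatenating macro would, and flags rows that look like a download-and-run recipe. It assumes the file is OOXML (.xlsx/.xlsm); the diary does not say whether its samples were that or the older binary .xls, which would need olefile/oletools instead. The workbook built in the block is constructed with just the two parts the reader needs and is not one of the diary's 400 samples.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
T = "{%s}t" % NS["m"]
C = "{%s}c" % NS["m"]

# CONSTRUCTED sample parts. A real .xlsm has more ([Content_Types].xml, workbook.xml,
# vbaProject.bin, ...); only the two parts the reader needs are built here. The lure
# text sits in A1; the "data" the macro would read sits far down in row 200.
SST_XML = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<sst xmlns="%s"><si><t>Please enable macros to view the content</t></si>'
           '<si><t>http://</t></si><si><t>example.invalid/dl/update.exe</t></si></sst>' % NS["m"])
SHEET_XML = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<worksheet xmlns="%s"><sheetData>'
             '<row r="1"><c r="A1" t="s"><v>0</v></c></row>'
             '<row r="200"><c r="A200" t="s"><v>1</v></c><c r="B200" t="s"><v>2</v></c>'
             '<c r="C200" t="inlineStr"><is><t>C:\\Users\\Public\\svc.exe</t></is></c></row>'
             '</sheetData></worksheet>' % NS["m"])


def build_sample_xlsm():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/sharedStrings.xml", SST_XML)
        z.writestr("xl/worksheets/sheet1.xml", SHEET_XML)
    return buf.getvalue()


def _shared_strings(z):
    try:
        root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    except KeyError:
        return []
    return ["".join(t.text or "" for t in si.iter(T)) for si in root.findall("m:si", NS)]


def cell_strings(xlsx_bytes):
    """{'sheet1.xml!A200': text, ...} for every string-valued cell on every sheet,
    read straight from the OOXML parts: Excel is never started and no macro runs."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        sst = _shared_strings(z)
        for part in z.namelist():
            if not re.fullmatch(r"xl/worksheets/sheet\d+\.xml", part):
                continue
            sheet = part.rsplit("/", 1)[-1]
            for c in ET.fromstring(z.read(part)).iter(C):
                kind, ref = c.get("t"), c.get("r")
                v = c.find("m:v", NS)
                if kind == "s" and v is not None:          # shared-string reference
                    text = sst[int(v.text)]
                elif kind == "inlineStr":                  # string stored in the cell
                    text = "".join(t.text or "" for t in c.iter(T))
                elif kind == "str" and v is not None:      # cached formula result
                    text = v.text or ""
                else:
                    continue
                if text:
                    out[f"{sheet}!{ref}"] = text
    return out


_SUSPECT = re.compile(r"https?://|\.(?:exe|dll|scr|hta|js|vbs|ps1)\b|[A-Za-z]:\\|\\\\", re.I)


def suspicious_rows(cells):
    """Join each row's cells in column order (as a macro concatenating them would)
    and return {'sheet!row': joined} for rows that look like a download/exec recipe."""
    rows = {}
    for loc, text in cells.items():
        sheet, ref = loc.split("!")
        col, row = re.match(r"([A-Z]+)(\d+)", ref).groups()
        rows.setdefault((sheet, int(row)), []).append((len(col), col, text))
    flagged = {}
    for (sheet, row), items in rows.items():
        joined = "".join(t for _, _, t in sorted(items))
        if _SUSPECT.search(joined):
            flagged[f"{sheet}!{row}"] = joined
    return flagged


if __name__ == "__main__":
    cells = cell_strings(build_sample_xlsm())
    for loc, text in cells.items():
        print(loc, repr(text))
    print("flagged:", suspicious_rows(cells))
```

Two caveats the diary's "white text on white background" remark points at: this dump ignores formatting entirely, which is the point (hidden rows, hidden sheets and white-on-white text all come out the same), but it will not see values a macro builds from numbers via Chr() or from defined names, so pair it with olevba's output when the cells look clean.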
Fake 'Payment Receipt' SPAM
FYI...
Fake 'Payment Receipt' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/the-r...eipts-malspam/
21 Apr 2017 - "... an email with the subject of 'Payment Receipt 2724' or something similar pretending to come from random companies with a pdf attachment containing an embedded malicious word macro enabled doc which will download an encrypted txt file that is -transformed- into the Locky ransomware file redchip2.exe... Some of the subjects include (all have random numbers):
Receipt 435
Payment Receipt 2724
Payment-2677
Payment Receipt_739
Payment#229
Screenshot: https://myonlinesecurity.co.uk/wp-co...nt-Receipt.png
P2724.pdf - Current Virus total detections 9/57*. Payload Security** shows it drops an embedded macro enabled word doc (VirusTotal 12/59***) ... which downloads from
sherwoodbusiness .com/9yg65 which is an encrypted-text-file that is converted-by-the-macro to redchip2.exe
(Payload Security[4]) (VirusTotal 6/62[5]). There are loads of other download locations for the encrypted txt file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1492775465/
** https://www.reverse.it/sample/d6aa22...ironmentId=100
Contacted Hosts
216.117.141.38
*** https://www.virustotal.com/en/file/5...is/1492775793/
4] https://www.reverse.it/sample/4ebc12...ironmentId=100
5] https://www.virustotal.com/en/file/4...is/1492775821/
redchip2.exe
sherwoodbusiness .com: 216.117.141.38: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/35...a0d3/analysis/
Embedded docs in PDF files can infect you
> https://myonlinesecurity.co.uk/embed...ly-infect-you/
22 Apr 2017
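For the "PDF with an embedded macro doc" pattern in these Locky runs, the fastest first check at the gateway or on the analyst box is a keyword count over the raw PDF, which is what Didier Stevens' pdfid does. The block below is an added example (mine, not the blog's or pdfid itself) of that idea in plain Python: it counts the names that matter (/EmbeddedFile, /JavaScript, /JS, /OpenAction, /AA, /Launch), first undoing the #xx hex escapes PDF allows inside names so that /J#61vaScript is not missed, and only matches whole name tokens so /JS does not fire on /JSX. The sample PDF is constructed: it is a minimal catalog with an embedded file named after the dropped document in the next post and an open action calling exportDataObject, the Acrobat JavaScript call that extracts and launches an attachment; it is not the campaign's PDF. The one important blind spot, flagged by the /ObjStm count, is that keywords inside compressed object streams are invisible to a raw scan and need a parser that inflates streams (pdf-parser, peepdf).

```python
import re

PDF_KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                b"/EmbeddedFile", b"/EmbeddedFiles", b"/ObjStm", b"/AcroForm", b"/XFA"]

_DELIM = rb"\s/\[\]<>(){}%"                 # characters that end a PDF name token
_NAME = re.compile(rb"/[^" + _DELIM + rb"]*")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

# CONSTRUCTED sample: a minimal PDF whose open action runs JavaScript that exports
# and launches an embedded file. The name 744951.doc is the dropped document the
# next post reports; the rest is invented for the demo and is not the real sample.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
    b"/Names << /EmbeddedFiles << /Names [(744951.doc) 5 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (this.exportDataObject({cName:'744951.doc', nLaunch:2});) >> endobj\n"
    b"5 0 obj << /Type /Filespec /F (744951.doc) /EF << /F 6 0 R >> >> endobj\n"
    b"6 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def normalize_names(data):
    """Undo #xx escapes inside name tokens so /J#61vaScript counts as /JavaScript."""
    def fix(m):
        return _HEX.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return _NAME.sub(fix, data)


def pdf_keyword_counts(data):
    """{keyword: occurrences} over the raw bytes, matching whole name tokens only."""
    norm = normalize_names(data)
    return {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![^" + _DELIM + rb"])", norm))
            for kw in PDF_KEYWORDS}


def pdf_verdict(data):
    """Human-readable reasons to treat the file as hostile; empty list means nothing seen."""
    c = pdf_keyword_counts(data)
    reasons = []
    if c["/EmbeddedFile"] or c["/EmbeddedFiles"]:
        reasons.append("carries an embedded file")
    if c["/JavaScript"] or c["/JS"]:
        reasons.append("contains JavaScript")
    if c["/OpenAction"] or c["/AA"]:
        reasons.append("runs an action automatically on open")
    if c["/Launch"]:
        reasons.append("has a Launch action")
    if c["/ObjStm"]:
        reasons.append("uses object streams (keywords may be hidden in compressed data)")
    return reasons


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for k, v in pdf_keyword_counts(data).items():
        print(f"{k:16} {v}")
    print("verdict:", pdf_verdict(data) or "nothing suspicious in the raw bytes")
```

A PDF that both embeds a file and carries JavaScript or an OpenAction is exactly the shape of these Locky carriers and deserves quarantine regardless of what the AV count says; Reader still prompts before the export, but the SANS note's mitigation (disable JavaScript in Reader) removes the prompt from the equation.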
Fake 'Scan Data' SPAM, Interpol: 9,000 infected servers in SE Asia
FYI...
Fake 'Scan Data' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky...cro-word-docs/
24 Apr 2017 - "... another mass malspam onslaught with 2 separate emails with the subject of 'Scan Data' or '12345678.pdf' (random numbers) pretending to come from random email addresses at your-own-email-domain with a PDF attachment that contains an embedded malicious word doc with macros that delivers Locky ransomware... See HERE[1] for safe settings to stop these from working...
1] https://myonlinesecurity.co.uk/embed...ly-infect-you/
Screenshot: https://myonlinesecurity.co.uk/wp-co...data-locky.png
Scan_066379.pdf - Current Virus total detections 13/55*. Payload Security** - drops 744951.doc
(Virustotal 12/57***) - (Payload Security[4]) shows a download from
http ://dorsetcountymaintenance .co.uk/87tgyu which is converted by the macro to redchip2.exe
(VirusTotal 10/59[5]) (Payload Security [6])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1493033052/
** https://www.reverse.it/sample/3abc2b...ironmentId=100
Contacted Hosts
188.65.115.102
*** https://www.virustotal.com/en/file/a...is/1493033505/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
188.65.115.102
5] https://www.virustotal.com/en/file/c...is/1493034283/
redchip2.exe
6] https://www.hybrid-analysis.com/samp...ironmentId=100
dorsetcountymaintenance .co.uk: 188.65.115.102: https://www.virustotal.com/en/ip-add...2/information/
> https://www.virustotal.com/en/url/10...4a1e/analysis/
___
Locky ransomware comeback - Necurs botnet
- https://www.helpnetsecurity.com/2017.../locky-necurs/
April 24, 2017 - "The Necurs botnet has, once again, begun pushing Locky ransomware on unsuspecting victims:
> https://www.helpnetsecurity.com/imag...curs-locky.jpg
The botnet, which flip-flops from sending penny stock pump-and-dump emails to booby-trapped files that lead to malware (usually Locky or Dridex), has been spotted slinging thousands upon thousands of emails in the last three or four days*...
* http://blog.talosintelligence.com/20...ns-necurs.html
... In the first part of the spam campaign, the emails contain no text except in the Subject line, which simply says 'Receipt' or 'Payment', followed by random numbers. Those numbers are seen again in the name of the attached PDF file... Later, the emails were made to look like they contained a scanned image in PDF format... In both cases, the attached PDF contains embedded Word documents with macros... there is currently no way to decrypt the files without paying the ransom..."
- https://isc.sans.edu/diary.html?storyid=22334
2017-04-23 - "... The PDF contains JavaScript to extract the malicious Word document and launch Word. The user is prompted before this action takes place, but if you want to mitigate this, you can -disable- JavaScript. If you use Adobe Reader version 15.009.20069 or later, then the extracted Word document is marked with a mark-of-web, regardless of whether the containing PDF document is marked as such:
> https://isc.sans.edu/diaryimages/ima...304-014929.png
... After applying Microsoft's patch for CVE-2017-0199, a downloaded HTA is no longer executed, but it is -still- downloaded without user interaction..."
Cisco - Threat Outbreak Alerts
> https://tools.cisco.com/security/cen...ing.x#~Threats
April 24, 2017 - Email Messages Distributing Malicious Software...
Locky has reemerged - borrowing attack techniques from Dridex
- http://www.zdnet.com/article/the-god...ier-than-ever/
April 24, 2017
___
Interpol finds nearly 9,000 infected servers in SE Asia
- http://www.reuters.com/article/us-si...-idUSKBN17Q1BT
Apr 24, 2017 - "An anti-cybercrime operation by Interpol and investigators from seven southeast Asian nations revealed nearly 9,000 malware-laden servers and hundreds of compromised websites in the ASEAN region, Interpol said on Monday. Various types of malware, such as that targeting financial institutions, spreading ransomware, launching Distributed Denial of Service (DDoS) attacks and distributing spam were among the threats posed by the infected servers, the operation showed... Experts from seven private firms also participated in the operation run out of the Singapore-based Interpol Global Complex for Innovation (IGCI), with China providing some cyber intelligence, the international police body said on its website*...
* https://www.interpol.int/News-and-me...2017/N2017-051
DDoS attacks have always been among the most common on the Internet, making use of hijacked and virus-infected computers to target websites until they can no longer cope with the scale of data requested. The operation also identified nearly 270 websites infected with a malware code, among them several government websites that may have contained citizens' personal data, Interpol added..."