Fake 'Scan', 'bank transactions' SPAM, SWIFT security, Dropbox hacked
FYI...
Fake 'Scan' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/sent-...ky-ransomware/
31 Aug 2016 - "... received a massive malspam run of an email with the subject of 'FW: [Scan] 2016-08-13 15:49:12' [random numbered] pretending to come from random senders at your own email domain or company with a zip attachment containing an encrypted HTA file... One of the emails looks like:
From: Bertha <Bertha34@ your own email domain>
Date: Wed 31/08/2016 06:14
Subject: FW: [Scan] 2016-08-13 15:49:12
Attachment: 2016-08-30 436 663 415.zip
From: “Bertha” <Bertha34@[REDACTED]>
Sent: 2016-08-13 15:49:12
To: [REDACTED]
Subject: [Scan] 2016-08-13 15:49:12
Sent with Genius Scan for iOS ...
31 August 2016: 2016-08-30 436 663 415.zip: Extracts to: Yd95ozed8.hta - Current Virus total detections 9/56*
.. Payload Security** shows a download of the usual Locky encrypted file from a list of embedded URLs in the decrypted HTA/JavaScript file which is converted to QXkcpj1.dll by the instructions inside the HTA/JavaScript (VirusTotal 19/56***)... This is another one of the files that unless you have "show known file extensions enabled", can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1472620428/
** https://www.reverse.it/sample/15cf22...ironmentId=100
*** https://www.virustotal.com/en/file/d...is/1472623964/
___
Fake 'bank transactions' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/attac...elivers-locky/
31 Aug 2016 - "... Locky continues with an email with the subject of 'bank transactions' coming from random senders, companies and email addresses with a random named zip attachment containing a JS file... One of the emails looks like:
From: Marlene Carrillo <Carrillo.170@ veloxzone. com.br>
Date: Wed 31/08/2016 07:35
Subject: bank transactions
Attachment: b231f370cf0.zip
Good morning gold.
Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.
Yours truly,
Marlene Carrillo
31 August 2016: b231f370cf0.zip: Extracts to: CC1BB558_bank_transactions.js - Current Virus total detections 3/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://www.instalacionesjosearteaga .com/s7yy5 | http ://enigmes4saisons.perso. sfr .fr/dilveh
http ://mambarambaro .ws/1m202 | http ://www.meta. metro .ru/uumr65 which gets transformed into the Locky ransomware by the script KzgOzqkkKOZ.dll (VirusTotal 7/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9...is/1472629007/
** https://malwr.com/analysis/ZDI1NjIzZ...c4OGI3NTk5MzU/
*** https://www.virustotal.com/en/file/e...is/1472629326/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
- http://blog.dynamoo.com/2016/08/malw...nsactions.html
31 Aug 2016 - "This -fake- financial spam comes with a malicious attachment:
From: Rueben Vazquez
Date: 31 August 2016 at 10:06
Subject: bank transactions
Good morning petrol.
Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.
Yours truly,
Rueben Vazquez
The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js ... According to the Malwr report of these three samples [1] [2] [3] the scripts download... Each one of those samples drops a -different- DLL... these phone home to:
95.85.19.195/data/info.php [hostname: vps-110831.freedomain .in .ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers .com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl .ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq .pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably the Locky ransomware.
Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24 "
1] https://malwr.com/analysis/YzQyYzA2N...k0ZmVmZjE5Mzg/
2] https://malwr.com/analysis/YTVhMjg2N...RmNWEwZDFjY2E/
3] https://malwr.com/analysis/ZjM5YTNhO...ViOWM4YTNmOTQ/
___
Fake 'flight tickets' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/i-am-...elivers-locky/
31 Aug 2016 - "This latest Locky ransomware malspam is a little bit more believable than some recent attempts and might actually fool a few recipients. An email with the subject of 'flight tickets' pretending to come from random companies, senders and email addresses with a random name zip attachment containing a JavaScript file... One of the emails looks like:
From: Wallace Hampton <Hampton.7365@writers-india.com>
Date: Wed 31/08/2016 18:37
Subject: flight tickets
Attachment: 4e0302044044.zip
Good evening admin.
I am sending you the flight tickets for your business conference abroad next month.
Please see the attached and note the date and time.
Respectfully,
Wallace Hampton
31 August 2016: 4e0302044044.zip: Extracts to: CE14A812_flight_tickets.js - Current Virus total detections 3/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://roger.pierrieau.perso. sfr .fr/68d8ti | http ://virmalw .name/31fwt4cs
http ://simo62.web. fc2 .com/yywcdpbu | http ://www.francogatta .it/npoa0lzw which is converted to a working Locky ransomware file & autorun by the script 20mrgwO23alMfJvj.dll (VirusTotal 8/58***). Payload Security[4]...
This is another one of the files that unless you have "show known file extensions enabled", can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...is/1472665164/
** https://malwr.com/analysis/Y2U2MmYxO...Q2OWU2N2VmOGQ/
*** https://www.virustotal.com/en/file/5...is/1472665518/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
___
SWIFT discloses more cyber thefts, pressures banks on security
- http://www.reuters.com/article/us-cy...-idUSKCN11600C
Aug 31, 2016 - "SWIFT, the global financial messaging system, on Tuesday disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February's high-profile $81 million heist at Bangladesh Bank. In a private letter to clients, SWIFT said that new cyber-theft attempts - some of them successful - have surfaced since June, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank... The disclosure suggests that cyber thieves may have ramped up their efforts following the Bangladesh Bank heist, and that they specifically targeted banks with lax security procedures for SWIFT-enabled transfers... A SWIFT spokeswoman declined to elaborate on the recently uncovered incidents or the security issues detailed in the letter, saying the firm does not discuss affairs of specific customers. All the victims shared one thing in common: Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers, according to the letter. Accounts of the attack on Bangladesh Bank suggest that weak security procedures there made it easier to hack into computers used to send SWIFT messages requesting large money transfers. The bank lacked a firewall and used second-hand, $10 electronic switches to network those computers, according to the Bangladesh police..."
___
Hacks steal account details for 60M Dropbox Users
- https://it.slashdot.org/story/16/08/...-dropbox-users
Aug 31, 2016 - "Hackers have stolen over 60 million account details for online cloud storage platform Dropbox. Although the accounts were stolen during a previously disclosed breach, and Dropbox says it has already forced password resets, it was not known how many users had been affected, and only now is the true extent of the hack coming to light. Motherboard* obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community. In all, the four files total in at around 5GB, and contain details on 68,680,741 accounts..."
* https://motherboard.vice.com/read/ha...opbox-accounts
:fear::fear: :mad:
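The hidden-extension trick described in the posts above (a .js, .wsf or .hta inside a small ZIP, sometimes padded to look like a document, as in the "pdf~.js" name quoted later in this thread) can be caught at the mail gateway from member names alone. This is an added example for this thread, not code from myonlinesecurity, dynamoo or any other quoted source; the ZIP samples are constructed in memory using attachment names quoted in the posts, the file contents are dummy bytes, and the extension sets are my own choice.

```python
"""Name-based triage of ZIP e-mail attachments of the kind reported in this
thread. Nothing in the archive is executed or even extracted; the verdict uses
member names and counts only. Added example, not from the quoted blogs."""
import io
import re
import zipfile

# Extensions that Windows hands straight to a script host or mshta when double-clicked
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".hta", ".vbs", ".vbe"}
# Macro-capable Office formats, including the Publisher case from the ISC diary
MACRO_EXTS = {".docm", ".xlsm", ".pub"}
# Extensions a user reads as "harmless document" when the real one is hidden
DECOY_EXTS = {"pdf", "doc", "docx", "jpg", "gif", "png", "tif", "img"}


def real_extension(name: str) -> str:
    """Return the last extension, lower-cased: '.js' for 'x. pdf~.js'."""
    m = re.search(r"\.([A-Za-z0-9]+)$", name.strip())
    return "." + m.group(1).lower() if m else ""


def has_decoy_extension(name: str) -> bool:
    """True when a document-looking extension precedes the real one, allowing
    the space and '~' padding used to push '.js' out of the visible column."""
    stem = name.strip()
    ext = real_extension(stem)
    if not ext:
        return False
    stem = stem[: -len(ext)]
    stem = re.sub(r"[\s~_\-.]+$", "", stem)          # drop trailing padding
    m = re.search(r"\.\s*([A-Za-z0-9]+)$", stem)
    return bool(m) and m.group(1).lower() in DECOY_EXTS


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP attachment; returns verdict 'block', 'review' or 'allow'
    together with the reasons and the member names seen."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return {"verdict": "review", "reasons": ["not a valid zip"], "members": []}

    for n in names:
        ext = real_extension(n)
        if ext in SCRIPT_EXTS:
            reasons.append(f"{n}: script file ({ext}) inside archive")
        elif ext in MACRO_EXTS:
            reasons.append(f"{n}: macro-capable document ({ext})")
        if has_decoy_extension(n):
            reasons.append(f"{n}: decoy document extension before the real one")

    # Several posts mention two identical .JS files in one archive
    exts = {real_extension(n) for n in names}
    if len(names) > 1 and len(exts) == 1 and exts.pop() in SCRIPT_EXTS:
        reasons.append("archive holds multiple copies of the same script type")

    if any("script file" in r or "macro-capable" in r for r in reasons):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons, "members": names}


def make_zip(members: dict) -> bytes:
    """Build a ZIP in memory from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: attachment and member names quoted in the thread, dummy contents
SAMPLES = {
    "fe1afed4aa6f.zip": make_zip({"August_invoice 2AAB15F0. pdf~.js": b"// dummy"}),
    "ea00ba32a5.zip": make_zip({"Travel_expense_sheet_E492D6CB.js": b"// dummy",
                                "Travel_expense_sheet_E492D6CB(1).js": b"// dummy"}),
    "26889.zip": make_zip({"W64pP.wsf": b"<job/>"}),
    "benign.zip": make_zip({"quarterly_report.pdf": b"%PDF-1.4 dummy"}),
}

if __name__ == "__main__":
    for attachment, blob in SAMPLES.items():
        result = triage_zip(blob)
        print(f"{attachment}: {result['verdict']}")
        for r in result["reasons"]:
            print("   -", r)
```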
Fake 'Shipping info', 'invoice', 'Travel expense sheet' SPAM, Cerber - Malvertising
FYI...
Fake 'Shipping info' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/our-s...elivers-locky/
1 Sep 2016 - "... the Locky onslaught continues with ever increasing frequency and complexity. The first of today’s Malspam is an email with the subject of 'Shipping information' coming from random names, companies and email addresses with a random named zip attachment containing a heavily obfuscated/encrypted JavaScript file... One of the emails looks like:
From: Celina Mccarty <Mccarty.8737@ spebs .com>
Date: Thu 01/09/2016 09:12
Subject: Shipping information
Attachment: 2020f266fc.zip
Dear customer,
Our shipping service is sending the order form due to the request from your company.
Please fill the attached form with precise information.
Very truly yours,
Celina Mccarty
1 September 2016: 2020f266fc.zip: Extracts to: 91CF4D63_shipping_service.js - Current Virus total detections 4/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://www.oltransservice .org/wxyig4v | http ://kreativmanagement.homepage. t-online .de/anlaok1d
http ://mambarambaro .ws/1zvqoqf which is transformed by the script to naXFQvt9.dll (VirusTotal 11/58***)
Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1472717463/
** https://malwr.com/analysis/Mjg1YzAyN...QwY2JmNWIwOGM/
Hosts
213.205.40.169
192.99.111.28
80.150.6.138
*** https://www.virustotal.com/en/file/3...is/1472718234/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
- http://blog.dynamoo.com/2016/09/malw...ervice-is.html
1 Sep 2016 - "This -fake- shipping email comes with a malicious attachment:
Subject: Shipping information
From: Charles Burgess
Date: Thursday, 1 September 2016, 9:30
Dear customer,
Our shipping service is sending the order form due to the request from your company.
Please fill the attached form with precise information.
Very truly yours,
Charles Burgess
The sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and ending with _shipping_service.js. Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):
Between those four reports, there are three -different- DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis* shows the malware phoning home to:
5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx .pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably Locky ransomware.
Recommended blocklist:
5.34.183.211
212.109.192.235
188.127.249.0/24
91.223.180.0/24 "
1] https://malwr.com/analysis/MzA5NTllN...lhYjlhNDQ0YjA/
Hosts
82.165.58.83
192.99.111.28
208.71.106.37
2] https://malwr.com/analysis/Nzg4YTM0O...NhZDJjMTUxNTE/
Hosts
82.197.131.109
158.69.147.88
95.211.144.65
3] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
82.165.58.83
4] https://www.hybrid-analysis.com/samp...ironmentId=100
5] https://virustotal.com/en/file/59bd7...is/1472720135/
6] https://virustotal.com/en/file/03f50...is/1472720153/
7] https://virustotal.com/en/file/cd8a2...8380/analysis/
* https://www.hybrid-analysis.com/samp...ironmentId=100
___
Fake 'invoice' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malw...-attached.html
1 Sep 2016 - "This spam has a malicious attachment. It appears to come from the sender themselves, but this is just a trivial forgery.
Subject: Please find attached invoice no: 329218
From: victim@ victimdomain .tld
To: victim@ victimdomain .tld
Date: Thursday, 1 September 2016, 12:42
Attached is a Print Manager form.
Format = Portable Document Format File (PDF)
Disclaimer ...
Attached is a ZIP file containing a malicious .wsf script. According to my usual source (thank you!) the scripts download... The payload appears to be Locky ransomware... This is similar to the list here*.
Recommended blocklist:
5.34.183.211
212.109.192.235
95.85.19.195
188.127.249.0/24
91.223.180.0/24 "
* http://blog.dynamoo.com/2016/09/malw...ervice-is.html
1 Sep 2016
___
Fake 'Travel expense sheet' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/trave...elivers-locky/
1 Sep 2016 - "... never ending series of Locky downloaders is an email with the subject of 'Travel expense sheet' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Hilario Walton <Walton.571@ afirstclassmove .com>
Date: Thu 01/09/2016 19:22
Subject: Travel expense sheet
Attachment: ea00ba32a5.zip
Dear karen,
Here is the travel expense sheet for your upcoming company field trip. Please write down the approximate costs in the attachment.
Warm wishes,
Hilario Walton
1 September 2016: ea00ba32a5.zip: Extracts to: Travel_expense_sheet_E492D6CB.js - Current Virus total detections 6/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://www .cortesidesign .com/v1vmxyj | http ://www .aktion-zukunft-gestalten .info/hfgo3x
http ://portadeenrolar .ind.br/rbfr26 | http ://timetobuymlw .in/57h8t6it which is transformed by the script to rg4V0yhh8iC.dll (VirusTotal 21/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1472753839/
** https://malwr.com/analysis/YTU5OWRkM...ZkYjY3MTE0MDI/
*** https://www.virustotal.com/en/file/1...is/1472755942/
___
Cerber dropped via Malvertising
- http://blog.trendmicro.com/trendlabs...-malvertising/
Aug 31, 2016 - "... The latest version of Cerber had functions found in earlier versions like the use of voice mechanism as part of its social engineering tactics. Similar to previous variants, Cerber 3.0 is dropped by the Magnitude and Rig exploit kits. Users are typically -redirected- to these exploit kit servers via ads appearing in a pop-up window after clicking a video to play. This ultimately leads to the download of Cerber. While this malvertisment campaign has affected several countries already, the attack is heavily concentrated in Taiwan. And although this malvertising campaign has been running for months, it was only now that it dropped Cerber 3.0 as its payload. In the case of Magnitude, a simple redirect script was used. Rig, on the other hand, opened a website in the background that contained a screenshot of legitimate US clothing shopping sites, perhaps to make the ad look less suspicious... Cerber demands 1.24 BTC (~US$523, as of March 4, 2016) and gave affected entities seven days. Cerber 3.0 asks for 1 BTC right away, but if the user waits more than five days the ransom doubles to 2 BTC:
> https://blog.trendmicro.com/trendlab...erber-v3-3.png
... The most fundamental defense against ransomware is still backing up. With proper backups in place, organizations need not worry about any data loss that may be incurred. At the very least, important files should be backed up on a regular basis. Practice the 3-2-1 rule wherein 3 copies are stored in two different devices, and another one to a safe location. A good defense against malvertising (and exploit kits in general) is to keep the software in use up-to-date with all security patches. This will reduce the risk against a wide variety of attacks, not just ransomware. This includes both the operating system and any applications in use. A security solution that can proactively provide defense against attacks targeting vulnerabilities in the system’s software is also recommended..."
:fear::fear: :mad:
Fake 'old office facilities', 'Scanned image', 'Body content empty/blank' SPAM
FYI...
Fake 'old office facilities' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malw...acilities.html
2 Sep 2016 - "This spam has a malicious attachment:
Subject: old office facilities
From: Kimberly Snow (Snow.741@ niqueladosbestreu .com)
Date: Friday, 2 September 2016, 8:55
Hi Corina,
Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
Best wishes,
Kimberly Snow
The name of the sender will vary. Attached is a ZIP file with a random hexadecimal number, containing a malicious .js script beginning with office_facilities_ plus another random hexadecimal number. Analysis is pending, but this Malwr report* indicates attempted communications to:
malwinstall .wang
sopranolady7 .wang
..both apparently hosted on 66.85.27.250 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.
UPDATE 1: According to this Malwr report** it drops a DLL with a detection rate of 10/58***. Also those mysterious .wang domains appear to be multihomed on the following IPs:
23.95.106.195 (New Wave NetConnect, US)
45.59.114.100 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
66.85.27.250 (Crowncloud, US)
104.36.80.104 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
107.161.158.122 (Net3, US)
158.69.147.88 (OVH, Canada)
192.99.111.28 (OVH, Canada)
Recommended blocklist:
23.95.106.195
45.59.114.100
66.85.27.250
104.36.80.104
107.161.158.122
158.69.147.88
192.99.111.28 "
* https://malwr.com/analysis/OGI2NWI3Z...A3YWRkMzZmNGE/
Hosts
66.85.27.250
23.95.106.195
** https://malwr.com/analysis/OTA3MDk3Z...BhM2I4MTE0OTE/
Hosts
66.85.27.250
23.95.106.195
*** https://virustotal.com/en/file/9dc5a...c5c7/analysis/
VQpnPCqe.dll
- https://myonlinesecurity.co.uk/old-o...elivers-locky/
2 Sep 2016 - "... series of Locky downloaders is an email with the subject of 'old office facilities' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Angelina Nielsen <Nielsen.83382@ parklawnsprinklers .com>
Date: Fri 02/09/2016 08:27
Subject: old office facilities
Attachment: 1fade4423b3a.zip
Hi Chasity,
Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
Best wishes,
Angelina Nielsen
2 September 2016: 1fade4423b3a.zip: Extracts to: office_facilities_059AB2E9.js - Current Virus total detections 8/56*
.. MALWR** shows a download of an encrypted file from http ://malwinstall .wang/ezr08tjd which is transformed by the script to VQpnPCqe.dll (VirusTotal 10/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1472801143/
** https://malwr.com/analysis/MzJkY2EzN...g4OGVhMzAyMDQ/
Hosts
23.95.106.195
66.85.27.250
*** https://www.virustotal.com/en/file/9...is/1472801991/
___
Fake 'Scanned image' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malw...mage-from.html
2 Sep 2016 - "This -fake- document scan appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a malicious Word document.
Subject: Scanned image from MX2310U@ victimdomain .tld
From: office@victimdomain.tld (office@ victimdomain .tld)
To: webmaster@victimdomain.tld;
Date: Friday, 2 September 2016, 2:29
Reply to: office@ victimdomain .tld [office@ victimdomain .tld]
Device Name: MX2310U@victimdomain.tld
Device Model: MX-2310U
Location: Reception
File Format: PDF MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned image in PDF format.
Use Acrobat(R)Reader(R) ...
Attached is a .DOCM file with a filename consisting of the recipients's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component... The payload is Locky ransomware, phoning home to:
212.109.192.235/data/info.php [hostname: take. ru .com] (JSC Server, Russia)
149.154.152.108/data/info.php [hostname: 407.AT.multiservers .xyz] (EDIS, Austria)
Recommended blocklist:
212.109.192.235
149.154.152.108 "
___
Fake 'Body content empty/blank' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/blank...s-locky-zepto/
2 Sep 2016 - "... Locky/Zepto downloaders... empty/blank email with the subject random numbers and either .jpg, gif, pdf, img, docx, tif, png etc. coming as usual from random names @ icloud .com with a random named zip attachment that is named the -same- as the numbers in the subject line containing a wsf file... One of the emails looks like:
From: Alejandra_6526@ icloud .com
Date: Fri 02/09/2016 12:27
Subject: 26889jpg
Attachment: 26889.zip
Body content: Empty/blank
2 September 2016: 26889.zip: Extracts to: W64pP.wsf - Current Virus total detections 8/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://maxshoppppsr .biz/js/y54g3tr?NxMSERb=asaGYkQ | http ://illaghettodelcircoletto .it/flkekqs?NxMSERb=asaGYkQ
http ://vimp.hi2 .ro/xqbqjyn?NxMSERb=asaGYkQ which is transformed by the script to vTFEncqFbOk1.dll (VirusTotal 5/58***)
All of them contact the C2 centre http ://149.154.152.108 /data/info.php to get & store the encryption key that is used to encrypt your files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1472815578/
** https://malwr.com/analysis/YzJkMzM2M...ljNjI1ODBjNTY/
*** https://www.virustotal.com/en/file/8...is/1472817060/
___
Bogus Windows error site - for iPad
- https://blog.malwarebytes.com/cyberc...ndows-fakeout/
2 Sep 2016 - "... The bogus error site is located at:
ipad-error-9023(dot)com
Given the URL, you’d expect to see some sort of iPad related shenanigans taking place – an interesting twist on the well worn theme of tech-support-scams. Who needs Windows desktops when you can go after the tablet market, right? Unfortunately for our scammers, it all goes a bit wrong in terms of being convincing with that whole iPad URL thing. Let me count the ways... text reads as follows:
Windows Security Error !
Your Hard drive will be DELETED if you close this page
You have a ZEUS virus! Please call Support Now!
Call Now to Report This Threat.
Do not Click ‘OK’ button below, doing so will start the hacking process.
... 'didn’t put much thought into this whole iPad thing, did they?...
> https://blog.malwarebytes.com/wp-con...al-dialogs.jpg
... a “prevent additional dialog” message from the browser? I’m guessing my PC hasn’t exploded yet. Maybe if I close the box and then hit the OK button:
> https://blog.malwarebytes.com/wp-con...age-locked.jpg
... While the attempted fakeout up above isn’t one of the best ones we’ve seen, there are plenty out there which succeed in their attempts at convincing device owners that they have a problem. From there, phone calls to “tech support” and payments to have the non-existent virus cleaned up are only a hop, step and jump away. If you think you may have been targeted by such scams – or just want to avoid such antics in the future – feel free to give our guide to Tech Support Scams* a read. It could well save you time and money – and a lot of increasingly infuriating phone calls..."
* https://blog.malwarebytes.com/tech-support-scams/
ipad-error-9023(dot)com: 107.180.21.58: https://www.virustotal.com/en/ip-add...8/information/
>> https://www.virustotal.com/en/url/15...5616/analysis/
:fear::fear: :mad:
Fake 'Credit card receipt', 'Malware in .pub files' SPAM
FYI...
Fake 'Credit card receipt' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/we-ar...ft-netmsg-dll/
5 Sep 2016 - "... series of Locky downloaders is an email with the subject of 'Credit card receipt' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
From: Wilda Hayden <Hayden.80411@ monicamatthews .com>
Date: Mon 05/09/2016 08:29
Subject: Credit card receipt
Attachment: 6aec8732b803.zip
Dear mrilw,
We are sending you the credit card receipt from yesterday. Please match the card number and amount.
Sincerely yours,
Wilda Hayden
Account manager
5 September 2016: 6aec8732b803.zip: Extracts to: credit_card_receipt_9F44E80E.js - Current Virus total detections 6/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://darkestzone2 .wang/1i0i75gq | http ://canonsupervideo4k .ws/1bcpr7xx
.. which is transformed by the script to aXZnmnI3ES.dll (VirusTotal 9/57***). This is also downloading the genuine Microsoft netmsg.dll in an attempt to confuse antiviruses and researchers... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1473060526/
** https://malwr.com/analysis/YTU5OWRkM...ZkYjY3MTE0MDI/
*** https://www.virustotal.com/en/file/3...is/1473062169/
- http://blog.dynamoo.com/2016/09/malw...ou-credit.html
5 Sep 2016 - "This -fake- financial spam has a malicious attachment:
From: Tamika Good
Date: 5 September 2016 at 08:43
Subject: Credit card receipt
Dear [redacted],
We are sending you the credit card receipt from yesterday. Please match the card number and amount.
Sincerely yours,
Tamika Good
Account manager
The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_
A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:
canonsupervideo4k .ws/1bcpr7xx
This appears to be multihomed on the following IP addresses:
23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary) ...
Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57*. These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:
91.211.119.71/data/info.php [hostname: data .ru .com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt .pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
The payload is probably Locky ransomware.
Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55 "
1] https://malwr.com/analysis/MjA4OWI5O...lhYzZlNGExZjg/
Hosts
107.173.176.4
2] https://malwr.com/analysis/NjNjMTIyN...IyOTk2MDcyNTk/
Hosts
23.95.106.206
107.173.176.4
3] https://malwr.com/analysis/MTZmNjgyM...M1NjY0MGNlYWE/
Hosts
107.173.176.4
* https://virustotal.com/en/file/3068b...c2f6/analysis/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
5] https://www.hybrid-analysis.com/samp...ironmentId=100
6] https://www.hybrid-analysis.com/samp...ironmentId=100
___
Malware in '.pub files' SPAM
- https://isc.sans.edu/diary.html?storyid=21443
2016-09-05 - "While searching for new scenarios to deliver their malware[1][2], attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher[3] (.pub) files. The tool Publisher is less known than Word or Excel. This desktop publishing tool was released in 1991 (version 1.0) but it is still alive and included in the newest Office suite. It is not surprising that it also supports macros. By using .pub files, attackers make one step forward because potential victims don't know the extension ".pub" (which can be interpreted as "public" or "publicity" and make the document less suspicious). Spam filters do -not- block this type of file extension. Finally, researchers are also impacted because their sandbox environments do not have Publisher installed by default, making the sample impossible to analyze! A sample of a malicious .pub file is already available on VT[4] with a low detection score (5/55). Stay safe!"
[1] https://isc.sans.edu/forums/diary/Vo...somware/21397/
[2] https://isc.sans.edu/forums/diary/To...pt+File/21423/
[3] https://products.office.com/en/publisher
[4] https://www.virustotal.com/en/file/2...37fd/analysis/
:fear::fear: :mad:
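Every dynamoo post quoted in this thread reports the same check-in URI, <host>/data/info.php, requested from either a bare IP address or a throwaway .pw domain, and closes with a recommended blocklist. The following is an added example, not code from dynamoo or any other quoted source: it applies both signals to proxy-log lines. The blocklist entries and destination hosts are taken from the posts above; the log format and the log lines themselves are constructed.

```python
"""Flag proxy-log requests that match the Locky check-in pattern reported in
this thread. Added example; log format and sample lines are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Check-in hosts and CIDR ranges from the recommended blocklists quoted above
BLOCKLIST = [
    "95.85.19.195", "138.201.191.196", "188.127.249.0/24", "91.223.180.0/24",
    "5.34.183.211", "212.109.192.235", "149.154.152.108",
    "91.211.119.71", "158.255.6.109", "185.154.15.150", "185.162.8.101",
    "188.120.232.55",
]
BLOCK_NETS = [ipaddress.ip_network(e, strict=False) for e in BLOCKLIST]

# The check-in path is identical in every report
CHECKIN_PATH = "/data/info.php"
# Throwaway TLDs seen on the check-in and download hosts in the posts
THROWAWAY_TLDS = {"pw", "wang", "ws"}

# Constructed log format: "<time> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def host_in_blocklist(host: str) -> bool:
    """True if host is an IP literal covered by a blocklist entry or range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False            # hostnames are covered by the URI check below
    return any(addr in net for net in BLOCK_NETS)


def classify(url: str) -> list:
    """Return the reasons a request looks like a check-in; empty list = clean."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host_in_blocklist(host):
        reasons.append(f"destination {host} is on the blocklist")
    if parts.path == CHECKIN_PATH:
        is_ip_literal = host.replace(".", "").isdigit()
        tld = host.rsplit(".", 1)[-1] if "." in host else ""
        if is_ip_literal:
            reasons.append("check-in URI /data/info.php requested from a bare IP address")
        elif tld in THROWAWAY_TLDS:
            reasons.append(f"check-in URI /data/info.php on throwaway .{tld} domain")
        else:
            # Path alone on an ordinary hostname: lower confidence, still worth a look
            reasons.append("check-in URI /data/info.php")
    return reasons


def scan_log(lines) -> list:
    """Parse log lines and return (client, url, reasons) for every hit."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m.group("url"))
        if reasons:
            alerts.append((m.group("client"), m.group("url"), reasons))
    return alerts


# Constructed sample lines; the destinations are hosts named in the posts above
SAMPLE_LOG = """\
2016-09-05T08:51:02Z 10.1.4.22 POST http://188.127.249.203/data/info.php 200
2016-09-05T08:51:03Z 10.1.4.22 POST http://cufrmjsomasgdciq.pw/data/info.php 200
2016-09-05T08:52:10Z 10.1.4.22 GET http://www.example.com/index.html 200
2016-09-05T08:53:44Z 10.1.7.9 POST http://149.154.152.108/data/info.php 200
2016-09-05T08:54:01Z 10.1.7.9 GET http://intranet.example.com/data/info.php 200
""".splitlines()

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}")
        for r in reasons:
            print("   -", r)
```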
Fake 'Invoice', 'August invoice', 'Message.. scanner', 'Suspected Purchases' SPAM
FYI...
Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/invoi...elivers-locky/
6 Sep 2016 - "... series of Locky downloaders... an email with the subject of 'Invoice INV0000385774' (random numbers) coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file... One of the emails looks like:
From: Earlene conyers <Earlene859@ pickledlizards .com>
Date: Tue 06/09/2016 10:27
Subject: INV0000385774
Attachment: ea00ba32a5.zip
Please find our invoice attached.
6 September 2016: Invoice_INV0000385774.zip: Extracts to: 14Tf5zYWx67.wsf - Current Virus total detections 6/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://around4percent.web .fc2 .com/j8fn3rg3?jXRJazVGV=TBojQIxnjJC
http ://zse2 .pl/j8fn3rg3?jXRJazVGV=TBojQIxnjJC | http ://marcotormento .de/j8fn3rg3?jXRJazVGV=TBojQIxnjJC
which is transformed by the script to pfRMaJgsGEL1.exe (VirusTotal 4/58***) which according to MALWR[4] creates/downloads/ drops another encrypted file... Payload Security reports [5] [6]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1472753839/
** https://malwr.com/analysis/MjI1MzM4Y...BkNzFhOTgyNWM/
14Tf5zYWx67.wsf
*** https://www.virustotal.com/en/file/a...is/1473154258/
4] https://malwr.com/analysis/OTNjNjQ1O...BiZDk3MWJlMmI/
pfRMaJgsGEL1.exe
Hosts
66.85.27.108
13.107.4.50
216.126.225.149
5] https://www.reverse.it/sample/e586ae...ironmentId=100
14Tf5zYWx67.wsf
Contacted Hosts
216.239.120.224
208.71.106.48
66.85.27.108
216.126.225.149
6] https://www.reverse.it/sample/adc7cc...ironmentId=100
pfRMaJgsGEL1.exe
Contacted Hosts
66.85.27.108
___
Fake 'August invoice' SPAM - Locky
- https://myonlinesecurity.co.uk/xxxx-...pears-to-fail/
6 Sep 2016 - "... next in the never ending series of Locky downloaders is an email with the subject of 'August invoice' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Douglas Holmes <Holmes.850@ redbridgeconcern .org>
Date: Tue 06/09/2016 09:50
Subject: August invoice
Attachment: fe1afed4aa6f.zip
Hello montag, Brigitte asked me to send you invoice for August. Please look over the attachment and make a payment ASAP.
Best Regards,
Douglas Holmes
6 September 2016: fe1afed4aa6f.zip: Extracts to: August_invoice 2AAB15F0. pdf~.js - Current Virus total detections 4/56*
..Update: it looks like Payload security** have tweaked their system and managed to bypass the protection elements in today’s Locky and are now finding & getting the payloads... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1473151857/
** https://www.reverse.it/sample/078909...ironmentId=100
___
Fake 'Message.. scanner' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/messa...elivers-locky/
6 Sep 2016 - "... Locky downloaders.. email with the subject of 'Message from “CUKPR0959703”' pretending to come from scanner @ your own email domain with a random named zip attachment based on today's date containing a WSF file... One of the emails looks like:
From: scanner@ ...
Date: Tue 06/09/2016 16:11
Subject: Message from “CUKPR0959703”
Attachment: 20160906221127.zip
This E-mail was sent from “CUKPR0959703” (Aficio MP C305).
Scan Date: Tue, 06 Sep 2016 22:11:27 +0700
Queries to: <scanner@ ...
6 September 2016: 20160906221127.zip: Extracts to: 18YrNk1xk28.wsf - Current Virus total detections 16/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
http ://www.alpstaxi .co .jp/j8fn3rg3?IxurVQb=sHiOGcukdY
http ://zui9reica.web .fc2 .com/j8fn3rg3?IxurVQb=sHiOGcukdY
which is transformed by the script to mUExMjQPwmL1.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1473175613/
** https://malwr.com/analysis/Njk1YjRlN...IzYjFkNGJiOTI/
Hosts
208.71.106.45
216.126.225.149
8.254.207.14
211.134.181.38
___
Fake 'Suspected Purchases' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/suspe...elivers-locky/
6 Sep 2016 - "... Locky downloaders... email with the subject of 'Suspected Purchases' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files starting with random characters and then Suspected_Purchases_PDF.js ... One of the emails looks like:
From: Alyssa English <English.55@ heritagehomebuyers .net>
Date: Thu 01/09/2016 19:22
Subject: Suspected Purchases
Attachment: 3adec1d16a7e.zip
Dear enrico,
We have suspected irregular purchases from the company’s account.
Please take a look at the attached account balance to see the purchase history.
Best Regards,
Alyssa English
Support Manager
6 September 2016: 3adec1d16a7e.zip: Extracts to: FAAD4310 Suspected_Purchases_PDF.js - Current Virus total detections 3/55*. MALWR** shows a download of an encrypted file from one of these locations:
http ://canonsupervideo4k .ws/2sye3alf
http ://virmalw .name/uw2vyhpd
http ://tradesmartcoin .xyz/rwevvv3a
which is transformed by the script to 4fWrgKKcG.dll (VirusTotal 9/58***). This also downloads the genuine Microsoft netmsg.dll... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c...is/1473179859/
** https://malwr.com/analysis/YWRjYjM0O...YzMTFiMWFiNjU/
Hosts
51.255.227.230
185.101.218.49
107.173.176.24
*** https://www.virustotal.com/en/file/0...is/1473180787/
___
Paypal - PHISH
- https://myonlinesecurity.co.uk/your-...qued-phishing/
6 Sep 2016 - "... daily -phishing- emails trying to steal your PayPal account. This one is worth mentioning because of the bad spelling and grammar that proves this does not come from an English speaking criminal. The original email looks like this:
Screenshot: https://myonlinesecurity.co.uk/wp-co...d-1024x563.png
From: no-reply@ paypal .com
Date: Tue 06/09/2016 14:59
Subject: Your PayPal access bloqued

Dear Customer,
Your account is temporarily suspended.
We are working to protect our users against fraud!
Your account has been selected for verification, we need to confirm that you are the real owner of this account
To conclude the recovery of his account and service interruption card with number 4*** **** **** ****..
Please consider that if you do not confirm your data now, we are forced to lock this account for your protection
Must follow two steps, in case you have any questions during the execution of this process can be supported support team .
Confirm account NAW
Regards,
Eduard Swards
The link behind 'confirm account NAW' goes to a well-known -phishing- site, which has been reported so many times..
http ://paypal-securidad .com/informations/l/l/Index/
This one wants your personal details, your Paypal account log in details and your credit card and bank details..."
paypal-securidad .com: 192.185.128.24: https://www.virustotal.com/en/ip-add...4/information/
>> https://www.virustotal.com/en/url/9b...59e6/analysis/
:fear::fear: :mad:
Fake 'Agreement form', 'Invoice', 'Free sports player' SPAM
FYI...
Fake 'Agreement form' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/agree...eads-to-locky/
7 Sep 2016 - "... series of Locky downloaders... email with the subject of 'Agreement form' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Staci Cruz <Cruz.5000@ stluc-esa-bxl .org>
Date: Wed 07/09/2016 09:06
Subject: Agreement form
Attachment: 23ad34e21057.zip
Hi there,
[ random name] assigned you to make the payment agreement for the new coming employees.
Here is the agreement form. Please finish it urgently.
Best Regards,
Staci Cruz
Support Manager
7 September 2016: 23ad34e21057.zip: Extracts to: C3AB68A4 agreement_form_doc.js - Current Virus total detections 3/56*
.. MALWR** was unable to get any downloads but shows connections to
tradesmartcoin .xyz 216.244.68.195
virmalw .name 51.255.227.230
listofbuyersus .co .in
brothermalw .ws
Payload Security analysis*** which took an extremely long time (unusually) also doesn’t show any direct downloads or files. This is likely to mean that the Locky gang are using an ever more restrictive anti-analysis protection. Payload did detect some more unusually apt-named domains. Contacted Domains: tradesmartcoin .xyz, listofbuyersus .co.in, malwinstall .wang, brothermalw .ws, virmalw .name
Contacted Hosts: 216.244.68.195, 51.255.227.230 ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1473235341/
** https://malwr.com/analysis/M2QzMjJiN...Y0ZDQ5MWUzZjk/
Hosts
51.255.227.230
216.244.68.195
*** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
216.244.68.195
51.255.227.230
- http://blog.dynamoo.com/2016/09/malw...-probably.html
7 Sep 2016 - "This -fake- financial spam leads to malware:
Subject: Agreement form
From: Marlin Gibson
Date: Wednesday, 7 September 2016, 9:35
Hi there,
Roberta assigned you to make the payment agreement for the new coming employees.
Here is the agreement form. Please finish it urgently.
Best Regards,
Marlin Gibson
Support Manager
The name of the sender will vary. Attached is a ZIP file named with a random hexadecimal sequence, containing a malicious .JS script ending with agreement_form_doc.js and in the sample I saw there was also a duplicate..
308F92BC agreement_form_doc - 1.js
308F92BC agreement_form_doc.js
Automated analysis [1] [2] shows that the scripts... attempt to download a binary from one of the following locations:
donttouchmybaseline .ws/ecf2k1o
canonsupervideo4k .ws/afeb6
malwinstall .wang/fsdglygf
listofbuyersus .co .in/epzugs
Of those locations, only the first three resolve, as follows:
donttouchmybaseline .ws 216.244.68.195 (Wowrack, US)
canonsupervideo4k .ws 51.255.227.230 (OVH, France / Kitdos)
malwinstall .wang 51.255.227.230 (OVH, France / Kitdos) ...
The following presumably evil sites are also hosted on those IPs: ...
Currently I am unable to work out the C2 locations for the malware, which is probably Locky ransomware. In the meantime, I recommend you block: ..."
1] https://malwr.com/analysis/MjE5MmNhY...ZlMTc5Yzk0NTE/
Hosts
216.244.68.195
51.255.227.230
2] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
51.255.227.230
216.244.68.195
'UPDATE: My trusted source (thank you) says that it phones home to the following IPs and URLs: ...
In -addition- to the IPs listed above, I also recommend blocking: ...'
___
Fake 'Invoice' SPAM - JS malware attachment
- https://myonlinesecurity.co.uk/invoi...igned-malware/
7 Sep 2016 - "An email with the subject of 'Invoice 00014904; From CHALICE GOLD MINES LIMITED' [random numbered] pretending to come from CHALICE GOLD MINES LIMITED <AccountRight@ appsmyob .com> with a link in the email body to download a zip file containing a .JS file. The .js file downloads a digitally signed .exe file...
Screenshot: https://myonlinesecurity.co.uk/wp-co...D-1024x647.png
7 September 2016: 00014904.zip: Extracts to: 00014904.js - Current Virus total detections 2/55*
.. Payload Security** shows a download from littlelionstudio .com/images/LLS-Landing-Image2.jpg which is actually a -renamed- .exe file which gets copied to 2 other file names and locations on the victim computer (VirusTotal 6/57***) | Payload Security[4]
This file is digitally signed with a valid signature so Windows will allow it to run without alerts from SmartScreen or other security software:
> https://myonlinesecurity.co.uk/wp-co...1-1024x713.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1473221665/
** https://www.hybrid-analysis.com/samp...ironmentId=100
*** https://www.virustotal.com/en/file/0...is/1473215063/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
___
Fake 'Free sports player' SPAM - delivers malware via hta files
- https://myonlinesecurity.co.uk/free-...via-hta-files/
7 Sep 2016 - "... I have seen 3 distinct subject lines:
****Dont’t miss this fantastic free sport media player****
**** You wished you had this sport media player sooner****
Amazing**** Free “Sport media Player”**
All the emails come from Splayer XXXXX where XXXX can be team, company, player, command, online or any other similar word. The rest of the email address is -spoofed- and random...
Screenshot: https://myonlinesecurity.co.uk/wp-co....-1024x556.png
... I have only found 3 base domains that contain the downloads, with hundreds of different random named folders and player versions. Each version appears to have a slightly different .hta file inside the zip and a strong warning should be given that they are using an unusual method of zipping the hta file so it extracts to computer-root and possibly/probably -autoruns- when you double click the zip:
http ://splayering .pw/download/ziefmz8dgi7/splayer-rc10.zip
http ://softship .online/download/6243onsblfasbatsr/splayer-rc21.zip
http ://itgnome .online/download/bm437mgs37khxmfzdivv/splayer-rc1.zip
> https://myonlinesecurity.co.uk/wp-co...ip_warning.png
... analysed 1 version of the .hta file so far but I am sure all the others will give similar results.
7 September 2016: splayer-rc10.zip: Extracts to: splayer.hta - Current Virus total detections 2/56*
.. Payload Security** shows a download from splayeracy .online/50d5fdc6-7ed5-4272-b148-fcade183219e/splayer.bin (VirusTotal 16/58***). Payload Security[4] shows this is using the same file, file names & behaviour that was described in THIS post[5], which looks like some sort of password stealer and backdoor trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1473198884/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
192.3.150.197
*** https://www.virustotal.com/en/file/d...is/1473199782/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
5] https://myonlinesecurity.co.uk/invoi...igned-malware/
splayering .pw: 192.3.150.197: https://www.virustotal.com/en/ip-add...7/information/
>> https://www.virustotal.com/en/url/bb...761e/analysis/
softship .online: 192.3.150.197: https://www.virustotal.com/en/ip-add...7/information/
>> https://www.virustotal.com/en/url/e2...44b3/analysis/
itgnome .online: 192.3.150.197: https://www.virustotal.com/en/ip-add...7/information/
>> https://www.virustotal.com/en/url/e2...44b3/analysis/
// … as of 9/8/2016.
:fear::fear: :mad:
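The sports-player post above warns about a zip built so that its .hta lands in the computer root, and several other posts in this thread describe zips holding two identical scripts, or script names padded with a document word (PDF, xls, doc) before the real extension. The following is an added example, not code from myonlinesecurity or from this thread: a mail-gateway style inspection of a zip's entry names and checksums, run against a constructed archive whose entry names are modelled on those reports (the contents are harmless placeholders).

```python
import io
import re
import zipfile

# Script and executable types the posts in this thread found inside malspam zips.
EXEC_EXTENSIONS = {".js", ".jse", ".wsf", ".hta", ".vbs", ".exe", ".dll", ".pub"}
# Document words used inside file names to make a script look like a harmless file.
DECOY_WORDS = {"pdf", "doc", "xls", "jpg", "wav"}


def escapes_extraction_dir(name):
    """True for an entry name that would be written outside the extraction directory
    (absolute path, drive letter, or a '..' component)."""
    parts = re.split(r"[\\/]", name)
    return (name.startswith(("/", "\\"))
            or ".." in parts
            or re.match(r"^[A-Za-z]:", name) is not None)


def decoy_words_in(stem):
    """Document words found when the name stem is split on spaces, dots, '_', '~' and '-'."""
    return DECOY_WORDS.intersection(re.split(r"[\s._~-]+", stem.lower()))


def check_zip_entries(data):
    """Inspect a zip given as bytes and return a list of (entry_name, finding)."""
    findings = []
    seen = {}  # (CRC, size) -> first entry with that content, to spot duplicate payloads
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            stem, dot, ext = name.lower().rpartition(".")
            ext = dot + ext if dot else ""
            if escapes_extraction_dir(name):
                findings.append((name, "path escapes extraction directory"))
            if ext in EXEC_EXTENSIONS:
                findings.append((name, "executable content " + ext))
                decoys = decoy_words_in(stem)
                if decoys:
                    findings.append((name, "decoy document word in name: " + ",".join(sorted(decoys))))
            if info.is_dir():
                continue
            key = (info.CRC, info.file_size)
            if key in seen:
                findings.append((name, "identical payload to " + seen[key]))
            else:
                seen[key] = name
    return findings


def build_sample_zip():
    """Constructed sample archive: entry names mirror the reports, contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        script = b"// constructed placeholder, not a real downloader\n"
        zf.writestr("FAAD4310 Suspected_Purchases_PDF.js", script)
        zf.writestr("FAAD4310 Suspected_Purchases_PDF - 1.js", script)  # the duplicate copy
        # An entry stored with an absolute name, as in the splayer zip warning above.
        zf.writestr(zipfile.ZipInfo("/splayer.hta"), b"<html><!-- placeholder --></html>")
        zf.writestr("readme.txt", b"harmless text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, finding in check_zip_entries(build_sample_zip()):
        print(entry, "->", finding)
```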
Fake 'voice mail', 'Lloyds Banking' SPAM, Malvertising w/EK's
FYI...
Fake 'voice mail' SPAM - Locky
- http://blog.dynamoo.com/2016/09/malw...new-voice.html
8 Sep 2016 - "This spam appears to come from within the victim's own domain; it has a malicious attachment. The telephone number referred to will vary.
Subject: [Vigor2820 Series] New voice mail message from 01427087154 on 2016/09/08 15:14:54
From: voicemail@ victimdomain .tld (voicemail@ victimdomain .tld)
To: webmaster@ victimdomain .tld
Date: Thursday, 8 September 2016, 13:15
Dear webmaster :
There is a message for you from 01427087154, on 2016/09/08 15:14:54 .
You might want to check it when you get a chance.Thanks!
Attached is a ZIP file with a name in the format Message_from_01427087154.wav.zip which contains a randomly-named and malicious .wsf script. My trusted source (thank you) says that the various versions of the script download from one of the following locations: ...
Each URL has a random query string appended (e.g. ?abcdEfgh=ZYXwvu). Unusually, this version of -Locky- does not seem to have C2 servers so blocking it will involve blocking all the URLs listed above -or- you could monitor for the string g76gyui in your logs.
UPDATE: the Hybrid Analysis of the script can be found here[1]."
1] https://www.hybrid-analysis.com/samp...ironmentId=100
___
Fake 'Lloyds Banking' SPAM - .doc malware
- https://myonlinesecurity.co.uk/lloyd...ivers-malware/
8 Sep 2016 - "An email with the subject of 'Lloyds Banking Group encrypted email' pretending to come from GRP Lloydsbank Tech <info@ lloydsbanking52 .us> with a malicious Word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... A little bit of digging around tells us that lloydsbanking52 .us was registered about 2 weeks ago...
Screenshot: https://myonlinesecurity.co.uk/wp-co...l-1024x775.png
8 September 2016: PGPMessage04834838.doc - Current Virus total detections 4/56*
.. Payload Security didn’t find any sites to download the malware.. a manual analysis & de-obfuscation of the macro (original on Pastebin**) shows a download from http ://aclawgroup .com .au/2.zip which gives 2.exe (VirusTotal 1/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it...
Update: I am being told it is a smoke loader AKA Dofoil[1] which will eventually download another banking Trojan."
1] https://blog.malwarebytes.com/threat...n-still-alive/
* https://www.virustotal.com/en/file/5...is/1473344346/
** http://pastebin.com/ZuRM9iaN
*** https://www.virustotal.com/en/file/f...is/1473344266/
aclawgroup .com .au: 50.87.145.150: https://www.virustotal.com/en/ip-add...0/information/
>> https://www.virustotal.com/en/url/4e...5872/analysis/
___
Quick look at recent malvertising exploit chains
- https://www.zscaler.com/blogs/resear...exploit-chains
Sep 7, 2016 - "... during our daily exploit kit (EK) tracking, we have been seeing some changes in both RIG and Sundown EKs. We recently encountered a malvertising chain serving both EKs on subsequent visits, and decided to compile a quick look at these cases:
Graph showing the malvertising chains
> https://cdn-3.zscaler.com/cdn/farfut...sing-graph.PNG
... they quickly integrated the exploit into the more typical Sundown landing page format. In a more recent episode, Trustwave's Spiderlabs spotted the addition of a fingerprinting code*, however we have not seen this feature in our captured cycles, so the operators may have opted for the simpler, non-fingerprinted landing page since then...
* https://www.trustwave.com/Resources/...ay-to-the-Top/
... In the wake of both Angler and Nuclear disappearing, RIG has taken a dominant position in the EK landscape. The RIG operators appear content, however, to iterate more slowly, with changes to the EK itself happening less frequently. That said, RIG EK authors have now made noticeable changes to the landing page structure... At this point, it's clear that the exploit kit landscape has been thoroughly shaken up since the disappearance of Angler and Nuclear (as we have covered in our round-ups and other EK-related blogs). This small update is meant to give a quick look at the latest techniques and trends used by RIG and Sundown. We will continue to monitor the situation, and provide updates to the community as usual."
(More detail at the zscaler blogs URL at the top.)
:fear::fear: :mad:
Fake 'Order Confirmation', 'MS acct sign-in', 'Documents Requested' SPAM
FYI...
Fake 'Order Confirmation' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/order...elivers-locky/
9 Sep 2016 - "... Locky downloaders... an email with the subject of 'Order Confirmation 9226435' [random number] coming as usual from random companies, names and email addresses with a random named zip attachment containing an HTA file... One of the emails looks like:
From: Meagan carnochan <Meagan4@ insightsundertwo .com>
Date: Fri 09/09/2016 09:01
Subject: Order Confirmation 9226435
Attachment: Ord9226435.dzip extracts to 2015jozE.hta
This message is intended only for the individual or entity to which it is
addressed and may contain information that is private and confidential. If
you are not the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication and its
attachments is strictly prohibited.
9 September 2016: Ord9226435.dzip: Extracts to: 2015jozE.hta - Current Virus total detections 5/55*
.. Payload Security** shows a download of an encrypted file from walkerandhall .co .uk/7832ghd?TtrISozIzi=CemUQBnTyeQ
which is transformed by the script to a working locky version. Unfortunately Payload security isn’t showing the converted /decrypted file amongst the downloads although the screenshots definitely show locky... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1473408597/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
5.10.105.44
52.32.150.180
93.184.220.29
54.192.203.56
- http://blog.dynamoo.com/2016/09/malw...ion-xxxxx.html
9 Sep 2016 - "This -fake- financial spam leads to malware:
From: Ignacio le neve
Date: 9 September 2016 at 10:31
Subject: Order Confirmation 355050211
--
This message is intended only for the individual or entity to which it is
addressed and may contain information that is private and confidential. If
you are not the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication and its
attachments is strictly prohibited.
The name of the sender and the reference number will vary. Attached is a file named consistently with the reference (e.g. Ord355050211.zip) but an error in the MIME formatting means that this may save with a .dzip ending instead of .zip. Contained within the ZIP file is a malicious .HTA script with a random name... This simply appears to be an encapsulated Javascript... my trusted source (thank you) says that the various scripts download from...
(many random URLs listed at the dynamoo URL above)...
The URL is appended with a randomised query string (e.g. ?abcdEfgh=ZYXwvu). The payload Locky ransomware has an MD5 of 5db5fc57ee4ad0e603f96cd9b7ef048a ...
This version of Locky does not use C2s, so if you want to block traffic then I recommend using the list above -or- monitoring/blocking access attempts with 7832ghd in the string.
UPDATE: The Hybrid Analysis* of one of the scripts does not add much except to confirm that this is ransomware."
* https://www.hybrid-analysis.com/samp...ironmentId=100
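Both dynamoo posts above suggest watching logs for the fixed download path (g76gyui in the voice-mail run, 7832ghd in the Order Confirmation run) because these Locky builds had no C2 to block. The following is an added example, not code from either blog or from this thread: it runs that check over a constructed proxy log (assumed layout "time client method url status") and also generalises it to the reported shape of a short alphanumeric path followed by an all-letter key=value query, which is weaker evidence and is reported as a separate reason for review.

```python
import re
from urllib.parse import urlsplit

# Fixed download paths named in the two posts above: Locky runs with no C2,
# served from many compromised sites under one path with a random query string.
KNOWN_PATH_TOKENS = frozenset({"g76gyui", "7832ghd"})

# Generalisation of the reported shape "/<token>?<Alpha>=<Alpha>":
# a 6-10 character path mixing letters and digits, then an all-letter key=value query.
TOKEN_PATH_RE = re.compile(r"(?=.*\d)(?=.*[a-z])[a-z0-9]{6,10}")
ALPHA_QUERY_RE = re.compile(r"[A-Za-z]{4,}=[A-Za-z]{4,}")

# Assumed proxy log layout (constructed for this example): "<time> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_url(url):
    """Return why a URL looks like the reported downloader traffic, or None."""
    parts = urlsplit(url)
    path = parts.path.strip("/")
    if path in KNOWN_PATH_TOKENS:
        return "known download path " + path
    if TOKEN_PATH_RE.fullmatch(path) and ALPHA_QUERY_RE.fullmatch(parts.query):
        return "token path with alphabetic key=value query"
    return None


def scan_proxy_log(lines):
    """Return a list of (client, url, reason) for matching lines; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify_url(m.group("url"))
        if reason:
            hits.append((m.group("client"), m.group("url"), reason))
    return hits


# Constructed log lines: hosts are placeholders, the paths and query strings are the
# shapes quoted in the posts above.
SAMPLE_LOG = """\
2016-09-08T13:20:01Z 10.0.0.15 GET http://news.example.com/ 200
2016-09-08T13:20:09Z 10.0.0.15 GET http://compromised-a.example/g76gyui?abcdEfgh=ZYXwvu 200
2016-09-09T10:35:12Z 10.0.0.22 GET http://compromised-b.example/7832ghd?TtrISozIzi=CemUQBnTyeQ 200
2016-09-09T10:36:40Z 10.0.0.31 GET http://cdn.example.com/app.js?version=1234 200
2016-09-09T10:41:03Z 10.0.0.40 GET http://compromised-c.example/j8fn3rg3?jXRJazVGV=TBojQIxnjJC 200
2016-09-09T10:42:15Z 10.0.0.40 GET http://shop.example.com/about?lang=enus 200
"""

if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(client, url, reason)
```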
___
Fake 'MS account - Unusual sign-in activity' malspam using JSE - delivers Locky
- https://myonlinesecurity.co.uk/micro...elivers-locky/
9 Sep 2016 - "... this being used to spread Locky ransomware is a step in the wrong direction. This sort of email ALWAYS catches out the unwary. To make it even worse a JSE file is an encoded/encrypted JScript file that runs in the computer properly but is unreadable to humans (looks like garbled text) and because of the garbled text the majority of antiviruses do -not- see it as a threat. JScript is a Microsoft specific interpretation of JavaScript. They use email addresses and subjects that will entice a user to read the email and open the attachment. Locky tries new techniques on a small scale to “test the waters” - we have seen several similar small scale attacks this week. They will use the results & returns from them to tweak and refine the techniques before mass malspamming them...
Screenshot: https://myonlinesecurity.co.uk/wp-co...y-1024x414.png
9 September 2016: 24549.zip: Extracts to: 24549.jse - Current Virus total detections 3/56*
.. Payload Security** shows a download from sonysoftn .top/log.php?f=3.bin which gave me log.exe (VirusTotal 20/57***).
Payload Security[4]. Many antiviruses are only detecting this malware heuristically (generic detections based on the NSIS packer used to create it). All indications suggest that it is a new variant of Locky ransomware. The IP numbers and sites it contacts have been used this week in other Locky ransomware versions. The problems are coming in the anti-analysis protections that Locky appear to have built-in to the new version of their horrifically proliferate ransomware, although Payload Security does show screenshots of a Locky ransomware file. NOTE: For some weird reason screenshots and images on Payload Security are -not- showing up in Internet Explorer, although they do in Chrome and Firefox... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1473349038/
** https://www.reverse.it/sample/0adc7a...ironmentId=100
*** https://www.virustotal.com/en/file/6...is/1473398861/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
___
Fake 'Documents Requested' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/pleas...elivers-locky/
9 Sep 2016 - "... Locky downloaders... an email with the subject of 'Documents Requested' or 'FW: Documents Requested' pretending to come from a random name at your own email domain or company with a zip file named either Untitled(6).zip or newdoc(1).zip containing a HTA file (random numbers)... One of the emails looks like:
From: random name at your own email domain or company
Date: Fri 09/09/2016 14:03
Subject: FW:Documents Requested
Attachment: Untitled(6).zip
Dear addy,
Please find attached documents as requested.
Best Regards,
Gilbert
9 September 2016: Untitled(6).zip: Extracts to: 2809tib.hta - Current Virus total detections 6/58*
.. Payload Security** shows a download of an encrypted file from stylecode .co .in/7832ghd?KQWbOiH=QuwOGqnGpyL
which is transformed by the script to UcyxmkpQ1.dll (VirusTotal 21/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1473420208/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
43.242.215.197
50.112.202.19
93.184.220.29
54.192.13.29
*** https://www.virustotal.com/en/file/1...is/1472755942/
:fear::fear: :mad:
Fake 'Budget report' SPAM, Bank SMS Phish
FYI...
Fake 'Budget report' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malw...-leads-to.html
12 Sep 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Lauri Gibbs
Date: 12 September 2016 at 15:11
Subject: Budget report
Hi [redacted],
I have partially finished the last month's budget report you asked me to do. Please add miscellaneous expenses in the budget.
With many thanks,
Lauri Gibbs
Attached is a randomly-named ZIP file which in the sample I saw contained two identical malicious scripts:
921FA0B8 Budget_report_xls - 1.js
921FA0B8 Budget_report_xls.js
The scripts are highly obfuscated however the Hybrid Analysis* and Malwr report** show that it downloads a component from:
lookbookinghotels .ws/a9sgrrak
trybttr .ws/h71qizc
These are hosted on a New Wave Netconnect IP at 23.95.106.223. This forms part of a block 23.95.106.128/25 which also contained Locky download locations at two other locations [1] [2] which rather makes me think that the whole range should be blocked. A DLL is dropped with a detection rate of about 8/57*** [3] [4] which appears to phone home to:
... Recommended minimum blocklist: ..."
* https://www.hybrid-analysis.com/samp...ironmentId=100
** https://malwr.com/analysis/M2M4NzY4M...YzZTFkODlmODM/
Hosts
23.95.106.223
1] http://blog.dynamoo.com/2016/09/malw...ou-credit.html
2] http://blog.dynamoo.com/2016/09/malw...acilities.html
*** https://virustotal.com/en/file/76438...is/1473694538/
3] https://virustotal.com/en/file/76438...is/1473694538/
4] https://virustotal.com/en/file/a7c5d...is/1473694540/
___
Avoid: BofA, Wells Fargo - SMS Phishing
- https://blog.malwarebytes.com/cyberc...-sms-phishing/
Sep 12, 2016 - "It always pays to be cautious where -unsolicited- text messages are concerned, as conniving phishers don’t always stick to the tried and tested route of email scams. For example, here’s two random texts sent out to one of our burner phones:
> https://blog.malwarebytes.com/wp-con...bofa-phish.jpg
...
> https://blog.malwarebytes.com/wp-con...ells-phish.jpg
The targets here are customers of Bank of America and Wells Fargo. The messages read as follows:
BofA customer your account has been disabled!!!
Please read this readmybank0famerica.cipmsg-importantnewalertt(dot)com
I think I’d probably be faintly worried if my otherwise sober and business-like bank started sending out messages with more than two exclamation marks in a sentence, but even without that, observant recipients would notice they also added an extra “t” onto the end of “alert”. The other message reads as follows:
(wells fargo) important message from security department! Login
vigourinfo(dot)com/secure.well5farg0card(dot)html
The above URL -redirects- clickers to the below website:
denibrancheau(dot)com/drt/w311sfg0/
> https://blog.malwarebytes.com/wp-con...ls-phish-2.jpg
The phishers want a big slice of personal information, including name, DOB, driving license, social security number, mother’s maiden name, address, city, zipcode, card information, ATM PIN number, and even an email address.
All this, from a simple text... SMS phishing is not new, but it does snag a lot of victims. Random messages from your “bank” asking you to visit a link should be treated with suspicion, especially if those links ask you to login. Banks are certainly not the only target of SMS phishers, but they’re one of the more valuable bullseyes for scammers to sink their teeth into. Whether receiving messages by email, text, or phone, your logins are only as safe as you make them – don’t make it easy for bank phishers and delete that spam."
readmybank0famerica.cipmsg-importantnewalertt(dot)com: A temporary error occurred during the lookup...
vigourinfo(dot)com/secure.well5farg0card(dot)html: 166.62.26.11: https://www.virustotal.com/en/ip-add...1/information/
denibrancheau(dot)com/drt/w311sfg0/ : 173.236.178.135: https://www.virustotal.com/en/ip-add...5/information/
:fear::fear: :mad:
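As an added example (not from the quoted Malwarebytes post): a small Python checker that refangs the "(dot)" URLs above, undoes the digit-for-letter swaps the phishers used (bank0famerica, well5farg0, w311sfg0) and scores each URL token against a protected-brand list. The brand list, the homoglyph table and the 0.8 threshold are assumptions for this demo.

```python
import re
from difflib import SequenceMatcher

# Brand names to protect; constructed list for this demo (the two banks targeted above).
BRANDS = ("bankofamerica", "wellsfargo")

# Digit/symbol swaps seen in the phishing hosts above (bank0famerica, well5farg0, w311sfg0).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})

def refang(text: str) -> str:
    """Undo the '(dot)' / '[.]' / 'hxxp' defanging used in threat reports."""
    return text.replace("(dot)", ".").replace("[.]", ".").replace("hxxp", "http")

def tokens(url: str) -> list:
    """Split host and path into alphanumeric runs: 'a.com/x_y' -> ['a', 'com', 'x', 'y']."""
    return [t for t in re.split(r"[^A-Za-z0-9]+", url) if t]

def score(norm: str, brand: str) -> float:
    """Similarity of a normalized token to a brand: 1.0 for a substring hit,
    otherwise the best difflib ratio over windows the length of the brand."""
    if brand in norm:
        return 1.0
    w = len(brand)
    if len(norm) <= w:
        return SequenceMatcher(None, norm, brand).ratio()
    return max(SequenceMatcher(None, norm[i:i + w], brand).ratio()
               for i in range(len(norm) - w + 1))

def brand_matches(url: str, threshold: float = 0.8) -> list:
    """Return (token, brand, score) for each URL token that resembles a protected brand."""
    hits = []
    for tok in tokens(refang(url)):
        norm = tok.lower().translate(HOMOGLYPHS)   # w311sfg0 -> wellsfgo
        for brand in BRANDS:
            s = score(norm, brand)
            if s >= threshold:
                hits.append((tok, brand, round(s, 3)))
    return hits

if __name__ == "__main__":
    for u in ("readmybank0famerica.cipmsg-importantnewalertt(dot)com",
              "vigourinfo(dot)com/secure.well5farg0card(dot)html",
              "denibrancheau(dot)com/drt/w311sfg0/"):
        print(u, "->", brand_matches(u))
```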
Fake 'Tax invoice', 'Accounts Documentation', 'Equipment receipts' SPAM
FYI...
Fake 'Tax invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/tax-i...elivers-locky/
13 Sep 2016 - "... Locky downloaders... an email with the subject of 'Tax invoice' coming as usual from random companies, names and email addresses with a randomly named/numbered zip attachment containing 2 identical .WSF files. Payload Security* shows an error in the downloaded file so it might not actually deliver the Locky ransomware or it might be that it will not run on a sandbox or VM... One of the emails looks like:
From: Anne Fernandez <Fernandez.8581@ starfamilymedicine .com>
Date: Tue 13/09/2016 10:12
Subject: Tax invoice
Attachment: 1a45b45d76ed.zip
Dear Client,
Attached is the tax invoice of your company. Please do the payment in an urgent manner.
Best regards,
Anne Fernandez
13 September 2016: 1a45b45d76ed.zip: Extracts to: tax_invoice_scan PDF.316AA.wsf
Current Virus total detections 5/56**.. Payload Security shows a download of an encrypted file from smilehymy .com/f72gngb which is transformed by the script to c2BwHrtql2.dll (VirusTotal 9/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
** https://www.virustotal.com/en/file/3...is/1473758776/
*** https://www.virustotal.com/en/file/1...is/1473759502/
- http://blog.dynamoo.com/2016/09/malw...nvoice-of.html
13 Sep 2016 - "This -fake- financial spam leads to Locky ransomware:
Subject: Tax invoice
From: Kris Allison (Allison.5326@ resorts .com.mx)
Date: Tuesday, 13 September 2016, 11:22
Dear Client,
Attached is the tax invoice of your company. Please do the payment in an urgent manner.
Best regards,
Kris Allison
The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:
adzebur .com/dsd7gk [37.200.70.6] (Selectel Ltd, Russia)
duelrid .com/b9m1t [not resolving]
madaen .net/e3ib4f [143.95.252.28] (Athenix Inc, US)
morningaamu .com/6wdivzv [not resolving]
smilehm .com/f72gngb [not resolving]
The payload then phones home... Recommended blocklist:
"
___
Fake 'Accounts Documentation' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/accou...elivers-locky/
13 Sep 2016 - "... Locky downloaders... an email with the subject of 'Accounts Documentation – Invoices' pretending to come from CreditControl @ your own email domain with a randomly named zip attachment containing an .HTA file... One of the emails looks like:
From: CreditControl@...
Date: Tue 13/09/2016 10:22
Subject: Accounts Documentation – Invoices
Attachment: ~0166.zip
Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.
If you have any queries please do not hesitate to contact the Credit Controller who deals with your account.
Alternatively if you do not know the name of the Credit Controller you can contact us at:
CreditControl@...
Please do not reply to this E-mail as this is a forwarding address only.
13 September 2016: ~0166.zip: Extracts to: 22FrDra16.hta - Current Virus total detections 6/56*
.. Payload Security** shows a download of an encrypted file from goldenladywedding .com/vdG76VUY76rjnu?CHhjpz=zhXHhhwS which is transformed by the script to a working Locky ransomware (unfortunately Payload Security does not show or allow us to download the actual file)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1472753839/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
192.185.94.100
93.184.220.29
54.192.203.254
___
Fake 'Equipment receipts' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/equip...elivers-locky/
13 Sep 2016 - "... Locky downloaders... an email with the subject of 'Equipment receipts' coming as usual from random companies, names and email addresses with a randomly named zip attachment containing 2 identical .WSF files... One of the emails looks like:
From: Stacey Aguirre <Aguirre.535@ coopenet .com.ar>
Date: Tue 13/09/2016 17:36
Subject: Equipment receipts
Attachment: 5926f98c2d8d.zip
Good day hyperbolasmappera, Molly asked you to file the office equipment receipts.
Here is the photocopying equipment receipts purchased last week.
Please send him the complete file as soon as you finish.
Best regards,
Stacey Aguirre
13 September 2016: 5926f98c2d8d.zip: Extracts to: Equipment receipts 66BF9A.wsf - Current Virus total detections 5/55*
.. Payload Security** shows a download of an encrypted file from latexuchee .net/c4i03t which is transformed by the script to B6fKnUsSQfkrS.dll (VirusTotal 10/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1473785537/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
31.210.120.153
51.255.105.2
95.85.29.208
217.187.13.71
*** https://www.virustotal.com/en/file/a...is/1473786095/
:fear::fear: :mad:
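As an added defender-side example (not code from the quoted blogs): a Python triage routine for mail-gateway use that flags the attachment traits described in the Locky posts above, that is a script extension such as .wsf or .hta inside the zip, a document word like "PDF" placed in the name ahead of the real extension (as in "tax_invoice_scan PDF.316AA.wsf"), and two identical members. The extension and lure-word lists, the second member name and the stand-in script body are constructed for this demo.

```python
import hashlib
import io
import re
import zipfile

# Script/executable types seen in these campaigns (.wsf, .hta, .js) plus related
# Windows Script Host extensions; constructed list for this demo.
SCRIPT_EXTS = {".wsf", ".hta", ".js", ".jse", ".vbs", ".vbe", ".exe", ".scr", ".lnk"}
# Document words the lure names borrow ("... PDF.316AA.wsf"); constructed list.
LURE_WORDS = {"pdf", "doc", "docx", "xls", "jpg", "scan", "invoice", "receipt"}

def triage_zip(data: bytes) -> dict:
    """Return {member_name: [reasons]} for suspicious members of a zip attachment."""
    findings, seen = {}, {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, reasons = info.filename, []
            stem, dot, ext = name.rpartition(".")
            ext = "." + ext.lower() if dot else ""
            if ext in SCRIPT_EXTS:
                reasons.append(f"script/executable extension {ext}")
                # e.g. stem 'tax_invoice_scan PDF.316AA' -> words {tax, invoice, scan, pdf, aa}
                if set(re.findall(r"[a-z]+", stem.lower())) & LURE_WORDS:
                    reasons.append("document-like name masks script extension")
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            if digest in seen:          # the posts report two identical .WSF files per zip
                reasons.append(f"identical content to {seen[digest]}")
            else:
                seen[digest] = name
            if reasons:
                findings[name] = reasons
    return findings

def build_sample() -> bytes:
    """Constructed zip mimicking the 'Tax invoice' attachment layout (not the real sample)."""
    script = b"<job><script language='JScript'>/* constructed stand-in */</script></job>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tax_invoice_scan PDF.316AA.wsf", script)   # name from the post
        zf.writestr("tax_invoice_scan PDF.9C01F.wsf", script)   # second copy, constructed name
        zf.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()

if __name__ == "__main__":
    for member, why in triage_zip(build_sample()).items():
        print(member, "->", "; ".join(why))
```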