Fake 'Invoice', 'Receipt' SPAM
FYI...
Fake 'Invoice' SPAM - leads to malware/Trojan
- https://myonlinesecurity.co.uk/emote...oded-sections/
31 July 2017 - "Following on from THIS* -fake- invoice email is a -newer- version with a different word doc at the end of the link-in-the-email. Today’s email with the subject of 're: Invoice 622806' pretending to come from senders with a known connection to the recipient. The link-in-the-email leads to a malicious word doc that eventually delivers Emotet/Geodo banking Trojan...
* https://myonlinesecurity.co.uk/invoi...ivers-malware/
Screenshot: https://myonlinesecurity.co.uk/wp-co...ice-622806.png
ZDFRRI208.doc - Current Virus total detections 1/58[1]. Payload Security[2] doesn’t show any download... Twitter contacts Malwarehunterteam[3] and Antelox[4] have found some of the associated download urls and payload...
Theses word docs are using various tricks that make it difficult for the online sandboxes to decode/analyse, find the download sites and download the eventual payload. The url so far found is
http ://macsys.ca/ZQRZCy/ but... there are others.
1] https://www.virustotal.com/en/file/6...is/1501480309/
BNCKKK930.doc
2] https://www.hybrid-analysis.com/samp...ironmentId=100
3] https://twitter.com/malwrhunterteam/...13205047590913
4] https://twitter.com/Antelox/status/891914028246638592
Update: another contact[5] has found the complete list[5a] (pastebin[6])
http ://macsys .ca/ZQRZCy/ > 216.177.130.19
http ://paulplusa .com/jUiYKJFIuj/ > 216.97.239.25
http ://josephconst .com/cByNSVwsK/ > 67.228.48.40
http ://cs-skiluj.sanfre .eu/PSArDr/ > 185.5.98.24
http ://itdoctor .ca/jgaeQ/ > 67.205.112.177
5] https://twitter.com/phage_nz/status/891922001647894528
5a] https://twitter.com/phage_nz/status/891918128627597315
6] https://pastebin.com/Cdvat2Bp
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
> https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
207.210.245.164
___
Fake 'Receipt' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/more-...be-ransomware/
31 July 2017 - "... malware downloaders pretending to be a 'payment receipt' -or- a 'receipt' is an email with the subject of 'Receipt 21426' coming or pretending to come from donotreply@ random email addresses with a zip attachment containing a .vbs file that delivers globe ransomware. The zip name corresponds with the subject line. There are a mass of subject lines today. Some of the patterns include:
Receipt#83396
Receipt 21426
Payment-421
Payment Receipt 222
Payment Receipt#97481
Payment Receipt_8812
Receipt-351
Payment Receipt_03950 ...
One of the emails looks like:
From: donotreply@ blueprintrecruitment .co.uk
Date: Mon 31/07/2017 11:15
Subject: Receipt 21426
Attachment: P21426.zip
[Body content:]
Attached is the copy of your payment receipt.
P21426.zip: Extracts to: 20172.2017-07-31_75.20.68.vbs - Current Virus total detections 7/58*. Payload Security** shows a download of a txt file from
http ://koewege .de/98wugf56? > 81.169.145.77
which is simply renamed by the script to a random named .exe file (VirusTotal 14/64[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9...is/1501499651/
20172.2017-07-31_75.20.68.vbs
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.169.145.77
3] https://www.virustotal.com/en/file/a...is/1501501469/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Associated URLs: http ://okdomvrn .ru/98wugf56?
okdomvrn .ru: 92.53.96.9: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/7b...80ed/analysis/
:fear::fear: :mad:
Fake 'secure message' 'Voicemail' SPAM
FYI...
Fake 'secure message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoof...anking-trojan/
1 Aug 2017 - "An email with the subject of 'You have a new secure message waiting' pretending to come from Santander but actually coming from a look-alike-domain Santander <pleasedonotreply@ -santandersecuremessage- .com> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ge-waiting.png
SecureMessage.doc - Current Virus total detections 5/58* Payload Security** shows a download from
http ://lexpertpret .com/fr/nologo.png which of course is -not- an image file but a renamed .exe file that gets renamed to ywbltmn.exe and autorun (VirusTotal 16/63[3]) (Payload Security[4]). An alternative download location is
https ://hvsglobal .co.uk/image/nologo.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1501605462/
SecureMessage.doc
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
216.138.226.110
146.255.36.1
69.247.60.183
46.105.250.84
91.206.4.216
3] https://www.virustotal.com/en/file/1...is/1501604882/
ywbltmn.exe
4] https://www.hybrid-analysis.com/samp...ironmentId=100
lexpertpret .com: 216.138.226.110: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/7b...c217/analysis/
hvsglobal .co.uk: 192.185.37.229: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/9e...ea4b/analysis/
___
Fake 'Voicemail' SPAM - delivers Trojan
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
1 Aug 2017 - "... an email with the subject of 'Voicemail From 845-551-#### at 9:35AM' pretending to come from Microsoft Voice <MSVoice@ your own email domain> downloads Emotet banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...6-at-935AM.png
VM97358238_20170801.zip: Extracts to: VM9742814303_20170801.vbs Current Virus total detections 16/55*
Payload Security**. Manual analysis of the vbs file shows these download sites hardcoded in a base64 encoding with a bit of extra nonsense padding to try to hide them (there will be loads of other sites in other vbs files attached to a -different- version of this)
showyourdeal .com/JHghjHy6? > 143.95.99.159
89tg7gjkkhhprottity .com/af/JHghjHy6 > 91.214.114.154
mybutterhalf .com/JHghjHy6? > 208.91.198.170
dreamoneday .com/JHghjHy6? > 103.21.58.181
These are downloaded as txt files but are simply renamed .exe files (VirusTotal 16/55[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1480616575/
-6dt874p53077.js
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
82.211.96.24
91.201.41.145
31.41.47.50
46.8.29.155
52.34.245.108
54.240.162.137
3] https://www.virustotal.com/en/file/7...is/1480616575/
-6dt874p53077.js
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
82.211.96.24
91.201.41.145
31.41.47.50
46.8.29.155
52.34.245.108
54.240.162.137
Update: it appears that this is more likely to be Globeimposter ransomware* not Emotet. It looks like I was mislead by initial detections on VirusTotal and the delivery method.
* https://twitter.com/VK_Intel/status/892613372889399296
2nd Update 2 August 2017: This campaign has continued on and off all night (UK time) with a slight change to the zip file names. From exactly midnight UK time last night the last part of the zip name ( the date) changed from VM#######_20170801.zip to VM#######_20170802.zip. Looking through a few of the nearly 600 I received, it looks like the download sites are the -same- as many of the sites in yesterday’s (and earlier) Trickbot and globeimposter campaigns that I didn’t report on because of other real world commitments. A list of sites can be seen in VT comments**. Just change /98wugf56 to /JHghjHy6 (quite a few sites are live using the latest file name format).
** https://www.virustotal.com/en/file/a...fa27/analysis/
:fear::fear: :mad:
Fake 'Secure Email' SPAM, 'Payment copy' - Phish
FYI...
Fake 'Secure Email' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoof...anking-trojan/
3 Aug 2017 - "An email with the subject of 'Nationwide Secure Email – Secured Message' pretending to come from Nationwide but actually coming from a look-a-like domain <secured@ nationwidesecure .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan... Today’s example of the spoofed domain is nationwidesecure .co.uk 184.168.221.37 ip-184-168-221-37 .ip.secureserver .net...
The word doc attachment looks like this and tells you to use the non existent passphrase to open it. The blue moving circle makes you think that you need to enable the content & macros to see the hidden secure content.
DO NOT enable the macros or content. You WILL be infected:
> https://myonlinesecurity.co.uk/wp-co...Secure_doc.png
Secure.doc - Current Virus total detections 7/58*. Payload Security** shows a download from
http ://catterydelacanaille .be/logo.png which of course is -not- an image file but a renamed .exe file
that gets renamed to tyltl.exe and autorun (VirusTotal 15/65[3]). An alternative download location is
http ://carriereiserphotography .com/logo.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1501756792/
Secure.doc
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
89.255.9.40
37.120.182.208
185.30.144.205
3] https://www.virustotal.com/en/file/8...is/1501755791/
tyltl.exe
catterydelacanaille .be: 89.255.9.40: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/3a...4ba2/analysis/
carriereiserphotography .com: 72.32.177.50: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/1a...9dce/analysis/
___
'Payment copy' - Phish
- https://myonlinesecurity.co.uk/payme...l-credentials/
3 Aug 2017 - "... phishing attempts for email credentials. This one is slightly different than many others and surprisingly creative from the phisher. It pretends to be a message saying to 'download a payment copy and please ship the goods' they have ordered...
Screenshot: https://myonlinesecurity.co.uk/wp-co...shing-scam.png
If you follow the link inside the email you see a webpage looking like this:
http ://clcktoviewnow.a-acheter .org/ which contains an -Iframe- to
http ://www.pensiunea-ciobanelu .ro/view-ttcpy/
which actually displays the phishing attempt:
> https://myonlinesecurity.co.uk/wp-co..._pensiunea.png
After you input your email address and password, you get told “Please wait download will start in a minute”. It never does, there is no download of anything, whether malware or a genuine “fake” invoice or payment receipt and this is simply a phishing -scam- to get your email account credentials:
> https://myonlinesecurity.co.uk/wp-co...pensiunea2.png
... these emails use Social engineering tricks to persuade you to open the attachments or follow links in emails..."
clcktoviewnow.a-acheter .org: 85.14.138.114: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/16...319e/analysis/
pensiunea-ciobanelu .ro: 89.40.32.15: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/ed...8c36/analysis/
:fear::fear: :mad:
Fake 'Beneficiary’s Details', 'Secure Email' SPAM
FYI...
Fake 'Beneficiary’s Details' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/fake-...s-java-adwind/
14 Aug 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... 'previously mentioned many of these HERE*. We have been seeing these sort of emails almost every day and there was nothing much to update. Today’s has a slightly different subject and email content to previous ones. Many Antiviruses on Virus Total detect these heuristically...
* https://myonlinesecurity.co.uk/?s=java+adwind
Screenshot: https://myonlinesecurity.co.uk/wp-co...2602119326.png
The link in the email body goes to
http ://karizma-co .com/wp-admin/user/Beneficiary%27s Details.R01 (VirusTotal 0/65[1]) (almost certainly a compromised WordPress website) where a zip file is downloaded.
Beneficiary’s Details.zip - Extracts to Beneficiary’s Details.jar (478kb) - Current Virus total detections 1/59[2]
Payload Security[3]... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
1] https://www.virustotal.com/en/url/15...is/1502700304/
2] https://www.virustotal.com/en/file/d...is/1502679993/
Xpressmoney Global network.jar
3] https://www.hybrid-analysis.com/samp...ironmentId=100
File Details:
Beneficiary's Details.jar
karizma-co .com: 5.189.185.178: https://www.virustotal.com/en/ip-add...8/information/
___
Fake 'Secure Email' SPAM - delivers trickbot
- https://myonlinesecurity.co.uk/fake-...vers-trickbot/
14 Aug 2017 - "An email with the subject of 'You have a Santander Secure Email' pretending to come from Santander Bank but actually coming from a look-a-like domain <message@ santanderdocs .co.uk> with an html attachment which downloads a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... Today’s example of the spoofed domain is
santanderdocs .co.uk: 160.153.162.141: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/1e...ffb3/analysis/
I don’t have an actual email. The information was forwarded to me and only has the basic details with -no- email body content. The email looks like:
From: Santander <message@santanderdocs .co.uk>
Date: 14 August 2017 20:12
Subject: You have a Santander Secure Email
Attachment: SecureDoc.html
Screenshot of word doc: Beware of the -login- in the word doc. It is only there to persuade the recipient to enable content which allows the macros-to-run and infect you. Do NOT follow those instructions:
> https://myonlinesecurity.co.uk/wp-co..._SecureDoc.png
SecureDoc.doc - Current Virus total detections 3/58*. Payload Security**. This malware file downloads from
http ://cfigueras .com/armanistand.png which of course is -not- an image file but a renamed .exe file that gets renamed to Cqgcf.exe (VirusTotal 10/64[3]). An alternative download location is
http ://centromiosalud .es/armanistand.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1502715405/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
178.255.225.215
158.69.26.138
46.160.165.31
3] https://www.virustotal.com/en/file/d...is/1502713865/
cfigueras .com: 51.254.83.173: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/ce...f174/analysis/
centromiosalud .es: 178.255.225.215: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/d1...d183/analysis/
:fear::fear: :mad:
Fake 'eFax' SPAM, 'Locky' returns, Paypal phish
FYI...
Fake 'eFax' SPAM - delivers trickbot
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
15 Aug 2017 - "An email with the subject of 'eFax' pretending to come from eFax but actually coming from a look-a-like domain eFax <noreply@ faxdocuments120 .ml> with a malicious word doc attachment is today’s latest spoof of a well known company, messaging service, bank or public authority delivering Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...cuments120.png
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-co...3_2425_doc.png
efax42542153_2425.doc - Current Virus total detections 5/58*. Payload Security**. This malware file downloads from
http ://cfigueras .com/nothing44.png which of course is -not- an image file but a renamed .exe file that gets renamed to Qhdizwg.exe and autorun (VirusTotal 14/64***). An alternative download location is
http ://cfai66 .fr/nothing44.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1502883132/
efax42542153_2425.doc
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
51.254.83.173
158.69.26.138
185.141.26.86
185.40.20.42
*** https://www.virustotal.com/en/file/b...is/1502881050/
Qhdizwg.exe
cfigueras .com: 51.254.83.173: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/d8...777e/analysis/
cfai66 .fr: 87.252.5.144: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/7e...7f20/analysis/
___
Locky ransomware returns - two new "flavors"
- https://blog.malwarebytes.com/cyberc...o-new-flavors/
Aug 16, 2017 - "We recently observed a fresh malicious spam campaign pushed through the Necurs botnet distributing so far, two new variants of Locky ransomware... From August 9th, Locky made another reappearance using a new file extension “.diablo6” to encrypt files with the rescue note: “diablo6-[random] .htm“. Today a new Locky malspam campaign is pushing a new Locky variant that adds the extension “.Lukitus” and the rescue note: “lukitus .html“... Locky, like numerous other ransomware variants, is usually distributed with the help of spam emails containing a malicious Microsoft Office file or a ZIP attachment containing a malicious script:
> https://blog.malwarebytes.com/wp-con...us_MalSpam.png
... The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should
-never- assume Locky is gone simply because it’s not active at a particular given time..."
(More detail at the first malwarebytes URL above.)
___
Paypal phish - fake verification
- https://isc.sans.edu/diary/22726
2017-08-16 - "They are plenty of phishing kits in the wild that try to lure victims to provide their credentials. Services like Paypal are nice targets and we can find new -fake- pages almost daily. Sometimes, the web server isn’t properly configured and the source code is publicly available... I presume that the kit is related to a spam campaign but I did not get the initial email. Based on the quality of the kit, I suspect the email to be properly written. As usual, it starts with the classic Paypal login page:
- https://isc.sans.edu/diaryimages/ima...20170816-1.png
Then a fake verification page is displayed to warn the victim that a check of the account must be performed. Note that the values are hard coded:
- https://isc.sans.edu/diaryimages/ima...20170816-2.png
The next steps ask the victim to enter his/her details, including banking details:
- https://isc.sans.edu/diaryimages/ima...20170816-4.png
Graphically, the different pages are very clean and use components from the Paypal website to reproduce a look and feel very close to the official pages... There is also a second check of the IP address included in the PHP code. If a valid IP address or User-Agent is detected, an HTTP error 404 (page not found) is returned... When the verification screens are displayed to the victim, fields are prefilled with the extracted information from Paypal. This is really evil! All fields are also validated to prevent garbage and increase the change to capture real data. Depending on the card number that the victim provided, a next screen is presented to fill bank details. Based on the source code, three countries are targeted: US, CA and UK. Depending on the bank, specific forms are displayed to request valid connection details... At the end of the “verification process”, an email is sent to the attacker with all the victim's details. The destination is a gmail .com account... If most phishing kits remain simple and can be easily spotted by the victims, some of them are really well developed and harder-to-catch, especially if the URL used is nicely chosen and distributed via HTTPS. This kit was huge with more than 300 files in a 1.8MB ZIP file. Take care!"
:fear::fear: :mad:
Fake 'invoice', 'Outstanding invoices' SPAM
FYI...
Fake 'invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
17 Aug 2017 - "... an email with the subject of 'Your Xero Invoice INV-0855485' coming from subscription.notifications@ xeronet .org which uses -compromised- sharepoint aka onedrive for business accounts to deliver Dridex banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...NV-0855485.png
The -link- in the body of the email is to
https ://lakesambel-my.sharepoint .com/personal/contact_caravanparkbeechworth_com_au/_layouts/15/guestaccess.aspx?docid=03b4b6316d9ca4fa48971a9101a38b364&authkey=Afo8hRz5LV65-XWim02sZtg
where a zip file containing a .js file is downloaded.
Xero Invoice.zip: Extracts to: Xero Invoice.js - Current Virus total detections 20/57[1]. Payload Security[2]
This malware downloads from
https ://stakks-my.sharepoint .com/personal/accounts_stakks_com_au/_layouts/15/guestaccess.aspx?docid=0426cc21c900f4425bfd868cf0a9bc836&authkey=AdVBGQCO-SGtytiexhgUfw8
to deliver documents.xero which is -renamed- to Y739Ayh.exe (VirusTotal 34/65[3]) Payload Security[4]...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/1...is/1502950371/
2] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
13.107.6.151
185.174.100.16
117.121.243.232
74.208.64.187
104.236.218.169
31.31.77.229
3] https://www.virustotal.com/en/file/b...0aea/analysis/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
185.174.100.16
117.121.243.232
74.208.64.187
104.236.218.169
31.31.77.229
lakesambel-my.sharepoint .com: 13.107.6.151: https://www.virustotal.com/en/ip-add...1/information/
stakks-my.sharepoint .com: 13.107.6.151
___
Fake 'Outstanding invoices' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/outst...ky-ransomware/
17 Aug 2017 - "An email with the subject of 'Outstanding invoices email 1 of 2' pretending to come from random names and email addresses with a malicious word doc attachment delivers Locky Ransomware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ail-1-of-2.png
056757.doc - Current Virus total detections 15/58*. Payload Security**.
This malware downloads from
http ://campingtossa .com/87wifhFsdf (VirusTotal 23/63***).
There will be dozens if not hundreds of other downloads sites in different versions of these word docs...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1502969190/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
188.93.73.211
212.109.220.109
*** https://www.virustotal.com/en/file/2...is/1502969865/
87wifhFsdf.exe
campingtossa .com: 188.93.73.211: https://www.virustotal.com/en/ip-add...1/information/
:fear::fear: :mad:
Fake 'order' SPAM, Cloud: User Account Attacks
FYI...
Fake 'order' SPAM - links deliver malware
- https://myonlinesecurity.co.uk/your-...ivers-malware/
18 Aug 2017 - "... an email with the subject of 'Your order no 8194788 (random numbers) has been processed' coming from random names @ creatingkindly .com which delivers some sort of malware... These pretend to be an order confirmation for cotton material from a -random- name shop with a -fake- address...
Screenshot: https://myonlinesecurity.co.uk/wp-co...-processed.png
The email has a -link- in the body to
http ://michellesteve .com/victim_name/8194788.php?recipient-id=bzmqkpohrma&=282193283842&395981697844=760611824 which downloads document.zip: which Extracts to: document.lnk
- Current Virus total detections 6/55[1]. Payload Security[2].
An alternative email had the -link- to
http ://letsgetvisibility .com/victim_name/6290807.php?id-ee=ycttmymbp&=vdfq&jxkhgrs=vddrhdu
which currently gives me a 404 on the entire domain although it does have registration details from 2015.
This malware downloads from
http ://otp.forgetmenotbeading .com/valid.bin which is -renamed- by the script to combo.exe
(VirusTotal 8/61[3]) Payload Security[4]...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it... -Never- attempt to open a zip directly from your email, that is a guaranteed way to get infected... just delete the unexpected zip and not risk any infection..."
1] https://www.virustotal.com/en/file/b...is/1503034822/
document.zip
2] https://www.hybrid-analysis.com/samp...ironmentId=100
3] https://www.virustotal.com/en/file/4...is/1503034808/
valid.bin
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
65.55.50.189
185.117.73.5
creatingkindly .com: 50.63.202.38: https://www.virustotal.com/en/ip-add...8/information/
michellesteve .com: 185.61.152.60: https://www.virustotal.com/en/ip-add...0/information/
letsgetvisibility .com: A temporary error occurred during the lookup...
[Corrected to:] otp.forgetmenotbeading .com: 185.183.97.141: https://www.virustotal.com/en/url/1b...607e/analysis/
___
Cloud: User Account Attacks jumped 300% since 2016
... Most of these Microsoft user account compromises can be attributed to weak, guessable passwords and poor password management...
- http://www.darkreading.com/cloud/mic...d/d-id/1329666
8/17/2017 - "... 'One of the most critical things a user can do to protect themselves is to use a unique password for every site and never reuse passwords across multiple sites', the report* states... Attackers -frequently- compromise cloud services like Azure to enter a business and weaponize virtual machines so they can launch attacks like spam campaigns, brute force attacks, phishing, and port scanning..."
* http://download.microsoft.com/downlo..._Volume_22.pdf
:fear::fear: :mad:
Fake 'please print' 'images etc', 'O2 Bill' SPAM
FYI...
Fake 'please print' 'images etc' SPAM - delivers Cerber
- http://blog.dynamoo.com/2017/08/cerb...mages-etc.html
21 Aug 2017 - "I only have a couple of samples of this spam, but I suspect it comes in many different flavours..
Subject: images
From: "Sophia Passmore" [Sophia5555@ victimdomain .tld]
Date: Fri, May 12, 2017 7:18 pm
*Sophia Passmore*
--
Subject: please print
From: "Roberta Pethick" [Roberta5555@ victimdomain .tld]
Date: Fri, May 12, 2017 7:18 pm
*Roberta Pethick*
In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58*. Both samples contained a malicious Javascript named 20170821_08914700.js ...
Automated analysis [1] [2] shows a download from the following locations:
gel-batterien-agm-batterien .de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh .info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]
The Hybrid Analysis report[1] shows an executable being dropped which is Ceber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64[3].
Recommended blocklist:
46.4.91.144
119.28.100.249 "
* https://virustotal.com/#/file/27b49b...e573/detection
??
1] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
46.4.91.144
119.28.100.249
216.58.206.228
2] https://malwr.com/analysis/NjRlNDBiZ...VmMTJlNjg3Y2M/
Hosts
46.4.91.144
119.28.100.249
3] https://www.virustotal.com/en/file/a...234c/analysis/
___
Fake 'O2 Bill' SPAM - delivers Emotet banking Trojan
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
21 Aug 2017 - "... an email with the subject of 'My O2 Business – Your O2 Bill is ready' – (recipient’s name) coming from random senders which delivers Emotet banking Trojan. There has also been several different -fake- 'invoice' versions spoofing or faking various companies, some known & some completely made up today. The word docs have been -identical- and the -sites- are used in -all- the campaigns...
Screenshot: https://myonlinesecurity.co.uk/wp-co...08/O2_bill.png
Update 22 August 2017: a new malspam run this morning with a slightly changed subject 'Your O2 bill is ready' – (recipient name) still coming from random senders but pretending to come from 'O2 bill'. There has also been several different -fake- 'invoice' versions spoofing or faking various companies, some known & some completely made up today. The word docs have been -identical- and the -sites- are used in all the campaigns...
Screenshot: https://myonlinesecurity.co.uk/wp-co...08/O2_bill.png
The link in the email is to various sites where a word doc is downloaded. Some sites include:
http ://ekomer .es/HPRKFQZXAP5465294/ > 5.145.175.240
http ://eyelife .org/Rech-59081174958/ > 188.65.115.132
http ://cruisecapital .co.uk/gescanntes-Dokument-38085714326/ > 173.236.152.205
http ://theglobetrotters .org/Rechnung-55894642722/ > 69.195.116.213
http ://bryntel .com/JWYFPGLBMH8935758/ > 50.87.66.150
http ://itgrammatics .com/VMZJSGJXBS6464519/ > 178.159.253.100
http ://atitmedia .com/RIVTDJLDUW6513072/ > 109.104.86.127
http ://bytesoftware .com.br/FXXIGOFTER8590131/ > 216.172.172.168
http ://hapmag .com/VVHMVGTRCP7428957/ > 143.95.238.54
http ://marianamengote .com/RLDXAIYKZD2314573/ > 173.254.28.19
The word doc when opened [ and -if- you are unwise enough to enable macros ] will drop an encoded/obfuscated PowerShell script that has several obfuscated hard coded URLs inside it which download the actual Emotet banking Trojan. These do need quite a bit of decoding to get to the payload.
Some of today’s Urls are:
http ://ohleronline .com/qnhvqLeGds/ > Could not find an IP address for this domain name.
http ://wilsondesign .com.au/EmOYzciXN/ > 192.232.203.190
http ://effectiveit .com.au/zrMwJInVT/ > 175.107.174.7
http ://portseven .com.br/AEVHV/ > 67.23.238.138
http ://nubodyofdallas .com/FwJSgvPKF/ > 74.124.198.22
... The basic rule is NEVER open any attachment -or- link ln an email, unless you are expecting it...
Analysis reports: Note the binaries update at frequent intervals during the day (time of the malware campaign) so you will get -different- versions/file hashes from those mentioned here."
Word Doc: > https://www.virustotal.com/en/file/f...c54e/analysis/
Rech-03674886877.doc
O2 bill - 000952128372.doc
> https://www.hybrid-analysis.com/samp...ironmentId=100
Dropped binary: > https://www.virustotal.com/en/file/7...is/1503320867/
nvidiamath.exe
> https://www.virustotal.com/en/file/7...is/1503333837/
vHsZK.exe
> https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
104.236.252.178
storagewmi.exe
> https://www.hybrid-analysis.com/samp...ironmentId=100
HTTP Traffic
104.236.252.178
:fear::fear: :mad:
Fake 'Voicemail Service', 'Payments request', 'Purchase Order' SPAM
FYI...
Fake 'Voicemail Service' SPAM - delivers ransomware
- http://blog.dynamoo.com/2017/08/malw...l-service.html
22 Aug 2017 - "This -fake- voicemail leads to malware:
Subject: [PBX]: New message 46 in mailbox 461 from "460GOFEDEX" <8476446077>
From: "Voicemail Service" [pbx@ local]
Date: Tue, August 22, 2017 10:37 am
To: "Evelyn Medina"
Priority: Normal
Dear user:
just wanted to let you know you were just left a 0:53 long message (number 46)
in mailbox 461 from "460GOFEDEX" <8476446077>, on Tue, 22 Aug 2017 17:37:58 +0800
so you might want to check it when you get a chance. Thanks!
--Voicemail Service
The numbers and details -vary- from message to message, however the format is always the same. Attached is a RAR file with a name similar to msg0631.rar which contains a malicious script named msg6355.js...
The script has a VirusTotal detection rate of 14/59*.
According to automated analysis [1] [2] the script reaches out to the following URLs:
5.196.99.239/imageload.cgi [5.196.99.239 - OVH, Ireland / Just Hosting, Russia. Hostname: noproblem.one]
garage-fiat.be/jbfr387??qycOuKnvn=qycOuKnvn [91.234.195.48 - Ligne Web Services, France]
A -ransomware- component is dropped (probably Locky) with a detection rate of 16/64[3]."
* https://virustotal.com/#/file/ac87d5...e059/detection
??
1] https://malwr.com/analysis/NDI0ZWUyN...E0OWUxNGZkMTA/
msg6355.js
Hosts
91.234.195.48
5.196.99.239
2] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
216.58.209.238
91.234.195.48
5.188.63.30
3] https://www.virustotal.com/en/file/2...d38f/analysis/
jbfr387
> https://myonlinesecurity.co.uk/more-...elivers-locky/
22 Aug 2017 - "... an email with the subject of '[PBX]: New message 10 in mailbox 101 from 100GOFEDEX' <7820413853> pretending to come from 'Voicemail Service' <pbx@ local>... The new message number, mailbox number, gofedex number and telephone number are all random. All of these are being sent to Evelyn Medina <random_name@ recipient_domain .tld>...
Screenshot: https://myonlinesecurity.co.uk/wp-co...-voicemail.png
msg0575.rar: Extracts to: msg0575.js - Current Virus total detections 16/55*. Payload Security** delivers
bURnweP2.exe VirusTotal 16/65***...
There are literally hundreds of sites listed in the different versions of js files - when one of the other researchers uploads a list of today’s sites, I will edit this post to link to it...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1480616575/
-6dt874p53077.js
** https://www.hybrid-analysis.com/samp...ironmentId=100
File Details
msg4975.js
Contacted Hosts
37.247.123.33
94.242.59.239
5.196.99.239
*** https://www.virustotal.com/en/file/2...d38f/analysis/
jbfr387[1].3164.dr
___
Fake 'Payments request' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
22 Aug 2017 - "An email with the subject of 'Payments request' pretending to come from HSBC but actually coming from a look-a-like domain <message@ hsbc-mail .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... Today’s example of the spoofed domain is hsbc-mail .co.uk 89.233.106.146. As usual they are registered via Godaddy as registrar and the emails are being sent via sent 89.233.106.146 AS35017 Swiftway Sp. z o.o...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ts-request.png
Word doc looks like: https://myonlinesecurity.co.uk/wp-co...uments_doc.png
PaymentDocuments.doc - Current Virus total detections 3/59*. Payload Security**. This malware file downloads from
http ://pfsmoney .com/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to vgjqlt.exe and autorun (VirusTotal 13/65***).
An alternative download location is
http ://panda .biz/logo.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...3167/analysis/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
195.191.25.102
37.120.182.208
194.87.144.16
172.93.37.143
*** https://www.virustotal.com/en/file/c...is/1503394753/
pfsmoney .com: 162.144.12.198: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/5d...01b0/analysis/
panda .biz: 192.64.147.215: https://www.virustotal.com/en/ip-add...5/information/
___
Fake 'Purchase Order' SPAM - delivers nanocore RAT
- https://myonlinesecurity.co.uk/angel...-nanocore-rat/
22 Aug 2017 - "... an email with the subject of 'Purchase Order' coming from Angelika Rodriguez <zales@ municipiodepaute .gob.ec>[1] which delivers what is probably a nanocore RAT (it matches yara sigs for that malware)...
1] http://www.reputationauthority.org/l...9.250&d=gob.ec
Screenshot: https://myonlinesecurity.co.uk/wp-co...hase-order.png
Purchase_Order_List_Aug.zip: Extracts to: Purchase_Order_List_Aug.exe - Current Virus total detections 12/64*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c...is/1503426139/
Purchase_Order_List_Aug.exe
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
174.127.99.135
:fear::fear: :mad: