Fake 'Insurance', 'Water Services Invoice', 'Invoice 1377' SPAM
FYI...
Fake 'Insurance' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malw...insurance.html
12 Oct 2015 - "This spam does not come from No Letting Go but is instead a simple forgery with a malicious attachment.
From [accounts@ nolettinggo .co.uk]
Date Mon, 12 Oct 2015 11:43:16 +0330
Subject Insurance
Dear all
Please find attached insurance paperwork including EL certificate. Invoices
will follow at the beginning of November.
Regards
Karen
In the only sample I have seen so far, the attachment name is SKMBT_C36014102815580.doc which has a VirusTotal detection rate of 8/56*. This particular document contains this malicious macro... which downloads a malware component from the following location:
ukenterprisetours .com/877453tr/rebrb45t.exe
The usual pattern is that there are several different versions of the document downloading from different locations, but the payload is the same in all cases. This binary is saved as %TEMP%\gicage.exe and has a detection rate of 2/56**. That VirusTotal report and this Hybrid Analysis report[3] show network traffic to:
149.210.180.13 (TransIP BV, Netherlands)
I strongly recommend that you block or monitor traffic to this IP. The payload is the Dridex banking trojan..."
* https://www.virustotal.com/en/file/f...is/1444637908/
** https://www.virustotal.com/en/file/0...is/1444638547/
... Behavioural information
TCP connections
149.210.180.13: https://www.virustotal.com/en/ip-add...3/information/
92.123.225.120: https://www.virustotal.com/en/ip-add...0/information/
3] https://www.hybrid-analysis.com/samp...nvironmentId=3
ukenterprisetours .com: 46.20.120.64: https://www.virustotal.com/en/ip-add...4/information/
- http://myonlinesecurity.co.uk/nolett...d-doc-malware/
12 Oct 2015 - "An email that appears to come from nolettinggo .co.uk with the subject of 'Insurance' pretending to come from accounts@ nolettinggo .co.uk with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...o-1024x497.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
...
12 October 2015 : SKMBT_C36014102815580.doc - Current Virus total detections 7/55*
.. Downloads Dridex banking malware from http ://capricorn-cleaning .co.uk/877453tr/rebrb45t.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4...is/1444635759/
capricorn-cleaning .co.uk: 109.108.129.21: https://www.virustotal.com/en/ip-add...1/information/
___
Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malw...s-invoice.html
12 Oct 2015 - "This -fake- financial email is not from United Utilities but is instead a simple forgery with a malicious attachment:
From "UUSCOTLAND" <UUSCOTLAND@ uuplc .co.uk>
Date Mon, 12 Oct 2015 17:12:12 +0530
Subject Water Services Invoice
Good Morning,
I hope you are well.
Please find attached the water services invoice summary for the billing period of
12 September 2015 to 12 October 2015.
If you would like any more help, or information, please contact me...
Kind regards
Melissa
Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland
T: 0345 0726077 (26816)...
The information contained in this e-mail is intended only for the individual to whom it is addressed. It may contain legally privileged or confidential information or otherwise be exempt from disclosure. If you have received this Message in error or there are any problems, please notify the sender immediately and delete the message from your computer. You must not use, disclose, copy or alter this message for any unauthorised purpose...
Attached to the email is a file 12 October 2015 Invoice Summary.doc which comes in at least -four- different versions (VirusTotal results: [1] [2] [3] [4]) which contain a macro... Download locations spotted so far are:
ukenterprisetours .com/877453tr/rebrb45t.exe
eventmobilecatering .co.uk/877453tr/rebrb45t.exe
thewimbledondentist .co.uk/877453tr/rebrb45t.exe
cardiffhairandbeauty .co.uk/877453tr/rebrb45t.exe
All those download locations are on UK sites, but there are three apparently unrelated IP addresses in use:
46.20.120.64: https://www.virustotal.com/en/ip-add...4/information/
109.108.129.21: https://www.virustotal.com/en/ip-add...1/information/
213.171.218.221: https://www.virustotal.com/en/ip-add...1/information/
This is saved as %TEMP%\gicage.exe and has a VirusTotal detection rate of just 1/56[5]...
149.210.180.13 (TransIP BV, Netherlands)
86.105.33.102 (Data Net SRL, Romania)
I would recommend blocking traffic to both those IPs. The payload is the Dridex banking trojan.
Recommended blocklist:
149.210.180.13: https://www.virustotal.com/en/ip-add...3/information/
86.105.33.102: https://www.virustotal.com/en/ip-add...2/information/
1] https://www.virustotal.com/en/file/d...is/1444652575/
2] https://www.virustotal.com/en/file/b...is/1444652586/
3] https://www.virustotal.com/en/file/b...is/1444652597/
4] https://www.virustotal.com/en/file/f...is/1444652607/
5] https://www.virustotal.com/en/file/d...is/1444652695/
- http://myonlinesecurity.co.uk/water-...d-doc-malware/
12 Oct 2015 - "An email that appears to come from United Utilities Scotland with the subject of 'Water Services Invoice' pretending to come from UUSCOTLAND <UUSCOTLAND@ uuplc .co.uk> with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x690.png
.. DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
...
12 October 2015: 12 October 2015 Invoice Summary.doc - Current Virus total detections 8/55*
... Downloads from the same locations as described in today’s earlier malspam run** of malicious word docs, but delivers an updated Dridex version (VirusTotal 1/56 ***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1444654116/
** http://myonlinesecurity.co.uk/nolett...d-doc-malware/
*** https://www.virustotal.com/en/file/d...is/1444652695/
... Behavioural information
TCP connections
86.105.33.102: https://www.virustotal.com/en/ip-add...2/information/
191.234.4.50: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Invoice 1377' SPAM - PDF malware
- http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
12 Oct 2015 - "An email with the subject of 'Invoice 1377' pretending to come from info@ peachsoftware .co.uk with a zip attachment is another one from the current bot runs... The content of the email says:
Please see invoice attached
12 October 2015: invoice-1377.zip: Extracts to: invoice-1377.exe
Current Virus total detections 4/56*. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5...is/1444648227/
___
Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles
- http://www.secureworks.com/cyber-thr...edin-profiles/
7 Oct 2015 - "Summary: While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.
Fake LinkedIn accounts: The 25 fake LinkedIn accounts identified by CTU researchers fall into two categories: fully developed personas (Leader) and supporting personas (Supporter). The table in the Appendix lists details associated with the accounts. The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas. The photos used in the fake accounts are likely of innocent individuals who have no connection to TG-2889 activity...
Legitimate endorsers of -fake- TG-2889 LinkedIn accounts by country:
> http://www.secureworks.com/assets/im...e007_500px.png
... Ongoing threat: Updates to profile content such as employment history suggest that TG-2889 regularly maintains these fake profiles. The persona changes and job alterations could suggest preparations for a new campaign, and the decision to reference Northrop Grumman and Airbus Group may indicate that the threat actors plan to target the aerospace vertical. It is likely that TG-2889 maintains personas that have not yet been identified, and that other threat groups also use this tactic. CTU researchers advise organizations to educate their users of the specific and general risks:
- Avoid contact with known fake personas.
- Only connect to personas belonging to individuals they know and trust.
- Adopt a position of sensible caution when engaging with members of colleagues' or friends' networks that they have not -verified- outside of LinkedIn.
When evaluating employment offers originating from LinkedIn, seek confirmation that the individual is legitimate by directly contacting the individual's purported employer. Organizations may want to consider policing abuse of their brand on LinkedIn and other social media sites..."
:fear::fear: :mad:
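The Insurance and Water Services Invoice items above describe the same pattern: the macro fetches one executable path (877453tr/rebrb45t.exe) from several unrelated sites, and the dropped binary then talks to a couple of C&C addresses the posts recommend blocking. The following is an added detection sketch, not code from the dynamoo or myonlinesecurity posts; the log format (a simplified squid-style access log) and the log lines are constructed for the illustration, while the blocklist IPs and download hosts come from the posts quoted above.

```python
"""Detection sketch for the Dridex malspam pattern described above.

Added example, not code from the quoted posts. The log format and the
sample lines are constructed; the indicators are from the posts.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# C&C addresses the 12 Oct 2015 posts recommend blocking.
BLOCKLIST = {"149.210.180.13", "86.105.33.102"}

# Constructed sample lines: "<epoch> <client> <dest_ip> <method> <url> <status>".
# The host/IP pairings are illustrative, not taken from the reports.
SAMPLE_LOG = """\
1444650001 10.0.0.12 46.20.120.64 GET http://ukenterprisetours.com/877453tr/rebrb45t.exe 200
1444650007 10.0.0.31 109.108.129.21 GET http://capricorn-cleaning.co.uk/877453tr/rebrb45t.exe 200
1444650015 10.0.0.12 213.171.218.221 GET http://thewimbledondentist.co.uk/877453tr/rebrb45t.exe 200
1444650020 10.0.0.44 93.184.216.34 GET http://example.com/downloads/setup.exe 200
1444650033 10.0.0.12 149.210.180.13 POST http://149.210.180.13:443/ 200
1444650040 10.0.0.55 198.51.100.7 GET http://intranet.example/report.pdf 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<dest>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        parts = urlsplit(ev["url"])
        ev["host"] = parts.hostname or ""
        ev["path"] = parts.path
        events.append(ev)
    return events


def find_blocklist_hits(events):
    """Any connection whose destination IP is on the recommended blocklist."""
    return [(ev["client"], ev["dest"]) for ev in events if ev["dest"] in BLOCKLIST]


def find_shared_exe_paths(events, min_hosts=2):
    """Flag executable paths served from at least min_hosts distinct hosts.

    This is the 'same payload path, different compromised sites' pattern
    the posts describe for the 877453tr/rebrb45t.exe downloads.
    """
    hosts_by_path = defaultdict(set)
    for ev in events:
        if ev["path"].lower().endswith((".exe", ".scr")):
            hosts_by_path[ev["path"]].add(ev["host"])
    return {p: sorted(h) for p, h in hosts_by_path.items() if len(h) >= min_hosts}


def clients_to_investigate(events):
    """Clients that fetched a shared-path executable and then hit a C&C IP."""
    shared = find_shared_exe_paths(events)
    downloaders = {ev["client"] for ev in events if ev["path"] in shared}
    beaconers = {c for c, _ in find_blocklist_hits(events)}
    return sorted(downloaders & beaconers)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("blocklist hits:", find_blocklist_hits(evs))
    print("shared exe paths:", find_shared_exe_paths(evs))
    print("investigate:", clients_to_investigate(evs))
```

A single host downloading setup.exe is not flagged on its own; the shared-path rule only fires when the same executable path is seen on two or more different sites.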
Fake 'Customer Invoice', 'Bank Payment' SPAM
FYI...
Fake 'Customer Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/quickh...d-doc-malware/
13 Oct 2015 - "An email appearing to come from 'QuickHostUK' with the subject of 'Customer Invoice' pretending to come from QuickHostUK <info@ quickhostuk .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear customer,
This is a notice that an invoice has been generated on 11/10/2015.
Your payment method is: Credit/Debit Card
Invoice #302673
Amount Due: £40.00GBP
Due Date: 18/10/2015
Invoice Items
Fully Managed Hosting – Starter (18/10/2015 – 17/11/2015) £40.00GBP
Sub Total: £40.00GBP
Credit: £0.00GBP
Total: £40.00GBP
Payment will be taken automatically on 18/10/2015 from your credit card on record with us. To update or change the credit card details we hold for your account please login...
13 October 2015: Invoice-302673.doc - Current Virus total detections 5/56*
... Which downloads Dridex banking malware from http ://thelureofnoma .com/~web/34fc34t45t/8ijfew.exe (VirusTotal 1/53**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1444732952/
** https://www.virustotal.com/en/file/9...is/1444733145/
thelureofnoma .com: 69.72.240.66: https://www.virustotal.com/en/ip-add...6/information/
___
Fake 'Bank - Third Party Payment' SPAM – PDF malware
- http://myonlinesecurity.co.uk/common...e-pdf-malware/
13 Oct 2015 - "An email appearing to come from 'Commonwealth Bank of Australia' with the subject of 'First NetBank Third Party Payment' pretending to come from NetBankNotification@ cba .com.au with a zip attachment is another one from the current bot runs... The content of the email says:
First NetBank Third Party Payment
Your first transfer to the following third party account(s) has been successfully processed:
From Account: **** **** **** 6439 MasterCard
To Account(s): Bonnie Sharpe 511-187 ***7654 AMEX $6,990.72 Assistance to Refugees
Date: 13/10/2015
Please check attached file for more information about this transaction.
Yours sincerely,
Commonwealth Bank of Australia
Please do not reply. To confirm this is a genuine email sent by the Bank, please check your inbox on the NetBank home page.
Message: 932750168
13 October 2015: CBA Third Party Payment 932750168.zip: Extracts to: CBA Third Party Payment 949078743.scr
Current Virus total detections 10/57*... This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0...is/1444709718/
:fear::fear: :mad:
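The 'Invoice 1377' and 'Bank Payment' items above both rely on the spoofed-icon trick: a zip whose member is an .exe or .scr carrying a PDF icon, which a Windows machine that hides known extensions shows as a document. The following is an added mail-gateway style check, not the myonlinesecurity author's code; the archives are built in memory, the member names follow the posts, and the file contents are stand-in bytes rather than real samples.

```python
"""Scan zip attachments for executables posing as documents.

Added example, not code from the quoted posts. Archives and contents
are constructed in memory for the illustration.
"""
import io
import zipfile

# Extensions Windows runs on double-click; .scr is a screensaver but is
# an ordinary PE, which is why these bot runs favour it.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt"}


def _ext(name):
    """Lower-cased final extension including the dot, or '' if none."""
    dot = name.lower().rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def classify_member(name, head):
    """Return the reasons an archive member looks like an icon-spoofed executable.

    name: member filename; head: the first bytes of its content.
    """
    reasons = []
    ext = _ext(name)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    # Double extension such as invoice-1377.pdf.exe: the part before the
    # last dot still ends in a document extension.
    stem = name[: name.lower().rfind(".")] if "." in name else name
    if _ext(stem) in DOCUMENT_EXTS:
        reasons.append("document extension hidden before a second extension")
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ) regardless of extension")
        if ext == ".pdf":
            reasons.append("claims .pdf but content is a PE")
    return reasons


def scan_zip(data):
    """Scan raw zip bytes; returns {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(members):
    """Construct an in-memory archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: names taken from the posts, contents are stand-ins.
MALICIOUS_ZIP = build_sample_zip({
    "CBA Third Party Payment 949078743.scr": b"MZ\x90\x00stand-in, not a real PE",
})
DOUBLE_EXT_ZIP = build_sample_zip({
    "invoice-1377.pdf.exe": b"MZ\x90\x00stand-in",
})
BENIGN_ZIP = build_sample_zip({
    "statement.pdf": b"%PDF-1.4 stand-in document",
})

if __name__ == "__main__":
    for label, z in (("malicious", MALICIOUS_ZIP), ("double", DOUBLE_EXT_ZIP), ("benign", BENIGN_ZIP)):
        print(label, scan_zip(z))
```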
Flash 0-Day, Fake 'DocuSign', 'SMSF Gateway Svc Msg' SPAM, DRIDEX Takedown
FYI...
Flash 0-Day used in Pawn Storm...
>> http://blog.trendmicro.com/trendlabs...torm-campaign/
Oct 14, 2015 - "... the attackers behind Pawn Storm are using a new Adobe Flash zero-day exploit in their latest campaign. Pawn Storm is a long-running cyber-espionage campaign known for its high-profile targets and usage of the first Java zero-day we’ve seen in the last couple of years... Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207... We have notified Adobe about our discovery and are working with them to address this security concern. Updates to this entry will be made once more information is available."
Just released 10.13.2015. Suggest Flash be -disabled- immediately until a new fix/release from Adobe is available...
* Suggest Java be disabled, too. Next scheduled release of Java update due 10.20.2015.
- https://community.qualys.com/blogs/l...y-october-2015
Oct 13, 2015 - "... Oracle will have their CPU later this month, on the 20th..."
___
Fake 'DocuSign' SPAM – PDF malware
- http://myonlinesecurity.co.uk/docusi...e-pdf-malware/
14 Oct 2015 - "An email with the subject of 'Completed: Optus agreement no JTJW-650508' pretending to come from thiaminenz570@ cintas .com; on behalf of; 'DocuSign via DocuSign <dse_eu1@ docusign .net>' with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...n-1024x780.png
14 October 2015: Optus agreement no JTJW-650508.zip: Extracts to: Optus agreement no LPRH-300726.scr
Current Virus total detections 6/56*... This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1444797213/
___
Fake 'SMSF Gateway Svc Msg' SPAM – PDF malware
- http://myonlinesecurity.co.uk/austra...e-pdf-malware/
14 Oct 2015 - "An email with the subject of 'Australia Post SMSF Gateway Service Message' pretending to come from SMSF Gateway Team <SMSFGateway-NO-REPLY@ smsfmsg .auspost .com.au> with a zip attachment is another one from the current bot runs... The content of the email says:
We’re pleased to advise you that the Australia Post SMSF Gateway Service has received a superannuation contribution message.
The details of this message are in the attached PDF.
The contribution payment should appear in your nominated bank account with a payment reference number listed in the PDF to allow for easy reconciliation.
Kind Regards
The SMSF Gateway Team ...
14 October 2015: Contribution448772241.zip: Extracts to: Contribution308911799.scr
Current Virus total detections 4/56*... This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7...is/1444789129/
___
FBI, Security Vendors Partner for DRIDEX Takedown
- http://blog.trendmicro.com/trendlabs...dridex-botnet/
Oct 13, 2015 - "Multiple command-and-control (C&C) servers used by the DRIDEX botnet have been taken down by the Federal Bureau of Investigation (FBI), following the action taken by the National Crime Agency (NCA) in the UK. US law enforcement officials obtained court orders that resulted in the seizure of multiple servers used by DRIDEX. This crippled the malware’s C&C network, which is used by the malware to send the stolen information to the cybercriminals and to download configuration files that include the list of targeted banks. Furthermore, charges have been made against Andrey Ghinkul, aka Andrei Ghincul and Smilex, the Moldovan administrator of the botnet. Taking down cybercriminals is no small feat. Tracking down and shutting down cybercrime operations requires the constant collaboration of researchers and law enforcement agencies, each providing their own expertise. The takedown of the command-and-control (C&C) network used by the banking malware DRIDEX is the latest example of that partnership’s success... DRIDEX has slowly been making a name for itself this past year and has been viewed as the successor to the Gameover Zeus (GoZ) malware. Its prevalence in the threat landscape can be attributed to its business model, P2P (peer-to-peer) architecture, and unique routines. Unlike other malware, DRIDEX operates using the BaaS (Botnet-as-a-Service) business model. It runs several bot networks, each identified by a number and each containing a specific set of target banks. Our investigation revealed that its target banks mostly come from the US and Europe (particularly Romania, France, and the UK)... users in the US and the UK accounted for more than 35% of DRIDEX infections:
> https://blog.trendmicro.com/trendlab.../10/dridex.jpg
The P2P architecture of DRIDEX was built as an improved version of GoZ’s architecture. Learning from the GoZ takedown, creators of DRIDEX added another layer in its architecture before the command-and-control (C&C) server. Apart from these, DRIDEX is also equipped to remove or hide tracks in the system. Similar to the Chthonic variant of ZBOT, it uses an invisible persistence technique which involves writing an autostart reg key upon system shutdown and deleting the autostart reg key upon system startup. However, only DRIDEX cleans up the stored configuration in the registry and changes the malware copy location. DRIDEX is easily spread using malicious email attachments, usually Microsoft Office documents that contain macros. The use of macros could be seen as one way of ensuring a higher chance of successful attacks. Macros are commonly used in automated and interactive documents. The feature is usually deactivated by default, but if it was already enabled prior to the attack, the attack commences without any additional requirements. Otherwise, the attack must use a strong social engineering lure in order to convince the user to enable the feature. Furthermore, we found that the macro code contains garbage and useless code... While the takedown of the C&C servers now prevents DRIDEX from executing malicious activities, total cleanup still requires users to ensure that DRIDEX has been removed from their systems..."
>>> http://www.justice.gov/usao-wdpa/pr/...lware-disabled
Oct 13, 2015 - "... Victims of Bugat/Dridex may use the following webpage created by US-CERT for assistance in removing the malware:
> https://www.us-cert.gov/dridex ..."
Oct 13, 2015
:fear::fear: :mad:
Fake 'DHL' SPAM, Backdoor Zegost delivered
FYI...
Fake 'DHL' SPAM - PDF malware
- http://myonlinesecurity.co.uk/dhl-au...e-pdf-malware/
16 Oct 2015 - "An email that appears to come from 'DHL Australia' with the subject of 'Return consignment AVD524417' pretending to come from DSC.AU.Returns@ dhl .com with a zip attachment is another one from the current bot runs... The content of the email says:
BOOKING OF YOUR CONTROLLED RETURN
Print off labels (on a LASER printer as this will ensure driver can scan barcode) and affix to carton.
Please ensure all other labels are removed from carton.
You can book your own freight by calling our Carrier Partner Startrack Express on 12 18 58 quoting Reference No. 524417
Alternatively, DHL will call within 3 business days after labels are sent to assist in booking in your freight for collection.
Quote the consignment Number that is on your labels (attached to your email with prefix AVD)
Startrack Express will provide you with a booking number, please retain this number.
Below is a mandatory TRANSFER SUMMARY. This must be completed prior to the arrival of driver; if not complete, this may result in a futile pick up.
Goods are required back into warehouse no later than 7 working days. Please ensure good are ready for collection.
STARTRACK EXPRESS TRANSFER SUMMARY REPORT ...
16 October 2015: FL-AVD524417.zip: Extracts to: FL-AVD084542.exe
Current Virus total detections 5/56*. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a...is/1444969428/
___
Backdoor Zegost delivered via Hacking Team exploit
- http://research.zscaler.com/2015/10/...vered-via.html
Oct 16, 2015 - "... In the past two months, we've spotted multiple instances of Zegost Backdoor Trojan installation attempts leveraging Hacking Team's Adobe Flash exploit (CVE-2015-5119) payload. These attacks do not appear to be targeted, but the payload involved in the infection cycle has some resemblance to recent APT payloads from HttpBrowser & the PlugX RAT family. Attack Chain: The infection cycle starts with a legitimate Chinese real estate and shopping site www[.]kongquechang[.]com, which appears to have been compromised by the attackers and contains an injected script. The injected script will cause a series of -redirects- leading to Hacking Team's exploit payload... Attackers are abusing the Chinese URL shortening service t .cn to -redirect- victims to the attack server and also Baidu's URL shortening service dwz .cn to deliver the Adobe Flash exploit payload... Below is the complete list of C&Cs it tries to connect to.
Conclusion: The use of a legitimate certificate in signing malware executables to evade security detection is not new but is still very effective. The malware author aims to exploit the Code-Signing Certificate based whitelisting approach by signing their samples..."
(More detail at the zscaler URL at the top.)
kongquechang[.]com: Could not find an IP address for this domain name.
:fear::fear: :mad:
Fake 'Invoice / PO', 'Online banking app form' SPAM
FYI...
Fake 'Invoice / PO' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malw...stephanie.html
19 Oct 2015 - "This -fake- financial spam does not come from Bombardier Transportation but is instead a simple -forgery- with a malicious attachment:
From "Stephanie Greaves" [sgreaves@ btros .co.uk]
Date Mon, 19 Oct 2015 12:06:42 +0430
Subject COS007202
Good morning,
Please see attached purchase order.
Kind regards,
Stephanie Greaves
Administration Apprentice
Bombardier Transportation (Rolling Stock) UK Ltd
Electronics, Cabling, & Interior Division
Litchurch Lane, Derby, DE24 8AD
Attached is a file COS007202.doc which comes in at least three different versions (VT results [1] [2] [3]) each containing a slightly different malicious macro... Analysis of the documents is pending, but they will almost definitely drop the Dridex banking trojan...
UPDATE: According to these Hybrid Analysis reports [4] [5] [6] , those macros download from the following locations:
euroagroec .com/35436/5324676645.exe
demo9.iphonebackstage .com/35436/5324676645.exe
webmatique .info/35436/5324676645.exe
The binary they download has a VirusTotal detection rate of 3/56[7] and is saved as %TEMP%\CrowSoft1.exe. Both the VirusTotal and Hybrid Analysis reports show what looks like malicious traffic going to:
157.252.245.49 (Trinity College Hartford, US)
I recommend that you -block- traffic to that IP..."
1] https://www.virustotal.com/en/file/3...is/1445246850/
2] https://www.virustotal.com/en/file/4...is/1445246860/
3] https://www.virustotal.com/en/file/8...is/1445246874/
4] https://www.hybrid-analysis.com/samp...nvironmentId=3
5] https://www.hybrid-analysis.com/samp...nvironmentId=3
6] https://www.hybrid-analysis.com/samp...nvironmentId=1
7] https://www.virustotal.com/en/file/a...is/1445249638/
___
Fake 'Online banking app form' SPAM - PDF malware
- http://myonlinesecurity.co.uk/online...e-pdf-malware/
19 Oct 2015 - "An email appearing to come from Nat West Leicester Business Banking Customer Support with the subject of 'Online banking application form********* CRM:013545192' (random numbers) pretending to come from 'NW – Leicester CRT <Leicester.CMT@ NatWest .com>' with a zip attachment is another one from the current bot runs... The content of the email says:
Please find enclosed the requested online application form which
you will need to complete and return to myself via the post.
Kind Regards
Janine Lyles
Relationship Manager’s Assistant
Leicester Business Banking Customer Support
1st Floor
1 Granby Street
Leicester
LE1 6EJ
Tel: 0116 2752435
Fax: 0116 2575469
E Mail ...
19 October 2015: Online banking upd appl form.zip: Extracts to: Online banking upd appl form.scr
Current Virus total detections 3/56*. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d...is/1445250902/
:fear::fear: :mad:
Fake 'P.O.', 'NOTIFICATION' SPAM, Shifu banking trojan
FYI...
Fake 'P.O.' SPAM - PDF malware
- http://myonlinesecurity.co.uk/purcha...e-pdf-malware/
20 Oct 2015 - "An email appearing to come from Xstrata with the subject of 'PurchaseOrder DR67CV_30HJ' from 'Xstrata' by 'Emerson, Vicky (PROD)' pretending to come from XstrataQLD@ axis.ventyx .com with a zip attachment is another one from the current bot runs... The content of the email says:
Please find attached a PurchaserOder from Xstarta for your action. It has been sent via Mincom Axis.
This PurhcaseOrder is in PDF format and can be viewed with Adobe Acrobat Reader. You may ACCEPT or REJECT this PurchaseOrdre from this email by following the isntructions below. In either case, an email will be generated for you to send to the Buyer via Mincom Axis. Type in any notes or comments you wish to convey to the buyer in the email Body and send the email but do not modify any part of the email Subject.
To ACCEPT the whole PucrhaseOrder, click the following link and complete your details ...
20 October 2015: PurchaseOrder_9EP31W_52M1_707850624.zip: Extracts to: PurchaseOrder_816785634_036545298.exe
Current Virus total detections 6/56*. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a...is/1445314610/
___
Fake 'P.O.' SPAM - doc malware
- http://blog.dynamoo.com/2015/10/malw...-no-48847.html
20 Oct 2015 - "This -fake- financial spam comes with a malicious payload:
From Harminder Saund [MinSaund77@ secureone .co.uk]
Date Tue, 20 Oct 2015 16:08:53 +0700
Subject Purchase Order No: 48847
Attached is a copy of our Purchase Order number 48847
Harminder Saund
Secure One
The sender's email address varies slightly, for example:
MinSaund77@ secureone .co.uk
MinSaund92@ secureone .co.uk
MinSaund94@ secureone .co.uk
MinSaund013@ secureone .co.uk
Attached is a file PO_48847.DOC which I have seen two different versions of so far (VirusTotal [1] [2]) each containing a slightly different malicious macro... There are probably different versions of the document with different macros. Automated analysis is pending, however the payload is most likely the Dridex Shifu banking trojan. Please check back for updates..."
1] https://www.virustotal.com/en/file/9...is/1445335728/
2] https://www.virustotal.com/en/file/a...is/1445335747/
UPDATE: So far, three download locations have been identified..
ladiesfirst-privileges .com/656465/d5678h9.exe
papousek.kvalitne .cz/656465/d5678h9.exe
pmspotter. wz.cz/656465/d5678h9.exe
This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56*... The Hybrid Analysis reports [1] [2] indicate that it calls home to:
fat.uk-fags .top / 188.166.250.20 (Digital Ocean, Singapore)
I recommend that you -block- traffic to that IP."
* https://www.virustotal.com/en/file/b...is/1445341067/
1] https://www.hybrid-analysis.com/samp...nvironmentId=3
2] https://www.hybrid-analysis.com/samp...nvironmentId=3
___
Fake 'NOTIFICATION' SPAM - xls malware
- http://blog.dynamoo.com/2015/10/malw...mailbella.html
20 Oct 2015 - "This spam comes with a malicious attachment:
From "GOMEZ SANCHEZ"[postmail@ bellair .net]
To
Date Tue, 20 Oct 2015 13:14:56 +0430
Subject victim@ victimdomain .tld
Congratulations
Print out the attachment file fill it and return it back by fax or email
Yours Sincerely
GOMEZ SANCHEZ
The "Subject" is the victim's own email address. Attached is a file FINAL NOTIFICATION.xls which comes (so far) in three different variants (VirusTotal [1] [2] [3]) and contains one of -three- malicious macros... Analysis of the payload is pending, but is likely to be the Dridex Shifu banking trojan. Please check back later..."
1] https://www.virustotal.com/en/file/c...is/1445335252/
FINAL NOTIFICATION .xls - 4/56
2] https://www.virustotal.com/en/file/8...is/1445335267/
FINAL NOTIFICATION-2 .xls - 4/54
3] https://www.virustotal.com/en/file/7...is/1445335281/
FINAL NOTIFICATION-3 .xls - 4/56
UPDATE: So far, three download locations have been identified..
ladiesfirst-privileges .com/656465/d5678h9.exe
papousek.kvalitne .cz/656465/d5678h9.exe
pmspotter.wz. cz/656465/d5678h9.exe
This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56*... The Hybrid Analysis reports [1] [2] indicate that it calls home to:
fat.uk-fags .top / 188.166.250.20 (Digital Ocean, Singapore)
I recommend that you block traffic to that IP."
* https://www.virustotal.com/en/file/b...is/1445341067/
1] https://www.hybrid-analysis.com/samp...nvironmentId=3
2] https://www.hybrid-analysis.com/samp...nvironmentId=3
ladiesfirst-privileges .com: 159.253.148.199: https://www.virustotal.com/en/ip-add...9/information/
papousek.kvalitne .cz: 88.86.117.145: https://www.virustotal.com/en/ip-add...5/information/
pmspotter.wz. cz: 88.86.117.153: https://www.virustotal.com/en/ip-add...3/information/
Shifu banking trojan: http://news.softpedia.com/news/shifu...y-490580.shtml
:fear::fear: :mad:
Fake 'E-Toll', 'Delayed tax return', 'INVOICE', 'PNC' SPAM, Chrome -clone- 'eFast'
FYI...
Fake 'E-Toll' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-e...e-pdf-malware/
21 Oct 2015 - "An email with the subject of 'Your E-Toll account statement' pretending to come from RMSETollDontReply@ rms.nsw. gov.au with a zip attachment is another one from the current bot runs... The content of the email says:
Dear Valued Customer,
Please find attached your E-Toll account statement.
If you would like to claim Cashback please:
Simply login to your account and click on the ‘Claim Cashback’ link on the Account Overview screen. Follow the easy steps and submit your claim online. Please note: Online claims can only be completed on E-Toll accounts with online access.
Mail the E-Toll transaction statements that list your toll usage for eligible trips and a completed Cashback rebate form to the following address: Roads and Maritime Services M5 Cashback Locked Bag 3 Dubbo NSW 2830
Rebates must be claimed within 12 calendar months of the end of the Cashback quarter.
Thank you for choosing E-Toll
Regards
The E-Toll Team Roads and Maritime Services
To view documents in PDF format, you must have Adobe Acrobat PDF reader software version 5 or above installed on your computer.
This email was sent to you by Roads and Maritime Services. This is an unmonitored email address so please do not reply to this email...
21 October 2015: Oct 2015ST.zip: Extracts to: Oct 2015ST.exe
Current Virus total detections 3/55*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e...is/1445398880/
___
Fake 'Delayed tax return' SPAM - PDF malware
- http://myonlinesecurity.co.uk/austra...e-pdf-malware/
21 Oct 2015 - "An email that appears to come from Australian Taxation Office with the subject of 'Delayed tax returns over 30 days' pretending to come from DelayedReturn <DelayedReturn@ ato. gov.au> with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...s-1024x769.png
21 October 2015: TaxAgentReport516177320151020230248.zip: Extracts to: TaxAgentReport061836020151020223957.exe
Current Virus total detections 5/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4...is/1445398912/
___
Fake 'INVOICE' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malw...ayment_21.html
21 Oct 2015 - "This -fake- financial spam is not from Lancashire Police but is a simple -forgery- with what appears to be a malicious attachment.
From: Whitehead, Lyn [Lyn.Whitehead@ lancashire.pnn.police .uk]
Date: 21 October 2015 at 10:15
Subject: INVOICE FOR PAYMENT - 7500005791
Hello
Please find attached an invoice that is now due for payment.
Regards
Lyn
Lyn Whitehead (10688)
Business Support Department - Headquarters
Email: Lyn.Whitehead@ lancashire.pnn.police .uk ...
The attachment appears to contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, this document does not seem to open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending. The VirusTotal report shows a detection rate of zero. The Malwr report is inconclusive. Other analysis is pending, please check back.
UPDATE 1: Another version of this is in circulation, also with zero detections at VirusTotal... The Hybrid Analysis for both samples is inconclusive...
UPDATE 2: An analysis of the documents shows an HTTP request to:
ip1.dynupdate.no-ip .com:8245
All this returns is the IP address of the computer opening the document. Although not malicious in itself, you might want to look out for it as an indicator of compromise...
UPDATE 4: The Hybrid Analysis reports for the documents can be found here [1] [2] [3] and show that the macros... in the document download a binary from the following locations:
www .sfagan.co .uk/56475865/ih76dfr.exe
www .cnukprint .com/56475865/ih76dfr.exe
www .tokushu. co.uk/56475865/ih76dfr.exe
www .gkc-erp .com/56475865/ih76dfr.exe
At present this has a zero detection rate at VirusTotal*... Those reports in addition to this Malwr report[4] indicate malicious traffic to the following IPs:
89.32.145.12 (Elvsoft SRL, Romania / Coreix Ltd, UK)
119.47.112.227 (Web Drive Ltd, New Zealand)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
157.252.245.49 (Trinity College Hartford, US)
The payload is probably the Shifu banking trojan.
Recommended blocklist:
89.32.145.12
119.47.112.227
195.154.251.123
157.252.245.49 "
1] https://www.hybrid-analysis.com/samp...nvironmentId=1
2] https://www.hybrid-analysis.com/samp...nvironmentId=1
3] https://www.hybrid-analysis.com/samp...nvironmentId=1
4] https://malwr.com/analysis/NjE3YmRhO...RkZDE2ZTk1ZDM/
* https://www.virustotal.com/en/file/3...is/1445428911/
... Behavioural information
TCP connections
119.47.112.227: https://www.virustotal.com/en/ip-add...7/information/
8.254.218.14: https://www.virustotal.com/en/ip-add...4/information/
195.154.251.123: https://www.virustotal.com/en/ip-add...3/information/
___
Fake 'PNC' SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-p...e-pdf-malware/
21 Oct 2015 - "An email with the subject of 'Your PNC Bank Online Statement is ready to be viewed' pretending to come from PNCBank_Statements@ pnc .com with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...d-1024x550.png
21 October 2015: Statement_7208_10212015.zip: Extracts to: Statement_3374_10212015.zip.scr
Current Virus total detections 5/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f...is/1445449142/
___
Chrome -clone- 'eFast' serves ads, collects info
- http://net-security.org/malware_news.php?id=3129
21.10.2015 - "A Google Chrome lookalike browser dubbed 'eFast' is being actively pushed onto users. The software is at best annoying and unwanted, and at worst can lead users to malware. Posing as a legitimate application that will benefit users, eFast is actually only helpful to its creators - it sidelines other browsers, generates intrusive online ads (the creators are paid for each click), redirects users to potentially malicious pages, and monitors their Internet browsing activity, which is then sold to third party companies. "eFast Browser is mostly proliferated as a 'bundle' with other (mostly free) software," PC Risk's Tomas Meskauskas warns*. "Users do not expect bundled applications to be concealed, and thus, developers intentionally hide them within the 'Custom' or 'Advanced' settings. Users who rush the download/installation processes and skip this section often inadvertently install potentially unwanted programs. In doing so, they expose their systems to risk of infection and compromise their privacy"... During installation, eFast will attempt to -replace- Chrome if that is already installed, by deleting all the shortcuts to it on your taskbar and desktop. "To make sure that you will use your new browser, eFast makes itself the default browser and takes over some file-associations. File-associations are settings that determine which program will run when files with a certain extension are opened," Malwarebytes' Pieter Arntz explains**..."
* https://www.pcrisk.com/removal-guide...-efast-browser
eFast Browser removal instructions
** https://blog.malwarebytes.org/online...-associations/
:fear::fear: :mad:
Fake 'Invoice Summary.doc' SPAM, Fake Java, Email account PHISH, Apple Invoice PHISH
FYI...
Fake 'Invoice Summary.doc' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malw...nvoice_22.html
22 Oct 2015 - "This -fake- invoice does not come from United Utilities Scotland, but is instead a simple forgery with a malicious attachment...
From "UUSCOTLAND" [UUSCOTLAND@ uuplc. co.uk]
Date Thu, 22 Oct 2015 19:30:13 +0700
Subject Water Services Invoice
Good Morning,
I hope you are well.
Please find attached the water services invoice summary for the billing period of
22 September 2015 to 22 October 2015.
If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at uuscotland@uuplc.co.uk.
Kind regards
Melissa
Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland ...
So far I have seen -three different- versions of the attachment, all named 22 October 2015 Invoice Summary.doc with detection rates of between 4/55 and 7/55 at VirusTotal [1] [2] [3] containing... malicious macros... Analysis of the documents is pending, but one key indicator is that the file appears to be saved as %TEMP%\bluezone3.exe. Check back later for updates."
1] https://www.virustotal.com/en/file/f...is/1445520172/
2] https://www.virustotal.com/en/file/a...is/1445520186/
3] https://www.virustotal.com/en/file/3...is/1445520199/
UPDATE 1: This VirusTotal report* also identifies the following download locations:
beauty.maplewindows .co.uk/t67t868/nibrd65.exe
dtmscomputers .co.uk/t67t868/nibrd65.exe
namastetravel .co.uk/t67t868/nibrd65.exe
This file has a VirusTotal detection rate of 2/54** and that report indicates network traffic to: 198.74.58.153 (Linode, US)
Further analysis is pending, in the meantime I suggest that you -block- traffic to the above IP."
* https://www.virustotal.com/en/file/a...is/1445520186/
** https://www.virustotal.com/en/file/5...is/1445521267/
198.74.58.153: https://www.virustotal.com/en/ip-add...3/information/
___
Fake Java "pop-ups for Download"
- https://blog.malwarebytes.org/online...ava-i-ordered/
Oct 22, 2015 - "... The downloaded file is called setup.exe and is recognized by a few scanners* that detect this file as potentially unwanted adware. (PUP.Optional.Media)... It installs a program called Media Downloader version 1.5:
> https://blog.malwarebytes.org/wp-con.../warning4w.png
The other one I want to show you is not actually a pop-up, but a background image that was made to look like one:
> https://blog.malwarebytes.org/wp-con.../10/site1w.png
Clicking this “Install” button downloads and prompts you to install a bundler that does install Java version 1.8.25 but not until they have offered the other components of the bundle. In this case I had to “Decline” Norton360, Weatherbug, PC Mechanic and Stormfall Age of War. Note that the latest version for my system is Version 8 Update 65. Version 8u25 is over a year old. Paying attention to the UAC prompt could have saved us some work here. Super IS (Fried Cookie Ltd.) somehow doesn’t have that official ring to it to convince me that this is the Java installer I was promised:
> https://blog.malwarebytes.org/wp-con...UACpromptw.png
Probably triggered by the critical patch update that was released by Oracle there are some sites that use this opportunity to lure users into using Java prompt -lookalikes- or bundled installers (for outdated versions). As always, get your software from trusted sources..."
* https://www.virustotal.com/nl/file/5...02a9/analysis/
___
Email account credentials - PHISH
- http://myonlinesecurity.co.uk/email-...ials-phishing/
22 Oct 2015 - "I came across this slightly different email -phishing- attempt this morning... The original email is quite bland, but just enticing enough to persuade a user to click and fill in the forms...
Screenshot: http://myonlinesecurity.co.uk/wp-con...l-1024x338.png
If you did follow the link, you would see a webpage looking like this:
> http://myonlinesecurity.co.uk/wp-con...e-1024x565.png
This site is hosted on a free hosting company weebly .com. Unfortunately these free hosts have minimal checks and it is easy to put up almost anything that can infect a user or act as a phishing site. Weebly does eventually respond to abuse reports but in my experience they are quite slow and take a long time to think about whether the site contravenes their T&Cs. Do -not- fill in the forms otherwise your email account will be compromised. You -never- need to give your email account password to anybody."
___
Apple Invoice - Phish
- https://blog.malwarebytes.org/fraud-...invoice-phish/
Oct 22, 2015 - "... a blatant attempt to swipe your payment information. Couched in the well-worn guise of a supposed Apple Store refund, the mail wants potential victims to hand over their Apple ID / password and then a chunk of personal / payment details:
> https://blog.malwarebytes.org/wp-con...pplephis01.jpg
... Of course, you probably did not authorise any sort of purchase for a “CoPilot Premium HD” which is exactly the “Oh no my money, I must retrieve it” reaction they’re banking on (unless you actually did buy one of these, in which case things might get a little confusing). Nothing will have people rushing to click buttons and hand over information faster than the possibility of someone making unauthorised payments – clicking the refund links will take them to a -fake- login, via a -redirect- on a potentially compromised t-shirt website. The phish pages themselves are located at
aut0carhire(dot)com/index/user12-appleid/index(dot)html
> https://blog.malwarebytes.org/wp-con...pplephish1.jpg
After handing over Apple ID credentials, the victim is taken to the next step which involves them giving name, address, DOB and full payment information:
> https://blog.malwarebytes.org/wp-con...pplephish2.jpg
... Unfortunately, hitting the “Cancel Transaction” button here would be pretty much the exact opposite of cancelling a transaction and victims could expect to see many more actual payments suddenly leaving their bank account. If you have this sitting in your mailbox, delete it. If you’ve already sent the scammers your details, notify your bank and cancel the card – while keeping an eye out for any dubious payments. Apple themed phish scams are a popular choice for criminals, and whether faced with iTunes logins, “Find my phone” fakeouts, iCloud shenanigans or payment receipts such as the one above, recipients should be wary and – if in doubt – head to -official- Apple pages* to find out if a payment really is being processed."
* http://www.apple.com/shop/account/home
aut0carhire(dot)com: 97.74.181.128: https://www.virustotal.com/nl/ip-add...8/information/
>> https://www.virustotal.com/nl/url/6a...f05e/analysis/
:fear::fear: :mad:
Fake 'cleaning invoice', 'Credit Note', 'Receipt for Payment' SPAM, Paypal PHISH
FYI...
Fake 'cleaning invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malw...e-deborah.html
23 Oct 2015 - "This -fake- financial spam comes with a malicious attachment:
From "deborah Sherer" [thesherers@ westnet .co.uk]
Date Fri, 23 Oct 2015 17:03:19 +0700
Subject cleaning invoice
Hello
attached is invoice for payment
thanks
Deborah Sherer
---
This email has been checked for viruses ...
Attached is a file Cleaning022958.doc which comes in three different versions (VirusTotal results [1] [2] [3]) containing a macro... and downloads a malicious binary from one of the following locations:
www .bhtfriends .org/tydfyyur54/43e67tko.exe
zomb.webzdarma .cz/tydfyyur54/43e67tko.exe
nisanyapi .com/tydfyyur54/43e67tko.exe
This is saved as %TEMP%\lenderb2.exe and has a VirusTotal detection rate of just 1/55* (that's just a generic detection by Kaspersky). That VirusTotal report plus this Hybrid Analysis report** show network traffic to:
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
Private sources also identify these following IPs as part of the C2 infrastructure:
157.252.245.49 (Trinity College Hartford, US)
198.74.58.153 (Linode, US)
68.168.100.232 (Codero, US)
The payload appears to be the Dridex banking trojan.
Recommended blocklist:
195.154.251.123
157.252.245.49
198.74.58.153
68.168.100.232 "
1] https://www.virustotal.com/en/file/4...is/1445595890/
2] https://www.virustotal.com/en/file/d...is/1445595902/
3] https://www.virustotal.com/en/file/2...is/1445595912/
* https://www.virustotal.com/en/file/a...is/1445595923/
** https://www.hybrid-analysis.com/samp...nvironmentId=1
___
Fake 'Credit Note' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malw...6536-from.html
23 Oct 2015 - "This -fake- financial spam has a malicious attachment:
From: Accounts [message-service@ post.xero .com]
Date: 23 October 2015 at 15:08
Subject: Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)
Hi Mattie,
Attached is your credit note CN-06536 for 8954.41 GBP.
This has been allocated against invoice number
If you have any questions, please let us know.
Thanks,
Avnet, Inc.
The message is neither from Avnet, Xero nor Trump Hotels, but is a simple forgery. Attached is a file Credit Note CN-06536.doc .. but it's actually a -ZIP- file rather than a DOC file. Whoops. Renaming the .DOC to .ZIP creates a valid archive, and the executable inside is named Credit Note CN-83607.exe and has a VirusTotal detection rate of 4/55*. VT identifies this as Upatre which implies that the payload is the Dyre banking trojan... the current version of Upatre/Dyre phones home to 197.149.90.166 (Cobranet, Nigeria) which I strongly recommend you block.
UPDATE: The Hybrid Analysis report is here**, reporting the Nigerian IP and also showing that the malware saves itself as:
%TEMP%\homebast.exe
C:\Windows\mLunoMqU.exe "
* https://www.virustotal.com/nl/file/9...is/1445609013/
** https://www.hybrid-analysis.com/samp...nvironmentId=1
197.149.90.166: https://www.virustotal.com/nl/ip-add...6/information/
___
Fake 'Scan Data' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malw...5-t2-scan.html
23 Oct 2015 - "This -fake- document scan appears to originate from within the victim's own organisation, but doesn't. Instead it comes with a malicious attachment.
From: DocuCentre-V C6675 T2 [reception@ victimdomain .com]
Reply-to: reception@ victimdomain .com
Date: 23 October 2015 at 09:23
Subject: Scan Data from FX-D6DBE1
Number of Images: 1
Attachment File Type: DOC
Device Name: DocuCentre-V C6675 T2
Device Location:
Attached is a file 22102015160213-0001.doc which comes in a few different versions. The payload is Dridex and all the files and downloaded binaries are the same as used in this spam run*."
* http://blog.dynamoo.com/2015/10/malw...e-deborah.html
___
Fake 'Receipt for Payment' SPAM - PDF malware
- http://myonlinesecurity.co.uk/thank-...e-pdf-malware/
23 Oct 2015 - "An email saying 'Thank you for filing your taxes with FreeTaxUSA' with the subject of 'Receipt for Payment' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...t-1024x939.png
23 October 2015: unjammed black fly.zip: Extracts to: 9842548_2377731824.exe
Current Virus total detections 2/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/nl/file/c...is/1445596923/
___
Western Union Business Solutions Spam
- http://threattrack.tumblr.com/post/1...solutions-spam
Oct 23, 2015 - "Subjects Seen:
Order 49746970 Booked - Western Union Business Solutions Online FX for Corporate
Typical e-mail details:
Please be advised that Order 49746970 totaling 70,494.00 USD has been booked on Oct 23 2015.
Click on the attached file to view details of the order or to print a receipt.
This email was sent by Western Union Business Solutions. We respect your right to privacy.
Thank you for using Western Union Business Solutions.
Sincerely,
Western Union Business Solutions
Malicious File Name and MD5:
westernunion_order_receipt.exe (E4510056BB38A37EE7AE485AA6C4B36A)
Screenshot: https://40.media.tumblr.com/356fe0f2...r6pupn_500.png
Tagged: Western Union, Upatre
___
Paypal - PHISH... again.
- http://myonlinesecurity.co.uk/paypal...ited-phishing/
23 Oct 2015 - "... There are a few major common subjects in a phishing attempt involving either PayPal or your Bank or Credit Card, with a message saying something like:
There have been unauthorised or suspicious attempts to log in to your account, please verify
Your Account Access Is Limited
Your account has exceeded its limit and needs to be verified
Your account will be suspended !
You have received a secure message from < your bank>
We are unable to verify your account information
Update Personal Information
Urgent Account Review Notification
We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
Confirmation of Order
Screenshot: http://myonlinesecurity.co.uk/wp-con...d-1024x780.png
... the links to the -phishing- website are behind the 'update your info' button or the 'update now' link... The eventual site is the highlighted part of the very long url which goes via googleadservices. Now many phishers have been using google search links to persuade a recipient to click-a-link. Hovering over the link in an email will show google which most people would think was safe... The only way is to look at the address bar and in the -Genuine- PayPal site, when using Internet Explorer the entire address bar is in green. (in Chrome or Firefox, only the padlock symbol on the left of the browser is green)...
> http://myonlinesecurity.co.uk/wp-con...ypal_phish.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."
___
Fake 'Notice to Appear' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/10/malw...to-appear.html
22 Oct 2015 - "This -fake- legal spam comes with a malicious attachment:
From: District Court
Date: 22 October 2015 at 19:03
Subject: Notice to Appear
Notice to Appear,
This is to inform you to appear in the Court on the October 27 for your case hearing.
Please, prepare all the documents relating to the case and bring them to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
You can review complete details of the Court Notice in the attachment.
Sincerely,
Michael Newell,
District Clerk
Attached is a file Notice_to_Appear_00800614.zip which in turn contains a malicious script Notice_to_Appear_00800614.doc.js... This obfuscated script translates into something a bit more understandable which clearly references the following domains:
www .flowarrior .com
www .abama .org
littlefacesofpanama-association .com
The Hybrid Analysis report* shows that it downloads a file as %TEMP%\5883173.exe which has a VirusTotal detection rate of 5/55** (possibly Cridex). It references the following IPs as being highly suspect:
91.121.108.77 (OVH, France)
78.24.220.229 (TheFirst-RU, Russia)
A -large- number of IPs are queried... I have not had the chance to check those individual IP addresses, but I recommend that you -block- the following two at least:
91.121.108.77
78.24.220.229 "
* https://www.hybrid-analysis.com/samp...nvironmentId=1
** https://www.virustotal.com/nl/file/d...is/1445547994/
> https://www.virustotal.com/nl/url/37...1464/analysis/
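Several of the runs quoted above rely on the same container tricks: a ZIP that extracts to an .exe or .scr carrying a PDF icon, a "Credit Note ... .doc" that is really a ZIP with an .exe inside, and a .doc.js script inside a ZIP. The following attachment-triage helper is an added example written for this thread, not code from any of the blogs quoted; it sniffs the leading bytes of an attachment, compares them with what the file name claims, recurses into ZIPs, and flags double extensions. All sample bytes are constructed stand-ins, not the real samples.

```python
"""Attachment triage for mail-gateway or IR use: claimed type (from the name)
versus real type (from the leading bytes), plus double-extension detection.
Note that it only catches container tricks; a genuine .doc with a macro passes."""
import io
import zipfile

# Leading bytes ("magic") of the container formats seen in these spam runs.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # legacy .doc / .xls (OLE2/CFB)
    b"PK\x03\x04": "zip",                          # ZIP, also .docx / .xlsx
    b"MZ": "pe",                                   # Windows executable
    b"%PDF": "pdf",
}
EXPECTED = {"doc": "ole", "xls": "ole", "zip": "zip", "docx": "zip",
            "xlsx": "zip", "pdf": "pdf", "exe": "pe", "scr": "pe"}
EXEC_EXTS = {"exe", "scr", "js", "vbs", "jse", "wsf", "bat", "cmd", "pif", "com"}
INNOCUOUS_EXTS = {"doc", "xls", "docx", "xlsx", "pdf", "rtf", "txt", "zip"}


def sniff(data: bytes) -> str:
    """Return the container kind implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extensions(name: str) -> list:
    """All extensions of the base name, lower-cased, e.g. 'a.doc.js' -> ['doc', 'js']."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def triage(name: str, data: bytes) -> dict:
    """Classify one attachment; 'findings' is empty when nothing looks wrong."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    actual = sniff(data)
    findings = []
    # 1. document-looking name followed by an executable extension (.zip.scr, .doc.js)
    if len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in INNOCUOUS_EXTS:
        findings.append("double-extension")
    # 2. the bytes do not match the claimed type (a .doc that is really a ZIP)
    expected = EXPECTED.get(last, "unknown")
    if expected != "unknown" and actual != "unknown" and expected != actual:
        findings.append(f"type-mismatch:{last}!={actual}")
    # 3. an executable or script delivered directly
    if last in EXEC_EXTS or actual == "pe":
        findings.append("executable")
    return {"name": name, "actual": actual, "findings": findings}


def triage_with_members(name: str, data: bytes) -> list:
    """Triage an attachment and, if it is a ZIP under any name, each member too."""
    results = [triage(name, data)]
    if sniff(data) == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                results.append(triage(info.filename, zf.read(info)))
    return results


def constructed_samples() -> dict:
    """Constructed stand-ins for the attachment shapes described in the thread."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60           # constructed, not a real binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:             # a 'DOC' that is really a ZIP
        zf.writestr("Credit Note CN-83607.exe", fake_pe)
    return {
        "Credit Note CN-06536.doc": buf.getvalue(),
        "Statement_3374_10212015.zip.scr": fake_pe,
        "Notice_to_Appear_00800614.doc.js": b"var a = 'constructed script';",
        "22 October 2015 Invoice Summary.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    }


if __name__ == "__main__":
    for fname, blob in constructed_samples().items():
        for r in triage_with_members(fname, blob):
            print(f"{r['name']!r:45} {r['actual']:8} {r['findings']}")
```

The genuine-looking OLE sample comes back clean, which is the point of the comment at the top: pair this with macro inspection, not instead of it.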
___
G DATA Malware Report H1 2015
- https://www.gdata-software.com/g-dat...t-half-of-2015
Oct 22, 2015 - "... G DATA is releasing their H1 2015 Malware Report, which looks at malware over the first half of 2015. Among the findings, researchers discovered a 64.8 percent spike of new malware strains as compared to the first half of 2014. This averages out to 12 new strains per minute. In all, the total number of malware strains this year is expected to be well above the level of 2014, with the U.S., China and France hosting the most malicious and fraudulent websites. In looking more closely at the banking industry, researchers found that Wells Fargo was the most frequently targeted financial services company by banking Trojans, and the Swatbanker family was the most frequently seen banking Trojan in the 6 month period, followed by the ZeuS family... websites related to the healthcare industry were most frequently classified as malicious (26.6 percent), with technology and telecom a distant second. The most commonly seen malware campaign was “Money Rain,” promising various ways to easily acquire money. While this campaign was seen on websites for all of the categories researched, 37 percent of the websites that were clearly connected to Money Rain were in the healthcare industry. Also of note, a new category, personal ads and dating, was revealed to be in the top 10 list of most prevalent malicious and fraudulent websites.
> https://static.gdatasoftware.com/110..._48890w417.jpg
Additional Key Findings Include:
• The "Top 10" list of prevented malware attacks is dominated by adware and Potentially Unwanted Programs (PUP). Dealply and Graftor are the most prevalent families in this field.
• Ukraine is new to the Top 10 list of countries most frequently found to be hosting malicious websites with 5% of the activity, putting the country in fourth place. This could potentially be due to the political havoc occurring in this region.
• Exploits for vulnerabilities are now being integrated into exploit kits after just a few days. Users who do not keep their systems up-to-date will easily fall victim to cyber criminals.
• The vulnerabilities in Adobe Flash were most frequently abused to silently and automatically attack and compromise PCs (Exploit)..."
PDF - Full report: https://public.gdatasoftware.com/Pre...H1_2015_EN.pdf
> https://static.gdatasoftware.com/110..._48866w800.jpg
:fear::fear: :mad: