'Changed Identification Numbers', 'Hilton Hotel' SPAM, Zombie 'Orkut' Phish ...
FYI...
'Changed Identification Numbers' Spam
- http://threattrack.tumblr.com/post/1...n-numbers-spam
July 7, 2015 - "Subjects Seen:
Changed identification numbers
Typical e-mail details:
Trust You are well.
Kindly see enclosed modified personal numbers regarding Your bank card.
Kindly confirm the safe recepiency of this letter and of enclosed codes.
Consider this message as strictly personal and never copy it to other entities.
Helen Jackson
Senior Consultant
Screenshot: https://36.media.tumblr.com/eb4e4902...r6pupn_500.png
Malicious File Name and MD5:
transcript_of_perosnal_forms.exe (0166afeac63b594aa608dab85deddc07)
___
'Hilton Hotel Receipt' Spam
- http://threattrack.tumblr.com/post/1...l-receipt-spam
July 7, 2015 - "Subjects Seen
A for guest WARDE SAID
Typical e-mail details:
Thank you for choosing our hotel and we very much hope that you enjoyed your stay with us.
Enclosed is a copy of your receipt(FOLIODETE_2317766.pdf). Should you require any further assistance please do not hesitate to contact us directly.
We look forward to welcoming you back in the near future.
This is an automatically generated message. Please do not reply to this email address.
Screenshot: https://40.media.tumblr.com/a0bffde5...r6pupn_500.png
Malicious File Name and MD5:
FOLIODETE_0447019.exe (da3fd8a0905df536969e38468d5ca5c8)
___
Zombie 'Orkut' Phish...
- https://blog.malwarebytes.org/fraud-...hishing-pages/
July 7, 2015 - "... Orkut -was- a Google run social network, invite-only and very popular in places like Brazil, India and the US. Unfortunately, its users were frequent targets of scams, and I myself researched the first -Worm- on the Orkut network way back in 2006. Eventually, other Google services became more popular and the shutters came down for good in 2014:
> https://blog.malwarebytes.org/wp-con.../07/orkut1.jpg
This is done by logging into your Google Account, navigating to the relevant Archive section and being offered a mixture of original format files and HTML:
> https://blog.malwarebytes.org/wp-con.../07/orkut2.jpg
In other words, your still-dead Orkut account has a value attached, in the form of your entirely still-alive Google login. As a result, you’ll still occasionally come across the odd -fake- Orkut frontpage asking for credentials:
> https://blog.malwarebytes.org/wp-con.../07/orkut3.jpg
The above is located at:
lokoleonadinho(dot)xpg(dot)uol(dot)com(dot)br
The page reads as follows:
Who do you know?
Connect to your friends and family using scraps and instant messaging
Meet new people through friends of friends and communities
Share your videos, pictures and passions all in one place
Sign in to orkut with your
Google Account
There’s another one using the same layout and text at:
davitosta(dot)xpg(dot)uol(dot)com(dot)br
These Zombie Login pages are effective whether the scammer intended any sort of “Reclaim your data” riff or not – it doesn’t matter if the page is a regular Orkut login (the ones above are straight copies of the old Orkut frontpage), or geared towards reclaiming Takeout data. It doesn’t matter if the -fakes- were created last week, last month or last year. For as long as old users of Orkut associate it with a Google login, it will always be something that can be leveraged as a potential way in to a Google account whether Orkut is actually active or not. Should the unwary end up on an Orkut -phish- by chance, they may well assume the phony site is somehow the first step to grabbing their old information. With a few taps of the keyboard, their Google login will have been swiped (another good reason to use a password manager, incidentally, because they won’t go auto-filling your data on a fake website – assuming they have autofill and you’re making use of it, of course). A single sign on for multiple services is one way to lessen the impact on users where all of the products are managed by a single company, but this does mean that when one of those services fades into oblivion it can still end up being a gateway to phishing scams. Whether you have fond memories of Orkut, scrapbooks and the occasional worm or your first response is “Orkut on the what now”, be mindful of where you’re entering your Google login – there’s a time and a place for handing over your email and password, and the above two websites are most definitely -not- it."
lokoleonadinho(dot)xpg(dot)uol(dot)com(dot)br:
200.147.36.16: https://www.virustotal.com/en/ip-add...6/information/
200.147.100.28: https://www.virustotal.com/en/ip-add...8/information/
davitosta(dot)xpg(dot)uol(dot)com(dot)br:
200.147.36.16: https://www.virustotal.com/en/ip-add...6/information/
200.147.100.28: https://www.virustotal.com/en/ip-add...8/information/
Fake 'Your order', 'Traffic Fines', 'AMEX Safe Key' SPAM
FYI...
Fake 'Your order' SPAM - doc/xls spreadsheet malware
- http://myonlinesecurity.co.uk/your-o...sheet-malware/
9 July 2015 - "'Your order No. 3269637 has been despatched' pretending to come from info@ 123print <info@ 123print .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear customer
Your order 3269637 has been despatched.
Please see attachment for details.
9 July 2015 : 4077774.doc - Current Virus total detections: 4/56*
... which downloads Dridex banking malware (VirusTotal**) from one of these locations
http ://illustramusic .com/43/82.exe
http ://prodasynth .com/43/82.exe
http ://jjsmith .it/43/82.exe
http ://robindesdroits .com/43/82.exe
http ://cabinet-marc-dugue .com/43/82.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fil...is/1436435418/
** https://www.virustotal.com/en-gb/fil...is/1436434288/
... Behavioural information
TCP connections
62.210.214.106: https://www.virustotal.com/en-gb/ip-...6/information/
23.14.92.35: https://www.virustotal.com/en-gb/ip-...5/information/
illustramusic .com: 213.186.33.19: https://www.virustotal.com/en-gb/ip-...9/information/
prodasynth .com: 213.186.33.19:
jjsmith .it: 81.88.48.113: https://www.virustotal.com/en-gb/ip-...3/information/
robindesdroits .com: 213.186.33.87: https://www.virustotal.com/en-gb/ip-...7/information/
cabinet-marc-dugue .com: 213.186.33.19:
- http://blog.dynamoo.com/2015/07/malw...69637-has.html
9 July 2015
> https://www.virustotal.com/en/file/f...is/1436444607/
"... Recommended blocklist:
62.210.214.106 "
___
Unsettled Traffic Fines Spam
- http://threattrack.tumblr.com/post/1...fic-fines-spam
July 9, 2015 - "Subjects Seen
Unsettled traffic fines report
Typical e-mail details:
Kindly see enclosed traffic fines dispatched by State Road Traffic Safety Authority.
Please arrange settlement of penalties in a short time becuase aditional penalties can be imposed as a result of delayed settlement.
In addition check requisites of the document.
Robin Willis
Senior Manager
Screenshot: https://36.media.tumblr.com/5b4d651c...r6pupn_500.png
Malicious File Name and MD5:
extract_of_issued_order.scr (cda3dd2862026cf5e1037f35b5660c2f)
Tagged: Upatre, traffic ticket
___
Fake 'AMEX Safe Key' SPAM – PDF malware
- http://myonlinesecurity.co.uk/americ...e-pdf-malware/
9 July 2015 - "'American Express – Safe Key' pretending to come from American Express Customer Service <AmericanExpress@ welcome .aexp.com> with a link to download a zip attachment is another one from the current bot runs... The email looks like:
Amex Logo
Safe Key
Create your safe key now
Safe Key Logo
Please create your Personal Security Key. Personal Safe Key (PSK) is one of several authentication measures we utilize to ensure we are conducting business with you, and only you, when you contact us for assistance.American Express uses 128-bit Secure Sockets Layer (SSL) technology. This means that when you are on our secured website the data transferred between American Express and you is encrypted and cannot be viewed by any other party. The security of your personal information is of the utmost importance to American Express, please access https ://americanexpress .com to create your PSK (Personal Safe Key).
Note: You will be redirected to a secure encrypted website.
The contained message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
Sincerely,
American Express Customer Service ...
9 July 2015: Personal Safe Key instruction.zip: Extracts to: Personal Safe Key instruction.scr
Current Virus total detections: 9/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fil...is/1436458305/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustotal.com/en-gb/ip-...5/information/
38.65.142.12: https://www.virustotal.com/en-gb/ip-...2/information/
24.148.217.188: https://www.virustotal.com/en-gb/ip-...8/information/
2.22.48.170: https://www.virustotal.com/en-gb/ip-...0/information/
Fake 'Invoice reminder', 'HBSC' SPAM
FYI...
Fake 'Invoice reminder' SPAM - PDF malware
- http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
10 July 2015 - "'Invoice reminder' pretending to come from random names @ morgan-motor .co.uk with a zip attachment is another one from the current bot runs... The email looks like:
Please note that so far we had not received the outstanding amounts in accordance with the invoice enclosed below.
Unfortunately, we cannot wait another week for amounts to be settled. Kindly ask You to arrange the payment in the nearest future (2 days).
In case the funds are not received in two days we reserve the right to use legal approaches in order to resolve this issue.
We hope You will duly react to this notification and save good business relationships with us.
10 July 2015: invoice-ITK709415.zip: Extracts to: invoice-ITK709415.scr
Current Virus total detections: 1/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fil...is/1436525114/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustotal.com/en-gb/ip-...1/information/
38.65.142.12: https://www.virustotal.com/en-gb/ip-...2/information/
173.248.31.6: https://www.virustotal.com/en-gb/ip-...6/information/
88.221.14.130: https://www.virustotal.com/en-gb/ip-...0/information/
- http://blog.dynamoo.com/2015/07/malw...er-morgan.html
10 July 2015
"... Recommended blocklist:
38.65.142.12 "
___
Fake 'HBSC' SPAM - malware attached
- http://myonlinesecurity.co.uk/attn-h...yment-malware/
10 July 2015 - "'ATTN: HSBC ENCRYPTED 3RD PARTY PAYMENT' pretending to come from Payment Administrator <info@ hsbc .com.hk> with a zip attachment is another one from the current bot runs.. The email looks like:
Dear Sir/Madam,
The attached payment advice is issued at the request of our customer. This payment is encrypted for security reasons.
The advice is for your reference only. Confirm receipt of this email. In the case you have problems downloading the attachment do not hesitate to revert back to us.
See attached
Yours faithfully,
Global Payments and Cash Management
HSBC ...
10 July 2015: Attachment.rar Extracts to: Dedebot_crypted10806.scr
Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an unknown file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fil...is/1436528754/
___
Fake 'discounts' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/monthl...sheet-malware/
10 July 2015 - "'Monthly discounts' pretending to come from support@ proprofs .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Good Morning!
We would appreciate if you took a look at and gained insight into our discounts.
Here we attach the file with information on discounts.
Discounts are time limited.
Best regards, team proprofs.
10 July 2015: e-gift.doc - Current Virus total detections: 25/56*
... Which tries to download http ://gets-adobe .com/fid/ZmlsZToxMTA4NzQzLy8/nkernel.exe However I get nothing from the site from my UK IP number but a colleague in USA did manage to get the payload (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1436543817/
** https://www.virustotal.com/en/file/4...is/1436549421/
... Behavioural information
TCP connections
5.255.255.5: https://www.virustotal.com/en/ip-add...5/information/
204.45.251.183: https://www.virustotal.com/en/ip-add...3/information/
5.255.255.55: https://www.virustotal.com/en/ip-add...5/information/
gets-adobe .com: 109.234.38.103: https://www.virustotal.com/en/ip-add...3/information/
___
PC Shipments declined 9.5% in Q2 2015
- https://www.gartner.com/newsroom/id/3090817
July 9, 2015 - "Worldwide PC shipments totaled 68.4 million units in the second quarter of 2015, a 9.5 percent decline from the second quarter of 2014, according to preliminary results by Gartner, Inc. This was the steepest PC shipment decline since the third quarter of 2013. PC shipments are projected to decline 4.4 percent in 2015. There were many contributors to the decline of PC shipments in the second quarter of 2015, and Gartner analysts highlighted three of the major reasons for the drop in shipments. Analysts emphasized that these inhibitors are temporary events, and they are not changing the PC market's structure. Therefore, while the PC industry is going through a decline, the market is expected to go back to slow and steady growth in 2016..."
> http://www.businesswire.com/news/hom...e#.VZ-imZNVhBf
July 09, 2015
Another Hacking Team Flash 0day Uncovered ...
FYI...
Another Hacking Team Flash 0day Uncovered...
- https://blog.malwarebytes.org/exploi...day-uncovered/
Update: 07/11 9 AM PT As reported by Kafeine*, Angler EK is now using this zero-day...
* http://malware.dontneedcoffee.com/20...two-flash.html
... On a late Friday night, yet another zero-day targeting once again the Flash Player has been uncovered from this very same Hacking Team archive. Adobe released a security bulletin shortly after:
> https://helpx.adobe.com/security/pro...apsa15-04.html
July 10, 2015 - 'Summary: A critical vulnerability (CVE-2015-5122) has been identified in Adobe Flash Player 18.0.0.204 and earlier versions... Adobe is aware of reports** that an exploit targeting this vulnerability has been published publicly... Adobe expects to make updates available during the week of July 12, 2015... Adobe categorizes this as a critical vulnerability...'"
** https://www.fireeye.com/blog/threat-...22_-_seco.html
> http://blog.trendmicro.com/trendlabs...ing-team-leak/
July 11, 2015 - "... -two- Adobe Flash player zero-days disclosed in a row from the leaked data of Hacking Team, we discovered -another- Adobe Flash Player zero-day (assigned with CVE number, CVE-2015-5123)... we recommend users -disable- Adobe Flash Player for the meantime until the patch from Adobe becomes available..."
>> https://helpx.adobe.com/security/pro...apsa15-04.html
Updated: July 12, 2015 - "Critical vulnerabilities (CVE-2015-5122, CVE-2015-5123) have been identified... Adobe expects to make updates available during the week of July 12, 2015..."
Uninstall or Disable Plugins ...
> http://www.howtogeek.com/209156/unin...r-more-secure/
Fake 'Criminal prosecution' SPAM – PDF malware
FYI...
Fake 'Criminal prosecution' SPAM – PDF malware
- http://myonlinesecurity.co.uk/crimin...e-pdf-malware/
13 July 2016 - "The latest email being sent by the criminal gangs trying to infect you with an Upatre downloader tries to convince you that you are being investigated by the police for a Criminal offence prosecution. Don’t open the attachment - it will infect you. The email looks like:
It has been detected that via Your e-mail account are being mailed materials including discriminatory propaganda.
Please note that mentioned actions are to be qualified as criminal offence forbidden by legislation.
Police will conduct according investigation as a result of which You to five years.
If You had not mailed mentioned materials as sson as possible execute enclosed declaration and forward the scan-copy
13 July 2015: statement_to_be_filed.zip : Extracts to: statement_to_be_executed.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fil...is/1436803275/
IE 0-day added to mix ...
FYI...
IE 0-day added to mix...
- http://blog.trendmicro.com/trendlabs...-added-to-mix/
July 14, 2015 - "... -another- vulnerability that could take over user systems has been found. Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065*. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability..."
* https://technet.microsoft.com/library/security/MS15-065
July 14, 2015
> https://support.microsoft.com/en-us/kb/3065822
Last Review: 07/14/2015 - Rev: 1.0
Applies to:
Internet Explorer 11
Internet Explorer 10
Windows Internet Explorer 9
Windows Internet Explorer 8
Windows Internet Explorer 7
Microsoft Internet Explorer 6.0
> https://web.nvd.nist.gov/view/vuln/d...=CVE-2015-2425
Last revised: 07/14/2015
Fake 'Perfect job', 'About your suggestions' SPAM
FYI...
Fake 'Perfect job' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/perfec...sheet-malware/
16 July 2015 - "An email with subjects like 'Perfect achievement ! / Perfect job ! / Great work !' coming from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Congratulations ! You will take a 30% rake-off for the latest selling. Please overlook the attached documents to know the entire sum you’ve received.
Every day you demonstrate that you are the superior strength of our crew in the market. I am elate and appreciative to get such a capable and experienced subordinate. Keep up the good achievements.
With the best regards.
Michelle Silva General manager
-Or-
Congratulations ! You will receive a 30% commission for the previous disposition. Please check out the enclosed documents to find out the whole amount you’ve won.
Everyday you prove that you are the major force of our crew in the trading. I am sublime and appreciative to get such a capable and skilled workman. Continue the great job.
All the best.
Kathryn Brooks Company management
-Or-
Congratulations ! You will win a 40% commission for the latest realization. Please overlook the next documentation to get to know the whole amount you’ve won.
Everyday you demonstrate that you are the major strength of our team in the world of trade. I am sublime and appreciative to have such a capable and proficient subordinate. Proceed the good achievements.
All the best.
Sharon Silva General manager
-Or-
Congratulations ! You will gain a 45% rake-off for the last disposal. Please overlook the following documentation to know the whole amount you’ve won.
Everyday you convince that you are the best power of our team in the market. I am sublime and beholden to have such a clever and able sub. Continue the perfect job.
With best wishes.
Kathryn Pearson General manager
And others with similar wording... If you are unwise enough to try to open the word doc, you will see this message:
> http://myonlinesecurity.co.uk/wp-con...sition_doc.png
Do -not- follow their suggestions to enable editing or content, otherwise you will be infected...
25 February 2015: total_sum_from_latest_disposition.doc - Current Virus total detections: 4/55*
... This tries to connect to 2 web sites:
thereis.staging.nodeproduction .com/wp-content/uploads/78672738612836.txt
... which downloads an encrypted text file... and to
www .buildingwalls .co.za/wp-content/themes/corporate-10/papa.txt which gives the web address of http ://midwestlabradoodles .com/wp-content/themes/twentyeleven/qwop.exe. This file is an Upatre downloader for the typical Dyre banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/e...is/1437049226/
** https://www.virustotal.com/en-gb/fil...is/1437046046/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustotal.com/en-gb/ip-...3/information/
93.185.4.90: https://www.virustotal.com/en-gb/ip-...0/information/
176.36.251.208: https://www.virustotal.com/en-gb/ip-...8/information/
88.221.14.249: https://www.virustotal.com/en-gb/ip-...9/information/
nodeproduction .com: 72.10.52.104: https://www.virustotal.com/en-gb/ip-...4/information/
buildingwalls .co.za: 196.220.41.72: https://www.virustotal.com/en-gb/ip-...2/information/
midwestlabradoodles .com: 72.167.131.160: https://www.virustotal.com/en-gb/ip-...0/information/
- http://blog.dynamoo.com/2015/07/malw...-job-good.html
16 July 2015
"... Recommended blocklist:
93.185.4.90
thereis.staging.nodeproduction .com
www .buildingwalls .co.za
midwestlabradoodles .com "
___
Fake 'About your suggestions' SPAM – PDF malware
- http://myonlinesecurity.co.uk/about-...e-pdf-malware/
16 July 2016 - "'About your suggestions' pretending to come from emaillambflan <emaillambflan@ totalnetwork .it> with a zip attachment is another one from the current bot runs... The email looks like:
We chatted few hours ago. We have thought about your programs how to perfect our work and financial profit. Your suggestions seem extremely inspiring and we undoubtedly want such a genius like you. We consider your plans are feasible and would like to implement them. Attached are our progression charts and processes directory. Please look through them and if you will have some questions ask about it. Also make a succinct plan thus we will confer about the elements of every step./r/n We are waiting for your reply soon !
16 July 2015: figures_and_guide.zip: Extracts to: figures_and_directory.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fil...is/1437056410/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustotal.com/en-gb/ip-...1/information/
93.185.4.90: https://www.virustotal.com/en-gb/ip-...0/information/
109.86.226.85: https://www.virustotal.com/en-gb/ip-...5/information/
23.14.92.65: https://www.virustotal.com/en-gb/ip-...5/information/
___
Sales Commission Spam
- http://threattrack.tumblr.com/post/1...ommission-spam
July 16, 2015 - "Subjects Seen
Good achievement !
Typical e-mail details:
Congratulations ! You will win a 43% commission for the last sale. Please see the next documents to get to know the whole sum you’ve obtained.
Daily you prove that you are the best power of our team in the world of commerce. I am proud and grateful to get such a gifted and experienced worker. Go on the excelent job.
With best wishes.
Kathryn Brooks Director
Screenshot: https://41.media.tumblr.com/e31f6795...r6pupn_500.png
Malicious File Name and MD5:
amount_from_last_realization.scr (1e314705c1f154d7b848fcc20bfcd5e8)
Tagged: Sales Commission, Upatre
Fake 'eFax', 'You've earned it' SPAM
FYI...
Fake 'eFax' SPAM - leads to malware
- http://blog.dynamoo.com/2015/07/malw...m-unknown.html
17 July 2015 - "This -fake- fax spam leads to malware:
Screenshot: https://2.bp.blogspot.com/-a9Ay1zeHZ...0/fake-fax.png
Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but -hacked- site at:
breedandco .com/fileshare/FAX-1400166434-707348006719-154.zip
The ZIP file has a detection rate of 6/55* and it contains a malicious executable named FAX-1400166434-707348006719-154.scr which has a detection rate of 4/55**. Automated analysis... shows a characteristic callback pattern that indicates Upatre (which always leads to the Dyre banking trojan):
93.185.4.90 :12325/ETK7//0/51-SP3/0/GKBIMBFDBEEE
93.185.4.90 :12325/ETK7//41/5/1/GKBIMBFDBEEE
This IP is allocated to C2NET in the Czech Republic. The malware also attempts to enumerate the IP address of the target by accessing checkip .dyndns .org which is a legitimate service. It is worth looking for traffic to that domain because it is a good indicator of compromise.
The malware reaches out to some other malicious IPs (mostly parts of a botnet):
93.185.4.90 (C2NET, Czech Republic)
62.204.250.26 (TTNET, Czech Republic)
76.84.81.120 (Time Warner Cable, US)
159.224.194.188 (Content Delivery Network Ltd, Ukraine)
178.222.250.35 (Telekom Srbija, Serbia)
181.189.152.131 (Navega.com, Guatemala)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
194.28.191.213 (AgaNet Agata Goleniewska, Poland)
199.255.132.202 (Computer Sales & Services Inc., US)
208.123.135.106 (Secom Inc, US)
Among other things, the malware drops a file XGwdKLWhYBDqWBb.exe [VT 10/55***] and vastuvut.exe [VT 6/55****].
Recommended blocklist:
93.185.4.90
62.204.250.26
76.84.81.120
159.224.194.188
178.222.250.35
181.189.152.131
194.28.190.84
194.28.191.213
199.255.132.202
208.123.135.106 "
* https://www.virustotal.com/en/file/4...is/1437133169/
** https://www.virustotal.com/en/file/0...is/1437133178/
*** https://www.virustotal.com/en/file/a...is/1437135014/
**** https://www.virustotal.com/en/file/5...is/1437135026/
___
Fake 'You've earned it' SPAM - malware
- http://blog.dynamoo.com/2015/07/malw...-it-youve.html
17 July 2015 - "This is another randomly-generated round of malware spam, following on from this one[1].
[1] http://blog.dynamoo.com/2015/07/malw...-job-good.html
Date: 16 July 2015 at 12:53
Subject: Excelent job !
Congratulations ! You will obtain a 25% commission for the latest sale. Please overlook the next papers to know the whole sum you've gained.
Daily you prove that you are the main force of our branch in the sales. I am elate and beholden to have such a gifted and able employee. Proceed the good achievements.
All the best.
Michelle Curtis Company management
---------------------
Date: 16 July 2015 at 11:53
Subject: Good achievement !
Congratulations ! You will win a 40% rake-off for the latest sale. Please see the these documents to find out the entire sum you've won.
Everyday you assure that you are the head power of our group in the sales. I am sublime and beholden to get such a talented and skillful workman. Continue the good achievements.
With the best regards.
Sharon Silva Company management ...
Attached is a malicious Word document which in the two samples I saw was called
total_sum_from_last_sale.doc
total_sum_from_latest_disposition.doc
Both these documents were identical apart from the filename, and have a VirusTotal detection rate of 4/55*. Inside the document is this malicious macro... which according to Hybrid Analysis downloads several components (scripts and batch files) from:
thereis.staging .nodeproduction .com/wp-content/uploads/78672738612836.txt
www .buildingwalls .co.za/wp-content/themes/corporate-10/78672738612836.txt
www .buildingwalls .co.za/wp-content/themes/corporate-10/papa.txt
These are executed, then a malicious executable is downloaded from:
midwestlabradoodles .com/wp-content/themes/twentyeleven/qwop.exe
This has a VirusTotal detection rate of 8/55** and that report plus other automated analysis tools... phones home to the following malicious URLs:
93.185.4.90 :12317/LE2/<MACHINE_NAME>/0/51-SP3/0/MEBEFEBFEBEFJ
93.185.4.90 :12319/LE2/<MACHINE_NAME>/41/7/4/
That IP belongs to C2NET in the Czech Republic. It also sends non-malicious traffic to icanhazip.com (a legitimate site that returns the IP address) which is a good indicator of compromise.
This malware drops the Dyre banking trojan.
Recommended blocklist:
93.185.4.90
thereis .staging.nodeproduction .com
www .buildingwalls .co.za
midwestlabradoodles .com
* https://www.virustotal.com/en/file/d...is/1437053265/
** https://www.virustotal.com/en/file/e...is/1437054039/
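The Upatre callback pattern quoted in the two dynamoo posts above (the eFax run and the 'You've earned it' run) turned into proxy-log triage logic. This is an added example, not code from either blog: it assumes a constructed log format of `<epoch> <client_ip> <method> <url>`, substitutes a constructed machine name for `<MACHINE_NAME>`, and uses the blocklist IPs and the checkip.dyndns.org / icanhazip.com lookups exactly as the posts quote them.

```python
import re
from urllib.parse import urlsplit

# IPs taken from the blocklists quoted in the posts above (July 2015; stale today,
# kept here only to show how a blocklist plugs into the triage).
BLOCKLIST = {
    "93.185.4.90", "62.204.250.26", "76.84.81.120", "159.224.194.188",
    "178.222.250.35", "181.189.152.131", "194.28.190.84", "194.28.191.213",
    "199.255.132.202", "208.123.135.106", "93.171.132.5",
}
# Legitimate "what is my IP" services the posts name as indicators of compromise.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "icanhazip.com"}

# Shape of the check-in paths quoted in the posts:
#   /ETK7//0/51-SP3/0/GKBIMBFDBEEE      /LE2/<MACHINE_NAME>/41/7/4/
# i.e. tag / machine name (may be empty) / number / number[-SPn] / number / optional id
UPATRE_PATH = re.compile(r"^/[A-Z0-9]{2,8}/[^/]*/\d+/\d+(?:-SP\d)?/\d+/[A-Z]*$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

STRONG = {"blocklisted IP", "Upatre-style check-in"}

# Constructed proxy log: <epoch> <client_ip> <method> <url>. "WS-FINANCE-07" is a
# constructed stand-in for the <MACHINE_NAME> placeholder in the quoted URLs.
SAMPLE_LOG = """\
1437133169 10.1.2.30 GET http://checkip.dyndns.org/
1437133171 10.1.2.30 GET http://93.185.4.90:12325/ETK7//0/51-SP3/0/GKBIMBFDBEEE
1437133175 10.1.2.30 GET http://93.185.4.90:12325/ETK7//41/5/1/GKBIMBFDBEEE
1437133180 10.1.2.31 GET http://icanhazip.com/
1437133182 10.1.2.31 GET http://93.185.4.90:12317/LE2/WS-FINANCE-07/0/51-SP3/0/MEBEFEBFEBEFJ
1437133190 10.1.2.40 GET http://www.example.com/index.html
1437133195 10.1.2.41 GET http://icanhazip.com/
"""


def classify_request(url):
    """Return the set of indicator labels that apply to one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    hits = set()
    if host in BLOCKLIST:
        hits.add("blocklisted IP")
    if host in IP_LOOKUP_HOSTS:
        # Weak on its own: plenty of legitimate software asks for its public IP.
        hits.add("external IP lookup")
    # The quoted check-ins go to a bare IP on a high port with the path shape above.
    if IPV4.match(host) and parts.port not in (None, 80, 443) and UPATRE_PATH.match(parts.path):
        hits.add("Upatre-style check-in")
    return hits


def triage(log_text):
    """Map each client IP to the union of indicator labels seen in its requests."""
    per_client = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # not in the constructed <epoch> <client> <method> <url> format
        _epoch, client, _method, url = fields
        hits = classify_request(url)
        if hits:
            per_client.setdefault(client, set()).update(hits)
    return per_client


def likely_compromised(log_text):
    """Clients with at least one strong indicator; an IP lookup alone does not qualify."""
    return sorted(client for client, hits in triage(log_text).items() if hits & STRONG)


if __name__ == "__main__":
    for client, hits in sorted(triage(SAMPLE_LOG).items()):
        print(client, sorted(hits))
    print("likely compromised:", likely_compromised(SAMPLE_LOG))
```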
Fake 'copy', 'Order Confirmation', 'Loan service' SPAM
FYI...
Fake 'copy' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/copy-w...sheet-malware/
27 July 2015 - "An email with a subject simply saying 'copy' pretending to come from belinda.taylor@ bssgroup .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email body simply says: copy
27 July 2015 : 13409079779.docm - Current Virus total detections: 4/56*
Downloads Dridex banking malware from:
terrasses-de-santeny .com/yffd/yfj.exe . Other versions of this downloader will download the -same- Dridex banking malware from alternative locations. So far we have seen
http ://www.madagascar-gambas .com/yffd/yfj.exe
http ://technibaie .net/yffd/yfj.exe
http ://terrasses-de-santeny .com/yffd/yfj.exe
http ://blog.storesplaisance .com/yffd/yfj.exe
http ://telechargement.storesplaisance .com/yffd/yfj.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1437987707/
terrasses-de-santeny .com: 94.23.55.169: https://www.virustotal.com/en/ip-add...9/information/
madagascar-gambas .com: 'Could not find an IP address for this domain name' (May have been taken-down)
technibaie .net: 94.23.1.145: https://www.virustotal.com/en/ip-add...5/information/
storesplaisance .com: 94.23.1.145: FR / 16276 (OVH SAS)
___
Fake 'Order Confirmation' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/07/malw...ation-ret.html
27 July 2015 - "This spam does not come from Royal Canin, but is instead a simple -forgery- with a malicious attachment:
From "[1NAV PROD RCS] " [donotreply@ royal-canin .fr]
Date Mon, 27 Jul 2015 18:49:16 +0700
Subject Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715
Please find attached your Sales Order Confirmation
Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.
Attached to the message is a file Order Confirmation RET-396716 230715.xml (it wasn't attached properly in the samples I saw) with a VirusTotal detection rate of 1/55*, which in turn contains a malicious macro... which downloads an executable from one of the following locations (there are probably more):
http ://www.madagascar-gambas .com/yffd/yfj.exe
http ://technibaie .net/yffd/yfj.exe
http ://blog.storesplaisance .com/yffd/yfj.exe
This is saved as %TEMP%\ihhadnic.exe, and has a detection rate of 2/55**. Automated analysis tools... show that it attempts to phone home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)..."
* https://www.virustotal.com/en/file/8...is/1437999231/
** https://www.virustotal.com/en/file/c...is/1437999249/
> http://myonlinesecurity.co.uk/order-...sheet-malware/
27 July 2015: Order Confirmation RET-396716 230715.xml - Current Virus total detections: 1/56*
... Which downloads an updated version of Dridex banking malware..."
* https://www.virustotal.com/en/file/8...is/1437997926/
___
Fake 'Loan service' – PDF malware
- http://myonlinesecurity.co.uk/new-lo...e-pdf-malware/
27 July 2015 - "'New Loan service nearby' with a zip attachment is another one from the current bot runs... Alternative subjects for this malspam run include: 'New Credit service near you'. The email looks like:
We are happy to inform you that we are founding a affiliate in your vicinity next week. We are credit services firm with more than 15 years practice , and several branches in the region. We give help to individuals and corporations in profiting money for the objective. We provide all the acts , consisting of bringing the money source that sets the lowest percentage and the best conditions of pays , all the paperwork , and etc.
We are enclosing the invite ticket for the opening celebration and service’s accommodation schedule. Wish to see you on our opening.
Give us a chance to maintain you!
Thanks,
Truly yours,
Mike Ward General management Info
-Or-
We are happy to announce you that we are opening a branch in your area soon. We are loan accommodations firm with more than 25 years workmanship, and several offices in the region.
We provide help to ordinary people and corporations in availing money for the objective.
We ensure all the actions, consisting of bringing the fiscal source that offers the lowest commissions and the best terms of payment, all the papers, and so on.
We are applying the engagement card for the opening and organization’s accommodation schedule. Hope to see you on that day.
Give us a chance to serve you!
Thanking you,
Yours truly,
Mike Ward General management Superior
And the usual other variety of computer bot generated wording that doesn’t quite read as proper English.
27 July 2015: invitation_and_accommodations.zip: Extracts to: call_and_accommodations.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8...is/1438000007/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustotal.com/en/ip-add...0/information/
93.185.4.90: https://www.virustotal.com/en/ip-add...0/information/
173.248.31.6: https://www.virustotal.com/en/ip-add...6/information/
2.18.213.48: https://www.virustotal.com/en/ip-add...8/information/
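A mail-gateway screening function for the two attachment types that recur throughout these posts: a .scr with a PDF icon inside a ZIP ("spoofed icon files"), and an Office document carrying a macro downloader. Added example, not code from myonlinesecurity or dynamoo; the sample ZIP and .docm are constructed in memory, and the checks are limited to what is visible without oletools (file extension, PE 'MZ' header, a vbaProject.bin member in an OOXML container), so legacy binary .doc/.xls files are held for review rather than judged.

```python
import io
import os
import zipfile

# Extensions Windows runs as programs; an embedded PDF-style icon does not change that.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
# OOXML Office containers: a 'vbaProject.bin' member means the document carries VBA macros.
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".doc", ".xls"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (CFB) container


def inspect_member(name, data):
    """Reasons one file (name plus content) should be held; empty list means nothing found."""
    reasons = []
    base = os.path.basename(name)
    ext = os.path.splitext(base)[1].lower()
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if base.count(".") > 1:
        reasons.append("multiple extensions (e.g. invoice.pdf.scr)")
    if data[:2] == b"MZ":
        # Icon and extension are cosmetic; the PE header says what the file really is.
        reasons.append("PE header (MZ) whatever the name says")
    if data[:2] == b"PK" and ext in OOXML_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as doc:
                if any(n.lower().endswith("vbaproject.bin") for n in doc.namelist()):
                    reasons.append("OOXML document contains a VBA project (macro)")
        except zipfile.BadZipFile:
            reasons.append("Office extension but not a valid OOXML container")
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls keep VBA inside OLE streams; inspecting that needs olevba,
        # so this example holds the file instead of declaring it clean.
        reasons.append("legacy OLE2 Office file: macro check needs olevba")
    return reasons


def screen_attachment(filename, data):
    """Screen one attachment; ZIP archives are opened and every member is inspected.
    Returns {member_name: [reasons]} for everything that should be held for review."""
    findings = {}
    if filename.lower().endswith(".zip") and data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                reasons = inspect_member(info.filename, archive.read(info))
                if reasons:
                    findings[info.filename] = reasons
    else:
        reasons = inspect_member(filename, data)
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample_zip():
    """Constructed stand-in for the 'Personal Safe Key instruction.zip' run quoted above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Only the 'MZ' header matters for the check; the rest is filler, not a real binary.
        z.writestr("Personal Safe Key instruction.scr", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def build_sample_docm():
    """Constructed OOXML document whose only notable content is a VBA project member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    print(screen_attachment("Personal Safe Key instruction.zip", build_sample_zip()))
    print(screen_attachment("13409079779.docm", build_sample_docm()))
    print(screen_attachment("receipt.pdf", b"%PDF-1.4 constructed"))
```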