Fake 'Confirmation', 'Certificate', 'e-fax' SPAM
FYI...
Fake 'Confirmation' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoof...ky-ransomware/
14 Dec 2016 - "An email -spoofing- Kirklees Council with the subject of 'Booking Confirmation' pretending to come from random senders with a malicious word doc attachment delivers Locky ransomware... The email looks like:
From: jewell nethercote <jewell.nethercote@ luciafranca .com>
Date: Wed 14/12/2016 08:06
Subject: Booking Confirmation
Attachment: BookingConfirmation_331225_aberkinnuji@ thespykiller .co.uk.docm
Booking Confirmation
This email and any attachments are confidential. If you have received it in error – notify the sender immediately, delete it from your system, and do not use, copy or disclose the information in any way. Kirklees Council monitors all emails sent or received.
14 December 2016: BookingConfirmation_331225_aberkinnuji@ thespykiller .co.uk.docm
Current Virus total detections 13/56*. MALWR** shows a download of an encrypted file from
http ://eastoncorporatefinance .com/nbv364 which is converted by the script to sonmoga2.rudf (VirusTotal 7/57***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1481706521/
** https://malwr.com/analysis/ZmQyMjMzY...JlNTBjYTEzYjY/
Hosts
217.160.231.206
176.121.14.95
*** https://www.virustotal.com/en/file/a...is/1481706902/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
217.160.231.206
176.121.14.95
185.117.72.105
52.34.245.108
52.85.184.150
35.160.111.237
___
Fake 'Certificate' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/parce...ky-ransomware/
14 Dec 2016 - "... an email with the subject of 'Parcel Certificate' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of par_cert_5444211.zip which delivers Locky ransomware... One of the emails looks like:
From: Effie Bush <Bush.Effie@ adkime .com>
Date: Wed 14/12/2016 09:41
Subject: Parcel Certificate
Attachment: par_cert_5444211.zip
Dear hyperbolasmappera,
Please check the parcel certificate I am sending you in the attachment.
Order number is 477-F. Quite urgent, so please review it.
Best Regards,
Effie Bush
14 December 2016: par_cert_5444211.zip: Extracts to: ~_9UZONB_~.wsf - Current Virus total detections 3/54*
Payload Security** shows a download of an encrypted file from http ://ziskant .com/kqnioulnfj which is converted by the script to hIzFvc4Ek.zk (VirusTotal 4/56***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1481708404/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
62.210.89.38
185.129.148.56
86.110.117.155
213.32.113.203
35.160.111.237
*** https://www.virustotal.com/en/file/4...is/1481709795/
___
Fake 'e-fax' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoof...anking-trojan/
14 Dec 2016 - "An email with the subject of 'eFax message from +611300786102 – 4 page(s), Caller-ID: +611300786102' (random numbers) pretending to come from eFax <inbound@ efax .delivery> with a malicious word doc attachment delivers Trickbot banking Trojan...
Screenshot: https://i2.wp.com/myonlinesecurity.c...g?w=1308&ssl=1
14 December 2016: InboundMessage.doc - Current Virus total detections 10/53*
Payload Security** shows a download from ‘http ://cendereci .com/dasphdasodasopjdaspjdasdasa.png’ which is -not- a png (image file) but -renamed- .exe (VirusTotal 41/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1481698402/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
85.159.66.172
23.21.228.240
36.37.176.6
202.5.50.55
*** https://www.virustotal.com/en/file/a...78f8/analysis/
:fear::fear: :mad:
Fake 'Amount Payable', 'Order Receipt' SPAM, Yahoo hack
FYI...
Fake 'Amount Payable' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/12/malw...-leads-to.html
15 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Lynn Drake
Date: 15 December 2016 at 09:55
Subject: Amount Payable
Dear [redacted],
The amount payable has come to $38.29. All details are in the attachment.
Please open the file when possible.
Best Regards,
Lynn Drake
The name of the sender will vary, although the dollar amount seems consistent in all the samples I have seen. Attached is a file with a name similar to doc_6937209.zip which contains an apparently randomly-named script in a format similar to ~_ZJR8WZ_~.js... highly obfuscated script... Typical detection rates for the script are around 16/54*. There are many different scripts, downloading a component...
(Long list of domain-names at the dynamoo URL above.)
According to this Malwr analysis**, a DLL is dropped with a detection rate of 18/55***. This Hybrid Analysis[4] shows the Locky infection clearly and identifies some C2s, combining this with another source gives the following list of C2 servers:
86.110.117.155 /checkupdate (Rustelekom, Russia)
185.129.148.56 /checkupdate (MWTV, Latvia)
185.17.120.166 /checkupdate (Rustelekom, Russia)
MWTV is a known-bad-host, so I recommend blocking the entire /24.
Recommended blocklist:
86.110.117.155
185.129.148.0/24
185.17.120.166 "
* https://virustotal.com/en/file/bd028...is/1481796164/
** https://malwr.com/analysis/MzY2YzNhZ...gxNzFiYTMxYjk/
Hosts
92.48.111.60
*** https://virustotal.com/en/file/d46ba...is/1481796614/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
92.48.111.60
185.129.148.56
86.110.117.155
52.42.26.69
52.85.184.67
52.35.54.251
___
Fake 'Order Receipt' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/more-...ky-ransomware/
15 Dec 2016 - "... an email with the subject of 'Order Receipt' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format which delivers Locky ransomware... One of the emails looks like:
From: Joshua Mooney <Mooney.Joshua@ ricket .net>
Date: Thu 15/12/2016 10:54
Subject: Order Receipt
Attachment: scan9022222.zip
Dear enrico,
Thank you for making your order in our store!
The payment receipt and crucial payment information are in the attached document.
King Regards,
Joshua Mooney
Sales Manager
15 December 2016: scan9022222.zip: Extracts to: ~_4RYT3KP_~.js - Current Virus total detections 6/54*
MALWR** shows a download of an encrypted file from http ://www.bds-1 .com/gfftte3uv which is converted by the script to RJJvCX8vggvNw4PW.zk (VirusTotal 4/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1481799202/
** https://malwr.com/analysis/NjUxOTUxM...Y1YTYwZWZlNTA/
Hosts
64.71.33.107
*** https://www.virustotal.com/en/file/5...is/1481804458/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
64.71.33.107
185.17.120.166
185.129.148.56
178.209.51.223
52.42.26.69
52.85.184.195
35.160.111.237
91.198.174.192
91.198.174.208
___
One -billion- users affected - Yahoo hack
- https://www.helpnetsecurity.com/2016...on-yahoo-hack/
Dec 15, 2016 - "Yahoo has revealed that it’s been the victim of -another- hack and massive data breach that resulted in the compromise of information of a -billion- users... Outside forensic experts that have been called in to help with the investigation believe that this breach happened in August 2013, and that it’s likely -not- been performed by the same attackers as the 2014 breach disclosed this September. In addition to this, the company says that attackers have accessed the company’s proprietary code, which allowed them to learn how to -forge-cookies- and to, therefore, be able to access user accounts -without- a password... Yahoo says that they were unable to identify the intrusion associated with this latest data theft, but that it seems that data associated with more than one -billion- user accounts has been stolen..."
* https://help.yahoo.com/kb/account/SL...pressions=true
Dec 14, 2016
:fear::fear: :mad:
Fake 'document', 'Subscription', 'Processing Problem' SPAM, Malvertising
FYI...
Fake 'document' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoof...e-again-today/
16 Dec 2016 - "Another -blank/empty- email with the subject of 'Attached document' pretending to come from copier@ your-own-email-address with a malicious word doc attachment delivers Locky ransomware... The email looks like:
From: copier@ your-own-email-address
Date: Fri 16/12/2016 09:57
Subject: Attached document
Attachment: 3867_002.docm
Body content: Completely empty/Blank
16 December 2016: 3867_002.docm - Current Virus total detections 12/56*
Payload Security** shows a download of an encrypted file from http ://fiddlefire .net/hjg766′ which is converted by the script to loppsa2.aww ... Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1481882199/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
69.161.143.24
37.235.50.29
176.121.14.95
86.110.117.155
83.220.172.182
52.88.7.60
91.198.174.192
91.198.174.208
___
Fake 'Subscription' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/subsc...ky-ransomware/
16 Dec 2016 - "... an email with the subject of 'Subscription Details' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of user0989063.zip which delivers Locky ransomware... One of the emails looks like:
From: Cyril Levy <Levy.Cyril@ dragonflystudiosalon .com>
Date: Fri 16/12/2016 10:49
Subject: Subscription Details
Attachment: user0989063.zip
Dear mammoth, thank for you for subscribing to our service!
All payment and ID details are in the attachment.
16 December 2016: user0989063.zip: Extracts to: ~_P1EJYA_~.js - Current Virus total detections 4/55*
Payload Security** shows a download of an encrypted file from http ://rondurkin .com/c6w5pscmc which is converted by the script to jex1N6oXpYUpIQ.zk (VirusTotal 5/56***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1481885511/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
82.211.96.24
91.201.41.145
31.41.47.50
46.8.29.155
52.34.245.108
54.240.162.137
*** https://www.virustotal.com/en/file/3...is/1481886225/
___
Fake 'Processing Problem' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/12/malw...g-problem.html
15 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Juliet Langley
Date: 15 December 2016 at 23:17
Subject: Payment Processing Problem
Dear [redacted],
We have to inform you that a problem occured when processing your last payment (code: 3132224-M, $789.$63).
The receipt is in the attachment. Please study it and contact us.
King Regards,
Juliet Langley
The name of the sender will vary as will the reference number and dollar amounts. Attached is a ZIP file with a name somewhat matching the reference (e.g. MPay3132224.zip) containing in turn a malicious Javascript with a name similar to ~_AB1C2D_~.js... the scripts download a component...
(Long list of domain-names at the dynamoo URL above.)
The malware then phones home to the following locations:
185.129.148.56 /checkupdate (MWTV, Latvia)
178.209.51.223 /checkupdate [hostname: 454.SW.multiservers.xyz] (EDIS, Switzerland)
37.235.50.119 /checkupdate [hostname: 454.2.SW.multiservers.xyz] (EDIS, Switzerland)
Recommended blocklist:
185.129.148.0/24
178.209.51.223
37.235.50.119 "
- https://myonlinesecurity.co.uk/payme...elivers-locky/
15 Dec 2016 - "... an email with the subject of 'Payment Processing Problem' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of MPay7197337.zip which delivers Locky ransomware... One of the emails looks like:
From: Kristie Soto <Soto.Kristie@ kadgraphics .com>
Date: Thu 15/12/2016 22:33
Subject: Payment Processing Problem
Attachment: MPay7197337.zip
Dear adkins,
We have to inform you that a problem occured when processing your last payment (code: 7197337-M, $454.$86).
The receipt is in the attachment. Please study it and contact us.
King Regards,
Kristie Soto
15 December 2016: MPay7197337.zip: Extracts to: ~_7XXTOQ_~.js - Current Virus total detections 3/55*
Payload Security** shows a download of an encrypted file from http ://ustadhanif .com/q0w93lkrvp
which is converted by the script to HNUsEBnh.zk (VirusTotal 6/57***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1481842328/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
208.75.151.108
37.235.50.119
52.85.184.150
*** https://www.virustotal.com/en/file/7...is/1481843139/
___
Malvertising compromises routers instead of computers
- https://www.helpnetsecurity.com/2016...mises-routers/
Dec 16, 2016 - "The DNSChanger exploit kit is back and more effective than ever, and is being used in a widespread malvertising attack whose goal is to compromise small/home office routers. According to Proofpoint* researchers, the attacker’s current main goal is to change DNS records on the target router, so that it queries the attacker’s rogue DNS servers, and the users are served with ads that will earn the attackers money:
> https://www.helpnetsecurity.com/imag...ger-attack.jpg
... Using ad-blocking software should also minimize the risk of getting hit through this and other malvertising campaigns. According to Kafeine**, the current one is successfully targeting Chrome browser users on Windows desktops and Android devices. Also, this is not the first time that attackers are successfully using steganography to deliver and run malicious code. Earlier this month, ESET researchers flagged a malvertising campaign that redirected users to the Stegano exploit kit through malicious code hidden in the pixels of the bad ads/banners."
* https://www.proofpoint.com/us/threat...ndroid-devices
"... Since the end of October, we have seen an improved version of the “DNSChanger EK” ** used in ongoing malvertising campaigns. DNSChanger attacks internet routers via potential victims’ web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims' home or small office (SOHO) routers. Most often, DNSChanger works through the Chrome browser on Windows desktops and Android devices. However, once routers are compromised, all users connecting to the router, regardless of their operating system or browser, are vulnerable to attack and further malvertising..."
** http://malware.dontneedcoffee.com/20...d-to-csrf.html
:fear::fear: :mad:
Fake 'Payslip', 'LogMeIn' SPAM
FYI...
Fake 'Payslip' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/paysl...elivers-locky/
19 Dec 2016 - "An email with the subject of 'Payslip for the month Dec 2016' pretending to come from random senders with a malicious word doc attachment delivers Locky ransomware... The email looks like:
From: JASMINE DICKEY <jasmine.dickey@ ejmbcommercial .com>
Date: Mon 19/12/2016 09:50
Subject: Payslip for the month Dec 2016.
Attachment: Payslip_Dec_2016_5490254.doc
Dear customer,
We are sending your payslip for the month Dec 2016 as an attachment with this mail.
Note: This is an auto-generated mail. Please do not reply.
19 December 2016: Payslip_Dec_2016_5490254.doc - Current Virus total detections 11/53*
Payload Security** shows a download of an encrypted file from http ://routerpanyoso.50webs .com/8hrnv3 which is converted by the script to shtrina2.ero (VirusTotal 12/55***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9...is/1482144602/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
162.210.101.94
193.201.225.124
46.148.26.82
188.127.237.76
176.121.14.95
52.39.24.163
52.85.184.92
91.198.174.192
13.82.139.29
91.198.174.192
91.198.174.208
*** https://www.virustotal.com/en/file/a...is/1482144877/
- http://blog.dynamoo.com/2016/12/malw...-dec-2016.html
19 Dec 2016 - "This -fake- financial spam leads to Locky ransomware:
From: PATRICA GROVES
Date: 19 December 2016 at 10:12
Subject: Payslip for the month Dec 2016.
Dear customer,
We are sending your payslip for the month Dec 2016 as an attachment with this mail.
Note: This is an auto-generated mail. Please do not reply.
The name of the sender will vary. Attached is a malicious Word document with a name like Payslip_Dec_2016_6946345.doc which has a VirusTotal detection rate of 12/55*. This Hybrid Analysis** clearly shows Locky ransomware in action when the document is opened. According to my usual reliable source, the various versions of this download a component...
(Long list of domain-names shown at the dynamoo URL above.)
... The malware then phones home to one of the following locations:
176.121.14.95 /checkupdate (Rinet LLC, Ukraine)
193.201.225.124 /checkupdate (PE Tetyana Mysyk, Ukraine)
188.127.237.76 /checkupdate (SmartApe, Russia)
46.148.26.82 /checkupdate (Infium, Latvia / Ukraine)
A DLL is dropped with a detection rate of 12/52*.
Recommended blocklist:
176.121.14.95
193.201.225.124
188.127.237.76
46.148.26.82 "
* https://virustotal.com/en/file/17e89...is/1482147232/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
193.201.225.124
188.127.237.76
46.148.26.82
176.121.14.95
52.85.184.12
*** https://virustotal.com/en/file/a2e90...16d3/analysis/
___
Fake 'LogMeIn' SPAM - delivers malware
- https://myonlinesecurity.co.uk/logme...ivers-malware/
19 Dec 2016 - "The email looks like:
From: LogMeIn.com Auto-Mailer <noreply@ ssl-logmein .com>
Date: Mon 19/12/2016 17:10
Subject: LogMeIn Account Notification – Ip blocked
Attachment: -Link-in-email-body- downloads notification_recipients_name.doc
Your IP has been blocked from using the LogMeIn website after too many failed log-in attempts.
Account holder: keith@[redacted]
Event: IP blocked
At: Mon, 19 Dec 2016 19:09:37 +0200
To clear the IP address lockout, please follow the instructions...
Screenshot: https://i0.wp.com/myonlinesecurity.c...le-editing.png
19 December 2016: notification_keith.doc - Current Virus total detections 3/54*
Payload Security **. The link-in-the-email is to http ://www .celf .jp/wp-content/themes/i-max/api/get.php?id=recipients email address encoded in base 64... The domain ssl-logmein .com was registered -today- 19 December 2016 via a Chinese registrar to a Bulgarian entity (IP address listed as 1.1.1.1). The emails are actually coming via a botnet of infected/compromised computers and servers... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c...is/1482167739/
Trojan:W97...
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
23.21.228.240
80.78.251.134
212.24.98.247
ssl-logmein .com: 1.1.1.1: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/98...a4a5/analysis/
:fear::fear: :mad:
Fake 'printing', 'Scan' SPAM
FYI...
Fake 'printing' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoof...ky-ransomware/
20 Dec 2016 - "An email spoofing Moonbake Inc with the subject of 'for printing' coming from random sender with a malicious Excel XLS spreadsheet attachment delivers Locky... One of the email looks like:
From: HILLARY TATEHAM <hillary.tateham@ stonelawassociates .Com>
Date: Tue 20/12/2016 09:47
Subject: for printing
Attachment: Certificate_2373.xls
Hi,
For printing.
Thank you so much.
HILLARY TATEHAM Cristobal HRD/Admin Officer
Moonbake Inc. 14 Langka St., Golden Acres Talon 1
Las Piñas City, Philippines ...
20 December 2016: Certificate_2373.xls - Current Virus total detections 5/56*
Payload Security** shows a download of an encrypted file from http ://yorkshire-pm .com/hjv56 which is converted by the script to momerk2.vip (VirusTotal 9/55***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do. Manual analysis shows these download locations:
yorkshire-pm .com/hjv56
isriir .com/hjv56
noosnegah .com/hjv56 ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1482227222/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
103.11.101.46
91.223.180.3
188.127.239.48
193.201.225.124
54.239.168.79
*** https://www.virustotal.com/en/file/3...is/1482228007/
___
Fake 'Scan' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoof...elivers-locky/
20 Dec 2016 - "... an email spoofing Lumax Industries Ltd. with the subject of 'Scan' pretending to come from random companies, names and email addresses with a random named zip attachment which delivers Locky ransomware...
Screenshot: https://i0.wp.com/myonlinesecurity.c...ng?w=896&ssl=1
20 December 2016: 07cff4edf9a.zip: Extracts to: r9a2aa5cdfcbabe8bbbfc598cd334abb.wsf
Current Virus total detections 9/55*. Payload Security** shows a download of an encrypted file from
http ://www.judo-hattingen .de /hjv56?lktttKC=koHaQOx which is converted by the script to pYmpJfsNiM1.dll which unfortunately the free web version of Payload security does not make available for download... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1482248792/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
91.250.102.57
176.121.14.95
193.201.225.124
52.32.150.180
52.85.184.12
:fear::fear: :mad:
Fake 'Secure Comm', 'Photo' SPAM
FYI...
Fake 'Secure Comm' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoof...ivers-malware/
21 Dec 2016 - "An email spoofing CommBank with the subject of 'Secure Communication' coming from < secure.message@ commbanksecureemail .com > with a malicious word doc attachment delivers Trickbot banking Trojan...
Screenshot: https://i1.wp.com/myonlinesecurity.c...24%2C805&ssl=1
21 December 2016: Message.doc - Current Virus total detections 14/54*
Payload Security** shows a downloadfrom http ://onsitepcinc .com/images/344bzhmyVYyWz7NqRpfuunqXxjkseLhdmy.png which is -not- a png (image file) but a renamed .exe that is renamed by the script to wynrajo.exe (VirusTotal 22/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1482306465/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
65.108.116.221
78.47.139.102
36.37.176.6
201.236.219.180
144.76.249.26
*** https://www.virustotal.com/en/file/5...is/1482314962/
___
Fake 'Photo' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/photo...elivers-locky/
21 Dec 2016 - "... another -blank- empty email with the subject of 'Photo' from {random Girl’s name} pretending to come from names and email addresses with a semi-random named zip attachment in the format of IMG-date-WA1234.zip which delivers Locky ransomware... One of the emails looks like:
From: Glenna <Glennaherron3424@ syprotek .com>
Date: Wed 21/12/2016 09:32
Subject: Photo from Glenna
Attachment: IMG-20161221-WA4646.zip
Body content: totally blank/Empty
21 December 2016: IMG-20161221-WA4646.zip: Extracts to: A87D1FCF.wsf - Current Virus total detections 8/55*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1482312946/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
103.232.120.79
176.121.14.95
52.42.26.69
54.240.162.130
52.35.54.251
:fear::fear: :mad:
Fake 'scanned copy', 'Bestbuy' SPAM
FYI...
Fake 'scanned copy' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/scann...ky-ransomware/
22 Dec 2016 - "... another -blank/empty- email with the subject of 'scanned copy' pretending to come from random names and email addresses with a semi-random named zip attachment in the format of HP0000000937.zip delivers Locky ransomware... One of the emails looks like:
From: jeanne whitehorne <jeanne.whitehorne@ owdv .net>
Date: Thu 22/12/2016 03:55
Subject: scanned copy
Attachment: HP0000000937.zip
Body content: totally blank/empty
22 December 2016: HP0000000937.zip: Extracts to: JFF38A.vbs - Current Virus total detections 8/55*
Payload Security** shows a download of an encrypted file from http ://www .dvdpostal .net/result ... Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1482379501/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
213.0.77.6
176.121.14.95
52.88.7.60
54.240.162.173
35.160.111.237
___
Fake 'Bestbuy' SPAM - delivers malware
- https://myonlinesecurity.co.uk/your-...liver-malware/
22 Dec 2016 - "... an email with the subject of 'Your Bestbuy item is due for delivery on 22th December' pretending to come from random names at yahoo .com with a random named zip attachment which tries to deliver some sort of malware. This zip file extracts to another zip file before it extracts to the .js file... One of the emails looks like:
From: josecastillo2344@ yahoo .com
Date: Thu 22/12/2016 08:56
Subject: Your Bestbuy item is due for delivery on 22th December
Attachment: ECIOPZiodlxc.zip
On the morning 22th of December you’ll be delivered a window and you’ll have the possibility to track your request on its way to your address.
Please make sure someone is available to sign for your delivery.
Pack delivery info and your contact data is in the file attached to this letter.
If you will be out, it’s not a problem: you have a range of ‘in-flight’ options like changing your delivery time collecting from the nearest DPD Pickup Shop, asking us to deliver to one of your frients or arranging to have your item delivered to a safe place at your work address.
22 December 2016: ECIOPZiodlxc.zip: Extracts to: ECIOPZiodlxc.js - Current Virus total detections 3/54*
Payload Security** shows a download of an encrypted file from http ://optimastop .eu/castle/map which is currently giving me a 403 forbidden. It does show it wants to use BITS transfer and it is possible that a standard http get is blocked... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...is/1482399844/
Troj.Downloader.Js...
** https://www.hybrid-analysis.com/samp...ironmentId=100
:fear::fear: :mad:
Tech support phone SCAM, Fake 'eFax' SPAM
FYI...
Tech support phone SCAM
- http://blog.dynamoo.com/2016/12/0208...cam-using.html
23 Dec 2016 - "If these people ring you DO -NOT- GIVE THEM ACCESS TO YOUR PC and either hang up - or waste their time like I do. It seems there are some prolific technical support scammers ringing from 02085258899 pretending to be from BT. They had a very heavy Indian accent, and they have made many silent calls to my telephone number before today. They -claim- that hackers are accessing my router. I wasted 37 minutes of their time, these are some of the steps to watch out for..
1. They get you to open a command prompt and type ASSOC which brings up a big long list of file associations, in particular they seem interested in one that says .ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
2. Then they get you to bring up the Event Viewer by typing EVENTVWR and then clicking "Custom Views" and "Administrative Events". This is a log file that will always show a whole bunch of meaningless errors (such as network faults). It's quite normal for this to look quite bad to the untrained eye.
3. Then in order they try to get you to connect to the following services to take remote control of your PC: www .anydesk .com, www .teamviewer .com and www .supremofree .com. All of these are legitimate services, but I have to confess I'd never heard of the last one.. so I will add it to my corporate blacklist.
4. When those didn't work they tried directing me to a proxy at hide .me/proxy and www .hide .me/proxy (the same thing I know) which is probably another candidate for blocking.
Of course, once they have access to your PC they will try to convince you that you need to -pay- them some money for technical support. Be warned, that they can render-your-PC-unusable if you don't pay, and they can also steal confidential data. Despite how many times they may tell you they are from BT, they are not.. they are simply fraudsters."
___
Fake 'eFax' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoof...known-malware/
22 Dec 2016 - "... another email spoofing eFax with the subject of 'You have recevied a message' pretending to come from faxscanner scanner@ your-own-email-address with a semi-random named zip attachment in the format of Message efax system-1701.zip which delivers an unknown malware. Indications are that this could be Trickbot or could be Dridex banking Trojan... One of the emails looks like:
From: Fax Scanner <scanner @ your-email-address>
Date: Thu 22/12/2016 20:51
Subject: You have recevied a message
Attachment: Message efax system-1701.zip
You have received a message on efax.
Please download and open document attached.
Scanner eFax system.
22 December 2016: Message efax system-1701.zip: Extracts to: Message efax system-2817.js
Current Virus total detections 4/53*. Payload Security** shows a download of ntntoto1].png (but doesn’t give the download url) which is renamed by the script to QE7JlpDt.exe (VirusTotal 29/56***). The js file is heavily obfuscated and almost impossible to human read and decrypt. Update: MALWR[4] gave me ‘http ://glendaleoffice .com/js/ntntoto.png’ as the download location... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1482441908/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
78.47.139.102
36.37.176.6
201.236.219.180
*** https://www.virustotal.com/en/file/b...9c29/analysis/
4] https://malwr.com/analysis/MGQ1ZTFiZ...gwMDIxODEwMmU/
Hosts
69.67.54.86
78.47.139.102
54.243.154.49
45.76.25.15
167.114.174.158
188.40.53.51
36.37.176.6
192.189.25.143
glendaleoffice .com: 69.67.54.86: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/4e...d12e/analysis/
:fear::fear: :mad:
Fake 'USPS', 'FedEx' SPAM
FYI...
Fake 'USPS' SPAM - delivers Locky, Kovter, other malware
- https://myonlinesecurity.co.uk/spoof...other-malware/
27 Dec 2016 - "... malware gang spoofing FedEx, USPS and every other courier, delivery or postal service, sending thousands of 'Courier was not able to deliver your parcel' and hundreds of variants or similar subjects like 'USPS issue #06914074: unable to delivery parcel'... Some subjects seen, all have random numbers, include:
USPS issue #06914074: unable to delivery parcel
Parcel #006514814 shipment problem, please review
USPS parcel #3150281 delivery problem
Courier was not able to deliver your parcel (ID006976677, USPS)
Parcel 05836911 delivery notification, USPS
... malware downloaders spoofing USPS pretending to be a message saying cannot deliver the parcel. These deliver Locky ransomware and Kovter Trojans amongst others...
27 December 2016: Delivery-Details-06914074.zip: Extracts to: Delivery-Details-06914074.doc.wsf
Current Virus total detections 7/55*. Payload Security** shows a download from
http ://boardedhallgreen .com/counter/?a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&m=3254807&i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7
which gives counter.js (VirusTotal 1/55***) that in turn downloads from
http ://baltasmenulis .lt/counter/?i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7&a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&r=01 (and 02 – 05).
The script tries the first in the list & then moves down until it gets a reply from the server. You never see the first downloaded file ( counter.js on your computer, that is run directly from temp internet files ). It downloads 01 first, then 02, then 03 until you get to 05. If any site doesn’t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files. but it is rare for the site giving counter.js to actually download from itself, normally that downloads from a different site on the list. All the files (apart from the original counter.js) pretend to be png (image files). They are actually all renamed .exe files or in the case of number 3, a -renamed- php script. Both of the innocent files are misused to run the malware. This is a very noisy malware set that contacts 4 domains and -179- hosts. View the network section on the Payload Security report[4] for more details... One of the emails looks like:
From: USPS Priority Delivery <steven.kent@ confedampa .org>
Date: Tue 27/12/2016 06:57
Subject: USPS issue #06914074: unable to delivery parcel
Attachment: Delivery-Details-06914074.zip
Dear Customer,
Your item has arrived at December 25, but our courier was not able to deliver the parcel.
You can download the shipment label attached!
Thank you for your assistance in this matter,
Steven Kent,
USPS Chief Delivery Manager.
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/7...is/1482822876/
** https://www.hybrid-analysis.com/samp...ironmentId=100
*** https://www.virustotal.com/en/file/7...is/1482824922/
4] https://www.hybrid-analysis.com/samp...etwork-traffic
Contacted Hosts (179)
___
Fake 'FedEx' SPAM - delivers Locky and other malware
- https://myonlinesecurity.co.uk/more-...ther-malwares/
25 Dec 2016
> https://www.hybrid-analysis.com/samp...etwork-traffic
Contacted Hosts (170)
:fear::fear: :mad: :mad: