Fake 'Important matter' SPAM, 'Message from IT' - Phish
FYI...
Fake 'Important matter' SPAM - delivers unknown malware
- https://myonlinesecurity.co.uk/distu...known-malware/
28 Mar 2017 - "This email was forwarded to me by a contact who works for a public service agency. I have redacted the actual recipients domain and any email address. There is a 'Charmaine' [redacted] living at the address listed according to google searches. I am sure that there will be a lot of other emails with other real details that will really scare the recipients into opening these emails and being infected. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain .com >. That is why these scams and phishes work so well... The email looks like:
From: Antony Gfroerer <antongfoufou@ wanadoo .fr>
Date: Tue, 28 Mar 2017 09:37:38 +0000
To: Charmaine [redacted] <c*********@ [redacted]>
Subject: Charmaine
Attachment: victim.dot (renamed from recipients name)
Hello, Charmaine!
I am disturbing you for a very important matter. Though we are not familiar, but I have considerable ammount of information concerning you. The matter is that, most probably mistakenly, the data of your account has been sent to me.
For example, your address is:
5 [redacted] Lane
Perth
Perthshire and Kinross
PH2 [redacted]
I am a lawful citizen, so I decided to personal details may have been hacked. I pinned the file – victim.dot that that was emailed to me, that you could find out what information has become accessible for fraudsters. File password is – 2131
I look forward to hearing from you,
Antony Gfroerer ...
victim.dot - Current Virus total detections 0/55*. Payload Security** is unable to analyse as an unsupported format. MALWR*** shows nothing... I am informed that they download:
galaxytown .net/store/read.gif -and- effeelle .eu/img/logo.gif which appear to be genuine gif files from the headers, although they refuse to display as any sort of image file and must contain some sort of embedded -malware- content... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1490695414/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
62.149.140.45: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/fa...3c34/analysis/
*** https://malwr.com/analysis/NDQ3MDg1O...lhNWUyNDViYjQ/
galaxytown .net: 67.225.216.115: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/7b...8912/analysis/
___
'Message from IT' - Phish
- https://myonlinesecurity.co.uk/impor...-365-phishing/
28 Mar 2017 - "... slightly different than many others and much more involved and complicated. It pretends to be a message from IT support to update webmail to use Office 365 / Outlook web access...
Screenshot: https://myonlinesecurity.co.uk/wp-co...-IT-Sector.png
This email has a genuine PDF attachment:
> https://myonlinesecurity.co.uk/wp-co...65_upgrade.png
If you follow the link inside the pdf you see a webpage looking like this:
[ http ://radioclassicafm .com.br/lr/barracuda/barracuda/index.html ]
>> https://myonlinesecurity.co.uk/wp-co...da_signin1.png
After you input your email address and password, you get told -incorrect- details and -forwarded- to an almost identical looking page where you can put it in again:
>> https://myonlinesecurity.co.uk/wp-co...cuda_login.png
Then you get sent to an imitation of the Google Verification page where they ask for either your phone number or alternative email address...
>> https://myonlinesecurity.co.uk/wp-co...gle_verify.png
Then you get a 'success' page... All of these emails use Social engineering tricks to persuade you to open the -attachments- that come with the email..."
radioclassicafm .com.br: 216.172.173.156: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/2f...bdc8/analysis/
:fear::fear: :mad:
Fake 'Payment Receipt', 'Confirmation' SPAM
FYI...
Fake 'Payment Receipt' SPAM - delivers malware
- https://myonlinesecurity.co.uk/payme...ivers-malware/
30 Mar 2017 - "... -blank- or -empty- body emails today with the subject of 'Payment Receipt 79159'
(almost certainly random numbers) coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment, that does -not- match the subject line which delivers what some AV are calling nymaim Trojan, while others are just giving heuristic detections. This starts with a zip Receipt28765.zip which extracts to PaymentReceipt.zip which extracts to PaymentReceipt86654.exe which has an icon making it look like a PDF file... One of the emails looks like:
From: donotreply@ yuku .biz
Date: Thu 30/03/2017 06:15
Subject: Payment Receipt 79159
Attachment: ea00ba32a5.zip
Body content: Totally empty/blank
Screenshot: https://myonlinesecurity.co.uk/wp-co...eipt-79159.png
Receipt28765.zip: Extracts to: PaymentReceipt86654.exe - Current Virus total detections 18/61*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1490851299/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
84.200.69.80: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/b6...e11e/analysis/
___
Fake 'Confirmation' SPAM - delivers malware
- https://myonlinesecurity.co.uk/confi...ivers-malware/
30 Mar 2017 - "... an email with the subject of 'uk_confirmation_ph489329718.pdf' (random numbers) coming or pretending to come from info@ random companies and email addresses with a semi-random named zip attachment...
Update: I am being reliably informed it is QuantLoader* which is dropping various malwares including Dridex banking Trojan [1] [2] [3]...
* https://blogs.forcepoint.com/securit...an-underground
1] https://www.virustotal.com/en/file/6...2fcd/analysis/
2] https://www.virustotal.com/en/file/5...71fe/analysis/
3] https://www.virustotal.com/en/file/f...1771/analysis/
One of the emails looks like:
From: info@criticare-anaesthesia .co.uk
Date: Thu 30/03/2017 12:15
Subject: uk_confirmation_ph489329718.pdf
Attachment: uk_confirmation_ph489329718.zip
Confirmation letter enclosed. Please see attachment.
uk_confirmation_ph489329718.pdf.zip :Extracts to: uk_confirmation_ph954869378.exe - Current Virus total detections 15/60**. Payload Security***. Nothing is definite on what these are but it looks vaguely like a zeus/Zbot variant.
Update: now getting a -second- run with same file names that Clam AV on the mailserver is detecting as Win.Trojan.Ag-3 and quarantining VirusTotal 10/62[4] | Payload Security[5]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustotal.com/en/file/a...is/1490873262/
*** https://www.hybrid-analysis.com/samp...ironmentId=100
4] https://www.virustotal.com/en/file/1...is/1490874947/
5] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
8.8.247.36
81.12.229.190
107.170.0.14
37.120.172.171
:fear::fear: :mad:
Fake 'Western Union', 'GameStop', 'Payment Request' SPAM
FYI...
Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoof...s-java-adwind/
31 Mar 2017 - "... plagued daily by -fake- financial themed emails containing java adwind or Java Jacksbot attachments...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ash-Report.png
Western Union Cash Report Reference.jar (478kb) - Current Virus total detections 15/59*: MALWR**
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1490914940/
** https://malwr.com/analysis/YmJlMjM2O...ExMzRjZmM4ZmU/
___
> https://myonlinesecurity.co.uk/spoof...s-java-adwind/
30 Mar 2017
Screenshot: https://myonlinesecurity.co.uk/wp-co...ion-refund.png
"... links in the email go to http ://www.ctraxa .net/wp-content/plugins/akismet/views/Western Union Refund Transaction.zip ..."
ctraxa .net: 212.193.234.99: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/de...0df2/analysis/
2017-03-31
___
Fake 'GameStop' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoof...ivers-malware/
31 Mar 2017 - "... an email with the subject of '[GameStop] Order No.327609' (random numbers) pretending to come from “GameStop .co.uk Help” with a semi-random named zip attachment which delivers malware. The attachment extracts to -2- files: First a long set of random characters and numbers .exe that has an icon of a PDF file and a genuine PDF with just a few numbers in it called info.pdf...
Update: First indications are that is a plain and simple Dridex banking Trojan, not the Quantloader intermediary...
Screenshot: https://myonlinesecurity.co.uk/wp-co...r-No.32760.png
066525-960519-20170331-105353-2f0134f7-23cd-f947-1b65-f1a530c28254.zip:
Extracts to: 156910-268936-20161128-151851-de121ee8-6954-4911-80aa-8255b6b023cb.exe
Current Virus total detections 11/62*. Payload Security** | MALWR***
... There are frequently dozens or even hundreds of different download locations, sometimes delivering the exactly same malware from all locations and sometimes slightly different malware versions from each one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4...is/1490951595/
** https://www.hybrid-analysis.com/samp...ironmentId=100
*** https://malwr.com/analysis/ODM1MzkzM...dmM2IyMDhhZDI/
___
Fake 'Payment Request' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/payme...livers-dridex/
31 Mar 2017 - "... a 'Payment Request' email coming from random email addresses. The payload is the -same- as this slightly earlier campaign spoofing GameStop .co.uk*. The file -names- are different but the content is
-identical- with -same- SHA-256 hash numbers. All the copies I have seen -spoof- Hedley & Ellis Ltd, Newark Road, Peterborough, PE1 5UA in the email body, but have totally random senders with the email address in the email body...
* https://myonlinesecurity.co.uk/spoof...ivers-malware/
Screenshot: https://myonlinesecurity.co.uk/wp-co...nt-request.png
... There are frequently dozens or even hundreds of different download locations, sometimes delivering the exact same malware from all locations and sometimes slightly different malware versions from each one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
:fear::fear: :mad:
Fake 'Contract', 'DHL Delivery', 'Western Union' SPAM, 'Quota Exceeded' - Phish
FYI...
Fake 'Contract' SPAM - delivers trojan
- https://myonlinesecurity.co.uk/malsp...ering-malware/
4 Apr 2017 - "... malspam emails with password protected word doc attachments. They come with various subjects and themes, but they all contain -genuine- information about the recipient. Some like this one, only have the recipients full Name, Address and email address but some also contain genuine phone numbers, either landline or mobile numbers. An email with the subject of '[recipients name] Contract EFKP030417GD' pretending to come from random senders with a malicious word doc attachment...
Screenshot: https://myonlinesecurity.co.uk/wp-co...KP030417GD.png
victim.EFKP030417GD.doc - eventually downloads Ursnif (virustotal 10/60*) see VT comments for full details...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://virustotal.com/en/file/2e013...is/1491230132/
03EF8.exe
Ursnif: http://researchcenter.paloaltonetwor...ks-identified/
"... banking Trojan..."
___
Fake 'DHL Delivery' SPAM - delivers js malware
- https://myonlinesecurity.co.uk/more-...ivers-malware/
4 Apr 2017 - "... an email with the subject of 'DHL Delivery' coming or pretending to come from DHL Express UK. These do look very realistic and if you are expecting a delivery today (many recipients will be) you can be very easily fooled by it... from the various reports are connections to various well known websites and webmail services like Google, Facebook, Yahoo, Nirsoft .com and what looks like attempted logins. The javascript file is basically -obfuscated- by simple reversing the url strings embedded in the file, so for example these reverse encoded strings embedded in the js file...
/6863daolnwod/se.aicnelapnerarpmoc//:ptth
/7184daolnwod/moc.leuftnuocsidupe//:ptth
/4372daolnwod/moc.puorgcmc//:ptth
/4819daolnwod/ku.oc.nimdagcc.www//:ptth
/8522daolnwod/xm.moc.zenitramoderfla.www//:ptth
Transform to:
http ://www .alfredomartinez .com.mx/download2258/ : 162.144.80.161: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/cb...7052/analysis/
http ://www .ccgadmin .co.uk/download9184/ : 193.238.80.70: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/8d...5435/analysis/
http ://cmcgroup .com/download2734/ : 216.218.207.100: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/d4...798c/analysis/
http ://epudiscountfuel .com/download4817/ : 69.175.87.139: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/25...8783/analysis/
http ://comprarenpalencia .es/download3686/ : 149.202.107.130: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/de...d5f9/analysis/
...
Screenshot: https://myonlinesecurity.co.uk/wp-co...spam-email.png
The link in the email goes to http ://atvicon .com/OXF31666g/ where you see an open directory. Selecting index.php gives you the download of the .js file (VirusTotal 12/56*). The payload Security report** of this .js file shows lots of other urls associated with this malware & downloads, some of which give an immediate download of the .js file. The Payload Security report shows a download of a file named 2tlj63ijo.exe (VirusTotal 28/61***) (Payload Security[4]) ... my -manual- download gave me (VirusTotal 8/62[5]) Payload Security[6] ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4...is/1491300071/
DHL__Report__5238760711__Di__April__04__2017.js
** https://www.hybrid-analysis.com/samp...01b38374bbcce7
Contacted Hosts
216.218.207.100
87.106.105.76
67.205.128.122
*** https://www.virustotal.com/en/file/0...6f92/analysis/
2tlj63ijo.exe
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
87.106.105.76
67.205.128.122
5] https://www.virustotal.com/en/file/5...is/1491300282/
5960.exe
6] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
87.106.105.76
67.205.128.122
atvicon .com: 67.222.136.31: https://www.virustotal.com/en/ip-add...1/information/
___
Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoof...s-java-adwind/
4 Apr 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... Unlike today’s slightly earlier Java Adwind malspam spoofing Bank of Bahamas*, this one does have a new Java Adwind version at the end of the complicated delivery chain...
* https://myonlinesecurity.co.uk/spoof...s-java-adwind/
Screenshot: https://myonlinesecurity.co.uk/wp-co...n-1_4_2017.png
These contain a genuine PDF that has a link to the site to download a zip file. First the pdf looks like:
> https://myonlinesecurity.co.uk/wp-co...tcn_wu_pdf.png
The link today goes to:
http ://publikasi-fbio .ukdw .ac.id/css/WesternUnion_Fund_Verification_As_of_1st_April_2017.htm
where you see this page with instructions trying to make you think it is genuine with yet another download link:
http ://publikasi-fbio .ukdw .ac.id/css/WesternUnion_Fund_Verification_As_of_1st_April_2017.zip
> https://myonlinesecurity.co.uk/wp-co...wnloadpage.png
AWD020025 MTCN 25 Funds Verification.jar (478kb) Current Virus total detections 11/58*: MALWR**
details.jar (119kb) Current Virus total detections 5/55***: Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1491283408/
AWD020025 MTCN 25 Funds Verification.jar
** https://malwr.com/analysis/N2JkYTE4Z...QwYmE2NTFiOGU/
*** https://www.virustotal.com/en/file/8...is/1476250143/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
publikasi-fbio .ukdw .ac.id: 119.235.252.122: https://www.virustotal.com/en/ip-add...2/information/
> https://www.virustotal.com/en/url/c0...f960/analysis/
___
'Quota Exceeded' - Phish
- https://myonlinesecurity.co.uk/spoof...-now-phishing/
4 Apr 2017 - "... phishing attempts for email credentials...:
Screenshot: https://myonlinesecurity.co.uk/wp-co...se-Add-Now.png
If you follow the -link- inside-the-email you see a webpage looking like this:
http ://maharajasweet .com/flash/bestdomain/?email=victim@domain.com :
> https://myonlinesecurity.co.uk/wp-co...mail_phish.png
... recognize familiar details like our email address or domain name... look at the -real- address in the URL bar at the top of the page:
> https://myonlinesecurity.co.uk/wp-co...ail_phish2.png
After you input your email address and password, you get a 'success' page:
> https://myonlinesecurity.co.uk/wp-co...04/success.png
... whether it is a straight forward attempt, like this one, to -steal- your personal, bank, credit card or email and social networking log in details... the final IP address outside of your network in the Received: fields can be trusted as others can be -spoofed- ..."
maharajasweet .com: 209.200.238.28: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/28...5373/analysis/
:fear::fear: :mad:
Fake 'Customer Statement', '.JPG' SPAM
FYI...
Fake 'Customer Statement' SPAM - deliverers malware
- https://myonlinesecurity.co.uk/spoof...erers-malware/
7 Apr 2017 - "An email with the subject of pretending to come from random companies with a zip file that extracts to another zip that eventually extracts to a malicious word doc attachment delivers malware probably Dridex banking Trojan. Currently Payload Security has a massive backlog so analysis is pending...
Screenshot: https://myonlinesecurity.co.uk/wp-co...-statement.png
Statement_SE8743.docm - Current Virus total detections 8/58* MALWR**...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/1...is/1491553437/
** https://malwr.com/analysis/Nzg2ZDExM...c3MTg1MGM4NjQ/
Hosts
195.114.1.135
___
Fake '.JPG' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/email...livers-dridex/
7 Apr 2017 - "... an email with a subject saying something like 'Emailing: PIC9744891.JPG' (random numbers and file extensions... Gif, JPG, Tiff, Png or any other image or doc file extension). They all come from random senders. The zip attachment extracts to another zip file that eventually extracts to the VBS dropper...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ex-malspam.png
PIC9390310.vbs - Current Virus total detections 5/56* - MALWR** shows a download of an encrypted file from
http ://staciedunlop .com/87hcwc? which is converted by the script to KhtLPsv.exe (VirusTotal 14/61***)
Each VBS file has 4-or-5 embedded urls that download the encrypted text file that gets converted to the Dridex payload... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1491567450/
** https://malwr.com/analysis/YzY3OGY0M...RjNjhmYTJlOWQ/
Hosts
64.69.93.68
*** https://www.virustotal.com/en/file/4...is/1491568169/
staciedunlop .com: 64.69.93.68: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/87...af59/analysis/
:fear::fear: :mad:
'Paypal Update acct info' – phish
FYI...
'Paypal Update acct info' – Phish
- https://myonlinesecurity.co.uk/paypa...-a-difference/
8 Apr 2017 - "We see lots of phishing attempts for PayPal details. This one is slightly different than many others and much more involved and complicated. This one has an html -attachment- that contains the phishing acts... They ask you to give all the usual details... The whole HTML file is -encrypted- ...
Update: ... by numerous contacts on Twitter, eventually it has been discovered that
http ://www.accunetix .net/80f78664.php is the phishing drop site...
Screenshot: https://myonlinesecurity.co.uk/wp-co...nformation.png
The html form looks like this (reduced in size to fit on one screenshot):
> https://myonlinesecurity.co.uk/wp-co...atatchment.png
... Watch for -any- site that invites you to enter ANY personal or financial information..."
accunetix .net: 94.102.60.170: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/a9...c62d/analysis/
:fear::fear: :mad:
Fake 'Scanned image', 'scan data' SPAM
FYI...
Fake 'Scanned image' SPAM - delivers Cerber
- https://myonlinesecurity.co.uk/scann...er-ransomware/
10 Apr 2017 - "... An email with the subject of 'Scanned image from MX-2600N' pretending to come from noreply@ your own email address with a zip file attachment that extracts to another zip file then a malicious word doc delivers Cerber ransomware...
Screenshot: https://myonlinesecurity.co.uk/wp-co...m-MX-2600N.png
20170410_294152.docm - Current Virus total detections 11/58*: Payload Security** shows a download of an encrypted txt file from http ://villa-kunterbunt-geseke .de/nkjv78v which is transformed by the macro script to redchip2.exe (VirusTotal 8/61***). Payload Security[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/5...is/1491816739/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
85.114.146.10
*** https://www.virustotal.com/en/file/1...is/1491816149/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
194.9.25.17
villa-kunterbunt-geseke .de: 85.114.146.10: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/2e...ec24/analysis/
___
Fake 'scan data' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/scan-...liver-malware/
10 Apr 2017 - "... an email with the subject of 'scan data' pretending to come from noreply@ your own email address...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ta-malspam.png
... several antiviruses on VirusTotal 8/56* declare this as 'a malicious PDF file'. PDF examiner** declares this 'a suspicious.embedded doc file' and 'suspicious.warning: object contains JavaScript' | Payload Security***...
ScanData155328.docm (VirusTotal 10/57[4]) (Payload Security [5]) | MALWR[6]. This contacts:
super-marv .com/874hv... It looks like it should download an -encrypted- txt file that is converted to redchip2.exe... Update: this one is Dridex... An alternative pdf gave me Payload Security[7] which downloaded redchip2.exe from
hiddencreek .comcastbiz .net/874hv (Virustotal 10/61[8])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1491827466/
[See 'File detail']
** https://www.malwaretracker.com/pdfse...bfa06d241b8f27
*** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
194.9.25.17
143.95.251.11
4] https://www.virustotal.com/en/file/b...is/1491829510/
ScanData155328.docm
5] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
194.9.25.17
143.95.251.11
6] https://malwr.com/submission/status/...U3NWQxMmRhM2Q/
Hosts
143.95.251.11
7] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
194.9.25.17
216.87.186.165
185.44.105.92
64.79.205.100
185.25.184.214
8] https://www.virustotal.com/en/file/1...is/1491828872/
redchip2.exe
hiddencreek .comcastbiz .net: 216.87.186.165: https://www.virustotal.com/en/ip-add...5/information/
:fear::fear: :mad:
Fake 'RBS', 'scanned file' SPAM, Fake Google Maps listings
FYI...
Fake 'RBS' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoof...ivers-malware/
11 Apr 2017 - "An email with the subject of 'FW: Important BACs documents' pretending to come from RBS BACs <GRGBACspaymentsdelivery@ rbsdocuments .co.uk> with a malicious word doc spreadsheet attachment delivers malware... it appears to be Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...4/rbs_bacs.png
RBS_BACs_11042017.doc - Current Virus total detections 3/54*. Payload Security currently is not responding for me. MALWR** shows nothing relevant.
I am informed that it uses PowerShell to download http ://hitecmetal .com.my/images/NGVN4LNyaCV6amPf8jsgJeHVgLX.png which of course is -not- a png but a renamed .exe file (VirusTotal 11/60***) which even more suggests ursnif or Trickbot banking Trojans... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1491904361/
** https://malwr.com/analysis/ZGRhZGUwZ...Q0MzZhMjVhNTQ/
*** https://www.virustotal.com/en/file/2...is/1491905198/
kxecz.exe
hitecmetal .com.my: 110.4.45.192: https://www.virustotal.com/en/ip-add...2/information/
___
Fake 'scanned file' SPAM - delivers malware
- https://myonlinesecurity.co.uk/scann...ivers-malware/
11 Apr 2017 - "... an email that has a multitude of subjects all along the line of 'scanned file/image document/image etc. pretending to come from totally random senders with a pdf attachment. This PDF does have an embedded word doc inside... Payload Security Hybrid Analysis... is currently down. I assume this will turn out to be Dridex in the same way it did yesterday*...
* https://myonlinesecurity.co.uk/scan-...liver-malware/
Screenshot: https://myonlinesecurity.co.uk/wp-co...image-data.png
20170411414556.pdf - Current Virus total detections 10/57*. MALWR**...
Update: ... the word macro content shows downloads of -encrypted- txt files from:
medjobsmatch .com/kjv783r
outoftheboxpc .org/kjv783r
jenya.kossoy .com/kjv783r
Which MALWR*** managed to decode as redchip2.exe (VirusTotal 8/61[4]) which although not being detected as Dridex is either likely to be Dridex or Kegotip... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1491908876/
** https://malwr.com/analysis/OGUxZGU5Y...JlMjg1NmQ4Yjg/
*** https://malwr.com/analysis/NjNkM2JiM...k1ZmM5MGZmZmU/
Hosts
23.229.143.7
4] https://www.virustotal.com/en/file/6...is/1491910444/
medjobsmatch .com: 23.229.143.7: https://www.virustotal.com/en/ip-add...7/information/
outoftheboxpc .org: 216.87.186.17: https://www.virustotal.com/en/ip-add...7/information/
jenya.kossoy .com: 64.111.126.118: https://www.virustotal.com/en/ip-add...8/information/
___
Fake Google Maps listings redirect Users to fraudulent sites
- https://www.bleepingcomputer.com/new...es-each-month/
Apr 10, 2017 - "... This is the result of a study carried out by Google and University of California, San Diego researchers, who analyzed over 100,000 businesses marked as 'abusive' and added to Google Maps between June 2014 and September 2015. Researchers say that 74% of these abusive listings were for local businesses in the US and India, mainly in pockets around certain local hotspots, especially in large metropolitan areas such as New York, Chicago, Houston, or Los Angeles. In most cases, the scheme was simple. A customer in need of a locksmith or electrician would search Google Maps for a local company. If he navigated to the website of a fake business or called its number, a call center operator posing as the business' representative would send over an unaccredited contractor that would charge much more than regular professionals. If a customer's situation were urgent, the contractor would often charge more than the initial agreed upon price. Researchers said that 40.3% of all the listings for fake companies they found focused on on-call services, such as locksmiths, plumbers, and electricians, were customers were desperate to resolve issues... To list a business card on Google Maps, companies must go through a series of checks that involves Google mailing a postal card, or making a phone call to the business headquarters. After analyzing over 100,000 fake listings, researchers said miscreants registered post office boxes at UPS stores and used the same address to register tens to hundreds of listings per address. They did the same thing for their phone contact, by buying cheap VoIP numbers from providers such as Bandwidth .com, Level 3, Twilio, or Ring Central... The research team discovered that crooks managed to hijack 0.5% of Google Maps' outbound traffic for the studied period... Google also says it currently detects and disables around 85% fake listings before they ever appear on Google Maps..."
> https://static.googleusercontent.com...hive/45976.pdf
[ 9 pages ]
:fear::fear: :mad:
Fake 'resume' SPAM, Ransomware variants
FYI...
Fake 'resume' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spear...ds-to-malware/
12 Apr 2017 - "An email with the subject of 'Greetings' come from a random name and email address that says it is a resume applying for employment with a malicious word doc attachment delivers malware... Update: I am very reliably informed this is a Zyklon HTTP bot* which is being used in DDOS attacks against a wide variety of sites and is a password and other credential stealer, including all windows, office and many other software licencing keys, as well as email credentials, website passwords and any other password that you can think of...
* https://security.radware.com/ddos-th...n-http-botnet/
Screenshot: https://myonlinesecurity.co.uk/wp-co...rah-resume.png
Sarah-Resume.doc - Current Virus total detections 7/57**. Payload Security*** shows a download using PowerShell from
http ://185.165.29.36 /11.mov which is -renamed- by the macro to k4208.exe
(VirusTotal 7/61[4]) (Payload Security[5]) and autorun and in turn drops iTunes.exe and autorun
(VirusTotal 5/61[6]) (Payload Security[7])... The word doc has a slightly different instruction message than we usually see:
> https://myonlinesecurity.co.uk/wp-co...ent-locked.png
This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run -will- infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustotal.com/en/file/3...is/1491973686/
*** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
185.165.29.36
78.47.139.102
76.73.17.194
154.35.32.5
86.59.21.38
194.109.206.212
84.146.168.11
91.121.230.210
185.66.250.141
192.87.28.82
163.172.29.21
178.162.194.82
130.230.113.235
4] https://www.virustotal.com/en/file/a...is/1491963473/
5] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (20)
6] https://www.virustotal.com/en/file/5...is/1491963495/
7] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (13)
___
Ransomware variants - emails
- https://isc.sans.edu/diary.html?storyid=22290
2017-04-12 - "... malicious spam (malspam) on Tuesday morning 2017-04-11. At first, I thought it had limited distribution. Later I found several other examples, and they were distributing yet another ransomware variant... The ransomware is very aware of its environment, and I had use a physical Windows host to see the infection activity...:
> https://isc.sans.edu/diaryimages/ima...y-image-01.jpg
... I collected 14 samples of the malspam on Tuesday 2017-04-11. It started as early as 14:12 UTC and continued through at least 17:03 UTC. Each email had a -different- subject line, a -different- sender, -different- message text, and a -different-link- to click:
> https://isc.sans.edu/diaryimages/ima...y-image-02.jpg
... -All- are subdomains of ideliverys .com on 47.91.88.133 port 80. The domain ideliverys .com was registered the-day-before on Monday 2017-04-10...
As usual, humans are the weakest link in this type of infection chain. If people are determined to bypass all warnings, and their systems are configured to allow it, they will become infected. Unfortunately, that's too often the case. I don't believe the situation will improve any time soon, so we can expect these types of malspam campaigns to continue..."
(More detail at the first ISC URL at the top.)
ideliverys .com: 47.91.88.133: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/16...9d0f/analysis/
:fear::fear: :mad: