SPAM frauds, fakes, and other MALWARE deliveries...

**AplusWebMaster** · 2017-06-16, 15:33

FYI...

Fake Email account notice – Phish
... 'Your Mailbox Will Be Terminated'
- https://myonlinesecurity.co.uk/your-...l-credentials/
16 Jun 2017 - "We see lots of phishing attempts for email credentials. This one is slightly different...

Screenshot: https://myonlinesecurity.co.uk/wp-co...er.co_.uk-.png

If you follow the link you see a webpage looking like this:
https ://deadsocial .com//media/email_updatep1/login.php?userid=ans@ thespykiller .co.uk
(you can put any email address at the end of the link & get the same page with email already filled in).
The red countdown continues to decrease in time while the page is open:
> https://myonlinesecurity.co.uk/wp-co...ail_update.png

... After you input your email address and password, you get told 'incorrect details' and forwarded to an almost identical looking page where you can put it in again and it does that on a continual loop:
> https://myonlinesecurity.co.uk/wp-co...il_update2.png

... Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information..."

deadsocial .com: 184.154.216.243: https://www.virustotal.com/en/ip-add...3/information/
> https://www.virustotal.com/en/url/71...24c7/analysis/

**AplusWebMaster** · 2017-06-20, 12:47

FYI...

Fake DHL SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-...ivers-malware/
20 Jun 2017 - "An email with the subject of 'Commercial Invoice' pretending to come from export@ dhl-invoice .com with a malicious Excel XLS spreadsheet attachment delivers some sort of malware... I am being told that -other- subjects in this malspam run -spoofing- DHL include: 'DHL Commercial Invoice' and 'DHL poforma invoice'. There appear to be several different -spoofed- senders @dhl-invoice .com...

Screenshot: https://myonlinesecurity.co.uk/wp-co...spam-email.png

dhl_commercial_invoice_.xls - Current Virus total detections 5/55*. Payload Security** shows a download from
http ://travel-taxi .net/test/edf.exe (VirusTotal 51/62[3]), (Payload Security[4]).
Other download locations -embedded- in other versions of the macro include
http ://okinawa35 .net/m/iop.exe
The XLS file looks like:
> https://myonlinesecurity.co.uk/wp-co...nvoice_xls.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1497948303/

** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
202.218.50.130

3] https://www.virustotal.com/en/file/1...e217/analysis/

4] https://www.hybrid-analysis.com/samp...ironmentId=100

travel-taxi .net: 203.183.93.149: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/2b...c1d5/analysis/

okinawa35 .net: 202.218.50.130: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/8b...fd1c/analysis/

**AplusWebMaster** · 2017-06-21, 19:11

FYI...

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/the-r...nvoice-emails/
21 Jun 2017 - "... an email with the subject of 'Copy of Invoice 79898702' coming or pretending to come from noreply@ random email addresses with a semi-random named zip attachment in the format of 79898702.zip (random 8 digits). The zip matches the subject... Whether this is a permanent return to Locky or a one off, I don’t know... Locky has vanished for while before & returned. It is also very unusual for Locky to come as an executable file inside a zip...

Screenshot: https://myonlinesecurity.co.uk/wp-co...e-79898702.png

79898702.zip: extracts to INV-09837592.zip which in turn Extracts to: INV-09837592.exe
Current Virus total detections 10/60*. Payload Security**. None of the sandboxes are showing any encrypting activity or the usual Locky signs, so it looks like a -new- version with protections against analysis. We only know it is Locky because one of the analysts[1] extracted the Locky payload from the memory while running this file (Virustotal 39/60***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/4...9cd8/analysis/
INV-09837592.exe

** https://www.hybrid-analysis.com/samp...ironmentId=100

*** https://www.virustotal.com/en/file/b...is/1498057764/
_005C0000.mem

1] https://twitter.com/mpvillafranca94/...44503720247296

- http://blog.talosintelligence.com/20...-campaign.html
June 21, 2017 - "... The volume of Locky spam Necurs has sent since the start of this particular campaign is notable. In the first hour of this campaign, Talos observed that Locky spam accounted for up to 7.2% of email volume on one of our systems*. While the campaign has since decreased in the number of messages being sent per minute, Necurs is still actively sending messages containing Locky... we can expect a fixed version of Locky to appear in a future round of Necurs' ransomware spam... it's always risky clicking-on-links or opening -attachments- in strange email messages..."
> https://1.bp.blogspot.com/-O9IsDuPG5...600/image3.jpg
___

Fake 'Receipt to print' SPAM - delivers malware
- https://myonlinesecurity.co.uk/recei...ivers-malware/
21 Jun 2017 - "... an email with the subject of 'Receipt to print' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers some malware... Earlier WSF files today delivered Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-co...t-to-print.png

Receipt_6706.zip: extracts to archive0124.zip which extracts to: 0923.wsf
Current Virus total detections 11/57*. Payload Security** shows a download of an encrypted file from
http ://tag27 .com/08345ug? which is converted by the script to IeEOifS6.exe (VirusTotal 11/57***).
Manual examination and basic decoding of the WSF file shows these download locations:
tag27 .com/08345ug? > 162.210.102.220
78tguyc876wwirglmltm .net/af/08345ug > 119.28.86.18
malamalamak9 .net/08345ug? > 74.122.121.8
randomessstioprottoy .net/af/08345ug > 119.28.86.18
shreveporttradingantiques .com/08345ug? > 74.220.215.225 ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/f...is/1498051603/

** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
162.210.102.220
119.28.86.18
74.122.121.8

*** https://www.virustotal.com/en/file/1...is/1480617465/

**AplusWebMaster** · 2017-06-26, 12:11

FYI...

Fake 'INVOICE' SPAM - delivers malware
- https://myonlinesecurity.co.uk/confi...liver-malware/
26 Jun 2017 - "An email with the subject of '*CONFIRM ORDER AND REVISE INVOICE*' pretending to come from admin@ random company with a malicious word doc attachment. This word doc is actually an RTF file that uses what looks like the CVE-2017-0199 exploit...

Screenshot: https://myonlinesecurity.co.uk/wp-co...SE-INVOICE.png

Order Ref-22550.doc - Current Virus total detections 16/56*. Neither MALWR nor JoeSandbox could get any malicious content from it. Payload Security is still -down- this morning for maintenance that was hoped to be done over the weekend.
Update: after a bit of manual editing & investigating I was able to find the download location:
https ://dev.null .vg/OtoGQj9.hta (VirusTotal 13/56**) ( MALWR***) which should deliver
http ://allafrance .com/ziko.exe but is currently giving me a 404... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c...is/1498451330/
Order Ref-22550.doc

** https://www.virustotal.com/en/file/f...is/1498457573/
OtoGQj9.hta

*** https://malwr.com/analysis/ZDI4ZWFmY...YzMjAzNjBkNjY/

dev.null .vg: 104.27.187.29: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/22...9263/analysis/
104.27.186.29: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/22...9263/analysis/

allafrance .com: 85.14.171.25: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/09...eb4e/analysis/
___

Fake 'invoice' SPAM - links to malware doc file
- https://myonlinesecurity.co.uk/more-...liver-malware/
26 Jun 2017 - "... An email with the subject of 'Cust # 880767-00057' [redacted] pretending to come from Jackie Fill <vs1.kirchdorf@ eduhi .at> (probably random senders) with a -link- that downloads a malicious word doc. The subject and the link that appears in body of the email has the recipients name in it but the actual link doesn’t. The link in this case went to
http ://facyl .com.br/Invoices-payments-and-questions-JBQHL-933-907247/ where it downloaded a macro enabled word doc (the link is very slow & does time out)...

Screenshot: https://myonlinesecurity.co.uk/wp-co...0767-00057.png

Invoice-NUVKHC-227-980463.doc - Current Virus total detections 9/56*... Joesandbox** shows connections to numerous sites where a malicious file is downloaded using PowerShell, including:
http ://carbeyondstore .com/cianrft/ > 72.52.246.64
http ://motorgirlstv .com/kdm/ > 202.191.62.208
http ://nonieuro .com/xauqt/ > 216.104.189.202
http ://pxpgraphics .com/espzyurt/ > 69.65.3.206
http ://studiogif .com.br/jedtvuziky/ > 192.185.216.153
Eventually giving an .exe file (VirusTotal 10/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1498480442/

** https://jbxcloud.joesecurity.org/analysis/297919/1/html

*** https://www.virustotal.com/en/file/b...is/1498478920/

facyl .com.br: 187.45.187.130: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/f8...44e5/analysis/

**AplusWebMaster** · 2017-06-27, 17:16

FYI...

Fake 'Fattura' SPAM - delivers xls attachment malware
- https://myonlinesecurity.co.uk/more-...nking-trojans/
27 Jun 2017 - "An email with the subject of 'Fattura n.9171 del 27/06/17' pretending to come from random Italian email addresses with an Excel XLS spreadsheet attachment...
Update: I am 100% assured* that this is Trickbot banking Trojan...
* https://twitter.com/_operations6_/st...80802136707073

Screenshot: https://myonlinesecurity.co.uk/wp-co...a_it_spam1.png

Attachment: https://myonlinesecurity.co.uk/wp-co...a_it_spam2.png

The xls file looks like this, with the instructions to 'enable content' in Italian. They obviously hope that the victim will 'enable content & macros' to see the washed out invoice details in full detail:
> https://myonlinesecurity.co.uk/wp-co...nvoice-xls.png

FATTURA num. 6655 del 27-=.xls - Current Virus total detections 6/56[1]. Payload Security[2] shows a download from
https ://3eee22abda47 .faith/nvidia4.dvr (VirusTotal 11/61[3])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/d...9395/analysis/
1_FATTURA num. 5999 del 27-06-2017.xls

2] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
46.173.218.138

3] https://www.virustotal.com/en/file/8...19f8/analysis/
nvidia4.dvr

3eee22abda47 .faith: 46.173.218.138: https://www.virustotal.com/en/ip-add...8/information/
> https://www.virustotal.com/en/url/a0...eca1/analysis/
___

Protect Your Cloud - from Ransomware
> http://www.darkreading.com/cloud/9-w...d/d-id/1329221
6/27/2017
___

Multiple Petya Ransomware Infections Reported
- https://www.us-cert.gov/ncas/current...tions-Reported
June 27, 2017

- http://blog.talosintelligence.com/20...e-variant.html
June 27, 2017 - "... a new malware variant has surfaced..."

- https://www.helpnetsecurity.com/2017...ya-ransomware/
June 27, 2017

- http://www.reuters.com/article/us-cy...-idUSKBN19I1TD
Jun 27, 2017 | 4:35pm EDT

- http://www.telegraph.co.uk/news/2017...cyber-attack1/
27 June 2017 • 8:50pm GMT

**AplusWebMaster** · 2017-06-29, 14:18

FYI...

Fake 'UPS cannot deliver' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/retur...ovter-payload/
29 Jun 2017 - "The 'UPS failed to deliver' messages have come back... it looks like the Kovter gang have taken advantage of the Petya outbreak to add to the mix. They have updated the nemucod ransomware version to make it, on first look, impossible to decrypt at this time without paying the ransom. Thanks to Michael Gillespie* a well known anti-ransomware campaigner for his assistance and pointing me in the right direction about the new nemucod ransomware version...
* https://twitter.com/demonslay335
If you get infected by this or any other ransomware please check out the ID Ransomware service** which will help to identify what ransomware you have been affected by and offer suggestions for decryption...
** https://id-ransomware.malwarehunterteam.com/index.php

The emails are the same as usual (you only have to look through this blog and search for UPS[1] or FedEx[2] or USPS[/3]... hundreds of different examples and subjects)...
1] https://myonlinesecurity.co.uk/?s=UPS

2] https://myonlinesecurity.co.uk/?s=fedex

3] https://myonlinesecurity.co.uk/?s=usps

Screenshot: https://myonlinesecurity.co.uk/wp-co...to_deliver.png

... there is a difference in the .js files that are coming in the (attachment) zips... The initial js looks very similar to previous but has much longer vars (var zemk) that is used to download the other files...
Showing a high level of encryption that at this time appears unable to be decrypted without paying the ransom.
This ransom note (or something similar with different links) gets displayed on the victim’s desktop:
>> https://myonlinesecurity.co.uk/wp-co...structions.jpg

The original js downloads 3 files - 1 is Kovter as usual, the second is unknown and there is a massive 6.7mb php interpreter. The 2nd file won’t run without the php interpreter. It looks like it also belongs to PHP and both php files together are needed to run the downloaded php counter files to encrypt the computer...
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (406)

5] https://jbxcloud.joesecurity.org/analysis/300085/1/html
UPS-Delivery-005156577.doc.js

6]https://www.virustotal.com/en/file/d167368409c3fa244e17cef06eb83174b03fc0397cb0d907daf30dfdba5e100e/analysis/1498629470/
UPS-Delivery-005156577.doc.js
Detection ratio: 9/55

... The Kovter download looks like it works separately to the ransomware but might actually be involved somewhere along the line:
7] https://www.virustotal.com/en/file/2...is/1498630707/
da40c167cd75d.png
Detection ratio: 25/62

8] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts (398)

... Sites involved in this campaign found so far this week:
resedaplumbing .com > 166.62.58.18
modx.mbalet .ru> 95.163.101.104
artdecorfashion .com > 107.180.0.125
eventbon .nl > 109.106.167.212
elita5 .md > 217.26.160.15
goldwingclub .ru > 62.109.17.210
www .gloszp .pl > 87.98.239.19
natiwa .com > 115.84.178.83
desinano .com.ar > 190.183.59.228
amis-spb .ru > 77.222.61.227
perdasbasalti .it > 94.23.64.3
120.109.32.72: https://www.virustotal.com/en/ip-add...2/information/
calendar-del .ru > 77.222.61.227
indexsa.com .ar > 190.183.59.228 ..."
___

'Blank Slate' - malspam campaign -ransomware-
- https://isc.sans.edu/forums/diary/Ca...+strong/22570/
Last Updated: 2017-06-29 - "'Blank Slate' is the nickname for a malicious spam (malspam) campaign pushing -ransomware- targeting Windows hosts... Today I collected 11 Blank Slate emails, so this diary examines recent developments from the Blank Slate campaign. Today's Blank Slate malspam was pushing Cerber and GlobeImposter ransomware... -fake- Chrome pages sent victims zip archives containing malicious .js files designed to infect Windows hosts with ransomware... potential -victims- must open the zip attachment, open the enclosed zip archive, then double-click the final .js file. That works on default Windows configurations..."
(More detail at the isc URL above.)
___

- https://www.bitdefender.com/news/mas...ages|goldeneye
Update 6/28 08.00 GMT+3 - "There is mounting evidence that the #GoldenEye / #Petya ransomware campaign might not have targeted financial gains but rather data destruction..."

**AplusWebMaster** · 2017-07-05, 17:56

FYI...

Fake 'Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoof...anking-trojan/
5 Jul 2017 - "An email with the subject of 'Important Account Documents' pretending to come from Lloyds bank but actually coming from a look-a-like domain Lloyds Bank Documents <no-reply@ lloydsbankdocs .co.uk> with a malicious word doc attachment... So far we have only found 1 site sending these today:
lloydsbankdocs .co.uk
As usual they are registered via Godaddy as registrar and the emails are sent via IP 37.46.192.51 which doesn’t have any identifying details except AS47869 Netrouting in Netherlands...

Screenshot: https://myonlinesecurity.co.uk/wp-co...-Documents.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-co...count-docs.png

AccountDocs.doc - Current Virus total detections 7/57*. Payload Security** shows a download from
http ://pilotosvalencia .com/sergollinhols.png which of course is -not- an image file but a -renamed- .exe file that gets renamed to fsrtat.exe and autorun (VirusTotal 14/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c...43f6/analysis/

** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.169.217.4
167.114.174.158
197.248.210.150

*** https://www.virustotal.com/en/file/2...0a11/analysis/
___

Fake 'Customer message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoof...anking-trojan/
5 July 2017 - "... delivering banking Trojans is an email with the subject of 'Customer message' pretending to come from 'Nat West Bank' but actually coming from a series of look alike domains - NatWest Bank Plc <alert@ natwest-serv478 .ml> with a malicious word doc attachment... criminals sending these have registered various domains that look-like-genuine bank domains. Normally there are 3 or 4 newly registered domains that imitate-the-bank or some message sending service... we have found 6 but it is highly likely there could be hundreds, because they are -free- domains that don’t need any checkable registration details:
natwest-serv478 .ml > 81.133.163.165
natwest-serv347 .ml > 185.100.68.185
natwest-serv305 .ml > 72.21.246.90
natwest-serv303 .ml > 47.42.101.137
natwest-serv505 .ml > 98.191.98.153
natwest-serv490 .ml > 128.95.65.99
These are registered via freenom .com as registrar and the emails are sent via a series of what are most likely compromised email accounts or mail servers:
> https://myonlinesecurity.co.uk/wp-co..._spam_list.png

Screenshot: https://myonlinesecurity.co.uk/wp-co...er-message.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-co...ent283_doc.png

message_payment283.doc - Current Virus total detections 9/56*. Payload Security** shows a download from
http ://armor-conduite .com/34steamballons.png which of course is -not- an image file but a renamed .exe file that gets renamed to nabvwhy.exe and autorun (VirusTotal 16/62***) which is a slightly different -Trickbot- payload... An alternative download location is
http ://teracom .co.id/34steamballons.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1499266638/
message_payment283.doc

** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
202.169.44.149
94.42.91.27

*** https://www.virustotal.com/en/file/d...ff7f/analysis/
nabvwhy.exe

armor-conduite .com: 193.227.248.241: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/93...2e47/analysis/

teracom .co.id: 202.169.44.149: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/9c...dd04/analysis/
___

'AdGholas' malvertising ...
- https://blog.malwarebytes.com/cyberc...are-outbreaks/
July 5, 2017 - "... other threat actors have been quite active and perhaps even enjoyed this complimentary diversion. This is certainly true for the most prolific -malvertising- gang of the moment, dubbed 'AdGholas'... A master of disguise, AdGholas has been flying right under the nose of several top ad networks while benefiting from the ‘first to move’ effect. Indeed, the -malvertising- operators are able to quickly roll out and activate a -fake- advertising infrastructure for a few days before getting banned...
> https://blog.malwarebytes.com/wp-con...7/06/certs.png
... We collected artifacts that show us the redirection between the AdGholas group and the Astrum exploit kit. This kind of -redirect- is highly conditional in order to evade the majority of ad scanners. While many malvertising actors do not care about cloaking, it is very important to others such as AdGholas because stealthiness is a strength that contributes to its longevity...
IOCs:
AdGholas:
expert-essays[.]com
jet-travels[.]com
5.34.180.73
162.255.119.165
Astrum Exploit Kit:
uniy[.]clamotten[.]com
comm[.]clamotten[.]com
comp[.]computer-tutor[.]info
lexy[.]computer-tutor[.]info
sior[.]ccnacertification[.]info
kvely[.]our-health[.]us
nuent[.]mughalplastic[.]com
mtive[.]linksaffpixel[.]com
cons[.]pathpixel[.]com
sumer[.]pathlinkaff[.]com
nsruc[.]ah7xb[.]com
ction[.]ah7xb[.]com
nstru[.]onlytechtalks[.]com
const[.]linksaffpixel[.]com
quely[.]onlytechtalks[.]com
coneq[.]modweave[.]com
94.156.174.11 ..."
(More detail at the malwarebytes URL above.)
___

Fake 'invoice' SPAM - delivers java adwind malware
- https://myonlinesecurity.co.uk/fake-...g-java-adwind/
4 Jul 2017 - "... fake 'invoices' rather then their more usual method of fake 'MoneyGram' or 'Western Union money transfer' reports or updates...

Screenshot: https://myonlinesecurity.co.uk/wp-co...e-invoices.png

Payment Dunmore 27.26.170001.jar (566kb) - Current Virus total detections 12/58*. MALWR**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/c...is/1499145423/

** https://malwr.com/analysis/ZTI2MTE2M...BiNWE0NmNlNGE/

**AplusWebMaster** · 2017-07-06, 12:18

FYI...

Fake 'wire request' SPAM - delivers banking trojan
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
6 Jul 2017 - "An email with the subject of 'The wire request is unsuccessful!' pretending to come from Billing Support using random senders & email addresses with a malicious word doc attachment delivers Chthonic banking trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-co...ng-support.png

printed_ty_0717.doc - Current Virus total detections 12/58*. Payload Security** shows a download from
http ://185.117.73.105 /bofasup.exe (VirusTotal 13/57***)... alternative doc detections [1] [2]. Other download locations include: (there are 3 download locations hard coded in the macro):
http ://185.45.192.116 /bofasup.exe
http ://185.117.72.251 /bofasup.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1499318502/

** https://www.hybrid-analysis.com/samp...ironmentId=100

*** https://www.virustotal.com/en/file/d...e397/analysis/
bofasup.exe

1] https://www.virustotal.com/en/file/b...3968/analysis/
printed_copy_da_0717.doc
Detection ratio: 13/57

2] https://www.virustotal.com/en/file/8...is/1499319821/
copy_wt_0717.doc
Detection ratio: 11/57
___

Fake 'eFax' SPAM - malicious doc/xls attachment
- https://myonlinesecurity.co.uk/more-...ivers-malware/
6 Jul 2017 - "... spoofed eFax message from 1 month ago[1], the same gang are using a similar range of fake e-faxcorporatexxx.top domains to send these malspam emails. Today’s comes with the usual typical subject of 'eFax message from “0300 200 3822” – 2 page(s)' coming from eFax <message@ e-faxcorporate102 .top> with a malicious word doc attachment which delivers some sort of malware...
1] https://myonlinesecurity.co.uk/fake-...-and-trickbot/

Screenshot: https://myonlinesecurity.co.uk/wp-co.../efax_nest.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-co...gedoc_nest.png

SecureMessage.doc - Current Virus total detections 6/57*... Joesandbox** shows a download from
http ://5.149.252.155 /parcelon13.exe (VirusTotal 15/63***)...
This email attachment contains what appears to be a genuine word doc -or- Excel XLS spreadsheet with either a macro script -or- an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1499264264/
SecureMessage.doc

** https://jbxcloud.joesecurity.org/analysis/304760/1/html

*** https://www.virustotal.com/en/file/c...is/1499306577/

e-faxcorporate102 .top: 46.8.221.104: https://www.virustotal.com/en/ip-add...4/information/

**AplusWebMaster** · 2017-07-07, 14:36

FYI...

Fake 'BACs documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-...anking-trojan/
7 Jul 2017 - "An email with the subject of 'FW: Important BACs documents' pretending to come from Royal Bank of Scotland but actually coming from a look-a-like domain <Secure.Delivery@ rbsdocs .co.uk> with a -link- to a malicious zip attachment containing a .js file... delivering Trickbot banking Trojan... criminals sending these have registered various domains that look like genuine Bank domains. Normally there are 3 or 4 newly registered domains that -imitate- the bank or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far we have only found 1 domain today:
rbsdocs .co.uk > 160.153.162.130
As usual they are registered via Godaddy as registrar and hosted by Godaddy on ip 160.153.162.130 but the emails are being sent via host Europe 85.93.88.125...

Screenshot: https://myonlinesecurity.co.uk/wp-co...s_trickbot.png

Rbs_Account_BACs.js - Current Virus total detections 1/57*. Payload Security** shows a download from
http ://mutfakdolabisitesi .com/grandsergiostalls.png which of course is -not- an image file but a renamed .exe file that gets renamed to qkY5ijY.exe and autorun (VirusTotal 12/64***)... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/2...is/1499423876/
Rbs_Account_BACs.js

** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
46.235.11.61
50.19.227.215
37.120.182.208
78.47.139.102

*** https://www.virustotal.com/en/file/b...is/1499422646/

mutfakdolabisitesi .com: 46.235.11.61: https://www.virustotal.com/en/ip-add...1/information/
> https://www.virustotal.com/en/url/f9...b157/analysis/

rbsdocs .co.uk: 160.153.162.130: https://www.virustotal.com/en/ip-add...0/information/
> https://www.virustotal.com/en/url/8d...dfec/analysis/
___

'Facebook Lottery' - Scam
- https://myonlinesecurity.co.uk/facebook-lottery-scam/
7 Jul 2017 - "'Oh look I have won the Facebook Lottery', or might have done if there actually was such a thing. Unfortunately it is all a big scam. If you were unwise enough to reply, all you would get is a request for a sum of money for Post & packing and the transfer fee for the money. To make it more attractive than usual, apart from the just over $1m money they are giving you a Facebook cap, tee shirt and wallet, 'Wow! how exciting!'. To show how clueless or how they don’t filter or check email addresses they send to, this was sent to a spam-trap-email address...

Screenshot: https://myonlinesecurity.co.uk/wp-co...ok-lottery.png

Email Headers:
124.153.79.193 - mailgw.notvday .in...
188.207.76.172 - static.kpn .net...

**AplusWebMaster** · 2017-07-10, 12:39

FYI...

Fake 'Delivery Status' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/new-p...unce-messages/
10 July 2017 - "We were notified of a new ransomware version* last night. This new version comes as an email attachment which is a zip inside a zip before extracting to a .js file in a -fake- 'Delivery Status Notification, failed to deliver' email bounce message. The .js file in the email attachment is a PowerShell -script- and there are no other files involved. Nothing new is downloaded. When the files are encrypted they DO NOT change file name or extensions and appear “normal” to the victim until you try to open them. This is the same behaviour we have been seeing with the recent 'UPS failed to deliver'** nemucod ransomware versions...
* https://twitter.com/SecGuru_OTX/stat...36470910562304

** https://myonlinesecurity.co.uk/retur...ovter-payload/

Screenshot: https://myonlinesecurity.co.uk/wp-co...re_email-1.png

There is also a section in the script... causes a fake pop up message making the victim think that the file isn’t running properly:
> https://myonlinesecurity.co.uk/wp-co...ot_found-1.png

After the file has run and encrypted your files, you get a message left called _README-Encrypted-Files .html:
> https://myonlinesecurity.co.uk/wp-co...mware_note.jpg

As well as encrypting the usual image, music, video and document files this also encrypts databases files, email, and very unusually many executable file types. It also encrypts your bitcoin wallet and other similar financial files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/7...is/1499666506/
Readable Msg-j8k5b798d4.js

2] https://www.reverse.it/sample/7a6d5a...ironmentId=100
Readable Msg-j8k5b798d4.js

The sender domain is also the C2 http ://joelosteel .gdn/pi.php currently hosted by digitalocean .com on 165.227.1.206 ..."

joelosteel .gdn: 165.227.1.206: https://www.virustotal.com/en/ip-add...6/information/
> https://www.virustotal.com/en/url/66...e150/analysis/
___

Fake 'Secure Communication' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/yet-a...anking-trojan/
10 Jul 2017 - "An email with the subject of 'Secure Communication' pretending to come from HM Revenue & Customs but actually coming from a look-alike-domain < Secure.Communication@ hrmccommunication .co.uk > with a malicious word doc attachment... delivering Trickbot banking Trojan... a very important site involved in today’s campaign with images being hosted on www .libdemvoice .org/wp-content/uploads/2012/06/HMRC-logo-300×102.jpg... they have been hosting an HMRC logo since 2012...

Screenshot: https://myonlinesecurity.co.uk/wp-co...rc_10_july.png

HMRC3909308823743.doc - Current Virus total detections 6/57*. Payload Security** shows a download from one of these 2 locations:
http ://pilotosvalencia .com/grazlocksa34.png -or- http ://ridderbos .info/grazlocksa34.png
which of course is -not- an image file but a renamed .exe file that gets renamed to Sonqa.exe and
autorun (VirusTotal 10/63***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9...is/1499682599/

** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.169.217.4
107.22.214.64
93.99.68.140
195.133.197.179

*** https://www.virustotal.com/en/file/9...c9cf/analysis/

pilotosvalencia .com: 81.169.217.4: https://www.virustotal.com/en/ip-add...4/information/
> https://www.virustotal.com/en/url/47...a61a/analysis/

ridderbos .info: 84.38.226.82: https://www.virustotal.com/en/ip-add...2/information/
> https://www.virustotal.com/en/url/e6...e526/analysis/

libdemvoice .org: 104.28.31.9: https://www.virustotal.com/en/ip-add...9/information/
104.28.30.9: https://www.virustotal.com/en/ip-add...9/information/

Thread: SPAM frauds, fakes, and other MALWARE deliveries...

Thread Tools

Display

Fake Email account notice - Phish

Fake DHL SPAM

Fake 'Invoice', 'Receipt to print' SPAM

Fake 'INVOICE' SPAM

Fake 'Fattura' SPAM, Protect Your Cloud, Petya Ransomware Infections Reported

Fake 'UPS cannot deliver' SPAM, 'Blank Slate' ransomware

Fake 'Documents', 'Customer message', 'invoice' SPAM, 'AdGholas' malvertising

Fake 'wire request', 'eFax' SPAM

Fake 'BACs documents' SPAM

Fake 'Delivery Status', 'Secure Communication' SPAM

Posting Permissions