
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1201
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    WannaCry Ransomware, Fake 'invoice' SPAM

    FYI...

    Indicators Associated With WannaCry Ransomware
    - https://www.us-cert.gov/ncas/alerts/TA17-132A
    Last revised: May 15, 2017 - "... According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours... Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010* (link is external) vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 (link is external) operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails...
    * https://technet.microsoft.com/en-us/.../ms17-010.aspx
    March 14, 2017
    The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans...
    Precautionary measures to mitigate ransomware threats include:
    - Ensure anti-virus software is up-to-date.
    - Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
    - Scrutinize -links- contained in -e-mails- and do -not- open -attachments- included in unsolicited e-mails.
    - Only download software – especially free software – from sites you know and trust.
    - Enable automated patches for your operating system and Web browser..."
    (More detail at the us-cert URL at the top of this post.)

    WannaCry/WannaCrypt Ransomware Summary
    - https://isc.sans.edu/diary.html?storyid=22420
    2017-05-15
    ___

    > http://blog.talosintelligence.com/20...acry.html#more
    May 12, 2017 - "... Umbrella* prevents DNS resolution of the domains associated with malicious activity..."
    * https://umbrella.cisco.com/
    ... aka 'OpenDNS' - FREE:
    >> https://www.opendns.com/setupguide/#/?new=home-free

    Test -after- setups: https://welcome.opendns.com/
    ___

    Fake 'invoice' SPAM - delivers pdf attachment jaff ransomware
    - https://myonlinesecurity.co.uk/more-...liver-malware/
    15 May 2017 - "An email pretending to be an invoice coming from random senders with a PDF attachment that drops a malicious macro enabled word doc...
    Update: confirmed as Jaff ransomware (VirusTotal 5/61*) (Payload Security**)...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...nt-malspam.png

    ... An alternative docm file that was extracted confirms it to be jaff ransomware downloads
    ecuamiaflowers .com/hHGFjd encrypted txt (Payload Security[3]) (VirusTotal 13/56[4]) JoeSandbox[5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1494846406/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    47.91.107.213

    3] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    107.180.14.32
    47.91.107.213


    4] https://www.virustotal.com/en/file/f...is/1494844454/

    5] https://jbxcloud.joesecurity.org/analysis/271421/1/html

    ecuamiaflowers .com: 107.180.14.32: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/b5...5814/analysis/

    h552terriddows .com: 47.91.107.213: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/5c...2c85/analysis/

    Last edited by AplusWebMaster; 2017-05-15 at 16:32.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1202
    Adviser Team AplusWebMaster

    Fake 'invoice', 'pdf attachments' SPAM

    FYI...

    Fake 'invoice' SPAM - downloads Cerber ransomware
    - https://myonlinesecurity.co.uk/blank...liver-malware/
    16 May 2017 - "... an empty/blank email with the subject of 'Re: invoice 28769' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment that contains another zip that in turn contains a .js file... downloads Cerber ransomware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...voice28769.png

    ... I am reliably informed[1] that with a couple of minor fixes to correct the malware developers mistakes this downloads Cerber ransomware from
    hxxp ://mdnchdbde .pw/search.php which delivers a file 1 (VirusTotal 6/59*) (Payload Security**)... 'certain that they will fix it in the next malspam run. These criminal gangs often send a small spam run out to “test the waters” and when they don’t get any expected result they double check & fix the errors ready for the next spam run.

    262647732.zip: extracts to 27000_packed.zip: which in turn Extracts to: 27000.js
    Current Virus total detections 0/57[3]: Payload Security[4] Joebox[5] - none of the online sandboxes managed to get any download location or malware content from the .js file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://twitter.com/Techhelplistcom/...50538112016385

    * https://www.virustotal.com/en/file/6...is/1494912080/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (1088)

    3] https://www.virustotal.com/en/file/0...is/1494910036/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    5] https://jbxcloud.joesecurity.org/analysis/271922/1/html

    mdnchdbde .pw: 35.163.27.202: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/99...809c/analysis/
    ___

    Fake 'pdf attachments' SPAM - delivers Jaff ransomware
    - https://myonlinesecurity.co.uk/pdf-p...ff-ransomware/
    16 May 2017 - "... series of emails with pdf attachments that drops a malicious macro enabled word doc is an email with the subject of 'Emailing: 2650032.pdf' (random numbers) pretending to come from random names at your-own-email-address that delivers Jaff ransomware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...650032_pdf.png

    2650032.pdf - Current Virus total detections 8/54*: Payload Security**... drops EYRCUD.docm
    (VirusTotal 8/59***) (Payload Security[4])... downloads an encrypted txt file from
    http ://personalizar .net/Nbiyure3 which is converted by the script to galaperidol8.exe ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1494926923/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    81.88.57.70
    47.91.107.213


    *** https://www.virustotal.com/en/file/4...is/1494927173/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    81.88.57.70
    47.91.107.213


    personalizar .net: 81.88.57.70: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/2e...74c2/analysis/

    Last edited by AplusWebMaster; 2017-05-16 at 17:14.

  3. #1203
    Adviser Team AplusWebMaster

    Fake 'Secure Message' SPAM, Adobe phish

    FYI...

    Fake 'Secure Message' SPAM - delivers trickbot
    - https://myonlinesecurity.co.uk/fake-...vers-trickbot/
    17 May 2017 - "An email with the subject of 'You have received a new Bankline Secure Message' pretending to come from Bankline RSA but actually coming from a look-a-like domain Bankline RSA <SecureMessage@ banklinersa .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...re-message.png

    ... criminals sending these have registered various domains that look like genuine bank domains. Normally there are 3 or 4 newly registered domains that imitate the bank or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far we have only found 1 domain today banklinersa .co.uk. As usual they are registered via Godaddy as registrar and for a change the emails are sent via rackspace hosting not the usual citynetwork AB in Sweden. They are currently using IP numbers 104.130.29.210, 172.99.115.203, 172.99.115.216, 172.99.115.23, 104.239.169.15, 104.130.29.243, 104.130.29.245, 172.99.115.29...

    SecureMessage.doc - Current Virus total detections 4/56*. Payload Security** downloads from
    http ://ocysf .org/wp-content/GktpotdC7dyTH1aoroa.png which of course is -not- an image file but a renamed .exe file that gets -renamed- to a .exe and autorun (VirusTotal 10/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1495019899/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    50.87.146.185
    107.22.214.64
    95.104.2.225
    192.157.238.15


    *** https://www.virustotal.com/en/file/b...is/1495019988/

    ocysf .org: 50.87.146.185: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/a2...6f8a/analysis/
    ___

    Adobe account - Phish
    - https://myonlinesecurity.co.uk/adobe...ext-data-urls/
    17 May 2017 - "... 'thought this was going to be some newer malware delivery method, but it is only -phishing- for email credentials, which of course is also extremely serious and very bad.
    NOTE: This phishing scam only works in Google Chrome. Internet Explorer will not open data:text/html urls and gives a 'cannot display' page message. Firefox refuses to display anything - just a white screen with the original url in the address bar...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...hing-email.png

    This email has a genuine PDF attachment that contains a blurred out image of an invoice with the prompt to view the Secured PDF Online Document on Adobe:
    > https://myonlinesecurity.co.uk/wp-co...ce1246_pdf.png
    -If- you click on the blurred image you get a pop up warning about links. When you follow the link inside the pdf it sends you to http ://tiny .cc/tis7ky which immediately -redirects- to
    http ://qualifiedplans .com/administrator/components/com_smartformer/plugins/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/phmho/
    where it downloads/opens a data:text url that displays a web page on your computer -not- an external site looking like:
    > https://myonlinesecurity.co.uk/wp-co.../timed_out.png
    After you press OK you get what looks-like an Adobe Business sign in page with what looks-like a download button. I inserted the usual set of fake details & pressed download, expecting some sort of malware to appear, but no it just -bounced- me on to the genuine Adobe page while your stolen data is sent to http ://setas2016 .com/image/catalog/Katalog/files/pageConfig/PDF3/index/adobe.php
    With a bit of digging around we have discovered the complete phish is also hosted on http ://setas2016 .com/image/catalog/Katalog/files/pageConfig ...
    > https://myonlinesecurity.co.uk/wp-co...be_sign_in.png
    The data:text/html file is available for download via Payload Security*. It is in the extracted files section named urlref_httptiny .cctis7ky ..."
    * https://www.hybrid-analysis.com/samp...ironmentId=100

    setas2016 .com: 87.118.140.114: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/49...fab9/analysis/
    ___

    ICS-ALERT-17-135-01A
    Indicators Associated With WannaCry Ransomware (Update A)
    > https://ics-cert.us-cert.gov/alerts/...ERT-17-135-01A
    Original release date: May 15, 2017 | Last revised: May 16, 2017
    "... updated alert is a follow-up to the original alert titled ICS-ALERT-17-135-01 Indicators Associated With WannaCry Ransomware that was published May 15, 2017, on the NCCIC/ICS-CERT web site..."
    (More detail at the URL above.)

    Last edited by AplusWebMaster; 2017-05-17 at 17:29.

  4. #1204
    Adviser Team AplusWebMaster

    Fake 'UPS', 'FedEx' SPAM

    FYI...

    Fake 'UPS' SPAM - delivers banking Trojan
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    18 May 2017 - "... some are being delivered with the word -doc- attachment, but about half are just getting the email body with an -HTML- attachment which has the same details as the email body and no word doc attachment... the details with an email with the subject of 'Fwd: UPS Worldwide Saver Notification' pretending to come from various random names @ yahoo. es -or- .de -or- .pt -or- from random@ hotmail .es -or- de . We are also seeing a sprinkling from other free webmail services like web .de with a malicious word doc attachment with a random number delivers ursnif banking Trojan. I am also seeing other parcel delivery companies like TNT and unnamed delivery services also being imitated and -spoofed- in this campaign. The TNT ones are zips with word docs inside. -All- of them today are using embedded OLE objects rather than macros to deliver Ursnif banking and password stealing Trojans.
    Update: Now seeing some coming through with zip attachments containing .js files
    Some subjects include:
    TNT Express – Documents – RL54413826 ( random numbers)
    Order Processed
    Export Scan
    Fwd: UPS Worldwide Saver Notification ...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...wide-saver.png

    These word docs contain 2 images of what pretend to be another word doc and an xls file both pretending to be invoices, However they are embedded ole objects and drop 2 different named but identical .js files when clicked on:
    > https://myonlinesecurity.co.uk/wp-co...le-objects.png
    The TNT version has a slightly different email content and word attachment, although still downloading from the -same- urls as other versions:
    > https://myonlinesecurity.co.uk/wp-co...livery-doc.png
    ...

    doc60 for clearance.doc - Current Virus total detections 0/58*. Payload Security** drops a js file
    (VirusTotal 1/22***) (Payload Security[4]) downloads from one of these 2 locations:
    http ://dacera .net/horizont.cv -or- http ://raimco .com/case.sub
    and gets converted/renamed to a working .exe file (VirusTotal 9/61[5])

    TNT version: RL82670483822.zip extracts to RL02993847001.doc VirusTotal 0/57[6]| Payload Security[7]

    Zip/JS version: QPABA0MCY0D2.zip extracts to 1A029837T2990101.pdf.js VirusTotal 3/57[8]|
    Payload Security[9] ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1495100198/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    2.17.22.36

    *** https://www.virustotal.com/en/file/c...is/1495100566/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    54.149.71.19
    77.104.189.47


    5] https://www.virustotal.com/en/file/8...889a/analysis/

    6] https://www.virustotal.com/en/file/2...is/1495101803/

    7] https://www.hybrid-analysis.com/samp...ironmentId=100

    8] https://www.virustotal.com/en/file/1...is/1495102966/

    9] https://www.hybrid-analysis.com/samp...ironmentId=100

    dacera .net: 54.149.71.19: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/cb...9b60/analysis/

    raimco .com: 77.104.189.47: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/file/8...889a/analysis/

    dacera .net/horizont.cv
    > https://www.virustotal.com/en/url/cb...9b60/analysis/

    raimco .com/case.sub
    > https://www.virustotal.com/en/url/8f...c432/analysis/
    ___

    Fake 'FedEx' SPAM - delivers -kovter- malware
    - https://myonlinesecurity.co.uk/big-c...-using-macros/
    18 May 2017 - "An email with the subject of 'FedEx Parcel #262844740, Delivery Unsuccessful' pretending to come from FedEx Customer Service <tamawuv52640888@ soie. in> (random email addresses) with a malicious word doc attachment delivers multiple malware... 'used to seeing these -fake- FedEx and other parcel delivery services emails, but they usually contain zip files and js files. It is -unusual- to have word macro attachments...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...x-delivery.png

    The instructions and image in the macro laden word doc have also -changed- from previous versions:
    > https://myonlinesecurity.co.uk/wp-co...livery-doc.png

    info_delivery.doc - Current Virus total detections 5/58*. Payload Security** shows a download from
    http ://regereeeeee .com/gate2.php?ff1 which appears to be a massive encrypted txt file (833kb) which appears to drop -kovter- (b215.exe ***) (VirusTotal 14/61[4])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script -or- an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...2b00/analysis/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (424)

    *** https://www.hybrid-analysis.com/samp...0183af2e4be850
    Contacted Hosts (424)

    4] https://www.virustotal.com/en/file/8...is/1495118313/

    regereeeeee .com: 13.58.26.56: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/ae...b9d4/analysis/

    > https://www.virustotal.com/en/url/95...c005/analysis/
    ___

    WannaCry Fact Sheet
    - https://www.us-cert.gov/ncas/current...Cry-Fact-Sheet
    Last revised: May 18, 2017
    >> https://ics-cert.us-cert.gov/sites/d...Ransomware.pdf
    "... Systems that have installed the MS17-010 patch* are -not- vulnerable to the exploits..."
    * https://technet.microsoft.com/en-us/.../ms17-010.aspx
    March 14, 2017

    Last edited by AplusWebMaster; 2017-05-19 at 14:42.
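A defender-side triage check for the attachment shapes described in #1202 (a zip containing a zip containing a .js) and #1204 (a zip whose payload is named like '1A029837T2990101.pdf.js'). This is an added example, not code from the forum posts or from myonlinesecurity.co.uk: it walks a zip attachment recursively in memory and reports script payloads, document-looking double extensions and nested archives, so a mail gateway can quarantine before a user ever sees the file. The sample archives are constructed inline with placeholder contents; only the filenames are borrowed from the posts, and the extension sets are my own choices.

```python
"""Nested-archive triage for mail attachments (added example, not from the posts)."""
import io
import zipfile

# Extensions that execute via Windows Script Host, mshta, Office macros or PowerShell.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".docm"}
# Extensions a lure borrows to look harmless, as in 'name.pdf.js'.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_DEPTH = 4                          # stop descending into endless zip-in-zip chains
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # refuse to inflate absurdly large members


def split_extensions(filename):
    """'dir/1A0298.pdf.js' -> ['.pdf', '.js']; a name without a dot gives []."""
    base = filename.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def classify_name(filename):
    """Findings for one member name: script payloads and document-looking double extensions."""
    findings = []
    exts = split_extensions(filename)
    if not exts:
        return findings
    if exts[-1] in SCRIPT_EXTENSIONS:
        findings.append("script payload")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and exts[-1] in SCRIPT_EXTENSIONS:
        findings.append("double extension disguised as document")
    return findings


def inspect_zip(data, label="attachment.zip", depth=0):
    """Recursively walk zip bytes in memory; return [(member_path, finding), ...]."""
    if depth > MAX_DEPTH:
        return [(label, f"nesting deeper than {MAX_DEPTH} levels")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []                      # not a zip (or corrupt): nothing to descend into
    results = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{label}!{info.filename}"
            for finding in classify_name(info.filename):
                results.append((member_path, finding))
            if info.file_size > MAX_MEMBER_BYTES:
                results.append((member_path, "oversized member skipped"))
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            if head.startswith(b"PK\x03\x04"):
                # Nested archive (the #1202 sample was a zip inside a zip): descend into it.
                results.append((member_path, "nested archive"))
                results.extend(inspect_zip(zf.read(info), member_path, depth + 1))
    return results


def build_zip(members):
    """Construct an in-memory zip from {name: bytes}; used only to build the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_findings():
    """Run the inspector over three constructed attachments shaped like the posts' samples."""
    # zip -> zip -> .js (shape of 262647732.zip -> 27000_packed.zip -> 27000.js in #1202)
    inner = build_zip({"27000.js": b"// placeholder text, not the real script\n"})
    nested = build_zip({"27000_packed.zip": inner})
    # zip -> name.pdf.js (shape of QPABA0MCY0D2.zip in #1204)
    double_ext = build_zip({"1A029837T2990101.pdf.js": b"// placeholder text\n"})
    # benign control: a plain document inside a zip
    benign = build_zip({"invoice.pdf": b"%PDF-1.4 placeholder\n"})
    return {
        "nested": inspect_zip(nested, "262647732.zip"),
        "double_ext": inspect_zip(double_ext, "QPABA0MCY0D2.zip"),
        "benign": inspect_zip(benign, "invoice.zip"),
    }


if __name__ == "__main__":
    for name, findings in sample_findings().items():
        print(name, findings or "clean")
```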

  5. #1205
    Adviser Team AplusWebMaster

    Fake 'blank' SPAM

    FYI...

    Fake 'blank' SPAM - doc/js attachment delivers ransomware
    - https://myonlinesecurity.co.uk/blank...-0-ransomware/
    21 May 2017 - "An empty/blank email with no subject pretending to come from jhavens@ mt .gov with a zip file that contains malicious word doc with an embedded OLE object delivers GlobeImposter 2.0 ransomware...
    The email looks like:
    From: jhavens@ mt .gov
    Date: Sun 21/05/2017 13:34
    Subject: none
    Attachment: 625855442530.zip
    Body content:
    totally blank/empty


    625855442530.zip - extracts to 1.doc - Current Virus total detections 0/56*. Payload Security**
    - drops a js file... (BR16E2~1 .JS) - VirusTotal 2/56[3] | Payload Security[4] downloads from
    http ://oldloverfg .top/admin.php?f=2 which gave yez348746.tae (VirusTotal 12/61[5]) | Payload Security[6]
    While encrypting your files the js file drops this html file with instructions how to pay the ransom & retrieve your files. They are charging 1 bitcoin which is currently approx. $2000 USD...
    > https://myonlinesecurity.co.uk/wp-co...ansom-note.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1495370663/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    47.91.93.208

    3] https://www.virustotal.com/en/file/6...is/1495370901/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    47.91.93.208

    5] https://www.virustotal.com/en/file/c...is/1495371343/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    oldloverfg .top: 47.91.93.208: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/5e...4e46/analysis/


  6. #1206
    Adviser Team AplusWebMaster

    Fake 'Invoice' SPAM

    FYI...

    Fake 'Invoice' SPAM - delivers ransomware
    - https://myonlinesecurity.co.uk/copy-...ff-ransomware/
    22 May 2017 - "... series of emails with pdf attachments that drops a malicious macro enabled word doc is an email with the subject of 'Invoice 43412591' (random numbers) pretending to come from noreply@ random companies that delivers Jaff ransomware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-43412591.png

    43412591.PDF - Current Virus total detections 13/56*. Payload Security** - drops QDLCPQKK.doc
    (VirusTotal 10/58[3]) (Payload Security [4]) downloads an encrypted txt file from
    http ://primary-ls .ru/jhg6fgh which is converted by the script to buzinat8.exe (VirusTotal 7/58[5])
    There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
    primary-ls .ru\jhg6fgh
    brotexxshferrogd .net\af\jhg6fgh
    herrossoidffr6644qa .top\af\jhg6fgh
    joesrv .com\jhg6fgh
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1495454756/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    141.8.195.87
    217.29.63.199


    3] https://www.virustotal.com/en/file/f...is/1495455867/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    141.8.195.87
    217.29.63.199


    5] https://www.virustotal.com/en/file/3...is/1495455099/

    primary-ls .ru: 141.8.195.87: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/79...d7c3/analysis/

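The posts defang every indicator by inserting spaces ('hxxp ://mdnchdbde .pw/search.php', 'http :// 185.162.8.231 :64646/logo.doc', and the macro's backslash-separated sites such as 'primary-ls .ru\jhg6fgh' in #1206); collapsing those back into a de-duplicated host list is the step a defender needs before loading them into a DNS filter like the Umbrella/OpenDNS setup mentioned in #1201. This is an added example, not code from the forum posts: the indicators it runs on are constructed in the same defanged style using reserved .example names and a 192.0.2.0/24 address, and the function names are my own.

```python
"""Normalise the forum's space-defanged indicators into a DNS blocklist (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed indicators in the posts' defanging style; reserved names, not real infrastructure.
SAMPLE_INDICATORS = [
    "hxxp ://bad-download .example/search.php",      # 'hxxp ://host .tld/path' style
    "http :// 192.0.2.45 :64646/logo.doc",          # IP with a spaced-out port
    "flowers-lookalike .example/hHGFjd",             # bare 'host .tld/path'
    "primary-payload .example\\af\\jhg6fgh",         # macro-style backslash path (#1206)
    "SecureMessage@ lookalike-bank .example",        # sender on a look-alike domain (#1203)
    "bad-download .example",                         # repeat of the first host, de-duplicated
]

_SCHEME = re.compile(r"^(hxxps?|https?)\s*:\s*//\s*", re.IGNORECASE)


def refang(indicator):
    """Collapse the space-defanging used in the posts back into a parseable string."""
    s = indicator.strip()
    s = _SCHEME.sub(lambda m: m.group(1).lower().replace("hxxp", "http") + "://", s)
    s = re.sub(r"\s+\.", ".", s)                       # 'host .tld'  -> 'host.tld'
    s = re.sub(r"\.\s+", ".", s)                       # 'yahoo. es'  -> 'yahoo.es'
    s = re.sub(r"\s*:\s*(?=\d{1,5}(/|$))", ":", s)     # ' :64646/'   -> ':64646/'
    s = re.sub(r"@\s+", "@", s)                        # 'user@ host' -> 'user@host'
    return s.replace("\\", "/")                        # 'host\\path' -> 'host/path'


def extract_host(indicator):
    """Return the hostname (domain or IP) an indicator points at, or None."""
    s = refang(indicator)
    if "@" in s and "://" not in s:
        s = s.rsplit("@", 1)[1]          # keep only the sender's domain
    if "://" not in s:
        s = "http://" + s                # urlsplit needs a scheme to find the netloc
    return urlsplit(s).hostname


def build_blocklist(indicators):
    """Split de-duplicated hosts into DNS-blockable domains and IPs for firewall rules."""
    domains, ips = set(), set()
    for indicator in indicators:
        host = extract_host(indicator)
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
    return {"domains": sorted(domains), "ips": sorted(ips)}


def sample_blocklist():
    """Blocklist built from the constructed indicators above."""
    return build_blocklist(SAMPLE_INDICATORS)


if __name__ == "__main__":
    for kind, hosts in sample_blocklist().items():
        print(kind, hosts)
```

Ports are kept by refang() but dropped by build_blocklist(), since a DNS filter blocks by name; keep refang()'s output if you need the full URL for a proxy rule.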

  7. #1207
    Adviser Team AplusWebMaster

    Jaff ransomware

    FYI...

    Jaff ransomware gets a makeover: fake -invoice- theme
    - https://isc.sans.edu/forums/diary/Ja...akeover/22446/
    2017-05-24 - "Since 2017-05-11, a new ransomware named 'Jaff' has been distributed through malicious spam (malspam) from the 'Necurs botnet':
    > https://securityintelligence.com/the...alicious-spam/
    This malspam uses PDF -attachments- with 'embedded Word documents' containing -malicious- macros. Victims must open the PDF attachment, -agree- to open the embedded Word document, then -enable- macros on the embedded Word document to -infect- their Windows computers:
    > https://isc.sans.edu/diaryimages/ima...y-image-01.jpg
    Prior to -Jaff- we've seen waves of malspam using the same PDF attachment/embedded Word doc scheme to push
    -Locky- ransomware. Prior to that, this type of malspam was pushing -Dridex-. With all the recent news about
    -WannaCry- ransomware, people might forget Jaff is an ongoing threat. Worse yet, some people might not know about it at all since its debut about 2 weeks ago. Jaff has already gotten a makeover, so an infected host looks noticeably different now... The emails: This specific wave of malspam used a -fake- invoice theme... I collected -20- emails... these emails -all- have PDF attachments, and each one contains an embedded Word document. The Word document contains malicious-macros designed to -infect- a Windows computer:
    > https://isc.sans.edu/diaryimages/ima...y-image-05.jpg
    The embedded Word document with malicious macros:
    > https://isc.sans.edu/diaryimages/ima...y-image-06.jpg
    Follow the entire infection chain, and you'll see minimal network traffic compared to other types of malware. The Word macros generate an initial URL to download an encoded Jaff binary, then we see one other URL for post-infection callback from an infected host... My infected host asked for 0.35630347 bitcoin as a ransom payment:
    > https://isc.sans.edu/diaryimages/ima...y-image-14.jpg
    ... Much of this malspam is easy to spot among the daily deluge of spam most organizations receive. However, this PDF attachment/embedded Word doc scheme is likely an attempt to bypass spam filtering... as long as it's profitable for the criminals behind it, we'll continue to see this type of malspam..."
    > http://www.malware-traffic-analysis..../24/index.html
    (More detail at the isc URL at the top of this post.)


  8. #1208
    Adviser Team AplusWebMaster

    Fake 'receipt', 'Reminder' SPAM

    FYI...

    Fake 'receipt' SPAM - delivers Jaff ransomware
    - https://myonlinesecurity.co.uk/more-...yments-emails/
    25 May 2017 - "... emails with pdf attachments that drops a malicious macro enabled word doc is an email with various subjects along the line of 'receipt, payment, payment receipt' etc. (random numbers) pretending to come from donotreply@ random email addresses and companies that delivers Jaff ransomware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ceipt-4830.png

    P4830.pdf - Current Virus total detections 12/56*. Payload Security** drops ELMIRJX.doc
    (VirusTotal 4/23[3]) (Payload Security[4]) downloads an encrypted txt file from
    http ://dreamybean .de/TrfHn4 which should be converted by the script to bruhadson8.exe (unfortunately payload security is showing this as a tiny data file, so something is going wrong there and there must be an anti-analysis element to the malware). There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1495710733/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    81.169.145.160

    3] https://www.virustotal.com/en/file/b...is/1495710997/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    81.169.145.160

    dreamybean .de: 81.169.145.160: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/6f...1cf5/analysis/
    > https://www.virustotal.com/en/url/ad...75f3/analysis/
    ___

    Fake 'Reminder' SPAM - RTF file exploits deliver malware
    - https://myonlinesecurity.co.uk/fake-...liver-malware/
    25 May 2017 - "... RTF files this time using the CVE-2017-0199* vulnerability that was fixed in April 2017** and again extra added protections by the May 2017 security updates***. If you haven’t got round to applying these essential patches yet, then go & do it NOW...
    * https://nvd.nist.gov/vuln/detail/CVE-2017-0199

    ** https://portal.msrc.microsoft.com/en.../CVE-2017-0199

    *** https://portal.msrc.microsoft.com/en...a-000d3a32fc99

    ... email with the subject of '2nd Reminder Final Demand – Notice of Legal Intention' pretending to come from creditcontrol@ bookatable .com with a malicious word doc attachment eventually delivers sharik/smoke loader after a convoluted download system involving .hta files and PowerShell...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...able-email.png

    294616_05152017.rtf - Current Virus total detections 28/57[1]. Payload Security[2] downloads an HTA file from
    http :// 185.162.8.231 :64646/logo.doc (VirusTotal 0/57[3]) which in turn uses powershell to download
    http :// 185.162.8.231 :64646/00001.exe (VirusTotal 48/59[4]) (Payload Security[5])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/c...is/1494977406/

    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.162.8.231: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/e8...fd1a/analysis/
    > https://www.virustotal.com/en/url/24...55f4/analysis/

    3] https://www.virustotal.com/en/file/d...is/1494854940/

    4] https://www.virustotal.com/en/file/5...is/1495445391/

    5] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.141.25.27
    193.104.215.58


    Last edited by AplusWebMaster; 2017-05-26 at 18:06.

  9. #1209
    AplusWebMaster (Adviser Team)

    Fake 'DHL' SPAM

    FYI...

    Fake 'DHL' SPAM - delivers js malware
    - https://myonlinesecurity.co.uk/fake-...rs-ransomware/
    27 May 2017 - "... an email with the subject of 'DHL Tracking Number for shipment 97 93745 186' (random numbers) pretending to come from DHL Corporation with a link in email body to download a file...
    Update: Thanks to Antelox* we now have an unpacked version of the malware which is being detected as a corebot / zbot variant (VirusTotal 10/59**) ... Microsoft describes this as TrojanProxy: Win32/Malynfits.A***...
    * https://twitter.com/Antelox/status/868414436264071168
    ... after lots of different tweets and conversations, found this from Brad (MalwareTraffic) confirming corebot with a nice writeup by him:
    > http://www.malware-traffic-analysis..../26/index.html

    ** https://www.virustotal.com/en/file/c...is/1495880747/

    *** https://www.microsoft.com/security/p...ID=-2147245786

    Screenshots(a): https://myonlinesecurity.co.uk/wp-co...lsystem_IE.png

    (b): https://myonlinesecurity.co.uk/wp-co...mailsystem.png

    invoice-0063827410370260857-000001870346531780753154078347.pdf.js - Current Virus total detections 5/56[1]
    Payload Security[2] shows a download of various files from the same server one being auvrq.exe
    (VirusTotal 20/61[3]) (Payload Security[4])... The link in email body (in the working versions) goes to
    http ://dhlmailsystem .com/documentdir/777126146374729609489374827 where you get slightly different behaviour depending on what browser you use to visit. If you use Internet Explorer or Google Chrome, you get a zip file containing a .js file. Using Firefox you get the .js file itself... you first see a page like this (b) with a message saying 'preparing download' with a countdown marker. When it reaches 0 the message becomes a -link- saying “click here to download if not started automatically” and the malware file is delivered... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/e...is/1495836615/

    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    89.223.27.247

    3] https://www.virustotal.com/en/file/c...is/1495865017/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    dhlmailsystem .com: 89.223.27.247: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/7d...2a6e/analysis/

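The download page described above hands IE and Chrome a ZIP containing a .js file and Firefox the .js itself, under a name like invoice-....pdf.js so that Windows (with known extensions hidden, the default) displays it as a PDF. The script below is an added example, not from the post or from myonlinesecurity: a gateway-side check that inspects a download or attachment, bare or inside a ZIP, for script extensions and for a decoy document extension in front of them. The ZIP and its contents are constructed in memory; the member file name is the one the post reports, the ZIP name is assumed.

```python
"""Gateway check for script files wearing document names, bare or inside a
ZIP. Added example; the ZIP built here is constructed in memory."""
import io
import zipfile

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat", ".scr"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# File name reported in the post; the content below is a placeholder, not the malware.
JS_NAME = "invoice-0063827410370260857-000001870346531780753154078347.pdf.js"
JS_BODY = b"// constructed placeholder\n"


def classify_name(name):
    """Reasons a file name is suspicious (empty list if none)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return []
    reasons = []
    last = "." + parts[-1]
    if last in SCRIPT_EXTS:
        reasons.append("script extension " + last)
        # Explorer hides known extensions by default, so 'x.pdf.js' is shown as 'x.pdf'
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            reasons.append("decoy extension ." + parts[-2] + " in front of " + last)
    return reasons


def inspect_download(filename, data):
    """Map of offending name -> reasons. ZIPs are opened and each member checked
    (the IE/Chrome case); anything else is judged by its own name (the Firefox case)."""
    findings = {}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reasons = classify_name(info.filename)
                if reasons:
                    findings[filename + "!" + info.filename] = reasons
    else:
        reasons = classify_name(filename)
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample_zip():
    """Constructed stand-in for the ZIP the download page serves to IE/Chrome."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(JS_NAME, JS_BODY)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_download("DHL_Tracking.zip", build_sample_zip()))
    print(inspect_download(JS_NAME, JS_BODY))
    print(inspect_download("report.pdf", b"%PDF-1.4\n"))
```

The check goes one archive level deep on purpose; a ZIP inside a ZIP, or a password-protected one, should be treated as a finding in its own right rather than silently passed, since both are standard ways around exactly this kind of filter.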

  10. #1210
    AplusWebMaster (Adviser Team)

    Fake 'documents', 'Notification' SPAM

    FYI...

    Fake 'documents' SPAM - xls attachment delivers malware
    - https://myonlinesecurity.co.uk/docum...known-malware/
    30 May 2017 - "An email with the subject of 'documents' pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment delivers malware... Some subjects in this malspam campaign include ...
    inv. payment
    documents


    Screenshot: https://myonlinesecurity.co.uk/wp-co...ent-austin.png

    61759684.xls - Current Virus total detections 6/56[1]: Payload Security[2] wasn’t able to decode or decrypt the macro but a very quick & easy manual examination shows downloads from
    http ://cautiousvirus .com/mbtrf.exe (VirusTotal 7/60[3]) (Payload Security[4])... The macro in the xls document is trivially encoded by using reverse strings... Opening the XLS attachment gives this -fake- invoice:
    > https://myonlinesecurity.co.uk/wp-co...759684_xls.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/5...is/1496135720/

    2] https://www.hybrid-analysis.com/samp...ironmentId=100

    3] https://www.virustotal.com/en/file/2...f973/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    cautiousvirus .com: 54.91.240.28: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/38...12c0/analysis/
    ___

    Fake 'Notification' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    30 May 2017 - "An email with the subject of 'Notification of direct debit of fees' pretending to come from HM Land Registry but actually coming from a look-alike domain... with a malicious word doc attachment... -spoof- of a well known company, bank or public authority delivering malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...it-of-fees.png

    Opening the word doc (in protected mode where it is safe) gives this which tries to convince you it is genuine:
    > https://myonlinesecurity.co.uk/wp-co...gistry-doc.png

    apl053017_045894595.doc - Current Virus total detections 5/56*. Payload Security** shows a download from
    http ://200.7.105.13 /jpon13.exe (VirusTotal 7/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1496147244/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    200.7.105.13
    184.87.218.172
    185.141.25.27


    *** https://www.virustotal.com/en/file/7...is/1496137829/

    200.7.105.13: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/58...37cb/analysis/

    Last edited by AplusWebMaster; 2017-05-30 at 21:03.
