Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  Post #34 by AplusWebMaster (Adviser Team)

    Fake 'Remittance Advice' SPAM, Zeus phish...

    FYI...

    Fake 'Remittance Advice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2014/12/spam...om-anglia.html
    10 Dec 2014 - "This spam email does not come from Anglia Engineering Solutions Ltd but instead comes from a criminally-operated botnet and has a malicious attachment.
    From: Serena Dotson
    Date: 10 December 2014 at 10:33
    Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 334563N]
    Dear ,
    We are making a payment to you.
    Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
    If you have any questions regarding the remittance please contact us using the details below.
    Kind regards
    Serena Dotson
    Anglia Engineering Solutions Ltd ...


    The sender's name, ID number and attachment name vary from spam email to spam email. It comes with one of two Excel attachments, both of which are malicious but are undetected by any AV product [1] [2]; each contains one of two malicious macros... which attempts to download an executable from the following locations:
    http ://217.174.240.46:8080/stat/lld.php
    http ://187.33.2.211:8080/stat/lld.php
    This file is downloaded as test.exe and is then copied to %TEMP%\LNUDTUFLKOJ.exe. This executable has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows attempted connections to the following IPs:
    194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
    84.92.26.50 (PlusNet, UK)
    87.106.246.201 (1&1, Germany)
    Traffic to 194.146.136.1 is also confirmed by VirusTotal. The Malwr report shows the same traffic. The payload is most likely Dridex, a banking trojan. I recommend that you block traffic to the following IPs:
    194.146.136.1
    84.92.26.50
    87.106.246.201
    217.174.240.46
    187.33.2.211 "
    1] https://www.virustotal.com/en/file/5...is/1418208470/

    2] https://www.virustotal.com/en/file/1...is/1418208468/

    * https://www.virustotal.com/en/file/c...is/1418208856/

    - http://myonlinesecurity.co.uk/remitt...l-xls-malware/
    10 Dec 2014
    Screenshot: http://myonlinesecurity.co.uk/wp-con...-Solutions.jpg

    * https://www.virustotal.com/en/file/1...is/1418209362/

    ** https://www.virustotal.com/en/file/5...is/1418209779/
    ___

    Fake JPMorgan Chase – ACH – Bank account info SPAM – PDF malware
    - http://myonlinesecurity.co.uk/gre-pr...e-pdf-malware/
    10 Dec 2014 - "'ACH – Bank account information form' pretending to come from random names at jpmchase.com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please fill out and return the attached ACH form along with a copy of a voided check.
    Jules Hebert,
    JPMorgan Chase
    GRE Project Accounting
    Vendor Management & Bid/Supervisor
    Fax-602-221-2251
    Jules.Hebert@ jpmchase .com
    GRE Project Accounting


    10 December 2014: Check_Copy_Void.zip: Extracts to: Check_Copy_Void.scr
    Current Virus total detections: 5/56* . This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1418238116/
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    213.175.194.96: https://www.virustotal.com/en/ip-add...6/information/
    UDP communications
    107.23.150.92: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'PRODUCT ENQUIRY' SPAM - jpg malware
    - http://myonlinesecurity.co.uk/re-pro...e-jpg-malware/
    10 Dec 2014 - "'RE: PRODUCT ENQUIRY' coming from a random company with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Hello,
    We are very interested in your product line. We got your profile from sister-companies. Can you please email me the list of all your Class A products and their prices? How much is the minimum order for shipping? What is the mode of payment and can you ship to Stockholm (SWEDEN)?
    Please refer to the attached photo in my email. I was informed that this was purchased from your company. I would also like to order this product. Can you send the product code in your reply.
    Thank you very much
    Stven Clark
    Lindhagensgatan 90,
    112 18 Stockholm,
    SWEDEN…


    10 December 2014: Product Image NO. 1_jpeg…………….. (1).7z:
    Extracts to: Product Image NO. GXD46474848494DHW_jpeg…………….. (1).exe
    Current Virus total detections: 2/56* . This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper jpg file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1418220978/
    ___

    85% of website scams - China
    - http://www.theregister.co.uk/2014/12...website_scams/
    10 Dec 2014 - "Chinese internet users are behind 85 per cent of -fake- websites, according to a semi-annual report [PDF*] from the Anti-Phishing Working Group (APWG). Of the 22,679 -malicious- domain registrations that the group reviewed, over 19,000 were registered to servers based in China. This is in addition to nearly 60,000 websites that were hacked in the first half of 2014 and then used to acquire people's details and credit card information while pretending to offer real goods or services. Chinese registrars were also the worst offenders, with nine of the top ten companies with the highest percentages of phished domains based in China. Dot-com domains are the most popular for phishing sites, being used in 51 per cent of cases, but when it comes down to the percentage of phished domains against the number of domains under that registry, the clear winner is the Central African Republic's dot-cf, with more than 1,200 phished domains out of a total of 40,000 (followed by Mali's dot-ml, Palau's dot-pw and Gabon's dot-ga). Despite concerted efforts to crack down on fake websites, little improvement was made on the last report in terms of uptime (although it is significantly lower than when the group first started its work back in 2010). The average uptime of a phishing site was 32 hours, whereas the median was just under 9 hours. As for the phishers' targets: Apple headed the list for the first time, being used in 18 per cent of all attacks, beating out perennial favorite PayPal with just 14 per cent. Despite some fears, the introduction of hundreds of new generic top-level domains has not led to a noticeable increase in phishing, according to the report. The authors posit that this may be because of the higher average price of new gTLDs, although they expect the number of new gTLD phished domains to increase as adoption grows and websites are compromised. Around 20 per cent of phishing attacks are achieved through hacking of vulnerable shared hosting providers..."
    * http://docs.apwg.org/reports/APWG_Gl...rt_1H_2014.pdf
    ___

    Zeus malware thru browser warning: social engineering...
    - http://blog.phishlabs.com/zeus-malwa...-at-its-finest
    Dec 5, '14 - "Zeus malware continues to plague the Internet with distributions through spam emails and embeds in compromised corners of the web – all designed to exploit unsuspecting consumers. PhishLabs’ R.A.I.D. (Research Analysis and Intelligence Division) recently observed the Zeus malware being distributed through an alarmingly convincing browser warning that prompts viewers to download and “restore settings”... designed to manipulate viewers so that they believe the alert is based on security preferences that he or she has previously set up. The message creates a sense of urgency and fear, warning of “unusual activity”... Generally speaking, grammar and spelling are often indicators of fake or malicious requests that lead to malware but cybercriminals have caught on to this vulnerability and stepped up their game. Although it is not perfect, the warning observed in this case was much more accurate than what we usually see. The warning states:
    “REPORTED BROWSER ONLINE DOCUMENT FILE READER WARNING”. We have detected unusual activities on your browser and the Current Online Document File Reader has been blocked base on your security preferences. It is recommended that you update to the latest version available in order to restore your settings and view Documents."
    Browser warning leading to Zeus malware download:
    > http://info.phishlabs.com/hs-fs/hub/...er_Warning.png
    The fake browser warning requires the user to click the "Download and Install" button. Once clicked, the victim is redirected to a site that downloads the Zeus executable (Zbot) malware. The R.A.I.D was able to track the malware back to the Zeus control panel...
    Zeus (Zbot) malware control panel:
    > http://info.phishlabs.com/hs-fs/hub/...rol_Panel..png
    Web users should be on the lookout for this kind of social engineering that capitalizes on fear and misleads users to believe the alert is showing up based on user-defined preferences. Zeus is a dangerous malware that continues to be distributed through sophisticated avenues. In the past, Zeus infections have led to exploitation of machines, making them part of a -botnet-, as well as bank account takeovers and fraud."

    Last edited by AplusWebMaster; 2014-12-11 at 03:03.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
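Added example, not part of the post above or of the blogs it quotes: a small Python triage script built from the indicators in the two myonlinesecurity write-ups and the Dynamoo write-up. It flags attachment names that rely on the spoofed-icon trick (an executable extension behind a document or image name, as in Check_Copy_Void.scr and the "_jpeg…………….. (1).exe" sample), and it scans firewall log lines for the five IPs the Dynamoo post recommends blocking, reporting which internal hosts reached them. The log format, the sample log lines, the .xls filename and the function names are assumptions made for the example.

```python
import os
import re
from typing import Dict, Iterable, List, Optional, Set

# The five IPs the Dynamoo write-up quoted above recommends blocking.
DRIDEX_BLOCKLIST = frozenset({
    "194.146.136.1",
    "84.92.26.50",
    "87.106.246.201",
    "217.174.240.46",
    "187.33.2.211",
})

# Extensions Windows executes on double-click. Explorer hides the last
# extension by default, so 'Check_Copy_Void.scr' is shown as 'Check_Copy_Void'
# with whatever icon the binary embeds (a PDF icon in the sample above).
EXECUTABLE_EXTENSIONS = frozenset({".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"})

# Document/image names the samples above imitate inside the filename body.
DECOY_HINTS = ("jpeg", "jpg", "pdf", "png", "doc", "xls")

# Filler the '_jpeg…………….. (1).exe' sample uses to push the real extension out of
# sight: whitespace, ASCII dots, Unicode ellipses and '(n)' download-copy suffixes.
FILLER = re.compile(r"[\s.\u2026]+|\(\d+\)")


def classify_attachment(filename: str) -> Optional[str]:
    """Return a reason string if the attachment is executable, else None.

    Apply this to the name *inside* the zip/7z; the archive itself is not flagged.
    """
    name = filename.strip().lower()
    ext = os.path.splitext(name)[1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    stem = FILLER.sub("", name[: -len(ext)])
    for hint in DECOY_HINTS:
        if stem.endswith(hint):
            return f"executable {ext} disguised as .{hint}"
    return f"executable attachment {ext}"


# Assumed firewall log format (constructed for this example):
#   <timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LOG_FIELDS = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def find_blocklist_hits(lines: Iterable[str], blocklist=DRIDEX_BLOCKLIST) -> List[Dict]:
    """Return one record per log line whose destination is on the blocklist."""
    hits = []
    for line in lines:
        m = LOG_FIELDS.match(line)
        if m and m.group("dst") in blocklist:
            hits.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "dst": m.group("dst"),
                "dport": int(m.group("dport")),
            })
    return hits


def suspected_hosts(hits: List[Dict]) -> Set[str]:
    """Internal hosts that talked to a blocklisted IP; candidates for isolation."""
    return {h["src"] for h in hits}


# Constructed sample log: 10.0.0.15 fetches the macro payload from the 8080
# download server, then beacons to two of the post-infection IPs.
SAMPLE_LOG = [
    "2014-12-10T10:41:02Z src=10.0.0.15 dst=217.174.240.46 dport=8080 action=allow",
    "2014-12-10T10:41:09Z src=10.0.0.15 dst=194.146.136.1 dport=443 action=allow",
    "2014-12-10T10:42:30Z src=10.0.0.22 dst=198.51.100.7 dport=443 action=allow",
    "2014-12-10T10:43:11Z src=10.0.0.15 dst=87.106.246.201 dport=80 action=allow",
]

# First two names are from the write-ups quoted above; the .xls name is constructed.
SAMPLE_ATTACHMENTS = [
    "Check_Copy_Void.scr",
    "Product Image NO. GXD46474848494DHW_jpeg…………….. (1).exe",
    "Remittance_Advice_334563N.xls",
]

if __name__ == "__main__":
    for attachment in SAMPLE_ATTACHMENTS:
        print(f"{attachment!r}: {classify_attachment(attachment)}")
    found = find_blocklist_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']}")
    print("hosts to isolate:", sorted(suspected_hosts(found)))
```

The filename check only catches the icon-spoofing trick; the macro-laden .xls from the first write-up passes it untouched, which is why the log check is paired with it: the two IPs on port 8080 are the download stage and the remaining three are post-infection traffic, so a hit on any of them from an internal host is worth an isolation ticket regardless of how the attachment looked.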
