Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  Post #34 by AplusWebMaster (Adviser Team)

    Fake RBS SPAM, Exploit kit redirection ...

    FYI...

    Fake RBS SPAM - leads to malicious ZIP file
    - http://blog.dynamoo.com/2014/06/rbs-...-leads-to.html
    25 June 2014 - "This -fake- RBS spam leads to malware:
    From: Bankline.Administrator@ rbs .co.uk [Bankline.Administrator@ rbs .co.uk]
    Date: 25 June 2014 15:25
    Subject: Outstanding invoice
    Dear [redacted],
    Please download on the link below from dropbox copy invoice which is showing as unpaid on our ledger.
    http ://figarofinefood .com/share/document-128_712.zip
    I would be grateful if you could look into this matter and advise on an expected payment date .
    Many thanks
    Max Francis
    Credit Control ...


    The link isn't a Dropbox link at all, but it downloads an archive file from [donotclick]figarofinefood.com/share/document-128_712.zip which contains the malicious executable document-128_712.scr which has a VirusTotal detection rate of 4/54*. Automated analysis tools... show that it attempts to phone home to babyslutsnil .com on 199.127.225.232 (Tocici LLC, US). That domain was registered a few days ago..."
    * https://www.virustotal.com/en-gb/fil...is/1403708638/

    199.127.225.232: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake Payment Advice / CHAPS credits – PDF malware ...
    - http://myonlinesecurity.co.uk/paymen...e-pdf-malware/
    25 June 2014 - "Payment Advice – Advice Ref:[GB960814205896] / CHAPS credits... pretending to come from HSBC Advising Service... mail.hsbcnet.hsbc .com... is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
    Sir/Madam,
    Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.
    Download link:
    http ://salamatiancar .ir/css/document-128_712.zip
    Yours faithfully,
    Global Payments and Cash Management
    HSBC ...


    An alternative version of this malware email is "Outstanding invoice", pretending to come from Bankline.Administrator@ rbs .co .uk
    Dear scans,
    Please download on the link below from dropbox copy invoice which is showing as unpaid on our ledger.
    http ://figarofinefood .com/share/document-128_712.zip
    I would be grateful if you could look into this matter and advise on an expected payment date .
    Many thanks
    Jack Duncan
    Credit Control ...


    Today's Date: document-128_712.zip (95kb) Extracted file name: document-128_712.scr
    Current Virus total detections: 5/54* ... another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...81f5/analysis/
    ___

    Fake Amazon order/email contains trojan
    - http://blog.mxlab.eu/2014/06/25/fake...ntains-trojan/
    June 25, 2014 - "... new trojan distribution campaign by email with the subject “Order Details”.
    This email is sent from the spoofed address “delivers@ amazon .com”...

    Screenshot: http://img.blog.mxlab.eu/2014/20140625_amazon.gif

    The attached ZIP file has the name order_id_78362477.zip and contains the 118 kB large file order_id_7836247823678423678462387.exe. The trojan is known as Win32:Malware-gen, Trojan.Win32.Krap.2!O, Spyware.Zbot.VXGen, PE:Malware.XPACK-HIE/Heur!1.9C48 or TROJ_GEN.F0D1H0ZFP14. At the time of writing, 7 of the 54 AV engines did detect the trojan at Virus Total*. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
    SHA256: d12526fc430fa213d77f8523a89c92c5f4e0d11deacbaf5c160a16f87ed5adc3."
    * https://www.virustotal.com/en/file/d...is/1403726988/

    ** https://malwr.com/analysis/ZjQ4OGMwZ...U2NmJjOTg2N2Q/
    ___

    PlugX RAT with “Time Bomb” abuses Dropbox for C&C settings
    - http://blog.trendmicro.com/trendlabs...trol-settings/
    June 25, 2014 - "Monitoring network traffic is one of the means for IT administrators to determine if there is an ongoing targeted attack in the network. Remote access tools or RATs, commonly seen in targeted attack campaigns, are employed to establish command-and-control (C&C) communications. Although the network traffic of these RATs, such as Gh0st, PoisonIvy, Hupigon, and PlugX, among others, are well-known and can be detected, threat actors still effectively use these tools in targeted attacks. Last May we encountered a targeted attack that hit a government agency in Taiwan. In the said attack, threat actors used PlugX RAT that abused Dropbox to download its C&C settings. The Dropbox abuse is no longer new since an attack before employed this platform to host the malware. However, this is the first instance we’ve seen this technique of using Dropbox to update its C&C settings... Although there are differences in the features of types I and II PlugX, the similarities in certain techniques and indicators of compromise can aid in mitigating the risks posed to confidential data. Targeted attack campaigns that used PlugX can be detected via threat intelligence. The publicly available information on indicators of compromise can determine if an enterprise is being hit by targeted attacks... we didn’t find any vulnerability in Dropbox during our investigation and other similar cloud applications could be used in this manner. Dropbox was already informed of this incident as of posting."
    ___

    Havex hunts for ICS/SCADA systems
    - http://www.f-secure.com/weblog/archives/00002718.html
    June 23, 2014 - "... we've been keeping a close eye on the Havex malware family and the group behind it. Havex is known to be used in targeted attacks against different industry sectors, and it was earlier reported to have specific interest in the energy sector. The main components of Havex are a general purpose Remote Access Trojan (RAT) and a server written in PHP. The name "Havex" is clearly visible in the server source code... Havex took a specific interest in Industrial Control Systems (ICS)... The attackers have trojanized software available for download from ICS/SCADA manufacturer websites in an attempt to infect the computers where the software is installed to. We gathered and analyzed -88- variants of the Havex RAT used to gain access to, and harvest data from, networks and machines of interest. This analysis included investigation of -146- command and control (C&C) servers contacted by the variants, which in turn involved tracing around -1500- IP addresses in an attempt to identify victims. The attackers use compromised websites, mainly blogs, as C&C servers... We also identified an additional component used by the attackers that includes code to harvest data from infected machines used in ICS/SCADA systems. This indicates that the attackers are not just interested in compromising the networks of companies they are interested in, but are also motivated in having control of the ICS/SCADA systems in those organizations. The source of this motivation is unclear to us... The Havex RAT is distributed at least through following channels:
    - Spam email
    - Exploit kits
    - Trojanized installers planted on compromised vendor sites
    ... Of more interest is the third channel, which could be considered a form of "watering-hole attack", as the attackers chose to compromise an intermediary target - the ICS vendor site - in order to gain access to the actual targets. It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers. Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were -trojanized- to include the Havex RAT. We suspect more similar cases exist but have not been identified yet... All of these entities are associated in some way with the development or use of industrial applications or machines. The majority of the victims are located in Europe, though at the time of writing at least one company in California was also observed sending data to the C&C servers. Of the European-based organizations, two are major educational institutions in France that are known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction company that appears to specialize in structural engineering... Summary: The attackers behind Havex are conducting industrial espionage using a clever method. Trojanizing ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure. The method of using -compromised- servers as C&C's is typical for this group... We managed to monitor infected computers connecting to the servers and identify victims from several industry sectors. The additional payload used to gather details about ICS/SCADA hardware connected to infected devices shows the attackers have direct interest in controlling such environments. This is a pattern that is not commonly observed today..."
    ___

    Interactive exploit kit redirection technique
    - http://www.welivesecurity.com/2014/0...ion-technique/
    20 June 2014 - "The usual pattern we see when dealing with exploit kits starts with a legitimate website that gets compromised and used to automatically redirect its visitors to the actual malicious content. Techniques such as iFrame injection and HTTP -redirections- are frequently observed. This week though, we found an interesting variation while doing research on some exploit kit traffic. We noticed that the compromised website contained code that actually interacts with the user by presenting a -fake- message about some script slowing down the browser:
    > http://www.welivesecurity.com/wp-con...e_warning2.png
    The code responsible for this interaction is an injected HTML form that is shown only when the visiting browser is Internet Explorer... Of course, clicking on either Cancel or OK triggers the same POST request to an intermediate page, which in turn -redirects- the visitor to the Angler exploit kit by returning a small snippet of HTML and Javascript code... Typically the visitors are automatically redirected to the exploit kit when they visit a compromised website, so why bother with displaying a message first? It might be to prevent automated systems (malware analysis sandboxes, search-engine bots etc.) from reaching the exploit kit, making it harder for researchers to track and investigate such a threat. The malware that was being distributed at the time we performed our research was Win32/PSW.Papras.CX* (SHA1: 7484063282050af9117605a49770ea761eb4549d)."
    * http://www.virusradar.com/en/Win32_P...CX/description

    Last edited by AplusWebMaster; 2014-06-26 at 00:57.
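As an added example (not part of the post or of any of the quoted blogs), a short Python check that a mail gateway or an analyst could run over an attachment archive like the document-128_712.zip and order_id_78362477.zip ones above. It flags archive members whose extension is executable, whose content carries the PE "MZ" magic under a document extension, or whose name is document-like, which is the spoofed-icon .scr trick that relies on "show known file extensions" being off. The archive contents are constructed here for the demonstration, not real samples.

```python
import io
import posixpath
import zipfile

# Extensions Windows executes as programs; the campaigns above ship ".scr" and
# ".exe" payloads with a document icon so they pass for a PDF or an invoice.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_HINTS = ("invoice", "document", "order", "payment", "advice", "scan")


def suspicious_members(zip_bytes):
    """Return [(member name, [reasons])] for archive entries that look like a
    document but are really executable. The check combines the file extension
    with the PE 'MZ' magic, so a binary renamed to .pdf is still reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = posixpath.basename(info.filename).lower()
            stem, ext = posixpath.splitext(base)
            with zf.open(info) as member:
                is_pe = member.read(2) == b"MZ"
            is_exe_ext = ext in EXECUTABLE_EXTS
            reasons = []
            if is_exe_ext:
                reasons.append("executable extension " + ext)
                if "." in stem:  # e.g. invoice.pdf.exe
                    reasons.append("double extension")
            elif is_pe:
                reasons.append("PE header under non-executable extension " + (ext or "(none)"))
            if (is_exe_ext or is_pe) and any(h in stem for h in DOCUMENT_HINTS):
                reasons.append("document-like name")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed test archive (not a real sample): three disguised PE stubs
    next to one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document-128_712.scr", b"MZ" + b"\x00" * 64)  # named like the RBS lure
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("report.pdf", b"MZ" + b"\x00" * 64)  # binary renamed to .pdf
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


def analyze_sample():
    return suspicious_members(build_sample_zip())
```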
