Thread: SPAM frauds, fakes, and other MALWARE deliveries...

#34 - AplusWebMaster (Adviser Team)
    Fake 'Invoice# 2976361' SPAM, "Logjam" ...

    FYI...

    Fake 'Invoice# 2976361' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/05/malw...-attached.html
    21 May 2015 - "So far I have only seen one sample of this. The sender and subject may vary.
    From: PGOMEZ@polyair .co .uk
    Date: 21 May 2015 at 08:58
    Subject: Invoice# 2976361 Attached
    Invoice Attached - please confirm..


    Attached is a malicious file with the not-very-imaginative name 00001.doc [VT 4/56*] which contains this malicious macro [pastebin] that downloads a component from the following location:
    http ://mercury.powerweave .com/72/11.exe
    This download site is hosted on 50.97.147.195 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that -other- versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57**. Automated analysis tools... show attempted communications with the following IPs:
    78.24.218.186 (TheFirst-RU, Russia)
    78.46.60.131 (Hetzner, Germany)
    87.236.215.151 (OneGbits, Lithuania)
    94.242.58.146 (Fishnet Communications, Russia)
    130.208.166.65 (The University of Iceland, Iceland)
    176.31.28.250 (OVH, France / Bitweb LLC, Russia)
    185.12.95.191 (RuWeb, Russia)
    The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57***.
    Recommended blocklist:
    78.46.60.131
    87.236.215.151
    94.242.58.146
    130.208.166.65
    176.31.28.250
    185.12.95.191
    50.97.147.195
    "
    * https://www.virustotal.com/en/file/7...is/1432196986/

    ** https://www.virustotal.com/en/file/4...is/1432197071/

    *** https://www.virustotal.com/en/file/5...is/1432198215/


    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    21 May 2015
    > https://www.virustotal.com/en/file/7...is/1432194451/
    000001.DOC

    mercury.powerweave .com: 50.97.147.195: https://www.virustotal.com/en/ip-add...5/information/
    ___

    Fake 'Travel order confirmation' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/travel...sheet-malware/
    21 May 2015 - "'Travel order confirmation 0300202959' pretending to come from overseastravel@ caravanclub .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Customer,
    Thank you for your travel order.
    Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.
    Now you have booked your trip why not let The Club help you make the most of your stay?
    Did you know The Club has a wide selection of travel advice on the website as well as directions to all our overseas sites?
    Want some inspiration on more sites across Europe? Take a look at our Caravan Europe Guides.
    If you’ve not already taken out holiday insurance why not let The Club give you a Red Pennant quote online .
    Yours sincerely
    The Caravan Club
    This email is sent from the offices of The Caravan Club, a company limited by guarantee (Company Number: 00646027). The registered office is East Grinstead House, London Road, East Grinstead, West Sussex, RH19 1UA...


    21 May 2015: Travel Order Confirmation – 0300202959.doc
    Current VirusTotal detections: 4/57* ... downloads -same- Dridex malware as today’s other word doc malspam run Invoice# 2976361 Attached – word doc or excel xls spreadsheet malware:
    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1432197951/

    - http://blog.dynamoo.com/2015/05/malw...firmation.html
    21 May 2015 - "... Travel Order Confirmation - 0300202959.doc, however the payload seems to be identical to the one found in this earlier spam run*."
    * http://blog.dynamoo.com/2015/05/malw...-attached.html
    ___

    Fake 'Pampered Chef' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/recipe...e-pdf-malware/
    21 May 2015 - "'Recipes for your new Pampered Chef Baker' coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    Hello!
    I know you’ll love your new Pampered Chef baker! Thank you for your order.
    Attached are Deep Covered Baker recipes.
    Many Deep Covered Baker Recipes can also be made in the smaller, Round Covered Baker.
    For microwave recipes, use half the ingredients and half the bake time suggested. For oven recipes, use half the
    ingredients but follow recommended bake times or visual indicators in the recipe.
    Enjoy!
    Please contact me if you have questions or concerns.
    Thank you,
    Robbin


    21 May 2015: Pampered_ingredients.zip: Extracts to: Pampered_ingredients.exe
    Current VirusTotal detections: 3/57* . There are several different versions of the malware floating around. This is just one example. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1432205437/
    ___

    Fake 'Unpaid Invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/unpaid...e-pdf-malware/
    21 May 2015 - "'Unpaid Invoice' pretending to come from HMRC .gov .uk <application@ hmrc .gov .uk> with a zip attachment is another one from the current bot runs... The email looks like:
    Please pay this invoice at your earliest opportunity.

    21 May 2015: invoice_8467_08202014.zip: Extracts to: invoice_8467_08202014.scr
    Current VirusTotal detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1432226961/
    ___

    Exploit kits delivering Necurs
    - https://isc.sans.edu/diary.html?storyid=19719
    2015-05-21 - "In the past few days, we've seen Nuclear and Angler exploit kits (EKs) delivering -malware- identified as Necurs... Necurs is a type of malware that opens a back door on the infected computer [1]. It may also disable antivirus products as well as download additional malware [1][2]... I saw Necurs as a malware payload from Nuclear and Angler EKs last week... In each case, traffic went through a gate on 185.14.30.218 (between the compromised website and the EK landing page). We ran across Nuclear EK delivering Necurs again on 2015-05-20. In this example, the gate was on 91.121.63.249..."
    (More detail at the isc URL above.)

    [1] https://www.symantec.com/security_re...121212-2802-99

    [2] https://www.microsoft.com/security/p...n:Win32/Necurs

    185.14.30.218: https://www.virustotal.com/en/ip-add...8/information/

    91.121.63.249: https://www.virustotal.com/en/ip-add...9/information/
    ___

    “Facebook Recovery” accounts share Phishing link, offer Tech Support
    - https://blog.malwarebytes.org/fraud-...-tech-support/
    May 21, 2015 - "We’ve seen a certain j.mp -shortened- URL being shared by what we believe are
    -rogue- (if not compromised) accounts within Facebook a couple of days ago. In the below sample we recovered, the URL in question is part of a message from another account called “Facebook recovery” — a truly -fake- one... that is up to task of notifying users that their accounts have been reported for abuse and will likely be disabled if they don’t act on the notice ASAP:
    > https://blog.malwarebytes.org/wp-con...-spam-post.png
    The URL, of course, hides the below phishing page:
    > https://blog.malwarebytes.org/wp-con...ge-default.png
    The blurb on the page is the same as the spammed message on Facebook. Once a user enters the credentials asked for and clicks Log In, data is posted to recovery.php, and then users are -redirected- to this payment page, which asks for his/her full name, credit card details, and billing address:
    > https://blog.malwarebytes.org/wp-con...ng-payment.png
    We have no idea why all of a sudden the account that claims to be a legitimate entity from Facebook is asking for a form of monetary compensation for the recovery of accounts. Perhaps that is what the phishers meant when they said “help us do more for security and convenience for everyone”. We have looked at the stats for the j.mp URL and found that it didn’t yield that many clicks from the time of its creation up to the present... It’s highly likely that the URL is not shared during these days, making it less visible than your average malicious URL. Less visibility also means that potentially fewer companies would be able to block it due to flying under the radar. VT results for the j.mp URL show this*.
    * https://www.virustotal.com/en/url/b5...is/1432202719/
    Furthermore, the majority of clicks are mostly from Asian countries and the United States:
    > https://blog.malwarebytes.org/wp-con...er-country.png
    We did a simple search on Facebook for accounts that may contain the string “Facebook recovery”. To date, we found more than 40... If you see posts on your feed that appear similar to the Facebook post we discussed here, whether it continues to bear the same URL or not, it’s best to -ignore- it and warn your network about an on-going -spam- campaign."

    recovery-page-php .zz .mu: 185.28.21.145: https://www.virustotal.com/en/ip-add...5/information/
    ___

    "Logjam"...
    - https://blog.malwarebytes.org/securi...-need-to-know/
    May 20, 2015 - "... Dubbed as Logjam, the vulnerability affects home users -and- corporations alike, and over 80,000 of the top one million domains worldwide were found to be vulnerable. The original report on Logjam can be found here:
    - https://weakdh.org/
    ... While much of the research is performed against a Diffie-Hellman 512-bit key group, the researchers behind the Logjam discovery also speculate that 1024-bit groups could be vulnerable to those with “nation-state” resources, making a suggestion that groups like the NSA might have already accomplished this... A comprehensive look at all of their research can be found here:
    - https://weakdh.org/imperfect-forward-secrecy.pdf
    ... At the time of this writing, patches are still in the works for all the major web browsers, including Chrome, Firefox, Safari, and Internet Explorer. They should be released in the next day or two, so ensure your browser updates correctly once it's released. These updates should reject Diffie-Hellman key lengths that are less than 1024 bits..."

    Also see:
    - https://isc.sans.edu/diary.html?storyid=19717
    2015-05-20

    Last edited by AplusWebMaster; 2015-05-21 at 21:18.
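The indicators quoted in this post (Dynamoo's recommended Dridex blocklist and the macro's download URL, the Necurs exploit-kit gate IPs from the ISC diary, and the host behind the "Facebook Recovery" phishing page) are only useful if they are actually checked against traffic. The following is an added example, not code from any of the blogs quoted above: a small Python matcher that runs those indicator values over proxy log lines. The log format, the sample lines and the client addresses are constructed for the example; the regular expression would need to be adapted to a real proxy's format. Note that 78.24.218.186 appears in Dynamoo's observed-traffic list but not in his recommended blocklist, so it is left out here as well.

```python
"""Match proxy log lines against the indicators quoted in the post.

Indicator values are taken from the post; the log format and lines are
constructed for this example (they are not real traffic).
"""
import re
from urllib.parse import urlsplit

# IP indicators, tagged with the campaign they were quoted for.
IP_INDICATORS = {
    # Dridex: macro download site (mercury.powerweave.com) and Dynamoo's blocklist
    "50.97.147.195": "dridex download site",
    "78.46.60.131": "dridex c2",
    "87.236.215.151": "dridex c2",
    "94.242.58.146": "dridex c2",
    "130.208.166.65": "dridex c2",
    "176.31.28.250": "dridex c2",
    "185.12.95.191": "dridex c2",
    # Necurs: exploit-kit gates seen by ISC
    "185.14.30.218": "necurs ek gate",
    "91.121.63.249": "necurs ek gate",
    # "Facebook Recovery" phishing page host
    "185.28.21.145": "facebook-recovery phishing host",
}

HOST_INDICATORS = {
    "mercury.powerweave.com": "dridex download site",
    "recovery-page-php.zz.mu": "facebook-recovery phishing host",
}

# The macro fetched /72/11.exe; other macro variants used other paths, so a
# path match alone is a weaker signal than a host or IP match.
PATH_INDICATORS = {
    "/72/11.exe": "dridex payload path",
}

# Constructed log format: "<ts> <client> <dest_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify(line):
    """Return (client, url, [reasons]) for a parseable line, else None.

    reasons is empty when nothing in the line matched an indicator.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    dest = m.group("dest")
    if dest in IP_INDICATORS:
        reasons.append(f"dest ip {dest}: {IP_INDICATORS[dest]}")
    parts = urlsplit(m.group("url"))
    host = (parts.hostname or "").lower()
    if host in HOST_INDICATORS:
        reasons.append(f"host {host}: {HOST_INDICATORS[host]}")
    elif host in IP_INDICATORS:
        # URL addressed the C2 by bare IP rather than a name.
        reasons.append(f"host ip {host}: {IP_INDICATORS[host]}")
    if parts.path in PATH_INDICATORS:
        reasons.append(f"path {parts.path}: {PATH_INDICATORS[parts.path]}")
    return (m.group("client"), m.group("url"), reasons)


def scan(lines):
    """Return one (client, url, reasons) tuple per line that hit an indicator."""
    hits = []
    for line in lines:
        result = classify(line)
        if result and result[2]:
            hits.append(result)
    return hits


# Constructed sample log. Indicators are written un-defanged because they are
# string literals that this script never connects to.
SAMPLE_LOG = [
    "2015-05-21T08:59:02Z 10.1.2.33 50.97.147.195 GET http://mercury.powerweave.com/72/11.exe 200",
    "2015-05-21T08:59:05Z 10.1.2.33 78.46.60.131 POST http://78.46.60.131/ 200",
    "2015-05-21T09:02:11Z 10.1.2.40 93.184.216.34 GET http://example.com/index.html 200",
    "2015-05-21T09:10:44Z 10.1.2.51 185.28.21.145 POST http://recovery-page-php.zz.mu/recovery.php 302",
    "2015-05-21T09:12:00Z 10.1.2.60 91.121.63.249 GET http://91.121.63.249/gate.php 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {url}")
        for reason in reasons:
            print(f"    {reason}")
```

Matching on the destination IP as well as on the URL host catches both the macro's named download site and later C2 traffic that addresses the server by bare IP, which is how the Dridex loader in the Malwr report reached the listed addresses. A client that appears in the Dridex hits (10.1.2.33 in the constructed sample) is the machine to pull %TEMP% from, since the quoted analysis names the dropped file there.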
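The Logjam fix the Malwarebytes article describes is a client-side floor on the Diffie-Hellman modulus: the browser must refuse a ServerKeyExchange whose group is below 1024 bits, so a man-in-the-middle cannot downgrade it to a 512-bit export group. As an added example (not the Logjam researchers' or any browser vendor's code), the following Python parses the ServerDHParams structure of a TLS 1.2 DHE ServerKeyExchange (p, g, Ys, each a 2-byte length followed by a big-endian value, per RFC 5246 section 7.4.3) and applies that floor. The sample messages are built from constructed filler moduli, not real DH groups, and carry no signature; only the bit length matters for the check.

```python
"""Parse a TLS 1.2 DHE ServerKeyExchange and reject small DH groups.

Added example; not code from the Logjam paper or any browser. Sample
messages use constructed filler moduli, not real DH groups.
"""
import struct

HANDSHAKE_SERVER_KEY_EXCHANGE = 12


def _read_opaque16(buf, off):
    """Read one opaque<1..2^16-1> field at buf[off:], return (value, new_off)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad or truncated opaque field")
    return buf[off:off + n], off + n


def parse_server_dh_params(handshake):
    """Return (p, g, Ys) as ints from a ServerKeyExchange handshake message.

    The signature that follows ServerDHParams in signed DHE suites is left
    unparsed; it does not affect the group-size check.
    """
    if len(handshake) < 4 or handshake[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p, off = _read_opaque16(body, 0)
    g, off = _read_opaque16(body, off)
    ys, off = _read_opaque16(body, off)
    return (int.from_bytes(p, "big"), int.from_bytes(g, "big"),
            int.from_bytes(ys, "big"))


def check_dh_group(handshake, min_bits=1024):
    """Return (accepted, p_bits).

    The default floor of 1024 bits is the one the quoted article says the
    browser updates enforce; pass min_bits=2048 for the stronger floor the
    weakdh.org authors recommend.
    """
    p, g, ys = parse_server_dh_params(handshake)
    bits = p.bit_length()
    # Reject degenerate public values too: Ys must lie strictly in (1, p-1).
    if not (1 < ys < p - 1):
        return False, bits
    return bits >= min_bits, bits


def build_server_key_exchange(p, g, ys):
    """Encode ServerDHParams into an (unsigned) ServerKeyExchange message."""
    def opaque16(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    body = opaque16(p) + opaque16(g) + opaque16(ys)
    return (bytes([HANDSHAKE_SERVER_KEY_EXCHANGE])
            + len(body).to_bytes(3, "big") + body)


def filler_modulus(bits):
    """Constructed filler: an odd value with the top bit set at the given size.
    Not a real DH prime; it only gives the parser a modulus of that length."""
    return (1 << (bits - 1)) | 1


EXPORT_512 = build_server_key_exchange(filler_modulus(512), 2, 0x1234)
GROUP_1024 = build_server_key_exchange(filler_modulus(1024), 2, 0x1234)
GROUP_2048 = build_server_key_exchange(filler_modulus(2048), 2, 0x1234)

if __name__ == "__main__":
    for name, msg in (("512-bit", EXPORT_512), ("1024-bit", GROUP_1024),
                      ("2048-bit", GROUP_2048)):
        ok, bits = check_dh_group(msg)
        print(f"{name}: p is {bits} bits -> {'accept' if ok else 'REJECT'}")
```

The size check has to happen on the parsed p itself, not on the cipher suite name: in the Logjam downgrade the client believes it negotiated an ordinary DHE suite while the server (tricked into DHE_EXPORT) sends a 512-bit group, so only the ServerKeyExchange contents reveal the problem. On the server side, the equivalent fix is to disable export suites and generate a group of at least 2048 bits (for example with `openssl dhparam 2048`).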
