
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1231
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,660

    JAVA_ADWIND telemetry

    FYI...

    JAVA_ADWIND - Trend Micro telemetry
    > http://blog.trendmicro.com/trendlabs...n-adwind-jrat/
    July 11, 2017 - "... our telemetry for JAVA_ADWIND... the malware has had a steady increase in detections since the start of the year. From a mere 5,286 in January 2017, it surged to 117,649 in June. It’s notable, too, that JAVA_ADWIND detections from May to June, 2017 increased by 107%, indicating that cybercriminals are actively pushing and distributing the malware...
    JAVA_ADWIND detections from January to June, 2017:
    > https://blog.trendmicro.com/trendlab...ind-spam-1.jpg
    ... a Java EXE, dynamic-link library (DLL) and 7-Zip installer will be fetched from a domain that we uncovered to be a file-sharing platform abused by the spam operators:
    hxxps ://nup[.]pw/DJojQE[.]7z
    hxxp ://nup[.]pw/e2BXtK[.]exe
    hxxps ://nup[.]pw/9aHiCq[.]dll ...
    ... it appears to have the capability to check for the infected system’s internet access. It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be -abused- to evade static analysis from traditional antivirus (AV) solutions...
    Indicators of Compromise:
    Files and URLs related to Adwind/jRAT:
    hxxp ://ccb-ba[.]adv[.]br/wp-admin/network/ok/index[.]php
    hxxp ://www[.]employersfinder[.]com/2017-MYBA-Charter[.]Agreement[.]pif
    hxxps ://nup[.]pw/e2BXtK[.]exe
    hxxps ://nup[.]pw/Qcaq5e[.]jar ..."

    nup .pw: 149.210.145.237: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/9d...6033/analysis/

    employersfinder .com: 198.38.91.121: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/ff...9e9e/analysis/

    ccb-ba .adv.br: 50.116.112.205: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/71...0c44/analysis/

    Last edited by AplusWebMaster; 2017-07-11 at 23:40.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

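The Trend Micro excerpt above notes that Adwind/jRAT uses Java reflection to stay opaque to static scanners. The script below is an added example written for this thread, not code from Trend Micro or from the Adwind authors: it unpacks a JAR, looks inside each class file for the constant-pool strings that reflection and dynamic class loading leave behind, and separately lists resource entries that look like an embedded second stage. The marker list and the build_sample_jar() input are constructed for the demo; a real sample would be scanned the same way by passing its bytes to scan_jar().

```python
import io
import zipfile

# Constant-pool strings that show up when bytecode calls into reflection or dynamic
# class loading.  Plenty of legitimate frameworks use them, so treat hits as a triage
# signal to be weighed against the size and purpose of the JAR, not as a verdict.
REFLECTION_MARKERS = (
    b"java/lang/reflect/Method",
    b"java/lang/reflect/Constructor",
    b"java/lang/reflect/Field",
    b"java/lang/ClassLoader",
    b"forName",
    b"getDeclaredMethod",
    b"getMethod",
    b"newInstance",
    b"defineClass",
    b"invoke",
)
CLASS_MAGIC = b"\xca\xfe\xba\xbe"
PAYLOAD_EXTS = (".jar", ".exe", ".dll", ".jse", ".vbs")


def scan_class_bytes(data):
    """Return the set of reflection markers present in one .class file (empty if not a class)."""
    if not data.startswith(CLASS_MAGIC):
        return set()
    return {m.decode() for m in REFLECTION_MARKERS if m in data}


def scan_jar(jar_bytes):
    """Walk every entry of a JAR.

    Returns (hits, payloads): hits maps class entry -> sorted markers for classes that use
    reflection; payloads lists resource entries that look like embedded second-stage files
    (nested archives, scripts, or anything starting with an MZ header)."""
    hits, payloads = {}, []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            name = info.filename
            data = jar.read(name)
            if name.endswith(".class"):
                markers = scan_class_bytes(data)
                if markers:
                    hits[name] = sorted(markers)
            elif name.lower().endswith(PAYLOAD_EXTS) or data.startswith(b"MZ"):
                payloads.append(name)
    return hits, payloads


def reflection_score(hits):
    """Number of distinct markers across the whole JAR.  A tiny dropper whose only job is to
    decode and load something at runtime scores high relative to its size; a large business
    app scores high too, which is why the score is paired with the payload list."""
    return len({m for markers in hits.values() for m in markers})


def build_sample_jar():
    """Constructed sample for the demo (not a real Adwind/jRAT file): two fake class files whose
    bodies stand in for constant pools, plus a resource beginning with an MZ header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a.Loader\n")
        jar.writestr(
            "a/Loader.class",
            CLASS_MAGIC + b"\x00\x00\x00\x34"
            + b"java/lang/ClassLoader defineClass forName newInstance invoke java/lang/reflect/Method",
        )
        jar.writestr("a/Util.class", CLASS_MAGIC + b"\x00\x00\x00\x34" + b"java/lang/String length")
        jar.writestr("res/payload.bin", b"MZ\x90\x00" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    hits, payloads = scan_jar(build_sample_jar())
    print("reflection score:", reflection_score(hits))
    for entry, markers in hits.items():
        print(entry, "->", ", ".join(markers))
    print("embedded payload candidates:", payloads)
```

The substring search is deliberately crude: it reads the constant pool as raw bytes rather than parsing it, which is enough to rank a pile of inbound .jar attachments for a closer look and cheap enough to run in a mail gateway. Obfuscators that build method names at runtime will not leave these strings, so a clean result from this check proves nothing.
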
  2. #1232
    AplusWebMaster

    Fake 'Confidential Documents' SPAM

    FYI...

    Fake 'Confidential Documents' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    13 July 2017 - "An email with the subject of 'Confidential Documents' pretending to come from Lloyds Bank but actually coming from a look-alike domain <noreply@ lloydsconfidential .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ents-email.png

    ... they are asking you to insert an authorisation code or password... (but) there is -no- option in this word doc to do that. The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...tected_doc.png

    Protected.doc - Current VirusTotal detections 5/58*. Payload Security** shows a download from
    http ://armor-conduite .com/geroi.png which of course is -not- an image file but a renamed .exe file that gets renamed to Tizpvu.exe and autorun (VirusTotal 9/63***). An alternative download location is
    http ://kgshrestha .com.np/geroi.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1499942591/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.138.226.110
    50.19.97.123
    186.208.111.188
    82.146.94.86


    *** https://www.virustotal.com/en/file/3...is/1499942505/

    armor-conduite .com: 193.227.248.241: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/ff...e1d6/analysis/

    kgshrestha .com.np: 74.200.89.84: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/26...fcb1/analysis/


  3. #1233
    AplusWebMaster

    Fake 'Secure message' SPAM

    FYI...

    Fake 'Secure message' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/spoof...vers-trickbot/
    14 Jul 2017 - "An email with the subject of 'Secure email message' pretending to come from Sage Invoice but actually coming from a look-alike domain <noreply@ sage-invoice .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ed-invoice.png

    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...nvoice_doc.png

    SageInvoice.doc - Current VirusTotal detections 4/57*. Payload Security** shows a download from
    http ://ridderbos .info/sergiano.png which of course is -not- an image file but a renamed .exe file that gets renamed to Pmkzc.exe and autorun (VirusTotal 8/61***)... An alternative download location is
    http ://kgshrestha .com.np/sergiano.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1500038647/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.138.226.110
    50.19.97.123
    186.208.111.188
    82.146.94.86


    *** https://www.virustotal.com/en/file/c...is/1493725297/

    ridderbos .info: 84.38.226.82: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/91...cb3b/analysis/

    kgshrestha .com.np: 74.200.89.84: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/da...4263/analysis/


  4. #1234
    AplusWebMaster

    Fake 'payment slip' SPAM

    FYI...

    Fake 'payment slip' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...a-jrat-trojan/
    18 Jul 2017 - "... an email with the subject of 'payment slip' ... pretending to come from random companies, names and email addresses with an ACE attachment (ACE files are a sort of zip file that normally needs special software to extract. Windows and WinZip do not natively extract them) which delivers some malware... it has some indications of Fareit Trojan. This also has a jRAT Java .jar file attachment...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...yment-slip.png

    > Attachments: bank detailes copy.xls.ace -and- TT COPY MBUNDU GISA 740,236 USD.jar

    bank detailes copy.xls.ace: Extracts to: bank detailes copy.xls.exe - Current VirusTotal detections 6/63*
    Payload Security**

    TT COPY MBUNDU GISA 740,236 USD.jar - Current VirusTotal detections 2/59[3]. Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1500351301/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    HTTP Traffic
    104.69.49.57

    3] https://www.virustotal.com/en/file/a...7698/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    174.127.99.198


  5. #1235
    AplusWebMaster

    Fake blank-subject, 'Invoices', 'RFQ' SPAM, Bots - searching...

    FYI...

    Fake blank-subject SPAM - downloads Trickbot
    - https://myonlinesecurity.co.uk/trick...bject-noreply/
    18 July 2017 - "... Trickbot downloaders... from noreply@ random email addresses (all spoofed). Has a -blank- subject line and a zip attachment containing a VBS file...

    Screenshot: https://myonlinesecurity.co.uk/wp-co..._vbs_email.png

    doc00042714507507789135.zip extracts to: doc000799723147922720821.vbs - Current VirusTotal detections 9/57*.
    Payload Security** shows a download of an encrypted text file from
    http ://pluzcoll .com/56evcxv? which is converted to nbVXsSxirbe.exe (VirusTotal 31/63***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1500373606/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    210.1.58.190
    107.20.242.236


    *** https://www.virustotal.com/en/file/4...838c/analysis/

    pluzcoll .com: 210.1.58.190: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/b5...9e51/analysis/
    ___

    Fake 'Invoices' SPAM - deliver Trickbot
    - https://myonlinesecurity.co.uk/multi...anking-trojan/
    19 July 2017 - "... pdf attachments that drop a malicious macro-enabled word doc that delivers Trickbot...
    today we have seen 3 different campaigns and subjects all eventually leading to the same Trickbot payload..."
    ___

    Fake 'RFQ' SPAM - delivers java adwind
    - https://myonlinesecurity.co.uk/spoof...s-java-adwind/
    19 July 2017 - "... emails containing Java Adwind or Java Jacksbot attachments...
    Screenshot: https://myonlinesecurity.co.uk/wp-co...ery-Co-Ltd.png ..."
    ___

    Bots - searching for Keys & Config Files
    - https://isc.sans.edu/diary/22630
    2017-07-19 - "... yesterday, I found a -bot- searching for... interesting files: configuration files from popular tools and website private keys. Indeed, file transfer tools are used by many webmasters to deploy files on web servers and they could theoretically leave juicy data amongst the HTML files... Each file was searched with a different combination of lower/upper case characters... This file could contain references to hidden applications (This is interesting to know for an attacker)..."
    (More detail at the isc URL above.)

    Last edited by AplusWebMaster; Yesterday at 18:43.

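The ISC item at the end of the post above describes a bot requesting configuration files and website private keys, each tried with several upper/lower-case spellings. The detector below is an added example written for this thread, not the ISC diary's own code or its file list: the diary's actual filenames are not reproduced on this page, so SENSITIVE_PATHS is an assumed watchlist of the kind of deployment leftovers meant (.git/config, .env, editor and SFTP client configs, key files). It parses combined-format web server log lines, lowercases the path so every case permutation collapses onto one entry, aggregates per client, and separates "probed" from "answered with 200", which is the line between blocking an IP and opening an incident. The log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed watchlist (the ISC diary's exact list is not on this page): files a deployment
# tool or editor can leave in the web root that hand an attacker credentials or keys.
SENSITIVE_PATHS = {
    "/.git/config", "/.env", "/wp-config.php", "/wp-config.php.bak", "/config.php",
    "/.htpasswd", "/.ssh/id_rsa", "/id_rsa", "/server.key", "/private.key",
    "/sftp-config.json", "/.ftpconfig", "/.vscode/sftp.json", "/.idea/workspace.xml",
}

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def is_sensitive(path):
    """Case-insensitive match so '/.GIT/config' and '/wp-CONFIG.php' hit the same entry."""
    return path.lower() in SENSITIVE_PATHS


def scan_log(lines, min_hits=3):
    """Return {ip: {"hits": n, "variants": [...], "found": [...]}} for clients that requested
    at least min_hits sensitive paths.

    'variants' keeps the raw spellings so the case-permutation pattern is visible in the
    alert; 'found' lists the requests answered 200, i.e. the files that were actually
    exposed and need rotation, not just a firewall rule."""
    per_ip = defaultdict(lambda: {"hits": 0, "variants": set(), "found": []})
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_sensitive(rec["path"]):
            continue
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        entry["variants"].add(rec["path"])
        if rec["status"] == "200":
            entry["found"].append(rec["path"])
    return {
        ip: {"hits": e["hits"], "variants": sorted(e["variants"]), "found": e["found"]}
        for ip, e in per_ip.items()
        if e["hits"] >= min_hits
    }


# Constructed sample log: one scanner cycling case variants, one ordinary visitor with a
# single stray probe that stays below the threshold.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2017:10:01:02 +0000] "GET /.git/config HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jul/2017:10:01:02 +0000] "GET /.GIT/config HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jul/2017:10:01:03 +0000] "GET /.Git/CONFIG HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jul/2017:10:01:04 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jul/2017:10:01:05 +0000] "GET /sftp-config.json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Jul/2017:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Jul/2017:10:02:01 +0000] "GET /.env HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, summary in scan_log(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

On a case-insensitive filesystem or web server the mixed-case requests all resolve to the same file, which is the point of the bot's permutations: a naive exact-string block rule sees five different paths while the server serves one. Matching on the lowercased path closes that gap; the "found" list is what to act on first.
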
  6. #1236
    AplusWebMaster

    Fake 'eFax', various subjects SPAM

    FYI...

    Fake 'eFax' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/efax-...anking-trojan/
    20 July 2017 - "... Trickbot malspams... an email with the subject of 'eFax message from 8473365403' 1 page(s), Caller-ID: 44-020-3136-4931 pretending to come from eFax but actually coming from a look-alike domain <message@ efax-download .com> with a malicious word doc attachment... they are registered via GoDaddy as registrar hosted on 160.153.16.19 and the emails are sent via AS8972 Host Europe GmbH 85.93.88.109. These are registered with what are obviously -fake- details...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...spam_email.png

    ... The -link- in the email body goes to
    https ://efax-download .com/pdx_did13-1498223940-14407456340-60
    where you see page like this with-a-link to download the actual malware binary
    https ://efax-download .com/14407456340-60.zip, extracting to 14407456340-60.exe
    The page tries initially to automatically download 14407456340-60.pdf.exe (VirusTotal 3/64*).
    Payload Security**...
    > https://myonlinesecurity.co.uk/wp-co...x-download.png

    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1500552776/
    14407456340-60.pdf.exe

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    efax-download .com: 160.153.16.19: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/7a...7ed5/analysis/
    ___

    Fake various subjects SPAM - deliver Trickbot, fake flashplayer
    - https://myonlinesecurity.co.uk/trick...tebin-adverts/
    20 July 2017 - "... Trickbot banking Trojan campaign comes in an email with varying subjects including:
    paper
    doc
    scan
    invoice
    documents
    Scanned Document
    receipt
    order
    They are all coming from random girls' names at random email addresses. There is a zip attachment containing a VBS file...
    Download sites found so far are listed on:
    - https://pastebin.com/MGAVB1uz // Thanks to Racco42*

    * https://twitter.com/Racco42
    > Beware - for some reason the pastebin link is giving me -diverts- to a scumware site trying to download a -fake-flashplayer-hta-file (VirusTotal 17/58[1]) (Payload Security [2])
    https ://uubeilisthoopla .net/85123457821940/be74be7a58e47c2837f71295a31d1533/24c3df3c0fe3c937281c3d8d7427e1da.html
    which downloads
    https ://uubeilisthoopla .net/85123457821940/1500548202679984/FlashPlayer.jse
    (VirusTotal 4/58[3]) (Payload Security [4])...
    1] https://www.virustotal.com/en/file/25822bd5a94779301001ba485bcbb49f087b5f56c07e4e9803284af24174f3c7/analysis/1500548514/
    FlashPlayer.hta

    2] https://www.hybrid-analysis.com/samp...ironmentId=100

    3] https://www.virustotal.com/en/file/0...is/1500549163/
    FlashPlayer.jse

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    uubeilisthoopla .net: 209.126.113.203: https://www.virustotal.com/en/ip-add...3/information/


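The 'payment slip', blank-subject and eFax posts above all deliver their payload through the attachment's name rather than its content: a double extension (bank detailes copy.xls.ace unpacking to .xls.exe, 14407456340-60.pdf.exe), an archive format Windows cannot open natively (.ace), a script inside a zip (.vbs), or a fake FlashPlayer .hta/.jse. The triage below is an added example written for this thread, not code from myonlinesecurity.co.uk: it scores a filename by its extension chain and, for zip attachments, applies the same rule to every member, because the member is what the user actually double-clicks. The extension lists and build_sample_zip() are constructed for the demo.

```python
import io
import os
import zipfile

# Extensions that run directly on a Windows workstation when opened; every one of these
# appears as a lure somewhere in this thread.
EXEC_EXTS = {".exe", ".dll", ".pif", ".scr", ".jar", ".vbs", ".vbe", ".js", ".jse",
             ".hta", ".wsf", ".cmd", ".bat", ".ps1"}
# Archive formats used to wrap the executable.  .ace and .7z need third-party tools,
# which also means mail gateways that only open zips never see what is inside them.
ARCHIVE_EXTS = {".zip", ".7z", ".rar", ".ace"}
# Document/image types that a lure pretends to be ahead of the real extension.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".png", ".jpg", ".txt"}


def split_exts(name):
    """All extensions of a filename, e.g. 'bank detailes copy.xls.ace' -> ['.xls', '.ace']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_name(name):
    """Reasons one filename is suspicious by name alone (empty list = nothing to report)."""
    exts = split_exts(name)
    reasons = []
    if not exts:
        return reasons
    last = exts[-1]
    if last in EXEC_EXTS:
        reasons.append(f"executable extension {last}")
    if last in ARCHIVE_EXTS and last != ".zip":
        reasons.append(f"uncommon archive {last}")
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in (EXEC_EXTS | ARCHIVE_EXTS):
        reasons.append(f"double extension {exts[-2]}{last}")
    return reasons


def classify_attachment(name, data=None):
    """Classify the attachment name and, when it is a zip, each member name.

    Returns {label: reasons}; the label for a member is 'outer.zip:member'."""
    findings = {name: classify_name(name)}
    if data and name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                inner = classify_name(os.path.basename(member))
                if inner:
                    findings[f"{name}:{member}"] = inner
    return findings


def is_suspicious(findings):
    """True if any label in the findings carried at least one reason."""
    return any(findings.values())


def build_sample_zip():
    """Constructed sample mirroring the blank-subject campaign: a zip wrapping a VBS file.
    The member body is a placeholder comment, not the real downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc000799723147922720821.vbs", "' constructed placeholder\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Names taken from the posts above; the zip content is constructed.
    for fname in ("bank detailes copy.xls.ace", "TT COPY MBUNDU GISA 740,236 USD.jar",
                  "14407456340-60.pdf.exe", "FlashPlayer.hta", "invoice.docx"):
        print(f"{fname!r}: {classify_name(fname) or 'ok'}")
    print(classify_attachment("doc00042714507507789135.zip", build_sample_zip()))
```

Name checks and content checks belong together: the name rule catches the .vbs in a zip before anything is extracted, while a content sniff on what the script later downloads catches the renamed .png payloads. Neither one alone covers the whole chain described in these posts.
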