
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1191
    AplusWebMaster (Adviser Team)

    Fake 'confirmation' SPAM, Phish - distributing ransomware

    FYI...

    Fake 'confirmation' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/the-l...cro-word-docs/
    25 Apr 2017 - "... another 2 mass malspam onslaughts with different email subjects. The first is 'confirmation_12345678.pdf' (random numbers) pretending to come from info@ random .tld with a PDF attachment that contains an embedded malicious word doc with macros that delivers Locky ransomware. The second is a -blank- email with the subject of 'paper', coming from random names, companies and email addresses. In all cases the alleged sending address is -spoofed- ... In both campaigns the PDF appears totally to be a -blank- page but still contains the embedded macro word doc that will infect you when opened. These macro enabled word docs embedded into PDF files can easily infect you, -IF- you have default PDF settings set in Adobe Reader. See HERE[1] for safe settings to stop these working...
    1] https://myonlinesecurity.co.uk/embed...ly-infect-you/
    ... 2 distinct malspam approaches today. First coming from 'scanner' (or other MFD, like scan, Epson, Printer, canon etc ) @ your-own-email-domain with a subject of 'scan data'. The second comes from totally random names @ your-own-email-domain with a subject of '12345678.pdf' (random numbers) and has a completely -empty- email body...

    Screenshot1: https://myonlinesecurity.co.uk/wp-co...nfirmation.png

    Screenshot2: https://myonlinesecurity.co.uk/wp-co...ocky_paper.png

    6446165b2.pdf - Current Virus total detections 13/56*. Payload Security** drops 216616.docm downloads from
    http ://parallelsolutions .nl/jhg67g which is converted by the macro to pitupi2.exe
    (VirusTotal 23/59***) (Payload Security[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1493096091/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    159.253.0.19

    *** https://www.virustotal.com/en/file/a...is/1493096408/
    pitupi2.exe

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    parallelsolutions .nl: 159.253.0.19: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/6d...c163/analysis/
    ___

    Phish attacks responsible for 3/4 of all malware
    - https://www.helpnetsecurity.com/2017...tacks-malware/
    April 25, 2017 - "With phishing now widely used as a mechanism for distributing ransomware, a new NTT Security report reveals that 77% of all detected ransomware globally was in four main sectors – business & professional services (28%), government (19%), health care (15%) and retail (15%):
    > https://www.helpnetsecurity.com/imag...y-042017-2.jpg
    While technical attacks on the newest vulnerabilities tend to dominate the media, many attacks rely on less technical means. According to the GTIR, phishing attacks were responsible for nearly three-quarters (73%) of all malware delivered to organizations, with government (65%) and business & professional services (25%) as the industry sectors most likely to be attacked at a global level. When it comes to attacks by country, the U.S. (41%), Netherlands (38%) and France (5%) were the top three sources of phishing attacks. The report also reveals that just 25 passwords accounted for nearly 33% of all authentication attempts against NTT Security honeypots last year. Over 76% of log on attempts included a password known to be implemented in the Mirai botnet – a botnet comprised of IoT devices, which was used to conduct, what were at the time, the largest ever distributed denial of service (DDoS) attacks. DDoS attacks represented less than 6% of attacks globally, but accounted for over 16% of all attacks from Asia and 23% of all attacks from Australia. Finance was the most commonly attacked industry globally, subject to 14% of all attacks. The finance sector was the only sector to appear in the top three across all of the geographic regions analysed, while manufacturing appeared in the top three in five of the six regions. Finance (14%), government (14%) and manufacturing (13%) were the top three most commonly attacked industry sectors:
    > https://www.helpnetsecurity.com/imag...y-042017-1.jpg
    ... NTT Security summarizes data from over 3.5 -trillion- logs and 6.2 -billion- attacks for the 2017 Global Threat Intelligence Report (GTIR)*..."
    * https://www.nttcomsecurity.com/us/gtir-2017/
    ___

    Phish: PayPal Credit Service Security Check
    - https://security.intuit.com/index.ph...security-check
    24 April 2017 - "People are reporting receiving -fake- emails as found below. Please be aware that the From address as well as the Subject line may change; however, the content within the body of the email will stay the same with the exception of a change to the malicious URL link, which may have many different variations. Below is an example of the email people are receiving:
    > https://security.intuit.com/images/2...4_14-51-41.png
    ... end of the -fake- email..."

    Last edited by AplusWebMaster; 2017-04-25 at 16:23.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #1192
    AplusWebMaster (Adviser Team)

    Fake 'DHL' SPAM, JavaScript Malspam Campaigns

    FYI...

    Fake 'DHL' SPAM - delivers js malware
    - https://myonlinesecurity.co.uk/fake-...known-malware/
    26 Apr 2017 - "... email with the subject of 'DHL Shipment Notification: 1104749373' pretending to come from DHL Customer Support <support@ dhl .com> with a semi-random named zip attachment in the format of Pickup EXPRESS.Date2017-04-26.zip which delivers or tries to deliver some sort of malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...1104749373.png

    Pickup EXPRESS.Date2017-04-26.zip: Extracts to: Pickup DOMESTIC EXPRESS Date2017-04-26.pdf.js
    Current Virus total detections 4/57*. Payload Security** | JoeSandbox*** all of which do show a connection to 47.91.74.140 80 horcor .com which looks to be connected to or hosted by Chinese online company Alibaba.
    Payload Security shows an attempt to contact http ://horcor .com/gate.php?ff1 (ff1 – ff12) in turn via get requests BUT only when you expand the wscript.exe section and examine the script calls... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1493200305/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    47.91.74.140

    *** https://jbxcloud.joesecurity.org/analysis/259442/1/html

    horcor .com: 47.91.74.140: https://www.virustotal.com/en/ip-add...0/information/
    ___

    JavaScript Malspam Campaigns
    Multiple malicious JavaScript spam campaigns active in the wild
    - https://www.zscaler.com/blogs/resear...spam-campaigns
    April 25, 2017 - "... multiple active malspam campaigns with links to malicious JavaScript payloads in the wild. These JavaScript files when opened by the end user will trigger download and execution of malware executables belonging to various Dropper and Backdoor Trojan families. We have seen over 10,000 instances of malicious JavaScript payloads from these campaigns in the last two weeks. The JavaScript files are highly obfuscated to avoid detection and on first look share similarity with Angler EK's landing page. Two URL formats are commonly being used at this time, one with just alphanumeric characters in the path and the other with the string ‘.view’ in the path. Examples of these URLs are seen below:
    http ://yountstreetglass [.]com/TRucDEpdoO4jsaFaF4wCTxl8h/
    http ://unbunt [.]com/view-report-invoice-0000093/w0ru-bb26-w.view/
    The JavaScript files have names which try to masquerade as bills and receipts of various services like DHL, UPS and Vodafone to name a few... When we opened the JavaScript, we observed that it was heavily obfuscated with random strings and numbers assigned to variables, which makes very little sense...
    Conclusion: We should always be cautious when clicking on links or handling e-mail attachments received from an unknown sender. Threat actors keep changing their obfuscation techniques in an attempt to evade detection methods used by security engines. It is increasingly important to have multiple security layers to block these kinds of attacks..."
    (More detail at the zscaler URL above.)

    yountstreetglass .com: 107.180.2.25: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/67...64d9/analysis/

    unbunt .com: 5.153.24.46: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/17...3e79/analysis/

    Last edited by AplusWebMaster; 2017-04-26 at 15:16.

  3. #1193
    AplusWebMaster (Adviser Team)

    Fake 'Secure email' SPAM, Intrusions - Multiple Victims/Sectors, Macs - OSX malware

    FYI...

    Fake 'Secure email' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/more-...alspam-emails/
    28 Apr 2017 - "An email with the subject of 'Secure email communication' pretending to come from HM Revenue & Customs <GSRPCommunication@ govsecure .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan... criminals sending these have registered various domains that look like genuine HMRC domains... So far we have found
    govsecure .co.uk
    gov-secure .co.uk
    ... they are registered via GoDaddy as registrar and the emails are sent via City Network Hosting AB Sweden 89.46.82.3, 89.46.82.2, 89.42.141.46, 89.40.217.178, 89.40.217.179, 89.40.217.185 ...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...munication.png

    Unsuccessful_Payments_Documents.doc - Current Virus total detections 3/56*. Payload Security** shows a download via powershell from http ://elevationstairs .ca/fonts/60c5776c175c54d2.png which of course is
    -not- an image file but a renamed .exe (VirusTotal 8/61***) (Payload Security [4])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1493381297/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    70.33.246.140
    107.22.214.64
    184.160.113.13
    217.31.111.153


    *** https://www.virustotal.com/en/file/f...is/1493382383/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    elevationstairs .ca: 70.33.246.140: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/e8...c048/analysis/
    ___

    Intrusions - Multiple Victims across Multiple Sectors
    - https://www.us-cert.gov/ncas/alerts/TA17-117A
    April 27, 2017 - "... Overview:
    The National Cybersecurity and Communications Integration Center (NCCIC) has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.
    According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems. Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.
    Although this activity is still under investigation, NCCIC is sharing this information to provide organizations information for the detection of potential compromises within their organizations.
    NCCIC will update this document as information becomes available.
    For a downloadable copy of this report and listings of IOCs, see:
    > https://www.us-cert.gov/sites/defaul...7-093-01C.xlsx
    IOCs (.xlsx)
    61.97.241.239 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    103.208.86.129 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    109.237.108.202 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...2/information/
    109.237.111.175 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...5/information/
    109.248.222.85 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...5/information/
    95.47.156.86 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...6/information/
    162.243.6.98 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...8/information/
    160.202.163.78 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...8/information/
    86.106.102.3 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
    110.10.176.181 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...1/information/
    185.133.40.63 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
    185.14.185.189 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    95.183.52.57 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...7/information/
    185.117.88.78 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...8/information/
    185.117.88.77 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...7/information/
    185.117.88.82 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...2/information/
    109.237.108.150 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...0/information/
    211.110.17.209 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    81.176.239.56 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...6/information/
    151.236.20.16 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...6/information/
    107.181.160.109 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    151.101.100.73 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
    158.255.208.170 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...0/information/
    158.255.208.189 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    158.255.208.61 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...1/information/
    160.202.163.79 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    160.202.163.82 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...2/information/
    160.202.163.90 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...0/information/
    160.202.163.91 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...1/information/
    185.117.88.81 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...1/information/
    185.141.25.33 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
    31.184.198.23 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
    31.184.198.38 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...8/information/
    92.242.144.2 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...2/information/
    183.134.11.84 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...4/information/

    > https://www.helpnetsecurity.com/2017...tack-campaign/
    April 28, 2017
    ___

    Macs - OSX.Dok malware intercepts web traffic
    > https://blog.malwarebytes.com/threat...s-web-traffic/
    April 28, 2017 - "Most Mac malware tends to be unsophisticated. Although it has some rather unpolished and awkward aspects, a new piece of Mac malware, dubbed 'OSX.Dok', breaks out of that typical mold. OSX.Dok, which was discovered by Check Point*, uses sophisticated means to monitor — and potentially alter — all HTTP and HTTPS traffic to and from the infected Mac. This means that the malware is capable, for example, of capturing account credentials for any website users log into, which offers many opportunities for theft of cash and data. Further, OSX.Dok could modify the data being sent and received for the purpose of -redirecting- users to malicious websites in place of legitimate ones...
    * http://blog.checkpoint.com/2017/04/2...https-traffic/
    Distribution method: OSX.Dok comes in the form of a file named Dokument.zip, which is found being -emailed- to victims in -phishing- emails. Victims primarily are located in Europe...
    Removal: Removal of the malware can be accomplished by simply removing the two aforementioned LaunchAgents files, but there are many leftovers and modifications to the system that -cannot- be as easily reversed...
    Consumers: Malwarebytes Anti-Malware for Mac will detect the important components of this malware as OSX.Dok, disabling the active infection. However, when it comes to the other changes that are not easily reversed, which introduce vulnerabilities and potential behavior changes, additional measures will be needed. For people who don’t know their way around in the Terminal and the arcane corners of the system, it would be wise to seek the assistance of an expert, or erase the hard drive and restore the system from a backup made prior to infection.
    Businesses: The impact on business could be much more severe, as it could expose information that could allow an attacker to gain access to company resources. For example, consider the potential damage if, while infected, you visited an internal company page that provided instructions for how to connect to the company VPN and access internal company services. The malware would have sent all that information to the malicious proxy server. If you have been infected by this malware in a business environment, you should consult with your IT department, so they can be aware of the risks and begin to mitigate them."
    (More detail at the Malwarebytes -and- Check Point URLs above.)

    Last edited by AplusWebMaster; Yesterday at 21:11.
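The posts above publish their indicators defanged ("horcor .com", "unbunt [.]com", "http ://...") and the TA17-117A alert ships its IP watchlist as plain lines. The following is an added example, not code from the thread, from AplusWebMaster, or from any of the quoted sources: it refangs a handful of the indicators quoted above, loads them into IP and domain sets, and checks them against a few constructed proxy-log lines in an assumed "key=value" format. The indicator subset and the log lines are constructed for illustration; the log format is an assumption, not any vendor's.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# A subset of the indicators quoted in the three posts above, copied in the
# defanged form the posts use. Domains carry a space before the TLD or "[.]",
# so they must be refanged before they can be compared with real log data.
IOC_TEXT = """
parallelsolutions .nl: 159.253.0.19
horcor .com: 47.91.74.140
elevationstairs .ca: 70.33.246.140
yountstreetglass [.]com: 107.180.2.25
unbunt [.]com: 5.153.24.46
61.97.241.239 IPv4 IP Watchlist
103.208.86.129 IPv4 IP Watchlist
185.117.88.78 IPv4 IP Watchlist
31.184.198.23 IPv4 IP Watchlist
"""

# Constructed sample log (assumed "key=value" proxy format; not a real log).
# Non-indicator destinations use documentation/TEST-NET addresses.
SAMPLE_LOG = """\
2017-04-26T10:02:11Z src=10.1.5.23 dst=47.91.74.140 host=horcor.com url=/gate.php?ff1
2017-04-26T10:02:15Z src=10.1.5.23 dst=203.0.113.5 host=example.com url=/
2017-04-28T08:41:07Z src=10.1.7.9 dst=70.33.246.140 host=elevationstairs.ca url=/fonts/60c5776c175c54d2.png
2017-04-28T09:00:00Z src=10.1.7.9 dst=185.117.88.78 host=- url=-
2017-04-28T09:05:44Z src=10.1.2.2 dst=198.51.100.7 host=sub.unbunt.com url=/view-report-invoice-0000093/w0ru-bb26-w.view/
"""

# " .tld" and "[.]" defanging styles, both used in the posts above.
DEFANG_DOT = re.compile(r"\s*\[\.\]\s*|\s+\.(?=[A-Za-z])")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FIELD = re.compile(r"(\w+)=(\S+)")


def refang(text: str) -> str:
    """Restore 'horcor .com', 'unbunt [.]com' and 'http ://x' to usable form."""
    text = text.replace("http ://", "http://").replace("https ://", "https://")
    return DEFANG_DOT.sub(".", text)


def is_ipv4(value: str) -> bool:
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False


def load_iocs(text: str) -> Tuple[Set[str], Set[str]]:
    """Parse indicator lines into (ip_set, domain_set).

    The first token of a line (up to ':' or whitespace) is the indicator;
    any further IPv4 address on the line (e.g. the resolved IP after a
    domain) is collected as well.
    """
    ips: Set[str] = set()
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = refang(raw.strip())
        if not line:
            continue
        head = re.split(r"[:\s]", line, maxsplit=1)[0].strip().lower()
        if is_ipv4(head):
            ips.add(head)
        elif "." in head:
            domains.add(head)
        ips.update(ip for ip in IPV4.findall(line) if is_ipv4(ip))
    return ips, domains


def domain_matches(host: str, domains: Set[str]) -> bool:
    """Exact or subdomain match, so sub.unbunt.com hits the unbunt.com IOC."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(log: str, ips: Set[str], domains: Set[str]) -> List[Dict[str, object]]:
    """Return one record per log line whose destination IP or host is an IOC."""
    hits: List[Dict[str, object]] = []
    for line in log.splitlines():
        fields = dict(FIELD.findall(line))
        reasons: List[str] = []
        if fields.get("dst") in ips:
            reasons.append("ip:" + fields["dst"])
        host = fields.get("host", "-")
        if host != "-" and domain_matches(host, domains):
            reasons.append("domain:" + host)
        if reasons:
            hits.append({"ts": line.split()[0], "src": fields.get("src"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    ioc_ips, ioc_domains = load_iocs(IOC_TEXT)
    for hit in scan_log(SAMPLE_LOG, ioc_ips, ioc_domains):
        print(hit["ts"], hit["src"], ", ".join(hit["reasons"]))
```

Matching on both the destination IP and the requested host is deliberate: the Trickbot post shows a download fetched by hostname while the TA17-117A watchlist is IP-only, and a subdomain-aware host check catches the case where only a parent domain was published.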
