Page 102 of 132 FirstFirst ... 252929899100101102103104105106112 ... LastLast
Results 1,011 to 1,020 of 1320

Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1011
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'transaction' SPAM, CrypMIC ransomware, Business sites hijacked

    FYI...

    Fake 'transaction' SPAM - Java Adwind Trojan
    - https://myonlinesecurity.co.uk/java-...alspam-emails/
    20 July 2016 - "Overnight we received 2 separate sets of malspam emails both eventually leading to the same Java Adwind Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...n-1024x568.png

    Update: I am also getting some of these 'Pending Sendout Transaction' emails coming through pretending to come from amirmuhammed @almuzaniexchange .ae "
    Screenshot: https://myonlinesecurity.co.uk/wp-co...l-1024x617.png

    20 July 2016: Sendout-Copy.zip: Extracts to: Sendout_copy..js - Current Virus total detections 1/54*
    .. Payload Security**. This is a JavaScript file that automatically downloads and runs
    http ://ebhar .net/css/new_file_jacob.jar Which is the -same- Java Adwind Trojan as the Java.jar file in the second email.

    20 July 2016: Sendout-Report.rar: Extracts to: Sendout-Copy.jar - Current Virus total detections 18/55[3]
    .. Payload Security [4].
    This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/b...is/1468989481/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.194.169.160

    3] https://www.virustotal.com/en/file/d...is/1468989622/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    ebhar .net: 216.194.169.160: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/5c...9851/analysis/
    ___

    CrypMIC ransomware follows CryptXXX ...
    - http://blog.trendmicro.com/trendlabs...llow-cryptxxx/
    July 20, 2016 - "... a new ransomware family that mimics CryptXXX in terms of entry point, ransom notes and payment site UIs. CrypMIC’s perpetrators are possibly looking for a quick buck owing to the recent success of CryptXXX...
    Comparison of CrypMIC (left) and CryptXXX (right) ransom notes and user interfaces of their payment sites
    > https://blog.trendmicro.com/trendlab...cryptxxx08.png
    CrypMIC and CryptXXX share many similarities; both are spread by the Neutrino Exploit Kit and use the same format for sub-versionID/botID (U[6digits]/UXXXXXX]) and export function name (MS1, MS2). Both threats also employed a custom protocol via TCP Port 443 to communicate with their command-and-control (C&C) servers... The demise of the Angler exploit kit from crypto-ransomware activity has made CryptXXX migrate to Neutrino exploit kit, which have been recently reported to be delivering -other- ransomware families such as CryptoWall, TeslaCrypt, CryptoLocker and Cerber. We have observed that CrypMIC and CryptXXX were distributed by Neutrino interchangeably over the course of a week. CrypMIC was first pushed by Neutrino on July 6th before switching back to delivering CryptXXX 4.001 on July 8th. It started redistributing CrypMIC on July 12th before reverting to CryptXXX the next day. On the same week, Neutrino also distributed Cerber via -malvertising- as well as -other- malware from other cybercriminal groups. By July 14th, Neutrino has started to distribute an apparently newer version of CryptXXX (5.001)... CryptXXX automatically scans the machine for network-drives then proceeds to encrypt files stored on them. CryptXXX 4.001 also downloads and executes an information-stealing module on its process memory — named fx100.dll ... the decryptor created by CrypMIC’s developers has been reported to be not functioning properly. Additionally, paying the ransom only makes businesses and users susceptible to more ransomware attacks. Besides regularly backing up files, keeping systems updated with the latest patches is another means of mitigating the risks of ransomware. A multilayered defense that can secure systems, servers and networks is also recommended..."

    > https://www.proofpoint.com/us/threat...xxx-ransomware
    July 14, 2016 - "... detected an email campaign with document attachments containing malicious macros. If opened, these attachments download and install CryptXXX ransomware..."
    ___

    Business sites hijacked to deliver ransomware ...
    - http://arstechnica.com/information-t...to-ransomware/
    7/19/2016, 5:56 PM - "If you've visited the do-it-yourself project site of Dunlop Adhesives, the official tourism site for Guatemala, or a number of other legitimate (or in some cases, marginally legitimate) websites, you may have gotten more than the information you were looking for*. These sites are -redirecting- visitors to a -malicious- website that attempts to install CryptXXX — a strain of cryptographic ransomware first discovered in April. The sites were most likely exploited by a botnet called SoakSoak* or a similar automated attack looking for vulnerable WordPress plugins and other unpatched content management tools, according to a report from researchers at the endpoint security software vendor Invincea**. SoakSoak, named for the Russian domain it originally launched from, has been around for some time and has exploited thousands of websites. In December of 2014, Google was forced to blacklist over 11,000 domains in a single day after the botnet compromised their associated websites by going after the WordPress RevSlider plugin. In this recent wave of compromises, SoakSoak planted code that -redirects- visitors to a website hosting the Neutrino Exploit Kit... Even as those organizations try to regain control of their websites, others are likely to be rapidly compromised because of the vast number of sites that are behind on patching site add-ons like WordPress plugins."
    * https://storify.com/BelchSpeak/soaks...ptxxx-ransomwa

    ** https://www.invincea.com/2016/07/maj...xx-ransomware/

    Last edited by AplusWebMaster; 2016-07-20 at 18:54.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1012
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Twitter account - phish

    FYI...

    'Authorize your Twitter account' - phishing scam
    - https://blog.malwarebytes.com/cyberc...phishing-scam/
    July 21, 2016 - "... a phish targeting people who desire Twitter verification. The fake site, located at
    twitterverifiy(dot)verifiy(dot)ml
    ... poses as an app to be authorised, but is simply out to -steal- login credentials. Take note of the rather unique spelling of “verify” in the URL, too:
    > https://blog.malwarebytes.com/wp-con...tter-phish.jpg
    After hitting the “Authorize app” button, the victim is redirected off to the real Twitter website. At this point, the scammers are free to do what they like with the stolen account. One assumes the scammers behind this one aren’t really paying attention to who they send their messages to (and the screenshot cuts off the username of the spam account, so we can’t see what else they’re up to). Suffice to say, if you have your Direct Messages open to all then potentially you could receive a missive such as the one above. Verification has a specific process attached to it, and although it’s currently changing, you definitely won’t get a blue tick next to your Username by giving permission to phish pages posing as non-existent apps. No matter who you are, now matter how involved in issues of privacy and / or security you may be, there’s always the possibility you could get caught out by a clever scam. Keep your wits about you, and steer clear of “too good to be true” offers..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #1013
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'sorry', 'Fedex label', 'Invoice/Credit/Statement' SPAM, Upgrade Outlook - PHISH

    FYI...

    Fake 'sorry' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/07/malw...ry-that-i.html
    22 July 2016 - "This spam has a malicious attachment:
    From: "Lizzie Carpenter"
    Subject: sales report
    Date: Fri, 22 Jul 2016 21:38:25 +0800
    I am truly sorry that I was not available at the time you called me yesterday.
    I attached the report with details on sales figures.
    Best of luck,
    Lizzie Carpenter
    SCHRODER GLOBAL REAL ESTATE SEC LTD ...


    The sender is randomly generated. Attached is a ZIP file combining elements of the recipients email address and a random number, which in turn contains a malicious .wsf script beginning with "sales report". In a change from recent malware runs, the script does -not- directly download a binary from a remote location but instead has the entire binary executable Base64 encoded in the script. This executable has a detection rate of 4/54* and trusted analysis says that it is Locky ransomware, phoning home to:
    77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
    194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
    185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
    176.111.63.51/upload/_dispatch.php (United Networks of Ukraine Ltd, Ukraine)
    Recommended blocklist:
    77.222.54.202
    194.1.236.126
    185.117.153.176
    176.111.63.51
    "
    * https://virustotal.com/en/file/c5011...is/1469197692/
    ___

    Fake 'Fedex label' SPAM - .docm leads to Locky
    - https://myonlinesecurity.co.uk/pleas...ky-ransomware/
    22 July 2016 - "An email with the subject of 'PO5' pretending to come from Mary Leons <mary.leons@ airmenzies .com> with a malicious word doc attachment which downloads Locky ransomware... The email looks like:
    From: Mary Leons <mary.leons@ airmenzies .com>
    Date: Fri 22/07/2016 10:04
    Subject: PO5
    Attachment: 906569711935.docm
    Hi
    Please see Fedex label as attached
    Kindest Regards
    Mary Leons
    Customer Service Supervisor | Air Menzies International ...


    22 July 2016: 906569711935.docm - Current Virus total detections 10/55*
    .. MALWR** shows a download from http ://dillerator.chat .ru/09yhbvt4 (VirusTotal 6/53***).
    Other download locations for today’s Locky version include [duplicate's removed]:
    http ://allmusic .c0.pl/09yhbvt4
    allmusic .c0.pl: 95.211.144.65: https://www.virustotal.com/en/ip-add...5/information/
    http ://delta5.homepage.t-online .de/09yhbvt4
    t-online .de:
    2003:2:4:164:217:6:164:162
    2003:2:2:40:62:153:159:92
    217.6.164.162
    : https://www.virustotal.com/en/ip-add...2/information/
    62.153.159.92: https://www.virustotal.com/en/ip-add...2/information/
    http ://dillerator.chat .ru/09yhbvt4
    chat .ru: 195.161.119.85: https://www.virustotal.com/en/ip-add...5/information/
    http ://files.igamingbusiness .co.uk/09yhbvt4
    igamingbusiness .co.uk: 109.108.132.162: https://www.virustotal.com/en/ip-add...2/information/
    http ://fotouniek.grafi-offshore .com/09yhbvt4
    grafi-offshore .com: 85.214.152.145: https://www.virustotal.com/en/ip-add...5/information/
    http ://hxt.50webs .com/09yhbvt4
    50webs .com: 198.23.53.64: https://www.virustotal.com/en/ip-add...4/information/
    http ://mizosiri3.web.fc2 .com/09yhbvt4
    fc2 .com: 52.41.146.181: https://www.virustotal.com/en/ip-add...1/information/
    54.187.26.65: https://www.virustotal.com/en/ip-add...5/information/
    http ://okumachiryouin.yu-yake .com/09yhbvt4
    yu-yake .com: 112.140.42.29: https://www.virustotal.com/en/ip-add...9/information/
    http ://pamm-invest .ru/09yhbvt4
    pamm-invest .ru: 81.177.135.251: https://www.virustotal.com/en/ip-add...1/information/
    http ://tattoo-studio .nl/09yhbvt4
    tattoo-studio .nl: 80.69.86.210: https://www.virustotal.com/en/ip-add...0/information/
    http ://www.gerichtszeichnungen .de/09yhbvt4
    gerichtszeichnungen .de: 2a01:238:20a:202:1148::
    81.169.145.148
    : https://www.virustotal.com/en/ip-add...8/information/
    http ://www.moran10.karoo .net/09yhbvt4
    karoo .net: Could not find an IP address for this domain name.
    http ://www.silvotecna .co.cl/09yhbvt4
    silvotecna .co.cl: Could not find an IP address for this domain name.
    http ://www.sirigor.republika .pl/09yhbvt4
    republika .pl: 213.180.150.17: https://www.virustotal.com/en/ip-add...7/information/

    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1469178299/

    ** https://malwr.com/analysis/MjI2YWM0Y...djODViYmNiOGU/
    Hosts
    195.161.119.85

    *** https://www.virustotal.com/en/file/1...is/1469188310/

    dillerator.chat .ru: 195.161.119.85: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/b5...bb6c/analysis/
    ___

    Fake 'Invoice/Credit/Statement' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/vp-in...eads-to-locky/
    22 July 2016 - "... an email with the subject of 'VP Invoice/Credit/Statement – H10040' pretending to come from Prism Server Account <accounts@ vpplc .com> with a malicious word doc attachment which downloads Locky ransomware...
    The email looks like:
    From: Prism Server Account <accounts@ vpplc .com>
    Date: Fri 22/07/2016 10:27
    Subject: VP Invoice/Credit/Statement – H10040
    Attachment: INVOICE.DOCM
    Please find document(s) attached.
    The attached file(s) are in Adobe PDF format. Use Adobe Acrobat Reader or equivalent to view the file(s)...


    This attachment downloads the same Locky ransomware as described in this post* from the same locations... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://myonlinesecurity.co.uk/pleas...ky-ransomware/
    ___

    HelpDesk Upgrade Outlook Web - PHISH
    - https://myonlinesecurity.co.uk/ict-h...-app-phishing/
    22 July 2016 - "... many small companies and even ISPs do outsource IT support and email to 3rd parties and an end user never really is sure who the email provider actually is... slightly more believable than many others and it is quite easy to fall for it...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...l-1024x676.png

    The -link- in the email goes to:
    http ://xprs.imcreator .com/free/icthelpdesk/password
    ... which looks like this:
    > https://myonlinesecurity.co.uk/wp-co...e-1024x535.png "

    imcreator .com: 97.74.141.1: https://www.virustotal.com/en/ip-add...1/information/

    Last edited by AplusWebMaster; 2016-07-22 at 19:59.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #1014
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Emailing: Photo - Document' SPAM

    FYI...

    Fake 'Emailing: Photo - Document' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/07/malw...5-07-2016.html
    25 July 2016 - "This spam appears to come from various senders within the victim's own domain, but this is a simple forgery. It has a malicious attachment:
    From: Rebeca [Rebeca3@ victimdomain .tld]
    Date: 25 July 2016 at 10:16
    Subject: Emailing: Photo 25-07-2016, 34 80 10
    Your message is ready to be sent with the following file or link
    attachments:
    Photo 25-07-2016, 34 80 10 ...


    Attached is a .rar archive with a name matching the subject. Inside is a malicious .js script beginning with "Photo 25-07-2016".
    An alternative -variant- comes with a malicious -Word- document:
    From: Alan [Alan306@ victimdomain .tld]
    Date: 25 July 2016 at 12:40
    Subject: Emailing: Document 25-07-2016, 72 35 48
    Your message is ready to be sent with the following file or link
    attachments:
    Document 25-07-2016, 72 35 48 ...


    The attachment is this case is a .DOCM filed named in a similar way as before. This analysis is done by my usual trusted source (thank you). These scripts and macros download a component... The payload here is Locky ransomware, and it phones home to the following addresses:
    77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
    194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
    185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
    Recommended blocklist:
    77.222.54.202
    194.1.236.126
    185.117.153.176
    "

    77.222.54.202: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/8d...fca9/analysis/
    194.1.236.126: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/d9...138c/analysis/
    185.117.153.176: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/2a...49bd/analysis/

    Last edited by AplusWebMaster; 2016-07-25 at 15:25.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #1015
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Attached Image', 'list of activities' SPAM, Ransomware 2.0

    FYI...

    Fake 'Attached Image' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/07/malw...-leads-to.html
    26 July 2016 - "This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.
    From: victim@ victimdomain .tld
    To: victim@ victimdomain .tld
    Date: 26 July 2016 at 10:27
    Subject: Attached Image ...


    Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number... In this example* the script downloads a malicious binary from:
    www .isleofwightcomputerrepairs .talktalk .net/okp987g7v
    There will be -many- other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54**. The Hybrid Analysis*** for the dropped file shows it phoning home to:
    31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
    91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
    Recommended blocklist:
    31.41.47.41
    91.234.35.216
    "
    * https://malwr.com/analysis/MWYxYjBhO...Y0ZmFhZjEzZWY/
    Hosts
    62.24.202.31

    ** https://virustotal.com/en/file/96bc5...af25/analysis/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    91.234.35.216
    31.41.47.41


    - https://myonlinesecurity.co.uk/yet-a...email-address/
    26 July 2016 - "An email with the subject of 'Attached Image' pretending to come from your own email address with a zip attachment which downloads Locky Ransomware... One of the emails looks like:
    From: your own email address
    Date: Tue 26/07/2016 10:22
    Subject: Attached Image
    Attachment: 0324923_02.zip ...


    26 July 2016: 0324923_02.zip: Extracts to: 753707_02.js - Current Virus total detections 8/54*
    .. MALWR** shows a download of xxxx from
    http ://exploromania4x4club .ro/okp987g7v?tKLWyjuj=PrkWVPasbrS which gave me lnHLopubGiz.exe (VirusTotal 5/54***).
    Hybrid Analysis[4] . This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1469524580/

    ** https://malwr.com/analysis/YjY2ZmQyM...dkMTNhNGY2OWM/
    Hosts
    89.42.216.118
    *** https://www.virustotal.com/en/file/9...is/1469524971/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    89.42.216.118: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/d0...c66e/analysis/
    31.41.47.41: https://www.virustotal.com/en/ip-add...1/information/
    91.234.35.216: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'list of activities' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/07/malw...ies-leads.html
    26 July 2016 - "This -fake- business spam has a malicious attachment:
    From "Penelope Phelps"
    Date Tue, 26 Jul 2016 23:02:43 +1100
    Subject list of activities
    Hello,
    Attached is the list of activities to help you arrange for the coming presentation.
    Please read it carefully and write to me if you have any concern.
    Warm regards,
    Penelope Phelps
    ALLIED MINDS LTD
    Security-ID ...


    The sender's name, company and 'Security-ID' vary. Attached is a ZIP file with elements of the recipient's email address in, containing a malicious .wsf script... This Malwr report* and this Hybrid Analysis** show this particular sample downloading from:
    akva-sarat.nichost .ru/bokkdolx
    There will be -many- other download locations in addition to this. The downloaded file is Locky ransomware with a detection rate of 8/55***. Further analysis is pending, however it is quite likely that this sample uses the -same- C2 servers as seen earlier today[4]."
    * https://malwr.com/analysis/ZTA1ZmZmO...diYzRjMmY0NjQ/
    Hosts
    195.208.0.150

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    195.208.0.150: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/97...300d/analysis/

    *** https://virustotal.com/en/file/6cd6c...29e2/analysis/

    4] http://blog.dynamoo.com/2016/07/malw...-leads-to.html
    ___

    Ransomware 2.0 ...
    - http://www.techrepublic.com/article/...he-enterprise/
    July 26, 2016 - ... profits from ransomware are making it one of the fastest growing types of malware and new versions could negatively impact entire industries, according to a Cisco report
    "... Cisco used data from its customers to create the report, since there are more than 16 billion web requests that go through the Cisco system daily, with nearly 20 billion threats blocked -daily- and with more than 1.5 million unique malware samples daily, which works out to 17 new pieces of malware every second..."

    Last edited by AplusWebMaster; 2016-07-26 at 21:22.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #1016
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Sent from my Samsung', 'updated details' SPAM

    FYI...

    Fake 'Sent from my Samsung' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/07/malw...amsung_27.html
    27 July 2016 - "This spam comes in a few different variations:
    From: Lottie
    Date: 27 July 2016 at 10:38
    Subject: scan0000510
    Sent from my Samsung device


    The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component... The dropped file is Locky ransomware and it has a detection rate of 2/52*. It phones home to the following locations:
    5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
    178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
    (Thank you to my usual source for this data) There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.
    Recommended blocklist:
    5.9.253.160/27
    178.62.232.244
    "
    * https://www.virustotal.com/en/file/9...dfda/analysis/

    5.9.253.173: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/59...d145/analysis/
    178.62.232.244: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/20...9b6e/analysis/
    ___

    Fake 'updated details' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/07/malw...s-updated.html
    27 July 2016 - "This spam has a malicious attachment:
    Subject: updated details
    From: Faith Davidson (Davidson.43198@ optimaestate .com)
    Date: Wednesday, 27 July 2016, 11:13
    Attached is the updated details about the company account you needed
    King regards
    Faith Davidson ...


    The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample* shows the script download from:
    beauty-jasmine .ru/6dc2y
    There will be -many- more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55**. Analysis of this payload is pending, however the C2 servers may well be the same as found here***."
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    195.208.1.120: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/47...ed8c/analysis/

    ** https://virustotal.com/en/file/085d8...5de3/analysis/

    *** http://blog.dynamoo.com/2016/07/malw...amsung_27.html

    Last edited by AplusWebMaster; 2016-07-27 at 21:54.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #1017
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'invoice', 'Self Billing Statement' SPAM

    FYI...

    Fake 'invoice' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/07/malw...-attached.html
    28 July 2016 - "This -fake- financial spam leads to malware:
    Subject: Invoice
    From: Kendall Harrison (Harrison.59349@ chazsmedley .com)
    Date: Thursday, 28 July 2016, 10:33
    Hello,
    Please check the attached invoice and confirm me if I sent the right data
    Yours sincerely,
    Kendall Harrison
    320907cb16fbe856062a081d4f925b39cb3f007b8818d40dd3


    The name of the sender and the hexadecimal number at the bottom varies. Attached is a randomly-named ZIP file which in the sample I analysed contains a malicious .wsf script beginning with the word "redacted". The Malwr analysis* for the partially deobfuscated script and this Hybrid Analysis** show this particular sample downloading from:
    83.235.64.44/~typecent/xvsb58
    This drops a malicious Locky ransomware binary with a detection rate of 7/55***. Analysis of this binary is pending.
    UPDATE: Thank you to my usual source for this analysis... C2 locations:
    178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
    193.124.180.6/upload/_dispatch.php (Marosnet, Russia)
    139.59.147.0/upload/_dispatch.php (Digital Ocean, Germany)
    Recommended blocklist:
    178.62.232.244
    193.124.180.6
    139.59.147.0
    "
    * https://malwr.com/analysis/Nzg5YzJmZ...M5Y2Q3NGQwNmM/
    Hosts
    83.235.64.44

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    83.235.64.44: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/7e...e541/analysis/

    *** https://virustotal.com/en/file/1da2b...3f9e/analysis/
    ___

    Fake 'Self Billing Statement' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/07/malw...statement.html
    28 July 2016 - "This -fake- financial spam comes with a malicious attachment:
    From Kathryn Smith [kathryn@ powersolutions .com]
    Date Thu, 28 Jul 2016 16:21:41 +0530
    Subject Self Billing Statement


    I do not know if there is any body text at present. Attached is a file with a name similar to 'Self Billing Statement_431.zip' which contains a similarly named malicious script (e.g. Self Billing Statement_4424.js).
    Analysis by a trusted party shows that these scripts download a component...
    This originally dropped this payload* since updated to this payload**, both of which are Locky ransomware.
    The C2 servers to -block- are exactly the -same- as found in this earlier spam run***."
    * https://www.virustotal.com/en/file/6...5000/analysis/

    ** https://www.virustotal.com/en/file/a...f36d/analysis/

    *** http://blog.dynamoo.com/2016/07/malw...-attached.html

    Last edited by AplusWebMaster; 2016-07-28 at 14:59.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #1018
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Bank account record', 'Voicemail' SPAM, RIG Exploit Kit

    FYI...

    Fake 'Bank account record' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/07/malw...ord-leads.html
    29 July 2016 - "This -fake- financial spam leads to malware:
    Subject: Bank account record
    From: Stephen Ford (Ford.24850@ aworkofartcontracting .com)
    Date: Friday, 29 July 2016, 10:56
    Good morning,
    Did you forget to finish the Bank account record?
    Read the attachment and let me know if there is anything I didn't make clear.
    Yours sincerely,
    Stephen Ford
    57ad5eceb5e68fe97525ff408e9da2ecda5a97be6743bbe0fe


    The sender will vary from email to email, but the "From" name is always consistent with the one in the email. Attached is a ZIP file with a random hexadecimal number which in the sample I am looking at contains a malicious .wsf script starting with the words "account record"...
    According to the Hybrid Analysis* on that script and Malwr report** on a partly deobfuscated version the script downloads a binary from:
    oleanderhome .com/q59ldt5r
    This dropped binary has a detection rate of 5/55*** and is presumably Locky ransomware, but automated analysis is inconclusive [1] [2]. The is also traffic to kassa.p0 .ru which is more of a puzzle and doesn't look particularly malicious****. I don't know if that is common to all scripts, but it might be worth looking out for in your traffic logs. If I get more information on this I will post it here."
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    195.216.243.102
    107.180.50.233


    ** https://malwr.com/analysis/OGYzZWU1Y...Y4MzFlMTJhNGE/
    Hosts
    195.216.243.102: https://www.virustotal.com/en/ip-add...2/information/
    107.180.50.233: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/d2...0e6e/analysis/

    *** https://virustotal.com/en/file/00f8d...0c13/analysis/

    **** https://urlquery.net/report.php?id=1469786112022

    1] https://www.hybrid-analysis.com/samp...ironmentId=100

    2] https://malwr.com/analysis/Njk0YmQ0Z...VmOTE5MjZjMzA/

    UPDATE: My trusted source (thank you) gives the following... C2 servers are the same as found here*.
    178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain .in.ua]
    91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4 .biz, Ukraine)
    91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti .ru]
    Recommended blocklist:
    178.62.232.244
    91.195.12.143
    91.230.211.139
    "
    * http://blog.dynamoo.com/2016/07/malw...anonymous.html
    29 July 2016
    ___

    Fake 'Voicemail' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/07/malw...anonymous.html
    29 July 2016 - "This -fake- voicemail spam has a malicious attachment:
    From SureVoIP [voicemailandfax@ surevoip .co.uk]
    Date Fri, 29 Jul 2016 17:47:41 +0700
    Subject Voicemail from Anonymous <Anonymous> 00:02:15
    Message From "Anonymous" AnonymousCreated: Fri, 29 Jul 2016 19:45:15 +0900Duration:
    00:02:37Account: victimdomain .tld


    The attachment is in the format msg_7b40ef3f-90a3-c2c7-2858-f9041f1023de.zip containing a malicious .wsf script with a name similar to account record =B5D=.wsf...
    The downloaded binary is Locky ransomware, phoning home to:
    178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain .in.ua]
    91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4 .biz, Ukraine)
    91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti .ru]
    Recommended blocklist:
    178.62.232.244
    91.195.12.143
    91.230.211.139
    "

    178.62.232.244: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/20...9b6e/analysis/
    91.195.12.143: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/fc...57dd/analysis/
    91.230.211.139: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/3b...29a4/analysis/
    ___

    Recent Activity - RIG Exploit Kit
    - https://atlas.arbor.net/briefs/index#233459834
    July 28, 2016 - "... Analysis: In the wake of the disappearance of the previously successful Angler exploit kit and Nuclear Exploit Kit, cybercrime continues through other kits such as Neutrino, RIG, Sundown and others although campaign activity as recently as June has been lower volume compared to the time period when Angler and Nuclear were active... It is likely that this exploit kit traffic will increase over time, as prior users of other exploit kits migrate."
    > https://blog.malwarebytes.com/threat...kit-campaigns/

    Last edited by AplusWebMaster; 2016-07-30 at 15:56.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #1019
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Corrected report' SPAM, Google snippets abused

    FYI...

    Fake 'Corrected report' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...-attached.html
    1 Aug 2016 - "This spam comes with a malicious attachment:
    Subject: Corrected report
    From: Joey Cox (Cox.48@ sodetel .net.lb)
    Date: Monday, 1 August 2016, 13:37
    Dear webmaster,
    Please review the attached corrected annual report.
    Yours faithfully
    Joey Cox


    The name of the sender will vary. Attached is a ZIP file with a random name, containing a malicious .WSF script beginning with "annual report". This attempts to download Locky ransomware (MANY locations listed)...
    The dropped binary then attempts to phone home to:
    91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname evradikfreeopti.ru]
    37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
    91.219.29.48/upload/_dispatch.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
    The host for that last one comes up over and over again, it's time to -block- that /22.."
    Recommended blocklist:
    91.230.211.139
    37.139.30.95
    91.219.28.0/22
    "

    91.230.211.139: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/3b...29a4/analysis/
    37.139.30.95: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/16...5508/analysis/
    91.219.29.48: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/e3...8257/analysis/
    ___

    Google featured snippets abused by SEO scammers
    - https://blog.malwarebytes.com/cyberc...-seo-scammers/
    Aug 1, 2016 - "... online crooks are abusing Google’s featured snippets via compromised-websites that -redirect- to -bogus- online stores. A featured snippet is triggered when a user types in a question via a standard search. Google will display a block with a summary of the answer and a link to the site, on top of the regular search results. Because of this prominent placement, Blackhat SEO miscreants are extremely interested in featured snippets as they can capture a large amount of traffic and redirect it to any site of their choosing. In this particular case, a hacked Hungarian sports site (which has nothing to do with software or license keys) is used to game Google’s algorithm which programmatically determines that a page contains a likely answer to the user’s question. People who click-on-the-link will be -redirected- to cheapmicrosoftkey[.]com a site that offers various license keys for Microsoft products at ‘discounted’ prices. Buying from such dubious online shops is -never- a good idea as you might actually purchase stolen merchandise, or worse, get completely scammed:
    > https://blog.malwarebytes.com/wp-con...ow_snippet.png
    ... In an added twist, if you visited the Hungarian website directly, you would be -redirected- to the Neutrino exploit kit and get infected with the CrypMIC ransomware. This is a good example of the multiple ways criminals can monetize a -hacked- site. It is quite likely in this case that the site was hacked several different times in unrelated automated attacks, perhaps even via the same vulnerability... As an end user, beware of online deals that sound too good to be true. This example is particularly tricky as people would be inclined to trust their search engine for showing them the answer to their question. We have reported this particular abuse to the Google team."
    IOC:
    IP: 185.139.238.210: https://www.virustotal.com/en/ip-add...0/information/

    cheapmicrosoftkey[.]com: 185.139.238.210

    Last edited by AplusWebMaster; 2016-08-02 at 13:22.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #1020
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Paid bills', 'Unable to deliver' SPAM, Tech Support Scams

    FYI...

    Fake 'Paid bills' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...ched-last.html
    2 Aug 2016 - "This -fake- financial spam has a malicious attachment:
    From: Nathanial Lane
    Date: 2 August 2016 at 12:05
    Subject: Paid bills
    Hello [redacted],
    Please see the attached last month’s paid bills for the company
    Best regards
    Nathanial Lane


    The name of the sender varies. It appears that these are being sent out in very-high-volumes. Attached to the email message is a randomly-named ZIP file which contains a malicious .js script beginning with "sales charts".
    Thank you to my usual source for this analysis: the script downloads... (from MANY locations)...
    The payload is Locky ransomware, phoning home to:
    37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy .ru]
    93.170.128.249/upload/_dispatch.php (Krek Ltd, Russia)
    Recommended blocklist:
    37.139.30.95
    93.170.128.249
    "

    37.139.30.95: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/16...5508/analysis/
    93.170.128.249: https://www.virustotal.com/en/ip-add...9/information/
    Country: RU
    ___

    Fake 'Unable to deliver' SPAM - leads to ransomware
    - http://blog.dynamoo.com/2016/08/malw...iver-your.html
    2 Aug 2016 - "This -fake- FedEx email has a malicious attachment.
    From: FedEx International Ground [terry.mcnamara@ luxmap .com]
    Date: 2 August 2016 at 18:53
    Subject: [REDACTED], Unable to deliver your item, #000179376
    Dear [Redacted],
    This is to confirm that one or more of your parcels has been shipped.
    Please, open email attachment to print shipment label.
    Thanks and best regards,
    Terry Mcnamara,
    Support Manager.


    Attached is a ZIP file FedEx_ID_000179376.zip which contains a malicious script FedEx_ID_000179376.doc.js which is highly obfuscated but which becomes clearer when deobfuscated. This Hybrid Analysis* on the sample shows that the script downloads -ransomware- from opros.mskobr .ru but a quick examination of the code reveals several download locations:
    opros.mskobr .ru
    alacahukuk .com
    www .ortoservis .ru
    aksoypansiyon .com
    samurkasgrup .com
    Three of those domains are on the same IP (77.245.148.51), so we can assume that the server is completely compromised. If we extend that principle to the other servers then you might want to block traffic to:
    195.208.64.20 (ROSNIIROS, Russia)
    77.245.148.51 (Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti., Turkey)
    5.101.153.32 (Beget Ltd, Russia)
    A couple of binaries are dropped onto the system, a.exe (detection rate 2/53)** [may not be malicious] and a2.exe (detection rate 7/53)***.
    The payload seems to be Nemucod/Crypted or some related ransomware.
    Recommended blocklist:
    195.208.64.20
    77.245.148.51
    5.101.153.32
    "
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    195.208.64.20

    ** https://www.virustotal.com/en/file/4...is/1470163333/

    *** https://www.virustotal.com/en/file/4...is/1470163336/
    ___

    Tech Support Scams - two for one ...
    - https://blog.malwarebytes.com/cyberc...-price-of-one/
    Aug 2, 2016 - "... Running an executable file posing as an installer for “VMC Media Player”, we were greeted by these prompts telling us we were going to be logged off:
    > https://blog.malwarebytes.com/wp-con...warning1-1.png
    ..
    > https://blog.malwarebytes.com/wp-con...7/warning3.png
    — and this site opening in our default browser:
    > https://blog.malwarebytes.com/wp-con...warning2-1.png
    Since yolasite .com offers users the option to track visitors to their sub-domain, we suspect this site to be built to keep track of the people that installed the “software”. We have reported this site to Yola and are awaiting a reply. This sequence of events is programmed in a simple batch file that opens the site and commands the computer to shut down in 5 minutes... Once the victims log back on, they will be confronted with this -fake- BSOD screen:
    > https://blog.malwarebytes.com/wp-con.../07/main-2.png
    The screen’s text rambles a lot about errors and Trojans and displays the phone-number they would like you to call. It also shows a seemingly unrelated prompt to “get the product key”, which we will discuss later on, and a button labeled “Microsoft Help” that opens the site www[dot]microsoft[dot]aios[dot]us:
    > https://blog.malwarebytes.com/wp-con...16/07/site.png
    Here you can download remote administration tools to get ”support” for a great variety of products. We have seen complaints about the people running this site and its predecessors for at least two years. The site shows a prompt that is a bit unclear about your options:
    > https://blog.malwarebytes.com/wp-con...07/choices.png
    The listed options are YES to “Start Support Session” or NO to “Browse Support Site”, but the buttons are labeled OK and Cancel. I tested for you, and Cancel gets rid of the pop-up. And if you allow more pop-ups and click OK a few times, you will eventually get the option to download the legitimate remote administration tool TeamViewer.
    And the second Tech Support Scam? Ah yes, let’s circle back to the prompt that promised us a product key:
    > https://blog.malwarebytes.com/wp-con...getthenext.png
    Click OK on that one, and you will see a download prompt for a file called license_key.exe:
    > https://blog.malwarebytes.com/wp-con...oadfromrun.png
    This file has been reported to Mediafire. If you run this file, you may get some déj* vu feelings as you will see the “Thank you” prompt to notify that you will be logged off and visit another Yola site, this time it’s thankyou1234[dot]yolasite[dot]com using the URL shortener lnk.direct. Statistics of the URL shortener showed it was created 06/29/2016 and had 1143 visitors over the past month... The relatively good news about this repetition is that it will get rid of the fake BSOD for you because it alters the Winlogon Shell registry value yet again, only to replace it with -another- Tech Support Scammers -lock-screen- however. This time one that looks a lot like some of the earlier ones. A phone number and a form requesting “a product key”:
    > https://blog.malwarebytes.com/wp-con.../07/main-3.png
    Only this time it looks like you are completely -stuck- without any option. The part of the form that you would expect to fill out and the “Cancel” button are both unresponsive, so most people will end up having to use Ctrl-Alt-Del to get out of this. The name of the running processes for both rounds is fatalerror(.exe). We have dubbed the second one “Product Key” as that is the name of the folder it creates in Program Files (x86). But for the benefit of the Tech Support Scammers there is an “Easter egg” hidden in this screen. If you click -anywhere- in the 5th line (the one starting with the words “PRODUCT KEY”) you will go to this screen:
    > https://blog.malwarebytes.com/wp-con...eretheyare.png
    ... Summary: In what must be an attempt to drive victims crazy enough to call one of their numbers, Tech Support Scammers replace one logon lock-screen with another... save yourself the hassle and get protected."

    yolasite[dot]com: 2400:cb00:2048:1::6810:69f9
    2400:cb00:2048:1::6810:68f9
    2400:cb00:2048:1::6810:67f9
    2400:cb00:2048:1::6810:6af9
    2400:cb00:2048:1::6810:6bf9

    104.16.105.249: https://www.virustotal.com/en/ip-add...9/information/
    104.16.106.249: https://www.virustotal.com/en/ip-add...9/information/
    104.16.103.249: https://www.virustotal.com/en/ip-add...9/information/
    104.16.107.249: https://www.virustotal.com/en/ip-add...9/information/
    104.16.104.249: https://www.virustotal.com/en/ip-add...9/information/

    aios[dot]us: 107.180.21.20: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/7e...8b79/analysis/

    Last edited by AplusWebMaster; 2016-08-03 at 00:03.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •