Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'New order' SPAM - malware

    FYI...

    Fake 'New order' SPAM - malware
    - http://myonlinesecurity.co.uk/daniel...order-malware/
    25 Oct 2014 - "'Daniela Lederer Re: New Order' is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...-new-order.png

    25 October 2014: J2134457863.zip: Extracts to: J2134457863.exe
    Current Virus total detections: 14/54* . Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en-gb/fil...is/1414216443/

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #2
    AplusWebMaster

    Fake job sites, Fake Tech Support website infections

    FYI...

    'Dark market' websites seized in U.S., European busts - Silk Road 2.0
    - http://www.reuters.com/article/2014/...0IR0Z120141107
    Nov 7, 2014
    > http://s4.reutersmedia.net/resources...=LYNXMPEAA60EZ
    "U.S. and European authorities on Friday announced the seizure of more than 400 secret website addresses and arrests of 16 people in a sweep targeting black markets for drugs and other illegal services. The developments were announced a day after prosecutors in New York unveiled criminal charges against the alleged operator of underground online drug marketplace Silk Road 2.0. U.S. authorities called the global sweep the largest law enforcement action to date against illegal websites operating on the so-called Tor network, which lets users communicate anonymously by masking their IP addresses... Europol, in a statement, said U.S. and European cyber crime units, in a sweep across 18 countries, had netted $1 million worth of Bitcoin, the digital currency, 180,000 euros in cash, silver, gold and narcotics. The more than 400 websites and domains seized on Thursday existed on the Tor network and were used by dozens of online marketplaces where such things as child pornography, guns and murder-for-hire could be purchased, authorities said. Sixteen people operating illegal sites were arrested in addition to the defendant in the Silk Road 2.0 case, Europol added, without specifying the charges... On Thursday, U.S. authorities said they had shut down Silk Road 2.0, a successor website to underground online drugs marketplace Silk Road. Blake Benthall, the alleged operator of Silk Road 2.0, was arrested and charged with -conspiracy- to commit drug trafficking, computer hacking, money laundering and other crimes. Troels Oerting, head of Europol's cybercrime center, said the operation knocked out a significant part of the infrastructure for illegal online drugs and weapons trade in the countries involved... The websites had complete business models, Oerting said, and displayed what they sold, including drugs, weapons, stolen credit cards..."
    - http://www.fbi.gov/newyork/press-rel...-federal-court
    ___

    Fake invoice SPAM - malicious Word macro attachment
    - http://blog.dynamoo.com/2014/11/sue-...-contains.html
    7 Nov 2014 - "This -fake- invoice spam (all pretending to be from someone called Sue Morckage) comes with a malicious Word macro attachment.
    From: Sue Morckage
    Date: 7 November 2014 13:10
    Subject: inovice 9232088 November
    This email contains an invoice file attachment


    The number in the subject is random, and attached is a document with the same format name (in this example invoice_9232088.doc). So far I have seen two attachments both with VT detection rates of 4/54 [1] [2]... which contains one of two malicious macros... which then go and download a binary from one of the following locations:
    http ://ksiadzrobak .cba .pl/bin.exe > https://www.virustotal.com/en/ip-add...9/information/
    http ://heartgate .de/bin.exe > https://www.virustotal.com/en/ip-add...6/information/
    This binary gets copied into %TEMP%\AKETVJIJPZE.exe and it has a VirusTotal detection rate of just 1/54*, but so far automated analysis tools... are inconclusive as to what this does, however the payload is likely to be Cridex."
    * https://www.virustotal.com/en/file/e...is/1415369050/

    1] https://www.virustotal.com/en/file/7...is/1415365398/

    2] https://www.virustotal.com/en/file/0...is/1415368736/

    - http://myonlinesecurity.co.uk/sue-mo...d-doc-malware/
    7 Nov 2014
    > https://www.virustotal.com/en/file/6...is/1415372037/
    ___

    Fake job sites ...
    - http://blog.dynamoo.com/2014/11/euro...-fake-job.html
    7 Nov 2014 - "This tip* from @peterkruse about a spam run pushing -fake- jobs using the domain europejobdays .com caught my eye, especially the mention of the nameservers using the stemcellcounseling.net domain. These -fake- job sites tend not to go alone, and a look at the other domains using the same nameservers comes up with a whole list of related -fake- sites... avoid**. You should be aware that the jobs on offer are actually part of some criminal enterprise such as money laundering or parcel reshipping. You can see a video that explains the parcel reshipping scam and the role of the parcel mule below:
    > https://www.youtube.com/watch?v=UbSCXqL1jL4

    * https://twitter.com/peterkruse/statu...28073264517120

    ** (Long list at the dynamoo URL at the top.)
    ___

    Fake Tech Support website infections ...
    - https://blog.malwarebytes.org/exploi...-even-dial-in/
    Nov 6, 2014 - "... Many websites that are promoted via ads on search engines or pop ups often turn out to be impostors or crooks and it doesn’t matter whether they are overseas or here in the U.S. This time around, our focus is on a company that seems to want a big piece of the U.S. market and boasts their infrastructure as being 'ahead of time technology equipment' while 'your computer issues are fixed securely'. This couldn’t be further from the truth. For some reason, looking at the site gives an impression of déjà-vu. Perhaps it is the template and stock photos typically used by many overseas tech support companies... While we shouldn’t judge a book by its cover, there is something really wrong that happens when you visit their website:
    > https://blog.malwarebytes.org/wp-con...d-1024x817.png
    ... One of the html files (a banner) contains a malicious script loading a page from a compromised website. This site contains an -iframe- with a dynamic URL that silently -redirects- the user to the Angler Exploit Kit... In this case, if your system was outdated and you had no security solution, you would have been victim of the fileless infection followed by additional malware... This drive-by infection almost seems like the perfect segue into a malware diagnostic. In fact, right from the beginning of our call, the technician already assumed our computer was infected... Sadly, the service provided by American Tech Help is not up to par either. The technicians are quick to point out errors and ‘hackers’ that have compromised your computer by simply showing the (typical) warnings displayed in the Windows Event Viewer:
    > https://blog.malwarebytes.org/wp-con...r-1024x728.png
    ... here’s the problem: Before browsing to their site and calling them up we had made sure our computer was fully patched. So while the site attempted to exploit our system, it never succeeded. So the technician’s report is completely -bogus- . It is quite possible that the tech support site was simply hacked because of poor security practices and that their owners aren’t aware of it. Or perhaps they don’t even care until the major browsers start blacklisting them and they see their traffic take a dive... There was a time when we could say that as long as you didn’t let scam artists take remote control of your computer, you were fine. Now the mere fact of browsing to one of their sites could be the beginning of some real troubles. It is -not- entirely surprising that such sites are dangerous to visit: they are built quickly, on the cheap and with little to no maintenance. This is just a recipe for disaster as any good website owner would tell you. For more information on tech support scams and general advice, please check out our Tech Support -Scams- resource page*."
    * https://blog.malwarebytes.org/tech-support-scams/

    - http://www.symantec.com/connect/blog...eet-ransomlock
    7 Nov 2014 - "A technical-support phone scam uses Trojan.Ransomlock.AM to lock the user’s computer and trick them into calling a technical help phone number to resolve the issue...
    Top ten ransomware detections as of 11-07-14:
    > http://www.symantec.com/connect/site...omlock%202.png
    Fake BSoD lock screen:
    > http://www.symantec.com/connect/site...203%20edit.png ..."

    - http://www.ftc.gov/news-events/press...h-support-scam

    Last edited by AplusWebMaster; 2014-11-09 at 11:50.
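    The Malwarebytes write-up above describes the mechanism behind the drive-by: a banner file on the tech-support site carries a script that loads a page from a compromised site, which in turn holds a hidden -iframe- redirecting the visitor to the exploit kit. As an added example (not code from the blog or from this thread), here is a small Python scanner a site owner or analyst can run over their own pages to surface iframes that are invisible (1x1 pixels, display:none, zero width/height) and that pull content from another host. The sample HTML and all hostnames in it are constructed placeholders.

```python
"""Scan an HTML page for hidden iframes of the kind described in the
Malwarebytes write-up (an invisible frame that silently loads a page from
another site). Added example, not code from the blog or this thread; the
HTML below is constructed and the hostnames in it are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline CSS that makes an element effectively invisible.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\b",
    re.IGNORECASE,
)


def _dimension(value):
    """Turn a width/height attribute ('0', '1px', '560') into an int, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeScanner(HTMLParser):
    """Collect iframes that are hidden; note whether their src is third-party."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): v for k, v in attrs}
        reasons = []
        w, h = _dimension(a.get("width")), _dimension(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny dimensions")
        if HIDDEN_CSS.search(a.get("style") or ""):
            reasons.append("hidden by css")
        if not reasons:
            return  # visible embeds (video players etc.) are not reported
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host:
            reasons.append("third-party src")
        self.findings.append({"src": src, "reasons": reasons})


def scan_html(html, page_host):
    """Return a list of {'src', 'reasons'} dicts for hidden iframes in html."""
    scanner = IframeScanner(page_host)
    scanner.feed(html)
    return scanner.findings


# Constructed page: one normal visible embed, one invisible frame injected into a banner.
SAMPLE_HTML = """<html><body>
<h1>Remote PC Support</h1>
<iframe src="https://www.youtube.com/embed/placeholder" width="560" height="315"></iframe>
<div id="banner">
<iframe src="http://compromised-site.example/in.php?id=1" width="1" height="1"
        style="display:none"></iframe>
</div>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "techsupport.example"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

    Run it against the HTML of your own landing pages (fetched the way a visitor would see them, since the injected code may only appear in served output). A hidden frame pointing at a host you do not recognise is the thing to investigate; the visible YouTube embed in the sample is deliberately not reported, because size and visibility, not third-party origin alone, are what distinguish an injected redirector from a normal embed.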

  3. #3
    AplusWebMaster

    Something evil on 46.8.14.154, Fake Payment SPAM ...

    FYI...

    Something evil on 46.8.14.154
    - http://blog.dynamoo.com/2014/11/some...-46814154.html
    21 Nov 2014 - "46.8.14.154 (Netart Group S.r.o. / Movenix International Inc) forms part of an exploit chain that starts with compromised OpenX servers and appears to end up with an exploit kit of some sort... subdomains have been active on that server, they are ALL hijacked GoDaddy domains... (Long list @ the dynamoo URL above) ... The best thing to do is to -block- traffic to 46.8.14.154 because these domains seem to change every few minutes."
    ___

    Fake 'Payment Received' SPAM - malicious DOC attachment
    - http://blog.dynamoo.com/2014/11/dupl...spam-from.html
    21 Nov 2014 - "This -fake- financial spam has a malicious Word document attached.
    From: Enid Tyson
    Date: 21 November 2014 15:36
    Subject: INV209473A Duplicate Payment Received
    Good afternoon,
    I refer to the above invoice for which we received a bacs payment of £675.74 on 10th November 14. Please be advised that we already received payment for this invoice, by bacs on 30th October 2014.
    I will therefore arrange a refund, please confirm preferred method, cheque or bacs transfer. If a cheque please confirm the name the cheque should be made out too or if bank transfer, please advise bank details.
    If you have any queries regarding this matter, please do not hesitate to contact me.
    I look forward to hearing from you .
    Many thanks
    Enid Tyson
    Accounts Department


    In this case the attachment is De_209473A.doc but it will probably vary with the subject name, the document itself has zero detections at VirusTotal (the Malwr report is inconclusive). This contains a malicious macro... which connects to the following URL:
    http ://79.137.227.123 :8080/get1/get1.php
    ...This has a VirusTotal detection rate of just 1/55*. The malware is hardened against analysis in a Sandbox so automated results are inconclusive...
    UPDATE: A second version is going the rounds, with zero detections** and a download location of http :// 61.221.117.205 :8080/get1/get1.php ..."
    * https://www.virustotal.com/en/file/7...is/1416584784/

    ** https://www.virustotal.com/en/file/e...is/1416584533/


  4. #4
    AplusWebMaster

    Something evil on 46.161.30.0/24, FedEx phish ...

    FYI...

    Something evil on 46.161.30.0/24
    - http://blog.dynamoo.com/2014/12/some...616130024.html
    4 Dec 2014 - "The IP address range of 46.161.30.0/24 (KolosokIvan-net) appears to be dedicated purely to providing phone-home servers for TorrentLocker or some other similar malware. In the past, this IP range has hosted various sites which have moved off... There are no legitimate sites in this network range, so I strongly recommend that you -block- the entire 46.161.30.0/24 range."
    (More detail at the dynamoo URL above.)
    ___

    Fake 'Quickbooks intuit unpaid invoice' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/quickb...e-pdf-malware/
    4 Dec 2014 - "'Quickbooks intuit unpaid invoice' with a zip attachment pretending to come from Elena.Lin@ intuit .com <Elena.Lin@ quickbooks .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please review the attached invoice and pay this invoice at your earliest convenience. Feel free to contact us if you have any
    questions.
    Thank you.


    4 December 2014 : invoice72.zip: Extracts to: invoice72.scr
    Current Virus total detections: 6/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1417726300/
    ... Behavioural information
    TCP connections
    80.248.222.238: https://www.virustotal.com/en/ip-add...0/information/
    198.58.84.150: https://www.virustotal.com/en/ip-add...0/information/
    UDP communications
    198.27.81.168: https://www.virustotal.com/en/ip-add...8/information/
    192.95.17.62: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'FedEx Delivery' confirmation - phishing 419 SCAM
    - http://myonlinesecurity.co.uk/fedex-...hing-419-scam/
    4 Dec 2014 - "'FedEx Delivery Notification. (Confirmation)' pretending to come from FedEx Courier Delivery <FedExdelivery@ FedEx .com> is a phishing scam. When I first saw these emails start to come in, I thought it was a follow-on to the current malware spreading campaign Fedex Unable to deliver your item, #00486182 malware but no, it is a pure and simple phishing scam trying to get you to voluntarily give your details. It is most likely a 419 scam which will ask for a fee to expedite the delivery. Just look at all the spelling and grammar mistakes in the email, but of course most victims just don’t read emails closely, just blindly follow instructions and do what is asked without thinking. Email looks like:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...very_phish.jpg

    ... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
    ___

    Fake Air Canada emails with ticket and flight confirmation leads to malicious ZIP file
    - http://blog.mxlab.eu/2014/12/03/new-...ious-zip-file/
    Dec 3, 2014 - "... intercepted a new trojan distribution campaign by email with the subjects like:
    Order #70189189901 successfully – Ticket and flight details
    Order #70189101701 paid – E-ticket and flight details
    This email is sent from the -spoofed- address “Aircanada .com” <tickets@ aircanada .com>” and has the following body:
    Dear client,
    Your order has been successfully processed and your credit card charged.
    ELECTRONIC TICKET – 70189101701
    FLIGHT – QB70189101701CA
    DATE / TIME – Dec 4th 2014, 15:30
    ARRIVING – Quebec
    TOTAL PRICE / 575.00 CAD
    Your ticket can be downloaded and printed from the following URL: ...
    hxxps ://www.aircanada .com/travelInformation/viewOrderInfo.do?ticket_number=70189101701& view_pdf=yes
    For information regarding your order, contact us by visiting our website: ...
    Thank you for choosing Air Canada


    The embedded URL does -not- point the browser to the real web site address but to hxxp ://ravuol .com/wp-content/plugins/revslider/temp/update_extract/revslider/pdf_ticket_QB70189189901CA.zip. Once this file is extracted you will have the 209 kB large file pdf_ticket_QB70189189901CA.pif. The trojan is known as Trojan.MalPack or a variant of Win32/Injector.BQPL. This trojan has the ability to fingerprint the system, start a server listening on a local machine, create Zeus mutexes, installs itself to autorun, modifies local firewall and policies. At the time of writing, 2 of the 52* AV engines did detect the trojan at Virus Total..."
    * https://www.virustotal.com/en/file/8...96fb/analysis/

    ravuol .com / 192.232.218.114: https://www.virustotal.com/en/ip-add...4/information/

    Last edited by AplusWebMaster; 2014-12-05 at 01:23.

  5. #5
    AplusWebMaster

    WordPress sites infected with Malware, Fake 'AquAid Card', Fake 'JPMorgan' SPAM ...

    FYI...

    More than 100,000 'WordPress sites infected with Malware'
    - https://www.sans.org/newsletters/newsbites/xvi/99#301
    Dec 15, 2014 - "More than 100,000 websites running on WordPress content management system have been found to be infected with malware that attacks the devices of site visitors. Google has blacklisted more than 11,000 domains. Reports suggest that the attackers exploited a vulnerability in the Slider Revolution Premium plug-in*, which the company has known about since September 2014..."
    > http://arstechnica.com/security/2014...rious-malware/
    Dec 15, 2014
    (More links at the sans URL above.)

    * http://blog.sucuri.net/2014/12/soaks...-websites.html
    Dec 14, 2014
    ___

    Fake 'AquAid Card' SPAM – doc malware
    - http://myonlinesecurity.co.uk/tracey...d-doc-malware/
    18 Dec 2014 - "'AquAid Card Receipt' pretending to come from Tracey Smith <tracey.smith@aquaid.co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in windows explorer or your email client might well be enough to infect you. Definitely DO -NOT- follow the advice they give to enable macros to see the content... The email looks like:
    Hi
    Please find attached receipt of payment made to us today
    Tracey
    Tracey Smith| Branch Administrator
    AquAid | Birmingham & Midlands Central
    Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP ...


    Screenshot: http://myonlinesecurity.co.uk/wp-con...ious-email.jpg

    The macros in this malicious word doc try to connect to http ://sardiniarealestate .info/js/bin.exe ..which is saved as %TEMP%\YEWZMJFAHIB.exe – this has a marginally better detection rate of 3/53*. As we have seen in so many recent attacks like this one, there are 2 versions of the malware:
    18 December 2014 : CAR014 151239.doc ( 124kb) | Current Virus total detections: 2/56**
    CAR014 151239.doc (130 kb) | Current Virus total detections: 2/55***
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them..."
    * https://www.virustotal.com/en/file/b...is/1418893740/

    ** https://www.virustotal.com/en/file/c...is/1418891360/

    *** https://www.virustotal.com/en/file/0...is/1418891888/


    > http://blog.dynamoo.com/2014/12/malw...d-receipt.html
    18 Dec 2014
    - https://www.virustotal.com/en/file/c...is/1418893415/
    ... Recommended blocklist:
    74.208.11.204
    81.169.156.5
    "
    ___

    Fake 'Internet Fax' SPAM - trojan Upatre.FH
    - http://blog.mxlab.eu/2014/12/18/emai...jan-upatre-fh/
    Dec 18, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Internet Fax Job”, the email is sent from the spoofed address “MyFax <no-replay@ my-fax.com>” and has the following body:
    Fax image data
    hxxp ://bursalianneler .com/documents/fax.html


    The downloaded file fax8642174_pdf contains the 21 kB large file fax8642174_pdf.exe. The trojan is known as Upatre.FH. The trojan will install itself by creating the service ioiju.exe and makes sure that it boots when Windows starts, modifies several Windows registries... At the time of writing, 1 of the 55 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/7...f048/analysis/
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    192.185.52.226: https://www.virustotal.com/en/ip-add...6/information/
    78.46.73.197: https://www.virustotal.com/en/ip-add...7/information/
    UDP communications
    203.183.172.196: https://www.virustotal.com/en/ip-add...6/information/
    203.183.172.212: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'JPMorgan Chase' SPAM - fake PDF malware
    - http://myonlinesecurity.co.uk/jpmorg...e-pdf-malware/
    17 Dec 2014 - "'JPMorgan Chase & Co You have received a new secure message' pretending to come from random names @jpmorgan .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    This is a secure, encrypted message.
    Desktop Users:
    Open the attachment (message_zdm.html) and follow the instructions.
    Mobile Users:
    Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.
    Need Help?
    Your personalized image for: <redacted>
    This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
    Email Security Powered by Voltage IBE
    Copyright 2013 JPMorgan Chase & Co. All rights reserved


    Screenshot: http://myonlinesecurity.co.uk/wp-con...re-message.jpg

    17 December 2014: message_zdm.zip: Extracts to: message_zdm.exe
    Current Virus total detections: 11/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1418844158/
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    217.199.168.166: https://www.virustotal.com/en/ip-add...6/information/
    UDP communications
    217.10.68.152: https://www.virustotal.com/en/ip-add...2/information/
    217.10.68.178: https://www.virustotal.com/en/ip-add...8/information/

    - http://threattrack.tumblr.com/post/1...e-message-spam
    Dec 18, 2014
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Hwm1r6pupn.png
    Tagged: JPMorgan, Upatre
    ___

    ICANN e-mail accounts, zone database breached in spearphishing attack
    Password data, other personal information of account holders exposed.
    - http://arstechnica.com/security/2014...ishing-attack/
    Dec 17 2014 - "Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet's address system, said in a release published Tuesday* that the breach also gave attackers administrative access to all files stored in its centralized zone data system**, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs... As the group controlling the Internet's domain name system, ICANN is a prime target for all kinds of attacks from hackers eager to obtain data that can be used to breach other targets..."
    * https://www.icann.org/news/announcement-2-2014-12-16-en

    ** https://czds.icann.org/en
    ___

    Worm exploits nasty Shellshock bug to commandeer network storage systems
    - http://arstechnica.com/security/2014...orage-systems/
    Dec 15 2014 - "Criminal hackers are actively exploiting the critical shellshock vulnerability* to install a self-replicating backdoor on a popular line of storage systems, researchers have warned. The malicious worm targets network-attached storage systems made by Taiwan-based QNAP, according to a blog post published Sunday** by the Sans Institute. The underlying shellshock attack code exploits a bug in GNU Bash that gives attackers the ability to run commands and code of their choice on vulnerable systems. QNAP engineers released an update in October that patches systems against the vulnerability, but the discovery of the worm in the wild suggests a statistically significant portion of users have yet to apply it. Infected systems are equipped with a secure shell (SSH) server and a new administrative user, giving the attackers a persistent backdoor to sneak back into the device at any time in the future..."
    * http://arstechnica.com/security/2014...ith-nix-in-it/

    ** https://isc.sans.edu/forums/diary/Wo...+Devices/19061

    Last edited by AplusWebMaster; 2014-12-19 at 12:36.
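    The same attachment trick runs through posts #1, #4 and #5 above: a ZIP that "extracts to" an .exe/.scr/.pif carrying a PDF icon, a double extension that Windows hides unless "show known file extensions" is on, and legacy Word documents that carry a macro. As an added example (not code from the quoted blogs or from this thread), here is a Python check a mail gateway or an analyst's triage script can apply to an attachment by name and by content, looking inside ZIPs for executable members and for the "MZ" header that marks a Windows program whatever the file is called. The sample attachments are built in memory; the fake PE stub is constructed and is not a real program.

```python
"""Inspect e-mail attachments for the disguised-executable pattern seen in
this thread: a ZIP that extracts to an .exe/.scr/.pif, a double extension,
and macro-capable Word documents that need a closer look. Added example,
not code from the quoted blogs; sample attachments are built in memory."""
import io
import zipfile

# Extensions Windows executes directly (.scr and .pif are the ones seen above).
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs",
             "vbe", "wsf", "hta", "cpl", "lnk", "msi"}
# Legacy / macro-enabled Office formats: not malicious by themselves, flagged for review.
MACRO_EXTS = {"doc", "dot", "xls", "xlt", "docm", "dotm", "xlsm", "xltm", "pptm"}
PE_MAGIC = b"MZ"            # DOS/PE header of every Windows executable
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a ZIP archive


def classify_name(name):
    """Classify an attachment or archive member by its extension(s)."""
    base = name.lower().rsplit("/", 1)[-1]
    exts = base.split(".")[1:]
    if not exts:
        return "no-extension"
    if exts[-1] in EXEC_EXTS:
        return "executable (double extension)" if len(exts) > 1 else "executable"
    if exts[-1] in MACRO_EXTS:
        return "macro-capable document"
    return "other"


def inspect_attachment(filename, data):
    """Return a list of findings (strings) for one attachment; empty means nothing notable."""
    findings = []
    kind = classify_name(filename)
    if kind != "other":
        findings.append(f"{filename}: {kind}")
    if data[:2] == PE_MAGIC:
        findings.append(f"{filename}: content is a Windows PE executable")
    if data[:4] == ZIP_MAGIC:
        # Look inside archives (this also covers .docx/.xlsx, which are zips of XML).
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    if info.is_dir():
                        continue
                    member = info.filename
                    mkind = classify_name(member)
                    if mkind != "other":
                        findings.append(f"{filename} -> {member}: {mkind}")
                    with z.open(info) as fh:
                        if fh.read(2) == PE_MAGIC:
                            findings.append(
                                f"{filename} -> {member}: content is a Windows PE executable")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: corrupt or truncated zip")
    return findings


def build_sample_zip(member_name="invoice72.scr"):
    """Constructed sample: a zip holding a fake PE stub under an executable name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(member_name, PE_MAGIC + b"\x90" * 62 + b"constructed stub, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("invoice72.zip", build_sample_zip()),
               ("De_209473A.doc", b"\xd0\xcf\x11\xe0 constructed OLE header"),
               ("notes.txt", b"plain text")]
    for name, blob in samples:
        print(name, "->", inspect_attachment(name, blob) or "nothing notable")
```

    Name-based checks alone are easy to defeat, so the content check matters: a member called "ticket.pdf" whose first two bytes are "MZ" is still reported. The macro flag is deliberately coarse; the .doc attachments in these posts had zero or near-zero VirusTotal detections, so the practical rule remains the poster's, do not open unexpected attachments, and leave macros disabled.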

  6. #6
    AplusWebMaster

    binarysmoney .com / clickmoneys .com / thinkedmoney .com "job" SPAM

    FYI...

    binarysmoney .com / clickmoneys .com / thinkedmoney .com "job" SPAM
    - http://blog.dynamoo.com/2015/01/bina...moneyscom.html
    2 Jan 2015 - "I've been plagued with these for the past few days:
    Date: 2 January 2015 at 11:02
    Subject: response
    Good day!
    We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.
    We cooperate with different countries and currently we have many clients in the world.
    Part-time and full-time employment are both currently important.
    We offer a flat wage from $1500 up to $5000 per month.
    The job offers a good salary so, interested candidates please registration on the our site: www .binarysmoney .com
    Attention! Accept applications only on this and next week.
    Respectively submitted
    Personnel department


    Subject lines include:
    New employment opportunities
    Staff Wanted
    Employment invitation
    new job
    New job offer
    Interesting Job
    response
    Spamvertised sites seen so far are binarysmoney .com, clickmoneys .com and thinkedmoney .com, all multihomed on the following IPs:
    46.108.40.76 (Adnet Telecom / "Oancea Mihai Gabriel Intreprindere Individuala", Romania)
    201.215.67.43 (VTR Banda Ancha S.A., Chile)
    31.210.63.94 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)
    Another site hosted on these IPs is moneyproff .com. All the domains have apparently -fake- WHOIS details.
    It looks like a money mule spam, but in fact it leads to some binary options trading crap.
    > http://2.bp.blogspot.com/-91ORuyJxnp...ry-options.jpg
    ... that's just a Shutterstock stock photo that is pretty widely used on the web. In fact, everything about this whole thing is a cookie-cutter site with text and images copied from elsewhere. Binary options are a haven for scammers, and my opinion is that this is such a -scam- given the spammy promotion and hidden identity of the operators. I would recommend that you avoid this and also block traffic to the following IPs and domains:
    46.108.40.76
    201.215.67.43
    31.210.63.94
    clickmoneys .com
    thinkedmoney .com
    binarysmoney .com
    moneyproff .com
    "

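    Several of the dynamoo posts above end with a "block traffic to" recommendation: a single host (46.8.14.154, where the hijacked subdomains change every few minutes), a whole range (46.161.30.0/24, with no legitimate sites in it), and the "job" spam IPs and domains just listed. As an added example (not code from the blogs or from this thread), here is a Python matcher that takes those indicators exactly as the posts write them (defanged with a space before the TLD), normalises them, and checks proxy-style log lines against them, matching IPs by network membership and domains by suffix so that a look-alike such as "notclickmoneys.com" is not a false hit. The log format, client addresses and hostnames below are constructed placeholders.

```python
"""Match proxy/firewall log lines against the blocklists recommended in the
dynamoo posts above. Added example, not code from this thread or the blogs;
the log lines are constructed and the client/host values are placeholders."""
import ipaddress
import re

# Indicators as quoted in the posts above; the posts defang domains as "name .com".
BLOCKLIST = [
    "46.8.14.154",                                     # exploit chain host (21 Nov 2014)
    "46.161.30.0/24",                                  # phone-home range (4 Dec 2014)
    "46.108.40.76", "201.215.67.43", "31.210.63.94",   # "job" spam hosts (2 Jan 2015)
    "clickmoneys .com", "thinkedmoney .com", "binarysmoney .com", "moneyproff .com",
]


def compile_blocklist(entries):
    """Split entries into IP networks and domain names (refanging the spaces)."""
    nets, domains = [], set()
    for entry in entries:
        entry = entry.strip().replace(" ", "")
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))  # a bare IP becomes /32
        except ValueError:
            domains.add(entry.lower().rstrip("."))
    return nets, domains


def ip_blocked(ip, nets):
    """True if ip falls inside any listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def domain_blocked(host, domains):
    """True if host is a listed domain or a subdomain of one (suffix match on labels)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed log format: "<timestamp> <client> <destination-ip> <requested-host>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<host>\S+)$")


def check_log(lines, entries=BLOCKLIST):
    """Return (client, host, dst, reason) for every line that hits the blocklist."""
    nets, domains = compile_blocklist(entries)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if ip_blocked(m["dst"], nets):
            hits.append((m["client"], m["host"], m["dst"], "ip"))
        elif domain_blocked(m["host"], domains):
            hits.append((m["client"], m["host"], m["dst"], "domain"))
    return hits


SAMPLE_LOG = [
    "2014-12-04T10:01:02Z 10.0.0.12 93.184.216.34 www.example.com",
    "2014-12-04T10:01:09Z 10.0.0.12 46.161.30.77 update.placeholder.example",
    "2014-12-04T10:02:15Z 10.0.0.31 46.8.14.154 hijacked-sub.placeholder.example",
    "2015-01-02T11:05:00Z 10.0.0.44 203.0.113.5 www.clickmoneys.com",
    "2015-01-02T11:06:30Z 10.0.0.44 203.0.113.9 notclickmoneys.com",
]

if __name__ == "__main__":
    for client, host, dst, reason in check_log(SAMPLE_LOG):
        print(f"{client} -> {host} ({dst}) blocked by {reason}")
```

    Checking the destination IP before the hostname is deliberate: the 46.8.14.154 post notes that the hijacked GoDaddy subdomains rotate every few minutes, so a domain list alone would lag while the IP stays constant. The same function takes the later posts' recommended blocklists unchanged.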

  7. #7
    AplusWebMaster

    Fake 'invoice', 'Payment request', 'ADP Invoice', 'HSBC' SPAM - malware attached

    FYI...

    Fake 'invoice' SPAM - malware attached
    - http://blog.dynamoo.com/2015/01/malw...d-invoice.html
    15 Jan 2015 - "This -fake- invoice has a malicious attachment. It does not come from Hexis UK Ltd, it is a forgery. Hexis is not sending the spam, nor have their systems been compromised in any way.
    From: Invoice from Hexis [Invoice@ hexis .co.uk]
    Date: 15 January 2015 at 06:36
    Subject: Invoice
    Sent 15 JAN 15 08:30
    HEXIS (UK) LIMITED
    7 Europa Way
    Britannia Park
    Lichfield
    Staffordshire
    WS14 9TZ
    Telephone 01543 411221
    Fax 01543 411246


    Attached is a malicious Word document S-INV-CREATIFX-465219.doc which actually comes in -two- different versions (perhaps more) with low detection rates [1] [2] containing two slightly different macros... which download a component from one of the following locations:
    http ://dramakazuki.kesagiri .net/js/bin.exe
    http ://cassiope .cz/js/bin.exe
    This has a VirusTotal detection rate of 3/57*. That report shows the malware phoning home to 74.208.11.204:8080 (1&1 Internet, US) which is a familiar C&C server which you should definitely block traffic to. My sources also identify a couple of other IPs, giving a recommended blocklist of:
    59.148.196.153
    74.208.11.204
    81.27.38.97

    UPDATE: the Malwr report shows that it drops a DLL with a VirusTotal detection rate of just 1/57**."
    [1] https://www.virustotal.com/en/file/6...is/1421314924/
    [2] https://www.virustotal.com/en/file/7...is/1421314937/
    * https://www.virustotal.com/en/file/8...is/1421315774/
    ** https://www.virustotal.com/en/file/1...is/1421318457/


    - http://myonlinesecurity.co.uk/hexis-...d-doc-malware/
    15 Jan 2015
    * https://www.virustotal.com/en/file/6...is/1421309107/
    ** https://www.virustotal.com/en/file/7...is/1421309412/
    ___

    Fake 'Payment request' SPAM - malware attachments
    - http://blog.dynamoo.com/2015/01/malw...of-417694.html
    15 Jan 2015 - "This -spam- comes with a malicious Word document attached:
    from: Alan Case
    date: 15 January 2015 at 08:49
    subject: Payment request of 4176.94 (14 JAN 2015)
    Dear Sirs,
    Sub: Remitance of GBP 4176.94
    This is with reference to the above, we request you to kindly remit GBP 4176.94 in favor of our bank account.
    For more information on our bank details please refer to the attached document.
    Thanking you,
    Alan Case Remittance Manager


    Other names and job titles seen... The payment amount, name and job title change in each spam, as does the name of the attachment (although this follows the format ADV0000XX). There are three malicious Word documents that I have seen, each with a low detection rate at VirusTotal [1] [2] [3] which in turn contain a slightly different macro... which attempt to download another component from one of the following locations:
    http ://95.163.121.71 :8080/mopsi/popsi.php
    http ://95.163.121.72 :8080/mopsi/popsi.php
    http ://136.243.237.204 :8080/mopsi/popsi.php
    Note the two adjacent IPs of 95.163.121.71 and 95.163.121.72 which belong to Digital Networks CJSC in Russia (aka DINETHOSTING), an IP range of 95.163.64.0/18 that I would recommend you consider blocking. 136.243.237.204 is a Hetzner IP. The macro downloads a file g08.exe from these locations which is then saved as %TEMP%\UGvdfg.exe. This has a VirusTotal detection rate of 4/57*. That VT report also shows the malware attempting to POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known bad IP. The Malwr report is inconclusive, but this executable probably drops a Dridex DLL.
    Recommended blocklist:
    194.146.136.1
    95.163.121.71
    95.163.121.72
    136.243.237.204

    UPDATE: the following -are- Dridex C&C servers which you should also block:
    80.237.255.196 "
    [1] https://www.virustotal.com/en/file/5...is/1421313787/
    [2] https://www.virustotal.com/en/file/2...is/1421313798/
    [3] https://www.virustotal.com/en/file/d...is/1421313810/
    * https://www.virustotal.com/en/file/f...is/1421313825/


    - http://myonlinesecurity.co.uk/paymen...d-doc-malware/
    15 Jan 2015
    15 January 2015 : ADV0291LO.doc - Current Virus total detections: 3/55*
    15 January 2015 : 57959SI.xls (35 kb) - Current Virus total detections: 3/57**
    15 January 2015 : 3093720WF.xls (47 kb) - Current Virus total detections: 2/57***
    * https://www.virustotal.com/en/file/2...is/1421309631/
    ** https://www.virustotal.com/en/file/0...is/1421316140/
    *** https://www.virustotal.com/en/file/a...is/1421315881/
    ___

    Fake 'open24 .ie important changes alert' SPAM – malware
    - http://myonlinesecurity.co.uk/open24...alert-malware/
    15 Jan 2015 - "'Some important changes to some services' (email alert) pretending to come from Open24 <inf01@ open24 .ie> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Fwd: Software Upgrade
    Dear
    Open24 Customer,
    We have now implemented a number of
    changes to our Internet Banking service. This is to ensure the highest
    level of security of information passing between you and our server.
    To have access to this service, simply follow the button below and activate the service...
    Kind regards
    Open24
    This email is personal & confidential and is intended for the recipient only...


    15 January 2015: open24changes.zip (523 kb) : Extracts to: Payment.scr
    Current Virus total detections: 17/57* . This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1421332957/
    ___

    Fake 'ADP Invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/johnny...e-pdf-malware/
    15 Jan 2015 - "'ADP Invoice for week ending 01/11/2015' pretending to come from Johnny.West@ adp .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Your most recent ADP invoice is attached for your review.
    If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
    Thank you for choosing ADP for your business solutions.
    Important: Please do not respond to this message. It comes from an unattended mailbox.


    15 January 2015: invoice_418270412.pdf.zip (11kb): Extracts to: invoice_418270412.pdf.scr
    Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1421335768/
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    174.120.16.66: https://www.virustotal.com/en/ip-add...6/information/
    69.49.101.51: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'HSBC Payment Advice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/hsbc-p...e-pdf-malware/
    15 Jan 2015 - "'Payment Advice – Advice Ref:[GB956959] / CHAPS credits' pretending to come from HSBC Advising Service [mailto:Bankline.Administrator@ nutwest .com] is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and follow the link or open the attachment... The email looks like:
    Sir/Madam,
    Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.
    Download link: <redacted>
    Yours faithfully,
    Global Payments and Cash Management
    HSBC ...


    When you follow the... link you get a page looking like this, where depending on which browser you are using, you might get a direct download of the zip file containing the -malware- or you might get the message to follow the link... which will give you the malware:
    Screenshot: http://myonlinesecurity.co.uk/wp-con...01/avralab.jpg
    15 January 2015: doc974_pdf.zip (11kb) : Extracts to: doc963_pdf.exe
    Current Virus total detections: 4/57* . This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1421341083/
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    66.147.240.173: https://www.virustotal.com/en/ip-add...3/information/

    Last edited by AplusWebMaster; 2015-01-15 at 23:14.
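The spoofed-icon trick in the last three items of post #7 (Payment.scr, invoice_418270412.pdf.scr, doc963_pdf.exe inside a zip) can be caught at the mail gateway before a user ever sees the icon. The following script is an added example, not code from the quoted blogs: it opens a zip attachment in memory, flags executable extensions hiding behind document-looking names, and flags PE ("MZ") content under a document extension; the sample zip is constructed here with dummy contents, and the EXEC_EXT and DOC_HINTS lists are my own choices.

```python
import io
import zipfile

# Extensions Windows runs on double-click; .scr (screensaver) is the one the
# Payment.scr / invoice_...pdf.scr samples above rely on.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jse", ".wsf"}
# Words a lure uses to make an executable look like paperwork (assumed list).
DOC_HINTS = ("pdf", "doc", "xls", "invoice", "payment", "advice")


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a zip member looks like a disguised executable."""
    reasons = []
    lower = name.lower().rsplit("/", 1)[-1]      # drop any folder prefix
    stem, dot, ext = lower.rpartition(".")
    ext = "." + ext if dot else ""
    if ext in EXEC_EXT:
        reasons.append(f"executable extension {ext}")
        # Double extension (invoice_418270412.pdf.scr) or a document word
        # buried in the stem (doc963_pdf.exe).
        if any(h in stem for h in DOC_HINTS):
            reasons.append("document-looking name on an executable")
    if head[:2] == b"MZ" and ext not in EXEC_EXT:
        reasons.append("PE header (MZ) under a non-executable extension")
    return reasons


def scan_attachment(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)             # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the advisories' names; contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_418270412.pdf.scr", b"MZ" + b"\x00" * 62)
        zf.writestr("doc963_pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("statement.pdf", b"MZ" + b"\x00" * 62)   # renamed PE
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_attachment(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```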
