Thread: SPAM frauds, fakes, and other MALWARE deliveries...

    #34 AplusWebMaster (Adviser Team) | Join Date: Oct 2005 | Location: USA | Posts: 6,881

    Fake 'March Invoice', 'Your Order', 'MX62EDO' SPAM, Tesco Bank Phish

    FYI...

    Fake 'March Invoice' SPAM - Locky ransomware
    - http://blog.dynamoo.com/2016/03/malw...kan-dream.html
    1 Mar 2016 - "This -fake- financial spam can't make up its mind which month it is for.
    From: Caitlin Velez
    Date: 1 March 2016 at 11:50
    Subject: March Invoice
    Hi,
    Attached is the November invoice.
    Thanks!
    Caitlin Velez
    Customer Service
    Balkan Dream Properties ...


    So far I have seen just one sample of this, so it is possible that other companies are being spoofed as well. Attached is a file INV09BEE9.zip which in turn contains a malicious script statistics_60165140386.js. This has a detection rate of precisely zero*. This Malwr report** shows that it is the Locky ransomware, downloading a binary from:
    intuit.bitdefenderdistributor .info/intrabmw/get.php
    This is hosted on a bad webserver at..
    93.95.100.141 (Mediasoft ekspert, Russia)
    ..and it then phones home to..
    5.34.183.195 (ITL / UA Servers, Ukraine)
    There are probably other download locations. My contacts tell me that these are C2 servers for an earlier German-language campaign, it is possible they are being used here. Block 'em anyway..
    31.184.197.119 (Petersburg Internet Network ltd., Russia)
    51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
    91.219.29.55 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
    Recommended blocklist:
    5.34.183.195
    31.184.197.119
    51.254.19.227
    91.219.29.55
    93.95.100.141
    "
    * https://www.virustotal.com/en/file/0...is/1456833407/

    ** https://malwr.com/analysis/MDlhNDk3Y...ZhZGQxZDg4N2I/

    - http://myonlinesecurity.co.uk/march-...ky-ransomware/
    1 Mar 2016 - "... an email with the subject of 'March Invoice' pretending to come from random names, companies and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    From: Grace Buckley <BuckleyGrace41@ jackvalan .com>
    Date: Tue 01/03/2016 11:51
    Subject: March Invoice
    Attachment: INVBEAC8E.zip
    Hi,
    Attached is the November invoice.
    Thanks!
    Grace Buckley
    Customer Service
    MONTANARO UK SMALLER COS INVESTM TR ...


    1 March 2016: INVBEAC8E.zip: Extracts to: statistics_60165140386.js - Current Virus total detections 0/56*
    MALWR** shows it downloads http ://intuit.bitdefenderdistributor .info/intrabmw/get.php which gave me
    lohi.exe (VirusTotal 5/54***). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1456833183/

    ** https://malwr.com/analysis/MDlhNDk3Y...ZhZGQxZDg4N2I/
    93.95.100.141
    5.34.183.195


    *** https://www.virustotal.com/en/file/f...is/1456832632/
    TCP connections
    185.14.29.188: https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake 'Your Order' SPAM - Locky ransomware
    - http://myonlinesecurity.co.uk/delay-...ky-ransomware/
    1 Mar 2016 - "An email with the subject of 'Delay with Your Order #200C189B, Invoice #37811753' [random numbered] pretending to come from Random names, companies and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    From: Joel Barron <BarronJoel28@ softranstech .com>
    Date: Tue 01/03/2016 11:30
    Subject: Delay with Your Order #200C189B, Invoice #37811753
    Attachment: order_copy_200C189B.zip
    Dear Valued Customer,
    It is very unpleasant to hear about the delay with your order #200C189B, but be sure that our department will do its best to resolve the problem. It usually takes around 7 business days to deliver a package of this size to your region.
    The local post office should contact your as soon as they will receive the parcel. Be sure that your purchase will be delivered in time and we also guarantee that you will be satisfied with our services.
    Thank you for your business with our company.
    Joel Barron
    Sales Manager


    1 March 2016: order_copy_200C189B.zip: Extracts to: readme_692768919.js - Current Virus total detections 0/56*
    MALWR** shows what looks like a download of Locky Ransomware from
    http ://sitemar.ro/5/92buyv5 ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1456831819/

    ** https://malwr.com/analysis/YzUzMWY2N...UzZjg0ZmY1ZmU/
    Hosts
    89.38.241.66
    185.14.29.188


    - http://blog.dynamoo.com/2016/03/malw...mer-it-is.html
    1 Mar 2016 - "This strangely worded spam leads to the Locky ransomware:
    From =cU3RlZmFuaWUgU3VsbGl2YW4=?= [SullivanStefanie68750@numericable .fr]
    Date Tue, 01 Mar 2016 13:40:48 +0200
    Subject =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICM3QjZCN0UwOCwgSW52b2ljZSAjMzI1ODMzNDY=?=
    Dear ValuedCustomer,
    It is very unpleasant to hear about the delay with your order #7B6B7E08, but be sure
    thatour department will do its best to resolve the problem.It usually takes around7
    business days to deliver a package of this size to your region.
    The local post office should contact your as soon as they will receive theparcel.Be
    sure that your purchase will be delivered in time and we alsoguarantee that you will
    be satisfied with our services.
    Thank you for your business with our company.
    Stefanie Sullivan
    Sales Manager


    All the samples I have seen have slightly -mangled- headers. The sender name varies. Attached is a ZIP file named in a similar format to order_copy_7B6B7E08.zip which contains a malicious script named something like:
    important_181031694.js
    warning_659701636.js
    statistics_466026824.js
    I have seen -six- different samples so far with zero detection rates [1]... and which according to these analyses [7]... attempt to download a Locky binary from:
    sitemar .ro/5/92buyv5
    pacificgiftcards .com/3/67t54cetvy
    maisespanhol .com.br/1/8y7h8bv6f
    Those binaries phone home to:
    5.34.183.195/main.php
    31.184.197.119/main.php
    Those C&C servers are the same as I mentioned in this spam run* and I suggest you -block- traffic to:
    5.34.183.195
    31.184.197.119
    51.254.19.227
    91.219.29.55
    "
    1] https://www.virustotal.com/en/file/a...6de8/analysis/

    7] https://malwr.com/analysis/OWM1MmU0M...VjZmNlNTM4NWY/

    * http://blog.dynamoo.com/2016/03/malw...kan-dream.html
    ___

    Fake 'MX62EDO' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/03/malw...-01032016.html
    1 Mar 2016 - "This -fake- document scan has a malicious attachment. It appears to come from within the victim's own domain.
    From: documents@ victimdomain .tld
    Date: 1 March 2016 at 13:43
    Subject: Emailing: MX62EDO 01.03.2016
    Your message is ready to be sent with the following file or link
    attachments:
    MX62EDO 01.03.2016 SERVICE SHEET
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled.
    This email has been checked for viruses by Avast antivirus software...


    I have seen two samples so far, with an attachment that has a similar name to MX62EDO20160301538482.zip which contains a malicious randomly-named script (e.g. PK5293425659.js). Detection rates on the scripts are fairly low [1] [2]. According to these Malwr reports [3] [4] the payload is the Locky ransomware. These two samples download malicious binaries from:
    tianshilive .ru/vqmod/xml/87yhb54cdfy.exe
    ubermensch .altervista.org/system/logs/87yhb54cdfy.exe
    In turn, these attempt to phone home to:
    31.184.197.119 /main.php
    5.34.183.195 /main.php
    These are the -same- C&C servers as seen here*."
    1] https://www.virustotal.com/en/file/4...9efa/analysis/

    2] https://www.virustotal.com/en/file/0...is/1456840115/

    3] https://malwr.com/analysis/MDExMGY0O...UxNTAwMWE1NWI/
    Hosts
    5.101.152.42
    31.184.197.119


    4] https://malwr.com/analysis/Yzk3OTI3N...FmMWU2NTQ2ZjI/
    Hosts
    176.9.24.196
    5.34.183.195


    * http://blog.dynamoo.com/2016/03/malw...mer-it-is.html
    ___

    Tesco Bank - 'Interest Rate And Tax' Phish
    - http://myonlinesecurity.co.uk/tesco-...-tax-phishing/
    1 Mar 2016 - "There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card.. This one from Tesco is no exception... The link in this case goes to:
    http ://grupomathile .com.br/hhaa/hhaa.html which -redirects- to:
    http ://agapechurchindia .org/jss/tesco/tesco/Log.htm
    This particular phishing campaign starts with an email with-a-link:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...x-1024x511.png

    If you fill in the user name you get sent on to a series of pages asking for more information:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x558.png
    ... which is a typical phishing page that looks very similar to a genuine Tesco Bank page, if you don’t look carefully at the URL in the browser address bar..."

    Last edited by AplusWebMaster; 2016-03-01 at 15:26.
    The machine has no brain.
    ......... Use your own.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
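The three Locky runs quoted above share one delivery shape (a ZIP attachment carrying a .js downloader, RFC 2047 encoded-word headers, and binaries that phone home to the listed IPs at /main.php). The script below is an added example written for this editorial pass; it is not code from the post or from dynamoo or myonlinesecurity. It shows the checks a mail gateway or egress proxy could apply: decode the =?UTF-8?B?...?= sender and subject quoted in the 'Delay with Your Order' sample, open each .zip attachment in memory and flag script files inside it, and classify outbound URLs against the blocklist. The sample message is constructed; the sender address is a placeholder, the archive contains an inert comment rather than the real downloader, and the list of script extensions beyond .js is an assumption about what a gateway should refuse.

```python
import base64
import email
import io
import os
import zipfile
from email.header import decode_header, make_header
from urllib.parse import urlparse

# C2 / payload hosts quoted in the post above, treated here as an egress blocklist.
C2_BLOCKLIST = {
    "5.34.183.195", "31.184.197.119", "51.254.19.227",
    "91.219.29.55", "93.95.100.141",
}

# Assumption: script types a gateway should refuse inside archives. The campaigns
# above used .js; the others are common downloader formats, not taken from the post.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def decode_rfc2047(value):
    """Decode an RFC 2047 encoded-word header (the =?UTF-8?B?...?= form in the
    'Delay with Your Order' sample) into a readable string."""
    return str(make_header(decode_header(value)))


def classify_egress(url):
    """A listed host fetching /main.php matches the phone-home pattern quoted
    above; any other request to a listed host is still blocklisted."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host in C2_BLOCKLIST:
        return "c2-beacon" if parsed.path == "/main.php" else "blocklisted-host"
    return "allow"


def triage_message(raw_bytes):
    """Decode sender/subject and open every .zip attachment in memory, recording
    script files found inside. Returns a dict a gateway could act on."""
    msg = email.message_from_bytes(raw_bytes)
    findings = {
        "from": decode_rfc2047(msg.get("From", "")),
        "subject": decode_rfc2047(msg.get("Subject", "")),
        "scripts_in_archives": [],
        "unreadable_archives": [],
    }
    for part in msg.walk():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                for member in archive.namelist():
                    ext = os.path.splitext(member)[1].lower()
                    if ext in SCRIPT_EXTENSIONS:
                        findings["scripts_in_archives"].append((name, member))
        except zipfile.BadZipFile:
            # An archive that will not open must not pass through unexamined.
            findings["unreadable_archives"].append(name)
    findings["verdict"] = (
        "quarantine"
        if findings["scripts_in_archives"] or findings["unreadable_archives"]
        else "pass"
    )
    return findings


def build_sample_message():
    """Constructed sample shaped like the lure above. The encoded-word headers are
    the ones quoted in the post; the address and the script body are placeholders
    (the real .js downloader is deliberately not reproduced)."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("important_181031694.js", "// placeholder, not the real script\n")
    attachment = base64.encodebytes(zip_buf.getvalue())
    return (
        b"From: =?UTF-8?B?U3RlZmFuaWUgU3VsbGl2YW4=?= <sender@example.invalid>\r\n"
        b"Subject: =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICM3QjZCN0UwOCwgSW52b2ljZSAjMzI1ODMzNDY=?=\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="b1"\r\n'
        b"\r\n"
        b"--b1\r\n"
        b"Content-Type: text/plain; charset=utf-8\r\n"
        b"\r\n"
        b"Dear Valued Customer, it is very unpleasant to hear about the delay with your order.\r\n"
        b"--b1\r\n"
        b'Content-Type: application/zip; name="order_copy_7B6B7E08.zip"\r\n'
        b'Content-Disposition: attachment; filename="order_copy_7B6B7E08.zip"\r\n'
        b"Content-Transfer-Encoding: base64\r\n"
        b"\r\n" + attachment +
        b"--b1--\r\n"
    )


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
    for url in ("http://5.34.183.195/main.php",
                "http://93.95.100.141/intrabmw/get.php",
                "http://example.invalid/"):
        print(url, "->", classify_egress(url))
```

Decoding the headers shows that the "strangely worded" sample above carries the same lure as the plain-text ones (the subject decodes to "Delay with Your Order #7B6B7E08, Invoice #32583346"), so a subject-line rule written against the readable text still fires once the gateway decodes encoded words before matching. Opening the archive in memory catches the .js regardless of the icon trick the post describes, since the check is on the member name inside the ZIP rather than on what Explorer displays.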
