
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1281
    AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    Fake 'Payment Advice' SPAM

    FYI...

    Fake 'Payment Advice' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    5 Oct 2017 - "An email with the subject of 'Important – Payment Advice' pretending to come from HSBC but actually coming from a look-alike domain HSBC <no-reply@ hsbcpaymentadvice .com> or HSBC <no-reply@ hsbcadvice .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... there is a slight formatting problem in Outlook, where the emails arrive with a -blank- body. Reading in plain text or using view source, shows the content...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...vice_-HSBC.png

    SecureMessage.doc - Current Virus total detections 10/59*. Payload Security**
    This malware file downloads from
    http ://diga-consult .de/ser1004.png which of course is -not- an image file but a renamed .exe file that gets renamed to aqdccc.exE (VirusTotal 13/65***). An alternative download location is
    http ://hill-familie .de/ser1004.png
    This email -attachment- contains a genuine word doc with a macro script that when run will infect you.
    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...c_4_Oct_17.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1507166812/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    87.106.222.158
    64.182.208.181
    194.87.92.191


    *** https://www.virustotal.com/en/file/a...is/1507170157/
    ser1004.png

    diga-consult .de: 87.106.222.158: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/59...8c0e/analysis/

    hill-familie .de: 148.251.5.116: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/cf...7ff4/analysis/

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1282
    AplusWebMaster

    Fake 'Payment history' SPAM

    FYI...

    Fake 'Payment history' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/locky...-of-zip-files/
    6 Oct 2017 - "... Locky downloaders... an email with the subject of 'Payment history' pretending to come from accounts @ random email addresses and companies.... encoding the files today and the so-called 7z attachment is actually a base64 file that needs decoding to get the 7z file, before extracting the VBS...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ocky-email.png

    62046_Remittance.7z: decoded from base 64 and Extracts to: 872042 Remittance.vbs
    Current Virus total detections 9/60*. Payload Security**
    This particular VBS has these URLs hardcoded (there will be loads of others)
    "asheardontheradiogreens .com/uywtfgh36?",
    "thedarkpvp .net/p66/uywtfgh36",
    "2-wave .com/uywtfgh36?" (virusTotal 14/66[3]) (Payload Security[4])...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1507281470/
    872042 Remittance.vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.58.213.142
    74.125.160.39
    199.30.241.139
    91.142.170.187
    209.54.62.81


    3] https://www.virustotal.com/en/file/7...is/1507281734/
    freSUUFBdtY.exe

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    173.223.106.227

    asheardontheradiogreens .com: 199.30.241.139: https://www.virustotal.com/en/ip-add...9/information/

    thedarkpvp .net: https://en.wikipedia.org/wiki/Fast_flux

    2-wave .com: 209.54.62.81: https://www.virustotal.com/en/ip-add...1/information/

    Last edited by AplusWebMaster; 2017-10-06 at 16:57.

  3. #1283
    AplusWebMaster

    Fake 'Remittance Advice' SPAM

    FYI...

    Fake 'Remittance Advice' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/locky...-working-zips/
    9 Oct 2017 - "... Locky downloaders... the same email as last Friday* with the subject of 'Your Remittance Advice' pretending to come from accounts @ random email addresses and companies...
    * https://myonlinesecurity.co.uk/locky...-of-zip-files/

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ocky-email.png

    43699 Remittance.7z: decoded from base 64 and Extracts to: Invoice IP8729962.vbs
    Current Virus total detections 6/59*. Payload Security** | This particular VBS has these URLs hardcoded (there will be loads of others)
    "anderlaw .com/8734gf3hf?",
    "scottfranch .org/p66/8734gf3hf",
    "cagliaricity .it/8734gf3hf?" (virusTotal 13/65***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1507542515/
    Invoice IP8729962.vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    98.124.251.69

    *** https://www.virustotal.com/en/file/2...is/1507543011/
    MEyrCrdQK.exe

    anderlaw .com: 98.124.251.69: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/76...23e9/analysis/

    scottfranch .org: https://en.wikipedia.org/wiki/Fast_flux

    cagliaricity .it: 95.110.196.214: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/82...c176/analysis/


  4. #1284
    AplusWebMaster

    'FormBook' malware

    FYI...

    'FormBook' malware...
    - https://www.helpnetsecurity.com/2017...mbook-malware/
    Oct 10, 2017 - "Information stealing FormBook malware is being lobbed at defense contractors, manufacturers and firms in the aerospace sector in the US and South Korea... The malware is delivered via high-volume spam campaigns and email attachments that take the form of:
    - DOC/XLS files loaded with malicious macros that initiate the download of FormBook payloads
    - Archive files containing FormBook executable files
    - PDFs containing links to the tny .im URL-shortening service, which point to FormBook executables hosted on a staging server.
    > https://www.helpnetsecurity.com/imag...k-industry.jpg
    ... The emails are made to look like they are coming from FedEx and DHL (with the PDF attachment), as emails delivering invoices, price quotations or purchase orders (with the malicious-macros-carrying Office files), and payment confirmations and purchase orders (archive files containing malicious executables)..."

    > https://www.fireeye.com/blog/threat-...campaigns.html
    Oct 05, 2017

    clicks-track .info: 188.209.52.47: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/f4...5654/analysis/

    Last edited by AplusWebMaster; 2017-10-10 at 16:50.

  5. #1285
    AplusWebMaster

    Fake 'Amazon' SPAM

    FYI...

    Fake 'Amazon' SPAM - delivers banking trojan
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    11 Oct 2017 - "... malware scammers are imitating Amazon Associates to deliver their malware. An email with the subject of coming from 'Amazon Associates Network' <erikam1@ umbc .edu> with a malicious word doc or Excel XLS spreadsheet attachment delivers Cthonic banking trojan. These are coming via a -compromised- umbc .edu email account. All the sites in the malware delivery chain are -compromised- sites...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...work-email.png

    The link-in-the-email goes to a broken link
    ttps ://www.angelbasar .de/skin/form.php it should be
    https ://www.angelbasar .de/skin/form.php where it downloads Your account, statement.docm
    Current Virus total detections 5/61*. Payload Security** Where you can see the same screenshots as described yesterday where the content only appears after enabling and allowing macros to run. This malware doc downloads from
    http ://shirtlounge .eu/skin/priv8.exe (VirusTotal 50/62[3]) (Payload Security[4]) Cthonic banking trojan...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1507708534/
    bddca74a4da71137b8f780ff9c959a54_doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    3] https://www.virustotal.com/en/file/1...e217/analysis/
    A.exe

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    104.238.186.189
    87.98.175.85
    5.9.49.12
    144.76.133.38
    49.51.33.103
    93.170.96.235
    85.159.213.210
    37.187.16.17
    31.3.135.232
    62.113.203.55
    62.113.203.99


    angelbasar .de: 82.165.238.218: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/7d...4e3a/analysis/

    shirtlounge .eu: 85.214.130.213: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/9b...fd4c/analysis/


  6. #1286
    AplusWebMaster

    Equifax hacked again ...

    FYI...

    Equifax website hacked again - redirects to fake Flash update
    - https://arstechnica.com/information-...-flash-update/
    10/12/2017 - "In May credit reporting service Equifax's website was breached by attackers who eventually made off with Social Security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday the site was compromised again, this time to deliver -fraudulent- Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers. Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp :centerbluray .info that looked like this:
    > https://cdn.arstechnica.net/wp-conte...irst-flash.jpg
    ... he encountered the -bogus- Flash download links on at least three subsequent visits. The picture above this post is the higher-resolution screenshot he captured during one visit... The file that got delivered when Abrams clicked through is called MediaDownloaderIron.exe. This VirusTotal entry* shows only Panda, Symantec, and Webroot detecting the file as adware. This separate malware analysis from Packet Security** shows the code is highly obfuscated and takes pains to conceal itself from reverse engineering. Malwarebytes[3] flagged the centerbluray .info site as one that pushes malware, while both Eset and Avira provided similar malware warnings for one of the intermediate domains, newcyclevaults .com. In the hour this post was being reported and written, Abrams was unable to reproduce the -redirects- leading to the malicious download. It's possible Equifax has cleaned up its site. It's also possible the attackers have shut down for the night and have the ability to return at will to visit still worse misfortunes on visitors. Equifax representatives didn't respond to an e-mail that included a link to the video and sought comment for this post."
    * https://www.virustotal.com/en/file/6...is/1506995209/
    MediaDownloaderIron.exe

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    3] https://www.virustotal.com/en/url/f6...1cc7/analysis/

    centerbluray .info: Could not find an IP address for this domain name...

    newcyclevaults .com: Could not find an IP address for this domain name...


  7. #1287
    AplusWebMaster

    Fake 'MoneyGram' SPAM, FBI press releases

    FYI...

    Fake 'MoneyGram' SPAM - delivers java trojan
    - https://myonlinesecurity.co.uk/fake-...s-java-trojan/
    27 Oct 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments...
    The link-in-the-email goes to a zip file which doesn’t extract. However if you rename the zip to .rar it does...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...tion-Query.png

    The link-in-the-email goes to
    http ://analab .it/TransactionQuery_10-16-2017.zip which is actually a .rar file that needs to be renamed to .rar to extract it.
    TransactionQuery_10-16-2017.jar (307kb) - Current Virus total detections 19/58*. Payload Security**... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...5185/analysis/
    TransactionQuery_10-16-2017.jar

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    46.183.223.33: https://www.virustotal.com/en/ip-add...3/information/

    analab .it: 62.149.205.46: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/87...7ff2/analysis/
    ___

    FBI press releases
    > https://www.fbi.gov/news/pressrel

    10.17.2017: Twelve People Indicted Installing Credit-Card Skimmers on Gas Pumps in Five States and Stealing Account Information from Thousands

    10.17.2017: Two Women, Including Former Associate Dean of Caldwell University, Admit Defrauding Veterans’ G.I. Bill

    10.17.2017: Doctor Admits Billing Medicare, Other Insurers $3 Million for Therapy Services Performed by Unqualified Personnel

    10.17.2017: New York Man Sentenced to 43 Months in Prison for Robbing Bergen County, New Jersey Bank

    Last edited by AplusWebMaster; 2017-10-17 at 23:47.
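    The posts above (#1281, #1282, #1283 and #1287) all turn on the same trick: the attachment's extension lies about its content (a .png that is a renamed .exe, a "7z" that is base64 text wrapping the real archive, a .zip that only opens once renamed to .rar), and the VBS downloader inside carries its fallback URLs as plain string literals. The script below is an added triage example written for this page, not code from the original posts or from myonlinesecurity.co.uk. It classifies an attachment by its leading bytes rather than its name, peels off base64 layers, flags extension/content mismatches, and pulls hardcoded URLs out of a VBS body. The file headers and the VBS snippet are constructed; the hostnames in the snippet are the ones quoted in post #1282.

```python
"""Attachment triage for the malspam tricks in this thread: a .png that is really
a Windows executable, a "7z" that is really base64 text wrapping the archive,
a .zip that is really RAR, plus pulling the hardcoded download URLs out of a
VBS downloader. Added example, not code from the original posts; every sample
input below is constructed."""
import base64
import re

# Leading-byte signatures for the container types the thread mentions.
MAGIC = [
    (b"MZ", "pe"),                                  # Windows EXE/DLL
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07", "rar"),                       # RAR4 and RAR5 both start this way
    (b"PK\x03\x04", "zip"),                         # also docx/xlsx/jar
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls
]
EXT_TO_TYPE = {"exe": "pe", "scr": "pe", "png": "png", "zip": "zip", "jar": "zip",
               "docx": "zip", "7z": "7z", "rar": "rar", "doc": "ole", "xls": "ole"}
B64_BODY = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def looks_base64(data: bytes) -> bool:
    """True if the whole payload is base64 text (line breaks allowed), which no
    real binary container is. Short purely-alphabetic text can trip this, so the
    verdict is only trusted once the decoded bytes carry a known signature."""
    compact = re.sub(rb"\s+", b"", data)
    return len(compact) >= 16 and len(compact) % 4 == 0 and B64_BODY.fullmatch(compact) is not None


def sniff(data: bytes) -> str:
    """Classify by content, ignoring whatever the filename claims."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    if looks_base64(data):
        return "base64"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data[:512]):
        return "text"                                # e.g. a .vbs script
    return "unknown"


def unwrap(data: bytes):
    """Peel base64 layers until a real container (or plain text) appears.
    Returns (chain of types seen outermost-first, innermost bytes)."""
    chain = []
    while sniff(data) == "base64":
        chain.append("base64")
        data = base64.b64decode(data)               # each pass shrinks the data, so this terminates
    chain.append(sniff(data))
    return chain, data


def triage(filename: str, data: bytes) -> dict:
    """Compare the extension's promise with the content's actual type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    chain, inner = unwrap(data)
    expected = EXT_TO_TYPE.get(ext)
    mismatch = expected is not None and expected != chain[-1]
    return {"file": filename, "declared": expected or "?", "chain": chain,
            "actual": chain[-1], "suspicious": mismatch or len(chain) > 1, "inner": inner}


# VBS downloaders keep their fallback URLs as string literals; the thread's samples
# omit the scheme, so bare host/path is matched as well as http(s)://.
URL_IN_STRING = re.compile(r'"((?:https?://)?[a-z0-9.-]+\.[a-z]{2,}/[^"\s]*)"', re.I)


def extract_urls(vbs_text: str) -> list:
    return URL_IN_STRING.findall(vbs_text)


# Constructed inputs (not real samples): minimal headers and a VBS fragment.
INNER_7Z = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26
SAMPLES = {
    "ser1004.png": b"MZ\x90\x00" + b"\x00" * 60,                    # PE header behind a .png name
    "62046_Remittance.7z": base64.encodebytes(INNER_7Z),            # base64 text, as in #1282
    "TransactionQuery_10-16-2017.zip": b"Rar!\x1a\x07\x00" + b"\x00" * 20,  # RAR behind a .zip name
    "kas47.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,                # an honest PNG, for contrast
}
VBS_SAMPLE = (
    'Dim mirrors\r\n'
    'mirrors = Array("asheardontheradiogreens.com/uywtfgh36?", _\r\n'
    '    "thedarkpvp.net/p66/uywtfgh36", "2-wave.com/uywtfgh36?")\r\n'
    'Set http = CreateObject("MSXML2.XMLHTTP")\r\n'
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
)

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage(name, blob)
        print(f"{name}: declared={r['declared']} chain={'>'.join(r['chain'])} suspicious={r['suspicious']}")
    print("hardcoded URLs:", extract_urls(VBS_SAMPLE))
```

    The sniffer deliberately never opens the archive: once the inner bytes are confirmed as 7z or RAR, extraction belongs in a sandbox, not on the analyst's box. Real Locky VBS files usually obfuscate or split the URL strings, so the literal-string regex is a first pass, not a substitute for running the script in a monitored VM.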

  8. #1288
    AplusWebMaster

    Fake 'Invoice' SPAM

    FYI...

    Fake 'Invoice' SPAM - delivers Locky or Trickbot
    - https://myonlinesecurity.co.uk/necur...y-or-trickbot/
    18 Oct 2017 - "... downloaders from the Necurs botnet that deliver Locky ransomware or Trickbot banking trojan... I saw a few twitter links leading to this post on Bleeping Computer[1] saying that Locky (Necurs Downloaders) will take screenshots of the “victim’s” computer and send back error messages to base... Today's is an email pretending to come from invoicing@ random names and email addresses, with a subject like 'Invoice 009863361 10.18.2017' where the numbers are random with a blank/empty body...
    One of the emails looks like:
    From: Invoicing <Invoicing@ random name>
    Date: Wed 18/10/2017 10:27
    Subject: Invoice 009863361 10.18.2017
    Attachment: Invoice 009863361 10.18.2017.7z
    Body content:
    totally empty blank


    1] https://www.bleepingcomputer.com/new...untime-errors/
    Oct 17, 2017
    > https://www.symantec.com/connect/blo...e-your-desktop
    17 Oct 2017 - "... Beware of strangers offering fake invoices..."

    Invoice 009863361 10.18.2017.7z: Extracts to: Invoice 364776483 10.18.2017.vbs
    Current Virus total detections 10/56[2]. Payload Security [3]| JoeSandbox[4].
    Thanks to various Twitter contacts (my grateful thanks to them all for their hard work and expert knowledge) we have some downloads sites delivering Locky ransomware using USA IP numbers - VirusTotal 17/56[5]. Payload Security[6] from these locations:
    dbatee .gr/niv785yg
    goliathstoneindustries .com/niv785yg
    3overpar .com/niv785yg
    pciholog .ru/niv785yg
    disfrance .net/p66/niv785yg
    Joesandbox was given a different binary (sandbox pcap) that is a totally different size (VirusTotal 17/66[7]) (Payload Security[8]) it looks like the file must have been cut off during download. Using a different UK IP number, one researcher was given Trickbot banking trojan (VirusTotal 21/66[9]) (Payload Security[10]) from:
    envi-herzog .de/iuty56g
    pac-provider .com/iuty56g
    pesonamas .co.id/iuty56g
    disfrance .net/p66/iuty56g
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    2] https://www.virustotal.com/en/file/d...is/1508316046/
    Invoice 364776483 10.18.2017.vbs

    3] https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    49.51.134.78
    Contacted Hosts
    49.51.134.78

    4] https://jbxcloud.joesecurity.org/analysis/390019/1/html

    5] https://www.virustotal.com/en/file/6...e484/analysis/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    7] https://www.virustotal.com/en/file/6...e484/analysis/

    8] https://www.hybrid-analysis.com/samp...ironmentId=100

    9] https://www.virustotal.com/en/file/9...564b/analysis/

    10] https://www.hybrid-analysis.com/samp...ironmentId=100

    Last edited by AplusWebMaster; 2017-10-18 at 22:51.

  9. #1289
    AplusWebMaster

    Fake 'Invoice', 'eFax' SPAM, Locky SPAM

    FYI...

    Fake 'Invoice' SPAM - delivers Locky and Trickbot
    - https://myonlinesecurity.co.uk/malwa...icrosoft-word/
    19 Oct 2017 - "Another change from the Necurs botnet delivering Locky and Trickbot again today with an email with the subject of 'Emailed Invoice – 459572' (random numbers) pretending to come from random names at your own email address or company domain...
    They have changed to using word docs again but they are -not- using macros but using the DDE “exploit” or feature which -allows- linked files. These are very similar to embedded OLE objects but instead of the object (normally a script file) being embedded in the word doc & you clicking it to allow it to run, these link to a remote website without you seeing the link. This link describes it in better detail:
    > https://blog.barkly.com/microsoft-of...tack-no-macros

    One of the emails looks like:
    From: Stacie Osborne <Stacie@ victim domain .tld>
    Date: Thu 19/10/2017 11:15
    Subject: Emailed Invoice – 459572
    Attachment: I_459572.doc
    Body content:
    As requested
    regards
    Stacie Osborne ...


    Screenshot of word doc:
    > https://myonlinesecurity.co.uk/wp-co...459572_doc.png

    I_459572.doc - Current Virus total detections 9/60*. Payload Security**
    The word doc uses this DDE “feature” to contact (in this example, there will be loads of others)
    http ://alexandradickman .com/KJHDhbje71 where a base64 encoded file is opened and decoded.
    This has 3 hardcoded URLs inside it (again there will be others in other examples)
    "http ://shamanic-extracts .biz/eurgf837or",
    "http ://centralbaptistchurchnj .org/eurgf837or",
    "http ://conxibit .com/eurgf837or" which gives a txt file which is -renamed- to rekakva32.exe
    (VirusTotal 6/65[3]) (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1508408047/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    98.124.251.65
    83.242.103.81
    98.124.251.65

    Contacted Hosts
    98.124.251.65
    62.212.154.98
    83.242.103.81


    3] https://www.virustotal.com/en/file/d...is/1508408465/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    188.190.71.132
    ___

    Fake 'eFax' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/more-...anking-trojan/
    19 Oct 2017 - "An email with the subject of 'eFax' pretending to come from eFax service but actually coming from a whole range of look-a-like domains with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... the criminals sending these have registered various domains that look-like genuine Company, Bank, Government or message sending services...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...rvicexx_ml.png

    efax190238535-34522.doc - Current Virus total detections 4/59*. Payload Security**
    This malware file downloads from
    http ://acupuncturenorthwest .com/kas47.png which of course is -not- an image file but a renamed .exe file that gets renamed to Fcd-4.exe (VirusTotal 12/64[3]). An alternative download location is
    http ://www.agcofruit .com/kas47.png
    This email attachment contains a genuine word doc with a macro script that when run will infect you.
    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...-34522_doc.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1508420918/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    74.50.21.13
    64.182.208.184

    Contacted Hosts
    74.50.21.13
    64.182.208.184
    79.170.7.139
    185.125.46.77


    3] https://www.virustotal.com/en/file/b...884d/analysis/
    Fcd-4.exe

    acupuncturenorthwest .com: 74.50.21.13: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/42...fff7/analysis/

    agcofruit .com: 192.185.118.67: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/ad...0065/analysis/
    ___

    Locky Ransomware’s Recent SPAM
    - http://blog.trendmicro.com/trendlabs...am-activities/
    Oct 19, 2017 - "... A closer look at Locky’s activities reveals a constant: the use of spam. While spam remains a major entry point for ransomware, others such as Cerber also employ vectors like exploit kits. Locky, however, appears to concentrate its distribution through large-scale spam campaigns regardless of the variants released by its operators/developers... We’ve also found how the scale and scope of Locky’s distribution are fueled by the Necurs botnet, a spam distribution infrastructure comprising zombified devices. It churns out a sizeable amount of spam emails carrying information stealers like Gameover ZeuS, ZBOT or Dridex, and other ransomware families such as CryptoLocker, CryptoWall, and Jaff. Necurs is Locky’s known and long-time partner in crime, and it’s no coincidence that the surge of Locky-bearing spam emails corresponds with the uptick in Necurs’ own activity. In fact, we saw that Necurs actively pushed Locky from August to October:
    > https://blog.trendmicro.com/trendlab...cky-spam-2.jpg
    It’s also worth noting that Necurs also distributed Locky via URL-only spam emails — that is, the messages didn’t have -any- attachments, but rather -links- that divert users to -compromised- websites hosting the ransomware. The use of HTMLs embedded with -links- to the -compromised- site also started gaining traction this year... the continuous changes in Locky’s use of file attachments are its way of adjusting its tools to evade or bypass traditional security. But despite the seeming variety, there are common denominators in Locky’s social engineering, particularly in the email subjects and content. They appear to have the same old flavors, but with relatively different twists. Some of the recent lures we saw were:
    - Fake voice message notifications (vishing, or the use of voice-related systems in phishing attacks)
    - HTML attachments posing as invoices
    - Archive files masquerading as business missives from multinationals, e.g., audit and budget reports
    - Fraudulent emails that involve monetary transactions such as bills, parcel/delivery confirmations, and payment receipts..."
    (More detail at the trendmicro URL above.)

    Last edited by AplusWebMaster; 2017-10-19 at 17:57.
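    The first item in the post above (#1289) describes Word documents that need no macro at all: a DDE/DDEAUTO field instruction makes Word launch an external command the moment the user accepts the "update links" prompts. Below is an added detection example written for this page, not code from the original post, Barkly, or myonlinesecurity.co.uk. It assumes the attachment is in OOXML form (a .docx zip) for the structured scan, where it joins the instrText runs of each field because in-the-wild samples split the keyword across runs; anything that is not a zip (for example a legacy binary .doc) falls through to a raw ASCII and UTF-16LE string search. The two sample documents are constructed in memory, and the field's command is a harmless placeholder, not the campaign's real field code.

```python
"""Find DDE / DDEAUTO field codes in a Word attachment, the macro-less delivery
described in post #1289. Added example, not code from the original post.
Assumes OOXML (.docx zip) for the structured scan; other inputs (e.g. legacy
binary .doc) get a raw ASCII / UTF-16LE string search. Samples are constructed."""
import html
import io
import re
import zipfile

DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)
INSTR_RE = re.compile(r"<w:instrText\b[^>]*>(.*?)</w:instrText>", re.S)
FLD_SIMPLE_RE = re.compile(r'<w:fldSimple\b[^>]*\bw:instr="([^"]*)"')
# Raw search: the keyword not glued to a preceding letter, in 8-bit text and in
# UTF-16LE, with up to 200 following characters of the command line.
RAW_PATTERNS = [
    re.compile(rb"(?<![A-Za-z])DDE(?:AUTO)?[^\x00]{0,200}", re.I),
    re.compile(rb"(?<![A-Za-z]\x00)D\x00D\x00E\x00(?:A\x00U\x00T\x00O\x00)?(?:[^\x00]\x00){0,200}", re.I),
]


def field_codes_docx(data: bytes) -> list:
    """Collect field instructions from every word/*.xml part (body, headers,
    footers). Consecutive instrText runs of one complex field are joined, since
    the keyword is often split across runs ("DDEA" + "UTO") to dodge matching."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name).decode("utf-8", "replace")
            codes += [html.unescape(c) for c in FLD_SIMPLE_RE.findall(xml)]
            for field in re.split(r'w:fldCharType="end"', xml):   # one complex field per chunk
                joined = html.unescape("".join(INSTR_RE.findall(field)))
                if joined.strip():
                    codes.append(joined)
    return codes


def find_dde(data: bytes) -> list:
    """Return DDE field instructions (OOXML) or raw string hits (other formats)."""
    if data.startswith(b"PK\x03\x04"):
        return [c.strip() for c in field_codes_docx(data) if DDE_RE.search(c)]
    hits = []
    for pat in RAW_PATTERNS:
        for m in pat.finditer(data):
            raw = m.group(0)
            hits.append(raw.decode("utf-16le", "replace") if b"\x00" in raw else raw.decode("latin-1"))
    return hits


# --- constructed sample documents -------------------------------------------
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
    'officedocument.wordprocessingml.document.main+xml"/></Types>')
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# DDEAUTO field split across two runs, as the in-the-wild documents do; the
# command is a harmless placeholder (constructed), not the campaign's field code.
DDE_RUNS = (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEA</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">UTO c:\\\\Windows\\\\System32\\\\cmd.exe '
    '&quot;/k calc.exe&quot; </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>As requested</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>')
DATE_RUNS = ('<w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
             '<w:r><w:t>19 October 2017</w:t></w:r></w:fldSimple>')


def build_sample_docx(with_dde: bool) -> bytes:
    """Minimal .docx holding either a DDEAUTO field or a benign DATE field."""
    body = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
            f'{DDE_RUNS if with_dde else DATE_RUNS}</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("dde", build_sample_docx(True)), ("benign", build_sample_docx(False))):
        print(label, find_dde(doc))
    legacy = b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + "DDEAUTO c:\\x.exe".encode("utf-16le")
    print("raw", find_dde(legacy))
```

    Treat a hit as a reason to detonate in a sandbox rather than a verdict on its own: documents that legitimately link to spreadsheets also carry DDE fields, and the raw search on a binary .doc will catch the keyword in any text, not only in a field. Headers and footers are scanned for the same reason the body is, since a field hidden there fires just as well.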

  10. #1290
    AplusWebMaster

    Cyber criminal attempts to INFECT systems through E-mail gets WORSE

    FYI...

    Today's crop of cyber criminal attempts to INFECT systems and PCs through E-mail gets WORSE. Best bet is to read these posts by "good-guy" analysts and get what you can from their research, however convoluted the criminals' means have evolved, and remember the standard warnings for ALL E-mail that hits your Inbox:

    "DO NOT follow the advice they give to enable macros or enable editing to see the content.

    The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it."

    Scanned image from MX-2600N malspam pretending to come from your own company delivers Locky ransomware using Word DDE exploit
    - https://myonlinesecurity.co.uk/scann...d-dde-exploit/
    20 Oct 2017

    Fake Swift Copy message delivers fareit trojan
    - https://myonlinesecurity.co.uk/fake-...fareit-trojan/
    20 Oct 2017

    More Locky ransomware delivered via DDE exploit pretending to come from your own company or email address
    - https://myonlinesecurity.co.uk/more-...email-address/
    20 Oct 2017

    Necurs Botnet malspam pushes Locky using DDE attack
    - https://isc.sans.edu/forums/diary/Ne...+attack/22946/
    2017-10-19 - "... the DDE attack* technique has spread to large-scale distribution campaigns..."
    * https://www.bleepingcomputer.com/new...eeding-macros/
    ___

    Alert (TA17-293A)
    Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors

    - https://www.us-cert.gov/ncas/alerts/TA17-293A
    Oct 20, 2017 - "Systems Affected:
    Domain Controllers
    File Servers
    Email Servers
    Overview: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. Working with U.S. and international partners, DHS and FBI identified victims in these sectors. This report contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on compromised victims’ networks...
    DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low security and small networks to gain access and move laterally to networks of major, high value asset owners within the energy sector. Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign. The intent of this product is to educate network defenders and enable them to identify and reduce exposure to malicious activity..."
    (More detail at the us-cert URL above.)

    Last edited by AplusWebMaster; 2017-10-21 at 15:10.
