
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #611
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Exploit kits - Nuclear EK, Fake 'Accounts Payable', Fake 'NUCSOFT-Payroll' SPAM

    FYI...

    Exploit kits on Choopa LLC / Gameservers .com IP addresses
    - http://blog.dynamoo.com/2015/01/expl...hoopa-llc.html
    7 Jan 2015 - "... The characteristics of these malicious landing pages is that they use free domains (currently .co.vu) and seem to have a very short lifespan. As I write this, the following malicious domains are LIVE:
    A typical exploit landing page looks like this* [URLquery report] which appears to be the Nuclear EK. These are hosted on the following Choopa LLC / Gameservers .com IP addresses (it is the same company with two different trading names) [clicking the IP leads to the VirusTotal results, ones identified as malicious are highlighted]:
    ... these domains seem to have a very short life. I identified nearly 3000 domains using these nameservers, the following of which are flagged as malicious by Google... Recommended minimum blocklist (Choopa LLC IPs are highlighted):
    UPDATE: Choopa LLC say they have terminated those IPs**. However, it may still be worth reviewing your logs for traffic to these servers as they might identify machines that have been compromised."
    * http://urlquery.net/report.php?id=1420560803160

    ** https://2.bp.blogspot.com/-6jzwvTDMi...600/choopa.png
    ___

    Huffington Post and Gamezone visitors targeted with malvertising, infected with ransomware
    - http://net-security.org/malware_news.php?id=2936
    Jan 7, 2015 - "The last days of the past and the first days of the current year have been unlucky for visitors of several popular sites including the Huffington Post and Gamezone .com, which were unknowingly serving malicious ads that ultimately led to a ransomware infection. Cyphort Lab researchers first spotted the malvertising campaign on New Year's Eve on the HuffPo's Canadian website. A few days later, the ads were served on HuffingtonPost .com. The ensuing investigation revealed that the source of the ads is advertising .com, an AOL ad-network. Visitors to the sites who were served the ads were automatically redirected to a landing page hosting either the Neutrino or the Sweet Orange exploit kit. The kits served several exploits, and if one of them was successful, a new variant of the Kovter ransomware was downloaded and executed. Kovter* blocks the targeted computer's keyboard and mouse, usually demands a ransom of around $300, and searches the web browser's history for URLs of adult content sites to include in the ransom note. AOL has been notified of the problem, and has removed the malicious ads from rotation both in their advertising.com ad-network as well as in their adtech .de one... This is not the first time that Kovter was delivered in this way. Another malvertising campaign targeting YouTube users** was spotted in October 2014."
    * http://www.net-security.org/malware_news.php?id=2450

    ** http://www.net-security.org/malware_news.php?id=2883
    Sweet Orange exploit kit/NeutrinoEK: http://blog.trendmicro.com/trendlabs...it-us-victims/

    >> http://www.cyphort.com/huffingtonpost-serving-malware/
    ___

    Fake 'Accounts Payable - Remittance Advice' SPAM - doc malware
    - http://myonlinesecurity.co.uk/senior...d-doc-malware/
    7 Jan 2015 - "'Remittance Advice for 945.66 GBP' (random amounts) pretending to come from a random named Senior Accounts Payable Specialist at a random company with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Update: we are also seeing a slightly different version with the subject Invoice 2907.51 GBP (random amounts) with an Excel XLS attachment... The email looks like:

    Please find attached a remittance advice for recent BACS payment of 945.66 GBP.
    Any queries please contact us.
    Katie Carr
    Senior Accounts Payable Specialist
    BUSHVELD MINERALS LTD


    7 January 2015 : REM_5160JW.doc - Current Virus total detections: 4/56*
    ... [1]connects to 193.136.19.160 :8080//mans/pops.php and downloads the usual dridex to %temp%\1V2MUY2XWYSFXQ.exe Current VirusTotal definitions 4/56**
    RBAC_2856PJ.xls Current Virus total detections: 3/56***
    ... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1420634098/

    ** https://www.virustotal.com/en/file/f...is/1420635840/
    ... Behavioural information:
    TCP connections
    194.146.136.1: https://www.virustotal.com/en/ip-add...1/information/

    *** https://www.virustotal.com/en/file/f...is/1420636228/

    1] 193.136.19.160: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'NUCSOFT-Payroll' SPAM - doc malware
    - http://myonlinesecurity.co.uk/eliza-...d-doc-malware/
    7 Jan 2015 - "'NUCSOFT-Payroll December 2014' pretending to come from Eliza Fernandes <eliza_fernandes@ nucsoft .co.in> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... DO NOT follow the advice they give to enable macros to see the content... The email looks like:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ember-2014.jpg

    7 January 2015 : Payroll Dec’14.doc . Current Virus total detections: 2/56*
    ... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1420619222/

    - http://blog.dynamoo.com/2015/01/malw...s-nucsoft.html
    7 Jan 2015
    > https://www.virustotal.com/en/file/7...is/1420623113/

    >> https://www.virustotal.com/en/file/4...is/1420624521/

    Recommended blocklist:
    59.148.196.153: https://www.virustotal.com/en/ip-add...3/information/
    74.208.11.204: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Malformed AndroidManifest.xml in Apps Can Crash Mobile Devices
    - http://blog.trendmicro.com/trendlabs...obile-devices/
    Jan 7, 2015 - "Every Android app comprises several components, including something called the AndroidManifest.xml file or the manifest file. This manifest file contains essential information for apps, “information the system must have before it can run any of the app’s code.” We came across a vulnerability related to the manifest file that may cause an affected device to experience a -continuous- cycle of rebooting — rendering the device nearly useless to the user. The Manifest File Vulnerability: The vulnerability can cause the OS to crash through two different ways. The first involves very long strings and memory allocation. Some apps may contain huge strings in their .XML files, using document type definition (DTD) technology. When this string reference is assigned to some of the tags in AndroidManifest.xml (e.g., permission name, label, name of activity), the Package Parser will require memory to parse this .XML file. However, when it requires more memory than is available, the PackageParser will crash. This triggers a chain reaction wherein all the running services stop and the whole system consequently reboots once. The second way involves .APK files and a specific intent-filter, which declares what a service or activity can do. An icon will be created in the launcher if the manifest file contains an activity definition with this specific intent-filter:
    <intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
    If there are many activities defined with this intent-filter, the same number of icons will be created in the home page after installation. However, if this number is too large, the .APK file will trigger a loop of rebooting. If the number of activities is bigger than 10,000:
    For Android OS version 4.4, the launcher process will undergo the reboot.
    For version L, the PackageParser crashes and reboots. The malformed .APK will be installed but no icon will be displayed. If the number of activities is larger than 100,000, the devices will undergo the -loop- of rebooting...
    We have tested and proven that this created APK could -crash- both Android OS 4.4.4, Android OS L, -and- older versions of the platform... While this vulnerability isn’t technically a security risk, it does put devices at risk in terms of functionality. This vulnerability can essentially leave devices useless. Affected devices can be “rescued” but -only- if the Android Debug Bridge (ADB) is activated or enabled. The only solution would be to connect the device to a computer, boot the phone in fastboot mode, and flash the ROM. Unfortunately, such actions can only be done by highly technical users as a mistake can possibly brick a device. For this issue, we recommend that users contact customer service (if their devices are still under warranty) or a reputable repair shop. We have notified Google about this issue."
    ___

    Fake Flight QZ8501 Video on Facebook
    - https://blog.malwarebytes.org/fraud-...o-on-facebook/
    Jan 6, 2015 - "... If you’re waiting on information with regards what caused the tragic crash of AirAsia Flight QZ8501, please be aware that the inevitable fake Facebook video links are now putting in an appearance. Here’s one, located at: bergkids(dot)com/qz8501 - The page is pretty bare, save for the imagery of what they claim is the plane in question and the following text:
    [CRASH VIDEO] AirAsia Flight QZ8501 Crashed near east coast of Sumatera.
    > https://blog.malwarebytes.org/wp-con...01/fakeqz1.jpg
    Clicking the play button encourages Facebook users to share it, before being redirected to an -imitation- YouTube page located at: urvashi(dot)altervista(dot)org/video/vid(dot)php
    > https://blog.malwarebytes.org/wp-con...01/fakeqz2.jpg
    While visitors might think this would be the video in question, in actual fact they’re looking at a sort of -fake- video -farm- where clicking the link takes them to a wide variety of phony clip scams... From there, they’re then (re)directed to one of the links in the screenshot above. There’s everything from “You won’t eat [product x] again after seeing this” to non-existent leaked celebrity tapes. Disturbingly, two of the pages claim to show car accidents and one of them uses a rather graphic photograph. Given that people could be arriving there from a personal need to find out more information about the plane crash, this is just more proof that the people behind these pages couldn’t care less... All of the above pages return the visitor to the “main” Altervista URL, where they’ll be asked to share then be sent to another of the links in the -redirect- code. It seems to be a way of trying to drop the links on as many feeds as possible (assuming the Facebook account owner changes the share option from “just me” to people in their social circles). Should the weary clicker grow tired of this digital roundabout and simply sit on the altervista page too long, they’ll find that they’re automatically sent to a page called “Horrific Video”:
    > https://blog.malwarebytes.org/wp-con...01/fakeqz5.jpg
    Unlike the other pages which simply loop potential victims around while asking them to share links, this one will take them to a -survey- page if the video “player” is clicked... As with all other survey pages, the links could lead to everything from offers and personal questions to ringtone signups or software installs and are usually served up according to region... If you want to know the latest information on the AirAsia crash, please stick to news sources you know and trust. It’s extremely unlikely someone is going to have exclusive footage sitting on some video website you’ve never heard of, and the moment you’re caught in a loop of “Share this on Facebook to view” messages you can bet there’s nothing on offer except someone trying to make a fast buck."

    Last edited by AplusWebMaster; 2015-01-07 at 21:22.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
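The AndroidManifest.xml issue from the Trend Micro item in the post above, as an added example that is not from the post or from Trend Micro: a Python check over a decoded manifest that flags DTD entity declarations and counts MAIN/LAUNCHER activities against the 10,000 and 100,000 thresholds quoted. It assumes the manifest has already been decoded from binary XML (for instance with apktool); the sample manifests and the package name are constructed.

```python
# Added example: static checks for the two AndroidManifest.xml abuse patterns
# described above. Input is the decoded (text) manifest; binary AXML must be
# decoded first (e.g. with apktool). Sample manifests below are constructed.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Thresholds quoted in the write-up: >10,000 launcher activities crashes the
# launcher / PackageParser; >100,000 puts the device in a reboot loop.
LAUNCHER_WARN = 10_000
LAUNCHER_CRITICAL = 100_000

# A DOCTYPE/ENTITY declaration has no legitimate use in a manifest; it is the
# vehicle for the "very long string" crash, so look for it textually first.
DTD_RE = re.compile(r"<!DOCTYPE\b|<!ENTITY\b", re.IGNORECASE)


def has_dtd(manifest_text):
    """True if the manifest carries a DTD or entity declaration."""
    return DTD_RE.search(manifest_text) is not None


def count_launcher_activities(manifest_text):
    """Count <activity> elements whose intent-filter declares both the MAIN
    action and the LAUNCHER category (each one produces a home-screen icon)."""
    root = ET.fromstring(manifest_text)
    count = 0
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in flt.findall("action")}
            cats = {c.get(NAME_ATTR) for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                count += 1
                break  # one icon per activity, however many filters it has
    return count


def assess_manifest(manifest_text):
    """Return findings as a dict. The DTD check runs before parsing so that a
    hostile manifest is never handed to the XML parser, which would expand
    its entities and reproduce the memory blow-up on the analyst's machine."""
    if has_dtd(manifest_text):
        return {"dtd": True, "launcher_activities": None, "risk": "critical"}
    n = count_launcher_activities(manifest_text)
    if n > LAUNCHER_CRITICAL:
        risk = "critical"
    elif n > LAUNCHER_WARN:
        risk = "high"
    else:
        risk = "ok"
    return {"dtd": False, "launcher_activities": n, "risk": risk}


def build_manifest(n_launcher, dtd=False):
    """Constructed sample manifest (package name is a placeholder) with
    n_launcher icon-producing activities plus one ordinary activity."""
    launcher = (
        '<activity android:name=".A%d"><intent-filter>'
        '<action android:name="android.intent.action.MAIN"/>'
        '<category android:name="android.intent.category.LAUNCHER"/>'
        '</intent-filter></activity>'
    )
    body = "".join(launcher % i for i in range(n_launcher))
    body += '<activity android:name=".Settings"/>'  # no icon, not counted
    prolog = '<!DOCTYPE manifest [<!ENTITY big "AAAA">]>' if dtd else ""
    return (
        prolog
        + '<manifest xmlns:android="%s" package="com.example.placeholder">'
        '<application>%s</application></manifest>' % (ANDROID_NS, body)
    )


if __name__ == "__main__":
    for n, dtd in ((3, False), (10_001, False), (2, True)):
        print(n, dtd, assess_manifest(build_manifest(n, dtd)))
```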

  2. #612
    Adviser Team AplusWebMaster's Avatar

    Thumbs down Fake 'invoice EME018', Fake 'INVOICE ADVISE' and 'NOVEMBER INVOICE' SPAM – malware

    FYI...

    Fake 'invoice EME018' SPAM – doc malware
    - http://myonlinesecurity.co.uk/ieuan-...d-doc-malware/
    8 Jan 2015 - "'invoice EME018.docx' pretending to come from Ieuan James <emerysieuan@ gmail .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email has come in corrupted on my email server and looks like this (I am sure some email servers will serve up a working version) :
    --Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
    Content-Type: text/plain;
    charset=us-ascii
    Content-Transfer-Encoding: 7bit
    --Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
    Content-Type: application/msword;
    name="invoice EME018.doc";
    x-apple-part-url=D103C3C9-1CC9-4BE2-89E7-EB608B41F92A
    Content-Disposition: attachment;
    filename="invoice EME018.doc"
    Content-Transfer-Encoding: base64 ...


    ... extracted the malicious word doc from the content.
    8 January 2015 : invoice EME018.doc - Current Virus total detections: 1/56*
    According to Dynamoo’s blog[1] this EME018.doc malware file will connect to one of these sites http ://ecovoyage.hi2 .ro/js/bin.exe http ://mateusz321.cba .pl/js/bin.exe - This binary is saved as %TEMP%\oHIGUIgifdg.exe and has a VirusTotal detection rate of 10/55** ..."
    * https://www.virustotal.com/en/file/6...is/1420701971/

    ** https://www.virustotal.com/en/file/1...is/1420708713/

    1] http://blog.dynamoo.com/2015/01/malw...s-invoice.html
    8 Jan 2015 - "... this morning I've seen a handful of these malformed malware spams, claiming to be from a Ieuan James and with a subject of invoice EME018.docx. The body text contains some Base64 encoded data which presumably is meant to be an attachment... Recommended minimum blocklist:

    In addition I suggest blocking 3NT Solutions LLP / inferno.name IP ranges on sight. I would very strongly recommend blocking the entire 37.1.208.0/21 range..."
    ___

    Fake 'INVOICE ADVISE' and 'NOVEMBER INVOICE' SPAM - doc/xls malware
    - http://blog.dynamoo.com/2015/01/malw...-08012015.html
    8 Jan 2015 - "These two -spam- runs have different email messages but the same payload. In both cases, there are multiple -fake- senders:
    Sample 1 - INVOICE ADVISE 08/01/2015
    From: Mia Holmes
    Date: 8 January 2015 at 09:11
    Subject: INVOICE ADVISE 08/01/2015
    Good morning
    Happy New Year
    Please could you advise on the November GBP invoice in the attachment for me?
    Many thanks
    Kind Regards
    Mia Holmes
    Accountant
    SULA IRON & GOLD PLC

    Sample 2 - NOVEMBER INVOICE
    From: Reed Barrera
    Date: 8 January 2015 at 09:16
    Subject: NOVEMBER INVOICE
    Good morning
    Happy New Year
    Please could you advise on the November GBP invoice in the attachment for me?
    Many thanks
    Kind Regards
    Reed Barrera
    Controller
    ASSETCO PLC


    Other sender names include:
    - Marlin Rodriquez
    Accountant
    CLONTARF ENERGY PLC
    - Olive Pearson
    Senior Accountant
    ABERDEEN UK TRACKER TRUST PLC
    - Andrew Salas
    Credit Management
    AMTEK AUTO
    The attachment is in a Word document (in one sample it was a Word document saved as an XLS file). Example filenames include:
    RBAC_9971IV.xls
    INV_6495NU.doc
    2895SC.doc
    There are -four- different malicious files that I have seen so far, all with low detection rates [1] [2] [3] [4] which contain in turn one of these macros... leading to a download from one of the following locations:
    http ://188.241.116.63 :8080/mops/pops.php
    http ://108.59.252.116 :8080/mops/pops.php
    http ://178.77.79.224 :8080/mops/pops.php
    http ://192.227.167.32 :8080/mops/pops.php
    This file is downloaded as g08.exe which is then copied to %TEMP%\1V2MUY2XWYSFXQ.exe. This file has a detection rate of 3/56*. The VT report shows a POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known malware server which I recommend that you block. This IP is confirmed in the Malwr report which also shows a dropped DLL which is the same as found in this spam run and has a detection rate of just 2/56**."
    1] https://www.virustotal.com/en/file/e...is/1420712512/

    2] https://www.virustotal.com/en/file/b...is/1420712527/

    3] https://www.virustotal.com/en/file/b...is/1420712717/

    4] https://www.virustotal.com/en/file/d...is/1420713398/

    * https://www.virustotal.com/en/file/b...is/1420713841/

    ** https://www.virustotal.com/en/file/b...is/1420714510/

    - http://myonlinesecurity.co.uk/novemb...l-xls-malware/
    8 Jan 2015: INV_7330KQ.doc - Current Virus total detections: 1/56*
    * https://www.virustotal.com/en/file/b...is/1420713841/
    ... Behavioural information
    TCP connections
    194.146.136.1: https://www.virustotal.com/en/ip-add...1/information/

    Last edited by AplusWebMaster; 2015-01-08 at 15:33.
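For the "review your logs for traffic to these servers" advice in the posts above, an added example that is not from the posts or the blogs they quote: a Python pass over Squid-style proxy log lines that flags requests to the blocklisted IPs, the 37.1.208.0/21 range and the dropper download paths named above. The log lines, the internal client addresses and 37.1.209.77 are constructed; the indicator values are the ones quoted in the posts.

```python
# Added example: review a proxy log for the indicators quoted in the posts
# above. The indicator values come from those posts; the log lines and the
# internal client addresses are constructed for the demonstration.
import ipaddress
import re
from collections import defaultdict

# C&C / download hosts the posts recommend blocking
BLOCK_IPS = {"59.148.196.153", "74.208.11.204", "194.146.136.1",
             "193.136.19.160"}
# Range the dynamoo post recommends blocking outright
BLOCK_NETS = [ipaddress.ip_network("37.1.208.0/21")]
# Download paths used by the macro droppers in these runs
PATH_PATTERNS = [re.compile(p) for p in
                 (r"/mops/pops\.php$", r"/mans/pops\.php$", r"/js/bin\.exe$")]

# Squid-style access.log: ts elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)")
URL_RE = re.compile(
    r"^(?:https?://)?(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/\S*)?")


def indicator_hits(url):
    """Return the reasons a URL matches the indicators; [] means no match."""
    m = URL_RE.match(url)
    if not m:
        return []
    host, port = m.group("host"), m.group("port")
    path = m.group("path") or "/"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname rather than a literal IP
    reasons = []
    if host in BLOCK_IPS:
        reasons.append("blocklisted ip")
    elif addr is not None and any(addr in net for net in BLOCK_NETS):
        reasons.append("blocklisted range")
    if any(p.search(path) for p in PATH_PATTERNS):
        reasons.append("known dropper path")
    # Heuristic taken from the posts: every C&C contact they describe is a
    # request straight to an IP literal on port 8080.
    if addr is not None and port == "8080":
        reasons.append("ip literal on 8080")
    return reasons


def review_log(lines):
    """Group matching requests by internal client for triage."""
    suspects = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = indicator_hits(m.group("url"))
        if reasons:
            suspects[m.group("client")].append((m.group("url"), reasons))
    return dict(suspects)


# Constructed sample log; 37.1.209.77 is a made-up address inside the range.
SAMPLE_LOG = """\
1420713841.120 312 10.0.0.15 TCP_MISS/200 4096 GET http://188.241.116.63:8080/mops/pops.php - DIRECT/188.241.116.63 application/octet-stream
1420713842.500 80 10.0.0.15 TCP_MISS/200 512 POST http://194.146.136.1:8080/ - DIRECT/194.146.136.1 text/html
1420713843.001 150 10.0.0.22 TCP_MISS/200 2048 GET http://37.1.209.77/index.html - DIRECT/37.1.209.77 text/html
1420713844.250 60 10.0.0.31 TCP_HIT/200 8192 GET http://example.com/js/app.js - NONE/- application/javascript
"""

if __name__ == "__main__":
    for client, hits in review_log(SAMPLE_LOG.splitlines()).items():
        for url, reasons in hits:
            print(client, url, ", ".join(reasons))
```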

  3. #613
    Adviser Team AplusWebMaster's Avatar

    Thumbs down Fake 'Monthly Invoice & Report', Fake 'Fax' SPAM - malware

    FYI...

    Fake 'Monthly Invoice & Report' SPAM - malware
    - http://blog.dynamoo.com/2015/01/malw...asharp-uk.html
    9 Jan 2015 - "This spam email pretends to be from a wholly legitimate company called Datasharp UK Ltd but it isn't, it is a spoof. Datasharp is not sending the spam, their systems have not been compromised in any way.
    From: ebilling@ datasharp .co
    Date: 9 January 2015 at 06:55
    Subject: DO-NOT-REPLY Datasharp UK Ltd - Monthly Invoice & Report
    THIS MESSAGE WAS SENT AUTOMATICALLY
    Attached is your Invoice from Datasharp Hosted Services for this month.
    To view your bill please go to www .datasharp .co.uk. Allow 24 hours before viewing this information.
    For any queries relating to this bill, please contact hosted.services@ datasharp .co.uk or call 01872 266644.
    Please put your account number on your reply to prevent delays
    Kind Regards
    Ebilling


    So far I have seen two different Word documents attached with low detection rates at VirusTotal [1] [2] containing one of two malicious macros... which then attempt to download an additional component from the following locations:
    http ://TICKLESTOOTSIES .COM/js/bin.exe
    http ://nubsjackbox.oboroduki .com/js/bin.exe
    The tickletootsies .com download location has been cleaned up, but the other one is still working as it downloads a file with a VirusTotal detection rate of 5/56*. That VirusTotal report also shows that it attempts to POST to 74.208.11.204:8080 (1&1, US) which has been a malware C&C server for several weeks and is definitely worth blocking.
    UPDATE: the Malwr report shows connections to the following IPs which I recommend you block:
    59.148.196.153
    74.208.11.204
    "
    1] https://www.virustotal.com/en/file/1...is/1420794297/

    2] https://www.virustotal.com/en/file/e...is/1420794299/

    * https://www.virustotal.com/en/file/5...is/1420793909/

    - http://myonlinesecurity.co.uk/not-re...d-doc-malware/
    9 Jan 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...ice-Report.jpg

    * https://www.virustotal.com/en/file/1...is/1420787444/

    ** https://www.virustotal.com/en/file/e...is/1420787603/

    *** https://www.virustotal.com/en/file/5...is/1420793909/
    ___

    Fake 'Fax' SPAM
    - http://blog.dynamoo.com/2015/01/malw...documents.html
    9 Jan 2015 - "This -fake- fax run is a variation of this one* from yesterday.
    From: Fax [no-replay@ fax-voice .com]
    Date: 9 January 2015 at 14:52
    Subject: Employee Documents - Internal Use
    DOCUMENT NOTIFICATION, Powered by NetDocuments
    DOCUMENT NAME: Fax Documents
    DOCUMENT LINK: <redacted> ...


    As before, there are several links leading to different download locations... These landing pages lead to a pair of jjencoded javascripts hosted on different files. I explained a little about those last time* ... the download location that you coax out of the script is time-limited. If you wait too long, you get a nonsense script instead. And possibly even more interesting is that every time you download the target ZIP file "message.zip ;.zip ;.zip ;" it seems to be different... That led to -10- different ZIP files containing different EXE files... Although those reports indicate some difference in the port numbers, we can see the following URLs being accessed:
    http ://202.153.35.133 :55365/0901us1/HOME/0/51-SP3/0/
    http ://202.153.35.133 :55365/0901us1/HOME/1/0/0/
    http ://crecrec .com/mandoc/nuts12.pdf
    http ://202.153.35.133 :55350/0901us1/HOME/41/7/4/
    http ://samrhamburg .com/img/ml1.tar
    202.153.35.133 (Excell Media Pvt Lt, India) is probably the key thing to block. Despite the differences in the downloader, they all seem to drop a randomly-named file with identical characteristics in each case. This has a VirusTotal detection rate of 1/55** and you can see the Malwr report for that file here***..."
    * http://blog.dynamoo.com/2015/01/myfa...-campaign.html

    ** https://www.virustotal.com/en/file/8...is/1420818425/

    *** https://malwr.com/analysis/ZjMwNTJiM...VjYWE0ZmQwZDU/

    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Bingham McCutchen Law Firm Spam
    - http://threattrack.tumblr.com/post/1...-law-firm-spam
    Jan 9, 2015 - "Subjects Seen:
    Judicial summons
    Typical e-mail details:
    Warrant to appear Please be informed that you are expected in the Hamilton County Court of Appeals on February 2nd, 2015 at 9:30 a.m. where the hearing of your case of illegal software use will take place. You may obtain protection of a lawyer, if necessary.
    Please bring your identity documents to the Court on the named day. Attendance is compulsory.
    The detailed plaint note is attached to this letter, please download and read it thoroughly.
    Clerk of court,
    Jacob Velez


    Malicious URLs:
    joalpe.firebearstudio .com/dir.php?bh=oBRzRrtM0A02ooUI1aER2YGsHzIP29bCneRZntfom+A=
    Malicious File Name and MD5:
    PlaintNote_BinghamMcCutchen_00588315.exe (E1A7061CCB8997EAB296AA84454B072B)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...DyH1r6pupn.png

    Tagged: law firm, Kuluoz
    ___

    Fake CNN Twitter Feeds SPAM weight loss links
    - https://blog.malwarebytes.org/fraud-...ht-loss-links/
    Jan 9, 2014 - "We’ve noticed a number of fake CNN-themed Twitter accounts driving traffic to a couple of different weight loss sites. The accounts in question are:
    CNNOnly
    TheCNNBreak
    MyCNNNews
    CNNHotline
    All of the above started posting their links in the last few hours... Curiously, they all stopped posting their random mish-mash of memes and joke images around December 18 or 19, so it’s possible they could be formally parked bots which have taken on a new lease of life in some way. We’ve also seen non CNN-themed accounts sending out the same links. To give you an idea of click totals, the stats for two of the links we’ve seen are as follows:
    bit(dot)ly/12NTPUP – 25,814 clicks
    bit(dot)ly/1zxVKtB – 37,262 clicks
    Worth noting that both of those links were created December 10, and as you now have to log into Bit.ly to see additional stats – and I can’t currently login – we can’t comment on what percentage of those clicks are very recent. All the same, we shouldn’t look to keep clicking now and encourage -more- spam as a result. Twitter spam runs are one of those things which will never go away, and it pays to have an idea of the kind of antics* spammers get up to. If you’re looking for some advice on how to keep your Twitter account safe you may wish to look at the latter half of this post** while you’re at it..."
    * https://blog.malwarebytes.org/?s=twitter+spam

    ** https://blog.malwarebytes.org/fraud-...-account-safe/

    Last edited by AplusWebMaster; 2015-01-09 at 23:43.

  4. #614
    Adviser Team AplusWebMaster's Avatar

    Thumbs down Fake 'Summary Paid Against' SPAM - doc malware, TorrentLocker ransomware...

    FYI...

    Fake 'Summary Paid Against' SPAM - doc malware
    - http://myonlinesecurity.co.uk/jason-...d-doc-malware/
    12 Jan 2015 - "'Summary Paid Against' pretending to come from Jason Bracegirdle JPS Projects Ltd <jason.bracegirdle@ jpsprojectsltd .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email contains the same malware payload as today’s Invoice from 'simply carpets of Keynsham Ltd' - Word doc malware* although the file attachment has a different name...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...id-Against.jpg

    11 January 2015: Copy of Weekly Summary 28 12 2014 w.e 28.12.14.doc - Current Virus total detections: 3/54**
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * http://myonlinesecurity.co.uk/invoic...d-doc-malware/

    ** https://www.virustotal.com/en/file/1...is/1421063953/

    - http://blog.dynamoo.com/2015/01/this...ars-to-be.html
    12 Jan 2015
    1] https://www.virustotal.com/en/file/0...is/1421065786/

    2] https://www.virustotal.com/en/file/1...is/1421065795/

    > http://blog.dynamoo.com/2015/01/malw...om-simply.html
    12 Jan 2015
    Recommended blocklist:
    59.148.196.153
    74.208.11.204
    "
    ___

    Outlook Settings Spam
    - http://threattrack.tumblr.com/post/1...-settings-spam
    Jan 12, 2015 - "Subjects Seen:
    Important - New Outlook Settings
    Typical e-mail details:
    Please carefully read the downloaded instructions before updating settings.
    campusnut .com/outlook/settings.html
    This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@ Outlook-us.com and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.


    Malicious URLs:
    Malicious File Name and MD5:
    outlook_setting_pdf.exe (9F2018FC3C7DE300D1069460559659F4)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...fD81r6pupn.png

    Tagged: Outlook, Upatre

    - http://blog.dynamoo.com/2015/01/malw...w-outlook.html
    12 Jan 2015
    ... outlook_setting_pdf.exe
    * https://www.virustotal.com/en/file/e...is/1421077347/
    "... Recommended blocklist:
    202.153.35.133
    morph-x .com
    coffeeofthemonth .biz
    "

    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    ___

    iPhone 6 SCAM
    - https://blog.malwarebytes.org/fraud-...-scam-returns/
    Jan 12, 2015 - "... a familiar -scam- on the verge of a come-back:
    > https://blog.malwarebytes.org/wp-con...15/01/brad.png
    ... we first encountered the spammed link on LinkedIn, thanks to a user named Kolko Kolko, who according to his profile is a coach and has the face of an A-list celebrity. Doing a quick online search using the Goog.gl shortened URL brings up other domains—Google Plus, Livejournal, and Picasa, specifically — where the list is also being posted and shared. Once users click-the-link, they are directed to a survey -scam- page. Below is an example:
    > https://blog.malwarebytes.org/wp-con.../01/survey.png
    The above page is a type of survey that gives users the option to skip. Doing so, however, opens additional layers of survey pages that need skipping until such a point that users encounter a page they could not escape, such as this:
    > https://blog.malwarebytes.org/wp-con...re-surveys.png
    ... the surveys vary depending on the user’s location... Should you encounter any posts from random users on sites you frequent with regard to claiming an iPhone 6, don’t click-the-link... warn friends and contacts on that site to avoid falling for it..."
    ___

    Phish - Barclaycard Credit limit increase
    - http://myonlinesecurity.co.uk/barcla...ease-phishing/
    12 Jan 2015 - "'Credit limit increase' pretending to come from Barclaycard <barclaycard@ mail.barclaycard .co.uk> is one of the latest phish attempts to steal your Bank, credit card and personal details. We are seeing quite a big run of this email today. We see these phishing emails frequently, but today’s spam run of them has a much larger number than usual. This one only wants your personal details, Barclaycard log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ease-email.jpg

    If you open the attached html file you see a webpage looking like:
    > http://myonlinesecurity.co.uk/wp-con...t-increase.jpg
    When you fill in your user name and password you get a page where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. They then send you on to the genuine Barclaycard website..."
    ___

    Google/Microsoft feud over latest 0-day disclosures
    - http://www.infoworld.com/article/286...microsoft.html
    Jan 12, 2015 - "... The subject is the long-running feud between Google and Microsoft over the handling of zero-day flaws. Google engineer Tavis Ormandy has built quite a reputation in security circles for finding zero days in Windows and notifying Microsoft. If no action is forthcoming from Microsoft in a pre-determined amount of time (usually 90 days), Ormandy releases the details (presumably with Google's permission), typically on the Full Disclosure mailing list... The process is now formally supported by Google, under the name Project Zero*. There's no better way I know to get Microsoft's attention. The latest instances actually concern two zero-day bugs, both reported by a Google researcher known as Forshaw... Here's how the argument boils down, in my estimation. If you trust Microsoft to fix the holes in Windows, then Coordinated Vulnerability Disclosure - where we, as customers, trust Microsoft to dig in and fix problems as soon as they're discovered - is a great idea. We would trust Microsoft to fix the problems expeditiously, because other people may have discovered the problem already. We also trust Microsoft to put enough money into the patching effort to make the fixes appear quickly and accurately. If you don't trust Microsoft, then the question becomes how best to hold Microsoft's feet to the fire. Although some believe in full, immediate disclosure, I don't buy that. There has to be a better way. Google's approach seems to me a reasonable one - although it's arguable that the zero-day notification window should be extended to 120 days..."
    * http://googleonlinesecurity.blogspot...ject-zero.html

    > http://blogs.technet.com/b/msrc/arch...isclosure.aspx
    ___

    TorrentLocker -ransomware- hits ANZ Region
    - http://blog.trendmicro.com/trendlabs...ts-anz-region/
    Jan 11, 2015 - "... the EMEA (Europe-Middle East-Africa) region experienced a surge in ransomware, specifically, crypto-ransomware attacks. It appears that these attacks are no longer limited to that region. Research from Trend Micro engineers shows that the ANZ (Australia-New Zealand) region is the latest to be greatly affected by this type of malware—this time by TorrentLocker ransomware. The Infection Chain:
    Infection diagram for ANZ attacks:
    > http://blog.trendmicro.com/trendlabs...ANZ-cryp11.jpg
    The malware arrives through -emails- that pretend to be penal notices from the New South Wales government (referred to in this entry as “NSW”) -or- shipping information from the Australia Post. Once users click-the-link, they will be -redirected- to a -spoofed- page bearing a newly-registered domain similar to the official, legitimate one. The page instructs users to download a file by first entering a CAPTCHA code. If correctly entered, it triggers the download of the malicious file in a zipped format from SendSpace, a file-hosting site. If the user -opens- the zipped file and executes the malware, it will connect to secure command-and-control (C&C) servers. After successful sending and receiving of information, the malware will then encrypt files in the users’ machines using Elliptic Curve Cryptography Encryption and appends the string .encrypted. Afterwards, it drops an .HTML file with decryption instructions and displays a ransom page. It also deletes the shadow copy of the infected system by executing the command line instruction vssadmin.exe Delete Shadows /All /Quiet, thus preventing the user from restoring their files from back-up. Based on feedback from the Smart Protection Network, 98.28% of the recipients are from Australia... ... we have identified several fake domains, 180 for Australia Post and 134 for NSW. These domains are hosted in the following Russian name servers, registered to certain email addresses:
    91.218.228.XX
    193.124.200.13X
    193.124.205.18X
    193.124.89.10X

    The C&C servers in these attacks are newly registered and hosted under IP addresses ranging from 46.161.30.17 to 46.161.30.49. We have also identified eight domains, including adwordshelper[.]ru and countryregion[.]ru... Sample hashes of the files supported by our detections ..."
    (More detail at the trendmicro URL at the top of this post.)

    Last edited by AplusWebMaster; 2015-01-12 at 21:51.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
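    The vssadmin.exe Delete Shadows /All /Quiet step in the TorrentLocker write-up above is one of the few behaviours in that chain a defender can watch for directly in process-creation telemetry. As an added example (not from the Trend Micro post or the poster), this checks command lines for that pattern regardless of case, quoting, full paths or switch order; the "image|command line" records are constructed, and that export format is an assumption.

```python
import re
from typing import List, Tuple

# Constructed sample process-creation records (not real telemetry), in an assumed
# "image path|command line" shape such as a SIEM export might use.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    r"C:\Windows\System32\cmd.exe|cmd.exe /c VSSADMIN delete shadows /quiet /all",
    r'C:\Windows\System32\vssadmin.exe|"C:\Windows\System32\vssadmin.exe" Delete Shadows /For=C: /Quiet',
    r"C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"C:\Windows\System32\vssadmin.exe|vssadmin delete shadowstorage /for=C: /on=C: /quiet",
    r"C:\Program Files\Backup\agent.exe|agent.exe --snapshot --quiet",
]

# A quoted path (which may contain spaces) is one token; everything else splits on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into lower-cased tokens with quotes stripped."""
    return [t.strip('"').lower() for t in TOKEN_RE.findall(cmdline)]


def is_shadow_deletion(cmdline: str) -> bool:
    """True when the command line invokes vssadmin to delete shadow copies.

    Handles full paths, quoting, mixed case and switches in any order. It does not
    fire on 'vssadmin list shadows' or on 'delete shadowstorage' (storage resizing),
    only on the 'delete shadows' verb pair used by the ransomware.
    """
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks):
        base = tok.rsplit("\\", 1)[-1]  # basename of a possibly full path
        if base in ("vssadmin", "vssadmin.exe"):
            rest = toks[i + 1:]
            return rest[:2] == ["delete", "shadows"]
    return False


def flag_events(events: List[str]) -> List[Tuple[str, str, str]]:
    """Scan 'image|cmdline' records; return (image, cmdline, severity) for each hit."""
    hits = []
    for rec in events:
        image, _, cmdline = rec.partition("|")
        if not is_shadow_deletion(cmdline):
            continue
        toks = tokenize(cmdline)
        # /all wipes every shadow copy and /quiet suppresses the confirmation prompt;
        # the two together are exactly the form quoted in the post above.
        severity = "high" if "/all" in toks and "/quiet" in toks else "medium"
        hits.append((image, cmdline, severity))
    return hits


if __name__ == "__main__":
    for image, cmdline, severity in flag_events(SAMPLE_EVENTS):
        print(f"[{severity}] {image}: {cmdline}")
```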

  5. #615
    AplusWebMaster

    Fake 'Nat West Secure Message' SPAM – PDF malware

    FYI...

    Fake 'Nat West Secure Message' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/nat-we...e-pdf-malware/
    13 Jan 2013 - "'You have a new Secure Message' pretending to come from NatWest <secure.message@ natwest .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You have received a encrypted message from NatWest Customer Support
    In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus )
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 2313.


    13 January 2015: SecureMessage.pdf.zip: Extracts to: SecureMessage.pdf.scr
    Current Virus total detections: 1/57*. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1421155786/
    ___

    Fake 'Tax return' SPAM
    - http://blog.dynamoo.com/2015/01/malw...sgov-your.html
    13 Jan 2015 - "This -fake- tax return spam leads to malware:
    From: John Smith [mailto:john.smith@ mail-irs .gov]
    Sent: 13 January 2015 11:13
    Subject: Your tax return was incorrectly filled out
    Attention: Owner/ Manager
    We would like to inform you that you have made mistakes while completing the last tax form application (ID: 960164707883) .
    Please follow the advice of our tax specialists HERE
    Please amend the mistakes and send the corrected tax return to your tax agent as soon as possible.
    Yours sincerely


    The link in the email has a format such as:
    http ://marypageevans .com/taxadmin/get_doc.html
    http ://laser-support .co.uk/taxadmin/get_doc.html
    A journey through some heavily obfuscated javascript follows... which eventually leads to a download called message.zip which contains a malicious executable tax_guide_pdf.exe which changes slightly every time it is downloaded. Incidentally, there seems to be a download limit of about 6 times, after which nonsense text is displayed instead. The .exe file has a VirusTotal detection rate of just 2/57* and Norman identifies it as Upatre. According to the Malwr report it connects to the following URLs:
    http ://202.153.35.133 :19639/1301us23/HOME/0/51-SP3/0/
    http ://202.153.35.133 :19639/1301us23/HOME/1/0/0/
    http ://dstkom .com/mandoc/lit23.pdf
    http ://202.153.35.133 :19657/1301us23/HOME/41/7/4/
    It also drops a file (in this case called FbIpg60.exe) which has another low detection rate of just 2/57**. Fake IRS spam is quite common, if you don't deal with the IRS then blocking mail-irs .gov on your email gateway might help."
    * https://www.virustotal.com/en/file/b...is/1421160583/

    ** https://www.virustotal.com/en/file/9...is/1421161232/

    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Win7 - End of mainstream support
    - http://windowssecrets.com/top-story/...or-its-demise/
    Jan 8, 2015 - "... Most major Microsoft products have a formal life cycle that includes two key end-of-life dates. For Windows, those dates are listed on Microsoft’s “Windows lifecycle fact sheet” webpage.* The first date — End of mainstream support — effectively means that Microsoft will no longer offer free updates to the operating system. Once mainstream support ends for a specific version of Windows, it then enters its Extended support phase, during which Microsoft offers only essential fixes and security updates. (Companies can also pay for specific nonsecurity updates.) When an OS reaches its End of extended support milestone, all official support ends. Windows XP, as many Windows Secrets readers know, passed its “End of extended support” date on April 8, 2014. It has not had official updates of any kind since. (For more specifics on MS product life cycles, see the online “Microsoft support lifecycle policy FAQ.”) As noted in the “Windows lifecycle fact sheet,” Jan. 13 marks the end of mainstream support for all versions of Windows 7 SP1. What does that mean for the millions of us doing our daily computing on Win7 systems? Very soon, our operating systems will be essentially frozen — we’ll no longer receive any enhancements or nonessential fixes. We will, however, receive monthly security updates until Jan. 14, 2020, Win7’s official “End of extended support” date (at which point, Microsoft will want us on Windows 13 — or whatever it’s then called). Just as with XP this past April, Win7 systems should no longer receive updates of any kind after January 2020..."
    * http://windows.microsoft.com/en-us/windows/lifecycle

    - http://www.theinquirer.net/inquirer/...-for-windows-7
    Jan 13 2015

    Last edited by AplusWebMaster; 2015-01-14 at 01:37.

  6. #616
    AplusWebMaster

    Fake 'Invoice' SPAM – doc malware

    FYI...

    Fake 'Invoice' SPAM – doc malware
    - http://myonlinesecurity.co.uk/les-mi...d-doc-malware/
    14 Jan 2015 - "'Les Mills Invoice' pretending to come from lmuk.accounts@ lesmills .com with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... As usual 2 slightly different -malware- versions. The email looks like:
    Dear Customer,
    Please find attached an invoice for Les Mills goods/services. Please note that for Licence Fee invoices the month being billed is the month in which the invoice has been raised unless otherwise stated within.
    If you have any queries please email lmuk.accounts@ lesmills .com or call 0207 264 0200 and select option 3 to speak to a member of the team.
    Best regards,
    Les Mills Finance Team


    14 January 2015 : Les Mills SIV035931.doc - Current Virus total detections: 0/57* : 0/55**
    ... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...6564/analysis/

    ** https://www.virustotal.com/en/file/3...is/1421225265/

    - http://blog.dynamoo.com/2015/01/malw...s-invoice.html
    14 Jan 2015
    "... Recommended blocklist:
    59.148.196.153
    74.208.11.204
    81.27.38.97
    okurimono.ina-ka .com
    "
    ___

    Fake 'SEPA' SPAM – doc malware
    - http://myonlinesecurity.co.uk/senior...d-doc-malware/
    14 Jan 2015 - "'Senior Accounts Payable SEPA REMITTANCE ADVICE 2503.62 EUR 12 JAN 2014' with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Good Afternoon
    Please see attached a copy of remittance advice for SEPA payment of 2503.62 EUR made on 12/01/2015
    Regards,
    Victoria Mack
    Senior Accounts Payable


    14 January 2015 : SE827QR.doc - Current Virus total detections: 0/57*
    ... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1421236177/
    ___

    Fake Fax SPAM - PDF malware
    - http://myonlinesecurity.co.uk/nextiv...e-pdf-malware/
    14 Jan 2015 - "'Fax Received: Fax Server | 1/14/2015 8:21 AM' pretending to come from Nextiva vFax <notifications@ nextivafax .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    HI ...
    Delivery Information:
    Message #: 131177970
    Local Number: 4853872678
    Remote CSID: Fax Server
    Total Pages: 2
    Transmit Time: 3 min 41.000 sec
    Click here to view this message ...
    Delivered by vFax… “When Every Fax is Mission Critical”


    14 January 2015: fax_message_01142015_784398443.pdf.zip ( 83kb): Extracts to: fax_message_01142015_784398443.pdf.scr - Current Virus total detections: 3/55*
    This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1421251998/
    ___

    Malware sites offering Oracle 'patches'
    - https://blogs.oracle.com/proactivesu...oracle_patches
    Jan 14, 2015 - "It has come to our attention that there are non-Oracle sites offering Oracle 'fixes' for genuine Oracle error messages... If you do encounter one of these sites please inform us immediately via Communities* or create a SR and we will rectify the situation... Proactive Support are already investigating some known sites..."
    * https://community.oracle.com/
    ___

    Outlook Phish
    - https://blog.malwarebytes.org/fraud-...outlook-phish/
    Jan 14, 2015 - "... phish mail in circulation... for Outlook accounts. The email reads as follows:
    Dear Microsoft User,
    Please note we have temporary blocked your account from receiving e-mails, because we detected fraudulent and spam activities from your mail box to some blacklisted email address, So for your own safety verify your account.
    If a verification respond is not gotten from you in the next 24 hours, we are sorry we will be forced to permanently disable and delete your account from Microsoft Account.
    To verify your Microsoft account, Click Here
    We regret Any inconvenience.
    Thanks,
    The Microsoft account team


    Clicking the link in the email – sbmarticles(dot)com/Z-zone/SigrypAmt2nd(dot)htm*, which has already popped up on Phishtank – takes potential victims to a spot of data URI phishing**.
    > https://blog.malwarebytes.org/wp-con...h1-300x186.jpg
    Don’t be tricked into filling in login details via these types of attack – any email asking you to login or enter personal information (especially when warning you about account suspensions, unusual activity or any other form of shenanigans) should be treated with a generous helping of caution."
    * 192.190.80.53: https://www.virustotal.com/en/ip-add...3/information/

    ** http://www.csoonline.com/article/215...-accounts.html

    Last edited by AplusWebMaster; 2015-01-14 at 19:34.

  7. #617
    AplusWebMaster

    Fake 'invoice', 'Payment request', 'ADP Invoice', 'HSBC' SPAM - malware attached

    FYI...

    Fake 'invoice' SPAM - malware attached
    - http://blog.dynamoo.com/2015/01/malw...d-invoice.html
    15 Jan 2015 - "This -fake- invoice has a malicious attachment. It does not come from Hexis UK Ltd, it is a forgery. Hexis is not sending the spam, nor have their systems been compromised in any way.
    From: Invoice from Hexis [Invoice@ hexis .co.uk]
    Date: 15 January 2015 at 06:36
    Subject: Invoice
    Sent 15 JAN 15 08:30
    HEXIS (UK) LIMITED
    7 Europa Way
    Britannia Park
    Lichfield
    Staffordshire
    WS14 9TZ
    Telephone 01543 411221
    Fax 01543 411246


    Attached is a malicious Word document S-INV-CREATIFX-465219.doc which actually comes in -two- different versions (perhaps more) with low detection rates [1] [2] containing two slightly different macros... which download a component from one of the following locations:
    http ://dramakazuki.kesagiri .net/js/bin.exe
    http ://cassiope .cz/js/bin.exe
    This has a VirusTotal detection rate of 3/57*. That report shows the malware phoning home to 74.208.11.204:8080 (1&1 Internet, US) which is a familiar C&C server which you should definitely block traffic to. My sources also identify a couple of other IPs, giving a recommended blocklist of:
    59.148.196.153
    74.208.11.204
    81.27.38.97

    UPDATE: the Malwr report shows that it drops a DLL with a VirusTotal detection rate of just 1/57**."
    [1] https://www.virustotal.com/en/file/6...is/1421314924/

    [2] https://www.virustotal.com/en/file/7...is/1421314937/

    * https://www.virustotal.com/en/file/8...is/1421315774/

    ** https://www.virustotal.com/en/file/1...is/1421318457/


    - http://myonlinesecurity.co.uk/hexis-...d-doc-malware/
    15 Jan 2015
    * https://www.virustotal.com/en/file/6...is/1421309107/

    ** https://www.virustotal.com/en/file/7...is/1421309412/
    ___

    Fake 'Payment request' SPAM - malware attachments
    - http://blog.dynamoo.com/2015/01/malw...of-417694.html
    15 Jan 2015 - "This -spam- comes with a malicious Word document attached:
    from: Alan Case
    date: 15 January 2015 at 08:49
    subject: Payment request of 4176.94 (14 JAN 2015)
    Dear Sirs,
    Sub: Remitance of GBP 4176.94
    This is with reference to the above, we request you to kindly remit GBP 4176.94 in favor of our bank account.
    For more information on our bank details please refer to the attached document.
    Thanking you,
    Alan Case Remittance Manager


    Other names and job titles seen... The payment amount, name and job title change in each spam, as does the name of the attachment (although this follows the format ADV0000XX). There are three malicious Word documents that I have seen, each with a low detection rate at VirusTotal [1] [2] [3] which in turn contain a slightly different macro... which attempt to download another component from one of the following locations:
    http ://95.163.121.71 :8080/mopsi/popsi.php
    http ://95.163.121.72 :8080/mopsi/popsi.php
    http ://136.243.237.204 :8080/mopsi/popsi.php
    Note the two adjacent IPs of 95.163.121.71 and 95.163.121.72 which belong to Digital Networks CJSC in Russia (aka DINETHOSTING), an IP range of 95.163.64.0/18 that I would recommend you consider blocking. 136.243.237.204 is a Hetzner IP. The macro downloads a file g08.exe from these locations which is then saved as %TEMP%\UGvdfg.exe. This has a VirusTotal detection rate of 4/57*. That VT report also shows the malware attempting to POST to 194.146.136.1:8080 (PE "Filipets Igor Victorovych", Ukraine) which is a well-known bad IP. The Malwr report is inconclusive, but this executable probably drops a Dridex DLL.
    Recommended blocklist:
    194.146.136.1
    95.163.121.71
    95.163.121.72
    136.243.237.204

    UPDATE: the following -are- Dridex C&C servers which you should also block:
    80.237.255.196 "
    [1] https://www.virustotal.com/en/file/5...is/1421313787/

    [2] https://www.virustotal.com/en/file/2...is/1421313798/

    [3] https://www.virustotal.com/en/file/d...is/1421313810/

    * https://www.virustotal.com/en/file/f...is/1421313825/


    - http://myonlinesecurity.co.uk/paymen...d-doc-malware/
    15 Jan 2015
    15 January 2015 : ADV0291LO.doc - Current Virus total detections: 3/55*
    15 January 2015 : 57959SI.xls (35 kb) - Current Virus total detections: 3/57**
    | 3093720WF.xls (47 kb) - Current Virus total detections: 2/57***
    * https://www.virustotal.com/en/file/2...is/1421309631/

    ** https://www.virustotal.com/en/file/0...is/1421316140/

    *** https://www.virustotal.com/en/file/a...is/1421315881/
    ___

    Fake 'open24 .ie important changes alert' SPAM – malware
    - http://myonlinesecurity.co.uk/open24...alert-malware/
    15 Jan 2015 - "'Some important changes to some services' (email alert) pretending to come from Open24 <inf01@ open24 .ie> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Fwd: Software Upgrade
    Dear
    Open24 Customer,
    We have now implemented a number of
    changes to our Internet Banking service. This is to ensure the highest
    level of security of information passing between you and our server.
    To have access to this service, simply follow the button below and activate the service...
    Kind regards
    Open24
    This email is personal & confidential and is intended for the recipient only...


    15 January 2015: open24changes.zip (523 kb) : Extracts to: Payment.scr
    Current Virus total detections: 17/57*. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1421332957/
    ___

    Fake 'ADP Invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/johnny...e-pdf-malware/
    15 Jan 2015 - "'ADP Invoice for week ending 01/11/2015' pretending to come from Johnny.West@ adp .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Your most recent ADP invoice is attached for your review.
    If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
    Thank you for choosing ADP for your business solutions.
    Important: Please do not respond to this message. It comes from an unattended mailbox.


    15 January 2015: invoice_418270412.pdf.zip (11kb): Extracts to: invoice_418270412.pdf.scr
    Current Virus total detections: 5/57*. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1421335768/
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    174.120.16.66: https://www.virustotal.com/en/ip-add...6/information/
    69.49.101.51: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'HSBC Payment Advice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/hsbc-p...e-pdf-malware/
    15 Jan 2015 - "'Payment Advice – Advice Ref:[GB956959] / CHAPS credits' pretending to come from HSBC Advising Service [mailto:Bankline.Administrator@ nutwest .com] is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and follow the link or open the attachment... The email looks like:
    Sir/Madam,
    Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.
    Download link: <redacted>
    Yours faithfully,
    Global Payments and Cash Management
    HSBC ...


    When you follow the... link you get a page looking like this, where depending on which browser you are using, you might get a direct download of the zip file containing the -malware- or you might get the message to follow the link... which will give you the malware:
    Screenshot: http://myonlinesecurity.co.uk/wp-con...01/avralab.jpg
    15 January 2015: doc974_pdf.zip (11kb) : Extracts to: doc963_pdf.exe
    Current Virus total detections: 4/57*. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1421341083/
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    66.147.240.173: https://www.virustotal.com/en/ip-add...3/information/

    Last edited by AplusWebMaster; 2015-01-16 at 00:14.
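    The .pdf.scr-inside-.pdf.zip trick recurs through the NatWest, vFax, Open24, ADP and HSBC items above: the inner file runs as a program while its icon and decoy extension say "document". As an added example (not from myonlinesecurity.co.uk or the poster), this mail-gateway style check opens a zip attachment in memory and flags members whose last extension is executable, noting when a document extension sits in front of it; the archives are constructed here from the attachment names in the posts, with harmless placeholder bytes instead of any real payload.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Extensions Windows runs as a program even when the icon says "PDF"; .scr and .exe
# are the ones seen in the posts above, the rest are common variants of the same trick.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
# Decoy extensions an attacker places in front of the real one.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".wav"}


def classify_member(name: str) -> Optional[str]:
    """Return a reason string if an archive member name is suspicious, else None."""
    base = name.lower().rsplit("/", 1)[-1]  # zip member paths use forward slashes
    parts = base.split(".")
    if len(parts) < 2:
        return None  # no extension at all
    exts = ["." + p for p in parts[1:]]
    last = exts[-1]
    if last not in EXECUTABLE_EXTS:
        return None
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        return f"double extension: looks like {exts[-2]} but runs as {last}"
    return f"executable payload ({last})"


def screen_attachment(filename: str, data: bytes) -> List[Tuple[str, str]]:
    """Inspect a zip attachment given as bytes; return (name, reason) findings."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(filename, "not a valid zip archive")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reason = classify_member(info.filename)
            if reason:
                findings.append((info.filename, reason))
    # The outer name often plays the same trick ("SecureMessage.pdf.zip").
    outer = filename.lower()
    if findings and outer.endswith(".zip") and any(outer[:-4].endswith(d) for d in DOCUMENT_EXTS):
        findings.append((filename, "archive name itself mimics a document"))
    return findings


def build_sample_zip(members: List[str]) -> bytes:
    """Constructed test archive; every member holds harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in members:
            zf.writestr(name, b"placeholder bytes, not a program")
    return buf.getvalue()


# Attachment and member names taken from the posts above; the contents are constructed.
SAMPLES = {
    "SecureMessage.pdf.zip": ["SecureMessage.pdf.scr"],
    "fax_message_01142015_784398443.pdf.zip": ["fax_message_01142015_784398443.pdf.scr"],
    "open24changes.zip": ["Payment.scr"],
    "doc974_pdf.zip": ["doc963_pdf.exe"],  # underscore instead of dot still ends in .exe
    "quarterly_report.zip": ["quarterly_report.pdf"],  # benign control
}


def run_samples():
    """Screen every constructed sample; map attachment name to its findings."""
    return {fn: screen_attachment(fn, build_sample_zip(members)) for fn, members in SAMPLES.items()}


if __name__ == "__main__":
    for fn, findings in run_samples().items():
        print(fn, "->", findings or "clean")
```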

  8. #618
    AplusWebMaster

    Affordable Care Act Phish, Adobe Phish, Google malvertising ...

    FYI...

    Affordable Care Act Phishing Campaign
    - https://www.us-cert.gov/ncas/current...shing-Campaign
    Jan 15, 2015 - "US-CERT is aware of a phishing campaign purporting to come from a U.S. Federal Government Agency. The phishing emails reference the Affordable Care Act in the subject and claim to direct users to health coverage information, but instead direct them to sites which attempt to elicit private information or install malicious code. US-CERT encourages users to take the following measures to protect themselves:
    - Do not follow links or download attachments in unsolicited email messages.
    - Maintain up-to-date antivirus software.
    - Refer to the Avoiding Social Engineering and Phishing Attacks Security Tip* for additional information on social engineering attacks..."
    * https://www.us-cert.gov/ncas/tips/ST04-014
    ___

    Fake 'voice mail' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/micros...e-pdf-malware/
    16 Jan 2015 - "'You have received a voice mail' pretending to come from Microsoft Outlook Voicemail <no-reply@your own domain> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    You received a voice mail : VOICE549-693-8777.wav (20 KB)
    Caller-Id: 549-693-8777
    Message-Id: 8X3NI1
    Email-Id: a.j.lefeber14d @ ...
    This e-mail contains a voice message.
    Download and extract the attachment to listen the message.
    Sent by Microsoft Exchange Server


    They are not being sent by your own server or email server, but by one of the botnets...
    16 January 2015: VOICE44982109219.zip (11kb) : Extracts to: VOICE44982109219.scr
    Current Virus total detections: 4/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1421413445/
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    192.185.16.192: https://www.virustotal.com/en/ip-add...2/information/
    UDP communications
    198.27.81.168: https://www.virustotal.com/en/ip-add...8/information/
    192.95.17.62: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Adobe Phish back in-the-Wild
    - https://blog.malwarebytes.org/fraud-...k-in-the-wild/
    Jan 15, 2015 - "We recently found a -compromised- site serving what appears to be an Adobe phish. Like most phishing campaigns, this one may have originated from a spammed email. Although we do not have the actual sample of said email, it pays to be familiar with what the fraud page looks like and its content, too. Please direct your attention to the screenshot below:
    > https://blog.malwarebytes.org/wp-con...00-default.png
    We can deduce from the page’s content that the spam may have originated from a spoofed Adobe address, promising an important document the recipient has to see. In order to do so, they are then instructed to access their Adobe account by entering their email credentials, specifically for AOL, Gmail, Outlook, and Yahoo! The page also caters to credentials for other email providers. Visitors clicking either of the email service brands at the right side of the page changes the user entry fields at the left side to match with the look of the real thing... Some of us may quickly and easily identify that the whole thing is a phishing campaign, but some may also not realize this until it’s too late. Be extra careful when dealing with emails purporting to have come from Adobe... It also pays to remain informed and read Adobe’s page here* on how to avoid falling for phishing schemes."
    * https://www.adobe.com/security/prevent-phishing.html
    ___

    North Korean News Agency site serves File Infector
    - http://blog.trendmicro.com/trendlabs...file-infector/
    Jan 16, 2015 - "We were recently alerted to reports* claiming that the website North Korea’s official news service, www.kcna .kp, had been delivering -malware- via embedded malicious code. One of the photo spreads on the website was found to contain malware that launched a watering hole attack on individuals who came to visit the website and its other pages. Below is an infection diagram for the malware associated with this attack:
    > http://blog.trendmicro.com/trendlabs...1/Diagram2.jpg
    The mother file in this attack is detected as PE_WINDEX.A-O. As seen in the diagram above, the executable file mscaps.exe drops wtime32.dll, which contains the infection code and backdoor routine. Another executable file mscaps.exe injects code to explorer.exe to stay memory resident. As such, every time the affected system reboots, the malware runs on the system and begins its infection routine. Explorer.exe executes the infection code and targets .EXE files in drive types that are removable or shared, with drive letters traversed from A-Z. We observed that it skips fixed drives. Apart from explorer.exe, this file infector looks for the following processes where it injects its malicious code:
    iexplore.exe
    ieuser.exe
    firefox.exe
    chrome.exe
    msimn.exe
    msnmsgr.exe
    outlook.exe
    winmail.exe
    yahoomessenger.exe
    ftp.exe
    The website contains an -infected- .ZIP file named FlashPlayer.zip. Our initial analysis shows that the outdated Flash Player installer drops the main file infector WdExt.exe, which we detect as PE_WINDEX.A-O. It copies and renames the file Ws2_32.dll, which is the file for the Windows Sockets API used by most Internet and network applications to handle network connections. PE_WINDEX.A-O also creates the file SP{random}.tmp, which contains system information that may be responsible for the malware’s information theft routines. It gathers data such as date and time, computer name, user name, OS information, MAC address, and more. The embedded malicious code runs on Internet Explorer version 11.0, Mozilla Firefox versions 10.0.9 and 36.0, Safari versions 7.0.3 and 4.0, Opera version 9.00 and 12.14, and Google Chrome 41.0.2228.0. The browsers we tested all displayed the code snippet that includes /download/FlashPlayer10.zip. Based on replicating the attack with an infected sample (calc.exe), we noticed that the file size is almost the same size as the mother file infector, PE_WINDEX.A-O. Additional analysis also shows that PE_WINDEX.A-O has developer metadata that lists its copyright as © Microsoft Corporation. All rights reserved with its publisher is listed as Microsoft Corporation. Its description and comments contain the text Windows Defender Extension, among other listed information. This may be a disguise for the malware so that users won’t be suspicious about the file..."
    * http://arstechnica.com/security/2015...s-malware-too/
    ___

    Google finally quashes month-Old Malvertising Campaign
    - http://it.slashdot.org/story/15/01/1...ising-campaign
    Jan 16, 2015 - "Since the middle of December, visitors to sites that run Google AdSense ads have intermittently found themselves -redirected- to other sites featuring spammy offerings for anti-aging and brain-enhancing products*. While webmasters who have managed to figure out which advertisers are responsible could quash the attacks on their AdSense consoles, only now has Google itself managed to track down the villains and -ban- them from the service."
    * http://www.itworld.com/article/28710...ng-attack.html
    Jan 14, 2015

    Last edited by AplusWebMaster; 2015-01-16 at 16:44.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #619 AplusWebMaster

    iTunes invoice – phish

    FYI...

    iTunes invoice – phish
    - http://myonlinesecurity.co.uk/itunes...175t-phishing/
    17 Jan 2015 - "'ITunes Your invoice #ID31WX175T' pretending to come from iTunes Store <do_not_reply@ btconnect .com> is one of the latest -phish- attempts to steal your Bank, credit card and personal details. This one is slightly different to usual ones in that it is designed to make you think that it is a mistake and that you need to enter all your bank/credit card details in order to -cancel- the transaction that you never made in the first place... persuading the recipient that somebody must have compromised their ITunes account and telling you to change all the details in it... not only would you lose a lot of money but could also end up losing a lot more. This one only wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well*...
    * http://myonlinesecurity.co.uk/how-to...hten-security/
    looks at first glance like the genuine Itunes website but you can clearly see in the address bar, that it is fake. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email. If you open the attached html file you see a webpage looking like:
    > http://myonlinesecurity.co.uk/wp-con...nfirmation.png
    When you fill in your user name and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... make sure you have “show known file extensions enabled”, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should -not- be run or opened."


  10. #620 AplusWebMaster

    Fake 'order payment slip', Fake 'Natwest' SPAM, “Zombie cookies”

    FYI...

    Fake 'order payment slip' SPAM - malware
    - http://myonlinesecurity.co.uk/pierre...-slip-malware/
    19 Jan 2015 - "'RE: order payment slip' coming from info@ bukasonventure .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    This is just to inform you that we have made the payment as Requested.
    We try to contact you about the payment we made here in our office, but because the payment was made on Friday evening before the bank closed, and our server was down,
    PLEASE REFER TO THE ATTACHMENT SLIP
    Best regards,
    Mr Pierre Jude Genaral Manager
    323 Collier Road, Bayswater WA 6053
    Phone: (1) 9379 0811
    Fax: (1) 9379 0822 ...


    These actually look like they are coming from bukasonventure .com which is hosted in USA and was only registered on 15 January 2015. This might be a compromised server, have an open relay allowing the emails to be sent, or have been registered under a false set of details with the aim of sending malicious emails and spam. The more I look at this one, the more I am convinced the entire set up has been done with the aim of distributing malware. The domain was registered on 15 January 2015. The computer sending IP 120.140.55.192 is listed as Malaysia...
    19 January 2015: order-slip.rar : Extracts to: order-slip.exe
    Current Virus total detections: 23/56* ... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1421652817/
    ___

    Verizon vuln exposed email accounts - “zombie cookies”
    - http://www.securityweek.com/verizon-...email-accounts
    Jan 19, 2015 - "... discovered the flaw while analyzing the Android app for Verizon’s fiber optic Internet, telephone and television service FiOS. While investigating the requests sent by the application, the expert noticed a username parameter called uid. By changing the value of this parameter with a different customer’s username, Westergren got the contents of the targeted user’s email account. The researcher* later determined that other API methods for this particular widget were affected as well. For example, by changing the values of the uid and mid parameters in a certain request, he could read individual emails. even managed to send out an email on another user’s behalf by exploiting the vulnerability... The proof-of-concept was sent to Verizon’s security team on January 14. The telecoms giant -confirmed- the existence of the issue by the next day. The vulnerability was fixed on January 16. For responsibly disclosing the security hole, Westergren was rewarded with free FiOS Internet for one year... had been using so-called “zombie cookies” to track subscribers even if they had used private browsing, cleared their cookies, or if they had opted out. The existence of Verizon’s controversial system came to light last year, but the company -denied- using the tracking method in its own business model. After being exposed... announced on Friday that it will suspend its “zombie cookies” program..."
    * http://randywestergren.com/critical-...mail-accounts/
    ___

    LockHeedMartin Fax Spam
    - http://threattrack.tumblr.com/post/1...artin-fax-spam
    Jan 19, 2015 - "Subjects Seen:
    [Lockheed Martin UK Ltd Integrated Systems] New fax message - LFQ.71021C670.3249
    Typical e-mail details:
    FAX: +07755-090107
    Date: 2015.01.18 17:33:18 CST
    Pages: 4
    Reference number: LFQ.71021C670.3249
    Filename: curbed.zip

    Lockheed Martin UK Ltd Integrated Systems Michaele Vivas


    Malicious URLs:
    breteau-photographe .com/tmp/pack.tar.gz
    voigt-its .de/fit/pack.tar.gz
    maisondessources .com/assets/pack.tar.gz
    pleiade.asso .fr/piwigotest/pack.tar.gz
    scolapedia .org/histoiredesarts/pack.tar.gz
    Malicious File Name and MD5:
    curbed .scr (BDFE7EB4A421B9A989C85BFFF7BACE2C)
    1715030703 .exe (4ebd076047a04290f23f02d6ecd16fee)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...aEr1r6pupn.png

    Tagged: LockHeedMartin, Citroni, dalexis
    ___

    Fake 'Natwest' SPAM - leads to malware
    - http://blog.dynamoo.com/2015/01/malw...m-natwest.html
    19 Jan 2015 - "This spam claiming to be from NatWest bank (or is it nEtwest?) leads to malware.
    From: NatWest [donotreply@ netwest .uk]
    Date: 19 January 2015 at 14:02
    Subject: Important - Please complete attached form ...
    Dear Customer
    Please find below your Banking Form for Bankline.
    <URL redacted>
    Please complete Bankline Banking Form :
    - Your Customer Id and User Id - which are available from your administrator if you have not already received them
    Additionally, if you wish to access Bankline training, simply follow the link below
    <URL redacted>
    If you have any queries or concerns, please telephone your Electronic Banking Help Desk.
    National Westminster Bank Plc, Registered in England No. 929027. Registered Office: 135 Bishopsgate, London EC2M 3UR.
    Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority...


    In this case the link in the email goes to www .ipawclp .com/NEW-IMPORTANT-NATWEST_FORM/new.bankline_document .html where it hits a couple of scripts at:
    http ://restaurantratiobeach .ro/js/jquery-1.39.15.js
    http ://utokatalin .ro/js/jquery-1.39.15.js
    In turn, that leads to a ZIP file download which contains an EXE file which is slightly different each time it downloads, with low detection rates in all cases [1] [2] [3]. The name of the ZIP file and EXE varies, but is in the format doc12345.exe and doc54321.zip. Of note is a sort-of-informational screen on the download page:
    > https://2.bp.blogspot.com/-BbZFLI01z...ke-natwest.png
    Automated analysis is presently inconclusive...
    UPDATE:
    @snxperxero suggests blocking the following sites:
    202.153.35.133
    loveshopclothing .com
    credit490 .com"
    1] https://www.virustotal.com/en/file/2...is/1421678510/
    2] https://www.virustotal.com/en/file/c...is/1421678516/
    3] https://www.virustotal.com/en/file/7...is/1421678522/
    ___

    Fake 'Insurance Inspection' SPAM - doc malware
    - http://blog.dynamoo.com/2015/01/malw...esfmgcouk.html
    19 Jan 2015 - "This spam does -not- come from FMG Support Group Ltd, but instead it is a forgery. FMG are -not- sending out the spam, nor have their systems been compromised in any way. Instead, this spam has a malicious Word document attached.
    From: repairermessages@ fmg .co.uk
    Date: 19 January 2015 at 07:24
    Subject: Insurance Inspection Arranged AIG02377973
    FMG is committed to reducing its impact on the environment. Please don't print this email unless absolutely necessary.
    Have you been impressed by one of our people?
    If so, we'd love to hear about it. You can nominate someone for a Spirit award by emailing spirit@ fmg .co.uk
    FMG Support Group Ltd. Registered in England. No. 06489429.
    Registered office: FMG House, St Andrews Road, Huddersfield, HD1 6NA.
    Tel: 0844 243 8888 ...


    Attached is a Word document AIG02377973-InsuranceInspectionArranged.doc which comes in at least -two- different versions, neither of which are detected by AV vendors [1] [2]. These documents contain -two- slightly different malicious macros... which attempt to download a further component from:
    http ://chilan .ca/js/bin.exe
    http ://techno-kar .ru/js/bin.exe
    This is saved as %TEMP%\324234234.exe which has a VirusTotal detection rate of 2/57*. The Malwr report shows it attempting to communicate with the following IPs:
    59.148.196.153 (HKBN, Hong Kong)
    74.208.11.204 (1&1, US)
    These two IP addresses have been used by this -malware- for a long time, I strongly recommend you block them. Also, a malicious DLL is dropped on the infected system with a detection rate of just 2/53**."
    1] https://www.virustotal.com/en/file/2...is/1421656771/
    2] https://www.virustotal.com/en/file/5...is/1421657737/
    ___

    Fake '19TH JANUARY 2015.doc' SPAM - doc malware
    - http://blog.dynamoo.com/2015/01/malw...ci-wilson.html
    19 Jan 2015 - "This rather terse spam does -not- actually come from Davies Crane Hire, but it is a -forgery- with a malicious Word document attached. Davies Crane Hire have not been hacked or compromised, and they are -not- sending out this spam.
    From: Traci Wilson [t.wilson@ daviescranehire .co.uk]
    Date: 19 January 2015 at 09:05
    Subject: 19TH JANUARY 2015.doc


    There is -no- body text, just an attachment called 19TH JANUARY 2015.doc which contains a malicious macro.
    The documents in use and the payload are identical to this spam run* that preceded it. At the moment, everything has a very low detection rate. The payload is the Dridex banking trojan."
    * http://blog.dynamoo.com/2015/01/malw...esfmgcouk.html

    - http://myonlinesecurity.co.uk/traci-...d-doc-malware/
    19 Jan 2015
    ___

    Fake 'tax refund' Phish...
    - http://myonlinesecurity.co.uk/hm-rev...ment-phishing/
    19 Jan 2015 - "'HM Revenue and Customs – You have received a tax refund payment !' is an email pretending to come from HM Revenue & Customs <tax@ hmrc .gov .uk>. One of the major common subjects in a phishing attempt is -Tax returns- where especially in the UK, you need to submit your Tax Return online before 31st December each year. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... If you follow the link you see a webpage looking like this where they want your email address and name:
    > http://myonlinesecurity.co.uk/wp-con...MRC_phish1.png
    They then pretend to do a search based on your name and email. Then you get sent on to the nitty gritty where they want -all- your banking and credit information:
    > http://myonlinesecurity.co.uk/wp-con...MRC_phish2.png
    ... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

    Last edited by AplusWebMaster; 2015-01-19 at 22:54.
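Added example, not from the posts above or the blogs they quote: a Python triage of ZIP attachments for the tricks those posts describe (a .wav 'voice mail' that extracts to a .scr, doc54321.zip holding doc12345.exe, curbed.zip holding curbed.scr, and icon-spoofed PE files behind document-looking names). The extension sets and the sample archives are assumptions constructed here; it reads only ZIP, so the order-slip.rar case is not covered.

```python
"""Added example (not from the posts above or the blogs they quote): triage a ZIP
attachment for the tricks described there: executable members such as .scr/.exe,
document-then-executable double extensions, a PE (MZ) header behind a document
name, and a mismatch between the type the mail body claims and the real member.
All sample archives are constructed inline."""
import io
import os
import zipfile

# Extensions Windows runs directly; a .scr screensaver is just a PE executable.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                  ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi"}
# Types the spam body advertises to make the attachment look harmless.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".wav", ".mp3", ".txt", ".jpg", ".png"}

def _exts(name):
    """All extensions of a filename, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    return ["." + p for p in os.path.basename(name).lower().split(".")[1:]]

def classify_member(name, head, claimed_name=None):
    """Reasons one archive member looks malicious (empty list if none).
    head is the member's first bytes; claimed_name is what the mail body advertises."""
    reasons = []
    exts = _exts(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXT:
        reasons.append("executable extension %s" % last)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and last in EXECUTABLE_EXT:
        reasons.append("double extension %s" % "".join(exts[-2:]))
    if head[:2] == b"MZ" and last not in EXECUTABLE_EXT:
        # A PE image behind a document-looking name: the icon-spoofing trick.
        reasons.append("PE header (MZ) but extension %r" % (last or "none"))
    if claimed_name is not None:
        claimed = _exts(claimed_name)
        if claimed and claimed[-1] in DOCUMENT_EXT and last in EXECUTABLE_EXT:
            reasons.append("body claims %s but archive holds %s" % (claimed[-1], last))
    return reasons

def triage_zip(zip_bytes, claimed_name=None):
    """Return {member_name: [reasons]} for every suspicious member of a ZIP."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)   # two bytes suffice for the MZ check
            reasons = classify_member(info.filename, head, claimed_name)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip(members):
    """Constructed test data: an in-memory ZIP built from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples whose names mirror the attachments quoted in the posts.
VOICEMAIL_ZIP = build_sample_zip({"VOICE44982109219.scr": b"MZ\x90\x00fake"})
NATWEST_ZIP = build_sample_zip({"doc12345.exe": b"MZ\x90\x00fake"})
BENIGN_ZIP = build_sample_zip({"report.pdf": b"%PDF-1.4 ..."})
```

Calling triage_zip(VOICEMAIL_ZIP, "VOICE549-693-8777.wav") flags both the .scr member and the .wav/.scr mismatch, while the benign PDF archive returns no findings.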
