Thread: SPAM frauds, fakes, and other MALWARE deliveries...

Post #34 by AplusWebMaster (Adviser Team)
    Fake 'transaction' SPAM, CrypMIC ransomware, Business sites hijacked

    FYI...

    Fake 'transaction' SPAM - Java Adwind Trojan
    - https://myonlinesecurity.co.uk/java-...alspam-emails/
    20 July 2016 - "Overnight we received 2 separate sets of malspam emails both eventually leading to the same Java Adwind Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...n-1024x568.png

    Update: I am also getting some of these 'Pending Sendout Transaction' emails coming through pretending to come from amirmuhammed @almuzaniexchange .ae "
    Screenshot: https://myonlinesecurity.co.uk/wp-co...l-1024x617.png

    20 July 2016: Sendout-Copy.zip: Extracts to: Sendout_copy..js - Current VirusTotal detections 1/54*
    .. Payload Security**. This is a JavaScript file that automatically downloads and runs
    http ://ebhar .net/css/new_file_jacob.jar which is the -same- Java Adwind Trojan as the Java.jar file in the second email.

    20 July 2016: Sendout-Report.rar: Extracts to: Sendout-Copy.jar - Current VirusTotal detections 18/55[3]
    .. Payload Security [4].
    This is another one of the files that, unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/b...is/1468989481/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.194.169.160

    [3] https://www.virustotal.com/en/file/d...is/1468989622/

    [4] https://www.hybrid-analysis.com/samp...ironmentId=100

    ebhar .net: 216.194.169.160: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/5c...9851/analysis/
    ___

    CrypMIC ransomware follows CryptXXX ...
    - http://blog.trendmicro.com/trendlabs...llow-cryptxxx/
    July 20, 2016 - "... a new ransomware family that mimics CryptXXX in terms of entry point, ransom notes and payment site UIs. CrypMIC’s perpetrators are possibly looking for a quick buck owing to the recent success of CryptXXX...
    Comparison of CrypMIC (left) and CryptXXX (right) ransom notes and user interfaces of their payment sites
    > https://blog.trendmicro.com/trendlab...cryptxxx08.png
    CrypMIC and CryptXXX share many similarities; both are spread by the Neutrino Exploit Kit and use the same format for sub-versionID/botID (U[6digits]/UXXXXXX) and export function names (MS1, MS2). Both threats also employed a custom protocol via TCP port 443 to communicate with their command-and-control (C&C) servers...

    The demise of the Angler exploit kit from crypto-ransomware activity has made CryptXXX migrate to the Neutrino exploit kit, which has recently been reported to be delivering -other- ransomware families such as CryptoWall, TeslaCrypt, CryptoLocker and Cerber. We have observed that CrypMIC and CryptXXX were distributed by Neutrino interchangeably over the course of a week. CrypMIC was first pushed by Neutrino on July 6th before switching back to delivering CryptXXX 4.001 on July 8th. It started redistributing CrypMIC on July 12th before reverting to CryptXXX the next day. In the same week, Neutrino also distributed Cerber via -malvertising- as well as -other- malware from other cybercriminal groups. By July 14th, Neutrino had started to distribute an apparently newer version of CryptXXX (5.001)...

    CryptXXX automatically scans the machine for network drives, then proceeds to encrypt files stored on them. CryptXXX 4.001 also downloads and executes an information-stealing module in its process memory — named fx100.dll ...

    The decryptor created by CrypMIC’s developers has been reported to be not functioning properly. Additionally, paying the ransom only makes businesses and users susceptible to more ransomware attacks. Besides regularly backing up files, keeping systems updated with the latest patches is another means of mitigating the risks of ransomware. A multilayered defense that can secure systems, servers and networks is also recommended..."

    > https://www.proofpoint.com/us/threat...xxx-ransomware
    July 14, 2016 - "... detected an email campaign with document attachments containing malicious macros. If opened, these attachments download and install CryptXXX ransomware..."
    ___

    Business sites hijacked to deliver ransomware ...
    - http://arstechnica.com/information-t...to-ransomware/
    7/19/2016, 5:56 PM - "If you've visited the do-it-yourself project site of Dunlop Adhesives, the official tourism site for Guatemala, or a number of other legitimate (or in some cases, marginally legitimate) websites, you may have gotten more than the information you were looking for*. These sites are -redirecting- visitors to a -malicious- website that attempts to install CryptXXX — a strain of cryptographic ransomware first discovered in April. The sites were most likely exploited by a botnet called SoakSoak* or a similar automated attack looking for vulnerable WordPress plugins and other unpatched content management tools, according to a report from researchers at the endpoint security software vendor Invincea**. SoakSoak, named for the Russian domain it originally launched from, has been around for some time and has exploited thousands of websites. In December of 2014, Google was forced to blacklist over 11,000 domains in a single day after the botnet compromised their associated websites by going after the WordPress RevSlider plugin. In this recent wave of compromises, SoakSoak planted code that -redirects- visitors to a website hosting the Neutrino Exploit Kit... Even as those organizations try to regain control of their websites, others are likely to be rapidly compromised because of the vast number of sites that are behind on patching site add-ons like WordPress plugins."
    * https://storify.com/BelchSpeak/soaks...ptxxx-ransomwa

    ** https://www.invincea.com/2016/07/maj...xx-ransomware/

    Last edited by AplusWebMaster; 2016-07-20 at 18:54.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
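Added example, not part of the post above or of any of the quoted sources: a small Python check for the attachment trick the post describes, where a script or executable inside a mailed archive hides its real extension behind a double dot (as in Sendout_copy..js), a decoy document extension, or whitespace padding. The extension lists, the reason strings and the sample archive are assumptions constructed for this example; the archive members contain inert placeholder text, not the real downloader.

```python
import io
import re
import zipfile

# Extensions Windows runs or hands to a script host on double-click.
# Assumed list for this example; extend to taste.
EXECUTABLE_EXTS = {".exe", ".js", ".jse", ".jar", ".vbs", ".vbe", ".wsf",
                   ".scr", ".bat", ".cmd", ".hta", ".ps1", ".lnk"}
# Extensions a recipient expects to be harmless documents or images.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".txt",
                 ".xls", ".xlsx"}


def classify_name(name):
    """Return the reasons a member name looks like a disguised executable
    (empty list means nothing suspicious about the name)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # strip any directory part
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append("executable extension %s" % ext)
    # "Sendout_copy..js" style: an empty segment before the real extension,
    # so Explorer with hidden extensions shows "Sendout_copy."
    if parts[-2] == "":
        reasons.append("double dot before extension")
    # "invoice.pdf.exe" style: a document-looking decoy before the real one
    elif "." + parts[-2] in DOCUMENT_EXTS:
        reasons.append("document-like decoy extension .%s" % parts[-2])
    # a long run of spaces pushes the real extension out of the visible name
    if re.search(r"\s{5,}", base):
        reasons.append("whitespace padding hides extension")
    return reasons


def scan_archive(data):
    """Scan raw zip bytes; return {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample mimicking the malspam attachment; contents are inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sendout_copy..js", "// placeholder, not the real downloader\n")
        zf.writestr("invoice.pdf.exe", "MZ placeholder\n")
        zf.writestr("Sendout-Copy.jar", "PK placeholder\n")
        zf.writestr("readme.txt", "benign\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_archive(build_sample_archive()).items():
        print("%s -> %s" % (member, "; ".join(why)))
```

The check looks only at names, which is deliberate: a mail gateway can apply it before any content inspection, and it catches the case the post highlights, a .js or .jar that a user with "show known file extensions" turned off would read as a harmless document. Pair it with a policy that simply rejects archives containing any member in EXECUTABLE_EXTS, since a legitimate invoice or transaction report has no reason to ship one.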