Thread: SPAM frauds, fakes, and other MALWARE deliveries...

    Posted by AplusWebMaster (Adviser Team)

    Thumbs down Exploit kits - Nuclear EK, Fake 'Accounts Payable', Fake 'NUCSOFT-Payroll' SPAM

    FYI...

    Exploit kits on Choopa LLC / Gameservers .com IP addresses
    - http://blog.dynamoo.com/2015/01/expl...hoopa-llc.html
    7 Jan 2015 - "... The characteristics of these malicious landing pages are that they use free domains (currently .co.vu) and seem to have a very short lifespan. As I write this, the following malicious domains are LIVE:
    ooshuchahxe .co.vu
    ahjoneeshae .co.vu
    phamiephim .co.vu
    kaemahchuum .co.vu
    pahsiefoono .co.vu
    kaghaingai .co.vu
    buengaiyei .co.vu
    ohmiajusoo .co.vu
    oodeerahshe .co.vu
    paotuchepha .co.vu
    aedeequeekou .co.vu
    eikoosiexa .co.vu
    phielaingi .co.vu
    thohbeekee .co.vu
    A typical exploit landing page looks like this* [URLquery report] which appears to be the Nuclear EK. These are hosted on the following Choopa LLC / Gameservers .com IP addresses (it is the same company with two different trading names) [clicking the IP leads to the VirusTotal results, ones identified as malicious are highlighted]:
    108.61.165.69: https://www.virustotal.com/en/ip-add...9/information/
    108.61.165.70: https://www.virustotal.com/en/ip-add...0/information/
    108.61.165.96: https://www.virustotal.com/en/ip-add...6/information/
    108.61.167.160: https://www.virustotal.com/en/ip-add...0/information/
    108.61.172.139: https://www.virustotal.com/en/ip-add...9/information/
    108.61.175.125: https://www.virustotal.com/en/ip-add...5/information/
    108.61.177.107: https://www.virustotal.com/en/ip-add...7/information/
    108.61.177.89: https://www.virustotal.com/en/ip-add...9/information/
    ... these domains seem to have a very short life. I identified nearly 3000 domains using these nameservers, the following of which are flagged as malicious by Google... Recommended minimum blocklist (Choopa LLC IPs are highlighted):
    108.61.123.219
    108.61.165.69
    108.61.165.70
    108.61.165.96
    108.61.167.160
    108.61.172.139
    108.61.172.145
    108.61.175.125
    108.61.177.107
    108.61.177.89
    108.61.198.148
    108.61.211.121

    64.187.225.245
    104.224.147.220
    UPDATE: Choopa LLC say they have terminated those IPs**. However, it may still be worth reviewing your logs for traffic to these servers as they might identify machines that have been compromised."
    * http://urlquery.net/report.php?id=1420560803160

    ** https://2.bp.blogspot.com/-6jzwvTDMi...600/choopa.png
    ___

    Huffington Post and Gamezone visitors targeted with malvertising, infected with ransomware
    - http://net-security.org/malware_news.php?id=2936
    Jan 7, 2015 - "The last days of the past and the first days of the current year have been unlucky for visitors of several popular sites including the Huffington Post and Gamezone .com, which were unknowingly serving malicious ads that ultimately led to a ransomware infection. Cyphort Lab researchers first spotted the malvertising campaign on New Year's Eve on the HuffPo's Canadian website. A few days later, the ads were served on HuffingtonPost .com. The ensuing investigation revealed that the source of the ads is advertising .com, an AOL ad-network. Visitors to the sites who were served the ads were automatically redirected to a landing page hosting either the Neutrino or the Sweet Orange exploit kit. The kits served several exploits, and if one of them was successful, a new variant of the Kovter ransomware was downloaded and executed. Kovter* blocks the targeted computer's keyboard and mouse, usually demands a ransom of around $300, and searches the web browser's history for URLs of adult content sites to include in the ransom note. AOL has been notified of the problem, and has removed the malicious ads from rotation both in their advertising.com ad-network as well as in their adtech .de one... This is not the first time that Kovter was delivered in this way. Another malvertising campaign targeting YouTube users** was spotted in October 2014."
    * http://www.net-security.org/malware_news.php?id=2450

    ** http://www.net-security.org/malware_news.php?id=2883
    Sweet Orange exploit kit/NeutrinoEK: http://blog.trendmicro.com/trendlabs...it-us-victims/

    >> http://www.cyphort.com/huffingtonpost-serving-malware/
    ___

    Fake 'Accounts Payable - Remittance Advice' SPAM - doc malware
    - http://myonlinesecurity.co.uk/senior...d-doc-malware/
    7 Jan 2015 - "'Remittance Advice for 945.66 GBP' (random amounts) pretending to come from a random named Senior Accounts Payable Specialist at a random company with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Update: we are also seeing a slightly different version with the subject Invoice 2907.51 GBP (random amounts) with an Excel XLS attachment... The email looks like:

    Please find attached a remittance advice for recent BACS payment of 945.66 GBP.
    Any queries please contact us.
    Katie Carr
    Senior Accounts Payable Specialist
    BUSHVELD MINERALS LTD


    7 January 2015 : REM_5160JW.doc - Current VirusTotal detections: 4/56*
    ... [1]connects to 193.136.19.160 :8080//mans/pops.php and downloads the usual dridex to %temp%\1V2MUY2XWYSFXQ.exe Current VirusTotal definitions 4/56**
    RBAC_2856PJ.xls Current VirusTotal detections: 3/56***
    ... All of these emails use social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1420634098/

    ** https://www.virustotal.com/en/file/f...is/1420635840/
    ... Behavioural information:
    TCP connections
    194.146.136.1: https://www.virustotal.com/en/ip-add...1/information/

    *** https://www.virustotal.com/en/file/f...is/1420636228/

    1] 193.136.19.160: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'NUCSOFT-Payroll' SPAM - doc malware
    - http://myonlinesecurity.co.uk/eliza-...d-doc-malware/
    7 Jan 2015 - "'NUCSOFT-Payroll December 2014' pretending to come from Eliza Fernandes <eliza_fernandes@ nucsoft .co.in> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... DO NOT follow the advice they give to enable macros to see the content... The email looks like:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ember-2014.jpg

    7 January 2015 : Payroll Dec'14.doc . Current VirusTotal detections: 2/56*
    ... All of these emails use social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1420619222/

    - http://blog.dynamoo.com/2015/01/malw...s-nucsoft.html
    7 Jan 2015
    > https://www.virustotal.com/en/file/7...is/1420623113/

    >> https://www.virustotal.com/en/file/4...is/1420624521/

    Recommended blocklist:
    59.148.196.153: https://www.virustotal.com/en/ip-add...3/information/
    74.208.11.204: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Malformed AndroidManifest.xml in Apps Can Crash Mobile Devices
    - http://blog.trendmicro.com/trendlabs...obile-devices/
    Jan 7, 2015 - "Every Android app comprises several components, including something called the AndroidManifest.xml file or the manifest file. This manifest file contains essential information for apps, “information the system must have before it can run any of the app’s code.” We came across a vulnerability related to the manifest file that may cause an affected device to experience a -continuous- cycle of rebooting — rendering the device nearly useless to the user. The Manifest File Vulnerability: The vulnerability can cause the OS to crash through two different ways. The first involves very long strings and memory allocation. Some apps may contain huge strings in their .XML files, using document type definition (DTD) technology. When this string reference is assigned to some of the tags in AndroidManifest.xml (e.g., permission name, label, name of activity), the Package Parser will require memory to parse this .XML file. However, when it requires more memory than is available, the PackageParser will crash. This triggers a chain reaction wherein all the running services stop and the whole system consequently reboots once. The second way involves .APK files and a specific intent-filter, which declares what a service or activity can do. An icon will be created in the launcher if the manifest file contains an activity definition with this specific intent-filter:
    <intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
    If there are many activities defined with this intent-filter, the same number of icons will be created in the home page after installation. However, if this number is too large, the .APK file will trigger a loop of rebooting. If the number of activities is bigger than 10,000:
    For Android OS version 4.4, the launcher process will undergo the reboot.
    For version L, the PackageParser crashes and reboots. The malformed .APK will be installed but no icon will be displayed. If the number of activities is larger than 100,000, the devices will undergo the -loop- of rebooting...
    We have tested and proven that this created APK could -crash- both Android OS 4.4.4, Android OS L, -and- older versions of the platform... While this vulnerability isn’t technically a security risk, it does put devices at risk in terms of functionality. This vulnerability can essentially leave devices useless. Affected devices can be “rescued” but -only- if the Android Debug Bridge (ADB) is activated or enabled. The only solution would be to connect the device to a computer, boot the phone in fastboot mode, and flash the ROM. Unfortunately, such actions can only be done by highly technical users as a mistake can possibly brick a device. For this issue, we recommend that users contact customer service (if their devices are still under warranty) or a reputable repair shop. We have notified Google about this issue."
    ___

    Fake Flight QZ8501 Video on Facebook
    - https://blog.malwarebytes.org/fraud-...o-on-facebook/
    Jan 6, 2015 - "... If you’re waiting on information with regard to what caused the tragic crash of AirAsia Flight QZ8501, please be aware that the inevitable fake Facebook video links are now putting in an appearance. Here’s one, located at: bergkids(dot)com/qz8501 - The page is pretty bare, save for the imagery of what they claim is the plane in question and the following text:
    [CRASH VIDEO] AirAsia Flight QZ8501 Crashed near east coast of Sumatera.
    > https://blog.malwarebytes.org/wp-con...01/fakeqz1.jpg
    Clicking the play button encourages Facebook users to share it, before being redirected to an -imitation- YouTube page located at: urvashi(dot)altervista(dot)org/video/vid(dot)php
    > https://blog.malwarebytes.org/wp-con...01/fakeqz2.jpg
    While visitors might think this would be the video in question, in actual fact they’re looking at a sort of -fake- video -farm- where clicking the link takes them to a wide variety of phony clip scams... From there, they’re then (re)directed to one of the links in the screenshot above. There’s everything from “You won’t eat [product x] again after seeing this” to non-existent leaked celebrity tapes. Disturbingly, two of the pages claim to show car accidents and one of them uses a rather graphic photograph. Given that people could be arriving there from a personal need to find out more information about the plane crash, this is just more proof that the people behind these pages couldn’t care less... All of the above pages return the visitor to the “main” Altervista URL, where they’ll be asked to share then be sent to another of the links in the -redirect- code. It seems to be a way of trying to drop the links on as many feeds as possible (assuming the Facebook account owner changes the share option from “just me” to people in their social circles). Should the weary clicker grow tired of this digital roundabout and simply sit on the altervista page too long, they’ll find that they’re automatically sent to a page called “Horrific Video”:
    > https://blog.malwarebytes.org/wp-con...01/fakeqz5.jpg
    Unlike the other pages which simply loop potential victims around while asking them to share links, this one will take them to a -survey- page if the video “player” is clicked... As with all other survey pages, the links could lead to everything from offers and personal questions to ringtone signups or software installs and are usually served up according to region... If you want to know the latest information on the AirAsia crash, please stick to news sources you know and trust. It’s extremely unlikely someone is going to have exclusive footage sitting on some video website you’ve never heard of, and the moment you’re caught in a loop of “Share this on Facebook to view” messages you can bet there’s nothing on offer except someone trying to make a fast buck."

    Last edited by AplusWebMaster; 2015-01-07 at 21:22.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
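The dynamoo write-up quoted above recommends reviewing proxy or firewall logs for traffic to the terminated Choopa LLC addresses, since such hits point at already-compromised machines. The following script is an added example, not code from the post or from any of the blogs it quotes: it loads the IP and domain indicators listed in the post (Nuclear EK hosts, the Dridex download and callback addresses, and the NUCSOFT-Payroll blocklist), matches them against a few constructed proxy log lines in an assumed "timestamp client-ip METHOD url status" format, and reports which internal clients contacted them. Any other host under the free .co.vu domain the landing pages rotated through is reported as a lower-confidence hit rather than a block.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the post (dynamoo.com and myonlinesecurity.co.uk, 7 Jan 2015).
BLOCKLIST_IPS = {
    # Nuclear EK landing pages on Choopa LLC / Gameservers.com (recommended minimum blocklist)
    "108.61.123.219", "108.61.165.69", "108.61.165.70", "108.61.165.96",
    "108.61.167.160", "108.61.172.139", "108.61.172.145", "108.61.175.125",
    "108.61.177.107", "108.61.177.89", "108.61.198.148", "108.61.211.121",
    "64.187.225.245", "104.224.147.220",
    # 'Accounts Payable' Dridex download site and the address its payload connects to
    "193.136.19.160", "194.146.136.1",
    # 'NUCSOFT-Payroll' recommended blocklist
    "59.148.196.153", "74.208.11.204",
}
BLOCKLIST_DOMAINS = {
    "ooshuchahxe.co.vu", "ahjoneeshae.co.vu", "phamiephim.co.vu", "kaemahchuum.co.vu",
    "pahsiefoono.co.vu", "kaghaingai.co.vu", "buengaiyei.co.vu", "ohmiajusoo.co.vu",
    "oodeerahshe.co.vu", "paotuchepha.co.vu", "aedeequeekou.co.vu", "eikoosiexa.co.vu",
    "phielaingi.co.vu", "thohbeekee.co.vu",
}
# The landing pages cycled through short-lived free .co.vu domains, so any other
# .co.vu host is reported as a lower-confidence hit for analyst review, not blocked.
SUSPICIOUS_SUFFIX = ".co.vu"

# Catch typos in the indicator list at import time.
for _ip in BLOCKLIST_IPS:
    ipaddress.ip_address(_ip)

# Assumed (constructed) proxy log format: "<timestamp> <client-ip> <METHOD> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\b"
)

# Constructed sample log: two clients touch the Nuclear EK infrastructure and the
# Dridex download path named in the post; one client hits an unknown .co.vu host.
SAMPLE_LOG = """\
2015-01-07T10:02:11 10.0.0.15 GET http://ooshuchahxe.co.vu/landing.php 200
2015-01-07T10:02:12 10.0.0.15 GET http://108.61.165.69:8080/load 200
2015-01-07T10:05:40 10.0.0.22 GET http://www.example.com/index.html 200
2015-01-07T10:07:03 10.0.0.31 POST http://193.136.19.160:8080/mans/pops.php 200
2015-01-07T10:09:15 10.0.0.22 GET http://somethingelse.co.vu/ 404
malformed line that does not parse
"""


def host_of(url):
    """Lowercased hostname of a URL without the port, or None if it cannot be split."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def classify(host):
    """Verdict for one destination host, or None when it matches no indicator."""
    if host in BLOCKLIST_IPS:
        return "blocklisted-ip"
    if host in BLOCKLIST_DOMAINS:
        return "blocklisted-domain"
    if host.endswith(SUSPICIOUS_SUFFIX):
        return "suspicious-tld"
    return None


def review_log(lines):
    """Map each internal client IP to the ordered list of (host, verdict) hits in its traffic."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole review
        host = host_of(m["url"])
        if not host:
            continue
        verdict = classify(host)
        if verdict:
            hits[m["src"]].append((host, verdict))
    return dict(hits)


def compromised_hosts(hits):
    """Clients with at least one high-confidence hit; these are the machines to triage first."""
    return sorted(src for src, found in hits.items()
                  if any(verdict != "suspicious-tld" for _, verdict in found))


if __name__ == "__main__":
    found = review_log(SAMPLE_LOG.splitlines())
    for src, entries in sorted(found.items()):
        for host, verdict in entries:
            print(f"{src} -> {host} [{verdict}]")
    print("triage first:", ", ".join(compromised_hosts(found)))
```

Running the script against the constructed sample reports 10.0.0.15 and 10.0.0.31 for triage (blocklisted Nuclear EK and Dridex hosts) and leaves 10.0.0.22's unknown .co.vu contact as a lower-confidence item. Against real data, the indicator sets would be replaced with a current feed and the log regex adapted to the proxy's own format.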
    .
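The Trend Micro item above describes two manifest malformations that crash the Android PackageParser or launcher: DTD entity references that expand into huge strings, and more than 10,000 (or 100,000) activities carrying the MAIN/LAUNCHER intent-filter. The following static check is an added example, not code from the post or from Trend Micro: given a decoded text AndroidManifest.xml (the file inside an APK is binary and would first need decoding with a tool such as apktool, which is assumed here), it refuses to parse anything containing a DTD, counts launcher activities, grades the count against the two thresholds the post states, and flags oversized attribute values. The 64 KiB attribute limit is an assumed review threshold, not a figure from the post.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

LAUNCHER_LIMIT = 10_000   # post: above this the launcher (4.4) or PackageParser (L) reboots once
LOOP_LIMIT = 100_000      # post: above this the device enters a reboot loop
MAX_ATTR_LEN = 65_535     # assumed review threshold for the "huge string" variant

# Any DTD at all is out of place in a manifest; entity expansion is the memory
# blow-up the post describes, so the file is flagged without ever being parsed.
DTD_RE = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)

# Constructed benign manifest: one launcher activity and one ordinary activity.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:label="Example">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".Settings"/>
  </application>
</manifest>
"""

# Constructed manifest carrying a (tiny, harmless) internal DTD entity.
DTD_MANIFEST = """<?xml version="1.0"?>
<!DOCTYPE manifest [<!ENTITY pad "x">]>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dtd">
  <application android:label="&pad;"/>
</manifest>
"""


def is_launcher(activity):
    """True if the <activity> has an intent-filter with both MAIN and LAUNCHER."""
    for flt in activity.findall("intent-filter"):
        actions = {a.get(NAME_ATTR) for a in flt.findall("action")}
        categories = {c.get(NAME_ATTR) for c in flt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False


def count_launcher_activities(root):
    return sum(1 for activity in root.iter("activity") if is_launcher(activity))


def grade_launcher_count(n):
    """Map a launcher-activity count onto the failure modes the post describes."""
    if n > LOOP_LIMIT:
        return "reboot-loop"
    if n > LAUNCHER_LIMIT:
        return "launcher-crash"
    return None


def longest_attribute(root):
    return max((len(v) for el in root.iter() for v in el.attrib.values()), default=0)


def check_manifest(xml_text):
    """Return a list of findings for one decoded AndroidManifest.xml; empty means clean."""
    findings = []
    if DTD_RE.search(xml_text):
        findings.append("dtd-present")
        return findings  # do not parse: expansion is the crash condition itself
    root = ET.fromstring(xml_text)
    grade = grade_launcher_count(count_launcher_activities(root))
    if grade:
        findings.append(grade)
    if longest_attribute(root) > MAX_ATTR_LEN:
        findings.append("oversized-attribute")
    return findings


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("dtd", DTD_MANIFEST)):
        print(label, check_manifest(text) or "clean")
```

The check is meant to run in an app-vetting pipeline before installation, where it is cheap; the thresholds are applied to the parsed count rather than to a generated fixture so the grading logic can be tested without building a manifest of that size.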
