
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

#34 AplusWebMaster (Adviser Team) - Join Date: Oct 2005 - Location: USA - Posts: 6,881

    Fake 'Confirmation', 'Certificate', 'e-fax' SPAM

    FYI...

    Fake 'Confirmation' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...ky-ransomware/
    14 Dec 2016 - "An email -spoofing- Kirklees Council with the subject of 'Booking Confirmation' pretending to come from random senders with a malicious word doc attachment delivers Locky ransomware... The email looks like:
    From: jewell nethercote <jewell.nethercote@ luciafranca .com>
    Date: Wed 14/12/2016 08:06
    Subject: Booking Confirmation
    Attachment: BookingConfirmation_331225_aberkinnuji@ thespykiller .co.uk.docm
    Booking Confirmation
    This email and any attachments are confidential. If you have received it in error – notify the sender immediately, delete it from your system, and do not use, copy or disclose the information in any way. Kirklees Council monitors all emails sent or received.


    14 December 2016: BookingConfirmation_331225_aberkinnuji@ thespykiller .co.uk.docm
    Current VirusTotal detections 13/56*. MALWR** shows a download of an encrypted file from
    http ://eastoncorporatefinance .com/nbv364 which is converted by the script to sonmoga2.rudf (VirusTotal 7/57***). Payload Security[4]. Locky has recently started to use non-standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1481706521/

    ** https://malwr.com/analysis/ZmQyMjMzY...JlNTBjYTEzYjY/
    Hosts
    217.160.231.206
    176.121.14.95


    *** https://www.virustotal.com/en/file/a...is/1481706902/

    [4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts

    ___

    Fake 'Certificate' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/parce...ky-ransomware/
    14 Dec 2016 - "... an email with the subject of 'Parcel Certificate' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of par_cert_5444211.zip which delivers Locky ransomware... One of the emails looks like:
    From: Effie Bush <Bush.Effie@ adkime .com>
    Date: Wed 14/12/2016 09:41
    Subject: Parcel Certificate
    Attachment: par_cert_5444211.zip
    Dear hyperbolasmappera,
    Please check the parcel certificate I am sending you in the attachment.
    Order number is 477-F. Quite urgent, so please review it.
    Best Regards,
    Effie Bush


    14 December 2016: par_cert_5444211.zip: Extracts to: ~_9UZONB_~.wsf - Current VirusTotal detections 3/54*
    Payload Security** shows a download of an encrypted file from http ://ziskant .com/kqnioulnfj which is converted by the script to hIzFvc4Ek.zk (VirusTotal 4/56***). Locky has recently started to use non-standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1481708404/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://www.virustotal.com/en/file/4...is/1481709795/
    ___

    Fake 'e-fax' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    14 Dec 2016 - "An email with the subject of 'eFax message from +611300786102 – 4 page(s), Caller-ID: +611300786102' (random numbers) pretending to come from eFax <inbound@ efax .delivery> with a malicious word doc attachment delivers Trickbot banking Trojan...

    Screenshot: https://i2.wp.com/myonlinesecurity.c...g?w=1308&ssl=1

    14 December 2016: InboundMessage.doc - Current VirusTotal detections 10/53*
    Payload Security** shows a download from ‘http ://cendereci .com/dasphdasodasopjdaspjdasdasa.png’ which is -not- a png (image file) but -renamed- .exe (VirusTotal 41/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1481698402/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://www.virustotal.com/en/file/a...78f8/analysis/

    Last edited by AplusWebMaster; 2016-12-14 at 16:26.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
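A defender-side check prompted by the renamed-extension trick described in the post above (a '.png' that is really an .exe; '.zk', '.rudf' or '.342' files that are really DLLs for rundll32.exe): it reads the real file type from the bytes and flags a mismatch with the advertised extension. This is an added example, not code from the original post or from myonlinesecurity.co.uk; the sample bytes are constructed minimal PE headers, and only the filenames are the ones quoted in the post.

```python
"""Content-vs-extension check for suspected droppers (constructed samples)."""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # COFF Characteristics bits
IMAGE_FILE_DLL = 0x2000               # set on DLL images (what rundll32 loads)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def pe_kind(data: bytes):
    """Return 'dll' or 'exe' if data is a PE image, else None (minimal parse)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature; Characteristics is its last WORD
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def classify(filename: str, data: bytes) -> str:
    """Verdict comparing the real content with the advertised extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = pe_kind(data)
    if kind is not None:
        if ext in ("exe", "dll"):
            return f"pe-{kind}:declared"
        return f"pe-{kind}:masquerading-as-.{ext or '(none)'}"
    if data.startswith(PNG_MAGIC):
        return "png:ok" if ext == "png" else f"png:misnamed-.{ext}"
    return "unknown"


def make_sample_pe(is_dll: bool) -> bytes:
    """Constructed minimal PE header (no sections), for offline testing only."""
    mz = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, chars)
    return mz + b"PE\0\0" + coff


if __name__ == "__main__":
    samples = {  # names quoted in the post, bytes constructed here
        "sonmoga2.rudf": make_sample_pe(True),
        "dasphdasodasopjdaspjdasdasa.png": make_sample_pe(False),
        "real.png": PNG_MAGIC + b"\0" * 8,
    }
    for name, blob in samples.items():
        print(f"{name:34} {classify(name, blob)}")
```

Run against an attachment's dropped files, a "png" or a four-character-extension file that classifies as `pe-dll` or `pe-exe` is the mismatch the post warns about.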
