Thread: SPAM frauds, fakes, and other MALWARE deliveries...

Post #34
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005 - Location: USA - Posts: 6,881

    Fake 'Account report', 'Delivery Confirmation', 'Renewed License', 'payment copy' SPAM

    FYI...

    Fake 'Account report' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/accou...elivers-locky/
    14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Account report' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... Payload Security[1] shows an error in running the dll file... One of the emails looks like:
    From: Kimberley Witt <Witt.0236@ shopscissors .com>
    Date: Wed 14/09/2016 08:31
    Subject: Travel expense sheet
    Attachment: 667b8951c871.zip
    Dear nohdys, we have detected the cash over and short in your account.
    Please see the attached copy of the report.
    Best regards,
    Kimberley Witt
    e-Bank Manager


    14 September 2016: 667b8951c871.zip: Extracts to: Account report 2311EEF4.wsf - Current Virus total detections 5/55**
    .. MALWR*** unable to get any content. Payload security[1] shows a download of an encrypted file from
    maydayen .net/l835ztl which is transformed by the script to RjN1UKDIQLzodBg.dll (VirusTotal 21/58[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    178.212.131.10

    ** https://www.virustotal.com/en/file/e...is/1473838191/

    *** https://malwr.com/analysis/YTRlNjk0Y...JlYTkxNTFlYWI/

    4] https://www.virustotal.com/en/file/1...is/1472755942/
    ___

    Fake 'Delivery Confirmation' SPAM - delivers Locky/Zepto
    - https://myonlinesecurity.co.uk/deliv...rs-lockyzepto/
    14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Delivery Confirmation: 00336499' [random numbers] coming as usual from ship-confirm@ random companies, names and email addresses with a random named zip attachment containing a .JS file. These are slightly better done than some recent ones. The attachment number Shipping Notification matches the subject Delivery Confirmation number... One of the emails looks like:
    From: ship-confirm@ laughlinandbowen .com
    Date: Wed 14/09/2016 10:55
    Subject: Delivery Confirmation: 00336499
    Attachment: Shipping Notification 00336499.zip
    PLEASE DO NOT REPLY TO THIS E-MAIL. IT IS A SYSTEM GENERATED MESSAGE.
    Attached is a pdf file containing items that have shipped
    Please contact us if there are any questions or further assistance we can provide


    14 September 2016: Shipping Notification 00336499.zip: Extracts to: WOIMKE51915.js
    Current Virus total detections 7/55*. MALWR** shows a download of an encrypted file from one of these locations:
    http ://adventurevista .com/hjy93JNBasdas?TVwzUk=tqFSMMU | http ://morerevista .com/hjy93JNBasdas?TVwzUk=tqFSMMU
    which is transformed by the script to TKuAgcqe3.dll (VirusTotal 6/57***)... There are frequently 5 or 6 and even up to 150 download locations on some days, sometimes delivering exactly the same malware from all locations and sometimes slightly different malware versions... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1473847035/

    ** https://malwr.com/analysis/MWE1OWVkZ...ljOTFmNjkxYTk/
    Hosts
    204.93.163.87
    23.236.238.227


    *** https://www.virustotal.com/en/file/d...is/1473848281/
    ___

    Fake 'Renewed License' SPAM - more Locky
    - https://myonlinesecurity.co.uk/renew...elivers-locky/
    14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Renewed License' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... One of the emails looks like:
    From: Stella Henderson <Henderson.70579@ siamesegear .com>
    Date: Wed 14/09/2016 17:58
    Subject: Renewed License
    Attachment: 4614d82776.zip
    Here is the company’s renewed business license.
    Please see the attached license and send it to the head office.
    Best regards,
    Stella Henderson
    License Manager


    14 September 2016: 4614d82776.zip: Extracts to: renewed business license 3D956A.wsf
    Current Virus total detections 2/55*. MALWR** seems unable to cope with WSF files like this. Payload Security*** shows a download of an encrypted file from moismdheri .net/jqpxub which is transformed by the script to a working locky file, which unfortunately isn’t being shown or made available... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1473872609/

    ** https://malwr.com/analysis/MmFlNDUzM...M1MzE3ZjhlNzY/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    37.200.70.6
    52.32.150.180
    93.184.220.29
    54.192.203.123

    ___

    Fake 'payment copy' SPAM - delivers Locky/Zepto
    - https://myonlinesecurity.co.uk/payme...s-locky-zepto/
    13 Sep 2016 - "... Locky downloaders... an email with the subject of 'payment copy' coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file. The email body has -no- content except 'Best Regards' and the alleged sender's name... One of the emails looks like:
    From: Eddie screen <Eddie450@ hidrolats .lv>
    Date: Tue 13/09/2016 22:02
    Subject: payment copy
    Attachment: PID6650.zip

    Best Regards, _________
    Eddie screen


    13 September 2016: PID6650.zip: Extracts to: OCRXIB2826.wsf - Current Virus total detections 7/56*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://allchannel .net/jpqhvig?eGkOBjIQFz=dEVDXjWYjjH | http ://feechka .ru/wdxwxoa?eGkOBjIQFz=dEVDXjWYjjH
    http ://jonathankimsey .com/rptyswr?eGkOBjIQFz=dEVDXjWYjjH
    which is transformed by the script to yvXjbqxs1.dll (VirusTotal 7/58***). Payload security[4] is showing a different dll downloaded & converted... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1473800782/

    ** https://malwr.com/analysis/MzNiNjBmY...IzMjQyNDJmNjk/
    Hosts
    94.73.146.80
    5.61.32.143
    143.95.41.185


    *** https://www.virustotal.com/en/file/7...is/1473801197/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    94.73.146.80
    5.61.32.143
    143.95.41.185
    52.24.123.95
    93.184.220.29
    54.192.203.254
    91.198.174.192
    91.198.174.208
    52.33.248.56


    Last edited by AplusWebMaster; 2016-09-14 at 22:47.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
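All four campaigns quoted above share one delivery shape: a randomly named ZIP attachment whose only members are Windows script files (.wsf or .js, sometimes two identical copies) that fetch and decode the Locky DLL at run time. The following is an added example, not code from the forum post or from myonlinesecurity.co.uk, of a mail-gateway style attachment check that quarantines such archives before a user can open them. The extension list, the function names and the constructed sample archives are this example's own assumptions; the member name "Account report 2311EEF4.wsf" echoes the sample in the post, and the member contents are inert text.

```python
"""
Added example (not from the forum post or myonlinesecurity.co.uk):
inspect a ZIP e-mail attachment for the script-based downloader pattern
described in the post (.wsf/.js members, sometimes two identical copies).
"""
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# Script types that Windows hands to WScript/CScript/mshta when opened from
# Explorer. The post's samples used .wsf and .js; the rest of the list is this
# example's own assumption about what a gateway should treat the same way.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".wsh"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Return findings for a ZIP attachment supplied as raw bytes.

    findings["script_members"]   - member names with a script extension
    findings["duplicate_groups"] - groups of member names with identical content
    findings["verdict"]          - "quarantine" or "allow"
    """
    findings = {"script_members": [], "duplicate_groups": [], "verdict": "allow"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # An attachment that claims to be a ZIP but cannot be parsed is not
        # something to wave through; fail closed.
        findings["verdict"] = "quarantine"
        findings["error"] = "not a valid zip"
        return findings

    by_hash: dict[str, list[str]] = {}
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        # suffix() handles double extensions such as "invoice.pdf.js" -> ".js"
        if PurePosixPath(name).suffix.lower() in SCRIPT_EXTENSIONS:
            findings["script_members"].append(name)
        # Hash member content so "2 identical .WSF files" shows up as one group.
        digest = hashlib.sha256(zf.read(info)).hexdigest()
        by_hash.setdefault(digest, []).append(name)

    findings["duplicate_groups"] = [
        names for names in by_hash.values() if len(names) > 1
    ]
    if findings["script_members"]:
        findings["verdict"] = "quarantine"
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Constructed test input: an in-memory ZIP built from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): the lure mirrors the post's shape,
# two identical .wsf members; the benign archive holds a single inert PDF.
INERT_WSF = "<job><script language='JScript'>/* inert placeholder */</script></job>"
LURE_ZIP = build_sample_zip({
    "Account report 2311EEF4.wsf": INERT_WSF,
    "Account report 2311EEF4 (1).wsf": INERT_WSF,
})
BENIGN_ZIP = build_sample_zip({"invoice.pdf": "%PDF-1.4 inert sample"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, inspect_zip_attachment(blob))
```

On the constructed lure the check reports both .wsf members, groups them as identical content and returns "quarantine"; the benign archive returns "allow". Hashing member contents rather than trusting names is what catches the "2 identical files" trait the post mentions, and failing closed on an unparseable archive avoids letting a malformed ZIP slip past a gateway that a desktop unzipper would still open.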
