Page 111 of 132 FirstFirst ... 1161101107108109110111112113114115121 ... LastLast
Results 1,101 to 1,110 of 1320

Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1101
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Urgent bill', 'Attached Image' SPAM

    FYI...

    Fake 'Urgent bill' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/urgen...elivers-locky/
    30 Nov 2016 - "... Locky downloader... an email with the subject of 'Urgent' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of unpaid_recipient’s name.zip... One of the emails looks like:
    From: Adolfo Alexander <Alexander.Adolfo@ escondidohistory .org>
    Date: Wed 30/11/2016 09:06
    Subject: Urgent
    Attachment: unpaid_forum.zip
    Dear forum, our accountant informed me that in the bill you processed, the invalid account number had been specified.
    Please be guided by instructions in the attachment to fix it up.


    30 November 2016: unpaid_forum.zip: Extracts to: -snk-284042943.js - Current Virus total detections 10/55*
    MALWR** shows a download of an encrypted file from http ://revaitsolutions .com/ij1driqioc which is converted by the script to K3GepPJAfH.tdb (VirusTotal 5/57***). Payload Security[4]. The tdb file is actually a dll file that is run by rundll32 but given a different extension... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1480496588/

    ** https://malwr.com/analysis/MmFiNzdjM...E3ODJmZGYyMWI/
    Hosts
    166.62.28.127

    *** https://www.virustotal.com/en/file/9...is/1480498073/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    166.62.28.127
    185.75.46.138
    91.201.41.145
    91.142.90.46
    52.42.26.69
    54.240.162.193
    52.35.54.251

    ___

    Fake 'Attached Image' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/attac...elivers-locky/
    30 Nov 2016 - "A -blank- email with the subject of 'Attached Image' pretending to come from canon@ your-own-email-domain with a malicious word doc attachment delivers Locky... The email looks like:
    From: canon@ thespykiller .co.uk
    Date: Wed 30/11/2016 09:23
    Subject: Attached Image
    Attachment: 6479_005.docm


    Body content: Totally blank/empty

    30 November 2016: 6479_005.docm - Current Virus total detections 9/55*
    Both MALWR** and Payload Security*** show a download from satherm .pt/873nf3g which is converted by the macro to ajufr51.dll (VirusTotal 5/57[4]). Manual analysis shows an attempt to download from
    http ://travelinsider .com.au/021ygs7 which is currently giving me a 404. There are normally 5 or 6 download locations buried inside the macro or scrpt files with these Locky versions.
    C2 http ://91.142.90.61 /information.cgi | 95.213.195.123 /information.cgi... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1480498411/

    ** https://malwr.com/analysis/MjEwOGQ3Y...g0NmRjZWQzNTQ/
    Hosts
    80.172.235.175
    91.142.90.61


    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    80.172.235.175
    95.213.195.123
    91.142.90.61
    2.16.4.33
    52.42.26.69
    54.240.162.55
    52.35.54.251
    91.198.174.192
    91.198.174.208


    4] https://www.virustotal.com/en/file/9...is/1480499902/
    ___

    Forced install - Chrome extension...
    - https://blog.malwarebytes.com/cyberc...ome-extension/
    Nov 29, 2016 - "We have found a number of websites whose sole purpose is to try and force an extension on anyone visiting that site with Chrome. Most often, you can likely land on one of these sites after a -redirect- from a crack, keygen, or adult entertainment site... site runs a JavaScript producing this dialog box, telling you you’ll have to 'Add Extension to Leave':
    > https://blog.malwarebytes.com/wp-con...11/prompt1.png
    Clicking “Cancel” once changes it to add a tick box marked “Prevent this page from creating additional dialogs”:
    > https://blog.malwarebytes.com/wp-con.../warning2w.png
    Thinking that this is the ticket out of the page, you will tick that box and click “OK”. At this point, your tab will go into “Full Screen” mode, and you can see which extension they want you to install:
    > https://blog.malwarebytes.com/wp-con.../warning3w.png
    The app is called Veritasi and a big arrow pointing to the “Add extension” button is displayed on the site. Clicking the said button initiates the installation of the app:
    > https://blog.malwarebytes.com/wp-con...1/warning4.png
    When I looked up Veritasi, we noticed it was added to the “Web Store” the same day we found it and it’s supposedly meant to improve your sound quality online:
    > https://blog.malwarebytes.com/wp-con...undimprove.png
    A similar extension was found and described by Botcrawl.com who classified it as adware. It has the permission “Read and change all your data on the websites you visit”, which is not unusual for a browser extension, but it’s all what -adware- needs to do its job:
    > https://blog.malwarebytes.com/wp-con...rmissionsw.png
    If your Windows machine gets stuck on a site like this, use the Ctrl-Alt-Del key combination to invoke the Task Manager. Use “End Process” on every active “chrome.exe” process until the browser shuts down. When you restart Chrome, it will ask if you want to “Restore” the open tabs. I would recommend -not- to, unless it’s really necessary. We have sent in an abuse report and blocked the sites involved to protect as many possible victims as we could..."
    > https://blog.malwarebytes.com/wp-con...6/11/abuse.png
    ... A full removal guide can be found on our forums*..."
    * https://forums.malwarebytes.org/topi...-for-veritasi/

    Last edited by AplusWebMaster; 2016-11-30 at 13:17.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1102
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'efax', 'Invoices' SPAM, Cybercrime raids

    FYI...

    Fake 'efax' SPAM - delivers Dridex
    - https://myonlinesecurity.co.uk/efax-...known-malware/
    1 Dec 2016 - "... an email with the subject of 'efax message from unknown – 2 page(s)' pretending to come from eFax <message@ inbound-efax-au .org> with a link-to-download-a-zip-file that extracts to 2 identical .js files named fax page 1 and fax page 2...

    Screenshot: https://i2.wp.com/myonlinesecurity.c...24%2C773&ssl=1

    1 December 2016: Fax.zip: Extracts to: Fax_page1.js - Current Virus total detections 3/55*
    MALWR** shows a download of a file from ‘http ://mohdsuhaimy .com/wp-content/uploads/2006/06/background.png’ which is -not- a png (image file) but a -renamed- .exe which is renamed back by the script to an .exe file (VirusTotal 15/57***). (Payload Security [4]). Previously this trick & delivery method has delivered Trickbot banking Trojan. However this binary looks different and gives some indication of ransomware behaviour...
    Update: I am reliably informed that this is Dridex Banking Trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1480579221/

    ** https://malwr.com/analysis/NDdiMjI1M...JhYmMwMWZjYWU/
    Hosts
    173.247.245.31

    *** https://www.virustotal.com/en/file/e...is/1480579728/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    173.247.245.31
    111.69.33.166
    104.236.219.229
    185.8.165.33

    ___

    Fake 'Invoices' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/more-...elivers-locky/
    1 Dec 2016 - "... Locky downloader... an email with the subject of 'E-Mailed Invoices Invoice_87313391' (random numbers) coming or pretending to come from random companies, names and email addresses with what appears to be a word docm attachment - In reality this attachment is a standard zip file that has been erroneously named as a word macro doc. It will not open in word or any other word processing program. This zip contains a VBS file. Trying to open the alleged word doc in Word gives this error message:
    > https://i2.wp.com/myonlinesecurity.c...ng?w=524&ssl=1
    ... One of the emails looks like:
    From: WAUGH, HORACIO <HORACIO.WAUGH@ originalyin .ca>
    Date: Thu 01/12/2016 09:23
    Subject: E-Mailed Invoices Invoice_87313391
    Attachment: Invoice_87313391.docm
    Please find attached your latest purchase invoice...
    Any queries with either the quantity or price MUST be notified immediately to the department below.
    Yours sincerely, Sales Ledger Department...
    This email has been scanned by the Symantec Email Security.cloud service...


    1 December 2016: Invoice_87313391.docm (actually a zip file): Extracts to: fGDpAMD-0438.vbs
    Current Virus total detections on docm(zip) VirusTotal on VBS 20/55*. Payload Security** shows a download of an encrypted file from speckftp .de/978t6rve which is converted by the script to nhbzalOHj.343 (VirusTotal 37/56***)
    Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 etc or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1480587704/
    fGDpAMD-0438.vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    87.106.247.11
    95.213.195.123
    91.142.90.61
    54.240.162.180


    *** https://www.virustotal.com/en/file/8...is/1480587701/
    ___

    Fake 'Invoice' SPAM - links to Dridex
    - https://myonlinesecurity.co.uk/invoi...anking-trojan/
    1 Dec 2016 - "... an email with the subject of 'Invoice INV-01823 (Amended)' from Fleurs (random numbers and random companies) coming from Accounts <messaging-service@ post-xero .org>. There is no zip attachment but a -link- in the email to download a zip... post-xero .org is a newly created domain that is registered to a Chinese entity with probably -fake- details. It appears to be hosted on OVH in France... One of the emails looks like:
    From: Accounts <messaging-service@ post-xero .org>
    Date: Thu 01/12/2016 08:02
    Subject: Invoice INV-01823 (Amended) from Fleurs
    Attachment: link-in-email to INV-01823.zip
    Dear Customer, Please find attached invoice INV-01823 (Amended) for 421.59 GBP. This invoice was sent too early in error. The payment date should be 7th December 2016. Kindly accept our apologies for the oversight and for any inconvenience caused. The amount outstanding of 421.59 GBP is due on 07 Dec 2016. View and pay your bill:
    https ://in.xero .com/vjNPxBRausdmfvsgnZKOMWvyHsISTwYm If you have any questions, please do not hesitate to contact us. Kind regards, Accounts Department ...


    The link in the body does -not- go to xero .com which is a legitimate small business accounting software but to a criminal controlled site on SharePoint: ‘https :// ryandixon-my.sharepoint .com personal/judy_dixonconstructionwa_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=k9xc1qR8YuAKTF6D2%2bMExORcjRIY3nQj8RB7WhdXaSw%3d&docid=09d01294b7e434b2aad87127682150354&rev=1’

    1 December 2016: INV-01823.zip: Extracts to: INV-01823.js - Current Virus total detections 6/54*
    .. where comments show this downloads the same Dridex banking Trojan from the -same- locations as described in THIS earlier post:
    > https://myonlinesecurity.co.uk/efax-...known-malware/
    The basic rule is NEVER open any attachment to an email [OR click-on-links in the body] unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1480587854/
    INV-01823.js

    post-xero .org: 46.105.101.84: https://www.virustotal.com/en/ip-add...4/information/

    ryandixon-my.sharepoint .com: 104.146.222.33: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/fb...e61f/analysis/
    1/68
    ___

    Fake 'Payment Information' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/payme...elivers-locky/
    1 Dec 2016 - "... Locky downloader... an email with the subject of 'Payment Information' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of P_recipient’s name.zip... One of the emails looks like:
    From: Helga Hull <Hull.Helga@ dreamactunion .org>
    Date: Thu 01/12/2016 18:23
    Subject: Payment Information
    Attachment: P_rek.zip
    Good afternoon. Thank you for sending the bill.
    Unfortunately, you have forgotten to specify insurance payments.
    So, we cannot accept the payment without them.
    All details are in the attachment.


    1 December 2016: P_rek.zip: Extracts to: -6dt874p53077.js - Current Virus total detections 16/55*
    MALWR** shows a download of an encrypted file from http ://trewincefarm .co.uk/xlyy7 which is converted by the script to 0UBE8YF7q1BcN.zk (VirusTotal 11/57***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1480616575/

    ** https://malwr.com/analysis/Njg0ZmViN...c4MWI5ZWVmYjU/
    Hosts
    82.211.96.24

    *** https://www.virustotal.com/en/file/1...is/1480617465/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    82.211.96.24
    91.201.41.145
    46.8.29.155
    31.41.47.50
    52.32.150.180
    54.240.162.129
    35.160.111.237

    ___

    Worldwide cyber-crime network hit in coordinated raids
    - http://www.reuters.com/article/us-ge...-idUSKBN13Q4Z6
    Dec 1, 2016 - "One of the world's biggest networks of hijacked computers, which is suspected of being used to attack online banking customers, has been taken down following police swoops in 10 countries, German police said on Thursday. In an internationally coordinated campaign, authorities carried out the raids on Wednesday, seized servers and website domains and arrested suspected leaders of a criminal organization, said police and prosecutors in northern Germany. Officials said they had seized 39 servers and several hundred thousand domains, depriving criminals of control of more than 50,000 computers in Germany alone. These hijacked computers were used to form a 'botnet' to knock out other websites. Two people who are believed to have been the administrators of the botnet infrastructure known as 'AVALANCHE' were arrested in Ukraine, investigators said. Another person was arrested in Berlin, officials added. The strike came in the same week that hackers tried to create the world's biggest botnet, or an army of zombie computers, by infecting the routers of 900,000 Deutsche Telekom (DTEGn.DE) with malicious software. The attack failed but froze the routers, causing outages in homes, businesses and government offices across Germany on Sunday and Monday, Deutsche Telekom executives said. Police said criminals had used the 'AVALANCHE' botnet targeted in Wednesday's international raids since 2009 to send phishing and spam emails. More than a million emails were sent per week with malicious attachments or links. When users opened the attachment or clicked on the link, their infected computers became part of the botnet. Investigators said the suspects had operated the commandeered network and made it available to other criminal groups, who had used it to send spam and phishing mails, defraud online banking user and to spread ransomware, a form of online extortion scheme. Officials estimated worldwide damages at upward of several hundred million euros. Authorities have identified 16 suspected leaders of the organization from 10 different countries. A court in Verden, northern Germany, has issued arrest warrants for seven people on suspicion of forming a criminal organization, commercial computer fraud and other criminal offences. The raids came after more than four years of intensive investigation by specialists in 41 countries."

    Last edited by AplusWebMaster; 2016-12-01 at 21:38.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #1103
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Pay Attention', 'Emailing' SPAM

    FYI...

    Fake 'Pay Attention' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/pleas...elivers-locky/
    2 Dec 2016 - "... Locky downloader... an email with the subject of 'Please Pay Attention' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of SCAN_recipient’s name.zip... One of the emails looks like:
    From: Claud Hopper <Hopper.Claud@ jvaclub .com>
    Date: Fri 02/12/2016 09:35
    Subject: Please Pay Attention
    Attachment: SCAN_ard.zip
    Greetings! Informing you that the contractor requires including VAT in the service receipt.
    Sending the new invoice and payment details in the attached file.
    Please open and study it as soon as possible – we need your decision.


    2 December 2016: SCAN_ard.zip: Extracts to: -uvk3166985727v.js - Current Virus total detections 8/55*
    MALWR** shows a download of an encrypted file from http ://supermarkety24 .pl/levsyp8vp which is converted by the script to 5viAGx9N.zk (VirusTotal 8/56***) | Payload Security[4] | Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1480674917/

    ** https://malwr.com/analysis/Njg0ZmViN...c4MWI5ZWVmYjU/
    Hosts
    82.211.96.24

    *** https://www.virustotal.com/en/file/6...is/1480676872/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    193.106.106.169
    95.46.98.25
    91.201.41.145
    46.8.29.173

    ___

    Fake 'Emailing..." SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/email...elivers-locky/
    2 Dec 2016 - "An email with the subject of 'Emailing: EPS000007' (random numbers) pretending to come from random names at your-own-email-address with a malicious word doc attachment delivers Locky... The email looks like:
    From: edmund <edmund.simister@ malware-research .co.uk>
    Date: Fri 02/12/2016 12:39
    Subject: Emailing: EPS000007
    Attachment: EPS000007.docm
    Please find attachment.

    This email has been checked for viruses by Avast antivirus software...


    2 December 2016: EPS000007.docm - Current Virus total detections 10/56*
    MALWR** shows a download of an encrypted file from http ://solid-consulting .nl/74t3nf4gv4 which is converted by the macro to likyir1.exe (VirusTotal 8/57***). Payload security[4]. C2: http ://195.19.192.99 /information.cgi
    Other download locations seen on manual analysis of the macro include:
    solid-consulting .nl/74t3nf4gv4 | taikosushibar .com.br/74t3nf4gv4 | tatooshsfds .com/74t3nf4gv4
    sudeepgurtu .com/74t3nf4gv4 ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1480682348/

    ** https://malwr.com/analysis/MWJmZDk3M...dlMzg0YjlmYjA/
    Hosts
    149.210.133.178
    195.19.192.99


    *** https://www.virustotal.com/en/file/6...is/1480680017/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    149.210.133.178
    195.19.192.99
    91.142.90.61
    31.41.47.50
    52.34.245.108
    54.240.162.246

    ___

    Fake 'Attached Document' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/attac...elivers-locky/
    2 Dec 2016 - "A -blank- email with the subject of 'Attached Document' pretending to come from canon@ your-own-email-domain with a malicious word doc attachment delivers Locky. This series of malspam emails contain the same macro downloaders and end up delivering the -same- Locky payload as described in THIS* earlier post where they used an Epson scanner/printer... The email looks like:
    From: canon@ my onlinesecurity .co.uk
    Date: Fri 02/12/2016 15:52
    Subject: Attached Document
    Attachment: 0160_004.docm


    Body content: Totally blank/empty

    * https://myonlinesecurity.co.uk/email...elivers-locky/
    2 Dec 2016

    Last edited by AplusWebMaster; 2016-12-02 at 18:56.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #1104
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake blank body, 'No subject', 'Consider This', 'Sage invoice', 'Shipping status SPAM

    FYI...

    Fake blank body SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/blank...elivers-locky/
    5 Dec 2016 - "... Locky downloader... a completely -blank- email with the subject consisting of random numbers coming or pretending to come from random companies, names and email addresses with a zip attachment that matches the subject line numbers. I have received about 1500 copies of this malspam overnight. All the ones that I have seen start with either 051220160 or 041220161... One of the emails looks like:
    From: Monica clare <Monica.clare85349@ fit4elegance .com>
    Date: Mon 05/12/2016 00:47
    Subject: 051220160746377790277
    Attachment: 051220160746377790277.zip


    Body content: totally blank/empty

    5 December 2016: 051220160746377790277.zip: Extracts to: 201612031200123557933004.vbs
    Current Virus total detections 14/55*. Payload Security** shows a download of an encrypted file from
    http ://natashacollis .com/8765r which is converted by the script to yqUePnct.343 (VirusTotal 11/53***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1480911167/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    46.16.59.177
    91.142.90.61


    *** https://www.virustotal.com/en/file/1...is/1480922615/
    ___

    Fake 'No subject' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/12/malw...924272-no.html
    5 Dec 2016 - "This spam comes in a few different variants, and it leads to Locky ransomware encrypting files with an extension '.osiris'. The more word version comes from random senders with a subject like _9376_924272 or some other randomly-numbered sequence. Attached to that is an XLS file of the same name and it includes this body text:
    Your message is ready to be sent with the following file or link
    attachments:
    _9376_924272
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled.


    The second version has no body text and the subject No subject or (No subject). The XLS file is named in a format incorporating the date, e.g. 2016120517082126121298.xls . The macro in the malicious Excel file downloads a component...
    (Long list of domain-names at the dynamoo URL above.)
    ... You can see some of the things done in these two Malwr reports [1] [2]. The Locky ransomware dropped then phones home to one of the following locations:
    185.82.217.28 /checkupdate [hostname: olezhkakovtony11.example .com] (ITL, Bulgaria)
    91.142.90.61 /checkupdate (Miran, Russia)
    195.19.192.99 /checkupdate (OOO EkaComp, Russia)
    Recommended blocklist:
    185.82.217.28
    91.142.90.61
    195.19.192.99
    "
    1] https://malwr.com/analysis/YTQzZjMwN...lmYTg3YzBjZjA/
    Hosts
    66.96.147.105
    91.142.90.61


    2] https://malwr.com/analysis/ZWVhM2RjN...AyNDQ4N2IzNjU/
    Hosts
    94.152.38.41
    185.82.217.28


    - https://myonlinesecurity.co.uk/blank...elivers-locky/
    5 Dec 2016 - "... Locky downloader... another -blank- email with no-subject coming or pretending to come from random companies, names and email addresses with an XLS spreadsheet attachment... One of the emails looks like:
    From: Rolf titterington <Rolf.titterington91@ prestonlegacy .com>
    Date: Mon 05/12/2016 09:44
    Subject: no subject
    Attachment: 2016120502434302394842.xls


    Body content: empty

    5 December 2016: 2016120502434302394842.xls - Current Virus total detections 16/55*
    MALWR** shows a download of an encrypted file from http ://soulscooter .com/87t34f which is converted by the script to shtefans1.spe (VirusTotal 6/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to. I am informed that Locky is now using .Osiris file extensions on the encrypted files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1480616575/

    ** https://malwr.com/analysis/MzA4NDllN...I1YWU5MDQ3NTk/
    Hosts
    212.97.132.199
    195.19.192.99
    91.142.90.61
    185.82.217.28


    *** https://www.virustotal.com/en/file/7...is/1480932128/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    ___

    Fake 'Consider This' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/12/malw...his-leads.html
    5 Dec 2016 - "This -fake- financial spam leads to malware:
    From: Aimee Guy
    Date: 5 December 2016 at 13:32
    Subject: Please Consider This
    Dear [redacted],
    Our accountants have noticed a mistake in the payment bill #DEC-5956047.
    The full information regarding the mistake, and further recommendations are in the attached document.
    Please confirm the amount and let us know if you have any questions.


    Attached is a ZIP file with a name somewhat matching the reference in the email, containing a malicious VBS script with a filename made up in part of the date. The scripts download another component...
    (Long list of domain-names at the dynamoo URL above.)
    ... It drops a payload with an MD5 of 529789f27eb971ff822989a5247474ce and a current detection rate of just 1/54*. The malware then phones home to the following locations:
    91.142.90.61 /information.cgi [hostname: smtp-server1 .ru] (Miran, Russia)
    195.19.192.99 /information.cgi (EkaComp, Russia)
    These IPs were also used in this earlier attack**.
    Recommended blocklist:
    185.82.217.28
    91.142.90.61
    195.19.192.99
    "
    * https://virustotal.com/en/file/6a186...473e/analysis/

    ** http://blog.dynamoo.com/2016/12/malw...924272-no.html
    ___

    Fake 'Sage invoice' SPAM - delivers Dridex
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    5 Dec 2016 - "... an email with the subject of 'Outdated invoice' coming or pretending to come from Sage invoice <no-reply@ sage-uk .org> . There is no zip attachment with this Dridex delivery today, but a-link-in-the-body to download an invoice.zip from a hacked/compromised/fraudulently set up sharepoint site... from a site set up by the criminals to malspam the Dridex banking Trojan. The site is registered to a Chinese entity and hosted on an OVH server in France (SAGE-UK .ORG 46.105.101.84 ns3060005.ip-188-165-252.eu). One of the emails looks like:
    From: Sage invoice <no-reply@ sage-uk .org>
    Date: Mon 05/12/2016 12:48
    Subject: Outdated invoice
    Attachment: link in email to download invoice.zip
    Software for business
    Sage Account & Payroll
    You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link below to download your account invoice:
    https ://invoice.sage .co.uk/Account?864394=xUzlmOHtPY
    If we have any information about you which is incorrect or if there are any changes to your details please let us know so that we could keep our records accurate...


    5 December 2016: Invoice.zip: Extracts to: Invoice.js - Current Virus total detections 3/53*
    Payload Security** shows a download from ‘http ://neelkanthelevators .com/images/about1.png’ (VirusTotal 10/56***). Payload Security[4]. This is -not- a png (image file) but a -renamed- .exe file, which the script renames to LzG7FzcEz.exe and runs... The basic rule is NEVER open any attachment to an email [OR click-a-link in it] unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1480944742/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    104.219.248.77
    195.154.92.54
    185.8.165.33
    104.236.219.229
    91.201.40.33


    *** https://www.virustotal.com/en/file/f...1a54/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    195.154.92.54
    185.8.165.33
    104.236.219.229
    91.201.40.33


    46.105.101.84: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake 'Shipping status' SPAM - delivers Vawtrak malware
    - http://blog.dynamoo.com/2016/12/malw...s-changed.html
    5 Dec 2016 - "This -fake- UPS spam has a malicious attachment:
    From: UPS Quantum View [ups@ ups-service .com]
    Date: 5 December 2016 at 17:38
    Subject: Shipping status changed for your parcel # 1996466
    Your parcel has arrived, but we were unable to successfully deliver it because no person was present at the destination address.
    There must be someone present at the destination address, on the delivery day, to receive the parcel.
    Shipping type: UPS 3 Day Select
    Box size: UPS EXPRESS BOX
    Date : Nov 14th 2016
    You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.
    The delivery invoice can be downloaded from our website ...
    Thank you for shipping with UPS
    Copyright © 1994-2016 United Parcel Service of America, Inc. All rights reserved.


    The link-in-the-email actually goes to a URL vantaiduonganh .vn/api/get.php?id= plus a Base 64 encoded part of the URL (e.g. aGVscGRlc2tAZmJpLmdvdg==) and it downloads a Word document with the recipients email address included in it. This type of malware is typically seen using hacked but legitimate Vietnamese sites for this stage in the infection chain. This DOC file contains a malicious macro, the Malwr report* indicates that it downloads components from:
    parkovka-rostov .ru/inst.exe
    stela-krasnodar .ru/wp-content/uploads/pm22.dll
    Those two locations are legitimate -hacked- sites. This has a detection rate of 7/56** plus a DLL with a detection rate of 37/56***. The malware appears to be Hancitor/Pony/Vawtrak, phoning home to:
    cothenperci .ru/borjomi/gate.php
    madingtoftling .com/ls5/forum.php
    Both of these are hosted on the same IP address of 185.31.160.11 (Planetahost, Russia)... malicious domains are also hosted on the same IP...
    (List of domain-names at the dynamoo URL above.
    ... Recommended blocklist:
    185.31.160.11
    parkovka-rostov .ru
    stela-krasnodar .ru
    "
    * https://malwr.com/analysis/YmM1OGI0M...M1OTg2MmYyM2I/
    Hosts
    54.243.91.166
    185.31.160.11
    77.222.42.115
    81.177.165.101


    ** https://www.virustotal.com/en/file/6...is/1480963673/

    *** https://www.virustotal.com/en/file/7...is/1480964472/
    ___

    Fake 'Urgent Data' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/urgen...elivers-locky/
    5 Dec 2016 - "... Locky downloader... an email with the subject of 'Urgent Data' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of payment random numbers.zip... One of the emails looks like:
    From: Consuelo Wells <Wells.Consuelo@ skriverconsult .ch>
    Date: Mon 05/12/2016 20:20
    Subject: Urgent Data
    Attachment: payment9095450.zip
    Dear [redacted],
    The error occurred during payment. Sending you details of the transaction.
    Please pay the remaining amount as soon as possible.
    King Regards,
    Consuelo Wells


    5 December 2016: payment9095450.zip: Extracts to: ~3X072I792ZJ.js - Current Virus total detections 4/55*
    MALWR** shows a download of an encrypted file from http ://prosperer .mg/3n7uihwc0p which is converted by the script to yQC6CSDVn.zk (VirusTotal 5/57***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1480969517/

    ** https://malwr.com/analysis/YTdkZmVjN...Y5NzE0ZDFkOGE/
    Hosts
    212.83.148.70
    46.4.63.6


    *** https://www.virustotal.com/en/file/a...is/1480970106/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    212.83.148.70
    46.4.63.6
    185.146.168.13
    95.46.114.147


    Last edited by AplusWebMaster; 2016-12-05 at 23:49.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #1105
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'PO', 'Recent order' SPAM, Amazon, 'AppIe ID' phish

    FYI...

    Fake 'PO' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/inv-1...elivers-locky/
    6 Dec 2016 - "An email with the subject of 'Inv# 1465095170 for PO# 0AC27757' (random numbers) pretending to come from random senders with a malicious word doc spreadsheet attachment delivers Locky osiris... The email looks like:
    From: From: pettengell, judith <judith.pettengell@ ds54 .com>
    Date: Tue 06/12/2016 12:18
    Subject: Inv# 1465095170 for PO# 0AC27757
    Attachment: 0AC27757_1465095170.docm
    Please do not respond to this email address. For questions/inquires, please
    contact our Accounts Receivable Department.
    This email has been scanned by the MessageLabs outbound
    Email Security System for CIRCOR International Inc...


    6 December 2016: 0AC27757_1465095170.docm - Current Virus total detections 8/51*
    MALWR** shows a download of an encrypted file from http ://union1 .cn/0bgsvtr3 which is converted by the script to dipund1.rap (VirusTotal 9/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to...
    C2 http ://185.115.140.210 /checkupdate | http ://91.142.90.46 /checkupdate | http ://213.32.66.16 /checkupdate ...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1481027450/

    ** https://malwr.com/analysis/MmNkMTBmZ...UzYTMyNTQ0YTk/
    Hosts
    139.129.41.209
    185.66.12.43
    91.142.90.46
    185.115.140.210
    213.32.66.16


    *** https://www.virustotal.com/en/file/4...is/1481027967/

    4] https://www.reverse.it/sample/f8f226...ironmentId=100
    ___

    Fake 'Recent order' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/recen...elivers-locky/
    6 Dec 2016 - "... an email with the subject of 'Recent order' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of order random numbers.zip which delivers Locky ransomware... One of the emails looks like:
    From: Jocelyn Dodson <Dodson.Jocelyn@ netpalouse .com>
    Date: Tue 06/12/2016 09:29
    Subject: Recent order
    Attachment: order3202227.zip
    Dear adkins,
    The counteragent has conducted the checking and found no confirmed payment for the recent order...
    All details are in the attachment.
    Feel free to email us if you have any inquiry.
    King Regards,
    Jocelyn Dodson


    6 December 2016: order3202227.zip Extracts to: ~8FX934T59F85.js - Current Virus total detections 6/54*
    MALWR** shows a download of an encrypted file from http ://steffweb .dk/bkjybit which is converted by the script to AEyjwjkWiBbl6.zk (VirusTotal 7/57***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1481018575/

    ** https://malwr.com/analysis/ZmU5MGNkM...Q3OWQwMWQxMjQ/
    Hosts
    94.231.108.252

    *** https://www.virustotal.com/en/file/9...173b/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    94.231.108.252
    91.203.5.176
    85.143.213.71
    176.112.219.101
    95.46.114.147

    ___

    Amazon - phish
    - https://myonlinesecurity.co.uk/new-r...8845-phishing/
    6 Dec 2016 - "'New Return Requested on Amazon for order 502-2849265-1928845' pretending to come from Amazon .co.uk <annazon@ amazonaws .co.uk> is one of the latest -phish- attempts to steal your Amazon Account. This one only wants your Amazon log in details... The link leads to http ://tolmasoft .ru/ViewListingAccount-dvk@ [redacted].co.uk.html...

    Screenshot: https://i0.wp.com/myonlinesecurity.c...24%2C608&ssl=1

    When you fill in your user name and password you get immediately -redirected- to the genuine Amazon.co.uk home page, where you think that you have logged in properly. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

    tolmasoft .ru: 5.187.1.187: https://www.virustotal.com/en/ip-add...7/information/
    ___

    'AppIe ID' phish
    - http://blog.dynamoo.com/2016/12/sms-...is-due-to.html
    6 Dec 2016 - "This SMS spam is actually a phishing message:

    Screenshot: https://2.bp.blogspot.com/-OF33yrXOb...pple-phish.png

    This is one of those odd SMSes that doesn't seem to come from an actual number. If you follow through the link you end up on a straightforward Apple phishing page:
    > https://2.bp.blogspot.com/-wsiOA1HPC...pple-phish.jpg

    The website appieid-support .com is hosted on 108.167.141.128 which is a customer of WebsiteWelcome... no-doubt-fake WHOIS details... The domain was created just today. Avoid."

    108.167.141.128: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/01...6b4d/analysis/

    Last edited by AplusWebMaster; 2016-12-06 at 19:10.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #1106
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Invoices', 'Card Receipt' SPAM, Stegano EK, AdGholas malvertising

    FYI...

    Fake 'Invoices' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/three...elivers-locky/
    7 Dec 2016 - "... an email with the subject of 'Invoices' pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers Locky ransomware... One of the emails looks like:
    From: Margery Hinton <Hinton.Margery@ bluelinedesignoh .com>
    Date: Wed 07/12/2016 10:10
    Subject: Invoices
    Attachment: invoices0660953.zip
    Dear zowm,
    By today, three invoices (4282, $284; 4283, $99; 4287, $564) are not paid.
    Starting tomorrow, fines will be charged. Please make appropriate payments.
    All details are in the attachment.
    Best Regards,
    Margery Hinton
    Sales Director


    7 December 2016: invoices0660953.zip: Extracts to: ~8G9Z5BP2U18O48QKC6O54YE4.js
    Current Virus total detections 2/55* Payload Security** shows a download of an encrypted file from
    sagaoil .ro/jv5f0mrnea which is converted by the script to BQODhCNNx.zk ... Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1481105284/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    123.232.111.58
    91.210.80.80
    85.143.213.71
    91.203.5.176
    176.112.219.101
    194.67.215.228
    52.34.245.108
    52.222.157.179

    ___

    Fake 'Card Receipt' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...-locky-osiris/
    7 Dec 2016 - "An email spoofing Aquaid with the subject of 'Card Receipt' coming from random senders with a malicious word doc attachment delivers Locky Osiris...

    Screenshot: https://i1.wp.com/myonlinesecurity.c...24%2C673&ssl=1

    7 December 2016: CARD547 8914860.docm - Current Virus total detections 12/56*
    MALWR** shows a download of an encrypted file from http ://unilite .ro/hfycn33 which is converted by the script to spircent1.mda (Payload Security ***) (virusTotal 10/54[4]). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1481104682/

    ** https://malwr.com/analysis/ZGIzNTQ1Z...E3NWNlODEwYWM/
    Hosts
    188.213.21.75
    91.142.90.46
    213.32.66.16


    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    188.213.21.75
    91.142.90.46
    88.214.236.182
    213.32.66.16
    52.42.26.69
    52.222.157.29
    52.35.54.251


    4] https://www.virustotal.com/en/file/c...is/1481105595/
    ___

    Stegano EK hiding in pixels of malicious ads
    - http://www.welivesecurity.com/2016/1...malicious-ads/
    Dec 6, 2016 - "Millions of readers who visited popular news websites have been targeted by a series of malicious ads -redirecting- to an exploit kit exploiting several -Flash- vulnerabilities. Since at least the beginning of October, users might have encountered ads promoting applications calling themselves 'Browser Defence' and 'Broxu' using banners similar to the ones below:
    1] http://www.welivesecurity.com/wp-con...12/1-xlch3.png
    ...
    2] http://www.welivesecurity.com/wp-con...12/2-y0vbp.png
    These advertisement banners were stored on a remote domain with the URL hxxps ://browser-defence .com and hxxps ://broxu .com. Without requiring any user interaction, the initial script reports information about the victim’s machine to the attacker’s remote server. Based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious evil twin. The malicious version of the graphic has a script encoded in its alpha channel, which defines the transparency of each pixel... After successful redirection, the landing page checks the userAgent looking for Internet Explorer, loads a Flash file, and sets the FlashVars parameters via an encrypted JSON file. The landing page also serves as a middleman for the Flash and the server via ExternalInterface and provides basic encryption and decryption functions. The Flash file has another Flash file embedded inside and, similarly to the -Neutrino- exploit kit, it comes with three different exploits based on the Flash version... Conclusion: The Stegano exploit kit has been trying to fly under the radar since at least 2014. Its authors have put quite some effort into implementing several techniques to achieve self-concealment. In one of the most recent campaigns we detected, which we traced back at least to the beginning of October 2016, they had been distributing the kit through advertisement banners using steganography and performing several checks to confirm that they were not being monitored. In the event of successful exploitation, the vulnerable victims’ systems had been left exposed to -further- compromise by various malicious payloads including backdoors, spyware and banking Trojans. Exploitation by the Stegano kit, or any other known exploit kit for that matter, can often be avoided by running fully patched software and by using a reliable, updated internet security solution..."
    (More detail at the welivesecurity/ESET URL above.)

    browser-defence .com: Could not find an IP address for this domain name...

    broxu .com: 162.255.119.66: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/a9...e098/analysis/
    ___

    AdGholas malvertising ...
    - https://blog.malwarebytes.com/cyberc...ness-as-usual/
    Dec 6, 2016 - "... A group identified as AdGholas* by Proofpoint which has been involved in the stealthiest attacks we have seen in recent history, was caught again and exposed by Eset**... The last bit of activity from AdGholas after the Proofpoint exposé was July 20th of this year. However, according to our telemetry, less than two months later the group was back at it with some of the -largest- malvertising attacks we have ever documented... The interesting aspect about this malvertising campaign is that the US was -not- one of the targets. Instead we saw Canada, the UK, Australia, Spain, Italy, and Switzerland as the most active geolocations. We observed most attacks happen in Canada and the UK as seen below on this heat map:
    > https://blog.malwarebytes.com/wp-con...12/heatmap.png
    Despite not targeting the US, the latest AdGholas campaign has once again reached epic proportions and unsuspecting users visiting top trusted portals like Yahoo or MSN (not to mention many top level publishers) were exposed to malvertising and malware if they were not protected..."
    * https://www.proofpoint.com/us/threat...in-plain-sight

    ** http://www.welivesecurity.com/2016/1...malicious-ads/

    Last edited by AplusWebMaster; 2016-12-07 at 20:17.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #1107
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Emailing', 'Order', 'Scan' SPAM, Tax refund - phish

    FYI...

    Fake 'Emailing' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/email...email-address/
    8 Dec 2016 - "An email with the subject of 'Emailing: MX62EDO 08.12.2016' pretending to come from documents@ your-own-email-address with a malicious word doc delivers Locky Osiris... The email looks like:
    From: documents@ thespykiller .co.uk
    Date: Thu 08/12/2016 10:05
    Subject: Emailing: MX62EDO 08.12.2016
    Attachment:
    Your message is ready to be sent with the following file or link
    attachments:
    MX62EDO 08.12.2016
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled.
    This email has been checked for viruses by Avast antivirus software...


    8 December 2016: MX62EDO 08.12.2016.docm - Current Virus total detections 10/54*
    MALWR** shows a download of an encrypted file from http ://netfun .be/hb74 which is converted by the script to clsooach1.feds (VirusTotal 11/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1481192959/

    ** https://malwr.com/analysis/NmZhYjk5M...JkODUyYTU2NzU/
    Hosts
    81.4.68.175
    176.121.14.95


    *** https://www.virustotal.com/en/file/d...is/1481193005/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    188.93.230.41
    185.127.24.247
    213.32.66.16
    91.142.90.46
    176.121.14.95
    52.42.26.69
    52.222.157.29

    ___

    Fake 'Order' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/more-...elivers-locky/
    8 Dec 2016 - "... an email with the subject of 'Order #0850834' (random numbers) coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment matching the subject line which delivers Locky ransomware... One of the emails looks like:
    From: Latoya Byrd <Byrd.Latoya@ flceo .com>
    Date: Thu 08/12/2016 11:29
    Subject: Order #0850834
    Attachment: order-0850834.zip
    Hello ard, your order #0850834 ...
    Sending you the receipt. Please pay it prior to next week.
    The receipt is in the attachment.
    Best Wishes,
    Latoya Byrd
    Delivery Manager


    8 December 2016: order-0850834.zip: Extracts to: ~5Z36TWQXK9014CO228K8V0C.js
    Current Virus total detections 6/55*. MALWR** shows a download of an encrypted file from
    http ://file4hosti .info/ne92o1u which is converted by the script to 7JpjNVpwmyeHv.zk (VirusTotal 4/53***).
    Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1481196535/

    ** https://malwr.com/analysis/YTMwODJkZ...UxMjVjODQ0ZWY/
    Hosts
    107.172.55.203

    *** https://www.virustotal.com/en/file/f...is/1481197588/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    104.168.87.215
    107.172.55.203
    178.159.42.248
    185.46.11.236
    52.34.245.108
    52.32.150.180
    35.160.111.237
    91.198.174.192
    91.198.174.208
    54.239.168.21

    ___

    Fake 'Scan' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/scan-...-locky-osiris/
    8 Dec 2016 - "... an email with the subject of 'Scan' from a Samsung MFP coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of Untitled_date_random numbers.zip which delivers Locky ransomware... One of the emails looks like:
    From: GARRY MENZIES <garry.menzies.1825@ pricemarketresearch .com>
    Date: Wed 07/12/2016 21:41
    Subject: Travel expense sheet
    Attachment: Untitled_07122016_46160.zip
    Regards
    Garry
    Please open the attached document. It was scanned and sent to you using a
    Samsung MFP. For more information on Samsung products and solutions, please
    visit ...
    This message has been scanned for malware by Websense...


    8 December 2016: Untitled_07122016_46160.zip: Extracts to: N396390423.jse - Current Virus total detections 19/55*
    MALWR** shows a download of an encrypted file from http ://raivel .pt/45gdfgf?SEOtErERwE=yLVujYkT which is converted by the script to XtPmJmcsvIP1.dll (VirusTotal 24/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries... DLL files... rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1481168279/

    ** https://malwr.com/analysis/YTE5NDM2Y...Q0YTM3YThkMjY/
    Hosts
    188.93.230.41
    91.142.90.46


    *** https://www.virustotal.com/en/file/1...e217/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    188.93.230.41
    185.127.24.247
    213.32.66.16
    91.142.90.46
    176.121.14.95
    52.42.26.69
    52.222.157.29

    ___

    Tax refund - phish
    - https://myonlinesecurity.co.uk/tax-r...ency-phishing/
    8 Dec 2016 - "... DVLA Vehicle Licensing Agency phishing email trying to get your information...

    Screenshot: https://i2.wp.com/myonlinesecurity.c...24%2C712&ssl=1

    If you follow the links you end up on an identical copy of the gov .uk site asking for usual identity and financial details:
    > https://i1.wp.com/myonlinesecurity.c...24%2C533&ssl=1
    Phishing sites so far discovered include (email links go to a site which -redirects- you to other sites):
    - https ://cissdemexico .com/.2DriverLicence2ADM2/2y2Driving2e2Licences2acc2/24w823w82Driving2w25and22w2Transport2w826w2gov28uk25/23Lega2r28obligations62Apply2refund2x82driving24/Refund.php
    - https ://chadena .com/.cha/
    - https ://fyfe-interiors .com/.lol/
    - https ://partnersinsharing .com/.124DL828ADM825/2384x48390Driving9019x319Licences0638cbd419/7836Lega523x92148obligations639Apply915x3420/517x9427c481Driving827x5and32v0417Transport71x5638x319gov31uk24/Refund "

    cissdemexico .com: 162.211.127.202: https://www.virustotal.com/en/ip-add...2/information/

    chadena .com: 109.163.208.100: https://www.virustotal.com/en/ip-add...0/information/

    fyfe-interiors .com: 202.129.244.101: https://www.virustotal.com/en/ip-add...1/information/

    partnersinsharing .com: 69.16.221.200: https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2016-12-08 at 15:29.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #1108
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Firewall Software', 'See attached' SPAM, 400,000 phish

    FYI...

    Fake 'Firewall Software' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/12/malw...-leads-to.html
    9 Dec 2016 - "This spam appears to come from multiple senders and leads to Locky ransomware:
    From: Herman Middleton
    Date: 9 December 2016 at 07:40
    Subject: Firewall Software
    Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
    Done and ready. Here, in the attachment, is the full invoice of the software counteragent.
    Please check it out.
    King Regards,
    Herman Middleton
    IT Support Manager


    Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated. The Hybrid Analysis* and Malwr report** show that the script analysed downloads a component from welte .pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56***. That Hybrid Analysis also detections C2 traffic to:
    107.181.187.97 /checkupdate [hostname: saluk1.example .com] (Total Server Solutions, US)
    51.254.141.213 /checkupdate (OVH, France)
    It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows:
    91.142.90.46 /checkupdate [hostname: mrn46.powerfulsecurities .com] (Miran, Russia)
    195.123.209.23 /checkupdate [hostame: prujio .com] (Layer6, Latvia)
    185.127.24.247 /checkupdate [hostname: free.example .com] (Informtehtrans, Russia)
    176.121.14.95 /checkupdate (Rinet LLC, Ukraine)
    185.46.11.236 /checkupdate (Agava, Russia)
    178.159.42.248 /checkupdate (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)
    Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are at least a couple of bad /24 blocks in there.
    Recommended blocklist:
    51.254.141.213
    91.142.90.46
    107.181.187.97
    176.121.14.95
    178.159.42.248
    185.46.11.0/24
    185.127.24.247
    195.123.209.0/24
    "
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    79.96.68.245
    107.181.187.97
    178.159.42.248
    51.254.141.213
    54.239.168.239
    91.198.174.192
    91.198.174.208


    ** https://malwr.com/analysis/ZGI2MDNlZ...Q1MmM2ODI0MTQ/
    Hosts
    79.96.68.245

    *** https://virustotal.com/en/file/fb5cd...is/1481273887/

    - https://myonlinesecurity.co.uk/firew...elivers-locky/
    9 Dec 2016 - "... an email with the subject of 'Firewall Software' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of f_license_numbers.zip which delivers Locky ransomware... One of the emails looks like:
    From: Curtis Jarvis <Jarvis.Curtis@ irishcitytours .com>
    Date: Fri 09/12/2016 07:22
    Subject: Firewall Software
    Attachment: f_license_5875331.zip
    Hey emis2000, it is Curtis. You’ve asked me to order new firewall software for our office computers.
    Done and ready. Here, in the attachment, is the full invoice of the software counteragent.
    Please check it out.
    King Regards,
    Curtis Jarvis
    IT Support Manager


    9 December 2016: f_license_5875331.zip: Extracts to: ~S911UGV716O1J3CSTB471C.js
    Current Virus total detections 16/55*. MALWR** shows a download of an encrypted file from
    http ://www .pgringette .ca/a8crrwrc2t which is converted by the script to z7dWO4eQFUHRtg.zk (VirusTotal 4/57***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1480616575/

    ** https://malwr.com/analysis/NWE4MjY5Y...EwMDhkMTFmYmM/
    Hosts
    69.28.199.160

    *** https://www.virustotal.com/en/file/6...is/1481268678/
    ___

    Fake 'See attached' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...elivers-locky/
    9 Dec 2016 - "An email spoofing the Business Advisory Service Ltd with the subject of 'See attached – I will call you in 10 mins' (random times) with a malicious Excel XLS spreadsheet attachment delivers Locky Osiris ransomware...

    Screenshot: https://i1.wp.com/myonlinesecurity.c...24%2C547&ssl=1

    9 December 2016: Invoice_392618_final.xlsm - Current Virus total detections *
    MALWR** shows a download of an encrypted file from http ://djelixir .com/34f43 which is converted by the script to XtPmJmcsvIP1.dll (VirusTotal 10/56***). Payload Security [4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    *

    ** https://malwr.com/analysis/MDdmOWU2Y...U2NDA1NmNmYjk/
    Hosts
    108.174.153.189
    185.102.136.67


    *** https://www.virustotal.com/en/file/1...is/1481278691/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    108.174.153.189
    185.102.136.67
    176.121.14.95
    31.202.128.199
    52.34.245.108
    54.239.168.194

    ___

    Another 'Apple phish' ...
    - https://myonlinesecurity.co.uk/your-...pple-phishing/
    9 Dec 2016 - "... mass Apple phish today, telling you that you have added ghost00@ hotmail .com as a new rescue email address for your Apple ID and you need to verify it... received about 200 so far this morning, some of which are getting past spam filters...

    Screenshot: https://i0.wp.com/myonlinesecurity.c...24%2C588&ssl=1

    The links in the body go to:
    http ://opelpart .hu/media/system/swf/o.html
    which -redirects- to numerous sites including:
    http ://ushindicounselling .ca/winter/Itunes/apple/
    http ://volleyballsaskatoon .ca/winter/Itunes/apple/
    ... There will no doubt be lots of other sites active in this phishing campaign... follow-the-link [DON'T] you see a webpage looking like this screenshot (taken form a previous example):
    > https://i1.wp.com/myonlinesecurity.c...24%2C565&ssl=1 "

    opelpart .hu: 87.229.45.133: https://www.virustotal.com/en/ip-add...3/information/
    ushindicounselling .ca: 67.212.91.221
    volleyballsaskatoon .ca: 67.212.91.221: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Phish in-the-cloud ...
    - http://www.darkreading.com/endpoint/...d/d-id/1327673
    Dec 8, 2016 - "Everything else has gone to the cloud, so why not faux emails* and their malicious payloads?... phishing emails have become a way to infect desktops and servers with ransomware, which infosec professionals continually cite as their biggest ongoing concern and defense priority..."
    * http://blog.imperva.com/2016/12/can-...reined-in.html
    Dec 6, 2016 - "Phishing is the starting point for most data breaches... cybercriminals are lowering the cost of phishing by enabling Phishing as-a-Service (PhaaS) using compromised web servers..."
    > http://imperva.typepad.com/.a/6a0115...2c51970c-800wi
    ___

    400,000 phishing sites - every month in 2016
    - https://www.helpnetsecurity.com/2016...observed-2016/
    Dec 7, 2016 - "84 percent of phishing sites observed in 2016 existed for less than 24 hours, with an average life cycle of under 15 hours... data collected by Webroot*:
    > https://www.helpnetsecurity.com/imag...g-122016-1.jpg "

    * https://www.webroot.com/blog/2016/12...for-christmas/
    Dec 7, 2016 - "... Webroot has observed an average of over 400,000 phishing sites each month... Google, PayPal, Yahoo, and Apple are heavily targeted for attacks. Cybercriminals know to impersonate sites that people trust and use regularly... Google was impersonated in 21 percent of -all- phishing sites between January and September 2016, making it the most heavily targeted. Emails to avoid:
    With the holiday season in full swing and the New Year fast approaching, hackers are up to their old tricks... we should all be wary of emails containing UPS, USPS, and FedEx shipping alerts; 401k/benefit enrollment notices; and miscellaneous tax documents from now through the end of January..."

    Last edited by AplusWebMaster; 2016-12-09 at 17:13.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #1109
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Invoice', 'New(910)', 'Software License', 'Amazon', 'Order' SPAM

    FYI...

    Fake 'Invoice' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/12/malw...er-947781.html
    12 Dec 2016 - "This fake financial spam comes from -multiple- senders and leads to Locky ransomware:
    From: AUTUMN RHINES
    Date: 12 December 2016 at 10:40
    Subject: Invoice number: 947781
    Please find attached a copy of your invoice...


    The name of the sender varies, as does the fake invoice number. Attached is a .DOCM file with a filename matching that invoice number. Typical detection rates for the DOCM file are 13/56*. Automated analysis of a couple of these files [1] [2]... show the macro downloading a component from miel-maroc.com/874ghv3 (there are probably many more locations). A DLL is dropped with a current detection rate of 11/57**. All those analyses indicate that this is Locky ransomware (Osiris variant), phoning home to:
    176.121.14.95 /checkupdate (Rinet LLC, Ukraine)
    88.214.236.218 /checkupdate (Overoptic Systems, UK / Russia)
    91.219.31.14 /checkupdate (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
    Recommended blocklist:
    176.121.14.95
    88.214.236.218
    91.219.31.14
    "
    * https://virustotal.com/en/file/3ce3a...7759/analysis/

    1] https://malwr.com/analysis/NzVmODQ1N...UwMTkwNDM5Y2U/
    Hosts
    5.153.23.8
    176.121.14.95
    88.214.236.218
    91.219.31.14


    2] https://malwr.com/analysis/YzViZjg5Z...E4MWU3NzMxMjA/
    Hosts
    5.153.23.8
    176.121.14.95
    91.219.31.14


    ** https://virustotal.com/en/file/9efdf...43df/analysis/
    ___

    Fake 'New(910)' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/12/malw...-to-locky.html
    12 Dec 2016 - "This spam leads to Locky ransomware:
    From: Savannah [Savannah807@ victimdomain .tld]
    Reply-To: Savannah [Savannah807@ victimdomain .tld]
    Date: 12 December 2016 at 09:50
    Subject: New(910)
    Scanned by CamScanner
    Sent from Yahoo Mail on Android


    The spam appears to come from a sender within the victim's-own-domain, but this is just a simple forgery. The attachment name is a .DOCM file matching the name in the subject. Automated analysis [1] [2] indicates that it works in a similar way to this other Locky ransomware run today*."
    1] https://malwr.com/analysis/ODYwMGRjM...Q5YjQwMDJhMGU/
    Hosts
    208.113.172.228
    176.121.14.95


    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    208.113.172.228
    91.219.31.14
    35.163.57.6
    52.222.171.57
    35.160.111.237


    * http://blog.dynamoo.com/2016/12/malw...er-947781.html
    ___

    Fake 'Software License' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/softw...elivers-locky/
    12 Dec 2016 - "... an email with the subject of 'Software License' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of softlic_0600353.zip which delivers Locky ransomware... One of the emails looks like:
    From: Deloris Santos <Santos.Deloris@ terebinthtreeportraits .com>
    Date: Mon 12/12/2016 09:59
    Subject: Software License
    Attachment: softlic_0600353.zip
    Hello scans, it is Deloris.
    Sending you the scan of the software license agreement (Order #0600353).
    It is in the attachment. Please look into it ASAP.
    Best Regards,
    Deloris Santos


    12 December 2016: softlic_0600353.zip: ~50Y70PZ821IW1H6QS6R5K4P.wsf - Current Virus total detections 5/55*
    Racco42** has posted a list of found download sites on pastebin***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1481540340/

    ** https://twitter.com/Racco42/status/808280355895529473

    *** http://pastebin.com/cCeYpZsd
    ... C2:
    POST http ://185.46.11.236/ checkupdate
    POST http ://91.200.14.109/ checkupdate
    POST http ://93.170.104.23 /checkupdate
    POST http ://95.213.224.117 /checkupdate

    185.46.11.236: https://www.virustotal.com/en/ip-add...6/information/ - RU
    91.200.14.109: https://www.virustotal.com/en/ip-add...9/information/ - UA
    93.170.104.23: https://www.virustotal.com/en/ip-add...3/information/ - NL
    95.213.224.117: https://www.virustotal.com/en/ip-add...7/information/ - RU
    ___

    Fake 'Amazon Transactions' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...ky-ransomware/
    12 Dec 2016 - "Following on from the continual series of spoofed FedEx Locky downloaders detailed in this POST[1]... using the same method have changed to a very bad imitation of Amazon .co.uk with an email with the subject of 'Transactions_Report__by_users_from_2016-11-18_to_2016-11-20' pretending to come from EGCTechServer <nf@ ammaazon .co.uk> with a malicious word doc attachment continues to deliver Locky ransomware...
    1] https://myonlinesecurity.co.uk/fedex...ky-ransomware/
    9 Nov 2016

    Screenhot: https://i2.wp.com/myonlinesecurity.c...g?w=1254&ssl=1

    12 December 2016: Your_requested_Report_is_attached_Here.doc - Current Virus total detections 20/56*
    Payload Security** contacts http ://triumphantul .top/2/ldd.php (185.101.218.162)... which actually downloads
    http ://triumphantul .top/2/565.exe (VirusTotal 4/57***) which is the same Locky version that they malspammed out on Sunday 11 Dec 2016... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1481530568/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/c...is/1481450464/

    185.101.218.162: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/56...9478/analysis/
    > https://www.virustotal.com/en/url/eb...496f/analysis/ | 2016-12-11
    ___

    Fake 'Order' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/order...ky-ransomware/
    12 Dec 2016 - "... an email -spoofing- Hexstone Ltd with the subject of 'Order Confirmation 81110319 Hexstone Ltd' (random numbers)... pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of Ord81110319.dzip which delivers Locky ransomware... One of the emails looks like:
    From: Leonor rede <Leonor6@ fiveoaks .com>
    Date: Mon 12/12/2016 16:23
    Subject: Order Confirmation 81110319 Hexstone Ltd
    Attachment: Ord81110319.dzip
    This message is intended only for the individual or entity to which it is
    addressed and may contain information that is private and confidential. If
    you are not the intended recipient, you are hereby notified that any
    dissemination, distribution or copying of this communication and its
    attachments is strictly prohibited.


    12 December 2016: Ord81110319.dzip: Extracts to: Receipt(546).jse - Current Virus total detections 12/54*
    Payload Security** shows a download of an encrypted file from
    http ://indigenouspromotions .com.au /874ghv3?qSzzdCEa=EIWRey which is converted by the script to fQuANqFwqs1.dll (VirusTotal 16/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1481560496/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    111.67.22.192
    176.121.14.95
    52.32.150.180
    54.239.168.239
    52.35.54.251


    *** https://www.virustotal.com/en/file/7...b265/analysis/
    ...adaa.exe

    Last edited by AplusWebMaster; 2016-12-12 at 19:37.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #1110
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'documents', 'Intuit invoice', 'fax', 'picture', 'Fixed invoices' SPAM

    FYI...

    Fake 'documents' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/total...elivers-locky/
    13 Dec 2016 - "... an email with the subject of 'Total Gas & Power documents 0/5' (random numbers) pretending to come from totadonotreply@ netsend .biz with a semi-random named zip attachment in the format of 3000566547_invoice_139920043-09.zip which delivers Locky ransomware. The dates on the emails are 12 days old...

    Screenshot: https://i0.wp.com/myonlinesecurity.c...g?w=1258&ssl=1

    13 December 2016: 3000566547_invoice_139920043-09.zip: Extracts to: 3000566547_invoice_139920047-55.jse
    Current Virus total detections 9/55*. MALWR** shows a download of an encrypted file from
    http ://94.127.33.126 /knby545?bVoaEKQ=DtsfPK which is converted by the script to JWvpjx1.dll (VirusTotal 10/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1481622006/

    ** https://malwr.com/analysis/MDgyOTYxN...M0NWQ4NDE5M2Y/
    Hosts
    94.127.33.126
    176.121.14.95


    *** https://www.virustotal.com/en/file/8...is/1481622948/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    94.127.33.126
    109.234.34.212
    52.39.24.163
    35.160.111.237

    ___

    Fake 'Intuit invoice' SPAM - delivers Dridex
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    13 Dec 2016 - "... an email -spoofing- Intuit/QuickBooks with the subject of 'Invoice 00341 from Gas Safety Plus' (random numbers and random companies) pretending to come from the random company in subject line <notification@ global-intuit .com> with zip attachment which delivers Dridex banking Trojan... All the ones I have seen seem to be actually coming from various IP numbers on the OVH SAS network using fake, spoofed or newly registered domain identifications:
    193.70.50.59
    193.70.117.190
    176.31.130.77
    176.31.130.74
    51.254.63.185
    91.121.114.211
    92.222.182.70
    94.23.58.107
    ...
    Some of the subject lines & companies include:
    Invoice 00476 from Gaswise (Lincoln) Ltd
    Invoice 00845 from Moss Florist
    Invoice 00668 from Linda Leary Estate Agents
    Invoice 00475 from Urban Merchants, Your Fine Food Supplier
    Invoice 00969 from Ballon Wise ...
    One of the emails looks like:
    From: Gas Safety Plus <notification@ global-intuit .com>
    Date: Thu 01/09/2016 19:22
    Subject: Invoice 00341 from Gas Safety Plus
    Attachment: link-in-email body
    Gas Safety Plus
    Invoice 00341
    Due date 14/12/2016
    Balance due 335.00
    View invoice
    Dear Customer, Here’s your invoice. We appereciate your prompt payment. Thank’s for your business! Gas Safety Plus
    Intuit. Inc. All right reserved...



    13 December 2016: Invoice.zip: Extracts to: Invoice.js - Current Virus total detections 16/55*.
    MALWR** shows a download from http ://195.238.172.213 /~iceskate/images/manual.pdf which is -not- a pdf but a renamed .exe file It gets renamed by the script to PPqFp2Bl32.exe and autorun (VirusTotal 9/57***). Payload Security[4]...
    The -links- in the email body goes to a hacked/compromised fraudulently set up sharepoint address:
    “https ://telstrastorecorio-my.sharepoint .com/personal/rebecca_telstrashopcorio_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=nlZdrO0WUpP2BvOovx5%2bkQFaMQk87jAFOPGDI79ApoA%3d&docid=0508e7d01f6e144528e3b4e23521272d1&rev=1”
    ... Never just blindly click on the link/file in your email..."
    * https://www.virustotal.com/en/file/7...is/1480616575/

    ** https://malwr.com/analysis/NGI1NDAyO...NiYTZkZTlhMjM/
    Hosts
    188.165.230.126
    195.238.172.213


    *** https://www.virustotal.com/en/file/4...is/1481626327/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    82.196.5.27
    109.74.9.119
    192.188.58.163


    telstrastorecorio-my.sharepoint .com: 104.146.164.28: https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake 'fax' SPAM - leads to malware
    - https://myonlinesecurity.co.uk/blank...known-malware/
    13 Dec 2016 - "... a -blank- email with the subject of 'fax copia' coming or pretending to come from 910663334@ fax.vodafone .es with a semi-random named zip attachment in the format of 201612130917585473299351.zip
    (which is date_randomnumbers.zip) which delivers... Sharik Trojan... Other subjects include:
    Confirmacion
    datos ...
    One of the emails looks like:
    From: from910663334@ fax.vodafone .es
    Date: Tue 13/12/2016 08:47shows
    Subject: fax copia
    Attachment: 201612130917585473299351.zip


    Body content: totally empty/blank

    13 December 2016: 201612130917585473299351.zip: Extracts to: 201612130913339837772661.pdf.exe
    Current Virus total detections 6/56*. Payload Security** shows several connections which confirms Sharik...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1481619230/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    146.0.72.73
    172.227.109.213

    ___

    Fake 'picture' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/a-pic...ky-ransomware/
    13 Dec 2016 - "... an email with the subject of 'a picture for you' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of 2016-12-1640.zip which delivers Locky ransomware. other subjects in this malspam run include:
    a image for you
    a photos for you ...
    One of the emails looks like:
    From: Delia <Delia.6@ mountainbikecup .dk>
    Date: Tue 13/12/2016 15:22
    Subject: a picture for you
    Attachment: 2016-12-1640.zip
    resized


    13 December 2016:2016-12-1640.zip: Extracts to: 2016-12-14473.jse - Current Virus total detections 11/50*
    MALWR** shows a download of an encrypted file from http ://jrgolfbuddy .com/knby545?MoxfoYUn=neDsPVdRB which is converted by the script to GDJpPJ1.dll (VirusTotal 9/56***). Payload Security[4]. C2 http ://176.121.14.95 /checkupdate
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1481643767/

    ** https://malwr.com/analysis/MzgwN2M0Z...QyMWYwYmQ4ZWQ/
    Hosts
    192.185.225.117
    176.121.14.95


    *** https://www.virustotal.com/en/file/f...is/1481643297/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.185.225.117
    176.121.14.95
    35.163.57.6
    52.85.184.150
    35.160.111.237

    ___

    Fake 'Fixed invoices' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/fixed...elivers-locky/
    13 Dec 2016 - "... an email with the subject of 'Fixed invoices'... pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of inv4665150.zip which delivers Locky ransomware... One of the emails looks like:
    From: Julia Weiss <Weiss.Julia@ interfacialsolutions .com>
    Date: Tue 13/12/2016 20:28
    Subject: Fixed invoices
    Attachment: inv4665150.zip
    Dear [redacted],
    Sorry for mistakes in the invoice. The number is 362, the amount came to $289.26.
    Please check out the details in the attachment.
    Best Regards,
    Julia Weiss


    13 December 2016: inv4665150.zip: Extracts to: ~_C4RM8B_~.wsf - Current Virus total detections 2/54*
    ... Payload Security**... does show locky ransomware and C2 sites... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1481661940/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    104.168.87.215
    54.187.5.20
    213.32.113.203
    52.34.245.108
    52.35.54.251
    91.198.174.192
    91.198.174.208


    Last edited by AplusWebMaster; 2016-12-13 at 23:48.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •