Thread: SPAM frauds, fakes, and other MALWARE deliveries...

    #34
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Fake 'Invoice', 'Overdue Invoice' SPAM, Dyre Trojan - gone dark

    FYI...

    Fake 'Invoice' SPAM - doc malware
    - http://myonlinesecurity.co.uk/invoic...d-doc-malware/
    15 Feb 2016 - "An email with the subject of 'Invoice (w/e 070216)' pretending to come from Kelly Pegg <kpegg@ responserecruitment .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Kelly Pegg <kpegg@ responserecruitment .co.uk>
    Date: SKM_C3350160212101601 .docm
    Subject: Invoice (w/e 070216)
    Attachment: SKM_C3350160212101601 .docm
    Good Afternoon
    Please find attached invoice and timesheet.
    Kind Regards
    Kelly


    15 February 2016: SKM_C3350160212101601.docm - Current VirusTotal detections 7/54*
    MALWR** shows a download of Dridex banking Trojan from
    http ://216.158.82.149 /09u8h76f/65fg67n (VirusTotal 4/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1455537274/

    ** https://malwr.com/analysis/ZTViNjYyM...k2OTlkYmIyMWU/
    216.158.82.149: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/b3...a391/analysis/
    5.45.180.46
    13.107.4.50

    *** https://www.virustotal.com/en/file/c...is/1455536293/
    TCP connections
    5.45.180.46
    13.107.4.50

    - http://blog.dynamoo.com/2016/02/malw...216-kelly.html
    15 Feb 2016 - "... Attached is a file SKM_C3350160212101601.docm which comes in -several- different variants. The macro in the document attempts to download a malicious executable from:
    216.158.82.149 /09u8h76f/65fg67n
    sstv.go .ro/09u8h76f/65fg67n
    www .profildigital .de/09u8h76f/65fg67n
    This dropped a malicious executable with a detection rate of 6/54* which according to these automated analysis tools [1] [2] calls home to:
    5.45.180.46 (B & K Verwaltungs GmbH, Germany)
    I strongly recommend that you -block- traffic to that address. The payload is the Dridex banking trojan."
    * https://www.virustotal.com/en/file/c...433c/analysis/
    TCP connections
    5.45.180.46: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/56...85ee/analysis/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/

    1] https://malwr.com/analysis/ZWEyODc4Y...EyNDBjODRiNmI/
    5.45.180.46
    184.25.56.44

    2] https://www.hybrid-analysis.com/samp...nvironmentId=4
    ___

    Fake 'Overdue Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/02/malw...ce-012345.html
    15 Feb 2016 - "This malicious spam appears to come from many different senders and companies. It has a malicious attachment:
    From: Brandi Riley [BrandiRiley21849@ horrod .com]
    Date: 15 February 2016 at 12:20
    Subject: Overdue Invoice 089737 - COMS PLC
    Dear Customer,
    The payment is overdue. Your invoice appears below. Please remit payment at your earliest convenience.
    Thank you for your business - we appreciate it very much.
    Sincerely,
    Brandi Riley
    COMS PLC


    Attached is a file in the format INVOICE-UK865916 2015 NOV.doc which comes in several different versions (VirusTotal results [1] [2] [3]). The Hybrid Analysis* shows an attempted download from:
    node1.beckerdrapkin .com/fiscal/auditreport.php
    This is hosted on an IP that you can assume to be malicious:
    193.32.68.40 (Veraton Projects, BZ / DE)
    The dropped executable (detection rate 4/54**) then phones home to:
    194.58.92.2 (Reg.Ru Hosting, Russia)
    202.158.123.130 (Cyberindo Aditama, Indonesia)
    185.24.92.229 (System Projects LLC, Russia)
    The payload is the Dridex banking trojan.
    Recommended blocklist:
    193.32.68.40
    194.58.92.2
    202.158.123.130
    185.24.92.229"
    1] https://www.virustotal.com/en/file/d...is/1455541445/

    2] https://www.virustotal.com/en/file/c...is/1455541455/

    3] https://www.virustotal.com/en/file/6...e6b1/analysis/

    * https://www.hybrid-analysis.com/samp...nvironmentId=4

    ** https://www.virustotal.com/en/file/f...is/1455542606/
    TCP connections
    202.158.123.130: https://www.virustotal.com/en/ip-add...0/information/
    81.52.160.146: https://www.virustotal.com/en/ip-add...6/information/
    185.24.92.229: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/65...02fa/analysis/
    ___

    Dyre Trojan - gone dark...
    - https://securityintelligence.com/dyr...ted-in-moscow/
    Feb 9, 2016 - "... Reuters reports* that a police raid took place in November 2015 in a downtown Moscow high-rise. The operation reportedly took place inside the offices of a film distribution and production company called 25th Floor, which is, ironically, in the midst of producing a movie called 'Botnet', loosely based on a 2010 cybercrime case... IBM X-Force researchers indicate that Dyre, which has been a constantly evolving threat, fell silent in November 2015. According to IBM Trusteer, malware infection rates dropped sharply in mid-November, with new user infections appearing in the single digits per day at most. Beyond the drop in new infections, which signified the halt of spam/exploit kit campaigns, Dyre’s configuration-update-servers and its real-time-webinjection-server were -both- disconnected from the Internet as the malware ceased generating attempted fraudulent transactions. A week later, in late November, Dyre’s redirection attack servers also went dark:
    > https://static.securityintelligence....ks_Flatten.png
    It has been close to three months now since Dyre went silent. This in and of itself could have been a pause taken by its operators, an occurrence that happens from time to time; in September 2015, Dridex, too, went silent for almost a month. But cybercrime gangs like Dyre do not typically stay out of the game for three whole months unless they are in trouble. And trouble is apparently what befell the Dyre crew in Moscow last November. Dyre is considered one of the most advanced banking Trojans active in the wild today. Beyond the technical level of its attacks, Dyre is prolific in different parts of the globe and has made its mark as the most active Trojan family in 2015, according to IBM Trusteer data:
    > https://static.securityintelligence....op_Bankers.png
    If the gang operating Dyre has indeed been apprehended in Russia, the event will go down as one of the most significant cybercrime busts in history. More than its magnitude in terms of the fraud losses that will be spared, it will be one of the most noteworthy operations carried out against cybercrime on Russian soil by Russian authorities... Dyre’s absence will also give a bigger market share to other malware like Dridex, for example, which, according to IBM X-Force researchers, has been enhancing its attack methods to match Dyre’s and focusing on high-value business and corporate accounts in the U.K. and the U.S., which closely resembles Dyre’s path through the year before the raid..."
    * http://www.reuters.com/article/us-cy...-idUSKCN0VE2QS

    Last edited by AplusWebMaster; 2016-02-15 at 20:43.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

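As an added example (not code from the post or from the blogs it quotes), a small Python scan over constructed proxy log lines that flags the indicators quoted above: the blocklisted IPs, the shared dropper path that the Dynamoo post shows served from three different hosts, and .docm downloads. The log format, client addresses and any hostname not quoted in the thread are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators are the ones quoted in the thread above (Dridex campaigns of
# 15 Feb 2016); the log format and the log lines are constructed for this example.
BLOCKLIST = {
    "216.158.82.149", "5.45.180.46",          # 'Invoice' campaign
    "193.32.68.40", "194.58.92.2",            # 'Overdue Invoice' campaign
    "202.158.123.130", "185.24.92.229",
}
# The same download path was served from three unrelated hosts, so matching
# the path catches mirrors that the IP blocklist does not name.
DROPPER_PATHS = ("/09u8h76f/65fg67n", "/fiscal/auditreport.php")

# Constructed proxy log format: "client dst_ip METHOD url STATUS"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")

def classify(line):
    """Return (reason, detail) when a line matches a campaign indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None                      # unparseable line: skip, do not crash
    _client, dst, _method, url, _status = m.groups()
    if dst in BLOCKLIST:
        return ("blocklisted-ip", dst)
    path = urlsplit(url).path
    if any(path.startswith(p) for p in DROPPER_PATHS):
        return ("dropper-path", url)     # known path on a host the list lacks
    if path.lower().endswith(".docm"):
        return ("macro-doc-download", url)
    return None

def scan(lines):
    """Map each matching line to (1-based line number, finding)."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            findings.append((n, hit))
    return findings

SAMPLE_LOG = [  # constructed sample lines
    "10.0.0.12 216.158.82.149 GET http://216.158.82.149/09u8h76f/65fg67n 200",
    "10.0.0.12 5.45.180.46 POST http://5.45.180.46/ 200",
    "10.0.0.33 93.184.216.34 GET http://example.com/index.html 200",
    "10.0.0.33 203.0.113.9 GET http://sstv.go.ro/09u8h76f/65fg67n 404",
    "10.0.0.40 198.51.100.7 GET http://mail.example.net/SKM_C3350160212101601.docm 200",
    "not a log line",
]

if __name__ == "__main__":
    for n, (reason, detail) in scan(SAMPLE_LOG):
        print(f"line {n}: {reason} {detail}")
```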