FYI...
Fake 'Confirmation' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoof...ky-ransomware/
14 Dec 2016 - "An email -spoofing- Kirklees Council with the subject of 'Booking Confirmation' pretending to come from random senders with a malicious word doc attachment delivers Locky ransomware... The email looks like:
From: jewell nethercote <jewell.nethercote@ luciafranca .com>
Date: Wed 14/12/2016 08:06
Subject: Booking Confirmation
Attachment: BookingConfirmation_331225_aberkinnuji@ thespykiller .co.uk.docm
Booking Confirmation
This email and any attachments are confidential. If you have received it in error – notify the sender immediately, delete it from your system, and do not use, copy or disclose the information in any way. Kirklees Council monitors all emails sent or received.
14 December 2016: BookingConfirmation_331225_aberkinnuji@ thespykiller .co.uk.docm - Current Virus total detections 13/56*.
MALWR** shows a download of an encrypted file from http ://eastoncorporatefinance .com/nbv364 which is converted by the script to sonmoga2.rudf (VirusTotal 7/57***). Payload Security[4]. Locky has recently started to use non-standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1481706521/
** https://malwr.com/analysis/ZmQyMjMzY...JlNTBjYTEzYjY/
Hosts
217.160.231.206
176.121.14.95
*** https://www.virustotal.com/en/file/a...is/1481706902/
[4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
217.160.231.206
176.121.14.95
185.117.72.105
52.34.245.108
52.85.184.150
35.160.111.237
___
Fake 'Certificate' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/parce...ky-ransomware/
14 Dec 2016 - "... an email with the subject of 'Parcel Certificate' pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of par_cert_5444211.zip which delivers Locky ransomware... One of the emails looks like:
From: Effie Bush <Bush.Effie@ adkime .com>
Date: Wed 14/12/2016 09:41
Subject: Parcel Certificate
Attachment: par_cert_5444211.zip
Dear hyperbolasmappera,
Please check the parcel certificate I am sending you in the attachment.
Order number is 477-F. Quite urgent, so please review it.
Best Regards,
Effie Bush
14 December 2016: par_cert_5444211.zip: Extracts to: ~_9UZONB_~.wsf - Current Virus total detections 3/54*
Payload Security** shows a download of an encrypted file from http ://ziskant .com/kqnioulnfj which is converted by the script to hIzFvc4Ek.zk (VirusTotal 4/56***). Locky has recently started to use non-standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes .tdb or .zk or any other 2, 3 or 4 character or number extension. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1481708404/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
62.210.89.38
185.129.148.56
86.110.117.155
213.32.113.203
35.160.111.237
*** https://www.virustotal.com/en/file/4...is/1481709795/
___
Fake 'e-fax' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoof...anking-trojan/
14 Dec 2016 - "An email with the subject of 'eFax message from +611300786102 – 4 page(s), Caller-ID: +611300786102' (random numbers) pretending to come from eFax <inbound@ efax .delivery> with a malicious word doc attachment delivers Trickbot banking Trojan...
Screenshot: https://i2.wp.com/myonlinesecurity.c...g?w=1308&ssl=1
14 December 2016: InboundMessage.doc - Current Virus total detections 10/53*
Payload Security** shows a download from ‘http ://cendereci .com/dasphdasodasopjdaspjdasdasa.png’ which is -not- a png (image file) but a -renamed- .exe (VirusTotal 41/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1481698402/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
85.159.66.172
23.21.228.240
36.37.176.6
202.5.50.55
*** https://www.virustotal.com/en/file/a...78f8/analysis/
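Both tricks quoted above (Locky's DLLs dropped with made-up 2-4 character extensions such as .rudf, .zk or .342, and the Trickbot .exe served as a .png) rely on the extension lying about the content. The check a practitioner wants is therefore content-based: look for the DOS "MZ" stub, follow e_lfanew to the "PE\0\0" signature, and read IMAGE_FILE_HEADER.Characteristics to tell a DLL (IMAGE_FILE_DLL, 0x2000) from an EXE, then compare with what the filename claims. The script below is an added example, not code from myonlinesecurity or from the posts quoted here; the filenames reuse those mentioned in the posts, but the bytes are a constructed minimal PE header fixture (not the real samples), and the extension lists are assumptions, not an authoritative catalogue.

```python
import os
import struct

# PE constants (from the PE/COFF specification)
IMAGE_FILE_DLL = 0x2000
PE_SIGNATURE = b"PE\0\0"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Assumed extension sets for the mismatch check (illustrative, not exhaustive).
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".cpl", ".sys"}


def pe_info(data: bytes):
    """Return 'dll' or 'exe' if data carries a PE header, else None.

    Minimal parse: DOS header -> e_lfanew (offset 0x3C) -> 'PE\\0\\0' ->
    IMAGE_FILE_HEADER, whose Characteristics field sits 18 bytes in.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need signature (4) + full IMAGE_FILE_HEADER (20) to be present.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return None
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def classify(name: str, data: bytes) -> str:
    """Compare what the extension claims with what the bytes actually are."""
    ext = os.path.splitext(name)[1].lower()
    kind = pe_info(data)
    if kind is None:
        if ext == ".png" and data.startswith(PNG_MAGIC):
            return "ok: PNG image"
        return "not a PE image"
    if ext in IMAGE_EXTENSIONS:
        return f"suspicious: {kind} payload disguised as {ext}"
    if ext not in EXECUTABLE_EXTENSIONS:
        return f"suspicious: {kind} with non-standard extension {ext or '(none)'}"
    return f"ok: {kind} with expected extension"


def build_fake_pe(is_dll: bool) -> bytes:
    """Constructed fixture: MZ stub + PE signature + IMAGE_FILE_HEADER only.

    Not a loadable binary; just enough header for pe_info() to parse.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # EXECUTABLE_IMAGE | 32BIT_MACHINE, plus IMAGE_FILE_DLL for a DLL
    characteristics = 0x2102 if is_dll else 0x0102
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + PE_SIGNATURE + file_header


# Constructed samples; names come from the quoted posts, bytes do not.
SAMPLES = {
    "sonmoga2.rudf": build_fake_pe(is_dll=True),
    "hIzFvc4Ek.zk": build_fake_pe(is_dll=True),
    "dasphdasodasopjdaspjdasdasa.png": build_fake_pe(is_dll=False),
    "photo.png": PNG_MAGIC + b"\0" * 16,
    "update.exe": build_fake_pe(is_dll=False),
}


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; returns {filename: verdict}."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:36} {verdict}")
```

Against a real drop folder you would feed the first few hundred bytes of each file into classify(); a DLL with a 2-4 character junk extension, or a PE where a .png was expected, is exactly the shape of artefact both posts describe.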