Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #711
    AplusWebMaster (Adviser Team)

    Fake 'Invoice# 2976361' SPAM, "Logjam" ...

    FYI...

    Fake 'Invoice# 2976361' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/05/malw...-attached.html
    21 May 2015 - "So far I have only seen one sample of this. The sender and subject may vary.
    From: PGOMEZ@polyair .co .uk
    Date: 21 May 2015 at 08:58
    Subject: Invoice# 2976361 Attached
    Invoice Attached - please confirm..


    Attached is a malicious file with the not-very-imaginative name 00001.doc [VT 4/56*] which contains this malicious macro [pastebin] that downloads a component from the following location:
    http ://mercury.powerweave .com/72/11.exe
    This download site is hosted on 50.97.147.195 (Softlayer Technologies, US / Powerweave Software Services, India), although be aware that -other- versions of the macro may download from other locations. This file is saved as %TEMP%\ribasiml.exe and has a VirusTotal detection rate of 5/57**. Automated analysis tools... show attempted communications with the following IPs:
    78.24.218.186 (TheFirst-RU, Russia)
    78.46.60.131 (Hetzner, Germany)
    87.236.215.151 (OneGbits, Lithuania)
    94.242.58.146 (Fishnet Communications, Russia)
    130.208.166.65 (The University of Iceland, Iceland)
    176.31.28.250 (OVH, France / Bitweb LLC, Russia)
    185.12.95.191 (RuWeb, Russia)
    The Malwr report shows that it drops a Dridex DLL with a detection rate of 4/57***.
    Recommended blocklist:
    78.46.60.131
    87.236.215.151
    94.242.58.146
    130.208.166.65
    176.31.28.250
    185.12.95.191
    50.97.147.195
    "
    * https://www.virustotal.com/en/file/7...is/1432196986/

    ** https://www.virustotal.com/en/file/4...is/1432197071/

    *** https://www.virustotal.com/en/file/5...is/1432198215/


    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    21 May 2015
    > https://www.virustotal.com/en/file/7...is/1432194451/
    000001.DOC

    mercury.powerweave .com: 50.97.147.195: https://www.virustotal.com/en/ip-add...5/information/
    ___

    Fake 'Travel order confirmation' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/travel...sheet-malware/
    21 May 2015 - "'Travel order confirmation 0300202959' pretending to come from overseastravel@ caravanclub .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Customer,
    Thank you for your travel order.
    Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.
    Now you have booked your trip why not let The Club help you make the most of your stay?
    Did you know The Club has a wide selection of travel advice on the website as well as directions to all our overseas sites?
    Want some inspiration on more sites across Europe? Take a look at our Caravan Europe Guides.
    If you’ve not already taken out holiday insurance why not let The Club give you a Red Pennant quote online .
    Yours sincerely
    The Caravan Club
    This email is sent from the offices of The Caravan Club, a company limited by guarantee (Company Number: 00646027). The registered office is East Grinstead House, London Road, East Grinstead, West Sussex, RH19 1UA...


    21 May 2015: Travel Order Confirmation – 0300202959.doc
    Current Virus total detections: 4/57* ... downloads -same- Dridex malware as today’s other word doc malspam run Invoice# 2976361 Attached – word doc or excel xls spreadsheet malware:
    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1432197951/

    - http://blog.dynamoo.com/2015/05/malw...firmation.html
    21 May 2015 - "... Travel Order Confirmation - 0300202959.doc, however the payload seems to be identical to the one found in this earlier spam run*."
    * http://blog.dynamoo.com/2015/05/malw...-attached.html
    ___

    Fake 'Pampered Chef' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/recipe...e-pdf-malware/
    21 May 2015 - "'Recipes for your new Pampered Chef Baker' coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    Hello!
    I know you’ll love your new Pampered Chef baker! Thank you for your order.
    Attached are Deep Covered Baker recipes.
    Many Deep Covered Baker Recipes can also be made in the smaller, Round Covered Baker.
    For microwave recipes, use half the ingredients and half the bake time suggested. For oven recipes, use half the ingredients but follow recommended bake times or visual indicators in the recipe.
    Enjoy!
    Please contact me if you have questions or concerns.
    Thank you,
    Robbin


    21 May 2015: Pampered_ingredients.zip: Extracts to: Pampered_ingredients.exe
    Current Virus total detections: 3/57* . There are several different versions of the malware floating around. This is just one example. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1432205437/
    ___

    Fake 'Unpaid Invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/unpaid...e-pdf-malware/
    21 May 2015 - "'Unpaid Invoice' pretending to come from HMRC .gov .uk <application@ hmrc .gov .uk> with a zip attachment is another one from the current bot runs... The email looks like:
    Please pay this invoice at your earliest opportunity.

    21 May 2015: invoice_8467_08202014.zip: Extracts to: invoice_8467_08202014.scr
    Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1432226961/
    ___

    Exploit kits delivering Necurs
    - https://isc.sans.edu/diary.html?storyid=19719
    2015-05-21 - "In the past few days, we've seen Nuclear and Angler exploit kits (EKs) delivering -malware- identified as Necurs... Necurs is a type of malware that opens a back door on the infected computer [1]. It may also disable antivirus products as well as download additional malware [1][2]... I saw Necurs as a malware payload from Nuclear and Angler EKs last week... In each case, traffic went through a gate on 185.14.30.218 (between the compromised website and the EK landing page). We ran across Nuclear EK delivering Necurs again on 2015-05-20. In this example, the gate was on 91.121.63.249..."
    (More detail at the isc URL above.)

    1] https://www.symantec.com/security_re...121212-2802-99

    2] https://www.microsoft.com/security/p...n:Win32/Necurs

    185.14.30.218: https://www.virustotal.com/en/ip-add...8/information/

    91.121.63.249: https://www.virustotal.com/en/ip-add...9/information/
    ___

    “Facebook Recovery” accounts share Phishing link, offer Tech Support
    - https://blog.malwarebytes.org/fraud-...-tech-support/
    May 21, 2015 - "We’ve seen a certain j.mp -shortened- URL being shared by what we believe are
    -rogue- (if not compromised) accounts within Facebook a couple of days ago. In the below sample we recovered, the URL in question is part of a message from another account called “Facebook recovery” — a truly -fake- one... that is up to task of notifying users that their accounts have been reported for abuse and will likely be disabled if they don’t act on the notice ASAP:
    > https://blog.malwarebytes.org/wp-con...-spam-post.png
    The URL, of course, hides the below phishing page:
    > https://blog.malwarebytes.org/wp-con...ge-default.png
    The blurb on the page is the same as the spammed message on Facebook. Once a user enters the credentials asked for and clicks Log In, data is posted to recovery.php, and then users are -redirected- to this payment page, which asks for his/her full name, credit card details, and billing address:
    > https://blog.malwarebytes.org/wp-con...ng-payment.png
    We have no idea why all of a sudden the account that claims to be a legitimate entity from Facebook is asking for a form of monetary compensation for the recovery of accounts. Perhaps that is what the phishers meant when they said “help us do more for security and convenience for everyone”. We have looked at the stats for the j.mp URL and found that it didn’t yield that many clicks from the time of its creation up to the present... It’s highly likely that the URL is not shared during these days, making it less visible than your average malicious URL. Less visibility also means that potentially fewer companies would be able to block it due to flying under the radar. VT results for the j.mp URL show this*.
    * https://www.virustotal.com/en/url/b5...is/1432202719/
    Furthermore, the majority of clicks are mostly from Asian countries and the United States:
    > https://blog.malwarebytes.org/wp-con...er-country.png
    We did a simple search on Facebook for accounts that may contain the string “Facebook recovery”. To date, we found more than 40... If you see posts on your feed that appear similar to the Facebook post we discussed here, whether it continues to bear the same URL or not, it’s best to -ignore- it and warn your network about an on-going -spam- campaign."

    recovery-page-php .zz .mu: 185.28.21.145: https://www.virustotal.com/en/ip-add...5/information/
    ___

    "Logjam"...
    - https://blog.malwarebytes.org/securi...-need-to-know/
    May 20, 2015 - "... Dubbed as Logjam, the vulnerability affects home users -and- corporations alike, and over 80,000 of the top one million domains worldwide were found to be vulnerable. The original report on Logjam can be found here:
    - https://weakdh.org/
    ... While much of the research is performed against a Diffie-Hellman 512-bit key group, the researchers behind the Logjam discovery also speculate that 1024-bit groups could be vulnerable to those with “nation-state” resources, making a suggestion that groups like the NSA might have already accomplished this... . A comprehensive look at all of their research can be found here:
    - https://weakdh.org/imperfect-forward-secrecy.pdf
    ... At the time of this writing, patches are still in the works for all the major web browsers, including Chrome, Firefox, Safari, and Internet Explorer. They should be released in the next day or two, so ensure your browser updates correctly once it's released. These updates should reject Diffie-Hellman key lengths that are less than 1024 bits..."

    Also see:
    - https://isc.sans.edu/diary.html?storyid=19717
    2015-05-20

    Last edited by AplusWebMaster; 2015-05-21 at 21:18.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
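    The Logjam item above says the browser patches should reject Diffie-Hellman groups under 1024 bits; weakdh.org's server-side guidance goes further and asks for 2048-bit groups. Python's ssl module does not expose the negotiated DH parameter size, so the added example below (the editor's, not code from the quoted blogs or the weakdh.org authors) parses the transcript that `openssl s_client` prints (OpenSSL 1.0.2 or later emits a "Server Temp Key" line) and grades the finite-field DH group it finds. The four transcripts embedded in it are constructed, abridged samples; probe() is the live variant and needs network access and an OpenSSL binary on PATH.

```python
import re
import subprocess

# Constructed, abridged `openssl s_client` transcripts (not real probe output).
SAMPLE_WEAK = """CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
"""
SAMPLE_EXPORT = """New, TLSv1/SSLv3, Cipher is EXP-EDH-RSA-DES-CBC-SHA
Server Temp Key: DH, 512 bits
"""
SAMPLE_OK = """New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256
Server Temp Key: DH, 2048 bits
"""
SAMPLE_ECDH = """New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH, P-256, 256 bits
"""

MIN_DH_BITS = 2048  # weakdh.org server guidance; 1024-bit groups are the nation-state concern

# Matches "Server Temp Key: DH, 1024 bits" and "Server Temp Key: ECDH, P-256, 256 bits"
TEMP_KEY_RE = re.compile(r"Server Temp Key:\s*(\w+),\s*(?:[^,\n]+,\s*)?(\d+)\s*bits")
CIPHER_RE = re.compile(r"Cipher is\s+(\S+)")


def parse_temp_key(output):
    """Return (key_type, bits) from the Server Temp Key line, or (None, None) if absent."""
    m = TEMP_KEY_RE.search(output)
    if not m:
        return None, None
    return m.group(1), int(m.group(2))


def assess_dh(output):
    """Grade a transcript: 'export' (the Logjam downgrade target), 'weak', 'ok' or 'no-dh'."""
    key_type, bits = parse_temp_key(output)
    m = CIPHER_RE.search(output)
    cipher = m.group(1) if m else ""
    if key_type != "DH":
        return "no-dh"          # ECDH was used, or the server refused every DHE suite
    if cipher.startswith("EXP") or bits <= 512:
        return "export"
    if bits < MIN_DH_BITS:
        return "weak"
    return "ok"


def probe(host, port=443, timeout=15):
    """Live check (network + OpenSSL >= 1.0.2): force DHE suites so the DH group is exposed."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-cipher", "EDH"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return assess_dh(proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("export", SAMPLE_EXPORT),
                        ("ok", SAMPLE_OK), ("ecdh", SAMPLE_ECDH)):
        print(f"{label:7s} -> {assess_dh(text)}")
```

    A "no-dh" grade from probe() also covers a server that refuses the forced EDH handshake, which is fine for Logjam purposes as long as its ECDHE suites are what clients normally negotiate. A "weak" or "export" grade means the server should either drop DHE or generate a fresh 2048-bit group (openssl dhparam 2048) instead of the well-known default groups the weakdh.org paper precomputes against.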

  2. #712
    AplusWebMaster (Adviser Team)

    Fake 'Australian Tax', 'Invoice IN278577' SPAM

    FYI...

    Fake 'Australian Tax' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/austra...e-pdf-malware/
    22 May 2015 - "'Australian Taxation Office – Remittance Advisory Email' pretending to come from Australian Taxation Office <noreply@ ato .gov .au> with a link to download a zip file is another one from the current bot runs... The bots seem to be getting very confused today and are mixing up Lloyds Bank with Australian Taxation Office and even using a date 1 year in the past. Nobody should fall for these. The links in the emails currently are set to download from:
    - https ://storage-ec2-13.sharefile .com/download.ashx?dt=dt8fdfcdfa200a4b01b93e2643fa61fcc1&h=xw9ZAT0fvavEwl7uRL2DX3xEJcw6II19IbZfNyN1ix0%3d
    Update: we are now seeing several different sharefile .com download links. All appear to be the same malware, regardless of the link. The same set of download links are being spammed out in other emails from the same bot net with subjects of 'You’ve received a new fax' appearing to come from fax@ your own domain and 'Internal ONLY' pretending to come from Administrator@ your own domain both alleging to contain a fax message. The email looks like:

    Monday 22 May 2014
    This is a Remitter Advice following the submission of a payment instruction by Lloyds Bank Plc. Please review the details of the payment here.
    Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0845 603 1637
    Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.
    Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.
    Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.
    HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813...


    22 May 2015 : FAX_82QPL932UN_771.zip: Extracts to: FAX_82QPL932UN_771.scr
    Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1432286982/

    storage-ec2-13.sharefile .com: 54.84.9.118: https://www.virustotal.com/en/ip-add...8/information/

    - http://blog.dynamoo.com/2015/05/malw...er-advice.html
    22 May 2015
    "... Recommended blocklist:
    209.15.197.235
    217.23.194.237
    "
    ___

    Fake 'Invoice IN278577' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/your-i...sheet-malware/
    22 May 2015 - "'Your Invoice IN278577 from Out of Eden pretending to come from sales@ outofeden .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ut-of-Eden.png

    22 May 2015 : Invoice IN278577 (emailed 2015-05-21).doc
    Current Virus total detections: 1/57*... Which downloads www .footingclub .com/85/20.exe which is a Dridex banking Trojan (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1432288366/

    ** https://www.virustotal.com/en/file/4...is/1432288878/
    ... Behavioural information
    TCP connections
    185.12.95.191: https://www.virustotal.com/en/ip-add...1/information/
    2.18.213.208: https://www.virustotal.com/en/ip-add...8/information/

    Last edited by AplusWebMaster; 2015-05-22 at 13:45.
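    The macro items in this post and the one above follow the pattern the dynamoo write-up spells out: Word or Excel runs a macro, which fetches an .exe, saves it under %TEMP% and executes it. As an added example (the editor's, not code from the quoted blogs), the Python below turns that pattern into a detection over process-creation events in a Sysmon-like field layout. The events are constructed to mirror the samples named on this page (ribasiml.exe, 20.exe, the .scr "PDF") and are not real telemetry; the field names ParentImage/Image/CommandLine are an assumption about the log source.

```python
import json
import ntpath

# Constructed process-creation events in a Sysmon-like field layout (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Users\bob\AppData\Local\Temp\ribasiml.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\ribasiml.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c start %TEMP%\20.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},          # benign print helper
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\Downloads\invoice_8467_08202014.scr",
     "CommandLine": r"C:\Users\bob\Downloads\invoice_8467_08202014.scr"},
]
SAMPLE_JSONL = [json.dumps(e) for e in SAMPLE_EVENTS]   # same events as a JSON-lines feed

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\windows\\temp\\", "\\downloads\\")
LEGACY_EXEC_EXT = (".scr", ".pif", ".com")   # loaded exactly like .exe, but look less alarming


def classify(event):
    """Return the list of rule names an event trips (empty list means clean)."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = event.get("Image", "").lower()
    child = ntpath.basename(image)
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if parent in OFFICE_PARENTS:
        if any(seg in image for seg in USER_WRITABLE):
            hits.append("office-app spawned binary from user-writable path")
        if child in SCRIPT_HOSTS:
            hits.append("office-app spawned script host or LOLBin")
        if "%temp%" in cmd or "\\temp\\" in cmd:
            hits.append("office-app child command line references temp directory")
    if child.endswith(LEGACY_EXEC_EXT) and any(seg in image for seg in USER_WRITABLE):
        hits.append("legacy executable extension launched from user-writable path")
    return hits


def scan(events):
    """Return [(index, hits)] for every event that tripped at least one rule."""
    return [(i, h) for i, ev in enumerate(events) for h in [classify(ev)] if h]


def scan_jsonl(lines):
    """Same as scan() over JSON-lines input, one event per line; blank lines are skipped."""
    return scan([json.loads(line) for line in lines if line.strip()])


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ntpath.basename(ev['ParentImage'])} -> {ntpath.basename(ev['Image'])}")
        for h in hits:
            print("     ", h)
```

    The splwow64.exe event is there on purpose: Office legitimately spawns a handful of helpers, so the rule keys on where the child lives and what it is, not on "Office spawned anything". The last rule is parent-independent because the .scr lures in this thread are launched from Explorer by the user, not by a macro.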

  3. #713
    AplusWebMaster (Adviser Team)

    Fake 'Blank 11', 'Invoice', 'Underreported Income' SPAM, Tesco phish

    FYI...

    Fake 'Blank 11' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/blank-...sheet-malware/
    26 May 2015 - "'Blank 11' pretending to come from hannah.e.righton@ gmail .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email has a completely blank body.

    26 May 2015: Blank 11.doc - Current Virus total detections: 2/57*
    The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
    * https://www.virustotal.com/en/file/3...is/1432633538/
    ___

    Fake 'Invoice' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/your-i...sheet-malware/
    26 May 2015 - "'Your Invoice (ref: INV232654) from thomsonlocal' pretending to come from Pleasedonotreply@ thomsonlocal .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...al_corrupt.png

    ... It is supposed to look like or read:
    > http://myonlinesecurity.co.uk/wp-con...mson_local.png

    26 May 2015: Invoice INV232654.doc - Current Virus total detections: 2/56*
    ... downloads the same Dridex banking malware as described in today’s other word macro malware downloaders being spammed out 'Blank 11 hannah.e.righton' – word doc or excel xls spreadsheet malware**. This particular macro version downloads from http ://crestliquors .com/73/20.exe
    (VirusTotal***) but all the downloads are identical, just from multiple different locations. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1432634028/

    ** http://myonlinesecurity.co.uk/blank-...sheet-malware/

    *** https://www.virustotal.com/en/file/e...is/1432631807/
    File name: 20_exe
    ... Behavioural information
    TCP connections
    144.76.238.214: https://www.virustotal.com/en/ip-add...4/information/
    88.221.14.249: https://www.virustotal.com/en/ip-add...9/information/

    crestliquors .com: 64.29.151.221: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Underreported Income' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/notice...e-pdf-malware/
    26 May 2015 - "'Notice of Underreported Income' pretending to come from Australian Taxation Office <noreply@ ato .gov .au> and 'Outdated Invoice' pretending to come from Sage Invoice <invoice@ sage .com> with a -link- in the body of the email to download a zip file is another one from the current bot runs... The Australian Taxation Office email looks like:

    Taxpayer ID: ufwsd-000008882579UK Tax Type: Income Tax Issue: Unreported/Underreported Income (Fraud Application) Please review your tax income statement on HM Revenue and Customs ( HMRC). Download your HMRC statement. Please complete the form...

    The links in these emails go to https ://a .uguu .se/hivjca_Invoice_00471200.zip (Note the HTTPS) which gives a not found message. If you drop the S and just use a standard HTTP link then you get the malware. The Sage invoice looks like:

    Sage Account & Payroll
    You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:
    https ://invoice .sage .co.uk/Account?769525=Invoice_090914.zip
    If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@ sage .com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.
    The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies...


    26 May 2015: ytuads_Invoice_00471206.zip: Extracts to: Invoice_00471206.scr
    Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1432638854/
    Invoice_00471203.scr
    ... Behavioural information
    TCP connections
    104.238.136.31: https://www.virustotal.com/en/ip-add...0/information/
    93.185.4.90: https://www.virustotal.com/en/ip-add...0/information/
    66.215.30.118: https://www.virustotal.com/en/ip-add...8/information/
    88.221.14.249: https://www.virustotal.com/en/ip-add...9/information/

    uguu .se:
    104.28.24.2: https://www.virustotal.com/en/ip-add...2/information/
    104.28.25.2: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'Invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/775-we...e-pdf-malware/
    26 May 2015 - "'775 Westminster Avenue APT D5 Fw: Invoice' coming from random email addresses and names with a zip attachment is another one from the current bot runs... The email looks like:
    Name: Invoice
    Customer ID: 718527
    Street Address
    775 Westminster Avenue APT D5
    Brooklyn, NY, 01748
    Phone: (235) 194-2842


    The customer ID number, The NY code and the Phone numbers are all random and different in each email. The attachment zip names are also random but all extract to the same invoice_company.exe
    26 May 2015: 030018-.zip: Extracts to: invoice_company.exe
    Current Virus total detections: 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1432647309/
    ___

    Tesco – Phish ...
    - http://myonlinesecurity.co.uk/collec...esco-phishing/
    26 May 2015 - "'Collect a 80GBP reward!' pretending to come from Tesco <postmaster@ tescoina .com>. It is the end of May, just after the bank holiday. You have spent up to your limit on the credit cards and are wondering how to pay the bills until the next pay cheque arrives, when what looks like a miracle happens. An email arrives apparently from Tesco saying Collect a 80GBP reward! that offers you £80 for filling in a Tesco customer satisfaction -survey... it is a -scam- and is a phishing fraud designed to steal your bank and credit card details... If you open the link you see a webpage looking like this: (I had to split it into 2 parts to take a screenshot):

    > http://myonlinesecurity.co.uk/wp-con...co-survey1.png

    > http://myonlinesecurity.co.uk/wp-con...co-survey2.png

    All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or follow links in them..."

    Last edited by AplusWebMaster; 2015-05-26 at 17:32.
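    Several items in this post and the previous ones describe the same lure: a zip whose only member is a .scr or .exe carrying a PDF icon, so that with "show known file extensions" off it passes for a document. As an added example (the editor's, not code from the quoted blogs), the Python below inspects such an archive without extracting or executing anything: it flags executable extensions, document-then-executable double extensions, and members whose first bytes are the PE "MZ" header despite a document extension. The archive is built in memory from constructed stubs (an MZ header followed by zero padding, not malware) named after samples mentioned on this page.

```python
import io
import posixpath
import zipfile

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs",
            ".vbe", ".wsf", ".hta", ".jar", ".lnk", ".ps1"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
PE_MAGIC = b"MZ"            # DOS header that starts every Windows PE, screensavers included


def build_sample_zip():
    """Constructed archive named after the samples on this page; every member is an inert stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_8467_08202014.scr", PE_MAGIC + b"\x00" * 62)
        zf.writestr("Pampered_ingredients.pdf.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("statement.pdf", PE_MAGIC + b"\x00" * 62)   # PE bytes behind a document name
        zf.writestr("readme.txt", b"plain text, nothing to see")
        zf.writestr("real.pdf", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n")
    return buf.getvalue()


def extensions(name):
    """All dotted suffixes of the member name, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = posixpath.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_member(name, head):
    """Rules for one member, given its name and its first bytes; returns a list of findings."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    findings = []
    if last in EXEC_EXT:
        findings.append(f"executable extension {last}")
    if len(exts) >= 2 and exts[-2] in DOC_EXT and last in EXEC_EXT:
        findings.append("double extension disguising executable as document")
    if head.startswith(PE_MAGIC) and last not in EXEC_EXT:
        findings.append("PE header behind non-executable extension")
    return findings


def inspect_zip(data, max_head=64):
    """Walk a zip held in memory without extracting; returns {member: [findings]} for suspicious members."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(max_head)      # only the header bytes are ever read
            findings = inspect_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


if __name__ == "__main__":
    for member, findings in inspect_zip(build_sample_zip()).items():
        print(member)
        for f in findings:
            print("   ", f)
```

    The PE-header rule is what catches the case the icon trick relies on: the filename is the lie, the bytes are not. Reading only the first 64 bytes of each member keeps the check cheap enough to run on every inbound attachment at the mail gateway, and nothing is written to disk.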

  4. #714
    AplusWebMaster (Adviser Team)

    Fake 'INV-152307', 'Invoice charge' SPAM, Chrome Lure used in Facebook Attack

    FYI...

    Fake 'INV-152307' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/anthon...sheet-malware/
    27 May 2015 - "'Anthony Alexandra Associates MAY INV-152307 GBP 418.80' pretending to come from Lauren Braisby <lauren.braisby@ reed .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...GBP-418.80.png

    25 February 2015: logmein_pro_receipt.xls - Current Virus total detections: 1/57*
    ... which downloads Dridex banking malware from http ://wingtouch .com/776/331.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1432725577/

    ** https://www.virustotal.com/en/file/a...is/1432727693/
    ... Behavioural information
    TCP connections
    185.11.247.226: https://www.virustotal.com/en/ip-add...6/information/
    88.221.14.249: https://www.virustotal.com/en/ip-add...9/information/

    wingtouch .com: 64.29.151.221: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Invoice charge' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/announ...sheet-malware/
    27 May 2015 - "'Announce of importance: Invoice charge' coming from random names, companies and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The emails looks like:
    Hi,
    Please see attached the copy of invoice from 22/05/2015.
    Please can you send a revised statement so we can settle any outstanding balances.
    Kind Regards,
    Mason Lloyd

    -Or-
    Your monthly Rainbow Communications invoice is attached to this mail.
    This bill is for account RT963382
    Please note that for those who receive multiple reports you may need to check your attachment field on your e-mail program to ensure that you have received them all.
    Louie Hood
    Business Account Manager

    -Or-
    Good morning,
    Our billing department have identified that you are getting both a hard copy and an e-mail copy of your bill. As a result you will be getting a monthly £3 hard copy fee.
    Can you let me know if the hard copy can be removed?
    Kind regards
    Angie Ayers
    Business Account Manager


    27 May 2015 : F6F0_C6C7DE4EE83EDC.doc - No detections anywhere and all automatic analysis has failed. The file appears to be base 64 encoded text that I haven’t yet managed to decode and find a working content...
    Update: 2nd version 25B5F_7B101029E76005.doc (VirusTotal*), so far I haven’t found a payload and the only automatic analysis hasn’t found anything... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
    * https://www.virustotal.com/en/file/a...is/1432729315/
    File name: 25B5F_7B101029E76005.doc
    Detection ratio: 0/57
    ___

    Fake 'Statement' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/statem...sheet-malware/
    27 May 2015 - "'Statement from [random company]' coming from random companies, names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please see attached statement.
    Please be advised that our company is now incorporated andtrades as DOMINO’S PIZZA GROUP PLC. Ourbank is still Ulster Bank, 14 High Street, Omagh, Co. Tyrone, BT78 1BJ with newaccount details as follows:
    Sort Code: 98-12-30
    Account Number: 10991670
    Ulster Bank has switched over our direct debits etc. for usso please take this letter as notification of same.
    Our company number isNI624042.
    DOMINO’S PIZZA GROUP PLC VAT registration number: GB184578365.
    We would also like to take this opportunity to thank you for your continuedsupport. If you should need any further information then please do not hesitateto contact us.
    Regards,
    Della Medina
    Accounts Dept.

    -Or-
    Please see attached statement.
    Please be advised that our company is now incorporated andtrades as Cleantec Equipment Ltd. Ourbank is still Ulster Bank, 14 High Street, Omagh, Co. Tyrone, BT78 1BJ with newaccount details as follows:
    Sort Code: 98-12-30
    Account Number: 10991670
    Ulster Bank has switched over our direct debits etc. for usso please take this letter as notification of same.
    Our company number isNI624042.
    Cleantec Equipment Ltd VAT registration number: GB184578365.
    We would also like to take this opportunity to thank you for your continuedsupport. If you should need any further information then please do not hesitateto contact us.
    Regards,
    Dallas Dickerson
    Accounts Dept.


    27 May 2015: 0A15_968CD62833A4B.doc - Current Virus total detections: 0/56*
    ... Once again today Analysis -fails- to give any download locations. It looks like the same behaviour as today’s earlier attempt Announce of importance: Invoice charge – word doc or excel xls spreadsheet malware**... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
    * https://www.virustotal.com/en/file/5...is/1432735276/

    ** http://myonlinesecurity.co.uk/announ...sheet-malware/
    ___

    Chrome Lure used in Facebook Attack ...
    - http://blog.trendmicro.com/trendlabs...es-new-policy/
    May 26, 2015 - "... cybercriminals keep using Google Chrome and Facebook to infect their victims with malware... We’ve already seen both platforms be used as parts of malicious social engineering schemes. Both Google and Facebook are aware of this and have taken steps to protect their users. The number of times malicious Chrome extensions have sprouted, for example, has driven Google to restrict the use of any extension not available on the Chrome Web Store. Unfortunately, initiatives like these have not deterred cybercriminal efforts. Our findings also show that many of these platforms users still get tricked.
    Message on Facebook: Clicking the link led us to a site with a page designed to mimic the look and feel of Facebook. The page even pretends to have content from YouTube. Visiting the -malicious- site led to the automatic download of a file titled Chrome_Video_installer.scr. The filename used makes it seem that it’s a harmless Chrome browser plugin required to play videos.
    Malicious page with the Facebook design: This supposed video installer file is detected as TROJ_KILIM.EFLD. This variant attempts to download another file — possibly the final payload — but the site is currently down. However, it should be noted that KILIM malware are known to be -malicious- Chrome extensions and plugins. KILIM variants have also been observed to spam Facebook messages and cause system infection... We checked the landing page and found out that the Philippines had the most number of users who visited the site, followed by those from Indonesia, India, Brazil, and the U.S... these countries are the same ones reported to have the highest percentage in terms of Facebook penetration... Given the popularity of Facebook, members of the site must be discerning when it comes to dealing with the content they come across with. -Never- click links from unknown or unverified sites, especially if the content sounds too interesting to be true. Cybercriminals often use shocking or eye-catching content to convince users to visit malicious websites. It’s far better to click links that lead to a reputable source than some random blog or site. The Trend Micro Site Safety Center* can also be used to check if websites are safe or not. The same can be said for links or attachments sent by friends. It’s worth the effort to first confirm the message before clicking the link or opening the attachment..."
    * http://global.sitesafety.trendmicro.com/

    Last edited by AplusWebMaster; 2015-05-27 at 21:37.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #715
    AplusWebMaster

    Fake 'latest invoice', 'Chasing delivery' SPAM

    FYI...

    Fake 'latest invoice' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/your-l...sheet-malware/
    28 May 2015 - "'Your latest invoice from The Fuelcard Company UK Ltd' pretending to come from invoicing@ fuelcards .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please find your latest invoice attached.
    If you have any queries please do not hesitate to contact our Customer
    Service Team at invoicing@ fuelcards .co .uk
    Regards
    The Fuelcard Compa


    28 May 2015: invoice.doc - Current Virus total detections: 2/57*
    ... This malicious macro downloads http ://contesafricains .com/01/59.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
    * https://www.virustotal.com/en/file/3...is/1432800000/

    ** https://www.virustotal.com/en/file/2...is/1432800544/
    ... Behavioural information
    TCP connections
    134.0.115.157: https://www.virustotal.com/en/ip-add...7/information/
    88.221.15.80: https://www.virustotal.com/en/ip-add...0/information/

    contesafricains .com: 213.186.33.19: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake 'Chasing delivery' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/212-b5...sheet-malware/
    28 May 2015 - "'212-B59329-23A – Chasing delivery' pretending to come from Rachel.Hopkinson@ anixter .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...g-delivery.png

    28 May 2015 : RR1A240D.doc - Current Virus total detections: 2/57*
    ... downloads http ://swiftlaw .com/01/59.exe** which is the same Dridex banking malware as today’s earlier malicious word doc malspam run 'Your latest invoice from The Fuelcard Company UK Ltd – word doc or excel xls spreadsheet malware'**... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
    * https://www.virustotal.com/en/file/3...is/1432811062/

    ** http://myonlinesecurity.co.uk/your-l...sheet-malware/

    swiftlaw .com: 216.251.32.98: https://www.virustotal.com/en/ip-add...8/information/

    Last edited by AplusWebMaster; 2015-05-28 at 14:15.

  6. #716
    AplusWebMaster

    Fake email, 'slide1', 'Order confirmation' SPAM

    FYI...

    Fake email SPAM - doc/xls malware attachment
    - http://myonlinesecurity.co.uk/uplata...sheet-malware/
    1 Jun 2015 - "'Uplata po pon 43421' pretending to come from Mirjana Prgomet <mirjana@ fokus-medical .hr> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a totally -blank- body with just an attachment.

    1 June 2015: report20520159260[1].doc - Current Virus total detections: 1/56*
    ... downloads Dridex banking malware from http ://jcmartz .com/1/09.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1433147275/

    ** https://www.virustotal.com/en/file/8...is/1433147275/
    ... Behavioural information
    TCP connections
    31.186.99.250: https://www.virustotal.com/en/ip-add...0/information/
    88.221.15.80: https://www.virustotal.com/en/ip-add...0/information/

    jcmartz .com: 66.175.58.9: https://www.virustotal.com/en/ip-add...9/information/

    - http://blog.dynamoo.com/2015/06/malw...pon-43421.html
    1 Jun 2015
    "... Recommended blocklist:
    31.186.99.250
    107.170.1.205
    146.185.128.226
    144.76.238.214
    "
    ___

    Fake 'slide1' SPAM - doc/xls malware attachment
    - http://myonlinesecurity.co.uk/emaili...sheet-malware/
    1 Jun 2015 - "'Emailing: slide1 Date: Mon, 01 Jun 2015 14:36:47 +0200' pretending to come from Simon Harrington <simonharrington@ talktalk .net> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ing-slide1.png

    1 Jun 2015 : slide1.doc - Current Virus total detections: 2/56*
    ... which connects to and downloads http ://216.22.14.37/~congafx/1/09.exe which is an updated Dridex banking malware (VirusTotal**)... It is using the same file name as today’s earlier malspam run but is a totally different file size Uplata po pon 43421 -Mirjana Prgomet – fokus-medical – word doc or excel xls spreadsheet malware***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1433162360/

    ** https://www.virustotal.com/en/file/4...ab09/analysis/

    *** http://myonlinesecurity.co.uk/uplata...sheet-malware/

    216.22.14.37: https://www.virustotal.com/en/ip-add...7/information/

    - http://blog.dynamoo.com/2015/06/malw...lktalknet.html
    1 Jun 2015
    "... Recommended blocklist:
    31.186.99.250
    107.170.1.205
    146.185.128.226
    144.76.238.214
    ..."
    ___

    Fake 'Order confirmation' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/order-...sheet-malware/
    1 Jun 2015 - "'Order confirmation 300-2015001469' with no apparent -from- address or -sender- & a -blank- empty body that is addressed to:
    To: <p.pichler@ allfi .com<randomname>@ Your email domain> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a completely blank body.

    1 June 2015: Order confirmation 300-2015001469.doc - Current Virus total detections: 4/56* ... downloads the same Dridex banking Trojan as one of today’s earlier word based malspam runs Emailing: slide1 Date: Mon, 01 Jun 2015 14:36:47 +0200 – Simon Harrington – word doc or excel xls spreadsheet malware**. The single version I examined downloaded from http ://irpanet .com/1/09.exe but there are -multiple- download locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
    * https://www.virustotal.com/en/file/7...is/1433170304/

    ** http://myonlinesecurity.co.uk/emaili...sheet-malware/

    irpanet .com: 64.29.151.221: https://www.virustotal.com/en/ip-add...1/information/

    Last edited by AplusWebMaster; 2015-06-01 at 19:06.

  7. #717
    AplusWebMaster

    DYRE Banking Malware Upsurge, Fake 'Rental Invoice' SPAM, Malvertising report

    FYI...

    DYRE Banking Malware Upsurge - Europe and North America Most Affected
    - http://blog.trendmicro.com/trendlabs...most-affected/
    June 2, 2015 - "Online banking users in Europe and North America are experiencing the upsurge of DYRE*, a malware family notorious for the multiple ways it steals data and its ties to parcel mule scams, among others. There has been a 125% increase of DYRE-related infections worldwide this quarter compared to the last, proving that cybercriminal interest in online banking has only continued to grow... We looked closely at the financial institutions whose URLs were contained in the DYRE malware samples. We noted URLs associated with several multinational banks, including their varied country branches, divisions, and the like... What’s troubling with this recent spam run is that it shows how online banking malware continue to come up with versions designed to defeat detection. UPATRE, the known precursor to DYRE, is part of the infection chain in this threat. Historically, UPATRE has been known to be the downloader or middleman malware of sorts for other infamous malware like ZBOT, CRILOCK, and ROVNIX. This time, UPATRE has grown beyond being just a downloader of other malware. Its new variant can -disable- detection, thus making it easier for the download of DYRE or other malware into user systems. Specifically, its additional functions include the following:
    - Disabling firewall/network related security by modifying some registry entries.
    - Disabling firewall/network related security via stoppage of related services.
    - Disabling window’s default anti-malware feature (WinDef)
    Recently, we have also seen a UPATRE variant (detected TROJ_UPATRE.HM) being dropped as a Microsoft Compiled HTML/ Help file (.CHM) on a spam run victimizing JPMorgan Chase & Co. customers. Looking at the content of the spam mail, we notice that it follows a typical social engineering ruse. It specifically tries to -scare- users into opening an attached .EXE file to find out about a non-existent law that supposedly doubles their tax. When it comes to tax, people can get worried enough to succumb to the scam. Seeing that most samples we have seen so far use the English language, it is likely that users of the DYRE malware have been sending out similar messages to a variety of regions, without specifically tweaking according to language and banking preferences... It pays to be prepared especially when consequences are literally DYRE. As we have previously advocated, banking malware that spread via -spammed- mails can be fought off by knowing your banking policies, downloading a full-featured antimalware solution, immediately changing passwords and monitoring online banking transactions in case of infections, and alerting the bank when you spot suspicious transactions..."
    * http://blog.trendmicro.com/trendlabs...alware-part-1/
    ___

    Fake 'Rental Invoice' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/june-2...sheet-malware/
    2 Jun 2015 - "'June 2015 Rental Invoice' pretending to come from Alex Batts <abatts@ bbsp .co .uk> is being delivered mangled and malformed. It is supposed to come with a malicious word doc or Excel XLS spreadsheet attachment but that is being embedded as a base 64 encoded set of text in the mangled body of the email, rather than being attached. Most users should be protected from this malware, but be aware that some mail servers will automatically fix this sort of garbled corruption and deliver the email as a warning email with a zip of the extracted content. Do-not-click on or open the word doc inside the zip... The email which comes in -garbled- looks like:
    [Garbled text...]
    Hi
    Please find attached the Rental Invoice for June 2015 – which is due for pa=
    yment on or before 10st June.
    Have a lovely afternoon.
    Kind regards
    Alex Batts
    Forum Receptionist
    Telephone : 0117 370 7700
    Mobile : 0750 083 5323 ...
    [More garbled text...]


    2 June 2015: June 2015 Rental Invoice – Inv 103756.doc - Current Virus total detections: 1/56* | 2/57**
    The second -malicious- macro downloads http ://amagumori.3dfxwave .com/7/8.exe which is a Dridex banking malware (VirusTotal***). The first will also download the same malware but from a different location... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
    * https://www.virustotal.com/en/file/e...is/1433243825/

    ** https://www.virustotal.com/en/file/0...is/1433250642/

    *** https://www.virustotal.com/en/file/d...is/1433248974/
    ... Behavioural information
    TCP connections
    31.186.99.250: https://www.virustotal.com/en/ip-add...0/information/
    5.178.43.49: https://www.virustotal.com/en/ip-add...9/information/

    amagumori.3dfxwave .com: 202.129.207.121: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Invoice ID' SPAM - malware attachment
    - http://blog.mxlab.eu/2015/06/02/emai...ntains-trojan/
    June 2, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Invoice ID”. This email is sent from a -spoofed- address and has the following short body:
    INVOICE
    Invoice ID: 6568469164
    Store id: 9135


    The attached file 6568469164_9135.zip contains the 156 kB large file invoice_company.exe. The trojan is known as PE:Malware.Obscure!1.9C59 or Trojan.Win32.Qudamah.Gen.24. At the time of writing, 2 of the 57 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/d...is/1433259213/
    ... Behavioural information
    TCP connections
    104.238.136.31: https://www.virustotal.com/en/ip-add...1/information/
    188.120.194.101: https://www.virustotal.com/en/ip-add...1/information/
    173.243.255.79: https://www.virustotal.com/en/ip-add...9/information/
    90.84.60.99: https://www.virustotal.com/en/ip-add...9/information/
    188.120.194.101: https://www.virustotal.com/en/ip-add...1/information/
    ___

    2015 Malvertising infected millions of users
    - http://net-security.org/malware_news.php?id=3049
    June 2, 2015 - "New research from Malwarebytes has found that -malvertising- is one of the primary infection vectors used to reach millions of consumers this year. The analysis looked at the three large scale zero-day attacks affecting Flash Player*, and the results have been presented at Infosecurity Europe 2015:
    > http://www.net-security.org/images/a...s-02062015.jpg
    Analysis of one particular zero-day attack instigated using the HanJuan Exploit Kit showed that cybercriminals paid an average of 49p for every 1,000 infected adverts impressions on major websites at highly trafficked times of day. This amount could even drop as low as 4p per infected ad impression on lesser-known websites and during quieter times of day. Malicious adverts placed on popular websites including The Huffington Post, Answers.com and Daily Motion, which all boast monthly unique users in the millions, are responsible for exposing vast numbers of consumers to zero-day attacks. Even consumers and businesses running the -latest- versions of Internet Explorer, Firefox and Flash Player are susceptible to becoming immediately infected when exposed to this type of threat which makes it particularly lucrative for the criminal community. Further, with one zero-day remaining active for almost two months of the analysis period there is scope for exploits to have especially wide-reaching effects. The nefarious use of the online ad industry is facilitated by real-time bidding as this allows advertisers to bid in real-time for specific targets and weed out non-genuine users or those that should not be targeted by exploits... This is especially important with the kind of malware that is dropped by exploit kits, and in particular ransomware. Companies can literally be crippled by such malware, lose customers and in some cases put their business in jeopardy."
    * https://www.malwarebytes.org/threezerodays/
    "... new vulnerabilities are found and weaponized at a much faster rate. Combine this trend with the fact that rolling out patches requires time and testing for businesses and you see the issue: A window of opportunity to exploit systems emerges... While keeping systems up to date remains one of the most important pieces of advice against exploits, zero-days make it completely irrelevant... To face this new reality, businesses and consumers must adapt as well by adopting new tools to safeguard their assets..."

    Last edited by AplusWebMaster; 2015-06-02 at 22:42.

  8. #718
    AplusWebMaster

    Fake 'your receipt' SPAM, Myfax malspam

    FYI...

    Fake 'your receipt' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/your-r...sheet-malware/
    3 Jun 2015 - "'your receipt' pretending to come from Amy Morley <amymorley@ howardcundey .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ur-receipt.png

    3 June 2015: 20150414151213550.doc - Current Virus total detections: 3/57*
    The malicious macro in this version connects to and downloads anthonymaddaloni .com/~web/5/0.exe which is a Dridex banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1433318349/

    ** https://www.virustotal.com/en/file/5...is/1433318155/
    ... Behavioural information
    TCP connections
    37.140.195.177: https://www.virustotal.com/en/ip-add...7/information/
    5.178.43.34: https://www.virustotal.com/en/ip-add...4/information/

    anthonymaddaloni .com: 69.72.240.66: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Myfax malspam wave - links to malware and Neutrino exploit kit
    - https://isc.sans.edu/diary.html?storyid=19759
    2015-06-03 - "... there have been more waves of malicious spam (malspam) spoofing myfax .com. On Tuesday 2015-06-02, the messages contained links to a zip archive of a Pony downloader. Tuesday's messages also had links pushing Neutrino exploit kit (EK). Spoofed myfax emails are nothing new. They've been around for years. This is yet another wave in the continuous onslaught of malspam that organizations face every day... I noticed similar messages last week, but they were all blocked. At that time, I wasn't able to investigate any further. On 2015-06-02, checking my employer's spam filters revealed spoofed myfax messages were coming in again after a 3 day break... Below is an example of the messages blocked by my organization's spam filters on 2015-06-02:
    > https://isc.sans.edu/diaryimages/ima...-image-03a.jpg
    The above example shows 2 types of URLs. The first points to a zip file. The second points to URLs ending in fax.php that push Neutrino EK. Last week's malspam only had links to the zip files... In a lab environment, those links ending with fax.php returned HTML with iframes leading to Neutrino EK..."
    (More detail at the isc URL above.)
    ___

    Fake email “Fax to” contains trojan
    - http://blog.mxlab.eu/2015/06/03/fake...ntains-trojan/
    June 3, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Fax to”.
    This email is sent from a -spoofed- address and has the following body:
    Fax Massege:
    Fax ID: 1500566473
    User ID: 429286424


    The attached file fax-1500566473_429286424.zip contains the 148 kB large file Document_invoice.exe.
    The trojan is known as Downloader-FAVN!A43A201F788E, Trj/Genetic.gen, PE:Malware.Obscure!1.9C59 or Win32.Trojan.Fakedoc.Auto. At the time of writing, 4 of the 57 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/e...is/1433353970/
    ... Behavioural information
    TCP connections
    104.238.141.75: https://www.virustotal.com/en/ip-add...5/information/
    188.120.194.101: https://www.virustotal.com/en/ip-add...1/information/
    92.38.41.38: https://www.virustotal.com/en/ip-add...8/information/
    88.221.15.80: https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2015-06-03 at 22:59.

  9. #719
    AplusWebMaster

    Fake 'Scan', 'Internet Invoice' SPAM

    FYI...

    Fake 'Scan' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/scan-n...e-pdf-malware/
    4 June 2015 - "'Scan number: 3744444093' [all the numbers are random] coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:

    Scan number: 3744444093
    Pages: 54


    4 June 2015: scan-3744444093_54.zip: Extracts to: Document_invoice.exe
    Current Virus total detections: 0/58* | 1/57** This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1433413368/
    ... Behavioural information
    TCP connections
    104.238.141.75: https://www.virustotal.com/en/ip-add...5/information/
    188.120.194.101: https://www.virustotal.com/en/ip-add...0/information/
    94.103.54.19: https://www.virustotal.com/en/ip-add...9/information/
    5.178.43.35: https://www.virustotal.com/en/ip-add...5/information/

    ** https://www.virustotal.com/en/file/a...is/1433412921/
    ... Behavioural information
    TCP connections
    104.238.141.75: https://www.virustotal.com/en/ip-add...5/information/
    188.120.194.101: https://www.virustotal.com/en/ip-add...0/information/
    185.47.89.249: https://www.virustotal.com/en/ip-add...9/information/
    5.178.43.49: https://www.virustotal.com/en/ip-add...9/information/
    188.120.194.101: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Internet Invoice' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/eclips...sheet-malware/
    4 June 2015 - "'Eclipse Internet Invoice – 17987580EC' pretending to come from customer@ eclipse .net .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Customer,
    Thank you for choosing to receive your invoice by email. Please find this attached.
    If you would like to change any of your billing options, please log in to My Eclipse using your registration email and password, at www .eclipse .net.uk/billing. Alternatively, you can contact our Customer Service Team, Monday to Friday 9am – 5.30pm, on the telephone number...
    Kind regards
    Eclipse Internet
    This email has been scanned for all viruses. Please consider the environment before printing this email. The content of this email and any attachment is private and may be privileged. If you are not the intended recipient, any use, disclosure, copying or forwarding of this email and/or its attachments is unauthorised. If you have received this email in error please notify the sender by email and delete this message and any attachments immediately. Nothing in this email shall bind the Company or any of its subsidiaries or businesses in any... [blah, blah, blah]


    4 June 2015 : invoice_EC_17987580_20141013081054.doc - Current Virus total detections: 2/57*
    ... the macro connects to http ://empreinte .com.ar/42/91.exe which is a Dridex banking malware (virusTotal***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1433415353/

    ** https://www.virustotal.com/en/file/2...is/1433415107/

    empreinte .com.ar: 200.68.105.31: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Dyre banking Trojan infections up 125%
    - http://net-security.org/malware_news.php?id=3050
    June 4, 2015 - "Cybercriminal interest in online banking continues to grow, and crooks wielding the Dyre/Dyreza banking Trojan continue spewing out spam emails delivering a new variant of the malware:
    > http://www.net-security.org/images/a...e-04062015.jpg
    'There has been a 125% increase of Dyre-related infections worldwide this quarter compared to the last', Trend Micro researchers have noted*. 'Roughly 7 in 10 users infected during the last three months came from the European (39% of the total count) and North American (38%) regions. Asia Pacific came in third, with 19% of the infections.' In early May, there was a considerable spike in these spam emails targeting the APAC region. 'We looked closely at the financial institutions whose URLs were contained in the Dyre malware samples. We noted URLs associated with several multinational banks, including their varied country branches, divisions, and the like,' the researchers shared. As before, Dyre is -not- delivered directly via email. Instead, the malicious attachments hold the Upatre downloader, which then downloads Dyre. Upatre also got updated, and these newer versions have the ability to disable firewall/network related security by modifying some registry entries and via -stoppage- of related services, and to disable Windows' default anti-malware feature (Windows Defender). The emails delivering the malware try to -scare- users into opening the attached file by claiming that the recipients' tax payments have doubled. So far, they have been mostly in English, but Trend Micro expects more regionalized messages in the future, as the attackers are looking to expand globally."
    * http://blog.trendmicro.com/trendlabs...most-affected/

    Last edited by AplusWebMaster; 2015-06-04 at 14:41.
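    The 'Scan' post above describes an .exe shipped in a zip with a spoofed PDF icon, and most of the other posts in this thread concern .doc/.xls attachments whose VBA macro fetches the payload. Added example, not code from the posts or from the blogs they quote: a small Python triage that judges an attachment by its bytes rather than by its name or icon, looks for the OLE2 storage names that only exist when a VBA project is present, and recurses into zip containers (which also covers OOXML files carrying vbaProject.bin). The sample attachments it builds are constructed stand-ins, not the real files from the posts. The VBA check is a byte-signature heuristic rather than a full OLE parser, so treat its output as a triage lead, not a verdict.

```python
import io
import re
import zipfile

# Magic bytes used to decide what a file really is, regardless of its name.
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                          # zip, also OOXML (.docx/.xlsm)

# OLE2 stores storage/stream names as UTF-16LE; these names only exist when a
# VBA project is present. Byte-signature heuristic, not a full OLE parser.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]

EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".wsf")
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png|txt)\.[a-z0-9]{2,4}$")


def classify(name, data, prefix=""):
    """Return findings for one file, judged by content rather than by name."""
    findings = []
    lower = name.lower()
    label = prefix + name

    if data.startswith(PE_MAGIC):
        if lower.endswith(EXEC_EXTS):
            findings.append(f"{label}: executable attachment")
        else:
            findings.append(f"{label}: PE executable disguised under a non-executable name")
    if data.startswith(OLE_MAGIC) and any(m in data for m in VBA_MARKERS):
        findings.append(f"{label}: OLE document carries a VBA macro project")
    if data.startswith(ZIP_MAGIC):
        findings.extend(classify_zip(name, data, prefix))
    if DOUBLE_EXT.search(lower):
        findings.append(f"{label}: double extension")
    return findings


def classify_zip(name, data, prefix):
    """Recurse into a zip (or OOXML container) and classify each member."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith("vbaproject.bin"):
                    findings.append(f"{prefix}{name}: OOXML document carries vbaProject.bin")
                findings.extend(classify(info.filename, zf.read(info), prefix + name + "!"))
    except zipfile.BadZipFile:
        findings.append(f"{prefix}{name}: zip magic but archive does not parse")
    return findings


def triage(files):
    """files: {attachment name: bytes}. Returns {name: [findings]}."""
    return {name: classify(name, data) for name, data in files.items()}


def build_samples():
    """Constructed stand-ins for the attachment types in the posts (not real samples)."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"not a real executable"
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Document_invoice.exe", fake_pe)        # exe hidden in a 'scan' zip
    doc_with_vba = OLE_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 16
    doc_clean = OLE_MAGIC + b"\x00" * 64
    return {
        "scan-3744444093_54.zip": zbuf.getvalue(),
        "invoice.doc": doc_with_vba,
        "report.doc": doc_clean,
        "Document_invoice.pdf": fake_pe,                     # PE bytes under a PDF name
        "invoice.pdf.exe": fake_pe,
    }


if __name__ == "__main__":
    for name, findings in triage(build_samples()).items():
        print(name, "->", findings or "no findings")
```

    Feed it the extracted attachments from a quarantine queue (never from an opened mail client) and act on any finding; a clean result only means none of these signatures fired.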

  10. #720
    AplusWebMaster

    Fake 'PPL invoice', 'General Election 2015 Invoices' SPAM

    FYI...

    Fake 'PPL invoice' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/your-p...sheet-malware/
    5 June 2015 - "'Your PPL invoice is attached' pretending to come from no-reply@ PPLUK .COM with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Customer,
    Please find attached your PPL invoice for your licence to use recorded music (whether via CDs, Radio/TV broadcasts, background music systems or other sources) at your premises.
    Permission to use PPL repertoire under the terms of the licence will only be effective once payment has been made. Payment of your invoice can be made online at ppluk.com/payonline or you can call us on 020 7534 1070 to pay by credit or debit card. All payment methods can be found on the back of your invoice.
    This is an automated email. If you have any queries about the invoice or requirements for a PPL licence, please refer to the contact information below.
    Yours faithfully,
    PPL Customer Services
    PPL
    1 Upper James Street London W1F 9DE
    T +44 (0)20 7534 1070 ...


    5 June 2015 : P_PP_INVN_02573466_01-43-52_03657322_NEWBUS_O_E.DOC
    Current Virus total detections: 3/57* . The malicious macro in this version downloads Dridex banking malware from http ://g6000424 .ferozo .com/25/10.exe (VirusTotal**). Other download locations downloading the same Dridex banking malware that I have been informed about are:
    http ://zolghadri-co .com/25/10.exe
    http ://elkettasandassociates .com/25/10.exe
    http ://segurosdenotebooks .com.br/25/10.exe
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1433498590/

    ** https://www.virustotal.com/en/file/4...is/1433496324/
    ... Behavioural information
    TCP connections
    203.151.94.120: https://www.virustotal.com/en/ip-add...0/information/
    88.221.15.80: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'General Election 2015 Invoices' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/genera...sheet-malware/
    5 June 2015 - "'General Election 2015 Invoices' pretending to come from SIMSSL@ st-ives .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Sir/Madam
    Please find attached your invoice 62812 for GE2015
    Please could payment be quoted with your constituency name/Invoice numbers
    Our Bank Details are:
    St Ives Management Services Limited
    HSBC
    Sort Code: 40-04-24
    Account Number: 71419501
    Account Name: St Ives Management Services Limited
    Remittance advices should be emailed to simsAR@ st-ives .co.uk
    If paying by cheque, please kindly remit to the address below and not to 1 Tudor Street:
    St Ives Management Services Limited
    c/o Branded3
    2nd Floor, 2180 Century Way
    Thorpe Park
    Leeds
    LS 8ZB
    If you have already paid by credit card then there is no need for you to make payment again.
    For payment queries please contact Steven Wilde 0113 306 6966
    For invoice queries please contact Emily Villiers 0207 902 6449
    Kind Regards
    SIMS Sales Ledger...


    5 June 2015 : 1445942147T0.doc ... which is -exactly- the same malware as described in 'Your PPL invoice is attached – word doc or excel xls spreadsheet malware'*
    * http://myonlinesecurity.co.uk/your-p...sheet-malware/
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

    - http://blog.dynamoo.com/2015/06/malw...tion-2015.html
    5 June 2015
    "... Recommended blocklist:
    203.151.94.120
    31.186.99.250
    146.185.128.226
    185.12.95.40
    "

    Last edited by AplusWebMaster; 2015-06-05 at 14:02.
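    Posts #716 and #720 above carry dynamoo's 'Recommended blocklist' IPs, and the myonlinesecurity posts throughout list the macro download URLs with space-defanging ("http ://host .tld"). Added example, not from the posts or the blogs they quote: Python that refangs those URLs, combines the blocklist IPs with the hosting IPs the posts give beside each download host, and scans proxy log lines for matches. It also flags any URL whose path ends in the /NN/NN.exe shape that every download URL on this page shares; that goes beyond the listed hosts and should be treated as a lead, not proof. The log format and the log lines are constructed. The VirusTotal 'TCP connections' IPs are deliberately not copied in, because sandbox traffic routinely includes shared CDN and OS-update addresses; check each of those individually before blocking.

```python
import re
from urllib.parse import urlsplit

# IOCs transcribed from the "Recommended blocklist" entries (posts #716 and #720)
# plus the resolved hosting IP shown beside each download host in the posts.
BLOCKLIST_IPS = {
    "31.186.99.250", "107.170.1.205", "146.185.128.226", "144.76.238.214",
    "203.151.94.120", "185.12.95.40",
    "213.186.33.19", "216.251.32.98", "66.175.58.9", "216.22.14.37",
    "64.29.151.221", "202.129.207.121", "69.72.240.66", "200.68.105.31",
}

# Download URLs exactly as written in the posts (space-defanged).
DEFANGED_DOWNLOAD_URLS = [
    "http ://contesafricains .com/01/59.exe",
    "http ://swiftlaw .com/01/59.exe",
    "http ://jcmartz .com/1/09.exe",
    "http ://216.22.14.37/~congafx/1/09.exe",
    "http ://irpanet .com/1/09.exe",
    "http ://amagumori.3dfxwave .com/7/8.exe",
    "anthonymaddaloni .com/~web/5/0.exe",
    "http ://empreinte .com.ar/42/91.exe",
    "http ://g6000424 .ferozo .com/25/10.exe",
    "http ://zolghadri-co .com/25/10.exe",
    "http ://elkettasandassociates .com/25/10.exe",
    "http ://segurosdenotebooks .com.br/25/10.exe",
]


def refang(url):
    """Undo the space-defanging used in the posts; assume http when no scheme is given."""
    url = url.replace(" ", "")
    return url if "://" in url else "http://" + url


IOC_HOSTS = {urlsplit(refang(u)).hostname for u in DEFANGED_DOWNLOAD_URLS}

# Every download path on this page has the shape /N/NN.exe or /NN/NN.exe, so the
# pattern also catches hosts not yet on the list; treat a pattern-only hit as a lead.
DOWNLOAD_PATH = re.compile(r"/\d{1,2}/\d{1,2}\.exe$")

# Constructed proxy-log layout (assumption, not a real product format):
# timestamp client_ip dest_ip method url http_status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def check_line(line):
    """Return the reasons a log line matches, [] if clean, None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if m["dst"] in BLOCKLIST_IPS:
        reasons.append("destination IP on blocklist")
    parts = urlsplit(m["url"])
    if (parts.hostname or "") in IOC_HOSTS:
        reasons.append("known Dridex download host")
    if DOWNLOAD_PATH.search(parts.path):
        reasons.append("path matches the /NN/NN.exe download pattern")
    return reasons


def scan(log_text):
    """Map each matching log line to the list of reasons it matched."""
    hits = {}
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            hits[line] = reasons
    return hits


# Constructed log lines; benign destinations use documentation address ranges.
SAMPLE_LOG = """\
2015-06-01T14:40:02Z 10.1.2.33 66.175.58.9 GET http://jcmartz.com/1/09.exe 200
2015-06-01T14:41:10Z 10.1.2.33 31.186.99.250 POST https://31.186.99.250:443/ 200
2015-06-01T14:42:55Z 10.1.2.44 203.0.113.20 GET http://example.com/index.html 200
2015-06-05T09:12:01Z 10.1.2.51 200.68.105.31 GET http://empreinte.com.ar/42/91.exe 200
2015-06-05T09:13:30Z 10.1.2.51 198.51.100.9 GET http://example.org/files/report.pdf 200
2015-06-05T09:20:07Z 10.1.2.60 203.0.113.7 GET http://unknown-host.test/25/10.exe 404
"""

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG).items():
        print(line.split()[1], "->", "; ".join(reasons))
```

    A 404 on a pattern-only hit (the last sample line) still identifies a host that ran the macro and should be pulled for the %TEMP% dropper and Dridex DLL, since the download location rotates between runs while the client-side behaviour does not.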
