Thread: SPAM frauds, fakes, and other MALWARE deliveries...

    Posted by AplusWebMaster (Adviser Team)

    Fake 'Invoice' SPAM, Persistent drive-by cryptomining

    FYI...

    Fake 'Invoice' SPAM - delivers ransomware
    - https://myonlinesecurity.co.uk/necur...fake-invoices/
    30 Nov 2017 - "... from the Necurs botnet... an email with an -empty- body with the subject of 'FL-610025 11.30.2017' (random numbers) pretending to come from 'Invoicing' @ random email addresses. Today it is Globeimposter -not- Locky ransomware being delivered via this malspam campaign from the Necurs botnet...
    One of the emails looks like:
    From: Invoicing <Invoicing@random company >
    Date: Thu 30/11/2017 09:18
    Subject: FL-610025 11.30.2017
    Attachment: FL-610025 11.30.2017.7z

    Body content: Completely empty


    FL-610025 11.30.2017.7z: Extracts to: FL-432927.vbs - Current VirusTotal detections 9/60*. Hybrid Analysis**...
    Downloads from
    http ://datenhaus .info/JHGcd476334? (as usual there will be dozens of different download sites) - (VirusTotal 10/66[3])... Other download sites that I have been notified about:
    mh-service .ru/JHGcd476334?
    awholeblueworld .com/JHGcd476334?
    ... The ransom payment link is to
    http ://n224ezvhg4sgyamb .onion/sup .php where you see a pretty bland page giving this link to make enquiries... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1512033616/
    FL-432927.vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    85.214.205.231
    Contacted Hosts
    85.214.205.231

    [3] https://www.virustotal.com/en/file/7...is/1512033503/
    d4ddf8bf.exe

    datenhaus .info: 85.214.205.231: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/1b...abcf/analysis/

    mh-service .ru: 89.253.235.118: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/fa...725b/analysis/

    awholeblueworld .com: 66.36.173.215: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/76...30eb/analysis/
    ___

    Persistent drive-by cryptomining...
    - https://blog.malwarebytes.com/cyberc...wser-near-you/
    Nov 29, 2017 - "... we are witnessing more and more cases of abuse involving the infamous 'Coinhive' service that allows websites to use their visitors to mine the Monero cryptocurrency. Servers continue to get hacked with mining code, and plugins get hijacked and affect hundreds or even thousands of sites at once... we have come across a technique that allows dubious website owners or attackers that have compromised sites to keep mining for Monero even after the browser window is closed. Our tests were conducted using the latest version of the Google Chrome browser. Results may vary with other browsers. What we observed was the following:
    A user visits a website, which silently loads cryptomining code.
    CPU activity rises but is not maxed out.
    The user leaves the site and closes the Chrome window.
    CPU activity remains higher than normal as cryptomining continues:
    > https://blog.malwarebytes.com/wp-con...den_mining.gif
    The trick is that although the visible browser windows are closed, there is a hidden one that remains opened. This is due to a 'pop-under' which is sized to fit right under the taskbar and hides behind the clock. The hidden window’s coordinates will vary based on each user’s screen resolution... If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar and it will magically pop it back up:
    > https://blog.malwarebytes.com/wp-con...os_compare.png
    ... Mitigation: This type of 'pop-under' is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. The more technical users will want to run Task Manager* to ensure there is no remnant running browser processes and terminate them.
    * https://www.howtogeek.com/66622/stup...-task-manager/
    Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running:
    > https://blog.malwarebytes.com/wp-con...mitigation.png
    ... Nearly two months since Coinhive’s inception, browser-based cryptomining remains highly popular, but for all the wrong reasons. Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement. History shows us that trying to get rid of ads failed before, but only time will tell if this will be any different.
    Unscrupulous website owners and miscreants alike will no doubt continue to seek ways to deliver drive-by mining, and users will try to fight back by downloading more adblockers, extensions, and other tools to protect themselves. If malvertising wasn’t bad enough as is, now it has a new weapon that works on all platforms and browsers."
    Indicators of compromise:
    145.239.64.86,yourporn[.]sexy,Adult site
    54.239.168.149,elthamely[.]com,Ad Maven popunder
    52.85.182.32,d3iz6lralvg77g[.]cloudfront.net,Advertiser's launchpad
    54.209.216.237,hatevery[.]info,Cryptomining site

    - https://centralops.net/co/DomainDossier.aspx
    hatevery .info
    52.72.157.243
    54.156.6.169
    52.200.89.230
    52.54.161.204
    54.84.183.12
    34.237.128.64 ...
    'Fast Flux' network: https://www.welivesecurity.com/2017/...networks-work/

    - https://www.helpnetsecurity.com/2017...-close-window/
    Nov 30, 2017

    Last edited by AplusWebMaster; 2017-12-01 at 13:34.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
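The lure traits quoted from myonlinesecurity above (an empty body, a generic 'Invoicing' display name, a subject that is nothing but a reference number and a date, and an archive attachment named after that subject) are enough to write a mail-gateway triage rule. The following is an added Python example using only the standard library; it is not code from the forum post or from the linked write-up. Both sample messages are constructed here: the sender addresses, recipient and 'Q4 planning notes' message are placeholders, and the attachment bytes are a 7z signature plus filler rather than a real archive. Inspecting the script inside a 7z attachment (the FL-432927.vbs in the post) would need a third-party 7z library and is deliberately left out.

```python
"""Triage a mail message for the lure traits of the Necurs 'Invoice' malspam.

Added example; not code from the forum post or the linked write-up.  The
traits checked (empty body, generic 'Invoicing' display name, a subject that
is only a reference number and date, an archive attachment named after the
subject) are those the post describes.  Both sample messages are constructed
here; the attachment bytes are a 7z signature plus filler, not a real archive.
"""
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

ARCHIVE_EXTS = {".7z", ".zip", ".rar", ".ace", ".arj"}
# 'FL-610025 11.30.2017': short letter prefix, dash, digits, space, US-format date.
INVOICE_SUBJECT_RE = re.compile(r"^[A-Z]{1,4}-\d{4,}\s\d{2}\.\d{2}\.\d{4}$")


def triage(raw: bytes) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    subject = str(msg.get("Subject") or "").strip()
    display_name, _ = parseaddr(str(msg.get("From") or ""))

    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    if not body_text:
        reasons.append("empty body")
    if INVOICE_SUBJECT_RE.match(subject):
        reasons.append("subject is only a reference number and a date")
    if display_name.strip().lower() == "invoicing":
        reasons.append("generic 'Invoicing' sender display name")

    archives = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name)
        if ext.lower() in ARCHIVE_EXTS:
            archives.append(name)
            if stem == subject:
                reasons.append(f"archive {name!r} is named after the subject")
    if archives:
        reasons.append("archive attachment(s): " + ", ".join(archives))

    # An archive on its own is ordinary business mail; the campaign is the
    # combination of an archive with at least two of the other lure traits.
    suspicious = bool(archives) and len(reasons) >= 3
    return {"suspicious": suspicious, "reasons": reasons}


def build_sample(from_hdr: str, subject: str, body: str, attachment=None) -> bytes:
    """Build a constructed test message; attachment is (filename, bytes) or None."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed lure modelled on the post: empty body, 'Invoicing' sender,
# subject 'FL-610025 11.30.2017', attachment '<subject>.7z'.
LURE = build_sample(
    "Invoicing <Invoicing@example.net>",
    "FL-610025 11.30.2017",
    "",
    ("FL-610025 11.30.2017.7z", b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32),
)

# Constructed ordinary message with a non-archive attachment.
BENIGN = build_sample(
    "Alice Example <alice@example.com>",
    "Q4 planning notes",
    "Hi, the notes from today's call are attached.",
    ("q4-notes.pdf", b"%PDF-1.4 constructed placeholder"),
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        result = triage(raw)
        print(label, result["suspicious"], result["reasons"])
```

The threshold is deliberately a combination: plenty of legitimate mail carries a .zip or .7z, so an archive alone only records a reason, and the message is flagged when the archive arrives together with at least two of the other lure traits.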

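Both quoted write-ups end in indicators: the Necurs download hosts and their IPs, and the Malwarebytes drive-by mining IOC list. The following is an added Python example, not code from the forum post or either linked write-up, that checks proxy and DNS log lines against them. The indicator values are copied from the post with the defanged "[.]" and " ." spellings normalised; the log lines are constructed for illustration (example.org, the 10.0.0.x clients and the 203.0.113.x servers are placeholders, not real download sites). It also generalises the post's remark that the same "/JHGcd476334?" path appeared on dozens of download hosts by matching that path independently of the host.

```python
"""Check proxy and DNS log lines against the indicators quoted in the post above.

Added example; not code from the forum post or the linked write-ups.  The
indicator values are those listed in the post (defanged "[.]" and " ."
spellings normalised).  The log lines are constructed for illustration:
example.org, the 10.0.0.x clients and the 203.0.113.x servers are
placeholders, not real download sites.
"""
import re
from urllib.parse import urlsplit

# Indicators as written in the post (Necurs 'Invoice' malspam download hosts
# from myonlinesecurity, 30 Nov 2017; drive-by mining IOCs from Malwarebytes,
# 29 Nov 2017), keyed in their defanged form.
RAW_INDICATORS = {
    "datenhaus .info": "Necurs VBS downloader host",
    "85.214.205.231": "Necurs VBS downloader host",
    "mh-service .ru": "Necurs VBS downloader host",
    "89.253.235.118": "Necurs VBS downloader host",
    "awholeblueworld .com": "Necurs VBS downloader host",
    "66.36.173.215": "Necurs VBS downloader host",
    "yourporn[.]sexy": "Adult site",
    "145.239.64.86": "Adult site",
    "elthamely[.]com": "Ad Maven popunder",
    "54.239.168.149": "Ad Maven popunder",
    "d3iz6lralvg77g[.]cloudfront.net": "Advertiser's launchpad",
    "52.85.182.32": "Advertiser's launchpad",
    "hatevery[.]info": "Cryptomining site",
    "54.209.216.237": "Cryptomining site",
}

# The post notes that the same URL path appeared on dozens of download hosts,
# so the path is matched on its own to catch hosts that were never listed.
NECURS_PATH_TOKEN = "/JHGcd476334"


def refang(indicator: str) -> str:
    """Turn 'foo[.]bar' / 'foo .bar' back into 'foo.bar', lower-cased."""
    return indicator.replace("[.]", ".").replace(" .", ".").strip().lower()


INDICATORS = {refang(k): v for k, v in RAW_INDICATORS.items()}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def scan_line(line: str) -> list:
    """Return [(indicator, label), ...] for every distinct indicator in one line."""
    hits, seen = [], set()

    def add(indicator, label):
        if indicator not in seen:
            seen.add(indicator)
            hits.append((indicator, label))

    # Full URLs: check the host and, separately, the shared downloader path.
    for url in URL_RE.findall(line):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in INDICATORS:
            add(host, INDICATORS[host])
        if parts.path.startswith(NECURS_PATH_TOKEN):
            add(NECURS_PATH_TOKEN, "Necurs downloader URL path")

    # Bare hostnames (DNS logs) and IPv4 addresses anywhere in the line.
    for token in IPV4_RE.findall(line) + [h.lower() for h in HOST_RE.findall(line)]:
        if token in INDICATORS:
            add(token, INDICATORS[token])
    return hits


def scan(lines) -> list:
    """Return [(line_number, indicator, label), ...] over an iterable of log lines."""
    return [(n, ind, label)
            for n, line in enumerate(lines, 1)
            for ind, label in scan_line(line)]


# Constructed sample: three squid-style proxy lines and two resolver query lines.
SAMPLE_LOG = [
    "1512033616.101 10.0.0.23 TCP_MISS/200 GET http://datenhaus.info/JHGcd476334? - DIRECT/85.214.205.231",
    "1512033617.220 10.0.0.23 TCP_MISS/200 GET http://example.org/JHGcd476334? - DIRECT/203.0.113.10",
    "1512033618.333 10.0.0.41 TCP_MISS/200 GET https://www.example.com/index.html - DIRECT/203.0.113.20",
    "30-Nov-2017 09:20:01 client 10.0.0.57 query: hatevery.info IN A",
    "30-Nov-2017 09:20:02 client 10.0.0.57 query: www.example.com IN A",
]

if __name__ == "__main__":
    for n, indicator, label in scan(SAMPLE_LOG):
        print(f"line {n}: {indicator} ({label})")
```

The second constructed proxy line shows why the path match matters: its host is not on any list, yet the request is still recognised as the same downloader, which is the only way a list of three named hosts can keep up with the "dozens of different download sites" the write-up mentions.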