
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1221
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,685

    Fake Email account notice - Phish

    FYI...

    Fake Email account notice – Phish
    ... 'Your Mailbox Will Be Terminated'
    - https://myonlinesecurity.co.uk/your-...l-credentials/
    16 Jun 2017 - "We see lots of phishing attempts for email credentials. This one is slightly different...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...er.co_.uk-.png

    If you follow the link you see a webpage looking like this:
    https ://deadsocial .com//media/email_updatep1/login.php?userid=ans@ thespykiller .co.uk
    (you can put any email address at the end of the link & get the same page with email already filled in).
    The red countdown continues to decrease in time while the page is open:
    > https://myonlinesecurity.co.uk/wp-co...ail_update.png

    ... After you input your email address and password, you get told 'incorrect details' and forwarded to an almost identical looking page where you can put it in again and it does that on a continual loop:
    > https://myonlinesecurity.co.uk/wp-co...il_update2.png

    ... Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information..."

    deadsocial .com: 184.154.216.243: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/71...24c7/analysis/

    Last edited by AplusWebMaster; 2017-06-17 at 14:27.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1222
    Adviser Team AplusWebMaster's Avatar

    Fake DHL SPAM

    FYI...

    Fake DHL SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    20 Jun 2017 - "An email with the subject of 'Commercial Invoice' pretending to come from export@ dhl-invoice .com with a malicious Excel XLS spreadsheet attachment delivers some sort of malware... I am being told that -other- subjects in this malspam run -spoofing- DHL include: 'DHL Commercial Invoice' and 'DHL poforma invoice'. There appear to be several different -spoofed- senders @dhl-invoice .com...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...spam-email.png

    dhl_commercial_invoice_.xls - Current Virus total detections 5/55*. Payload Security** shows a download from
    http ://travel-taxi .net/test/edf.exe (VirusTotal 51/62[3]), (Payload Security[4]).
    Other download locations -embedded- in other versions of the macro include
    http ://okinawa35 .net/m/iop.exe
    The XLS file looks like:
    > https://myonlinesecurity.co.uk/wp-co...nvoice_xls.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1497948303/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    202.218.50.130

    3] https://www.virustotal.com/en/file/1...e217/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    travel-taxi .net: 203.183.93.149: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/2b...c1d5/analysis/

    okinawa35 .net: 202.218.50.130: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/8b...fd1c/analysis/


  3. #1223
    Adviser Team AplusWebMaster's Avatar

    Fake 'Invoice', 'Receipt to print' SPAM

    FYI...

    Fake 'Invoice' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/the-r...nvoice-emails/
    21 Jun 2017 - "... an email with the subject of 'Copy of Invoice 79898702' coming or pretending to come from noreply@ random email addresses with a semi-random named zip attachment in the format of 79898702.zip (random 8 digits). The zip matches the subject... Whether this is a permanent return to Locky or a one off, I don’t know... Locky has vanished for a while before & returned. It is also very unusual for Locky to come as an executable file inside a zip...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-79898702.png

    79898702.zip: extracts to INV-09837592.zip which in turn Extracts to: INV-09837592.exe
    Current Virus total detections 10/60*. Payload Security**. None of the sandboxes are showing any encrypting activity or the usual Locky signs, so it looks like a -new- version with protections against analysis. We only know it is Locky because one of the analysts[1] extracted the Locky payload from the memory while running this file (Virustotal 39/60***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...9cd8/analysis/
    INV-09837592.exe

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/b...is/1498057764/
    _005C0000.mem

    1] https://twitter.com/mpvillafranca94/...44503720247296

    - http://blog.talosintelligence.com/20...-campaign.html
    June 21, 2017 - "... The volume of Locky spam Necurs has sent since the start of this particular campaign is notable. In the first hour of this campaign, Talos observed that Locky spam accounted for up to 7.2% of email volume on one of our systems*. While the campaign has since decreased in the number of messages being sent per minute, Necurs is still actively sending messages containing Locky... we can expect a fixed version of Locky to appear in a future round of Necurs' ransomware spam... it's always risky clicking-on-links or opening -attachments- in strange email messages..."
    > https://1.bp.blogspot.com/-O9IsDuPG5...600/image3.jpg
    ___

    Fake 'Receipt to print' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/recei...ivers-malware/
    21 Jun 2017 - "... an email with the subject of 'Receipt to print' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers some malware... Earlier WSF files today delivered Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...t-to-print.png

    Receipt_6706.zip: extracts to archive0124.zip which extracts to: 0923.wsf
    Current Virus total detections 11/57*. Payload Security** shows a download of an encrypted file from
    http ://tag27 .com/08345ug? which is converted by the script to IeEOifS6.exe (VirusTotal 11/57***).
    Manual examination and basic decoding of the WSF file shows these download locations:
    tag27 .com/08345ug? > 162.210.102.220
    78tguyc876wwirglmltm .net/af/08345ug > 119.28.86.18
    malamalamak9 .net/08345ug? > 74.122.121.8
    randomessstioprottoy .net/af/08345ug > 119.28.86.18
    shreveporttradingantiques .com/08345ug? > 74.220.215.225 ...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1498051603/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    162.210.102.220
    119.28.86.18
    74.122.121.8


    *** https://www.virustotal.com/en/file/1...is/1480617465/

    Last edited by AplusWebMaster; 2017-06-22 at 15:15.

  4. #1224
    Adviser Team AplusWebMaster's Avatar

    Fake 'INVOICE' SPAM

    FYI...

    Fake 'INVOICE' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/confi...liver-malware/
    26 Jun 2017 - "An email with the subject of '*CONFIRM ORDER AND REVISE INVOICE*' pretending to come from admin@ random company with a malicious word doc attachment. This word doc is actually an RTF file that uses what looks like the CVE-2017-0199 exploit...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...SE-INVOICE.png

    Order Ref-22550.doc - Current Virus total detections 16/56*. Neither MALWR nor JoeSandbox could get any malicious content from it. Payload Security is still -down- this morning for maintenance that was hoped to be done over the weekend.
    Update: after a bit of manual editing & investigating I was able to find the download location:
    https ://dev.null .vg/OtoGQj9.hta (VirusTotal 13/56**) ( MALWR***) which should deliver
    http ://allafrance .com/ziko.exe but is currently giving me a 404... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1498451330/
    Order Ref-22550.doc

    ** https://www.virustotal.com/en/file/f...is/1498457573/
    OtoGQj9.hta

    *** https://malwr.com/analysis/ZDI4ZWFmY...YzMjAzNjBkNjY/

    dev.null .vg: 104.27.187.29: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/22...9263/analysis/
    104.27.186.29: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/22...9263/analysis/

    allafrance .com: 85.14.171.25: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/09...eb4e/analysis/
    ___

    Fake 'invoice' SPAM - links to malware doc file
    - https://myonlinesecurity.co.uk/more-...liver-malware/
    26 Jun 2017 - "... An email with the subject of 'Cust # 880767-00057' [redacted] pretending to come from Jackie Fill <vs1.kirchdorf@ eduhi .at> (probably random senders) with a -link- that downloads a malicious word doc. The subject and the link that appears in body of the email has the recipients name in it but the actual link doesn’t. The link in this case went to
    http ://facyl .com.br/Invoices-payments-and-questions-JBQHL-933-907247/ where it downloaded a macro enabled word doc (the link is very slow & does time out)...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...0767-00057.png

    Invoice-NUVKHC-227-980463.doc - Current Virus total detections 9/56*... Joesandbox** shows connections to numerous sites where a malicious file is downloaded using PowerShell, including:
    http ://carbeyondstore .com/cianrft/ > 72.52.246.64
    http ://motorgirlstv .com/kdm/ > 202.191.62.208
    http ://nonieuro .com/xauqt/ > 216.104.189.202
    http ://pxpgraphics .com/espzyurt/ > 69.65.3.206
    http ://studiogif .com.br/jedtvuziky/ > 192.185.216.153
    Eventually giving an .exe file (VirusTotal 10/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1498480442/

    ** https://jbxcloud.joesecurity.org/analysis/297919/1/html

    *** https://www.virustotal.com/en/file/b...is/1498478920/

    facyl .com.br: 187.45.187.130: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/f8...44e5/analysis/

    Last edited by AplusWebMaster; 2017-06-27 at 14:03.

  5. #1225
    Adviser Team AplusWebMaster's Avatar

    Fake 'Fattura' SPAM, Protect Your Cloud, Petya Ransomware Infections Reported

    FYI...

    Fake 'Fattura' SPAM - delivers xls attachment malware
    - https://myonlinesecurity.co.uk/more-...nking-trojans/
    27 Jun 2017 - "An email with the subject of 'Fattura n.9171 del 27/06/17' pretending to come from random Italian email addresses with an Excel XLS spreadsheet attachment...
    Update: I am 100% assured* that this is Trickbot banking Trojan...
    * https://twitter.com/_operations6_/st...80802136707073

    Screenshot: https://myonlinesecurity.co.uk/wp-co...a_it_spam1.png

    Attachment: https://myonlinesecurity.co.uk/wp-co...a_it_spam2.png

    The xls file looks like this, with the instructions to 'enable content' in Italian. They obviously hope that the victim will 'enable content & macros' to see the washed out invoice details in full detail:
    > https://myonlinesecurity.co.uk/wp-co...nvoice-xls.png

    FATTURA num. 6655 del 27-=.xls - Current Virus total detections 6/56[1]. Payload Security[2] shows a download from
    https ://3eee22abda47 .faith/nvidia4.dvr (VirusTotal 11/61[3])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/d...9395/analysis/
    1_FATTURA num. 5999 del 27-06-2017.xls

    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    46.173.218.138

    3] https://www.virustotal.com/en/file/8...19f8/analysis/
    nvidia4.dvr

    3eee22abda47 .faith: 46.173.218.138: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/a0...eca1/analysis/
    ___

    Protect Your Cloud - from Ransomware
    > http://www.darkreading.com/cloud/9-w...d/d-id/1329221
    6/27/2017
    ___

    Multiple Petya Ransomware Infections Reported
    - https://www.us-cert.gov/ncas/current...tions-Reported
    June 27, 2017

    - http://blog.talosintelligence.com/20...e-variant.html
    June 27, 2017 - "... a new malware variant has surfaced..."

    - https://www.helpnetsecurity.com/2017...ya-ransomware/
    June 27, 2017

    - http://www.reuters.com/article/us-cy...-idUSKBN19I1TD
    Jun 27, 2017 | 4:35pm EDT

    - http://www.telegraph.co.uk/news/2017...cyber-attack1/
    27 June 2017 • 8:50pm GMT

    Last edited by AplusWebMaster; 2017-06-27 at 22:49.

  6. #1226
    Adviser Team AplusWebMaster's Avatar

    Fake 'UPS cannot deliver' SPAM, 'Blank Slate' ransomware

    FYI...

    Fake 'UPS cannot deliver' SPAM - delivers ransomware
    - https://myonlinesecurity.co.uk/retur...ovter-payload/
    29 Jun 2017 - "The 'UPS failed to deliver' messages have come back... it looks like the Kovter gang have taken advantage of the Petya outbreak to add to the mix. They have updated the nemucod ransomware version to make it, on first look, impossible to decrypt at this time without paying the ransom. Thanks to Michael Gillespie* a well known anti-ransomware campaigner for his assistance and pointing me in the right direction about the new nemucod ransomware version...
    * https://twitter.com/demonslay335
    If you get infected by this or any other ransomware please check out the ID Ransomware service** which will help to identify what ransomware you have been affected by and offer suggestions for decryption...
    ** https://id-ransomware.malwarehunterteam.com/index.php

    The emails are the same as usual (you only have to look through this blog and search for UPS[1] or FedEx[2] or USPS[3]... hundreds of different examples and subjects)...
    1] https://myonlinesecurity.co.uk/?s=UPS

    2] https://myonlinesecurity.co.uk/?s=fedex

    3] https://myonlinesecurity.co.uk/?s=usps

    Screenshot: https://myonlinesecurity.co.uk/wp-co...to_deliver.png

    ... there is a difference in the .js files that are coming in the (attachment) zips... The initial js looks very similar to previous but has much longer vars (var zemk) that is used to download the other files...
    Showing a high level of encryption that at this time appears unable to be decrypted without paying the ransom.
    This ransom note (or something similar with different links) gets displayed on the victim’s desktop:
    >> https://myonlinesecurity.co.uk/wp-co...structions.jpg

    The original js downloads 3 files - 1 is Kovter as usual, the second is unknown and there is a massive 6.7mb php interpreter. The 2nd file won’t run without the php interpreter. It looks like it also belongs to PHP and both php files together are needed to run the downloaded php counter files to encrypt the computer...
    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (406)

    5] https://jbxcloud.joesecurity.org/analysis/300085/1/html
    UPS-Delivery-005156577.doc.js

    6] https://www.virustotal.com/en/file/d167368409c3fa244e17cef06eb83174b03fc0397cb0d907daf30dfdba5e100e/analysis/1498629470/
    UPS-Delivery-005156577.doc.js
    Detection ratio: 9/55

    ... The Kovter download looks like it works separately to the ransomware but might actually be involved somewhere along the line:
    7] https://www.virustotal.com/en/file/2...is/1498630707/
    da40c167cd75d.png
    Detection ratio: 25/62

    8] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (398)

    ... Sites involved in this campaign found so far this week:
    resedaplumbing .com > 166.62.58.18
    modx.mbalet .ru > 95.163.101.104
    artdecorfashion .com > 107.180.0.125
    eventbon .nl > 109.106.167.212
    elita5 .md > 217.26.160.15
    goldwingclub .ru > 62.109.17.210
    www .gloszp .pl > 87.98.239.19
    natiwa .com > 115.84.178.83
    desinano .com.ar > 190.183.59.228
    amis-spb .ru > 77.222.61.227
    perdasbasalti .it > 94.23.64.3
    120.109.32.72: https://www.virustotal.com/en/ip-add...2/information/
    calendar-del .ru > 77.222.61.227
    indexsa.com .ar > 190.183.59.228 ..."
    ___

    'Blank Slate' - malspam campaign -ransomware-
    - https://isc.sans.edu/forums/diary/Ca...+strong/22570/
    Last Updated: 2017-06-29 - "'Blank Slate' is the nickname for a malicious spam (malspam) campaign pushing -ransomware- targeting Windows hosts... Today I collected 11 Blank Slate emails, so this diary examines recent developments from the Blank Slate campaign. Today's Blank Slate malspam was pushing Cerber and GlobeImposter ransomware... -fake- Chrome pages sent victims zip archives containing malicious .js files designed to infect Windows hosts with ransomware... potential -victims- must open the zip attachment, open the enclosed zip archive, then double-click the final .js file. That works on default Windows configurations..."
    (More detail at the isc URL above.)
    ___

    - https://www.bitdefender.com/news/mas...ages|goldeneye
    Update 6/28 08.00 GMT+3 - "There is mounting evidence that the #GoldenEye / #Petya ransomware campaign might not have targeted financial gains but rather data destruction..."

    Last edited by AplusWebMaster; 2017-06-29 at 22:18.

  7. #1227
    Adviser Team AplusWebMaster's Avatar

    Fake 'Documents', 'Customer message', 'invoice' SPAM, 'AdGholas' malvertising

    FYI...

    Fake 'Documents' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    5 Jul 2017 - "An email with the subject of 'Important Account Documents' pretending to come from Lloyds bank but actually coming from a look-a-like domain Lloyds Bank Documents <no-reply@ lloydsbankdocs .co.uk> with a malicious word doc attachment... So far we have only found 1 site sending these today:
    lloydsbankdocs .co.uk
    As usual they are registered via Godaddy as registrar and the emails are sent via IP 37.46.192.51 which doesn’t have any identifying details except AS47869 Netrouting in Netherlands...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-Documents.png

    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...count-docs.png

    AccountDocs.doc - Current Virus total detections 7/57*. Payload Security** shows a download from
    http ://pilotosvalencia .com/sergollinhols.png which of course is -not- an image file but a -renamed- .exe file that gets renamed to fsrtat.exe and autorun (VirusTotal 14/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...43f6/analysis/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    81.169.217.4
    167.114.174.158
    197.248.210.150


    *** https://www.virustotal.com/en/file/2...0a11/analysis/
    ___

    Fake 'Customer message' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    5 July 2017 - "... delivering banking Trojans is an email with the subject of 'Customer message' pretending to come from 'Nat West Bank' but actually coming from a series of look alike domains - NatWest Bank Plc <alert@ natwest-serv478 .ml> with a malicious word doc attachment... criminals sending these have registered various domains that look-like-genuine bank domains. Normally there are 3 or 4 newly registered domains that imitate-the-bank or some message sending service... we have found 6 but it is highly likely there could be hundreds, because they are -free- domains that don’t need any checkable registration details:
    natwest-serv478 .ml > 81.133.163.165
    natwest-serv347 .ml > 185.100.68.185
    natwest-serv305 .ml > 72.21.246.90
    natwest-serv303 .ml > 47.42.101.137
    natwest-serv505 .ml > 98.191.98.153
    natwest-serv490 .ml > 128.95.65.99
    These are registered via freenom .com as registrar and the emails are sent via a series of what are most likely compromised email accounts or mail servers:
    > https://myonlinesecurity.co.uk/wp-co..._spam_list.png

    Screenshot: https://myonlinesecurity.co.uk/wp-co...er-message.png

    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...ent283_doc.png

    message_payment283.doc - Current Virus total detections 9/56*. Payload Security** shows a download from
    http ://armor-conduite .com/34steamballons.png which of course is -not- an image file but a renamed .exe file that gets renamed to nabvwhy.exe and autorun (VirusTotal 16/62***) which is a slightly different -Trickbot- payload... An alternative download location is
    http ://teracom .co.id/34steamballons.png ...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1499266638/
    message_payment283.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    202.169.44.149
    94.42.91.27


    *** https://www.virustotal.com/en/file/d...ff7f/analysis/
    nabvwhy.exe

    armor-conduite .com: 193.227.248.241: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/93...2e47/analysis/

    teracom .co.id: 202.169.44.149: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/9c...dd04/analysis/
    ___

    'AdGholas' malvertising ...
    - https://blog.malwarebytes.com/cyberc...are-outbreaks/
    July 5, 2017 - "... other threat actors have been quite active and perhaps even enjoyed this complimentary diversion. This is certainly true for the most prolific -malvertising- gang of the moment, dubbed 'AdGholas'... A master of disguise, AdGholas has been flying right under the nose of several top ad networks while benefiting from the ‘first to move’ effect. Indeed, the -malvertising- operators are able to quickly roll out and activate a -fake- advertising infrastructure for a few days before getting banned...
    > https://blog.malwarebytes.com/wp-con...7/06/certs.png
    ... We collected artifacts that show us the redirection between the AdGholas group and the Astrum exploit kit. This kind of -redirect- is highly conditional in order to evade the majority of ad scanners. While many malvertising actors do not care about cloaking, it is very important to others such as AdGholas because stealthiness is a strength that contributes to its longevity...
    IOCs:
    AdGholas:
    expert-essays[.]com
    jet-travels[.]com
    5.34.180.73
    162.255.119.165

    Astrum Exploit Kit:
    uniy[.]clamotten[.]com
    comm[.]clamotten[.]com
    comp[.]computer-tutor[.]info
    lexy[.]computer-tutor[.]info
    sior[.]ccnacertification[.]info
    kvely[.]our-health[.]us
    nuent[.]mughalplastic[.]com
    mtive[.]linksaffpixel[.]com
    cons[.]pathpixel[.]com
    sumer[.]pathlinkaff[.]com
    nsruc[.]ah7xb[.]com
    ction[.]ah7xb[.]com
    nstru[.]onlytechtalks[.]com
    const[.]linksaffpixel[.]com
    quely[.]onlytechtalks[.]com
    coneq[.]modweave[.]com
    94.156.174.11 ..."
    (More detail at the malwarebytes URL above.)
    ___

    Fake 'invoice' SPAM - delivers java adwind malware
    - https://myonlinesecurity.co.uk/fake-...g-java-adwind/
    4 Jul 2017 - "... fake 'invoices' rather than their more usual method of fake 'MoneyGram' or 'Western Union money transfer' reports or updates...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-invoices.png

    Payment Dunmore 27.26.170001.jar (566kb) - Current Virus total detections 12/58*. MALWR**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1499145423/

    ** https://malwr.com/analysis/ZTI2MTE2M...BiNWE0NmNlNGE/

    Last edited by AplusWebMaster; 2017-07-05 at 20:42.
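The indicators in the posts above are deliberately defanged ("expert-essays[.]com", "armor-conduite .com", "http ://185.117.73.105 /bofasup.exe", and the "domain > ip" lists in #1226 and #1227), so they cannot be dropped straight into a blocklist or a log search. The script below is an added example, not code from the forum post or from the blogs it quotes: it undoes each defanging style used in the thread, builds a host/IP blocklist, and runs a few constructed proxy log lines against it, matching parent domains so that a new subdomain of a listed domain is still caught. The log line layout is an assumption made for the example.

```python
"""Turn the defanged indicators posted in this thread into a blocklist and check proxy logs against it.

Added example; it is not code from the forum post or from the blogs it quotes. The indicator
strings are copied from the posts above; the proxy log lines are constructed samples.
"""
import re
from urllib.parse import urlsplit

# Defanging styles that appear in the posts: "expert-essays[.]com", "armor-conduite .com",
# "http ://pilotosvalencia .com/...", "http ://185.117.73.105 /bofasup.exe".
# The "hxxp" form is not used in the thread but is common enough to handle too (assumption).
_REFANG_RULES = [
    (re.compile(r"\[\.\]"), "."),                                # bracketed dot
    (re.compile(r"\s+\.(?=[A-Za-z0-9])"), "."),                   # space inserted before a dot
    (re.compile(r"hxxp", re.IGNORECASE), "http"),                 # hxxp:// convention
    (re.compile(r"(https?)\s*://", re.IGNORECASE), r"\1://"),     # "http ://"
    (re.compile(r"\s+/"), "/"),                                   # space inserted before a slash
]


def refang(indicator):
    """Undo the defanging so the indicator can be parsed as a normal URL or host."""
    s = indicator.strip()
    for pattern, repl in _REFANG_RULES:
        s = pattern.sub(repl, s)
    return s


def extract_host(indicator):
    """Return the lower-cased host (domain or IP) from a defanged URL or bare domain."""
    s = refang(indicator)
    if "://" not in s:
        s = "http://" + s            # bare "tag27 .com/08345ug?" style entries
    return (urlsplit(s).hostname or "").lower()


def parse_ioc_line(line):
    """Parse one 'domain > ip' line as written in the posts; ip is None when absent."""
    left, _, right = line.partition(">")
    host = extract_host(left)
    ip = right.split()[0] if right.split() else None
    return host, ip


def build_blocklist(lines):
    """Collect hosts and IPs from a list of indicator lines."""
    hosts, ips = set(), set()
    for line in lines:
        host, ip = parse_ioc_line(line)
        if host:
            hosts.add(host)
        if ip:
            ips.add(ip)
    return hosts, ips


def host_matches(host, hosts):
    """True if the host or any of its parent domains is listed (catches new subdomains)."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in hosts for i in range(len(labels)))


def scan_proxy_log(log_text, hosts, ips):
    """Return (timestamp, client, host) for each log line whose URL host is listed.

    Log format assumed here (constructed): '<timestamp> <client-ip> <method> <url> <status>'.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        host = (urlsplit(url).hostname or "").lower()
        if host in ips or host_matches(host, hosts):
            hits.append((ts, client, host))
    return hits


# Indicators copied from the posts above, in the forms they were posted in.
IOC_LINES = [
    "expert-essays[.]com",
    "jet-travels[.]com",
    "uniy[.]clamotten[.]com",
    "http ://pilotosvalencia .com/sergollinhols.png",
    "http ://armor-conduite .com/34steamballons.png",
    "http ://185.117.73.105 /bofasup.exe",
    "natwest-serv478 .ml > 81.133.163.165",
]

# Constructed proxy log: five lines touch listed infrastructure, one is benign.
SAMPLE_PROXY_LOG = """\
2017-07-05T09:41:12Z 10.0.0.15 GET http://pilotosvalencia.com/sergollinhols.png 200
2017-07-05T09:41:40Z 10.0.0.15 GET https://www.example.org/index.html 200
2017-07-05T09:42:05Z 10.0.0.22 GET http://uniy.clamotten.com/ads.js 200
2017-07-06T11:03:55Z 10.0.0.31 GET http://185.117.73.105/bofasup.exe 404
2017-07-06T11:05:10Z 10.0.0.31 GET http://mail.natwest-serv478.ml/ 200
2017-07-06T11:06:00Z 10.0.0.31 GET http://81.133.163.165/ 200
"""

if __name__ == "__main__":
    hosts, ips = build_blocklist(IOC_LINES)
    for ts, client, host in scan_proxy_log(SAMPLE_PROXY_LOG, hosts, ips):
        print(f"{ts} {client} -> {host}")
```

The parent-domain match is the part worth keeping: the posts show the same gang rotating through natwest-serv478 .ml, natwest-serv347 .ml and so on, and the AdGholas list is almost all subdomains of a few registered domains, so matching on the registered domain rather than the exact host gives far better coverage than an exact-string blocklist.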

  8. #1228
    Adviser Team AplusWebMaster's Avatar

    Fake 'wire request', 'eFax' SPAM

    FYI...

    Fake 'wire request' SPAM - delivers banking trojan
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    6 Jul 2017 - "An email with the subject of 'The wire request is unsuccessful!' pretending to come from Billing Support using random senders & email addresses with a malicious word doc attachment delivers Chthonic banking trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ng-support.png

    printed_ty_0717.doc - Current Virus total detections 12/58*. Payload Security** shows a download from
    http ://185.117.73.105 /bofasup.exe (VirusTotal 13/57***)... alternative doc detections [1] [2]. Other download locations include: (there are 3 download locations hard coded in the macro):
    http ://185.45.192.116 /bofasup.exe
    http ://185.117.72.251 /bofasup.exe
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1499318502/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/d...e397/analysis/
    bofasup.exe

    1] https://www.virustotal.com/en/file/b...3968/analysis/
    printed_copy_da_0717.doc
    Detection ratio: 13/57

    2] https://www.virustotal.com/en/file/8...is/1499319821/
    copy_wt_0717.doc
    Detection ratio: 11/57
    ___

    Fake 'eFax' SPAM - malicious doc/xls attachment
    - https://myonlinesecurity.co.uk/more-...ivers-malware/
    6 Jul 2017 - "... spoofed eFax message from 1 month ago[1], the same gang are using a similar range of fake e-faxcorporatexxx.top domains to send these malspam emails. Today’s comes with the usual typical subject of 'eFax message from “0300 200 3822” – 2 page(s)' coming from eFax <message@ e-faxcorporate102 .top> with a malicious word doc attachment which delivers some sort of malware...
    1] https://myonlinesecurity.co.uk/fake-...-and-trickbot/

    Screenshot: https://myonlinesecurity.co.uk/wp-co.../efax_nest.png

    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...gedoc_nest.png

    SecureMessage.doc - Current Virus total detections 6/57*... Joesandbox** shows a download from
    http ://5.149.252.155 /parcelon13.exe (VirusTotal 15/63***)...
    This email attachment contains what appears to be a genuine word doc -or- Excel XLS spreadsheet with either a macro script -or- an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1499264264/
    SecureMessage.doc

    ** https://jbxcloud.joesecurity.org/analysis/304760/1/html

    *** https://www.virustotal.com/en/file/c...is/1499306577/

    e-faxcorporate102 .top: 46.8.221.104: https://www.virustotal.com/en/ip-add...4/information/

    Last edited by AplusWebMaster; 2017-07-06 at 12:49.

  9. #1229
    Adviser Team AplusWebMaster's Avatar

    Fake 'BACs documents' SPAM

    FYI...

    Fake 'BACs documents' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    7 Jul 2017 - "An email with the subject of 'FW: Important BACs documents' pretending to come from Royal Bank of Scotland but actually coming from a look-a-like domain <Secure.Delivery@ rbsdocs .co.uk> with a -link- to a malicious zip attachment containing a .js file... delivering Trickbot banking Trojan... criminals sending these have registered various domains that look like genuine Bank domains. Normally there are 3 or 4 newly registered domains that -imitate- the bank or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far we have only found 1 domain today:
    rbsdocs .co.uk > 160.153.162.130
    As usual they are registered via Godaddy as registrar and hosted by Godaddy on ip 160.153.162.130 but the emails are being sent via host Europe 85.93.88.125...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...s_trickbot.png

    Rbs_Account_BACs.js - Current Virus total detections 1/57*. Payload Security** shows a download from
    http ://mutfakdolabisitesi .com/grandsergiostalls.png which of course is -not- an image file but a renamed .exe file that gets renamed to qkY5ijY.exe and autorun (VirusTotal 12/64***)... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1499423876/
    Rbs_Account_BACs.js

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    46.235.11.61
    50.19.227.215
    37.120.182.208
    78.47.139.102


    *** https://www.virustotal.com/en/file/b...is/1499422646/

    mutfakdolabisitesi .com: 46.235.11.61: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/f9...b157/analysis/

    rbsdocs .co.uk: 160.153.162.130: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/8d...dfec/analysis/
    ___

    'Facebook Lottery' - Scam
    - https://myonlinesecurity.co.uk/facebook-lottery-scam/
    7 Jul 2017 - "'Oh look I have won the Facebook Lottery', or might have done if there actually was such a thing. Unfortunately it is all a big scam. If you were unwise enough to reply, all you would get is a request for a sum of money for Post & packing and the transfer fee for the money. To make it more attractive than usual, apart from the just over $1m money they are giving you a Facebook cap, tee shirt and wallet, 'Wow! how exciting!'. To show how clueless or how they don’t filter or check email addresses they send to, this was sent to a spam-trap-email address...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ok-lottery.png

    Email Headers:
    124.153.79.193 - mailgw.notvday .in...
    188.207.76.172 - static.kpn .net...

    Last edited by AplusWebMaster; 2017-07-07 at 22:59.
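    Added example (not from the post above or from myonlinesecurity.co.uk): a small triage routine for the two tells the Trickbot write-up describes, a script file (.js) sitting inside a zip attachment and a "PNG" download that is really a renamed .exe. It goes a little beyond the post by also walking zips nested inside zips. The member names and the MZ/PE bytes are constructed stand-ins, not the real sample; the list of dropper extensions is an assumption you should adjust to your own environment.

```python
import io
import os
import struct
import zipfile
from typing import List

# Script/executable extensions commonly used as droppers (assumed list, extend to taste).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                     ".ps1", ".cmd", ".bat", ".exe", ".scr"}
# Extensions that legitimately carry a PE image.
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".ocx"}


def looks_like_pe(data: bytes) -> bool:
    """True when data has a DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_download(name: str, data: bytes) -> List[str]:
    """Flag an object whose bytes are a PE image but whose name claims something else (e.g. .png)."""
    ext = os.path.splitext(name)[1].lower()
    if looks_like_pe(data) and ext not in PE_EXTENSIONS:
        return [f"executable disguised as {ext or 'no extension'}: {name}"]
    return []


def triage_zip(zip_bytes: bytes, depth: int = 0, max_depth: int = 3) -> List[str]:
    """Walk a zip and any zips nested in it; return findings (empty list means nothing flagged)."""
    findings = []
    prefix = "  " * depth
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(info)
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append(f"{prefix}script/executable member: {name}")
            findings.extend(prefix + f for f in check_download(name, data))
            if zipfile.is_zipfile(io.BytesIO(data)):
                if depth + 1 > max_depth:
                    findings.append(f"{prefix}nested zip beyond depth {max_depth}: {name}")
                else:
                    findings.append(f"{prefix}nested zip: {name}")
                    findings.extend(triage_zip(data, depth + 1, max_depth))
    return findings


def build_fake_pe() -> bytes:
    """Constructed stand-in for a renamed .exe: 'MZ' stub, e_lfanew = 0x40, then 'PE\\0\\0'."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 0x10


def build_sample_attachment() -> bytes:
    """Constructed zip-in-zip: the outer zip holds an inner zip holding a .js (placeholder content)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Rbs_Account_BACs.js", "// constructed placeholder, not the real dropper\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Rbs_Account_BACs.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for line in triage_zip(build_sample_attachment()):
        print(line)
    for line in check_download("grandsergiostalls.png", build_fake_pe()):
        print(line)
```

    The PE check reads the e_lfanew offset rather than trusting the first two bytes alone, so a stray "MZ" at the start of a text file is not reported; the same check is what to run on anything a mail-gateway sandbox sees downloaded under an image extension.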

  10. #1230
    Adviser Team AplusWebMaster's Avatar

    Thumbs down Fake 'Delivery Status', 'Secure Communication' SPAM

    FYI...

    Fake 'Delivery Status' SPAM - delivers ransomware
    - https://myonlinesecurity.co.uk/new-p...unce-messages/
    10 July 2017 - "We were notified of a new ransomware version* last night. This new version comes as an email attachment which is a zip inside a zip before extracting to a .js file in a -fake- 'Delivery Status Notification, failed to deliver' email bounce message. The .js file in the email attachment is a PowerShell -script- and there are no other files involved. Nothing new is downloaded. When the files are encrypted they DO NOT change file name or extensions and appear “normal” to the victim until you try to open them. This is the same behaviour we have been seeing with the recent 'UPS failed to deliver'** nemucod ransomware versions...
    * https://twitter.com/SecGuru_OTX/stat...36470910562304

    ** https://myonlinesecurity.co.uk/retur...ovter-payload/

    Screenshot: https://myonlinesecurity.co.uk/wp-co...re_email-1.png

    There is also a section in the script... causes a fake pop up message making the victim think that the file isn’t running properly:
    > https://myonlinesecurity.co.uk/wp-co...ot_found-1.png

    After the file has run and encrypted your files, you get a message left called _README-Encrypted-Files .html:
    > https://myonlinesecurity.co.uk/wp-co...mware_note.jpg

    As well as encrypting the usual image, music, video and document files this also encrypts databases files, email, and very unusually many executable file types. It also encrypts your bitcoin wallet and other similar financial files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/7...is/1499666506/
    Readable Msg-j8k5b798d4.js

    2] https://www.reverse.it/sample/7a6d5a...ironmentId=100
    Readable Msg-j8k5b798d4.js

    The sender domain is also the C2 http ://joelosteel .gdn/pi.php currently hosted by digitalocean .com on 165.227.1.206 ..."

    joelosteel .gdn: 165.227.1.206: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/66...e150/analysis/
    ___

    Fake 'Secure Communication' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/yet-a...anking-trojan/
    10 Jul 2017 - "An email with the subject of 'Secure Communication' pretending to come from HM Revenue & Customs but actually coming from a look-alike domain < Secure.Communication@ hrmccommunication .co.uk > with a malicious word doc attachment... delivering Trickbot banking Trojan... a very important site involved in today’s campaign with images being hosted on www .libdemvoice .org/wp-content/uploads/2012/06/HMRC-logo-300×102.jpg... they have been hosting an HMRC logo since 2012...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...rc_10_july.png

    HMRC3909308823743.doc - Current Virus total detections 6/57*. Payload Security** shows a download from one of these 2 locations: http ://pilotosvalencia .com/grazlocksa34.png -or- http ://ridderbos .info/grazlocksa34.png which of course is -not- an image file but a renamed .exe file that gets renamed to Sonqa.exe and autorun (VirusTotal 10/63***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1499682599/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    81.169.217.4
    107.22.214.64
    93.99.68.140
    195.133.197.179


    *** https://www.virustotal.com/en/file/9...c9cf/analysis/

    pilotosvalencia .com: 81.169.217.4: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/47...a61a/analysis/

    ridderbos .info: 84.38.226.82: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/e6...e526/analysis/

    libdemvoice .org: 104.28.31.9: https://www.virustotal.com/en/ip-add...9/information/
    104.28.30.9: https://www.virustotal.com/en/ip-add...9/information/

    Last edited by AplusWebMaster; 2017-07-10 at 14:32.
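    Added example (not from the post above or from myonlinesecurity.co.uk): the ransomware write-up's point is that encrypted files keep their names and extensions and "appear normal" until opened, so an extension-based inventory finds nothing. The heuristic below instead compares each file's leading bytes with what its extension promises and, on a mismatch, measures byte entropy; an in-place encrypted document fails the header check and reads as near-random. The magic-byte table, the 7.5 bits/byte threshold and the victim files are my own assumptions and constructed samples; only the ransom note name comes from the post.

```python
import hashlib
import math
import os
from typing import Dict, List, Tuple

# Leading bytes expected for a handful of common types (assumed table; extend as needed).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".zip": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",), ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".exe": (b"MZ",), ".dll": (b"MZ",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}
# Ransom note file name quoted in the post.
RANSOM_NOTE_NAMES = {"_README-Encrypted-Files.html"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(name: str, data: bytes, entropy_threshold: float = 7.5) -> Tuple[str, str]:
    """Return (verdict, reason) for one file; only the first 4 KiB of data is examined."""
    if os.path.basename(name) in RANSOM_NOTE_NAMES:
        return "ransom-note", "file name matches a known ransom note"
    ext = os.path.splitext(name)[1].lower()
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown-type", f"no header rule for {ext or 'no extension'}"
    if any(data.startswith(m) for m in expected):
        return "ok", "header matches extension"
    ent = shannon_entropy(data[:4096])
    if ent >= entropy_threshold:
        return "suspect-encrypted", f"header mismatch, entropy {ent:.2f} bits/byte"
    return "header-mismatch", f"header mismatch, entropy {ent:.2f} bits/byte"


def scan_files(files: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Classify an in-memory {name: content} map and return every file that is not 'ok'."""
    results = []
    for name in sorted(files):
        verdict, reason = classify(name, files[name])
        if verdict != "ok":
            results.append((name, verdict, reason))
    return results


def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Same check over a directory tree, reading only the first 4 KiB of each file."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            with open(path, "rb") as fh:
                files[path] = fh.read(4096)
    return scan_files(files)


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext; constructed."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_samples() -> Dict[str, bytes]:
    """Constructed victim files: one intact, one encrypted in place, one odd but benign, one note."""
    return {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 500,   # genuine JPEG header
        "invoice.docx": pseudo_random(4096),                  # header gone, extension kept
        "readme.jpg": b"not really an image\n",               # wrong header but low entropy
        "_README-Encrypted-Files.html": b"<html>...</html>",  # note name from the post
    }


if __name__ == "__main__":
    for name, verdict, reason in scan_files(build_samples()):
        print(f"{verdict:18} {name}: {reason}")
```

    The low-entropy "header-mismatch" branch matters in practice: a JPEG that turns out to be plain text is a mislabelled file, not encryption, and keeping the two verdicts apart stops a sweep after an incident from drowning in false positives.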
