Thread: SPAM frauds, fakes, and other MALWARE deliveries...

    #34 - AplusWebMaster (Adviser Team)

    Fake 'Remittance Advice', 'CHRISTMAS OFFERS.docx' SPAM, NTP ...

    FYI...

    Fake 'Remittance Advice' SPAM - malicious Excel attachment
    - http://blog.dynamoo.com/2014/12/remi...omes-with.html
    23 Dec 2014 - "This -fake- remittance advice comes with a malicious Excel attachment.
    From: Whitney
    Date: 23 December 2014 at 09:12
    Subject: Remittance Advice -DPRC93
    Confidentiality and Disclaimer: This email and its attachments are intended for the addressee only and may be confidential or the subject of legal privilege.
    If this email and its attachments have come to you in error you must take no action based on them, nor must you copy them, distribute them or show them to anyone.
    Please contact the sender to notify them of the error...
    The reference in the subject varies, and the name of the attachment always matches (so in this case DPRC93.xls). There are in fact three different versions of the document, all of which have a malicious macro. At the moment, none of these are detected by anti-virus vendors [1] [2] [3]... the macro has now changed completely, as it now loads some of the data from the Excel spreadsheet itself and puts it into a file %TEMP%\windows.vbs. So far I have seen three different scripts... which download a component from one of the following locations:
    http ://185.48.56.133:8080/sstat/lldvs.php
    http ://95.163.121.27:8080/sstat/lldvs.php
    http ://92.63.88.100:8080/sstat/lldvs.php
    It appears that this email is downloaded as test.exe and is then saved as %TEMP%\servics.exe. The ThreatExpert report shows traffic to the following:
    194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
    80.237.255.196 (Denes Balazs / HostEurope, Germany)
    85.25.20.107 (PlusServer AG, Germany)
    VirusTotal indicates a detection rate of just 3/54*, and identifies it as Dridex.
    Recommended blocklist:

    Note that there are two IPs acting as downloaders in the 92.63.88.0/24 range (MWTV, Latvia). It may be that you would also want to block that range as well."
    [1] https://www.virustotal.com/en/file/2...is/1419330172/
    [2] https://www.virustotal.com/en/file/8...is/1419330170/
    [3] https://www.virustotal.com/en/file/2...is/1419330172/
    * https://www.virustotal.com/en/file/a...is/1419333104/

    - http://myonlinesecurity.co.uk/remitt...l-xls-malware/
    23 Dec 2014
    > 22 Dec 2014 : PZDF16.xls Current Virus total detections: 0/55*:
    TKBJ98.xls Current Virus total detections: 0/55**
    * https://www.virustotal.com/en/file/2...is/1419328785/
    ** https://www.virustotal.com/en/file/e...is/1419329398/

    - http://blog.mxlab.eu/2014/12/23/emai...licious-macro/
    Dec 23 2014
    > https://www.virustotal.com/en/file/e...e6b5/analysis/
    ___

    Fake 'CHRISTMAS OFFERS.docx' SPAM - Word doc malware
    - http://myonlinesecurity.co.uk/jayne-...d-doc-malware/
    23 Dec 2014 - "'CHRISTMAS OFFERS.docx' pretending to come from Jayne <Jayne@ route2fitness .co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email body is completely -blank- . As per usual there are at least 2 different file sizes of this malware although all are named exactly the same.

    22 Dec 2014: CHRISTMAS OFFERS.doc (41 kb) . Current Virus total detections: 0/55* : CHRISTMAS OFFERS.doc (44 kb) . Current Virus total detections: 0/56**
    Downloads dridex Trojan from microinvent .com//js/bin.exe which is moved to and run from %temp%1\V2MUY2XWYSFXQ.exe Virus total*** ..."
    * https://www.virustotal.com/en/file/0...is/1419327481/
    ** https://www.virustotal.com/en/file/2...is/1419327349/
    *** https://www.virustotal.com/en/file/d...is/1419334606/

    - http://blog.mxlab.eu/2014/12/23/empt...licious-macro/
    Dec 23, 2014
    > https://www.virustotal.com/en/file/2...5d9c/analysis/
    ___

    Network Time Protocol Vulnerabilities
    - https://ics-cert.us-cert.gov//advisories/ICSA-14-353-01
    Dec 22, 2014 - "... vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available. Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.
    IMPACT: Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process..."

    - https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-9295 - 7.5 (HIGH)

    - http://arstechnica.com/security/2014...rvers-at-risk/
    Dec 19 2014

    Last edited by AplusWebMaster; 2014-12-23 at 23:21.
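Added detection example (not from the post or from the quoted blogs): a small Python checker that runs over constructed proxy-log lines and flags the Dridex stage-2 downloader fetches described in the Dynamoo write-up above (the /sstat/lldvs.php URL on port 8080 and traffic into the 92.63.88.0/24 range) as well as the post-infection C2 addresses it names. The log layout, the sample lines and the host 92.63.88.77 are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators quoted in the Dynamoo write-up above (defanged there as "http ://").
DOWNLOADER_PATH = "/sstat/lldvs.php"
DOWNLOADER_PORT = 8080
DOWNLOADER_IPS = {"185.48.56.133", "95.163.121.27", "92.63.88.100"}
C2_IPS = {"194.146.136.1", "80.237.255.196", "85.25.20.107"}
SUSPECT_RANGES = [ipaddress.ip_network("92.63.88.0/24")]  # MWTV, Latvia

# Assumed log layout (not from the page): "timestamp client method url status"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def classify(url):
    # Return a reason string if the requested URL matches an indicator, else None.
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if host in C2_IPS:
        return "post-infection C2 traffic"
    if host in DOWNLOADER_IPS or (parts.path == DOWNLOADER_PATH and port == DOWNLOADER_PORT):
        return "stage-2 downloader fetch"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # hostname rather than a literal IP
        return None
    if any(ip in net for net in SUSPECT_RANGES):
        return "traffic to suspect downloader range"
    return None

def scan_log(lines):
    # Collect (client, url, reason) for every log line that hits an indicator.
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue            # skip lines that do not fit the assumed layout
        reason = classify(m["url"])
        if reason is not None:
            alerts.append((m["client"], m["url"], reason))
    return alerts

# Constructed sample lines (not real traffic); 92.63.88.77 is a made-up host in the suspect range.
SAMPLE_LOG = [
    "2014-12-23T09:15:02Z 10.0.0.12 GET http://185.48.56.133:8080/sstat/lldvs.php 200",
    "2014-12-23T09:15:09Z 10.0.0.12 GET http://92.63.88.77/ 200",
    "2014-12-23T09:15:40Z 10.0.0.12 POST http://194.146.136.1/ 200",
    "2014-12-23T09:16:00Z 10.0.0.40 GET http://www.example.com/index.html 200",
]
if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {reason}")
```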
