
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #991
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Invoice','RE:' SPAM, Locky

    FYI...

    Fake 'Invoice' SPAM - malicious attachment
    - https://myonlinesecurity.co.uk/fw-invoice_515002/
    21 June 2016 - "An email pretending to be a sage invoice with the subject of 'FW: Invoice_515002' coming from “postmaster@footballplayers19.gq”@ footballplayers19 .gq; on behalf of; Leanna Sage Whitaker <postmaster@footballplayers19 .gq> with a zip attachment... We have been seeing a few emails over the last couple of weeks from the footballplayers*.g* domains. Some pure spam, some phishing and some malware. It looks like a mailing list that must have some vulnerability to allow external users to be sent emails via them. One of the emails looks like:
    From:”postmaster@footballplayers19.gq”@ footballplayers19 .gq; on behalf of; Leanna Sage Whitaker <postmaster@ footballplayers19 .gq>
    Date: Tue 21/06/2016 10:05
    Subject: FW: Invoice_515002
    Attachment:
    Please see attached copy of the original invoice (sage_invoice_131340_711410101502668.pdf).


    21 June 2016: sage_invoice_515002_3841674267107.zip: Extracts to: sage_invoice_225224_4233.exe
    Current Virus total detections 6/56*.. Payload Security** shows it posts some information to a Ukrainian IP 217.12.199.87... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1466500334/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    217.12.199.87: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Fake 'RE:' SPAM - Locky .js attachment
    - https://myonlinesecurity.co.uk/it-lo...locky-is-back/
    21 June 2016 - "It looks like Locky ransomware is back tonight with a series of generic emails pretending to be invoices with the subject of 'RE:' pretending to come from random senders with a zip attachment which downloads what looks suspiciously like Locky Ransomware... None of the auto analysers can effectively decode these encrypted javascripts inside the zips... One of the emails looks like:
    From: Titus Sampson <Sampson.FAC43DD@ melhonretail .com>
    Date: Tue 21/06/2016 18:16
    Subject: RE:
    Attachment: wilbarger_invoice_181696.zip
    Dear wilbarger:
    Please find attached our invoice for services rendered and additional disbursements in the above-
    mentioned matter.
    Hoping the above to your satisfaction, we remain.
    Sincerely,
    Titus Sampson
    General Manager


    21 June 2016: wilbarger_invoice_181696.zip: Extracts to: addition-546.js - Current Virus total detections 2/56*
    .. I am being told one of sites containing an encrypted Locky binary is easysupport .us/fl85xie ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1466529396/

    easysupport .us: 198.58.93.28: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/08...d3b2/analysis/

    Last edited by AplusWebMaster; 2016-06-22 at 06:52.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #992
    Adviser Team AplusWebMaster

    Ransomware decrypter, Fake 'Corresponding Inv', 'invoice' SPAM, 'Documents' PHISH

    FYI...

    Ransomware decrypter released
    - https://www.helpnetsecurity.com/2016...-apocalypsevm/
    June 22, 2016 - "... Emsisoft has added yet another ransomware decrypter tool to its stable: a decrypter for ApocalypseVM*. The tool works on the latest versions of the ransomware in question:
    > https://www.helpnetsecurity.com/imag...ocalypseVM.jpg
    ... The victim can then decide to use it on one, some, or all encrypted files. The tool selects the C: partition of the disk by default, but victims can choose other partitions or files to be decrypted. Emsisoft recommends testing the key first on a few files, then to proceed decrypting the rest if everything goes well with the test..."
    * https://decrypter.emsisoft.com
    Jun, 18, 2016 - Version: 1.0.0.23
    ___

    Fake 'Corresponding Invoice' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/06/malw...g-invoice.html
    22 June 2016 - "This spam has a malicious attachment... leading to Locky ransomware:
    From: Althea Duke
    Date: 22 June 2016 at 16:00
    Subject: Corresponding Invoice
    Dear lisa:
    Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am
    writing to confirm receipt of your order, and to inform you that the item you requested will be delivered
    by 25 June at the latest. If you require more information regarding this order, please do not hesitate to
    contact me.
    Also, our records show that we have not yet received payment for the previous order of 11 June,
    so I would be grateful if you could send payment as soon as possible. Please find attached the
    corresponding invoice.
    If there is anything else you require, our company would be pleased to help. Looking forward to
    hearing from you soon.
    Yours sincerely
    Althea Duke
    Managing Director


    UPDATE: A little bit of analysis, via these automated reports [1] [2].. show some download locations as:
    personal-architecture .nl/6gcpaey
    ding-a-ling-tel .com/b289dg
    plasticsmachine .com/d43ndxna
    hyip-all .com/9qwmc65
    Various files are dropped, including these samples [6] [7], the latter of which is a three-week-old version of Locky. Go figure. The comments in this report show C2 servers at:
    51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
    91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
    185.82.216.55 (ITL, Bulgaria)
    93.170.169.188 (PE Dunaeivskyi Denys Leonidovich, Ukraine)
    Three out of those four servers are the -same- as yesterday*.
    Recommended blocklist:
    51.254.240.48
    91.219.29.41
    185.82.216.55
    93.170.169.188
    ."
    * http://blog.dynamoo.com/2016/06/malw...ached-our.html

    1] https://malwr.com/analysis/NDE5YTY1M...E1ZmIyMTI5ZTE/

    2] https://malwr.com/analysis/NWUxOTBkO...UyZGE1MjhjMGI/

    6] https://virustotal.com/en/file/9d9ca...4b76/analysis/

    7] https://virustotal.com/en/file/ed2b4...b731/analysis/

    - https://myonlinesecurity.co.uk/thank...ky-ransomware/
    22 June 2016 - "An email with the subject of 'Corresponding Invoice' pretending to come from random senders with a zip attachment which downloads Locky ransomware... These contain a heavily obfuscated JavaScript inside the zip. It has several layers of obfuscation. The alleged sender's name matches the name in the body of the email. The job title is also random and can be anything from Sales Director, Account Director or any other position that any company might think of... This Blog post* describes how to manually deobfuscate these horridly difficult & tricky JavaScript files.
    * https://malcat.moe/?p=53
    One of the emails looks like:
    From: Mariano Hoover <Hoover.20718@215-132 .thezone .bg>
    Date: Wed 22/06/2016 15:10
    Subject: Corresponding Invoice
    Attachment: rob_unpaid_673442.zip
    Dear rob:
    Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am
    writing to confirm receipt of your order, and to inform you that the item you requested will be delivered
    by 25 June at the latest. If you require more information regarding this order, please do not hesitate to
    contact me.
    Also, our records show that we have not yet received payment for the previous order of 11 June,
    so I would be grateful if you could send payment as soon as possible. Please find attached the
    corresponding invoice.
    If there is anything else you require, our company would be pleased to help. Looking forward to
    hearing from you soon.
    Yours sincerely
    Mariano Hoover
    Regional Sales Director


    22 June 2016: rob_unpaid_673442.zip: Extracts to: unpaid-5967.js - Current Virus total detections 2/56**
    .. Payload Security*** shows us downloads from totalsportnetwork .com/kpbrp2mq or modelestrazackie .za.pl/zfww8nx which are encrypted files that get decrypted by the original JavaScript files to give
    %TEMP%\OVAkXuGy.exe (VirusTotal 12/55[4]). These encrypted files make it very difficult for an antivirus to prevent download because they are plain text, albeit in total gibberish to a human reader... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."

    ** https://www.virustotal.com/en/file/c...is/1466604801/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.186.209.5
    193.203.99.113


    4] https://www.virustotal.com/en/file/f...bb7f/analysis/
    ___

    Fake 'On Hold Transactions' SPAM - malicious attachment
    - https://myonlinesecurity.co.uk/on-ho...oney-services/
    22 June 2016 - "An email with the subject of 'On Hold Transactions From 21.06.2016' pretending to come from Saeed Abugharbieh <saeed.abugharbieh@ xpressmoney .com> with a zip attachment that contains a Barys Trojan and a copy of the image in the email. The .exe file drops a JAVA jar file that is most likely Java Jacksbot Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...s-1024x552.png

    22 June 2016: On Hold Transactions From 21.06.2016.zip: Extracts to: On Hold Transactions From 21.06.2016.exe
    Current Virus total detections 15/56*.. MALWR** shows this drops a JAVA.jar file 812594500.jar which appears to be Java Jacksbot Trojan (VirusTotal 29/56***). MALWR[4]... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1466613297/

    ** https://malwr.com/analysis/MjgyMjg5N...Y1MjY3YmFiMzY/

    *** https://www.virustotal.com/en/file/9...is/1466613895/

    4] https://malwr.com/analysis/NzJmMmVkN...M0MTdhZDJhZjI/
    ___

    Fake 'Payment' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/our-r...elivers-locky/
    22 June 2016 - "An email with the subject of 'Payment' pretending to come from random senders with a zip attachment which downloads Locky ransomware... These contain a heavily obfuscated JavaScript inside the zip. It has several layers of obfuscation. The alleged sender's name matches the name in the body of the email. The job title is also random and can be anything from Sales Director, Account Director or any other position that any company might think of... This Blog post* describes how to manually deobfuscate... JavaScript files. The JavaScript in this one is the -same- as THIS earlier run of Locky downloaders**...
    * https://malcat.moe/?p=53

    ** >> https://myonlinesecurity.co.uk/thank...ky-ransomware/
    One of the emails looks like:
    From: Luz Odonnell <Odonnell.198@ frionline .com.br>
    Date: Wed 22/06/2016 20:36
    Subject: Payment
    Attachment: details_rob_440235.zip
    Dear rob,
    Our records show that we have not yet received payment for the previous order #A-440235
    Could you please send payment as soon as possible?
    Please find attached file for details.
    Yours sincerely
    Luz Odonnell
    Head of Maintenance


    This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    ___

    Fake 'documents for your reference' PHISH
    - https://myonlinesecurity.co.uk/pleas...-owa-phishing/
    22 June 2016 - "An email saying 'Please find below documents for your reference kindly sign' pretending to come from gccremittance@ emirates .net.ae is one of the latest -phish- attempts to steal your Outlook Web App log on details which is generally your Microsoft account details...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-1024x471.png

    -If- you follow the link http ://intimeshop .com/reviews/cgi-bin/login sure owa/index.html which goes to you get a pop up message:
    > https://myonlinesecurity.co.uk/wp-co...1-1024x193.png
    .. press OK & you go to:
    > https://myonlinesecurity.co.uk/wp-co...2-1024x536.png
    After giving an email address & password you are sent to:
    http ://integrare .inf.br/images/Servicos/process/process.php which is currently giving a 404 error... these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

    intimeshop .com: 195.154.232.157: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/9f...4981/analysis/

    integrare .inf.br: 177.12.163.97: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Fake 'invoice' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/06/malw...ached-our.html
    21 June 2016 - "This malicious spam leads to Locky ransomware, something that we haven't seen for several weeks:
    From: Lilian Fletcher
    Date: 21 June 2016 at 20:01
    Subject: Re:
    Dear lisa:
    Please find attached our invoice for services rendered and additional disbursements in the above-
    mentioned matter.
    Hoping the above to your satisfaction, we remain.
    Sincerely,
    Lilian Fletcher
    Head of Maintenance


    These are being sent out in huge numbers at the moment. Details vary from message to message, but the body text is essentially the same. Attached is a ZIP file containing the words 'addition', 'invoice' or 'services' plus the recipient's email address and a number (e.g. lisa_addition_278292.zip) containing a malicious script beginning with the word "addition"... Analysis.. shows that it phones home to:
    51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
    91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
    185.82.216.55 (ITL, Bulgaria)
    217.12.223.83 (ITL, Ukraine)
    As I mentioned before, this is Locky ransomware which has not been circulating at all since about 31st May.
    Recommended blocklist:
    51.254.240.48
    91.219.29.41
    185.82.216.55
    217.12.223.83
    "

    51.254.240.48: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/8c...e1d3/analysis/

    91.219.29.41: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/e7...2a51/analysis/

    185.82.216.55: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/25...2f8b/analysis/

    217.12.223.83: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/76...fd5e/analysis/

    Last edited by AplusWebMaster; 2016-06-23 at 00:53.

  3. #993
    Adviser Team AplusWebMaster

    Fake 'report', 'swift copy' SPAM

    FYI...

    Fake 'report' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/06/malw...of-report.html
    23 June 2016 - "This spam leads to malware:
    From: Julianne Pittman
    Date: 23 June 2016 at 09:48
    Subject: Final version of the report
    Dear info,
    Patrica Ramirez asked me to send you the attached Word document, which contains the final version of the report.
    Please let me know if you have any trouble with the file, and please let Patrica know if you have any questions about the contents of the report.
    Kind regards
    Julianne Pittman
    Operations Director (CEO Designate)


    The names in each version of the email vary. Attached is a ZIP file with a filename containing some version of the recipient's email address and the word "report" which contains in turn a malicious ZIP .js script beginning with the words "unpaid"...
    UPDATE... Hybrid Analysis of three sample scripts [1] [2].. show three download locations (you can bet there will be many more):
    bptec .ir/kvk9leho
    promoresults .com.au/gx4al
    boranwebshop .nl/ggc7ld
    Each one drops a slightly different binary (VirusTotal results [4] [5]..).. C2 servers are at:
    51.254.240.48 (Rackspace, US)
    91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
    217.12.223.88 (ITL, Ukraine)
    195.123.209.227 (ITL, Latvia)
    93.170.169.188 (PE Dunaeivskyi Denys Leonidovich, Ukraine)
    The malware uses the path /upload/_dispatch.php on the C2 servers.
    Recommended blocklist:
    51.254.240.48
    91.219.29.41
    217.12.223.88
    195.123.209.227
    93.170.169.188
    "
    1] https://www.hybrid-analysis.com/samp...ironmentId=100

    2] https://www.hybrid-analysis.com/samp...ironmentId=100

    4] https://www.virustotal.com/en/file/2...773e/analysis/

    5] https://www.virustotal.com/en/file/8...91e5/analysis/

    - https://myonlinesecurity.co.uk/final...ky-ransomware/
    23 June 2016 - "An email with the subject of 'Final version of the report' pretending to come from random senders with a zip attachment containing a JavaScript file which downloads Locky Ransomware... One of the emails looks like:
    From: Jeri Kline <Kline.35895@ moon-maker .com>
    Date: Thu 23/06/2016 09:41
    Subject: Final version of the report
    Attachment: rob_scan_report_094249.zip
    Dear rob,
    Randall Franks asked me to send you the attached Word document, which contains the final version of the report.
    Please let me know if you have any trouble with the file, and please let Randall know if you have any questions about the contents of the report.
    Kind regards
    Jeri Kline
    Key Account Director Municipalities


    23 June 2016: rob_scan_report_094249.zip: Extracts to: unpaid-068.js - Current Virus total detections 1/56*
    .. Payload security** shows a download of encrypted Locky from
    abligl .com/8v62l4i4 which the JavaScript from the email converts to 2oyWQ1WPdr1i.exe (VirusTotal 4/55***).
    These encrypted files make it very difficult for an antivirus to prevent download because they are just plain text, albeit in total gibberish to a human reader... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1466674224/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    160.153.73.196

    *** https://www.virustotal.com/en/file/9...is/1466674585/

    abligl .com: 160.153.73.196: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/d3...a652/analysis/
    ___

    Fake 'swift copy' SPAM - malspam RTF exploit
    - https://myonlinesecurity.co.uk/pleas...h-rtf-exploit/
    23 June 2016 - "An email with the subject of 'Fwd: Re: TT-USD78600.00' pretending to come from barat.mnupack@ mnubd .com with a malicious word doc attachment is an attempt to exploit CVE-2010-3333 which is a buffer overflow in word RTF files...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...0-1024x447.png

    23 June 2016: TRANSFER STATEMENT.doc - Current Virus total detections 15/55*
    .. where it is described as CVE-2010-3333[1] exploit which was fixed by Microsoft in 2010/2011...
    Update: The download site is http ://www.akkoprint .ro/wp-content/uploads/2016/06/office.exe (VirusTotal 43/55**)
    Payload Security*** ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1466692832/

    1] https://web.nvd.nist.gov/view/vuln/d...=CVE-2010-3333
    Last revised: 09/21/2011

    ** https://www.virustotal.com/en/file/1...is/1466711510/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    111.90.144.71

    akkoprint .ro: 5.2.228.65: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/0c...abbb/analysis/

    Last edited by AplusWebMaster; 2016-06-24 at 01:53.
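The posts above (#992 and #993) publish their indicators defanged, with a space before the TLD and "http ://", and they name a C2 path (/upload/_dispatch.php) and recommended blocklists. The following is an added example, not code from the quoted blogs or from this thread's author: it refangs the posted indicators, builds a blocklist (optionally widened to /24s, as the later #995 post suggests), and runs a few constructed proxy-log lines through it. The log line format and the benign hosts in the sample log are made up for the example; the indicators are copied from the posts.

```python
"""Refang the IoCs posted in #992/#993 and check proxy log lines against them.
Added example for this thread page; the log format below is constructed."""
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the #992/#993 posts exactly as the blogs defang them
# (a space before the TLD, 'http ://') so that they are not clickable.
POSTED_IOCS = """
bptec .ir/kvk9leho
promoresults .com.au/gx4al
boranwebshop .nl/ggc7ld
easysupport .us/fl85xie
http ://www.akkoprint .ro/wp-content/uploads/2016/06/office.exe
Recommended blocklist:
51.254.240.48
91.219.29.41
217.12.223.88
195.123.209.227
93.170.169.188
"""

# Path the #993 post reports the Locky binary using on its C2 servers
C2_PATH = "/upload/_dispatch.php"


def refang(line: str) -> str:
    """Undo the defanging: 'http ://' -> 'http://', 'example .com' -> 'example.com'."""
    line = line.strip()
    line = re.sub(r"\s+://", "://", line)
    return re.sub(r"\s+\.(?=[A-Za-z])", ".", line)


def parse_iocs(text: str):
    """Split posted text into a set of IP strings and a set of download URLs."""
    ips, urls = set(), set()
    for raw in text.splitlines():
        line = refang(raw)
        if not line:
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))
            continue
        except ValueError:
            pass  # not an IP, try the URL shape below
        if re.fullmatch(r"(https?://)?[a-z0-9.-]+\.[a-z]{2,}/\S+", line, re.I):
            urls.add(line if "://" in line else "http://" + line)
    return ips, urls


def blocklist_networks(ips, prefix: int = 32):
    """Turn IPs into networks; prefix=24 follows the 'block /24s' suggestion
    in #995. Widening is a policy choice, so it is left as a parameter."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}


def match_log(lines, ips, urls, prefix: int = 32):
    """Return (src, url, reasons) for each log line that touches an indicator.
    Constructed line format: <epoch> <src_ip> <method> <url> <dst_ip>."""
    nets = blocklist_networks(ips, prefix)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, src, _method, url, dst = fields[:5]
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        reasons = []
        if any(dst_ip in net for net in nets):
            reasons.append("destination on C2 blocklist")
        if url in urls:
            reasons.append("known Locky downloader URL")
        if urlparse(url).path == C2_PATH:
            reasons.append("Locky C2 path")
        if reasons:
            hits.append((src, url, reasons))
    return hits


# Constructed log lines (not real traffic). 160.153.73.196 is the contacted
# host from #993; the last line is a made-up benign internal request.
SAMPLE_LOG = [
    "1466674224 10.0.0.15 GET http://bptec.ir/kvk9leho 160.153.73.196",
    "1466674230 10.0.0.15 POST http://51.254.240.48/upload/_dispatch.php 51.254.240.48",
    "1466674240 10.0.0.22 POST http://217.12.223.90/upload/_dispatch.php 217.12.223.90",
    "1466674300 10.0.0.31 GET http://intranet.example/index.html 10.0.0.5",
]

if __name__ == "__main__":
    ips, urls = parse_iocs(POSTED_IOCS)
    for src, url, why in match_log(SAMPLE_LOG, ips, urls, prefix=24):
        print(f"{src} -> {url}: {', '.join(why)}")
```

With prefix=32 the third line is caught only by the C2 path; with prefix=24 it is also caught by the widened ITL range, which is the trade-off the "block /24s" remark is about.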

  4. #994
    Adviser Team AplusWebMaster

    Ransomware epidemic, SCAM emails

    FYI...

    Ransomware epidemic - 2014-2016
    - https://securelist.com/analysis/publ...-in-2014-2016/
    June 22, 2016 - "... Main findings:
    • The total number of users who encountered ransomware between April 2015 and March 2016 rose by 17.7% compared to the previous 12 months (April 2014 to March 2015) – from 1,967,784 to 2,315,931 users around the world;
    • The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware rose 0.7 percentage points, from 3.63% in 2014-2015 to 4.34% in 2015-2016;
    • Among those who encountered ransomware, the proportion who encountered cryptors rose dramatically – up 25 percentage points, from 6.6% in 2014-2015 to 31.6% in 2015-2016;
    • The number of users attacked with cryptors rose 5.5 times, from 131,111 in 2014-2015 to 718,536 in 2015-2016;
    • The number of users attacked with Win-lockers decreased 13.03%, from 1,836,673 in 2014-2015 to 1,597,395 in 2015-2016..."
    > https://noransom.kaspersky.com/

    > https://www.helpnetsecurity.com/2016...-700000-users/
    June 24, 2016 - "... increase in encryption ransomware attacks, with 718,536 users hit between April 2015 and March 2016. This is an increase of 5.5 times compared to the same period in 2014-2015, showing that crypto-ransomware has become an epidemic..."
    ___

    Piracy extortion SCAM emails
    - https://torrentfreak.com/piracy-phis...ribers-160624/
    Jun 24, 2016 - "... TorrentFreak was alerted to a takedown notice Lionsgate purportedly sent to a Cox subscriber, for allegedly downloading a pirated copy of the movie Allegiant. Under threat of a lawsuit, the subscriber was asked to pay a $150 settlement fee. This request is unique as neither Lionsgate nor its tracking company IP-Echelon are known to engage in this practice. When we contacted IP-Echelon about Lionsgate’s supposed settlement offer, we heard to our surprise that these emails are part of a large phishing scam, which has at least one large ISP fooled. 'The notices are fake and not sent by us. It’s a phishing scam', IP-Echelon informed TorrentFreak. For a phishing scam the -fake- DMCA notice does its job well. At first sight the email appears to be legit, and for Cox Communications it was real enough to forward it to their customers... In response, a Cox representative confirmed that the email is real and explained that it was forwarded by the network security team. Apparently, the -phishing-scam- was good enough to have the security experts fooled. TorrentFreak alerted Cox to the -fake- notices but at the time of writing we have yet to receive a response. Whether any other ISPs have fallen for the same scam is unknown at this point..."

    Last edited by AplusWebMaster; 2016-06-25 at 00:41.

  5. #995
    Adviser Team AplusWebMaster

    Fake 'DOC', 'Requested document' SPAM, Fake 'Barclays security update' – Phish

    FYI...

    Fake 'DOC' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/06/malw...ument4321.html
    27 June 2016 - "This rather terse spam run leads to Locky ransomware and appears to come from the sender's own email account (but doesn't*). The subject is some variation of DOC / Document / document plus a number. There is a ZIP file attached with a name matching the subject; there is no body text.
    * http://blog.dynamoo.com/2011/09/why-...self-spam.html
    Some examples:
    Subject: DOC541887
    Attachment: DOC541887.zip

    Subject: document36168
    Attachment: document36168.zip

    Subject: Document453567810
    Attachment: Document453567810.zip


    Contained within the ZIP file is one of several different .js scripts. Trusted third-party analysis (you know who you are, thank you!) shows download locations at:
    calcoastlogistics .com/09ujnb76v5?yNVICJbit=nFikKFve
    labthanhthanhpg .com/09ujnb76v5?yNVICJbit=nFikKFve
    patmagifts .asia/09ujnb76v5?yNVICJbit=nFikKFve
    shadowbi .com/09ujnb76v5?yNVICJbit=nFikKFve
    www .tmdmagento .com/09ujnb76v5?yNVICJbit=nFikKFve
    Detection rates for the dropped binary are 5/54**. The malware phones home to the following IPs:
    51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
    217.12.223.88 (ITL, Ukraine)
    195.123.209.227 (ITL, Latvia)
    185.82.216.61 (ITL, Bulgaria)
    Recommended blocklist:
    51.254.240.48
    217.12.223.88
    195.123.209.227
    185.82.216.61
    "
    ** https://www.virustotal.com/en/file/3...b8d0/analysis/
    ___

    Fake 'Requested document' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/06/malw...-document.html
    27 June 2016 - "This spam comes from various senders, and leads to Locky ransomware:
    From: Trudy Bonner
    Date: 27 June 2016 at 15:39
    Subject: Requested document
    Dear [redacted],
    The document you requested is attached.
    Best regards
    Trudy Bonner
    Group Director of Strategy


    Attached is a ZIP file containing elements of the recipient's email address, the words "document", "doc" or "scanned" plus a random number. Contained within is a random .js script beginning with 'unpaid'. Trusted external analysis (thank you as ever) shows the scripts downloading... The malware phones home to the following hosts:
    51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
    109.234.35.71 (McHost.ru, Russia)
    185.82.216.61 (ITL, Bulgaria)
    185.146.169.16 (Pavel Poddubniy aka CloudPro, Russia)
    195.123.209.227 (ITL, Latvia)
    217.12.223.88 (ITL, Ukraine)
    217.12.223.89 (ITL, Ukraine)
    Lots of ITL recently... you might want to block /24s here instead of single IPs.
    Recommended blocklist:
    51.254.240.48
    109.234.35.71
    185.82.216.61
    185.146.169.16
    195.123.209.227
    217.12.223.88
    217.12.223.89
    "
    ___

    Fake 'Barclays security update' – Phish
    - https://myonlinesecurity.co.uk/new-b...phishing-scam/
    27 June 2016 - "After the Brexit vote on Thursday, we are starting to see the scammers and phishers using the uncertainty, fear and doubt about the UK and the EU to scam you. The first one today is an email pretending to come from Barclays bank saying New Barclays security update. The original email looks like this:
    From: Barclays Online <Barclays@ bt .co.uk>
    Date: Mon 27/06/2016 08:01
    Subject: New Barclays security update.
    Dear Customer
    Due to security and removal from the EU we have introduce the new look of Barclays Bank security to help maintain our customers profit
    You would be required to re – activate your online banking access to proceed
    Activate Your Online Security
    Thank you for choosing Barclays Bank.(c)2016


    The link behind the activate line goes to http ://whatdoesmybusinessneed .com/wp-admin/hhaa.html and -redirects-
    to another page on the same hacked site http ://whatdoesmybusinessneed .com/wp-admin/auth/b.htm
    where they have a fairly good imitation of a genuine Barclays bank site asking for all the usual personal data, log ins and financial information."

    whatdoesmybusinessneed .com: 104.244.124.101: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/42...4ba4/analysis/

    Last edited by AplusWebMaster; 2016-06-27 at 18:40.

  6. #996
    Adviser Team AplusWebMaster

    Fake 'report', 'Money Certificate' SPAM

    FYI...

    Fake 'report' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/06/malw...ed-report.html
    28 June 2016 - "This spam has a weird problem with its apostrophe and comes with a malicious attachment:
    From: Kris Ruiz
    Date: 28 June 2016 at 10:38
    Subject: report
    Hi info,
    I致e attached the report you asked me to send.
    Regards
    Kris Ruiz
    Head of Finance UKGI Planning


    The details of the sender will vary from message to message. Attached is a ZIP file containing components of the recipient's email address and the words "report" and/or "pdf". Contained within is a malicious .js script file with a name starting with 'swift'. This analysis comes from a trusted third party (thank you again). The script downloads a file... The file is then decrypted (although I don't have a sample yet) and appears to be Locky ransomware. It phones home to the following servers:
    109.234.35.71 (McHost.ru, Russia)
    185.146.169.16 (Pavel Poddubniy aka Cloudpro LLC, Russia)
    193.9.28.254 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
    194.31.59.147 (HostBar, Russia)
    195.123.209.227 (Layer6 Networks, Latvia)
    217.12.223.88 (ITL, Ukraine)
    217.12.223.89 (ITL, Ukraine)
    Recommended blocklist:
    109.234.35.71
    185.146.169.16
    193.9.28.254
    194.31.59.147
    195.123.209.227
    217.12.223.88
    217.12.223.89
    "
    ___

    Fake 'Money Certificate' SPAM - java jacksbot Trojan
    - https://myonlinesecurity.co.uk/new-x...cksbot-trojan/
    28 June 2016 - "An email with the subject of 'New Xpress Money Certificate' pretending to come from xm.ca@ xpressmoney .com with a zip attachment which delivers a java jacksbot Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-1024x536.png

    28 June 2016: New Xpress Money Certificate.zip: Extracts to: New Xpress Money Certificate.jar and a copy of the image in the email. Current Virus total detections 24/55*
    This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1467110905/

    .JAR File: "... runs -if- the [Java] JRE is installed on the computer.."

    Last edited by AplusWebMaster; 2016-06-28 at 19:26.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #997 - AplusWebMaster

    Thumbs down Fake 'Additional Order', 'Financial report' SPAM - Phish-JavaScript Google

    FYI...

    Fake 'Additional Order' SPAM - delivers Java Adwind backdoor Trojan
    - https://myonlinesecurity.co.uk/addit...ckdoor-trojan/
    29 June 2016 - "An email with the subject of 'Additional Order (Additional Items)' pretending to come from Ahmed <Ahmed@ malothgroups .com> with a java .jar which is a variant of Java Adwind Trojan. These are very nasty backdoor Remote Access, password stealers...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...s-1024x668.png

    29 June 2016: PO_70386804.jar - Current Virus total detections 15/56*. Payload Security** shows a contact with a Russian IP number 185.17.1.82 which is fairly well known for malicious activity over the last few weeks although nothing appearing on VirusTotal, until today... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1467176037/

    ** https://www.reverse.it/sample/5dea18...ironmentId=100
    Contacted Hosts
    185.17.1.82: https://www.virustotal.com/en/ip-add...2/information/
    > https://virustotal.com/en/url/f369d5...2e47/analysis/
    ___

    Fake 'Financial report' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/06/malw...rt-i-have.html
    29 June 2016 - "This spam appears to come from various sources, but has a malicious attachment:
    From: Hester Stanley
    Date: 29 June 2016 at 13:25
    Subject: Financial report
    Hello [redacted],
    I have attached the financial report you requested.
    Regards
    Hester Stanley
    Chief Executive Officer


    Attached is a ZIP file containing some version of the recipient's email address, the words "report" or "freport" or "financial" plus a number. This contains a malicious .js file beginning with "swift". Trusted analysis by another party (thank you as ever) gives download locations... The payload is Locky ransomware, phoning home to the following servers:
    93.170.123.219 (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
    149.154.159.125 (EDIS, Germany)
    151.236.17.45 (EDIS, Germany)
    151.236.17.47 (EDIS, Germany)
    194.31.59.147 (Hostbar, Russia)
    I don't currently have a copy of the payload.
    "

    - https://myonlinesecurity.co.uk/conti...d-via-malspam/
    29 June 2016 - "... continual Locky JavaScript downloaders... Today’s are no different so far coming in 2 batches. 1st about a financial report and the second with a totally blank body saying images, photos or pictures. The 1st ones contain a heavily obfuscated JavaScript inside the zip. It has several layers of obfuscation. The alleged senders name matches the name in the body of the email. The job title is also random and can be anything from Sales Director, Account Director or any other position that any company might think of... They all deliver Ransomware versions that encrypt your files and demand money...

    29 June 2016: photo42744.zip: Extracts to: NIKON00061473034407.js - Current Virus total detections 10/54*
    .. MALWR** shows a download from http ://www.cristaleriadominguez .com/8y7gvt65v?utajtJu=UwxvtvuRe which was -renamed- on download to spuMCzFlvvg.exe (VirusTotal 6/53***).

    29 June 2016: rob_report_xls_227699.zip: Extracts to: swift 7c7.js - Current Virus total detections 2/54[4]
    .. MALWR [5] shows a download from http ://www.oemsen.gmxhome .de/sh91u3a which gives an encrypted file that is detected as plain txt or data but gets -converted- by the javascript to ye6WVhz4F2H94WZX.exe (VirusTotal 5/56[6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1467205005/

    ** https://malwr.com/analysis/N2I2MTc2M...NmYWVhMzFiMmM/
    Hosts
    62.42.230.17

    *** https://www.virustotal.com/en/file/2...is/1467202241/

    4] https://www.virustotal.com/en/file/6...is/1467204977/

    5] https://malwr.com/analysis/MzNlNGI4Z...I0ZThlMGUwZTg/
    Hosts
    82.165.62.68

    6] https://www.virustotal.com/en/file/a...is/1467200971/

    cristaleriadominguez .com: 62.42.230.17: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/9e...8743/analysis/

    oemsen.gmxhome .de: 82.165.62.68: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/98...751b/analysis/
    ___

    Phish - via JavaScript Google
    - https://myonlinesecurity.co.uk/phish...me-not-paypal/
    29 June 2016 - "... This one fulfils our worst fears and the entire -phish- is performed on a website that actually is the genuine Google log in page and really makes you believe that you are entering your Google credentials only on the genuine Google page, but in fact you are sending your details to the phisher whilst on the genuine Google site... shortly after publishing this post & reporting the http ://goo .gl/NL4EmV to Google, they -removed- that short URL redirect. However the nwfacilities page is still-active & live and it will be trivial for the phisher to create other short urls on Goo .gl and malspam them out... This is the Genuine Google page that you are on while your browser still has the http ://nwfacilities .top pages & JavaScript still loaded but -hidden- to view completely and performing all the nefarious actions and stealing your information. The only difference between you going to the Google log in page yourself & this one are the words data:text/html, at the start of the url
    > https://myonlinesecurity.co.uk/wp-co...t-1024x791.png
    This only appears to work in Google Chrome because Internet Explorer gives this message and doesn’t know what to do with data:text/html commands in the browser (thankfully). Firefox just gives a blank page until you use the view source option:
    > https://myonlinesecurity.co.uk/wp-co...ogle_phish.png "

    Last edited by AplusWebMaster; 2016-06-30 at 01:51.

  8. #998 - AplusWebMaster

    Thumbs down Fake 'WeTransfer' SPAM, Phish - Blurred Images

    FYI...

    Fake 'WeTransfer' SPAM - delivers Cerber ransomware
    - https://myonlinesecurity.co.uk/wetra...er-ransomware/
    30 June 2016 - "An email with the subject of 'name@ victim domain .tld' has sent you a file via 'WeTransfer' pretending to come from WeTransfer <noreply@ wetransfer .com> with a link to download a zip attachment which downloads Cerber Ransomware. Luckily Cerber doesn’t mass malspam in the same way that Locky does. These Cerber emails tend to be slightly more targeted (spear Phishing) at small business or organisations where IT might not be such a high priority or be so aware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-1024x712.png

    The link behind the download goes to
    https ://www.cubbyusercontent .com/pl/Scanned+Documents.zip/_08fa4c28262f424b970037c786caf840 -not- to any WeTransfer page...
    30 June 2016: Scanned Documents.zip: Extracts to: 3 identical copies of Scan001.js
    Current Virus total detections 1/53*. MALWR** shows a download of Cerber Ransomware from
    http ://69.24.80.121 /Styles/ie7/header.css which is -not- a css file but a -renamed- .exe file
    (VirusTotal 4/53***).. This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1467276692/

    ** https://malwr.com/analysis/MGQ5OTc2N...QwYTUyMmMxZmU/

    *** https://www.virustotal.com/en/file/1...is/1467276011/

    69.24.80.121: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/f1...dbd9/analysis/
    ___

    Phish - with Blurred Images
    - https://isc.sans.edu/diary.html?storyid=21207
    Last Updated: 2016-06-30 - "... seeing a lot of phishing emails that try to steal credentials from victims... this time, the scenario is quite different:
    - The malicious email contains an HTML body with nice logos and texts pretending to be from a renowned company or service provider. There is a link that opens a page with a -fake- document but -blurred- with a popup login page on top of it. The victim is enticed to enter his/her credentials to read the document. I found samples for most of the well-known office documents. Here are some screenshots:
    1] https://isc.sans.edu/diaryimages/images/isc_blurry1.png

    2] https://isc.sans.edu/diaryimages/images/isc_blurry2.png

    3] https://isc.sans.edu/diaryimages/images/isc_blurry3.png

    4] https://isc.sans.edu/diaryimages/images/isc_blurry4.png
    The strange fact is that it is -not- clear which credentials are targeted: Google, Microsoft or corporate accounts? The success of an efficient phishing is to take the victim by the hand and "force" him/her to -disclose- what we are expecting. So, nothing fancy behind this kind of phishing but it’s always interesting to perform further investigations and, for one of them, it was a good idea. Everybody makes mistakes and attackers too! The phishing page was hosted on a Brazilian website. Usually, such material is hosted on a -compromised- CMS like, not mentioning names but Wordpress, Joomla or Drupal. The Apache server had the feature 'directory indexing' enabled making all the files publicly available and, amongst the .php and .js files, a zip archive containing the "package" used by the attackers to build the phishing campaign. It was too tempting to have a look at it. The “blurred” effect was implemented in a very easy way: the -fake- document is a low-resolution screenshot displayed with a higher resolution. Like this:
    > https://isc.sans.edu/diaryimages/images/blurred.jpg
    ... the presence of a JavaScript function to validate the victim’s email address but also to check the TLD. Is it a targeted attack? The presence of .mil, .edu or .gov is interesting while .com included all major -free- email providers... Then, an HTTP -redirect- is performed to a second page: "phone.html" which mimics a Google authentication page and asks for the user phone number. Here again, POST data are processed via "phone.php" which sends a second email with the victim's phone number. Emails are sent to two addresses (not disclosed here):
    One @gmail .com account
    One @inbox .ru account ..."
    AVOID and DELETE.

    Last edited by AplusWebMaster; 2016-06-30 at 18:11.

  9. #999 - AplusWebMaster

    Thumbs down Fake 'Transactions' SPAM

    FYI...

    Fake 'Transactions' SPAM - Java adwind Trojans
    - https://myonlinesecurity.co.uk/malsp...dwind-trojans/
    1 July 2016 - "We are seeing emails -daily- with a zip attachment containing java jar file which are variants of Java Adwind Trojan(1)... There are 2 different emails that arrived overnight both containing the same Java Adwind Trojan, although both having different subjects, senders and file names. For some reason the image that appears in the -body- of the email is also included in the zip files...
    1) https://securelist.com/blog/research/73660/adwind-faq/

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-1024x660.png

    The Second email looks like:
    From: z.hraahleh@ shift-sg .com <sales@ planetacyber .psi.br>
    Date: Fri 01/07/2016 02:44
    Subject: Transactions for Amendment
    Attachment: PENDING REMITTANCE RECIEPTS FOR APPROVAL.zip extracts to PENDING REMITTANCE RECIEPTS FOR APPROVAL..jar
    kindly find attached listed trasactions for amendment,please do the corrections and send back to us. thanks


    Screenshot: NONE of the email but this logo was in the zip:
    > https://myonlinesecurity.co.uk/wp-co...6/07/logo1.png

    1 July 2016: Confirm Transactions.zip: Extracts to: Transactions on Hold.Reason because beneficiary last name is wrong..jar
    Current Virus total detections 15/56*. MALWR** shows the usual masses of files created/dropped and entries created on the computer. This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1467206759/

    ** https://malwr.com/analysis/ZGY1N2NkM...NhMzgyYWQ0OTc/
    Hosts
    89.163.154.146: https://www.virustotal.com/en/ip-add...6/information/

    .JAR File: ... runs -if- the [Java] JRE is installed.


  10. #1000 - AplusWebMaster

    Thumbs down Fake 'RE: info' SPAM

    FYI...

    Fake 'RE: info' SPAM - Cerber Ransomware
    - https://myonlinesecurity.co.uk/blank...known-malware/
    2 July 2016 - "A blank email with the subject of 'RE: info' pretending to come from asisianu@ pauleycreative .co.uk with a zip attachment with a jse file... Update: I am assured that it definitely is Cerber Ransomware... One of the emails looks like:
    From: asisianu@ pauleycreative .co.uk
    Date: Sat 02/07/2016 19:40
    Subject: RE: info
    Attachment: info_1218307442.zip


    Body content: Totally blank/empty

    2 July 2016: info_1218307442.zip: Extracts to: 5.jse - Current Virus total detections 2/55*
    .. PayLoad Security** | MALWR*** shows a download from
    http ://adiidiam .top/admin.php?f=1.jpg (which is -not- a jpg but a .exe file)
    (VirusTotal 1/56[4]) (MALWR[5]) (Payload Security[6])... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1467464033/

    ** https://www.reverse.it/sample/a259fb...ironmentId=100
    Contacted Hosts
    202.9.68.138
    52.28.98.176
    31.184.232.*


    *** https://malwr.com/analysis/MjkyNWE0Z...A2M2Y1YTMwMWU/
    Hosts
    202.9.68.138

    4] https://www.virustotal.com/en/file/6...is/1467471194/

    5] https://malwr.com/analysis/OWYyYjhlY...FiNWY2MzJhZTE/

    6] https://www.reverse.it/sample/6df706...ironmentId=100
    Contacted Hosts
    52.58.188.104
    31.184.232.*


    adiidiam .top: 66.225.198.20: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/e7...1a4e/analysis/
    216.170.126.19: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/29...8843/analysis/

    Last edited by AplusWebMaster; 2016-07-03 at 15:36.
