
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1001
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Scanned image' SPAM

    FYI...

    Fake 'Scanned image' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/scann...ivers-locky-2/
    4 July 2016 - "An email with the subject of 'Scanned image' pretending to come from random names at your own email domain or company with a malicious word doc macro attachment delivers Locky Ransomware... The email looks like:
    From: Random names at your own email domain
    Date: Mon 04/07/2016 11:33
    Subject: Scanned image
    Attachment: 04-07-2016_rndnum(4,9)}}.docm
    Image data has been attached to this email.


    4 July 2016: 04-07-2016_rndnum(4,9)}}.docm - Current Virus total detections 6/54*
    .. MALWR** shows a download from http ://clear-sky .tk/nb4vervge which is Locky Ransomware although not showing in the sandbox analysis. This means that once again the Locky gang have upped the stakes and changed their anti-analysis/ anti-sandbox protections to make it more difficult to detect and protect against (VirusTotal 3/53***).. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1467628388/

    ** https://malwr.com/analysis/ZTJmMTIwO...I0NmRlNjAxOTY/
    Hosts
    213.239.227.58: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/25...1d09/analysis/

    *** https://www.virustotal.com/en/file/0...is/1467627485/

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #1002 AplusWebMaster

    Fake 'Rechnung', 'Scanned image' SPAM, Fake 'Quick cash' fraud SCAM/PHISH

    FYI...

    Fake 'Rechnung' SPAM - downloads Locky
    - https://myonlinesecurity.co.uk/rechn...ky-ransomware/
    5 July 2016 - "An email partly in German and partly in English pretending to be a-mobile-phone-bill with the subject of 'Rechnung 2016-93910' [random numbered] pretending to come from mpsmobile GmbH <info@ mpsmobile .de> with a zip attachment which downloads Locky ransomware... One of the emails looks like:
    From: mpsmobile GmbH <info@mpsmobile .de>
    Date: Tue 05/07/2016 10:45
    Subject: Rechnung 2016-93910
    Attachment: 52751_Rechnung_2016-93910_20160705.zip
    [German body, translated:] Dear Sir or Madam, attached you will receive the document 'Rechnung 2016-93910' in PDF format. The PDF Reader is required to view and print it. You can install the current version free of charge from the Internet. Kind regards, mpsmobile Team ...
    [The email's own English version:] Dear Ladies and Gentlemen, please find attached document 'Rechnung 2016-93910' im PDF-Format. To view and print these forms, you need the PDF Reader, which can be downloaded on the Internet free of charge. Best regards mpsmobile GmbH ...


    5 July 2016: 52751_Rechnung_2016-93910_20160705.zip: Extracts to: 63227_2016-53001_20160705.js
    Current Virus total detections 23/56*. Payload Security** | MALWR*** was unable to find anything but manual analysis shows a download from http ://brewinbooks .com/98uhnvcx4x (VirusTotal 3/53[4]) which looks like Locky Ransomware but MALWR[5] doesn’t show any activity which is probably due to anti-sandbox protection in the file. Other download locations so far found include:
    http ://brazilmart .com/98uhnvcx4x
    http ://brewinbooks .com/98uhnvcx4x
    http ://thecorporate .gift/98uhnvcx4x
    http ://lojaeberlin .com/98uhnvcx4x
    http ://topbag .com.au/98uhnvcx4x
    http ://hangusaxachtay .com/98uhnvcx4x
    http ://flyingcarts .com/98uhnvcx4x
    http ://imbagscanta .com/98uhnvcx4x
    http ://foxprint .ro/98uhnvcx4x
    This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1441173827/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    79.170.44.88
    185.106.122.46
    185.106.122.38
    192.42.116.41
    5.196.70.240


    *** https://malwr.com/analysis/MTViYTEyZ...E3N2I4MTczNjQ/

    4] https://www.virustotal.com/en/file/f...is/1467711259/

    5] https://malwr.com/analysis/MTczYmY2M...MyZGZkNjkyYmI/
    ___

    Fake 'Scanned image' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/07/malw...-leads-to.html
    5 July 2016 - "This -fake- document scan appears to come from within the victim's own domain but has a malicious attachment.
    From: administrator8991@ victimdomain .com
    Date: 5 July 2016 at 12:47
    Subject: Scanned image
    Image data has been attached to this email.


    Possibly due to an error in setting up the spam run, there is an attachment named 05-07-2016_rndnum(4,9)}}.docm which contains a malicious macro. We haven't seen much in the way of Word-based malware recently. The two samples I received have VirusTotal detection rates of 5/52* and 6/52**. The Malwr analysis for those samples [1] [2] shows the macro downloading a binary from:
    leafyrushy .com/98uhnvcx4x
    sgi-shipping .com/98uhnvcx4x
    There will be a lot more locations too. This drops a binary with a detection rate of 5/55[3] which appears to be Locky ransomware. Hybrid Analysis[4] shows it phoning home to:
    185.106.122.38 (Host Sailor, Romania / UAE)
    185.106.122.46 (Host Sailor, Romania / UAE)
    185.129.148.6 (MWTV, Latvia)
    Host Sailor is a notoriously Black Hat web host, MWTV has its problems too. The payload appears to be Locky ransomware.
    Recommended blocklist:
    185.106.122.0/24
    185.129.148.0/24
    "
    * https://virustotal.com/en/file/26202...is/1467721871/

    ** https://virustotal.com/en/file/34c92...is/1467721877/

    1] https://malwr.com/analysis/ZTNkYzVmM...NkZWYzZDliYTM/
    Hosts
    209.222.76.2

    2] https://malwr.com/analysis/Y2RlMTJlY...lmMWMwZGJjYjk/
    Hosts
    160.153.74.199

    3] https://virustotal.com/en/file/2a92e...34f0/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.106.122.38
    185.106.122.46
    185.129.148.6

    ___

    Fake 'Quick cash' fraud SCAM/PHISH
    - https://myonlinesecurity.co.uk/fake-...s-fraud-scams/
    5 July 2016 - "... Instead of the usual spam emails, we are seeing loads of -fake- invoices, all with links to various companies that pass through or redirect the user to
    http ://www.quickcashsystem .biz/?offerID=1062&p=10274a38b6a0b47645075132d8d48c (They are probably affiliate references so the scummy scammers can pay the evil fraudsters who send victims to them). The reference number is different, depending on the “victim’s IP number”. I visited via different proxies and got a different reference number each visit... This all starts off with an email like one of these:
    This first one pretends to be an Account Balance Warning from an unnamed bank. All the links go to
    http ://beckham7 .com/lists/link.php?M=28914&N=33&L=18&F=H where you are -redirected- (eventually) to
    http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e where a video immediately starts playing, showing you a big mansion, expensive cars and the chance to make $$$$$.

    Screenshot: https://myonlinesecurity.co.uk/wp-co...7-1024x733.png

    This one pretends to be an electronics invoice and at a first quick glance, you could quite easily mistake it for an Ebay invoice and follow the links to see what on earth has happened, because you don’t remember ordering anything. This one leads to http ://a2cd .com/lists/link.php?M=29114&N=33&L=18&F=H which -redirects- to
    http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e :
    > https://myonlinesecurity.co.uk/wp-co...1-1024x608.png
    This 3rd example is so generic that almost anyone receiving it would click through to see what or how this mistake could have been made. This goes to
    http ://steps123 .com/lists/link.php?M=29215&N=41&L=20&F=H and -redirects- to
    http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e :
    > https://myonlinesecurity.co.uk/wp-co...3-1024x580.png
    You eventually end up on this page, whichever link you follow to start with:
    > https://myonlinesecurity.co.uk/wp-co...h-1024x644.png
    If you look at the small print at the very bottom of the page, you just see in very light type a link to disclaimer and privacy:
    > https://myonlinesecurity.co.uk/wp-co...aimer_link.png
    Following the disclaimer link, you get a page that does warn you “The www .quickcashsystem .biz sales video is fictitious and was produced to portray the potential of the www .quickcashsystem .biz 3rd party signals software. Actors have been used to present this opportunity and it should be viewed for entertainment purposes. We do not guarantee income or success, and example results in the video and anywhere else on this website do not represent an indication of future success or earnings.”

    quickcashsystem .biz: 5.189.129.65: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/67...0189/analysis/

    Last edited by AplusWebMaster; 2016-07-05 at 17:01.
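The two runs quoted above share the same giveaways: a macro-enabled .docm, a .zip that unpacks to a .js, and an attachment name still carrying the spammer's unexpanded template token "rndnum(4,9)}}". Here is an added example of a mail-gateway triage check for exactly those signs. It is not code from the original posts or the blogs they quote; the two sample messages inside it are constructed, and the sender address "administrator8991@victimdomain.example" and the payload bytes are placeholders:

```python
"""Attachment triage for the malspam patterns quoted above.

Added example, not code from the original posts or the blogs they quote.
It parses a raw RFC 822 message with the standard library and flags:
  * macro-enabled Office attachments (.docm/.dotm/.xlsm ...)
  * script or executable attachments (.js/.jse/.vbs/.wsf/.exe ...),
    including ones packed inside a ZIP (the Rechnung .zip -> .js case)
  * names that hide a script behind a document extension (invoice.pdf.js)
  * names carrying unexpanded spam-template tokens such as "rndnum(" or
    "}}" (the 04-07-2016_rndnum(4,9)}}.docm case)
Both sample messages below are constructed for this example.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}
DOC_EXT = {".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".xls", ".xlsx"}
# Tokens a mail-merge template would normally replace before sending.
TEMPLATE_TOKEN = re.compile(r"rndnum\(|\{\{|\}\}")


def name_findings(name):
    """Reasons one attachment filename is suspicious (empty list if none)."""
    reasons = []
    parts = name.lower().rsplit(".", 2)          # "a.pdf.js" -> ["a", "pdf", "js"]
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in MACRO_EXT:
        reasons.append(f"{name}: macro-enabled Office document")
    if ext in SCRIPT_EXT:
        reasons.append(f"{name}: script or executable")
        if len(parts) == 3 and "." + parts[1] in DOC_EXT:
            reasons.append(f"{name}: document extension hides a {ext} file")
    if TEMPLATE_TOKEN.search(name):
        reasons.append(f"{name}: unexpanded template token in filename")
    return reasons


def zip_member_names(data):
    """Filenames inside a ZIP attachment; [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(raw_message):
    """Parse one raw message and return findings for all its attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings += name_findings(name)
        if name.lower().endswith(".zip"):
            for inner in zip_member_names(part.get_payload(decode=True)):
                findings += ["(inside %s) %s" % (name, r) for r in name_findings(inner)]
    return findings


def build_sample(subject, filename, payload):
    """Constructed message in the shape of the quoted spam (not a real capture)."""
    m = EmailMessage()
    m["From"] = "administrator8991@victimdomain.example"   # placeholder sender
    m["To"] = "user@victimdomain.example"
    m["Subject"] = subject
    m.set_content("Image data has been attached to this email.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


def sample_docm():
    return build_sample("Scanned image", "04-07-2016_rndnum(4,9)}}.docm", b"PK\x03\x04 stub")


def sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("63227_2016-53001_20160705.js", "// placeholder, not the real downloader\n")
    return build_sample("Rechnung 2016-93910",
                        "52751_Rechnung_2016-93910_20160705.zip", buf.getvalue())


if __name__ == "__main__":
    for raw in (sample_docm(), sample_zip()):
        for line in triage(raw):
            print(line)
```

Run it on a raw .eml and every finding names the attachment and the reason, so the output can feed a quarantine rule directly; the ZIP step only looks at member names, which is enough for the .zip -> .js trick but not a substitute for detonating the contents.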

  3. #1003 AplusWebMaster

    Fake 'random hex numbers' SPAM, CryptXXX ransomware updated

    FYI...

    Fake 'random hex numbers' SPAM - Locky ransomware
    - http://blog.dynamoo.com/2016/07/malw...xadecimal.html
    6 July 2016 - "I only have a couple of samples of this very minimalist spam, consisting of just a "Subject" with a random hex number (e.g. 90027696CCCC611D) and a matching .DOCM attachment (e.g. 90027696CCCC611D.docm).
    My trusted analysis source (thank you) says that these DOCM files contain a macro (no surprises there) that downloads a binary from the following locations:
    blingberry24 .com/90ujn3b8c3
    danseduchat .com/90ujn3b8c3
    harveyventuresltd .com/90ujn3b8c3
    noveltybella .com/90ujn3b8c3
    www .proxiassistant-ao .com/90ujn3b8c3
    www .sacandolalengua .com/90ujn3b8c3
    The payload is Locky ransomware with a detection rate of 3/52*. The same source says that C2 locations are:
    89.108.84.42 (Agava JSC, Russia)
    148.163.73.29 (GreencloudVPS JSC, Vietnam)
    Agava in particular is a regular source of badness, and I would suggest that you consider blocking the entire 89.108.80.0/20 range, or at least this minimum recommended blocklist:
    89.108.84.42
    148.163.73.29
    "
    * https://www.virustotal.com/en/file/6...a2b6/analysis/
    ___

    CryptXXX ransomware updated
    - https://isc.sans.edu/diary.html?storyid=21229
    2016-07-06 - "When generating exploit kit (EK) traffic earlier today, I noticed a change in post-infection activity on a Windows host infected with CryptXXX ransomware. This happened after an infection caused by Neutrino EK triggered from the pseudoDarkleech campaign:
    Flow chart for Neutrino EK/CryptXXX caused by pseudoDarkleech
    > https://isc.sans.edu/diaryimages/ima...y-image-01.jpg
    This morning, the decryption instructions for CryptXXX ransomware looked different. A closer examination indicates CryptXXX has been updated. As I write this, I haven't found anything online yet describing these recent changes, so this diary takes a quick look at the traffic:
    An infected Windows desktop from earlier today
    > https://isc.sans.edu/diaryimages/ima...-image-02a.jpg
    Details: Today's EK traffic was on 198.71.54.211 using the same domain shadowing technique we've seen before from various campaigns using Neutrino EK... Post-infection traffic was over 91.220.131.147 on TCP port 443 using custom encoding, a method CryptXXX has used since it first appeared earlier this year..."
    (More detail at the isc URL above.)

    198.71.54.211: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/f2...ea55/analysis/

    91.220.131.147: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/04...0571/analysis/

    Last edited by AplusWebMaster; 2016-07-07 at 14:38.
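Both dynamoo.com write-ups quoted above end with a recommended blocklist, one mixing whole /24s with single addresses. An added example, not from the original posts, that compiles those entries with Python's ipaddress module and runs firewall-style log lines through them, so the list gets checked against actual traffic instead of eyeballed. The log lines are constructed: the 10.x source hosts, timestamps and the example.com control destination are made up.

```python
"""Match connection logs against the C2 blocklists quoted above.

Added example, not from the original posts. The entries are the addresses
and ranges the quoted dynamoo.com posts recommend blocking (#1002 and
#1003); the log lines are constructed for this example, with 10.x sources
and one benign destination (example.com's address) as a control.
"""
import ipaddress
import re

BLOCKLIST = [
    "185.106.122.0/24",   # Host Sailor, Locky C2 (Scanned image run)
    "185.129.148.0/24",   # MWTV, Locky C2 (Scanned image run)
    "89.108.84.42",       # Agava JSC, Locky C2 (hex-subject run)
    "148.163.73.29",      # GreencloudVPS, Locky C2 (hex-subject run)
]

# Constructed firewall-style records: one line per outbound connection.
SAMPLE_LOG = """\
2016-07-05T12:51:02Z src=10.1.2.30 dst=185.106.122.38 dport=80
2016-07-05T12:51:09Z src=10.1.2.30 dst=93.184.216.34 dport=443
2016-07-06T09:14:44Z src=10.1.2.77 dst=89.108.84.42 dport=80
2016-07-06T09:15:01Z src=10.1.2.77 dst=185.129.148.6 dport=80
garbage line without the expected fields
"""

LOG_LINE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def compile_blocklist(entries):
    """Turn the mixed IP / CIDR strings into network objects (an IP becomes /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def matched_network(ip, networks):
    """The first blocklist network containing ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in networks:
        if addr in net:
            return net
    return None


def scan_log(text, networks):
    """Return (src, dst, matched network) for every line whose dst is blocklisted."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue                       # unparseable line: skip, don't crash
        net = matched_network(m["dst"], networks)
        if net is not None:
            hits.append((m["src"], m["dst"], str(net)))
    return hits


def hosts_to_isolate(hits):
    """Internal sources that talked to a C2: candidates for containment."""
    return sorted({src for src, _, _ in hits})


if __name__ == "__main__":
    nets = compile_blocklist(BLOCKLIST)
    for src, dst, net in scan_log(SAMPLE_LOG, nets):
        print(f"{src} -> {dst}  (matches {net})")
    print("isolate:", ", ".join(hosts_to_isolate(scan_log(SAMPLE_LOG, nets))))
```

Because the match is done on network objects, widening an entry later (the post suggests 89.108.80.0/20 for Agava) is a one-line change to BLOCKLIST with no change to the matching code.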

  4. #1004 AplusWebMaster

    Fake 'AU Fedcourts' SPAM, Fake updates, Crimeware Shake-up, Cybercrime - UK

    FYI...

    Fake 'AU Fedcourts' SPAM - Malware
    - https://isc.sans.edu/diary.html?storyid=21241
    2016-07-08 - "Earlier today people have started reporting that they have received a subpoena email from the Australian Federal courts:
    > https://isc.sans.edu/diaryimages/images/Capture.PNG
    The email links through to various compromised sites which -redirect- the user to a federalcircuitcourt .net web server. Once on the web server you are expected to enter a number and the captcha shown before a case.js file is downloaded:
    > https://isc.sans.edu/diaryimages/ima...dc-captcha.png
    ... feel free to -block- the domain federalcircuitcourt .net in your web proxies. This is -not- a legitimate domain. The federal circuit court has issued a media release:
    > http://www.federalcircuitcourt.gov.a.../news/mr080716
    'Media Release - Spam Warning...
    If you receive one of these emails:
    Do not click on any of the links as they may contain viruses or malware
    Delete the item from your inbox and Deleted folder...'"

    federalcircuitcourt .net: 192.3.21.105: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/43...9082/analysis/
    104.223.53.210: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/1d...adf1/analysis/
    ___

    Malware masquerades as Firefox update
    - https://www.helpnetsecurity.com/2016...rades-firefox/
    July 8, 2016 - "Click-ad-fraud Kovter malware, packaged as a legitimate Firefox browser update, is being delivered to unsuspecting victims via drive-by-download attacks. Kovter, which also occasionally installs other malware, has been around for a few years now, and has gone through many changes that keep it a current threat:
    > https://www.virustotal.com/en/file/4...827a/analysis/
    'firefox-patch.exe
    Detection ratio: 27/53 ...'
    Users are advised always to be wary of random pop-ups telling them some software needs an update. Most software by now – and popular browsers especially – have in-software mechanisms for downloading and implementing updates. If, for whatever reason, they don’t want to use it, updates should be picked up directly from the vendors’ official websites or from well-reputed download sites..."
    ___

    Crimeware Shake-up ...
    - http://blog.talosintel.com/2016/07/l...nnections.html
    July 7, 2016 - "For a couple of weeks in June the threat landscape was changed. Several high profile threats fell off the scene, causing a shake-up that hadn't been seen before. For a period of three weeks the internet was safer, if only for a short time. Still to date the Angler exploit kit has not returned and the threat outlook appears to be forever changed... Earlier this month a group of individuals were arrested in Russia. The arrest was linked to a Russian-specific piece of malware named Lurk, a banking trojan that was specifically targeting Russian banks. Due to the malware being restricted to Russia there wasn't a lot of public information regarding the threat itself... The Necurs botnet is back online and delivering both Locky & Dridex. It was down for approximately three weeks, but its resurgence shows that again these threats are making far too much money to -not- be resilient. In time it's likely all of the major threats that we've seen be hindered or disappear will return:
    > https://3.bp.blogspot.com/-bEajbYmyI...eline_blog.png
    ... There is no way to say for certain that all of these threats are connected, but there is one single registrant account that owned domains attached to all of them. If this one group was running all of these activities this will likely go down as one of the most significant arrests in the history of cybercrime with a criminal organization that was easily earning hundreds of millions of dollars. However, the celebration will be short lived as we've seen in the past, when a group this size is taken down a vacuum is created. All of these threats will come back, in some form or another, and will have learned from the mistakes of their predecessors. The best evidence of this was the author of Blackhole exploit kit being arrested; for a time there was an arms race between exploit kits to see who would take the top spot. That eventually gave rise to Angler, which took the sophistication of exploit kits and drive-by-downloads to a level not seen with Blackhole. We expect the same thing to occur now as Angler and possibly Nuclear leave the threat landscape. Other lesser known kits will likely try to fill the void, which we have already seen with Rig and Neutrino, as well as the new kits that are likely already under development... despite all the variety and different actors making use of these technologies there potentially was a much smaller group responsible for a far larger chunk of the crimeware space than previously estimated..."
    ___

    Cybercrime surpasses traditional crime in UK
    - http://www.darkreading.com/threat-in...d/d-id/1326208
    July 8, 2016 - "Cybercrime is currently outpacing traditional crime in the United Kingdom in terms of impact spurred on by the rapid pace of technology and criminal cyber-capability, according to the UK’s National Crime Agency. The trend suggests the need for a more collective response from government, law enforcement, and industry to reduce vulnerabilities and prevent crime, the NCA report says:
    > http://www.nationalcrimeagency.gov.u...ment-2016/file
    ... The UK’s Office of National Statistics included cybercrime for the first time in its 2015 annual Crime Survey of England and Wales. The survey estimated that there are 2.46 million cyber incidents and 2.11 million victims of cybercrime in the UK last year... The assessment shows that cybercrime activity is growing fast and evolving, with the threats from Distributed Denial of Service (DDoS) and ransomware attacks increasing significantly in 2015. The threats from DDoS and ransomware attacks have increased, driven by ready access to easy to-use tools and by wider criminal understanding of its potential for profit through extortion. Ransomware attacks have also increased in frequency and complexity, and now include threats to publish victim data online, as well as the permanent encryption of valuable data, the assessment states. The most advanced and serious cybercrime threat to the UK is the direct or indirect result of a few hundred international cybercriminals who target UK businesses to commit highly profitable, malware-facilitated fraud... Under-reporting continues to obscure the full impact of cybercrime in the UK. This shortfall in reporting hampers the ability of law enforcement to understand the operating methods of cyber criminals and most effectively respond to the threat. As a result, the NCA is urging businesses to view cybercrime not only as a technical issue but as a board-level responsibility, and to make use of the reporting paths available to them, sharing intelligence with law enforcement and each other... most security tools have been reversed-engineered and bypassed by cybercriminal crews. So the emphasis should be on intrusion suppression, where security professionals decrease the dwell time the adversaries have to freely roam their organizations networks..."

    Fraud News:
    - http://www.actionfraud.police.uk/news

    Last edited by AplusWebMaster; 2016-07-10 at 16:20.

  5. #1005 AplusWebMaster

    Fake 'bill enclosed', 'excel file' SPAM, State cyberattacks, ProcessExplorer

    FYI...

    Fake 'bill enclosed' SPAM - malspam word doc
    - https://myonlinesecurity.co.uk/pleas...known-malware/
    12 July 2016 - "An email with the subject of 'Re: senders name' pretending to come from random senders with a malicious word doc attachment is another one from the current bot runs... There are a multitude of single line body content with this malspam run. Some of the ones I have seen so far include:
    Please find the bill enclosed with this msg. The Payment will be posted in 1 hours.
    Please check the IOU attached to this email. The Transfer should appear in 40 minutes.
    Check the report enclosed with this msg. The Transaction will be posted in 15 minutes
    Find the voucher enclosed with this msg. The Funds will be posted in 5 days
    Find the voucher enclosed with this email. The Transfer should appear within 6 hours
    Find the invoice attached to this message. The Funds will be posted in 4 days
    Please check the report attached to this msg. The Funds will be posted in 5 days
    Check the check attached to this email. The Transaction should appear in 3 days
    Find the bill enclosed with this msg. The Payment will be posted in 5 days

    One of the emails looks like:
    From: Lacey Jefferson <kithuat4@ centec .vn>
    Date: Tue 12/07/2016 06:34
    Subject: Re:Lacey Jefferson
    Attachment: MF1H6N-Lacey Jefferson.dotm
    Please find the bill enclosed with this msg. The Payment will be posted in 1 hours.


    12 July 2016: MF1H6N-Lacey Jefferson.dotm - Current Virus total detections 3/55*
    .. MALWR** crashes every time. Hybrid Analysis*** also doesn’t show or give any download or dropped files.
    Manual attempts using LibreOffice also crash LibreOffice, so it is possible that either the macro is malformed and not running properly, or a new anti-analysis protection or a 0-day is being used.
    - Update: Manual analysis by one of the analysts on Twitter[4] (thanks) has discovered this download
    bring-me .in/su.jpg which is a jpg containing steganographically embedded malware. We are still waiting for fuller analysis to extract the malware from the jpg file. This is normally done by the macro inside the word doc.
    - Further Update: to decode the jpg and get the Dridex banking Trojan, use offset 0x13CC, XOR: 0x68
    The jpg looks like this screenshot:
    > https://myonlinesecurity.co.uk/wp-co...g_me_in_su.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1468303224/

    ** https://malwr.com/analysis/YTRhZWQ1Y...k3Yjk1ZWZmMTg/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100

    4] https://twitter.com/malwrhunterteam/...57247642566656

    bring-me .in: 213.186.33.18: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/a8...fdaa/analysis/
    ___

    Fake 'excel file' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/07/malw...xcel-file.html
    12 July 2016 - "This -fake- financial spam leads to Locky ransomware:
    From: Benita Clayton
    Date: 12 July 2016 at 15:04
    Subject: Fw:
    hi [redacted],
    Here's that excel file (latest invoices) that you wanted.
    Best regards,
    Benita Clayton
    Vice President US Risk Management


    Sender details vary from message to message. Attached is a ZIP file containing part of the recipient's email address plus some other elements, within which is a malicious. js script beginning with -SWIFT-. Trusted external analysis (thank you again) shows the scripts download an obfuscated binary... Locky then phones home to one of the following locations:
    5.196.189.37 (Just Hosting, Russia / OVH, Ireland)
    77.222.54.202 (SpaceWeb CJSC, Russia)
    109.234.34.146 (McHost.Ru, Russia)
    192.71.249.220 (EDIS, Sweden)
    Recommended blocklist:
    5.196.189.37
    77.222.54.202
    109.234.34.0/24
    192.71.249.220
    "
    ___

    Google notifies users of 4,000 state-sponsored cyber attacks per month ...
    - http://www.reuters.com/article/us-go...-idUSKCN0ZR2IU
    Jul 12, 2016 - "A senior executive of Alphabet Inc's Google unit said on Monday that the company was notifying customers of 4,000 state-sponsored cyber attacks per month... Google senior vice president and Alphabet board member Diane Greene mentioned the figure... The internet search leader, which develops the Android mobile system and also offers email and a range of other applications for consumers, has led the way in notifying users of government spying. Others, including Microsoft Corp, have since followed suit. Google had previously said that it had been issuing tens of thousands of warnings every few months and that customers often upgraded their security in response."
    ___

    Using Process Explorer to detect malware
    - https://isc.sans.edu/forums/diary/Pr...rusTotal/19931
    "Did you know you can have all EXEs of running processes scanned with VirusTotal?...
    Enable VirusTotal checks... And accept the VirusTotal terms...
    (... by default Process Explorer only submits hashes to VirusTotal, not files, unless you explicitly instruct it to submit a file)
    ... now you can see the VirusTotal scores..."
    (More detail at the isc URL above.)
    ___

    Akamai - Network Traffic Overview
    > https://www.akamai.com/us/en/solutio...eb-monitor.jsp
    July 12, 2016 09:10:28 PM GMT - "44% above normal..."

    Last edited by AplusWebMaster; 2016-07-13 at 00:26.
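The Dridex post above gives only two bare facts about the steganographic JPG: the payload starts at offset 0x13CC and is XOR'd with 0x68. Added example, not the quoted blog's code, of carving that kind of payload, plus the two fallbacks an analyst reaches for when one of those numbers is missing: recovering a single-byte key from the expected MZ header, and scanning for the offset. The JPG it operates on is constructed inline (JFIF header, padding, a fake PE stub XOR'd in); it is not the real su.jpg, and the stub is not a real binary.

```python
"""Carve a single-byte-XOR'd payload out of a JPEG at a known offset.

Added example, not the quoted blog's code. The post above gives only two
facts about bring-me.in/su.jpg: the hidden Dridex binary starts at offset
0x13CC and is XOR'd with 0x68. This script takes those as parameters and
also shows the two things an analyst does when they are unknown: recover
the key by assuming the payload starts with an MZ header, and scan for the
offset. The JPEG here is constructed: a JFIF header, padding to the offset,
then a fake PE stub XOR'd in. It is not the real sample.
"""
import struct

OFFSET = 0x13CC   # from the quoted analysis
KEY = 0x68        # from the quoted analysis

# Constructed stand-in for a PE file: MZ header, e_lfanew = 0x40, PE signature.
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 56 + struct.pack("<I", 0x40)
           + b"PE\x00\x00" + b"constructed stub, not a real binary")


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """Cheap sanity check: MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve(blob, offset, key, length=None):
    """Decode the payload at offset (all remaining bytes if length is None)."""
    end = None if length is None else offset + length
    return xor_bytes(blob[offset:end], key)


def guess_key(blob, offset, magic=b"MZ"):
    """Single-byte key that turns the bytes at offset into `magic`, if one exists."""
    head = blob[offset:offset + len(magic)]
    if len(head) < len(magic):
        return None
    keys = {head[i] ^ magic[i] for i in range(len(magic))}
    return keys.pop() if len(keys) == 1 else None


def find_payload(blob, key):
    """First offset where XOR-decoding yields a plausible PE, else None."""
    needle = xor_bytes(b"MZ", key)
    i = blob.find(needle)
    while i != -1:
        if looks_like_pe(xor_bytes(blob[i:i + 0x200], key)):
            return i
        i = blob.find(needle, i + 1)
    return None


def build_sample_jpeg(offset=OFFSET, key=KEY):
    """Constructed carrier: JFIF header, zero padding, XOR'd stub, EOI marker."""
    header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    return header + b"\x00" * (offset - len(header)) + xor_bytes(FAKE_PE, key) + b"\xff\xd9"


if __name__ == "__main__":
    jpg = build_sample_jpeg()
    print("key  :", hex(guess_key(jpg, OFFSET)))
    print("start:", hex(find_payload(jpg, KEY)))
    print("PE?  :", looks_like_pe(carve(jpg, OFFSET, KEY)))
```

On a real capture you would read the file, call carve() with the published offset and key, and write the result to disk for a sandbox or disassembler; looks_like_pe() only checks the two header signatures, so treat it as a plausibility filter, not proof that the carve is complete.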

  6. #1006 AplusWebMaster

    Fake ransomware SCAM

    FYI...

    Fake ransomware SCAM, malware just deletes victims’ files
    Tagged as 'Ranscam', Powershell and script-based malware is a botched smash-and-grab
    - http://arstechnica.com/security/2016...victims-files/
    Jul 12, 2016 - "... 'Ranscam' is a purely amateur attempt to cash in on the cryptoransomware trend that demands payment for 'encrypted' files that were actually just plain -deleted- by a batch command. 'Once it executes it, it pops up a ransom message looking like any other ransomware', Earl Carter, security research engineer at Cisco Talos, told Ars. 'But then what happens is it forces a reboot, and it just deletes-all-the-files. It doesn't try to encrypt anything — it just -deletes- them all'. Talos discovered* the file on the systems of a small number of customers. In every case, the malware presented exactly the same message, including the same Bitcoin wallet address..."
    * http://blog.talosintel.com/2016/07/ranscam.html
    July 11, 2016 - "... The unfortunate reality is, all of the user's files have already been deleted and are unrecoverable by the ransomware author as there is no capability built into Ranscam that actually provides recovery functionality. The author is simply relying on 'smoke and mirrors' in an attempt to convince victims that their files can be recovered in hopes that they will choose to pay the ransom..."


  7. #1007 AplusWebMaster

    Kovter - click-fraud malware, Exploit kits

    FYI...

    Kovter’s persistence methods
    - https://blog.malwarebytes.com/threat...ngling-kovter/
    July 14, 2016 - "Kovter is a click-fraud malware famous for the unconventional tricks used for persistence. It hides malicious modules in PowerShell scripts as well as in registry keys to make detection and analysis difficult... Authors of Kovter put a lot of effort into making their malware stealthy and hard to detect. During the initial assessment of some of the Kovter samples we could notice that it is signed by a valid Comodo certificate (it was stolen, got revoked later)... After the sample gets deployed, Kovter runs PowerShell and installs itself in the system... Observing it via Process Explorer we can find the command passed to PowerShell. Its purpose is to execute code stored in an environment variable (names are random, new on each run)... Conclusion: Thanks to the techniques employed by Kovter, no executable needs to be dropped on the disk - that's why it is known as "fileless". Even the file to which the initial link led does not contain any code to be executed. Instead, it is used just for the flow obfuscation. Running it, in reality, leads to running the code stored in the registry, which is sufficient to unpack and re-run the real payload. The persistence used by this malware is creatively designed and exceptional in comparison to most malware. Not only is it scattered into several layers, but it is also obfuscated at every stage and contains tricks that slow down the analysis process..."
    (More detail at the malwarebytes URL above.)
    ___

    Exploit kits - cyber-crime marketplace
    - http://www.theregister.co.uk/2016/07...t_kit_updates/
    13 Jul 2016 - "Cybercrooks behind the Sundown Exploit Kit are rapidly updating the hacking tool in a bid to exploit a gap in the market created by the demise of the Angler and Nuclear exploit kits. While RIG and Neutrino have been the primary protagonists in the void left by Angler and Nuclear, Sundown is also vying for an increased share in the exploit kit marketplace. Security researchers at Zscaler ThreatLabZ* reckon the miscreants behind Sundown have accelerated the evolution of what started out as a fairly rudimentary exploit kit since the beginning of 2016. The crooks behind Sundown used stolen code from the rival RIG exploit kit for a short time before subsequently knitting together their own code, security researchers at cloud security firm Zscaler ThreatLabZ report. Elements of the latest version of the cybercrime toolkit include an image referencing the self-styled Yugoslavian Business Network – likely a reference to the infamous Russian Business Network cybercrime group... Exploit kits in general are used to booby-trap websites in order to sling malware at visiting surfers through drive-by-download attacks. The tactic relies on exploiting security holes in typically Windows PCs, browser vulnerabilities and (increasingly) Flash flaws."
    * https://www.zscaler.com/blogs/resear...kits-evolution

    Last edited by AplusWebMaster; 2016-07-14 at 23:49.
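A defender-side illustration of the launch pattern the Malwarebytes write-up describes (PowerShell handed code that sits in a randomly named environment variable): this is an added example, not code from the post or from the Malwarebytes analysis, and it runs a heuristic over constructed process-creation records. The record format, field names, variable names and process ids are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Heuristic for the Kovter launch technique described in the post above:
# a PowerShell process whose command line reads code out of an environment
# variable and passes it to Invoke-Expression. The variable name is random
# and changes on each run, so the rule keys on the pattern, not on a name.
# Added example, not from the original post; the log format and the records
# below are constructed for illustration only.

ENV_READ = re.compile(
    r"\$env:[A-Za-z_][A-Za-z0-9_]*"                                # $env:NAME
    r"|\[?(System\.)?Environment\]?::GetEnvironmentVariable\(",    # .NET accessor
    re.IGNORECASE,
)
INVOKE = re.compile(r"\b(iex|Invoke-Expression)\b", re.IGNORECASE)
POWERSHELL_IMAGE = re.compile(r"(^|\\)powershell(\.exe)?$", re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    image: str
    reason: str


def parse_line(line):
    """Parse one constructed 'key=value|key=value' process-creation record."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))


def check_process(fields):
    """Return a Finding when a PowerShell process matches the pattern, else None."""
    image = fields.get("Image", "")
    cmd = fields.get("CommandLine", "")
    if not POWERSHELL_IMAGE.search(image):
        return None
    # Both conditions are required: reading $env: alone is ordinary admin usage.
    if ENV_READ.search(cmd) and INVOKE.search(cmd):
        return Finding(int(fields["ProcessId"]), image,
                       "PowerShell executes code read from an environment variable")
    return None


def scan(log_lines):
    """Run the check over a list of records and return every finding."""
    return [f for f in (check_process(parse_line(l)) for l in log_lines) if f]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample records: three benign, two matching the technique.
SAMPLE_LOG = [
    f"ProcessId=4120|Image={PS}|CommandLine=powershell.exe -NoProfile -Command Get-Service",
    f"ProcessId=4150|Image={PS}|CommandLine=powershell.exe -c Write-Output $env:PATH",
    f"ProcessId=4188|Image={PS}|CommandLine=powershell.exe -c iex $env:qkzvtw",
    f"ProcessId=4233|Image={PS}|CommandLine=powershell.exe -c "
    "iex ([Environment]::GetEnvironmentVariable('rhgpla'))",
    "ProcessId=4301|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c echo $env:qkzvtw",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"pid {finding.pid}: {finding.reason}")
```

The second matching record shows the rule also catching the .NET accessor form, which a rule written against `$env:` alone would miss.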

  8. #1008 - AplusWebMaster

    Ransomware review, EK adopts IE flaw

    FYI...

    Ransomware - Threat Activity Review
    - https://atlas.arbor.net/briefs/index#-811293044
    July 14, 2016 - "... Analysis: Locky ransomware has seen unprecedented distribution attempts over the last week and coupled with the new ability to encrypt systems -without- an internet connection, will likely see successes not previously seen... While casting a wide distribution net and having a well-coded product make for a great potential return on investment, creating less expensive variants can be profitable too. Stampado*, with its low price, could lead to even more individuals attempting to make money with ransomware. While the overall quality of Stampado has yet to be determined, the price tag will potentially lead to substantial purchases and usage. Understanding these new threats in a timely fashion can allow researchers to create mitigations before these new variants see widespread distribution... Currently, there is no magic one stop fix for ransomware threats. However, companies and individuals can thwart ransomware operations by applying system updates in an expedient manner, avoiding macro-enabled documents, avoiding attachments containing JavaScript and by performing routine backups that are maintained offline."
    Source: http://www.inforisktoday.com/researc...ilation-a-9255

    * https://heimdalsecurity.com/blog/sec...mware-on-sale/
    ___

    Neutrino EK adopts IE flaw
    - https://www.fireeye.com/blog/threat-...s_quickly.html
    July 14, 2016 - "A security researcher recently published source code for a working exploit for CVE-2016-0189* and the Neutrino Exploit Kit (EK) quickly adopted it. CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in Microsoft’s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher’s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows. Microsoft patched CVE-2016-0189 in May on Patch Tuesday**. Applying this patch will protect a system from this exploit...."
    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2016-0189
    Last revised: 05/11/2016

    MS16-051: Cumulative Security update for Internet Explorer: May 10, 2016
    ** https://support.microsoft.com/en-us/kb/3155533
    Last Review: 05/10/2016 17:12:00 - Rev: 1.0

    Last edited by AplusWebMaster; 2016-07-16 at 23:11.

  9. #1009 - AplusWebMaster

    Fake 'bank account report', 'Scan**' SPAM, Compromised Joomla sites, 'Insider Threat'

    FYI...

    Fake 'bank account report' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/07/malw...ort-leads.html
    18 July 2016 - "This -fake- financial spam has a malicious attachment:
    From "Boyd Dennis"
    Date Mon, 18 Jul 2016 11:34:11 +0200
    Subject bank account report
    How is it going?
    Thank you very much for responding my email in a very short time. Attached is the
    bank account report. Please look at it again and see if you have any disapproval.
    --Yours faithfully,Boyd DennisHSBC HLDGSPhone: +1 (593) 085-57-81, Fax: +1 (593)
    085-57-41


    The sender name and details vary, although it all follows the same pattern. Attached is a ZIP file containing elements of the recipient's email address and some random digits. Contained within is a .wsf script that downloads a file... I don't have a copy of the payload at present, but it does phone home to:
    77.222.54.202 (SpaceWeb CJSC, Russia)
    91.240.86.221 (JSC Server, Russia)
    176.111.63.51 (United Networks Of Ukraine Ltd , Ukraine)
    209.126.112.14 (MegaHosterNetwork, Ukraine)
    The payload appears to be Locky ransomware.
    Recommended blocklist:
    77.222.54.202
    91.240.86.221
    176.111.63.51
    209.126.112.14
    "

    - https://myonlinesecurity.co.uk/bank-...ky-ransomware/
    18 July 2016 - "... an email with the subject of 'bank account report' pretending to come from random senders with a zip attachment containing a WSF file which downloads Locky Ransomware... One of the emails looks like:
    From: Greta Lowe <Lowe.14640@ swimthebridge .com>
    Date: Mon 18/07/2016 09:58
    Subject: bank account report
    Attachment: rob_22285.zip
    Hi
    Thank you very much for responding my email in a very short time. Attached is the bank account report. Please look at it again and see if you have any disapproval.

    Yours truly,
    Greta Lowe
    BT GROUP
    Phone: +1 (371) 956-22-56, Fax: +1 (371) 956-22-38


    18 July 2016: rob_22285.zip: Extracts to: account_report 883.wsf - Current Virus total detections 3/55*
    .. MALWR** as usual cannot decode or run these JS or WSF files without crashing due to the protections inside them. Payload Security*** shows a download of an encrypted file from my-result .ru/0j1nlpj8 which has to be decrypted by the WSF file to give ypnI2jnqVVbmiz.exe (VirusTotal 3/54[4])... This is another one of the files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1468832454/

    ** https://malwr.com/analysis/MzcwMTAyM...Q2Nzc2Y2IwNjM/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    95.163.18.88

    4] https://www.virustotal.com/en/file/1...is/1468832994/

    my-result .ru: 95.163.18.88: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/05...fa7b/analysis/
    ___

    Fake 'Scan**' SPAM - word macro delivers Locky
    - https://myonlinesecurity.co.uk/sent-...elivers-locky/
    18 July 2016 - "... from THIS earlier Malspam[1] delivering Locky ransomware via WSF files inside a zip we are also seeing a concurrent malspam run using Word Docs with macros. They are very terse and simple emails with a subject of 'Scan******' (random numbers) pretending to come from random senders with a malicious word docm attachment where the attachment name -matches- the subject...
    1] https://myonlinesecurity.co.uk/bank-...ky-ransomware/
    The email looks like:
    From: Lynnette <clearke0303@ vinyl-lps .com>
    Date: Mon 18/07/2016 11:28
    Subject: SCAN0000467
    Attachment: SCAN0000467.docm
    Sent from my Samsung device


    18 July 2016: SCAN0000467.docm - Current Virus total detections 8/52* - Payload Security** shows a download from yifruit .com/54ghnnuo (VirusTotal 3/55***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1468837749/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    211.149.194.192

    *** https://www.virustotal.com/en/file/6...is/1468836377/

    yifruit .com: 211.149.194.192: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/81...caea/analysis/

    - http://blog.dynamoo.com/2016/07/malw...y-samsung.html
    18 July 2016 - "This rather terse spam has a malicious attachment:
    From: Ila
    Date: 18 July 2016 at 13:01
    Subject: scan0000511
    Sent from my Samsung device


    The sender and subject vary, but the subject seems to be in a format similar to the following:
    scan0000511
    SCAN000044
    COPY00002802

    Attached is a .DOCM file with the -same- name as the subject. Analysis by another party (thank you!) shows the macros in the document downloading... The payload is Locky with a detection rate of 4/53*. It phones home to:
    77.222.54.202 (SpaceWeb CJSC, Russia)
    91.240.86.221 (JSC Server, Russia)
    That's a subset of the IPs found here**, so I recommend you block the following IPs:
    77.222.54.202
    91.240.86.221
    176.111.63.51
    209.126.112.14
    "
    * https://www.virustotal.com/en/file/6...c5b3/analysis/

    ** http://blog.dynamoo.com/2016/07/malw...ort-leads.html
    ___

    Compromised Joomla sites are foisting ransomware on visitors
    - https://www.helpnetsecurity.com/2016...es-ransomware/
    July 18, 2016 - "Administrators of WP and Joomla sites would do well to check for specific -fake- analytics code injected into their properties, as a ransomware delivery campaign taking advantage of vulnerable sites has been going strong for over a month now... Sucuri CTO Daniel Cid noted*: '... We recommend checking your logs for requests from 46 .183 .219 .91 – if you find requests similar to the ones in this post, consider your website compromised. At this point you should take steps to remove the malware immediately and prevent reinfection.'"
    * https://blog.sucuri.net/2016/07/new-...mla-sites.html

    46.183.219.91: https://www.virustotal.com/en/ip-add...1/information/

    > https://web.nvd.nist.gov/view/vuln/d...=CVE-2015-8562
    Last revised: 06/28/2016 - "Joomla! 1.5.x, 2.x, and 3.x before 3.4.6... as exploited in the wild in December 2015."
    ___

    'Delilah' – first 'Insider Threat' Trojan
    - http://blogs.gartner.com/avivah-lita...threat-trojan/
    July 14, 2016 - "Criminal recruitment of insiders is becoming an industry now with the release of a new Trojan called “Delilah”. Delilah recruits targeted insiders via social engineering and/or extortion, sometimes using ransomware techniques... Diskin Advanced Technologies (DAT) reports that the bot is delivered to victims via downloads from multiple popular adult and gaming sites... instructions to victims usually involve usage of VPN services, TOR and comprehensive deletion of browser history (probably to remove audit trails). These -bots- still require a high level of human involvement to identify and prioritize individuals who can be -extorted- into operating as insiders at desirable target organizations. Criminals who want to use the bot can also acquire managed social engineering and fraudster services to help them out, in case they lack those specific skills... Organizations should also seek to prevent endpoints from getting infected in the first place by preventing employees from visiting high risk adult and gaming sites using organizational systems... Conclusion: Insider threats are continuing to increase with active recruitment of insiders from organized criminals operating on the dark web. With Trojans like Delilah, organizations should expect insider recruitment to escalate further and more rapidly. This will only add to the volume of insider threats caused by disgruntled employees selling their services on the Dark Web in order to harm their employers."

    Last edited by AplusWebMaster; 2016-07-18 at 18:58.

  10. #1010 - AplusWebMaster

    Fake 'business analysis', 'documents attached' SPAM, Magnitude EK malvertising

    FYI...

    Fake 'business analysis' SPAM - .wsf script / ransomware
    - http://blog.dynamoo.com/2016/07/malw...-detailed.html
    19 July 2016 - "This spam has a malicious attachment. And also mismatched (brackets}.
    From "Lynnette Slater"
    Date Tue, 19 Jul 2016 10:47:09 +0200
    Subject Business Analysis
    Message text
    I attached the detailed business analysis (updated}
    King regards,
    Lynnette Slater
    Briglin Pottery ...


    The message will appear to be "from" different individuals, varying from message to message. However, the main part of the body text is always the same. Attached is a ZIP file containing elements of the recipient's email address and some random letters and numbers. I have been unable to obtain a copy of the attachment at the moment, but it is likely to be Locky ransomware and if I get further details I will post them here.
    UPDATE: My usual trusted source for analysis (thank you) reports that these ZIP files contain a malicious .wsf script which downloads a component... I don't have a decrypted sample of the binary at present, although the C2 locations are reported as:
    77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
    194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
    185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)
    176.111.63.51/upload/_dispatch.php (United Networks of Ukraine, Ltd, Ukraine)
    Recommended blocklist:
    77.222.54.202
    194.1.236.126
    185.117.153.176
    176.111.63.51
    "
    ___

    Fake 'documents attached' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/07/malw...ie-pywell.html
    19 July 2016 - "This spam does not come from Abbey Glass UK, but is instead a simple forgery with a malicious attachment:
    From Natalie Pywell [Natalie.Pywell6@ abbeyglassuk .com]
    Date Tue, 19 Jul 2016 15:27:20 +0530
    Subject Documents
    Dear Customer
    Please find your documents attached.
    If you have any questions please reply by email or contact me on 01443 238787.
    Kind regards
    Natalie Pywell
    **This email has generated from an automated system**
    This email has been sent via the Fusemail mail filtering service provided by Pro-Copy
    Limited


    The sender's email address varies somewhat. Attached is a randomly named ZIP file which contains a malicious .js script. Analysis is pending, but it looks like Locky ransomware and is probably similar to the one found in this spam run*."
    * http://blog.dynamoo.com/2016/07/malw...-detailed.html
    19 July 2016
    ___

    Fake 'Documents from work' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/07/malw...from-work.html
    19 July 2016 - "This rather terse spam appears to come from the victim themselves (but doesn't). It has a malicious attachment.
    From: recipient@ victim .tld
    To: recipient@victim.tld
    Subject: Documents from work.
    Date: 19 July 2016 at 12:20


    There is -no- body text, however there is an attachment named Untitled(1).docm. Analysis by a trusted source (thank you) indicates that the various versions of this attachment download a component... The dropped payload has a detection rate of 3/54* and it phones home to the following locations:
    77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
    194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
    185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)
    That's a subset of the locations found here**. The payload is Locky ransomware.
    Recommended blocklist:
    77.222.54.202
    194.1.236.126
    185.117.153.176
    176.111.63.51
    "
    * https://www.virustotal.com/en/file/0...b0db/analysis/

    ** http://blog.dynamoo.com/2016/07/malw...-detailed.html
    19 July 2016

    77.222.54.202: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/8d...fca9/analysis/
    194.1.236.126: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/d9...138c/analysis/
    185.117.153.176: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/2a...49bd/analysis/
    176.111.63.51: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/cc...b353/analysis/
    ___

    Magnitude EK malvertising not affected by slowdown in EK activity
    - https://blog.malwarebytes.com/cyberc...n-ek-activity/
    July 19, 2016 - "We have been tracking a malvertising campaign distributing the Cerber ransomware linked to the actor behind the Magnitude exploit kit for months. It will pop on one ad network, then onto another and come back again... Despite a global slowdown in exploit kit activity, this particular distribution channel has remained active and strong... One of this attacker's favourite spots has been on torrent or streaming sites but also via monetized URL shorteners that use a pay-per-view/click model when people open up a shortened URL and have to wait for an advert to load before getting to their destination. It is no surprise that more ads – and low quality ones especially – mean the chances of drive-by downloads are dramatically increased... For ad networks to stop this continuing onslaught for good would require no longer accepting risky customers and closing up their platform for arbitrage with unknown buyers. Playing whack-a-mole with crooks wearing many different hats is simply an ineffective solution where malicious ads always end up making it through..."
    (Long list of IOCs at the malwarebytes URL above.)

    Last edited by AplusWebMaster; 2016-07-19 at 19:28.
