
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1021
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'project status report', 'New invoices', 'Confirmation letter' SPAM

    FYI...

    Fake 'project status report' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...ct-status.html
    3 Aug 2016 - "This spam leads to Locky ransomware:
    From: Keri Jarvis [Jarvis.64030@ bac.globalnet .co.uk]
    Date: 2 August 2016 at 22:13
    Subject: report
    Hi,
    I attached the project status report in order to update you about the last meeting
    Best regards,
    Keri Jarvis


    Attached is a randomly named ZIP file containing a malicious .js script beginning with the word "report". This downloads an evil binary... (MANY locations listed)...
    (Thank you to my usual source for this data). The malware phones home to:
    37.139.30.95/php/upload.php (Digital Ocean, Netherlands) [hostname: belyi.myeasy .ru]
    93.170.128.249/php/upload.php (Krek Ltd, Russia)
    93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm .in]
    Recommended blocklist:
    37.139.30.95
    93.170.128.249
    93.170.104.20
    "

    37.139.30.95: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/a6...10fa/analysis/
    93.170.128.249: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/de...a6b6/analysis/
    93.170.104.20: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/8a...537f/analysis/
    ___

    Fake 'New invoices' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...ed-i-send.html
    3 Aug 2016 - "Another day, another Locky ransomware run:
    From: Marian Mcgowan
    Date: 3 August 2016 at 11:15
    Subject: Fw: New invoices
    As you directed, I send the attachment containing the data about the new invoices


    Attached is a randomly-named ZIP file which contains a highly obfuscated .js script which according to this Malwr analysis downloads a binary from..
    blog-aida .cba .pl/2zensi7t
    ..when decrypted it creates a binary with a detection rate of 4/54*. That same Malwr analysis shows it phoning home to:
    93.170.104.20/php/upload.php (Breezle LLC, Netherlands) [hostname: pundik.rus.1vm .in]
    This IP was seen last night** and it seems that there is a concurrent Locky spam run phoning home to:
    185.129.148.19/php/upload.php (MWTV, Latvia)
    89.108.127.160/php/upload.php (Agava, Russia) [hostname: srv1129.commingserv .com]
    Both those IPs are in known-bad-blocks.
    Recommended blocklist:
    93.170.104.20
    185.129.148.0/24
    89.108.127.0/24
    "
    * https://virustotal.com/en/file/dd8d6...is/1470220208/

    ** http://blog.dynamoo.com/2016/08/malw...ct-status.html

    93.170.104.20: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/8a...537f/analysis/

    185.129.148.19: https://www.virustotal.com/en/ip-add...9/information/
    89.108.127.160: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Confirmation letter' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...ter-leads.html
    3 Aug 2016 - "Another -spam- run leading to Locky ransomware..
    From: Mavis Howe [Howe.4267@ croestate .com]
    Date: 3 August 2016 at 13:32
    Subject: Confirmation letter
    Hi [redacted],
    I attached the employment confirmation letter I prepared.
    Please check it before you send it out.
    Best regards
    Mavis Howe


    The name of the sender varies from email to email. The malicious attachment and payload seem very close to the one described here*."
    * http://blog.dynamoo.com/2016/08/malw...ed-i-send.html

    Last edited by AplusWebMaster; 2016-08-03 at 17:11.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1022

    Fake 'business card', 'Sheet/Document/Invoice', 'Please sign' SPAM

    FYI...

    Fake 'business card' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...rd-i-have.html
    4 Aug 2016 - "This spam email has a malicious attachment:
    From: Glenna Johnson
    Date: 4 August 2016 at 10:18
    Subject: Business card
    Hello [redacted],
    I have attached the new business card design.
    Please let me know if you need a change
    King regards,
    Glenna Johnson
    c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7


    Sender names and that long hexadecimal number will vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card"... The payload appears to be Locky ransomware. This Hybrid Analysis* of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:
    escapegasmech .com/048220y5
    goldjinoz .com/0a3tg
    platimunjinoz .ws/13fo8lnl
    regeneratewert .ws/1qvvu9lu
    traveltotre .in/2c4ykij7
    This drops a binary with a detection rate of 8/54**. The earlier Hybrid Analysis report shows it phoning home to:
    31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost .ru]
    185.129.148.19/php/upload.php (MWTV, Latvia)
    91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers .com]
    All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.
    Recommended blocklist:
    31.41.40.0/21
    185.129.148.0/24
    91.219.28.0/22
    "
    * https://www.hybrid-analysis.com/samp...ironmentId=100

    ** https://virustotal.com/en/file/2fea3...is/1470304914/
    ___

    Fake 'Sheet/Document/Invoice' SPAM - .docm leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...-document.html
    4 Aug 2016 - "This malware-laden spam comes with a variety of subjects, for example:
    Emailing: Invoice (79).xls
    Emailing: Sheet (189).doc
    Emailing: Sheet (3352).tiff
    Emailing: Document (79).doc
    Emailing: Invoice (443).doc
    Emailing: Sheet (679).xls
    Emailing: Document (291).pdf

    There is -no- body text. Attached is a .docm file with the same prefix as the subject (e.g. Document (291).pdf.docm) which contains a macro that downloads a malicious component... (Thank you to my usual source for this). The payload is Locky ransomware and the C2 servers are those found here*."
    * http://blog.dynamoo.com/2016/08/malw...rd-i-have.html
    ___

    Fake 'Please sign' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...n-receipt.html
    4 Aug 2016 - "Yet another Locky campaign today..
    From: Erica Hutchinson
    Date: 4 August 2016 at 12:34
    Subject: please sign
    Dear [redacted]
    Please sign the receipt attached for the arrival of new office facilities.
    Best regards,
    Erica Hutchinson


    This drops Locky ransomware through a malicious attachment. It appears to be largely the same as found in this earlier spam run*."
    * http://blog.dynamoo.com/2016/08/malw...rd-i-have.html

    Last edited by AplusWebMaster; 2016-08-04 at 16:08.
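The blocklists quoted from dynamoo in posts #1021 and #1022 above only pay off once they are matched against real traffic. The following is an added example, not code from the blog or from this thread: it loads the recommended single IPs and CIDR ranges exactly as the two posts list them, then scans a handful of constructed proxy-log lines (the log format, the internal 10.0.5.x clients and the 198.51.100.7 / 91.219.31.9 destinations are assumptions) and raises the severity when the destination is also a POST to the /php/upload.php path both posts report the Locky payload phoning home to.

```python
import ipaddress
import re

# Recommended blocklists as quoted in posts #1021 and #1022 (dynamoo, 3 and 4 Aug 2016).
RECOMMENDED_BLOCKLIST = [
    "37.139.30.95",
    "93.170.128.249",
    "93.170.104.20",
    "185.129.148.0/24",
    "89.108.127.0/24",
    "31.41.40.0/21",
    "91.219.28.0/22",
]
# The check-in path the posts report for the Locky binary.
C2_PATH = "/php/upload.php"


def compile_blocklist(entries):
    """Turn mixed single-IP and CIDR strings into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def ip_in_blocklist(ip, networks):
    """True when the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


# Hypothetical proxy-log layout: "<timestamp> <client> <method> <destination> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def scan_proxy_log(lines, networks):
    """One alert per line whose destination is in the blocklist. A POST to the C2 path
    is rated high; any other contact with a listed address is rated medium."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # malformed line: not this scanner's job
        ts, client, method, dst, path, _status = match.groups()
        try:
            hit = ip_in_blocklist(dst, networks)
        except ValueError:
            continue  # destination logged as a hostname, not an IP
        if not hit:
            continue
        severity = "high" if (method == "POST" and path == C2_PATH) else "medium"
        alerts.append({"ts": ts, "client": client, "dst": dst, "path": path, "severity": severity})
    return alerts


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    "2016-08-04T10:31:07Z 10.0.5.23 POST 185.129.148.19 /php/upload.php 200",
    "2016-08-04T10:31:09Z 10.0.5.23 GET 93.170.104.20 /php/upload.php 200",
    "2016-08-04T10:32:00Z 10.0.5.40 GET 198.51.100.7 /index.html 200",
    "2016-08-04T10:33:12Z 10.0.5.77 POST 31.41.46.29 /php/upload.php 404",
    "2016-08-04T10:33:15Z 10.0.5.77 POST 91.219.31.9 /php/upload.php 200",
    "this line is malformed and should be skipped",
    "2016-08-04T10:34:00Z 10.0.5.90 GET cdn.example.net /static/app.js 200",
]

if __name__ == "__main__":
    networks = compile_blocklist(RECOMMENDED_BLOCKLIST)
    for alert in scan_proxy_log(SAMPLE_LOG, networks):
        print(alert)
```

Note that 31.41.46.29 (from the #1022 phone-home list) is caught by the 31.41.40.0/21 range rather than by an exact entry, and that the 404 on that line is still reported: a failed check-in is still evidence of an infected client.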

  3. #1023

    Zeus Panda variant, Fake Apple, Walmart Phish

    FYI...

    Zeus Panda variant targets Brazil - wants to steal everything
    - https://www.helpnetsecurity.com/2016...ls-everything/
    Aug 5, 2016 - "A new Zeus Trojan variant dubbed Panda Banker has been specially crafted to target users of 10 major Brazilian banks, but also other locally popular services. 'Zeus Panda’s Brazilian configuration file has a notable local hue. Aside from including the URLs of major banks in the country, Panda’s operators are also interested in infecting users who access delivery services for a Brazilian supermarket chain, local law enforcement websites, local network security hardware vendors, Boleto payments and a loyalty program specific to Brazil-based commerce', IBM researchers* have found..."
    * https://securityintelligence.com/pan...s-into-brazil/
    Aug 4, 2016

    Top Financial Malware per Attack Volume (Source: IBM Trusteer)
    > https://static.securityintelligence....6_families.png
    ___

    Fake Apple ‘Thank You For Your Order’ Phish
    - http://www.hoax-slayer.net/apple-sto...er-scam-email/
    Aug 5, 2016 - "Email purporting to be from the Apple Store thanks you for your order of an iPhone and notes that you can click a cancel link if you did not make the order... The email is -not- from Apple and it does not reference a real Apple Store order. Instead, it is a phishing scam designed to steal your Apple ID and password, your credit card details, and other personal information:
    > https://i0.wp.com/www.hoax-slayer.ne...der-scam-2.jpg
    According to this email, which purports to be from the Apple Store, your order of an Apple iPhone 5c is about to be dispatched. The email does not contain your shipping and billing address but rather those of a person you do not know. It also includes a ‘cancel order’ link. The email features the Apple logo and is quite professionally presented. However, the email is not from Apple. Instead, it is a phishing scam designed to steal your personal and financial information. When you receive the email, you may mistakenly believe that the person named as the recipient of the iPhone has hijacked your Apple Account and made purchases in your name. Therefore, your first reaction might be to click the ‘cancel’ link in the hope of dealing with the issue. If you do click-the-link, you will be taken to a fraudulent website designed to emulate the genuine Apple website. Once on the -fake- site, you will be asked to ‘login’ with your Apple ID and password. Next, you will be taken to a -bogus- ‘Cancel Order’ form that asks you to provide your credit card details and other personal and financial information. After submitting the requested information, you may be told that you have successfully cancelled the order. But, now, the criminals can steal the information that you supplied and use it to -hijack- your Apple account, commit credit card fraud in your name, and attempt to steal your identity..."
    ___

    Walmart phish ...
    - https://bgr.com/2016/08/05/walmart-p...ry-email-scam/
    Aug 5, 2016 - "Over the past couple of days*, Walmart users have been seeing unsolicited password recovery emails pop up in their inboxes. There’s clearly something 'phishy' going on, but it doesn’t seem to be a simple hack: it’s likely the precursor to an ambitious phishing attack on Walmart .com users... a Walmart spokesperson confirmed that there’s an increase in password recovery emails, but doesn’t think that any accounts have been compromised — yet. Instead, Walmart thinks that a hacker is using Walmart’s password recovery system to prepare for a -future- phishing attack. Walmart’s password recovery system is like most others: input an email address, and it sends a recovery code to that email address. But unlike some others, Walmart’s system confirms or denies whether there’s a Walmart .com account associated with that email... Seeing the groundwork for a phishing attack being laid is worrying, but the steps for customers to remain safe are simple... Walmart’s spokesperson also emphasized that it’s 'very unlikely' that any user accounts have been breached so far, and all customers need to do in the future is remain vigilant. If you’re particularly concerned, you can change the email address and password associated with your Walmart account."
    * https://bgr.com/2016/08/04/walmart-e...assword-reset/
    Aug 4, 2016

    Last edited by AplusWebMaster; 2016-08-05 at 23:40.
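The Walmart item in post #1023 turns on one design detail: the password-recovery form tells the caller whether an account exists for the address, which is what makes bulk requests useful to a phisher. Below is an added example, not code from the article or from Walmart, contrasting that leaky pattern with a hardened handler. The account store, the addresses and the rate-limit policy are all hypothetical; the hardened version returns the same status and message on both paths, does the same work on both paths, only ever mails the code to a real account holder, stores only a hash of the code, and rate-limits by source.

```python
import hashlib
import secrets
import time
from collections import defaultdict

GENERIC_MESSAGE = "If an account exists for that address, a recovery code has been sent."


def fresh_accounts():
    """Constructed account store (hypothetical addresses, not real customer data)."""
    return {
        "alice@example.com": {"recovery_hash": None},
        "bob@example.com": {"recovery_hash": None},
    }


def leaky_recovery(email, accounts, outbox):
    """The pattern the article describes: the reply itself says whether the address
    has an account, so bulk requests can confirm which addresses are customers."""
    if email not in accounts:
        return {"status": 404, "message": "No account found for this email address."}
    code = secrets.token_urlsafe(16)
    accounts[email]["recovery_hash"] = hashlib.sha256(code.encode()).hexdigest()
    outbox.append((email, code))
    return {"status": 200, "message": "A recovery code has been sent."}


class RateLimiter:
    """Sliding-window counter per source key (hypothetical policy: `limit` requests per `window` seconds)."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self.hits = defaultdict(list)

    def allow(self, key):
        now = self.clock()
        recent = [t for t in self.hits[key] if now - t < self.window]
        if len(recent) >= self.limit:
            self.hits[key] = recent
            return False
        recent.append(now)
        self.hits[key] = recent
        return True


def uniform_recovery(email, accounts, outbox, limiter, source):
    """Hardened variant: identical status and message whether or not the account exists,
    the same work on both paths (so timing gives little away), a per-source limit,
    and the recovery code kept server-side only as a hash."""
    if not limiter.allow(source):
        return {"status": 429, "message": "Too many requests; try again later."}
    code = secrets.token_urlsafe(16)            # generated on both paths
    digest = hashlib.sha256(code.encode()).hexdigest()
    record = accounts.get(email)
    if record is not None:
        record["recovery_hash"] = digest
        outbox.append((email, code))            # only the real mailbox owner ever sees the code
    return {"status": 200, "message": GENERIC_MESSAGE}


def responses_differ(handler, known_email, unknown_email):
    """The check: can a caller tell a registered address from an unregistered one?"""
    return handler(known_email) != handler(unknown_email)


def demo():
    accounts, outbox = fresh_accounts(), []
    leaky = lambda e: leaky_recovery(e, accounts, outbox)
    limiter = RateLimiter(limit=5, window=60)
    uniform = lambda e: uniform_recovery(e, accounts, outbox, limiter, "203.0.113.7")
    return {
        "leaky_enumerable": responses_differ(leaky, "alice@example.com", "nobody@example.com"),
        "uniform_enumerable": responses_differ(uniform, "alice@example.com", "nobody@example.com"),
    }


if __name__ == "__main__":
    print(demo())  # {'leaky_enumerable': True, 'uniform_enumerable': False}
```

The `responses_differ` check is the one worth wiring into a test suite for any reset, signup or login endpoint: if a known and an unknown address produce different bodies, codes or headers, the endpoint enumerates accounts whatever the error text says.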

  4. #1024

    Fake 'Fraud Policy, Exceeded send Limit' SPAM

    FYI...

    Fake 'Fraud Policy, Exceeded send Limit' SPAM - leads to Java Adwind Trojan
    - https://myonlinesecurity.co.uk/the-p...alspam-emails/
    8 Aug 2016 - "We continue to be plagued daily by fake financial themed emails containing java adwind attachments. I mentioned these HERE*. We have been seeing those emails almost every day and there was nothing to update. Today’s have stepped up a notch with multiple emails, subjects and slightly different subjects and email content to previous ones. There are 2 different Java Adwind versions in these emails...
    * https://myonlinesecurity.co.uk/java-...alspam-emails/
    The first one of the emails looks like:
    From: admin@moneygram .ae
    Date: Mon 08/08/2016 06:20
    Subject: Attention To All Agents (Fraud Policy)
    Attachment: Antifraud-policy.zip ( extracts to 2 identical files Antifraud-Agent-User-manual.jar and Antifraud-policy..jar )
    Dear Agent,
    Please find attached a self-explanatory letter and the Dodd-Frank Compliance,
    Fraud Policy and Procedures which will be in effect from 20th January, 2016.
    Please do not hesitate to revert to us should you require any further information.
    Regards,
    Senzo Dlamini
    Regional Operations Executive
    MoneyGram International ...


    The next example looks like:
    From: XM Accounts & Finance <xm.accounts@ xpressmoney .com>
    Date: Mon 08/08/2016 07:58
    Subject: Exceeded send Limit
    Attachment: Settlement Sheet – Exceeded send Limit.zip ( extracts to Sendout Limit Exceded.jar and index.jpg ( which is a logo image for xpressmoney .com )
    Dear Sir/ Madam,
    It came to our notice that your agent terminal exceeded it’s send limit.
    As a result of this, We want you to verify your transaction report as attached.
    Respond urgently if you feel there is an error during our server computation.
    XM Accounts & Finance
    Xpress Money Services Ltd. | 8th Floor, Al Ameri Building TECOM
    P.O. Box 643996, Sheikh Zayed Road, Dubai, UAE ...


    8 August 2016: Payment_Details_00H675B0017485.jar (119kb) - Current Virus total detections 30/55* Payload Security**

    8 August 2016: Antifraud-Agent-User-manual.jar (235kb) - Current Virus total detections 12/55*** Payload Security[4]

    This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1470633115/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    23.231.23.176: https://www.virustotal.com/en/ip-add...6/information/

    *** https://www.virustotal.com/en/file/8...is/1470633100/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

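Two posts above lean on the same trick: #1022 describes a .docm attachment named after a harmless-looking subject (Document (291).pdf.docm), and #1024 points out that with known file extensions hidden a .jar such as Antifraud-policy..jar reads as an ordinary document. The following is an added example, not code from either blog or from this thread, of the filename checks a mail gateway or triage script can apply to attachments and to the members of a ZIP: an active-content extension, an inert-looking extension stacked in front of it, and a doubled dot. The sample names are the ones quoted in #1022 and #1024 plus one benign control; the extension sets are my own working assumption of what to treat as active.

```python
import os

# Extensions the posts report carrying the payload (.js in #1021/#1022, .docm in #1022,
# .jar in #1024) plus other script/executable types a gateway normally treats the same way.
ACTIVE_EXT = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".docm", ".xlsm", ".pptm",
              ".jar", ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1"}
# Extensions a user reads as inert documents or images; a disguised name borrows one of
# these in front of the real one, e.g. "Document (291).pdf.docm".
INERT_LOOKING_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".tiff", ".tif", ".jpg",
                     ".jpeg", ".png", ".gif", ".txt", ".rtf"}


def split_extensions(filename):
    """Every dot-separated suffix of the name, lowercased and in order.
    'Document (291).pdf.docm' -> ['.pdf', '.docm']; 'Antifraud-policy..jar' -> ['.', '.jar']
    (the bare '.' records an empty piece, i.e. a doubled dot)."""
    pieces = os.path.basename(filename).split(".")
    return ["." + p.lower() for p in pieces[1:]]


def classify_attachment(filename):
    """Return reason codes for a suspicious attachment name; an empty list means no finding."""
    exts = split_extensions(filename)
    if not exts:
        return []
    reasons = []
    final = exts[-1]
    if final in ACTIVE_EXT:
        reasons.append("active_content")
    if len(exts) >= 2 and exts[-2] in INERT_LOOKING_EXT and final in ACTIVE_EXT:
        reasons.append("double_extension")
    if "." in exts[:-1]:
        reasons.append("doubled_dot")
    return reasons


def inspect_archive(member_names):
    """Run the same checks over the members of a ZIP, since the posts describe the payload
    as a script or .jar inside a randomly named archive. Returns only members with findings."""
    results = {name: classify_attachment(name) for name in member_names}
    return {name: reasons for name, reasons in results.items() if reasons}


# Attachment names quoted in posts #1022 and #1024 above, plus one benign control.
SAMPLE_NAMES = [
    "Document (291).pdf.docm",
    "Antifraud-Agent-User-manual.jar",
    "Antifraud-policy..jar",
    "Sendout Limit Exceded.jar",
    "index.jpg",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print("%-36s %s" % (name, classify_attachment(name) or "ok"))
    print(inspect_archive(["Sendout Limit Exceded.jar", "index.jpg"]))
```

The archive check matters because the outer attachment in these runs is a plain .zip, which most policies allow; the decision has to be made on what the ZIP contains, not on its own name.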

  5. #1025

    Fake 'Documents Requested' SPAM, Facebook Scams

    FYI...

    Fake 'Documents Requested' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/anoth...to-ransomware/
    9 Aug 2016 - "An email with the subject of 'FW: Documents Requested' pretending to come from a random name at your own email domain with a malicious word doc attachment is another Locky/zepto ransomware dropper...
    The email looks like:
    From: random name at-your-own-domain
    Date: Tue 09/08/2016 09:50
    Subject: FW: Documents Requested
    Attachment: Untitled(1).docm
    Dear [ your name ] ,
    Please find attached documents as requested.
    Best Regards,
    Lizzie


    9 August 2016: Untitled(1).docm - Current Virus total detections 5/55*.. Payload security** shows a download of the encrypted Locky/zepto binary from www .fliegendergaertner .at/09uh8ny which gets converted to a working .exe file by the malicious macro in the original word doc to give zorgins .exe (VirusTotal 4/55***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1470732585/

    ** https://www.reverse.it/sample/42cb80...ironmentId=100
    Contacted Hosts
    81.19.145.43: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/99...2078/analysis/
    159.203.182.129: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/3f...23e6/analysis/
    185.129.148.19: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/98...60ca/analysis/
    188.166.150.176: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/e2...6e20/analysis/

    *** https://www.virustotal.com/en/file/8...is/1470733027/
    ___

    Facebook Scams ...
    - https://blog.malwarebytes.com/cyberc...hits-facebook/
    Aug 9, 2016 - "... yet another celebrity death hoax. This time, the personality in question is Will Smith’s son, Jaden. Using one of our test accounts, below is a captured screenshot of what this Facebook post would look like if a user sees it in their feed:
    > https://blog.malwarebytes.com/wp-con...-hoax-post.png
    ... (and) iwilltryeverything[DOT]site (pictured below), and clicking any of the five boxes claiming to contain the same news:
    > https://blog.malwarebytes.com/wp-con...el-600x396.png
    Also, clicking anywhere on the page redirects users to ads, which may not be ideal if you’re worried about malvertising. Users are then directed to a goaheadnow[DOT]press page. From here, two things can happen: one, the user may choose to scroll down and check out the video on that page or, two, the user can choose to -share- the -false- news straight away... Choosing to share the news straight away directs users to Facebook’s login page for them to enter their credentials, if they’re not logged in it already. And then, the site asks for the user permission to post on their wall:
    > https://blog.malwarebytes.com/wp-con...016/08/005.png
    ... As more people share and spread such false news, the likelihood of others falling for online threats like scams and malware, or signing up for something they’d regret in the end also increases. If you see the Jaden Smith death “news” in your feed, inform the sharer that it’s a -hoax- and avoid sharing it further."

    iwilltryeverything[DOT]site: 192.138.19.74: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/34...3b86/analysis/

    goaheadnow[DOT]press: 192.138.19.74

    “Five Free Tickets” Facebook Scam
    - http://www.hoax-slayer.net/vue-cinem...facebook-scam/
    Aug 8, 2016 - "Post being shared on Facebook claims that you can click to get 5 free tickets from UK based cinema chain Vue Cinemas. The post is fraudulent. It is not associated with Vue Cinemas and participants will never receive the promised movie tickets. The post is a -scam- designed to trick people into divulging their personal information on suspect survey websites:
    > https://i2.wp.com/www.hoax-slayer.ne...ook-scam-1.jpg
    ... the post has no connection to the UK based cinema chain and those who participate will never receive the promised tickets. The post is designed to trick you into firstly spamming your friends with the same fraudulent giveaway and then submitting your personal information via decidedly dodgy “survey” websites..."
    > https://i1.wp.com/www.hoax-slayer.ne...ook-scam-2.jpg

    Last edited by AplusWebMaster; 2016-08-09 at 22:37.

  6. #1026

    Fake 'Scanned', 'Dear client' SPAM

    FYI...

    Fake 'Scanned' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...canned-by.html
    11 Aug 2016 - "This spam has a malicious attachment:
    From: Ashley [Ashley747@ victimdomail .tld]
    Date: 11 August 2016 at 11:13
    Subject: New Doc 6-6
    Scanned by CamScanner
    Sent from Yahoo Mail on Android


    The sender name and numbers in the subject vary, and it appears to come from within the sender's own domain (this is just a simple forgery). Attached is a malicious Word document with a name similar to New Doc 666-9.docm. A Hybrid Analysis* of one sample shows a download location of fcm-makler .de/4GBrdf6 and my sources (thank you) tell me that there are -many- others, giving the following list:
    151 .ru/4GBrdf6
    antonello.messina .it/4GBrdf6
    fcm-makler .de/4GBrdf6
    iceninegr.web.fc2 .com/4GBrdf6
    mccrarys .us/4GBrdf6
    momoselok .ru/4GBrdf6
    sando.oboroduki .com/4GBrdf6
    www .EastsideAutoSalvage .com/4GBrdf6
    www .fasulo .org/4GBrdf6
    www .halloweenparty.go .ro/4GBrdf6
    www .tommasobovone .com/4GBrdf6
    The malware is Locky ransomware, and it phones home to the following locations:
    185.129.148.19/php/upload.php (MWTV, Latvia)
    195.16.90.23/php/upload.php (WIBO International s.r.o., Ukraine) [hostname: vz1.hostlife .net]
    136.243.237.197/php/upload.php (Hetzner, Germany)
    Recommended blocklist:
    185.129.148.0/24
    195.16.90.23
    136.243.237.197
    "
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    217.119.54.192: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/14...da1f/analysis/
    185.129.148.19: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/85...6e32/analysis/
    195.16.90.23: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/34...9bf5/analysis/
    136.243.237.197: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/b4...2e73/analysis/
    ___

    Fake 'Dear client' SPAM - malicious link
    - https://myonlinesecurity.co.uk/dear-...-word-malspam/
    11 Aug 2016 - "A series of emails saying 'Dear client! We have detected the attempt of transaction from your bank account', coming from random senders with a -link- to a malicious word doc is another one from the current bot runs... Some of the subjects seen include:
    Detected suspicious transaction on your account
    Locked transaction
    Online Banking informs
    Barclays Personal Banking
    Incomplete transaction

    One of the emails looks like:
    From: yvvelez@ gracehill .org
    Date:
    Subject: Detected suspicious transaction on your account
    Attachment ( link ): payment.doc
    Hello!
    Dear client! We have detected the attempt of transaction from your bank
    account. You may find details of the transaction in the
    http ://vividlightingandliving .com.au/bank-info/payment.doc
    Please download this document. If this transaction was yours, please,
    contact us via contacts in the loaded file. If this transaction was not
    yours, notify our safety service shortly. Contacts of the safety service
    may be found in the loaded file. Also, you can contact us through the
    Personal Account of your bank.
    Attention: if you ignore our request, your account will be blocked on
    20.08.2016.


    Alternative download locations from other emails include:
    http ://guestlistalamode .com/bank/payment.doc: 192.185.75.239: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/06...fe50/analysis/
    http ://www.1800cloud .com/infos/report.doc: 65.49.52.99: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/d5...1a04/analysis/
    http ://www.monparfum .it/payments/info.doc: 80.88.88.149: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/14...c39a/analysis/

    11 August 2016: payment.doc - Current Virus total detections 2/53*. MALWR** shows a download from
    http ://88.119.179.160 /1biycuhoqetzowaawneab.exe (VirusTotal 7/53***) MALWR[4]..
    Update: I am informed that it appears to be 'Panda Banker' which is a banking password/credential stealer.
    See Proofpoint[5] and Arbor[6] for more details of this new threat..."
    5] https://www.proofpoint.com/us/threat...its-the-market
    "... Some of the Panda Banker C&C servers use Fast flux DNS, and have numerous IP addresses associated with a single malicious domain, making the malware more resistant to counter-measures..."

    6] https://www.arbornetworks.com/blog/a...eus-zeus-zeus/
    "... Not only is it built on a proven banking malware platform (Zeus), there are already a number of samples and botnets in the wild. In addition, Panda Banker is actively being developed with 9 distinct versions known..."

    * https://www.virustotal.com/en/file/4...is/1470917056/

    ** https://malwr.com/analysis/YWJhYTUxN...M4NGYzZGJiNDU/
    Hosts
    88.119.179.160: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/6a...cf53/analysis/

    *** https://www.virustotal.com/en/file/b...is/1470916592/

    4] https://malwr.com/analysis/NmRlNzAyN...YzOTgwNGE0YzU/
    Hosts
    No hosts contacted.

    vividlightingandliving .com.au: 192.185.37.232: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/cb...3754/analysis/

    Last edited by AplusWebMaster; 2016-08-12 at 00:13.
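The Proofpoint note quoted in post #1026 says some Panda Banker C&C domains use fast-flux DNS, resolving to many addresses so that blocking any one IP achieves little. Below is an added example, not code from Proofpoint, Arbor or this thread, of a simple passive-DNS heuristic for spotting that behaviour: per domain it counts distinct answer IPs and distinct /16 prefixes and tracks the lowest TTL, and flags a domain only when all three signals line up. The observations are constructed (reserved .invalid names and RFC 5737 test addresses), and the thresholds are assumptions to tune against your own resolver logs; the third domain is shaped like a CDN (several IPs, one prefix, short TTL) to show why the prefix test is there.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS observations: (queried domain, answer IP, TTL in seconds).
# Hypothetical names and TEST-NET addresses, not real resolutions.
OBSERVATIONS = [
    ("c2-example.invalid", "192.0.2.10", 60),
    ("c2-example.invalid", "198.51.100.22", 60),
    ("c2-example.invalid", "203.0.113.5", 30),
    ("c2-example.invalid", "192.0.2.77", 60),
    ("c2-example.invalid", "198.51.100.200", 45),
    ("c2-example.invalid", "203.0.113.99", 30),
    ("static-example.invalid", "192.0.2.50", 3600),
    ("static-example.invalid", "192.0.2.50", 3600),
    ("cdn-example.invalid", "198.51.100.1", 20),
    ("cdn-example.invalid", "198.51.100.2", 20),
    ("cdn-example.invalid", "198.51.100.3", 20),
]


def summarize(observations):
    """Per domain: the set of answer IPs, the set of /16 prefixes they fall in, and the lowest TTL seen."""
    per_domain = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None})
    for domain, ip, ttl in observations:
        summary = per_domain[domain]
        summary["ips"].add(ip)
        prefix = ipaddress.ip_network(ip + "/16", strict=False)  # collapse to the /16
        summary["prefixes"].add(str(prefix))
        summary["min_ttl"] = ttl if summary["min_ttl"] is None else min(summary["min_ttl"], ttl)
    return per_domain


def fast_flux_score(summary, min_ips=5, min_prefixes=3, max_ttl=300):
    """Flag domains with many answers spread across several /16s and short TTLs.
    Thresholds are assumptions; a CDN (many IPs in one prefix) fails the prefix test."""
    flagged = {}
    for domain, s in summary.items():
        signals = []
        if len(s["ips"]) >= min_ips:
            signals.append("many_ips")
        if len(s["prefixes"]) >= min_prefixes:
            signals.append("many_prefixes")
        if s["min_ttl"] is not None and s["min_ttl"] <= max_ttl:
            signals.append("low_ttl")
        if {"many_ips", "many_prefixes", "low_ttl"} <= set(signals):
            flagged[domain] = signals
    return flagged


if __name__ == "__main__":
    summary = summarize(OBSERVATIONS)
    for domain, s in summary.items():
        print(domain, len(s["ips"]), "ips", len(s["prefixes"]), "prefixes", "ttl>=", s["min_ttl"])
    print(fast_flux_score(summary))
```

Fast flux is a reason to block or sinkhole the domain rather than chase its addresses; the per-IP lookups posted above still help with attribution but will not keep up with a domain whose answers rotate every minute.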

  7. #1027

    Fake 'Xpress Money Certificate', 'scanner' SPAM, ITunes, Netflix phish

    FYI...

    Fake 'Xpress Money Certificate' SPAM - leads to JAVA Jacksbot
    - https://myonlinesecurity.co.uk/new-x...y-certificate/
    12 Aug 2016 - "An email with the subject of 'New Xpress Money Certificate' pretending to come from akash.kushwah@xpressmoney .com <xm.ca@ xpressmoney .com> with a zip attachment which downloads a JAVA Jacksbot... This is a slight change to the usual java.jar files that are normally attached to these emails. Today’s version has a .exe file which is actually a SFX (self extracting RAR file) which extracts to an identically named .exe file which in turn when run drops the java files and runs them. AV detections call this one a Java Jacksbot rather than the “normal” Java Adwind we have been seeing in this sort of financial malspam.
    One of the emails looks like:
    From: akash.kushwah@ xpressmoney .com <xm.ca@ xpressmoney .com>
    Date: Thu 16/06/2016 11:09
    Subject: New Xpress Money Certificate
    Attachment: New Xpress Money Certificate Signed And Sealed.exe
    Dear Agent,
    We have attached the New Certificate with installation details , Sign the branch seal on the attach authorization for security updates.
    Best regards,
    AKASH KUSHWAH | Xpress Money Operations
    Xpress money services Ltd| P.O. Box 170,
    Tel: +971 2 6580989 |Ex: 371 | Fax: +971 2 989564 ...


    12 August 2016: New Xpress Money Certificate Signed And Sealed.exe - Extracts to: New Xpress Money Certificate Signed And Sealed..exe - Current Virus total detections 29/55*. MALWR**
    This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1470995213/

    ** https://malwr.com/analysis/MGYzMDc3Y...dmMWFkZWViYjc/
    ___

    Fake 'scanner' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...sent-from.html
    12 Aug 2016 - "This spam comes with a malicious attachment:
    Subject: Message from "CUKPR0317276"
    From: scanner@ victimdomain .tld (scanner@ victimdomain .tld)
    To: webmaster@ victimdomain .tld
    Date: Friday, 12 August 2016, 14:00
    This E-mail was sent from "CUKPR0329001" (Aficio MP C305).
    Scan Date: 17.11.2015 09:08:40 (+0000)
    Queries to: <scanner@ victimdomain .tld


    The email appears to come from within the victim's own domain (but this is just a simple forgery). Attached is a ZIP file with a name similar to 201608120908.zip which contains a malicious .WSF script with a name similar to doc(171)-12082016.wsf. This Hybrid Analysis* shows the script downloading a file from www .hi-segno .com/02bjJBHDs?WUubFbrItd=ratyCr (and also the same location on bonmoment.web.fc2 .com and www .homesplus .nf.net) but a trusted source tells me that the following download locations appear in different scripts... (see URL above for long list).
    The malware phones home to:
    185.129.148.19/php/upload.php (MWTV, Latvia)
    138.201.56.190/php/upload.php (Hetzner, Germany)
    That Latvian network range is -all- bad, I recommend that you -block- the lot. The payload is Locky ransomware.
    Recommended blocklist:
    185.129.148.0/24
    138.201.56.190
    "
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    213.205.40.169
    138.201.56.190
    185.129.148.19
    208.71.106.49
    216.251.43.11

    ___

    ITunes, Netflix phishing
    - https://myonlinesecurity.co.uk/apple...flix-phishing/
    12 Aug 2016 - "The latest Apple/ITunes phish pretends to be confirmation of an ITunes order for Netflix.

    Screenshot: https://myonlinesecurity.co.uk/wp-co...x-06285490.png

    The links go to
    http ://hiperkarma .hu/download/g.html where you are -redirected- to
    http ://margotbai .com/UnitedKingdom/Itunes/apple/ and see a page looking like this, where if you fill in the ID and password then asks for all other financial information:
    > https://myonlinesecurity.co.uk/wp-co...pple_phish.png "

    hiperkarma .hu: 87.229.45.133: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/71...835f/analysis/
    margotbai .com: 67.212.91.221: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/da...4543/analysis/

    Last edited by AplusWebMaster; 2016-08-12 at 20:53.

  8. #1028

    Beware of browser hijacker, Oracle POS Breach

    FYI...

    Beware of browser hijacker - comes bundled with legitimate software
    - https://www.helpnetsecurity.com/2016...acker-bing-vc/
    Aug 12, 2016 - "Lavians, a 'small software vendor team' is packaging its offerings with a variant of browser-hijacking malware Bing .vc. The company sells and offers for free different types of software (drivers and other kinds of utilities) on their own website*, but also on popular download sites. Unfortunately, most of them come bundled with the aforementioned malware, which installs itself into Internet Explorer, Firefox, and Chrome -without- the user’s consent..."
    * http:// www. lavians .com/product/

    lavians .com: 45.79.77.19: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/7c...2bc3/analysis/
    bing .vc: 65.75.147.228: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/58...46ed/analysis/
    2016-08-13
    ___

    Visa Alert - Oracle POS Breach
    - http://krebsonsecurity.com/2016/08/v...oracle-breach/
    Aug 13, 2016 - "Credit card industry giant Visa on Friday issued a security alert warning companies using point-of-sale devices made by Oracle‘s MICROS retail unit to double-check the machines for malicious software or unusual network activity, and to change passwords on the devices. Visa also published a list of Internet addresses that may have been involved in the Oracle breach and are thought to be closely tied to an Eastern European organized cybercrime gang:
    > http://krebsonsecurity.com/wp-conten...VSA-oracle.png
    The Visa alert is the first substantive document that tries to help explain what malware and which malefactors might have hit Oracle — and by extension many of Oracle’s customers... MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels. In short, tens of millions of credit cards are swiped at MICROS terminals monthly, and a breach involving the theft of credentials that might have granted remote access to even just a small percentage of those systems is potentially a big and costly problem for all involved:
    > http://krebsonsecurity.com/wp-conten...sp-580x476.png "

    Last edited by AplusWebMaster; 2016-08-14 at 02:18.

  9. #1029 - AplusWebMaster
    Fake 'Order Confirmation', 'Documents' SPAM

    FYI...

    Fake 'Order Confirmation' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...nesabcouk.html
    15 Aug 2016 - "This -fake- financial spam does -not- come from ESAB but is instead a simple -forgery- with a malicious attachment.
    From: orderconfirmation@ esab .co.uk
    Date: 15 August 2016 at 10:37
    Subject: Order Confirmation-7069-2714739-20160815-292650 ...


    Attached is a file with a name similar to Order_Confirmation-7069-2714739-20160815-292650.docm which contains a malicious macro. There are various versions, which according to my source (thank you) download a component...
    The payload is Locky ransomware with a very low detection rate* at present. It phones home to:
    185.129.148.19/php/upload.php (MWTV, Latvia)
    138.201.56.190/php/upload.php (Hetzner, Germany)
    46.148.26.77/php/upload.php (Infium UAB, Ukraine)
    The MWTV block is -all- bad. Recommended blocklist:
    185.129.148.0/24
    138.201.56.190
    46.148.26.77
    "
    * https://www.virustotal.com/en/file/0...21c5/analysis/
    File name: ferdoxs.exe
    Detection ratio: 1/55

    138.201.56.190: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/4a...c05b/analysis/
    46.148.26.77: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/be...d79a/analysis/

    - https://myonlinesecurity.co.uk/order...ky-ransomware/
    15 Aug 2016 - "An email with the subject of 'Order Confirmation-9355-8379094-20160815-474623' pretending to come from orderconfirmation@ esab .co.uk with a malicious word doc attachment downloads Locky ransomware...
    The email looks like:
    From: orderconfirmation@ esab .co.uk
    Date: Mon 15/08/2016 10:33
    Subject: Order Confirmation-9355-8379094-20160815-474623
    Attachment: Order Confirmation-9355-8379094-20160815-474623.docm ...


    15 August 2016: Order Confirmation-9355-8379094-20160815-474623.docm - Current VirusTotal detections 7/56*
    There are several different versions of this Locky downloader which all download an encrypted data file that is transformed by the macro to the same Locky Ransomware (VirusTotal 4/54**)..."
    * https://www.virustotal.com/en/file/a...is/1471258818/

    ** https://www.virustotal.com/en/file/0...21c5/analysis/
    ___

    Fake from 'Emma Critchley' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...critchley.html
    15 Aug 2016 - "This -fake- financial spam has a malicious attachment. It does -not- come from Advantage Finance but is instead a simple forgery.
    Subject: Emailing - 9104896607509
    From: Emma Critchley (emmacritchley@ advantage-finance .co.uk)
    Date: Monday, 15 August 2016, 13:28
    Hi
    Vicky has asked me to forward you the finance documents (Please see attached)
    Many Thanks


    Attached is a DOCM file with a name that matches the subject. There are various versions, all of which download Locky ransomware... This phones home to the same servers as mentioned in this post*."
    * http://blog.dynamoo.com/2016/08/malw...nesabcouk.html
    ___

    Fake 'Documents' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/08/malw...officecom.html
    15 Aug 2016 - "These -fake- financial documents have a malicious attachment:
    From: Jen [Jen@ purple-office .com]
    Date: 15 August 2016 at 14:10
    Subject: Documents from Purple Office - IN00003993
    Please find attached invoice/credit from Purple Office.
    Best regards,
    Purple Office


    Attached is a randomly-named DOCM file which is almost definitely a variant of Locky ransomware as seen here[1] and here[2]."
    1] http://blog.dynamoo.com/2016/08/malw...critchley.html

    2] http://blog.dynamoo.com/2016/08/malw...nesabcouk.html

    - https://myonlinesecurity.co.uk/docum...ky-ransomware/
    15 Aug 2016
    > https://malwr.com/analysis/M2RhNDAxZ...FiOGMwNWViNzI/
    Hosts
    80.150.6.138: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/2f...79d7/analysis/

    Last edited by AplusWebMaster; 2016-08-15 at 19:23.

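One way to act on the blocklists and the `/php/upload.php` check-in path reported in the posts above (the 12 Aug and 15 Aug Locky runs), as an added example that is not part of the forum posts or the quoted dynamoo/myonlinesecurity write-ups: the script matches outbound proxy log lines against the CIDR and host entries with Python's `ipaddress` module and separately flags the check-in path on addresses the list does not yet know. The log format and every log line are constructed for illustration; only the blocklist entries and the path come from the posts.

```python
"""Blocklist matcher for outbound proxy logs.

Added example, not code from the dynamoo or myonlinesecurity posts quoted
above.  It takes the blocklist and the /php/upload.php check-in path those
posts report for Locky and runs them over constructed sample log lines.
"""
import ipaddress
import re
from typing import List, Tuple

# Recommended blocklist from the quoted 15 Aug 2016 dynamoo post
BLOCKLIST = ["185.129.148.0/24", "138.201.56.190", "46.148.26.77"]
# Check-in path reported for the Locky payload in the same posts
C2_PATH = "/php/upload.php"

NETWORKS = [ipaddress.ip_network(entry, strict=False) for entry in BLOCKLIST]

# Constructed sample log (not real traffic): "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2016-08-15T10:41:02Z 10.0.0.15 POST http://185.129.148.19/php/upload.php 200
2016-08-15T10:41:05Z 10.0.0.15 GET http://www.example.com/index.html 200
2016-08-15T10:41:09Z 10.0.0.22 POST http://138.201.56.190/php/upload.php 200
2016-08-15T10:41:11Z 10.0.0.30 GET http://185.129.148.200/ 404
2016-08-15T10:41:15Z 10.0.0.31 POST http://198.51.100.7/php/upload.php 200
malformed line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/\S*)?$")


def host_blocked(host: str) -> bool:
    """True if host is an IP literal inside any blocklist entry.

    Hostnames are not resolved here; a real gateway should also check the
    resolved address, since the posts show the same IPs behind several
    hostnames."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in NETWORKS)


def classify(url: str) -> str:
    """'block' for a listed address, 'suspect' for the Locky check-in path on
    an unlisted address (a C2 the list does not know yet), else 'clean'."""
    m = URL_RE.match(url)
    if not m:
        return "clean"
    host, path = m.group(1), m.group(2) or "/"
    if host_blocked(host):
        return "block"
    if path.startswith(C2_PATH):
        return "suspect"
    return "clean"


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, verdict) for every non-clean request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; count these in production
        _ts, client, _method, url, _status = m.groups()
        verdict = classify(url)
        if verdict != "clean":
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:7} {client:12} {url}")
```

The fourth sample line (an address inside 185.129.148.0/24 that the posts never name) is why the post recommends blocking the whole range rather than the single IPs seen; the fifth shows the path-only match that catches a new check-in server before it reaches any blocklist.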
  10. #1030 - AplusWebMaster
    Fake 'Scan/Document/Receipt' SPAM, iTunes Phish

    FYI...

    Fake 'Scan/Document/Receipt' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/gener...ky-ransomware/
    16 Aug 2016 - "Today’s first Locky ransomware example is a blank/empty email with the subject saying something like 'File: Scan(86)' or 'Emailing: Document(2)' or 'Emailing: Receipt(8)' [randomly numbered] or other similar generic subjects, pretending to come from random names at your own email domain, with a zip attachment containing a randomly numbered WSF (script file) which downloads an encrypted Locky ransomware version that gets converted by the script file to a fully working .exe... One of the emails looks like:
    From: Random names at your own email domain or company
    Date: Tue 16/08/2016 10:11
    Subject: File: Scan(86)
    Attachment: Scan(86).zip


    Body content: Totally blank/empty

    16 August 2016: Scan(86): Extracts to: 572310451803.wsf - Current VirusTotal detections 3/56*
    ... MALWR** shows a download of an encrypted file from one of these 3 locations (there will be multiple others) that is transformed by the script to eaoJlwhPcR.exe (random depending on the version you get) (VirusTotal 3/56***)
    http ://zarexbytonia.cba .pl/nJHbj0266b?coHDErXiOn=ldRhoj
    http ://fereastrazmeilor .go.ro/nJHbj0266b?coHDErXiOn=ldRhoj
    http ://www .lefaos.50webs .com/nJHbj0266b?coHDErXiOn=ldRhoj
    ... This is another one of the files that, unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1471338738/

    ** https://malwr.com/analysis/ODAyODBjM...FmYjJhYmJiNTA/
    Hosts
    192.151.153.26
    81.196.20.134
    95.211.144.65


    *** https://www.virustotal.com/en/file/7...is/1471340178/
    ___

    iTunes Phish
    - https://myonlinesecurity.co.uk/apple...ot-premium-hd/
    16 Aug 2016 - "The latest Apple/iTunes phish pretends to be confirmation of an iTunes order for CoPilot premium HD.

    Screenshot: https://myonlinesecurity.co.uk/wp-co...t-1024x654.png

    The links go to
    http ://monthlyincomeformula .com/.GB/db/ where you are -redirected- to
    http ://missclaudia .net/.GB/apple-store-refund/appsrefund/ and see a page looking like this, which, -if- you fill in the ID and password, then asks for all your other financial information:
    > https://myonlinesecurity.co.uk/wp-co...t-1024x555.png "

    monthlyincomeformula .com: 162.144.84.124: https://www.virustotal.com/en/ip-add...4/information/

    missclaudia .net: 174.136.50.43: https://www.virustotal.com/en/ip-add...3/information/

    Last edited by AplusWebMaster; 2016-08-16 at 14:48.

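The two delivery styles in the posts above (the .docm-with-macro runs of 15 Aug and the ZIP-wrapped, randomly numbered .wsf of 16 Aug) can both be caught at the mail gateway without opening the document or running the script, because a .docm and a .zip are both plain ZIP containers. The following is an added example, not code from the forum posts or the quoted blogs: it lists the members of a ZIP attachment and flags script extensions (including the "Invoice.pdf.js" double-extension trick the post warns about), and it flags an Office document that embeds `word/vbaProject.bin`. All sample attachments are constructed stubs built in memory; the member names are modelled on the posts but the contents are not the malware.

```python
"""Attachment inspector for the two Locky delivery styles in the posts above.

Added example, not code from the quoted blogs.  The posts describe (a) a ZIP
holding a randomly numbered .wsf/.js downloader and (b) a .docm whose VBA
macro does the download.  Both containers are plain ZIP archives, so a mail
gateway can look inside without executing anything.  The samples below are
constructed stubs, not the real malware.
"""
import io
import zipfile
from typing import Dict, List

# Extensions Windows Script Host / the shell will execute on double-click
SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".exe", ".scr"}
# OOXML formats; a .docx can carry VBA too if renamed, so check all of them
OFFICE_EXTS = {".docm", ".docx", ".xlsm", ".xlsx", ".pptm", ".pptx"}


def _ext(name: str) -> str:
    """Last extension, lower-cased; 'Invoice.pdf.js' yields '.js', which is
    exactly the double-extension trick the post warns about."""
    base = name.rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""


def findings_for_office(data: bytes) -> List[str]:
    """Flag an OOXML document that embeds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["not a valid OOXML container"]
    return [f"VBA project present ({n})" for n in names
            if n.lower().endswith("vbaproject.bin")]


def findings_for_zip(data: bytes) -> List[str]:
    """Walk a ZIP attachment; flag script members and nested Office files."""
    out: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                ext = _ext(info.filename)
                if ext in SCRIPT_EXTS:
                    out.append(f"script member {info.filename}")
                elif ext in OFFICE_EXTS:
                    out.extend(f"{info.filename}: {f}"
                               for f in findings_for_office(zf.read(info)))
    except zipfile.BadZipFile:
        out.append("not a valid zip")
    return out


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Dispatch on the attachment's own extension; empty list means no finding."""
    ext = _ext(filename)
    if ext == ".zip":
        return findings_for_zip(data)
    if ext in OFFICE_EXTS:
        return findings_for_office(data)
    if ext in SCRIPT_EXTS:
        return [f"bare script attachment {filename}"]
    return []


def _zip_bytes(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (stub content, names modelled on the posts)
SAMPLE_WSF_ZIP = _zip_bytes({
    "572310451803.wsf": b"<job><script language='JScript'>/* stub */</script></job>",
})
SAMPLE_DOCM = _zip_bytes({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stub",
})
SAMPLE_DOCX_CLEAN = _zip_bytes({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})
SAMPLE_ZIP_WITH_DOCM = _zip_bytes({"Order_Confirmation.docm": SAMPLE_DOCM})

if __name__ == "__main__":
    for name, blob in [("Scan(86).zip", SAMPLE_WSF_ZIP),
                       ("Order_Confirmation-9355.docm", SAMPLE_DOCM),
                       ("clean.docx", SAMPLE_DOCX_CLEAN),
                       ("Emailing - 9104896607509.zip", SAMPLE_ZIP_WITH_DOCM)]:
        print(name, "->", inspect_attachment(name, blob) or ["no finding"])
```

The check keys on container structure rather than on file hashes, which is why it still fires on the "various versions" the posts mention: each run re-randomises the script name and the encrypted download, but a downloader still has to be a script or a macro, and the container still has to say so.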