
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1041 AplusWebMaster (Adviser Team). Join Date: Oct 2005. Location: USA. Posts: 6,881

    Fake 'Scan', 'bank transactions' SPAM, SWIFT security, Dropbox hacked

    FYI...

    Fake 'Scan' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/sent-...ky-ransomware/
    31 Aug 2016 - "... received a massive malspam run of an email with the subject of 'FW: [Scan] 2016-08-13 15:49:12' [random numbered] pretending to come from random senders at your own email domain or company with a zip attachment containing an encrypted HTA file... One of the emails looks like:
    From: Bertha <Bertha34@ your own email domain>
    Date: Wed 31/08/2016 06:14
    Subject: FW: [Scan] 2016-08-13 15:49:12
    Attachment: 2016-08-30 436 663 415.zip
    From: “Bertha” <Bertha34@[REDACTED]>
    Sent: 2016-08-13 15:49:12
    To: [REDACTED]
    Subject: [Scan] 2016-08-13 15:49:12
    Sent with Genius Scan for iOS ...


    31 August 2016: 2016-08-30 436 663 415.zip: Extracts to: Yd95ozed8.hta - Current Virus total detections 9/56*
    .. Payload Security** shows a download of the usual Locky encrypted file from a list of embedded URLs in the decrypted HTA/JavaScript file which is converted to QXkcpj1.dll by the instructions inside the HTA/JavaScript (VirusTotal 19/56***)... This is another one of the files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1472620428/

    ** https://www.reverse.it/sample/15cf22...ironmentId=100
    Contacted Hosts
    210.157.28.18
    80.150.6.138
    195.208.0.137
    95.85.19.195
    188.127.249.32
    58.158.177.102


    *** https://www.virustotal.com/en/file/d...is/1472623964/
    ___

    Fake 'bank transactions' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/attac...elivers-locky/
    31 Aug 2016 - "... Locky continues with an email with the subject of 'bank transactions' coming from random senders, companies and email addresses with a random named zip attachment containing a JS file... One of the emails looks like:
    From: Marlene Carrillo <Carrillo.170@ veloxzone. com.br>
    Date: Wed 31/08/2016 07:35
    Subject: bank transactions
    Attachment: b231f370cf0.zip
    Good morning gold.
    Attached is the bank transactions made from the company during last month.
    Please file these transactions into financial record.
    Yours truly,
    Marlene Carrillo


    31 August 2016: b231f370cf0.zip: Extracts to: CC1BB558_bank_transactions.js - Current Virus total detections 3/56*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://www.instalacionesjosearteaga .com/s7yy5 | http ://enigmes4saisons.perso. sfr .fr/dilveh
    http ://mambarambaro .ws/1m202 | http ://www.meta. metro .ru/uumr65 which gets transformed into the Locky ransomware by the script KzgOzqkkKOZ.dll (VirusTotal 7/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1472629007/

    ** https://malwr.com/analysis/ZDI1NjIzZ...c4OGI3NTk5MzU/
    Hosts
    62.42.230.17
    86.65.123.70
    195.91.160.34
    45.59.114.100
    158.69.147.88


    *** https://www.virustotal.com/en/file/e...is/1472629326/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    62.42.230.17
    86.65.123.70
    95.85.19.195
    188.127.249.203
    138.201.191.196
    188.127.249.32
    91.223.180.66


    - http://blog.dynamoo.com/2016/08/malw...nsactions.html
    31 Aug 2016 - "This -fake- financial spam comes with a malicious attachment:
    From: Rueben Vazquez
    Date: 31 August 2016 at 10:06
    Subject: bank transactions
    Good morning petrol.
    Attached is the bank transactions made from the company during last month.
    Please file these transactions into financial record.
    Yours truly,
    Rueben Vazquez


    The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js ... According to the Malwr report of these three samples [1] [2] [3] the scripts download... Each one of those samples drops a -different- DLL... these phone home to:
    95.85.19.195/data/info.php [hostname: vps-110831.freedomain .in .ua] (Digital Ocean, Netherlands)
    138.201.191.196/data/info.php [hostname: u138985v67.ds-servers .com] (Hetzner, Germany)
    188.127.249.203/data/info.php [hostname: it.ivanovoobl .ru] (SmartApe, Russia)
    188.127.249.32/data/info.php (SmartApe, Russia)
    cufrmjsomasgdciq .pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
    The payload is probably the Locky ransomware.
    Recommended blocklist:
    95.85.19.195
    138.201.191.196
    188.127.249.0/24
    91.223.180.0/24
    "
    1] https://malwr.com/analysis/YzQyYzA2N...k0ZmVmZjE5Mzg/

    2] https://malwr.com/analysis/YTVhMjg2N...RmNWEwZDFjY2E/

    3] https://malwr.com/analysis/ZjM5YTNhO...ViOWM4YTNmOTQ/
    ___

    Fake 'flight tickets' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/i-am-...elivers-locky/
    31 Aug 2016 - "This latest Locky ransomware malspam is a little bit more believable than some recent attempts and might actually fool a few recipients. An email with the subject of 'flight tickets' pretending to come from random companies, senders and email addresses with a random name zip attachment containing a JavaScript file... One of the emails looks like:
    From: Wallace Hampton <Hampton.7365@writers-india.com>
    Date: Wed 31/08/2016 18:37
    Subject: flight tickets
    Attachment: 4e0302044044.zip
    Good evening admin.
    I am sending you the flight tickets for your business conference abroad next month.
    Please see the attached and note the date and time.
    Respectfully,
    Wallace Hampton


    31 August 2016: 4e0302044044.zip: Extracts to: CE14A812_flight_tickets.js - Current Virus total detections 3/56*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://roger.pierrieau.perso. sfr .fr/68d8ti | http ://virmalw .name/31fwt4cs
    http ://simo62.web. fc2 .com/yywcdpbu | http ://www.francogatta .it/npoa0lzw which is converted to a working Locky ransomware file & autorun by the script 20mrgwO23alMfJvj.dll (VirusTotal 8/58***). Payload Security[4]...
    This is another one of the files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1472665164/

    ** https://malwr.com/analysis/Y2U2MmYxO...Q2OWU2N2VmOGQ/
    Hosts
    158.69.147.88
    208.71.106.61
    195.78.215.76
    86.65.123.70


    *** https://www.virustotal.com/en/file/5...is/1472665518/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.99.111.28
    208.71.106.61
    95.85.19.195
    138.201.191.196
    188.127.249.203
    188.127.249.32
    91.223.180.66
    69.195.129.70

    ___

    SWIFT discloses more cyber thefts, pressures banks on security
    - http://www.reuters.com/article/us-cy...-idUSKCN11600C
    Aug 31, 2016 - "SWIFT, the global financial messaging system, on Tuesday disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February's high-profile $81 million heist at Bangladesh Bank. In a private letter to clients, SWIFT said that new cyber-theft attempts - some of them successful - have surfaced since June, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank... The disclosure suggests that cyber thieves may have ramped up their efforts following the Bangladesh Bank heist, and that they specifically targeted banks with lax security procedures for SWIFT-enabled transfers... A SWIFT spokeswoman declined to elaborate on the recently uncovered incidents or the security issues detailed in the letter, saying the firm does not discuss affairs of specific customers. All the victims shared one thing in common: Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers, according to the letter. Accounts of the attack on Bangladesh Bank suggest that weak security procedures there made it easier to hack into computers used to send SWIFT messages requesting large money transfers. The bank lacked a firewall and used second-hand, $10 electronic switches to network those computers, according to the Bangladesh police..."
    ___

    Hacks steal account details for 60M Dropbox Users
    - https://it.slashdot.org/story/16/08/...-dropbox-users
    Aug 31, 2016 - "Hackers have stolen over 60 million account details for online cloud storage platform Dropbox. Although the accounts were stolen during a previously disclosed breach, and Dropbox says it has already forced password resets, it was not known how many users had been affected, and only now is the true extent of the hack coming to light. Motherboard* obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community. In all, the four files total in at around 5GB, and contain details on 68,680,741 accounts..."
    * https://motherboard.vice.com/read/ha...opbox-accounts

    Last edited by AplusWebMaster; 2016-09-01 at 00:30.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
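One way to put the indicators quoted in this post to work against web-proxy logs. This is an added example, not code from the original post or from the dynamoo/myonlinesecurity write-ups. The blocklist, the downloader URLs and the /data/info.php check-in path are the values quoted above; the log line format and the sample traffic are constructed for the example, and the path match is a heuristic drawn from the quoted check-in URLs rather than a published signature. Hostnames are not resolved, so a check-in to a random .pw domain is caught by the path, not by the IP list.

```python
"""Match proxy log lines against the Locky indicators quoted in the post.

Added example, not code from the original post or the quoted write-ups.
Constructed: the log format and SAMPLE_LOG.  Quoted from the post: BLOCKLIST,
DOWNLOAD_URLS and the /data/info.php check-in path.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Recommended blocklist from the dynamoo 'bank transactions' write-up (IPs and /24s).
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "95.85.19.195", "138.201.191.196", "188.127.249.0/24", "91.223.180.0/24",
)]

# Check-in path seen on every C2 host in the write-ups (heuristic, not a signature).
C2_PATH = "/data/info.php"

# Downloader URLs quoted in the myonlinesecurity 'bank transactions' write-up.
DOWNLOAD_URLS = {
    "http://www.instalacionesjosearteaga.com/s7yy5",
    "http://enigmes4saisons.perso.sfr.fr/dilveh",
    "http://mambarambaro.ws/1m202",
    "http://www.meta.metro.ru/uumr65",
}

# Constructed proxy log format: "<epoch> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_in_blocklist(host):
    """True if host is a literal IP that falls inside any blocklisted network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal IP; resolve separately if needed
    return any(addr in net for net in BLOCKLIST)


def classify(url):
    """Return the indicator tags that apply to one URL (empty list = no match)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    tags = []
    if url in DOWNLOAD_URLS:
        tags.append("locky-downloader-url")
    if parts.path == C2_PATH:
        tags.append("locky-c2-path")
    if host_in_blocklist(host):
        tags.append("blocklisted-host")
    return tags


def scan_log(lines):
    """Return (client, url, tags) for every parseable line carrying an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; count these in production
        _ts, client, _method, url, _status = m.groups()
        tags = classify(url)
        if tags:
            hits.append((client, url, tags))
    return hits


# Constructed sample traffic: payload download, two C2 check-ins, one benign request.
SAMPLE_LOG = """\
1472629007 10.0.0.7 GET http://mambarambaro.ws/1m202 200
1472629020 10.0.0.7 POST http://188.127.249.203/data/info.php 200
1472629021 10.0.0.7 POST http://cufrmjsomasgdciq.pw/data/info.php 200
1472629100 10.0.0.9 GET https://www.example.com/index.html 200
"""

if __name__ == "__main__":
    for client, url, tags in scan_log(SAMPLE_LOG.splitlines()):
        print(client, url, ",".join(tags))
```

Feed it real logs by replacing LOG_RE with your proxy's format; the /24 entries mean anything in those ranges is treated as hostile, which is what the quoted blocklist intends.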

  2. #1042 AplusWebMaster (Adviser Team)

    Fake 'Shipping info', 'invoice', 'Travel expense sheet' SPAM, Cerber - Malvertising

    FYI...

    Fake 'Shipping info' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/our-s...elivers-locky/
    1 Sep 2016 - "... the Locky onslaught continues with ever increasing frequency and complexity. The first of today’s Malspam is an email with the subject of 'Shipping information' coming from random names, companies and email addresses with a random named zip attachment containing a heavily obfuscated/encrypted JavaScript file... One of the emails looks like:
    From: Celina Mccarty <Mccarty.8737@ spebs .com>
    Date: Thu 01/09/2016 09:12
    Subject: Shipping information
    Attachment: 2020f266fc.zip
    Dear customer,
    Our shipping service is sending the order form due to the request from your company.
    Please fill the attached form with precise information.
    Very truly yours,
    Celina Mccarty


    1 September 2016: 2020f266fc.zip: Extracts to: 91CF4D63_shipping_service.js - Current Virus total detections 4/56*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://www.oltransservice .org/wxyig4v | http ://kreativmanagement.homepage. t-online .de/anlaok1d
    http ://mambarambaro .ws/1zvqoqf which is transformed by the script to naXFQvt9.dll (VirusTotal 11/58***)
    Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1472717463/

    ** https://malwr.com/analysis/Mjg1YzAyN...QwY2JmNWIwOGM/
    Hosts
    213.205.40.169
    192.99.111.28
    80.150.6.138


    *** https://www.virustotal.com/en/file/3...is/1472718234/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    213.205.40.169
    95.85.19.195
    212.109.192.235
    5.34.183.211
    188.127.249.32
    188.127.249.203
    91.223.180.66


    - http://blog.dynamoo.com/2016/09/malw...ervice-is.html
    1 Sep 2016 - "This -fake- shipping email comes with a malicious attachment:
    Subject: Shipping information
    From: Charles Burgess
    Date: Thursday, 1 September 2016, 9:30
    Dear customer,
    Our shipping service is sending the order form due to the request from your company.
    Please fill the attached form with precise information.
    Very truly yours,
    Charles Burgess


    The sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and ending with _shipping_service.js. Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):
    joeybecker.gmxhome .de/430j1t
    ngenge.web. fc2 .com/vs1qc0
    mambarambaro .ws/1zvqoqf
    timetobuymlw .in/2dlqalg0
    peetersrobin.atspace .com/t2heyor1
    www .bioinfotst. cba .pl/u89o4
    Between those four reports, there are three -different- DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis* shows the malware phoning home to:
    5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
    212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
    188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
    xattllfuayehhmpnx .pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
    The payload is probably Locky ransomware.
    Recommended blocklist:
    5.34.183.211
    212.109.192.235
    188.127.249.0/24
    91.223.180.0/24
    "
    1] https://malwr.com/analysis/MzA5NTllN...lhYjlhNDQ0YjA/
    Hosts
    82.165.58.83
    192.99.111.28
    208.71.106.37


    2] https://malwr.com/analysis/Nzg4YTM0O...NhZDJjMTUxNTE/
    Hosts
    82.197.131.109
    158.69.147.88
    95.211.144.65


    3] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    82.165.58.83

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    82.197.131.109
    95.85.19.195
    5.34.183.211
    212.109.192.235
    188.127.249.203
    188.127.249.32
    91.223.180.66


    5] https://virustotal.com/en/file/59bd7...is/1472720135/

    6] https://virustotal.com/en/file/03f50...is/1472720153/

    7] https://virustotal.com/en/file/cd8a2...8380/analysis/

    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    82.197.131.109
    95.85.19.195
    5.34.183.211
    212.109.192.235
    188.127.249.203
    188.127.249.32
    91.223.180.66

    ___

    Fake 'invoice' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/09/malw...-attached.html
    1 Sep 2016 - "This spam has a malicious attachment. It appears to come from the sender themselves, but this is just a trivial forgery.
    Subject: Please find attached invoice no: 329218
    From: victim@ victimdomain .tld
    To: victim@ victimdomain .tld
    Date: Thursday, 1 September 2016, 12:42
    Attached is a Print Manager form.
    Format = Portable Document Format File (PDF)
    Disclaimer ...


    Attached is a ZIP file containing a malicious .wsf script. According to my usual source (thank you!) the scripts download... The payload appears to be Locky ransomware... This is similar to the list here*.
    Recommended blocklist:
    5.34.183.211
    212.109.192.235
    95.85.19.195
    188.127.249.0/24
    91.223.180.0/24
    "
    * http://blog.dynamoo.com/2016/09/malw...ervice-is.html
    1 Sep 2016
    ___

    Fake 'Travel expense sheet' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/trave...elivers-locky/
    1 Sep 2016 - "... never ending series of Locky downloaders is an email with the subject of 'Travel expense sheet' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
    From: Hilario Walton <Walton.571@ afirstclassmove .com>
    Date: Thu 01/09/2016 19:22
    Subject: Travel expense sheet
    Attachment: ea00ba32a5.zip
    Dear karen,
    Here is the travel expense sheet for your upcoming company field trip. Please write down the approximate costs in the attachment.
    Warm wishes,
    Hilario Walton


    1 September 2016: ea00ba32a5.zip: Extracts to: Travel_expense_sheet_E492D6CB.js - Current Virus total detections 6/56*
    .. MALWR shows a download of an encrypted file from one of these locations:
    http ://www .cortesidesign .com/v1vmxyj | http ://www .aktion-zukunft-gestalten .info/hfgo3x
    http ://portadeenrolar .ind.br/rbfr26 | http ://timetobuymlw .in/57h8t6it which is transformed by the script to rg4V0yhh8iC.dll (VirusTotal 21/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1472753839/

    ** https://malwr.com/analysis/YTU5OWRkM...ZkYjY3MTE0MDI/
    Hosts
    213.205.40.169
    186.202.126.199
    81.169.145.224
    158.69.147.88
    66.85.27.250


    *** https://www.virustotal.com/en/file/1...is/1472755942/
    ___

    Cerber dropped via Malvertising
    - http://blog.trendmicro.com/trendlabs...-malvertising/
    Aug 31, 2016 - "... The latest version of Cerber had functions found in earlier versions like the use of voice mechanism as part of its social engineering tactics. Similar to previous variants, Cerber 3.0 is dropped by the Magnitude and Rig exploit kits. Users are typically -redirected- to these exploit kit servers via ads appearing in a pop-up window after clicking a video to play. This ultimately leads to the download of Cerber. While this malvertisement campaign has affected several countries already, the attack is heavily concentrated in Taiwan. And although this malvertising campaign has been running for months, it was only now that it dropped Cerber 3.0 as its payload. In the case of Magnitude, a simple redirect script was used. Rig, on the other hand, opened a website in the background that contained a screenshot of legitimate US clothing shopping sites, perhaps to make the ad look less suspicious... Cerber demands 1.24 BTC (~US$523, as of March 4, 2016) and gave affected entities seven days. Cerber 3.0 asks for 1 BTC right away, but if the user waits more than five days the ransom doubles to 2 BTC:
    > https://blog.trendmicro.com/trendlab...erber-v3-3.png
    ... The most fundamental defense against ransomware is still backing up. With proper backups in place, organizations need not worry about any data loss that may be incurred. At the very least, important files should be backed up on a regular basis. Practice the 3-2-1 rule wherein 3 copies are stored in two different devices, and another one to a safe location. A good defense against malvertising (and exploit kits in general) is to keep the software in use up-to-date with all security patches. This will reduce the risk against a wide variety of attacks, not just ransomware. This includes both the operating system and any applications in use. A security solution that can proactively provide defense against attacks targeting vulnerabilities in the system’s software is also recommended..."

    Last edited by AplusWebMaster; 2016-09-01 at 23:00.

  3. #1043 AplusWebMaster (Adviser Team)

    Fake 'old office facilities', 'Scanned image', 'Body content empty/blank' SPAM

    FYI...

    Fake 'old office facilities' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/09/malw...acilities.html
    2 Sep 2016 - "This spam has a malicious attachment:
    Subject: old office facilities
    From: Kimberly Snow (Snow.741@ niqueladosbestreu .com)
    Date: Friday, 2 September 2016, 8:55
    Hi Corina,
    Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
    Best wishes,
    Kimberly Snow


    The name of the sender will vary. Attached is a ZIP file with a random hexadecimal number, containing a malicious .js script beginning with office_facilities_ plus another random hexadecimal number. Analysis is pending, but this Malwr report* indicates attempted communications to:
    malwinstall .wang
    sopranolady7 .wang
    ..both apparently hosted on 66.85.27.250 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.
    UPDATE 1: According to this Malwr report** it drops a DLL with a detection rate of 10/58***. Also those mysterious .wang domains appear to be multihomed on the following IPs:
    23.95.106.195 (New Wave NetConnect, US)
    45.59.114.100 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
    66.85.27.250 (Crowncloud, US)
    104.36.80.104 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
    107.161.158.122 (Net3, US)
    158.69.147.88 (OVH, Canada)
    192.99.111.28 (OVH, Canada)
    Recommended blocklist:
    23.95.106.195
    45.59.114.100
    66.85.27.250
    104.36.80.104
    107.161.158.122
    158.69.147.88
    192.99.111.28
    "
    * https://malwr.com/analysis/OGI2NWI3Z...A3YWRkMzZmNGE/
    Hosts
    66.85.27.250
    23.95.106.195


    ** https://malwr.com/analysis/OTA3MDk3Z...BhM2I4MTE0OTE/
    Hosts
    66.85.27.250
    23.95.106.195


    *** https://virustotal.com/en/file/9dc5a...c5c7/analysis/
    VQpnPCqe.dll

    - https://myonlinesecurity.co.uk/old-o...elivers-locky/
    2 Sep 2016 - "... series of Locky downloaders is an email with the subject of 'old office facilities' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
    From: Angelina Nielsen <Nielsen.83382@ parklawnsprinklers .com>
    Date: Fri 02/09/2016 08:27
    Subject: old office facilities
    Attachment: 1fade4423b3a.zip
    Hi Chasity,
    Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
    Best wishes,
    Angelina Nielsen


    2 September 2016: 1fade4423b3a.zip: Extracts to: office_facilities_059AB2E9.js - Current Virus total detections 8/56*
    .. MALWR** shows a download of an encrypted file from http ://malwinstall .wang/ezr08tjd which is transformed by the script to VQpnPCqe.dll (VirusTotal 10/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1472801143/

    ** https://malwr.com/analysis/MzJkY2EzN...g4OGVhMzAyMDQ/
    Hosts
    23.95.106.195
    66.85.27.250


    *** https://www.virustotal.com/en/file/9...is/1472801991/
    ___

    Fake 'Scanned image' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/09/malw...mage-from.html
    2 Sep 2016 - "This -fake- document scan appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a malicious Word document.
    Subject: Scanned image from MX2310U@ victimdomain .tld
    From: office@victimdomain.tld (office@ victimdomain .tld)
    To: webmaster@victimdomain.tld;
    Date: Friday, 2 September 2016, 2:29
    Reply to: office@ victimdomain .tld [office@ victimdomain .tld]
    Device Name: MX2310U@victimdomain.tld
    Device Model: MX-2310U
    Location: Reception
    File Format: PDF MMR(G4)
    Resolution: 200dpi x 200dpi
    Attached file is scanned image in PDF format.
    Use Acrobat(R)Reader(R) ...


    Attached is a .DOCM file with a filename consisting of the recipient's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component... The payload is Locky ransomware, phoning home to:
    212.109.192.235/data/info.php [hostname: take. ru .com] (JSC Server, Russia)
    149.154.152.108/data/info.php [hostname: 407.AT.multiservers .xyz] (EDIS, Austria)
    Recommended blocklist:
    212.109.192.235
    149.154.152.108
    "
    ___

    Fake 'Body content empty/blank' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/blank...s-locky-zepto/
    2 Sep 2016 - "... Locky/Zepto downloaders... empty/blank email with the subject random numbers and either .jpg, gif, pdf, img, docx, tif, png etc. coming as usual from random names @ icloud .com with a random named zip attachment that is named the -same- as the numbers in the subject line containing a wsf file... One of the emails looks like:
    From: Alejandra_6526@ icloud .com
    Date: Fri 02/09/2016 12:27
    Subject: 26889jpg
    Attachment: 26889.zip


    Body content: Empty/blank

    2 September 2016: 26889.zip: Extracts to: W64pP.wsf - Current Virus total detections 8/56*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://maxshoppppsr .biz/js/y54g3tr?NxMSERb=asaGYkQ | http ://illaghettodelcircoletto .it/flkekqs?NxMSERb=asaGYkQ
    http ://vimp.hi2 .ro/xqbqjyn?NxMSERb=asaGYkQ which is transformed by the script to vTFEncqFbOk1.dll (VirusTotal 5/58***)
    All of them contact the C2 centre http ://149.154.152.108 /data/info.php to get & store the encryption key that is used to encrypt your files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1472815578/

    ** https://malwr.com/analysis/YzJkMzM2M...ljNjI1ODBjNTY/
    Hosts
    89.42.39.81
    195.110.124.188
    66.85.27.252
    149.154.152.108


    *** https://www.virustotal.com/en/file/8...is/1472817060/
    ___

    Bogus Windows error site - for iPad
    - https://blog.malwarebytes.com/cyberc...ndows-fakeout/
    2 Sep 2016 - "... The bogus error site is located at:
    ipad-error-9023(dot)com
    Given the URL, you’d expect to see some sort of iPad related shenanigans taking place – an interesting twist on the well worn theme of tech-support-scams. Who needs Windows desktops when you can go after the tablet market, right? Unfortunately for our scammers, it all goes a bit wrong in terms of being convincing with that whole iPad URL thing. Let me count the ways... text reads as follows:
    Windows Security Error !
    Your Hard drive will be DELETED if you close this page
    You have a ZEUS virus! Please call Support Now!
    Call Now to Report This Threat.
    Do not Click ‘OK’ button below, doing so will start the hacking process.

    ... 'didn’t put much thought into this whole iPad thing, did they?...
    > https://blog.malwarebytes.com/wp-con...al-dialogs.jpg
    ... a “prevent additional dialog” message from the browser? I’m guessing my PC hasn’t exploded yet. Maybe if I close the box and then hit the OK button:
    > https://blog.malwarebytes.com/wp-con...age-locked.jpg
    ... While the attempted fakeout up above isn’t one of the best ones we’ve seen, there are plenty out there which succeed in their attempts at convincing device owners that they have a problem. From there, phone calls to “tech support” and payments to have the non-existent virus cleaned up are only a hop, step and jump away. If you think you may have been targeted by such scams – or just want to avoid such antics in the future – feel free to give our guide to Tech Support Scams* a read. It could well save you time and money – and a lot of increasingly infuriating phone calls..."
    * https://blog.malwarebytes.com/tech-support-scams/

    ipad-error-9023(dot)com: 107.180.21.58: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/15...5616/analysis/

    Last edited by AplusWebMaster; 2016-09-02 at 21:01.

  4. #1044 AplusWebMaster (Adviser Team)

    Fake 'Credit card receipt', 'Malware in .pub files' SPAM

    FYI...

    Fake 'Credit card receipt' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/we-ar...ft-netmsg-dll/
    5 Sep 2016 - "... series of Locky downloaders is an email with the subject of 'Credit card receipt' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
    From: Wilda Hayden <Hayden.80411@ monicamatthews .com>
    Date: Mon 05/09/2016 08:29
    Subject: Credit card receipt
    Attachment: 6aec8732b803.zip
    Dear mrilw,
    We are sending you the credit card receipt from yesterday. Please match the card number and amount.
    Sincerely yours,
    Wilda Hayden
    Account manager


    5 September 2016: 6aec8732b803.zip: Extracts to: credit_card_receipt_9F44E80E.js - Current Virus total detections 6/56*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://darkestzone2 .wang/1i0i75gq | http ://canonsupervideo4k .ws/1bcpr7xx
    .. which is transformed by the script to aXZnmnI3ES.dll (VirusTotal 9/57***). This is also downloading the genuine Microsoft netmsg.dll in an attempt to confuse antiviruses and researchers... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1473060526/

    ** https://malwr.com/analysis/YTU5OWRkM...ZkYjY3MTE0MDI/
    Hosts
    213.205.40.169
    186.202.126.199
    81.169.145.224
    158.69.147.88
    66.85.27.250


    *** https://www.virustotal.com/en/file/3...is/1473062169/

    - http://blog.dynamoo.com/2016/09/malw...ou-credit.html
    5 Sep 2016 - "This -fake- financial spam has a malicious attachment:
    From: Tamika Good
    Date: 5 September 2016 at 08:43
    Subject: Credit card receipt
    Dear [redacted],
    We are sending you the credit card receipt from yesterday. Please match the card number and amount.
    Sincerely yours,
    Tamika Good
    Account manager


    The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_
    A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:
    canonsupervideo4k .ws/1bcpr7xx
    This appears to be multihomed on the following IP addresses:
    23.95.106.206 (New Wave NetConnect, US)
    107.173.176.4 (Virtual Machine Solutions LLC, US)
    192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
    217.13.103.48 (1B Holding ZRT, Hungary) ...
    Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57*. These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:
    91.211.119.71/data/info.php [hostname: data .ru .com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
    158.255.6.109/data/info.php (Mir Telematiki, Russia)
    185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
    185.162.8.101/data/info.php (Eurohoster, Netherlands)
    uxfpwxxoyxt .pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
    The payload is probably Locky ransomware.
    Recommended blocklist:
    "
    1] https://malwr.com/analysis/MjA4OWI5O...lhYzZlNGExZjg/
    Hosts
    107.173.176.4

    2] https://malwr.com/analysis/NjNjMTIyN...IyOTk2MDcyNTk/
    Hosts
    23.95.106.206
    107.173.176.4


    3] https://malwr.com/analysis/MTZmNjgyM...M1NjY0MGNlYWE/
    Hosts
    107.173.176.4

    * https://virustotal.com/en/file/3068b...c2f6/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100


    5] https://www.hybrid-analysis.com/samp...ironmentId=100


    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Malware in '.pub files' SPAM
    - https://isc.sans.edu/diary.html?storyid=21443
    2016-09-05 - "While searching for new scenarios to deliver their malware[1][2], attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher[3] (.pub) files. The tool Publisher is less well known than Word or Excel. This desktop publishing tool was released in 1991 (version 1.0) but it is still alive and included in the newest Office suite. It is not surprising that it also supports macros. By using .pub files, attackers make one step forward because potential victims don't know the extension ".pub" (which can be interpreted as "public" or "publicity" and makes the document less suspicious), and spam filters do -not- block this type of file extension. Finally, researchers are also impacted because their sandbox environments do not have Publisher installed by default, making the sample impossible to analyze! A sample of a malicious .pub file is already available on VT[4] with a low detection score (5/55). Stay safe!"
    [1] https://isc.sans.edu/forums/diary/Vo...somware/21397/
    [2] https://isc.sans.edu/forums/diary/To...pt+File/21423/
    [3] https://products.office.com/en/publisher
    [4] https://www.virustotal.com/en/file/2...37fd/analysis/

    Last edited by AplusWebMaster; 2016-09-05 at 19:08.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #1045
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Invoice', 'August invoice', 'Message.. scanner', 'Suspected Purchases' SPAM

    FYI...

    Fake 'Invoice' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/invoi...elivers-locky/
    6 Sep 2016 - "... series of Locky downloaders... an email with the subject of 'Invoice INV0000385774' (random numbers) coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file... One of the emails looks like:
    From: Earlene conyers <Earlene859@ pickledlizards .com>
    Date: Tue 06/09/2016 10:27
    Subject: INV0000385774
    Attachment: ea00ba32a5.zip
    Please find our invoice attached.


    6 September 2016: Invoice_INV0000385774.zip: Extracts to: 14Tf5zYWx67.wsf - Current Virus total detections 6/56*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://around4percent.web .fc2 .com/j8fn3rg3?jXRJazVGV=TBojQIxnjJC
    http ://zse2 .pl/j8fn3rg3?jXRJazVGV=TBojQIxnjJC | http ://marcotormento .de/j8fn3rg3?jXRJazVGV=TBojQIxnjJC
    which is transformed by the script to pfRMaJgsGEL1.exe (VirusTotal 4/58***) which according to MALWR[4] creates/downloads/ drops another encrypted file... Payload Security reports [5] [6]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1472753839/

    ** https://malwr.com/analysis/MjI1MzM4Y...BkNzFhOTgyNWM/
    14Tf5zYWx67.wsf


    *** https://www.virustotal.com/en/file/a...is/1473154258/

    4] https://malwr.com/analysis/OTNjNjQ1O...BiZDk3MWJlMmI/
    pfRMaJgsGEL1.exe
    Hosts
    66.85.27.108
    13.107.4.50
    216.126.225.149


    5] https://www.reverse.it/sample/e586ae...ironmentId=100
    14Tf5zYWx67.wsf


    6] https://www.reverse.it/sample/adc7cc...ironmentId=100
    pfRMaJgsGEL1.exe
    Contacted Hosts
    66.85.27.108
    ___

    Fake 'August invoice' SPAM - Locky
    - https://myonlinesecurity.co.uk/xxxx-...pears-to-fail/
    6 Sep 2016 - "... next in the never ending series of Locky downloaders is an email with the subject of 'August invoice' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
    From: Douglas Holmes <Holmes.850@ redbridgeconcern .org>
    Date: Tue 06/09/2016 09:50
    Subject: August invoice
    Attachment: fe1afed4aa6f.zip
    Hello montag, Brigitte asked me to send you invoice for August. Please look over the attachment and make a payment ASAP.
    Best Regards,
    Douglas Holmes


    6 September 2016: fe1afed4aa6f.zip: Extracts to: August_invoice 2AAB15F0. pdf~.js - Current Virus total detections 4/56*
    ..Update: it looks like Payload security** have tweaked their system and managed to bypass the protection elements in today’s Locky and are now finding & getting the payloads... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1473151857/

    ** https://www.reverse.it/sample/078909...ironmentId=100

    ___

    Fake 'Message.. scanner' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/messa...elivers-locky/
    6 Sep 2016 - "... Locky downloaders.. email with the subject of 'Message from “CUKPR0959703' pretending to come from scanner @ your own email domain with a random named zip attachment based on today's date containing a WSF file... One of the emails looks like:
    From: scanner@ ...
    Date: Tue 06/09/2016 16:11
    Subject: Message from “CUKPR0959703”
    Attachment: 20160906221127.zip
    This E-mail was sent from “CUKPR0959703” (Aficio MP C305).
    Scan Date: Tue, 06 Sep 2016 22:11:27 +0700
    Queries to: <scanner@ ...


    6 September 2016: 20160906221127.zip: Extracts to: 18YrNk1xk28.wsf - Current Virus total detections 16/55*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://www.alpstaxi .co .jp/j8fn3rg3?IxurVQb=sHiOGcukdY
    http ://zui9reica.web .fc2 .com/j8fn3rg3?IxurVQb=sHiOGcukdY
    which is transformed by the script to mUExMjQPwmL1.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1473175613/

    ** https://malwr.com/analysis/Njk1YjRlN...IzYjFkNGJiOTI/

    ___

    Fake 'Suspected Purchases' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/suspe...elivers-locky/
    6 Sep 2016 - "... Locky downloaders... email with the subject of 'Suspected Purchases' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files starting with random characters and then Suspected_Purchases_PDF.js ... One of the emails looks like:
    From: Alyssa English <English.55@ heritagehomebuyers .net>
    Date: Thu 01/09/2016 19:22
    Subject: Suspected Purchases
    Attachment: 3adec1d16a7e.zip
    Dear enrico,
    We have suspected irregular purchases from the company’s account.
    Please take a look at the attached account balance to see the purchase history.
    Best Regards,
    Alyssa English
    Support Manager


    6 September 2016: 3adec1d16a7e.zip: Extracts to: FAAD4310 Suspected_Purchases_PDF.js
    Current Virus total detections 3/55*. MALWR** shows a download of an encrypted file from one of these locations:
    http ://canonsupervideo4k .ws/2sye3alf
    http ://virmalw .name/uw2vyhpd
    http ://tradesmartcoin .xyz/rwevvv3a
    which is transformed by the script to 4fWrgKKcG.dll (VirusTotal 9/58***). This also downloads the genuine Microsoft netmsg.dll... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1473179859/

    ** https://malwr.com/analysis/YWRjYjM0O...YzMTFiMWFiNjU/
    Hosts
    51.255.227.230
    185.101.218.49
    107.173.176.24


    *** https://www.virustotal.com/en/file/0...is/1473180787/
    ___

    Paypal - PHISH
    - https://myonlinesecurity.co.uk/your-...qued-phishing/
    6 Sep 2016 - "... daily -phishing- emails trying to steal your PayPal account. This one is worth mentioning because of the bad spelling and grammar that proves this does not come from an English speaking criminal. The original email looks like this:

    Screenshot: https://myonlinesecurity.co.uk/wp-co...d-1024x563.png

    From: no-reply@ paypal .com
    Date: Tue 06/09/2016 14:59
    Subject: Your PayPal access bloqued
    
    Dear Customer,
    Your account is temporarily suspended.
    We are working to protect our users against fraud!
    Your account has been selected for verification, we need to confirm that you are the real owner of this account
    To conclude the recovery of his account and service interruption card with number 4*** **** **** ****..
    Please consider that if you do not confirm your data now, we are forced to lock this account for your protection
    Must follow two steps, in case you have any questions during the execution of this process can be supported support team .
    Confirm account NAW
    Regards,
    Eduard Swards


    The link behind 'confirm account NAW' goes to a well-known -phishing- site, which has been reported so many times..
    http ://paypal-securidad .com/informations/l/l/Index/
    This one wants your personal details, your Paypal account log in details and your credit card and bank details..."

    paypal-securidad .com: 192.185.128.24: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/9b...59e6/analysis/

    Last edited by AplusWebMaster; 2016-09-06 at 21:15.

  6. #1046

    Fake 'Agreement form', 'Invoice', 'Free sports player' SPAM

    FYI...

    Fake 'Agreement form' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/agree...eads-to-locky/
    7 Sep 2016 - "... series of Locky downloaders... email with the subject of 'Agreement form' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
    From: Staci Cruz <Cruz.5000@ stluc-esa-bxl .org>
    Date: Wed 07/09/2016 09:06
    Subject: Agreement form
    Attachment: 23ad34e21057.zip
    Hi there,
    [ random name] assigned you to make the payment agreement for the new coming employees.
    Here is the agreement form. Please finish it urgently.
    Best Regards,
    Staci Cruz
    Support Manager


    7 September 2016: 23ad34e21057.zip: Extracts to: C3AB68A4 agreement_form_doc.js - Current Virus total detections 3/56*
    .. MALWR** was unable to get any downloads but shows connections to
    tradesmartcoin .xyz 216.244.68.195
    virmalw .name 51.255.227.230
    listofbuyersus .co .in
    brothermalw .ws

    Payload Security analysis*** which took an extremely long time (unusually) also doesn’t show any direct downloads or files. This is likely to mean that the Locky gang are using an ever more restrictive anti-analysis protection. Payload did detect some more unusually Apt named domains. Contacted Domains: tradesmartcoin .xyz, listofbuyersus .co.in, malwinstall .wang, brothermalw .ws, virmalw .name
    Contacted Hosts: 216.244.68.195, 51.255.227.230 ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1473235341/

    ** https://malwr.com/analysis/M2QzMjJiN...Y0ZDQ5MWUzZjk/
    Hosts
    51.255.227.230
    216.244.68.195


    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.244.68.195
    51.255.227.230


    - http://blog.dynamoo.com/2016/09/malw...-probably.html
    7 Sep 2016 - "This -fake- financial spam leads to malware:
    Subject: Agreement form
    From: Marlin Gibson
    Date: Wednesday, 7 September 2016, 9:35
    Hi there,
    Roberta assigned you to make the payment agreement for the new coming employees.
    Here is the agreement form. Please finish it urgently.
    Best Regards,
    Marlin Gibson
    Support Manager


    The name of the sender will vary. Attached is a ZIP file named with a random hexadecimal sequence, containing a malicious .JS script ending with agreement_form_doc.js and in the sample I saw there was also a duplicate..
    308F92BC agreement_form_doc - 1.js
    308F92BC agreement_form_doc.js
    Automated analysis [1] [2] shows that the scripts... attempt to download a binary from one of the following locations:
    donttouchmybaseline .ws/ecf2k1o
    canonsupervideo4k .ws/afeb6
    malwinstall .wang/fsdglygf
    listofbuyersus .co .in/epzugs
    Of those locations, only the first three resolve, as follows:
    donttouchmybaseline .ws 216.244.68.195 (Wowrack, US)
    canonsupervideo4k .ws 51.255.227.230 (OVH, France / Kitdos)
    malwinstall .wang 51.255.227.230 (OVH, France / Kitdos) ...
    The following also presumably evil sites are also hosted on those IPs:

    Currently I am unable to work out the C2 locations for the malware, which is probably Locky ransomware. In the meantime, I recommend you block:
    "
    1] https://malwr.com/analysis/MjE5MmNhY...ZlMTc5Yzk0NTE/
    Hosts
    216.244.68.195
    51.255.227.230


    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    51.255.227.230
    216.244.68.195


    'UPDATE: My trusted source (thank you) says that it phones home to the following IPs and URLs:
    In -addition- to the IPs listed above, I also recommend blocking:
    '
    ___

    Fake 'Invoice' SPAM - JS malware attachment
    - https://myonlinesecurity.co.uk/invoi...igned-malware/
    7 Sep 2016 - "An email with the subject of 'Invoice 00014904; From CHALICE GOLD MINES LIMITED' [random numbered] pretending to come from CHALICE GOLD MINES LIMITED <AccountRight@ appsmyob .com> with a link in the email body to download a zip file containing a .JS file. The .js file downloads a digitally signed .exe file...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...D-1024x647.png

    7 September 2016: 00014904.zip: Extracts to: 00014904.js - Current Virus total detections 2/55*
    .. Payload Security** shows a download from
    littlelionstudio .com/images/LLS-Landing-Image2.jpg which is actually a -renamed- .exe file which gets copied to
    2 other file names and locations on the victim computer (VirusTotal 6/57***) | Payload Security[4]
    This file is digitally signed with a valid signature so Windows will allow it to run without alerts from smart screen or other security software:
    > https://myonlinesecurity.co.uk/wp-co...1-1024x713.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1473221665/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    *** https://www.virustotal.com/en/file/0...is/1473215063/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'Free sports player' SPAM - delivers malware via hta files
    - https://myonlinesecurity.co.uk/free-...via-hta-files/
    7 Sep 2016 - "... I have seen 3 distinct subject lines:
    ****Dont’t miss this fantastic free sport media player****
    **** You wished you had this sport media player sooner****
    Amazing**** Free “Sport media Player”**

    All the emails come from Splayer XXXXX where XXXX can be team, company, player, command, online or any other similar word. The rest of the email address is -spoofed- and random...

    Screenshot: https://myonlinesecurity.co.uk/wp-co....-1024x556.png

    ... I have only found 3 base domains that contain the downloads, with hundreds of different random named folders and player versions. Each version appears to have a slightly different .hta file inside the zip and a strong warning should be given that they are using an unusual method of zipping the hta file so it extracts to computer-root and possibly/probably -autoruns- when you double click the zip:
    http ://splayering .pw/download/ziefmz8dgi7/splayer-rc10.zip
    http ://softship .online/download/6243onsblfasbatsr/splayer-rc21.zip
    http ://itgnome .online/download/bm437mgs37khxmfzdivv/splayer-rc1.zip
    > https://myonlinesecurity.co.uk/wp-co...ip_warning.png

    ... analysed 1 version of the .hta file so far but I am sure all the others will give similar results.
    7 September 2016: splayer-rc10.zip: Extracts to: splayer.hta - Current Virus total detections 2/56*
    .. Payload Security** shows a download from splayeracy .online/50d5fdc6-7ed5-4272-b148-fcade183219e/splayer.bin
    (VirusTotal 16/58***). Payload Security[4] which shows this is using the same file, file names & behaviour that was described in THIS post[5] which look like some sort of password stealer and backdoor trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1473198884/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.3.150.197

    *** https://www.virustotal.com/en/file/d...is/1473199782/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    5] https://myonlinesecurity.co.uk/invoi...igned-malware/

    splayering .pw: 192.3.150.197: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/bb...761e/analysis/

    softship .online: 192.3.150.197: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/e2...44b3/analysis/

    itgnome .online: 192.3.150.197: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/e2...44b3/analysis/

    // … as of 9/8/2016.

    Last edited by AplusWebMaster; 2016-09-08 at 15:30.

  7. #1047

    Fake 'voice mail', 'Lloyds Banking' SPAM, Malvertising w/EK's

    FYI...

    Fake 'voice mail' SPAM - Locky
    - http://blog.dynamoo.com/2016/09/malw...new-voice.html
    8 Sep 2016 - "This spam appears to come from within the victim's own domain, it has a malicious attachment. The telephone number referred to will vary.
    Subject: [Vigor2820 Series] New voice mail message from 01427087154 on 2016/09/08 15:14:54
    From: voicemail@ victimdomain .tld (voicemail@ victimdomain .tld)
    To: webmaster@ victimdomain .tld
    Date: Thursday, 8 September 2016, 13:15
    Dear webmaster :
    There is a message for you from 01427087154, on 2016/09/08 15:14:54 .
    You might want to check it when you get a chance.Thanks!


    Attached is a ZIP file with a name in the format Message_from_01427087154.wav.zip which contains a randomly-named and malicious .wsf script. My trusted source (thank you) says that the various versions of the script download from one of the following locations:
    Each URL has a random query string appended (e.g. ?abcdEfgh=ZYXwvu). Unusually, this version of -Locky- does not seem to have C2 servers so blocking it will involve blocking all the URLs listed above -or- you could monitor for the string g76gyui in your logs.
    UPDATE: the Hybrid Analysis of the script can be found here[1]."
    1] https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'Lloyds Banking' SPAM - .doc malware
    - https://myonlinesecurity.co.uk/lloyd...ivers-malware/
    8 Sep 2016 - "An email with the subject of 'Lloyds Banking Group encrypted email' pretending to come from GRP Lloydsbank Tech <info@ lloydsbanking52 .us> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... A little bit of digging around tells us that lloydsbanking52 .us was registered about 2 weeks ago...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...l-1024x775.png

    8 September 2016: PGPMessage04834838.doc - Current Virus total detections 4/56*
    .. Payload Security didn’t find any sites to download the malware.. a manual analysis & de-obfuscation of the macro you can see here original on Pastebin** shows a download from http ://aclawgroup .com .au/2.zip which gives 2.exe (VirusTotal 1/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it...
    Update: I am being told it is a smoke loader AKA Dofoil[1] which will eventually download another banking Trojan."
    1] https://blog.malwarebytes.com/threat...n-still-alive/

    * https://www.virustotal.com/en/file/5...is/1473344346/

    ** http://pastebin.com/ZuRM9iaN

    *** https://www.virustotal.com/en/file/f...is/1473344266/

    aclawgroup .com .au: 50.87.145.150: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/4e...5872/analysis/
    ___

    Quick look at recent malvertising exploit chains
    - https://www.zscaler.com/blogs/resear...exploit-chains
    Sep 7, 2016 - "... during our daily exploit kit (EK) tracking, have been seeing some changes in both RIG and Sundown EKs. We recently encountered a malvertising chain serving both EKs on subsequent visits, and decided to compile a quick look at these cases:
    Graph showing the malvertising chains
    > https://cdn-3.zscaler.com/cdn/farfut...sing-graph.PNG
    ... they quickly integrated the exploit into the more typical Sundown landing page format. In a more recent episode, Trustwave's Spiderlabs spotted the addition of a fingerprinting code*, however we have not seen this feature in our captured cycles, so the operators may have opted for the simpler, non-fingerprinted landing page since then...
    * https://www.trustwave.com/Resources/...ay-to-the-Top/
    ... In the wake of both Angler and Nuclear disappearing, RIG has taken a dominant position in the EK landscape. The RIG operators appear content, however, to iterate more slowly, with changes to the EK itself happening less frequently. That said, RIG EK authors have now made noticeable changes to the landing page structure... At this point, it's clear that the exploit kit landscape has been thoroughly shaken up since the disappearance of Angler and Nuclear (as we have covered in our round-ups and other EK-related blogs). This small update is meant to give a quick look at the latest techniques and trends used by RIG and Sundown. We will continue to monitor the situation, and provide updates to the community as usual."
    (More detail at the zscaler blog URL at the top.)

    Last edited by AplusWebMaster; 2016-09-08 at 21:16.
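    As an added example (not code from this post or from the blogs it quotes), the log-monitoring advice in the 'voice mail' item above applied to proxy logs: a Python scanner that flags the g76gyui and j8fn3rg3 download paths from the posts above regardless of the random query string, plus the /data/info.php check-in path seen in the earlier Locky items. The Squid-style log format, client addresses and sample lines are constructed for this example.

```python
"""Scan proxy access-log lines for the Locky downloader and C2 patterns
described in the posts above.

Added example, not code from the forum post or the quoted blogs.  Tokens come
from the page: g76gyui ('voice mail' run), j8fn3rg3 ('Invoice' and 'Message..
scanner' runs) and the /data/info.php check-in path.  The log format, client
addresses and sample lines are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Final path segment of the download URLs in the posts above.  A random query
# string (e.g. ?abcdEfgh=ZYXwvu) is appended, so the match is on the path only;
# a plain substring search as the post suggests also works but is noisier.
DOWNLOADER_TOKENS = frozenset({"g76gyui", "j8fn3rg3"})

# Check-in path the Hybrid Analysis reports above show for the Locky payload.
C2_PATH = "/data/info.php"

# Constructed Squid-style line:
# <epoch> <elapsed> <client> <result> <bytes> <method> <url> ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


@dataclass
class Hit:
    ts: str
    client: str
    url: str
    reason: str


def classify_url(url: str) -> Optional[str]:
    """Return a reason string when the URL matches a pattern from the posts, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    path = parts.path.rstrip("/")
    last_segment = path.rsplit("/", 1)[-1]
    if last_segment in DOWNLOADER_TOKENS:
        return "locky-downloader:" + last_segment
    if path == C2_PATH:
        return "locky-c2-checkin"
    return None


def scan_log(lines: List[str]) -> List[Hit]:
    """Parse each access-log line and keep those whose URL matches."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        reason = classify_url(m.group("url"))
        if reason is not None:
            hits.append(Hit(m.group("ts"), m.group("client"), m.group("url"), reason))
    return hits


def clients_by_reason(hits: List[Hit]) -> dict:
    """Group affected client addresses by reason, for triage."""
    out: dict = {}
    for h in hits:
        out.setdefault(h.reason, set()).add(h.client)
    return out


# Constructed sample log.  Hosts and paths on the flagged lines are the ones
# quoted in the posts; client addresses and the benign lines are made up.
SAMPLE_LOG = [
    "1473340800.123 45 10.0.0.21 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/203.0.113.5 text/html",
    "1473340801.456 310 10.0.0.21 TCP_MISS/200 204800 GET http://www.alpstaxi.co.jp/g76gyui?abcdEfgh=ZYXwvu - HIER_DIRECT/203.0.113.9 application/octet-stream",
    "1473340802.789 120 10.0.0.37 TCP_MISS/200 512 POST http://91.211.119.71/data/info.php - HIER_DIRECT/91.211.119.71 text/html",
    "1473340803.000 40 10.0.0.21 TCP_MISS/200 300 GET http://example.com/search?q=g76gyui - HIER_DIRECT/203.0.113.5 text/html",
    "1473340804.500 50 10.0.0.42 TCP_MISS/200 180000 GET http://zse2.pl/j8fn3rg3?jXRJazVGV=TBojQIxnjJC - HIER_DIRECT/203.0.113.12 application/octet-stream",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.ts} {h.client} {h.reason} {h.url}")
```

The fourth sample line carries the token only in a query string and is deliberately not flagged, which is the difference between path matching and a raw substring search.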

  8. #1048

    Fake 'Order Confirmation', 'MS acct sign-in', 'Documents Requested' SPAM

    FYI...

    Fake 'Order Confirmation' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/order...elivers-locky/
    9 Sep 2016 - "... Locky downloaders... an email with the subject of 'Order Confirmation 9226435' [random number] coming as usual from random companies, names and email addresses with a random named zip attachment containing an HTA file... One of the emails looks like:
    From: Meagan carnochan <Meagan4@ insightsundertwo .com>
    Date: Fri 09/09/2016 09:01
    Subject: Order Confirmation 9226435
    Attachment: Ord9226435.dzip extracts to 2015jozE.hta
    This message is intended only for the individual or entity to which it is
    addressed and may contain information that is private and confidential. If
    you are not the intended recipient, you are hereby notified that any
    dissemination, distribution or copying of this communication and its
    attachments is strictly prohibited.


    9 September 2016: Ord9226435.dzip: Extracts to: 2015jozE.hta - Current Virus total detections 5/55*
    .. Payload Security** shows a download of an encrypted file from walkerandhall .co .uk/7832ghd?TtrISozIzi=CemUQBnTyeQ
    which is transformed by the script to a working locky version. Unfortunately Payload security isn’t showing the converted /decrypted file amongst the downloads although the screenshots definitely show locky... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1473408597/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    - http://blog.dynamoo.com/2016/09/malw...ion-xxxxx.html
    9 Sep 2016 - "This -fake- financial spam leads to malware:
    From: Ignacio le neve
    Date: 9 September 2016 at 10:31
    Subject: Order Confirmation 355050211
    --
    This message is intended only for the individual or entity to which it is
    addressed and may contain information that is private and confidential. If
    you are not the intended recipient, you are hereby notified that any
    dissemination, distribution or copying of this communication and its
    attachments is strictly prohibited.


    The name of the sender and the reference number will vary. Attached is a file named consistently with the reference (e.g. Ord355050211.zip) but an error in the MIME formatting means that this may save with a .dzip ending instead of .zip. Contained within the ZIP file is a malicious .HTA script with a random name... This simply appears to be an encapsulated Javascript... my trusted source (thank you) says that the various scripts download from...
    (many random URLs listed at the dynamoo URL above)...
    The URL is appended with a randomised query string (e.g. ?abcdEfgh=ZYXwvu). The payload Locky ransomware has an MD5 of 5db5fc57ee4ad0e603f96cd9b7ef048a ...
    This version of Locky does not use C2s, so if you want to block traffic then I recommend using the list above -or- monitoring/blocking access attempts with 7832ghd in the string.
    UPDATE: The Hybrid Analysis* of one of the scripts does not add much except to confirm that this is ransomware."
    * https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'MS account - Unusual sign-in activity' malspam using JSE - delivers Locky
    - https://myonlinesecurity.co.uk/micro...elivers-locky/
    9 Sep 2016 - "... this being used to spread Locky ransomware is a step in the wrong direction. This sort of email ALWAYS catches out the unwary. To make it even worse a JSE file is an encoded/encrypted jscript file that runs in the computer properly but is unreadable to humans (looks like garbled text) and because of the garbled txt the majority of antiviruses do -not- see it as a threat. Jscript is a Microsoft specific interpretation of JavaScript. They use email addresses and subjects that will entice a user to read the email and open the attachment. Locky tries new techniques on a small scale to “test the waters” - we have seen several similar small scale attacks this week. They will use the results & returns from them to tweak and refine the techniques before mass malspamming them...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...y-1024x414.png

    9 September 2016: 24549.zip: Extracts to: 24549.jse - Current Virus total detections 3/56*
    .. Payload Security** shows a download from sonysoftn .top/log.php?f=3.bin which gave me log.exe (VirusTotal 20/57***).
    Payload Security[4]. Many antiviruses are only detecting this malware heuristically (generic detections based on the NSIS packer used to create it). All indications suggest that it is a new variant of Locky ransomware. The IP numbers and sites it contacts have been used this week in other Locky ransomware versions. The problems are coming in the anti-analysis protections that Locky appears to have built into the new version of their horrifically prolific ransomware. Although Payload Security does show screenshots of a Locky ransomware file. NOTE: For some weird reason screenshots and images on Payload Security are -not- showing up in Internet Explorer, although they do in Chrome and Firefox... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1473349038/

    ** https://www.reverse.it/sample/0adc7a...ironmentId=100
    Contacted Hosts
    155.94.209.82
    91.211.119.71
    158.255.6.109
    185.162.8.101
    52.32.150.180
    93.184.220.29
    54.192.203.50


    *** https://www.virustotal.com/en/file/6...is/1473398861/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.162.8.101
    158.255.6.109
    91.211.119.71
    52.34.245.108
    93.184.220.29
    54.192.203.209
    52.33.248.56

    ___

    Fake 'Documents Requested' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/pleas...elivers-locky/
    9 Sep 2016 - "... Locky downloaders... an email with the subject of 'Documents Requested' or 'FW: Documents Requested' pretending to come from a random name at your own email domain or company with a zip file named either Untitled(6).zip or newdoc(1).zip containing a HTA file (random numbers)... One of the emails looks like:
    From: random name at your own email domain or company
    Date: Fri 09/09/2016 14:03
    Subject: FW:Documents Requested
    Attachment: Untitled(6).zip
    Dear addy,
    Please find attached documents as requested.
    Best Regards,
    Gilbert


    9 September 2016: Untitled(6).zip: Extracts to: 2809tib.hta - Current Virus total detections 6/58*
    .. Payload Security** shows a download of an encrypted file from stylecode .co .in/7832ghd?KQWbOiH=QuwOGqnGpyL
    which is transformed by the script to UcyxmkpQ1.dll (VirusTotal 21/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1473420208/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    43.242.215.197
    50.112.202.19
    93.184.220.29
    54.192.13.29


    *** https://www.virustotal.com/en/file/1...is/1472755942/

    Last edited by AplusWebMaster; 2016-09-09 at 17:21.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
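
The post above recommends blocking the listed hosts or watching for the 7832ghd token in requested URLs. As an added example (not code from the forum post or from the blogs it quotes), here is a small Python scanner that applies both checks to web-proxy log lines. The log format (timestamp, client IP, destination IP, method, URL) and the log lines are constructed for this example; the path token, the shape of the random query string and the host list are the ones reported above.

```python
"""Check web-proxy log lines against the Locky download indicators quoted above.

Added example: the log format and the log lines are constructed; the path
token, query-string shape and host list are the ones reported in the post.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Fixed path token reported for this campaign, and the shape of the random
# query string that follows it (e.g. ?abcdEfgh=ZYXwvu, ?KQWbOiH=QuwOGqnGpyL).
PATH_TOKEN = "7832ghd"
QUERY_RE = re.compile(r"^[A-Za-z]{6,12}=[A-Za-z]{6,12}$")

# 'Contacted Hosts' from the sandbox report quoted above. ip_network() is used
# so that CIDR blocks (e.g. "203.0.113.0/24", a placeholder) fit the same list.
BLOCKLIST = [ipaddress.ip_network(h) for h in (
    "192.185.196.41", "93.114.64.41", "50.112.202.19",
    "72.21.91.29", "54.192.203.144",
)]

# Constructed log format: timestamp client destination method url
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample lines (.invalid hostnames are placeholders, not real sites).
LOG_LINES = [
    "2016-09-09T14:05:01 10.0.0.15 93.114.64.41 GET http://compromised-site.invalid/7832ghd?KQWbOiH=QuwOGqnGpyL",
    "2016-09-09T14:05:03 10.0.0.15 198.51.100.8 GET http://www.example.com/index.html",
    "2016-09-09T14:05:09 10.0.0.22 50.112.202.19 GET http://cdn.invalid/images/logo.png",
    "2016-09-09T14:06:11 10.0.0.31 203.0.113.7 GET http://another-site.invalid/7832ghd?abcdEfgh=ZYXwvu",
]


def ip_blocked(ip):
    """True if the destination address falls inside any blocklist entry."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKLIST)


def classify(line):
    """Return the indicator names matched by one log line (empty list if clean).

    None means the line did not parse in the expected format.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    parts = urlsplit(m["url"])
    if PATH_TOKEN in parts.path:
        reasons.append("path-token")
        # A letter-only key=value query is only corroborating, so it is
        # scored together with the path token, never on its own.
        if QUERY_RE.match(parts.query):
            reasons.append("random-query")
    if ip_blocked(m["dst"]):
        reasons.append("blocked-ip")
    return reasons


def scan(lines):
    """Return (1-based line number, reasons) for every line that hit an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    for n, reasons in scan(LOG_LINES):
        print(f"line {n}: {', '.join(reasons)}")
```

Because the blocklist is built from ip_network() objects, a CIDR range can be added beside single hosts without changing the lookup, and a destination that hits the blocklist is reported even when the URL looks ordinary.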

  9. #1049
    AplusWebMaster (Adviser Team)

    Fake 'Budget report' SPAM, Bank SMS Phish

    FYI...

    Fake 'Budget report' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/09/malw...-leads-to.html
    12 Sep 2016 - "This -fake- financial spam leads to Locky ransomware:
    From: Lauri Gibbs
    Date: 12 September 2016 at 15:11
    Subject: Budget report
    Hi [redacted],
    I have partially finished the last month's budget report you asked me to do. Please add miscellaneous expenses in the budget.
    With many thanks,
    Lauri Gibbs


    Attached is a randomly-named ZIP file which in the sample I saw contained two identical malicious scripts:
    921FA0B8 Budget_report_xls - 1.js
    921FA0B8 Budget_report_xls.js
    The scripts are highly obfuscated; however, the Hybrid Analysis* and Malwr report** show that they download a component from:
    lookbookinghotels .ws/a9sgrrak
    trybttr .ws/h71qizc
    These are hosted on a New Wave Netconnect IP at 23.95.106.223. This forms part of a block 23.95.106.128/25 which also contained Locky download locations at two other locations [1] [2] which rather makes me think that the whole range should be blocked. A DLL is dropped with a detection rate of about 8/57*** [3] [4] which appears to phone home to:
    51.255.105.2/data/info.php (New wind Stanislav, Montenegro / OVH / France)
    185.154.15.150/data/info.php [hostname: tyte .ru] (Dunaevskiy Denis Leonidovich, Russia / Zomro, Netherlands)
    95.85.29.208/data/info.php [hostname: ilia909.myeasy .ru] (Digital Ocean, Netherlands)
    46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
    91.214.71.101/data/info.php (ArtPlanet LLC, Russia) ...
    Recommended minimum blocklist:
    23.95.106.128/25
    51.255.105.2
    185.154.15.150
    95.85.29.208
    46.173.214.95
    91.214.71.101
    "
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    23.95.106.223
    95.85.29.208
    46.173.214.95
    91.214.71.101
    51.255.105.2
    185.154.15.150


    ** https://malwr.com/analysis/M2M4NzY4M...YzZTFkODlmODM/
    Hosts
    23.95.106.223

    1] http://blog.dynamoo.com/2016/09/malw...ou-credit.html

    2] http://blog.dynamoo.com/2016/09/malw...acilities.html

    *** https://virustotal.com/en/file/76438...is/1473694538/

    3] https://virustotal.com/en/file/76438...is/1473694538/

    4] https://virustotal.com/en/file/a7c5d...is/1473694540/
    ___

    Avoid: BofA, Wells Fargo - SMS Phishing
    - https://blog.malwarebytes.com/cyberc...-sms-phishing/
    Sep 12, 2016 - "It always pays to be cautious where -unsolicited- text messages are concerned, as conniving phishers don’t always stick to the tried and tested route of email scams. For example, here are two random texts sent out to one of our burner phones:
    > https://blog.malwarebytes.com/wp-con...bofa-phish.jpg
    ...
    > https://blog.malwarebytes.com/wp-con...ells-phish.jpg
    The targets here are customers of Bank of America and Wells Fargo. The messages read as follows:
    BofA customer your account has been disabled!!!
    Please read this readmybank0famerica.cipmsg-importantnewalertt(dot)com


    I think I’d probably be faintly worried if my otherwise sober and business-like bank started sending out messages with more than two exclamation marks in a sentence, but even without that, observant recipients would notice they also added an extra “t” onto the end of “alert”. The other message reads as follows:
    (wells fargo) important message from security department! Login
    vigourinfo(dot)com/secure.well5farg0card(dot)html

    The above URL -redirects- clickers to the below website:
    denibrancheau(dot)com/drt/w311sfg0/
    > https://blog.malwarebytes.com/wp-con...ls-phish-2.jpg
    The phishers want a big slice of personal information, including name, DOB, driving license, social security number, mother’s maiden name, address, city, zipcode, card information, ATM PIN number, and even an email address.
    All this, from a simple text... SMS phishing is not new, but it does snag a lot of victims. Random messages from your “bank” asking you to visit a link should be treated with suspicion, especially if those links ask you to login. Banks are certainly not the only target of SMS phishers, but they’re one of the more valuable bullseyes for scammers to sink their teeth into. Whether receiving messages by email, text, or phone, your logins are only as safe as you make them – don’t make it easy for bank phishers and delete that spam."

    readmybank0famerica.cipmsg-importantnewalertt(dot)com: A temporary error occurred during the lookup...

    vigourinfo(dot)com/secure.well5farg0card(dot)html: 166.62.26.11: https://www.virustotal.com/en/ip-add...1/information/

    denibrancheau(dot)com/drt/w311sfg0/ : 173.236.178.135: https://www.virustotal.com/en/ip-add...5/information/

    Last edited by AplusWebMaster; 2016-09-12 at 19:44.
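
The SMS texts quoted above lean on digit-for-letter substitutions ("bank0famerica", "well5farg0", "w311sfg0") to pass for a bank's name. As an added example (not code from the post or from the Malwarebytes write-up it quotes), here is a Python check that undoes those substitutions and scores each link token against a list of protected brand names. The brand list, the homoglyph table and the 0.8 similarity threshold are assumptions; the first two sample messages are the ones quoted above, the third is the redirect target named in the post, and the fourth is a constructed benign message.

```python
"""Flag SMS text whose links imitate a bank's name, as in the texts quoted above.

Added example: the brand list, homoglyph table and threshold are assumptions;
the first three samples come from the post, the fourth is constructed.
"""
import re
from difflib import SequenceMatcher

BRANDS = ("bankofamerica", "wellsfargo")   # assumption: brands being protected
# Digits commonly swapped in for letters; extend as needed (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
MIN_SCORE = 0.8                              # assumption: similarity threshold
URL_RE = re.compile(r"[a-z0-9.\-]+\.[a-z]{2,}(?:/\S*)?")

SAMPLES = [
    "BofA customer your account has been disabled!!! Please read this "
    "readmybank0famerica.cipmsg-importantnewalertt(dot)com",
    "(wells fargo) important message from security department! Login "
    "vigourinfo(dot)com/secure.well5farg0card(dot)html",
    "denibrancheau(dot)com/drt/w311sfg0/",
    "Your parcel is ready, track it at example.com/track/12345",   # constructed, benign
]


def refang(text):
    """Turn the defanged '(dot)' / '[.]' notation used in reports back into real dots."""
    return re.sub(r"\(dot\)|\[\.\]", ".", text, flags=re.I)


def find_urls(text):
    """Extract host/path-looking substrings from a message."""
    return URL_RE.findall(refang(text).lower())


def best_match(token, brand):
    """Similarity of one URL token to a brand name after undoing digit swaps.

    Exact containment scores 1.0; otherwise the best brand-length window of the
    token is compared with difflib, so 'wellsfgo' still scores high for wellsfargo.
    """
    norm = token.translate(HOMOGLYPHS)
    if brand in norm:
        return 1.0
    n = len(brand)
    windows = [norm[i:i + n] for i in range(max(1, len(norm) - n + 1))]
    return max(SequenceMatcher(None, w, brand).ratio() for w in windows)


def scan_sms(message):
    """Return (url, token, brand, score) for every link token that imitates a brand."""
    findings = []
    for url in find_urls(message):
        for token in re.findall(r"[a-z0-9]+", url):
            if len(token) < 5:        # 'com', 'drt', 'html' are too short to imitate a brand
                continue
            for brand in BRANDS:
                score = best_match(token, brand)
                if score >= MIN_SCORE:
                    findings.append((url, token, brand, round(score, 2)))
    return findings


if __name__ == "__main__":
    for msg in SAMPLES:
        print(scan_sms(msg) or "no lookalike found")
```

The windowed comparison is what catches the shortened "w311sfg0" path, which contains no full brand string even after normalisation; the price is that tokens shorter than five characters are skipped to keep generic words like "secure" from scoring.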

  10. #1050
    AplusWebMaster (Adviser Team)

    Fake 'Tax invoice', 'Accounts Documentation', 'Equipment receipts' SPAM

    FYI...

    Fake 'Tax invoice' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/tax-i...elivers-locky/
    13 Sep 2016 - "... Locky downloaders... an email with the subject of 'Tax invoice' coming as usual from random companies, names and email addresses with a randomly named/numbered zip attachment containing 2 identical .WSF files. Payload Security* shows an error in the downloaded file so it might not actually deliver the Locky ransomware or it might be that it will not run on a sandbox or VM... One of the emails looks like:
    From: Anne Fernandez <Fernandez.8581@ starfamilymedicine .com>
    Date: Tue 13/09/2016 10:12
    Subject: Tax invoice
    Attachment: 1a45b45d76ed.zip
    Dear Client,
    Attached is the tax invoice of your company. Please do the payment in an urgent manner.
    Best regards,
    Anne Fernandez


    13 September 2016: 1a45b45d76ed.zip: Extracts to: tax_invoice_scan PDF.316AA.wsf - Current Virus total detections 5/56**
    .. Payload Security shows a download of an encrypted file from smilehymy .com/f72gngb which is transformed by the script to c2BwHrtql2.dll (VirusTotal 9/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    23.249.164.116
    95.85.29.208
    91.214.71.101
    51.255.105.2
    185.154.15.150
    46.173.214.95
    217.187.13.71


    ** https://www.virustotal.com/en/file/3...is/1473758776/

    *** https://www.virustotal.com/en/file/1...is/1473759502/

    - http://blog.dynamoo.com/2016/09/malw...nvoice-of.html
    13 Sep 2016 - "This -fake- financial spam leads to Locky ransomware:
    Subject: Tax invoice
    From: Kris Allison (Allison.5326@ resorts .com.mx)
    Date: Tuesday, 13 September 2016, 11:22
    Dear Client,
    Attached is the tax invoice of your company. Please do the payment in an urgent manner.
    Best regards,
    Kris Allison


    The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:
    adzebur .com/dsd7gk [37.200.70.6] (Selectel Ltd, Russia)
    duelrid .com/b9m1t [not resolving]
    madaen .net/e3ib4f [143.95.252.28] (Athenix Inc, US)
    morningaamu .com/6wdivzv [not resolving]
    smilehm .com/f72gngb [not resolving]
    The payload then phones home... Recommended blocklist:
    37.200.70.6
    91.214.71.101
    51.255.105.0/28
    185.154.15.150
    46.173.214.95
    95.85.29.208
    217.187.13.71
    "
    ___

    Fake 'Accounts Documentation' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/accou...elivers-locky/
    13 Sep 2016 - "... Locky downloaders... an email with the subject of 'Accounts Documentation – Invoices' pretending to come from CreditControl @ your own email domain with a randomly named zip attachment containing an .HTA file... One of the emails looks like:
    From: CreditControl@...
    Date: Tue 13/09/2016 10:22
    Subject: Accounts Documentation – Invoices
    Attachment: ~0166.zip
    Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.
    If you have any queries please do not hesitate to contact the Credit Controller who deals with your account.
    Alternatively if you do not know the name of the Credit Controller you can contact us at:
    CreditControl@...
    Please do not reply to this E-mail as this is a forwarding address only.


    13 September 2016: ~0166.zip: Extracts to: 22FrDra16.hta - Current Virus total detections 6/56*
    .. Payload Security** shows a download of an encrypted file from goldenladywedding .com/vdG76VUY76rjnu?CHhjpz=zhXHhhwS which is transformed by the script to a working Locky ransomware (unfortunately Payload Security does not show or allow us to download the actual file)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1472753839/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.185.94.100
    93.184.220.29
    54.192.203.254

    ___

    Fake 'Equipment receipts' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/equip...elivers-locky/
    13 Sep 2016 - "... Locky downloaders... an email with the subject of 'Equipment receipts' coming as usual from random companies, names and email addresses with a randomly named zip attachment containing 2 identical .WSF files... One of the emails looks like:
    From: Stacey Aguirre <Aguirre.535@ coopenet .com.ar>
    Date: Tue 13/09/2016 17:36
    Subject: Equipment receipts
    Attachment: 5926f98c2d8d.zip
    Good day hyperbolasmappera, Molly asked you to file the office equipment receipts.
    Here is the photocopying equipment receipts purchased last week.
    Please send him the complete file as soon as you finish.
    Best regards,
    Stacey Aguirre


    13 September 2016: 5926f98c2d8d.zip: Extracts to: Equipment receipts 66BF9A.wsf - Current Virus total detections 5/55*
    .. Payload Security** shows a download of an encrypted file from latexuchee .net/c4i03t which is transformed by the script to B6fKnUsSQfkrS.dll (VirusTotal 10/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1473785537/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    31.210.120.153
    51.255.105.2
    95.85.29.208
    217.187.13.71


    *** https://www.virustotal.com/en/file/a...is/1473786095/

    Last edited by AplusWebMaster; 2016-09-13 at 21:46.
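
The campaigns in this post share a few attachment traits: a ZIP holding a .wsf/.hta/.js script, a member name dressed up with a document word ("tax_invoice_scan PDF.316AA.wsf"), two identical copies of the script in one archive, and (from an earlier post in the thread) an archive that arrives with a wrong .dzip extension. As an added example (not code from the post or from the blogs it quotes), here is a Python inspection routine of the kind a mail gateway could run over an attachment, reporting each of those traits. The archive and its member bodies are constructed in the block; the script-extension set and the decoy-word list are assumptions.

```python
"""Inspect a ZIP attachment for the traits reported in the posts above.

Added example: the archive and member contents are constructed here; the
member names follow the patterns quoted in the posts. The extension set and
decoy-word list are assumptions.
"""
import hashlib
import io
import re
import zipfile
from collections import defaultdict

SCRIPT_EXTS = {"hta", "js", "jse", "wsf", "vbs", "vbe"}          # assumption: types to quarantine
DECOY_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}  # document words used as bait


def build_sample_zip():
    """Construct a test archive: two identical .wsf members plus a harmless text file."""
    body = b"placeholder script body, constructed for this example\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tax_invoice_scan PDF.316AA.wsf", body)
        zf.writestr("tax_invoice_scan PDF.316AA - 1.wsf", body)
        zf.writestr("notes.txt", b"nothing to see here\n")
    return buf.getvalue()


def looks_like_zip(data):
    """Decide by magic bytes, not by extension, so a mis-named .dzip is still inspected."""
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def inspect_zip(data):
    """Return [(member name, [flags])] for every file in the archive."""
    if not looks_like_zip(data):
        return [("<archive>", ["not-a-zip"])]
    findings = []
    by_digest = defaultdict(list)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename
                stem, dot, ext = name.rpartition(".")
                ext = ext.lower() if dot else ""
                flags = []
                if ext in SCRIPT_EXTS:
                    flags.append("script-attachment")
                    # Name carries a document-type word although the file is a script
                    if set(re.findall(r"[a-z0-9]+", stem.lower())) & DECOY_WORDS:
                        flags.append("decoy-document-name")
                by_digest[hashlib.sha256(zf.read(info)).hexdigest()].append(name)
                findings.append((name, flags))
    except zipfile.BadZipFile:
        return [("<archive>", ["corrupt-zip"])]
    # Members with byte-identical content, as in the "2 identical .WSF files" cases
    dupes = {n for names in by_digest.values() if len(names) > 1 for n in names}
    for name, flags in findings:
        if name in dupes:
            flags.append("duplicate-content")
    return findings


def verdict(findings):
    """Quarantine when any member is a script; otherwise deliver."""
    return "quarantine" if any("script-attachment" in f for _, f in findings) else "deliver"


if __name__ == "__main__":
    report = inspect_zip(build_sample_zip())
    for name, flags in report:
        print(f"{name}: {', '.join(flags) or 'clean'}")
    print("verdict:", verdict(report))
```

Checking the magic bytes before trusting the filename is the point of looks_like_zip(): the earlier post notes that a MIME error can make the attachment save as .dzip, and a gateway that keys only on the .zip extension would let that archive through uninspected.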
