
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1051 AplusWebMaster (Adviser Team, joined Oct 2005, USA, 6,881 posts)

    Fake 'Account report', 'Delivery Confirmation', 'Renewed License', 'payment copy' SPAM

    FYI...

    Fake 'Account report' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/accou...elivers-locky/
    14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Account report' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... Payload Security[1] shows an error in running the dll file... One of the emails looks like:
    From: Kimberley Witt <Witt.0236@ shopscissors .com>
    Date: Wed 14/09/2016 08:31
    Subject: Travel expense sheet
    Attachment: 667b8951c871.zip
    Dear nohdys, we have detected the cash over and short in your account.
    Please see the attached copy of the report.
    Best regards,
    Kimberley Witt
    e-Bank Manager


    14 September 2016: 667b8951c871.zip: Extracts to: Account report 2311EEF4.wsf - Current Virus total detections 5/55**
    .. MALWR*** was unable to get any content. Payload Security[1] shows a download of an encrypted file from
    maydayen .net/l835ztl which is transformed by the script to RjN1UKDIQLzodBg.dll (VirusTotal 21/58[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    178.212.131.10

    ** https://www.virustotal.com/en/file/e...is/1473838191/

    *** https://malwr.com/analysis/YTRlNjk0Y...JlYTkxNTFlYWI/

    4] https://www.virustotal.com/en/file/1...is/1472755942/
    ___

    Fake 'Delivery Confirmation' SPAM - delivers Locky/Zepto
    - https://myonlinesecurity.co.uk/deliv...rs-lockyzepto/
    14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Delivery Confirmation: 00336499' [random numbers] coming as usual from ship-confirm@ random companies, names and email addresses with a random named zip attachment containing a .JS file. These are slightly better done than some recent ones. The attachment number Shipping Notification matches the subject Delivery Confirmation number... One of the emails looks like:
    From: ship-confirm@ laughlinandbowen .com
    Date: Wed 14/09/2016 10:55
    Subject: Delivery Confirmation: 00336499
    Attachment: Shipping Notification 00336499.zip
    PLEASE DO NOT REPLY TO THIS E-MAIL. IT IS A SYSTEM GENERATED MESSAGE.
    Attached is a pdf file containing items that have shipped
    Please contact us if there are any questions or further assistance we can provide


    14 September 2016: Shipping Notification 00336499.zip: Extracts to: WOIMKE51915.js
    Current Virus total detections 7/55*. MALWR** shows a download of an encrypted file from one of these locations:
    http ://adventurevista .com/hjy93JNBasdas?TVwzUk=tqFSMMU | http ://morerevista .com/hjy93JNBasdas?TVwzUk=tqFSMMU
    which is transformed by the script to TKuAgcqe3.dll (VirusTotal 6/57***)... There are frequently 5 or 6 and even up to 150 download locations on some days, sometimes delivering exactly the same malware from all locations and sometimes slightly different malware versions... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1473847035/

    ** https://malwr.com/analysis/MWE1OWVkZ...ljOTFmNjkxYTk/
    Hosts
    204.93.163.87
    23.236.238.227


    *** https://www.virustotal.com/en/file/d...is/1473848281/
    ___

    Fake 'Renewed License' SPAM - more Locky
    - https://myonlinesecurity.co.uk/renew...elivers-locky/
    14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Renewed License' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... One of the emails looks like:
    From: Stella Henderson <Henderson.70579@ siamesegear .com>
    Date: Wed 14/09/2016 17:58
    Subject: Renewed License
    Attachment: 4614d82776.zip
    Here is the company’s renewed business license.
    Please see the attached license and send it to the head office.
    Best regards,
    Stella Henderson
    License Manager


    14 September 2016: 4614d82776.zip: Extracts to: renewed business license 3D956A.wsf
    Current Virus total detections 2/55*. MALWR** seems unable to cope with WSF files like this. Payload Security*** shows a download of an encrypted file from moismdheri .net/jqpxub which is transformed by the script to a working locky file, which unfortunately isn’t being shown or made available... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1473872609/

    ** https://malwr.com/analysis/MmFlNDUzM...M1MzE3ZjhlNzY/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    37.200.70.6
    52.32.150.180
    93.184.220.29
    54.192.203.123

    ___

    Fake 'payment copy' SPAM - delivers Locky/Zepto
    - https://myonlinesecurity.co.uk/payme...s-locky-zepto/
    13 Sep 2016 - "... Locky downloaders.. an email with the subject of 'payment copy' coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file. The email body has -no- content except 'Best Regards' and the alleged senders name... One of the emails looks like:
    From: Eddie screen <Eddie450@ hidrolats .lv>
    Date: Tue 13/09/2016 22:02
    Subject: payment copy
    Attachment: PID6650.zip

    Best Regards, _________
    Eddie screen


    13 September 2016: PID6650.zip: Extracts to: OCRXIB2826.wsf - Current Virus total detections 7/56*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://allchannel .net/jpqhvig?eGkOBjIQFz=dEVDXjWYjjH | http ://feechka .ru/wdxwxoa?eGkOBjIQFz=dEVDXjWYjjH
    http ://jonathankimsey .com/rptyswr?eGkOBjIQFz=dEVDXjWYjjH
    which is transformed by the script to yvXjbqxs1.dll (VirusTotal 7/58***). Payload Security[4] is showing a different dll downloaded & converted... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1473800782/

    ** https://malwr.com/analysis/MzNiNjBmY...IzMjQyNDJmNjk/
    Hosts
    94.73.146.80
    5.61.32.143
    143.95.41.185


    *** https://www.virustotal.com/en/file/7...is/1473801197/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    94.73.146.80
    5.61.32.143
    143.95.41.185
    52.24.123.95
    93.184.220.29
    54.192.203.254
    91.198.174.192
    91.198.174.208
    52.33.248.56


    Last edited by AplusWebMaster; 2016-09-14 at 22:47.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #1052 AplusWebMaster

    Fake 'financial report', 'SCAN' SPAM, Bitcoin Phish

    FYI...

    Fake 'financial report' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/finan...elivers-locky/
    15 Sep 2016 - "... Locky downloaders... an email with the subject of 'financial report' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
    From: Lenora Preston <Preston.03846@ tarquinm .com>
    Date: Thu 15/09/2016 09:13
    Subject: financial report
    Attachment: b3fe1958be4e.zip
    Annabelle is urging you to get the financial report done within this week.
    Here are some accounting data I have collected. Please merge it into your report.
    Best regards,
    Lenora Preston


    15 September 2016: b3fe1958be4e.zip: Extracts to: financial report 6AD1543.js - Current Virus total detections 3/55*
    .. MALWR** shows a download of an encrypted file from http ://wyvesnarl .info/1gtqiyj which is transformed by the script to bNvbVc5R8fy.dll (VirusTotal 15/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1473927705/

    ** https://malwr.com/analysis/ZDkyZTdmM...JlMWZlMTZhNjM/
    Hosts
    37.200.70.6

    *** https://www.virustotal.com/en/file/9...is/1473928074/
    ___

    Fake 'SCAN' SPAM - delivers Locky/Zepto
    - https://myonlinesecurity.co.uk/scan-...s-locky-zepto/
    15 Sep 2016 - "... Locky downloaders... an email with the subject of 'SCAN' coming from logistics@ random companies, names and email addresses with a random named zip attachment starting with SCAN_ today's date containing a WSF file... One of the emails looks like:
    From: Elaine woolley <logistics@ kemindo-international .com>
    Date: Thu 15/09/2016 10:37
    Subject: Scan
    Attachment: SCAN_20160915_8952113428.zip
    Elaine woolley
    Logistics Department
    ALGRAFIKA SH.P.K ...


    15 September 2016: SCAN_20160915_8952113428.zip: Extracts to: QATZEQE1822.wsf - Current Virus total detections 6/55*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://lullaby-babies .co.uk/afdIJGY8766gyu?EAiVvPQk=DvRgYPfvxC
    http ://iassess .net/afdIJGY8766gyu?EAiVvPQk=DvRgYPfvxC
    http ://techboss .net/afdIJGY8766gyu?EAiVvPQk=DvRgYPfvxC which is transformed by the script to
    UloAJcCuAfq1.dll (VirusTotal 6/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1473932344/

    ** https://malwr.com/analysis/YTU5OWRkM...ZkYjY3MTE0MDI/
    Hosts
    213.205.40.169
    186.202.126.199
    81.169.145.224
    158.69.147.88
    66.85.27.250


    *** https://www.virustotal.com/en/file/f...is/1473932910/
    ___

    Bitcoin Phishing
    - https://blog.opendns.com/2016/09/15/...ing-next-wave/
    Sep 15, 2016 - "... Through this investigation, we found more than 280 Bitcoin phishing domains, so it is clear here that your Bitcoins are under attack. Additionally, criminals are using different methods and tricks to stay under the radar, such as using reverse proxy services to hide the IPs serving the illegal content..."
    (More at the opendns URL above.)

    Last edited by AplusWebMaster; 2016-09-15 at 20:08.

  3. #1053 AplusWebMaster

    Fake 'request', 'Booking confirmation' SPAM, Locky download locations

    FYI...

    Fake 'request' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/here-...elivers-locky/
    16 Sep 2016 - "... Locky downloaders... an email with the subject of 'Re: request' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
    From: Leroy Dillard <Dillard.65@ airtelbroadband .in>
    Date: Fri 16/09/2016 08:15
    Subject: Re: request
    Attachment: 819533a5b1ac.zip
    Dear adkins, as you inquired, here is the invoice from September 2016.
    Let me know whether it is the correct invoice number you needed or not.


    16 September 2016: 819533a5b1ac.zip: Extracts to: september_2016_details_~2CB6B4~.js
    Current Virus total detections 1/55*. Payload Security** shows a download of an encrypted file from
    satyrwelf .net/27d4l09 which is transformed by the script to a working locky ransomware file. Unfortunately Payload Security does not show or download the file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1474009965/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    178.212.131.10
    52.32.150.180
    93.184.220.29
    54.192.203.192
    52.33.248.56

    ___

    Fake 'Booking confirmation' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/booki...elivers-locky/
    15 Sep 2016 8:39 pm - "... Locky downloaders... an email with the subject of 'Booking confirmation' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 files: one is a .JS file, the other is a 4kb file with a single character name that is full of 0 byte padding... One of the emails looks like:
    From: Avery Moses <Moses.17671@ domainedelunard .com>
    Date: Thu 15/09/2016 19:58
    Subject: Booking confirmation
    Attachment: 426c7ce21e1.zip
    Hi there allan.dickie, it’s Avery. I booked the ticket for you yesterday.
    See the attachment to confirm the booking.
    King regards,
    Avery Moses


    15 September 2016: 426c7ce21e1.zip: Extracts to: Booking confirmation ~0D68BA0~.js
    Current Virus total detections 1/54*. Payload Security** shows a download of an encrypted file from
    satyrwelf .net/27d4l09 which is transformed by the script to a working locky ransomware file. Unfortunately Payload security does not show or download the file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1473966399/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    178.212.131.10
    52.32.150.180
    93.184.220.29
    54.192.203.192
    52.33.248.56

    ___

    Locky download locations 2016-09-16
    - http://blog.dynamoo.com/2016/09/lock...016-09-16.html
    16 Sep 2016 - "I haven't had a chance to look at Locky today, but here are the current campaign download locations (thanks to my usual source)..
    (Many domain-names shown at the dynamoo URL above.)
    The first two lists are legitimate hacked sites, the last list are hosted on the following two IPs which are -definitely- worth blocking:
    178.212.131.10 (21 Century Telecom Ltd, Russia)
    37.200.70.6 (Selectel Ltd, Russia) "

    178.212.131.10: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/e3...4461/analysis/
    37.200.70.6: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/71...8c1a/analysis/
    ___

    Email tips - from Malwarebytes ...
    - https://blog.malwarebytes.com/101/20...are-infection/
    "... Read emails with an eagle eye. Check the sender’s address. Is it from the actual company he or she claims? Hover over links provided in the body of the email. Is the URL legit? Read the language of the email carefully. Are there weird line breaks? Awkwardly constructed sentences that sound foreign? And finally, know the typical methods of communication for important organizations. For example, the IRS will never contact you via email. When in doubt, call your healthcare, bank, or other potentially-spoofed organization directly.
    > Bonus mobile phone tip: Cybercriminals love spoofing banks via SMS/text message or -fake- bank apps. Do not confirm personal data via text, especially social security numbers. Again, when in doubt, contact your bank directly..."
    ___

    Amex users hit with phish offering anti-phish
    - https://www.helpnetsecurity.com/2016...ng-protection/
    Sep 15, 2016 - "American Express users are being actively targeted with phishing emails impersonating the company and advising users to create an 'American Express Personal Safe Key' to improve the security of their accounts:
    > https://www.helpnetsecurity.com/imag...ekey-email.jpg
    Users who fall for the scheme are directed to a -bogus- Amex login page (at http ://amexcloudcervice .com/login/). Once they enter their user ID and password, they are taken to a bogus page that ostensibly leads them through the SafeKey setup process. The victims are asked to input their Social Security number, date of birth, mother’s maiden name, mother’s date of birth, their email address, the Amex card info and identification number, and the card’s expiration date and 3-digit code on the back of the card:
    > https://www.helpnetsecurity.com/imag...ogus-setup.jpg
    The victims will be taken through the setup process even if they enter incorrect login credentials. And, after they finish entering all the information asked of them, they are redirected to the legitimate Amex website, making them believe they were using it the whole time..."

    amexcloudcervice .com: 104.255.97.117: https://www.virustotal.com/en/ip-add...7/information/
    104.36.80.16: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Ransomware Trends
    - https://atlas.arbor.net/briefs/index#337041686
    Sep 15, 2016 - "... Analysis: Money is seemingly easy to make with ransomware and more variants continue to appear. $121 million in six months is no longer out of the realm of possibility with larger variants possibly making more and in less time. Developers are keen to exploit large-scale business and hospital networks, in hopes of taking advantage of deeper pockets. As they move forward, more traditional malware spreading methods will likely be employed, including web app vulnerability scanning and SQL database vulnerability scans. Ransomware-as-a-Service is quickly becoming popular. These service offerings significantly lower the barrier of entry so that almost anyone can now take advantage of this criminal activity. Unlike other malware-as-a-service offerings that usually charge fees upfront for access, most ransomware services are simply affiliate based, aiming to gain as many customers as possible in hopes of compromising more victims. These ransomware services have no monetary barrier to entry, only that most of the customers distribute their packages themselves. Ransomware may be growing leaps and bounds but the same basic mitigation principles exist. Users are encouraged to avoid unsolicited emails and attachments, -never- enable macros in documents unless you have a legitimate reason to, maintain up-to-date system backups that are stored offline, and update systems with the latest patches and security elements as quickly as possible..."
    ___

    Azure outage...
    - https://azure.microsoft.com/en-us/status/history/
    9/15 ...

    Last edited by AplusWebMaster; 2016-09-17 at 15:26.

  4. #1054 AplusWebMaster

    Fake 'Express Parcel service', 'Order' SPAM

    FYI...

    Fake 'Express Parcel service' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/09/malw...l-service.html
    19 Sep 2016 - "This spam has a malicious attachment:
    From: Marla Campbell
    Date: 19 September 2016 at 09:09
    Subject: Express Parcel service
    Dear [redacted], we have sent your parcel by Express Parcel service.
    The attachment includes the date and time of the arrival and the lists of the items you ordered. Please check them.
    Thank you.


    Attached is a randomly named ZIP file containing a malicious .js script in the format Express Parcel service ~0A1B2C~.js with a junk w file that seems to contain nothing. The Hybrid Analysis* for one sample shows a download location of:
    178.212.131.10/z3zeg (21 Century Telecom Ltd, Russia)
    There are probably others (I'll post them if I get them). The payload appears to be Locky ransomware, phoning home to:
    195.64.154.202/data/info.php (Ukrainian Internet Names Center LTD, Ukraine)
    46.38.52.225/data/info.php (TCTEL, Russia)
    ajsrbomqrrlra .pw/info.php [91.223.88.209] (Private Person Anton Malyi aka conturov.net, Ukraine)
    It drops a DLL with a detection rate of 8/54**.

    UPDATE: These Hybrid Analysis reports of other samples [1] [2]... show -other- download locations... All of these domains are hosted on evil IPs:
    178.212.131.10 (21 Century Telecom Ltd, Russia)
    91.194.250.131 (Evgeniy Zbarazhskiy aka TOV 'Dream Line Holding', Ukraine)...

    Recommended blocklist:
    195.64.154.202
    46.38.52.225
    91.223.88.209
    178.212.131.10

    91.194.250.131 "
    The last one listed in italics is part of the update.

    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    91.194.250.131
    46.38.52.225
    195.64.154.202
    91.223.88.209


    ** https://virustotal.com/en/file/49881...is/1474275264/

    1] https://www.hybrid-analysis.com/samp...ironmentId=100

    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    ___

    Fake 'Order' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/tvh-u...eads-to-locky/
    19 Sep 2016 - "... Locky downloaders... an email with the subject of 'Order: 19487600/00 – Your ref.: 11893' [random order number, random reference number] coming as usual from random companies, names and email addresses with a macro enabled word doc attachment...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...3-1024x624.png

    19 September 2016: OffOrd_19487600-00-35879-972570.docm - Current Virus total detections 11/55*
    .. MALWR** shows a download of an encrypted file from http ://sarayutechnologies .com/67SELbosjc358
    which is transformed by the macro to chrendokss.dll and autorun (VirusTotal 8/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1474284844/

    ** https://malwr.com/analysis/YjA5Zjc0N...Y3ZDExNTExM2Q/
    Hosts
    89.163.249.205

    *** https://www.virustotal.com/en/file/f...is/1474288204/

    - http://blog.dynamoo.com/2016/09/malw...-your-ref.html
    19 Sep 2016 - "This -fake- financial spam has a malicious attachment that leads to Locky ransomware.
    Subject: Order: 28112610/00 - Your ref.: 89403
    From: Melba lochhead (SALES1@ krheadshots .com)
    Date: Monday, 19 September 2016, 16:05
    Dear customer,
    Thank you for your order.
    Please find attached our order confirmation.
    Should you be unable to open the links in the document, you can download the latest version of Adobe Acrobat Reader for free...
    Should you have any further questions, do not hesitate to contact me.
    Kind Regards,
    Melba lochhead
    Internal Sales Advisor - Material Handling Equipment Parts & Accessories...


    I have only seen a single sample so far, but I understand that reference numbers and names vary. Attached is a malicious .DOCM file with a name in the format OffOrd_87654321-00-1234567-654321.docm, my trusted source says that the various versions download a component...
    (Many domain-names listed at the dynamoo URL above.)
    It drops a DLL which had a moderate detection rate earlier[8/57]*. This version of Locky does -not- communicate with C2 servers, so if you want to block or monitor traffic perhaps you should use the string 67SELbosjc358."
    * https://www.virustotal.com/en/file/1...0417/analysis/
    chrendokss.dll.3860.dr

    Last edited by AplusWebMaster; 2016-09-19 at 18:45.
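    The attachment shapes that posts #1051 to #1054 keep describing (a randomly named zip holding a .JS or .WSF downloader, sometimes two identical copies of it, sometimes a one-letter filler file of nothing but zero padding, a document-looking word wedged in front of the real script extension, or a macro-enabled .docm in place of a zip) can all be checked mechanically at the mail gateway before anyone opens anything. The Python below is an added example; it is not code from this thread or from the blogs it quotes. The zips and the .docm it inspects are constructed stand-ins with inert stub contents, built in the shapes the posts describe; the script-extension list, the lure-word list and the 'vbaProject.bin' test for macros are my assumptions about what such a triage should look for.

```python
"""Attachment triage for the Locky downloader patterns quoted above.

Added example; the samples are constructed stand-ins, not real malware.
"""
import hashlib
import io
import re
import zipfile

# Windows Script Host / HTML-application types; the posts above see .js and .wsf.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")
# A document-looking word immediately before the real script extension,
# e.g. "order details pdf.js" (the lure-word list is an assumption).
DOUBLE_EXT = re.compile(r"[ ._-](pdf|docx?|xlsx?|txt|jpe?g)\.(js|jse|wsf|vbs|vbe|hta)$")
ZIP_MAGIC = b"PK\x03\x04"


def _triage_archive_members(zf: zipfile.ZipFile) -> list:
    """Flag script payloads, identical duplicates and zero-filled filler files."""
    findings, seen = [], {}
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename.rsplit("/", 1)[-1]
        low = name.lower()
        blob = zf.read(info)
        if low.endswith(SCRIPT_EXTS):
            findings.append(f"script in archive: {name}")
            if DOUBLE_EXT.search(low):
                findings.append(f"double extension: {name}")
        stem = low.rsplit(".", 1)[0]
        # "a 4kb file with a single character name that is full of 0 byte padding"
        if len(stem) == 1 and blob and blob.count(0) == len(blob):
            findings.append(f"zero-padded filler file: {name} ({len(blob)} bytes)")
        digest = hashlib.sha256(blob).hexdigest()
        if digest in seen:
            findings.append(f"identical copies: {seen[digest]} and {name}")
        else:
            seen[digest] = name
    return findings


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the suspicious traits of one attachment; an empty list means nothing flagged."""
    findings = []
    if filename.lower().endswith(SCRIPT_EXTS):
        findings.append(f"bare script attachment: {filename}")
    if not data.startswith(ZIP_MAGIC):
        return findings  # neither a zip nor an OOXML document
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
        # OOXML documents are zips; a VBA project inside means macros are present.
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append(f"macro-enabled Office document: {filename}")
        else:
            findings.extend(_triage_archive_members(zf))
    return findings


def _make_zip(members) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members:
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed samples in the shapes the posts describe; the contents are inert stubs.
WSF_STUB = b'<job><script language="JScript">// constructed stub, does nothing</script></job>'
JS_STUB = b"// constructed stub, does nothing\n"
SAMPLES = {
    # two identical .wsf copies, as in the 'Account report' and 'Renewed License' runs
    "667b8951c871.zip": _make_zip([("Account report 2311EEF4.wsf", WSF_STUB),
                                   ("Account report 2311EEF4 copy.wsf", WSF_STUB)]),
    # .js plus a one-letter file of 4 kB zero padding, as in 'Booking confirmation'
    "426c7ce21e1.zip": _make_zip([("Booking confirmation ~0D68BA0~.js", JS_STUB),
                                  ("w", b"\x00" * 4096)]),
    # lure word in front of the real extension (constructed name)
    "order.zip": _make_zip([("order details pdf.js", JS_STUB)]),
    # macro-enabled Word document: an OOXML zip carrying word/vbaProject.bin
    "OffOrd_19487600-00-35879-972570.docm": _make_zip([
        ("[Content_Types].xml", b"<Types/>"),
        ("word/document.xml", b"<w:document/>"),
        ("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub"),
    ]),
    # benign control: a zip holding only a PDF
    "invoice.zip": _make_zip([("invoice_2016-09.pdf", b"%PDF-1.4 constructed stub")]),
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in triage_all().items():
        print(name, "->", hits or "clean")
```

    The duplicate check compares member hashes rather than names because zip entries may share a name, and the filler test looks at the whole file rather than its size because the posts only say "4kb" for one sample. None of these traits is proof on its own; together they are enough to quarantine the message for review rather than deliver it.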

  5. #1055 AplusWebMaster

    Fake 'Tracking data', 'documents', 'Out of stock' SPAM, Evil network, Fake AV

    FYI...

    Fake 'Tracking data' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/09/malw...-leads-to.html
    20 Sep 2016 - "This spam has a malicious attachment leading to Locky ransomware:
    From: Loretta Gilmore
    Date: 20 September 2016 at 08:31
    Subject: Tracking data
    Good afternoon [redacted],
    Your item #9122164-201609 has been sent to you by carrier.
    He will arrive to you on 23th of September, 2016 at noon.
    The tracking data (4fec25a8429fd7485c56c9211151eb42d59b57abf402cc363bc635) is attached.


    The sender's name and reference numbers vary. Attached is a randomly named .ZIP file containing a malicious .js script named in the format tracking data ~C503090F~.js (the hexadecimal number is random) plus a junk file with a single-letter name...
    UPDATE: Hybrid Analysis of various samples [1] [2].. shows the script downloading from various locations... All of these are hosted on:
    178.212.131.10 (21 Century Telecom Ltd, Russia)
    95.173.164.205 (Netinternet Bilisim Teknolojileri AS, Turkey)
    The malware then phones home to the following locations:
    91.223.88.205/data/info.php (Anton Malyi aka conturov.net, Ukraine)
    176.103.56.105/data/info.php (Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
    46.38.52.225/data/info.php (TCTEL, Russia)
    195.64.154.202/data/info.php (Ukrainian Internet Names Center, Ukraine)
    kixxutnpikppnslx .xyz/data/info.php [91.223.88.209] (Anton Malyi aka conturov.net, Ukraine)
    A DLL is dropped with a detection rate of 13/57*.
    Recommended blocklist:
    178.212.131.10
    95.173.164.205
    91.223.88.0/24
    46.38.52.225
    195.64.154.202
    "
    1] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    178.212.131.10
    91.223.88.205
    176.103.56.105
    46.38.52.225
    195.64.154.202
    91.223.88.209


    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    178.212.131.10
    46.38.52.225
    91.223.88.205
    176.103.56.105
    195.64.154.202
    91.223.88.209


    * https://virustotal.com/en/file/e5bea...e7e2/analysis/
    RwjjKUw5U4bU.dll
    ___

    Fake 'documents' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/docum...s-locky-zepto/
    20 Sep 2016 - "... Locky downloaders... an email with the subject of 'documents' pretending to come from random names @ cableone .net with a random named zip attachment containing a WSF file... One of the emails looks like:
    From: Brandi theakston <Brandi.theakston@ cableone .net>
    Date: Tue 20/09/2016 14:27
    Subject: documents
    Attachment: 5040_98991330.zip

    Brandi theakston
    Office Manager
    Box Rentals LLC
    Sanibel Executive Suites
    Crestwood Apts.
    Cleveland Apts...


    20 September 2016: 5040_98991330.zip: Extracts to: YPBUJSS17703.wsf - Current Virus total detections 5/55*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://steyjixie .net/yCTb6zqTQ?bJiuYAR=nFrDER | http ://writewile .su/CTb6zqTQ?bJiuYAR=nFrDER
    http ://wellyzimme .com/CTb6zqTQ?bJiuYAR=nFrDER which is transformed by the script to NTlCmBVJkD1.dll
    (VirusTotal 9/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1474375101/

    ** https://malwr.com/analysis/YTU5OWRkM...ZkYjY3MTE0MDI/
    Hosts
    213.205.40.169
    186.202.126.199
    81.169.145.224
    158.69.147.88
    66.85.27.250


    *** https://www.virustotal.com/en/file/2...is/1474383107/
    ___

    Evil network: 178.33.217.64/28 ... exploit kit
    - http://blog.dynamoo.com/2016/09/evil...428-et-al.html
    20 Sep 2016 - "This customer of OVH appears to be registered with -fake- details, and are distributing malware via a block at 178.33.217.64/28. Currently, the following IPs are distributing some sort of unidentified exploit kit:
    178.33.217.64
    178.33.217.70
    178.33.217.71
    178.33.217.78
    178.33.217.79
    A list of the domains associated with those IPs can be found here [pastebin*]... Checking the evolution-host .com... an invalid address with a different street number from before and an Irish telephone number... The Evolution Host website appears to have no contact details at all. RIPE associates the tag ORG-JR46-RIPE with the following IP ranges, all rented from OVH. I suggest you block -all- of them:
    91.134.220.108/30
    92.222.208.240/28
    149.202.98.244/30
    176.31.223.164/30
    178.33.217.64/28
    "
    * http://pastebin.com/9QGvmRVt
    ___

    Fake 'Out of stock' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/we-ar...elivers-locky/
    20 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Out of stock' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
    From: Steven Goodman <Goodman.55291@ 70-static.tedata .net>
    Date: Tue 20/09/2016 20:25
    Subject: Out of stock
    Attachment: 050f0ba31ac.zip
    Dear [REDACTED], we are very sorry to inform you that the item you requested is out of stock.
    Here is the list of items similar to the ones you requested.
    Please take a look and let us know if you would like to substitute with any of them.


    20 September 2016: 050f0ba31ac.zip: Extracts to: updated order ~3F369A12~ pdf.js - Current Virus total detections 4/55*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://vumdaze .com/pknjo995 | http ://youthmaida .net/7ewhtm6 which is transformed by the script to rg4V0yhh8iC.dll (VirusTotal 8/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1474400445/

    ** https://malwr.com/analysis/MjEyODUzM...RlOGY5N2JhODk/
    Hosts
    95.173.164.205
    178.212.131.10


    *** https://www.virustotal.com/en/file/5...is/1474398913/
    ___

    'Just For Men' website - serves malware
    - https://blog.malwarebytes.com/cyberc...erves-malware/
    Sep 20, 2016 - "The website for Just For Men, a company that sells various products for men as its name implies, was serving malware to its visitors. Our automated systems detected the drive-by download attack pushing the RIG exploit kit, eventually distributing a password stealing Trojan. In this particular attack chain we can see that the homepage of justformen[.]com has been injected with obfuscated code. It belongs to the EITest campaign* and this gate is used to perform the -redirection- to the exploit kit. EITest is easy to recognize (although it has changed URL patterns) for its use of a Flash file in its redirection mechanism.
    * https://blog.malwarebytes.com/threat...ware-campaign/
    RIG EK has now taken over Neutrino EK as the most commonly used and seen toolkit in the wild... We replayed the attack in our lab as shown in the video below:
    > https://youtu.be/F5uRosn8E58
    ... We reported this incident to Combe, the parent company for Just For Men. Between the time we collected our traffic capture and writing of this blog, we noticed the site had changed. As of now, the site is running the latest version of WordPress according to this scan from Sucuri** and does not appear to be compromised any more..."
    ** https://sitecheck.sucuri.net/results/justformen.com
    ... C2 callbacks:
    217.70.184.38: https://www.virustotal.com/en/ip-add...8/information/
    Country: FR / Autonomous System: 29169 (Gandi SAS)
    173.239.23.228: https://www.virustotal.com/en/ip-add...8/information/
    Country: US / Autonomous System: 27257 (Webair Internet Development Company Inc.)

    ... see "Latest detected URLs" shown in the virustotal links.
    ___

    Fake AV on Google Play ...
    - https://blog.malwarebytes.com/cyberc...o-google-play/
    Sep 19, 2016 - "Every once in a while, a -fake- antivirus pops up on the Google Play store. Most of the time, it’s just a fake scanner that doesn’t detect anything because it doesn’t actually look for anything to detect. Show a scan that simply lists all the apps on your device and it’s pretty easy to look legit. They serve up some -ads- for revenue, and you are given the false sense your phone isn’t infected — kind of a win-win unless you actually want malicious apps to be detected/removed. These apps are often ignored by real AV scanners because, technically, they aren’t doing anything malicious. It’s only when malicious intent is found that these apps are classified as bad. With a clean design and look, Antivirus Free 2016 could very easily be confused for a legitimate AV scanner:
    > https://blog.malwarebytes.com/wp-con...creenshot1.png
    ...
    > https://blog.malwarebytes.com/wp-con...creenshot4.png
    Looking deeper though, one would see its true intent. To start, Antivirus Free 2016 is given permission to read, write, send, and receive SMS messages. It isn’t usual for an AV scanner to have receive SMS permission; but to read, write, or send SMS is another story. Unfortunately, any code that deals with SMS has been obfuscated/removed from being seen. The app’s receiver and service names, such as com.xxx.message.service.receiver.SmsReceiver, com.xxx.message.service.receiver.MmsReceiver, and com.xxx.message.service.RespondService, containing these codes raises enough suspicion on their own. What isn’t hidden in the code is the use of a complex decryption algorithm used to -hide- a URL and a string named “remotePackageName”. This could possibly be used to download and install -other- apps onto the device. According to our records, 'Antivirus Free 2016' is seen in the Google Play Store between August 14th to the 31st of this year, but has been removed since. Because of its extensive malicious intent, we have classified it as Android/Trojan.FakeAV. The act of using a -fake- Antivirus product to infect customers is far from a new trick. Still, it’s scary to think that a product that is meant to protect you can be the one doing the most damage. Make sure to do your research while picking a good AV product..."

    Last edited by AplusWebMaster; 2016-09-21 at 00:06.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #1056
    AplusWebMaster (Adviser Team)

    Thumbs down Fake 'Receipt' SPAM, Waves of Locky

    FYI...

    Fake 'Receipt' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/recei...elivers-locky/
    21 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Receipt 40247' from The Music Zoo pretending to come from The Music Zoo <shipping3363@ themusiczoo .com> with a random numbered zip attachment (that matches the subject number) containing a .WSF file... One of the emails looks like:
    From: The Music Zoo <shipping3363@ themusiczoo .com>
    Date: Wed 21/09/2016 03:54
    Subject: Receipt 40247 from The Music Zoo
    Attachment: Receipt 40247.zip
    Thank you for your order! Please find your final sales receipt attached to
    this email.
    Your USPS Tracking Number is: 1634888147633172932951
    This order will ship tomorrow and you should be able to begin tracking
    tomorrow evening after it is picked up. If you have any questions or
    experience any problems, please let us know so we can assist you. Thanks
    again and enjoy!
    Thanks,
    The Music Zoo ...


    21 September 2016: Receipt 40247.zip: Extracts to: IOABB32501.wsf - Current Virus total detections 17/54*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://awaftaxled .com/JHG67g32udi?DnzmQJqbM=ncEcxrIem | http ://uphershoji .net/JHG67g32udi?DnzmQJqbM=ncEcxrIem
    which is transformed by the script to rg4V0yhh8iC.dll (VirusTotal 8/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1474436523/

    ** https://malwr.com/analysis/MzY1MjIyM...IxNjUxMGI2ZmY/
    Hosts
    62.84.69.75: https://www.virustotal.com/en/ip-add...5/information/
    Domains
    awaftaxled .com: 193.150.247.12: https://www.virustotal.com/en/ip-add...2/information/
    uphershoji .net: 62.84.69.75

    *** https://www.virustotal.com/en/file/e...is/1474435608/
    ___

    Those never-ending waves of Locky malspam
    - https://isc.sans.edu/diary.html?storyid=21505
    2016-09-21 - "Malicious spam (malspam) campaigns sending Locky ransomware are nothing new. We see reports of it on a near daily basis [1, 2]. But last month, Locky ransomware changed. It used to be downloaded as an executable file, but now it's being implemented as a DLL [3].... The malspam all contained zip archives as file attachments. Those zip archives contained either a .js file or a .wsf file. The .js files contain JavaScript and can be run with Windows Script Host by double-clicking the file. The .wsf file extension is used for a Windows Script File. These .wsf files can also be run by double-clicking on them in a Windows environment... some of these emails make it through, and people still get infected. All it takes is one message, one Windows host without enough protective measures, and one person willing to start clicking away. A solid strategy for any sort of ransomware is to make-regular-backups of any important files. Remember to test those backups, so you're certain to recover your data. These .js and .wsf files are -designed- to download Locky and run the ransomware as a DLL..."
    1] http://blog.dynamoo.com/search/label/Locky

    2] https://myonlinesecurity.co.uk/tag/locky/

    3] http://www.bleepingcomputer.com/news...ed-from-a-dll/

    Last edited by AplusWebMaster; 2016-09-21 at 20:56.

  7. #1057
    AplusWebMaster (Adviser Team)

    Thumbs down Fake 'Receipt of payment', 'Package #..' SPAM, Rising Tides of SPAM

    FYI...

    Fake 'Receipt of payment' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/recei...elivers-locky/
    22 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Receipt of payment' coming as usual from random companies, names and email addresses with a random numbered zip attachment containing a HTA file...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...t-1024x636.png

    22 September 2016: (#721632093) Receipt.zip: Extracts to: A2LOCTI1203.hta - Current Virus total detections 7/54*
    .. MALWR** is unable to analyse HTA files. Payload Security*** shows a download of an encrypted file from
    ringspo .com/746t3fg3 which is transformed by the script to a working locky file. Unfortunately Payload security free version does not show us or allow download of the locky ransomware itself... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1474506588/

    ** https://malwr.com/analysis/ODJkM2M0M...BhZmU3NzExMWI/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    67.205.36.188
    52.24.123.95
    93.184.220.29
    52.85.173.119

    ___

    Fake 'Package #..' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/packa...elivers-locky/
    22 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Package #DH4946376' [random numbers] pretending to come from DHL but actually coming as usual from random email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
    From: DHL Express <Murray.64@ yj .By>
    Date: Thu 22/09/2016 12:03
    Subject: Package #DH4946376
    Attachment: 4023cd96fe5.zip
    Dear helloitmenice,
    The package #DH4946376 you ordered has arrived today. There is some confusion in the address you provided.
    Please review the address in the attached order form and confirm to us. We will deliver as soon as we receive your reply.
    —–
    Beulah Murray
    DHL Express Support


    22 September 2016: 4023cd96fe5.zip: Extracts to: package dhl express ~0EAD6~.js - Current Virus total detections 6/55*
    .. MALWR** shows a download of an encrypted file from:
    http ://affordabledentaltours .com/g8xa1lt which is transformed by the script to UNDLiWCqgT.dll (VirusTotal 8/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1474542522/

    ** https://malwr.com/analysis/OWUxOWViM...gwN2YwMWYwOTM/
    Hosts
    69.162.148.70: https://www.virustotal.com/en/ip-add...0/information/

    *** https://www.virustotal.com/en/file/5...is/1474544725/
    ___

    RAR to JavaScript: Ransomware - Email attachments
    - http://blog.trendmicro.com/trendlabs...l-attachments/
    Sep 22, 2016 - "... Based on our analysis, 71% of known ransomware families arrive via email... Over the first half of the year, we observed how cybercriminals leveraged file types like JavaScript, VBScript, and Office files with macros to evade traditional security solutions... Trend Micro has already blocked and detected 80-million-ransomware-threats during the first half of the year; 58% of which came from email attachments. Throughout this year, we followed Locky’s spam campaign and how its ever changing email file attachments contributed to its prevalence. Based on our monitoring, the rising number of certain file types in email attachments is due to Locky. The first two months of the year, we spotted a spike in the use of .DOC files in spam emails. DRIDEX, an online banking threat notable for using macros, was, at one point, reported to be distributing Locky ransomware. From March to April, we saw a spike in the use of .RAR attachments, which is also attributed to Locky:
    > https://blog.trendmicro.com/trendlab.../Months-01.jpg
    In June and August, it appears Locky’s operators switched to using JavaScript attachments. However, this type of attachment is also known to download -other- ransomware families such as CryptoWall 3.0 and TeslaCrypt 4.0. We also noticed Locky employing VBScript attachments, likely because this can be easily obfuscated to evade scanners. Around mid-July to August, we started seeing Locky’s spam campaign using Windows Scripting file (WSF) attachments — which could explain how WSF became the second file type attachment most used by threats. With WSF, two different scripting languages can be combined. The tactic makes it difficult to detect since it’s not a file type that endpoint solutions normally monitor and flag as malicious. Cerber was also spotted using this tactic in May 2016:
    > https://blog.trendmicro.com/trendlab...r-Graph-01.jpg
    The latest strains of Locky were seen using DLLs and .HTA file attachments for distribution purposes. We surmise that malware authors abuse the .HTA file extension as it can bypass filters, given that it is not commonly known to be abused by cybercriminals:
    > https://blog.trendmicro.com/trendlab...copy_locky.jpg
    Due to the continuous changes in the use of various file attachments, we suspect that the perpetrators behind Locky will use other executable files such as .COM, .BIN, and .CPL to distribute this threat... One critical aspect of a ransomware attack is its delivery mechanism. Once ransomware-laced emails enter the network and execute on the system, they can encrypt important files..."

    "The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    ___

    Rising Tides of SPAM
    > http://blog.talosintel.com/2016/09/t...s-of-spam.html
    Sep 21, 2016 - "... According to CBL*, the last time spam volumes were this high was back in mid-2010:
    * http://www.abuseat.org/totalflow.html
    ... An internal graph generated by SpamCop which illustrates the overall size of the SpamCop Block List (SCBL) over the past year. Notice how the SCBL size hovers somewhere under 200K IP addresses pre-2016, and more recently averages closer to 400K IP addresses, spiking to over 450K IPs in August:
    > https://1.bp.blogspot.com/-F_KsOhc5l...40/image01.png
    ... We cannot predict the future and stop spam attacks before they start. Therefore, in any reasonably well-designed spam campaign there will always exist a very narrow window of time between when that spam campaign begins, and when anti-spam coverage is deployed to counter that campaign. In most anti-spam systems, this "window of opportunity" for spammers may be on the order of seconds or even minutes. Rather than make their email lists more targeted, or deploying snowshoe style techniques to decrease volume and stay under the radar, for these spammers it has become a race. They transmit as much email as cyberly possible, and for a short time they may successfully land malicious email into their victims' inboxes. For evidence of this, we need not look very far. Analyzing email telemetry data from the past week, we can readily see the influence of these high-volume spam campaigns:
    > https://4.bp.blogspot.com/-irvFPvK7I...40/image00.jpg
    ... Conclusion: Email threats, like any other, constantly evolve. As we grow our techniques to detect and block threats, attackers are simultaneously working towards evading detection technology. Unfortunately there is no silver bullet to defending against a spam campaign. Organizations are encouraged to build a layered set of defenses to maximize the chances of detecting and blocking such an attack. Of course, whenever ransomware is involved, offline backups can be -critical- to an organization's survival. Restoration plans need to be regularly reviewed -and- tested to ensure no mistakes have been made and that items have not been overlooked. Lastly, reach out to your users and be sure they understand that strange attachments are -never- to be trusted!"

    Last edited by AplusWebMaster; 2016-09-22 at 17:53.
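The ISC diary and Trend Micro pieces quoted above both make the same practical point: the Locky carriers of this period are zipped .wsf/.js/.hta scripts and macro documents, with Adwind adding stacked "report.PDF.Doc.XLS.TXT.jar" names. The following mail-gateway triage routine is an added example written for this thread; it is not code from the posts or from the quoted blogs. It opens a zip attachment in memory, looks at every member name, and blocks script/macro types and decoy double extensions. The attachment names and zip contents in the block are constructed stand-ins (the member bodies are placeholders, not real malware), and RAR archives are left out because the Python standard library cannot read them.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions the posts above report as Locky/Adwind carriers
# (.wsf, .js, .hta, .docm, .jar) plus their obvious siblings.
SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta",
               ".jar", ".docm", ".dotm", ".xlsm"}
# "Document" extensions attackers stack in front of the real one so that
# Windows' default "hide extensions" setting shows a harmless-looking name.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


@dataclass
class Verdict:
    block: bool
    reasons: list


def _ext_chain(name):
    """Return every extension of the base name, lower-cased and in order."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def classify_name(name):
    """Reasons to block a file purely from its name; empty list if none."""
    reasons = []
    chain = _ext_chain(name)
    if not chain:
        return reasons
    last = chain[-1]
    if last in SCRIPT_EXTS:
        reasons.append(f"script/macro type {last}")
        if len(chain) >= 2 and any(e in DECOY_EXTS for e in chain[:-1]):
            reasons.append("decoy double extension " + "".join(chain))
    return reasons


def triage_attachment(filename, data):
    """Inspect one attachment (name + bytes). Zips are opened in memory and
    every member is judged by name; a zip that does not parse is blocked
    because it cannot be inspected."""
    reasons = classify_name(filename)
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    for r in classify_name(info.filename):
                        reasons.append(f"{info.filename}: {r}")
        except zipfile.BadZipFile:
            reasons.append("zip attachment does not parse")
    return Verdict(block=bool(reasons), reasons=reasons)


def build_zip(members):
    """Constructed test helper: build a zip from {name: bytes} in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples modelled on the attachment names in the posts.
    samples = {
        "Receipt 40247.zip": build_zip({"IOABB32501.wsf": b"<job></job>"}),
        "4023cd96fe5.zip": build_zip({"package dhl express ~0EAD6~.js": b"// placeholder"}),
        "Agent Sendout Report.PDF.Doc.XLS.TXT.jar": b"PK placeholder",
        "photos.zip": build_zip({"IMG_0001.jpg": b"\xff\xd8\xff"}),
    }
    for name, data in samples.items():
        v = triage_attachment(name, data)
        print(f"{'BLOCK ' if v.block else 'allow '} {name}: {'; '.join(v.reasons)}")
```

Name-based rules like these are a first filter, not a verdict: they catch the file types the quoted campaigns lean on, but a benign .js inside a developer's zip is also blocked, so pair them with a quarantine-and-release path rather than silent dropping.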

  8. #1058
    AplusWebMaster (Adviser Team)

    Thumbs down Fake 'Transactions', 'Photo', 'Document' SPAM

    FYI...

    Fake 'Transactions' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/trans...elivers-locky/
    23 Sep 2016 - "... Locky downloaders... an email with the subject of 'Transactions details' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file named Transactions details scan {random characters}.js... One of the emails looks like:
    From: Lora Mooney <Mooney.771@ gallerystock .com>
    Date: Fri 23/09/2016 06:35
    Subject: Transactions details
    Attachment: 9fc2fd82d4e.zip
    Dear xerox.774, this is from the bank with reference to your email yesterday.
    As you requested, attached is the scan of all the transactions your account made in September 2016.
    Please let us know if you need further assistance.

    Lora Mooney
    Credit Controller ...


    23 September 2016: 9fc2fd82d4e.zip: Extracts to: Transactions details scan 358AD50.js
    Current Virus total detections 6/55*. MALWR** shows a download of an encrypted file from
    http ://prospower .com/kqp479c7 which is transformed by the script to L12I1sh9pd9X2.dll (VirusTotal 11/57***)...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1474609615/

    ** https://malwr.com/analysis/MTU3YWFiN...M3YWJjODM0OWQ/
    Hosts
    207.7.95.142

    *** https://www.virustotal.com/en/file/b...is/1474609924/
    ___

    Fake 'Photo' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/blank...s-locky-zepto/
    23 Sep 2016 - "... Locky downloader with a blank/empty email with the subject of 'Photo from Ryan (random name)' coming as usual from random companies, names and email addresses with a random named zip attachment named along the lines of IMG- today’s/yesterday’s date - 2 characters and several numbers .zip containing a WSF file. The “photo from” name in the subject matches the alleged senders name... One of the emails looks like:
    From: Ryan nock <Ryan9244@ gmail .com>
    Date: Fri 23/09/2016 00:51
    Subject: Photo from Ryan
    Attachment: IMG-20160922-WA000752.zip


    Body content: Totally blank/empty

    23 September 2016: IMG-20160922-WA000752.zip: Extracts to: AGRN0718.wsf - Current Virus total detections 9/55*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://allcateringservices .in/8rcybi43?rRffpf=NrdcbOsmH | http ://klop .my/8rcybi43?rRffpf=NrdcbOsmH
    http ://williamstarnetsys .org/8rcybi43?rRffpf=NrdcbOsmH which is transformed by the script to
    raDSyGb1.dll (VirusTotal 8/57***). These WSF files post back to C&C http ://94.242.57.152 /data/info.php
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1474598473/

    ** https://malwr.com/analysis/ZmMwYzRjN...kzZDNlZDA2OTk/
    Hosts
    103.231.41.127
    103.8.25.156
    142.4.4.160
    94.242.57.152


    *** https://www.virustotal.com/en/file/9...is/1474605834/
    ___

    Fake 'Document' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/blank...s-locky-zepto/
    23 Sep 2016 - "... another set of blank/empty emails with the subject of 'Document from Horacio (random name)' pretending to come from random names @ gmail .com with a malicious word doc attachment delivers Locky ransomware... These are NOT coming from Gmail... One of the email looks like:
    From: Horacio minto <Horacio92942@ gmail .com>
    Date: Fri 23/09/2016 11:06
    Subject: Document from Horacio
    Attachment: DOC-20160923-WA0008360.docm


    Body content: Totally empty/blank

    23 September 2016: DOC-20160923-WA0008360.docm - Current Virus total detections 8/55*. Malwr** shows a download of an encrypted file from http ://rutlandhall .com/bdb37 which is transformed by the macro to hupoas.dll
    (VirusTotal 10/57***) posts back to C&C at http ://158.255.6.129 /data/info.php ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://virustotal.com/en/file/d9f73...a421/analysis/

    ** https://malwr.com/analysis/ZWI2YTQzM...E5ZDdjOGUyMzU/
    Hosts
    217.160.5.7
    94.242.57.152
    158.255.6.129


    *** https://www.virustotal.com/en/file/9...is/1474629008/

    Last edited by AplusWebMaster; 2016-09-23 at 18:18.

  9. #1059
    AplusWebMaster (Adviser Team)

    Thumbs down Locky changed - now an .odin extension

    FYI...

    Locky changed - now an .odin extension
    - https://myonlinesecurity.co.uk/locky...din-extension/
    26 Sep 2016 - "... the file extension to the encrypted files which is now .odin . They are still using .wsf files inside zips today... first series pretends to come from your-own-domain with a subject of:
    Re: Documents Requested and the body saying:
    Dear [redacted],
    Please find attached documents as requested.
    Best Regards,
    [redacted]


    The second series comes from random senders with a subject of 'Updated invoice #[random number]' and random names, job positions and companies in the body with a body content:
    Our sincere apology for the incorrect invoice we sent to you yesterday.
    Please check the new updated invoice #3195705 attached.
    We apologize for any inconvenience.
    ——-
    Socorro Bishop
    Executive Director Marketing PPS ...


    See MALWR* which does show the encrypted files and Payload Security** which does not but shows the downloads...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://malwr.com/analysis/OWEzOWI5Z...Y4YmNiZmNmNmI/
    Hosts
    94.23.97.227
    62.173.154.240


    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    94.23.97.227
    62.173.154.240
    5.196.200.247
    86.110.118.114
    52.34.245.108


    - https://blog.opendns.com/2016/09/26/...atest-persona/
    Sep 26, 2016

    Last edited by AplusWebMaster; 2016-09-27 at 19:07.

  10. #1060
    AplusWebMaster (Adviser Team)

    Thumbs down Locky - rtf files, Fake 'Post For Amendment', 'Attached:Scan' SPAM, RIG malvertising

    FYI...

    Locky malware office rtf files - new delivery method
    - https://myonlinesecurity.co.uk/new-m...ual-passwords/
    27 Sep 2016 - "... a major change this morning in what I assume is a Locky or Dridex delivery system. The files come as RTF files but each rtf file has an individual password. None of the online automatic analysers or Virus Total, see any malicious content, because they cannot get past the password. Once you insert the password, you can then get to the macro, but I haven’t managed to decode it..
    Update: I am being told it is Dridex, but am waiting on confirmation via analysis by several other researchers.
    Once you insert the password you see a file looking like this. (This was opened in LibreOffice and not Microsoft Word for safety reasons, as there is no enable content button there):
    > https://myonlinesecurity.co.uk/wp-co...e-1024x590.png
    ... Individual passwords for the file names inside the zips are:
    Final Notice#i4qb43c.rtf tRgHs8UOo
    Invoice-a00h.rtf TVOS3v8
    Statementj34f-69g_%l13te91u.rtf xpaGK1x0r

    We are seeing various subjects on these emails all using random names in subject line that matches the name of the alleged sender, including:
    Fwd:Invoice from Driscoll Welch
    Fw:Final Notice from Zane Reyes
    Marvin Yates Statement
    Re:Bill from Richard Contreras
    Statement from Lionel Roth
    Howard Cantrell Notice

    They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. One of the emails looks like:
    From: Driscoll Welch <emma.qe@ ntlworld .com>
    Date: Tue 27/09/2016 08:47
    Subject: Fwd:Invoice from Driscoll Welch
    Attachment: Invoice-a00h.rtf
    The Transfer should appear within 2 days. Please check the document attached.
    You may also need Document Pwd: TVOS3v8
    Driscoll Welch


    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    ___

    Fake 'Post For Amendment' SPAM - Java Adwind Trojan
    - https://myonlinesecurity.co.uk/post-...s-java-adwind/
    27 Sep 2016 - "We continue to see Java Adwind Trojans daily.. This one is an email with the subject of
    'Post For Amendment' pretending to come from danny.chunn@ westernunion .com <accounts@ petnet .com.ph> with a genuine PDF attachment which contains a link, that when clicked downloads a rar file containing a Java.jar file... The particular difference is the PDF attachment is a genuine PDF which pretends to be a notice from Google Drive to download another PDF. The actual link-behind-the-download is -not- to Google drive but to a hacked/compromised WordPress site
    https ://www.makgrills .com/wp-content/Transaction-Ref0624193.rar
    which downloads the rar file containing the Java Adwind Trojan. Note the HTTPS. The RAR file extracts to Agent Sendout Report.PDF.Doc.XLS.TXT.jar and if you have the Windows default setting of "don't show file extensions" set, you will think it is a plain text file. The malspammer has added belts & braces though by naming it as report.PDF.Doc.XLS.TXT ... WARNING: Java Adwind is a very dangerous remote access backdoor Trojan, that has cross OS capabilities and can potentially run and infect any computer or operating system including Windows, Apple Mac, Android and Linux. It however can only be active or infect you if you have Sun/Oracle Java installed*...
    * https://www.theguardian.com/technolo...ack-technology
    ... One of the emails looks like:
    From: danny.chunn@ westernunion .com <accounts@ petnet .com.ph>
    Date: Mon 26/09/2016 09:41
    Subject: Post For Amendment
    Attachment: Transaction-Ref06214193.pdf
    Agent,
    View and post request for amendment. The Western union transaction is returned from a recieving agent. Details of the transaction has been attached
    Thanks & Regards,
    Danny Chunn
    Asst Mgr|Operations
    Branch Operations,
    Western Union Money Transfer
    Door – 26,Street- 920,Roudat Al Khail
    P O Box ? 5600,Doha,State of Qatar ...


    The PDF when opened looks like this image which pretends to say that you need to click the link to download the PDF from Goggle Drive:
    > https://myonlinesecurity.co.uk/wp-co...ogle_drive.png

    27 September 2016: Transaction-Ref06214193.pdf: downloads: Transaction-Ref0624193.rar which extracts to
    Agent Sendout Report.PDF.Doc.XLS.TXT.jar - Current Virus total detections 16/55* for .jar file...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1474955483/
    ___

    Fake 'Attached:Scan' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/09/malw...nd-others.html
    27 Sep 2016 - "This -fake- scanned document leads to Locky ransomware:
    Subject: Attached:Scan(70)
    From: Zelma (Zelma937@ victimdomain .tld)
    To: victim@ victimdomain .tld;
    Date: Tuesday, 27 September 2016, 14:15


    There does not appear to be any body text. My trusted source tells me that the subject is a combination of the words Attached/Copy/File/Emailing and Document/Receipt/Scan plus a random two-digit number. Attached is a ZIP file with a name similar to the subject, containing a malicious .wsf script. This script then downloads components...
    (Long list at the dynamoo URL above.)
    The payload is Locky ransomware, phoning home to:
    5.196.200.247/apache_handler.php (OVH, Ireland / Just Hosting, Russia)
    62.173.154.240/apache_handler.php (JSC Internet-Cosmos, Russia)
    uiwaupjktqbiwcxr .xyz/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
    rflqjuckvwsvsxx .click/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
    dypvxigdwyf .org/apache_handler.php [69.195.129.70] (Joe's Datacenter, US)
    ntqgcmkmnratfnwk .org/apache_handler.php
    wababxgqgiyfrho .su/apache_handler.php
    ytqeycxnbpuygc .ru/apache_handler.php
    ocuhfpcgyg .pl/apache_handler.php
    cifkvluxh .su/apache_handler.php
    sqiwysgobx .click/apache_handler.php
    yxmagrdetpr .biz/apache_handler.php
    xnoxodgsqiv .org/apache_handler.php
    vmibkkdrlnircablv .org/apache_handler.php
    Recommended blocklist:
    5.196.200.0/24
    62.173.154.240
    86.110.118.114 "
    ___

    RIG EK on large malvertising campaign
    - https://blog.malwarebytes.com/cyberc...sing-campaign/
    Sep 27, 2016 - "... spotted a malvertising attack on popular website answers .com (2 million visits daily) via the same pattern that was used by Angler EK and subsequently Neutrino EK via the 'domain shadowing' practice and the use of the HTTPS open redirector from Rocket Fuel (rfihub .com). Some visitors that browsed the knowledge-based website were exposed to the fraudulent and malicious advert and could have been infected -without- even having to click on it:
    > https://blog.malwarebytes.com/wp-con...6/09/flow2.png
    ... In early September we noticed a change in how RIG drops its malware payload. Rather than using the iexplore.exe process, we spotted instances where wscript.exe was the parent process of the dropped binary... domain shadowing in the malvertising space is still an effective means of duping ad agencies via social engineering. While this practice is well known, it also remains a powerful method to -bypass- traditional defences at the gateway by wrapping the ad traffic (and malicious code) in an encrypted tunnel. Since malvertising does not require any user interaction to infect your system, you should keep your computer fully up to date and uninstall unnecessary programs... Indicators of compromise:

    ads.retradio .com: 184.168.165.1: https://www.virustotal.com/en/ip-add...1/information/
    63.141.242.35: https://www.virustotal.com/en/ip-add...5/information/

    RIG Exploit Kit Distributing CrypMIC Ransomware
    - https://atlas.arbor.net/briefs/index#1789371819
    Sep 22, 2016

    Last edited by AplusWebMaster; 2016-09-27 at 21:42.
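The dynamoo write-up above ends with a recommended blocklist, and the earlier myonlinesecurity posts give the check-in paths the .wsf and .docm downloaders post to (/data/info.php, and /apache_handler.php for the Locky payload itself). The block below is an added example for this thread, not code from any of the quoted sources: it turns those indicators into a small proxy-log sweep. The five-field log lines are constructed for the example (timestamp, client, method, URL, status), and the RESOLVED table is a hand-built stand-in for passive-DNS data using the hostname-to-IP pairs dynamoo lists; a real deployment would pull both the indicators and the resolutions from its own feeds.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators from the quoted posts (illustrative, not a maintained feed).
BLOCK_NETS = [ipaddress.ip_network(n) for n in (
    "5.196.200.0/24",        # dynamoo's recommended blocklist
    "62.173.154.240/32",
    "86.110.118.114/32",
    "94.242.57.152/32",      # C&C behind /data/info.php (Photo/Document malspam)
    "158.255.6.129/32",
)]
C2_PATHS = {"/apache_handler.php", "/data/info.php"}
C2_DOMAINS = {"uiwaupjktqbiwcxr.xyz", "rflqjuckvwsvsxx.click", "dypvxigdwyf.org"}

# Constructed resolver cache built from the [ip] annotations in the dynamoo list.
RESOLVED = {
    "uiwaupjktqbiwcxr.xyz": "86.110.118.114",
    "rflqjuckvwsvsxx.click": "86.110.118.114",
    "dypvxigdwyf.org": "69.195.129.70",
}


def host_ip(host):
    """Literal IP host, or a cached resolution, or None (never a live lookup)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        ip = RESOLVED.get(host)
        return ipaddress.ip_address(ip) if ip else None


def classify_url(url):
    """Return the list of indicator matches for one URL; [] when clean."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_DOMAINS:
        reasons.append(f"known C2 domain {host}")
    ip = host_ip(host)
    if ip is not None and any(ip in net for net in BLOCK_NETS):
        reasons.append(f"{ip} in blocklist")
    if parts.path in C2_PATHS:
        # A path alone is weak evidence; it only confirms an IP/domain hit.
        reasons.append(f"C2 check-in path {parts.path}")
    return reasons


def scan_proxy_log(text):
    """Sweep constructed proxy lines and return one hit per matching request.
    'confirmed' is True only when the host itself matched, not just the path."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        reasons = classify_url(url)
        if reasons:
            confirmed = any("blocklist" in r or "C2 domain" in r for r in reasons)
            hits.append({"time": ts, "client": client, "method": method,
                         "url": url, "confirmed": confirmed, "reasons": reasons})
    return hits


# Constructed sample log: three check-ins that should fire, two that should not.
SAMPLE_LOG = """\
2016-09-27T14:20:01Z 10.0.0.15 POST http://5.196.200.247/apache_handler.php 200
2016-09-27T14:20:07Z 10.0.0.15 POST http://uiwaupjktqbiwcxr.xyz/apache_handler.php 200
2016-09-23T00:55:10Z 10.0.0.22 POST http://94.242.57.152/data/info.php 200
2016-09-27T14:21:00Z 10.0.0.31 GET http://example.com/index.php 200
2016-09-27T14:22:00Z 10.0.0.15 GET http://5.196.199.9/ 200
"""

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        flag = "CONFIRMED" if h["confirmed"] else "suspect"
        print(f"{flag} {h['client']} {h['method']} {h['url']} :: {'; '.join(h['reasons'])}")
```

Two design points worth noting. The /24 in dynamoo's list is deliberately wider than the single observed host, so a hit on 5.196.200.x other than .247 is still a blocklist hit, while the neighbouring 5.196.199.9 in the sample stays clean. And because the domains rotate far faster than the hosting IPs (several of dynamoo's names sit on 86.110.118.114), resolving the hostname and matching the address catches a fresh domain the feed has not seen yet.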
