
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  #1071 AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    WSF email attachments ...

    FYI...

    WSF email attachments - latest malware delivery vehicle
    - https://www.helpnetsecurity.com/2016...ware-delivery/
    Oct 13, 2016 - "Most users have by now learned not to open executable (.EXE), various MS Office, RTF and PDF files delivered via -unsolicited- emails, but malware peddlers are always trying out new ways to trick users, email filters and AV software... According to Symantec*, Windows Script Files (WSFs) are the latest file types to be exploited to deliver malware via email...
    > https://www.helpnetsecurity.com/imag...ttachments.jpg
    Number of blocked emails containing malicious WSF attachments by month "

    Surge of email attacks using malicious WSF attachments
    * https://www.symantec.com/connect/fr/...sf-attachments
    12 Oct. 2016 - "Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments over the past three months. Ransomware groups in particular have been employing this new tactic. In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files...
    Malicious WSF files have been used in a number of recent major spam campaigns spreading Locky. For example, between October 3 and 4, Symantec blocked more than 1.3 million emails bearing the subject line "Travel Itinerary." The emails purported to come from a major airline and came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim's computer...
    > Tips on protecting yourself from ransomware
    Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
    Always keep your security software up to date to protect yourself against any new variants of malware.
    Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
    Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
    Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  #1072 AplusWebMaster

    Fake 'Final payment' SPAM

    FYI...

    Fake 'Final payment' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/final...ivers-malware/
    17 Oct 2016 - "An email with the subject of 'Final payment request' pretending to come from angela.fynan@ hmrc.gsi .gov.uk <info@ websitesage60 .us> with a malicious word doc attachment is another one from the current bot runs... I do not know exactly what malware this downloads... The website that the macro inside the malicious word doc connects to is not owned or controlled by HMRC or any other part of the UK government and has been registered to be used as a malware/fraud site http ://hmrc.gsigov .co.uk using false details:
    - http://whois.domaintools.com/gsigov.co.uk .. on IP 185.81.113.102 ...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...c-1024x771.png

    The Word doc, which falsely states it was created in an earlier version of Word and that you 'should enable editing to view it', when opened safely pretends to be a VAT notice and surcharge liability saying you need to pay £29,678:
    > https://myonlinesecurity.co.uk/wp-co...7-1024x800.png

    17 October 2016: 18066000010075130101.doc - Current Virus total detections 4/54*. MALWR** shows a download from
    http ://hmrc.gsigov .co.uk/vat.exe (VirusTotal 4/56***). Payload Security [1] [2] ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1476717095/

    ** https://malwr.com/analysis/NmViZmE4M...UzNDBiZGU2MTg/
    Hosts
    185.81.113.102: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/82...33a8/analysis/

    *** https://www.virustotal.com/en/file/8...is/1476724305/

    1] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.81.113.102

    2] https://www.hybrid-analysis.com/samp...ironmentId=100

    Last edited by AplusWebMaster; 2016-10-18 at 13:31.

  #1073 AplusWebMaster

    Fake 'RE: P/O' SPAM

    FYI...

    Fake 'RE: P/O' SPAM - delivers java adwind
    - https://myonlinesecurity.co.uk/re-po...s-java-adwind/
    19 Oct 2016 - "We continue to be plagued daily by -fake- financial themed emails containing java adwind attachments... The email looks like:
    From: Sales <order@ ncima-holding .ci>
    Date: Tue 18/10/2016 18:28
    Subject: RE: P/O
    Attachment: NEW P.O.zip
    Attached is the Purchase order list
    please confirm so we can proceed.
    Thank you.
    ——————————-
    sent from my iPad ...


    19 October 2016: New P.O.jar (273kb) - Current Virus total detections 9/56*. Payload Security**...
    This is another one of the files that unless you have "show known file extensions enabled", can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1476831444/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


  #1074 AplusWebMaster

    Fake 'Credit Note', 'FedEx', 'ACH Payment' SPAM

    FYI...

    Fake 'Credit Note' SPAM - delivers trickbot/dyre banking Trojan
    - https://myonlinesecurity.co.uk/credi...anking-trojan/
    20 Oct 2016 - "... an email with the subject of 'Credit Note CN-81553 from Nordstrom Inc (7907)' pretending to come from Accounts <message-service@ post. xero .com> with a random named/numbered zip attachment containing an .scr file. The icon on this SCR file looks like an adobe PDF icon... One of the emails looks like:
    From: Accounts <message-service@ post. xero .com>
    Date: Thu 20/10/2016 01:21
    Subject: Credit Note CN-81553 from Nordstrom Inc (7907)
    Attachment:CN_81274.zip
    Hi Orlando,
    Attached document is your credit note CN-81553 for 508.18 AUD.
    This has been allocated against invoice number.
    If you have any questions, please let us know.
    Thanks,
    Staff Leasing Inc.


    20 October 2016: CN_81274.zip: Extracts to: CN-81274.scr - Current Virus total detections 17/57*
    .. Payload Security** shows a download/drop of another file RXGp0aqU55eY5AnMxB.exe.exe (VirusTotal 8/57***)
    Payload Security[4] .. appears to be dyre/trickloader banking Trojan ... This is another one of the files that unless you have "show known file extensions enabled", can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1476937031/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.14.29.13
    78.47.139.102
    91.219.28.77


    *** https://www.virustotal.com/en/file/3...is/1476932944/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    78.47.139.102
    91.219.28.77
    80.79.114.179

    ___

    Fake 'FedEx' SPAM - delivers ransomware
    - https://myonlinesecurity.co.uk/fake-...er-ransomware/
    20 Oct 2016 - "We are seeing an uptick in the 'FedEx - unable to deliver' malspam emails this week... they are so common and I always get 1 or 2 every day.. today I am receiving quite an increase in numbers over the usual amount... With the holiday season quickly approaching and many more people shopping online, we will see a dramatic increase in these over the next few weeks and months as more people wait for their deliveries... The sort of subjects that you see with this malspam nemucod ransomware campaign which will always have random numbers include:
    Delivery Notification, ID 00898050
    Shipment delivery problem #0000613766
    Problem with parcel shipping, ID:0000857607
    Problems with item delivery, n.00000693983
    Unable to deliver your item, #0000274397


    One of the emails looks like:
    From: FedEx Ground <wade.barry@ hosteriasanpatricio .com .ar> or FedEx 2Day A.M. <ruben.morris@ hosteriasanpatricio .com .ar>
    Date: Thu 01/09/2016 19:22
    Subject: Shipment delivery problem #0000613766 or Delivery Notification, ID 00898050
    Attachment: FedEx_ID_0000613766.zip
    Dear Customer,
    We could not deliver your item.
    Please, open email attachment to print shipment label.
    Sincerely,
    Wade Barry,
    Sr. Support Agent.

    Or
    Dear Customer,
    We could not deliver your item.
    Shipment Label is attached to email.
    Warm regards,
    Ruben Morris,
    Sr. Operation Manager.


    20 October 2016: FedEx_ID_0000613766.zip: Extracts to: FedEx_ID_0000613766.doc.wsf
    Current Virus total detections 25/55*: Payload Security** shows downloads of the usual multiple files from
    www .industrial-automation .at/counter/?ad=17MGS22ZVQcqSyHw4VU2NvC5SL4eCPhCJb&id=LZUB9RUv-KCRW63gDdZ5mD075Y_vJ1F6feiXr_Sv5Nbbhxr8QKIPLwoOhYdjCOIqaWV65TnMZepmeok-Renqlmw1ioeBLbM8&rnd=01
    (with a range from 01–04 that delivers different parts of the malware package)...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1476944618/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    212.152.181.199
    ___

    Fake 'ACH Payment' SPAM - delivers trickbot/dyre banking Trojan
    - https://myonlinesecurity.co.uk/ach-p...anking-trojan/
    20 Oct 2016 - "... an email with the subject of 'ACH Payment Notification' pretending to come from ap_vendor_pay2@ bankofamerica .com with a random named/numbered zip attachment containing an .scr file. The icon on this SCR file looks like an adobe PDF icon... One of the emails looks like:
    From: ap_vendor_pay2@ bankofamerica .com
    Date: Thu 01/09/2016 19:22
    Subject: ACH Payment Notification
    Attachment: payment002828870.zip
    LOGICEASE SOLUTIONS INC Vendor:10288253 Pay Dt: 20150903
    Pay Ref Num: 2000548044
    Please download and view payment document attached.
    Your invoice has been processed for payment by Bank of America Corporate Accounts Payable. The following items are included in this payment:
    The net amount deposited to account number ending XXXX3195
    designated by you is $1019.93
    IMPORTANT: AVAILABILITY OF FUNDS FOR WITHDRAWAL IS SUBJECT TO POSTING BY RECEIVING BANK (USUALLY WITHIN THREE BUSINESS DAYS)
    Please do not respond to this e-mail. Should you have questions, please contact the Purchasing, Payment & Reimbursement helpline at 888.550.7486.
    This message, and any attachments, is for the intended recipient’s only, may contain information that is privileged, confidential and/or proprietary and subject to important termsr. If you are not the intended recipient, please delete this message.


    20 October 2016: payment002828870.zip: Extracts to: paymen1189d2028.scr . Current Virus total detections 8/56*
    .. Payload Security** shows this is likely to be Trickbot/Dyre banking Trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1476964410/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    78.47.139.102
    91.219.28.77


    Last edited by AplusWebMaster; 2016-10-20 at 18:33.
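Posts #1071 through #1074 above all describe the same trick: a zip attachment wrapping a script or executable whose name or icon imitates a document (a .wsf behind ".doc.wsf", a .scr with a PDF icon, a .jar named like a purchase order). The following triage script is an added example and is not code from the thread or from the quoted blogs. It builds a small zip in memory as a constructed sample (member names copied from the posts, contents invented stand-ins, not the real malware) and reports, per member, why a mail gateway or analyst should refuse it: executable/script extension, decoy double extension, document keyword in the name of a script, a PE header under a non-.exe name, a Java archive, script text that references a script host or downloader object, or an encrypted member that cannot be inspected.

```python
"""Triage of zip-wrapped script/executable attachments (added example)."""
import io
import re
import zipfile

# Extensions Windows will execute or hand to a script host by default.
DANGEROUS_EXT = {
    "exe", "scr", "pif", "com", "bat", "cmd", "ps1", "lnk",
    "wsf", "wsh", "js", "jse", "vbs", "vbe", "hta", "jar",
}
# Extensions a user expects to be harmless documents or images.
DECOY_EXT = {"doc", "docx", "xls", "xlsx", "pdf", "jpg", "png", "txt", "rtf"}
PE_MAGIC = b"MZ"            # Windows executable, whatever the name says
ZIP_MAGIC = b"PK\x03\x04"   # a .jar is a zip; Java runs it if a JRE is installed
SCRIPT_EXT = {"wsf", "wsh", "js", "jse", "vbs", "vbe", "hta"}
HOST_OBJECTS = re.compile(rb"(?i)(wscript|activexobject|shell\.application|xmlhttp)")
DECOY_WORD = re.compile(r"(^|[_\- ])(pdf|doc|xls|jpg)([_\- ]|$)")


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons a member looks like a lure; empty list means none."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    stem = ".".join(parts[:-1]) if len(parts) > 1 else base
    reasons = []
    if ext in DANGEROUS_EXT:
        reasons.append(f"executable/script extension .{ext}")
    # Decoy extension immediately before the real one (FedEx_ID_....doc.wsf).
    if len(parts) > 2 and parts[-2] in DECOY_EXT and ext in DANGEROUS_EXT:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    # Decoy word inside the stem (budget 34A81F8A xls.vbs, ..._pdf.jar).
    if ext in DANGEROUS_EXT and DECOY_WORD.search(stem):
        reasons.append("document keyword in name of executable/script")
    if head.startswith(PE_MAGIC) and ext not in {"exe", "dll"}:
        reasons.append("PE header under non-.exe name")
    if head.startswith(ZIP_MAGIC) and ext == "jar":
        reasons.append("Java archive (runs if a JRE is installed)")
    if ext in SCRIPT_EXT and HOST_OBJECTS.search(head):
        reasons.append("script references a script host / downloader object")
    return reasons


def triage(zip_bytes: bytes) -> dict:
    """Map each zip member to its list of reasons (first 512 bytes inspected)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            try:
                with z.open(info) as fh:
                    head = fh.read(512)
            except RuntimeError:
                # Password-protected member: cannot inspect, so do not trust it.
                findings[info.filename] = ["encrypted zip member (cannot inspect)"]
                continue
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: member names from the posts, harmless stand-in contents."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("FedEx_ID_0000613766.doc.wsf",
                   '<job><script language="JScript">'
                   'var o = new ActiveXObject("MSXML2.XMLHTTP");</script></job>')
        z.writestr("CN-81274.scr", b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
        z.writestr("New P.O.jar", jar.getvalue())
        z.writestr("budget 34A81F8A xls.vbs", 'Set s = CreateObject("WScript.Shell")')
        z.writestr("invoice.pdf", b"%PDF-1.4\n% benign placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage(build_sample_zip()).items():
        print(member, "->", reasons or "ok")
```

Only the first 512 bytes of each member are read, so a large benign archive costs little; the point is the name and the magic bytes, not a full scan. A real gateway would also quarantine anything with a dangerous extension regardless of the other findings, which is why the extension check comes first.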

  #1075 AplusWebMaster

    Fake 'Receipt', 'Complaint letter' SPAM, Trick Bot – malvertising

    FYI...

    Fake 'Receipt' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/10/malw...-leads-to.html
    24 Oct 2016 - "Locky ransomware activity has been quite minimal recently, but it seems to be back today. For example, spam with a format similar to the following is currently being sent out:
    Date: Mon, 24 Oct 2016 16:03:30 +0530
    From: christa.hazelgreave@ gmail .com
    Subject: Receipt 68-508


    Sender name is a randomly-generated Gmail address. Attached is a ZIP file starting with the word "Receipt", matching the subject of the email; contained within is a malicious HTA file with a name similar to Receipt 90592-310743.hta. You can see some of the malicious activity in this Hybrid Analysis*...
    (List of domain-names at the dynamoo URL above.)
    The malware is Locky ransomware phoning home to:
    109.234.35.215/linuxsucks .php (McHost.ru, Russia)
    91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy .example .com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
    185.102.136.77/linuxsucks .php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
    bwcfinnt .work/linuxsucks .php [208.100.26.234] (Steadfast, US) ...
    Recommended blocklist:
    109.234.35.0/24
    91.200.14.124
    185.102.136.77
    208.100.26.234
    "
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    96.0.115.240
    107.180.23.49
    216.239.139.112
    120.117.3.119


    - https://myonlinesecurity.co.uk/blank...hit-extension/
    24 Oct 2016 - "... Locky downloader.. a blank/empty email with the subject of 'Receipt 00180-6477' (random numbers) pretending to come from random names at gmail .com with a semi-random named zip attachment starting with 'receipt' that matches the subject containing a random numbered wsf file starting with 'receipt'... One of the emails looks like:
    From: jennie.winzer@ gmail .com
    Date: Mon 24/10/2016 15:05
    Subject: Receipt 00180-6477
    Attachment: Receipt 00180-6477.zip


    Body content: Totally blank/empty

    24 October 2016: Receipt 00180-6477.zip: Extracts to: Receipt 83357-830129.wsf
    Current Virus total detections 11/55*.. MALWR** shows a download of an encrypted file from
    http ://beyondhorizon .net/076wc?EVgYCyg=JQHYinB which is transformed by the script to uYYRbVgee1.dll
    (VirusTotal 6/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1477318650/

    ** https://malwr.com/analysis/ZGI2ODk1M...ZlNDhkNzA4Yzc/
    Hosts
    192.185.96.52

    *** https://www.virustotal.com/en/file/d...is/1477325610/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.185.96.52
    185.102.136.77
    91.200.14.124
    109.234.35.215
    69.195.129.70
    208.100.26.234

    ___

    Fake 'Complaint letter' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/10/malw...-leads-to.html
    24 Oct 2016 - "This spam leads to Locky ransomware:
    From "Justine Hodge"
    Date Mon, 24 Oct 2016 19:27:53 +0600
    Subject Complaint letter
    Dear [redacted],
    Client sent a complaint letter regarding the data file you provided.
    The letter is attached.
    Please review his concerns carefully and reply him as soon as possible.
    Best regards,
    Justine Hodge


    The name of the sender varies. Attached is a ZIP file with a name similar to saved_letter_e154ddcc.zip containing a malicious .JS script with a name starting with "saved letter"... scripts download...
    (Long list of domain-names at the dynamoo URL above.)
    The malware phones home to the following URLs:
    109.234.35.215/linuxsucks .php (McHost .ru, Russia)
    91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy.example .com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
    185.102.136.77/linuxsucks .php [hostname: artkoty.mgn-host .ru] [185.102.136.77] (MGNHOST, Russia)
    81.177.22.221/linuxsucks.php (Netplace, Russia)...
    ... Recommended blocklist:
    109.234.35.0/24
    91.200.14.124
    185.102.136.77
    81.177.22.221
    "

    - https://myonlinesecurity.co.uk/compl...hit-extension/
    24 Oct 2016 - "... Locky downloader.. an email with the subject of 'Complaint letter' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with saved_letter containing a js file... One of the emails looks like:
    From: Mia Dickerson <Dickerson.0865@ pipelinemedia .com.au>
    Date: Mon 24/10/2016 12:58
    Subject: Complaint letter
    Attachment: saved_letter_9ff72a60.zip
    Dear [redacted], Client sent a complaint letter regarding the data file you provided. The letter is attached. Please review his concerns carefully and reply him as soon as possible. Best regards, Mia Dickerson


    24 October 2016: saved_letter_9ff72a60.zip: Extracts to: saved letter 9A2B8.js
    Current Virus total detections 11/55*.. MALWR** shows a download of an encrypted file from
    http ://gruffcrimp .com/352gr0 which is transformed by the script to RuBjy2wiCxyLGr.dll (VirusTotal 9/57***).
    Payload security[4] shows the download from
    adultmagstore .com/itc0h81 and the C2 from a load of different servers -all- using /linuxsucks .php...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1477310600/

    ** https://malwr.com/analysis/NTZkNDY3N...RiM2U1NTNiNmU/
    Hosts
    67.171.65.64

    *** https://www.virustotal.com/en/file/c...is/1477329868/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    66.154.71.36
    81.177.22.221
    185.102.136.77
    91.200.14.124
    109.234.35.215
    69.195.129.70

    ___

    Trick Bot – spread via malvertising ...
    - https://blog.malwarebytes.com/threat...zas-successor/
    Oct 24, 2016 - "... payload was spread via a malvertising campaign, involving Rig Exploit Kit:
    > https://blog.malwarebytes.com/wp-con...sing_chain.png
    ... After being deployed, Trick Bot copies itself into %APPDATA% and deletes the original sample... Trick Bot is composed of several layers. As usual, the first layer is used for protection – it carries the encrypted payload and tries to hide it from AV software:
    > https://blog.malwarebytes.com/wp-con...0/schema-1.png
    ... Below we can see its decrypted form revealing the attacked online-banking systems:
    > https://gist.githubusercontent.com/h...cb1de/dinj.xml
    Conclusion: Trick Bot has many similarities with Dyreza, visible at the code design level as well as the communication protocol level. However, comparing the code of both shows that it has been rewritten from scratch. So far, Trick Bot does not have as many features as the Dyreza bot. It may be possible that the authors intentionally decided to make the main executable lightweight, and focus on making it dynamically expandable using downloaded modules. Another option is that it is still not the final version. One thing is sure – it is an interesting piece of work, written by professionals. The probability is very high that it will become as popular as its predecessor."
    Appendix: http://www.threatgeek.com/2016/10/tr...onnection.html – analysis of the TrickBot at Threat Geek Blog
    'Trickbot C2s:
    188.138.1.53 :8082
    27.208.131.97 :443
    37.109.52.75 :443
    91.219.28.77 :443
    193.9.28.24 :443
    37.1.209.51 :443
    138.201.44.28 :443
    188.116.23.98 :443
    104.250.138.194 :443
    46.22.211.34 :443
    68.179.234.69 :443
    5.12.28.0 :443
    36.37.176.6 :443'
    (More detail at the malwarebytes URL at the top of this post.)

    Last edited by AplusWebMaster; 2016-10-24 at 21:40.

  #1076 AplusWebMaster

    Fake 'Budget forecast', 'Scan Data', 'Wrong model' SPAM

    FYI...

    Fake 'Budget forecast' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/budge...hit-extension/
    25 Oct 2016 - "... Locky downloader.. an email with the subject of 'Budget forecast' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with 'budget' containing a vbs file that pretends to be an Excel .XLS file... One of the emails looks like:
    From: Alejandra Rojas <Rojas.2910@ dsldevice .lan>
    Date: Mon 24/10/2016 22:38
    Subject: Budget forecast
    Attachment: budget_xls_b71db945.zip
    [redacted] asked me to send you the Budget forecast for next project. Please check and ask him if you are not clear with the task.


    25 October 2016: budget_xls_b71db945.zip: Extracts to: budget 34A81F8A xls.vbs
    Current Virus total detections 2/55*.. MALWR** shows a download of an encrypted file from
    http ://fannyfuff .com/7qx9pmdt which is transformed by the script to QoTcrNU2qu051Uv0.dll (VirusTotal 21/57***).
    Neither MALWR nor Payload Security[4] are showing the encrypted files... That might be due to a sandbox/ VM protection in the malware or it might not have run properly. Earlier versions yesterday [1] [2] using WSF, JS or HTA delivery methods did run fully in the online sandboxes. The vbs versions might not... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1477345935/

    ** https://malwr.com/analysis/MjY2NmFhM...JkM2YxNGYyYzk/
    Hosts
    67.171.65.64
    77.123.137.221
    91.200.14.124
    91.226.92.225
    185.102.136.77
    69.195.129.70


    *** https://www.virustotal.com/en/file/c...is/1477378265/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    201.238.211.140
    91.226.92.225
    185.102.136.77
    77.123.137.221
    91.200.14.124
    69.195.129.70


    1] https://myonlinesecurity.co.uk/compl...hit-extension/

    2] https://myonlinesecurity.co.uk/blank...hit-extension/
    ___

    Fake 'Scan Data' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/10/malw...ile-image.html
    25 Oct 2016 - "Perhaps minimalist spam works better - there is currently a Locky spam run with one of the subjects 'Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data' plus a number (e.g. "Picture 4") with a ZIP file attached matching the subject (e.g. Picture 4.zip) which in turn contains a malicious Javascript... There is no body text... These automated analyses [1] [2]... show that it is Locky...
    (Long list of domain-names at the dynamoo URL above.)
    ... The URL is appended with a random query string, e.g. ?EsIemTBBP=LHvybwFTeh
    A malicious DLL is dropped with an MD5 of 7a131fff8eaf144312494988300d7dc1 and a detection rate of 4/56*. The malware then phones home to one of the following locations:
    185.127.27.100/linuxsucks .php [hostname: artem.kotyuzhanskiy.example.com] (JSC "Informtehtrans", Russia)
    91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy.example.com] (SKS-Lugan / VHoster, Ukraine)
    77.123.137.221/linuxsucks .php (Volia DataCentre, Ukraine)
    ... Recommended blocklist:
    185.127.27.100
    91.200.14.124
    77.123.137.221
    "
    1] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    103.247.11.115
    46.105.246.22
    91.200.14.124
    185.127.27.100
    77.123.137.221


    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    203.190.54.3
    91.200.14.124
    77.123.137.221
    185.127.27.100


    * https://virustotal.com/en/file/5948c...is/1477405965/

    - https://myonlinesecurity.co.uk/blank...elivers-locky/
    25 Oct 2016 - "... Locky downloader... a blank empty email with a variety of subjects like scan, image, pic, doc etc. pretending to come from random names at Gmail .com with a zip attachment that matches the subject containing a js file... Some of the subjects seen include:
    Image 249
    Blank 962
    Document 7
    Pic 3
    Scan Data 405
    Picture 125
    File 11
    Doc 74
    img 7


    One of the emails looks like:
    From: HUGH HALVERSON <hughhalverson94@ gmail .com>
    Date: Tue 25/10/2016 14:47
    Subject: Image 249
    Attachment: Image 249.zip


    Body content: totally empty/blank

    25 October 2016: Image 249.zip: Extracts to: Pic 767.js - Current Virus total detections 9/54*
    .. MALWR** shows a download of an encrypted file from
    http ://rajashekharkubasad .com/g76dbf?ettSsUhngke=NlfFMTpqoQa which is transformed by the script to WgNUiSSFP1.dll (VirusTotal 3/56***). Payload Security[4] shows this version is using .thor extension for the encrypted files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1477403985/

    ** https://malwr.com/analysis/NDRiZTdiZ...k3N2U0YzEyMjc/
    Hosts
    43.225.54.151

    *** https://www.virustotal.com/en/file/5...is/1477405261/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    43.225.54.151
    185.127.27.100
    77.123.137.221
    91.200.14.124

    ___

    Fake 'Wrong model' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/wrong...elivers-locky/
    25 Oct 2016 - "... Locky downloader... an email with the subject of 'Wrong model' coming as usual from random companies, names and email addresses with a semi random named zip attachment starting with fixed_invoice containing a vbs file... One of the emails looks like:
    From: Randal Burks <Burks.3744@ pocketgreens .com>
    Date: Tue 25/10/2016 19:45
    Subject: Wrong model
    Attachment: fixed_invoice_74957728.zip
    We apologize for sending the wrong model of the product yesterday. Attached is the new invoice for your product No. 31066460.


    25 October 2016: fixed_invoice_74957728.zip: Extracts to: fixed invoice 8A3254C.vbs
    Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
    http ://idesjot .net/3ab4af which is transformed by the script to B0HRoIuyMVXc7V.dll (VirusTotal 13/57***)...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1477421251/

    ** https://malwr.com/analysis/YjQyNWRmY...c2YjI5MzgxMzA/
    Hosts
    67.171.65.64

    *** https://www.virustotal.com/en/file/9...is/1477421558/
    ___

    Another Day, Another Spam...
    - https://isc.sans.edu/diary.html?storyid=21635
    2016-10-25 - "... attackers always have new ideas to deliver their malicious content to us... Attached to this mail, a malicious ZIP file with a .pif file inside. The file is in fact a PE file (MD5: 2aa0d2ae9f8492e2b4acda1270616393). The hash was unknown to VT but once uploaded, it was reported as a very old worm, nothing very malicious... The second example, received by one of our readers, is a -fake- SharePoint notification:
    > https://isc.sans.edu/diaryimages/ima...point-spam.png
    The link points to hxxp ://thekchencholing .org/.https/www/sharepoint.com/sites/shareddocument/SitePages/Home.aspx/index.php?wreply=YW5keS5nZXJhZXJ0c0BjZWdla2EuYmUN (the site has been cleaned up in the meantime). SharePoint is a common Microsoft tool used in big organizations and people could be lured by this kind of message. Most spam campaigns are easy to detect but some messages, when properly written, may lure the victim easily. We are never far from an unfortunate click. Stay safe!.."

    thekchencholing .org: 180.210.205.66: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/c1...b208/analysis/

    Last edited by AplusWebMaster; 2016-10-25 at 22:52.
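Posts #1075 and #1076 above end each Locky write-up with a recommended blocklist and note that every C2 in those runs uses the same /linuxsucks .php check-in path, and #1075 also quotes the Trickbot C2 ip:port list from Threat Geek. The script below is an added example, not code from the thread or the quoted blogs, showing how those three kinds of indicator would be applied to outbound proxy logs. The log lines are constructed for the example in a simplified format (timestamp, client, destination host, destination ip:port, request path); the indicators themselves are copied from the posts. Hostnames are matched only by IP here because no DNS is done offline, so a downloader domain that rotates (the first line) is deliberately not caught; that is the gap the path and C2 indicators close.

```python
"""Match outbound proxy log lines against the Locky/Trickbot indicators above."""
import ipaddress
import re

# Recommended blocklists quoted from dynamoo.com in the posts above.
BLOCKLIST = [ipaddress.ip_network(x) for x in (
    "109.234.35.0/24", "91.200.14.124", "185.102.136.77", "208.100.26.234",
    "81.177.22.221", "185.127.27.100", "77.123.137.221",
)]
# Check-in path used by every Locky C2 in those posts.
LOCKY_PATH = "/linuxsucks.php"
# Trickbot C2 ip:port pairs from the Threat Geek appendix quoted in post #1075.
TRICKBOT_C2 = {
    ("188.138.1.53", 8082), ("27.208.131.97", 443), ("37.109.52.75", 443),
    ("91.219.28.77", 443), ("193.9.28.24", 443), ("37.1.209.51", 443),
    ("138.201.44.28", 443), ("188.116.23.98", 443), ("104.250.138.194", 443),
    ("46.22.211.34", 443), ("68.179.234.69", 443), ("5.12.28.0", 443),
    ("36.37.176.6", 443),
}

# Assumed log format for this example: ts client host ip:port path
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) "
    r"(?P<ip>[\d.]+):(?P<port>\d+) (?P<path>\S+)$")


def match_line(line: str):
    """Parse one line; return a dict with a 'reasons' list, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    port = int(m["port"])
    reasons = []
    for net in BLOCKLIST:
        if ip in net:
            reasons.append(f"dst in blocklist {net}")
            break
    # Path check is independent of the IP, so a new C2 on the same path still fires.
    if m["path"].lower().endswith(LOCKY_PATH):
        reasons.append("Locky check-in path")
    if (str(ip), port) in TRICKBOT_C2:
        reasons.append("Trickbot C2")
    return {"ts": m["ts"], "client": m["client"], "dst": f"{ip}:{port}",
            "path": m["path"], "reasons": reasons}


def scan(lines):
    """Return only the parsed lines that matched at least one indicator."""
    hits = []
    for line in lines:
        r = match_line(line)
        if r and r["reasons"]:
            hits.append(r)
    return hits


# Constructed sample log (not a real capture): one payload download from a
# domain seen in post #1075, two Locky check-ins, one Trickbot connection
# (91.219.28.77 also appears as a contacted host in post #1074), one benign line.
SAMPLE_LOG = """\
2016-10-24T15:10:02Z 10.0.0.12 beyondhorizon.net 192.185.96.52:80 /076wc?EVgYCyg=JQHYinB
2016-10-24T15:10:09Z 10.0.0.12 - 109.234.35.215:80 /linuxsucks.php
2016-10-24T15:10:11Z 10.0.0.12 - 91.200.14.124:80 /linuxsucks.php
2016-10-20T01:30:44Z 10.0.0.31 - 91.219.28.77:443 /
2016-10-24T15:12:00Z 10.0.0.40 intranet.example 203.0.113.10:443 /index.html
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["client"], "->", hit["dst"], hit["path"], hit["reasons"])
```

The blocklist loop stops at the first matching network, so a /24 entry and a /32 inside it do not produce two reasons. Because the IP lists in these posts changed between the 24 and 25 October runs, the path indicator is the one most worth keeping in a detection rule.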

  #1077 AplusWebMaster

    Fake 'Help Desk', 'Your order', 'Invoice' SPAM, WhatsApp SCAMS

    FYI...

    Fake 'Help Desk' SPAM - leads to Adwind
    - http://blog.dynamoo.com/2016/10/malw...help-desk.html
    26 Oct 2016 - "Just by way of a change, here's some -malspam- that doesn't lead to Locky:

    Screenshot: https://3.bp.blogspot.com/-dlvhqYrMC...B/s1600/wu.png

    In this case, the link in the email goes to:
    linamhost .com/host/Western_Union_Agent_Statement_and_summary_pdf.jar
    This is a Java file - if you don't have Java installed on your PC (and why would you want this 1990s relic anyway?) then it -won't- run. VirusTotal* identifies it as the Adwind Backdoor**. The Malwr report[3] shows it attempting to contact:
    boscpakloka .myvnc .com [158.69.56.128] (OVH, US)
    A whole bunch of components are downloaded and frankly I haven't had time to look, but it shares characteristics with the one reported at Malware-Traffic-Analysis[4]. Check the Dropped Files section of the Malwr Report[3] for more. Personally, I recommend blocking -all- dynamic DNS domains such as myvnc .com in corporate environments. At the very least I recommend blocking 158.69.56.128."
    * https://virustotal.com/en/file/51d0f...is/1477480451/

    ** https://www.f-secure.com/v-descs/bac...a_adwind.shtml

    3] https://malwr.com/analysis/ZGJmZTZmO...YzMTdmNjg2MDE/
    Hosts
    158.69.56.128: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/5f...e69c/analysis/

    4] http://www.malware-traffic-analysis....23/index2.html

    myvnc .com: 8.23.224.108: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/a5...1802/analysis/
    ___

    Fake 'Your order' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/10/malw...-has-been.html
    26 Oct 2016 - "This curiously worded spam email leads to Locky ransomware:
    Subject: Your order has been proceeded
    From: Elijah Farrell
    Date: Wednesday, 26 October 2016, 12:41
    Your order has been proceeded.
    Attached is the invoice for your order 2026326638.
    Kindly keep the slip in case you would like to return or state your product's warranty.


    The name of the sender is randomly generated, as is the reference number. Attached is a ZIP file beginning with "order_details_" plus a random sequence, containing a malicious .VBS script with a similar name. The various scripts download a component... (thank you to my usual source for this)
    (Long list of domain-names at the dynamoo URL above.)
    The downloaded binary then phones home to:
    78.46.170.94/linuxsucks .php [hostname: k-42 .ru] (Corem, Russia / Hetzner, Germany)
    95.46.98.25/linuxsucks .php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost .hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
    91.226.92.225/linuxsucks .php [hostname: weblinks-3424 .ru] (Sobis, Russia)
    It also tries to phone home...
    Recommended blocklist:
    78.46.170.64/27
    95.46.98.0/23
    91.226.92.225
    "

    - https://myonlinesecurity.co.uk/your-...elivers-locky/
    26 Oct 2016 - "... Locky downloader.. which is running concurrently with THIS[1] is an email with the subject of 'Your order has been proceeded' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with order_details containing a vbs file... typical subject line is 'Your order has been processed' -not- 'Your order has been proceeded'...
    1] https://myonlinesecurity.co.uk/invoi...elivers-locky/
    ... One of the emails looks like:
    From: Alex Gonzalez <Gonzalez.46337@ solardelaluna .com>
    Date: Wed 26/10/2016 12:35
    Subject: Your order has been proceeded
    Attachment: order_details_56f220432.zip
    Your order has been proceeded. Attached is the invoice for your order 9563076204. Kindly keep the slip in case you would like to return or state your product’s warranty.


    26 October 2016: order_details_56f220432.zip: Extracts to: order details 144BAA.vbs
    Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
    http ://hankookm.com/lun77kyf which is transformed by the script to q3SAQ4aZNZ0p.dll ...
    C2 are http ://95.46.98.25 /linuxsucks.php and http ://umjjvccteg .biz/linuxsucks.php
    Payload Security[3] shows several others as well... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1477482479/

    ** https://malwr.com/analysis/NzE2YWY2Y...RjYjkyMTBlNzE/
    Hosts
    101.79.129.33
    95.46.98.25
    78.46.170.94
    91.226.92.225
    69.195.129.70


    3] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    173.254.70.156
    95.46.98.25
    91.226.92.225
    78.46.170.94

    ___

    Fake 'Invoice' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/invoi...elivers-locky/
    26 Oct 2016 - "... Locky downloader.. an email with the subject of 'Invoice-350797-93872806-090-9B5248A' (random numbers) pretending to come from invoice@ random companies and email addresses with a random numbered invoice zip attachment containing a jse file... One of the emails looks like:
    From: invoices@ greyport .net
    Date: Wed 26/10/2016 12:35
    Subject: Invoice-350797-93872806-090-9B5248A
    Attachment: 20161026_93872806_Invoice.zip
    Dear Customer,
    Please find attached Invoice 93872806 for your attention.
    Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.
    For Pricing or other general enquiries please contact your local Sales Team.
    Yours Faithfully,
    Credit Dept’ ...


    26 October 2016: 20161026_93872806_Invoice.zip: Extracts to: 167402123_Invoice.jse
    Current Virus total detections 7/55*. MALWR was unable to show any connections or downloads. Payload Security** shows a download of an encrypted file from
    glyderm .com.ph/t76f3g?awKAvfeuvvV=PyooUmcME but doesn’t show or allow download of the actual Locky binary... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1477481832/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    162.214.20.198
    91.200.14.124
    144.76.177.194
    185.127.27.100
    69.195.129.70
    52.32.150.180
    54.230.197.227

    ___

    WhatsApp in-the-wild scams
    - https://blog.malwarebytes.com/cyberc...the-wild-scam/
    Oct 26, 2016

    Other related post(s):
    WhatsApp Elegant Gold Hits the Digital Catwalk
    > https://blog.malwarebytes.com/cyberc...gital-catwalk/
    Don’t Get Stuck on WhatsApp Stickers…
    > https://blog.malwarebytes.com/cyberc...sapp-stickers/
    Scams, PUPs Target Would-be WhatsApp Voice Users
    > https://blog.malwarebytes.com/cyberc...p-voice-users/
    WhatsApp Hack Promises Messages, Delivers PUPs
    > https://blog.malwarebytes.com/cyberc...delivers-pups/
    WhatsApp Spam Campaign Leads to Malware
    > https://blog.malwarebytes.com/cyberc...ds-to-malware/

    Last edited by AplusWebMaster; 2016-10-26 at 22:55.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
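    An added example (not code from dynamoo or myonlinesecurity): a small proxy-log matcher built from the indicators quoted in the post above, i.e. the /linuxsucks.php check-in path every Locky sample phones home to, dynamoo's recommended CIDR blocklist for the 'Your order' run, and the myvnc .com dynamic-DNS domain from the Adwind sample. The log format (timestamp, client, method, URL) and every log line in the block are constructed for the example.

```python
"""Match web-proxy log lines against the Locky / Adwind indicators quoted above.

Added example, not code from the quoted blogs. The indicators come from the
post; the proxy-log format (timestamp client method url) and the log lines
are constructed for this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# dynamoo's recommended blocklist for the 'Your order' run; a /32 for the single host
BLOCKLIST = [ipaddress.ip_network(n) for n in
             ("78.46.170.64/27", "95.46.98.0/23", "91.226.92.225/32")]

# every Locky sample in the post phones home to this path
C2_PATH = re.compile(r"/linuxsucks\.php$", re.IGNORECASE)

# dynamic-DNS providers to block outright (only myvnc.com is named in the post)
DDNS_SUFFIXES = ("myvnc.com",)

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def host_in_blocklist(host):
    """True if host is an IP literal inside one of the blocklisted ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; resolving it is out of scope here
    return any(addr in net for net in BLOCKLIST)


def is_dynamic_dns(host):
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)


def classify(line):
    """Return {'client', 'host', 'reasons'} for one log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    reasons = []
    if host_in_blocklist(host):
        reasons.append("blocklisted-ip")
    if C2_PATH.search(url.path):
        reasons.append("locky-checkin-path")
    if is_dynamic_dns(host):
        reasons.append("dynamic-dns")
    return {"client": m["client"], "host": host, "reasons": reasons}


def scan(lines):
    """Only the lines that matched at least one indicator."""
    return [r for r in map(classify, lines) if r and r["reasons"]]


# constructed proxy log: one infected client checking in, one client touching a blocked range,
# one client resolving a dynamic-DNS host
SAMPLE_LOG = """\
2016-10-26T12:49:55Z 10.0.0.23 GET http://hankookm.com/lun77kyf
2016-10-26T12:50:01Z 10.0.0.23 POST http://95.46.98.25/linuxsucks.php
2016-10-26T12:50:02Z 10.0.0.23 POST http://umjjvccteg.biz/linuxsucks.php
2016-10-26T12:51:00Z 10.0.0.44 GET http://78.46.170.70/
2016-10-26T12:51:05Z 10.0.0.44 GET https://www.example.com/
2016-10-26T12:52:10Z 10.0.0.51 GET http://boscpakloka.myvnc.com/
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], hit["host"], ",".join(hit["reasons"]))
```

    Note that the first line, the fetch of the encrypted payload from hankookm .com, is not flagged: the download hosts rotate per script variant (the "long list of domain-names" dynamoo refers to), so the check-in path and the C2 ranges are the more durable indicators, and a hostname C2 such as umjjvccteg .biz is only caught by the path.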

  #1078 (AplusWebMaster, Adviser Team)

    Fake 'Bill overdue', 'Account Reactivation', 'Order Details', 'E-TICKET' SPAM

    FYI...

    Fake 'Bill overdue' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/bill-...-thor-version/
    27 Oct 2016 - "... Locky downloader... an email with the subject of 'Bill overdue' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with detailed_bill containing a vbs file... One of the emails looks like:
    From: Edmund Parks <Parks.390@ airtelbroadband .in>
    Date: Thu 27/10/2016 09:11
    Subject: Bill overdue
    Attachment: detailed_bill_251752d.zip
    This is from the Telephone Company to remind you that your bill is overdue. Please see the attached bill for the fine charge.


    27 October 2016: detailed_bill_251752d.zip: Extracts to: detailed bill 1C938E2.vbs
    Current Virus total detections 7/55*. MALWR** shows a download of an encrypted file from
    http ://tahradeep .com/1tuqd which is transformed by the script to yNBjdb1LZklImF.dll (VirusTotal 11/57***).
    C2 are http ://83.217.11.193 /linuxsucks.php | http ://91.201.42.24 /linuxsucks.php
    Payload Security[4] shows a few different download locations for the encrypted files but no C2... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1477556155/

    ** https://malwr.com/analysis/ZTE3YTBhY...E0YWZiMmM2ODU/
    Hosts
    67.171.65.64
    91.201.42.24
    83.217.11.193


    *** https://www.virustotal.com/en/file/b...is/1477557085/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    67.171.65.64
    119.29.37.110
    122.114.89.157


    - http://blog.dynamoo.com/2016/10/malw...telephone.html
    27 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
    Subject: Bill overdue
    From: Alexandria Maxwell
    Date: Thursday, 27 October 2016, 9:35
    This is from the Telephone Company to remind you that your bill is overdue.
    Please see the attached bill for the fine charge.


    The sender name varies. Attached is a ZIP file which in the sample I saw was named detailed_bill_a9ec14342.zip containing a malicious script... detailed bill C43A9.vbs. The Malwr Report* and Hybrid Analysis** for that script shows behaviour consistent with Locky ransomware, and my sources (thank you) tell me that the various scripts download...
    (Long list of domain-names at the dynamoo URL above.)
    ... A DLL is dropped with a detection rate of 11/56***, and the malware then phones home to:
    91.201.42.24/linuxsucks.php (RuWeb LLC, Russia)
    83.217.11.193/linuxsucks.php [hostname: artkoty.fortest .website] (Park-Web Ltd, Russia)
    91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti .ru] (Optibit LLC, Russia)
    Recommended blocklist:
    91.201.42.24
    83.217.11.193
    91.230.211.150
    "

    * https://malwr.com/analysis/OWUyNjBhN...ZkNDI0YTNmMDM/
    Hosts
    92.53.96.20
    91.201.42.24
    83.217.11.193


    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    67.171.65.64
    83.217.11.193
    91.230.211.150
    91.201.42.24


    *** https://virustotal.com/en/file/f81df...is/1477560896/
    ___

    Fake 'Account Reactivation' SPAM - delivers java adwind
    - https://myonlinesecurity.co.uk/accou...s-java-adwind/
    27 Oct 2016 - "... -fake- financial themed emails containing java adwind attachments... The email looks like:
    From: Npc@ westernunion .com <accounts@ petnet .com .ph>
    Date: Thu 27/10/2016 04:56
    Subject: Account Reactivation
    Attachment: Account Reactivation.zip
    Dear Agent,
    Our security team has detected a hacking attempt on your account /Terminal . Luckily, the attempt has been blocked and the account/ terminal has been suspended with no financial loss.
    Now in order to reactivate the account and avoid the recurrence of such incident, we strongly recommend that you follow the reactivation process attached and share the outcome with our security team copied.
    Let us know if you have any questions.
    Kind regards,
    Zineb Abdouss
    Sr. Regional Operations Specialist, North, and Western Asia
    Western Union
    7th floor, shore 13
    1100 Boulevard Al Qods-Quartier Sidi Maarouf
    20270 Casablanca – Morocco ...


    27 October 2016: Account Reactivation manual.jar (119kb) - Current Virus total detections 22/56*. MALWR**...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1477547372/

    ** https://malwr.com/analysis/ZjI2YTVjO...NlMjZmZGM3MzM/
    Hosts
    216.107.152.224
    ___

    Fake 'Order Details' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/james...s-office-docs/
    27 Oct 2016 - "An email with the subject of 'Re: Order Details' pretending to come from James Correy <jamescorrey@ gmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
    Update: I am reliably informed it is a pony dropper with the pony binary embedded inside the word doc using
    http ://www .octpendant .org.in/chixthree-18oct-18nov/gate.php

    27 October 2016: BL-06038711.DOC - Current Virus total detections 11/54*... a manual analysis of the macro enabled doc shows a connection to http ://travelinsider .com.au/021ygs7 which currently gives a php error... opens in Microsoft word with a message to 'enable editing to see content'... Payload Security** does show an informative download of an .exe file JF.cm d which VirusTotal 15/56*** detects...
    > https://myonlinesecurity.co.uk/wp-co...1-1024x306.png

    Screenshot: https://myonlinesecurity.co.uk/wp-co...l-1024x621.png

    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1477547380/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/b...is/1477548223/
    ___

    Fake 'E-TICKET' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/10/malw...-leads-to.html
    27 Oct 2016 - "More Locky ransomware today..
    From "Matthew standaloft"
    Date Thu, 27 Oct 2016 15:20:27 +0530
    Subject E-TICKET 41648
    Dear Sir ,
    Please find the attached E-ticket as per your requested.
    Thanks & Regards ,
    Matthew standaloft


    Attached is a ZIP file containing a randomly-named .WSF script, downloading more evil... (according to my usual source):
    (Long list of domain-names at the dynamoo URL above.)
    ... This drops a malicious DLL with a detection rate of 9/56*. The following C2 servers are contacted:
    83.217.11.193/linuxsucks .php [hostname: artkoty.fortest .website] (Park-Web Ltd, Russia)
    91.201.202.12/linuxsucks .php (FLP Anoprienko Artem Arkadevich aka host-ua .com, Ukraine)
    213.159.214.86/linuxsucks .php (JSC Server, Russia)
    Recommended blocklist (also see this other spam run** today):
    83.217.11.193
    91.201.202.12
    213.159.214.86
    "
    * https://www.virustotal.com/en/file/f...8277/analysis/

    ** http://blog.dynamoo.com/2016/10/malw...telephone.html

    - https://myonlinesecurity.co.uk/e-tic...-thor-version/
    27 Oct 2016 - "... Locky downloader... an email with the subject of 'E-TICKET 0385' (random numbers) coming as usual from random companies, names and email addresses with a semi-random numbered zip attachment that matches the subject number containing a random numbered wsf file... One of the emails looks like:
    From: Jacqueline lewis <Jacqueline.lewis022@ pro-youthrodeo .org>
    Date: Thu 01/09/2016 19:22
    Subject: E-TICKET 0385
    Attachment: 0385.zip
    Dear Sir ,
    Please find the attached E-ticket as per your requested.
    Thanks & Regards ,
    Jacqueline lewis


    27 October 2016: 0385.zip: Extracts to: 8910682.wsf - Current Virus total detections 9/55*
    MALWR** shows a download of an encrypted file from http ://139.162.29.193 /g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
    which is transformed by the script to mujVqbry1.dll (VirusTotal 9/56***). C2 is:
    http ://83.217.11.193 /linuxsucks.php
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1477560672/

    ** https://malwr.com/analysis/NGVmYjM5Z...QyZTI2YWRlM2U/
    Hosts
    139.162.29.193
    83.217.11.193


    *** https://www.virustotal.com/en/file/f...is/1477559703/
    ___

    Fake 'Receipt' SPAM - delivers locky
    - https://myonlinesecurity.co.uk/blank...-thor-version/
    27 Oct 2016 - "... Locky downloader... a -blank- email with the subject of 'Receipt' 1578-92517 (random numbers) once again pretending to come from random names at Gmail .com with a semi-random named/numbered zip attachment matching the subject line containing a WSF file... One of the emails looks like:
    From: ashley.baring@ gmail .com
    Date: Thu 27/10/2016 15:15
    Subject: Receipt 1578-92517
    Attachment: Receipt 1578-92517.zip


    Body content: completely blank/empty

    27 October 2016: Receipt 1578-92517.zip: Extracts to: Receipt 89598-1810311.wsf
    Current Virus total detections 13/55*. MALWR** shows a download of an encrypted file from
    http ://www .acclaimenvironmental .co.uk/g67eihnrv?TCwKroMse=uwIrKcwhz which is transformed by the script to TQTOMcCTi1.dll (VirusTotal 7/57***). C2 http ://83.217.11.193 /linuxsucks.php. Payload Security[4] shows additional C2 locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1477578664/

    ** https://malwr.com/analysis/ODdmMTZjN...NmM2YwNTlhZWY/
    Hosts
    89.145.76.9
    83.217.11.193


    *** https://www.virustotal.com/en/file/0...is/1477579336/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    89.145.76.9
    213.159.214.86
    83.217.11.193
    91.201.202.12
    192.42.116.41
    52.32.150.180
    54.192.11.30


    Last edited by AplusWebMaster; 2016-10-27 at 21:02.
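    An added example (not code from the quoted blogs): endpoint-side detection of the chain the 'Bill overdue', 'E-TICKET' and 'Receipt' write-ups above describe, i.e. a script host started on a .vbs/.wsf pulled out of a mailed ZIP, then a DLL written to a user-writable path and loaded from there. The process-creation events are constructed inline in a Sysmon-like shape (pid, ppid, image, cmdline). The extraction folder (Explorer's Temp1_<zip name> directory), the user name and the use of rundll32 to load the dropped DLL are assumptions made for the example; the posts only say the script "autoruns" the DLL.

```python
"""Flag a script host launched from a user-writable path and a DLL loader
started by it (or loading from such a path on its own).

Added example, not code from the quoted blogs. Events are constructed below;
the Temp1_<zip name> folder, the user name and rundll32 as the loader are
assumptions for the example.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
SCRIPT_EXTS = (".wsf", ".vbs", ".vbe", ".js", ".jse", ".hta")

# locations an unprivileged user can write to; mailed scripts land here
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(?:appdata\\|downloads\\|desktop\\)", re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def args_of(cmdline):
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def first_with_ext(args, exts):
    """First argument whose path part ends in one of exts (handles rundll32's path,Export form)."""
    for a in args:
        path = a.split(",", 1)[0]
        if path.lower().endswith(exts):
            return path
    return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return alerts as (pid, rule, path) for events given in creation order."""
    flagged_script_hosts = set()
    alerts = []
    for e in events:
        image = basename(e["image"])
        args = args_of(e["cmdline"])[1:]  # argv[0] is the image itself
        if image in SCRIPT_HOSTS:
            script = first_with_ext(args, SCRIPT_EXTS)
            if script and USER_WRITABLE.search(script):
                flagged_script_hosts.add(e["pid"])
                alerts.append((e["pid"], "script-host-from-user-path", script))
        elif image in DLL_LOADERS:
            dll = first_with_ext(args, (".dll",))
            if dll and USER_WRITABLE.search(dll):
                rule = ("script-host-spawned-dll-loader" if e["ppid"] in flagged_script_hosts
                        else "dll-load-from-user-path")
                alerts.append((e["pid"], rule, dll))
    return alerts


# constructed events: one infection chain plus two benign look-alikes
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 500, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\bob\AppData\Local\Temp\Temp1_Receipt 1578-92517.zip\Receipt 89598-1810311.wsf"'},
    {"pid": 1200, "ppid": 1100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Users\bob\AppData\Local\Temp\TQTOMcCTi1.dll"'},
    {"pid": 1300, "ppid": 1000, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\inventory.vbs"},  # admin logon script, system path
    {"pid": 1400, "ppid": 1000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # Control Panel
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(*alert)
```

    The two benign events show why the rule keys on the script or DLL path rather than on the image name: wscript.exe and rundll32.exe are used legitimately all day, but a script host reading from a Temp1_*.zip folder, or a DLL loaded out of %TEMP% by a child of that script host, is exactly what these ZIP-wrapped downloaders look like on the host.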

  #1079 (AplusWebMaster, Adviser Team)

    Fake 'New fax received', 'Payment history', 'Document' SPAM, Dridex new '0-Day'

    FYI...

    Fake 'New fax received' SPAM - delivers Trickbot banking trojan
    - https://myonlinesecurity.co.uk/impor...anking-trojan/
    28 Oct 2016 - "... unusual email with the subject of 'Important – New fax received' pretending to come from Administrator <Administrator@ internalfax .net> or Administrator <Administrator@ internalfax .com> with either a malicious word doc attachment or a zip file containing a .js file which downloads Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...d-1024x545.png

    Both emails pass all validation checks, SPF & DKIM, so they blow past spam filters, and -both- domains are newly registered -today- with the sole aim of spreading malware. Domains are both registered by and hosted by GoDaddy..

    28 October 2016: InternalFax.js - Current Virus total detections 3/55*. MALWR** shows a download from
    http ://www .tessaban .com/admin/images/jsjsjsihfsdkq.png which of course is -not- a png but a renamed .exe file. The JavaScript -renames- it to vQjiLVqR.exe and autoruns it. (VirusTotal 26/56***). Payload Security[4] was unable to contact any download sites or download the malware...

    28 October 2016: InternalFax.doc - VirusTotal 2/52[5] | Payload Security[6] shows a download from
    futuras .com/dodocdoddus .exe which is -renamed- to 10575.exe and autorun by the macro in the word doc
    (VirusTotal 8/56[7]) MALWR[8] shows the downloads from either
    http ://futuras .com/dodocdoddus.exe or http ://fax-download .com/lindoc1.exe
    (fax-download .com registered -yesterday- 27 October 2016 and hosted on 23.95.37.89 host.colocrossing .com)...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

    futuras .com: 203.199.134.21: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/e3...71fe/analysis/

    23.95.37.89: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/9b...d8cd/analysis/

    * https://www.virustotal.com/en/file/5...is/1477673159/

    ** https://malwr.com/analysis/Y2FhZTg2Y...IyYjM1NmUxNzQ/
    Hosts
    61.19.247.54
    78.47.139.102
    91.219.28.77
    8.254.207.62
    193.9.28.24
    37.1.209.51
    138.201.44.28
    188.116.23.98
    104.250.138.194
    80.79.114.179


    *** https://www.virustotal.com/en/file/7...is/1477671917/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    61.19.247.54
    78.47.139.102
    91.219.28.77
    80.79.114.179
    193.124.177.117


    5] https://www.virustotal.com/en/file/f...is/1477672660/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    23.95.37.89
    78.47.139.102
    91.219.28.77
    80.79.114.179
    193.124.177.117


    7] https://www.virustotal.com/en/file/0...is/1477674272/

    8] https://malwr.com/analysis/YjUwYzA0O...E0ZmVhODZhNmI/
    Hosts
    210.16.101.168
    203.199.134.21
    78.47.139.102
    54.243.70.107
    64.182.208.184
    64.182.208.182
    64.182.208.181
    64.182.208.183
    66.171.248.178
    188.40.53.51
    91.219.28.77
    193.9.28.24

    ___

    Fake 'Payment history' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/payme...-thor-version/
    28 Oct 2016 - "... Locky downloader... an email with the subject of 'Payment history' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with payment_history containing a VBS file... This is very similar to last night’s Locky malspam[1] where the download is an actual executable file, not an encrypted file needing decoding, although called a txt file. The VBS just renames it to the dll name...
    1] https://myonlinesecurity.co.uk/pleas...-thor-version/
    One of the emails looks like:
    From: Lionel Hall <Hall.748@ nrjleman .com>
    Date: Fri 28/10/2016 09:58
    Subject: Payment history
    Attachment: payment_history_64b96be.zip
    The payment history for the first week of October 2016 is attached as you requested. Please review it and let us know if you have any question.


    28 October 2016: payment_history_64b96be.zip: Extracts to: payment history EE5B8 PDF.vbs
    Current Virus total detections 8/54*. MALWR** shows a download of a file from
    http ://92hanju .com /utl41nrt which is renamed by the script to r7vl3GrYKGPE0uLB0.dll (VirusTotal 12/56***).
    C2 is http ://83.217.11.193 /linuxsucks.php . Payload Security[4] shows alternative download locations & C2 but for some strange reason isn’t showing the downloaded Locky binary as malicious... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1477646733/

    ** https://malwr.com/analysis/M2IyNmIwY...YwNTc0OTEzNjc/
    Hosts
    133.130.109.98
    185.154.13.79
    83.217.11.193


    *** https://www.virustotal.com/en/file/a...is/1477647176/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    213.176.241.230
    185.154.13.79
    83.217.11.193
    46.148.26.99
    194.1.239.152
    91.230.211.150


    - http://blog.dynamoo.com/2016/10/malw...-leads-to.html
    28 Oct 2016 - "... another spam run pushing Locky ransomware:
    Subject: Payment history
    From: Theodore Wilkins
    Date: Friday, 28 October 2016, 10:09
    The payment history for the first week of October 2016 is attached as you requested.
    Please review it and let us know if you have any question.


    The sender name varies from message to message. Attached is a ZIP file named in a similar way to payment_history_aecca55b.zip containing a malicious VBS script... (e.g. payment history 6848D10A PDF.vbs). You can see some of the activities of these scripts in these automated analyses [1] [2].
    There are many different variants of the script, downloading components...
    (Many domain-names listed at the dynamoo URL above.)
    ... (Thank you to my usual source for this data). The malware phones home to:
    83.217.11.193/linuxsucks .php [hostname: artkoty.fortest .website] (Park-web Ltd, Russia)
    46.148.26.99/linuxsucks .php [hostname: tarasik1.infium .net] (Infium, UAB, Ukraine)
    194.1.239.152/linuxsucks .php (Internet Hosting Ltd, Russia)
    91.230.211.150/linuxsucks .php [hostname: tarasik.freeopti .ru] (Optibit LLC, Russia)
    185.154.13.79/linuxsucks .php (Dunaevskiy Denis Leonidovich, Ukraine) ...
    A DLL is dropped with a detection rate of 12/57*.
    Recommended blocklist:
    83.217.11.193
    46.148.26.99
    194.1.239.152
    91.230.211.150
    185.154.13.79
    "
    1] https://malwr.com/analysis/ZGFmYzVlM...NjZjRjNWQ4MmU/
    Hosts
    185.2.128.114
    46.148.26.99


    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.2.128.114
    185.154.13.79
    83.217.11.193
    194.1.239.152
    91.230.211.150
    46.148.26.99


    * https://virustotal.com/en/file/7f18d...04b6/analysis/
    ___

    Fake 'Document' SPAM - delivers trickbot banking Trojan
    - https://myonlinesecurity.co.uk/docum...anking-trojan/
    28 Oct 2016 - "An email with the subject of 'Document' from random names pretending to come from random name <random.name@ victim domain .tld> with a malicious word doc attachment delivers a trickbot banking Trojan... This uses a somewhat complicated method of delivery to try to bypass antivirus and content protection, but basically the macro inside the word doc creates a lnk file, calls on powershell to run the lnk file which connects to the web server to download a file, which is in turn renamed, moved & autorun by the powershell instruction inside the macro. The alleged senders name matches the subject line, the name in the body of the email and the document name... The email looks like:
    From: Tommy Griggs <Tommy.Griggs@ oneknight .co.uk>
    Date: Fri 28/10/2016 02:37
    Subject: Document from Griggs
    Attachment: Griggs-2810-824.doc
    My company sent you a document. Check it attached.
    Regards,
    Tommy Griggs
    Challenger Limited


    28 October 2016: Griggs-2810-824.doc - Current Virus total detections 3/53*
    Payload Security** shows a download from futuras .com/ksdjgdfhmsc.exe (VirusTotal 12/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1477637824/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    203.199.134.21
    78.47.139.102
    91.219.28.77
    80.79.114.179
    193.124.177.117


    *** https://www.virustotal.com/en/file/4...is/1477629101/
    ___

    Dridex - new "0-Day-Distribution" method
    - https://payload-security.blogspot.co...bution_27.html
    Oct 27, 2016 - "The banking trojan Dridex (also known as Cridex, Feodo, Geodo, etc.) has been distributed in the past via malicious documents containing macros sent by E-Mail. Just yesterday we discovered a new distribution method that is undetected by the various Sandbox solutions we have access to and all AV engines. We were able to happily share and send those infected files via Skype, Gmail and other platforms. So while Dridex itself isn't new, the distribution method definitely is - and it will be very successful looking at current 0% detection ratio. In a sense, it is a "zero-day-distribution" method so we decided to use that term...
    > https://3.bp.blogspot.com/-DTnOJp68-...B/s1600/vt.png
    As has been a recent trend we see for targeted attacks (more on that later), this malicious Office file does not contain any macros (or exploits, actually) to execute the payload... Instead, the document contains an embedded file, which can be extracted from the "oleObject1.bin" file in the "embeddings" folder. In this case, as it is a Word file, the relative pathway would be word/embeddings/oleObject1.bin... Simply opening the document will cause nothing to happen initially. Instead, the embedded file has to be double-clicked. This is the first "hurdle" that most Sandbox systems will have difficulties with:
    > https://3.bp.blogspot.com/-4gHVNlGDm...2B19.50.17.png
    After double-clicking the file - on a default configured system - an additional prompt will have to be passed:
    > https://2.bp.blogspot.com/-sjrRV6nAj...2B20.26.36.png
    ... only if we -click- "Open" on that prompt, the actual LNK file and consequently the Command Prompt -> Powershell execution chain will trigger and download Dridex..."
    (More detail at the payload-security URL above.)

    >> https://myonlinesecurity.co.uk/malfo...macro-viruses/
    ___

    'Your Bill' is -Not- Overdue ... Locky
    - https://isc.sans.edu/diary.html?storyid=21647
    2016-10-27 - "... It looks like today's ransomware subject is 'Your Bill is Overdue'. But then again, don't bother blocking it. Block ZIP'ed visual basic scripts. This round of Locky makes blocking a tad harder by using 'application/octet-stream' as a Content-Type instead of 'application/zip'... I received just about 1,000 attachments like that, and about 4000 total..."

    Last edited by AplusWebMaster; 2016-10-28 at 23:23.
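    An added example (not code from ISC, Payload Security or myonlinesecurity): a mail-gateway attachment check along the lines of the ISC diary above, "block ZIP'ed visual basic scripts", done by content rather than by the declared Content-Type, so the application/octet-stream trick does not help the sender. Because Office Open XML files are ZIPs as well, the same walk over the archive members also flags a VBA project (the 'Document'/'New fax received' macro docs) and embedded OLE objects under word/embeddings/ (the macro-less Dridex delivery described by Payload Security). The .eml and its three attachments are constructed inline; the file names are borrowed from the posts, the bytes are placeholders, not malware.

```python
"""Inspect mailed ZIP/OOXML attachments by content, ignoring the declared Content-Type.

Added example, not code from the quoted posts. The message and attachments
are constructed below with placeholder bytes.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
              ".jar", ".lnk", ".cmd", ".bat", ".ps1"}
ZIP_MAGIC = b"PK\x03\x04"


def inspect_zip_bytes(data):
    """Reasons to block this archive (empty list means nothing found)."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    for name in names:
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in SCRIPT_EXT:
            reasons.append(f"script member {name}")
    # Office Open XML documents are ZIPs too: look at their parts
    if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
        if any(n.endswith("vbaProject.bin") for n in names):
            reasons.append("VBA macro project")
        embedded = [n for n in names if "/embeddings/" in n]
        if embedded:
            reasons.append("embedded OLE object(s): " + ", ".join(embedded))
    return reasons


def inspect_message(raw):
    """Findings for every attachment that is a ZIP by magic bytes, whatever it claims to be."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not data.startswith(ZIP_MAGIC):
            continue  # not a ZIP container; other formats are out of scope here
        reasons = inspect_zip_bytes(data)
        if reasons:
            findings.append({"filename": part.get_filename(),
                             "declared_type": part.get_content_type(),
                             "reasons": reasons})
    return findings


def _zip(members):
    """Build an in-memory ZIP from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_eml():
    """Constructed message: blank 'Receipt' mail with three attachments."""
    msg = EmailMessage()
    msg["From"] = "ashley.baring@example.invalid"
    msg["Subject"] = "Receipt 1578-92517"
    msg.set_content("")  # body is blank, as in the 'Receipt' run
    # ZIP holding a .wsf, declared as application/octet-stream rather than application/zip
    msg.add_attachment(_zip({"Receipt 89598-1810311.wsf": "<job><script language='VBScript'>'placeholder</script></job>"}),
                       maintype="application", subtype="octet-stream",
                       filename="Receipt 1578-92517.zip")
    # Word document with an embedded OLE object and no macro
    msg.add_attachment(_zip({"[Content_Types].xml": "<Types/>",
                             "word/document.xml": "<w:document/>",
                             "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0placeholder"}),
                       maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="Griggs-2810-824.docx")
    # harmless ZIP with a text file, should pass
    msg.add_attachment(_zip({"notes.txt": "nothing to see"}),
                       maintype="application", subtype="zip", filename="notes.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in inspect_message(build_sample_eml()):
        print(f["filename"], f["declared_type"], "; ".join(f["reasons"]))
```

    The embedded-object check is deliberately blunt: a document with anything under word/embeddings/ is held for review, because, as the Payload Security write-up notes, the object only runs after a double-click and a prompt, so a sandbox that never clicks will report it clean.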

  #1080 (AplusWebMaster, Adviser Team)

    Fake 'Wrong tracking number', 'SureVoIP', 'electronic billing', 'BANK SLIP' SPAM

    FYI...

    Fake 'Wrong tracking number' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/10/malw...ng-number.html
    31 Oct 2016 - "This spam email leads to Locky ransomware:
    From "Samuel Rodgers"
    Date Mon, 31 Oct 2016 15:21:22 +0530
    Subject Wrong tracking number
    It looks like the delivery company gave us the wrong tracking number.
    Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.


    The name of the sender varies. Attached is a ZIP file named in a format similar to tracking_number_8b5b0ab.zip which in turn contains a malicious VBS script... named something like tracking number A99DB PDF.vbs... full list of download locations...
    (Long list of domain-names at the dynamoo URL above.)
    The malware phones home to:
    91.107.107.241/linuxsucks .php [hostname: cfaer12.example .com] (Cloudpro LLC, Russia)
    95.163.107.41/linuxsucks .php [hostname: shifu05 .ru] (JSC Digital Network, Russia)
    146.120.89.98/linuxsucks .php (Ukrainian Internet Names Center aka ukrnames .com, Ukraine)
    194.1.239.152/linuxsucks .php (Internet Hosting Ltd aka majorhost .net, Russia)
    5.187.7.111/linuxsucks .php (Fornet Hosting, Spain)
    Recommended blocklist:
    5.187.7.111
    91.107.107.241
    95.163.107.41
    146.120.89.98
    194.1.239.152
    "

    - https://myonlinesecurity.co.uk/malsp...elivers-locky/
    31 Oct 2016 - "... Locky downloader... an email with the subject of 'Wrong tracking number' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with tracking_number_ containing a VBS file that pretends to be a PDF... similar to recent Locky malspam[1] where the download is an actual executable file, not an encrypted file needing decoding, although called a txt file. The VBS just renames it to the dll name...
    1] https://myonlinesecurity.co.uk/pleas...-thor-version/

    31 October 2016: tracking_number_aa587827b.zip: Extracts to: tracking number A1964B3 PDF.vbs
    Current Virus total detections 6/55*. Payload Security** seems unable to get any payload from this vbs although manual analysis easily revealed the download locations:
    http ://business-cambodia .com/he8wtc | http ://archilog .at/imwjmt | http ://badznaptak .pl/inlgm49
    http ://aconetrick .com/6yoajl7 | http ://ficussalm .com/8pmjmwp
    All these files are executable files and the VBS just renames them to a DLL and autoruns it (VirusTotal 14/57[3])...
    One of the emails looks like:
    From: Eldridge Beard <Beard.69896@ srimina .com>
    Date: Mon 31/10/2016 09:05
    Subject: Wrong tracking number
    Attachment: tracking_number_aa587827b.zip
    It looks like the delivery company gave us the wrong tracking number. Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.


    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1477906017/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    3] https://www.virustotal.com/en/file/5...is/1477908982/
    ___

    Fake 'SureVoIP' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/10/malw...mail-from.html
    31 Oct 2016 - "This -fake- voicemail message leads to Locky ransomware:
    Subject: Voicemail from Catalina rigby 02355270166 <02355270166> 00:01:22
    From: SureVoIP (voicemailandfax@[redacted])
    Date: Monday, 31 October 2016, 11:17
    Message From "Catalina rigby 02355270166" 02355270166
    Created: 2016.10.31 14:46:53 PM
    Duration: 00:01:22
    Account: voicemailandfax@ [redacted]


    Details will vary from message to message. Attached is a ZIP file with a name similar to msg_252f-477a-6bd9-371f-330671579edb.zip which contains a malicious WSF script. My source tells me that the various scripts then download a component...
    (Long list of domain-names at the dynamoo URL above.)
    The C2 servers overlap with the ones found here.
    91.107.107.241/linuxsucks .php [hostname: cfaer12.example .com] (Cloudpro LLC, Russia)
    95.163.107.41/linuxsucks .php [hostname: shifu05 .ru] (JSC Digital Network, Russia)
    146.120.89.98/linuxsucks .php (Ukrainian Internet Names Center aka ukrnames .com, Ukraine)
    Recommended blocklist:
    5.187.7.111
    91.107.107.241
    95.163.107.41
    146.120.89.98
    194.1.239.152
    "
    ___

    Fake 'electronic billing' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/malsp...elivers-locky/
    31 Oct 2016 - "... Locky downloader... an email with the subject of 'Document No 50319282' (random numbers) pretending to come from accounts @ your own email address with a semi-random named zip attachment starting with 'File' containing a WSF file... One of the emails looks like:
    From: NANNIE DONNELLY <accounts@ [redacted] .co.uk>
    Date: Thu 01/09/2016 19:22
    Subject: Document No 50319282
    Attachment: File 50319282.zip
    Thanks for using electronic billing
    Please find your document attached
    Regards
    NANNIE DONNELLY


    31 October 2016: File 50319282.zip: Extracts to: XY4918-1310.wsf - Current Virus total detections 10/55*
    MALWR** shows a download of a file from
    http ://www .shavash .ir/g7cberv?LoeMqQM=BQqhBkykpgn which is renamed by the script to hndYhViGx1.dll
    (VirusTotal 8/56***). C2 are http ://95.163.107.41 /linuxsucks.php and http ://tdhyjfxltpj .pw/linuxsucks.php
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1477916645/

    ** https://malwr.com/analysis/M2JiZTcwO...c2ZTdkYzEyMWU/
    Hosts
    136.243.80.209
    146.120.89.98
    91.107.107.241
    95.163.107.41
    192.42.116.41


    *** https://www.virustotal.com/en/file/9...is/1477926737/
    ___

    Fake 'BANK SLIP' SPAM - delivers Tesla keylogger
    - https://myonlinesecurity.co.uk/malsp...known-malware/
    31 Oct 2016 - "... malware delivery email... an email with the subject of 'BANK SLIP' coming as usual from what looks like random companies, names and email addresses with a zip attachment that contains some unknown malware. VirusTotal only shows generic detections...
    Update: I am being reliably informed that it is Agent Tesla keylogger* that sends info home to aqeel@ ubsrwp .pk . A recent similar attack but using malicious word docs with macros to deliver the payload is described HERE** with screenshots and a good description of the information...
    * https://twitter.com/malwrhunterteam/...18062953938944

    ** https://www.zscaler.com/blogs/resear...cybersquatting

    31 October 2016: Bank Slip.zip: Extracts to: Bank Slip.exe - Current Virus total detections 9/57[3]
    MALWR doesn’t show much [4]. | Payload Security[5]...
    3] https://www.virustotal.com/en/file/f...is/1477892702/

    4] https://malwr.com/analysis/YzNhYzBhY...M5YTkxZDIxZGM/

    5] https://www.hybrid-analysis.com/samp...ironmentId=100

    One of the emails looks like:
    From: wagagrove@ otbsporti.com
    Date: Thu 01/09/2016 19:22
    Subject: BANK SLIP
    Attachment: Bank Slip.zip
    Dear Sir,
    Pleased be informed payment done as attached.
    Regards,
    Waga
    Sales/Account Department
    MOTOTECHNICA SOLUTION LTD.
    GST NO : 0018898212965 ...


    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

    ubsrwp .pk: 198.24.190.35: https://www.virustotal.com/en/ip-add...5/information/

    Last edited by AplusWebMaster; 2016-10-31 at 19:23.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
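The posts above share two defensive handles: the lures are ZIP attachments wrapping a script (WSF or VBS, sometimes with a decoy "PDF" token in front of the real extension), and the downloaders call back to a fixed "/linuxsucks.php" path on the listed C2 hosts. The following Python is an added example written for this thread, not code from any of the quoted write-ups. It inspects ZIP member names without extracting or running anything, and matches constructed proxy log lines against the blocklist IPs and C2 path quoted in the Dynamoo and myonlinesecurity posts. The log line format, client addresses and the "tdhyjfxltpj.pw" hit are constructed sample data for the demonstration.

```python
"""Defender-side triage for ZIP-wrapped script lures and /linuxsucks.php C2 traffic.
Added example: the sample ZIPs and proxy log lines below are constructed, not captured."""
import io
import re
import zipfile
from typing import Dict, List

# File types that have no business arriving inside an unsolicited ZIP attachment.
SUSPECT_EXTENSIONS = {".wsf", ".vbs", ".vbe", ".js", ".jse", ".hta", ".exe", ".scr"}

# Document-looking token placed right before the real extension,
# e.g. "tracking number A1964B3 PDF.vbs" from the 31 Oct 2016 post above.
DECOY_TOKEN = re.compile(r"\b(pdf|doc|docx|xls|xlsx|jpg|png|txt)$")

# Blocklist and C2 hosts quoted in the Dynamoo / myonlinesecurity write-ups above.
BLOCKLIST = {
    "5.187.7.111", "91.107.107.241", "95.163.107.41",
    "146.120.89.98", "194.1.239.152", "136.243.80.209", "192.42.116.41",
}
C2_PATH = "/linuxsucks.php"


def make_sample_zip(member_names: List[str]) -> bytes:
    """Build an in-memory ZIP whose members carry the given names.
    Constructed test data: contents are a harmless placeholder string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, "placeholder")
    return buf.getvalue()


def triage_zip(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per ZIP member whose real extension is a suspect type.
    Only member names are inspected; nothing is extracted or executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower().rsplit("/", 1)[-1]  # drop any folder prefix
            if "." not in lower:
                continue
            stem, ext = lower.rsplit(".", 1)
            ext = "." + ext
            if ext not in SUSPECT_EXTENSIONS:
                continue
            findings.append({
                "member": info.filename,
                "extension": ext,
                # Double-extension trick: a document token hides the script type.
                "decoy_extension": DECOY_TOKEN.search(stem.strip()) is not None,
            })
    return findings


# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2016-10-31T11:20:03Z 10.1.4.22 GET http://95.163.107.41/linuxsucks.php 200",
    "2016-10-31T11:20:09Z 10.1.4.22 POST http://tdhyjfxltpj.pw/linuxsucks.php 200",
    "2016-10-31T11:21:44Z 10.1.7.9 GET http://intranet.example/news.html 200",
    "2016-10-31T11:22:10Z 10.1.4.31 GET http://146.120.89.98/update.php 404",
]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$")
URL_RE = re.compile(r"^https?://(?P<host>[^/?#]+)(?P<path>/[^?#]*)?")


def find_c2_hits(log_lines: List[str]) -> List[Dict[str, object]]:
    """Flag log lines whose destination is a blocklisted host or the known C2 path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        u = URL_RE.match(m["url"])
        if not u:
            continue
        host = u["host"].split(":")[0].lower()
        path = u["path"] or "/"
        reasons = []
        if host in BLOCKLIST:
            reasons.append("blocklisted host")
        if path == C2_PATH:
            reasons.append("known C2 path")
        if reasons:
            hits.append({"client": m["client"], "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    sample = make_sample_zip(["tracking number A1964B3 PDF.vbs", "XY4918-1310.wsf",
                              "Bank Slip.exe", "readme.txt"])
    for finding in triage_zip(sample):
        print("attachment:", finding)
    for hit in find_c2_hits(SAMPLE_PROXY_LOG):
        print("proxy:", hit)
```

The path match is deliberately kept separate from the host match: the myonlinesecurity post shows the same "/linuxsucks.php" script on a domain (tdhyjfxltpj .pw) that is not in the IP blocklist, so a rule keyed only on addresses would miss that callback.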
