
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1081
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Transaction declined', 'New Fax', 'Your Invoice' SPAM, Win 0-day, Malvertising

    FYI...

    Fake 'Transaction declined' SPAM - leads to Locky
    - https://myonlinesecurity.co.uk/malsp...elivers-locky/
    1 Nov 2016 - "... Locky downloader... an email with the subject of 'Transaction declined' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with transaction-details_ containing a VBS file that pretends to be a PDF... One of the emails looks like:
    From: Elena Cooper <Cooper52780@ centraldetraducao .com>
    Date: Thu 01/09/2016 19:22
    Subject: Transaction declined
    Attachment: transaction-details_e78be58f7.zip
    Dear [redacted],
    This is to inform that the transaction you made yesterday is declined.
    Please look through the attachment for the verification of the card details.
    Best Regards,
    Elena Cooper


    Manual decoding of this slightly obfuscated vbs script shows Download locations are:
    http ://17173wang .com/f6w0p
    http ://cdxybg .com/iribzm
    http ://51qudu .com/mqy2pj4
    http ://sonsytaint .com/4mgxlrf
    http ://koranjebus .net/4rwg5
    1 November 2016: paytransaction-details_e78be58f7.zip: Extracts to: transaction_details_39B163E4_PDF.vbs
    delivers [VirusTotal 8/55*].. f6w0p [VirusTotal 7/55**]. Neither MALWR nor Payload Security[3] seems able to actually get the download locations or any payload in these VBS files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1477997125/

    ** https://www.virustotal.com/en/file/a...is/1477997325/

    3] https://www.hybrid-analysis.com/samp...ironmentId=100


    - http://blog.dynamoo.com/2016/11/malw...form-that.html
    1 Nov 2016 - "This -fake- financial spam leads to Locky ransomware:
    Subject: Transaction declined
    From: Chandra Frye
    Date: Tuesday, 1 November 2016, 10:48
    Dear [redacted],
    This is to inform that the transaction you made yesterday is declined.
    Please look through the attachment for the verification of the card details.
    Best Regards,
    Chandra Frye


    The name of the sender will vary. Attached is a ZIP file (e.g. transaction-details_4688d047f.zip) containing a malicious VBS script (e.g. transaction_details_63EC6F26_PDF.vbs)... communicates with the URLs below, but you can be sure that there are many more examples:
    Hybrid Analysis is inconclusive*.
    If I get hold of the C2s or other download locations then I will post them here."
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    UPDATE: My usual reliable source tells me that these are all the download locations...
    (Long list of domain-names at the dynamoo URL above.)
    ... These are the C2s:
    91.234.32.202/linuxsucks .php (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
    81.177.22.164/linuxsucks .php (NETPLACE, Russia)
    Recommended blocklist:
    91.234.32.202
    81.177.22.164
    "
    ___

    Fake 'New Fax' SPAM - leads to TrickBot
    - http://blog.dynamoo.com/2016/11/malw...x-message.html
    1 Nov 2016 - "This -fake- fax leads to TrickBot which appears to be similar to the Dyre banking trojan that we saw a lot of last year..

    Screenshot: https://3.bp.blogspot.com/-DtzfLWMDT...ential-fax.png

    Attached is a Word document (in this case Internal_Fax.doc) which has a pretty low detection rate at VirusTotal of 5/54*. Both the Malwr report** and Hybrid Analysis*** give some clues as to what is going on, but in fact the Malwr report comes out with a binary download location of:
    www .tessaban .com/img/safafaasfasdddd.exe
    This is a -hacked- legitimate website. Downloading that file manually and resubmitting it gives two rather more interesting Malwr[4] and Hybrid Analysis[5] reports, which show the following suspect traffic:
    91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
    193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
    37.1.209.51 (3NT Solutions LLP, UK)
    138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
    23.23.107.79 (Amazon EC2, US)
    ... 3NT Solutions (aka Inferno Solutions/inferno .name) are very, very bad news and I would recommend blocking any IPs you can find for this outfit... If we excise the domestic IPs and blackhole the 3NT/Inferno/uadomen .com ranges we get a recommended blocklist of:
    37.1.208.0/21
    46.22.211.0/24
    91.219.28.0/22
    104.250.138.192/27
    138.201.44.28
    188.116.23.98
    188.138.1.53
    193.9.28.0/24

    However, there's more to this... The original email message is actually signed by local-fax .com and it turns out that this domain was created just -today- with anonymous registration details. The sending IP was 104.130.246.8 (Rackspace, US) and it also turns out that this is widely blacklisted and is probably worth blocking. All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and all the recipients I have seen begin with the letter "a" curiously..."
    * https://virustotal.com/en/file/8e365...8347/analysis/

    ** https://malwr.com/analysis/NjliZDdmZ...dlMjk1NGEzZjQ/


    *** https://www.hybrid-analysis.com/samp...ironmentId=100

    4] https://malwr.com/analysis/MWQxYWFiM...RjODQ1YjRjMzU/


    5] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    91.219.28.77
    193.9.28.24
    37.1.209.51
    138.201.44.28


    - https://myonlinesecurity.co.uk/malsp...ivers-malware/
    1 Nov 2016 - "An email with the subject of 'GDS – New Fax Message' pretending to come from GDS Fax <service@ gov-fax. co .uk> with a malicious word doc containing macros which downloads what looks like Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-1024x555.png

    1 November 2016: gvt_uk_01112016.doc - Current Virus total detections 3/54*
    MALWR** shows a download from http ://www .tessaban .com/img/safafaasfasdddd.exe (VirusTotal 10/56***)
    Payload Security [1] [2]. Dynamoo's blog[3] gives details of a slightly different email delivering the same word docs & malware payload... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
    * https://www.virustotal.com/en/file/4...is/1477997908/

    ** https://malwr.com/analysis/ZTI2ZjM1O...g4YWQxYzM2Mzc/


    *** https://www.virustotal.com/en/file/0...is/1478011826/

    1] https://www.hybrid-analysis.com/samp...ironmentId=100

    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    91.219.28.77
    193.9.28.24
    37.1.209.51
    138.201.44.28


    3] http://blog.dynamoo.com/2016/11/malw...x-message.html
    ___

    Fake 'Your Invoice' SPAM - delivers yet more Locky
    - https://myonlinesecurity.co.uk/malsp...somware-today/
    1 Nov 2016 - "... Locky downloader... an email with the subject of 'Your Invoice: SIPUS16-953639' (random numbers) coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with SIPUS16 containing a wsf file... One of the emails looks like:
    From: invoicing@ costruzionieimpianti .com
    Date: Tue 01/11/2016 15:47
    Subject: Your Invoice: SIPUS16-953639
    Attachment: SIPUS16-953639.zip
    Dear Sirs,
    Please find your invoice enclosed. We kindly ask you to respect our payment terms.
    For questions please contact our sales office.
    Kind regards,
    Dorema UK Ltd.


    1 November 2016: SIPUS16-953639.zip: Extracts to: INV_NO_79980148.wsf - Current Virus total detections 11/55*
    .. MALWR** shows a download of an encrypted file from
    http ://bappeda .palangkaraya .go.id/87yfhc?xFqceIrSlI=MNKhDTrM
    which is transformed by the script to GdxPTYAwwe1.dll (VirusTotal 12/56***). Same malware and delivery method as this earlier malspam run[4] using fake invoices... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1478009132/

    ** https://malwr.com/analysis/YzFkZTIzN...JkNTE5YjEzNWU/
    Hosts
    180.250.3.118
    185.82.217.88
    51.255.107.20


    *** https://www.virustotal.com/en/file/a...is/1477647176/

    4] https://myonlinesecurity.co.uk/malsp...elivers-locky/
    ___

    Windows 0-day vuln - CVE-2016-7855
    - https://www.helpnetsecurity.com/2016...dows-zero-day/
    Nov 1, 2016 - "Google has disclosed to the public the existence of a Windows zero-day vulnerability (CVE-2016-7855*) that is being actively exploited in the wild... The same vulnerability has been shared with both Microsoft and Adobe on October 21st, as it also affected Flash Player. But while Adobe has already pushed out an update with the patch[1], Microsoft has not been so quick.
    1] https://helpx.adobe.com/security/pro...apsb16-36.html
    ... They have advised users to update Flash and implement the Microsoft patch as soon as it is made available..."
    >> https://security.googleblog.com/2016...o-protect.html

    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2016-7855
    11/01/2016 - "... as exploited in the wild in October 2016..."
    ___

    HookAds malvertising ...
    - https://blog.malwarebytes.com/cyberc...sing-campaign/
    Nov 1, 2016 - "... we wrote about a new piece of malware called ‘Trick Bot‘ which we caught in a malvertising attack via a highly trafficked adult website. In the meantime, we uncovered -another- malvertising campaign that started at least in mid August, and which leverages decoy adult portals to spread malware. Internally, we call it the 'HookAds campaign' based on a string found within the delivery URL... upstream traffic to those adult sites also shows a pattern of malvertising via the usual suspects... much of the traffic sent to HookAds comes from malvertising on top adult sites that generate millions of visits a month... We estimate that at least one million visitors to adult websites were exposed to this particular campaign. Adult traffic is funneled to one of several decoy adult websites where an -iframe- to an adult banner is injected dynamically. The ad is served from a third-party server which performs -cloaking- in order to detect whether this is legitimate new traffic or not...
    The fake ad server infrastructure grew during the past few months and our honeypots caught 3 sequential IP addresses that host over a hundred rogue ad domains. All of these domains have been registered with the intention of looking like advertising platforms. While some domains were used for long periods of time, most switched every day or so to let a new one in:
    > https://blog.malwarebytes.com/wp-con...016/10/206.png
    185.51.244.206 / 185.51.244.207 / 185.51.244.208
    ... The Flash exploit RIG-v uses is protected by SWFLOCK, an online obfuscator/cryptor for Flash files (other EKs like Magnitude use DoSWF)...
    Conclusion: The HookAds malvertising campaign is -still- running at the time of writing this post, with new rogue ad domains getting registered each day. We are blocking the malicious IP range to protect our customers and Malwarebytes Anti-Exploit users are also shielded against the RIG exploit kit..."
    IOCs
    IPs:
    185.51.244.206
    185.51.244.207
    185.51.244.208
    ..."
    (More detail at the malwarebytes URL above.)

    Last edited by AplusWebMaster; 2016-11-02 at 18:00.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
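A gateway-side check for the lure pattern the quoted reports keep describing: a ZIP whose content is a .vbs/.wsf/.js script, sometimes named to look like a PDF (transaction_details_..._PDF.vbs), or a blank mail whose 'DSCF6693.pdf' subject matches the ZIP name. This is an added example, not code from the thread or the quoted blogs; the sample ZIPs are constructed in memory from the filenames the posts quote and hold only a placeholder comment.

```python
"""Screen an inbound e-mail ZIP attachment for the script-in-ZIP lures the
malspam reports above describe. Added example, not the thread's own code."""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Script types the quoted Locky/TrickBot runs deliver inside ZIPs.
SCRIPT_EXTS = {".vbs", ".wsf", ".js"}
# Document-looking tokens the script names borrow ("..._PDF.vbs", "x.pdf.js").
LURE_TOKENS = ("pdf", "doc", "docx", "txt")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def file_ext(name: str) -> str:
    """Lower-cased final extension including the dot, or '' if there is none."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def lure_token(name: str):
    """Return the document token a script name masquerades with, else None."""
    stem = name.rsplit(".", 1)[0].lower()
    for tok in LURE_TOKENS:
        if stem.endswith("_" + tok) or stem.endswith("." + tok):
            return tok
    return None


def inner_names(zip_bytes: bytes):
    """File names inside the ZIP; raises zipfile.BadZipFile on garbage."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not i.is_dir()]


def screen_attachment(subject: str, attachment_name: str, zip_bytes: bytes) -> Verdict:
    """Apply the lure heuristics from the reports to one ZIP attachment."""
    v = Verdict(False)
    if file_ext(attachment_name) != ".zip":
        return v  # only ZIP wrappers are in scope for this check
    try:
        names = inner_names(zip_bytes)
    except zipfile.BadZipFile:
        v.reasons.append("attachment is not a readable ZIP archive")
        v.suspicious = True
        return v
    for n in names:
        ext = file_ext(n)
        if ext in SCRIPT_EXTS:
            v.reasons.append(f"{n}: {ext} script delivered inside a ZIP")
            tok = lure_token(n)
            if tok:
                v.reasons.append(f"{n}: script name pretends to be a {tok.upper()}")
    # Blank-body run: subject 'DSCF6693.pdf' is a document name matching the ZIP stem.
    subj = subject.strip()
    subj_stem = re.sub(r"\.(pdf|docx?|txt)$", "", subj, flags=re.I)
    if subj_stem != subj and subj_stem.lower() == attachment_name[:-4].lower():
        v.reasons.append("subject is a document name that matches the ZIP attachment")
    v.suspicious = bool(v.reasons)
    return v


def build_zip(inner_name: str) -> bytes:
    """Constructed sample ZIP holding one harmless placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "' constructed placeholder, not a real script\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Subjects and names are taken from the posts above; the archives are constructed.
    samples = [
        ("Transaction declined", "transaction-details_e78be58f7.zip",
         "transaction_details_39B163E4_PDF.vbs"),
        ("DSCF6693.pdf", "DSCF6693.zip", "DSCF1121.wsf"),
        ("Q3 figures", "figures.zip", "figures.xlsx"),
    ]
    for subject, att, inner in samples:
        verdict = screen_attachment(subject, att, build_zip(inner))
        print(att, "->", "SUSPICIOUS" if verdict.suspicious else "clean", verdict.reasons)
```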

  2. #1082
    AplusWebMaster

    Fake 'Transactions', 'part 4', 'Companies House', 'Blank body' SPAM, Sundown EK

    FYI...

    Fake 'Transactions' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/email...elivers-locky/
    2 Nov 2016 - "... Locky downloader... an email with the subject of 'Transactions' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with last_transactions_ containing a VBS file that pretends to be a PDF... One of the emails looks like:
    From: Berry Rutledge <Rutledge35@ shakedownbarvail .com>
    Date: Wed 02/11/2016 09:32
    Subject: Transactions
    Attachment: last_transactions_fb079ee.zip
    Hi [redacted]
    [random name]called me yesterday updating about the transactions on company’s account from last month.
    Examine the attached transaction record. Please let me know if you need more help.
    Best Regards,
    Berry Rutledge


    2 November 2016: last_transactions_fb079ee.zip: Extracts to: last_transactions_2EA31C0_PDF.vbs
    Current Virus total detections 9/54*. Manual analysis of the vbs shows a download of a file from one of these locations:
    http ://bddja .com/p0u44p8z | http ://akira-sushi34 .ru/przgzq | http ://3rock .ie/qdq1fv4c
    http ://cokealong .com/0l609 | http ://fiveclean .com/14msj3
    which is renamed by the script to a dll and autorun (VirusTotal 7/55**). Neither MALWR nor Payload Security*** ever seems able to display the download URLs or obtain any payload from these VBS scripts, although manual analysis shows it very easily with minimal de-obfuscation of the VBS code...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1478080807/

    ** https://www.virustotal.com/en/file/b...is/1478083429/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    ___

    Fake 'part 4' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/malsp...elivers-locky/
    2 Nov 2016 - "... Locky downloader... an email with the subject of 'part 4' (random numbers between 0 & 9) coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file... One of the emails looks like:
    From: TRACIE MACALLISTER <traciemacallister@ perceptualproductions .com>
    Date: Thu 01/09/2016 19:22
    Subject: part 4
    Attachment: JLJEWM918399.zip
    As promised
    TRACIE


    2 November 2016: JLJEWM918399.zip: Extracts to: PTKBJH1522.wsf - Current Virus total detections 12/54*
    MALWR** shows a download of an encrypted file from
    http ://aifgroup .jp/43ftybb8?eOcQFhG=ytopbCntxmF which is transformed by the script to BdJXwnO1.dll
    (VirusTotal 12/56***). C2 are
    http ://194.28.87.26 /linuxsucks.php | http ://51.255.107.20 /linuxsucks.php
    http ://194.1.239.152 /linuxsucks.php
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1478081153/

    ** https://malwr.com/analysis/ZDI2ZjEyY...VlNmI3YmI3NjE/
    Hosts
    122.200.219.36
    194.28.87.26
    51.255.107.20
    194.1.239.152


    *** https://www.virustotal.com/en/file/6...is/1478084176/
    ___

    Fake 'Companies House' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/malsp...anking-trojan/
    2 Nov 2016 - "An email with the subject of 'Companies House – new company complaint' pretending to come from Companies House <noreply@ companieshouses .co.uk> with a malicious word doc with macros delivers Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...t-1024x553.png

    2 September 2016: Complaint.doc - Current Virus total detections 4/54*
    Payload security** shows a download of sweezy.exe from futuras .com/img/dododocdoc.exe (VirusTotal 6/57***)...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1478089229/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    *** https://www.virustotal.com/en/file/d...is/1478089108/

    - http://blog.dynamoo.com/2016/11/malw...house-new.html
    2 Nov 2016 - "This fake Companies House spam leads to TrickBot malware... Unlike recent Locky spam runs, this TrickBot run has gone to a lot of effort to look authentic:

    Screenshot: https://2.bp.blogspot.com/-wBSmA67_O...nies-house.png

    The sender is either noreply@ companies-house .me.uk or noreply@ companieshouses .co.uk - both those domains have actually been registered by the spammers with -fake- WHOIS details... All the emails that I have seen have been sent via servers at 172.99.84.190 and 172.99.88.226 (a Rackspace customer apparently called OnMetal v2 IAD PROD). I recommend that you -block- email traffic from those IPs.
    Attached is a Word document Complaint.doc (MD5 21AEA31907D50EE6F894B15A8939A48F) [VT 7/55[2]] which according to this Hybrid Analysis[1] downloads a binary from:
    futuras .com/img/dododocdoc.exe
    This is saved as sweezy.exe and has a detection rate of 7/57[3]. At present that download location is down, probably due to exceeding bandwidth quota. The Hybrid Analysis identifies several C2s which overlap with this TrickBot run from yesterday[4]:
    78.47.139.102 (Unknown customer of Hetzner, Germany)
    91.219.28.58 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
    91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
    193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
    193.107.111.164 (PP "Kremen Alliance", Ukraine)
    193.124.177.117 (MAROSNET, Russia)
    The uadomen .com IP ranges (as discussed yesterday) are a sea of badness and I recommend you block traffic to them.
    Recommended blocklist:
    78.47.139.96/28
    91.219.28.0/22
    193.9.28.0/24
    193.107.111.164
    193.124.177.117
    "
    1] https://www.hybrid-analysis.com/samp...ironmentId=100


    2] https://virustotal.com/en/file/985e9...b407/analysis/

    3] https://www.virustotal.com/en/file/d...9c6d/analysis/

    4] http://blog.dynamoo.com/2016/11/malw...x-message.html
    ___

    Fake 'DSCF6693' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/blank...elivers-locky/
    1 Nov 2016 - "... Locky downloader... a totally -blank- email with the subject of 'DSCF6693.pdf' (random numbers) coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with DSCF that matches the subject containing a wsf file... One of the emails looks like:
    From: ROXIE LANGBAINE <roxie.3506@ madebuynana .nl>
    Date: Tue 01/11/2016 19:51
    Subject: DSCF6693.pdf
    Attachment: DSCF6693.zip


    Body content: totally blank/empty

    1 November 2016: DSCF6693.zip: Extracts to: DSCF1121.wsf - Current Virus total detections 8/54*
    MALWR** shows a download of a file from
    http ://el-sklep .com/76vvyt?JazeMXLjl=JXhbIC which is transformed by the script to YHvwcTj1.dll
    (VirusTotal 5/57***). C2 are
    http ://194.28.87.26 /linuxsucks.php | http ://51.255.107.20 /linuxsucks.php
    http ://qiklchkunuhhbrk .org/linuxsucks.php | http ://194.1.239.152 /linuxsucks.php ...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1477646733/

    ** https://malwr.com/analysis/NTQzZWMxM...diMTdmZWI5ZDc/


    *** https://www.virustotal.com/en/file/3...is/1478031176/
    ___

    Sundown EK ...
    - http://blog.talosintel.com/2016/10/sundown-ek.html
    Oct 31, 2016 - "... IOC - Subdomains not included due to usage of domain wildcarding during campaign
    Conclusion: The last couple of months have led to major shifts in the exploit kit landscape with major players disappearing rapidly. We are now in a place where only a handful of exploit kits remain active and kits that would have previously been part of a second tier of EKs have started to rise to prominence. Sundown is a far more widely distributed exploit kit than was initially thought. Even though it doesn't have a huge footprint from an infrastructure perspective, there are lots of users interacting with these kits."
    - https://blogs.cisco.com/wp-content/u...undown_ips.txt


    Last edited by AplusWebMaster; 2016-11-02 at 19:22.

  3. #1083
    AplusWebMaster

    Fake 'Urgent payment', More Locky, 'Summons', 'Bill', 'Order' SPAM

    FYI...

    Fake 'Urgent payment' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/11/malw...t-request.html
    3 Nov 2016 - "This spam comes from random senders, the name in the "From" field always matches the fake email signature. The number of exclamation marks varies, and the payload is Locky ransomware.
    Subject: !!! Urgent payment request
    From: erika.whitwell@ hillcrestlife .org (erika.whitwell@ hillcrestlife .org)
    Date: Thursday, 3 November 2016, 10:01
    ERIKA WHITWELL ...


    Attached is a file with a long name made of random numbers (e.g. 5148202750-2115939053-201611153218-5476.zip) which contains a similarly-named malicious javascript file (e.g. 8357243996-7378883150-201611233647-0661.js)...
    UPDATE: This Hybrid Analysis* shows the script downloading from:
    dornovametoda .sk/jhb6576?jPUTusVX=GXNaiircxm
    There will be lots of other download locations too. That same report shows the malware phoning home to the following C2 servers (that overlaps somewhat with those found here):
    194.28.87.26/message.php (Hostpro Ltd, Ukraine)
    93.170.123.119/message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
    109.234.34.227/message.php (McHost .Ru, Russia)
    Recommended blocklist:
    194.28.87.26
    93.170.123.119
    109.234.34.0/24
    "
    * https://www.hybrid-analysis.com/samp...ironmentId=100


    - https://myonlinesecurity.co.uk/urgen...en-more-locky/
    3 Nov 2016 - "... Locky downloader... an email with the subject of '!! Urgent payment request' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .js file... One of the emails looks like:
    From: christi.hayton@ artemisridge .com
    Date: Thu 01/09/2016 19:22
    Subject: !! Urgent payment request
    Attachment: ea05237624050-3072993672-201611145320-0296.zip
    CHRISTI HAYTON Telefon: +49 1743 / 51-9283 Fax: +49 1743 / 5166-9283 ...


    3 November 2016: 5237624050-3072993672-201611145320-0296.zip
    Extracts to: 2119873724-8372344101-201611211525-3816.js - Current Virus total detections 8/55*
    MALWR** shows a download of an encrypted file from
    http ://centinel .ca/jhb6576?rigWApln=iwDykXRT which is converted by the script to lpFtmm1.dll (VirusTotal 9/56***)
    C2 http ://194.28.87.26 /message.php . Payload Security[4] shows additional C2... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1478165027/

    ** https://malwr.com/analysis/ZmY0ZmM2Y...c5NWI0MzI3Nzg/
    Hosts
    64.34.157.170
    194.28.87.26


    *** https://www.virustotal.com/en/file/0...is/1478166325/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    More Locky ...
    - http://blog.dynamoo.com/2016/11/moar...016-11-03.html
    3 Nov 2016 - "... Locky runs overnight... here is a data dump of download locations and C2s (at the bottom) from my usual reliable source:
    (Long list of domain-names at the dynamoo URL above.)
    ... C2s:
    51.255.107.20 /message .php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
    85.143.215.209 /message.php (PrdmService LLC / Comfortel Ltd / Trader soft LLC, Russia)
    91.230.211.103 /message .php (Optibit LLC, Russia)
    91.239.232.171 /message .php (Hostpro Ltd, Ukraine)
    93.170.123.119 /message.php (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
    194.28.87.26 /message.php (Hostpro Ltd, Ukraine)
    51.255.107.20 /linuxsucks.php (Webhost LLC Dmitrii Podelko, Russia / OVH, Germany)
    194.1.239.152 /linuxsucks.php (Internet Hosting Ltd aka majorhost.net, Russia)
    194.28.87.26 /linuxsucks.php (Hostpro Ltd, Ukraine)
    Recommended blocklist:
    51.255.107.20
    85.143.215.209
    91.230.211.103
    91.239.232.171
    93.170.123.119
    194.1.239.152
    194.28.87.26
    "
    ___

    Fake 'Summons' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/spoof...ivers-malware/
    3 Nov 2016 - "... updated run of the old 'You’ve been witness summoned to court / You are hereby summoned to appear to court to give evidence' is spreading today... Once you insert the “captcha” numbers into the submit box and press submit, you get a random numbered zip file that extracts to a .js file...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...8-1024x781.png

    3 November 2016: 66504.zip: Extracts to: Case Details.js - Current Virus total detections 3/55*
    MALWR** shows a download of a file from
    http ://rudarskiinstituttuzla .ba/modules/mod_stat/bidkemjarf/localbbrs.exe (VirusTotal 4/57***)
    Payload Security[4]... earlier this week, this sort of -spoofed- UK Government email was used to deliver the Trickbot banking Trojan. This malware payload looks somewhat different to those: MALWR[5].. Payload Security[6] analysis of the downloaded malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1478169130/

    ** https://malwr.com/analysis/N2U3Y2Q0M...VmOTlmYzUzZWE/
    Hosts
    176.9.10.243

    *** https://www.virustotal.com/en/file/b...is/1478169467/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    176.9.10.243
    208.118.235.148
    148.163.112.203


    5] https://malwr.com/analysis/NWYyZGU0O...EzZTg1NmM4NTU/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    208.118.235.148
    148.163.112.203

    ___

    Fake 'Bill' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/pay-y...elivers-locky/
    3 Nov 2016 - "... Locky downloader... an email telling you to pay your maintenance bill with the subject of 'Bill' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with november_bill_ containing a VBS file that pretends to be a PDF... One of the emails looks like:
    From: Ericka Oneill <Oneill000@ soundsolutionsrecording .com>
    Date: Thu 03/11/2016 13:40
    Subject: Bill
    Attachment: november_bill_450e7d7f0.zip
    Dear [redacted]
    To continue using our maintenance service, please pay for last month’s fee by 4th of November.
    The bill is attached in the email.
    Please keep it for later purposes.
    King Regards,
    Ericka Oneill


    3 November 2016: november_bill_450e7d7f0.zip: Extracts to: TN E3E6314.vbs - Current Virus total detections 8/55*
    Manual analysis shows a download of a file from one of these locations:
    http ://aurora.cdl-sc .org.br/gj789z
    http ://davidart .com.tw/haa4vt4u
    http ://artlab .co.il/hgm0chod
    http ://dingeabyss .com/1jawie
    http ://sehyokette.net/1t6ywcjb
    ... which is renamed by the script to a DLL (VirusTotal 8/57**). Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1478181547/

    ** https://www.virustotal.com/en/file/5...is/1478181696/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    220.229.238.7
    130.208.19.136
    188.127.237.66
    195.123.211.65

    ___

    Fake 'Order' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/order...elivers-locky/
    3 Nov 2016 - "... Locky downloader... an email with the subject of 'Order 903644 (Acknowledgement)' [random numbers] coming as usual from random companies, names and email addresses with a zip attachment that starts with several random letters then a series of numbers that matches the subject order number containing a VBS file... One of the emails looks like:
    From: CORA FRANZKE <eml@ durellaw .com>
    Date: Thu 03/11/2016 14:50
    Subject: Order 903644 (Acknowledgement)
    Attachment: jf903644.zip
    Please find document attached


    3 November 2016: jf903644.zip: Extracts to: KUnyn699-32121.vbs - Current Virus total detections 5/55*
    Payload Security**... Manual analysis shows a download of a file from one of these locations:
    albakrawe-uae .com/i9jnrc
    cosywall .pl/i9jnrc
    eldamennska .is/i9jnrc
    irk.24abcd .ru/i9jnrc
    schuhdowdy .net/i9jnrc
    teriisawa .com/i9jnrc
    (VirusTotal 11/56***). C2 are 109.234.35.230 | 176.103.56.119 /message.php. This also uses the Tor network... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1478185057/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    *** https://www.virustotal.com/en/file/0...is/1478192229/

    Last edited by AplusWebMaster; 2016-11-03 at 21:03.

  4. #1084 AplusWebMaster

    Fake 'Please verify', 'Payroll Payslip' SPAM

    FYI...

    Fake 'Please verify' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/i-hav...elivers-locky/
    4 Nov 2016 - "... Locky downloader... an email that pretends to be about proofreading the technical document you sent with the subject of 'Please verify' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with tech_doc_ containing a VBS file... very similar to recent Locky malspam[1] where the download is an actual executable file, not an encrypted file needing decoding, although called a txt file. The VBS just -renames- it to the -dll- name... Payload Security report[2]...
    1] https://myonlinesecurity.co.uk/pleas...-thor-version/
    One of the emails looks like:
    From: Coleen Barr <Barr84@ homedesigners171 .com>
    Date: Fri 04/11/2016 09:49
    Subject: Please verify
    Attachment: tech_doc_dc405d482.zip
    Hey [redacted], as you requested, I have proofread the technical document you sent.
    There are some confused parts in it.
    Please verify the parts highlighted in the attached document.
    Best Wishes,
    Coleen Barr


    4 November 2016: tech_doc_dc405d482.zip: Extracts to: NRV4MO04.vbs - Current Virus total detections 10/55*
    Manual analysis shows a download of a file from one of these locations:
    http ://good-gamess .ru/qz7at0 | http ://astrotranspersonal .com.ar/rhiup3j | http ://goldendogs .nl/s6ymz2k
    http ://bahutnorma .net/2pceo6 | http ://rangyinby .com/3ixr99t (VirusTotal 7/57**)...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1478253546/

    ** https://www.virustotal.com/en/file/7...is/1478253708/

    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    ___

    Fake 'Payroll Payslip' SPAM - delivers Java Adwind
    - https://myonlinesecurity.co.uk/spoof...wind-jacksbot/
    4 Nov 2016 - "... fake financial themed emails containing java adwind/Java Jacksbot Trojan attachments... can only be active or infect you -if- you have Sun/Oracle Java installed... The email looks like:
    From: wu.paymaster@ westernunion .com <postmaster@ fanavaelecomp .com>
    Date: Fri 04/11/2016 06:37
    Subject: Payroll Payslip (NO-REPLY)
    Attachment: Details.zip
    Dear agent,
    Attached is your payslip for the payroll period of 01 October 2016 to 01 November 2016.To view your Payslip, simply type in your Personal Password when asked for a password. If you did not submit your personal password, just type in your last name followed by the birthday (Format: MMddyyyy) and the last four (4) digits of your employee id number when asked for a password (e.g., ocampo011320141234). Please make sure to use lowercase letters, no spaces and no special characters when typing your password, name suffix is also part of your lastname...
    Sincerely,
    Accounting Department


    4 November 2016: Payrol Payslip.jar (323 kb) - Current Virus total detections 17/56* - Payload Security**...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1478239741/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.107.152.224

    Last edited by AplusWebMaster; 2016-11-04 at 14:04.

  5. #1085 AplusWebMaster

    Fake 'Financial documents', 'Scanned image', 'Scan' SPAM, AMEX phish

    FYI...

    Fake 'Financial documents' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/11/malw...nts-leads.html
    7 Nov 2016 - "The never-ending Locky ransomware onslaught continues. This -fake- financial spam has a malicious attachment:
    Subject: Financial documents
    From: Judy Herman
    To: [redacted]
    Date: Monday, 7 November 2016, 10:53
    Hi [redacted],
    These financial documents need to be uploaded on the system.
    Please let me know if you experience any technical problems.
    Best Wishes,
    Judy Herman


    Sender names will probably vary. In the sample I saw there was an attachment named fin_docs_f73856f4.zip containing a malicious script NRV_A194008F_.vbs ... This particular script (and there will be others like it) attempts to download from:
    According to this Hybrid Analysis*, the malware then phones home to:
    195.123.211.229 /message .php [hostname: panteleev.zomro .com] (Layer6 Networks, Bulgaria / ITLDC, Latvia)
    185.67.0.102 /message .php [hostname: endgo .ru] (Hostpro Ltd. / hostpro .com.ua, Ukraine)
    188.65.211.181 /message .php (Knopp, Russia)
    Recommended blocklist:
    195.123.211.229
    185.67.0.102
    188.65.211.181"
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    - https://myonlinesecurity.co.uk/finan...elivers-locky/
    7 Nov 2016 - "... Locky downloader... an email with the subject of 'Financial documents' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with fin_docs_ containing a VBS file... One of the emails looks like:
    From: Delbert Mckay <Mckay8375@ purrfectsports .com>
    Date: Mon 07/11/2016 10:57
    Subject: Financial documents
    Attachment: fin_docs_c605c39a.zip
    Hi [redacted]
    These financial documents need to be uploaded on the system.
    Please let me know if you experience any technical problems.
    Best Wishes,
    Delbert Mckay


    7 November 2016: fin_docs_c605c39a.zip: Extracts to: NRV_3O63MI_.vbs - Current Virus total detections 5/54*
    Payload Security** shows downloads of a file from the same locations which is renamed by the script to qltoUhLp0.dll (VirusTotal 9/57***). C2 are:
    188.65.211.181 | 185.67.0.102 | 195.123.211.229 .. all use /message.php ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1478516808/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://www.virustotal.com/en/file/6...is/1478517111/
    ___

    Fake 'Scanned image' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...elivers-locky/
    7 Nov 2016 - "... Locky downloader... an email with the subject of 'Scanned image' from MX2310U@ your-own email domain pretending to come from office@ your-own email domain with a semi-random named zip attachment in the form of office@ your-own email domain _random numbers.zip containing a .JS file... One of the emails looks like:
    From: office@ ...
    Date: Mon 07/11/2016 14:16
    Subject: Scanned image from MX2310U@ ...
    Attachment: office@ ...zip
    Reply to: office@ ... <office@ ...>
    Device Name: MX2310U@ ...
    Device Model: MX-2310U
    Location: Reception
    File Format: PDF MMR(G4)
    Resolution: 200dpi x 200dpi
    Attached file is scanned image in PDF format...


    7 November 2016: office@ ...zip: Extracts to: JYF16212-1319.js - Current Virus total detections 8/53*
    Payload Security** shows a download of an encrypted file from henrytye .com /hgf65g?ymWrOm=LeFqAxKmfIY
    which is renamed by the script to bRewBexBO1.dll ...
    C2: 81.177.180.53 /message.php and 176.103.56.120 /message.php. Unfortunately the free web version of Payload Security does not give the actual downloaded file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1478531957/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts

    ___

    Fake 'Scan' SPAM - more Locky
    - https://myonlinesecurity.co.uk/sent-...en-more-locky/
    7 Nov 2016 - "... Locky downloader... an email with the subject of '[Scan] 2016-1107 17:29:49' coming as usual from random companies, names and email addresses with a zip attachment named after todays date and a time containing a wsf file... One of the emails looks like:
    From: MAURICIO BLUM <mauricio.blum.72@ tullochcapital .com>
    Date: Mon 07/11/2016 22:30
    Subject: [Scan] 2016-1107 17:29:49
    Attachment: 2016-1107 17-29-49.zip
    Sent with Genius Scan for iOS.


    7 November 2016: 2016-1107 17-29-49.zip: Extracts to: UNA516807-3039.wsf - Current Virus total detections 8/55*
    MALWR** and Payload Security*** both show a download of an encrypted file from
    http ://futuregroup .cz/98ynhce?IspgpFMAU=eJftALCrAxBwhich is converted by the script to
    cflaTvC1.dll (VirusTotal 11/56[4]). C2: http ://81.177.27.222 /message.php and 176.103.56.120 /message.php ...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1478558924/

    ** https://malwr.com/analysis/YTBhZmU3Z...MxMjBhZTU3OGU/
    Hosts
    85.207.99.25
    81.177.27.222


    *** https://www.reverse.it/sample/09340a...ironmentId=100
    Contacted Hosts


    4] https://www.virustotal.com/en/file/9...is/1478556970/
    ___

    Fake 'American Express' phish
    - https://myonlinesecurity.co.uk/impor...ress-phishing/
    7 Nov 2016 - "... American Express phishing email...

    Screenshot: https://i1.wp.com/myonlinesecurity.c...3%2C1033&ssl=1

    ... shows a website that looks like this included in a frame so it is never actually on your computer at all.
    (I had to split the screenshot into 2 parts to get all the information they want, which is a lot more than normal.)
    >> https://i0.wp.com/myonlinesecurity.c...24%2C625&ssl=1

    >>> https://i0.wp.com/myonlinesecurity.c...24%2C548&ssl=1

    ... It will NEVER be a genuine email from American Express or any other bank or credit card company so don’t ever follow the links or fill in the html (webpage) form that comes attached to the email... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email.."

    Last edited by AplusWebMaster; 2016-11-08 at 12:21.
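    As an added example, not code from the forum post or from the quoted blogs: a gateway-side triage check for the delivery pattern that recurs across these reports, a ZIP attachment whose member is a .vbs/.js/.wsf downloader dressed up with a document-style name (a "_PDF.vbs" script, a "Statement PDF - ....zip" archive). The sample archives and file names are constructed to mirror the quoted patterns; `build_zip`, `triage_zip_attachment` and `Verdict` are names chosen here, not anything from the posts.

```python
"""
Gateway-side triage for the attachment pattern these posts repeat: a ZIP whose
member is a Windows Script Host downloader (.vbs, .js, .wsf), usually under a
document-style name such as transaction_details_..._PDF.vbs, or inside a lure
archive named like "Statement PDF - 9022558992.zip".

Added example, not code from the forum post or the quoted blogs. Sample member
names are constructed from the patterns quoted in the posts; archives are built
in memory, so nothing is written to disk or fetched from the network.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Script types named in the quoted reports (VBS, JS and WSF downloaders).
SCRIPT_EXTENSIONS = {".vbs", ".js", ".wsf"}

# Document words the lures borrow for the archive or script name.
LURE_WORD = re.compile(
    r"(?<![a-z])(pdf|doc|scan|statement|receipt|invoice)(?![a-z])", re.IGNORECASE
)


@dataclass
class Verdict:
    attachment: str
    suspicious: bool = False
    reasons: List[str] = field(default_factory=list)


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member_name: content} (constructed samples only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def triage_zip_attachment(attachment_name: str, data: bytes) -> Verdict:
    """Flag a ZIP that carries a script member and record the lure tricks it uses."""
    verdict = Verdict(attachment=attachment_name)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A ".zip" that does not parse is itself worth a look.
        verdict.suspicious = True
        verdict.reasons.append("named .zip but is not a valid archive")
        return verdict

    members = [info for info in zf.infolist() if not info.is_dir()]
    if not members:
        verdict.reasons.append("empty archive")
        return verdict

    for info in members:
        base = info.filename.rsplit("/", 1)[-1]
        stem, dot, ext = base.rpartition(".")
        ext = ("." + ext).lower() if dot else ""
        if ext not in SCRIPT_EXTENSIONS:
            continue
        verdict.suspicious = True
        verdict.reasons.append(f"script member {base} ({ext})")
        # Fake document marker in front of the real extension, e.g. ..._PDF.vbs
        if LURE_WORD.search(stem):
            verdict.reasons.append(f"document word in script name: {base}")

    if verdict.suspicious:
        # The archive itself is often dressed as a document ("Statement PDF - ...zip").
        if LURE_WORD.search(attachment_name):
            verdict.reasons.append(f"document word in archive name: {attachment_name}")
        if len(members) == 1:
            verdict.reasons.append("archive holds a single script and nothing else")
    return verdict


if __name__ == "__main__":
    # Constructed sample mirroring the 'Transaction declined' run quoted above.
    sample = build_zip({"transaction_details_39B163E4_PDF.vbs": b"' placeholder body\r\n"})
    print(triage_zip_attachment("transaction-details_e78be58f7.zip", sample))
```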

  6. #1086 AplusWebMaster

    Fake 'Parcel2Go', 'Statement', 'Suspicious movements', 'Order' SPAM

    FYI...

    Fake 'Parcel2Go' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/25024...ivers-malware/
    8 Nov 2016 - "An email with the subject of '#25024552 Parcel2go delivery announce' (random numbers) pretending to come from random senders with a -link- to Google Drive that downloads a malicious word doc delivers malware... The link is still live at the time of posting despite being reported yesterday to Google...

    Screenshot: https://i2.wp.com/myonlinesecurity.c...24%2C743&ssl=1

    8 November 2016: parchel2go567313.doc - Current Virus total detections 3/54*
    Both MALWR** and Payload Security*** show a connection to & download from
    http ://findserviceapp .com.br/mr6.exe, but only Payload Security actually managed to retrieve the malware, and it doesn’t describe it as malicious, only describing it as informative... (VirusTotal 6/56[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1478535435/

    ** https://malwr.com/analysis/ZDkxODRlY...E2ZGRlOWY5MTA/
    Hosts
    192.185.208.115

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.185.208.115

    4] https://www.virustotal.com/en/file/6...is/1478602406/
    ___

    Fake 'Statement' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/11/malw...-to-locky.html
    8 Nov 2016 - "Another terse fake financial spam leading to Locky ransomware:
    Subject: Statement
    From: accounts@ somedomain .tld
    Date: Tuesday, 8 November 2016, 10:59
    For your Information.


    The sender domain varies. Attached is a ZIP file with a name similar to Statement PDF - 56765041263.zip which in turn contains a malicious WSF script... named in a format similar to SLM245260-0214.wsf. Hybrid Analysis* of this one sample shows a download occurring from:
    gpstrackerbali .com/67j5hg?LzQWruaaLHv=dIYfuCrkfcG
    There will no doubt be many other locations, if I get more information then I will post it here. The script drops a DLL with a detection rate of 14/56** and the malware appears to phone home to:
    185.118.66.90 /message.php (vpsville.ru, Russia)
    158.69.223.5 /message.php (OVH, Canada)
    Recommended blocklist:
    185.118.66.90
    158.69.223.5"
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    ** https://virustotal.com/en/file/7e6c0...is/1478605400/

    - https://myonlinesecurity.co.uk/state...elivers-locky/
    8 Nov 2016 - "... Locky downloader... an email with the subject of 'Statement' coming from accounts@ random companies, names and email addresses with a semi-random named zip attachment starting with Statement PDF containing a WSF file... One of the emails looks like:
    From: accounts@ energycontrol .gr
    Date: Tue 08/11/2016 10:58
    Subject: Statement
    Attachment: Statement PDF – 9022558992.zip
    For your Information.


    8 November 2016: Statement PDF – 9022558992.zip: Extracts to: SLM245260-0214.wsf - Current Virus total detections 9/55*
    Payload Security** shows a download of an encrypted file from
    http ://gpstrackerbali .com/67j5hg?LzQWruaaLHv=dIYfuCrkfcG which is converted by the script to
    GMbsdHBsIX1.dll (VirusTotal 14/56***)... A list of alternative download sites so far discovered by another researcher[4] has been posted on pastebin[5]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1478604149/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://www.virustotal.com/en/file/7...is/1478604056/

    4] https://twitter.com/Racco42/status/795949000352497664

    5] http://pastebin.com/VGvZafjs
    ___

    Fake 'Suspicious movements' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/suspi...elivers-locky/
    8 Nov 2016 - "... Locky downloader... an email that pretends to be a notification from U.S. Office of Personnel Management with the subject of 'Suspicious movements' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of pdf_recipients name_random numbers.zip containing a .JS file... One of the emails looks like:
    From: Cristobal Johns <Johns.Cristobal@ autoimmunkrankheit .de>
    Date: Tue 08/11/2016 12:17
    Subject: Suspicious movements
    Attachment: pdf_forum_534e144e2.zip
    Dear[redacted], Angel from the bank notified us about the suspicious movements on out account.
    Examine the attached scanned record. If you need more information, feel free to contact me.

    King regards,
    Cristobal Johns
    Account Manager ...
    U.S. Office of Personnel Management
    1265 E Street, NW
    Washington, DC 20415-1000


    8 November 2016: pdf_forum_534e144e2.zip: Extracts to: NRV_AM00I_.js - Current Virus total detections 6/55*
    MALWR** shows a download of a file from http ://dowfrecap .net/3muv7 which is renamed by the script to a DLL and autorun (VirusTotal 9/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1478607538/

    ** https://malwr.com/analysis/YmJmMjg2Y...hhMDYzN2Q0Nzk/
    Hosts
    67.171.65.64

    *** https://www.virustotal.com/en/file/b...is/1478609031/

    - http://blog.dynamoo.com/2016/11/malw...nts-leads.html
    8 Nov 2016 - "This fake financial spam leads to Locky ransomware:
    Subject: Suspicious movements
    From: Marlene Parrish
    Date: Tuesday, 8 November 2016, 12:52
    Dear [redacted], Leroy from the bank notified us about the suspicious movements on out account.
    Examine the attached scanned record. If you need more information, feel free to contact me.
    ---
    King regards,
    Marlene Parrish
    Account Manager...
    U.S. Office of Personnel Management
    1189 E Street, NW
    Washington, DC 20415-1000


    The names, addresses and telephone numbers will vary from message to message. Attached is a ZIP file (e.g. pdf_recipient_3608c4a.zip) which contains a malicious javascript (e.g. NRV_J51E8_.js)... That particular script downloads a malicious component from one of the following locations:
    There will probably be other download locations. This Hybrid Analysis* and this Malwr report** show the Locky ransomware in action. This version of Locky does not appear to use C2 servers, but instead drops a malicious DLL with an MD5 of 75e6faf192d00b296d89df2cd56c454a and a detection rate of 9/56***."
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    67.171.65.64
    52.34.245.108
    52.85.184.253


    ** https://malwr.com/analysis/NGFjZjIxN...I1YzEwMTZmNzc/
    Hosts
    213.176.241.230

    *** https://virustotal.com/en/file/79d41...is/1478613989/
    ___

    Fake 'Order' SPAM - more Locky
    - https://myonlinesecurity.co.uk/order...en-more-locky/
    8 Nov 2016 - "... Locky onslaught continues... an email with the extremely generic subject of 'Order 88222889 (random numbers)' coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file... One of the emails looks like:
    From: TUAN LILLIE <eml@ woolleymarket .com>
    Date: Tue 08/11/2016 16:12
    Subject: Order 88222889
    Attachment: jAlR88222889.zip
    Please find document attached


    8 November 2016: jAlR88222889.zip: Extracts to: XWZ429433-2034.wsf - Current Virus total detections 10/55*
    MALWR** shows a download of an encrypted file from
    http ://inzt .net/67j5hg?nrxLhJ=HYkWYO -or- http ://all-kaigo .com/67j5hg?nrxLhJ=HYkWYO
    which is converted by the script to woxUgKy2.dll (VirusTotal 12/56***). C2: http ://158.69.223.5 /message.php...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1478621842/

    ** https://malwr.com/analysis/YTMzZjdhY...E2NjM2YmI5NTE/
    Hosts


    *** https://www.virustotal.com/en/file/a...is/1477647176/

    Last edited by AplusWebMaster; 2016-11-08 at 19:05.

  7. #1087 AplusWebMaster

    Fake 'Amazon order', 'FedEx', 'Account suspended', 'E-bill' SPAM

    FYI...

    Fake 'Amazon order' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/11/malw...order-has.html
    9 Nov 2016 - "Overnight there has been a massive -fake- Amazon spam run leading to Locky ransomware:
    From: Amazon Inc [auto-shipping27@ amazon .com]
    Date: 8 November 2016 at 23:10
    Subject: Your Amazon .com order has dispatched (#021-3323415-8170076)
    Dear Customer,
    Greetings from Amazon.com,
    We are writing to let you know that the following item has been sent using DHL Express.
    For more information about delivery estimates and any open orders, please visit...
    Your order #021-3323415-8170076 (received November 8, 2016)
    Your right to cancel ...


    All the versions I have seen contain those same formatting errors. Details vary from message to message (e.g. carrier, reference numbers). Attached is a malicious ZIP file (e.g. ORDER-608-0848796-6857907.zip) containing a malicious javascript file (e.g. F-9295287522-9444213500-201611165156-2601.js)... My usual source (thank you) tells me that the various scripts download a component...
    (Long list of domain-names at the dynamoo URL above.)
    ... It appears to drop a malicious DLL with a detection rate of 32/56*. The following C2 servers have been identified:
    85.143.212.23 /message.php (PrdmService LLC, Russia)
    158.69.223.5 /message.php (OVH, Canada)
    UPDATE: According to the Hybrid Analysis** the dropped Locky binary actually has an MD5 of ad6fb318002df4ffc80795cc31d529b4 and a detection rate of 28/56***.
    Recommended blocklist:
    85.143.212.23
    158.69.223.5"
    * https://virustotal.com/en/file/7e6c0...0007/analysis/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://virustotal.com/en/file/57a0f...is/1478684633/

    - https://myonlinesecurity.co.uk/your-...elivers-locky/
    8 Nov 2016 - "... Locky downloader... an email with the subject of 'Your Amazon .com order has dispatched (#324-3101580-5413719) [random numbers]' pretending to come from Amazon .com <auto-shipping6@ amazon .com>... The js file inside the zip and the downloaded Locky file are identical to this slightly earlier malspam run[1]...
    1] https://myonlinesecurity.co.uk/fax-t...elivers-locky/
    One of the emails looks like:
    From: Amazon .com <auto-shipping6@ amazon .com>
    Date: Thu 01/09/2016 19:22
    Subject: Your Amazon .com order has dispatched (#324-3101580-5413719)
    Attachment: ORDER-324-3101580-5413719.zip
    Dear Customer,
    Greetings from Amazon .com,
    We are writing to let you know that the following item has been sent using DHL Express.
    For more information about delivery estimates and any open orders, please visit...
    Your order #324-3101580-5413719 (received November 8, 2016)
    Your right to cancel...


    1] 8 November 2016: F-9456818814-1332384076-201611050929-1010.zip: Extracts to: F-8526972159-4046871521-201611111127-2039.js
    Current Virus total detections 12/55*. MALWR** shows a download of an encrypted file from
    http ://masiled .es/7845gf?ukORpqyil=ukORpqyil which is converted by the script to
    ukORpqyil1.dll (VirusTotal 14/57***). C2 http ://158.69.223.5 /message.php... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1478643166/

    ** https://malwr.com/analysis/MWMwYzNkN...M3YWVkZjJlNTQ/
    Hosts
    185.76.77.219
    158.69.223.5


    *** https://www.virustotal.com/en/file/5...is/1478643306/
    ___

    Fake 'FedEx' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/fedex...ky-ransomware/
    9 Nov 2016 - "... Locky downloader... an email with the subject of 'We could not deliver your parcel, #551196' (random numbers) pretending to come from -FedEx- Standard Overnight with a malicious word doc downloading Locky... The email looks like:
    From: FedEx Standard Overnight <cbrecareers@ cbre .com>
    Date: Wed 09/11/2016 07:50
    Subject: We could not deliver your parcel, #551196
    Attachment: FedEx.doc
    Hello,
    We could not deliver your item. Please, download Delivery Label attached to this email.
    Kaja Helscher – Area Manager FedEx , CA
    Regards


    9 November 2016: FedEx.doc - Current Virus total detections 18/55*
    Payload Security** shows a download from http ://perfectionbm .top/ll/ldd.php which is saved as 0.7055475 and autorun by the macro (VirusTotal 9/55***). Payload Security[4]. C2 are 51.255.107.6 /message.php and
    81.177.27.222 /message.php... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1478674872/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    46.22.220.32
    51.255.107.6
    81.177.27.222


    *** https://www.virustotal.com/en/file/f...is/1478676422/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    51.255.107.6
    81.177.27.222

    ___

    Fake 'Account temporarily suspended' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/accou...elivers-locky/
    9 Nov 2016 - "... Locky downloader... an email with the subject of 'Account temporarily suspended' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of recipients name_random numbers.zip containing a .JS file... One of the emails looks like:
    From: Ethan Talley <Talley.Ethan@ glycomicscenter .com>
    Date: Wed 09/11/2016 09:43
    Subject: Account temporarily suspended
    Attachment: ea00ba32a5.zip
    Dear Customer.
    You have exceeded the limit of operations on your credit card.
    Thus, we have temporarily blocked your account.
    The full itemization of transactions and instructions are given in the document attached to this message.
    Best regards.


    9 November 2016: hp_printer_e1b837ff1.zip: Extracts to: 6011290KI.js - Current Virus total detections 8/55*
    MALWR** shows a download of a file from http ://locook .com/n8kacjjc which is renamed by the script to hC0VoiB2fRYyoJt8.dll (VirusTotal 9/57***). Payload Security[4] shows C2 81.177.26.136 | 185.118.164.125 | 95.46.8.109 /message.php... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1478684678/

    ** https://malwr.com/analysis/YmE0OTAyY...MwODRlODM5YTQ/
    Hosts
    123.57.33.148

    *** https://www.virustotal.com/en/file/e...is/1478685279/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    - http://blog.dynamoo.com/2016/11/malw...mporarily.html
    9 Nov 2016 - "This -fake- financial spam leads to Locky ransomware:
    From: Nicole Roman
    Date: 9 November 2016 at 10:44
    Subject: Account temporarily suspended
    Dear Customer.
    You have exceeded the limit of operations on your credit card.
    Thus, we have temporarily blocked your account.
    The full itemization of transactions and instructions are given in the document attached to this message.
    Best regards.


    The name of the sender varies. In the sample I looked at, the attachment was named after the recipient plus a random number, containing a randomly-named malicious .js script... That particular script attempts to download a binary... This Hybrid Analysis* and this Malwr report** show a DLL being dropped with an MD5 of f86d98b1a67952f290c550db1c0bdcbc and a detection rate of 9/56***..."
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    ** https://malwr.com/analysis/MWIzNjZiZ...Y3MDMzNzA4NGQ/
    Hosts
    67.171.65.64

    *** https://virustotal.com/en/file/a5ec6...is/1478689362/
    ___

    Fake 'E-bill' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/11/malw...rd-e-bill.html
    9 Nov 2016 - "This spam has an interestingly malformed subject, however the attachment leads to Locky ransomware:
    Subject: Shell Fuel Card E-bill 8089620 for Account (rnd(B,S,F,H,A,D,C,N,M,L)}}776324 08/11/2016
    From: KELLY MOORHOUSE (kelly.moorhouse@ edbn .org)
    Date: Wednesday, 9 November 2016, 12:52
    KELLY MOORHOUSE
    Last & Tricker Partnership
    3 Lower Brook Mews
    Lower Brook Street
    Ipswich Suffolk IP4 1RA
    T: 01473 252961 F: 01473 233709 M: 07778464004 ...


    Sender names vary, but the error in the subject persists in all versions. Attached is a ZIP file with a name beginning with "ebill" (e.g. ebill209962.zip) which contains a malicious .WSF script (e.g. 18EQ13378042.wsf)... For one sample script, the Hybrid Analysis* and Malwr report** indicate a binary is downloaded from one of the following locations:
    alamanconsulting .at/0ftce4?aGiszrIV=gRLYYDHSna
    naka-dent .mobi/0ftce4?aGiszrIV=gRLYYDHSna
    This drops a malicious DLL with an MD5 of c1b0b1fb4aa56418ef48421c58ad1b58 and a detection rate of 13/56***.
    85.143.212.23 /message.php (PrdmService LLC, Russia)
    158.69.223.5 /message.php (OVH, Canada)
    These are the same C2s as seen here[4]."
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    ** https://malwr.com/analysis/ZGI5ZGEyY...NjMGM5YmRjMTU/
    Hosts


    *** https://virustotal.com/en/file/32a24...is/1478698613/

    4] http://blog.dynamoo.com/2016/11/malw...order-has.html

    Last edited by AplusWebMaster; 2016-11-09 at 18:32.

  8. #1088 AplusWebMaster

    Fake 'Receipt', 'Document' SPAM

    FYI...

    Fake 'Receipt' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/locky...ail-addresses/
    10 Nov 2016 - "... Locky downloader... a -Blank- email with the subject of 'Receipt 93-241363' (random numbers) pretending to come from random names @ Gmail.com with a zip attachment containing a WSF file... One of the emails looks like:
    From: brianna.simister@ gmail .com
    Date: Thu 10/11/2016 10:14
    Subject: Receipt 93-241363
    Attachment: Receipt 93-241363.zip


    Body content: Totally empty/Blank

    10 November 2016: Receipt 93-241363.zip: Extracts to: FGNTHQ253308.wsf - Current Virus total detections 8/55*
    MALWR** shows a download of an encrypted file from http ://livinghealthyworld .com/845yfgh?nivGYcwhUYT=mCDCzF
    which is converted by the script to idJsCdj1.dll (VirusTotal 8/55***). C2 http ://107.181.174.34 /message.php...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1478772972/

    ** https://malwr.com/analysis/ZTRmMTQ2Z...E5MmU2ZGU0ZDE/
    Hosts
    104.37.35.78
    107.181.174.34


    *** https://www.virustotal.com/en/file/9...is/1478773545/
    ___

    Fake 'Document' SPAM - more Locky
    - https://myonlinesecurity.co.uk/locky...ail-addresses/
    10 Nov 2016 - "... Locky downloader... a -blank- email with the subject of 'Document from Amparo' (random names) pretending to come from random names @ Gmail .com with a zip attachment containing a WSF file... One of the emails looks like:
    From: Amparo ormerod <Amparo734987@ gmail .com>
    Date: Thu 10/11/2016 14:38
    Subject: Document from Amparo
    Attachment: DOC-20161110-WA000458.zip


    Body content: Totally empty/blank

    10 November 2016: DOC-20161110-WA000458.zip: Extracts to: RPPMS171825.wsf - Current Virus total detections 8/55*
    Payload Security** shows a download of an encrypted file from
    project-group .pro/845yfgh?eKSrkxbtC=rewwnkHmjMh which is converted by the script to idJsCdj1.dll
    (VirusTotal 11/56***). C2 107.181.174.34 /message.php and others... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1478793348/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    *** https://www.virustotal.com/en/file/d...is/1478794808/
    ___

    Ransomware doesn’t mean 'game over'
    - https://blog.malwarebytes.com/101/20...ean-game-over/
    Nov 10, 2016 - "... Over the course of just a few years, this threat has evolved from an annoying pop-up to a screen freezer that utilizes disturbing imagery to a sophisticated malicious program that encrypts important files. New technologies are popping up all the time that combat the ransomware issue, however most (if not all) require active protection -before- you get infected. But what do you do if your company has already been infected?... at least in the criminal’s eyes, once a user gets infected, there is no recovery option other than paying the ransom. Also, victims actually pay-the-ransom directly to the criminal, cutting out any need for middlemen or having to sell piles of stolen credit card information on darknet forums... It’s likely that the future of ransomware will include things like blackmail (threats to post trade secrets or company intel online or releasing customer information), more aggressive infection and AV evasion techniques, and better target identification—all techniques that we know how to combat. However, while the news of how to stop the malware is spreading, millions of people are still going to get infected because they didn’t 'get the memo'...
    > Option 1: Backups: ... make -sure- you keep some kind of file history enabled in your -backup- solution so you can revert to a previous backup if necessary. Also, utilize off-site and/or cloud backups[1] rather than storing everything on a network drive, since many ransomware families are capable of reaching through mapped connections and connected drives to encrypt files outside of the victim HD...
    1] http://www.csoonline.com/article/307...ansomware.html
    > Option 2: Decryption: ... If you get hit once, your files are encrypted and there is nothing you can do about it — or so many people think. Thanks to the diligent efforts of our information security community, there are actually many decryptors available online[2]. This software, when matched with the correct ransomware family, can decrypt files for free...
    2] https://www.nomoreransom.org/
    > Option 3: Negotiate: ... At the end of the day, the bad guys just want to get paid, which means that historically they have been open to negotiating and returning a few files for a smaller amount of profit. To be absolutely clear, I do -not- endorse or support paying cybercriminals the ransom. However, it has to be understood that for some folks, the loss of files would be far more damaging than just paying the ransom fee...
    > Conclusion: So there you have it, the three methods, outside of utilizing modern anti-ransomware security software to prevent infection, that can help you recover from a ransomware attack. They might not be absolute solutions, but anything is better than losing valuable data to cybercriminals. Maybe knowing how disappointing the recovery methods are for a ransomware attack will motivate some folks to actually use proactive protection and anti-ransomware technology, which remains the best option for fighting ransomware infection*: -not- allowing the malware to encrypt your files in the first place."
    * https://www.malwarebytes.com/pdf/inf..._medium=social

    Last edited by AplusWebMaster; 2016-11-11 at 16:08.

  9. #1089
    AplusWebMaster (Adviser Team)

    Fake 'Tech Support Order', 'Blank or NO subject', 'Virtual card' SPAM

    FYI...

    Fake 'Tech Support Order' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/locky...support-order/
    11 Nov 2016 - "... Locky downloader... an email with the subject of 'Order' pretending to come from Technical Support at random companies, and email addresses with zip attachment in the format of order_ < recipients name >.zip containing a .js file... One of the emails looks like:
    From: Technical Support <Hogan.Terrance@ dl0349 .screaming .net>
    Date: Fri 11/11/2016 11:42
    Subject: Order
    Attachment: order_scans.zip
    Dear Customer
    The item you’ve ordered is on delay due to the unknown problem regarding your bank account you paid from.
    Please check you data in the attachment as soon as you can.
    Best Wishes,
    Terrance Hogan
    Technical Support


    11 November 2016: order_scans.zip: Extracts to: -91Q99QFW2H2-.js - Current Virus total detections 7/55*
    Manual analysis shows a download of a file from one of these locations:
    http ://g2el .com/grj2qqih | http ://gusi .biz/gu7h38t | http ://nsrcconsulting .com/dumu1sl
    http ://thirlnak .net/5crdsr | http ://scupwail .com/5ghkmmf which is renamed by the script and autorun
    (VirusTotal 10/57**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1478866769/

    ** https://www.virustotal.com/en/file/9...is/1478865179/

    g2el .com: 167.88.3.113: https://www.virustotal.com/en/ip-add...3/information/
    gusi .biz: 88.85.81.9: https://www.virustotal.com/en/ip-add...9/information/
    nsrcconsulting .com: 113.197.39.189: https://www.virustotal.com/en/ip-add...9/information/
    thirlnak .net: 67.171.65.64: https://www.virustotal.com/en/ip-add...4/information/
    213.176.241.230: https://www.virustotal.com/en/ip-add...0/information/
    scupwail .com: 213.176.241.230
    67.171.65.64
    ___

    Blank or NO subject SPAM - malformed/broken email delivers Locky
    - https://myonlinesecurity.co.uk/locky...th-no-subject/
    11 Nov 2016 - "... Locky downloader... a damaged/malformed/broken email with either a -blank- subject line or the subject of <no subject> coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of todays date and loads of random numbers containing a .JS file. Despite the delivered email being malformed or damaged, the actual attachment works fine and will encrypt your computer if you open or run the .js file inside the zip...

    Screenshot: https://i1.wp.com/myonlinesecurity.c...24%2C965&ssl=1

    11 November 2016: 20161111174617885403.zip: Extracts to: 201611111333125461862851.js
    Current Virus total detections 10/55*. MALWR** shows a download of an encrypted file from
    http ://ibluegreen .com/487ygfh?hpuarlLJK=hpuarlLJK which is converted by the script to hpuarlLJK1.dll
    (VirusTotal 9/57***). C2: http ://85.143.212.23 /message.php ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1478868610/

    ** https://malwr.com/analysis/ODM5YmZkN...RlYjBjMDMzZGQ/
    Hosts
    222.231.31.195: https://www.virustotal.com/en/ip-add...5/information/
    85.143.212.23: https://www.virustotal.com/en/ip-add...3/information/

    *** https://www.virustotal.com/en/file/b...is/1478867406/
    ___

    Fake 'Virtual card' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/locky...-card-malspam/
    11 Nov 2016 - "... Locky downloader... an email with the subject of 'Virtual card' coming as usual from random companies, names and email addresses with a zip attachment in the format of virtualcard_recipient name.zip containing a .js file... One of the emails looks like:
    From: Carmella Sandoval <Sandoval.Carmella@ usstidewater .org>
    Date: Fri 11/11/2016 18:37
    Subject: Virtual card
    Attachment: virtualcard_wellsybolujou.zip
    Dear Client! A virtual card you have ordered is now ready but not active.
    In order to activate it, please open the attached document and specify your personal data when it’s possible.


    11 November 2016: virtualcard_wellsybolujou.zip: Extracts to: 6KO1G7XU-3827P1594ZITKI6G51.js
    Current Virus total detections 7/55*. Manual analysis shows a download of a file from one of these locations:
    spoiltgirlsclub .com/x6usth1 | eddermiaul .net/2yr5egml | mangdesign .com/ud7gv4 | hzcysw .net/u1qmyaw
    darbyreis .com/39hv30q9 which is renamed by the script (VirusTotal 11/57**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1478889495/

    ** https://www.virustotal.com/en/file/8...is/1478889911/

    spoiltgirlsclub .com: 64.69.219.91: https://www.virustotal.com/en/ip-add...1/information/
    eddermiaul .net: 213.176.241.230: https://www.virustotal.com/en/ip-add...0/information/
    67.171.65.64: https://www.virustotal.com/en/ip-add...4/information/
    mangdesign .com: 121.40.24.159: https://www.virustotal.com/en/ip-add...9/information/
    hzcysw .net: 116.255.152.112: https://www.virustotal.com/en/ip-add...2/information/
    darbyreis .com: 213.176.241.230
    67.171.65.64
    ___

    Malicious SPAM volume hits two year high
    - https://www.helpnetsecurity.com/2016...s-spam-volume/
    Nov 11, 2016 - "According to the Kaspersky Lab Spam and Phishing in Q3 report*, the company’s products blocked 73,066,751 attempts to attack users with malicious attachments. This is the largest amount of malicious spam since the beginning of 2014 and is a 37 percent increase compared to the previous quarter. The majority of those attachments were ransomware Trojan downloaders:
    > https://www.helpnetsecurity.com/imag...12016-spam.jpg
    ... the percentage of spam in global email traffic in September hit an all-time high for the year so far at 61.25 percent..."
    * https://securelist.com/analysis/quar...ng-in-q3-2016/
    Proportion of spam in email traffic
    > https://cdn.securelist.com/files/201...016_eng_11.png
    Sources of spam by country
    >> https://cdn.securelist.com/files/201...016_eng_12.png
    Countries -targeted- by malicious mailshots
    >>> https://cdn.securelist.com/files/201...016_eng_15.png

    Last edited by AplusWebMaster; 2016-11-11 at 21:52.

  10. #1090
    AplusWebMaster (Adviser Team)

    Fake -Blank- SPAM

    FYI...

    Fake -Blank- SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/locky...ed-attachment/
    12 Nov 2016 - "... Locky downloader... a blank email with the subject of '18026 sandra' pretending to come from r.gaffney@ mmu. ac.uk with a zip attachment containing -another- zip that eventually extracts to a .JS file that delivers Locky... One of the emails looks like:
    From: r.gaffney@ mmu. ac.uk
    Date: Thu 01/09/2016 19:22
    Subject: 18026 sandra
    Attachment: MESSAGE_43437218629_sandra.zip


    Body content: completely empty/blank

    12 November 2016: MESSAGE_43437218629_sandra.zip: Extracts to ALERT_23367_ZIP.zip, which in turn extracts to: ALERT_23367.js - Current Virus total detections 7/54*
    Payload Security shows a download of a file from www .parametersnj .top/user.php?f=1.dat which gave user.exe
    (VirusTotal 3/57**). Payload Security***. C2 107.181.174.34 | 85.143.212.23 | 185.82.217.29 | 107.181.174.34
    all using /message.php... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1478957028/

    ** https://www.virustotal.com/en/file/3...is/1478957725/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100


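    The delivery pattern in all of these reports is the same: a zip (in the '18026 sandra' case, a zip inside a zip) carrying a .js or .wsf downloader, which no legitimate receipt, order or document ever needs. That is a rule a mail gateway can enforce before the script runs and before any AV vendor has a signature for the day's sample. The following is an added example written for this thread, not code from the forum post or from myonlinesecurity.co.uk; it uses only the Python standard library, the sample file names are constructed after the ones quoted above, and the script contents are inert stubs.

```python
import io
import posixpath
import zipfile
from typing import List

# Script types the downloaders in this thread arrive as (.js, .wsf) plus
# their Windows Script Host relatives; a mail gateway should refuse all of
# them inside archives rather than rely on AV detection of the day's sample.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}
MAX_DEPTH = 3  # stop recursing into zip-in-zip chains at this depth


def inspect_zip(data: bytes, depth: int = 0, prefix: str = "") -> List[str]:
    """Return quarantine reasons for a zip attachment; an empty list means clean."""
    label = prefix or "attachment"
    if depth > MAX_DEPTH:
        return ["%s: archive nested deeper than %d levels" % (label, MAX_DEPTH)]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["%s: not a valid zip" % label]
    findings = []
    with archive:
        for info in archive.infolist():
            path = prefix + "/" + info.filename if prefix else info.filename
            ext = posixpath.splitext(info.filename.lower())[1]
            if ext in SCRIPT_EXTENSIONS:
                findings.append("%s: script attachment (%s)" % (path, ext))
            elif ext == ".zip":
                # Zip inside a zip, as in the '18026 sandra' mail: open it too.
                findings.append("%s: nested archive" % path)
                findings.extend(inspect_zip(archive.read(info), depth + 1, path))
    return findings


def should_quarantine(data: bytes) -> bool:
    return bool(inspect_zip(data))


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples modelled on the file names quoted in this thread.
RECEIPT_ZIP = build_zip({"FGNTHQ253308.wsf": b"<job><script>/* stub */</script></job>"})
SANDRA_ZIP = build_zip({"ALERT_23367_ZIP.zip": build_zip({"ALERT_23367.js": b"// stub"})})
BENIGN_ZIP = build_zip({"scan.pdf": b"%PDF-1.4 constructed placeholder"})

if __name__ == "__main__":
    for name, sample in (("Receipt", RECEIPT_ZIP), ("18026 sandra", SANDRA_ZIP), ("benign", BENIGN_ZIP)):
        verdict = "QUARANTINE" if should_quarantine(sample) else "pass"
        print(name, "->", verdict, inspect_zip(sample))
```

    The extension check is deliberately on the file name only; the .wsf and .js samples above are flagged by what they are, not by whether any scanner recognises that day's obfuscation.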
