
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1091
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005 - Location: USA - Posts: 6,881

    Fake 'EFax' SPAM

    FYI...

    Fake 'EFax' SPAM - delivers Trickbot banking Trojan
    - https://myonlinesecurity.co.uk/trick...email-address/
    15 Nov 2016 - "An email pretending to be an EFax delivery message with the subject of 'You have recevied a message' pretending to come from Fax Scanner <scanner@ victim domain .tld> with a malicious word doc delivers the latest Trickbot banking Trojan...

    Screenshot: https://i1.wp.com/myonlinesecurity.c...24%2C373&ssl=1

    15 November 2016: Message efax system-1332.doc - Current Virus total detections 4/54*
    Payload Security shows a download from ‘http :// www .tessaban .com/admin/images/ldjslfjsnot.png’ which is renamed by the macro script to wer5.exe and autorun (Payload Security **) (VirusTotal 9/56***)
    tessaban .com 61.19.247.54 has been used for malware spreading for some time now and really needs blocking
    [1] [2] [3] [4]... DO NOT follow the advice they give to enable macros or enable editing to see the content...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1479191384/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    78.47.139.102
    193.107.111.164
    81.177.13.236
    185.86.77.224


    *** https://www.virustotal.com/en/file/0...is/1479185920/

    1] https://virustotal.com/en/url/d517f6...is/1479194525/

    2] http://95.34.115.158/report.php?id=1478197500549
    IP: 61.19.247.54

    3] https://virustotal.com/en/url/3e835d...is/1479194687/

    4] http://95.34.115.158/report.php?id=1479194667714
    IP: 61.19.247.54

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1092
    AplusWebMaster

    Fake 'MoneyGram', 'QuickBooks' SPAM, 'Tax Refund' Phish

    FYI...

    Fake 'MoneyGram' SPAM - delivers java jacksbot
    - https://myonlinesecurity.co.uk/java-...ional-malspam/
    16 Nov 2016 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... The email looks like:
    From: GGCC Payment Discrepancy <GGCCPaymentDiscrepancy@ gmail .com>
    Date: Wed 16/11/2016 06:08
    Subject: Second request of Confirmation of payment, ref 3748155
    Attachment: REVIEW AND RELEASE TRANSACTION.zip (contains 2 identical java.jar files Branch Spreadsheet.jar and Cash Report.jar)
    Good afternoon,
    We need your assistance in obtaining documents for this transaction. The customer claims the funds were not received and we are conducting an investigation. Please provide the following documents:
    Receive documents
    Customers identification (if available)
    Any other information the agent may have
    Attached are the transaction details.
    In order to satisfy the customers claim we must receive the documentation no later than 18th November 2016. Failure to do so may result in a debit to your account. Please notify us immediately should you encounter any delays.
    *Also be sure to include the reference number in the subject field/body of email to avoid duplicate emails.*
    Thank you,
    Ilona Karamon
    Resolution Assurance Analyst I
    MoneyGram International
    P: 18003285678 ext: 582134
    MoneyGram International
    KBC, Konstruktorska 13
    Warsaw, 02-673 Poland ...


    16 November 2016: Branch Spreadsheet.jar (323 kb) - Current Virus total detections 22/56*
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1479280071/
    ___

    Fake 'QuickBooks' SPAM - delivers Dridex
    - https://myonlinesecurity.co.uk/dride...dom-companies/
    16 Nov 2016 - "... an email with the subject of 'Invoice 00482' from Orrell Filtration Ltd (random companies) with a -link- in the email body to download a zip file that downloads Dridex banking Trojan... which delivers Invoice 00482.zip which extracts to Invoice 00482.js...

    Screenshot: https://i2.wp.com/myonlinesecurity.c...24%2C688&ssl=1

    16 November 2016: Invoice 00482.zip: Extracts to: Invoice 00482.js - Current Virus total detections 2/54*
    Payload Security** shows a download of a file from www .rtbh.bravepages .com/images/Manual.pdf which is -not- a pdf but a renamed .exe file which in turn is renamed by the script to GYGMgcC.exe (VirusTotal 10/56***). (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1479298844/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://www.virustotal.com/en/file/5...is/1479299700/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    45.124.64.220
    110.138.108.142
    72.249.45.71
    216.234.115.137

    ___

    Fake 'Tax Refund' Phish
    - http://blog.dynamoo.com/2016/11/phis...d-service.html
    16 Nov 2016 - "Microsoft Office 365 offering a tax refund service? Really? No, of course not, it's a phishing scam..

    Screenshot: https://4.bp.blogspot.com/-pDmYR6qA9...ce-365-tax.png

    The link in the email leads to updatemicrosoftonline .com on 89.248.168.13 (Quasi Networks LTD, Seychelles). Despite the email and the domain name it leads to an HMRC-themed phishing page:
    > https://1.bp.blogspot.com/-TXxXnPQl6...hmrc-phish.png
    This multi-phish page has -twelve- UK banks set up on it:
    Barclays, Halifax, HSBC, Lloyds Bank, NatWest, Royal Bank of Scotland, Santander, TSB, Metro Bank, Clydesdale Bank, The Co-Operative Bank, Tesco Bank..
    Clicking on any of the links goes to a pretty convincing looking phish page, personalised for each bank and carefully extracting all the information they need for account theft. The screenshots below are the sequence if you choose TSB bank:
    > https://4.bp.blogspot.com/-iciyhkhyY...sb-phish-1.png
    (More examples shown at the 1st dynamoo URL at the top.)
    ... Once you have entered all the information, the process appears to -fail- and you are directed to a genuine HMRC site instead. A list of sites found in 89.248.168.0/24 can be found... I suggest that the entire network range looks questionable and should be -blocked-."
    ___

    'Mega' attacks on the Rise
    - http://fortune.com/2016/11/15/akamai-ddos-report/
    Nov 15, 2016 - "... hackers knocking websites offline with massive floods of Internet traffic is nothing new. But the pattern of these so-called DDoS attacks (for “distributed denial of service”) is changing, according to a new report* from internet provider Akamai...
    * https://content.akamai.com/pg7426-pr-soti-report.html
    ... the overall number of DDoS attacks has not risen significantly in 2016, but that the force of these attacks is increasing. Akamai says it confronted 19 “mega attacks” in the third quarter of this year, including the two biggest it has ever encountered in history... The prime targets for the -19- “mega” attacks, which Akamai defines as those that reach over 100 Gbps, were media and entertainment companies, though gaming and software firms were also hit. The two record-breaking attacks, reaching 623 Gbps and 555 Gbps, were directed at security blogger Brian Krebs. The attacks succeeded in taking down Krebs’ website until Jigsaw, a unit of Google’s parent company Alphabet... deployed its Project Shield service to deflect the attack. The reason for this recent surge in mega attacks is tied to security defects in the 'Internet of things'. This involves hackers taking over millions of everyday devices connected to the Internet — especially DVRs, security cameras and home routers — and conscripting them to be part of a botnet army, known as Mirai. Mirai gained widespread notoriety in October, after hackers briefly used it to obstruct consumers’ access to popular sites like Amazon and Twitter, and many of the devices under its control are still compromised. As Akamai suggests, the 'Internet of Things' problem may just be beginning..."

    Last edited by AplusWebMaster; 2016-11-16 at 19:28.

  3. #1093
    AplusWebMaster

    Fake 'Sage Invoice', 'Please check' SPAM, AMEX Phish

    FYI...

    Fake 'Sage Invoice' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/trick...dated-invoice/
    17 Nov 2016 - "An email with the subject of ' pretending to come from 'Sage Invoice' with a malicious word doc delivers Trickbot banking Trojan... sageinvoices .com / sage-invoice .com /sage-invoices .com are all newly created -yesterday- ... domains sending these emails include:
    Sage Invoice <service@ sage-invoices .com>
    Sage Invoice <service@ sage-invoice .com>
    Sage Invoice <service@ sageinvoice .com> ...

    Screenshot: https://i0.wp.com/myonlinesecurity.c...24%2C689&ssl=1

    17 November 2016: SageInvoice.doc - Current Virus total detections 3/54*
    Payload Security** shows a download from http ://delexdart .com/images/gfjfgklmslifdsfnln.png which is not a png file but a renamed .exe file which is renamed by the macro to scsadmin.exe and auto run using PowerShell (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1479380615/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://www.virustotal.com/en/file/5...is/1479381072/

    sage-invoices .com: 50.63.202.56: https://www.virustotal.com/en/ip-add...6/information/
    sage-invoice .com: 184.168.221.34: https://www.virustotal.com/en/ip-add...4/information/
    sageinvoice .com: 50.63.202.34: https://www.virustotal.com/en/ip-add...4/information/
    //

    - http://blog.dynamoo.com/2016/11/malw...rvicesage.html
    17 Nov 2016 - "This -fake- financial spam leads to Trickbot banking trojan...

    Screenshot: https://3.bp.blogspot.com/-swzy7zLG5...e-trickbot.png

    Attached is a malicious Word document named SageInvoice.doc with a detection rate of 3/54*. Hybrid Analysis** shows malicious network traffic to:
    substan.merahost .ru/petrov.bin [185.86.77.224] (Mulgin Alexander Sergeevich aka gmhost .com.ua, Ukraine)
    A malicious file scsnsys.exe is dropped with a detection rate of 8/53***.
    The domain sage-invoices .com has been registered by criminals for this action, presumably to allow encrypted end-to-end communication... I recommend that you -block- traffic from that domain or check your filters to see who may have it.
    Recommended blocklist:
    sage-invoices .com
    185.86.77.0/24
    "
    * https://virustotal.com/en/file/79ff9...0369/analysis/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://virustotal.com/en/file/528a1...4f91/analysis/
    ___

    Fake 'Please check' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/pleas...anking-trojan/
    17 Nov 2016 - "... an email with the subject of 'Please check the information-3878358' (random numbers) pretending to come from random names at your-own-email-domain that tries to deliver Trickbot banking Trojan... tessaban .com 61.19.247.54 has been used for malware spreading for some time now and really needs blocking [1]...
    1] https://virustotal.com/en/url/d517f6...is/1479194525/
    One of the emails looks like:
    From: Brigitte Guidry <Brigitte.Guidry@ victim domain .tld >
    Date: Thu 17/11/2016 02:48
    Subject: Please check the information-3878358
    Attachment: invoice_2222.zip
    Hi,
    I have attached an invoice-4654 for you.
    Regards,
    Brigitte Guidry


    17 November 2016: invoice_2222.zip: Extracts to: invoice_1711.js - Current Virus total detections 2/54*
    MALWR** shows an attempted download of a file from http ://www .tessaban .com/admin/images/ospspps.png currently giving a 404 not found which should be renamed by the script to an .exe file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1479370770/

    ** https://malwr.com/analysis/YjU2ZGMzN...k0ZmZiNWQxYzI/
    Hosts
    61.19.247.54: https://www.virustotal.com/en/ip-add...4/information/
    > https://virustotal.com/en/url/d517f6...077a/analysis/
    ___

    Fake AMEX Phish
    - https://myonlinesecurity.co.uk/pleas...ress-phishing/
    17 Nov 2016 - "... The subject is 'Please activate your Personal Security Key' coming from American Express <welcome@ amex-mails .com>. Additional sending addresses so far found include:
    Amex-mails .com | amexmails .com | amex-emails .com | amexmails .com
    were -all- registered -today- by surprise, surprise: Godaddy .com. They currently do not have an IP number associated with them. When they were received, the emails came from:
    172.99.87.130 - San Antonio Texas US AS27357 Rackspace Hosting ...
    The weird thing is the emails appear -blank- when opened in Outlook, but using view source I can see the email in its full glory, including the links-to-click to get to the-phishing-site... A screenshot of the html is:
    > https://i1.wp.com/myonlinesecurity.c...78%2C913&ssl=1
    Alternative links in emails go to:
    http :// amexsafekeys .com | http ://americanexpressafekey .com | http ://amex-mails .com
    | http:// amexmails .com
    aexpsafekeys .com was registered -yesterday- 16 November 2016 and hosted on these IP addresses:
    95.163.127.249 | 188.227.18.142 which look like they belong to a -Russian- network.
    http ://amexsafekeys .com was also registered -yesterday- by the same Russian name and hosted on same IP addresses: 188.227.18.142 | 95.163.127.249
    http ://americanexpressafekey .com also registered -yesterday- same IP addresses. Following the link to aexpsafekeys .com, you get a typical phishing page like this, where they want all the usual information about you, your family and bank/credit cards etc.:
    > https://i2.wp.com/myonlinesecurity.c...24%2C603&ssl=1 "

    95.163.127.249: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/40...2a5d/analysis/
    188.227.18.142: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/40...2a5d/analysis/

    104.168.87.178: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/40...2a5d/analysis/

    Last edited by AplusWebMaster; 2016-11-18 at 00:28.

  4. #1094
    AplusWebMaster

    Fake 'Western Union' SPAM

    FYI...

    Fake 'Western Union' SPAM - delivers jacksbot Trojan
    - https://myonlinesecurity.co.uk/java-...-limit-breach/
    18 Nov 2016 - "... an email with the subject of 'FINAL WARNING FOR SENDING LIMIT BREACH' pretending to come from Western Union – Agent Support Team <emeagentsupports.westernunion@ gmail .com> delivers java Adwind / Java Jacksbot...

    Screenshot: https://i0.wp.com/myonlinesecurity.c...24%2C624&ssl=1

    18 November 2016: Exceeded Limit Spreadsheet.exe - Current Virus total detections 15/57*
    Payload Security** shows lots of files being dropped/extracted from this file which is renamed by itself to winlogin.exe and in turn drops a multitude of identical xml files and a java.jar file which is Java Jacksbot (VirusTotal 23/56***)... All 3 links (there is one behind the image) go to:
    http ://webkamagi .com/admin/images/Send Limit Exceeded.html where you see this screenshot that starts off with a circle and the words scanning and ends up looking like this that auto-downloads a file from:
    http ://gicfamily .org/admin/file/Exceeded%20Limit%20Spreadsheet.exe (if for some reason it doesn’t auto-download then the download button delivers the malware):
    > https://i1.wp.com/myonlinesecurity.c...ng?w=863&ssl=1
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1479432563/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.107.152.224

    *** https://www.virustotal.com/en/file/a...is/1479453441/
    ___

    Ransomware hits record levels
    - https://www.helpnetsecurity.com/2016...record-levels/
    Nov 18, 2016 - "The amount of phishing emails containing a form of ransomware grew to 97.25 percent during the third quarter of 2016 up from 92 percent in Q1:
    > https://www.helpnetsecurity.com/imag...e-112016-1.jpg
    PhishMe’s Q3 2016 Malware Review identified three major trends previously recorded throughout 2016, but have come to full fruition in the last few months:
    Locky continues to dominate: While numerous encryption ransomware varieties have been identified in 2016, Locky has demonstrated adaptability and longevity.
    Ransomware encryption: The proportion of phishing emails analyzed that delivered some form of ransomware has grown to 97.25 percent, leaving only 2.75 percent of phishing emails to deliver all other forms of malware utilities.
    Increase in deployment of ‘quiet malware’: PhishMe identified an increase in the deployment of remote access Trojan malware like jRAT, suggesting that these threat actors intend to remain within their victims’ networks for a long time.
    During the third quarter of 2016, PhishMe Intelligence conducted 689 malware analyses, showing a significant increase over the 559 analyses conducted during Q2 2016. Research reveals that the increase is due, in large part, to the consistent deployment of the Locky encryption ransomware. Locky executables were the most commonly-identified file type during the third quarter, with threat actors constantly evolving the ransomware to focus on keeping this malware’s delivery process as effective as possible...
    > https://www.helpnetsecurity.com/imag...e-112016-2.jpg
    While ransomware dominates the headlines, PhishMe’s Q3 Malware Review reveals that other forms of malicious software delivered using remote access Trojans, keyloggers and botnets still represent a significant hazard in 2016. Unlike ransomware, so-called ‘quiet malware’ is designed to avoid detection while maintaining a presence within the affected organization for extended periods of time. While only 2.75 percent of phishing emails delivered non-ransomware malware, the diversity of unique malware samples delivered by these emails far exceeded that of the more numerous ransomware delivery campaigns..."
    > http://phishme.com/2016-q3-malware-review/

    Last edited by AplusWebMaster; 2016-11-18 at 13:23.

  5. #1095
    AplusWebMaster

    Fake 'Spam mailout', 'Amazon', 'LogMein' SPAM, Evil network

    FYI...

    Fake 'Spam mailout' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/locky...notifications/
    21 Nov 2016 - "... Locky downloader... an email pretending to come from an ISP, saying that you have been sending spam with the subject of 'Spam mailout' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the form of logs_recipients name.zip... Locky has changed the encrypted file extension to .aesir - See:
    - https://myonlinesecurity.co.uk/locky...ged-c2-format/
    "... Locky has changed the encrypted file extension to .aesir as well as the C2 to “/information.cgi”. I am also informed there is a slight change to the name of the ransomware notification file that they drop on your desktop. It appears to now be _[number]-INSTRUCTION.html "
    One of the emails looks like:
    From: Lula Mcmahon <Mcmahon.Lula@ mtsallstream .net>
    Date:Mon 21/11/2016 07:37
    Subject: Spam mailout
    Attachment: logs_hajighasem1c.zip
    Dear hajighasem1c
    We’ve been receiving spam mailout from your address recently.
    Contents and logging of such messages are in the attachment.
    Please look into it and contact us.
    Best Regards,
    Lula Mcmahon
    ISP Support ...


    21 November 2016: logs_hajighasem1c.zip: Extracts to: M9JJW0NTAD20O3-D53D73LEXZG60.js
    Current Virus total detections 6/55*. Payload Security** and MALWR*** show a download of an encrypted file from iproaction .com/utg8md which is renamed by the script to 2INuijvClpaC.dll (VirusTotal 6/57[4]). C2 have changed in these & they now post to 46.8.29.175 /information.cgi. Other C2's in the Payload security report...
    ... difficult to see the changed extension to .aesir until you look at:
    - https://www.hybrid-analysis.com/samp...ironmentId=100
    and scroll down to Installation/Persistence and then dropped files...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1479717501/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://malwr.com/analysis/YzU5ODQxM...E0ZTdkZmYyY2U/
    Hosts
    194.28.173.247

    4] https://www.virustotal.com/en/file/d...is/1479718456/
    ___

    Fake 'Amazon' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/locky...as-dispatched/
    21 Nov 2016 - "... email with the subject of 'Your Amazon .com order has dispatched (#713-7377848-7745100)' (random numbers) pretending to come from Amazon Inc <auto-shipping4@ amazon .com> with a zip attachment matching the subject. It looks like -Locky has- changed the encrypted file extension to .aesir as well as the C2 to “/information.cgi”... One of the emails looks like:
    From: Amazon Inc <auto-shipping4 @amazon .com>
    Date: Mon 21/11/2016 09:40
    Subject: Your Amazon .com order has dispatched (#713-7377848-7745100)
    Attachment: ORDER-713-7377848-7745100.zip
    Dear Customer,
    Greetings from Amazon .com,
    We are writing to let you know that the following item has been sent using Royal Mail.
    For more information about delivery estimates and any open orders, please visit...
    Your order #713-7377848-7745100 (received November 20, 2016)
    Note: this e-mail was sent from a notification-only e-mail address that cannot accept incoming e-mail. Please do not reply to this message.
    Thank you for shopping at Amazon .com ...


    21 November 2016: ORDER-713-7377848-7745100.zip: Extracts to: KBDGUB350132.js
    Current Virus total detections 11/55*. MALWR** shows a download of an encrypted file from http ://jmltda .cl/hfvg623?wCTlMeE=wCTlMeE which is renamed by the script to wCTlMeE1.dll (VirusTotal 9/57***). C2 are http :// 89.108.73.124 /information.cgi | http :// 91.211.119.98 /information.cgi | http ://185.75.46.73 /information.cgi. Payload Security [4] shows the same... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1479721475/

    ** https://malwr.com/analysis/YzI3OTk0N...diMGRlMWMzZjY/
    Hosts
    186.103.213.249
    91.211.119.98
    185.75.46.73
    89.108.73.124


    *** https://www.virustotal.com/en/file/b...is/1479721490/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts

    ___

    Fake 'LogMein' SPAM - leads to Hancitor/Vawtrak
    - http://blog.dynamoo.com/2016/11/malw...ogmeincom.html
    21 Nov 2016 - "This -fake- financial spam leads to malware:
    From: billing@ secure-lgm .com
    Date: 21 November 2016 at 18:35
    Subject: Your LogMein.com subscription has expired!
    Dear client,
    You are receiving this message because your subscription for LogMeIn Central has expired.
    We were not able to charge you with the due amount because your credit card was declined.
    You can download the bill directly from the LogMeIn website ...
    Please use another credit card or payment method in order to avoid complete service interruption.
    Event type: Credit Card Declined
    Account email: [redacted] .com
    At: 21/11/2016...
    © LogMeIn Inc


    The link in the email actually goes to a page at reg .vn /en/view_bill.php?id=encoded-email-address (where the last part is the email address in Base 64 encoding). It downloads a malicious document lgm_bill69290.doc with a current detection rate of 8/55*. Automated analysis [1] [2] shows malicious network traffic... A malicious executable is dropped with a detection rate of 7/57**. The payload appears to be Hancitor/Vawtrak. The domain secure-lgm .com appears to have been created for the purposes of sending the email... probably fake WHOIS details...
    Recommended blocklist:
    95.215.111.222
    newaronma .com
    libinvestusa .com
    "
    * https://www.virustotal.com/en/file/f...83ac/analysis/

    1] https://malwr.com/analysis/NGZlMzFkM...NhNTQ1ZGM4YmQ/
    Hosts
    95.215.111.222
    54.197.251.22
    69.89.31.104


    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    95.215.111.222
    54.235.212.238
    69.89.31.104


    ** https://www.virustotal.com/en/file/7...7dbe/analysis/
    inst.exe
    ___

    Something evil on 64.20.51.16/29...
    - http://blog.dynamoo.com/2016/11/some...-customer.html
    21 Nov 2016 - "I wrote about this evil network on 64.20.51.16/29 (a customer of Interserver, Inc) over a year ago*, identifying it as a hotbed of fraud. Usually these bad networks don't hang around for very long, but in this case it seems to be -very- persistent. This time it came to notice from a terse spam with a PDF attached:
    From: Lisa Liang [ineedu98@ hanmail .net]
    To: me@ yahoo .com
    Date: 20 November 2016 at 23:23
    Subject: 11/21/2016 Amended
    FYI


    Attached is a file Amended copy.pdf which when you open it (-not- recommended) looks blurry with "VIEW" in big red letters... The link-in-the-email goes to bit .ly/2fJbyol - if you put the "+" on the end of a Bitly link then you can see the number of -clickthroughs- and what the landing page is (www .serviceupgrade .tech/pdf.php in this case)... Clicking through gives you a login page for "Adobe PDF Online" which is of course a generic -phishing- page... Analysis of the 64.20.51.16/29 range finds -193- sites historically connected with it marked as being -phishing- or some other -malicious- activity. There are at least -284- sites currently within that range, of which the following are -both- hosted in that range currently and are malicious... 11% of the total sites in the range have been tagged by SURBL or Google as being -bad- and to be honest there are probably a LOT more but those services haven't caught up yet. In any case, there seems to be nothing of value in 64.20.51.16/29 and I strongly recommend that you -block- traffic to the entire range."
    * http://blog.dynamoo.com/2015/09/evil...erver-inc.html

    i.e.: serviceupgrade .tech: 64.20.51.22: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/7d...6402/analysis/

    Last edited by AplusWebMaster; 2016-11-22 at 00:31.
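    Three patterns recur in posts #1091 to #1095 above: an "image" or "PDF" URL that really serves a renamed .exe which the macro or script then runs, a zip attachment that unpacks to a .js/.wsf/.jar, and Locky's new C2 check-in as a POST to a bare IP at /information.cgi. The Python below is an added triage example, not code from the thread or the quoted blogs; the proxy-log format, the example.invalid hosts and the zip contents are assumed and constructed, and 46.8.29.175 is the C2 quoted in post #1095.

```python
"""Triage helpers for the malspam patterns described in this thread.

Added example, not code from the thread or the quoted blogs. The proxy-log
format, hostnames and zip contents below are constructed for illustration.
"""
import io
import re
import zipfile
from urllib.parse import urlsplit

# Leading bytes of the formats the lures claim to deliver, plus the PE header.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "exe": b"MZ",
}
DECOY_EXTS = {"png", "jpg", "gif", "pdf"}

# Member extensions an "invoice"/"document" zip attachment should never carry
# (the thread's samples unpack to .js, .wsf and .jar).
SCRIPT_EXTS = {"js", "jse", "wsf", "vbs", "jar", "exe", "scr"}

# Locky's changed C2 path, always hit with a POST to a bare IP in the posts.
C2_PATH = "/information.cgi"
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed log format: "<epoch> <client-ip> <METHOD> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def _ext(name: str) -> str:
    """Lower-cased extension of the last path component, or '' if none."""
    base = name.rsplit("/", 1)[-1].lower()
    return base.rsplit(".", 1)[-1] if "." in base else ""


def classify_download(url: str, data: bytes) -> str:
    """Compare what the URL claims (png/pdf) with what the bytes actually are.

    'renamed-exe' is the pattern quoted in the posts: a .png or .pdf path that
    really serves a PE file, which the macro/script then renames and runs.
    'ok' means magic and extension agree; 'unknown' covers everything else,
    including Locky's encrypted downloads, which no magic check will catch.
    """
    ext = _ext(urlsplit(url).path)
    if data.startswith(MAGIC["exe"]):
        return "renamed-exe" if ext in DECOY_EXTS else "exe"
    if ext in MAGIC and data.startswith(MAGIC[ext]):
        return "ok"
    return "unknown"


def risky_attachment_members(zip_bytes: bytes) -> list:
    """Return zip members whose extension is a script or executable."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if _ext(n) in SCRIPT_EXTS]


def find_c2_posts(log_lines) -> list:
    """Return (client, host) for every POST to <bare IPv4>/information.cgi."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        parts = urlsplit(m.group("url"))
        if parts.path == C2_PATH and IPV4.match(parts.hostname or ""):
            hits.append((m.group("client"), parts.hostname))
    return hits


def build_sample_zip() -> bytes:
    """Constructed stand-in for invoice_2222.zip: a .js inside, inert content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_1711.js", "// inert placeholder, not the downloader\n")
    return buf.getvalue()


# Constructed log: 46.8.29.175 is the C2 quoted in post #1095; 203.0.113.7 is
# a documentation-range placeholder; the GET to a named host must not match.
SAMPLE_LOG = [
    "1479717501 10.0.0.5 GET http://example.invalid/utg8md",
    "1479717503 10.0.0.5 POST http://46.8.29.175/information.cgi",
    "1479717510 10.0.0.9 GET http://www.example.invalid/information.cgi",
    "1479717512 10.0.0.9 POST http://203.0.113.7/information.cgi",
]

if __name__ == "__main__":
    fake_png = b"MZ\x90\x00" + b"\x00" * 60  # PE bytes behind a .png name
    print(classify_download("http://example.invalid/admin/images/x.png", fake_png))
    print(risky_attachment_members(build_sample_zip()))
    print(find_c2_posts(SAMPLE_LOG))
```

    The magic check covers the renamed-.exe downloads but not Locky's encrypted blobs, which is why the log scan for the /information.cgi POST is the complementary detection.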

  6. #1096
    AplusWebMaster

    Fake 'Delivery status', 'Invoice', 'Documents Requested', 'tax bill', 'DocuSign' SPAM

    FYI...

    Fake 'Delivery status' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/locky...tatus-malspam/
    22 Nov 2016 - "... Locky downloader... an email with the subject of 'Delivery status' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of document_recipients name .zip... One of the emails looks like:
    From: Jocelyn Sears <Sears.Jocelyn@ teklinks .net>
    Date: Tue 22/11/2016 07:20
    Subject: Delivery status
    Attachment: document_mrilw.zip
    Dear Client! Our delivery department could not accept your operation due to a problem with your current account.
    In order to avoid falling into arrears and getting charged, please fill out the document in the attachment as soon as possible and send it to us.


    22 November 2016: document_mrilw.zip: Extracts to: R9SZO3SDB89J399GW52V80-N2AXBG71NVG2XT.js
    Current Virus total detections 10/55*. MALWR** shows a download of a file from http ://sadhekoala .com/lvqh1 which is converted by the script to 7wYxQEPdqwq.dll (VirusTotal 5/56***). Payload Security [4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1479802918/

    ** https://malwr.com/analysis/MTU1NGMyY...AxOWVkMDMyNzk/
    Hosts
    67.171.65.64

    *** https://www.virustotal.com/en/file/6...is/1479803154/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    - http://blog.dynamoo.com/2016/11/malw...-leads-to.html
    22 Nov 2016 - "This -fake- financial spam leads to Locky ransomware:
    Subject: Delivery status
    From: Gilbert Hancock
    Date: Tuesday, 22 November 2016, 8:51
    Dear Client! Our delivery department could not accept your operation due to a problem with your current account.
    In order to avoid falling into arrears and getting charged, please fill out the document in the attachment as soon as possible and send it to us.


    In the sample I analysed there was an attachment named document_recipientname.zip (i.e. the first part of the recipient's email address was in the name), containing a malicious javascript with a random name. This particular script (and there are probably many others) attempts to download a component... According to this Malwr analysis*, a malicious DLL is dropped with an MD5 of ebf03567c2a907705a026ff0821d8e63 and a detection rate of 6/55**. The Hybrid Analysis*** reveals the following C2 locations:
    91.201.202.130 /information.cgi [hostname: dominfo.dp .ua] (FLP Anoprienko Artem Arkadevich aka host-ua.com, Ukraine)
    95.213.186.93 /information.cgi [hostname: djaksa.airplexalator .com] (Selectel, Russia)
    188.120.250.138 /information.cgi [hostname: olezhkakovtonyuk.fvds .ru] (TheFirst-RU, Russia)
    213.32.66.16 /information.cgi (OVH, France)
    For those Russian and Ukrainian networks I would be tempted to block the entire /24 at least, but this is my minimum recommended blocklist:
    91.201.202.130
    95.213.186.93
    188.120.250.138
    213.32.66.16
    "
    * https://malwr.com/analysis/ZWYyZWY1Y...IzNTQ4NTgzZDA/
    Hosts
    187.45.240.4

    ** https://virustotal.com/en/file/22cfe...is/1479806600/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'Invoice' SPAM - delivers Locky
    - http://blog.dynamoo.com/2016/11/malw...om-random.html
    22 Nov 2016 - "This -fake- financial spam appears to come from a random sender in the victim's-own-domain, but this is just a simple forgery. The payload is Locky ransomware.
    Subject: Invoice 5639438
    From: random sender (random.sender@ victimdomain .tld)
    Date: Tuesday, 22 November 2016, 8:43
    Attached is the document 'Invoice 5639438'.


    The reference number varies from email to email, but is consistent in the subject, body and the name of the attachment (e.g. Invoice 5639438.zip). This ZIP file contains a malicious WSF script (e.g. Invoice 7868933153.wsf)... According to the Malwr analysis*, that script downloads from:
    manage .parafx .com/98y4h?AdIXigNCmu=UdJVux
    There are no doubt many other locations. That same analysis shows a DLL being dropped with an MD5 of de5d8250edf98262f335cd87fe6f6740 and a detection rate of 9/56**. The Hybrid Analysis*** of the same sample shows the malware contacting the following C2 locations:
    89.108.73.124 /information.cgi (Agava, Russia)
    91.211.119.98 /information.cgi (Zharkov Mukola Mukolayovuch aka 0x2a.com.ua, Ukraine)
    94.242.55.81 /information.cgi (RNet, Russia)
    Recommended blocklist:
    89.108.73.0/24
    91.211.119.98
    94.242.55.81
    "
    * https://malwr.com/analysis/YTdlYzE1N...k5YmRkZTQ1YmE/
    Hosts
    69.57.3.3
    91.211.119.98


    ** https://virustotal.com/en/file/1c31f...1ba1/analysis/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'Documents Requested' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/docum...elivers-locky/
    22 Nov 2016 - "... Locky downloader... an email with the subject of 'Documents Requested' pretending to come from random names at your-own-email-domain... One of the emails looks like:
    From: Darlene <Darlene2@ victim domain .uk>
    Date: Tue 22/11/2016 11:26
    Subject: Documents Requested
    Attachment: doc(598).zip
    Dear [redacted]
    Please find attached documents as requested.
    Best Regards,
    Darlene


    22 November 2016: doc(598).zip: Extracts to: 9932613_EUZCK_6312135.wsf - Current Virus total detections 12/53*
    Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1479814057/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'tax bill' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/your-...s-locky-aesir/
    22 Nov 2016 - "... Locky downloader... an email pretending to be a tax bill with the subject of 'Please note' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of tax_recipients name.zip... One of the emails looks like:
    From: Lance Barron <Barron.Lance@ dramaticallybetterhealth .com>
    Date: Tue 22/11/2016 17:41
    Subject: Please note
    Attachment: tax_goal.zip
    Dear goal
    Your tax bill debt due date is today . Please fulfill the debt.
    All the information and payment instructions can be found in the attached document.
    Best Wishes,
    Lance Barron
    Tax Collector ...


    22 November 2016: tax_goal.zip: Extracts to: 6WMK287O33R4XN6.js - Current Virus total detections 6/55*
    MALWR** shows a download of an encrypted file from:
    http ://govorokhm .ru/huz9ex2sd8 which is converted by the script to xHVh9Aflvj4.dll (VirusTotal 9/57***)
    Payload Security [4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1479836521/

    ** https://malwr.com/analysis/MTU1NGMyY...AxOWVkMDMyNzk/
    Hosts
    67.171.65.64

    *** https://www.virustotal.com/en/file/9...is/1479839432/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'DocuSign' SPAM - delivers ASN1 ransomware
    - https://myonlinesecurity.co.uk/spoof...n1-ransomware/
    21 Nov 2016 - "An email with the subject of 'You have a new Encrypted Document' pretending to come from DocuSign <service@ docusigndocuments .com> with a malicious macro enabled word doc tries to download ASN1 ransomware... These do -not- come from the genuine DocuSign company. docusigndocuments .com and the other domains listed have been registered -today- and hosted at Godaddy .com with what are probably -fake- details...
    The three domains and sending email addresses also used in this malspam ransomware attempt are:
    DocuSign <service@ DOCUSIGN-DOCUMENT .COM>
    DocuSign <service@ docusigndocument .com>
    DocuSign <service@ docusigndocuments .com> ...

    Screenshot: https://i0.wp.com/myonlinesecurity.c...24%2C560&ssl=1

    The enclosed word doc looks like:
    > https://i0.wp.com/myonlinesecurity.c...24%2C911&ssl=1

    21 November 2016: EncryptedDocument.doc - Current Virus total detections 18/54*
    Both MALWR** & Payload Security*** show it tries to download
    http ://majesticbrass .com/1061911a3e0a74827a76bbd7bfe16d20.exe which is currently giving a 404 not found. This site was used in a similar ransomware attack at the end of last week[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1479766715/

    ** https://malwr.com/analysis/Y2M1YWNlY...MyNjFhYWFkN2I/
    Hosts
    64.176.31.64
    184.51.0.241


    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    64.176.31.64

    4] https://myonlinesecurity.co.uk/unkno...ument-malspam/

    64.176.31.64: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/6d...5cb0/analysis/
    2016-11-22

    Last edited by AplusWebMaster; 2016-11-22 at 21:33.
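    The Locky C2 entries quoted throughout these posts share one shape: a POST to a bare IPv4 address with the path /information.cgi. The following is an added example (not code from either quoted blog) that hunts for that shape in web-proxy logs and turns the hits into the kind of blocklist the posts recommend; the log format (timestamp, client, method, URL, status) and the sample lines are constructed assumptions, so the parser will need adjusting for a real proxy.

```python
"""Spot Locky-style C2 check-ins in web proxy logs.

Added example for this thread, not code from the quoted blogs. The Locky
C2 entries quoted in these posts share one shape: an HTTP POST to a bare
IPv4 address with the path /information.cgi. The log format (timestamp,
client, method, URL, status) is an assumption; the sample lines below are
constructed for the demo, only the C2 addresses are the ones the posts quote.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log; 192.0.2.10 is a TEST-NET address standing in for a benign site.
SAMPLE_LOG = """\
2016-11-23T09:47:12Z 10.0.0.15 POST http://95.213.186.93/information.cgi 200
2016-11-23T09:47:13Z 10.0.0.15 POST http://195.123.209.8/information.cgi 200
2016-11-23T09:47:20Z 10.0.0.15 POST http://213.32.66.16/information.cgi 200
2016-11-23T09:48:01Z 10.0.0.22 GET http://www.example.com/information.cgi 200
2016-11-23T09:48:05Z 10.0.0.22 GET http://192.0.2.10/index.html 200
2016-11-23T09:48:09Z 10.0.0.31 POST http://80.87.202.49/information.cgi 200
2016-11-23T09:48:09Z 10.0.0.31 POST http://80.87.202.49/information.cgi 200
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_bare_ipv4(host: str) -> bool:
    """True when the URL host is a literal IPv4 address rather than a name."""
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False


def is_locky_checkin(rec: Dict[str, str]) -> bool:
    """POST + /information.cgi + bare IP host, the pattern seen in the posts."""
    url = urlsplit(rec["url"])
    return (rec["method"] == "POST"
            and url.path == "/information.cgi"
            and is_bare_ipv4(url.hostname or ""))


def find_checkins(log_text: str) -> List[Dict[str, str]]:
    """Return the matching records, each annotated with the C2 address."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_locky_checkin(rec):
            rec["c2"] = urlsplit(rec["url"]).hostname
            hits.append(rec)
    return hits


def blocklist(hits: List[Dict[str, str]]) -> List[str]:
    """Unique C2 addresses in numeric order, ready for a firewall deny list."""
    return sorted({h["c2"] for h in hits}, key=lambda ip: int(ipaddress.IPv4Address(ip)))


def infected_clients(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Internal hosts that beaconed, with a count of check-ins each."""
    return dict(Counter(h["client"] for h in hits))
```

    A GET to the same path on a named host is deliberately not flagged, so the rule stays narrow; widen it only after checking what the proxy normally sees.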

  7. #1097 AplusWebMaster (Adviser Team)

    Fake 'Pay Attention', 'Bill', 'Scanned Documents', 'LETTER', 'subpoena' SPAM

    FYI...

    Fake 'Pay Attention' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/11/malw...ion-leads.html
    23 Nov 2016 - "This -fake- financial spam leads to Locky ransomware:
    Subject: Please Pay Attention
    From: Bill Rivera
    Date: Wednesday, 23 November 2016, 9:45
    Dear [redacted], we have received your payment but the amount was not full.
    Probably, this occurred due to taxes we take from the amount.
    All the details are in the attachment - please check it out.


    The name of the sender will vary. In the sample I analysed, a ZIP file was attached with a filename beginning
    lastpayment_ followed by the first part of the recipient's email address. This archive contains a randomly-named malicious .JS script... According to this Malwr report* a malicious DLL is dropped with an MD5 of def0d0070d4aed411b84ebd713fd8b92 and a detection rate of 6/56**. The Hybrid Analysis*** clearly shows the ransomware in action and shows it communicating with the following URLs:
    95.213.186.93 /information.cgi [hostname: djaksa.airplexalator .com] (Selectel, Russia)
    195.123.209.8 /information.cgi [hostname: kostya234.itldc-customer .net] (Layer6, Latvia)
    213.32.66.16 /information.cgi (OVH, France)
    Recommended blocklist:
    95.213.186.93
    195.123.209.8
    213.32.66.16
    "
    * https://malwr.com/analysis/MWY5ZDY1M...MwN2UyMTMzYWQ/
    Hosts
    31.204.153.171

    ** https://virustotal.com/en/file/8ccdf...is/1479896120/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100


    - https://myonlinesecurity.co.uk/pleas...elivers-locky/
    23 Nov 2016 - "... Locky downloader... an email pretending to tell you that you haven’t paid the full amount, with the subject of 'Please Pay Attention' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of lastpayment_recipient name.zip... One of the emails looks like:
    From: Gabriela Diaz <Diaz.Gabriela@ deepredmedia .com>
    Date: Wed 23/11/2016 08:27
    Subject: Please Pay Attention
    Attachment: lastpayment_lickit.zip
    Dear lickit, we have received your payment but the amount was not full.
    Probably, this occurred due to taxes we take from the amount.
    All the details are in the attachment – please check it out.


    23 November 2016: payment_history_64b96be.zip: Extracts to: 2BE46B4PX7ZU28.js
    Current Virus total detections 7/55*. MALWR** shows a download of an encrypted file from
    http ://risewh .com/pg31nkp which is renamed by the script to
    W0heF8ZofNrqpj9Z .dll (VirusTotal 5/56***). Payload Security[4]...
    Other download sites include:
    risewh .com/pg31nkp
    jinxlaze .com/rysuuttn
    naturalnepodlogi .cba .pl/utnnyduqa
    offerrat .com/12mi44q
    pineysprat .com/zqdjx ...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1479894064/

    ** https://malwr.com/analysis/ZGViZTZlN...UyNTU3YTE3MzQ/
    Hosts
    202.103.25.79

    *** https://www.virustotal.com/en/file/b...is/1479894314/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'Bill' SPAM - delivers more Locky
    - https://myonlinesecurity.co.uk/rando...en-more-locky/
    23 Nov 2016 - "... Locky downloader... a -blank/empty- email with the subject of 'Bill-85548' (random numbers) pretending to come from random names at your-own-email-address/company or domain with a totally random numbered zip attachment... One of the emails looks like:
    From: paris hymer <paris.hymer@ victim domain .co .uk>
    Date: Thu 01/09/2016 19:22
    Subject: paris hymer ...
    Attachment: 7c8b9b79dd4ef599dd5d0c6db9b2d530.zip


    Body content: totally blank

    23 November 2016: 7c8b9b79dd4ef599dd5d0c6db9b2d530.zip: Extracts to: qivrlftajqpvl4kfverdv6vu8ecbwdxe.js
    Current Virus total detections 10/55*. MALWR** shows a download of an encrypted file from
    http ://parenclub-devilsenangels .nl/08yhrf3?ELghUu=ELghUu which is converted by the script to
    ELghUu1.dll (VirusTotal 8/55***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1479893531/

    ** https://malwr.com/analysis/MGM2OWFmM...FjMzYyZGI5YTI/
    Hosts
    195.211.74.100
    94.242.55.81
    80.87.202.49


    *** https://www.virustotal.com/en/file/6...is/1479895272/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    195.211.74.100
    80.87.202.49
    94.242.55.81
    95.46.114.205


    - http://blog.dynamoo.com/2016/11/moar...ctims-own.html
    23 Nov 2016 - "This spam has no-body-text and appears to come from within the sender's-own-domain. It leads to Locky ransomware. For example:
    From: julia newenham [julia.newenham@ victimdomain .tld]
    Date: 23 November 2016 at 10:44
    Subject: Bill-76137


    There is a randomly-named ZIP (e.g. 589af1aa1aaf4cb9ce571fced687b8ac.zip) containing a randomly-named malicious javascript... A malicious DLL is dropped with an MD5 of 4e207b30c5eae01fa136f3d89d59bbbe and
    a detection rate of 9/56*. The malware then communicates with:
    80.87.202.49 /information.cgi (JSC Server, Russia)
    94.242.55.81 /information.cgi (RNet, Russia)
    95.46.114.205 /information.cgi (PE Gornostay Mikhailo Ivanovich aka time-host .net, Ukraine)
    Recommended blocklist:
    80.87.202.49
    94.242.55.81
    95.46.114.205
    "
    * https://virustotal.com/en/file/675c6...3d0c/analysis/
    ___

    Fake 'Scanned Documents' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/trick...dress-malspam/
    23 Nov 2016 - "An email with the subject of 'Scanned Documents' pretending to come from HP Digital Device <HP_Printer@ victim domain .tld> with a malicious macro enabled word doc delivers Trickbot banking Trojan...
    The email looks like:
    From: HP Digital Device <HP_Printer@ victim domain .tld>
    Date: Wed 23/11/2016 04:27
    Subject: Scanned Documents
    Attachment: Scan552.doc
    Please open the attached document.
    This document was digitally sent to you using an HP Digital Sending device.
    This email has been scanned for viruses and spam.


    23 November 2016: Scan552.doc - Current Virus total detections 11/51*
    Payload Security**... shows downloads from http ://wingsbiotech .com/images/kjcoiejceiwejf.png
    which is -not- an image file but a renamed .exe that the macro renames to newfle.exe and autoruns
    (VirusTotal 12/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1479879729/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    *** https://www.virustotal.com/en/file/f...is/1479882669/
    ___

    Fake 'LETTER' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/more-...g-locky-aesir/
    23 Nov 2015 - "... Locky downloader... an email with the subject of 'Emailing: LETTER 5.pdf' (random numbers) pretending to come from random names at your-own-email-domain... One of the emails looks like:
    From: queen <queen.gaffney@ victim domain .tld >
    Date: Wed 23/11/2016 13:39
    Subject: Emailing: LETTER 5.pdf
    Attachment: LETTER 5.zip
    Please find attachment.

    This email has been checked for viruses by Avast antivirus software.


    23 November 2016: LETTER 5.zip: Extracts to: fnpqatfwistcg4r3ccoanyajwkqjlgq7.js
    Current Virus total detections 13/55*... Payload Security** shows a download of an encrypted file from
    http ://paulking .it/08yhrf3?yRLXgsuxJ=yRLXgsuxJ which is converted by the script to yRLXgsuxJ1.dll
    (VirusTotal 7/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1479908406/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    *** https://www.virustotal.com/en/file/d...is/1479909224/
    ___

    Fake 'subpoena' SPAM - leads to malware
    - http://blog.dynamoo.com/2016/11/malw...-subpoena.html
    23 Nov 2016 - "This spam purports to come from Michael T Diver who is a real Oklahoma attorney, but it doesn't really and is just a simple forgery:
    From: MICHAEL T. DIVER [michael -at- lawfirmofoklahoma .com]
    Date: 23 November 2016 at 15:24
    Subject: RE:RE: financial records subpoena
    See you in court !!!
    Subpoena for server
    Thank you,
    MICHAEL T. DIVER ...


    The telephone number and also potentially the email address are genuine, but they are certainly not being sent from this law firm. The link-in-the-email goes to a legitimate but -hacked- Vietnamese site at techsmart .vn/backup2/get.php?id=[base64-encoded-part] (the last bit is a Base 64 representation of the victim's email address). In testing the payload site was -down- but previous emails of this type have led to the Vawtrak banking trojan."

    techsmart .vn: 103.18.6.140: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Payment confirmation' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...s-locky-aesir/
    23 Nov 2016 - "... Locky downloader... an email with the subject of 'Payment confirmation 7477' (random numbers) pretending to come from Standard Bank <ibsupport@ standardbank .co .za>...

    Screenshot: https://i1.wp.com/myonlinesecurity.c...24%2C716&ssl=1

    23 November 2016: PaymentConfirmation7477.zip: Extracts to: wbxz7lyfob8mwyygqstzfffj7aere8wz.js
    Current Virus total detections 13/54*. MALWR** shows a download of an encrypted file from
    http ://rdyy .cn/08yhrf3?OYxgQhzazR=OYxgQhzazR which is converted by the script to OYxgQhzazR1.dll
    (VirusTotal 12/56***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1479919853/

    ** https://malwr.com/analysis/MzZmNWE5N...IxMTA5MzViNGQ/
    Hosts
    103.28.44.206
    82.146.32.92
    91.107.107.165
    95.46.114.205


    *** https://www.virustotal.com/en/file/d...is/1479919518/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    103.28.44.206
    91.107.107.165
    82.146.32.92
    95.46.114.205

    ___

    Fake 'Attention Required' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/atten...e-locky-today/
    23 Nov 2016 - "... Locky malware... with the subject of 'Attention Required' coming as usual from random companies, names and email addresses with a semi-random named zip attachment in the format of receipt_recipient.name.zip... One of the emails looks like:
    From: Angela Holmes <Holmes.Angela@ murilobertini .com>
    Date: Wed 23/11/2016 16:14
    Subject: Attention Required
    Attachment: receipt_xerox.805.zip
    Dear xerox.805, our HR Department told us they haven’t received the receipt you’d promised to send them.
    Fines may apply from the third party. We are sending you the details in the attachment.
    Please check it out when possible.


    23 November 2016: receipt_xerox.805.zip: Extracts to: Z8B105E8IK89A9HX.js - Current Virus total detections 15/55*
    MALWR** shows a download of a file from http ://orantpamir .net/el3w488r9 which is converted by the script to
    fWk6epu1.dll (VirusTotal 9/57***). Payload Security[4]...
    Manual analysis shows these download locations
    orantpamir .net/el3w488r9
    oimeferio .net/sl60vci
    websdns .com/k0ais
    gigabothosting .com/kiltoonxqa
    gpsfiles .nl/lywk0py
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1479921317/

    ** https://malwr.com/analysis/ZGEyYjJkM...Q1YTg0NTA1NjI/
    Hosts
    67.171.65.64

    *** https://www.virustotal.com/en/file/6...is/1479921871/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100


    Last edited by AplusWebMaster; 2016-11-23 at 23:29.

  8. #1098 AplusWebMaster (Adviser Team)

    Fake 'Important Info', -blank/body-, 'New voice mail' SPAM, Moar Locky

    FYI...

    Fake 'Important Info' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/11/malw...formation.html
    25 Nov 2016 - "This spam leads to Locky ransomware:
    Subject: Important Information
    From: Etta Figueroa
    Date: Friday, 25 November 2016, 10:28
    Dear [redacted], your payment was not processed due to the problem with credentials.
    Payment details are in the attached document.
    Please check it out as soon as possible.


    The name of the sender varies. Attached is a ZIP file beginning with payment_ and then the first part of the victim's email address. This analysis comes from my trusted usual source (thank you!). It contains a randomly-named malicious javascript that downloads a component... The malware then phones home to:
    213.32.66.16 /information.cgi (OVH, France)
    89.108.118.180 /information.cgi (Datalogika / Agava, Russia)
    91.201.42.83 /information.cgi [hostname: aportom .com] (RuWeb, Russia)
    Recommended blocklist:
    213.32.66.16
    89.108.118.180
    91.201.42.83
    "

    - https://myonlinesecurity.co.uk/impor...e-locky-zzzzz/
    25 Nov 2016 - "... Locky downloader... an email with the subject of 'Important Information' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of payment_recipient’s name.zip... One of the emails looks like:
    From: Clay Clarke <Clarke.Clay@ static .vnpt .vn>
    Date: Thu 01/09/2016 19:22
    Subject: Important Information
    Attachment: payment_montag.zip
    Dear montag, your payment was not processed due to the problem with credentials.
    Payment details are in the attached document.
    Please check it out as soon as possible.


    25 November 2016: payment_montag.zip: Extracts to: HQ5q97uu9s2.js - Current Virus total detections 8/54*
    Payload Security**. MALWR*** shows a download of an encrypted file from
    http ://thinx .net/rkp2tpxlrg which is converted by the script to Oe3cTld33aTOQyLh.tdb (VirusTotal 15/56[4]). The tdb file is actually a dll file that is run by rundll32 but given a different extension to attempt to fool anyone having a quick look at it. We describe this here[5] and Bleeping computer[6] has a good write up about the use of non standard file extensions by Locky... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1477646733/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    *** https://malwr.com/analysis/M2IyNmIwY...YwNTc0OTEzNjc/
    Hosts
    133.130.109.98
    185.154.13.79
    83.217.11.193


    4] https://www.virustotal.com/en/file/f...is/1480069873/

    5] https://myonlinesecurity.co.uk/locky...le-extensions/

    6] http://www.bleepingcomputer.com/news...zzz-extension/
    ___

    Fake -blank/body- SPAM - more Locky
    - https://myonlinesecurity.co.uk/blank...e-locky-zzzzz/
    25 Nov 2016 - "... Locky downloader... a -blank- email with the subject of (random number recipient name) coming or pretending to come from recipient name_olive at random email addresses with a semi-random named zip attachment in the format of INFO_random number_recipients name.zip that contains another zip file... One of the emails looks like:
    From: derekolive@ blueyonder .co.uk
    Date: Fri 25/11/2016 08:10
    Subject: 57051 derek
    Attachment: INFO_052297_derek.zip


    Body content: Totally Blank/empty

    25 November 2016: INFO_052297_derek.zip: extracts to MONEY_14189_ZIP.zip, which in turn extracts to:
    MONEY_14189.js. Current Virus total detections 3/55*. MALWR** shows a download of a file from
    http ://www .vollyuper .top/admin.php?f=2.dat which gave MALWR rad68D08.tmp (VirusTotal 4/57***)...
    Update: the same series of emails with these .js files also have -other- links that are currently downloading Cerber ransomware. These sites include:
    http ://otreytl .bid/search.php?f=x1.dat | http ://hqtrssx .top/search.php?f=x2.dat (VirusTotal 5/57[4])
    (Payload Security [5]). (MALWR [6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1480061873/

    ** https://malwr.com/analysis/M2IyNmIwY...YwNTc0OTEzNjc/
    Hosts
    133.130.109.98
    185.154.13.79
    83.217.11.193


    *** https://www.virustotal.com/en/file/a...is/1480062381/

    4] https://www.virustotal.com/en/file/a...is/1480062381/

    5] https://www.hybrid-analysis.com/samp...ironmentId=100


    6] https://malwr.com/analysis/YTA1YmY2N...EyNzc5MjE2OTA/

    ___

    Moar Locky 2016-11-25
    - http://blog.dynamoo.com/2016/11/moar...016-11-25.html
    25 Nov 2016 - "This data comes from my trusted usual source, so far I have only seen a single example. This morning's spam run has a -subject- with one of the following words:
    DOC, DOCUMENT, FAX, IMG, LABEL, ORD, PHOTO, PIC, SCAN, SHEET

    ..plus a four digit random number. Attached is a ZIP file with a name matching the subject, containing a randomly-named malicious javascript that attempts to download a component... The payload is Locky ransomware, phoning home to:
    185.118.167.144 /information.cgi [hostname: bogdankarpenko1998.pserver .ru] (Chelyabinsk-Signal, Russia)
    91.142.90.55 /information.cgi (Miran, Russia)
    Recommended blocklist:
    185.118.167.144
    91.142.90.55
    "
    ___

    Fake 'New voice mail' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/11/malw...new-voice.html
    25 Nov 2016 - "This -fake- voicemail spam leads to Locky ransomware and appears to come from within the victim's own domain, but this is just a simple forgery.
    Subject: [Vigor2820 Series] New voice mail message from 01435773591 on 2016/11/25 18:29:39
    From: voicemail@ victimdomain .tld
    To: victim@ victimdomain .tld
    Date: Friday, 25 November 2016, 12:58
    Dear webmaster :
    There is a message for you from 01435773591, on 2016/11/25 18:29:39 .
    You might want to check it when you get a chance.Thanks!


    The number in the message will vary, but is consistent throughout. Attached is a ZIP file referencing the same number, e.g. Message_from_01435773591.wav.zip which contains a malicious Javascript... This Malwr analysis* shows behaviour consistent with Locky ransomware... The C2s to block are the same as here**, namely:
    185.118.167.144 /information.cgi [hostname: bogdankarpenko1998.pserver .ru] (Chelyabinsk-Signal, Russia)
    91.142.90.55 /information.cgi (Miran, Russia)
    Recommended blocklist:
    185.118.167.144
    91.142.90.55
    "
    * https://malwr.com/analysis/YWU1NzQ4M...VmNTdlMzQ4NWU/
    Hosts
    92.60.224.52
    185.118.167.144
    91.142.90.55

    ** http://blog.dynamoo.com/2016/11/moar...016-11-25.html
    ___

    Locky hidden in image file hitting Facebook, LinkedIn
    - https://www.helpnetsecurity.com/2016...book-linkedin/
    Nov 25, 2016 - "Malware masquerading as an image file is still spreading on Facebook, LinkedIn, and other social networks. Check Point researchers have apparently discovered how cyber crooks are embedding malware in graphic and image files, and how they are executing the malicious code within these images to infect social media users with Locky ransomware variants... As they are searching for a solution, the Check Point research team advises* users not-to-open-any-image they have received from another user and have downloaded on their machine... A video demonstration of the attack can be viewed below:
    > https://youtu.be/sGlrLFo43pY "

    * http://blog.checkpoint.com/2016/11/2...alware-images/
    2016/11/24 - "... attackers have built a new capability to embed malicious code into an image file and successfully upload it to the social media website. The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user -clicks- on the downloaded file..."

    Last edited by AplusWebMaster; 2016-11-25 at 18:06.
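    Two disguises recur in the posts above: the Trickbot 'Scanned Documents' macro fetches an .exe served as a '.png', and the Locky 'Important Info' downloader (and the 'Urgent Alert' one in the next post) stores its DLL as '.tdb' and runs it with rundll32. The following is an added example (not code from either quoted blog) that checks a file's leading bytes against its extension and flags rundll32 command lines whose module is not a .dll; the sample bytes, file names and command lines are constructed, not captured artefacts.

```python
"""Flag files whose contents do not match their extension.

Added example for this thread, not code from the quoted blogs. It covers
the two disguises the posts describe: an .exe served as a '.png'
(the Trickbot downloader in 'Scanned Documents') and a DLL renamed to
'.tdb' that Locky runs via rundll32 ('Important Info', 'Urgent Alert').
All sample bytes and command lines below are constructed, not captures.
"""
import os
import shlex
import struct
from typing import Dict, List, Optional

# Leading bytes for the formats the posts mention.
MAGIC = {
    b"MZ": "pe",                    # Windows EXE or DLL
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}
# Extensions that legitimately carry each sniffed type.
EXPECTED = {"pe": {".exe", ".dll", ".scr", ".sys"}, "png": {".png"}, "zip": {".zip"}}
IMAGE_FILE_DLL = 0x2000


def _ext(path: str) -> str:
    """Lower-case extension, tolerant of Windows backslash paths on any OS."""
    return os.path.splitext(path.replace("\\", "/"))[1].lower()


def sniff_type(data: bytes) -> str:
    """Return the content type implied by the leading bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def pe_is_dll(data: bytes) -> Optional[bool]:
    """Read the COFF Characteristics of a PE and report IMAGE_FILE_DLL.
    Returns None when the headers are too short or malformed to parse."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of 'PE\0\0'
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2) -> Characteristics at +22.
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return bool(characteristics & IMAGE_FILE_DLL)


def check_extension(filename: str, data: bytes) -> Optional[str]:
    """Return a finding when the extension disagrees with the content."""
    ext, kind = _ext(filename), sniff_type(data)
    if kind == "unknown" or ext in EXPECTED[kind]:
        return None
    detail = kind
    if kind == "pe":
        is_dll = pe_is_dll(data)
        if is_dll is not None:
            detail = "PE DLL" if is_dll else "PE EXE"
    return f"{filename}: extension {ext or '(none)'} but content is {detail}"


def check_rundll32(cmdline: str) -> Optional[str]:
    """Flag a rundll32 command line whose module argument is not a .dll."""
    argv = shlex.split(cmdline, posix=False)
    if len(argv) < 2 or os.path.basename(argv[0].replace("\\", "/")).lower() != "rundll32.exe":
        return None
    module = argv[1].split(",")[0].strip('"')   # module path precedes ',EntryPoint'
    if _ext(module) != ".dll":
        return f"rundll32 loading non-.dll module: {module}"
    return None


def make_pe(dll: bool) -> bytes:
    """Constructed minimal PE header (not runnable code) for the demo."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)             # e_lfanew right after the DOS header
    coff = bytearray(b"PE\0\0" + b"\0" * 20)
    struct.pack_into("<H", coff, 22, 0x2102 if dll else 0x0102)
    return bytes(header + coff)


# Constructed samples named after the files the posts mention.
SAMPLES: Dict[str, bytes] = {
    "kjcoiejceiwejf.png": make_pe(dll=False),   # 'image' that is really an .exe
    "Oe3cTld33aTOQyLh.tdb": make_pe(dll=True),  # Locky DLL behind a decoy extension
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 16,
    "doc(598).zip": b"PK\x03\x04" + b"\0" * 16,
}


def scan(samples: Dict[str, bytes] = SAMPLES) -> List[str]:
    """Run the extension check over a name->bytes mapping."""
    return [f for f in (check_extension(n, d) for n, d in samples.items()) if f]
```

    Only the first bytes are inspected, so the same check works on a proxy's content stream before the whole download lands on disk.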

  9. #1099 AplusWebMaster (Adviser Team)

    Fake 'Purchase Order', 'Urgent Alert', 'Bill', 'Message' SPAM

    FYI...

    Fake 'Purchase Order' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...elivers-locky/
    28 Nov 2016 - "... Locky downloader... an email with the subject of 'Purchase Order No. 90373' (random numbers) coming or pretending to come donotreply@ south-staffordshire .com with a semi-random named zip attachment that matches the subject line... One of the emails looks like:
    From: donotreply@ south-staffordshire .com
    Date: Mon 28/11/2016 09:45
    Subject: Purchase Order No. 90373
    Attachment: PO90373.zip
    Please find attached Purchase Order No. 90373.
    PLEASE DO NOT REPLY TO THIS ADDRESS.
    If you have any queries in regards to your Purchase Order, please contact your requestor, Reinaldo horrocks on 01922 062460 ext 5580...


    28 November 2016: payment_history_64b96be.zip: Extracts to: 93410605.wsf - Current Virus total detections 8/55*
    MALWR** is not giving any payload or download sites. Payload Security*** shows a download of an encrypted file from
    restauranttajmahal .ca/87nft3?iNKevOML=ChKIolivpc which is converted by the script to a dll and autorun.
    Unfortunately Payload Security does not show or make the dll available for download in the free web version... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1480327255/

    ** https://malwr.com/analysis/M2U1OTFhO...Q5ZDI4MWEwMDY/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'Urgent Alert' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/urgen...elivers-locky/
    28 Nov 2016 - "... Locky downloader... an email with the subject of 'Urgent Alert' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of ATM_recipients name.zip... One of the emails looks like:
    From: Tami Soto <Soto.Tami@ lelycentereast .com>
    Date: Mon 28/11/2016 09:22
    Subject: Urgent Alert
    Attachment: ATM_etgord34truew.zip
    Dear etgord34truew, we have detected a suspicious money ATM withdrawal from your card.
    For your security, we have temporarily blocked the card.
    All the details are in the attachment. Please open it when possible.


    28 November 2016: ATM_etgord34truew.zip: Extracts to: HQ6za5d7.js - Current Virus total detections 7/53*
    MALWR** shows a download of an encrypted file from http ://dodowiz .com/ynux4ac
    which is converted by the script to x3NzzWXgCcwO.tdb (VirusTotal 6/52***). The tdb file is actually a dll file that is run by rundll32 but given a different extension to attempt to fool anyone having a quick look at it. We describe this here[4] and Bleeping Computer[5] has a good write-up about the use of non-standard file extensions by Locky
    (Payload Security [6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1480324767/

    ** https://malwr.com/analysis/ZDdlZTNiZ...k1MzY1YTIyZDc/
    Hosts
    183.98.152.2

    *** https://www.virustotal.com/en/file/f...is/1480329111/

    4] https://myonlinesecurity.co.uk/locky...le-extensions/

    5] http://www.bleepingcomputer.com/news...zzz-extension/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    213.176.241.230
    213.32.66.16
    91.201.42.83
    185.146.171.180
    52.32.150.180
    54.240.162.86
    52.35.54.251

    ___

    Fake 'Bill' SPAM - more Locky
    - https://myonlinesecurity.co.uk/more-...email-address/
    28 Nov 2016 - "... Locky downloader... another blank/empty malspam pretending to come from random names at your-own-email-address with the subject of 'Bill-4491989' (random numbers) with a random named zip attachment. All these emails have a To: line of resort@ doggiespalace .com with a hidden bcc: to your email address... One of the emails looks like:
    From: earlene mitchel <earlene.mitchel@ your-own-email-domain .co.uk>
    Date: Mon 28/11/2016 12:07
    Subject: Bill-4491989
    To: resort@ doggiespalace .com
    Attachment: d58e224b0e2266fb80b74c3b46f03fd1.zip


    Body content: totally blank/empty

    28 November 2016: d58e224b0e2266fb80b74c3b46f03fd1.zip: Extracts to: 64621603.wsf
    Current Virus total detections 8/50*. MALWR is unable to get any malware or download sites. Payload Security** shows a download of an encrypted file from sinmotor .com/87nft3?XztYNBph=nhYXdz which is converted by the script to MxoWCE1.dll (VirusTotal 9/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1480329075/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    61.7.236.41
    213.32.90.193
    185.115.140.210
    185.118.67.162
    2.16.4.42
    52.32.150.180
    54.240.162.245
    35.160.111.237


    *** https://www.virustotal.com/en/file/b...is/1480333048/
    ___

    Fake 'Message' SPAM - more Locky
    - https://myonlinesecurity.co.uk/even-...email-address/
    28 Nov 2016 - "... Locky downloader... another malspam pretending to come from donotreply at your-own-email-address that pretends to be an email from a scanner/printer with the subject of 'Message from RNP0024D5D73B3A' (random numbers) with a semi-random named zip attachment in the format of todays date random numbers_random numbers.zip... One of the emails looks like:
    From: donotreply@ your-own-email-address .co.uk
    Date: Mon 28/11/2016 11:30
    Subject: Message from “RNP0024D5D73B3A”
    Attachment: 201611281559326883_0033.zip
    This E-mail was sent from “RNP0024D5D73B3A” (Aficio MP 2352).
    Scan Date: Mon, 28 Nov 2016 15:59:32 +0430)
    Queries to: {redacted}


    28 November 2016: 201611281559326883_0033.zip: Extracts to: 95130643.wsf - Current Virus total detections 6/55*
    Payload Security** shows a download of an encrypted file from somersetautotints .co.uk/87nft3?viqtJpG=zELkPdJaI which is converted by the script to lkVpqyuH1.dll which VirusTotal 9/56*** shows is the same file as this concurrent malspam run[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1480336074/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    5.133.180.146
    213.32.90.193
    54.240.162.123
    91.198.174.192
    91.198.174.208


    *** https://www.virustotal.com/en/file/b...b90a/analysis/

    4] https://myonlinesecurity.co.uk/more-...email-address/

    Last edited by AplusWebMaster; 2016-11-28 at 15:32.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
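The posts above all report the same delivery shape: a small zip attachment whose only member is a .wsf or .js script that the Windows Script Host runs when double-clicked. The following is an added example, not code from the forum or from myonlinesecurity.co.uk, showing the triage a mail gateway can apply to such an attachment in memory, without extracting anything to disk. The sample archives are constructed here with inert contents (member names modelled on the ones reported); the extension lists, the `triage_zip` function and its verdict fields are assumptions made for the example.

```python
"""Mail-gateway triage for zip attachments of the kind reported in the thread.
Added example (not the forum's or myonlinesecurity.co.uk's code); sample
archives are constructed in memory with inert content."""
import io
import zipfile

# Extensions the Windows Script Host / shell executes on double-click (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta", ".cmd", ".bat", ".ps1"}
# Document-looking extensions used as decoys in double-extension names, e.g. "invoice.pdf.js".
DOCUMENT_DECOYS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
NESTED_ARCHIVES = {".zip", ".rar", ".7z"}


def _extensions(name):
    """Lower-cased extension chain of a member name: 'a.pdf.js' -> ['.pdf', '.js']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_zip(data):
    """Inspect zip bytes and return a verdict dict; nothing is extracted or executed."""
    verdict = {"members": [], "script_members": [], "decoy_names": [],
               "nested_archives": [], "block": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # An attachment that claims to be a zip but cannot be read is held, not passed through.
        verdict["error"] = "not a zip"
        verdict["block"] = True
        return verdict
    for info in zf.infolist():
        if info.is_dir():
            continue
        verdict["members"].append(info.filename)
        exts = _extensions(info.filename)
        if exts and exts[-1] in SCRIPT_EXTENSIONS:
            verdict["script_members"].append(info.filename)
        if len(exts) >= 2 and exts[-2] in DOCUMENT_DECOYS:
            verdict["decoy_names"].append(info.filename)
        if exts and exts[-1] in NESTED_ARCHIVES:
            verdict["nested_archives"].append(info.filename)
    verdict["block"] = bool(verdict["script_members"] or verdict["decoy_names"]
                            or verdict["nested_archives"])
    return verdict


def build_sample(members):
    """Construct a zip in memory from {member name: bytes}; test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a Locky-style script-in-zip and a plain document attachment.
LOCKY_STYLE = build_sample({"93410605.wsf": b"<job><script language='JScript'>/* inert */</script></job>"})
BENIGN = build_sample({"PO90373.pdf": b"%PDF-1.4 inert sample"})

if __name__ == "__main__":
    for label, blob in (("locky-style", LOCKY_STYLE), ("benign", BENIGN)):
        print(label, triage_zip(blob))
```

The check deliberately looks at member names only, so it runs in constant time per attachment and cannot be stalled by a decompression bomb; a nested archive is blocked outright rather than opened recursively. A gateway that wants to pass documents through should still hand them to a sandbox, since the XLS attachments in the later posts carry their downloader as a macro rather than as a script member.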

  10. #1100
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'XLS Invoice', 'For Your Consideration', 'Insufficient funds' SPAM, Apple phish

    FYI...

    Fake 'XLS Invoice' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/pleas...elivers-locky/
    29 Nov 2016 - "An email with the subject of 'Please find attached a XLS Invoice 293192' (random numbers) pretending to come from creditcontrol@ random companies with a malicious Excel XLS spreadsheet attachment delivers Locky... The email looks like:
    From: creditcontrol@ riversideglass .com
    Date: Tue 29/11/2016 08:01
    Subject: Please find attached a XLS Invoice 293192
    Attachment: INVOICE.TAM_293192_20161129_C415186AD.xls
    Please find attached your Invoice for Goods/Services recently delivered. If you have any questions, then please do not hesitate in contacting us. Karen Lightfoot - Credit Controller, Ansell Lighting ...


    29 November 2016: INVOICE.TAM_293192_20161129_C415186AD.xls - Current Virus total detections 9/56*
    Payload Security** shows a download from thegarageteam .gr/087gbdv4 which is an encrypted file that gets converted by the macro to luswiacs1.dll. Unfortunately Payload Security does not make this file available in the free web version. MALWR*** did give the dll (VirusTotal 9/57[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1480406523/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    178.32.154.18
    95.213.195.123
    213.32.90.193
    185.115.140.210
    52.34.245.108
    54.240.162.84
    35.160.111.237


    *** https://malwr.com/analysis/NTMwNjg4Y...M5ZmJlYjc3ZTY/
    Hosts
    178.32.154.18
    213.32.90.193
    95.213.195.123
    185.115.140.210


    4] https://www.virustotal.com/en/file/8...is/1480407357/
    ___

    Fake 'For Your Consideration' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/for-y...elivers-locky/
    29 Nov 2016 - "... Locky downloader... an email with the subject of 'For Your Consideration' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of unpaid_recipient’s name.zip... One of the emails looks like:
    From: Elliott Osborn <Osborn.Elliott@ airtelbroadband .in>
    Date: Tue 29/11/2016 11:22
    Subject: For Your Consideration
    Attachment: unpaid_evf.zip
    Greetings! You paid for yesterday’s invoice – the total sum was $4636.
    Unfortunately, you hadn’t included the item #47089-14743 of $688.
    Please transfer the remainder as soon as possible.
    All details are in the attachment. Please check it out to see whether we are right.


    29 November 2016: unpaid_evf.zip: Extracts to: -snk-7030904.js - Current Virus total detections 12/55*
    MALWR** shows a download of an encrypted file from one of these 2 locations
    http ://tytswirl .com/u2asa61 and http ://kalbould .wa .gov.au/n9zz5r8 which is converted by the script to AddoClgYDJ4J3F.tdb (VirusTotal 6/57***). The tdb file is actually a dll file that is run by rundll32 but given a different extension... Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1480418735/

    ** https://malwr.com/analysis/MmNjODJjO...U3MzQ5NWJhM2Q/
    Hosts
    103.9.65.107
    67.171.65.64


    *** https://www.virustotal.com/en/file/2...is/1480419080/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    103.9.65.107
    67.171.65.64
    52.42.26.69
    54.240.162.193

    ___

    Fake 'File COPY' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/can-y...elivers-locky/
    29 Nov 2016 - "An email with the subject of 'File COPY.29112016.94400.XLS Sent 29/11/2016' (random numbers) pretending to come from random senders with a malicious Excel XLS spreadsheet attachment delivers Locky ransomware... The email looks like:
    From: ALLGREEN-USSING, RODOLFO <RODOLFO.ALLGREEN-USSING@ PARFEMY-ELNINO .SK>
    Date: Tue 29/11/2016 13:23
    Subject: File COPY.29112016.94400.XLS Sent 29/11/2016
    Attachment: COPY.29112016.94400.XLS
    can you please pass this invoice for payment thank you...


    29 November 2016: COPY.29112016.94400.XLS - Current Virus total detections 9/55*
    Payload Security** shows a download of an encrypted file from steffweb .dk/087gbdv4 which is converted by the macro to luswiacs1.dll (VirusTotal 10/56***). Although the Locky dll file -name- is the same as today’s earlier XLS malspam[1] run the file itself is different...
    1] https://myonlinesecurity.co.uk/pleas...elivers-locky/
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1480430599/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    94.231.108.252

    *** https://www.virustotal.com/en/file/f...9124/analysis/
    ___

    Fake 'eFax' SPAM - drops Nymaim variant
    - http://blog.dynamoo.com/2016/11/fake...harepoint.html
    29 Nov 2016 - "This -fake- fax leads to a malicious ZIP file:

    Screenshot: https://4.bp.blogspot.com/-wZb3FWqAD...s1600/efax.png

    The link in the email goes to a -hacked- Sharepoint account, in this case:
    https ://supremeselfstorage-my.sharepoint .com/personal/andrew_supremeselfstorage_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=GTQPc%2brKLAsKHba4nXtvl0hXrBsUmCUxoYGuu9msk0U%3d&docid=0c4b96dfd3319496a8feb1a56d88de679&rev=1
    It seems to belong to a legitimate company, but maybe one that has suffered an Office 365 compromise[2]. The ZIP file it leads to is named Fax_11292016.zip (there may be other versions) containing two identical -scripts- named:
    Fax_11292016_page1.js
    Fax_11292016_page2.js
    ... Hybrid Analysis* of the script indicates this is Nymaim[3] downloading a component from:
    siliguribarassociation .org/images/staffs/documetns.png
    A malicious EXE is dropped with an MD5 of bdf952b2388bf429097b771746395a4c and a detection rate of 9/56**. The malware then phones home to:
    stengeling .com/20aml/index.php
    The domain stengeling .com appears to have been -created- for this malware and has -anonymous- registration details. It is apparently -multihomed- on the following IPs:
    4.77.129.110, 18.17.224.92, 31.209.107.100, 37.15.90.12, 43.132.208.7, 45.249.111.213, 52.61.200.235
    61.25.216.8, 67.25.164.206, 74.174.194.169, 88.214.198.162, 92.74.29.236, 111.241.115.90, 115.249.171.24
    119.71.196.177, 135.55.94.211, 143.99.241.18, 147.89.60.135, 156.180.11.60, 162.74.9.51, 168.227.171.254
    176.114.21.171, 184.131.179.44, 207.77.174.212
    Each of those IPs appears to be a -hacked- legitimate host, with a high turnover of IPs. Those IPs appear to be associated with the following domains that may be worth blocking:
    butestsis .com
    sievecnda .com
    specsotch .com
    crileliste .com
    stengeling .com
    "
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.158.76.73
    115.249.171.24
    45.249.111.213
    168.227.171.254
    31.209.107.100


    ** https://www.virustotal.com/en/file/e...6c60/analysis/

    2] https://support.microsoft.com/en-us/kb/2551603

    3] http://cyber.verint.com/nymaim-malware-variant/
    ___

    Fake 'Insufficient funds' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/insuf...elivers-locky/
    28 Nov 2016 - "... Locky... an email with the subject of 'Insufficient funds' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of payment-recipient name.zip... One of the emails looks like:
    From: Ruby Quinn <Quinn.Ruby@ villatk .gr>
    Date: Mon 28/11/2016 20:58
    Subject: Travel expense sheet
    Attachment: payment-gold.zip
    Dear gold,
    Your bill payment was rejected due to insufficient funds on your account.
    Payment details are given in the attachment.


    28 November 2016: payment-gold.zip: Extracts to: -snk-007064018.js - Current Virus total detections 14/55*
    MALWR** shows a download of an encrypted file from http ://leyuego .com/ejxgf1iy which is converted by the script to Ddrh0VO4W20.tdb (VirusTotal 7/57***). The tdb file is actually a dll file that is run by rundll32 but given a different extension to attempt to fool anyone having a quick look at it. We describe this here[4] and Bleeping computer[5] has a good write up about the use of non standard file extensions by Locky (Payload Security [6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1480370317/

    ** https://malwr.com/analysis/NWU1NTBkO...YxM2I0MjkyN2E/
    Hosts
    121.201.23.80

    *** https://www.virustotal.com/en/file/8...is/1480371353/

    4] https://myonlinesecurity.co.uk/locky...le-extensions/

    5] http://www.bleepingcomputer.com/news...zzz-extension/

    6] https://www.reverse.it/sample/7eca0c...ironmentId=100
    Contacted Hosts
    121.201.23.80
    185.12.95.92
    213.32.66.16
    85.143.214.58
    52.34.245.108
    54.240.162.4
    35.160.111.237

    ___

    Apple ID – Phish
    - https://myonlinesecurity.co.uk/reset...e-id-phishing/
    29 Nov 2016 - "... mass Apple phish... received about 200 so far this morning, many of which are getting past spam filters because they seem to have found some sending addresses that aren't yet listed in spam databases and that don't use SPF/DKIM/DMARC, so authentication checks don't fail. Most mail servers are set up to ignore lack of mail authentication, rather than automatically delete or quarantine...

    Screenshot: https://i0.wp.com/myonlinesecurity.c...24%2C644&ssl=1

    The links in the body go to
    http ://k4dot .biz/admindb/gi.html which -redirects- to http ://tkmarketingsolutions .com/skynet/Itunes/apple/

    k4dot .biz: 161.58.203.203: https://www.virustotal.com/en/ip-add...3/information/
    tkmarketingsolutions .com: 67.212.91.221: https://www.virustotal.com/en/ip-add...1/information/

    ... follow the link you see a webpage looking like:
    > https://i1.wp.com/myonlinesecurity.c...24%2C565&ssl=1
    ... All of these emails use social engineering tricks to persuade you to open the attachments that come with the email..."

    Last edited by AplusWebMaster; 2016-11-29 at 23:02.
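Several of the Locky reports in this post and the previous one describe the same endpoint behaviour: a .js or .wsf dropper runs under wscript.exe from the temporary folder the zip was opened in, decrypts its download to a file with a non-standard extension such as .tdb, and runs it with rundll32, which loads the file as a DLL regardless of its name. The following is an added example, not code from the forum, myonlinesecurity.co.uk or Bleeping Computer, of the detection logic a SOC could run over process-creation telemetry for that chain. The four log lines are constructed in a simplified pipe-separated key=value form (not real Sysmon output); the file names are modelled on those reported, the export name `entry` and the user paths are placeholders, and the alert names are assumptions for the example.

```python
"""Process-creation detection for the Locky .js/.wsf -> rundll32 non-.dll chain.
Added example; the log lines below are constructed, not real telemetry."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Script argument on a script-host command line (assumed extension list).
SCRIPT_ARG = re.compile(r"\S+\.(?:js|jse|wsf|vbs|vbe|hta)\b", re.I)
# Folders where a script run straight from a mail attachment ends up (assumed).
TRANSIENT_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")


def parse_event(line):
    """Parse 'Key=value | Key=value' into a dict (constructed log format)."""
    return dict(field.split("=", 1) for field in line.split(" | "))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_module(cmdline):
    """Module rundll32 was told to load: first argument after the image, up to ',' or whitespace.
    Handles both 'rundll32.exe C:\\dir\\x.tdb,entry' and 'rundll32.exe "C:\\dir with space\\x.tdb",entry'."""
    rest = re.sub(r'^(?:"[^"]*"|\S+)\s*', "", cmdline.strip(), count=1)
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else None
    module = re.split(r"[,\s]", rest, maxsplit=1)[0]
    return module or None


def detect(lines):
    """Return (pid, alert name, detail) tuples for the suspicious events in the lines."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        pid = ev.get("ProcessId", "?")
        if image in SCRIPT_HOSTS:
            m = SCRIPT_ARG.search(cmd)
            if m and any(d in m.group(0).lower() for d in TRANSIENT_DIRS):
                alerts.append((pid, "script-host-running-script-from-temp", m.group(0)))
        if image == "rundll32.exe":
            module = rundll32_module(cmd)
            if module and not module.lower().endswith(".dll"):
                alerts.append((pid, "rundll32-loading-non-dll-extension", module))
            if parent in SCRIPT_HOSTS:
                alerts.append((pid, "rundll32-spawned-by-script-host", parent))
    return alerts


# Constructed sample telemetry: the delivery chain followed by two benign look-alikes.
SAMPLE_LOG = [
    # the user opens the .js inside the zip; Explorer's compressed-folder handler copies it to %TEMP%\Temp1_<zip>
    r"ProcessId=4120 | ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\wscript.exe"
    r" | CommandLine=wscript.exe C:\Users\bob\AppData\Local\Temp\Temp1_ATM_etgord34truew.zip\HQ6za5d7.js",
    # the script writes the decrypted download with a .tdb name and runs it through rundll32 ('entry' is a placeholder)
    r"ProcessId=4188 | ParentImage=C:\Windows\System32\wscript.exe | Image=C:\Windows\System32\rundll32.exe"
    r" | CommandLine=rundll32.exe C:\Users\bob\AppData\Local\Temp\x3NzzWXgCcwO.tdb,entry",
    # benign: a Control Panel applet launched through a real .dll
    r"ProcessId=5002 | ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\rundll32.exe"
    r" | CommandLine=rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    # benign: an administrative script run from a fixed, non-transient path
    r"ProcessId=5010 | ParentImage=C:\Windows\System32\svchost.exe | Image=C:\Windows\System32\cscript.exe"
    r" | CommandLine=cscript.exe //nologo C:\Scripts\inventory.vbs",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Three alerts fire on the constructed log, all for the two chain events, and none for the benign rundll32 and cscript lines. The non-.dll check looks only at the first argument, so the common `shell32.dll,Control_RunDLL` form does not trip it; the parent-process check is the more robust of the two, since renaming the payload back to .dll would evade the extension rule but not the fact that a script host spawned rundll32.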
