
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1101
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Urgent bill', 'Attached Image' SPAM

    FYI...

    Fake 'Urgent bill' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/urgen...elivers-locky/
    30 Nov 2016 - "... Locky downloader... an email with the subject of 'Urgent' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of unpaid_recipient’s name.zip... One of the emails looks like:
    From: Adolfo Alexander <Alexander.Adolfo@ escondidohistory .org>
    Date: Wed 30/11/2016 09:06
    Subject: Urgent
    Attachment: unpaid_forum.zip
    Dear forum, our accountant informed me that in the bill you processed, the invalid account number had been specified.
    Please be guided by instructions in the attachment to fix it up.


    30 November 2016: unpaid_forum.zip: Extracts to: -snk-284042943.js - Current Virus total detections 10/55*
    MALWR** shows a download of an encrypted file from http ://revaitsolutions .com/ij1driqioc which is converted by the script to K3GepPJAfH.tdb (VirusTotal 5/57***). Payload Security[4]. The tdb file is actually a dll file that is run by rundll32 but given a different extension... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1480496588/

    ** https://malwr.com/analysis/MmFiNzdjM...E3ODJmZGYyMWI/
    Hosts
    166.62.28.127

    *** https://www.virustotal.com/en/file/9...is/1480498073/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'Attached Image' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/attac...elivers-locky/
    30 Nov 2016 - "A -blank- email with the subject of 'Attached Image' pretending to come from canon@ your-own-email-domain with a malicious word doc attachment delivers Locky... The email looks like:
    From: canon@ thespykiller .co.uk
    Date: Wed 30/11/2016 09:23
    Subject: Attached Image
    Attachment: 6479_005.docm


    Body content: Totally blank/empty

    30 November 2016: 6479_005.docm - Current Virus total detections 9/55*
    Both MALWR** and Payload Security*** show a download from satherm .pt/873nf3g which is converted by the macro to ajufr51.dll (VirusTotal 5/57[4]). Manual analysis shows an attempt to download from
    http ://travelinsider .com.au/021ygs7 which is currently giving me a 404. There are normally 5 or 6 download locations buried inside the macro or script files with these Locky versions.
    C2 http ://91.142.90.61 /information.cgi | 95.213.195.123 /information.cgi... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1480498411/

    ** https://malwr.com/analysis/MjEwOGQ3Y...g0NmRjZWQzNTQ/
    Hosts
    80.172.235.175
    91.142.90.61


    *** https://www.hybrid-analysis.com/samp...ironmentId=100


    4] https://www.virustotal.com/en/file/9...is/1480499902/
    ___

    Forced install - Chrome extension...
    - https://blog.malwarebytes.com/cyberc...ome-extension/
    Nov 29, 2016 - "We have found a number of websites whose sole purpose is to try and force an extension on anyone visiting that site with Chrome. Most often, you can likely land on one of these sites after a -redirect- from a crack, keygen, or adult entertainment site... site runs a JavaScript producing this dialog box, telling you you’ll have to 'Add Extension to Leave':
    > https://blog.malwarebytes.com/wp-con...11/prompt1.png
    Clicking “Cancel” once changes it to add a tick box marked “Prevent this page from creating additional dialogs”:
    > https://blog.malwarebytes.com/wp-con.../warning2w.png
    Thinking that this is the ticket out of the page, you will tick that box and click “OK”. At this point, your tab will go into “Full Screen” mode, and you can see which extension they want you to install:
    > https://blog.malwarebytes.com/wp-con.../warning3w.png
    The app is called Veritasi and a big arrow pointing to the “Add extension” button is displayed on the site. Clicking the said button initiates the installation of the app:
    > https://blog.malwarebytes.com/wp-con...1/warning4.png
    When we looked up Veritasi, we noticed it was added to the “Web Store” the same day we found it and it’s supposedly meant to improve your sound quality online:
    > https://blog.malwarebytes.com/wp-con...undimprove.png
    A similar extension was found and described by Botcrawl.com who classified it as adware. It has the permission “Read and change all your data on the websites you visit”, which is not unusual for a browser extension, but it’s all that -adware- needs to do its job:
    > https://blog.malwarebytes.com/wp-con...rmissionsw.png
    If your Windows machine gets stuck on a site like this, use the Ctrl-Alt-Del key combination to invoke the Task Manager. Use “End Process” on every active “chrome.exe” process until the browser shuts down. When you restart Chrome, it will ask if you want to “Restore” the open tabs. I would recommend -not- to, unless it’s really necessary. We have sent in an abuse report and blocked the sites involved to protect as many possible victims as we could..."
    > https://blog.malwarebytes.com/wp-con...6/11/abuse.png
    ... A full removal guide can be found on our forums*..."
    * https://forums.malwarebytes.org/topi...-for-veritasi/

    Last edited by AplusWebMaster; 2016-11-30 at 12:17.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1102

    Fake 'efax', 'Invoices' SPAM, Cybercrime raids

    FYI...

    Fake 'efax' SPAM - delivers Dridex
    - https://myonlinesecurity.co.uk/efax-...known-malware/
    1 Dec 2016 - "... an email with the subject of 'efax message from unknown – 2 page(s)' pretending to come from eFax <message@ inbound-efax-au .org> with a link-to-download-a-zip-file that extracts to 2 identical .js files named fax page 1 and fax page 2...

    Screenshot: https://i2.wp.com/myonlinesecurity.c...24%2C773&ssl=1

    1 December 2016: Fax.zip: Extracts to: Fax_page1.js - Current Virus total detections 3/55*
    MALWR** shows a download of a file from ‘http ://mohdsuhaimy .com/wp-content/uploads/2006/06/background.png’ which is -not- a png (image file) but a -renamed- .exe which is renamed back by the script to an .exe file (VirusTotal 15/57***). (Payload Security [4]). Previously this trick & delivery method has delivered Trickbot banking Trojan. However this binary looks different and gives some indication of ransomware behaviour...
    Update: I am reliably informed that this is Dridex Banking Trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1480579221/

    ** https://malwr.com/analysis/NDdiMjI1M...JhYmMwMWZjYWU/
    Hosts
    173.247.245.31

    *** https://www.virustotal.com/en/file/e...is/1480579728/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'Invoices' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/more-...elivers-locky/
    1 Dec 2016 - "... Locky downloader... an email with the subject of 'E-Mailed Invoices Invoice_87313391' (random numbers) coming or pretending to come from random companies, names and email addresses with what appears to be a word docm attachment - In reality this attachment is a standard zip file that has been erroneously named as a word macro doc. It will not open in word or any other word processing program. This zip contains a VBS file. Trying to open the alleged word doc in Word gives this error message:
    > https://i2.wp.com/myonlinesecurity.c...ng?w=524&ssl=1
    ... One of the emails looks like:
    From: WAUGH, HORACIO <HORACIO.WAUGH@ originalyin .ca>
    Date: Thu 01/12/2016 09:23
    Subject: E-Mailed Invoices Invoice_87313391
    Attachment: Invoice_87313391.docm
    Please find attached your latest purchase invoice...
    Any queries with either the quantity or price MUST be notified immediately to the department below.
    Yours sincerely, Sales Ledger Department...
    This email has been scanned by the Symantec Email Security.cloud service...


    1 December 2016: Invoice_87313391.docm (actually a zip file): Extracts to: fGDpAMD-0438.vbs
    Current Virus total detections on docm(zip) VirusTotal on VBS 20/55*. Payload Security** shows a download of an encrypted file from speckftp .de/978t6rve which is converted by the script to nhbzalOHj.343 (VirusTotal 37/56***)
    Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 etc or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1480587704/
    fGDpAMD-0438.vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    *** https://www.virustotal.com/en/file/8...is/1480587701/
    ___

    Fake 'Invoice' SPAM - links to Dridex
    - https://myonlinesecurity.co.uk/invoi...anking-trojan/
    1 Dec 2016 - "... an email with the subject of 'Invoice INV-01823 (Amended)' from Fleurs (random numbers and random companies) coming from Accounts <messaging-service@ post-xero .org>. There is no zip attachment but a -link- in the email to download a zip... post-xero .org is a newly created domain that is registered to a Chinese entity with probably -fake- details. It appears to be hosted on OVH in France... One of the emails looks like:
    From: Accounts <messaging-service@ post-xero .org>
    Date: Thu 01/12/2016 08:02
    Subject: Invoice INV-01823 (Amended) from Fleurs
    Attachment: link-in-email to INV-01823.zip
    Dear Customer, Please find attached invoice INV-01823 (Amended) for 421.59 GBP. This invoice was sent too early in error. The payment date should be 7th December 2016. Kindly accept our apologies for the oversight and for any inconvenience caused. The amount outstanding of 421.59 GBP is due on 07 Dec 2016. View and pay your bill:
    https ://in.xero .com/vjNPxBRausdmfvsgnZKOMWvyHsISTwYm If you have any questions, please do not hesitate to contact us. Kind regards, Accounts Department ...


    The link in the body does -not- go to xero .com, which is a legitimate small business accounting software, but to a criminal-controlled site on SharePoint: ‘https :// ryandixon-my.sharepoint .com personal/judy_dixonconstructionwa_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=k9xc1qR8YuAKTF6D2%2bMExORcjRIY3nQj8RB7WhdXaSw%3d&docid=09d01294b7e434b2aad87127682150354&rev=1’

    1 December 2016: INV-01823.zip: Extracts to: INV-01823.js - Current Virus total detections 6/54*
    ... where comments show this downloads the same Dridex banking Trojan from the -same- locations as described in THIS earlier post:
    > https://myonlinesecurity.co.uk/efax-...known-malware/
    The basic rule is NEVER open any attachment to an email [OR click-on-links in the body] unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1480587854/
    INV-01823.js

    post-xero .org: 46.105.101.84: https://www.virustotal.com/en/ip-add...4/information/

    ryandixon-my.sharepoint .com: 104.146.222.33: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/fb...e61f/analysis/
    1/68
    ___

    Fake 'Payment Information' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/payme...elivers-locky/
    1 Dec 2016 - "... Locky downloader... an email with the subject of 'Payment Information' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of P_recipient’s name.zip... One of the emails looks like:
    From: Helga Hull <Hull.Helga@ dreamactunion .org>
    Date: Thu 01/12/2016 18:23
    Subject: Payment Information
    Attachment: P_rek.zip
    Good afternoon. Thank you for sending the bill.
    Unfortunately, you have forgotten to specify insurance payments.
    So, we cannot accept the payment without them.
    All details are in the attachment.


    1 December 2016: P_rek.zip: Extracts to: -6dt874p53077.js - Current Virus total detections 16/55*
    MALWR** shows a download of an encrypted file from http ://trewincefarm .co.uk/xlyy7 which is converted by the script to 0UBE8YF7q1BcN.zk (VirusTotal 11/57***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1480616575/

    ** https://malwr.com/analysis/Njg0ZmViN...c4MWI5ZWVmYjU/
    Hosts
    82.211.96.24

    *** https://www.virustotal.com/en/file/1...is/1480617465/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Worldwide cyber-crime network hit in coordinated raids
    - http://www.reuters.com/article/us-ge...-idUSKBN13Q4Z6
    Dec 1, 2016 - "One of the world's biggest networks of hijacked computers, which is suspected of being used to attack online banking customers, has been taken down following police swoops in 10 countries, German police said on Thursday. In an internationally coordinated campaign, authorities carried out the raids on Wednesday, seized servers and website domains and arrested suspected leaders of a criminal organization, said police and prosecutors in northern Germany. Officials said they had seized 39 servers and several hundred thousand domains, depriving criminals of control of more than 50,000 computers in Germany alone. These hijacked computers were used to form a 'botnet' to knock out other websites. Two people who are believed to have been the administrators of the botnet infrastructure known as 'AVALANCHE' were arrested in Ukraine, investigators said. Another person was arrested in Berlin, officials added. The strike came in the same week that hackers tried to create the world's biggest botnet, or an army of zombie computers, by infecting the routers of 900,000 Deutsche Telekom (DTEGn.DE) with malicious software. The attack failed but froze the routers, causing outages in homes, businesses and government offices across Germany on Sunday and Monday, Deutsche Telekom executives said. Police said criminals had used the 'AVALANCHE' botnet targeted in Wednesday's international raids since 2009 to send phishing and spam emails. More than a million emails were sent per week with malicious attachments or links. When users opened the attachment or clicked on the link, their infected computers became part of the botnet. Investigators said the suspects had operated the commandeered network and made it available to other criminal groups, who had used it to send spam and phishing mails, defraud online banking users and to spread ransomware, a form of online extortion scheme. Officials estimated worldwide damages at upward of several hundred million euros. Authorities have identified 16 suspected leaders of the organization from 10 different countries. A court in Verden, northern Germany, has issued arrest warrants for seven people on suspicion of forming a criminal organization, commercial computer fraud and other criminal offences. The raids came after more than four years of intensive investigation by specialists in 41 countries."

    Last edited by AplusWebMaster; 2016-12-01 at 20:38.
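The posts above keep returning to one trick: the payload's extension lies about its contents (a .tdb or .343 that is really a DLL for rundll32, a .png that is really an .exe, a .docm that is really a plain zip holding a VBS). A defender's check therefore has to look at the bytes, not the name. This is an added Python example, not code from the quoted blogs; the file names are taken from the posts, the byte contents are minimal constructed stand-ins (synthetic PE headers and zips, not malware), and the SCRIPT_EXTS and EXPECTED tables are my assumptions.

```python
import io
import struct
import zipfile

# Constructed stand-ins: names follow the patterns quoted in the posts above,
# the bytes are minimal synthetic headers/archives, not real malware.

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the PE COFF header
SCRIPT_EXTS = (".js", ".vbs", ".wsf", ".jse", ".vbe")  # assumption: script types seen in malspam zips
# Extension -> true types we accept behind it (assumption)
EXPECTED = {".png": {"png"}, ".docm": {"docm"}, ".docx": {"docx"},
            ".exe": {"exe"}, ".dll": {"dll"}, ".zip": {"zip", "zip-with-script"}}


def pe_kind(data: bytes):
    """Return 'dll' or 'exe' if data starts with a valid MZ/PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature; Characteristics is the WORD at offset 18
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def zip_kind(data: bytes):
    """Tell a real OOXML document from a plain zip that just carries a script."""
    if data[:4] not in (b"PK\x03\x04", b"PK\x05\x06"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip-corrupt"
    if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
        # A .docm is itself a zip, so the distinguishing marks are the OOXML parts
        return "docm" if "word/vbaProject.bin" in names else "docx"
    if any(n.lower().endswith(SCRIPT_EXTS) for n in names):
        return "zip-with-script"
    return "zip"


def true_type(data: bytes) -> str:
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return pe_kind(data) or zip_kind(data) or "unknown"


def classify(name: str, data: bytes):
    """Return (true_type, suspicious): suspicious when the bytes contradict the
    extension, or when an unknown extension (.tdb, .343, .zk ...) hides a PE or a script zip."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    kind = true_type(data)
    allowed = EXPECTED.get(ext)
    if allowed is None:
        return kind, kind in ("exe", "dll", "zip-with-script")
    return kind, kind not in allowed


def make_pe(is_dll: bool) -> bytes:
    """Build a minimal synthetic MZ + PE/COFF header (not a runnable binary)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE signature at offset 0x40
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)
    return bytes(hdr) + b"PE\0\0" + coff


def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


SAMPLES = {
    # zip mislabelled as a Word macro document, holding a VBS downloader
    "Invoice_87313391.docm": make_zip({"fGDpAMD-0438.vbs": "' constructed placeholder\r\n"}),
    # genuine-looking OOXML with a VBA project (constructed name)
    "report_constructed.docm": make_zip({"[Content_Types].xml": "<Types/>",
                                         "word/document.xml": "<w/>",
                                         "word/vbaProject.bin": b"\0"}),
    "K3GepPJAfH.tdb": make_pe(is_dll=True),   # DLL behind a made-up extension
    "background.png": make_pe(is_dll=False),  # EXE behind an image extension
    "SCAN_ard.zip": make_zip({"-uvk3166985727v.js": "// constructed placeholder"}),
}


def scan(samples: dict) -> dict:
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, suspicious) in scan(SAMPLES).items():
        print(f"{name:28} {kind:16} {'SUSPICIOUS' if suspicious else 'ok'}")
```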

  3. #1103

    Fake 'Pay Attention', 'Emailing' SPAM

    FYI...

    Fake 'Pay Attention' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/pleas...elivers-locky/
    2 Dec 2016 - "... Locky downloader... an email with the subject of 'Please Pay Attention' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of SCAN_recipient’s name.zip... One of the emails looks like:
    From: Claud Hopper <Hopper.Claud@ jvaclub .com>
    Date: Fri 02/12/2016 09:35
    Subject: Please Pay Attention
    Attachment: SCAN_ard.zip
    Greetings! Informing you that the contractor requires including VAT in the service receipt.
    Sending the new invoice and payment details in the attached file.
    Please open and study it as soon as possible – we need your decision.


    2 December 2016: SCAN_ard.zip: Extracts to: -uvk3166985727v.js - Current Virus total detections 8/55*
    MALWR** shows a download of an encrypted file from http ://supermarkety24 .pl/levsyp8vp which is converted by the script to 5viAGx9N.zk (VirusTotal 8/56***) | Payload Security[4] | Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1480674917/

    ** https://malwr.com/analysis/Njg0ZmViN...c4MWI5ZWVmYjU/
    Hosts
    82.211.96.24

    *** https://www.virustotal.com/en/file/6...is/1480676872/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'Emailing...' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/email...elivers-locky/
    2 Dec 2016 - "An email with the subject of 'Emailing: EPS000007' (random numbers) pretending to come from random names at your-own-email-address with a malicious word doc attachment delivers Locky... The email looks like:
    From: edmund <edmund.simister@ malware-research .co.uk>
    Date: Fri 02/12/2016 12:39
    Subject: Emailing: EPS000007
    Attachment: EPS000007.docm
    Please find attachment.

    This email has been checked for viruses by Avast antivirus software...


    2 December 2016: EPS000007.docm - Current Virus total detections 10/56*
    MALWR** shows a download of an encrypted file from http ://solid-consulting .nl/74t3nf4gv4 which is converted by the macro to likyir1.exe (VirusTotal 8/57***). Payload security[4]. C2: http ://195.19.192.99 /information.cgi
    Other download locations seen on manual analysis of the macro include:
    solid-consulting .nl/74t3nf4gv4 | taikosushibar .com.br/74t3nf4gv4 | tatooshsfds .com/74t3nf4gv4
    sudeepgurtu .com/74t3nf4gv4 ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1480682348/

    ** https://malwr.com/analysis/MWJmZDk3M...dlMzg0YjlmYjA/
    Hosts
    149.210.133.178
    195.19.192.99


    *** https://www.virustotal.com/en/file/6...is/1480680017/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'Attached Document' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/attac...elivers-locky/
    2 Dec 2016 - "A -blank- email with the subject of 'Attached Document' pretending to come from canon@ your-own-email-domain with a malicious word doc attachment delivers Locky. This series of malspam emails contain the same macro downloaders and end up delivering the -same- Locky payload as described in THIS* earlier post where they used an Epson scanner/printer... The email looks like:
    From: canon@ my onlinesecurity .co.uk
    Date: Fri 02/12/2016 15:52
    Subject: Attached Document
    Attachment: 0160_004.docm


    Body content: Totally blank/empty

    * https://myonlinesecurity.co.uk/email...elivers-locky/
    2 Dec 2016

    Last edited by AplusWebMaster; 2016-12-02 at 17:56.

  4. #1104

    Fake blank body, 'No subject', 'Consider This', 'Sage invoice', 'Shipping status' SPAM

    FYI...

    Fake blank body SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/blank...elivers-locky/
    5 Dec 2016 - "... Locky downloader... a completely -blank- email with the subject consisting of random numbers coming or pretending to come from random companies, names and email addresses with a zip attachment that matches the subject line numbers. I have received about 1500 copies of this malspam overnight. All the ones that I have seen start with either 051220160 or 041220161... One of the emails looks like:
    From: Monica clare <Monica.clare85349@ fit4elegance .com>
    Date: Mon 05/12/2016 00:47
    Subject: 051220160746377790277
    Attachment: 051220160746377790277.zip


    Body content: totally blank/empty

    5 December 2016: 051220160746377790277.zip: Extracts to: 201612031200123557933004.vbs
    Current Virus total detections 14/55*. Payload Security** shows a download of an encrypted file from
    http ://natashacollis .com/8765r which is converted by the script to yqUePnct.343 (VirusTotal 11/53***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1480911167/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    46.16.59.177
    91.142.90.61


    *** https://www.virustotal.com/en/file/1...is/1480922615/
    ___

    Fake 'No subject' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/12/malw...924272-no.html
    5 Dec 2016 - "This spam comes in a few different variants, and it leads to Locky ransomware encrypting files with an extension '.osiris'. The more wordy version comes from random senders with a subject like _9376_924272 or some other randomly-numbered sequence. Attached to that is an XLS file of the same name and it includes this body text:
    Your message is ready to be sent with the following file or link
    attachments:
    _9376_924272
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled.


    The second version has no body text and the subject No subject or (No subject). The XLS file is named in a format incorporating the date, e.g. 2016120517082126121298.xls. The macro in the malicious Excel file downloads a component...
    (Long list of domain-names at the dynamoo URL above.)
    ... You can see some of the things done in these two Malwr reports [1] [2]. The Locky ransomware dropped then phones home to one of the following locations:
    185.82.217.28 /checkupdate [hostname: olezhkakovtony11.example .com] (ITL, Bulgaria)
    91.142.90.61 /checkupdate (Miran, Russia)
    195.19.192.99 /checkupdate (OOO EkaComp, Russia)
    Recommended blocklist:
    185.82.217.28
    91.142.90.61
    195.19.192.99"
    1] https://malwr.com/analysis/YTQzZjMwN...lmYTg3YzBjZjA/
    Hosts
    66.96.147.105
    91.142.90.61


    2] https://malwr.com/analysis/ZWVhM2RjN...AyNDQ4N2IzNjU/
    Hosts
    94.152.38.41
    185.82.217.28


    - https://myonlinesecurity.co.uk/blank...elivers-locky/
    5 Dec 2016 - "... Locky downloader... another -blank- email with no-subject coming or pretending to come from random companies, names and email addresses with an XLS spreadsheet attachment... One of the emails looks like:
    From: Rolf titterington <Rolf.titterington91@ prestonlegacy .com>
    Date: Mon 05/12/2016 09:44
    Subject: no subject
    Attachment: 2016120502434302394842.xls


    Body content: empty

    5 December 2016: 2016120502434302394842.xls - Current Virus total detections 16/55*
    MALWR** shows a download of an encrypted file from http ://soulscooter .com/87t34f which is converted by the script to shtefans1.spe (VirusTotal 6/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to. I am informed that Locky is now using .Osiris file extensions on the encrypted files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1480616575/

    ** https://malwr.com/analysis/MzA4NDllN...I1YWU5MDQ3NTk/


    *** https://www.virustotal.com/en/file/7...is/1480932128/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    ___

    Fake 'Consider This' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/12/malw...his-leads.html
    5 Dec 2016 - "This -fake- financial spam leads to malware:
    From: Aimee Guy
    Date: 5 December 2016 at 13:32
    Subject: Please Consider This
    Dear [redacted],
    Our accountants have noticed a mistake in the payment bill #DEC-5956047.
    The full information regarding the mistake, and further recommendations are in the attached document.
    Please confirm the amount and let us know if you have any questions.


    Attached is a ZIP file with a name somewhat matching the reference in the email, containing a malicious VBS script with a filename made up in part of the date. The scripts download another component...
    (Long list of domain-names at the dynamoo URL above.)
    ... It drops a payload with an MD5 of 529789f27eb971ff822989a5247474ce and a current detection rate of just 1/54*. The malware then phones home to the following locations:
    91.142.90.61 /information.cgi [hostname: smtp-server1 .ru] (Miran, Russia)
    195.19.192.99 /information.cgi (EkaComp, Russia)
    These IPs were also used in this earlier attack**.
    Recommended blocklist:
    185.82.217.28
    91.142.90.61
    195.19.192.99"
    * https://virustotal.com/en/file/6a186...473e/analysis/

    ** http://blog.dynamoo.com/2016/12/malw...924272-no.html
    ___

    Fake 'Sage invoice' SPAM - delivers Dridex
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    5 Dec 2016 - "... an email with the subject of 'Outdated invoice' coming or pretending to come from Sage invoice <no-reply@ sage-uk .org>. There is no zip attachment with this Dridex delivery today, but a-link-in-the-body to download an invoice.zip from a hacked/compromised/fraudulently set up sharepoint site... from a site set up by the criminals to malspam the Dridex banking Trojan. The site is registered to a Chinese entity and hosted on an OVH server in France (SAGE-UK .ORG 46.105.101.84 ns3060005.ip-188-165-252.eu). One of the emails looks like:
    From: Sage invoice <no-reply@ sage-uk .org>
    Date: Mon 05/12/2016 12:48
    Subject: Outdated invoice
    Attachment: link in email to download invoice.zip
    Software for business
    Sage Account & Payroll
    You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link below to download your account invoice:
    https ://invoice.sage .co.uk/Account?864394=xUzlmOHtPY
    If we have any information about you which is incorrect or if there are any changes to your details please let us know so that we could keep our records accurate...


    5 December 2016: Invoice.zip: Extracts to: Invoice.js - Current Virus total detections 3/53*
    Payload Security** shows a download from ‘http ://neelkanthelevators .com/images/about1.png’ (VirusTotal 10/56***). Payload Security[4]. This is -not- a png (image file) but a -renamed- .exe file, which the script renames to LzG7FzcEz.exe and runs... The basic rule is NEVER open any attachment to an email [OR click-a-link in it] unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1480944742/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    *** https://www.virustotal.com/en/file/f...1a54/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100


    46.105.101.84: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake 'Shipping status' SPAM - delivers Vawtrak malware
    - http://blog.dynamoo.com/2016/12/malw...s-changed.html
    5 Dec 2016 - "This -fake- UPS spam has a malicious attachment:
    From: UPS Quantum View [ups@ ups-service .com]
    Date: 5 December 2016 at 17:38
    Subject: Shipping status changed for your parcel # 1996466
    Your parcel has arrived, but we were unable to successfully deliver it because no person was present at the destination address.
    There must be someone present at the destination address, on the delivery day, to receive the parcel.
    Shipping type: UPS 3 Day Select
    Box size: UPS EXPRESS BOX
    Date : Nov 14th 2016
    You can reschedule the delivery over the phone, but you will have to confirm the information on the delivery invoice.
    The delivery invoice can be downloaded from our website ...
    Thank you for shipping with UPS
    Copyright © 1994-2016 United Parcel Service of America, Inc. All rights reserved.


    The link-in-the-email actually goes to a URL vantaiduonganh .vn/api/get.php?id= plus a Base64-encoded part of the URL (e.g. aGVscGRlc2tAZmJpLmdvdg==) and it downloads a Word document with the recipient's email address included in it. This type of malware is typically seen using hacked but legitimate Vietnamese sites for this stage in the infection chain. This DOC file contains a malicious macro; the Malwr report* indicates that it downloads components from:
    parkovka-rostov .ru/inst.exe
    stela-krasnodar .ru/wp-content/uploads/pm22.dll
    Those two locations are legitimate -hacked- sites. This has a detection rate of 7/56** plus a DLL with a detection rate of 37/56***. The malware appears to be Hancitor/Pony/Vawtrak, phoning home to:
    cothenperci .ru/borjomi/gate.php
    madingtoftling .com/ls5/forum.php
    Both of these are hosted on the same IP address of 185.31.160.11 (Planetahost, Russia)... malicious domains are also hosted on the same IP...
    (List of domain names at the dynamoo URL above.)
    ... Recommended blocklist:
    185.31.160.11
    parkovka-rostov .ru
    stela-krasnodar .ru
    "
    * https://malwr.com/analysis/YmM1OGI0M...M1OTg2MmYyM2I/
    Hosts


    ** https://www.virustotal.com/en/file/6...is/1480963673/

    *** https://www.virustotal.com/en/file/7...is/1480964472/
    ___

    Fake 'Urgent Data' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/urgen...elivers-locky/
    5 Dec 2016 - "... Locky downloader... an email with the subject of 'Urgent Data' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of payment random numbers.zip... One of the emails looks like:
    From: Consuelo Wells <Wells.Consuelo@ skriverconsult .ch>
    Date: Mon 05/12/2016 20:20
    Subject: Urgent Data
    Attachment: payment9095450.zip
    Dear [redacted],
    The error occurred during payment. Sending you details of the transaction.
    Please pay the remaining amount as soon as possible.
    King Regards,
    Consuelo Wells


    5 December 2016: payment9095450.zip: Extracts to: ~3X072I792ZJ.js - Current Virus total detections 4/55*
    MALWR** shows a download of an encrypted file from http ://prosperer .mg/3n7uihwc0p which is converted by the script to yQC6CSDVn.zk (VirusTotal 5/57***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1480969517/

    ** https://malwr.com/analysis/YTdkZmVjN...Y5NzE0ZDFkOGE/
    Hosts
    212.83.148.70
    46.4.63.6


    *** https://www.virustotal.com/en/file/a...is/1480970106/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    Last edited by AplusWebMaster; 2016-12-05 at 22:49.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
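    Several of the reports above (and in the posts that follow) make the same point: the decrypted Locky payload is written out as .tdb, .zk, .rap, .mda, .feds or a bare number and handed to rundll32.exe, and the 'about1.png' download is a renamed .exe. The following Python is an added example, not code from the forum or from the quoted blogs; it classifies a file by its DOS/PE header instead of its extension and flags the mismatch, using a constructed minimal PE header as sample data.

```python
"""Classify downloaded files by header bytes rather than file extension (added example)."""
import struct
from typing import Dict, List, Optional

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # COFF Characteristics bit: image is executable
IMAGE_FILE_DLL = 0x2000                # COFF Characteristics bit: image is a DLL
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
EXECUTABLE_EXTS = {"exe", "dll", "sys", "scr", "ocx", "drv", "cpl"}


def classify(data: bytes) -> str:
    """Return 'dll', 'exe', 'png' or 'unknown' from the file's magic bytes only."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    # DOS header: e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "unknown"
    # COFF file header follows the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)  -> Characteristics at +22.
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "unknown"
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def mismatch_alert(filename: str, data: bytes) -> Optional[str]:
    """Alert when the content is a PE image but the name does not say so."""
    kind = classify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in ("dll", "exe") and ext not in EXECUTABLE_EXTS:
        return f"{filename}: extension '.{ext}' but content is a PE {kind.upper()}"
    return None


def scan_downloads(files: Dict[str, bytes]) -> List[str]:
    """Run mismatch_alert over a name->bytes map and collect the alerts in order."""
    return [a for name, data in files.items() if (a := mismatch_alert(name, data))]


def build_fake_pe(is_dll: bool) -> bytes:
    """Construct a minimal synthetic PE header (test data only, not a runnable binary)."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    # Machine=IMAGE_FILE_MACHINE_I386, 1 section, zero timestamps/symbols, optional hdr size 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample "downloads"; the names mirror the cases described in the posts.
SAMPLE_DOWNLOADS = {
    "about1.png": build_fake_pe(is_dll=False),      # renamed .exe served as an image
    "K3GepPJAfH.tdb": build_fake_pe(is_dll=True),   # Locky DLL with a bogus extension
    "yQC6CSDVn.zk": build_fake_pe(is_dll=True),     # same trick, different extension
    "logo.png": PNG_MAGIC + b"\0" * 32,             # genuine PNG header: no alert
    "setup.exe": build_fake_pe(is_dll=False),       # executable that says so: no alert
}

if __name__ == "__main__":
    for alert in scan_downloads(SAMPLE_DOWNLOADS):
        print(alert)
```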

  5. #1105
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'PO', 'Recent order' SPAM, Amazon, 'AppIe ID' phish

    FYI...

    Fake 'PO' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/inv-1...elivers-locky/
    6 Dec 2016 - "An email with the subject of 'Inv# 1465095170 for PO# 0AC27757' (random numbers) pretending to come from random senders with a malicious word doc spreadsheet attachment delivers Locky osiris... The email looks like:
    From: pettengell, judith <judith.pettengell@ ds54 .com>
    Date: Tue 06/12/2016 12:18
    Subject: Inv# 1465095170 for PO# 0AC27757
    Attachment: 0AC27757_1465095170.docm
    Please do not respond to this email address. For questions/inquires, please
    contact our Accounts Receivable Department.
    This email has been scanned by the MessageLabs outbound
    Email Security System for CIRCOR International Inc...


    6 December 2016: 0AC27757_1465095170.docm - Current Virus total detections 8/51*
    MALWR** shows a download of an encrypted file from http ://union1 .cn/0bgsvtr3 which is converted by the script to dipund1.rap (VirusTotal 9/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it to...
    C2 http ://185.115.140.210 /checkupdate | http ://91.142.90.46 /checkupdate | http ://213.32.66.16 /checkupdate ...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1481027450/

    ** https://malwr.com/analysis/MmNkMTBmZ...UzYTMyNTQ0YTk/
    Hosts


    *** https://www.virustotal.com/en/file/4...is/1481027967/

    4] https://www.reverse.it/sample/f8f226...ironmentId=100
    ___

    Fake 'Recent order' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/recen...elivers-locky/
    6 Dec 2016 - "... an email with the subject of 'Recent order' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of order random numbers.zip which delivers Locky ransomware... One of the emails looks like:
    From: Jocelyn Dodson <Dodson.Jocelyn@ netpalouse .com>
    Date: Tue 06/12/2016 09:29
    Subject: Recent order
    Attachment: order3202227.zip
    Dear adkins,
    The counteragent has conducted the checking and found no confirmed payment for the recent order...
    All details are in the attachment.
    Feel free to email us if you have any inquiry.
    King Regards,
    Jocelyn Dodson


    6 December 2016: order3202227.zip Extracts to: ~8FX934T59F85.js - Current Virus total detections 6/54*
    MALWR** shows a download of an encrypted file from http ://steffweb .dk/bkjybit which is converted by the script to AEyjwjkWiBbl6.zk (VirusTotal 7/57***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1481018575/

    ** https://malwr.com/analysis/ZmU5MGNkM...Q3OWQwMWQxMjQ/
    Hosts
    94.231.108.252

    *** https://www.virustotal.com/en/file/9...173b/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts

    ___

    Amazon - phish
    - https://myonlinesecurity.co.uk/new-r...8845-phishing/
    6 Dec 2016 - "'New Return Requested on Amazon for order 502-2849265-1928845' pretending to come from Amazon .co.uk <annazon@ amazonaws .co.uk> is one of the latest -phish- attempts to steal your Amazon Account. This one only wants your Amazon log in details... The link leads to http ://tolmasoft .ru/ViewListingAccount-dvk@ [redacted].co.uk.html...

    Screenshot: https://i0.wp.com/myonlinesecurity.c...24%2C608&ssl=1

    When you fill in your user name and password you get immediately -redirected- to the genuine Amazon.co.uk home page, where you think that you have logged in properly. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

    tolmasoft .ru: 5.187.1.187: https://www.virustotal.com/en/ip-add...7/information/
    ___

    'AppIe ID' phish
    - http://blog.dynamoo.com/2016/12/sms-...is-due-to.html
    6 Dec 2016 - "This SMS spam is actually a phishing message:

    Screenshot: https://2.bp.blogspot.com/-OF33yrXOb...pple-phish.png

    This is one of those odd SMSes that doesn't seem to come from an actual number. If you follow through the link you end up on a straightforward Apple phishing page:
    > https://2.bp.blogspot.com/-wsiOA1HPC...pple-phish.jpg

    The website appieid-support .com is hosted on 108.167.141.128 which is a customer of WebsiteWelcome... no-doubt-fake WHOIS details... The domain was created just today. Avoid."

    108.167.141.128: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/01...6b4d/analysis/

    Last edited by AplusWebMaster; 2016-12-06 at 18:10.

  6. #1106
    AplusWebMaster

    Fake 'Invoices', 'Card Receipt' SPAM, Stegano EK, AdGholas malvertising

    FYI...

    Fake 'Invoices' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/three...elivers-locky/
    7 Dec 2016 - "... an email with the subject of 'Invoices' pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers Locky ransomware... One of the emails looks like:
    From: Margery Hinton <Hinton.Margery@ bluelinedesignoh .com>
    Date: Wed 07/12/2016 10:10
    Subject: Invoices
    Attachment: invoices0660953.zip
    Dear zowm,
    By today, three invoices (4282, $284; 4283, $99; 4287, $564) are not paid.
    Starting tomorrow, fines will be charged. Please make appropriate payments.
    All details are in the attachment.
    Best Regards,
    Margery Hinton
    Sales Director


    7 December 2016: invoices0660953.zip: Extracts to: ~8G9Z5BP2U18O48QKC6O54YE4.js
    Current Virus total detections 2/55* Payload Security** shows a download of an encrypted file from
    sagaoil .ro/jv5f0mrnea which is converted by the script to BQODhCNNx.zk ... Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1481105284/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts

    ___

    Fake 'Card Receipt' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...-locky-osiris/
    7 Dec 2016 - "An email spoofing Aquaid with the subject of 'Card Receipt' coming from random senders with a malicious word doc attachment delivers Locky Osiris...

    Screenshot: https://i1.wp.com/myonlinesecurity.c...24%2C673&ssl=1

    7 December 2016: CARD547 8914860.docm - Current Virus total detections 12/56*
    MALWR** shows a download of an encrypted file from http ://unilite .ro/hfycn33 which is converted by the script to spircent1.mda (Payload Security ***) (virusTotal 10/54[4]). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1481104682/

    ** https://malwr.com/analysis/ZGIzNTQ1Z...E3NWNlODEwYWM/
    Hosts
    188.213.21.75
    91.142.90.46
    213.32.66.16


    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    4] https://www.virustotal.com/en/file/c...is/1481105595/
    ___

    Stegano EK hiding in pixels of malicious ads
    - http://www.welivesecurity.com/2016/1...malicious-ads/
    Dec 6, 2016 - "Millions of readers who visited popular news websites have been targeted by a series of malicious ads -redirecting- to an exploit kit exploiting several -Flash- vulnerabilities. Since at least the beginning of October, users might have encountered ads promoting applications calling themselves 'Browser Defence' and 'Broxu' using banners similar to the ones below:
    1] http://www.welivesecurity.com/wp-con...12/1-xlch3.png
    ...
    2] http://www.welivesecurity.com/wp-con...12/2-y0vbp.png
    These advertisement banners were stored on a remote domain with the URL hxxps ://browser-defence .com and hxxps ://broxu .com. Without requiring any user interaction, the initial script reports information about the victim’s machine to the attacker’s remote server. Based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious evil twin. The malicious version of the graphic has a script encoded in its alpha channel, which defines the transparency of each pixel... After successful redirection, the landing page checks the userAgent looking for Internet Explorer, loads a Flash file, and sets the FlashVars parameters via an encrypted JSON file. The landing page also serves as a middleman for the Flash and the server via ExternalInterface and provides basic encryption and decryption functions. The Flash file has another Flash file embedded inside and, similarly to the -Neutrino- exploit kit, it comes with three different exploits based on the Flash version... Conclusion: The Stegano exploit kit has been trying to fly under the radar since at least 2014. Its authors have put quite some effort into implementing several techniques to achieve self-concealment. In one of the most recent campaigns we detected, which we traced back at least to the beginning of October 2016, they had been distributing the kit through advertisement banners using steganography and performing several checks to confirm that they were not being monitored. In the event of successful exploitation, the vulnerable victims’ systems had been left exposed to -further- compromise by various malicious payloads including backdoors, spyware and banking Trojans. Exploitation by the Stegano kit, or any other known exploit kit for that matter, can often be avoided by running fully patched software and by using a reliable, updated internet security solution..."
    (More detail at the welivesecurity/ESET URL above.)

    browser-defence .com: Could not find an IP address for this domain name...

    broxu .com: 162.255.119.66: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/a9...e098/analysis/
    ___

    AdGholas malvertising ...
    - https://blog.malwarebytes.com/cyberc...ness-as-usual/
    Dec 6, 2016 - "... A group identified as AdGholas* by Proofpoint which has been involved in the stealthiest attacks we have seen in recent history, was caught again and exposed by Eset**... The last bit of activity from AdGholas after the Proofpoint exposé was July 20th of this year. However, according to our telemetry, less than two months later the group was back at it with some of the -largest- malvertising attacks we have ever documented... The interesting aspect about this malvertising campaign is that the US was -not- one of the targets. Instead we saw Canada, the UK, Australia, Spain, Italy, and Switzerland as the most active geolocations. We observed most attacks happen in Canada and the UK as seen below on this heat map:
    > https://blog.malwarebytes.com/wp-con...12/heatmap.png
    Despite not targeting the US, the latest AdGholas campaign has once again reached epic proportions and unsuspecting users visiting top trusted portals like Yahoo or MSN (not to mention many top level publishers) were exposed to malvertising and malware if they were not protected..."
    * https://www.proofpoint.com/us/threat...in-plain-sight

    ** http://www.welivesecurity.com/2016/1...malicious-ads/

    Last edited by AplusWebMaster; 2016-12-07 at 19:17.

  7. #1107
    AplusWebMaster

    Fake 'Emailing', 'Order', 'Scan' SPAM, Tax refund - phish

    FYI...

    Fake 'Emailing' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/email...email-address/
    8 Dec 2016 - "An email with the subject of 'Emailing: MX62EDO 08.12.2016' pretending to come from documents@ your-own-email-address with a malicious word doc delivers Locky Osiris... The email looks like:
    From: documents@ thespykiller .co.uk
    Date: Thu 08/12/2016 10:05
    Subject: Emailing: MX62EDO 08.12.2016
    Attachment:
    Your message is ready to be sent with the following file or link
    attachments:
    MX62EDO 08.12.2016
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled.
    This email has been checked for viruses by Avast antivirus software...


    8 December 2016: MX62EDO 08.12.2016.docm - Current Virus total detections 10/54*
    MALWR** shows a download of an encrypted file from http ://netfun .be/hb74 which is converted by the script to clsooach1.feds (VirusTotal 11/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1481192959/

    ** https://malwr.com/analysis/NmZhYjk5M...JkODUyYTU2NzU/
    Hosts
    81.4.68.175
    176.121.14.95


    *** https://www.virustotal.com/en/file/d...is/1481193005/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts

    ___

    Fake 'Order' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/more-...elivers-locky/
    8 Dec 2016 - "... an email with the subject of 'Order #0850834' (random numbers) coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment matching the subject line which delivers Locky ransomware... One of the emails looks like:
    From: Latoya Byrd <Byrd.Latoya@ flceo .com>
    Date: Thu 08/12/2016 11:29
    Subject: Order #0850834
    Attachment: order-0850834.zip
    Hello ard, your order #0850834 ...
    Sending you the receipt. Please pay it prior to next week.
    The receipt is in the attachment.
    Best Wishes,
    Latoya Byrd
    Delivery Manager


    8 December 2016: order-0850834.zip: Extracts to: ~5Z36TWQXK9014CO228K8V0C.js
    Current Virus total detections 6/55*. MALWR** shows a download of an encrypted file from
    http ://file4hosti .info/ne92o1u which is converted by the script to 7JpjNVpwmyeHv.zk (VirusTotal 4/53***).
    Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1481196535/

    ** https://malwr.com/analysis/YTMwODJkZ...UxMjVjODQ0ZWY/
    Hosts
    107.172.55.203

    *** https://www.virustotal.com/en/file/f...is/1481197588/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts

    ___

    Fake 'Scan' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/scan-...-locky-osiris/
    8 Dec 2016 - "... an email with the subject of 'Scan' from a Samsung MFP coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of Untitled_date_random numbers.zip which delivers Locky ransomware... One of the emails looks like:
    From: GARRY MENZIES <garry.menzies.1825@ pricemarketresearch .com>
    Date: Wed 07/12/2016 21:41
    Subject: Travel expense sheet
    Attachment: Untitled_07122016_46160.zip
    Regards
    Garry
    Please open the attached document. It was scanned and sent to you using a
    Samsung MFP. For more information on Samsung products and solutions, please
    visit ...
    This message has been scanned for malware by Websense...


    8 December 2016: Untitled_07122016_46160.zip: Extracts to: N396390423.jse - Current Virus total detections 19/55*
    MALWR** shows a download of an encrypted file from http ://raivel .pt/45gdfgf?SEOtErERwE=yLVujYkT which is converted by the script to XtPmJmcsvIP1.dll (VirusTotal 24/56***). Payload Security[4]. Locky has recently started to use non standard file extensions on the binaries... DLL files... rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1481168279/

    ** https://malwr.com/analysis/YTE5NDM2Y...Q0YTM3YThkMjY/
    Hosts
    188.93.230.41
    91.142.90.46


    *** https://www.virustotal.com/en/file/1...e217/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts

    ___

    Tax refund - phish
    - https://myonlinesecurity.co.uk/tax-r...ency-phishing/
    8 Dec 2016 - "... DVLA Vehicle Licensing Agency phishing email trying to get your information...

    Screenshot: https://i2.wp.com/myonlinesecurity.c...24%2C712&ssl=1

    If you follow the links you end up on an identical copy of the gov .uk site asking for usual identity and financial details:
    > https://i1.wp.com/myonlinesecurity.c...24%2C533&ssl=1
    Phishing sites so far discovered include (email links go to a site which -redirects- you to other sites):
    - https ://cissdemexico .com/.2DriverLicence2ADM2/2y2Driving2e2Licences2acc2/24w823w82Driving2w25and22w2Transport2w826w2gov28uk25/23Lega2r28obligations62Apply2refund2x82driving24/Refund.php
    - https ://chadena .com/.cha/
    - https ://fyfe-interiors .com/.lol/
    - https ://partnersinsharing .com/.124DL828ADM825/2384x48390Driving9019x319Licences0638cbd419/7836Lega523x92148obligations639Apply915x3420/517x9427c481Driving827x5and32v0417Transport71x5638x319gov31uk24/Refund "

    cissdemexico .com: 162.211.127.202: https://www.virustotal.com/en/ip-add...2/information/

    chadena .com: 109.163.208.100: https://www.virustotal.com/en/ip-add...0/information/

    fyfe-interiors .com: 202.129.244.101: https://www.virustotal.com/en/ip-add...1/information/

    partnersinsharing .com: 69.16.221.200: https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2016-12-08 at 14:29.

  8. #1108
    AplusWebMaster

    Fake 'Firewall Software', 'See attached' SPAM, 400,000 phish

    FYI...

    Fake 'Firewall Software' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/12/malw...-leads-to.html
    9 Dec 2016 - "This spam appears to come from multiple senders and leads to Locky ransomware:
    From: Herman Middleton
    Date: 9 December 2016 at 07:40
    Subject: Firewall Software
    Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
    Done and ready. Here, in the attachment, is the full invoice of the software counteragent.
    Please check it out.
    King Regards,
    Herman Middleton
    IT Support Manager


    Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated. The Hybrid Analysis* and Malwr report** show that the script analysed downloads a component from welte .pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56***. That Hybrid Analysis also detects C2 traffic to:
    107.181.187.97 /checkupdate [hostname: saluk1.example .com] (Total Server Solutions, US)
    51.254.141.213 /checkupdate (OVH, France)
    It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows:
    91.142.90.46 /checkupdate [hostname: mrn46.powerfulsecurities .com] (Miran, Russia)
    195.123.209.23 /checkupdate [hostname: prujio .com] (Layer6, Latvia)
    185.127.24.247 /checkupdate [hostname: free.example .com] (Informtehtrans, Russia)
    176.121.14.95 /checkupdate (Rinet LLC, Ukraine)
    185.46.11.236 /checkupdate (Agava, Russia)
    178.159.42.248 /checkupdate (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)
    Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are at least a couple of bad /24 blocks in there.
    Recommended blocklist:
    51.254.141.213
    91.142.90.46
    107.181.187.97
    176.121.14.95
    178.159.42.248
    185.46.11.0/24
    185.127.24.247
    195.123.209.0/24
    "
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    ** https://malwr.com/analysis/ZGI2MDNlZ...Q1MmM2ODI0MTQ/
    Hosts
    79.96.68.245

    *** https://virustotal.com/en/file/fb5cd...is/1481273887/

    - https://myonlinesecurity.co.uk/firew...elivers-locky/
    9 Dec 2016 - "... an email with the subject of 'Firewall Software' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of f_license_numbers.zip which delivers Locky ransomware... One of the emails looks like:
    From: Curtis Jarvis <Jarvis.Curtis@ irishcitytours .com>
    Date: Fri 09/12/2016 07:22
    Subject: Firewall Software
    Attachment: f_license_5875331.zip
    Hey emis2000, it is Curtis. You’ve asked me to order new firewall software for our office computers.
    Done and ready. Here, in the attachment, is the full invoice of the software counteragent.
    Please check it out.
    King Regards,
    Curtis Jarvis
    IT Support Manager


    9 December 2016: f_license_5875331.zip: Extracts to: ~S911UGV716O1J3CSTB471C.js
    Current Virus total detections 16/55*. MALWR** shows a download of an encrypted file from
    http ://www .pgringette .ca/a8crrwrc2t which is converted by the script to z7dWO4eQFUHRtg.zk (VirusTotal 4/57***). Locky has recently started to use non standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1480616575/

    ** https://malwr.com/analysis/NWE4MjY5Y...EwMDhkMTFmYmM/
    Hosts
    69.28.199.160

    *** https://www.virustotal.com/en/file/6...is/1481268678/
    ___

    Fake 'See attached' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...elivers-locky/
    9 Dec 2016 - "An email spoofing the Business Advisory Service Ltd with the subject of 'See attached – I will call you in 10 mins' (random times) with a malicious Excel XLS spreadsheet attachment delivers Locky Osiris ransomware...

    Screenshot: https://i1.wp.com/myonlinesecurity.c...24%2C547&ssl=1

    9 December 2016: Invoice_392618_final.xlsm - Current Virus total detections *
    MALWR** shows a download of an encrypted file from http ://djelixir .com/34f43 which is converted by the script to XtPmJmcsvIP1.dll (VirusTotal 10/56***). Payload Security [4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    *

    ** https://malwr.com/analysis/MDdmOWU2Y...U2NDA1NmNmYjk/
    Hosts
    108.174.153.189
    185.102.136.67


    *** https://www.virustotal.com/en/file/1...is/1481278691/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts

    ___

    Another 'Apple phish' ...
    - https://myonlinesecurity.co.uk/your-...pple-phishing/
    9 Dec 2016 - "... mass Apple phish today, telling you that you have added ghost00@ hotmail .com as a new rescue email address for your Apple ID and you need to verify it... received about 200 so far this morning, some of which are getting past spam filters...

    Screenshot: https://i0.wp.com/myonlinesecurity.c...24%2C588&ssl=1

    The links in the body go to:
    http ://opelpart .hu/media/system/swf/o.html
    which -redirects- to numerous sites including:
    http ://ushindicounselling .ca/winter/Itunes/apple/
    http ://volleyballsaskatoon .ca/winter/Itunes/apple/
    ... There will no doubt be lots of other sites active in this phishing campaign... follow-the-link [DON'T] you see a webpage looking like this screenshot (taken from a previous example):
    > https://i1.wp.com/myonlinesecurity.c...24%2C565&ssl=1 "

    opelpart .hu: 87.229.45.133: https://www.virustotal.com/en/ip-add...3/information/
    ushindicounselling .ca: 67.212.91.221
    volleyballsaskatoon .ca: 67.212.91.221: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Phish in-the-cloud ...
    - http://www.darkreading.com/endpoint/...d/d-id/1327673
    Dec 8, 2016 - "Everything else has gone to the cloud, so why not faux emails* and their malicious payloads?... phishing emails have become a way to infect desktops and servers with ransomware, which infosec professionals continually cite as their biggest ongoing concern and defense priority..."
    * http://blog.imperva.com/2016/12/can-...reined-in.html
    Dec 6, 2016 - "Phishing is the starting point for most data breaches... cybercriminals are lowering the cost of phishing by enabling Phishing as-a-Service (PhaaS) using compromised web servers..."
    > http://imperva.typepad.com/.a/6a0115...2c51970c-800wi
    ___

    400,000 phishing sites - every month in 2016
    - https://www.helpnetsecurity.com/2016...observed-2016/
    Dec 7, 2016 - "84 percent of phishing sites observed in 2016 existed for less than 24 hours, with an average life cycle of under 15 hours... data collected by Webroot*:
    > https://www.helpnetsecurity.com/imag...g-122016-1.jpg "

    * https://www.webroot.com/blog/2016/12...for-christmas/
    Dec 7, 2016 - "... Webroot has observed an average of over 400,000 phishing sites each month... Google, PayPal, Yahoo, and Apple are heavily targeted for attacks. Cybercriminals know to impersonate sites that people trust and use regularly... Google was impersonated in 21 percent of -all- phishing sites between January and September 2016, making it the most heavily targeted. Emails to avoid:
    With the holiday season in full swing and the New Year fast approaching, hackers are up to their old tricks... we should all be wary of emails containing UPS, USPS, and FedEx shipping alerts; 401k/benefit enrollment notices; and miscellaneous tax documents from now through the end of January..."

    Last edited by AplusWebMaster; 2016-12-09 at 16:13.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #1109 AplusWebMaster (Adviser Team)

    Fake 'Invoice', 'New(910)', 'Software License', 'Amazon', 'Order' SPAM

    FYI...

    Fake 'Invoice' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/12/malw...er-947781.html
    12 Dec 2016 - "This fake financial spam comes from -multiple- senders and leads to Locky ransomware:
    From: AUTUMN RHINES
    Date: 12 December 2016 at 10:40
    Subject: Invoice number: 947781
    Please find attached a copy of your invoice...


    The name of the sender varies, as does the fake invoice number. Attached is a .DOCM file with a filename matching that invoice number. Typical detection rates for the DOCM file are 13/56*. Automated analysis of a couple of these files [1] [2]... show the macro downloading a component from miel-maroc.com/874ghv3 (there are probably many more locations). A DLL is dropped with a current detection rate of 11/57**. All those analyses indicate that this is Locky ransomware (Osiris variant), phoning home to:
    176.121.14.95 /checkupdate (Rinet LLC, Ukraine)
    88.214.236.218 /checkupdate (Overoptic Systems, UK / Russia)
    91.219.31.14 /checkupdate (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
    Recommended blocklist:
    176.121.14.95
    88.214.236.218
    91.219.31.14
    "
    * https://virustotal.com/en/file/3ce3a...7759/analysis/

    1] https://malwr.com/analysis/NzVmODQ1N...UwMTkwNDM5Y2U/
    Hosts
    5.153.23.8
    176.121.14.95
    88.214.236.218
    91.219.31.14


    2] https://malwr.com/analysis/YzViZjg5Z...E4MWU3NzMxMjA/
    Hosts
    5.153.23.8
    176.121.14.95
    91.219.31.14


    ** https://virustotal.com/en/file/9efdf...43df/analysis/
    ___

    Fake 'New(910)' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/12/malw...-to-locky.html
    12 Dec 2016 - "This spam leads to Locky ransomware:
    From: Savannah [Savannah807@ victimdomain .tld]
    Reply-To: Savannah [Savannah807@ victimdomain .tld]
    Date: 12 December 2016 at 09:50
    Subject: New(910)
    Scanned by CamScanner
    Sent from Yahoo Mail on Android


    The spam appears to come from a sender within the victim's-own-domain, but this is just a simple forgery. The attachment name is a .DOCM file matching the name in the subject. Automated analysis [1] [2] indicates that it works in a similar way to this other Locky ransomware run today*."
    1] https://malwr.com/analysis/ODYwMGRjM...Q5YjQwMDJhMGU/
    Hosts
    208.113.172.228
    176.121.14.95


    2] https://www.hybrid-analysis.com/samp...ironmentId=100


    * http://blog.dynamoo.com/2016/12/malw...er-947781.html
    ___

    Fake 'Software License' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/softw...elivers-locky/
    12 Dec 2016 - "... an email with the subject of 'Software License' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of softlic_0600353.zip which delivers Locky ransomware... One of the emails looks like:
    From: Deloris Santos <Santos.Deloris@ terebinthtreeportraits .com>
    Date: Mon 12/12/2016 09:59
    Subject: Software License
    Attachment: softlic_0600353.zip
    Hello scans, it is Deloris.
    Sending you the scan of the software license agreement (Order #0600353).
    It is in the attachment. Please look into it ASAP.
    Best Regards,
    Deloris Santos


    12 December 2016: softlic_0600353.zip: ~50Y70PZ821IW1H6QS6R5K4P.wsf - Current Virus total detections 5/55*
    Racco42** has posted a list of found download sites on pastebin***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1481540340/

    ** https://twitter.com/Racco42/status/808280355895529473

    *** http://pastebin.com/cCeYpZsd
    ... C2:
    POST http ://185.46.11.236/ checkupdate
    POST http ://91.200.14.109/ checkupdate
    POST http ://93.170.104.23 /checkupdate
    POST http ://95.213.224.117 /checkupdate

    185.46.11.236: https://www.virustotal.com/en/ip-add...6/information/ - RU
    91.200.14.109: https://www.virustotal.com/en/ip-add...9/information/ - UA
    93.170.104.23: https://www.virustotal.com/en/ip-add...3/information/ - NL
    95.213.224.117: https://www.virustotal.com/en/ip-add...7/information/ - RU
    ___

    Fake 'Amazon Transactions' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...ky-ransomware/
    12 Dec 2016 - "Following on from the continual series of spoofed FedEx Locky downloaders detailed in this POST[1]... using the same method have changed to a very bad imitation of Amazon .co.uk with an email with the subject of 'Transactions_Report__by_users_from_2016-11-18_to_2016-11-20' pretending to come from EGCTechServer <nf@ ammaazon .co.uk> with a malicious word doc attachment continues to deliver Locky ransomware...
    1] https://myonlinesecurity.co.uk/fedex...ky-ransomware/
    9 Nov 2016

    Screenshot: https://i2.wp.com/myonlinesecurity.c...g?w=1254&ssl=1

    12 December 2016: Your_requested_Report_is_attached_Here.doc - Current Virus total detections 20/56*
    Payload Security** contacts http ://triumphantul .top/2/ldd.php (185.101.218.162)... which actually downloads
    http ://triumphantul .top/2/565.exe (VirusTotal 4/57***) which is the same Locky version that they malspammed out on Sunday 11 Dec 2016... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1481530568/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/c...is/1481450464/

    185.101.218.162: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/56...9478/analysis/
    > https://www.virustotal.com/en/url/eb...496f/analysis/ | 2016-12-11
    ___

    Fake 'Order' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/order...ky-ransomware/
    12 Dec 2016 - "... an email -spoofing- Hexstone Ltd with the subject of 'Order Confirmation 81110319 Hexstone Ltd' (random numbers)... pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of Ord81110319.dzip which delivers Locky ransomware... One of the emails looks like:
    From: Leonor rede <Leonor6@ fiveoaks .com>
    Date: Mon 12/12/2016 16:23
    Subject: Order Confirmation 81110319 Hexstone Ltd
    Attachment: Ord81110319.dzip
    This message is intended only for the individual or entity to which it is
    addressed and may contain information that is private and confidential. If
    you are not the intended recipient, you are hereby notified that any
    dissemination, distribution or copying of this communication and its
    attachments is strictly prohibited.


    12 December 2016: Ord81110319.dzip: Extracts to: Receipt(546).jse - Current Virus total detections 12/54*
    Payload Security** shows a download of an encrypted file from
    http ://indigenouspromotions .com.au /874ghv3?qSzzdCEa=EIWRey which is converted by the script to fQuANqFwqs1.dll (VirusTotal 16/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1481560496/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    *** https://www.virustotal.com/en/file/7...b265/analysis/
    ...adaa.exe

    Last edited by AplusWebMaster; 2016-12-12 at 18:37.

  10. #1110 AplusWebMaster (Adviser Team)

    Fake 'documents', 'Intuit invoice', 'fax', 'picture', 'Fixed invoices' SPAM

    FYI...

    Fake 'documents' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/total...elivers-locky/
    13 Dec 2016 - "... an email with the subject of 'Total Gas & Power documents 0/5' (random numbers) pretending to come from totadonotreply@ netsend .biz with a semi-random named zip attachment in the format of 3000566547_invoice_139920043-09.zip which delivers Locky ransomware. The dates on the emails are 12 days old...

    Screenshot: https://i0.wp.com/myonlinesecurity.c...g?w=1258&ssl=1

    13 December 2016: 3000566547_invoice_139920043-09.zip: Extracts to: 3000566547_invoice_139920047-55.jse
    Current Virus total detections 9/55*. MALWR** shows a download of an encrypted file from
    http ://94.127.33.126 /knby545?bVoaEKQ=DtsfPK which is converted by the script to JWvpjx1.dll (VirusTotal 10/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1481622006/

    ** https://malwr.com/analysis/MDgyOTYxN...M0NWQ4NDE5M2Y/
    Hosts
    94.127.33.126
    176.121.14.95


    *** https://www.virustotal.com/en/file/8...is/1481622948/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    94.127.33.126
    109.234.34.212
    52.39.24.163
    35.160.111.237

    ___

    Fake 'Intuit invoice' SPAM - delivers Dridex
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    13 Dec 2016 - "... an email -spoofing- Intuit/QuickBooks with the subject of 'Invoice 00341 from Gas Safety Plus' (random numbers and random companies) pretending to come from the random company in subject line <notification@ global-intuit .com> with zip attachment which delivers Dridex banking Trojan... All the ones I have seen seem to be actually coming from various IP numbers on the OVH SAS network using fake, spoofed or newly registered domain identifications:
    ...
    Some of the subject lines & companies include:
    Invoice 00476 from Gaswise (Lincoln) Ltd
    Invoice 00845 from Moss Florist
    Invoice 00668 from Linda Leary Estate Agents
    Invoice 00475 from Urban Merchants, Your Fine Food Supplier
    Invoice 00969 from Ballon Wise ...
    One of the emails looks like:
    From: Gas Safety Plus <notification@ global-intuit .com>
    Date: Thu 01/09/2016 19:22
    Subject: Invoice 00341 from Gas Safety Plus
    Attachment: link-in-email body
    Gas Safety Plus
    Invoice 00341
    Due date 14/12/2016
    Balance due 335.00
    View invoice
    Dear Customer, Here’s your invoice. We appereciate your prompt payment. Thank’s for your business! Gas Safety Plus
    Intuit. Inc. All right reserved...



    13 December 2016: Invoice.zip: Extracts to: Invoice.js - Current Virus total detections 16/55*.
    MALWR** shows a download from http ://195.238.172.213 /~iceskate/images/manual.pdf which is -not- a pdf but a renamed .exe file. It gets renamed by the script to PPqFp2Bl32.exe and autorun (VirusTotal 9/57***). Payload Security[4]...
    The -links- in the email body go to a hacked/compromised fraudulently set up sharepoint address:
    “https ://telstrastorecorio-my.sharepoint .com/personal/rebecca_telstrashopcorio_com_au/_layouts/15/guestaccess.aspx?guestaccesstoken=nlZdrO0WUpP2BvOovx5%2bkQFaMQk87jAFOPGDI79ApoA%3d&docid=0508e7d01f6e144528e3b4e23521272d1&rev=1”
    ... Never just blindly click on the link/file in your email..."
    * https://www.virustotal.com/en/file/7...is/1480616575/

    ** https://malwr.com/analysis/NGI1NDAyO...NiYTZkZTlhMjM/
    Hosts
    188.165.230.126
    195.238.172.213


    *** https://www.virustotal.com/en/file/4...is/1481626327/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    82.196.5.27
    109.74.9.119
    192.188.58.163


    telstrastorecorio-my.sharepoint .com: 104.146.164.28: https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake 'fax' SPAM - leads to malware
    - https://myonlinesecurity.co.uk/blank...known-malware/
    13 Dec 2016 - "... a -blank- email with the subject of 'fax copia' coming or pretending to come from 910663334@ fax.vodafone .es with a semi-random named zip attachment in the format of 201612130917585473299351.zip (which is date_randomnumbers.zip) which delivers... Sharik Trojan... Other subjects include:
    Confirmacion
    datos ...
    One of the emails looks like:
    From: from910663334@ fax.vodafone .es
    Date: Tue 13/12/2016 08:47
    Subject: fax copia
    Attachment: 201612130917585473299351.zip


    Body content: totally empty/blank

    13 December 2016: 201612130917585473299351.zip: Extracts to: 201612130913339837772661.pdf.exe
    Current Virus total detections 6/56*. Payload Security** shows several connections which confirm Sharik...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1481619230/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    146.0.72.73
    172.227.109.213

    ___

    Fake 'picture' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/a-pic...ky-ransomware/
    13 Dec 2016 - "... an email with the subject of 'a picture for you' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of 2016-12-1640.zip which delivers Locky ransomware. Other subjects in this malspam run include:
    a image for you
    a photos for you ...
    One of the emails looks like:
    From: Delia <Delia.6@ mountainbikecup .dk>
    Date: Tue 13/12/2016 15:22
    Subject: a picture for you
    Attachment: 2016-12-1640.zip
    resized


    13 December 2016: 2016-12-1640.zip: Extracts to: 2016-12-14473.jse - Current Virus total detections 11/50*
    MALWR** shows a download of an encrypted file from http ://jrgolfbuddy .com/knby545?MoxfoYUn=neDsPVdRB which is converted by the script to GDJpPJ1.dll (VirusTotal 9/56***). Payload Security[4]. C2 http ://176.121.14.95 /checkupdate
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1481643767/

    ** https://malwr.com/analysis/MzgwN2M0Z...QyMWYwYmQ4ZWQ/
    Hosts
    192.185.225.117
    176.121.14.95


    *** https://www.virustotal.com/en/file/f...is/1481643297/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    ___

    Fake 'Fixed invoices' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/fixed...elivers-locky/
    13 Dec 2016 - "... an email with the subject of 'Fixed invoices'... pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of inv4665150.zip which delivers Locky ransomware... One of the emails looks like:
    From: Julia Weiss <Weiss.Julia@ interfacialsolutions .com>
    Date: Tue 13/12/2016 20:28
    Subject: Fixed invoices
    Attachment: inv4665150.zip
    Dear [redacted],
    Sorry for mistakes in the invoice. The number is 362, the amount came to $289.26.
    Please check out the details in the attachment.
    Best Regards,
    Julia Weiss


    13 December 2016: inv4665150.zip: Extracts to: ~_C4RM8B_~.wsf - Current Virus total detections 2/54*
    ... Payload Security**... does show locky ransomware and C2 sites... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1481661940/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    Last edited by AplusWebMaster; 2016-12-13 at 22:48.
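As an added defender-side example (not code from these posts or from the quoted blogs), the Python below flags mail attachments of the kinds reported in the last two posts (zip or .dzip archives extracting to .js/.jse/.wsf droppers, .docm macro documents, .pdf.exe double extensions) and matches proxy log lines against the Locky 'Recommended blocklist' POST /checkupdate beacon. The proxy log layout and the sample attachments it builds are assumptions made for the example.

```python
import io
import re
import zipfile

# Extensions reported in the posts above: scripts inside the zips, .docm macro
# documents, the odd .dzip archive name and the .pdf.exe double extension.
SCRIPT_EXTS = {".js", ".jse", ".wsf"}
MACRO_EXTS = {".docm"}
ARCHIVE_EXTS = {".zip", ".dzip"}
EXECUTABLE_EXTS = {".exe", ".dll"}
# 'Recommended blocklist' quoted in the 'Invoice' post (Locky C2, /checkupdate).
LOCKY_C2 = {"176.121.14.95", "88.214.236.218", "91.219.31.14"}
# Assumed proxy log layout: "<timestamp> <client> <METHOD> <url> <status>".
LOG_RE = re.compile(r"^\S+ (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s]+)(?P<path>/\S*)?")


def _exts(name):  # all lowercase suffixes: 'a.pdf.exe' -> ['.pdf', '.exe']
    return ["." + p for p in name.lower().split(".")[1:]]


def triage_attachment(name, data=None):
    """Reasons an attachment matches the malspam above (empty = none); a plain .doc
    is not flagged by name alone (the 'Amazon' run used one), it needs macro inspection."""
    reasons, exts = [], _exts(name)
    if not exts:
        return reasons
    last = exts[-1]
    if last in EXECUTABLE_EXTS:  # .pdf.exe style double extension or a bare executable
        reasons.append("double extension " + "".join(exts) if len(exts) > 1 else "executable attachment")
    if last in SCRIPT_EXTS:
        reasons.append("script attachment " + last)
    if last in MACRO_EXTS:
        reasons.append("macro-enabled Office document")
    if last == ".dzip":
        reasons.append("renamed zip archive (.dzip)")
    if last in ARCHIVE_EXTS and data is not None:
        try:  # look inside: the Locky zips extract to .js/.jse/.wsf droppers
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = _exts(member)
                    if inner and inner[-1] in SCRIPT_EXTS | EXECUTABLE_EXTS:
                        reasons.append("archive contains " + member)
        except zipfile.BadZipFile:
            reasons.append("archive does not parse as zip")
    return reasons


def flag_c2(log_lines, blocklist=LOCKY_C2):
    """(client, host) pairs for POST /checkupdate beacons to blocklisted hosts."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if (m and m["method"] == "POST" and m["host"] in blocklist
                and (m["path"] or "").startswith("/checkupdate")):
            hits.append((m["src"], m["host"]))
    return hits


def make_sample_zip(member_name, payload=b"constructed sample text, not malware"):
    """In-memory zip (constructed test data) holding one harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()
```

Both checks are name- and pattern-based only; they are meant as a cheap first filter at the mail gateway or proxy, not a substitute for sandboxing the attachment.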
