FYI...
Fake 'ACH' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spoof...ky-ransomware/
18 Jan 2017 - "... an email spoofing ACH (Automated Clearing House) with the subject of 'Blocked Transaction Case No 255275283' coming or pretending to come from random companies, names and email addresses with rar attachment extracting to a very heavily obfuscated .JS file delivers Locky ransomware after a long convoluted download system... One of the emails looks like:
From: Eufemia Quintyne <xefiuza03040150@ photogra .com>
Date: Wed 18/01/2017 14:08
Subject: Blocked Transaction. Case No 255275283
Attachment: doc_details.rar
The Automated Clearing House transaction (ID: 058133683), recently initiated
from your online banking account, was rejected by the other financial
institution.
Canceled ACH transaction
ACH file Case ID 04123240
Transaction Amount 1624.05 USD ...
18 January 2017: doc_details.rar: Extracts to: doc_details.js - Current Virus total detections 7/54*
Payload Security** shows it drops another .js file (Payload Security ***) (VirusTotal 7/53[4]) which in turn downloads Locky ransomware from unwelcomeaz .top/2/56.exe (VirusTotal 9/55[5])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1484760601/
** https://www.hybrid-analysis.com/samp...ironmentId=100
*** https://www.hybrid-analysis.com/samp...ironmentId=100
[4] https://www.virustotal.com/en/file/9...is/1484757035/
[5] https://www.virustotal.com/en/file/e...is/1484758078/
unwelcomeaz .top: 35.164.68.81: https://www.virustotal.com/en/ip-add...1/information/
54.149.186.25: https://www.virustotal.com/en/ip-add...5/information/
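As an added example (not code from the post or from myonlinesecurity.co.uk), a mail-gateway check for the delivery pattern described above: an archive attachment whose members include a script file, or a bare script attachment. It assumes a zip archive, because Python's standard library cannot open rar (a rar reader such as the rarfile package would be needed for the real campaign), and the sender address and archive contents are constructed placeholders.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions a gateway should never pass as a bare attachment or inside an archive
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}


def script_members(archive_bytes):
    """Names of zip members with a script extension. The stdlib reads only zip;
    the campaign used rar, which needs an extra library (assumption: rarfile)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist()
                if os.path.splitext(n.lower())[1] in SCRIPT_EXTS]


def assess_message(raw):
    """Return a list of findings for one raw RFC 5322 message; empty means clean."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        data = part.get_payload(decode=True) or b""
        if ext in SCRIPT_EXTS:
            findings.append(f"bare script attachment: {name}")
        elif ext in ARCHIVE_EXTS:
            if zipfile.is_zipfile(io.BytesIO(data)):
                for member in script_members(data):
                    findings.append(f"{name} contains script {member}")
            else:  # fail closed: an archive the gateway cannot open is still a finding
                findings.append(f"uninspectable archive: {name}")
    return findings


def build_sample(member="doc_details.js"):
    """Constructed message modelled on the quoted lure (zip used instead of rar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "placeholder content, not the real dropper\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # constructed, not the spoofed address
    msg["Subject"] = "Blocked Transaction. Case No 255275283"
    msg.set_content("The Automated Clearing House transaction was rejected.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="doc_details.zip")
    return msg.as_bytes()
```

Running `assess_message(build_sample())` reports the archive-with-script finding, while the same message with a `details.pdf` member produces no findings.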
___
Fake 'signature required' SPAM - delivers hancitor
- https://myonlinesecurity.co.uk/spoof...vers-hancitor/
18 Jan 2017 - "An email pretending to come from a firm of -lawyers- with the subject of 'RE: settlement' pretending to come from a random firm of lawyers with a link-that-downloads a malicious word doc delivers hancitor [1]...
Screenshot: https://myonlinesecurity.co.uk/wp-co.../bracewell.png
18 January 2017: contract_submit.doc - Current Virus total detections 3/53*. Payload Security**...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
[1] https://www.fireeye.com/blog/threat-...ka_chanit.html
* https://www.virustotal.com/en/file/d...is/1484759676/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts