Page 114 of 132 FirstFirst ... 1464104110111112113114115116117118124 ... LastLast
Results 1,131 to 1,140 of 1320

Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1131
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'ACH', 'signature required' SPAM

    FYI...

    Fake 'ACH' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...ky-ransomware/
    18 Jan 2017 - "... an email spoofing ACH (Automated Clearing House) with the subject of 'Blocked Transaction Case No 255275283' coming or pretending to come from random companies, names and email addresses with rar attachment extracting to a very heavily obfuscated .JS file delivers Locky ransomware after a long convoluted download system... One of the emails looks like:
    From: Eufemia Quintyne <xefiuza03040150@ photogra .com>
    Date: Wed 18/01/2017 14:08
    Subject: Blocked Transaction. Case No 255275283
    Attachment: doc_details.rar
    The Automated Clearing House transaction (ID: 058133683), recently initiated
    from your online banking account, was rejected by the other financial
    institution.
    Canceled ACH transaction
    ACH file Case ID 04123240
    Transaction Amount 1624.05 USD ...


    18 January 2017: doc_details.rar: Extracts to: doc_details.js - Current Virus total detections 7/54*
    Payload Security** shows it drops another .js file (Payload Security ***) (VirusTotal 7/53[4]) which in turn downloads Locky ransomware from unwelcomeaz .top/2/56.exe (VirusTotal 9/55[5])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1484760601/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    35.164.68.81
    91.237.247.24
    194.31.59.5
    52.88.7.60
    35.161.88.115


    4] https://www.virustotal.com/en/file/9...is/1484757035/

    5] https://www.virustotal.com/en/file/e...is/1484758078/

    unwelcomeaz .top: 35.164.68.81: https://www.virustotal.com/en/ip-add...1/information/
    54.149.186.25: https://www.virustotal.com/en/ip-add...5/information/
    ___

    Fake 'signature required' SPAM - delivers hancitor
    - https://myonlinesecurity.co.uk/spoof...vers-hancitor/
    18 Jan 2017 - "An email pretending to come from a firm of -lawyers- with the subject of 'RE: settlement' pretending to come from a random firm of lawyers with a link-that-downloads a malicious word doc delivers hancitor [1]...

    Screenshot: https://myonlinesecurity.co.uk/wp-co.../bracewell.png

    18 January 2017: contract_submit.doc - Current Virus total detections 3/53*. Payload Security**...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.fireeye.com/blog/threat-...ka_chanit.html

    * https://www.virustotal.com/en/file/d...is/1484759676/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    23.23.117.228
    109.120.170.116
    188.212.255.49
    78.47.141.185


    Last edited by AplusWebMaster; 2017-01-18 at 22:57.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1132
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Insolvency Service' SPAM, Twitter accts compromised

    FYI...

    Fake 'Insolvency Service' SPAM - delivers Cerber
    - http://blog.dynamoo.com/2017/01/malw...y-service.html
    19 Jan 2017 - "This malware spam in unusual in many respects. The payload may be some sort of ransomware (UPDATE: this appears to be Cerber ).

    Screenshot: https://3.bp.blogspot.com/-CvAb-WcwG...insolvency.png

    Sample subjects are:
    LSV 354EMPU31 - Investigations Inquiry Reminder
    JXI 647TESR39 - Investigations Inquiry Reminder
    SHV 622WYXP68 - Investigations Inquiry Notice
    QPY 661APWZ41 - Investigations Inquiry Notice
    FHF 338SYBV85 - Investigations Inquiry Notice
    EGY 318NHAR12 - Investigations Inquiry Notification
    IZJ 296CNWP92 - Investigations Inquiry Notice
    All the senders I have seen come from the chucktowncheckin .com domain. Furthermore, all of the sending servers are in the same /24: 194.87.216.* .. All the servers have names like kvm42.chapelnash .com in a network block controlled by Reg .ru in Russia. The link-in-the-email goes to some hacked WordPress site or other, then ends up on a subdomain of uk-insolvencydirect .com e.g. 2vo4 .uk-insolvencydirect .com/sending_data/in_cgi/bbwp/cases/Inquiry.php - this is a pretty convincing looking page spoofing the UK government, asking for a CAPTCHA to download the files:
    > https://3.bp.blogspot.com/-qn0cYVJbc...ov-uk-fake.png
    Entering the CAPTCHA downloads a ZIP file (e.g. 3d6Zy.zip) containing a malicious Javascript (e.g. Inquiry Details.js)... Hybrid Analysis* of the script is rather interesting, not least because it performs NSLOOKUPs against OpenDNS servers (which is a really weird thing to do give that OpenDNS is a security tool). The script downloads a component from www .studiolegaleabbruzzese .com/wp-content/plugins/urxwhbnw3ez/flight_4832.pdf and then drops an EXE with an MD5 of e403129a69b5dcfff95362738ce8f241 and a detection rate of 5/53**. Narrowing the Hybrid Analysis down to just the dropped EXE, we can see these peculiar OpenDNS requests as the malware tries to reach out to:
    soumakereceivedthiswith .ru (176.98.52.157 - FLP Sidorenko Aleksandr Aleksandrovich, Russia)
    sectionpermiathefor .ru (151.0.42.255 - Online Technologies, Ukraine)
    programuserandussource .ru (does not resolve)
    maytermsmodiall .ru (does not resolve)
    ... I recommend that you block email traffic from:
    194.87.216.0/24
    -and- block web traffic to
    uk-insolvencydirect .com
    studiolegaleabbruzzese .com
    176.98.52.157
    151.0.42.255
    "
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    62.149.142.206
    208.118.235.148
    208.67.222.222
    5.58.153.190


    ** https://virustotal.com/en/file/ff060...309e/analysis/
    ___

    Verified Twitter accounts compromised ...
    - https://blog.malwarebytes.com/cyberc...busy-spamming/
    Jan 18, 2017 - "Verified Twitter accounts tend to be a little more secure than those belonging to non-verified users due to the amount of extra hoop jumping required to get one of those ticks in the first place. A number of security requirements, including providing a phone number and setting up 2FA, are all things a would-be verified Twitter user needs to do. In theory, it should be somewhat tricky to compromise those accounts – it wouldn’t really help Twitter if their theoretically appealing verified accounts were firing out Viagra spam all day long. Brand reputation and all that. And yet…in the space of a few hours last week, we had multiple verified users hitting the 'I’ve been compromised' wall of doom and gloom... 'rogue tweets' were, in theory, being sent to a combined audience of around 200,000+ people which could have been disastrous if the links had contained malicious files. Thankfully, these links were “just” porn spam and sunglasses, but the danger for something much worse is always present where a compromise is concerned. People trust the verified ticks in the same way they probably let their guard down around sponsored tweets, and in both cases a little trust can be a bad thing... scammers are doing it, always pay attention when your favorites start firing out URLs. Links are meant to be clicked, but that doesn’t mean we have to leap before looking – Twitter works best with shortened URLs, but you can usually see where they lead:
    > https://blog.malwarebytes.com/cyberc...nk-taking-you/
    Whether you’re verified or not, keep your wits about you and have a hopefully stress free experience on that most popular of social networks."

    Last edited by AplusWebMaster; 2017-01-19 at 21:40.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #1133
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Western Union' SPAM

    FYI...

    Fake 'Western Union' SPAM - delivers java Adwind/Jacksbot
    - https://myonlinesecurity.co.uk/spoof...wind-jacksbot/
    20 Jan 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE:
    > https://myonlinesecurity.co.uk/?s=java+adwind
    The email looks like:
    From: WU-IT Department <csc.it.westernunion@ gmail .com>
    Date: Fri 20/01/2017 02:02
    Subject: WUPOS Agent Portal Upgrade For All Agents
    Attachment: Update Manual & Agent Certificate .pdf
    Dear All,
    Western Union ,IT Department data is posting upgrade for new version of WUPOS.Please download attachment by clicking the link.as seen below, run the file and go ahead of checking western union intermediate screen
    Before doing that please read directives in attachments then map the Western Union user ID in the Symex application and proceed. Please let me know if you face any issue. Thanks & Regards, IT Department Western Union Internet United Kingdom PO Box 8252 London United Kingdom W6 0BX..."


    Screenshot: https://myonlinesecurity.co.uk/wp-co...ents-email.png

    The attached PDF looks like:
    > https://myonlinesecurity.co.uk/wp-co.../wupos_pdf.png

    The link-in-the-PDF is to http ://phrantceena .com/wp-content/plugins/Update%20Manual%20&%20Agent%20Certificate%20.zip which will give you -2- identical (although named differently) java.jar files. Agent certificate & branch details..jar and Wupos manual and update file..jar ..

    20 January 2017: Agent certificate & branch details..jar (323kb) Current Virus total detections 26/55*
    Payload Security **... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1484897128/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    83.243.41.200

    phrantceena .com: 66.147.244.127: https://www.virustotal.com/en/ip-add...7/information/

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #1134
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Sage 2.0 ransomeware

    FYI...

    Sage 2.0 ransomeware
    - https://isc.sans.edu/diary.html?storyid=21959
    2017-01-21 - "On Friday 2017-01-20, I checked a malicious spam (malspam) campaign that normally distributes Cerber ransomware. That Friday it delivered ransomware I'd never seen before called 'Sage'. More specifically, it was 'Sage 2.0'... Sage is yet another family of ransomware in an already crowded field. It was noted on BleepingComputer forums back in December 2016 [1, 2]...
    1] https://www.bleepingcomputer.com/for...xtension-sage/

    2] https://www.bleepingcomputer.com/for...rt-help-topic/

    ... Emails from this particular campaign generally have -no- subject lines, and they always have -no- message text. The only content is a zip attachment containing a Word document with a malicious macro that downloads and installs ransomware. Sometimes, I'll see a .js file instead of a Word document, but it does the same thing... attachments are often double-zipped. They contain -another- zip archive before you get to the Word document or .js file...
    Example of a Word document with a malicious macro:
    > https://isc.sans.edu/diaryimages/ima...y-image-05.jpg
    Another example of the Word document with a malicious macro:
    > https://isc.sans.edu/diaryimages/ima...y-image-06.jpg
    The Word document macros or .js files are designed to download and install ransomware. In most cases on Friday, the ransomware was Sage 2.0... Under default settings, an infected Windows 7 host will present a UAC window before Sage continues any further. It keeps appearing until you click 'yes':
    UAC pop-up caused by Sage: https://isc.sans.edu/diaryimages/ima...y-image-12.jpg
    The infected Windows host has an image of the decryption instructions as the desktop background. There's also an HTML file with the same instructions dropped to the desktop. The same HTML file is also dropped to any directory with encrypted files. ".sage" is the suffix for all encrypted files:
    Desktop of an infected Windows host: https://isc.sans.edu/diaryimages/ima...y-image-13.jpg
    ... Following the decryption instructions should take you to a Tor-based domain with a decryptor screen. On Friday, the cost to decrypt the files was $2,000 US dollars (or 2.22188 bitcoin):
    The Sage 2.0 decryptor: https://isc.sans.edu/diaryimages/ima...y-image-15.jpg
    ... When the callback domains for Sage didn't resolve in DNS, the infected host sent UDP packets sent to over 7,000 IP addresses...
    Below are IOCs for Sage 2.0 from Friday 2017-01-20:
    Ransomware downloads caused by Word document macros or .js files:
    54.165.109.229 port 80 - smoeroota .top - GET /read.php?f=0.dat
    54.165.109.229 port 80 - newfoodas .top - GET /read.php?f=0.dat
    84.200.34.99 port 80 - fortycooola .top - GET /user.php?f=0.dat
    Post-infection traffic:
    54.146.39.22 port 80 - mbfce24rgn65bx3g .er29sl .in - POST /
    66.23.246.239 port 80 - mbfce24rgn65bx3g .er29sl .in - POST /
    mbfce24rgn65bx3g .rzunt3u2 .com (DNS queries did not resolve)
    Various IP addresses, UDP port 13655 - possible P2P traffic...
    ... not sure how widely-distributed Sage ransomware is. I've only seen it from this one malspam campaign, and I've only seen it one day so far. I'm also not sure how effective this particular campaign is. It seems these emails can easily be -blocked- so few end users may have actually seen Sage 2.0. Still, Sage is another name in the wide variety of existing ransomware families. This illustrates how profitable ransomware remains for cyber criminals..."
    (More detail at the isc URL at the top of this post.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #1135
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Tiket alert' SPAM

    FYI...

    Fake 'Tiket alert' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spoof...ky-ransomware/
    23 Jan 2017 - "An email spoofing the FBI with the subject of 'Tiket alert 331328222' pretending to come from random senders with a malicious word doc downloads locky ransomware... The email looks like:
    From: Ngoc Trane <dpeupyl0386@ eiv .cl>
    Date: Mon 23/01/2017 13:14
    Subject: Tiket alert 331328222
    Attachment: information.doc
    From: FBI service [dpeupyl0386@ fbi .com]
    Date: Mon, 23 Jan 2017 14:14:09 +0100
    Subject: Tiket alert
    Look at the attached file for more information.
    Assistant Vice President, FBI service
    Management Corporation


    23 January 2017: information.doc - Current Virus total detections 5/54*
    Payload Security** shows a download from http ://unwelcomeaz .top/2/56.exe (VirusTotal 3/56***).
    Payload Security[4]. Last week this site[1] was delivering Locky ransomware, which is continuing today. It also looks like this Locky version is trying to download & install opera browser as well... The actual 56.exe pretends to be an adobe flash player 13 file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://myonlinesecurity.co.uk/spoof...ky-ransomware/

    * https://www.virustotal.com/en/file/8...is/1485177870/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/c...is/1485178446/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    46.17.40.234
    52.88.7.60
    54.240.162.210
    35.161.88.115
    91.198.174.192
    91.198.174.208


    unwelcomeaz .top: 35.164.68.81: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/84...c689/analysis/
    154.16.247.115: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/84...c689/analysis/

    Last edited by AplusWebMaster; 2017-01-24 at 12:53.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #1136
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Refund Unsuccessful', 'DHL Shipment', 'Online-Shop', 'Final payment' SPAM

    FYI...

    Fake 'Refund Unsuccessful' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/refun...elivers-locky/
    24 Jan 2017 - "... an email with the subject of 'Refund Unsuccessful 03246113' (random numbers) pretending to come from random companies, names and email addresses with a word doc attachment in the format of which delivers Locky ransomware... The email looks like:
    From: Stefania Collyer <heg64423837@ zinchospitality .com>
    Date: Tue 24/01/2017 01:53
    Subject: Refund Unsuccessful 03246113
    Attachment: information.doc
    Your order has been cancelled, however we are not able to proceed with the
    refund of $ 1371.48
    All the information on your case 527312277 is listed in the document below.


    Locky binary (virustotal 24/55*)
    Macro (VirusTotal 26/55**)
    Antivirus detections on these are still terrible, 24 hours after being submitted... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1485240808/

    ** https://www.virustotal.com/en/file/8...001e/analysis/
    ___

    Fake 'DHL Shipment' SPAM - delivers Cerber
    - https://myonlinesecurity.co.uk/spoof...er-ransomware/
    24 Jan 2017 - "... an email with the subject of 'DHL Shipment Notification: 6349701436' pretending to come from DHL Customer Support <support@ dhl .com> delivers Cerber ransomware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...tification.png

    There are several different named attachments with this campaign. _Dhl_expr. DATE20170120.zip -EXPRESS -Date20170120.zip and probably other variants.
    All extract to the same named .js file: Pickup – DOMESTIC EXPRESS-Date,23 Jan 17.pdf.js...

    9 January 2017: P_rek.zip: Extracts to: Pickup – DOMESTIC EXPRESS-Date,23 Jan 17.pdf.js
    Current Virus total detections 9/54*. Payload Security** shows a download from
    http ://bonetlozano .com/kvst.exe (VirusTotal 7/56***) which from the network noise looks like Cerber ransomware, although neither Payload Security nor any Antivirus on Virus total detect it as Cerber... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1485239971/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (695)

    *** https://www.virustotal.com/en/file/0...is/1485168150/

    bonetlozano .com: 217.76.130.248: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/ff...865c/analysis/
    ___

    Fake 'Online-Shop' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/beste...spam-delivers/
    24 Jan 2017 - "... email with the subject of 'Bestellung Online-Shop Auftr.Nr 02132596' (random numbers) coming or pretending to come from random companies, names and email addresses zip attachment containing a very heavily obfuscated JavaScript file which delivers an unknown malware... One of the emails looks like:
    From: waldemar.wysocki@ gmx .de
    Date: Tue 24/01/2017 10:53
    Subject: Bestellung Online-Shop Auftr.Nr 02132596
    Attachment: ea00ba32a5.zip
    Bestellung Nr.: 02132596 Datum: 24.01.2017


    24 January 2017: -Bestellpositionen[alle Preise in EUR].zip: Extracts to: -Bestellpositionen[alle Preise in EUR].pdf.js - Current Virus total detections 1/55*
    Payload Security** shows a download from volleymultdom .biz/fsgdhyrer6cdve8rv7hdsvkekvhbsdjh/cfhr.exe (VirusTotal 7/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1485255695/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    162.144.125.170
    212.2.153.190


    *** https://www.virustotal.com/en/file/4...1684/analysis/

    volleymultdom .biz: 162.144.125.170: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Final payment' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/spoof...known-malware/
    24 Jan 2017 - "... common email template pretending to come from HMRC, threatening enforcement action to recover unpaid tax... Update: being told this is Zurgop and Zbot spy...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...nt-request.png

    24 January 2017: Statement of Liabilities_7.doc - Current Virus total detections 3/54*
    Payload Security** shows a download from http ://sergiosuarezgil .com/adobe_upd7.exe (VirusTotal 4/56***)
    Payload Security[4].. nothing gives any real clue what it is or what it does... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1485264589/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    198.20.102.131

    *** https://www.virustotal.com/en/file/8...is/1485260445/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    23.63.140.108
    193.104.215.58
    185.162.9.59
    212.227.91.231
    104.87.224.175
    82.192.75.161
    37.252.227.51
    178.77.120.104
    169.50.71.245


    sergiosuarezgil .com: 198.20.102.131: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/e0...fedc/analysis/
    6/64

    email return URL: hmrcgsigov .org: 93.190.140.136: https://www.virustotal.com/en/ip-add...6/information/
    Country - NL << Fraud
    ___

    Android malware returns, gets >2M downloads on Google Play
    - http://arstechnica.com/security/2017...n-google-play/
    1/23/2017 - "A virulent family of malware that infected more than 10 million Android devices last year has made a comeback, this time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users. HummingWhale, as the professionally developed malware has been dubbed, is a variant of HummingBad, the name given to a family of malicious apps researchers documented in July invading non-Google app markets. HummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the malware root privileges in older versions of Android. Before Google shut it down, it installed more than 50,000 fraudulent apps each day, displayed 20 million malicious advertisements, and generated more than $300,000 per month in revenue..."
    > http://blog.checkpoint.com/2017/01/2...ngbad-returns/

    Last edited by AplusWebMaster; 2017-01-24 at 21:00.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #1137
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'DHL' SPAM, Sage 2

    FYI...

    Fake 'DHL' SPAM - delivers banking Trojan
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    25 Jan 2017 - "... an email with the subject of 'DHL prepared commercial invoice 9500238176 902694287308' (random numbers) pretending to come from ebillingcmf.td@ DHL .COM that delivers ursnif banking Trojan... One of the emails looks like:
    From: ebillingcmf.td@ DHL .COM
    Date: Wed 25/01/2017 07:49
    Subject: DHL prepared commercial invoice 9500238176 902694287308
    Attachment: Commercial.Form.25.01.2017.CVS.zip
    Attached notice amount customs charges
    Dear Customer,
    Attached your invoice in PDF format, dated 25/01/2017 and csv files for shipments and services provided by DHL Express.
    You can also display the details of his account and the historical invoices online.
    In case of substantial problems in the Annex, contact support at: support@dhl.com
    We expect to receive payment within the prescribed period, as indicated on the invoice.
    We send our thanks for having taken advantage of DHL Express services.
    Best regards,
    DHL Express


    25 January 2017: Commercial.Form.25.01.2017.CVS.zip: Extracts to: Commercial.Form.25.01.2017.CVS.wsf
    Current Virus total detections 7/54*. Payload Security** shows a download of an encrypted file from
    http :// www .cp4 .de/cp4/2401.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1485330508/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (16)
    81.169.145.165
    192.229.221.24
    195.93.42.3
    195.93.42.2
    217.79.188.60
    207.200.74.133
    217.79.188.46
    37.157.6.252
    172.227.147.7
    152.163.56.3
    217.79.188.60
    64.12.235.98
    151.101.192.249
    107.22.179.226
    104.94.37.243
    104.74.100.205

    ___

    Sage 2 ransomware - spreading in UK via malspam emails
    - https://myonlinesecurity.co.uk/sage-...alspam-emails/
    25 Jan 2017 - "... new entry to the market. Sage 2.0 ransomware. They are using the same basic email template telling you the order was cancelled but cannot give a refund. There are also 'ACH Blocked transaction' emails also spreading the same sage 2.0 ransomware. The security community has been warning about Sage2.0 ransomware for a few days now, but today is the first day we have seen malspam emails targeting UK users. All the emails so far received have contained the same zip file containing a very heavily encoded/obfuscated javascript file document_1.zip - there also appear to be 2 other files with no names inside the zip that don’t automatically extract and are probably there as padding or left over artefacts. They just appear to contain a list of txt characters, possibly a tracking identity or even the decryption key. I am attaching a couple of different document_1.zip versions to a zip file for researchers to look at P/W ”infected”
    25 jan_sage2 zip. Some subjects seen include:
    ' Refund Unsuccessful 26485806 ( random numbers)
    Blocked Transaction. Case No 15120544 ( random numbers)
    Re:
    Fw: '

    One of the emails looks like:
    Body content with 'Refund Unsuccessful' or 'FW' and 'RE:'
    Your order has been cancelled, however we are not able to proceed with the
    refund of $ 1460.01
    All the information on your case 652661070 is listed in the document below.

    Body content with 'Blocked Transaction'. 'Case No nnnn'
    The Automated Clearing House transaction (ID: 085112046), recently initiated
    from your online banking account, was rejected by the other financial
    institution.
    Canceled ACH transaction
    ACH file Case ID 07677730
    Transaction Amount 1436.17 USD
    Sender e-mail obqeygua57341@ scaledagile .com
    Reason of Termination See attached statement


    25 January 2017: document_1.zip: Extracts to: doc_details_jOiqRJ.js - Current Virus total detections 7/54*
    Payload Security** doesn’t show any download or file action, but the VT comments by @techhelplist[3] shows a download of sage 2.0 from http ://affections .top/ff/55.exe (VirusTotal 9/56[4]). Payload Security[5]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1485324653/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    3] https://twitter.com/Techhelplistcom/...53746829291520

    4] https://www.virustotal.com/en/file/b...is/1485304233/

    5] https://www.hybrid-analysis.com/samp...ironmentId=100
    54.149.186.25: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/1d...09d1/analysis/

    Last edited by AplusWebMaster; 2017-01-25 at 13:17.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #1138
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'USPS', 'Microsoft' SPAM

    FYI...

    Fake 'USPS' SPAM - delivers Sage 2 ransomware
    - https://myonlinesecurity.co.uk/spoof...-2-ransomware/
    26 Jan 2017 - "... Sage 2 ransomware has started to use the same email template that we see daily that normally delivers Locky ransomware and Kovter Trojans HERE:
    > https://myonlinesecurity.co.uk/spoof...d-locky-sites/
    ... The only noticeable difference between the 2 campaigns (until you actually analyse the files inside the zip attachments) is the file size and file names. In the Locky/Kovter versions they were using .js files but now use lnk files... Locky /Kovter use a file name something like Delivery-Receipt-3793490.zip that extracts to another zip file Delivery-Receipt-3793490.doc..zip that eventually extracts to Delivery-Receipt-3793490.doc.lnk where the numbers change with each email received. There are numerous different download sites for the malware each day. Sage 2 ransomware uses a static named file for all emails, currently Delivery-Details.zip extracting to Delivery-Details.js - There is one download site each day... One of the emails looks like:
    From: USPS Ground <uwawsne253468@ netpetar .com>
    Date: Thu 26/01/2017 02:04
    Subject: Delivery problem, parcel USPS #40088683
    Attachment: Delivery-Details.zip
    Hello,
    Your item has arrived at Thu, 26 Jan 2017 03:04:09 +0100, but our courier
    was not able to deliver the parcel.
    You can download the shipment label attached!
    All the best.
    Leisha Marshman – USPS Support Agent.


    26 January 2017: Delivery-Details.zip: Extracts to: Delivery-Details.js - Current Virus total detections 14/53*
    Payload Security** shows a download from http ://affections .top/ff/55.exe (VirusTotal 14/56***) (Payload Security [4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1485410870/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/0...is/1485413961/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    54.211.245.199

    affections .top: 54.165.5.111: https://www.virustotal.com/en/ip-add...1/information/
    Country US / Autonomous System 14618 (Amazon.com, Inc.)
    > https://www.virustotal.com/en/url/1d...09d1/analysis/
    52.203.213.69: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake 'Microsoft' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/spoof...known-malware/
    26 Jan 2017 - "A blank/empty email pretending to come from Microsoft with a subject like 'RE: 23337 Microsoft Free 23337' with zip attachment that extracts to another zip file that in turn contains a malicious word doc...
    Update: I am being told it is Ursnif banking Trojan... Update again: ... weird. This site is delivering different malware, almost at random it seems. Each visit gives a -different- file, although always the same name read.doc or read.php - currently all are 243kb but all have different file #. So far we have seen Cerber, Ursnif and the original unknown malware... The email looks like:
    From: tcmf.microsoft <suard-c@ vendome .pf>
    Date: Thu 26/01/2017 16:00
    Subject: RE: 23337 Microsoft Free 23337
    Attachment: 55554546637489.zip


    Body content: totally blank/empty

    > https://www.reverse.it/sample/aa8953...ironmentId=100
    Contacted Hosts
    208.67.222.222
    195.5.126.248
    46.150.69.43
    188.27.92.82


    > https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (576)

    26 January 2017: 55554546637489.zip: extracts to: 4446_ZIP.zip extracts to 4446.doc
    Current Virus total detections 2/55*. Payload Security shows a download from
    http ://vvorootad .top/read.php?f=0.dat which delivers read.doc (which is -not- a doc file, although having an icon looking like a word doc, but a renamed .exe) (VirusTotal 9/57**). Payload Security***... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1485447397/

    ** https://www.virustotal.com/en/file/7...is/1485448703/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100

    vvorootad .top: 52.203.115.53: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/11...6629/analysis/
    35.165.86.173: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/d1...1339/analysis/
    ___

    Spyware on a Chromebook ??
    - http://www.computerworld.com/article...hromebook.html
    Jan 25, 2017 - "... According to Google*, it means the extension 'can enable, disable, uninstall or launch themes, extensions, and apps you have installed'. Uninstall and disable other extensions? Are you kidding me? Why does Chrome even allow this? Web browsers do -not- allow a page on one website to interact with a page on another. Why does Chrome let an extension from Developer A disable or uninstall one from Developer B? Perhaps worse, is that Chrome does not warn, at installation time, about the modification to the New Tab page. This is inexcusable. And here's a sentence I never expected to write. When it comes to extensions modifying the New Tab page, Chrome on Windows is more secure than Chrome on Chrome OS..."
    * https://support.google.com/chrome_we...r/186213?hl=en

    (More detail at the computerworld URL above.)

    Last edited by AplusWebMaster; 2017-01-26 at 23:35.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #1139
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Phish - using PDF attachments

    FYI...

    Phish - using PDF attachments
    - https://blogs.technet.microsoft.com/...f-attachments/
    Jan 26, 2017 - "... deceitful PDF attachments are being used in email phishing attacks that attempt to steal your email credentials. Apparently, the heightened phishing activity that we have come to expect every year during the holiday season has not subsided. Unlike in other spam campaigns, the PDF attachments we are seeing in these phishing attacks do not contain malware or exploit code. Instead, they rely on social engineering to lead you on to phishing pages, where -you- are then asked-to-divulge sensitive information...
    Example 1: One example of the fraudulent PDF attachments is carried by email messages that pretend to be official communication, for instance, a quotation for a product or a service, from a legitimate company. These email messages may spoof actual people from legitimate companies in order to fake authenticity:
    > https://msdnshared.blob.core.windows...017/01/120.jpg
    When you open the attachment, it’s an actual PDF file that is made to appear like an error message. It contains an instruction to “Open document with Microsoft Excel”. But it’s actually a link to a website:
    > https://msdnshared.blob.core.windows...reenshot-1.png
    Clicking the link opens your browser and brings you to a website, where the social engineering attack continues with a message that the document is protected because it is confidential, and therefore you need to sign in with your email credentials:
    > https://msdnshared.blob.core.windows...reenshot-2.png
    ... Don’t open attachments or click-links in suspicious emails. Even if the emails came from someone you know, if you are not expecting the email, be wary about opening the attachment, because spam and phishing emails may spoof the sender..."
    (More detail at the blogs.technet.microsoft URL at the top of this post.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #1140
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Netflix Scam

    FYI...

    Netflix Scam delivers Ransomware
    - http://blog.trendmicro.com/trendlabs...rs-ransomware/
    Jan 29, 2017 - "Netflix has a 93 million-strong subscriber base in more than 190 countries, so it’s unsurprising that cybercriminals want a piece of the pie. Among their modus operandi: stealing user credentials that can be monetized in the underground, exploiting vulnerabilities, and more recently infecting systems with Trojans capable of pilfering the user’s financial and personal information. What other purposes can stolen Netflix credential serve? Offer them up as bargaining chip to fellow cybercriminals, for instance. Or more nefariously, use them as lure to trick certain users into installing malware (and turn a profit in the process).
    If you’re planning to free ride your way into binge-watching your favorite shows on Netflix, think again. Your computer’s files may end up getting held hostage instead. We came across a -ransomware- (detected by Trend Micro as RANSOM_ NETIX.A) luring Windows/PC users with a Netflix account via a login generator, one of the tools typically used in software and account membership piracy. These programs are usually found on suspicious websites sharing cracked applications and access to premium/paid web-based services:
    (The ransom note displayed as wallpaper in the affected system)
    > https://blog.trendmicro.com/trendlab...ansomware1.jpg
    (One of the ransom notes with instructions to victims)
    > https://blog.trendmicro.com/trendlab...ansomware2.jpg
    (Fake Netflix Login Generator)
    > https://blog.trendmicro.com/trendlab...ansomware3.jpg
    (The prompt window after clicking “Generate Login”)
    > https://blog.trendmicro.com/trendlab...ansomware4.jpg
    The ransomware starts as an executable (Netflix Login Generator v1.1.exe) that drops another copy of itself (netprotocol.exe) and then executed afterwards. Clicking the “Generate Login” button leads to another prompt window that purportedly has the login information of a genuine Netflix account. RANSOM_NETIX.A uses these fake prompts/windows as distraction while it performs its encryption routine on 39 file types under the C:\Users directory... The ransomware employs AES-256 encryption algorithm and appends the encrypted files with the .se extension. The ransom notes demand $100 worth of Bitcoin (0.18 BTC) from its victims... Interestingly, the ransomware terminates itself if the system is -not- running Windows 7 or Windows 10... This highlights the significance for end users to keep their subscription accounts safe from crooks. Keep to your service provider’s security recommendations. More importantly, practice good security habits: beware of -emails- you receive pretending to be legitimate, regularly update your credentials, use two-factor authentication, and download -only- from official sources... Does getting your important files encrypted worth the piracy? Netflix’s premium plan costs around $12 per month, and allows content to be streamed in four devices at the same time. Compare that with $100 you need to pay in order to get your files decrypted. Getting them back isn’t guaranteed either, as other ransomware families have shown... Bad guys need only hack a modicum of weakness for which no patch is available — the human psyche. Social engineering is a vital component in this scam, so users should be smarter: don’t download -or- click-ads promising the impossible. If the deal sounds too good to be true, it usually is."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •