
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1181
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'USPS, UPS, DHL, FEDEX' SPAM, Kelihos Botnet takedown

    FYI...

    Fake 'USPS, UPS, DHL, FEDEX' SPAM - delivers mole ransomware
    - https://myonlinesecurity.co.uk/more-...le-ransomware/
    12 Apr 2017 - "... USPS, UPS, DHL, FEDEX and all the other delivery companies being spoofed and emails pretending to be from them delivering all sorts of malware, usually via zip attachments containing JavaScript files. I saw this post on Sans Security blog*... and expected that I would soon see them...they started to flood in today.
    * https://isc.sans.edu/diary.html?storyid=22290
    There are a multitude of different subjects. Some of the ones I received today are:
    ' Official notice regarding your order
    IMPORTANT USPS MONEYBACK INFO IN REGARDS TO YOUR PARCEL
    AUTOMATED notice in regards to your parcel’s status
    WARNING: INFO ABOUT A LATEST REFUND '

    These subjects today are different to the unusual subjects we see listed in the sans blog post.
    Typical senders -imitating- USPS include:
    USPS Delivery <huo4@ doverealty .net>
    USPS Express Delivery <ooyyomq57575452@ avensonline .org>
    USPS Priority Parcels <rejunwuj75324281@ vki-interiors .com>
    USPS Ground Support <heyluogf13136286@ parcerianet .com.br> ...
    ... these -all- use various subdomains of ideliverys .com... you see what looks like a word online website and you are invited to download the latest 'plugin' version to read the documents online:
    > https://myonlinesecurity.co.uk/wp-co...ine-plugin.png

    plugin.exe - Current Virus total detections 29/60**. Payload Security***.. I assume this is the same mole ransomware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    ** https://www.virustotal.com/en/file/8...7b11/analysis/

    *** https://www.hybrid-analysis.com/samp...ironmentId=100

    ideliverys .com: 47.91.88.133: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/16...9d0f/analysis/

    - https://myonlinesecurity.co.uk/chang...ering-malware/
    13 Apr 2017 - "... USPS, UPS, DHL, FEDEX SPAM... a -hybrid- campaign mixing elements of all the previous campaigns...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...EFUND-INFO.png

    ... These all use various subdomains of maildeliverys .com to divert to
    http ://tramplinonline .ru/counter/1.htm where you see what looks like a word online website and you are invited to download the -latest- 'plugin' version to read the documents online:
    > https://myonlinesecurity.co.uk/wp-co...trampoline.png
    ... this is where the hybrid element comes into play. Once you press download, you get a zip file plugin.zip which extracts to plugin.js ... starts with the first site in the array (var ll) and then downloads these (if the first site cannot be contacted or the file is missing) it moves on to next site and so on, eventually giving -3- malware files.
    /counter/exe1.exe (mole ransomware) VirusTotal 6/62[1]
    /counter/exe2.exe delivers kovter/powerliks VirusTotal 7/62[2]
    /counter/exe3.exe VirusTotal 0/61[3] | VirusTotal 3/62[4] (first one possibly corrupt)
    Today’s sites are:
    forum-turism .org.ro/images/layout
    boorsemsport .be/templates/yoo_aurora/less/uikit
    eurostandard .ro/pics/size1
    alita .kz/tmp/installation/language/cs-CZ
    sportbelijning .be/libraries/joomla/application/web
    tramplinonline .ru
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/3...is/1492102514/

    2] https://www.virustotal.com/en/file/2...is/1492110707/

    3] https://www.virustotal.com/en/file/9...is/1492110713/

    4] https://www.virustotal.com/en/file/b...is/1492109005/

    maildeliverys .com: 47.91.88.133: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/71...b637/analysis/

    tramplinonline .ru: 92.242.42.146: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/aa...991e/analysis/
    ___

    Kelihos.E Botnet – Takedown
    - http://blog.shadowserver.org/2017/04/12/kelihos-e/
    April 12, 2017 - "On Monday April 10th 2017, The US Department of Justice (DOJ) announced* a successful operation to take down the Kelihos Botnet and arrest the suspected botnet operator. The Kelihos botnet (and its predecessor Waledec) was one of the most active spamming botnets. Earlier versions of the malware were also involved in delivering trojan horses, stealing user credentials and crypto currency wallets, and in crypto currency mining. The Kelihos botnet was made up of a network of tens of thousands of infected Windows hosts worldwide. It used its own peer-to-peer (P2P) protocol, along with backup DNS domains, to provide resilient command and control (C2) facilities... The Kelihos.E botnet takedown occurred on Friday April 8th 2017, with 100% of the peer-to-peer network being successfully taken over by law enforcement and C2 traffic redirected to our sinkholes, C2 backend server infrastructure being seized/disrupted, as well as multiple fallback DNS domains being successfully sinkholed under US court order..."
    * https://www.justice.gov/opa/pr/justi...lihos-botnet-0
    April 10, 2017 - "The Justice Department today announced an extensive effort to disrupt and dismantle the Kelihos botnet – a global network of tens of thousands of infected computers under the control of a cybercriminal that was used to facilitate malicious activities including harvesting login credentials, distributing hundreds of millions of spam e-mails, and installing ransomware and other malicious software..."

    Last edited by AplusWebMaster; 2017-04-14 at 01:01.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1182
    Adviser Team AplusWebMaster

    Fake 'MONEY GRAM' SPAM

    FYI...

    Fake 'MONEY GRAM' SPAM - delivers java adwind
    - https://myonlinesecurity.co.uk/urgen...s-java-adwind/
    14 Apr 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... Slight change to previous examples today where these are being addressed to tamuna.khaduri@ basisbank .ge or mdzirkvelishvili@ tbcbank .com .ge ... looks like random names @ random bank .ge and BCC to the actual recipient... coming via compromised accounts on Godaddy...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...NFIRMATION.png

    URGENT MONEYGRAM CONFIRMATION.jar (479kb) - Current Virus total detections 19/59*. MALWR** ...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1492148381/

    ** https://malwr.com/analysis/YzRlZjM3N...MyNTc3NGYyYTI/


  3. #1183
    Adviser Team AplusWebMaster

    DropBox – Phish

    FYI...

    DropBox – Phish
    - https://myonlinesecurity.co.uk/congr...pbox-phishing/
    15 Apr 2017 - "... phishing attempts for email credentials...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...hish-email.png

    If you follow the -link- you see a webpage looking like this:
    http ://magioangeles .com/mo/DropBoxPhoto/
    > https://myonlinesecurity.co.uk/wp-co...pbox-phish.png

    Select -any- of the email services and you get:
    > https://myonlinesecurity.co.uk/wp-co...box-phish1.png

    Then you get sent to a signup page on the genuine dropbox site..."

    magioangeles .com: 209.133.208.250: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/bb...eda0/analysis/


  4. #1184
    Adviser Team AplusWebMaster

    Fake 'order proforma invoice' SPAM

    FYI...

    Fake 'order proforma invoice' SPAM - delivers 'RAT'
    - https://myonlinesecurity.co.uk/reque...ty-link-r-a-t/
    16 Apr 2017 - "... -fake- 'Request for 1st new order proforma invoice' -scam- delivers luminosity link Remote Access Tool Trojan* which is being heavily misused...
    * http://researchcenter.paloaltonetwor...configuration/

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ma-invoice.png

    ... The -link-in-the-email-body- goes to
    http ://bit .ly/2oWFVzK which directs to
    http ://www .internationalconfirmation .com/re-direct-live.php which downloads the malware from
    http ://redbulconfirm .host/LIST%20OF%20ORDERS%20FOR%20PROFORMA%20INVOICE .JPG .com...

    LIST OF ORDERS FOR PROFORMA INVOICE.JPG .com - Current Virus total detections 16/60*. Payload Security** which is describing it as luminosity link Trojan... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1492341398/

    ** https://www.reverse.it/sample/c67e5f...ironmentId=100
    Contacted Hosts
    192.166.218.230

    internationalconfirmation .com: 69.65.33.119: https://www.virustotal.com/en/ip-add...9/information/

    redbulconfirm .host: 68.65.122.167: https://www.virustotal.com/en/ip-add...7/information/


  5. #1185
    Adviser Team AplusWebMaster

    Fake 'ftc refund' SPAM, Many PayPal Phish

    FYI...

    Fake 'ftc refund' SPAM - leads to malware
    - http://blog.dynamoo.com/2017/04/malw...tc-refund.html
    17 Apr 2017 - "This -fake- FTC email leads to malware. Curiously, it was sent to a company that received a multimillion dollar FTC -fine- but this is almost definitely a coincidence:
    From: Federal Trade Commission [secretary@ ftccomplaintassistant .com]
    Date: 17 April 2017 at 15:25
    Subject: RE: RE: ftc refund
    It seems we can claim a refund from the FTC.
    Check this out and give me a call.
    https ://www .ftc .gov/refunds/company/companyname.com/FTC_refund_recipientname.doc
    Thank you
    James Newman
    Senior Accountant
    secretary@ ftccomplaintassistant .com ...


    The link-in-the-email actually goes to a URL beginning http ://thecomplete180 .com/view.php?id= followed by a Base 64 encoded string that appears to be 6281 + recipient email address + 5434 ... this downloaded document is up to no good, but the VirusTotal detection rates are only 5/56*. The Word document itself tries to persuade victims to 'enable macros', which would be a -bad- idea:
    > https://3.bp.blogspot.com/-ory5Evv0t.../fake-word.png

    * https://www.virustotal.com/en/file/c...is/1492451191/
    Automated analysis [1] [2] shows network traffic:
    1] https://malwr.com/analysis/YTBlYzI1M...E3OTUxNzYwN2I/
    Hosts
    54.235.135.158
    212.116.113.108
    186.202.127.62
    87.118.126.207


    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (18)

    ... This gives us a pretty useful minimum blocklist: ..."
    ___

    Many PayPal Phish
    - https://myonlinesecurity.co.uk/dont-...ypal-phishing/
    17 Apr 2017 - "... -lots- of phishing attempts for Paypal login account credentials... These definitely do
    -not- come from a “Trusted Sender”. The spelling and grammar mistakes in the email are more than enough to raise red flags...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...be-blocked.png

    ... If you follow-the-link when you use Internet Explorer you start with:
    http : //www .asclepiade .ch/sites/default/files/languages/red.html which -redirects- you to:
    https: //indimedia .co.uk/kasfolio/iceage3overlay/english/pp/
    you see a webpage looking like this:
    > https://myonlinesecurity.co.uk/wp-co...bitchboots.png

    BUT if you use Firefox or Google Chrome, then you get:
    http ://www .asclepiade .ch/sites/default/files/languages/red.html which -redirects- you to:
    https ://indimedia .co.uk/kasfolio/iceage3overlay/english/pp/ which -redirects- to:
    https ://indimedia .co.uk/kasfolio/iceage3overlay/english/pp/login?cmd=_signin&dispatch=8b262247e1b6f7c468c785df9&locale=en_GB and gives the typical PayPal phishing page
    (you get a different random dispatch= number each time):
    > https://myonlinesecurity.co.uk/wp-co...a-pp_phish.png

    ... Where pressing 'continue' takes you to the usual 'give me your credit card, bank account, address, phone number' and any other information they can think of, to be able to totally steal your identity and all financial accounts..."

    indimedia .co.uk: 216.222.194.4: https://www.virustotal.com/en/ip-add...4/information/

    > https://www.virustotal.com/en/url/b6...184e/analysis/

    > https://www.virustotal.com/en/url/29...b0f8/analysis/

    asclepiade .ch: 213.221.153.48: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/90...830a/analysis/

    Last edited by AplusWebMaster; 2017-04-18 at 14:42.
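The id= decoding that the Dynamoo post above describes (6281 + recipient address + 5434, Base64-encoded) turned into a defender-side check over proxy logs, so an analyst can tell which mailboxes were targeted and who clicked. This is an added example, not code from the page or from Dynamoo: the lure host and path come from the post; the log format, helper names and sample lines are constructed here.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

# From the Dynamoo post: the lure link is http://thecomplete180.com/view.php?id=<base64>
# and the decoded id is 6281 + recipient e-mail address + 5434.
TRACKER_HOST = "thecomplete180.com"
TRACKER_PATH = "/view.php"
ID_PATTERN = re.compile(r"^6281(?P<rcpt>[^@\s]+@[^@\s]+)5434$")

# Assumed proxy log layout (constructed): "<timestamp> <client IP> GET <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+GET\s+(?P<url>\S+)")


def encode_tracking_id(rcpt):
    """Rebuild an id= value the way the post describes it. Used here only to
    construct test input; the 6281/5434 framing is the page's, not ours."""
    return base64.b64encode(("6281" + rcpt + "5434").encode()).decode()


def decode_tracking_id(value):
    """Return the recipient address hidden in one id= value, or None when the
    value is not valid Base64, not UTF-8, or does not follow the 6281...5434 layout."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    m = ID_PATTERN.match(raw)
    return m.group("rcpt") if m else None


def recipient_from_url(url):
    """Return the targeted recipient if `url` is a lure link of this campaign, else None."""
    parts = urlsplit(url)
    if parts.hostname != TRACKER_HOST or parts.path != TRACKER_PATH:
        return None
    for field in parts.query.split("&"):
        key, _, value = field.partition("=")  # keep '=' padding inside the value
        if key == "id":
            # unquote() rather than parse_qs(): parse_qs turns '+' into a space,
            # which would corrupt a Base64 value.
            return decode_tracking_id(unquote(value))
    return None


def targeted_users(log_text):
    """Walk proxy log lines and return (client IP, recipient) for each lure click."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rcpt = recipient_from_url(m.group("url"))
        if rcpt:
            hits.append((m.group("src"), rcpt))
    return hits


# Constructed sample log: one real-looking lure click, one id= that decodes but
# does not fit the layout, one id= that is not Base64 at all, one unrelated request.
SAMPLE_LOG = "\n".join([
    "2017-04-17T15:31:02Z 10.0.0.12 GET http://thecomplete180.com/view.php?id="
    + encode_tracking_id("alice@example.com"),
    "2017-04-17T15:32:40Z 10.0.0.19 GET http://thecomplete180.com/view.php?id=bm90LXRoaXM=",
    "2017-04-17T15:32:58Z 10.0.0.20 GET http://thecomplete180.com/view.php?id=%%%",
    "2017-04-17T15:33:11Z 10.0.0.21 GET http://example.org/index.html",
])

if __name__ == "__main__":
    for src, rcpt in targeted_users(SAMPLE_LOG):
        print(f"{src} clicked the lure addressed to {rcpt}")
```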

  6. #1186
    Adviser Team AplusWebMaster

    'Protected View Mode' for MS Word docs

    FYI...

    'Protected View Mode' for MS Word docs
    > https://www.askwoody.com/2017/what-e...ge-of-malware/
    April 17, 2017 - "... 'Protected View Mode' is enabled by default in Word 2010 and later, but Word 2007 and earlier -don’t- have Protected View... See screenshot:
    > https://www.askwoody.com/wp-content/...iew-768x45.jpg
    If you click 'Enable Editing', the malware fires automatically — you don’t need to do anything more.
    If you open an attached DOC from Gmail, it’s harmless, -unless- you download the file, -then- open the DOC in Word and -then- click 'Enable Editing'. Moral of the story: Use Gmail*. Failing that, don’t click 'Enable Editing'..."
    * https://mail.google.com/mail/#inbox

    >> https://www.howtogeek.com/302740/how...-being-hacked/
    April 13, 2017

    Last edited by AplusWebMaster; 2017-04-18 at 22:35.

  7. #1187
    Adviser Team AplusWebMaster

    Fake 'USPS', 'invoice' SPAM, Malicious Excel Sheets

    FYI...

    Fake 'USPS' SPAM - delivers Zbot via fake Word online sites
    - https://myonlinesecurity.co.uk/more-...-online-sites/
    19 Apr 2017 - "... Today they have changed slightly again and now just have a link-to-a-site where you download a single executable file that pretends to be a plugin that allows you to read the documents online. Today (so far) are all Zbot/Panda Banking Trojans
    plugin_office_update_KB093211.exe (VirusTotal 7/61*) | Payload Security**...
    * https://www.virustotal.com/en/file/b...is/1492568116/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    Typical senders imitating USPS include: ...

    There are a multitude of different subjects. Some of the ones I received today are:
    WARNING: TROUBLE WITH YOUR ITEM
    ATTENTION REQUIRED: DETAILS ABOUT A IMPENDING REFUND
    URGENT USPS MONEYBACK INFORMATION CONCERNING YOUR PARCEL
    WARNING: you’re legally obliged to review the status of your parcel
    URGENT: notification of delay of your parcel
    Official letter concerning your order
    Major problems reported to the USPS customer support
    WARNING: INFORMATION ON YOUR IMPENDING REFUND
    IMMEDIATE ACTION REQUIRED: your shipment’s been postponed
    URGENT USPS MONEYBACK INFO CONCERNING YOUR SHIPMENT
    AUTOMATED letter regarding your shipment’s location
    OFFICIAL USPS REFUND INFO
    Official notice from USPS
    WARNING: ISSUES WITH YOUR SHIPMENT
    USPS USER URGENT NEW INFO CONCERNING YOUR PACKAGE
    WARNING: PROBLEMS WITH YOUR ORDER
    OFFICIAL USPS system statement
    USPS official notice: major trouble with your parcel
    USPS customer support team notice: your shipment has been postponed


    Screenshots: https://myonlinesecurity.co.uk/wp-co...SPS-email1.png

    > https://myonlinesecurity.co.uk/wp-co...SPS-email2.png

    > https://myonlinesecurity.co.uk/wp-co...SPS-email3.png

    All have links-in-the-email body to a -fake- word online website and you are invited to download the latest plugin version to read the documents online:
    > https://myonlinesecurity.co.uk/wp-co...ine-plugin.png

    ... The basic rule is NEVER open any attachment (or -link-) in an email, unless you are expecting it..."
    ___

    Fake 'invoice' SPAM - delivers Dridex
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    19 Apr 2017 - "An email with the subject of 'Copy of your 123-reg invoice (123-230044839)' [random numbers] pretending to come from no-reply@ 123-reg .co.uk with a malicious pdf attachment that contains an embedded word doc delivers Dridex banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ke-invoice.png

    123-230044839-reg-invoice.pdf - Current Virus total detections 10/57*. Payload Security** shows a download from
    http ://jeanevermore .com/6gfd43 that is converted by the macro to redchip2.exe (VirusTotal 10/61***)...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1492601252/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.117.150.240
    216.177.132.93
    152.66.249.132
    85.214.113.207
    192.184.84.119


    *** https://www.virustotal.com/en/file/7...is/1492594268/

    - http://blog.dynamoo.com/2017/04/malw...r-123-reg.html
    19 Apr 2017 - "This -fake- financial spam does not come from 123-Reg (nor is it sent to 123-Reg customers). It has a malicious attachment.
    From no-reply@ 123-reg .co.uk
    Date Wed, 19 Apr 2017 17:19:51 +0500
    Subject Copy of your 123-reg invoice ( 123-093702027 )
    Hi [redacted],
    Thank you for your order.
    Please find attached to this email a receipt for this payment.
    Help and support
    If you are still stuck why not contact our support team? Simply visit our 123-reg
    Support Centre and click on the Ask a Question tab.
    Thank you for choosing 123-reg.
    The 123-reg team...


    The invoice number is randomly generated. The attachment is a PDF file with a name matching the invoice number (e.g. 123-093702027-reg-invoice.pdf). This PDF file appears to drop an Office document according to VirusTotal results 12/56*. Hybrid Analysis** shows the document dropping a malicious executable with a detection rate of 15/61***. It appears to contact the following IPs (some of which contain legitimate sites):
    216.87.186.15 (Affinity Internet, US)
    216.177.132.93 (Alentus Corporation, US)
    152.66.249.132 (Budapest University of Technology and Economics, Budapest)
    85.214.113.207 (Strato AG, Germany)
    192.184.84.119 (RamNode LLC, US)
    The general prognosis seems to be that this is dropping the Dridex banking trojan.
    Recommended blocklist: ..."
    * https://virustotal.com/en/file/49671...is/1492608695/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/7...7872/analysis/
    ___

    Malicious Excel Sheets...
    - https://isc.sans.edu/diary.html?storyid=22322
    2017-04-19 - "... found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file. The Excel file looked classic, asking the user to enable macros:
    > https://isc.sans.edu/diaryimages/images/xls1.png
    ... the macro was, as usual, to download the malicious PE file, to store it on the disk and to execute it. The PE file has a VT score of 10/60[1]. This is not the first time that I saw this way of passing data to the macro. It’s easy to configure campaigns with many URLs and samples without touching the macro. I had a bunch of 400 malicious Excel sheets to inspect... bad guys also use data stored in the document itself and access it from the VBA code. I also saw a few times white text on white background in Word documents..."
    (More detail at the isc URL above.)
    1] https://www.virustotal.com/en/file/3...is/1491843226/

    Last edited by AplusWebMaster; 2017-04-19 at 22:49.

  8. #1188
    Adviser Team AplusWebMaster

    Malvertising campaign

    FYI...

    Malvertising campaign - drops ISFB banking Trojan
    - https://blog.malwarebytes.com/threat...anking-trojan/
    April 20, 2017 - "We have been witnessing a series of malvertising attacks that keep a low profile with decoy websites and strong IP address filtering... There have been similar uses of -fake- façades as a gateway to exploit kits. For instance, Magnitude EK is known to use gates that have to do with Bitcoin, investment websites and such, as detailed in this Proofpoint blog entry*...
    * https://www.proofpoint.com/us/threat...eme-windows-10
    ... In this particular case, the threat actor stole the web template from “Capital World Option“, a company that provides a platform for trading binary options. Participants must predict whether the price of an asset will rise or fall within a given time frame, which defines whether or not they will make money. Binary options have earned a bad reputation though and some countries have even banned them. Below is a screenshot of the legitimate website that is being impersonated. There are some differences between the real one and the fakes; the former is using SSL and was registered a while ago. Also, some of the website functionality is not working properly with the decoy versions.
    Legitimate site: https://blog.malwarebytes.com/wp-con...7/04/real2.png
    ---
    Decoy site that ripped all the branding: https://blog.malwarebytes.com/wp-con...17/04/fake.png
    ---
    Those -fake- sites are only meant to be viewed if you are not a target of this particular malware campaign. In other words, if you load the infection chain from the malvertising call and see the site, you will not be infected. Infections happen when the fraudulent server forwards victims directly to a second gate, without showing them any of the site’s content. The same threat actor has registered -many- different domains all purporting to be lookalikes using a similar naming convention...
    Conclusion: This particular campaign focused on a very specific malvertising chain leading to the RIG exploit kit and – as far as we could tell – dropping the same payload each time, no matter the geolocation of the victim. Banking -Trojans- have been a little bit forgotten about these days as they are overshadowed by ransomware. However, they still represent a significant threat and actually do operate safely in the shadows, manipulating banking portals to perform -wire-transfers- unbeknownst to their victims or even the banks they are targeting...
    IOCs: ...
    ‘Binary options’ IP addresses: ..."
    (More detail at the malwarebytes URL at the top.)


  9. #1189
    Adviser Team AplusWebMaster

    Fake 'Payment Receipt' SPAM

    FYI...

    Fake 'Payment Receipt' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/the-r...eipts-malspam/
    21 Apr 2017 - "... an email with the subject of 'Payment Receipt 2724' or something similar pretending to come from random companies with a pdf attachment containing an embedded malicious word macro enabled doc which will download an encrypted txt file that is -transformed- into the Locky ransomware file redchip2.exe... Some of the subjects include (all have random numbers):
    Receipt 435
    Payment Receipt 2724
    Payment-2677
    Payment Receipt_739
    Payment#229


    Screenshot: https://myonlinesecurity.co.uk/wp-co...nt-Receipt.png

    P2724.pdf - Current Virus total detections 9/57*. Payload Security** shows it drops an embedded macro enabled word doc (VirusTotal 12/59***) ... which downloads from
    sherwoodbusiness .com/9yg65 which is an encrypted-text-file that is converted-by-the-macro to redchip2.exe
    (Payload Security[4] (VirusTotal 6/62[5]). There are loads of other download locations for the encrypted txt file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1492775465/

    ** https://www.reverse.it/sample/d6aa22...ironmentId=100
    Contacted Hosts
    216.117.141.38

    *** https://www.virustotal.com/en/file/5...is/1492775793/

    4] https://www.reverse.it/sample/4ebc12...ironmentId=100

    5] https://www.virustotal.com/en/file/4...is/1492775821/
    redchip2.exe

    sherwoodbusiness .com: 216.117.141.38: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/35...a0d3/analysis/

    Embedded docs in PDF files can infect you
    > https://myonlinesecurity.co.uk/embed...ly-infect-you/
    22 Apr 2017

    Last edited by AplusWebMaster; 2017-04-22 at 15:34.

  10. #1190
    Adviser Team AplusWebMaster

    Fake 'Scan Data' SPAM, Interpol: 9,000 infected servers in SE Asia

    FYI...

    Fake 'Scan Data' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/locky...cro-word-docs/
    24 Apr 2017 - "... another mass malspam onslaught with 2 separate emails with the subject of 'Scan Data' or '12345678.pdf' (random numbers) pretending to come from random email addresses at your-own-email-domain with a PDF attachment that contains an embedded malicious word doc with macros that delivers Locky ransomware... See HERE[1] for safe settings to stop these from working...
    1] https://myonlinesecurity.co.uk/embed...ly-infect-you/

    Screenshot: https://myonlinesecurity.co.uk/wp-co...data-locky.png

    Scan_066379.pdf - Current Virus total detections 13/55*. Payload Security** - drops 744951.doc
    (Virustotal 12/57***) - (Payload Security[4]) shows a download from
    http ://dorsetcountymaintenance .co.uk/87tgyu which is converted by the macro to redchip2.exe
    (VirusTotal 10/59[5]) (Payload Security [6])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1493033052/

    ** https://www.reverse.it/sample/3abc2b...ironmentId=100
    Contacted Hosts
    188.65.115.102

    *** https://www.virustotal.com/en/file/a...is/1493033505/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    188.65.115.102

    5] https://www.virustotal.com/en/file/c...is/1493034283/
    redchip2.exe

    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    dorsetcountymaintenance .co.uk: 188.65.115.102: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/10...4a1e/analysis/
    ___

    Locky ransomware comeback - Necurs botnet
    - https://www.helpnetsecurity.com/2017.../locky-necurs/
    April 24, 2017 - "The Necurs botnet has, once again, begun pushing Locky ransomware on unsuspecting victims:
    > https://www.helpnetsecurity.com/imag...curs-locky.jpg
    The botnet, which flip-flops from sending penny stock pump-and-dump emails to booby-trapped files that lead to malware (usually Locky or Dridex), has been spotted slinging thousands upon thousands of emails in the last three or four days*...
    * http://blog.talosintelligence.com/20...ns-necurs.html
    ... In the first part of the spam campaign, the emails contain no text except in the Subject line, which simply says 'Receipt' or 'Payment', followed by random numbers. Those numbers are seen again in the name of the attached PDF file... Later, the emails were made to look like they contained a scanned image in PDF format... In both cases, the attached PDF contains embedded Word documents with macros... there is currently no way to decrypt the files without paying the ransom..."

    - https://isc.sans.edu/diary.html?storyid=22334
    2017-04-23 - "... The PDF contains JavaScript to extract the malicious Word document and launch Word. The user is prompted before this action takes place, but if you want to mitigate this, you can -disable- JavaScript. If you use Adobe Reader version 15.009.20069 or later, then the extracted Word document is marked with a mark-of-web, regardless if the containing PDF document is marked as such:
    > https://isc.sans.edu/diaryimages/ima...304-014929.png
    ... After applying Microsoft's patch for CVE-2017-0199, a downloaded HTA is no longer executed, but it is -still- downloaded without user interaction..."

    Cisco - Threat Outbreak Alerts
    > https://tools.cisco.com/security/cen...ing.x#~Threats
    April 24, 2017 - Email Messages Distributing Malicious Software...

    Locky has reemerged - borrowing attack techniques from Dridex
    - http://www.zdnet.com/article/the-god...ier-than-ever/
    April 24, 2017
    ___

    Interpol finds nearly 9,000 infected servers in SE Asia
    - http://www.reuters.com/article/us-si...-idUSKBN17Q1BT
    Apr 24, 2017 - "An anti-cybercrime operation by Interpol and investigators from seven southeast Asian nations revealed nearly 9,000 malware-laden servers and hundreds of compromised websites in the ASEAN region, Interpol said on Monday. Various types of malware, such as that targeting financial institutions, spreading ransomware, launching Distributed Denial of Service (DDoS) attacks and distributing spam were among the threats posed by the infected servers, the operation showed... Experts from seven private firms also participated in the operation run out of the Singapore-based Interpol Global Complex for Innovation (IGCI), with China providing some cyber intelligence, the international police body said on its website*...
    * https://www.interpol.int/News-and-me...2017/N2017-051
    DDoS attacks have always been among the most common on the Internet, making use of hijacked and virus-infected computers to target websites until they can no longer cope with the scale of data requested. The operation also identified nearly 270 websites infected with a malware code, among them several government websites that may have contained citizens' personal data, Interpol added..."

    Last edited by AplusWebMaster; 2017-04-24 at 23:52.
