
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1191
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'confirmation' SPAM, Phish - distributing ransomware

    FYI...

    Fake 'confirmation' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/the-l...cro-word-docs/
    25 Apr 2017 - "... another 2 mass malspam onslaughts with different email subjects. The first is 'confirmation_12345678.pdf' (random numbers) pretending to come from info@ random .tld with a PDF attachment that contains an embedded malicious word doc with macros that delivers Locky ransomware. The second is a -blank- email with the subject of 'paper', coming from random names, companies and email addresses. In all cases the alleged sending address is -spoofed- ... In both campaigns the PDF appears totally to be a -blank- page but still contains the embedded macro word doc that will infect you when opened. These macro enabled word docs embedded into PDF files can easily infect you, -IF- you have default PDF settings set in Adobe Reader. See HERE[1] for safe settings to stop these working...
    1] https://myonlinesecurity.co.uk/embed...ly-infect-you/
    ... 2 distinct malspam approaches today. First coming from 'scanner' (or other MFD, like scan, Epson, Printer, canon etc ) @ your-own-email-domain with a subject of 'scan data'. The second comes from totally random names @ your-own-email-domain with a subject of '12345678.pdf' (random numbers) and has a completely -empty- email body...

    Screenshot1: https://myonlinesecurity.co.uk/wp-co...nfirmation.png

    Screenshot2: https://myonlinesecurity.co.uk/wp-co...ocky_paper.png

    6446165b2.pdf - Current Virus total detections 13/56*. Payload Security** drops 216616.docm downloads from
    http ://parallelsolutions .nl/jhg67g which is converted by the macro to pitupi2.exe
    (VirusTotal 23/59***) (Payload Security[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1493096091/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    159.253.0.19

    *** https://www.virustotal.com/en/file/a...is/1493096408/
    pitupi2.exe

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    parallelsolutions .nl: 159.253.0.19: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/6d...c163/analysis/
    ___

    Phish attacks responsible for 3/4 of all malware
    - https://www.helpnetsecurity.com/2017...tacks-malware/
    April 25, 2017 - "With phishing now widely used as a mechanism for distributing ransomware, a new NTT Security reveals that 77% of all detected ransomware globally was in four main sectors – business & professional services (28%), government (19%), health care (15%) and retail (15%):
    > https://www.helpnetsecurity.com/imag...y-042017-2.jpg
    While technical attacks on the newest vulnerabilities tend to dominate the media, many attacks rely on less technical means. According to the GTIR, phishing attacks were responsible for nearly three-quarters (73%) of all malware delivered to organizations, with government (65%) and business & professional services (25%) as the industry sectors most likely to be attacked at a global level. When it comes to attacks by country, the U.S. (41%), Netherlands (38%) and France (5%) were the top three sources of phishing attacks. The report also reveals that just 25 passwords accounted for nearly 33% of all authentication attempts against NTT Security honeypots last year. Over 76% of log on attempts included a password known to be implemented in the Mirai botnet – a botnet comprised of IoT devices, which was used to conduct, what were at the time, the largest ever distributed denial of service (DDoS) attacks. DDoS attacks represented less than 6% of attacks globally, but accounted for over 16% of all attacks from Asia and 23% of all attacks from Australia. Finance was the most commonly attacked industry globally, subject to 14% of all attacks. The finance sector was the only sector to appear in the top three across all of the geographic regions analysed, while manufacturing appeared in the top three in five of the six regions. Finance (14%), government (14%) and manufacturing (13%) were the top three most commonly attacked industry sectors:
    > https://www.helpnetsecurity.com/imag...y-042017-1.jpg
    ... NTT Security summarizes data from over 3.5 -trillion- logs and 6.2 -billion- attacks for the 2017 Global Threat Intelligence Report (GTIR)*..."
    * https://www.nttcomsecurity.com/us/gtir-2017/
    ___

    Phish: PayPal Credit Service Security Check
    - https://security.intuit.com/index.ph...security-check
    24 April 2017 - "People are reporting receiving -fake- emails as found below. Please be aware that the From address as well as the Subject line may change; however, the content within the body of the email will stay the same with the exception of a change to the malicious URL link, which may have many different variations. Below is an example of the email people are receiving:
    > https://security.intuit.com/images/2...4_14-51-41.png
    ... end of the -fake- email..."

    Last edited by AplusWebMaster; 2017-04-25 at 17:23.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1192
    AplusWebMaster

    Fake 'DHL' SPAM, JavaScript Malspam Campaigns

    FYI...

    Fake 'DHL' SPAM - delivers js malware
    - https://myonlinesecurity.co.uk/fake-...known-malware/
    26 Apr 2017 - "... email with the subject of 'DHL Shipment Notification: 1104749373' pretending to come from DHL Customer Support <support@ dhl .com> with a semi-random named zip attachment in the format of Pickup EXPRESS.Date2017-04-26.zip which delivers or tries to deliver some sort of malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...1104749373.png

    Pickup EXPRESS.Date2017-04-26.zip: Extracts to: Pickup DOMESTIC EXPRESS Date2017-04-26.pdf.js
    Current Virus total detections 4/57*. Payload Security** | JoeSandbox*** all of which do show a connection to 47.91.74.140 80 horcor .com which looks to be connected to or hosted by Chinese online company Alibaba.
    Payload Security shows an attempt to contact http ://horcor .com/gate.php?ff1 (ff1 – ff12) in turn via get requests BUT only when you expand the wscript.exe section and examine the script calls... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1493200305/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    47.91.74.140

    *** https://jbxcloud.joesecurity.org/analysis/259442/1/html

    horcor .com: 47.91.74.140: https://www.virustotal.com/en/ip-add...0/information/
    ___

    JavaScript Malspam Campaigns
    Multiple malicious JavaScript spam campaigns active in the wild
    - https://www.zscaler.com/blogs/resear...spam-campaigns
    April 25, 2017 - "... multiple active malspam campaigns with links to malicious JavaScript payloads in the wild. These JavaScript files when opened by the end user will trigger download and execution of malware executables belonging to various Dropper and Backdoor Trojan families. We have seen over 10,000 instances of malicious JavaScript payloads from these campaigns in last two weeks. The JavaScript files are highly obfuscated to avoid detection and on first look shared similarity to Angler EK's landing page. Two URL formats are commonly being used at this time, one with just alphanumeric characters in path and the other with string ‘.view’ in the path. The examples for these URLs are seen below:
    http ://yountstreetglass [.]com/TRucDEpdoO4jsaFaF4wCTxl8h/
    http ://unbunt [.]com/view-report-invoice-0000093/w0ru-bb26-w.view/
    The javascript files have names which try to masquerade as bills and receipts of various services like DHL, UPS and Vodafone to name a few... When we opened the JavaScript, we observed that it was heavily obfuscated with random strings and numbers assigned to variables, which makes very little sense...
    Conclusion: We should always be cautious when clicking on links or handling e-mail attachments received from an unknown sender. Threat actors keep changing their obfuscation techniques in an attempt to evade detection methods used by security engines. It is increasingly important to have multiple security layers to block these kinds of attacks..."
    (More detail at the zscaler URL above.)

    yountstreetglass .com: 107.180.2.25: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/67...64d9/analysis/

    unbunt .com: 5.153.24.46: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/17...3e79/analysis/

    Last edited by AplusWebMaster; 2017-04-26 at 16:16.
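The DHL post above describes the attachment pattern that matters for mail-gateway detection: a zip that extracts to a file named `...pdf.js`, so the visible "document" extension hides a script that Windows hands to the script host. As an added example (not code from the post or from myonlinesecurity.co.uk), the following Python performs that triage on an attachment without extracting or running anything: it looks inside a zip, flags members whose real extension is a script-host type, and flags the decoy document extension in front of it. The extension lists, the `triage_attachment` entry point and the in-memory sample zip (harmless text under the name the post reports) are constructed for this example.

```python
import io
import zipfile

# Extensions that Windows hands to the Windows Script Host or mshta.exe on double-click
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Extensions typically used as the decoy half of a double extension (e.g. ".pdf.js")
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def suffixes_of(name):
    """All dotted suffixes of a file name, lower-cased, ignoring any directory part."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return []
    return ["." + p for p in parts[1:]]


def classify_name(name):
    """Reasons a single file name looks like a script payload dressed up as a document.
    An empty list means the name itself raised no flag."""
    suffixes = suffixes_of(name)
    if not suffixes:
        return []
    real = suffixes[-1]
    reasons = []
    if real in SCRIPT_EXTENSIONS:
        reasons.append(f"script-host extension {real}")
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
            reasons.append(f"decoy extension {suffixes[-2]} hides {real}")
    return reasons


def triage_zip(data):
    """Inspect the member names of a zip attachment (bytes) without extracting or running
    anything. Returns {member_name: [reasons]} for flagged members only."""
    findings = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reasons = classify_name(info.filename)
                if reasons:
                    findings[info.filename] = reasons
    except zipfile.BadZipFile:
        # A corrupt or disguised archive is worth a look by itself
        findings["<archive>"] = ["not a valid zip archive"]
    return findings


def triage_attachment(filename, data):
    """Gateway-style verdict for one attachment: look inside zips, otherwise judge the name."""
    if suffixes_of(filename)[-1:] == [".zip"]:
        return triage_zip(data)
    reasons = classify_name(filename)
    return {filename: reasons} if reasons else {}


def build_sample_zip(members):
    """Constructed sample: an in-memory zip holding harmless text under the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample mirroring the member name from the post; the content is a comment, not a script
SAMPLE_ZIP = build_sample_zip({
    "Pickup DOMESTIC EXPRESS Date2017-04-26.pdf.js": "// placeholder text, not the real payload",
    "notes.txt": "harmless text",
})

if __name__ == "__main__":
    print(triage_attachment("Pickup EXPRESS.Date2017-04-26.zip", SAMPLE_ZIP))
```

Only names are inspected, so the check is cheap enough to run on every inbound attachment; it complements, rather than replaces, content scanning, since a script with a plain `.js` name is still flagged but a macro document with an honest `.doc` name is not.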

  3. #1193
    AplusWebMaster

    Fake 'Secure email' SPAM, Intrusions - Multiple Victims/Sectors, Mac's - OSX malware

    FYI...

    Fake 'Secure email' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/more-...alspam-emails/
    28 Apr 2017 - "An email with the subject of 'Secure email communication' pretending to come from HM Revenue & Customs <GSRPCommunication@ govsecure .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan... criminals sending these have registered various domains that look like genuine HMRC domains... So far we have found
    govsecure .co.uk
    gov-secure .co.uk
    ... they are registered via Godaddy as registrar and the emails are sent via City Network Hosting AB Sweden 89.46.82.3, 89.46.82.2, 89.42.141.46, 89.40.217.178, 89.40.217.179, 89.40.217.185 ...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...munication.png

    Unsuccessful_Payments_Documents.doc - Current Virus total detections 3/56*. Payload Security** shows a download via powershell from http ://elevationstairs .ca/fonts/60c5776c175c54d2.png which of course is
    -not- an image file but a renamed .exe (VirusTotal 8/61***) (Payload Security [4])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1493381297/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    70.33.246.140
    107.22.214.64
    184.160.113.13
    217.31.111.153

    *** https://www.virustotal.com/en/file/f...is/1493382383/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    elevationstairs .ca: 70.33.246.140: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/e8...c048/analysis/
    ___

    Intrusions - Multiple Victims across Multiple Sectors
    - https://www.us-cert.gov/ncas/alerts/TA17-117A
    April 27, 2017 - "... Overview:
    The National Cybersecurity and Communications Integration Center (NCCIC) has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.
    According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates, along with placing sophisticated malware implants on critical systems. Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments. Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.
    Although this activity is still under investigation, NCCIC is sharing this information to provide organizations information for the detection of potential compromises within their organizations.
    NCCIC will update this document as information becomes available.
    For a downloadable copy of this report and listings of IOCs, see:
    > https://www.us-cert.gov/sites/defaul...7-093-01C.xlsx
    IOCs (.xlsx)
    61.97.241.239 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    103.208.86.129 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    109.237.108.202 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...2/information/
    109.237.111.175 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...5/information/
    109.248.222.85 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...5/information/
    95.47.156.86 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...6/information/
    162.243.6.98 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...8/information/
    160.202.163.78 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...8/information/
    86.106.102.3 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
    110.10.176.181 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...1/information/
    185.133.40.63 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
    185.14.185.189 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    95.183.52.57 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...7/information/
    185.117.88.78 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...8/information/
    185.117.88.77 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...7/information/
    185.117.88.82 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...2/information/
    109.237.108.150 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...0/information/
    211.110.17.209 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    81.176.239.56 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...6/information/
    151.236.20.16 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...6/information/
    107.181.160.109 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    151.101.100.73 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
    158.255.208.170 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...0/information/
    158.255.208.189 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    158.255.208.61 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...1/information/
    160.202.163.79 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...9/information/
    160.202.163.82 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...2/information/
    160.202.163.90 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...0/information/
    160.202.163.91 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...1/information/
    185.117.88.81 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...1/information/
    185.141.25.33 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
    31.184.198.23 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...3/information/
    31.184.198.38 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...8/information/
    92.242.144.2 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...2/information/
    183.134.11.84 IPv4 IP Watchlist: https://www.virustotal.com/en/ip-add...4/information/

    > https://www.helpnetsecurity.com/2017...tack-campaign/
    April 28, 2017
    ___

    Mac's - OSX.Dok malware intercepts web traffic
    > https://blog.malwarebytes.com/threat...s-web-traffic/
    April 28, 2017 - "Most Mac malware tends to be unsophisticated. Although it has some rather unpolished and awkward aspects, a new piece of Mac malware, dubbed 'OSX.Dok', breaks out of that typical mold. OSX.Dok, which was discovered by Check Point*, uses sophisticated means to monitor — and potentially alter — all HTTP and HTTPS traffic to and from the infected Mac. This means that the malware is capable, for example, of capturing account credentials for any website users log into, which offers many opportunities for theft of cash and data. Further, OSX.Dok could modify the data being sent and received for the purpose of -redirecting- users to malicious websites in place of legitimate ones...
    * http://blog.checkpoint.com/2017/04/2...https-traffic/
    Distribution method: OSX.Dok comes in the form of a file named Dokument.zip, which is found being -emailed- to victims in -phishing- emails. Victims primarily are located in Europe...
    Removal: Removal of the malware can be accomplished by simply removing the two aforementioned LaunchAgents files, but there are many leftovers and modifications to the system that -cannot- be as easily reversed...
    Consumers: Malwarebytes Anti-Malware for Mac will detect the important components of this malware as OSX.Dok, disabling the active infection. However, when it comes to the other changes that are not easily reversed, which introduce vulnerabilities and potential behavior changes, additional measures will be needed. For people who don’t know their way around in the Terminal and the arcane corners of the system, it would be wise to seek the assistance of an expert, or erase the hard drive and restore the system from a backup made prior to infection.
    Businesses: The impact on business could be much more severe, as it could expose information that could allow an attacker to gain access to company resources. For example, consider the potential damage if, while infected, you visited an internal company page that provided instructions for how to connect to the company VPN and access internal company services. The malware would have sent all that information to the malicious proxy server. If you have been infected by this malware in a business environment, you should consult with your IT department, so they can be aware of the risks and begin to mitigate them."
    (More detail at the malwarebytes -and- checkpoint URL's above.)

    Last edited by AplusWebMaster; 2017-04-28 at 22:11.

  4. #1194
    AplusWebMaster

    Fake 'MoneyGram' SPAM

    FYI...

    Fake 'MoneyGram' SPAM - delivers new java Adwind
    - https://myonlinesecurity.co.uk/new-g...dwind-version/
    1 May 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... previously mentioned many of these HERE[1]... Today’s has a slightly different subject and email content to previous ones...
    1] https://myonlinesecurity.co.uk/?s=java+adwind

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-MoneyGram.png

    Updated Guidelines from MG.jar (480 kb) - Current Virus total detections 2/58*. MALWR **... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1493604843/

    ** https://malwr.com/analysis/YmU5OTliZ...A1NTM5MWZjMjE/


  5. #1195
    AplusWebMaster

    Fake 'DHL', 'Secure email' SPAM, Cerber Ransomware - evolution

    FYI...

    Fake 'DHL' SPAM - js script
    - http://blog.dynamoo.com/2017/05/malw...878382814.html
    2 May 2017 - "... another -fake- DHL message leading to an evil .js script.
    From: DHL Parcel UK [redacted]
    Sent: 02 May 2017 09:30
    To: [redacted]
    Subject: DHL Shipment 458878382814 Delivered
    You can track this order by clicking on the following link:
    https ://www .dhl .com/apps/dhltrack/?action=track&tracknumbers=458878382814&language=en&opco=FDEG&clientype=ivother
    Please do not respond to this message. This email was sent from an unattended mailbox. This report was generated at approximately 08:15 am CDT on 02/05/2017.
    All weights are estimated.
    The shipment is scheduled for delivery on or before the scheduled delivery displayed above. DHL does not determine money-back guarantee or delay claim requests based on the scheduled delivery. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL customer support representative.
    This tracking update has been sent to you by DHL on behalf of the Requestor [redacted]. DHL does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor's message, or the accuracy of this tracking update.
    Standard transit is the date the package should be delivered by, based on the selected service, destination, and ship date. Limitations and exceptions may apply. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL Customer Support representative.

    In this case the link goes to parkpaladium .com/DHL24/18218056431/ and downloads a file
    DHL-134843-May-02-2017-55038-8327373-1339347112.js. According to Malwr* and Hybrid Analysis** the script downloads a binary from
    micromatrices .com/qwh7zxijifxsnxg20mlwa/ (77.92.78.38 - UK2, UK) and then subsequently attempts communication with
    75.25.153.57 (AT&T, US)
    79.170.95.202 (XL Internet Services, Netherlands)
    87.106.148.126 (1&1, Germany)
    78.47.56.162 (Mediaforge, Germany)
    81.88.24.211 (dogado GmbH, Germany)
    92.51.129.235 (Host Europe, Germany)
    74.50.57.220 (RimuHosting, US)
    The dropped binary has a VirusTotal detection rate of 10/60***.
    Recommended blocklist:
    77.92.78.38
    75.25.153.57
    79.170.95.202
    87.106.148.126
    78.47.56.162
    81.88.24.211
    92.51.129.235
    74.50.57.220"
    * https://malwr.com/analysis/ODdmNWU5Y...QyOTA1ZjM3MjM/
    Hosts
    77.92.78.38
    79.170.95.202

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    77.92.78.38
    75.25.153.57
    79.170.95.202
    87.106.148.126
    78.47.56.162
    81.88.24.211
    92.51.129.235
    74.50.57.220

    *** https://virustotal.com/en/file/33f31...is/1493719562/
    mlgih3wgw.exe
    ___

    Fake 'Secure email' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    2 May 2017 - "An email with the subject of 'Secure email message' pretending to come from Companies House but actually coming from a look alike domain <noreply@ cp-secure-message .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...re-message.png

    SecureMessage.doc - Current Virus total detections 5/55*. Payload Security** shows a download from
    http ://gestionbd .com/fr/QMjJrcCrHGW9sb6uF.png which of course is -not- an image file but a renamed .exe file that gets renamed to Epvuyf.exe and autorun (VirusTotal 8/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1493724795/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.138.226.110
    50.19.97.123
    186.208.111.188
    82.146.94.86

    *** https://www.virustotal.com/en/file/c...is/1493725297/
    Epvuyf.exe

    gestionbd .com: 216.138.226.110: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/60...5290/analysis/
    ___

    Cerber Ransomware - evolution
    - http://blog.trendmicro.com/trendlabs...are-evolution/
    May 2, 2017 - "... enterprises and individual users alike are taking the brunt, with the U.S. accounting for much of Cerber’s impact. We’ve also observed Cerber’s adverse impact among organizations in education, manufacturing, public sector, technology, healthcare, energy, and transportation industries:
    Top countries affected by Cerber:
    > https://blog.trendmicro.com/trendlab.../cerber6-1.jpg
    Infection chain of Cerber Version 6:
    > https://blog.trendmicro.com/trendlab.../cerber6-2.jpg
    Adding a time delay in the attack chain enables Cerber to elude traditional sandboxes, particularly those with time-out mechanisms or that wait for the final execution of the malware. Other JS files we saw ran powershell.exe (called by wscript.exe) whose parameter is a PowerShell script — the one responsible for downloading the ransomware and executing it in the system:
    Sample Cerber 6-carrying spam email posing as a public postal service agency:
    > https://blog.trendmicro.com/trendlab.../cerber6-4.jpg
    ... Cerber was updated with the capability to integrate the infected system into botnets, which were employed to conduct distributed denial of service (DDoS) attacks. By July, a spam campaign was seen abusing cloud-based productivity platform Office 365 through Office documents embedded with a malicious macro that downloads and helps execute the ransomware. Exploit kits are also a key element in Cerber’s distribution. Cerber-related malvertising campaigns were observed in 2016 diverting users to Magnitude, Rig, and Neutrino — which has since gone private — exploit kits that target system or software vulnerabilities. This year, we’re seeing relatively new player Sundown exploit kit joining the fray... Cerber’s distribution methods remain consistent, we’ve seen newer variants delivered as self-extracting archives (SFX package) containing malicious Visual Basic Script (.VBS) and Dynamic-link library (.DLL) files that execute a rather intricate attack chain compared to other versions... it’s one of the signs of things to come for Cerber. It is not far-fetched for Cerber to emulate how Locky constantly changed email file attachments in its spam campaigns by expanding arrival vectors beyond JS files and PowerShell scripts — from JScript to HTML Application (.HTA) and compressed binary files (.BIN) — and exploiting file types that aren’t usually used to deliver malware... we’re currently seeing .HTA files being leveraged by a campaign that uses Cerber as payload. Our initial analysis indicates that the campaign, which we began monitoring by the third week of April, appears to be targeting Europe. We also found the same campaign attacking two Latin American countries. This campaign is notable for displaying Cerber’s ransom note in the local language of the infected system. It uses an .HTA file to show the online message/ransom note as well as detect the local language to be displayed...
    Cerber’s evolution reflects the need for organizations and end users to be aware of today’s constantly evolving threats. End users risk losing money and their important personal files to ransomware; it also threatens organizations’ business operations, reputation, and bottom line. While there is no silver bullet against ransomware, keeping systems up-to-date, taking caution against unsolicited and suspicious emails, regularly backing up important files, and cultivating a culture of cybersecurity in the workplace are just some of the best practices for defending against ransomware. IT/system administrators and information security professionals can further defend their organization’s perimeter by incorporating additional layers of security against suspicious files, processes, applications, and network activity that can be exploited and leveraged by ransomware. Users and businesses can also benefit from a multilayered approach to security that covers the gateway, endpoints, networks, and servers..."
    (More detail at the trendmicro URL above.)

    Last edited by AplusWebMaster; 2017-05-02 at 23:58.
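The Dynamoo write-up in the post above ends with a "Recommended blocklist", and most posts in this thread carry a "Contacted Hosts" list from the sandbox report. As an added example (not code from the post, from Dynamoo or from any of the quoted sources), the following Python turns such free-text IoC lists into a validated blocklist, checks proxy log lines against it, and renders firewall rules. The IoC text and the log lines are constructed for the example: they reuse the addresses the post lists, use RFC 5737 documentation addresses for the benign traffic, and include a loopback address only to show that non-routable addresses are filtered out; the `iptables` output is one assumed rule format, not something the post recommends.

```python
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LOG_DST_RE = re.compile(r"\bdst=(\S+)")

# Constructed sample in the shape of the post's "Recommended blocklist" / "Contacted Hosts"
# sections. The routable addresses are the ones the post lists; 127.0.0.1 is added only to
# show the filter for non-global addresses.
SAMPLE_IOC_TEXT = """\
Recommended blocklist:
77.92.78.38
75.25.153.57
79.170.95.202
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
87.106.148.126
78.47.56.162
Hosts
127.0.0.1
"""

# Constructed proxy log lines; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges
SAMPLE_PROXY_LOG = [
    "2017-05-02T09:41:02Z src=192.0.2.15 dst=77.92.78.38 dport=80 host=micromatrices.com",
    "2017-05-02T09:41:05Z src=192.0.2.15 dst=203.0.113.20 dport=443 host=intranet.example",
    "2017-05-02T09:42:10Z src=192.0.2.22 dst=75.25.153.57 dport=443 host=-",
]


def extract_ipv4(text):
    """Collect every valid, globally routable IPv4 address mentioned in free text.
    Loopback, private and reserved ranges are dropped so a sandbox's or lab's own
    addresses never end up in a blocklist by accident."""
    found = set()
    for m in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(0))
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255
        if ip.is_global:
            found.add(str(ip))
    return found


def match_log(lines, blocklist):
    """(line_number, dst) for every log line whose destination is on the blocklist."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_DST_RE.search(line)
        if m and m.group(1) in blocklist:
            hits.append((n, m.group(1)))
    return hits


def render_rules(blocklist):
    """iptables OUTPUT drop rules, sorted numerically so repeated runs diff cleanly."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP"
            for ip in sorted(blocklist, key=ipaddress.IPv4Address)]


if __name__ == "__main__":
    blocklist = extract_ipv4(SAMPLE_IOC_TEXT)
    for n, dst in match_log(SAMPLE_PROXY_LOG, blocklist):
        print(f"line {n}: contact with blocklisted host {dst}")
    print("\n".join(render_rules(blocklist)))
```

The `is_global` filter is the part worth keeping even if the rest is replaced by a SIEM lookup: sandbox reports routinely list the analysis host's own addresses, and copying those into a block rule breaks the analyst's tooling rather than the malware's.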

  6. #1196
    AplusWebMaster

    Fake 'PAYMENT', 'document', 'BACs Documents' SPAM, Trojan via js files

    FYI...

    Fake 'PAYMENT' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...-link-exploit/
    4 May 2017 - "An email with the subject of 'PAYMENT FOR YAREED' (I am assuming random names) coming from random names and email addresses with a malicious word doc attachment delivers some sort of malware via the CVE-2017-0199 word/rtf embedded ole -link- exploit...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...for-yareed.png

    PO NO- YAREED-2017.doc (30kb) - Current Virus total detections 16/56*. Payload Security** shows a download of an hta file from
    http ://alguemacultural .com/enessss.hta (VirusTotal 0/52***) (Payload Security[4])
    The smaller second word doc also contacts the -same- location & downloads the -same- file
    PO NO- YAREED-2017.doc (7kb) - Current Virus total detections 16/55[5] | Payload Security[6]
    ... The hta file is an executable html file that internet explorer -will- run... which is an encoded powershell script... which when decoded looks like this which downloads the genuine putty.exe from
    https ://the.earth .li/~sgtatham/putty/0.68/w32/putty.exe which is -renamed- to nextobad.exe and autorun...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1493869646/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    174.136.152.24

    *** https://www.virustotal.com/en/file/9...is/1493870176/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    46.43.34.31

    5] https://www.virustotal.com/en/file/8...is/1493869660/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    174.136.152.24

    alguemacultural .com: 174.136.152.24: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/fc...dfbf/analysis/

    the.earth .li: 46.43.34.31: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/87...faa1/analysis/
    ___

    Fake 'document' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/open-...de-of-malware/
    4 May 2017 - "... An email with the subject using -random- characters pretending to come from somebody that the recipient knows with a-link-to -download- a malicious word doc that delivers some sort of multi-stage malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...Q-03681348.png

    ZPDML-36-45320-document-May-04-2017.doc - Current Virus total detections 7/56*. Payload Security** shows a download from -numerous- different locations via powershell which gives 23905.exe (VirusTotal ***) (Payload Security[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1493873579/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://www.virustotal.com/en/file/9...is/1493852073/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts

    ___

    Fake 'BACs Documents' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    4 May 2017 - "An email with the subject of 'Important BACs Documents' pretending to come from Lloyds Bank but actually coming from a look-a-like domain <secure@ lloydsbankdocuments .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-documents.png

    BACs.doc - Current Virus total detections 6/56*. Payload Security** shows a download from
    http ://www .247despatch .co.uk/grabondanods.png which of course is -not- an image file but a renamed .exe file that gets renamed to Gehsp.exe and autorun (VirusTotal 12/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1493896398/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://www.virustotal.com/en/file/1...is/1493896665/

    247despatch .co.uk: 91.102.64.132: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/89...6ed9/analysis/
    ___

    Fake multiple subjects/attachments SPAM - delivers Trojan via js files
    - https://myonlinesecurity.co.uk/massi...-via-js-files/
    4 May 2017 - "... There have been numerous -different- subjects and campaign themes... some of them here:
    'Our reference: 733092244' pretending to come from Eli Murchison <Hughchaplin@ yahoo .de>
    'Hotel booking confirmation (Id:022528)' pretending to come from Booking <noreply@ sgs.bookings .com>
    'DHL Shipment Notification : 0581957002' pretending to come from DHL Customer Support <support@ dhl .com>
    'Re: img' pretending to come from seisei-1@ yahoo .de
    'scan' pretending to come from stephen@ arrakis .es
    Some of the file attachment names, -all- extracting to .js files, include:
    reservation details 9I2XIIWTM.zip (VirusTotal [1]| Payload Security[2])
    info-DOMESTIC_EXPRESS Pickup Date2017-05-04.zip (VirusTotal [3]| Payload Security[4])
    img-A34401586965107279 jpeg.zip (VirusTotal [5]| Payload Security[6])
    CCPAY9196902168.zip (VirusTotal [7]| Payload Security[8])
    Scan P.1 0967945763.zip which is slightly different because it extracts -2- different .js files
    (VirusTotal[9]| Payload Security[10]) (VirusTotal[11]| Payload Security[12])

    Screenshots[1]: https://myonlinesecurity.co.uk/wp-co...-Id-022528.png

    2] https://myonlinesecurity.co.uk/wp-co...-733092244.png

    3] https://myonlinesecurity.co.uk/wp-co...0581957002.png

    4] https://myonlinesecurity.co.uk/wp-co.../05/re_img.png

    5] https://myonlinesecurity.co.uk/wp-co...birch_scan.png

    -All- of these download the -same- malware from
    http ://horcor .com/ese.tf -or-
    http ://www .nemcicenadhanou .cz/nvdtime.prs which are -renamed- .exe files that are -renamed- to an .exe file and autorun (VirusTotal[13]| Payload Security[14])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/4...is/1493904287/

    2] https://www.hybrid-analysis.com/samp...ironmentId=100

    13] https://www.virustotal.com/en/file/c...is/1493900783/

    14] https://www.hybrid-analysis.com/samp...ironmentId=100

    horcor .com: 47.91.92.64: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/aa...d426/analysis/
    Malicious site

    nemcicenadhanou .cz: Could not find an IP address for this domain name. [May have been taken down...]

    Last edited by AplusWebMaster; 2017-05-04 at 20:28.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #1197 - AplusWebMaster (Adviser Team)

    Fake 'Payment Advice' SPAM, 'update your mailbox' - phish

    FYI...

    Fake 'Payment Advice' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    8 May 2017 - "... an email with the subject of 'FW: Payment Advice – Advice Ref:[G32887529930] / Priority payment / Customer Ref:[03132394]' pretending to come from HSBC Advising Service <050717.advisingservice@ mail .com>....

    Screenshot: https://myonlinesecurity.co.uk/wp-co...vice-email.png

    Payment_Advice.zip: Extracts to: Payment_Advice.scr - Current Virus total detections 32/62*. MALWR**...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1494218279/

    ** https://malwr.com/analysis/ZGM1MWIxN...QwYTlmZGRkMzQ/
    ___

    Fake 'update your mailbox' - phish
    - https://myonlinesecurity.co.uk/fake-...phishing-scam/
    8 May 2017 - "... pretends to be a message from 'Email Support' to 'Update Your Mailbox'. Of course these do -not- come from Microsoft or Live .com but are -spoofed- to appear to come from them...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...hing-email.png

    If you follow the link inside the email you see a webpage looking like this:
    http ://www.mir-holoda .by/pic/fanc/en-gb/?email=jeremiah@ thespykiller .co.uk (where the email address the email was sent to is automatically inserted):
    > https://myonlinesecurity.co.uk/wp-co...5/mailbox1.png

    After you input your password, you first get told “checking details” then “incorrect details” and forwarded to an almost identical looking page where you can put it in again:
    > https://myonlinesecurity.co.uk/wp-co...5/mailbox2.png

    > https://myonlinesecurity.co.uk/wp-co...5/mailbox3.png

    > https://myonlinesecurity.co.uk/wp-co...5/mailbox4.png

    ... Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information..."

    mir-holoda .by: 91.149.189.125: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/5d...8c26/analysis/


  8. #1198 - AplusWebMaster (Adviser Team)

    Fake 'Loan Program' SPAM

    FYI...

    Fake 'Loan Program' SPAM - delivers js malware
    - https://myonlinesecurity.co.uk/fake-...vers-hancitor/
    10 May 2017 - "... an email with the subject of 'HSBC Bank – 24086 Loan Program Notification' coming from noreply9@ creditsupport .gdn which delivers what looks like hancitor malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...tification.png

    report_24086.7z: Extracts to: order_case_713b0e2.js - Current Virus total detections 2/57*. Payload Security** shows a download from
    http ://dacsanmiennuiphiabac .com/me.php?ff1 which delivers iscsmcbu .exe (VirusTotal 5/61***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1494433995/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    103.28.38.73

    *** https://www.virustotal.com/en/file/9...is/1494423788/

    dacsanmiennuiphiabac .com: 103.28.38.73: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/ca...caab/analysis/


  9. #1199 - AplusWebMaster (Adviser Team)

    Fake 'pdf attachment', 'DHL Statements', 'nm.pdf', DHL, 'invoice' SPAM

    FYI...

    Fake 'pdf attachment' SPAM - delivers Locky/Dridex
    - https://myonlinesecurity.co.uk/more-...f-attachments/
    11 May 2017 - "... well-used email template with subjects varying, with literally hundreds if not thousands of subjects. These generally deliver either Locky ransomware or Dridex banking Trojan.
    File_69348406
    PDF_9859
    Scan_2441975
    Document_11048
    Copy_9762
    They -all- have a pdf attachment that drops a word doc with macros... all downloads from these locations which delivers an encrypted txt file that should be converted by the macro to a working.exe file but Payload security.... doesn’t seem able to convert it...
    wipersdirect .com/f87346b
    tending .info/f87346b
    julian-g .ro/f87346b

    I am being told this is a -new- ransomware called jaff ransomware*...
    * https://twitter.com/siri_urz/status/862586080507424769
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

    wipersdirect .com: 108.165.22.125: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/4a...9ec3/analysis/

    tending .info: 80.75.98.151: https://www.virustotal.com/en/ip-add...1/information/

    julian-g .ro: 86.35.15.215: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/46...2654/analysis/
    ___

    Fake 'DHL Statements' SPAM - delivers js malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    11 May 2017 - "... an email with the subject of '6109175302 Statements x Requests Required' (random numbers) pretending to come from bgyhub@ dhl .com with a zip attachment containing -2- differently named .js files which delivers some sort of malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...s-Required.png

    TYPE OF GOODS_DECLARATION.zip: Extracts to: DECLARATION (FORM).PDF.js -and- TYPE OF GOODS DOC.pdf.js
    Current Virus total detections [1] [2]: Payload Security [3] [4] shows a download from one or both of these locations:
    http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs which is renamed and autorun by the script (VirusTotal [5]) (Payload Security[6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/3...is/1494487534/

    2] https://www.virustotal.com/en/file/a...is/1494487531/

    3] https://www.hybrid-analysis.com/samp...ironmentId=100

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    5] https://www.virustotal.com/en/file/2...is/1494488118/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    schuetzen-neusalz .de: 85.13.146.159: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/45...c5ce/analysis/

    wersy .net: 217.29.53.99: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/5d...680e/analysis/
    ___

    Malware spam with 'nm.pdf' attachment
    - http://blog.dynamoo.com/2017/05/malw...ttachment.html
    11 May 2017 - "Currently underway is a malicious spam run with various subjects, for example:
    Scan_5902
    Document_10354
    File_43359
    Senders are random, and there is -no- body text. In -all- cases there is a PDF attached named nm.pdf with an MD5 of D4690177C76B5E86FBD9D6B8E8EE23ED -or- 6B305C5B59C235122FD8049B1C4C794D (and possibly more). Detection rates at VirusTotal are moderate [1] [2].
    The PDF file contains an embedded Word .docm macro document. Hybrid Analysis [3] [4] is partly successful, but it shows a run-time error for the malicious code, but it does demonstrate that the malicious .docm file is dropped with a detection rate of 15/58[5].
    Putting the .docm file back into Hybrid Analysis and Malwr [6] [7] shows the same sort of results, namely a download from:
    easysupport .us/f87346b ...
    UPDATE: A contact pointed out this Hybrid Analysis[X] which looks like basically the same thing, only in this sample the download seems to work. Note the references to "jaff" in the report, which -matches- this Tweet[8] about something called "Jaff ransomware".
    That report also gives two other locations to look out for:
    trialinsider .com/f87346b
    fkksjobnn43 .org/a5/

    This currently gives a recommended blocklist of:
    47.91.107.213
    trialinsider .com
    easysupport .us
    "
    1] https://virustotal.com/en/file/e148f...is/1494492097/

    2] https://virustotal.com/en/file/0ee0b...is/1494492251/

    3] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    198.58.93.28 - easysupport .us
    - https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/23...e188/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    198.58.93.28 - easysupport .us

    5] https://virustotal.com/en/file/60446...is/1494492613/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100
    198.58.93.28 - easysupport .us

    > https://www.virustotal.com/en/url/23...e188/analysis/

    7] https://malwr.com/analysis/NjE5YjEyN...Y1NjU5ZDViNzk/

    8] https://twitter.com/malwrhunterteam/...97006363152385

    X] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    107.154.168.227 - trialinsider .com
    47.91.107.213 - fkksjobnn43 .org

    trialinsider .com: 107.154.161.227: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/5c...291a/analysis/
    107.154.168.227: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/5c...291a/analysis/

    fkksjobnn43 .org: 47.91.107.213: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/71...e012/analysis/
    ___

    Fake 'DHL' SPAM - delivers Trojan
    - https://myonlinesecurity.co.uk/more-...anking-trojan/
    11 May 2017 - "... an email with the subject of 'Fwd: DHL Redelivery Confirmation #574068024996' (random numbers) pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers Ursnif banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...redelivery.png

    request-redelivery-2017053299810.pdf.js - Current Virus total detections 1/57*. Payload Security** shows a download from one or both of these locations
    http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
    which is -renamed- and autorun by the script (VirusTotal 9/62***) (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1494500118/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/2...is/1494488118/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    schuetzen-neusalz .de: 85.13.146.159: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/45...c5ce/analysis/

    wersy .net: 217.29.53.99: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/5d...680e/analysis/
    ___

    Fake 'invoice' SPAM - using docs with embedded ole objects
    - https://myonlinesecurity.co.uk/ursni...d-ole-objects/
    11 May 2017 - "... banking Trojans. This one is using a different delivery method to try to throw us off track... this has a word docx attachment that contains an embedded ole object that when you click on the blurry image in the word doc, thinking you are opening an invoice you actually open & run the embedded hidden .js file. This pretends to be an invoice coming from random senders:
    > https://myonlinesecurity.co.uk/wp-co...ole-object.png

    Screenshot: https://myonlinesecurity.co.uk/wp-co...zi-invoice.png

    7398219046.docx - Current Virus total detections 2/58*. Payload Security** shows the dropped .js file but doesn’t make it available for download. I had to get that manually (VirusTotal 1/55***) (Payload Security[4]) which shows
    the same connections and download from one or both of these locations
    http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
    which is renamed and autorun by the script (VirusTotal 9/62[5]) (Payload Security[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1494509580/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/6...is/1494508789/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    5] https://www.virustotal.com/en/file/2...is/1494488118/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    schuetzen-neusalz .de: 85.13.146.159: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/45...c5ce/analysis/

    wersy .net: 217.29.53.99: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/5d...680e/analysis/
    ___

    New ‘Jaff’ ransomware via Necurs ...
    - https://blog.malwarebytes.com/cyberc...sks-for-2-btc/
    May 11, 2017 - "... yet another ransomware on the block, but contrary to the many copycats out there this one appears to be more serious and widespread since it is part of the Necurs spam campaigns... Jaff ransomware looks very identical to Locky in many ways: same distribution via the Necurs botnet, same PDF that opens up a Word document with a macro, and also similar payment page:
    > https://blog.malwarebytes.com/wp-con...7/05/email.png
    ...
    > https://blog.malwarebytes.com/wp-con...Jaff_decoy.png
    ... this is where the comparison ends, since the code base is different as well as the ransom itself. Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing:
    > https://blog.malwarebytes.com/wp-con.../encrypted.png
    ... the return of Locky after a short hiatus has not been as big as anticipated. The appearance of the Jaff ransomware may also take away some market shares from it."

    Last edited by AplusWebMaster; 2017-05-12 at 14:29.
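    The delivery chain the 'pdf attachment' and 'nm.pdf' items above describe (a PDF carrying an embedded macro Word doc that an auto-run action hands to Word) can be triaged on the receiving side before anyone opens the attachment. The script below is an added example, not code from the forum post or the quoted blogs: it looks for embedded files, Office macro container names and auto-run triggers in a PDF, including inside Flate-compressed streams, using only the Python standard library. Both PDFs in it are constructed; the file name N5OSUHX.docm is the one quoted in the thread, and the embedded "document" is a four-byte stub.

```python
# Added example, not code from the forum post or the quoted blogs. Assumes only
# the Python standard library; the two PDFs at the bottom are constructed.
import re
import zlib

# File names that have no business riding inside an e-mailed PDF.
MACRO_CONTAINER_EXT = (".docm", ".dotm", ".xlsm", ".xlam", ".pptm",
                       ".doc", ".xls", ".js", ".jse", ".vbs", ".hta",
                       ".exe", ".scr")


def _inflated_streams(data: bytes):
    """Yield the decompressed body of every Flate stream that inflates cleanly.

    Real droppers keep the Filespec and action dictionaries inside compressed
    streams, so scanning only the raw bytes would miss them.
    """
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            # decompressobj tolerates the trailing EOL before "endstream".
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (e.g. the embedded file itself)


def scan_pdf(data: bytes) -> dict:
    """Collect embedded-file and auto-run indicators and give a coarse verdict."""
    blob = b"\n".join([data, *_inflated_streams(data)])
    names = {n.decode("latin-1")
             for n in re.findall(rb"/U?F\s*\(([^)]*)\)", blob)}  # /F and /UF
    f = {
        "embedded_files": len(re.findall(rb"/Type\s*/EmbeddedFile\b", blob)),
        "file_names": sorted(names),
        "macro_containers": sorted(
            n for n in names if n.lower().endswith(MACRO_CONTAINER_EXT)),
        "open_action": bool(re.search(rb"/(?:OpenAction|AA)\b", blob)),
        "javascript": bool(re.search(rb"/(?:JavaScript|JS)\b", blob)),
        "launch": bool(re.search(rb"/Launch\b", blob)),
        # Acrobat JavaScript API that extracts an attachment and opens it.
        "export_data_object": b"exportDataObject" in blob,
    }
    auto_run = f["open_action"] or f["javascript"] or f["launch"]
    if f["macro_containers"] or (f["embedded_files"] and auto_run):
        f["verdict"] = "suspicious"
    elif f["embedded_files"] or auto_run:
        f["verdict"] = "review"
    else:
        f["verdict"] = "clean"
    return f


# Constructed sample in the shape the reports describe: an embedded .docm
# (a four-byte stub here) reachable via /Names /EmbeddedFiles, its Filespec
# hidden in a Flate-compressed stream, and an /OpenAction script that would
# hand the attachment to Word. The file name is the one quoted in the thread.
_HIDDEN = zlib.compress(
    b"3 0 obj << /Type /Filespec /F (N5OSUHX.docm) /EF << /F 4 0 R >> >>\nendobj\n")
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R\n"
    b"  /Names << /EmbeddedFiles << /Names [(N5OSUHX.docm) 3 0 R] >> >> >>\nendobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 4 >>\nstream\nPK\x03\x04\nendstream\nendobj\n"
    b"5 0 obj << /S /JavaScript\n"
    b"  /JS (this.exportDataObject({cName:'N5OSUHX.docm', nLaunch:2})) >>\nendobj\n"
    b"6 0 obj << /Filter /FlateDecode /Length " + str(len(_HIDDEN)).encode()
    + b" >>\nstream\n" + _HIDDEN + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign PDF with no attachments or actions, for the negative case.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >>\nendobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(label, scan_pdf(pdf))
```

    A "suspicious" verdict here is a reason to detonate the file in a sandbox or block it at the gateway, not proof of malice on its own; benign PDF portfolios also carry embedded files, which is why the macro-container names and auto-run triggers are weighed together.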

  10. #1200 - AplusWebMaster (Adviser Team)

    Fake 'Scanned image' SPAM, Necurs botnet, U.K. Hospitals Hit - Ransomware

    FYI...

    Fake 'Scanned image' SPAM - delivers jaff ransomware
    - https://myonlinesecurity.co.uk/scann...ff-ransomware/
    12 May 2017 - "An email with the subject of 'Scanned image' coming or pretending to come from random email addresses with a pdf attachment that contains an embedded malicious word doc delivers jaff ransomware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-image_pdf.png

    20170512605164.pdf - which drops N5OSUHX.docm - Current Virus total detections [pdf*] [docm**]:
    Payload Security [pdf...] [docm(4)] shows a download of an encrypted txt file from
    http ://trebleimp .com/77g643 which is converted by the macro to ratchet20.exe ... It also shows a connection to
    http ://h552terriddows .com/a5/ which gives a created message...
    >> Update: managed to get the ratchet20.exe file via:
    > https://jbxcloud.joesecurity.org/analysis/268338/1/html - (VirusTotal [5]) (Payload Security[6])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1494559929/

    ** https://www.virustotal.com/en/file/4...is/1494562144/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    27.254.44.204
    47.91.107.213


    5] https://www.virustotal.com/en/file/0...is/1494559081/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    trebleimp .com: 27.254.44.204: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/69...c8ba/analysis/

    h552terriddows .com: 47.91.107.213: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/52...cafd/analysis/
    ___


    U.K. Hospitals Hit - Widespread Ransomware Attack
    - https://krebsonsecurity.com/2017/05/...omware-attack/
    May 12, 2017 - "At least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware... there are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft:
    Ransom note left behind on computers infected with the Wanna Decryptor ransomware strain.
    Image: BleepingComputer

    > https://krebsonsecurity.com/wp-conte...na-580x285.png
    In a statement*, the U.K.’s National Health Service (NHS) said a number of NHS organizations had suffered ransomware attacks... According to CCN-CERT, that flaw is MS17-010**, a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers rely upon to share files and printers across a local network. Malware that exploits SMB flaws could be extremely dangerous inside of corporate networks because the file-sharing component may help the ransomware spread rapidly from one infected machine to another..."
    * https://www.digital.nhs.uk/article/1...S-cyber-attack

    ** https://technet.microsoft.com/en-us/.../ms17-010.aspx
    March 14, 2017

    Last edited by AplusWebMaster; 2017-05-12 at 23:01.
