
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1211 AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Fake 'Flash Update'

    FYI...

    Fake 'Flash Update' - malware
    - https://myonlinesecurity.co.uk/fake-...mate-websites/
    31 May 2017 - "... I was reading a page on my local newspaper... 'got a divert and a big red warning:
    > https://myonlinesecurity.co.uk/wp-co...fake-flash.png
    ... the page I was diverted to (a -fake- flash player update page) is
    https ://izaiye-interactive .net/6141452444727/01296f4851adb85de3a1ad2335c429c8/52ebc0f94a7674f6db533556c202e52f.html
    ... They are using an SSL prefix HTTPS but there is -no- padlock in the url to confirm this. An HTA file is automatically downloaded (or attempted to be) (VirusTotal 6/55*) (Payload Security**) - if allowed to run unfettered this hta file would download and autorun:
    https ://izaiye-interactive .net/6141452444727/1496218715917605/FlashPlayer.jse
    (VirusTotal [3]) (Payload Security[4])... similar attack recently documented:
    > https://myonlinesecurity.co.uk/fake-...on-legit-site/
    9 Apr 2017
    ...izaiye-interactive .net was registered yesterday on 30 May 2017 using what are obviously -fake- registrants details via PUBLICDOMAINREGISTRY .COM and hosted on 206.221.189.43 reliablesite .net ..."
    * https://www.virustotal.com/en/file/4...is/1496218758/
    FlashPlayer.hta

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    206.221.189.43

    3] https://www.virustotal.com/en/file/d...is/1496219889/
    FlashPlayer.jse

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    izaiye-interactive .net: Could not find an IP address for this domain name. (May have been taken down.)

    206.221.189.43: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/77...607d/analysis/

    > https://www.virustotal.com/en/url/66...4594/analysis/

    Last edited by AplusWebMaster; 2017-05-31 at 15:51.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1212 AplusWebMaster (Adviser Team)

    Fake 'FedEx USPS UPS' SPAM

    FYI...

    Fake 'FedEx USPS UPS' SPAM - delivers Kovter and ransomware
    - https://myonlinesecurity.co.uk/fake-...nd-ransomware/
    1 Jun 2017 - "... malware via the “cannot deliver your parcel notifications” or “check where your parcel is”
    -spoofing- FedEx, DHL, UPS, USPS etc. have changed the delivery method. The emails are still very similar to the ones we are used to seeing with this sort of subject line:
    USPS issue #06914074: unable to delivery parcel
    Parcel #006514814 shipment problem, please review
    USPS parcel #3150281 delivery problem
    Courier was not able to deliver your parcel (ID006976677, USPS)
    Parcel 05836911 delivery notification, USPS
    Delivery Status Notification

    ... What has changed is the -attachment- to the emails contains the malware. These now contain an HTML attachment that when opened displays a webpage on your computer that pretends to be a Microsoft Word online website and says you need to download the 'MSOffice365 Webview Plugin update', with a -blurry-image- of scrambled writing in the background with this message prominently displayed:
    'This document cannot be read in your browser. Download and install latest plugin version':
    > https://i2.wp.com/myonlinesecurity.c...view.png?ssl=1

    Email screenshot: https://i2.wp.com/myonlinesecurity.c...tion.png?ssl=1

    ... 'previously described in THIS post from Mid April 2017* which shows the obfuscated/encoded nature of the files and how to decode/de-obfuscate them... At that time they linked to a remote website using the -fake- MSOffice365 scam. These malware gangs use a mix-and-match of different techniques to try to stay one step ahead of researchers and antivirus companies and gain more victims:
    * https://myonlinesecurity.co.uk/chang...ering-malware/
    ... Infection chain from 31 May 2017:
    1. FedEx-Delivery-Details-ID-8AXP4QH0.doc.html attachment (VirusTotal 2/56[1]) (Payload Security[2])
    2. Install-MSOffice365-WebView-Plugin-Update-0.165.11a.zip extracts to:
    3. Install-MSOffice365-WebView-Plugin-Update-0.165.11a.exe.js (VirusTotal 8/55[3]) (Payload Security[4])
    Counter.js (VirusTotal 5/56[5]) which downloads 2 files pretending to be png (image files that are -renamed- .exe files) 1.exe currently Cerber -Ransomware- (VirusTotal 8/61[6]) (Payload Security[7]) 2.exe currently Kovter
    (VirusTotal 12/60[8]) (Payload Security[9]). The 5 sites embedded in the original webview plugin.js are:
    leadsfunnel360 .com
    khushsingh .com
    kskazan .ru
    moodachainzgear .com
    thegreenbook .ca
    ... where you get counter.js ... that when decrypted gives these 5 sites:
    sharplending .com
    moodachainzgear .com
    buildthenewcity .biz
    valdigresta .com
    leadsfunnel360 .com
    ... Where <sitename>/counter/?1 gives the Cerber ransomware and <sitename>/counter/?2 gives Kovter... the js files try to contact the sites in order they are listed. It then tries each combination of sitename/counter/etc. and if any site fails to respond, then moves to next site in the list and continues to do that until the counter.js & the actual malware files are downloaded-and-run on the victim’s computer... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/6...is/1496239829/
    FedEx-Delivery-Details-ID-8AXP4QH0.doc.html

    2] https://www.hybrid-analysis.com/samp...ironmentId=100

    3] https://www.virustotal.com/en/file/4...is/1496240000/
    Install-MSOffice365-WebView-Plugin-Update-0.165.11a.exe.js

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (1279)

    5] https://www.virustotal.com/en/file/0...is/1496296754/
    COUNTER[1].js

    6] https://www.virustotal.com/en/file/0...is/1496240581/
    60[1].png

    7] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (1089)

    8] https://www.virustotal.com/en/file/7...is/1496240649/
    11.exe

    9] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts (413)


    Last edited by AplusWebMaster; 2017-06-01 at 18:30.

  3. #1213 AplusWebMaster (Adviser Team)

    Fake 'Invoice', 'Message' SPAM

    FYI...

    Fake 'Invoice' SPAM - delivers Dridex
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    2 Jun 2017 - "... emails with -pdf- attachments that drop a malicious macro enabled word doc is an email with the subject of 'Invoice INV-0790' (random numbers) pretending to come from random names and email address that delivers Dridex banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-inv-0790.png

    Invoice INV-0790.pdf - Current Virus total detections 12/56*. Payload Security** drops 231GEOHJWMQN935.docm
    (VirusTotal 10/59[3]) (Payload Security[4]) downloads an encrypted txt file from
    http ://lanphuong .vn\hH60bd which is converted by the script to miniramon8.exe
    (VirusTotal 8/62[5]) (Payload Security[6]).
    There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
    lanphuong .vn\hH60bd
    newserniggrofg .net\af\hH60bd
    resevesssetornument .com\af\hH60bd
    mountmary .ca\hH60bd
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1496395482/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    3] https://www.virustotal.com/en/file/7...is/1496395712/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    5] https://www.virustotal.com/en/file/f...is/1496396221/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.141.25.23
    147.32.5.111
    192.99.108.183
    31.193.131.147


    lanphuong .vn: 112.213.85.78: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/1b...a0ad/analysis/
    ___

    Fake 'Message' SPAM - delivers Dridex
    - https://myonlinesecurity.co.uk/more-...email-address/
    2 Jun 2017 - "... emails with -pdf- attachments that drop a malicious macro enabled word doc is a blank/empty email with the subject of 'Message from KM_C224e' pretending to come from a -copier- at your email address that delivers Dridex banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...m-KM_C224e.png

    The payload & websites are exactly the -same- as described in today’s earlier Dridex malspam run using fake invoices*..."
    * https://myonlinesecurity.co.uk/fake-...anking-trojan/
    2 Jun 2017

    Last edited by AplusWebMaster; 2017-06-02 at 17:19.

  4. #1214 AplusWebMaster (Adviser Team)

    Fake 'Invoice' SPAM, 'WakeMed' Phish

    FYI...

    Fake 'Invoice' SPAM - delivers Dridex
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    5 Jun 2017 - "... emails with random numbered -pdf- attachments that drop a malicious macro enabled word doc is an email with the subject of 'Invoice' pretending to come from a random first name Holmes at random email addresses but the body of the email imitates John Miller Ltd...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...er_-Holmes.png

    ... the PDF actually having some content that makes it almost look real:
    > https://myonlinesecurity.co.uk/wp-co...129303_pdf.png

    A4 Inv_Crd 21297.pdf - Current Virus total detections 9/56*. Payload Security**
    drops Invoice_129302.docm (VirusTotal 8/59[3]) (Payload Security[4]) downloads an encrypted txt file from
    http ://spaceonline .in\8yfh4gfff which is converted by the script to miniramon8.exe (VirusTotal 13/61[5])...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1496654801/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    3] https://www.virustotal.com/en/file/b...is/1496654938/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    5] https://www.virustotal.com/en/file/c...5e97/analysis/

    spaceonline .in: 111.118.212.86: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/e3...915b/analysis/
    ___

    - http://blog.dynamoo.com/2017/06/malw...d-invoice.html
    5 Jun 2017 - "This spam pretends to come from John Miller Ltd (but doesn't) and comes with a malicious payload. The domain mentioned in the email does -not- match the company being spoofed, and varies from message to message.

    Screenshot: https://3.bp.blogspot.com/-mxosSM7W0...ohn-miller.png

    The attachment currently has a detection rate of about 9/56*. As is common with some recent attacks, the PDF actually contains an embedded Microsoft Office document. Hybrid Analysis** shows the malicious file downloading a component from cartus-imprimanta .ro/8yfh4gfff (176.126.200.56 - HostVision SRL, Romania) although other -variants- possibly exist. A file is dropped (in the HA report called miniramon8.exe) at detection rate of 11/61***. According to the Hybrid Analysis report, that attempts to communicate with the following IPs:
    192.48.88.167 (Tocici LLC, US)
    89.110.157.78 (netclusive GmbH, Germany)
    85.214.126.182 (Strato AG, Germany)
    46.101.154.177 (Digital Ocean, Germany)
    The payload is not clear at this time, but it will be nothing good.
    Recommended blocklist:
    192.48.88.167
    89.110.157.78
    85.214.126.182
    46.101.154.177"
    * https://virustotal.com/en/file/d9a96...is/1496654625/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://virustotal.com/en/file/c7dc1...is/1496655625/

    cartus-imprimanta .ro: 176.126.200.56: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/3d...0dc3/analysis/
    ___

    'WakeMed' Phish
    REAL 'WakeMed': http://www.wakemed.org/contact-us
    Raleigh, NC 27610

    FAKE/Phish: https://myonlinesecurity.co.uk/wakem...t-at-phishing/
    5 June 2017

    Screenshot: https://myonlinesecurity.co.uk/wp-co...RVICE-DESK.png

    "... If you follow the link you see a very badly designed webpage, complete with spelling errors, obviously created by a non-English speaker, looking like this:
    (from: http ://itupdat.tripod .com/)
    > https://myonlinesecurity.co.uk/wp-co...ipod_phish.png

    ... the spam -email- is a -compromised- (may be spoofed) Canadian Nova Scotia Department of Education address... these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

    itupdat.tripod .com: 209.202.252.101: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/53...ddb7/analysis/

    ccrsb .ca: 142.227.247.226: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Police dismantle crime network - online payment SCAMS
    - https://www.helpnetsecurity.com/2017...crime-network/
    June 5, 2017 - "The Polish National Police, working in close cooperation with its law enforcement counterparts in Croatia, Germany, Romania and Sweden, alongside Europol’s European Cybercrime Centre (EC3), have smashed a Polish organised crime network suspected of online payment scams and money laundering... Operation MOTO on 29-31 May 2017 resulted in 9 arrests including the criminal network’s masterminds, as well as 25 house searches in Poland. The perpetrators were advertising online cars as well as construction or agricultural machinery/vehicles, but never delivered the advertised goods to interested buyers, despite having received advance fee payments..."

    Last edited by AplusWebMaster; 2017-06-05 at 22:44.

  5. #1215 AplusWebMaster (Adviser Team)

    Fake 'Invoice', blank/empty, 'Message' SPAM, Office365 - Phish

    FYI...

    Fake 'Invoice' SPAM - pdf attachments drop malware
    - https://myonlinesecurity.co.uk/more-...nking-malware/
    7 Jun 2017 - "... emails with -pdf- attachments that drop a malicious macro enabled word doc... email with the subject of '32_Invoice_2220' (random numbers at start and end of invoice) pretending to come from random names and email addresses that delivers what looks like either Dridex or Emotet banking malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ff_invoice.png

    001_8951.pdf - Current Virus total detections 12/54*: Payload Security** drops 690UICEBVOFF735.docm
    ... downloads an encrypted txt file from
    http ://micolon .de/7gyb3ds which is converted by the script to krivokor8.exe
    (VirusTotal 8/61[3]) (Payload Security[4])...
    * https://www.virustotal.com/en/file/2...is/1496825964/
    001_0673.pdf

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    3] https://www.virustotal.com/en/file/7...d40c/analysis/
    krivokor8 - Copy.exe

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.218.206.69

    The -macros- in this example are very different to the ones we have previously seen. There are 3 hardcoded (slightly obfuscated) download sites in -each- macro (The first I examined had these 3):
    micolon .de/7gyb3ds
    essentialnulidtro .com/af/7gyb3ds
    suskunst .dk/7gyb3ds
    Thanks to Racco42[5], -other- download sites found include:
    5] https://twitter.com/Racco42/status/872384811301834752
    ... Malware IPs: https://pastebin.com/arUi7B1H
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    ___

    Fake blank/empty SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/more-...delivery-lure/
    7 Jun 2017 - "... an email with a blank/empty subject as well as a completely empty email body pretending to come from random senders with a malicious word doc attachment delivers Trickbot... One of the emails looks like:
    From: random senders
    Date: Wed 07/06/2017 13:15
    Subject: none
    Attachment: SCAN_0636.doc


    Body content: Totally Blank/Empty

    SCAN_0636.doc - Current Virus total detections 12/59*. Payload Security** downloads an encrypted txt file from
    http ://beursgays .com\7gyb3ds
    Still delivering the same krivokor8.exe (VirusTotal 9/61[3]) (Payload Security[4]) which is Trickbot banking Trojan.
    So far we have found these additional sites:
    essentialnulidtro .com\af\7gyb3ds
    martos .pt\7gyb3ds
    castvinyl .ru\7gyb3ds ...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1496837651/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    178.237.37.40
    50.19.227.215
    185.86.150.185


    3] https://www.virustotal.com/en/file/7...d40c/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.218.206.69

    beursgays .com: 178.237.37.40: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/f9...e378/analysis/

    essentialnulidtro .com: 119.28.85.128: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/42...1088/analysis/

    martos .pt: 91.198.47.86: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/1c...aefd/analysis/

    castvinyl .ru: 89.111.176.244: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/ff...690f/analysis/
    ___

    Fake 'Message' SPAM - delivers ransomware
    - https://myonlinesecurity.co.uk/messa...er-ransomware/
    7 Jun 2017 - "... using 'Message from KM_C224e'... using the same subject and email template but with a zip attachment containing an .exe file... pretends to come from copier @ your-own-email-domain... Confirmed: this is JAFF ransomware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ip-version.png

    SKM_C224e03215953284.zip: Extracts to: SKM_C224e9930.exe - Current Virus total detections 12/61*
    Payload Security** | MALWR***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1496843658/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    52.15.162.35

    *** https://malwr.com/analysis/ZmE3YjMxM...QxZTI4NzZlOTM/
    Hosts
    52.15.162.35: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/7f...b9a6/analysis/
    ___

    Office365 - Phish
    - https://myonlinesecurity.co.uk/fake-...ired-phishing/
    7 Jun 2017 - "... pretends to be a message from Microsoft Office365 saying 'your mailbox is full'...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...hing-email.png

    -If- you follow the link in the email, you first get sent to:
    http ://ronaldsinkwell .com.br/js/Office365/Secure/ where you get an immediate -redirection- ... and you see a webpage looking like this:
    http ://www .ftc-network .com/js/Microsoft/Office365/ :
    > https://myonlinesecurity.co.uk/wp-co...5_phishing.png

    ... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

    ronaldsinkwell .com.br: 192.185.214.91: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/9a...ff52/analysis/

    ftc-network .com: 103.13.240.186: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/b0...1b26/analysis/

    Last edited by AplusWebMaster; 2017-06-07 at 21:45.

  6. #1216 AplusWebMaster (Adviser Team)

    Fake 'eFax' SPAM

    FYI...

    Fake 'eFax' SPAM - delivers smoke/sharik/dofoil and Trickbot
    - https://myonlinesecurity.co.uk/fake-...-and-trickbot/
    7 June 2017 - "An email with the subject of 'eFax message from 0300 200 3835' – 2 pages pretending to come from efax but actually coming from a look-alike-domain eFax <message@ mail.efaxcorporate254 .top> with a malicious word doc attachment...
    mail.efaxcorporate254 .top was registered on 5 June 2017 via publicdomainregistry .com using what are obviously -fake- details and hosted on a Russian server 185.186.141.227. Other -variants- of the domain are hosted on other IPs in the ‘109.248.200.0 – 109.248.203.255′ and ‘185.186.140.0 – 185.186.143.255’ ranges. Other -variants- of this were registered between 1st and 5th June 2017...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...35-2-pages.png

    FAX_20170607_1496754696_302.doc - Current Virus total detections 7/57* Payload Security** shows a download from
    http ://5.149.250.240 /jun7.exe gets -renamed- to Pvmzgo.exe and autorun (VirusTotal 35/61[3]) Payload Security[4]. The malware on http ://5.149.250.240 is being updated at frequent intervals (currently still using jun7.exe) but I have seen 2 different versions since I originally posted... VirusTotal 10/59[5] 14/61[6] Payload Security[7]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1496851706/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    5.149.250.240
    185.159.128.150


    3] https://www.virustotal.com/en/file/4...7736/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    95.101.187.176
    185.159.128.150


    5] https://www.virustotal.com/en/file/4...is/1496866638/
    jun7_exe

    6] https://www.virustotal.com/en/file/4...is/1496899315/
    jun7.exe

    7] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    212.227.91.231
    193.104.215.58
    185.159.128.150


    > Update 8 June 2017: -another- run of same email...
    fax_20170608_96784512_336.doc - Current Virus total detections 5/55[8]. Payload Security[9] shows a download from
    http ://185.81.113.94 /jun8.exe gets -renamed- to Gqkdau.exe and autorun
    (VirusTotal 14/61[10]) Payload Security[11]...
    8] https://www.virustotal.com/en/file/3...is/1496913428/

    9] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.81.113.94
    185.159.128.150
    192.150.16.117


    10] https://www.virustotal.com/en/file/d...is/1496924193/
    jun8.exe

    11] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.81.113.94: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/fa...40e6/analysis/
    185.81.113.94 /jun8.exe
    ___

    More Fake 'eFax' SPAM - delivers malware via ole rtf exploit
    - https://myonlinesecurity.co.uk/anoth...e-rtf-exploit/
    8 Jun 2017 - "Another -fake- eFax email... subject of 'eFax message from 116 – 921 – 1271' – 5 pages pretending to come from eFax Inc <noreply@ efax .com> with a zip attachment containing a malicious word doc...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...71-5-pages.png

    QSVN19945204621.zip extracts to pxsmnxd.doc - Current Virus total detections 11/57*. Payload Security**...
    ... 'found an embedded ole object in the rtf file. It will be using a recent rtf exploit... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1496924661/
    pxsmnxd.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    5.196.42.122: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/7f...a263/analysis/

    Last edited by AplusWebMaster; 2017-06-08 at 23:07.
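    Posts #1211 and #1216 both note that the malicious domains (izaiye-interactive .net, efaxcorporate254 .top) were registered a day or a few days before the campaign and that the latter merely looks like the eFax brand. The following is an added example of a defender-side sender check, not code from the forum or the quoted blog: it flags brand look-alike domains and newly registered domains. The BRANDS list and the CREATED table are assumptions constructed for the example (a real deployment would use a vetted brand list and a live WHOIS/RDAP lookup); the refanged addresses are taken from the posts above.

```python
from datetime import date

# Brand keyword -> domains that legitimately send mail for it.
# Assumption for the example; a real deployment would use a vetted list.
BRANDS = {
    "efax": {"efax.com"},
    "fedex": {"fedex.com"},
    "usps": {"usps.com"},
}

# Constructed stand-in for a WHOIS / RDAP creation-date lookup, using the
# registration dates the posts above report. The efax.com entry is a
# placeholder old date, not the real record.
CREATED = {
    "efaxcorporate254.top": date(2017, 6, 5),
    "izaiye-interactive.net": date(2017, 5, 30),
    "efax.com": date(1990, 1, 1),
}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Good enough for .com/.net/.top here;
    a real check should consult the Public Suffix List for co.uk-style TLDs."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_domain(domain: str, seen: date, max_age_days: int = 30) -> list:
    """Flags for one registrable domain observed on the given date."""
    findings = []
    for brand, legit in BRANDS.items():
        # Substring match is deliberately loose: 'efaxcorporate254.top'
        # contains the brand name but is not one of its sending domains.
        if brand in domain and domain not in legit:
            findings.append("brand-lookalike:" + brand)
    created = CREATED.get(domain)
    if created is None:
        findings.append("no-registration-record")
    elif (seen - created).days <= max_age_days:
        findings.append(f"newly-registered:{(seen - created).days}d")
    return findings


def check_sender(from_header: str, seen: date) -> list:
    """Apply check_domain to the domain part of a From: header value.

    A spoofed *real* domain (noreply@efax.com in the second eFax run) passes
    here; that case needs SPF/DKIM/DMARC results, not registration data."""
    addr = from_header.rstrip(">").rsplit("<", 1)[-1]
    host = addr.rsplit("@", 1)[-1].strip()
    return check_domain(registrable_domain(host), seen)
```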

  7. #1217 AplusWebMaster (Adviser Team)

    Fake 'Credit Note' SPAM

    FYI...

    Fake 'Credit Note' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    9 Jun 2017 - "... an email with the subject of 'Copy Credit Note' coming or pretending to come from Anna Mills anna.mills@ random email addresses with a semi-random named zip attachment which contains another zip file which delivers a wsf file eventually delivering what looks like emotet banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...anna_mills.png

    1763904.zip extracts to AA-213-RR.zip: Extracts to: AA-213-RR.wsf - Current Virus total detections 11/55*
    Payload Security** shows a download of an encrypted file from
    http ://sellitni .com/hjgf677??RqtfrQRDh=FirlRSoaCC which is converted by the script to emsjwIjFro1.exe
    (VirusTotal 22/61[3]) which suggests it might be emotet banking malware (Payload Security[4])...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1496999598/
    AA-213-RR.wsf

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    188.165.220.204: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/12...be34/analysis/

    3] https://www.virustotal.com/en/file/e...0ba0/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    Last edited by AplusWebMaster; 2017-06-09 at 16:15.

  8. #1218 AplusWebMaster (Adviser Team)

    Fake 'invoice' SPAM

    FYI...

    Fake 'invoice' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/more-...ing-wsf-files/
    12 Jun 2017 - "... an email with the subject of 'Invoice PIS0120650' (random numbers) coming or pretending to come from NoReplyMailbox @ random companies, names and email addresses with a zip attachment which matches the subject that contains another zip file, containing a WSF file which eventually delivers what looks like it will turn out to be either Dridex or Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...PIS0120650.png

    InvoicePIS0120650.zip: extracts to LZTFBQLX6G.zip which extracts to: LZTFBQLX6G.wsf
    Current Virus total detections 12/56*. Payload Security** shows a download of an encrypted file from
    http ://ythongye .com/8yhf2ui? which is converted by the script to wvHyIX1.exe
    (VirusTotal 19/60[3]) Payload Security[4]... found 4 -different- WSF files amongst the 150 zips received:
    LZTFBQLX6G.wsf - Current Virus total detections 12/56[5]
    IZ7JAG6.wsf - Current Virus total detections 11/55[6]
    MVUN1W9FO1.wsf - Current Virus total detections 14/56[7]
    TOTAHZEQT.wsf - Current Virus total detections 14/56[8]
    Manual examination of the various WSF scripting files received shows these download Locations for the malware
    (obfuscated in the WSF file using base64 encoding & extra padding):
    78tguyc876wwirglmltm .net/af/8yhf2ui > 119.28.85.128
    e67tfgc4uybfbnfmd .org/af/8yhf2ui > 119.28.85.128
    sacrecoeur.bravepages .com/8yhf2ui? > 66.219.202.10
    ythongye .com/8yhf2ui? > 103.249.108.128
    sheekchilly .com/8yhf2ui? > 103.21.59.174
    lamartechnical .com/8yhf2ui? > 216.97.233.44
    syrianchristiancentre .org/8yhf2ui? > 103.21.58.130
    skveselka .wz.cz/8yhf2ui > 185.64.219.7
    svadba-tamada .de/8yhf2ui > 81.169.145.148
    aacom .pl/8yhf2ui? > 193.239.206.248
    smartzaa .com/8yhf2ui? > 103.21.58.252
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1497289622/
    LZTFBQLX6G.wsf

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    103.249.108.128

    3] https://www.virustotal.com/en/file/c...3277/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    103.249.108.128

    5] https://www.virustotal.com/en/file/d...is/1497289622/

    6] https://www.virustotal.com/en/file/8...is/1497281678/

    7] https://www.virustotal.com/en/file/e...is/1497294665/

    8] https://www.virustotal.com/en/file/0...is/1497294745/

    Last edited by AplusWebMaster; 2017-06-13 at 00:15.
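As an added example (not code from the original posts or from myonlinesecurity.co.uk), the following Python script statically triages an attachment of the shape described in this post and the previous one (a zip inside a zip, with a .wsf at the bottom) and pulls download URLs out of base64 blobs that carry extra padding. The sample attachment, the WSF body and the example.invalid URL are constructed here; the page does not show the real scripts' obfuscation, so the "base64 plus extra '=' padding" shape is an assumption taken from the post's description. Nothing is executed: the script is only read as bytes.

```python
"""Added example: static triage of a nested-zip attachment carrying a WSF.
Constructed input only; the script is read as bytes, never executed."""
import base64
import io
import re
import zipfile

# Extensions the Windows Script Host, mshta or java will run on double-click.
SCRIPT_EXT = (".wsf", ".jse", ".js", ".vbs", ".vbe", ".hta", ".jar")
MAX_ZIP_DEPTH = 4

# A base64 run followed by any amount of '=' (the "extra padding" the post mentions).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}=*")
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def extract_urls(script_bytes):
    """Decode every base64-looking run, tolerating junk padding, and collect
    any http(s) URL that appears in the decoded text."""
    urls = set()
    for m in B64_RE.finditer(script_bytes):
        blob = m.group(0).rstrip(b"=")
        blob += b"=" * (-len(blob) % 4)          # restore the correct padding
        try:
            plain = base64.b64decode(blob, validate=True)
        except ValueError:                        # binascii.Error is a ValueError
            continue
        for url in URL_RE.findall(plain):
            urls.add(url.decode("ascii", "replace"))
    return urls


def defang(url):
    """Render a URL so it cannot be clicked: hxxp scheme, bracketed host dots."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def analyze(zip_bytes):
    """Walk nested zips (bounded depth) and return {script member: sorted URLs}."""
    report = {}

    def walk(data, depth):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                if name.lower().endswith(".zip") and depth < MAX_ZIP_DEPTH:
                    walk(zf.read(info), depth + 1)
                elif name.lower().endswith(SCRIPT_EXT):
                    report[name] = sorted(extract_urls(zf.read(info)))

    walk(zip_bytes, 0)
    return report


# ---- constructed sample (assumed shape, not the real malware) ----
PAYLOAD_URL = b"http://example.invalid/8yhf2ui?"


def _obfuscate(url, extra_padding=6):
    """Base64 plus a tail of junk '=' characters, as the post describes."""
    return base64.b64encode(url) + b"=" * extra_padding


SAMPLE_WSF = (
    b'<job id="x"><script language="JScript">\n'
    b'var u = "' + _obfuscate(PAYLOAD_URL) + b'";\n'
    b"// the real scripts decode u, fetch it and write the result out as an .exe\n"
    b"</script></job>\n"
)


def build_sample_attachment():
    """Invoice....zip -> LZTFBQLX6G.zip -> LZTFBQLX6G.wsf, built in memory."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("LZTFBQLX6G.wsf", SAMPLE_WSF)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("LZTFBQLX6G.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, urls in analyze(build_sample_attachment()).items():
        print(member, [defang(u) for u in urls])
```

The depth bound matters: a zip that contains itself (or a deep chain of zips) would otherwise recurse until the gateway falls over. Real samples also split or reverse the encoded string before decoding, so treat an empty result as "not found by this heuristic", not as clean.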

  9. #1219 - AplusWebMaster: Fake 'Emailing' SPAM, 'Google Drive' - Phish

    FYI...

    Fake 'Emailing' SPAM - delivers pdf malware
    - https://myonlinesecurity.co.uk/malsp...liver-malware/
    14 Jun 2017 - "... an email with the subject of 'Emailing: 288639672' (random numbers) pretending to come from random names and email addresses that delivers some sort of malware. Over the last couple of weeks these have switched between Jaff ransomware, Dridex banking Trojans and Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-288639672.png

    288639672.pdf Current Virus total detections 11/56*. Payload Security** drops 000049764694.xlsm
    (VirusTotal 11/56[3]) (Payload Security[4]). JoeSandbox[5]: downloads an encrypted txt file from
    http ://mailblust .com\98tf77b which is converted by the script to fungedsp8.exe (VirusTotal 8/60[6])..
    There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
    mailblust .com\98tf77b > 162.251.85.92
    78tguyc876wwirglmltm .net\af\98tf77b > 119.28.85.128
    randomessstioprottoy .net\af\98tf77b > 119.28.85.128
    3456group .com\98tf77b > 69.49.96.24
    ... Other sites found so far have been posted HERE:
    - https://twitter.com/coldshell/status/874943588412653568
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1497432816/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    162.251.85.92

    3] https://www.virustotal.com/en/file/3...is/1497432816/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    162.251.85.92

    5] https://jbxcloud.joesecurity.org/analysis/291764/1/html

    6] https://www.virustotal.com/en/file/7...is/1497433869/
    ___

    'Google Drive' - Phish
    - https://myonlinesecurity.co.uk/impor...phishing-scam/
    14 Jun 2017 - "... phishing attempts for email credentials... pretends to be a message saying 'log in to Google Drive' to get some documents that have been sent to you...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-phishing.png

    If you follow the link (all are identical) you see a webpage looking like this:
    https ://www.mealcare .ca/gdrive/drive/drive/auth/view/share/ - but it is HTTPS so it is “safe”. That is, nothing you give to the criminal can be intercepted, so your email log in details can’t be stolen by another criminal on the way. Remember a green padlock HTTPS does NOT mean the site is safe. All it means is secure from easy interception between your computer and that site:
    > https://myonlinesecurity.co.uk/wp-co...gle_phish1.png

    After you select 'click here' on this identical copy of the Google drive page (if you are not looking at the url bar) you get:
    > https://myonlinesecurity.co.uk/wp-co...gle_phish2.png

    After you input your details you get sent to a 404 not found page on the Morgan Stanley website. I can only assume the phisher tried to link originally to a genuine pdf on Morgan Stanley who quickly removed it:
    > https://myonlinesecurity.co.uk/wp-co...tanley_404.png ..."

    mealcare .ca: 77.104.162.117: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/1f...8939/analysis/

    Last edited by AplusWebMaster; 2017-06-14 at 20:49.

  10. #1220 - AplusWebMaster: Fake 'Moneygram' SPAM

    FYI...

    Fake 'Moneygram' SPAM - delivers java adwind
    - https://myonlinesecurity.co.uk/fw-mo...s-java-adwind/
    15 Jun 2017 - "... a slightly different subject and email content to previous ones... These have a genuine PDF attachment with a -link- in it that downloads a zip containing the malware. The link goes to
    https ://www.domingosdandreaimoveis .com.br/wp-admin/images/Moneygram.transactions.12thJune.2017.zip
    which is almost certainly a compromised WordPress site...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-June-2017.png

    The pdf looks like:
    > https://myonlinesecurity.co.uk/wp-co...hedule_pdf.png

    Moneygram.transactions.12thJune.2017.jar (474kb) - Current Virus total detections 21/55*. Payload Security**...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1497502711/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.120.144.148

    domingosdandreaimoveis .com.br: 187.45.187.122: https://www.virustotal.com/en/ip-add...0/information/

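As an added example (not code from the original post or from myonlinesecurity.co.uk), here is a Python script that lists the link targets inside a PDF without rendering it, which is the check a mail gateway would want for the "genuine PDF with a link that fetches a zip" case this post describes. The sample PDF and its example.invalid links are constructed here; the real attachment is not reproduced. The scan covers the raw file plus any stream that inflates with zlib (FlateDecode), which is where link annotations packed into object streams usually sit.

```python
"""Added example: list /URI link targets in a PDF without rendering it.
Constructed input only (example.invalid), not the real attachment."""
import re
import zlib

# /URI values as PDF literal strings "(...)" (with \( \) \\ escapes) or hex strings "<...>".
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# Link targets an e-mail gateway should not let a user fetch with one click.
RISKY_EXT = (".zip", ".rar", ".7z", ".jar", ".exe", ".scr", ".js", ".jse", ".wsf", ".hta", ".vbs")


def _surfaces(pdf):
    """Yield the raw file, then every stream that inflates as FlateDecode."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue                 # not Flate-compressed (or not compressed at all)


def _literal(raw):
    """Undo the three escapes that matter for a URL in a PDF literal string."""
    return re.sub(rb"\\([()\\])", rb"\1", raw)


def _hexstring(raw):
    digits = re.sub(rb"\s", b"", raw).decode("ascii")
    if len(digits) % 2:              # PDF rule: a missing final digit counts as 0
        digits += "0"
    return bytes.fromhex(digits)


def extract_uris(pdf):
    """Return the sorted set of /URI targets found in the PDF and its inflated streams."""
    found = set()
    for surface in _surfaces(pdf):
        for m in URI_RE.finditer(surface):
            raw = _literal(m.group(1)) if m.group(1) is not None else _hexstring(m.group(2))
            if raw:
                found.add(raw.decode("latin-1"))
    return sorted(found)


def flag_downloads(uris):
    """Keep only links whose path ends in an archive or script extension."""
    flagged = []
    for u in uris:
        path = u.split("?", 1)[0].split("#", 1)[0].lower()
        if path.endswith(RISKY_EXT):
            flagged.append(u)
    return flagged


# ---- constructed sample PDF: one plain link annotation, one inside a Flate stream ----
def build_sample_pdf():
    plain = b"https://example.invalid/wp-admin/images/Moneygram.transactions.zip"
    hidden = b"https://example.invalid/schedule.pdf"
    objstm = zlib.compress(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI <"
        + hidden.hex().encode("ascii") + b"> >> >>")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (" + plain + b") >> >> endobj\n"
        b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
        + str(len(objstm)).encode("ascii") + b" >>\nstream\n" + objstm + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    uris = extract_uris(build_sample_pdf())
    print("links:", uris)
    print("would download an archive/script:", flag_downloads(uris))
```

This is a byte-level scan, not a PDF parser: it does not follow the object-stream offset table, handle filters other than Flate, or see links built at view time by embedded JavaScript, so an empty result means "nothing found this way", not "safe". A link whose path ends in .zip or .jar, as in this post, is the cheap signal worth blocking or sandboxing before the user ever clicks it.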
