FYI...
Fake 'Invoice' SPAM - leads to malware/Trojan
- https://myonlinesecurity.co.uk/emote...oded-sections/
31 July 2017 - "Following on from THIS* -fake- invoice email is a -newer- version with a different word doc at the end of the link-in-the-email. Today’s email, with the subject of 're: Invoice 622806', pretends to come from senders with a known connection to the recipient. The link-in-the-email leads to a malicious word doc that eventually delivers Emotet/Geodo banking Trojan...
* https://myonlinesecurity.co.uk/invoi...ivers-malware/
Screenshot: https://myonlinesecurity.co.uk/wp-co...ice-622806.png
ZDFRRI208.doc - Current Virus total detections 1/58[1]. Payload Security[2] doesn’t show any download... Twitter contacts Malwarehunterteam[3] and Antelox[4] have found some of the associated download urls and payload...
These word docs are using various tricks that make it difficult for the online sandboxes to decode/analyse, find the download sites and download the eventual payload. The url so far found is
http ://macsys.ca/ZQRZCy/ but... there are others.
1] https://www.virustotal.com/en/file/6...is/1501480309/
BNCKKK930.doc
2] https://www.hybrid-analysis.com/samp...ironmentId=100
3] https://twitter.com/malwrhunterteam/...13205047590913
4] https://twitter.com/Antelox/status/891914028246638592
Update: another contact[5] has found the complete list[5a] (pastebin[6])
http ://macsys .ca/ZQRZCy/ > 216.177.130.19
http ://paulplusa .com/jUiYKJFIuj/ > 216.97.239.25
http ://josephconst .com/cByNSVwsK/ > 67.228.48.40
http ://cs-skiluj.sanfre .eu/PSArDr/ > 185.5.98.24
http ://itdoctor .ca/jgaeQ/ > 67.205.112.177
5] https://twitter.com/phage_nz/status/891922001647894528
5a] https://twitter.com/phage_nz/status/891918128627597315
6] https://pastebin.com/Cdvat2Bp
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
> https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
207.210.245.164
___
Fake 'Receipt' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/more-...be-ransomware/
31 July 2017 - "... malware downloaders pretending to be a 'payment receipt' -or- a 'receipt' is an email with the subject of 'Receipt 21426' coming or pretending to come from donotreply@ random email addresses with a zip attachment containing a .vbs file that delivers globe ransomware. The zip name corresponds with the subject line. There is a mass of subject lines today. Some of the patterns include:
Receipt#83396
Receipt 21426
Payment-421
Payment Receipt 222
Payment Receipt#97481
Payment Receipt_8812
Receipt-351
Payment Receipt_03950 ...
One of the emails looks like:
From: donotreply@ blueprintrecruitment .co.uk
Date: Mon 31/07/2017 11:15
Subject: Receipt 21426
Attachment: P21426.zip
[Body content:]
Attached is the copy of your payment receipt.
P21426.zip: Extracts to: 20172.2017-07-31_75.20.68.vbs - Current Virus total detections 7/58*. Payload Security** shows a download of a txt file from
http ://koewege .de/98wugf56? > 81.169.145.77
which is simply renamed by the script to a randomly named .exe file (VirusTotal 14/64[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/9...is/1501499651/
20172.2017-07-31_75.20.68.vbs
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
81.169.145.77
3] https://www.virustotal.com/en/file/a...is/1501501469/
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Associated URLs: http ://okdomvrn .ru/98wugf56?
okdomvrn .ru: 92.53.96.9: https://www.virustotal.com/en/ip-add...9/information/
> https://www.virustotal.com/en/url/7b...80ed/analysis/
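Added example (not from the myonlinesecurity.co.uk writeups or from the post above): a small Python helper that turns the defanged IOC lines quoted in both items ("http ://host .tld/path/ > IP") back into usable URLs, hostnames and IPs for a blocklist, plus a check that flags a zip attachment whose members carry script or executable extensions, the pattern of the 'Receipt' downloader. The IOC lines are copied from the two writeups as sample input; the zip is constructed in memory with placeholder content (it is a stand-in for P21426.zip, not the real script), and nothing is fetched from the network.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Sample input: the defanged download URLs quoted in the two writeups above,
# copied into a constant so the parser can run offline.
DEFANGED_IOCS = """
http ://macsys .ca/ZQRZCy/ > 216.177.130.19
http ://paulplusa .com/jUiYKJFIuj/ > 216.97.239.25
http ://josephconst .com/cByNSVwsK/ > 67.228.48.40
http ://cs-skiluj.sanfre .eu/PSArDr/ > 185.5.98.24
http ://itdoctor .ca/jgaeQ/ > 67.205.112.177
http ://koewege .de/98wugf56? > 81.169.145.77
http ://okdomvrn .ru/98wugf56?
"""

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def refang(defanged):
    """Undo the 'http ://host .tld' defanging (also hxxp and [.] forms)."""
    s = defanged.strip().replace("hxxp", "http").replace("[.]", ".")
    s = re.sub(r"^(https?)\s*:\s*//", r"\1://", s, flags=re.I)  # "http ://" -> "http://"
    s = re.sub(r"\s*\.\s*", ".", s)                              # "macsys .ca" -> "macsys.ca"
    return s

def parse_iocs(text):
    """Parse 'defanged-url [> ip]' lines into dicts with url, host and ip (ip may be None)."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        url_part, _, ip_part = line.partition(">")
        url = refang(url_part)
        ip = ip_part.strip() or None
        if ip is not None and not _IPV4.match(ip):
            ip = None  # tolerate annotations that are not a bare IPv4 address
        iocs.append({"url": url, "host": urlsplit(url).hostname, "ip": ip})
    return iocs

def blocklist(iocs):
    """Sorted set of hostnames and IPs suitable for a DNS sinkhole or firewall deny list."""
    entries = set()
    for ioc in iocs:
        if ioc["host"]:
            entries.add(ioc["host"])
        if ioc["ip"]:
            entries.add(ioc["ip"])
    return sorted(entries)

# Extensions Windows will execute directly from an extracted zip; .vbs is the one seen above.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
               ".ps1", ".cmd", ".bat", ".scr", ".exe"}

def risky_members(zip_bytes):
    """Return archive member names whose final extension is a script/executable type."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if PurePosixPath(name.lower()).suffix in SCRIPT_EXTS:
                found.append(name)
    return found

def build_sample_zip():
    """Constructed stand-in for P21426.zip: same member name, placeholder content only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("20172.2017-07-31_75.20.68.vbs", "' placeholder, not the real downloader\r\n")
        zf.writestr("readme.txt", "benign text member\n")
    return buf.getvalue()

if __name__ == "__main__":
    for entry in blocklist(parse_iocs(DEFANGED_IOCS)):
        print(entry)
    print("risky members:", risky_members(build_sample_zip()))
```

The refang step only rejoins the scheme and the dotted hostname; it does not touch the path, so the `?` on the koewege.de and okdomvrn.ru URLs survives and can be matched exactly in proxy logs. Extension matching uses the final suffix, so a double-extension name such as `receipt.pdf.vbs` is still caught.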