
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1251
    Adviser Team AplusWebMaster (Join Date: Oct 2005, Location: USA, Posts: 6,881)

    Fake 'purchase order', 'Ref', 'Fax' SPAM

    FYI...

    Fake 'purchase order' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ering-malware/
    23 Aug 2017 - "... an email with the subject of 'RFQ072017' coming from Stafford Shawn <staffordshawn1@ yahoo .com> (possibly random senders) but definitely coming via Yahoo email network with a zip attachment containing a file that pretends to be a pdf file but is an .exe file... All detections on VirusTotal are heuristic or generic detections but it is quite well detected.
    Update: I am reliably informed it is nanocore RAT 1.2.2.0...

    Screenshot: https://myonlinesecurity.co.uk/wp-co.../RFQ072017.png

    SCAN_PO#20170823.PDF.z: Extracts to: SCAN_PO#20170823.PDF.z.exe - Current Virus total detections 23/64*
    Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1503458477/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.12.45.79
    ___

    Fake 'Ref' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    23 Aug 2017 - "An email with the subject of 'Ref: 72381821' pretending to come from Barclays Bank but actually coming from a look-a-like domain Barclays <message@ barclaysmail .co.uk> -or- Barclays <message@ barclays-mail .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... spoofed domains are barclaysmail .co.uk 46.21.147.128 AS35017 Swiftway Sp. z o.o. and barclays-mail .co.uk 85.93.88.35 malta2333.startdedicated .net AS8972 Host Europe GmbH...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...lays-email.png

    Ref72381821.doc - Current Virus total detections 4/58*. Payload Security**... This malware file downloads from
    http ://eva-wagner .net/picture_library/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to hgfudf.exe and autorun (VirusTotal 18/63***). An alternative download location is
    http ://eva-poldi .at/logo.png
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1503484026/
    attachment20170823-17020-5y3sht.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://www.virustotal.com/en/file/6...e212/analysis/
    hgfudf.exe

    eva-wagner .net: 148.251.26.133: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/02...b542/analysis/

    eva-poldi .at: 62.138.14.149: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/08...d639/analysis/
    ___

    Fake 'Fax' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/locky...email-malspam/
    22 Aug 2017 - "... series of Locky downloaders... an email with the subject of 'Fax from: (01242) 856225' [random numbers] pretending to come from Free Fax to Email <freefaxtoemail@ random email domain>...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...242-856225.png

    Fax278044344f0dd0b.rar: Extracts to: Fax1423519vc18e7c3.js - Current Virus total detections 16/55*
    Payload Security** - delivers /REjhb54 (VirusTotal ***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1480616575/
    -6dt874p53077.js

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.169.226.106
    82.118.17.218
    5.196.99.239


    *** https://www.virustotal.com/#/file/61...2471/detection

    Last edited by AplusWebMaster; 2017-08-23 at 17:32.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1252
    Adviser Team AplusWebMaster

    Fake 'Invoice' SPAM

    FYI...

    Fake 'Invoice' SPAM - leads to Locky
    - http://blog.dynamoo.com/2017/08/malw...e-copy-of.html
    23 Aug 2017 - "This fairly generic spam leads to Locky ransomware:
    Subject: Copy of Invoice 3206
    From: "Customer Service"
    Date: Wed, August 23, 2017 9:12 pm
    Please download file containing your order information.
    If you have any further questions regarding your invoice, please call Customer Service.
    Please do not reply directly to this automatically generated e-mail message.
    Thank you.
    Customer Service Department


    A -link-in-the-email- downloads a malicious VBS script, and because it's quite late I'll just say that Hybrid Analysis* has seen it all before. The download EXE (VT 21/64**) script POSTS to 5.196.99.239 /imageload.cgi (Just Hosting, Russia) which is in a network block that also had a fair bit of Angler*** last year, so I would recommend blocking all traffic to 5.196.99.0/24."
    * https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    ** https://www.virustotal.com/en/file/0...6cd1/analysis/

    *** https://pastebin.com/D5pXvR1W


  3. #1253
    Adviser Team AplusWebMaster

    Fake 'Secure Message', 'BT bill' SPAM

    FYI...

    Fake 'Secure Message' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    24 Aug 2017 - "An email with the subject of 'Secure email message' pretending to come from Bank of America but actually coming from a look-a-like domain Bank of America <message@ bofamsg .com> or Bank of America <message@ bofa-msg .com> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...sage_email.png

    SecureMessage.doc - Current Virus total detections 7/58*. Payload Security**. This malware file downloads from
    http ://esp .jp/serca.png which of course is -not- an image file but a renamed .exe file that gets renamed to Aoitas.exe (VirusTotal ***). An alternative download location is
    http ://enyahoikuen .com/serca.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...1ffa/analysis/
    SecureMessage.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://www.virustotal.com/en/file/0...4c77/analysis/
    serca.png

    esp .jp: 121.50.42.51: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/8d...3f3a/analysis/

    enyahoikuen .com: 202.231.207.151: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/e6...4cd1/analysis/
    ___

    Fake 'BT bill' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/locky...-fake-bt-bill/
    24 Aug 2017 - "... Locky downloader... an email with the subject of 'New BT Bill' pretending to come from BT Business <btbusiness@ bttconnect .com> with a-link-in-the-body- of the email to download a zip file...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ky_BT-bill.png

    bill-201708.zip: Extracts to: bill-201708.exe - Current Virus total detections 19/65*. Payload Security**.
    Currently all the copies I am seeing (hundreds of them) have -2- download links in the email body:
    http ://kabbionionsesions .net/af/bill-201708.rar -and- http ://metoristrontgui .info/af/bill-201708.zip
    -both- domains have been spreading Locky all day. The downloads are extremely slow but I eventually got the zip version. Also several emails with
    http ://kabbionionsesions .net/af/download.php (currently 404) and
    http ://kabbionionsesions .net/af/bill-201708.7z (also 404)...
    The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1503597867/
    bill-201708.exe

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.179.190.31
    216.58.206.228
    216.58.206.238


    kabbionionsesions .net: 47.89.246.2: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/26...68bd/analysis/

    Last edited by AplusWebMaster; 2017-08-24 at 21:12.

  4. #1254
    Adviser Team AplusWebMaster

    Fake 'Secure Message', 'Sage invoice', 'Voicemail' SPAM

    FYI...

    Fake 'Secure Message' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    25 Aug 2017 - "An email with the subject of 'You have a new secure Message' pretending to come from Lloyds Bank but actually coming from a look-a-like domain Lloyds Bank <message@ lloydsbankmsg .com> or Lloyds Bank <message@ lloydsbank-msg .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... spoofed domains are lloydsbankmsg .com 46.21.147.242 and lloydsbank-msg .com 109.235.52.44 ...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...sage-email.png

    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...essage_doc.png

    EncryptedMessage.doc - Current Virus total detections 6/58*. Payload Security**. This malware file downloads from
    http ://fabianpfau .de/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to lnmflgf.exe (VirusTotal 13/65***). An alternative download location is
    http ://evakrause .nl/logo.png
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1503657342/
    EncryptedMessage.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    176.28.13.220
    216.239.32.21
    131.153.40.196


    *** https://www.virustotal.com/en/file/6...is/1503658322/
    lnmflgf.exe

    fabianpfau .de: 176.28.13.220: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/ff...94d1/analysis/

    evakrause .nl: 94.126.70.16: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/3f...4f8c/analysis/
    ___

    Fake 'Sage invoice' SPAM - leads to Locky
    - http://blog.dynamoo.com/2017/08/malw...scription.html
    25 Aug 2017 - "This -fake- Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much[1] by the bad guys is a bit of a mystery.
    [1] http://blog.dynamoo.com/search?q=sage

    Screenshot: https://1.bp.blogspot.com/-d685K3apn...s1600/sage.png

    The link-in-the-email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.
    The RAR file itself contains a malicious VBS script... with a detection rate of 19/56*, which attempts to download another component from:
    Automated analysis of the file [1] [2] shows a dropped binary with a 39/64** detection rate, POSTing to 46.183.165.45 /imageload.cgi (Reg.Ru, Russia)
    Recommended blocklist:
    46.183.165.45 "
    * https://virustotal.com/en/file/aa75f...9b2c/analysis/
    bill-201708.exe

    1] https://malwr.com/analysis/ODY3NjZjZ...QyMTEzNDU0MWY/
    SINV0709.vbs
    Hosts
    203.183.65.225
    46.183.165.45


    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    203.183.65.225
    46.183.165.45


    ** https://www.virustotal.com/en/file/a...c86e/analysis/
    bill-201708.exe

    ... Fake 'Sage invoice' variant - delivers Locky
    > https://myonlinesecurity.co.uk/your-...ky-ransomware/
    24 Aug 2017

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-is-ready.png

    > https://www.virustotal.com/en/file/a...is/1503606828/
    SINV0709.vbs
    15/57

    SINV0711.docm - Current Virus total detections *. Payload Security**...

    * https://www.virustotal.com/en/file/0...is/1503602547/
    SINV0711.docm
    9/59

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    83.169.35.187
    185.179.190.31


    help.ads .gov.ba: 80.65.162.70: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/c6...8ebb/analysis/

    hausverwaltungfrankfurt .de: 83.169.35.187: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/90...699b/analysis/
    ___

    Fake 'Voicemail' SPAM - leads to Locky
    - http://blog.dynamoo.com/2017/08/malw...rvice-new.html
    25 Aug 2017 - "The jumble of numbers in this spam is a bit confusing. Attached is a malicious RAR file that leads to Locky ransomware.
    Subject: New voice message 18538124076 in mailbox 185381240761 from "18538124076" <6641063681>
    From: "Voicemail Service" [vmservice@ victimdomain .tld]
    Date: Fri, August 25, 2017 12:36 pm
    Dear user:
    just wanted to let you know you were just left a 0:13 long message (number 18538124076)
    in mailbox 185381240761 from "18538124076" <6641063681>, on Fri, 25 Aug 2017
    14:36:41 +0300
    so you might want to check it when you get a chance. Thanks!
    --Voicemail Service


    Attached is a RAR file containing a malicious VBS script. The scripts are all slightly different, meaning that the RARs are too... The VBS script is similar to this* (variable names seem to change mostly) with a detection rate of about 15/59**. Hybrid Analysis*** shows it dropping a Locky executable with a 18/65[4] detection rate which phones home to 46.17.44.153 /imageload.cgi (Baxnet, Russia) which I recommend that you block."
    * https://pastebin.com/UK2MYHct

    ** https://virustotal.com/en/file/21207...0b55/analysis/
    20170825_ID904754594.vbs

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    4] https://www.virustotal.com/en/file/0...c251/analysis/
    UYGgfhRDSaa

    Last edited by AplusWebMaster; 2017-08-25 at 17:17.

  5. #1255
    Adviser Team AplusWebMaster

    Fake 'DHL', 'Purchase Contract' SPAM

    FYI...

    Fake 'DHL' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    26 Aug 2017 - "... an email with the subject of 'DHL GLOBAL FREIGHT CONSIGNMENT FORM' coming from DHL GLOBAL WORLD WIDE AGENT <deddi@ karebet-group .com> with an .ace attachment delivers malware... returns are coming back from several antivirus companies describing this as .Win32.SpyEyes[1]...
    1] https://www.microsoft.com/en-us/wdsi...n:Win32/Spyeye

    Screenshot: https://myonlinesecurity.co.uk/wp-co...NMENT-FORM.png

    DHL GLOBAL Consignment form……………………………..ace: Extracts to: Purchase order.exe
    Current Virus total detections 17/65*. Payload Security**. This drops a modified version of itself as win32.exe (VirusTotal 17/64***); it also contacts
    http :// 98.142.221.58/~comsgautopart/.regedit/mail/home/gate.php ...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1503723385/
    Purchase order.exe

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://www.virustotal.com/en/file/e...is/1503723627/
    win32.exe

    98.142.221.58: https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake 'Purchase Contract' SPAM - delivers java adwind
    - https://myonlinesecurity.co.uk/purch...s-java-adwind/
    26 Aug 2017

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-PO30-PO31.png

    Doc Purchase Contract of PO30PO31.jar (547kb) - Current Virus total detections *. Payload Security**...

    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1503773842/
    Doc Purchase Contract of PO30PO31.jar

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    5.178.43.16

    Last edited by AplusWebMaster; 2017-08-27 at 14:54.

  6. #1256
    Adviser Team AplusWebMaster

    Defray - New Ransomware ...

    FYI...

    Defray - New Ransomware targets Education and Healthcare
    > https://www.helpnetsecurity.com/2017...are-delivered/
    Aug 28, 2017

    >> https://www.darkreading.com/applicat...d/d-id/1329725
    8/25/2017

    > https://www.proofpoint.com/us/threat...care-verticals
    Aug 24, 2017 - "... distribution of Defray has several notable characteristics:
    Defray is currently being spread via Microsoft Word document attachments in email
    The campaigns are as small as several messages each
    The lures are custom crafted to appeal to the intended set of potential victims
    The recipients are individuals or distribution lists, e.g., group@ and websupport@
    Geographic targeting is in the UK and US
    Vertical targeting varies by campaign and is narrow and selective

    On August 22, Proofpoint researchers detected an email campaign targeted primarily at Healthcare and Education involving messages with a Microsoft Word document containing an embedded executable... Defray may cause other general havoc on the system by -disabling- startup recovery and -deleting- volume shadow copies. On Windows 7 the ransomware monitors and kills running programs with a GUI, such as the task manager and browsers. We have not observed the same behavior on Windows XP..."
    Indicators of Compromise (IOCs) [ ... more listed at the proofpoint URL above. ]
    C&C IP
    145.14.145.115: https://www.virustotal.com/en/ip-add...5/information/


  7. #1257
    Adviser Team AplusWebMaster

    Fake 'BT bill', 'scan' SPAM, Amazon phish

    FYI...

    Fake 'BT bill' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/fake-...ky-ransomware/
    29 Aug 2017 - "... Locky downloader... email has the subject of 'Overdue BT bill' pretending to come from random names at your-own-email-address...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ue-BT-bill.png

    Scan_201708293861.zip: Extracts to: scan_201708292366.zip which eventually extracts to scan_201708292366.vbs - Current Virus total detections 11/59*. Payload Security**... first attachment I chose leads to a site giving a 404 so the results are very good. Another attachment gives better results
    (VirusTotal 0/58***) where another researcher has filled in all the blanks in the comments[4]...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1503998928/
    scan_201708292366.vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    81.2.195.144

    *** https://www.virustotal.com/en/file/6...is/1503999225/

    4] https://twitter.com/Racco42/status/902465569965973504

    > https://www.virustotal.com/en/file/a...is/1503999480/
    9/65
    ___

    Fake 'scan' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/you-h...ky-ransomware/
    29 Aug 2017 - "... Locky downloader... an email with the subject of 'You have received a scan from AT Management' pretending to come from Scan @ AT Management <scan_754@ atmanagement .co.uk> [random numbers after the scan_]. All these are being addressed to Accounts: <name@ victimdomain .tld>...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...Management.png

    ... same sites, file names and payload as today’s earlier ^malspam run^ delivering Locky ransomware:
    > https://myonlinesecurity.co.uk/fake-...ky-ransomware/

    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    ___

    Amazon phish...
    - https://myonlinesecurity.co.uk/you-s...shing-attempt/
    29 Aug 2017 - "We see a lot of Amazon phishing attempts. This one is quite different to the usual ones we see. Although there are a lot of Amazon sellers, the chances of a mass malspam like this one actually being received by a seller is quite small compared with the more usual 'payment review' or 'your account was signed into from an unknown computer' or similar scams.
    'You sold an item' pretending to come from Amazon <selleramazon@ reply.amazon .com> is one of the latest phish attempts to steal your Amazon Account and your Bank details. This one only wants your Amazon log in details and bank details. Many of them are also designed to specifically steal your email and other log in details as well...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ld_an_item.png

    The link-in-the-email goes to:
    https ://www.google .co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&cad=rja&uact=8&ved=0ahUKEwiO9aOs-vvVAhXBZFAKHY3XCYgQFghJMAc&url=http%3A%2F%2Fwww.almatulum.com%2Fcontact-2%2F&usg=AFQjCNFdrv7025EsAfzW8QKj40lSrovIbA
    which redirects to:
    https ://directele .net/user_guide/documentation/amazon.co.uk/Amazon-Sign-In.htm?adenlankenadransakbnizwetmilrtuniietnnudbenwdiaateaaleeaallilaadmusmdzmnlelubbaalamzsnaittsndakaweiuidaawnamdlerendeuedimnailtrdtaknzeaanmleni4493782410

    If you follow the link you see a webpage looking like:
    > https://myonlinesecurity.co.uk/wp-co...ectele_net.png

    When you fill in your user name and password you get a page looking like this, asking for your bank sort code and bank-account-number. I am not quite sure what they can do with this on its own without passwords or bank login details. However knowing that quite a high proportion of users do re-use login details and passwords on multiple sites, it is not beyond the realms of possibility that your Amazon account, email log in and bank log in all -share- a password:
    > https://myonlinesecurity.co.uk/wp-co...tele_net_1.png

    You then get -redirected- to the genuine Amazon suite for your country..."

    directele .net: 166.62.73.164: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/78...1909/analysis/

    Last edited by AplusWebMaster; 2017-08-29 at 18:16.

  8. #1258
    Adviser Team AplusWebMaster

    Fake 'Emailing Payment', 'E-invoice', 'Secure email message' SPAM - more...

    FYI...

    Fake 'Emailing Payment' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/more-...01708-malspam/
    30 Aug 2017 - "... Locky downloader... an email with the subject of 'Emailing: Payment_201708-838 [the “Emailing: Payment_201708-” stays consistent but the final 3 to 5 digits are random] pretending to come from random names at your-own-email-address or company-domain-addresses to another random name at your-own-domain...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...201708-838.png

    Payment_201708-838.7z: Extracts to: Payment_201708-2866.jse - Current Virus total detections 14/59*.
    Payload Security**. Locky payload: (VirusTotal 31/65***).
    Another researcher has posted already about this one with several links to download sites and C2 IP numbers:
    > https://hazmalware.wordpress.com/201...ky-ransomware/
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1504067419/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts


    *** https://www.virustotal.com/en/file/c...7886/analysis/
    CuuDxa1.exe

    146.120.110.46: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/5a...3b58/analysis/

    46.183.165.45: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/7c...5f58/analysis/
    ___

    Fake 'E-invoice' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/fake-...ky-ransomware/
    30 Aug 2017 - "... Locky downloader... an email with the subject of 'E-invoice for your order #6377810026' [random numbers] pretending to come from do_not_reply@ random Apple email addresses.... the addresses I have seen include:
    do_not_reply@ eu.apple .com
    do_not_reply@ asia .apple.com
    do_not_reply@us .apple .com ...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...6377810026.png

    9891613510.7z: Extracts to: 9891611187.vbs - Current Virus total detections 10/59*. Payload Security**.
    Locky Binary (VirusTotal 17/65***). These droppers have gone back to the old way of downloading Locky from the remote server, by downloading an encrypted text file that needs to be decoded by the script... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1504086697/
    9891611187.vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    66.36.173.159
    146.120.110.46


    *** https://www.virustotal.com/en/file/3...is/1504087141/
    hJBoTJ.exe
    ___

    Fake 'Secure email message' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/more-...anking-trojan/
    30 Aug 2017 - "An email with the subject of 'Secure email message' pretending to come from NatWest bank but actually coming from a look-a-like domain noreply@ servicemessage### .ml with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The ### is any number between 501 and 599 - .ml domains are -free- domains administered by freenom .com... I am seeing domains ranging from servicemessage501 .ml to servicemessage599 .ml all being hosted on -different- IP numbers & ranges all appearing to be -compromised- ISP IP numbers from major ISPs in UK, Europe & USA...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...message_ml.png

    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...87_352_doc.png

    natwest1753465723087_352.doc - Current Virus total detections 6/58*. Payload Security**.
    This malware file downloads from
    http ://campuslinne .com/pages/kasaragarban.png which of course is -not- an image file but a renamed .exe file that gets renamed to Buqtjkk.exe (VirusTotal 12/64***). An alternative download location is
    http ://campusassas .com/fonction/kasaragarban.png
    This email attachment contains a genuine word doc with a macro script that when run will infect you...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...8d51/analysis/
    natwest1753465723087_352.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    193.227.248.241
    158.69.26.138
    178.156.202.206


    *** https://www.virustotal.com/en/file/f...02c5/analysis/
    kasaragarban.png

    campuslinne .com: 193.227.248.241: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/72...740d/analysis/

    campusassas .com: 193.227.248.241
    > https://www.virustotal.com/en/url/e8...e05c/analysis/
    ___

    Fake 'BT OneBill' SPAM - leads to Dridex
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    30 Aug 2017 - "An email with the subject of 'Your latest BT OneBill is available now' pretending to come from BT but actually coming from a different domain ebilling4business@ btdnet .com that can just about be mistaken for a genuine BT email address is today’s latest spoof of a well-known company, bank or public authority delivering Dridex banking Trojan... Today’s example of the spoofed domains are, as usual, registered via eranet .com as registrar. This was registered on 29 August 2017 by the criminals:
    btdnet .com hosted on 54.36.30.168 OVH
    This particular email was sent from IP 54.36.30.230 but a quick look up of the domain details show that these criminals have also set a-whole-range of IP addresses to be able to send these emails and pass authentication checks:

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ilable-now.png

    The -link-in-the-email goes to a compromised or fraudulently set up SharePoint AKA onedrive for business address:
    https ://mccabelawyers-my.sharepoint .com/personal/g_macneill_swslawyers_com_au/_layouts/15/guestaccess.aspx?docid=0cc833a8ff3b4411a986bfb04282f2ffb&authkey=AVpD74OXseK7zr4gaxr_UBE
    which downloads the zip file containing the .js file that eventually delivers Dridex.

    BT OneBill.zip extracts to: BT OneBill.js - Current Virus total detections 7/58*. Payload Security**.
    This downloads Dridex banking Trojan but I am unable to determine the actual download site
    (VirusTotal 17/64[3])... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1504105031/
    BT_OneBill.js

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    13.107.6.151
    185.203.118.198
    31.31.77.229
    178.62.199.166
    144.76.62.10


    3] https://www.virustotal.com/en/file/a...587c/analysis/
    SdVoAfj.exe
    ___

    Fake 'Sage' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    30 Aug 2017 - "An email with the subject of 'Your Sage subscription invoice is Due' pretending to come from Sage but actually coming from a look-a-like domain SAGE UK <message@ sagemailsupport14 .top> with a malicious word doc attachment is another one of today’s spoofs of a well-known company, bank or public authority... I am being told it is a smokeloader[1] which downloads a variety of -other- malware...
    1] https://twitter.com/James_inthe_box/...79668239761408
    ... Today’s example of the spoofed domains are:
    sagemailsupport14 .top hosted on 82.202.233.14 AS49505 OOO Network of data-centers Selectel
    I have discovered a-whole-range of -fake- sagemailsupport## .top domains on this network. So far I can find sagemailsupport10 .top -to- sagemailsupport110-.top hosted on the corresponding IP address -range- between 82.202.233.10 and 82.202.233.110 all having an rdns set properly and pass email authentication...
    [ 82.202.233.* ]

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ice-is-Due.png

    INV0293083017.doc - Current Virus total detections 5/58*. Payload Security**. This malware file downloads from
    http ://5.149.252.152 /r37.exe (VirusTotal 16/64[3]) (Payload Security[4]). An alternative download location is
    http ://200.7.98.51 /r37.exe
    This email attachment contains a genuine word doc with a macro script that when run will infect you.
    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...083017_doc.png
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1504103297/
    INV0293083017.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    3] https://www.virustotal.com/en/file/a...is/1504116823/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    2.20.202.119
    217.23.8.41


    5.149.252.152: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/80...f56e/analysis/

    200.7.98.51: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/f6...2409/analysis/

    Last edited by AplusWebMaster; 2017-08-30 at 22:50.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #1259 - AplusWebMaster (Adviser Team)

    Fake 'Customer message', 'Important Documents' SPAM

    FYI...

    Fake 'Customer message' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/trick...bank-messages/
    31 Aug 2017 - "... imitating NatWest Bank and using the same look-a-like domain as yesterday’s version[1]... using a slightly different email message. They have even re-used the same domains to deliver the actual payload, but with different file names.
    [1] https://myonlinesecurity.co.uk/more-...anking-trojan/
    An email with the subject of 'Customer message' pretending to come from NatWest bank but actually coming from a look-a-like domain noreply@ servicemessage### .ml with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The ### is any number between 1 and 599...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...er-message.png

    natwest112543798124_21454.doc - Current Virus total detections 5/58*. Payload Security**.
    This malware file downloads from
    http ://campuslinne .com/maquette2/nataresonodor.png which of course is -not- an image file but a renamed .exe file that gets renamed to Ubqwyc.exe (VirusTotal 15/65***). An alternative download location is
    http ://campusassas .com/imagesv1/nataresonodor.png
    This email attachment contains a genuine word doc with a macro script that when run will infect you.
    The word doc looks identical to yesterday’s but with a different document name:
    > https://myonlinesecurity.co.uk/wp-co...87_352_doc.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
    * https://www.virustotal.com/en/file/1...is/1504181231/
    natwest112543798124_21454.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    193.227.248.241
    216.239.32.21
    67.21.84.23
    216.58.209.228
    216.58.209.238
    66.85.27.170


    *** https://www.virustotal.com/en/file/2...6ddd/analysis/
    Ubqwyc.exe

    campuslinne .com: 193.227.248.241: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/2a...bf64/analysis/

    campusassas .com: 193.227.248.241
    > https://www.virustotal.com/en/url/39...dd87/analysis/
    ___

    Fake 'Important Documents' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    31 Aug 2017 - "An email with the subject of 'Important – New Account Documents' pretending to come from Santander Bank but actually coming from a look-a-like domain Santander <account.documents@ santanderdoc .co.uk> or Santander <account.documents@ santandersec .co.uk> with a malicious word doc attachment is another spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-Documents.png

    Account_Documents_31082017.doc - Current Virus total detections 10/58*. Payload Security**.
    This malware file downloads from
    http ://evaluator-expert .ro/sergio.png which of course is -not- an image file but a renamed .exe file that gets renamed to bicprcv.exe (VirusTotal 17/64***).
    An alternative download location is
    http ://www.events4u .cz/sergio.png
    This email attachment contains a genuine word doc with a macro script that when run will infect you.
    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...082017_doc.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
    * https://www.virustotal.com/en/file/2...a505/analysis/
    Account_Documents_31082017.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    93.114.64.118
    146.255.36.1
    194.87.238.42
    66.85.27.170
    216.58.209.228
    216.58.209.238


    *** https://www.virustotal.com/en/file/5...5987/analysis/
    bicprcv.exe

    evaluator-expert .ro: 93.114.64.118: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/24...99bb/analysis/

    events4u .cz: 93.185.102.11: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/5b...d3f8/analysis/

    Last edited by AplusWebMaster; 2017-08-31 at 22:57.
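    The four spoofs quoted in posts #1258 and #1259 (BT, Sage, NatWest, Santander) share one shape: a display name that claims a brand, an address on a domain the criminals registered themselves (btdnet .com, sagemailsupport## .top, servicemessage### .ml, santanderdoc .co.uk), correct rDNS and a passing SPF result. The script below is an added example, not code from the quoted articles or from the poster, showing how a mail filter can catch that shape from the From: header alone. The per-brand lists of legitimate domains are assumptions for the example; the sample headers are constructed from the de-obfuscated addresses in the posts.

```python
"""Flag brand-impersonating senders from a From: header.

Added example (not from the quoted articles). Three checks: a display name
that claims a brand while the address sits on a domain the brand does not use,
a domain whose label starts with the brand name, and a numbered throw-away
domain such as sagemailsupport14.top or servicemessage123.ml.
SPF/DKIM results are deliberately not consulted: every campaign above passed
email authentication on domains the criminals registered themselves.
"""
import re
from email.utils import parseaddr

# ASSUMED legitimate sending domains per brand (illustrative, not authoritative).
KNOWN_BRAND_DOMAINS = {
    "barclays": {"barclays.co.uk", "barclays.com"},
    "natwest": {"natwest.com"},
    "santander": {"santander.co.uk"},
    "bt": {"bt.com"},
    "sage": {"sage.com", "sage.co.uk"},
}

# Cheap TLDs where the posts saw sequentially numbered look-alike domains.
CHEAP_TLDS = ("top", "ml", "tk", "ga", "cf", "gq")
NUMBERED_LOOKALIKE = re.compile(r"^[a-z]+\d{1,3}\.(?:%s)$" % "|".join(CHEAP_TLDS))


def _is_brand_domain(domain, legit):
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def classify_sender(from_header):
    """Return a list of findings for one From: header (empty = nothing seen)."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable-sender"]
    domain = addr.rpartition("@")[2].lower()
    findings = []
    display_words = set(re.findall(r"[a-z]+", display.lower()))
    for brand, legit in KNOWN_BRAND_DOMAINS.items():
        # Display name says "Barclays" but the address is elsewhere.
        if brand in display_words and not _is_brand_domain(domain, legit):
            findings.append(f"display-name-brand-mismatch:{brand}:{domain}")
        # Domain label starts with the brand (btdnet.com, santanderdoc.co.uk)
        # but is not a brand domain. Anchoring to a label boundary avoids
        # matching "bt" inside unrelated words such as "debtor".
        if (re.search(rf"(?:^|[.-]){re.escape(brand)}", domain)
                and not _is_brand_domain(domain, legit)):
            findings.append(f"lookalike-domain:{brand}:{domain}")
    if NUMBERED_LOOKALIKE.match(domain):
        findings.append(f"numbered-throwaway-domain:{domain}")
    return findings


def triage(from_headers):
    """Map each header to its findings, keeping only the suspicious ones."""
    return {h: f for h in from_headers if (f := classify_sender(h))}


# Constructed samples modelled on the posts (addresses de-obfuscated).
SAMPLES = [
    "BT <ebilling4business@btdnet.com>",
    "SAGE UK <message@sagemailsupport14.top>",
    "NatWest <noreply@servicemessage123.ml>",
    "Santander <account.documents@santanderdoc.co.uk>",
    "Barclays <message@barclays.co.uk>",       # assumed legitimate
    "BT Support <help@mail.bt.com>",           # subdomain of an assumed legit domain
]

if __name__ == "__main__":
    for header, findings in triage(SAMPLES).items():
        print(header)
        for f in findings:
            print("   ", f)
```

    The brand-name check only fires on a label boundary, so a real deployment still needs a homoglyph and typo-distance check for domains such as barclays-mail .co.uk that add a hyphenated word rather than a suffix.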

  10. #1260 - AplusWebMaster (Adviser Team)

    Fake 'Dropbox' SPAM, RIG exploit kit > ransomware

    FYI...

    Fake 'Dropbox' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/fake-...ky-ransomware/
    31 Aug 2017 10:03 pm - "We are seeing a run of a very different Locky delivery email tonight. This only seems to work properly in Google Chrome, Firefox gives a simple download file box and Internet Explorer gives error messages on clicking the “click here” link. This means that Internet Explorer users will be safe from this attack, but Google Chrome and Firefox users could be infected if they aren’t careful. The email pretends to be from -Dropbox- asking you to 'verify your email address to continue' the sign up...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...il-address.png

    Win.JSFontlib09.js - Current Virus total detections 22/58*. Payload Security** |
    Locky Binary (VirusTotal 17/65***)
    There appear to be -hundreds- of different links-in-these-emails that go to -compromised- sites pretending to be Dropbox. They all however have the -same- few links to actually download the .js malware file...
    The link in this particular example went to
    http ://jakuboweb .com/dropbox.html but each email I received (so far 300+) has a multitude of different links.
    Following the link in the email leads to a page looking like this, which is -different- in each commonly used browser. Let's start with Internet Explorer which gives an error on pressing “click here”:
    > https://myonlinesecurity.co.uk/wp-co...dropbox_IE.png
    ... Firefox which gives a file download prompt:
    > https://myonlinesecurity.co.uk/wp-co...dropbox_FF.png
    ... Google Chrome which displays the lure... telling you that The “HoeflerText” font was not found. The web page you are trying to load is displayed incorrectly, as it uses the “HoeflerText” font. To fix the error and display the text, you have to update the “Chrome Font Pack”:
    > https://myonlinesecurity.co.uk/wp-co...box_chrome.png
    The link from chrome went to
    http ://gclubrace .info/json.php whereas the links from the other 2 versions went to
    http ://dippydado .net/json.php all of which downloaded the -same- Win.JSFontlib09.js ...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...4a37/analysis/
    Win.JSFontlib09.js

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    202.169.44.143
    46.183.165.45
    216.58.209.228
    216.58.209.238


    *** https://www.virustotal.com/en/file/1...is/1504207421/
    pGDIWEKDHD2.exe

    jakuboweb .com: 149.7.99.14: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/f4...bb0a/analysis/

    gclubrace .info: Could not find an IP address for this domain name...

    dippydado .net: Could not find an IP address for this domain name...
    ___

    RIG exploit kit > 'Princess' ransomware
    - https://blog.malwarebytes.com/cyberc...ss-ransomware/
    Aug 31, 2017 - "We have identified a new drive-by-download campaign that distributes the Princess-ransomware (AKA PrincessLocker), leveraging -compromised-websites-and the RIG-exploit-kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads... We are not so accustomed to witnessing compromised websites pushing exploit kits... some campaigns have been replaced with tech support scams instead and overall most drive-by activity comes from -legitimate- publishers and -malvertising- ... we observed an -iframe-injection- which redirected from the -hacked- site to a temporary gate...
    Indicators of compromise:
    RIG EK gate: 185.198.164.152
    RIG EK IP address: 188.225.84.28 ..."
    (More detail at the malwarebytes URL above.)

    Last edited by AplusWebMaster; 2017-09-01 at 18:02.
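    Post #1260 describes two page-level lures: the hidden iframe that an injected compromised site uses to bounce visitors to the RIG gate, and the fake "HoeflerText font was not found / update the Chrome Font Pack" page that hands out Win.JSFontlib09.js. The scanner below is an added example, not code from either article or from the poster, that flags both shapes in fetched HTML. The hosts in the constructed sample pages are placeholders rather than the real indicators. One caveat from the post itself: the lure served different content to IE, Firefox and Chrome, so a crawler must fetch with a Chrome User-Agent or the lure text will not be in the response.

```python
"""Scan fetched HTML for a hidden off-site iframe and a fake font-update lure.

Added example, not from the quoted articles. Sample pages and hosts are
constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FONT_LURE_PHRASES = ("font was not found", "font wasn't found", "chrome font pack")


class _Collector(HTMLParser):
    """Collect iframes, anchors and visible text from one HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes, self.links, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_data(self, data):
        self.text.append(data)


def _is_hidden(attrs):
    """True if an iframe is styled or sized so the visitor cannot see it."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = (attrs.get(dim) or "").strip().lower()
        if re.fullmatch(r"0*[01](px)?", val):      # 0 or 1 pixel
            return True
    m = re.search(r"(?:left|top):(-\d+)px", style)  # pushed off-screen
    return bool(m and int(m.group(1)) <= -1000)


def scan_html(html, page_url):
    """Return findings for one fetched page, empty list when clean."""
    page_host = (urlparse(page_url).hostname or "").lower()
    c = _Collector()
    c.feed(html)
    findings = []
    for frame in c.iframes:
        src = frame.get("src") or ""
        src_host = (urlparse(src).hostname or "").lower()
        # An off-site frame the user cannot see is the classic injection.
        if src_host and src_host != page_host and _is_hidden(frame):
            findings.append(f"hidden-offsite-iframe:{src}")
    body = " ".join(c.text).lower()
    if any(p in body for p in FONT_LURE_PHRASES):
        findings.append("font-update-lure-text")
        for href in c.links:      # every link on a lure page is the "update"
            findings.append(f"font-update-lure-link:{href}")
    return findings


# Constructed samples (placeholder hosts) standing in for the two campaigns.
HACKED_PAGE = """<html><body><h1>Shop</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<iframe src="http://gate.example/" width="1" height="1" style="display: none; border: 0"></iframe>
</body></html>"""

LURE_PAGE = """<html><body>
<p>The "HoeflerText" font was not found.</p>
<p>To fix the error and display the text, you have to update the "Chrome Font Pack".</p>
<a href="http://fonts.example/json.php">Update</a>
</body></html>"""

CLEAN_PAGE = "<html><body><p>Hello</p><a href='/about'>About</a></body></html>"

if __name__ == "__main__":
    for name, page, url in (("hacked", HACKED_PAGE, "http://shop.example/index.html"),
                            ("lure", LURE_PAGE, "http://dropbox-lure.example/dropbox.html"),
                            ("clean", CLEAN_PAGE, "http://shop.example/")):
        print(name, scan_html(page, url))
```

    The visible off-site embed in the first sample is left alone on purpose; only the combination of off-site source and hidden presentation is treated as an injection, which keeps ordinary video and widget embeds out of the alert stream.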
