Fake 'Invoice', 'Incoming Docs' SPAM, Locky ransomware campaign
FYI...
Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-...ky-ransomware/
4 Sep 2017 - "... Locky downloader... an email with the subject of 'Invoice INV-000379' from Property Lagoon Limited for Gleneagles Equestrian Centre (random numbers) pretending to come from a random name that matches the name in the email body but appearing to come from messaging-service@ post.xero .com...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ian-Centre.png
Invoice INV-000379.7z: Extracts to: INV-000626.vbs - Current Virus total detections 13/59*. Payload Security**
Locky download (VirusTotal ***). These all have a 7z attachment and a link-in-email-body to download the zip. The invoice amounts are random as well.... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/e...is/1504521374/
INV-000626.vbs
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
clubdeautores .es: 91.121.165.214
*** https://www.virustotal.com/en/file/3...is/1504516547/
BSmIimqLX.exe
___
Fake 'Invoice' SPAM - delivers Globeimposter ransomware
- https://myonlinesecurity.co.uk/fake-...er-ransomware/
4 Sep 2017 - "... an email with the subject of '45653946 – True Telecom Invoice for August 2017' (random numbers) pretending to come from billing@ true-telecom .com. This is coming via the Necurs botnet but instead of delivering Locky today, this 2nd malspam run is delivering Globeimposter ransomware... In the same way that today’s earlier malspam run that delivered Locky ransomware[1], these have a-link-in-the-body to download the zip and a zip (7z) attachment as well...
1] https://myonlinesecurity.co.uk/fake-...ky-ransomware/
Screenshot: https://myonlinesecurity.co.uk/wp-co...ugust-2017.png
2017-08-45653946-Bill.7z: 2017-08-41840179-Bill.vbs - Current Virus total detections 8/57*. Payload Security**
Another version (VirusTotal 10/58***) | (Payload Security[4]) | downloaded & xor’d binary - VirusTotal 18/64[5] | Payload Security[6]...
The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1504533698/
2017-08-41840179-Bill.vbs
** https://www.hybrid-analysis.com/samp...ironmentId=100
DNS Requests
world-tour2000 .com: 103.53.172.3
naturofind .org: 85.192.177.103
www .world-tour2000 .com: 103.53.172.3
proyectogambia .com: 87.106.65.247
*** https://www.virustotal.com/en/file/b...4b3b/analysis/
2017-08-92918095-Bill.vbs
4] https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
49.50.240.107
5] https://www.virustotal.com/en/file/b...6f47/analysis/
zojzoefi.exe
6] https://www.hybrid-analysis.com/samp...ironmentId=100
___
Fake 'Incoming Docs' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/more-...vers-trickbot/
4 Sep 2017 - "An email with the subject of 'Important: Incoming BACs Documents' pretending to come from NatWest Bank but actually coming from a look-a-like domain Natwest <message@ natwestbacs .co.uk> or Natwest <message@ natwestbacs .com> with a password protected malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-co...ed-NatWest.png
SecureMessage.doc - Current Virus total detections 5/55*. Payload Security** | JoeSandBox***
This malware file downloads from
http ://6-express .ch/ser.png which of course is -not- an image file but a renamed .exe file that gets renamed to execute.exe (VirusTotal [4]). An alternative download location is
http ://checkpointsystems .de/ser.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-co..._bacs_docs.png
DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/4...is/1493724795/
SecureMessage.doc
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86
*** https://jbxcloud.joesecurity.org/analysis/355644/1/html
4] https://www.virustotal.com/en/file/e...is/1504524050/
ser.png
6-express .ch: 77.236.96.52: https://www.virustotal.com/en/ip-add...2/information/
> https://www.virustotal.com/en/url/7e...429f/analysis/
checkpointsystems .de: 87.106.183.214: https://www.virustotal.com/en/ip-add...4/information/
___
Locky ransomware campaign
- https://www.helpnetsecurity.com/2017...ns-new-tricks/
Sep 1, 2017 - "... the newest variant adds the .lukitus extension to the encrypted files:
> https://www.helpnetsecurity.com/imag...y-appriver.jpg
... AppRiver researchers explained*. The malware arrives in inboxes attached to emails with vague subject lines like “please print”, “documents”, “scans”, “images”, and so on, And, unfortunately for those who get infected, there are no publicly shared methods to reverse this Locky strain. The crooks behind this malware campaign are asking 0.5 Bitcoin to deliver the decryption key..."
* https://blog.appriver.com/2017/08/lo...acks-increase/
Aug 30, 2017 - "... In the past 24 hours we have seen over 23-million-messages sent in this attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017... a massive malicious email campaign began attempting to reach their inboxes. A large spike in malware traffic began this morning just after 7 am CST... The emails utilized one of the following subject lines:
please print
documents
photo
images
scans
pictures
Each message comes with a ZIP attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary ZIP file..."
> https://blog.appriver.com/2017/05/yo...at-ransomware/
