
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1271
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005; Location: USA; Posts: 6,881

    Fake 'Forskolin' SPAM

    FYI...

    Fake 'Forskolin' SPAM - using spoofed email addresses
    - https://myonlinesecurity.co.uk/anoth...ail-addresses/
    22 Sep 2017 - "... malspam campaign again today pushing the crappy, scummy, useless 'Forskolin weight loss' junk... Some subjects in the original emails include (there are hundreds of variants): These pretend to be Facebook notifications about missed private messages or pending notifications:
    You photos that will be deleted in 1 days
    You have notification that will be removed in 5 hours
    For You new message that will be removed in 6 days
    Private message that will be deleted in 3 hours
    You friend that will be deleted in 5 hours
    You have notification that will be deleted in 7 days


    The Hotmail emails look like:
    - https://myonlinesecurity.co.uk/wp-co...ects_email.png

    The original emails look like these:
    - https://myonlinesecurity.co.uk/wp-co.../support_3.png

    - https://myonlinesecurity.co.uk/wp-co.../support_2.png

    - https://myonlinesecurity.co.uk/wp-co.../support_1.png

    The links go to a multitude of -compromised- sites but all eventually end today on
    http ://weight4forlossdiet-4tmz .world/en/caus/forskolin/?bhu=8mczFswKd5ZrUCttf15dChmqRGCWobCch
    (with a different random reference number) where you see a page looking like this:
    > https://myonlinesecurity.co.uk/wp-co...tloss-scam.png
    This shows the importance of having correct authentication set up on your email server with DMARC* reporting, so you know when your email address is being spoofed and used in a mass malspam campaign:
    > https://myonlinesecurity.co.uk/wp-co...c_rejects2.png

    * https://myonlinesecurity.co.uk/anoth...uld-use-dmarc/ "

    weight4forlossdiet-4tmz .world: 192.254.79.249: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/5b...ec06/analysis/

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
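The post's closing point is that DMARC with reporting is what tells you your domain is being spoofed in a campaign like this. The following is an added Python example, not code from the post or from myonlinesecurity.co.uk, that scores a DMARC TXT record on exactly those two properties: an enforcing policy and an aggregate-report (rua) address. Both records are constructed and the function does no DNS lookup; feed it the TXT string you retrieve for `_dmarc.yourdomain`.

```python
"""Assess a DMARC TXT record for an enforcing policy and rua reporting.
Added example with constructed records; performs no DNS lookups."""

# Constructed sample records (not from any real domain).
WEAK_RECORD = "v=DMARC1; p=none"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc-agg@example.invalid; "
                 "ruf=mailto:dmarc-fail@example.invalid; adkim=s; aspf=s")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict. The v= tag must come first (RFC 7489)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"].upper() != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the policy, the report addresses and a list of problems a defender should fix."""
    tags = parse_dmarc(record)
    problems = []

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= tag")
    elif policy == "none":
        problems.append("p=none: spoofed mail is still delivered, only monitored")

    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        problems.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    # Without rua= you never receive the aggregate reports that reveal a spoofing campaign.
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        problems.append("no rua= address: aggregate reports will never arrive")
    elif any(not u.lower().startswith("mailto:") for u in rua):
        problems.append("rua= entries must be mailto: URIs")

    # sp= defaults to p=; an explicit sp=none leaves subdomains open.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        problems.append("sp=none: subdomains are not protected")

    return {"policy": policy, "pct": pct, "reports": rua, "problems": problems}


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, assess_dmarc(rec))
```

The weak record is the common "monitor only, no reports" state; the strong one is the shape that both rejects spoofed mail and delivers the reports the post's screenshot of DMARC rejects comes from.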

  2. #1272
    AplusWebMaster (Adviser Team)

    Fake 'BL copy' SPAM

    FYI...

    Fake 'BL copy' SPAM - RTF exploit delivers malware
    - https://myonlinesecurity.co.uk/fwd-b...liver-malware/
    24 Sep 2017 - "An email with the subject of 'Fwd: BL copy' coming from pedro.estaba@ cindu .com.ve with a malicious word doc attachment delivers malware using the RTF exploit CVE-2017-0199. The word doc is actually an RTF doc. It is highly likely that recipients will get a similar email with different senders and email body content, imitating various innocent companies. These download -multiple- different malwares.
    > https://nvd.nist.gov/vuln/detail/CVE-2017-0199
    Last Modified: 04/12/2017
    CVSS v2 Base Score: 9.3 HIGH

    Screenshot: https://myonlinesecurity.co.uk/wp-co...09/BL-copy.png

    The CVE-2017-0199 exploit was plugged in all supported versions of Microsoft Office back in April 2017, with additional fixes in subsequent Security updates including September 2017. If you have not applied the patches, then simply opening or even just -previewing- these word docs in your email client or windows explorer might be enough to infect you...

    export.doc - Current Virus total detections 24/59[1]. Payload Security[2]. Both Payload Security and manual analysis show a download of an HTA file from
    http ://birsekermasali .com/hta/docs.hta (VirusTotal 15/59[3]) (Payload Security[4]) which contains encoded / encrypted commands to download
    http ://birsekermasali .com/js/boss/payment.exe which is giving a 404.
    I decided to dig around a bit on the open directories on birsekermasali .com and see what I could find. Trying
    http ://birsekermasali .com/js/boss/ gave me a password required prompt, but trying the
    http ://birsekermasali .com/hta/ gave me -2- additional -HTA- files:

    allfiles.hta (VirusTotal 6/58[5]) (Payload Security[6]) which downloads
    http ://birsekermasali .com/js/boss/invoices.exe (VirusTotal 38/65[7]) (Payload Security[8])
    kelly.hta (VirusTotal 14/59[9]) (Payload Security[10]) which downloads
    http ://birsekermasali .com/js/kels/docs.exe (VirusTotal 46/65[11]) (Payload Security[12]) which in turn downloads
    http ://birsekermasali .com/js/kels/dates.exe (VirusTotal 41/59[13]) (Payload Security[14])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/8...is/1506187514/

    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.185.115.14

    3] https://www.virustotal.com/en/file/7...is/1506231952/
    docs[1].hta

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.185.115.14
    74.125.206.106
    162.221.190.147
    209.9.53.57
    69.172.201.153
    198.54.116.113
    213.167.231.2
    112.175.232.227
    23.227.38.64
    121.127.250.125


    5] https://www.virustotal.com/en/file/1...is/1506234023/
    allfiles.hta

    6] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.185.115.14
    74.125.206.106
    162.221.190.147
    209.9.53.57
    69.172.201.153
    198.54.116.113
    213.167.231.2
    112.175.232.227
    23.227.38.64
    121.127.250.125


    7] https://www.virustotal.com/en/file/6...is/1506170974/

    8] https://www.hybrid-analysis.com/samp...ironmentId=100

    9] https://www.virustotal.com/en/file/f...is/1506234037/
    kelly.hta

    10] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.185.115.14
    198.54.115.96


    11] https://www.virustotal.com/en/file/f...is/1506035556/
    output.112274294.txt

    12] https://www.hybrid-analysis.com/samp...ironmentId=100

    13] https://www.virustotal.com/en/file/2...is/1506118256/

    14] https://www.hybrid-analysis.com/samp...ironmentId=100

    birsekermasali .com: 192.185.115.14: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/c0...03a3/analysis/
    > https://www.virustotal.com/en/url/da...7cbc/analysis/

    Last edited by AplusWebMaster; 2017-09-24 at 14:02.

  3. #1273
    AplusWebMaster (Adviser Team)

    Fake 'Voice Message' SPAM

    FYI...

    Fake 'Voice Message' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/fake-...ky-ransomware/
    25 Sep 2017 - "... Locky ransomware.... They are sticking with 'Voice Message' theme again today. It is an email with the subject of 'Message from 02031136950' (random phone number) pretending to come from server@ random number.um .broadviewnet .net. They all come from 'Message Server' and the email address is server@ random number.um .broadviewnet .net...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...2031136950.png

    Voice Message(02031136950).7z: Extracts to: Voice Message(02090039814).vbs - Current Virus total detections 10/58*. Payload Security**. These -vbs- files download from a large number of -compromised- sites. This example contacts
    asheardontheradiogreens .com/YTkjdJH7w1
    tertrodefordown .info/af/YTkjdJH7w1
    artplast .uz/YTkjdJH7w1?
    where a txt file is downloaded. The file is actually a renamed .exe file (VirusTotal 17/65***). With these, if there is a ? at the end of a URL, you get a renamed .txt file. If there is no ? you get an .exe that has no extension... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1506322168/
    Voice Message(02090039814).vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    199.30.241.139

    *** https://www.virustotal.com/en/file/b...is/1506322258/
    YTkjdJH7w1.txt

    asheardontheradiogreens .com: 199.30.241.139: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/cd...05d7/analysis/

    tertrodefordown .info: 49.51.36.73: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/fa...0c52/analysis/

    artplast .uz: 62.209.133.18: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/2e...f65d/analysis/

    Last edited by AplusWebMaster; 2017-09-25 at 19:52.

  4. #1274
    AplusWebMaster (Adviser Team)

    Fake 'eFax and Virgin Media' SPAM

    FYI...

    Fake 'eFax and Virgin Media' SPAM - deliver Dridex
    - https://myonlinesecurity.co.uk/dride...-virgin-media/
    26 Sep 2017 - "... Dridex Banking Trojans being delivered via malspam emails... The 2 that I have looked at so far are:
    'Your Virgin Media bill is ready' coming from Virgin Media <webteam@ virginmedia.smebusinesslink .com>'
    'Corporate eFax message' from “Unknown” – 4 page(s), Caller-ID: 44-161-261-1924 coming from eFax Corporate <message@ efax.inboundcop .com>
    ... the criminals sending these have registered look-a-like or plausible domains: they are actually using subdomains of these domains that make a recipient think that the emails are coming from a “proper” message sending service... The emails are just about identical to those on these 2 pages with the dates and amounts changed:
    smebusinesslink .com on 24th September 2017 using eranet .com as registrar and hosted on OVH 188.165.217.40
    > https://myonlinesecurity.co.uk/fake-...-and-trickbot/
    inboundcop .com on 24th September 2017 using eranet .com as registrar and hosted on OVH 188.165.232.177 ...
    > https://myonlinesecurity.co.uk/fake-...-and-trickbot/

    They are sending these emails from a whole range of IP addresses (all tracking back to various subdomains of the 2 main -fraudulent- domains) under the control of these criminals that pass email authentication for the -fake- domains:
    46.105.101.20
    46.105.101.72
    46.105.101.110
    54.36.192.0/24
    94.23.32.95
    188.165.217.40
    188.165.217.44
    188.165.200.80
    188.165.215.105
    188.165.215.115
    188.165.239.123
    188.165.232.177
    188.165.217.228
    ... The emails are just about identical to those on these 2 pages with the dates and amounts changed:
    > 'Virgin Media Your Virgin Media bill is ready' ... and 'e Fax' ...
    The link in the email goes to a -compromised- or fraudulently-set-up OneDrive for business/SharePoint site where a zip file containing a .js file is downloaded...

    The virgin site is:
    https ://grllen-my.sharepoint .com/personal/misaacs_grllen_com_au/_layouts/15/guestaccess.aspx?docid=0f577514318c64d3a83fdc412856063e6&authkey=AZhzom6O9TOyFzZv4HUJ6zM
    where a .js file is downloaded. That downloads 46.105.102.161 /PDF/Virginmedia_bill_25_09_2017_3 .pdf
    an innocent PDF file of a -genuine- Virgin media bill and displays that while at the same time downloads the Dridex banking Trojan in the background (I cannot determine the actual download location of the Dridex Trojan from the reports)
    Virginmedia_bill_25_09_2017_3.zip: Extracts to: Virginmedia_bill_25_09_2017_3.js
    Current Virus total detections 4/58[1]. Payload Security[2] | Dridex Payload - VirusTotal 13/61[3]|
    Payload Security[4] |

    The eFax site is:
    https ://ucg1-my.sharepoint .com/personal/janet_lau_ucg_co_nz/_layouts/15/guestaccess.aspx?docid=0eab92172e4fb424093bc21e476a6a698&authkey=AT_9AE00prV_R0aRf9HYOtg
    where another js file is downloaded. That also downloads an innocent PDF file from
    188.165.193.38 /PDF/FAX_20170925_1401908954_6.pdf
    saying it is all about the Rural Payments agency and displays that while at the same time downloads the
    -Dridex- banking Trojan in the background
    (I cannot determine the actual download location of the Dridex Trojan from the reports)...:
    FAX_20170925_1401908954_6.zip: Extracts to: FAX_20170925_1401908954_6.js
    Current Virus total detections 7/59[5]: Payload Security[6] | Dridex Payload - VirusTotal 13/61[7] |
    Payload Security[8] |
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/0...is/1506415697/
    Virginmedia_bill_25_09_2017_3.js

    2] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    46.105.102.161
    173.203.123.102
    193.218.145.101
    162.243.137.50
    87.106.219.40


    3] https://www.virustotal.com/en/file/9...is/1506415824/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    173.203.123.102
    193.218.145.101
    162.243.137.50
    87.106.219.40


    5] https://www.virustotal.com/en/file/5...is/1506418921/
    FAX_20170925_1401908954_6.js

    6] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    104.146.230.59
    188.165.193.38
    173.203.123.102
    193.218.145.101
    162.243.137.50
    87.106.219.40


    7] https://www.virustotal.com/en/file/9...is/1506415824/

    8] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    173.203.123.102
    193.218.145.101
    162.243.137.50
    87.106.219.40


    grllen-my.sharepoint .com: 13.107.6.151: https://www.virustotal.com/en/ip-add...1/information/

    ucg1-my.sharepoint .com: 13.107.6.151

    188.165.217.40: https://www.virustotal.com/en/ip-add...0/information/

    188.165.232.177: https://www.virustotal.com/en/ip-add...7/information/

    Last edited by AplusWebMaster; 2017-09-26 at 17:10.

  5. #1275
    AplusWebMaster (Adviser Team)

    Fake 'UPS' SPAM, Email credential phish, JavaScript - Stealer

    FYI...

    Fake 'UPS' SPAM - tries to deliver malware
    - https://myonlinesecurity.co.uk/fake-...liver-malware/
    27 Sep 2017 - "... malware downloaders... an email with the subject of 'UPS Ship Notification, Tracking Number 1Z51322Y3483221007' (random numbers) pretending to come from UPS Quantum View <pkginfo26@ ups .com> (random pkginfo numbers)...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...3483221007.png
    ... following the link gives you a webpage looking like one of these screenshots; pressing login does different things or -nothing- depending on the site:
    > https://myonlinesecurity.co.uk/wp-co...S_tracking.png

    This is a slightly more complicated infection chain than usual. There are -dozens- of different sites in the emails -hidden- behind the shipment details link. A lot of them don’t do anything except display a -fake- UPS website. Some however are connecting via an -iframe- to download
    http ://rateventrithathen .info/track.php which gave me TRACK-1Z68725Y5236890147.js
    Current Virus total detections 2/59*. Payload Security** | Joe Security***
    Neither online sandbox retrieved any payload, whether the sites are blocked or the JS is VM aware is unknown... The basic rule is NEVER open any attachment or link in email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1506504272/
    TRACK-1Z68725Y5236890147.js

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    49.51.36.73

    *** https://jbxcloud.joesecurity.org/analysis/378185/1/html

    rateventrithathen .info: 49.51.36.73: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/39...64cf/analysis/
    ___

    Email credential phish...
    - https://myonlinesecurity.co.uk/email...invoice-scams/
    27 Sep 2017 - "... seeing a series of “attacks” using Adobe as the lure. So far I have seen 2 different ones...

    Screenshot:
    1] https://myonlinesecurity.co.uk/wp-co...ment-email.png
    This email has a genuine PDF attachment with a link to http ://bit .ly/2wTMuYg which will -redirect- you to
    http ://cloudy-exch .pw/invoice/update.HTML. There is a warning on the bit.ly page that alerts to it being a phishing or malware site but will -still- allow you to visit the page by clicking-the-link:
    > https://myonlinesecurity.co.uk/wp-co...tement_pdf.png
    ... However downloading the html file will open in Firefox only on the computer.
    The page looks like this:
    > https://myonlinesecurity.co.uk/wp-co...text_adobe.png
    ... where -if- you enter any details and press submit, you are redirected to https ://drive.google .com/file/d/0BxKSeHpNweSsWldNaGpUMDlHWW8/view
    ... where you see this -fake- statement:
    > https://myonlinesecurity.co.uk/wp-co...ogle_drive.png

    The next -phishing-scam- works right out of the box with no effort:
    2] https://myonlinesecurity.co.uk/wp-co...ice-Urgent.png
    This PDF attachment looks like:
    > https://myonlinesecurity.co.uk/wp-co...-Order_pdf.png
    Where -if- you follow the link you go to
    https ://app-onlinedoc.000webhostapp .com/Inv-47654345584.php?code=2000500 where you see:
    > https://myonlinesecurity.co.uk/wp-co...adobe_scam.png
    Entering details tries to -redirect- you to
    http ://alliancecr .com/skd/xendr.php, where I get a 404 page not found (a quick look up shows the site registered by Godaddy in 2001, the DNS is managed by Cloudflare and there is no site found, so it is highly likely that Cloudflare have null routed the DNS already)... A quick look at the source code of the 000webhost page shows that it appears to try to send the information via Googlemail... Update: within minutes of reporting the 000webhost site, it was taken down. That is fast abuse response. I wish all webhosts were so quick and efficient..."

    cloudy-exch .pw: 185.158.249.100: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/5a...37b8/analysis/

    app-onlinedoc.000webhostapp .com: 145.14.145.6: https://www.virustotal.com/en/ip-add...6/information/

    alliancecr .com: Could not find an IP address for this domain name...
    ___

    JavaScript and Stealer DLL Variant in New Attacks
    - http://blog.talosintelligence.com/20...7-stealer.html
    Sep 27, 2017 - "... a newly discovered -RTF- document family that is being leveraged by the FIN7 group (also known as the Carbanak gang) which is a financially-motivated group targeting the financial, hospitality, and medical industries. This document is used in -phishing- campaigns to execute a series of scripting languages containing multiple obfuscation mechanisms and advanced techniques to bypass traditional security mechanisms. The document contains messages enticing the user to click on an embedded object that executes scripts which are used to infect the system with an information stealing malware variant. This malware is then used to steal passwords from popular browsers and mail clients which are sent to remote nodes that are accessible to the attackers... The dropper variant that we encountered makes use of an LNK file to execute wscript.exe with the beginning of the JavaScript chain from a word document object...
    Command and Control IPs"
    104.232.34.36: https://www.virustotal.com/en/ip-add...6/information/
    5.149.253.126: https://www.virustotal.com/en/ip-add...6/information/
    185.180.197.20: https://www.virustotal.com/en/ip-add...0/information/
    195.54.162.79: https://www.virustotal.com/en/ip-add...9/information/
    31.148.219.18: https://www.virustotal.com/en/ip-add...8/information/
    (More detail at the talosintelligence URL above.)

    Last edited by AplusWebMaster; 2017-09-27 at 22:13.

  6. #1276
    AplusWebMaster (Adviser Team)

    Fake 'Scan xxx' SPAM

    FYI...

    Fake 'Scan xxx' SPAM - Necurs sent Locky/Trickbot
    - https://myonlinesecurity.co.uk/necur...on-techniques/
    28 Sep 2017 - "... malware downloaders coming from the necurs botnet... email with the subject of 'Emailing: Scan0253' (random numbers) pretending to come from random names at your-own-email-address or company domain. Today they have changed delivery method and will give either Locky Ransomware or Trickbot banking Trojan depending on your IP address and country of origin...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...very-email.png

    Scan0253.7z: Extracts to: Scan0277.vbs - Current Virus total detections 11/59*. Payload Security** |
    In this particular VBS example there were 6 hard coded urls
    “geeks-online .de/9hciunery8g?”,
    “freevillemusic .com/9hciunery8g?” (VirusTotal 9/65[3]) (Payload Security[4]) Looks like Trickbot
    “anarakdesert .com/LUYTbjnrf?”,
    “americanbulldogradio .com/LUYTbjnrf?”
    “sherylbro .net/p66/LUYTbjnrf” (VirusTotal 20/65[5]) (Payload Security[6]) This one is Locky
    “poemsan .info/p66/d8743fgh” - Also Locky but a different file hash (VirusTotal 39/64[7]) (Payload Security[8])
    The lookup services used are: “https ://ipinfo .io/json”,
    “http ://www.geoplugin .net/json.gp”,
    “http ://freegeoip .net/json/”
    Update: thanks to Racco42[9] we have full list of currently known URLs posted on Pastebin[10]...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1506589221/
    Scan0277.vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.239.38.21
    178.237.36.10
    205.204.66.82


    3] https://www.virustotal.com/en/file/0...is/1506589359/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    5] https://www.virustotal.com/en/file/4...is/1506589526/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    7] https://www.virustotal.com/en/file/3...is/1506591639/

    8] https://www.hybrid-analysis.com/samp...ironmentId=100

    9] https://twitter.com/Racco42/status/913339950015373312

    10] https://pastebin.com/ahfN337m

    > http://blog.dynamoo.com/2017/09/malw...0xxx-from.html
    28 Sep 2017 - "This -fake- 'document scan' delivers different malware depending on the victim's location...
    ... All these recent attacks have used .7z archive files which would require 7zip or a compatible program to unarchive. Most decent mail filtering tools should be able to block -or- strip this extension, more clever ones would be able to determine that there is a .vbs script in there and block on that too."

    Last edited by AplusWebMaster; 2017-09-28 at 14:57.
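Dynamoo's closing remark above is a concrete filtering rule: block or strip .7z attachments, and for archives you can open, look inside for the .vbs. The following is an added Python example, not code from the post, from Dynamoo or from any gateway product, of that policy applied to mail attachments. The block lists are assumptions; the archives it runs on are constructed in memory (the "7z" sample is just the 7z signature bytes, since the standard library cannot open 7z archives, which is exactly why the rule blocks them on sight). It decides on the declared filename and on the bytes, so a 7z renamed to .txt is still caught.

```python
"""Mail-gateway style attachment check: block .7z outright, inspect zips for script members.
Added example; the policy lists are assumptions, not from any product."""
import io
import os
import zipfile

# Extensions blocked on sight: archive types this gateway cannot inspect, plus direct executables.
BLOCKED_EXTENSIONS = {".7z", ".uue", ".exe", ".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".scr"}
# Members that turn an otherwise allowed zip into a blocked one.
DANGEROUS_MEMBER_EXTENSIONS = {".exe", ".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".scr", ".lnk"}

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"   # 37 7A BC AF 27 1C
ZIP_MAGIC = b"PK\x03\x04"


def _ext(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def check_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason); verdict is 'block' or 'allow'.
    Checks the declared name first, then the content, so renaming does not bypass the rule."""
    ext = _ext(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension {ext} is on the block list"
    if data.startswith(SEVEN_ZIP_MAGIC):
        return "block", "7z archive by magic bytes (cannot be inspected here)"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if _ext(info.filename) in DANGEROUS_MEMBER_EXTENSIONS:
                        return "block", f"zip contains script/executable member {info.filename}"
        except zipfile.BadZipFile:
            return "block", "zip header present but archive is unreadable"
        return "allow", "zip with no script members"
    return "allow", "no archive or script indicators"


def _constructed_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} for the demo (constructed, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the shapes seen in the post (names only; contents are placeholders).
SAMPLES = {
    "Scan0253.7z": SEVEN_ZIP_MAGIC + b"\x00" * 32,
    "Scan0253.zip": _constructed_zip({"Scan0277.vbs": b"' harmless placeholder text"}),
    "report.zip": _constructed_zip({"report.pdf": b"%PDF-1.4 placeholder"}),
    "scan.PDF": b"%PDF-1.4 placeholder",
    "invoice.txt": SEVEN_ZIP_MAGIC + b"\x00" * 32,   # a 7z renamed to .txt
}


def run_samples() -> dict:
    """Verdict per sample name, for a quick self-check."""
    return {name: check_attachment(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *check_attachment(name, data))
```

A production filter would also recurse into nested zips and apply the same member check to other container types it can open; the point here is the two-tier decision (uninspectable archive type: block; inspectable archive: block on member extension).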

  7. #1277
    AplusWebMaster (Adviser Team)

    Fake 'invoice', 'Office 365 invoice', 'order' SPAM

    FYI...

    Fake 'invoice' SPAM - deliver Locky/Trickbot
    - https://myonlinesecurity.co.uk/anoth...large-js-file/
    29 Sep 2017 - "... Locky downloaders... an email with a blank/empty subject pretending to come from random names and email addresses. The body content pretends to be an 'invoice' notification. There are -no- attachments with these emails but a link-in-the-email-body goes to various -compromised- sites to download a .js file. As far as I can tell the actual Locky payload is -embedded- inside the .js file. For some strange reason the js file is named voicemsg_random numbers.js which would indicate that this was intended or has also been used in a voice message scam attempt to deliver Locky as well. The other strange thing in this campaign is the url in the body. All the ones I received are broken and start with 'ttp://' but looking at the mailscanner on my server they look -normal- with a -complete- html and start with the proper 'http://'...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...nk-subject.png

    voicemsg_088436.js - 410.7 KB (420558 bytes) - Current Virus total detections 5/59*. Payload Security**
    | drops 1102.exe 298.0 KB (305152 bytes) - VirusTotal 14/65[3] - Payload Security[4].
    Nothing is actually detecting these as -Locky- Ransomware and in fact some AV on VirusTotal detect as -Cerber- Ransomware. I am only calling these Locky based on the moroplinghaptan .info/eroorrrs post request (giving a 404) shown in the Payload Security report. This has been a strong Indicator-of-Compromise (IOC) for Locky recently.
    > Update: I am reliably informed that it depends on your IP address and location what malware you get. You will either get -Locky- Ransomware or -Trickbot- banking Trojan embedded inside the .js file.
    Some of the download sites in the emails include:
    http ://resortphotographics .com/invoice.html
    http ://somallc .com/invoice.html
    http ://pinkyardflamingos .com/invoice.html
    http ://agregate-cariera .ro/invoice.html
    http ://sgtenterprises .com/invoice.html
    http ://weloveflowers .co.uk/invoice.html
    They all use an -iframe- to actually download from
    http ://moroplinghaptan .info/offjsjs/ - This site has been used in a later Locky campaign today that was spoofing voicemessages...
    The basic rule is NEVER open any attachment or -link- in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1506691940/
    voicemsg_088436.js

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    49.51.133.167
    216.58.213.174


    3] https://www.virustotal.com/en/file/3...is/1506692289/
    1102.exe

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    moroplinghaptan .info: 49.51.133.167: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/47...a588/analysis/
    ___

    Fake 'Office 365 invoice' - delivers Locky
    - https://myonlinesecurity.co.uk/fake-...ky-ransomware/
    29 Sep 2017 - "The 3rd version I have seen today... Locky downloaders has gone back to a traditional zip (7z) attachment containing a vbs file. This is an email pretending to be an 'Office 365 Invoice' with the subject of 'Invoice' pretending to come from the -same-name- that is in the recipient field. Random names & email addresses...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...voice_O365.png

    604173.7z: Extracts to: Invoice_930546166795.vbs - Current Virus total detections 10/58*. Payload Security**
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1506683968/

    ** https://www.virustotal.com/en/file/8...is/1506683968/
    Contacted Hosts
    185.57.172.213: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake 'order' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    29 Sep 2017 - "... malware today, all using -different- or unusual delivery methods. This next example is about an order confirmation. The attachment is a .uue attachment. Winzip says it can open .UUE files but only extracted a -garbled- encrypted/encoded txt file. Universal extractor extracted a working .exe file...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...rder_email.png

    order290917.uue: (virusTotal 4/58*) - Extracts to: order290917.exe - Current Virus total detections 14/64**
    Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1506681970/
    order290917.uue

    ** https://www.virustotal.com/en/file/3...is/1506696900/
    order290917.exe

    *** https://www.hybrid-analysis.com/samp...ironmentId=100

    Last edited by AplusWebMaster; 2017-09-29 at 22:02.

  8. #1278
    AplusWebMaster (Adviser Team)

    Fake 'order' SPAM

    FYI...

    Fake 'order' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/anoth...ivers-malware/
    2 Oct 2017 - "An email with the subject of 'Fwd: Re: Order' pretending to come from info@ anashin .am with a malicious word doc attachment delivers malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co..._doc_email.png

    Order0210177.doc - Current Virus total detections 15/58*. Payload Security** downloads
    http ://birsekermasali .com/hta/gen.hta (VirusTotal 15/57[3]) (Payload Security[4]) which in turn downloads
    http ://birsekermasali .com/css_files/gen/quote.exe (VirusTotal 25/66[5]) (Payload Security[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1506949614/
    Order0210177.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    192.185.115.14

    3] https://www.virustotal.com/en/file/4...is/1506968237/
    gen.hta

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.185.115.14
    198.187.29.143


    5] https://www.virustotal.com/en/file/4...is/1506967286/
    quote.exe

    6] https://www.hybrid-analysis.com/samp...ironmentId=100

    birsekermasali .com: 192.185.115.14: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/e3...43f3/analysis/

    > https://www.virustotal.com/en/url/dd...6ef3/analysis/


  9. #1279
    AplusWebMaster (Adviser Team)

    Fake 'FedEx', 'Shipping', 'Cash Statement' SPAM

    FYI...

    Fake 'FedEx' SPAM - leads to info stealer
    - https://isc.sans.edu/diary/rss/22888
    2017-10-03 - "... On Monday 2017-10-02, I ran across malicious spam (malspam) pushing Formbook, an information stealer. Arbor Networks has a good article about Formbook here:
    > https://www.arbornetworks.com/blog/a...-form-grabber/
    ... The email is disguised as a 'FedEx delivery notice'. It has a-link-to-a-compromised-website that's hosting malware. The link points to a supposed document for this fake delivery:
    > https://isc.sans.edu/diaryimages/ima...y-image-01.jpg
    Clicking on-the-link (DON'T) returned a RAR archive. The RAR archive contains a Windows executable that's poorly-disguised as some sort of receipt... indicators seen during the infection from Formbook malspam on Monday 2017-10-02:
    Email:
    Date/Time: 2017-11-02 at 14:23 UTC
    Subject: Re: Alert: FedEx OFFICE Delivery® ... 17-10-02, at 07:22:11 AM BA
    From: "DOCUMENT2017" <gifcos@ tutanota.com>
    Link from the email: hxxps ://superiorleather .co.uk/Receipt.r22

    Traffic seen when retrieving the RAR archive:
    185.46.121.66 [1] port 443 - superiorleather .co.uk - GET /Receipt.r22 ..."
    1] 185.46.121.66: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/97...6369/analysis/
    Post-infection traffic:
    47.90.52.201 port 80 - www .shucancan .com - GET /ch/?id=[80 character ID string]
    52.87.61.120 port 80 - www .ias39 .com - GET /ch/?id=[80 character ID string]
    66.206.43.242 port 80 - www .fairwaytablet .com - GET /ch/?id=[80 character ID string]
    103.38.43.236 port 80 - www .chunsujiayuan .com - GET /ch/?id=[80 character ID string]
    104.250.134.156 port 80 - www .ebjouv .info - GET /ch/?id=[80 character ID string]
    104.31.80.135 port 80 - www .dailyredherald .com - GET /ch/?id=[80 character ID string]
    153.92.6.50 port 80 - www .beykozevdenevenakliyatci .com - GET /ch/?id=[80 character ID string]
    162.242.173.39 port 80 - www .238thrift .com - GET /ch/?id=[80 character ID string]
    180.178.39.66 port 80 - www .et551 .com - GET /ch/?id=[80 character ID string]
    195.154.21.65 port 80 - www .lesjardinsdemilady .com - GET /ch/?id=[80 character ID string]
    198.54.114.238 port 80 - www .prfitvxnfe .info - GET /ch/?id=[80 character ID string]
    199.34.228.59 port 80 - www .craigjrspestservice .com - GET /ch/?id=[80 character ID string]

    162.242.173.39 port 80 - www .238thrift .com - POST /ch/
    198.54.114.238 port 80 - www .prfitvxnfe .info - POST /ch/ "
    (More detail @ the isc URL above.)

    > http://www.malware-traffic-analysis..../03/index.html
    ___

    Fake 'Shipping' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    3 Oct 2017 - "... an email with the subject of 'Re: Shipping arrangement process' pretending to come from Valero .com but coming from Anna Brugt <dhen.ordonez@ ritetrend .com.ph>...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...nt-process.png

    There is a-link-in-the-email body to
    http ://www.oysterpublicschool .com//hy/reciept/_outputC9E322F.exe which gives a 404,
    but there is also a RAR attachment with a file of the same name. It is highly likely that other versions of this email will have a different download link, that might be active.

    _outputC9E322F.rar: Extracts to: _outputC9E322F.exe - Current Virus total detections 15/66*. Payload Security**
    The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1507051011/
    _outputC9E322F.exe

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    109.169.89.11

    oysterpublicschool .com: 192.185.115.66: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'Cash Statement' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/cash-...ivers-malware/
    3 Oct 2017 - ... Malware downloaders... an email with the subject of 'Cash Statement of Account 10/03/2017' coming from Front Desk <reception@ st-timsrc .org>...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...10-03-2017.png

    The email has a pdf attachment with a link to
    https ://goo .gl/4tzM3b which redirects to
    http ://uae-moneyremit .top/plugins/cfare.html where you see a page like this asking you to install a plugin to view the page:
    > https://myonlinesecurity.co.uk/wp-co...gin_needed.png

    Pressing install will download
    https ://www.dropbox .com/s/piw5k38lytremqz/firefoxplugin_install.exe (VirusTotal 13/64*) (Payload Security**)

    We have had a series of these emails recently; the one on 28 September 2017 was 'DAY END CASH PAYMENT REPORT AS ON 28/09/2017', which delivered fxplugin_install.exe (VirusTotal 44/65[3]) (Payload Security[4]) and was the NetWire RAT...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1507058018/
    firefoxplugin_install.exe

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    5.206.227.248

    3] https://www.virustotal.com/en/file/2...is/1506917666/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    85.159.233.23

    Last edited by AplusWebMaster; 2017-10-03 at 23:13.
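
The Formbook post-infection traffic listed in the ISC diary above has a very recognisable shape: one client sends GET /ch/?id=<80-character ID> to a dozen different hosts (decoys plus the real C2) and then POST /ch/ to the ones that answer. The following is an added example of my own, not code from the ISC diary, the forum post or Formbook itself. It assumes a simple space-separated proxy log layout and an ID alphabet of "anything but & or whitespace" (the page gives only the length); the log lines are constructed for the demo, with a few hosts copied from the diary's list in the thread's defanged notation.

```python
"""Detect the Formbook check-in shape quoted in the ISC diary over proxy logs."""
import re
from collections import defaultdict
from typing import Dict, List

# The diary lists GET /ch/?id=<80 character ID> to many hosts from one client,
# then POST /ch/. The alphabet of the ID is not stated on the page; [^&\s]{80}
# is an assumption.
GET_CHECKIN = re.compile(r"^/ch/\?id=[^&\s]{80}$")
POST_PATH = "/ch/"

# Hosts copied from the diary's post-infection list, in the thread's defanged form.
DEFANGED_IOCS = ["www .238thrift .com", "www .prfitvxnfe .info", "www .shucancan .com"]

# Constructed sample proxy log (not from the diary). Assumed layout:
# "<timestamp> <client_ip> <method> <host> <path> <status>"
ID80 = "b" * 80
SAMPLE_PROXY_LOG = f"""\
2017-10-02T14:31:02Z 10.0.0.23 GET www.example-news.test /index.html 200
2017-10-02T14:31:05Z 10.0.0.23 GET www.example-shop.test /ch/?id=aB3xYz 200
2017-10-02T14:31:09Z 10.0.0.23 GET www.example-shop.test /ch/?id={ID80} 404
2017-10-02T14:31:12Z 10.0.0.23 POST www.example-shop.test /ch/ 200
2017-10-02T14:31:15Z 10.0.0.23 GET www.example-cdn.test /ch/?id={ID80} 200
2017-10-02T14:31:20Z 10.0.0.23 GET www.example-cdn.test /ch/?id={ID80} 200
2017-10-02T14:31:25Z 10.0.0.23 POST www.example-cdn.test /ch/ 200
2017-10-02T14:31:30Z 10.0.0.23 POST www.238thrift.com /ch/ 200
2017-10-02T14:32:00Z 10.0.0.44 GET www.example-news.test /ch/?id={ID80} 200
2017-10-02T14:32:05Z 10.0.0.44 GET www.example-news.test /about.html 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def refang(indicator: str) -> str:
    """Turn the thread's defanged notation (hxxp, 'http ://', 'www .host .tld',
    '[.]') back into a usable indicator."""
    s = indicator.strip()
    s = re.sub(r"^h(?:xx|tt)p(s?)\s*:\s*//", r"http\1://", s, flags=re.IGNORECASE)
    return re.sub(r"\s*\[?\.\]?\s*", ".", s)


def parse_log(text: str) -> List[dict]:
    """Parse the assumed proxy log layout; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def find_formbook_checkins(rows: List[dict], min_hosts: int = 3) -> Dict[str, dict]:
    """Per client: hosts that received the 80-char GET and hosts that received
    POST /ch/. A client is flagged when it fans the same beacon out to at least
    min_hosts distinct hosts, or when a GET beacon is followed by a POST /ch/."""
    per_src = defaultdict(lambda: {"get_hosts": set(), "post_hosts": set()})
    for r in rows:
        if r["method"] == "GET" and GET_CHECKIN.match(r["path"]):
            per_src[r["src"]]["get_hosts"].add(r["host"])
        elif r["method"] == "POST" and r["path"] == POST_PATH:
            per_src[r["src"]]["post_hosts"].add(r["host"])
    alerts = {}
    for src, d in per_src.items():
        if len(d["get_hosts"]) >= min_hosts or (d["get_hosts"] and d["post_hosts"]):
            alerts[src] = {"get_hosts": sorted(d["get_hosts"]),
                           "post_hosts": sorted(d["post_hosts"])}
    return alerts


def match_watchlist(rows: List[dict], defanged: List[str]) -> Dict[str, List[str]]:
    """Clients that contacted any host on the (refanged) watchlist."""
    watch = {refang(h).lower() for h in defanged}
    hits = defaultdict(set)
    for r in rows:
        if r["host"].lower() in watch:
            hits[r["src"]].add(r["host"])
    return {src: sorted(h) for src, h in hits.items()}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_PROXY_LOG)
    print("beacon shape:", find_formbook_checkins(rows))
    print("watchlist hits:", match_watchlist(rows, DEFANGED_IOCS))
```

The behavioural rule (same path shape to several unrelated hosts, then a POST to the same path) keeps working when the operator rotates domains, which a pure watchlist does not; the watchlist is still worth running because a hit on a known host is a cheap, high-confidence confirmation.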

    #1280 - AplusWebMaster (Adviser Team)

    Thumbs down Fake 'Copy of invoice', 'Payment Confirmation' SPAM

    FYI...

    Fake 'Copy of invoice' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/fake-...ky-ransomware/
    4 Oct 2017 - "... Locky downloaders... an email with the subject of 'Copy of invoice A5165059014. Please find your invoice attached' pretending to come from online@ screwfix .com...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-attached.png

    InvoiceA5165059014.7z: Extracts to: Invoice558727316499528791952132.vbs - Current Virus total detections 6/59*
    Payload Security** downloads from one of these hard-coded locations in this vbs. (There will be numerous others):
    "spazioireos .it/8etyfh3ni?",
    "derainlay .info/p66/8etyfh3ni",
    "turfschiploge .nl/8etyfh3ni?" (VirusTotal 16/65[3])...

    > Update: current list of known download sites PASTEBIN(a) thanks to Racco42(b)
    a) https://pastebin.com/ajXf4k0f
    b) https://twitter.com/Racco42

    The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1507106667/
    Invoice558727316499528791952132.vbs

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    81.29.205.233

    3] https://www.virustotal.com/en/file/7...is/1507107227/

    spazioireos .it: 81.29.205.233: https://www.virustotal.com/en/ip-add...3/information/

    derainlay .info: https://en.wikipedia.org/wiki/Fast_flux

    turfschiploge .nl: 46.235.43.11: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Payment Confirmation' SPAM - delivers java adwind
    - https://myonlinesecurity.co.uk/fake-...s-java-adwind/
    4 Oct 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments or -links- to download them. I have previously mentioned many of these HERE[1]...
    1] https://myonlinesecurity.co.uk/?s=java+adwind

    Screenshot: https://myonlinesecurity.co.uk/wp-co...nfirmation.png

    Xpress Money Payment Confirmation.jar (462kb) - Current Virus total detections 16/62*. Payload Security**...
    All the links-in-the-email (including the -image- of an XLS file) go to the-same-url (guaranteed to be a compromised site), where all the site content is now about QTUM, a -bitcoin- exchange (I have been seeing several compromised malware delivery sites recently with all their content changed to the QTUM content), to download a zip file:
    http ://restaurantelburladero .com/Xpress Money Payment Confirmation.z (.z is a file extension that many unzipping utilities will extract from, although not commonly used)... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1507035357/
    Scan 2017100323 114727.xls Here.JAR

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.58.209.238

    restaurantelburladero .com: 5.2.88.79: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/a5...fc97/analysis/
    ___

    'Dnsmasq' - multiple vulnerabilities
    > https://www.helpnetsecurity.com/2017...dnsmasq-flaws/
    Oct 3, 2017
    > https://www.kb.cert.org/vuls/id/973527
    2 Oct 2017
    > http://www.securitytracker.com/id/1039474
    Oct 2 2017

    Last edited by AplusWebMaster; 2017-10-04 at 22:17.
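
The attachments in the last two posts share one trick: the dangerous file is wrapped in an archive whose outer name does not say so (a .7z holding a .vbs, a .rar holding an .exe, a .jar, and a ".z" that most unzip tools open anyway). A mail gateway that decides by outer extension misses all of these; it has to sniff the container bytes and look at the members. The following triage routine is an added example of my own, not code from the forum, from myonlinesecurity.co.uk or from any gateway product. The blocked-extension list is an assumed policy, the sample archives are constructed in memory with the standard library, and RAR/7z are rejected unopened because the standard library cannot read them (an assumed policy choice, not the only one).

```python
"""Triage a mail attachment by container magic and member names, not by outer extension."""
import io
import os
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed gateway policy: file types that should never arrive by mail, bare or
# inside an archive. Not a list from the page.
BLOCKED_EXT = {".exe", ".scr", ".vbs", ".js", ".jse", ".wsf", ".hta", ".jar",
               ".ps1", ".bat", ".cmd"}

# Container signatures: ZIP local file header, RAR (v4 and v5 share this prefix), 7z.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def sniff_container(data: bytes) -> str:
    """Identify the container from its leading bytes; the filename is ignored."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


@dataclass
class Verdict:
    filename: str
    container: str
    members: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

    @property
    def block(self) -> bool:
        return bool(self.reasons)


def triage_attachment(filename: str, data: bytes) -> Verdict:
    """Return a Verdict whose reasons list is non-empty when the attachment
    should be held. ZIP-based containers (including .z and .jar) are opened and
    every member's extension checked, so 'receipt.pdf.exe' inside 'receipt.z'
    is caught. RAR and 7z are rejected unopened (assumed policy)."""
    kind = sniff_container(data)
    v = Verdict(filename=filename, container=kind)
    outer_ext = os.path.splitext(filename)[1].lower()

    if outer_ext in BLOCKED_EXT:
        v.reasons.append(f"attachment type {outer_ext} is blocked outright")

    if kind in ("rar", "7z"):
        v.reasons.append(f"{kind} archive cannot be inspected here; rejecting")
    elif kind == "zip":
        if outer_ext not in (".zip", ".jar"):
            v.reasons.append(f"zip data behind extension {outer_ext or '(none)'}")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                v.members.append(info.filename)
                ext = os.path.splitext(info.filename)[1].lower()
                if ext in BLOCKED_EXT:
                    v.reasons.append(f"member {info.filename!r} has blocked type {ext}")
    return v


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed sample archive for the demo (a stand-in for a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples modelled on the attachments named in the posts.
    samples = {
        "InvoiceA5165059014.z": build_zip({"Invoice558727316499528791952132.vbs": b"WScript.Echo 1"}),
        "_outputC9E322F.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
        "Xpress Money Payment Confirmation.jar": build_zip({"a.class": b"\xca\xfe\xba\xbe"}),
        "report.zip": build_zip({"report.pdf": b"%PDF-1.4"}),
    }
    for name, blob in samples.items():
        v = triage_attachment(name, blob)
        print(f"{name}: {'BLOCK' if v.block else 'pass'} {v.reasons}")
```

Magic-byte sniffing is what makes the ".z" case work: the gateway never has to know that a given unzip utility happens to accept that extension. Office documents with macros (the other delivery method in this thread) need a separate check on the OLE/OOXML structure and are out of scope for this routine.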
