
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #321
    AplusWebMaster (Adviser Team) - joined Oct 2005, USA, 6,881 posts

    Fake iPhone emails, Snapchat downloads ...

    FYI...

    Fake ‘Sent from my iPhone’ themed emails - expose users to malware
    - http://www.webroot.com/blog/2013/11/...users-malware/
    Nov 19, 2013 - "Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that’s been “Sent from an iPhone”. The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we’ve been monitoring for a while, to attempt to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign. Detection rate for the spamvertised attachment: MD5: 46e077f058f5a6eddee3c851f8e56838 – * ... Trojan.Win32.Neurevt.jl; Trojan:Win32/Neurevt.A... Once executed, the sample attempts to contact the following C&C servers:

    next to the well known by now, networksecurityx.hopto .org (1) a C&C host..."
    * https://www.virustotal.com/en/file/5...is/1384441224/

    Diagnostic page for hopto .org
    1) http://google.com/safebrowsing/diagn...ite=hopto.org/
    "... Part of this site was listed for suspicious activity 731 time(s) over the past 90 days... Malicious software includes 817 exploit(s), 113 trojan(s), 59 virus. Successful infection resulted in an average of 5 new process(es) on the target machine. This site was hosted on 80 network(s)... Over the past 90 days, hopto .org appeared to function as an intermediary for the infection of 140 site(s)... this site has hosted malicious software over the past 90 days. It infected 210 domain(s)..."
    ___

    Fake Snapchat downloads in Search Engine Ads
    - http://www.threattracksecurity.com/i...ch-engine-ads/
    Nov 19, 2013 - "Hot on the heels of fake Snapchat Adware installs*, we have advert results in both Google and Bing adverts leading to non-existent downloads of Snapchat in return for an Adware bundle. Here’s Google:
    > http://www.threattracksecurity.com/i...oglesearch.png
    The site in question here is soft1d(dot)com
    > http://www.threattracksecurity.com/i...ft1dprompt.jpg
    Here’s Bing:
    > http://www.threattracksecurity.com/i...napadsbing.jpg
    The ad in question is the one in the bottom right hand corner for download-apps(dot)org/snapchat
    > http://www.threattracksecurity.com/i...-apps-snap.jpg
    Both sites lead to the same install. Comments from Matthew, one of our researchers in the Labs who discovered this: 'When you run the installer it precedes to install Fast Media Converter (Zango/Pinball Corp/BlinkX/LeadImpact) and LyricsViewer (Crossrider) with the only notice being from the page shown in the “prompt” screenshots. After loading those, it proceeds to offer you some more: a Conduit Toolbar and Dealply. In the end there is no Snapchat install or even a replacement for Snapchat'...
    > http://www.threattracksecurity.com/i...ion-snap-1.png
    > http://www.threattracksecurity.com/i...ion-snap-3.png
    VirusTotal has this one pegged at 4/47** ..."
    * http://www.threattracksecurity.com/i...-leads-adware/
    Nov 1, 2013
    ** https://www.virustotal.com/en/file/1...4b40/analysis/
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Job Offer Notification Email Messages - 2013 Nov 19
    Fake Monthly Report Notification Email Messages - 2013 Nov 19
    Fake Invoice Attachment Email Messages - 2013 Nov 19
    Fake Picture Sharing Email Messages - 2013 Nov 19
    Fake Payment Information Notification Email Messages - 2013 Nov 19
    Email Messages with Malicious Attachments - 2013 Nov 19
    Fake Picture Sharing Email Messages - 2013 Nov 19
    Fake Fax Message Delivery Email Messages - 2013 Nov 19
    Fake Product Quote Request - 2013 Nov 19
    Fake Fax Message Delivery Email Messages - 2013 Nov 19
    Fake Payment Confirmation Email Messages - 2013 Nov 19
    Fake Personal Photo Sharing Email Messages - 2013 Nov 19
    Fake Payment Invoice Email Messages - 2013 Nov 19
    Fake Shipment Tracking Information Email Messages - 2013 Nov 19
    Fake Product Order Notification Email Messages - 2013 Nov 19
    Fake Scanned Image Notification Email Messages - 2013 Nov 19
    Fake Product Purchase Order Email Messages - 2013 Nov 19
    Fake Product Purchase Order Email Messages - 2013 Nov 19
    Fake Bank Payment Notification Email Messages - 2013 Nov 19
    Fake Customer Complaint Attachment Email Messages - 2013 Nov 19
    (More info and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-11-20 at 04:25.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #322

    Fake mileage reimbursement email, Red Cross 419 Scam, Bitcoin badness ...

    FYI...

    Fake mileage reimbursement email leads to malware ...
    - http://www.webroot.com/blog/2013/11/...-lead-malware/
    Nov 20, 2013 - "Want to file for mileage reimbursement through a STD-261 form? You may want to skip the tens of thousands of -malicious- emails currently in circulation, attempting to trick users into executing the malicious attachment. Once downloaded, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign, undermining the confidentiality and integrity of the host.
    Sample screenshot of the spamvertised email:
    > https://www.webroot.com/blog/wp-cont...re-1024x64.png
    Detection rate for the spamvertised attachment: MD5: 3aaa04b0762d8336379b8adedad5846b – * ... Trojan.Win32.Bublik.bkri; TrojanDownloader:Win32/Upatre.A. Once executed, the sample starts listening on ports 8412 and 3495... It then attempts to phone back to the following C&C servers... (long list of IP's listed at the first webroot URL above)..."
    * https://www.virustotal.com/en/file/e...is/1384525049/
    ___

    Red Cross 419 Scam exploits Typhoon Haiyan
    - http://www.threattracksecurity.com/i...yphoon-haiyan/
    Nov 20, 2013 - "There are a number of emails currently in circulation attempting to cash in on the generosity of individuals and organisations wanting to assist the Typhoon Haiyan relief efforts. Another one just landed in our spamtraps, and reads as follows:
    > http://www.threattracksecurity.com/i...yanmail-wm.jpg
    ... If the poor spelling and generally dreadful formatting of the mail doesn’t give the game away, hopefully the free Yahoo email address will help to tip the balance. This is absolutely a scam, and one that should be directed to the recycle bin / spam folder with all due haste. Elsewhere, Trend Micro are seeing missives related to fake Navy donations* and Symantec are dealing with one “Andrew Stevens” who is asking for donations** via Western Union. You can be sure more of these will emerge in the coming weeks, so please be cautious and don’t reply to any email sent out of the blue. No matter how convincing the mail appears to be, there’s a very good chance your money is going to end up with someone other than who you intended it for."
    * http://blog.trendmicro.com/trendlabs...n-haiyan-scams

    ** http://www.symantec.com/connect/blog...es-philippines
    ___

    Bitcoin Boom leads to Malware Badness
    - http://www.threattracksecurity.com/i...lware-badness/
    Nov 20, 2013 - "... you may be tempted to mine some Bitcoins via the art of downloading random files from the internet... There are certainly more than enough options to choose from; Youtube videos, promo sites, Pastebin posts – you name it, they’re all out there and they’re all clamouring for your attention. Just keep in mind that you never really know what you’re signing up to when playing the random download game... Scammers are promoting “no survey Bitcoin generators”, which come with -surveys- attached regardless.
    > http://www.threattracksecurity.com/i.../bitcoins3.jpg
    If no survey is available, you’re encouraged to pay for a premium account to access the download.
    > http://www.threattracksecurity.com/i.../bitcoins4.jpg
    Elsewhere, the below Pastebin page directs individuals to a Mediafire download. Note that they claim it is “legit”, but the file isn’t theirs and they won’t accept responsibility for any “inconvenience”. Never a good sign, really.
    > http://www.threattracksecurity.com/i.../bitcoins1.jpg
    ...
    > http://www.threattracksecurity.com/i.../bitcoins2.jpg
    ... VirusTotal currently flagging it at 8/47*. We’re also seeing a number of files on MEGA, which claim to be Bitcoin Generators (with one claiming to offer up 0.06975 mBTC “every couple of hours” in return for filling in some CAPTCHA codes)... An additional file below (also hosted on MEGA) already flags up at 17/47** on VirusTotal, and we also detect this as Trojan.Win32.Generic!BT... trying to go down the fast and easy route ensures there’s a lot to lose too. If you’re late to the Bitcoin party, bandwagon jumping may result in a nasty fall."
    * https://www.virustotal.com/en/file/9...aa24/analysis/

    ** https://www.virustotal.com/en/file/0...ff38/analysis/

    Last edited by AplusWebMaster; 2013-11-20 at 18:18.

  3. #323

    Fake ADP SPAM ...

    FYI...

    Fake ADP Anti-Fraud Secure Update Spam
    - http://threattrack.tumblr.com/post/6...re-update-spam
    Nov 21, 2013 - "Subjects Seen:
    ALERT! From ADP: 2013 Anti-Fraud Secure Update
    Typical e-mail details:
    Dear Valued ADP Client,
    We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
    A new version of secure update is available.
    Our development division strongly recommends you to download this software update.
    It contains new features:
    The certificate will be attached to the computer of the account holder, which disables any fraud activity
    Any irregular activity on your account is detected by our safety centre
    Download the attachment. Update will be automatically installed by double click.
    We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have.


    Malicious File Name and MD5:
    2013 Anti-Fraud Secure Update.zip (7DF767E9225803F5CA6C1ED9D2B5E448)
    2013 Anti-Fraud Secure Update.exe (6A9D66DF6AE25A86FCF1BBFB36002D44)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...rG21r6pupn.png

    Tagged: ADP, Upatre.


  4. #324

    Fake WhatsApp SPAM, Pokemon phish, TESCO phish ...

    FYI...

    Fake WhatsApp SPAM - exposes users to malware ...
    - http://www.webroot.com/blog/2013/11/...users-malware/
    Nov 22, 2013 - "... intercepted a currently circulating malicious spam campaign impersonating WhatsApp — yet again — in an attempt to trick its users into thinking that they’ve received a voice mail. Once socially engineered users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet operated by the cybercriminal(s) behind the campaign.
    Sample screenshot of the spamvertised malicious email:
    > https://www.webroot.com/blog/wp-cont...Cybercrime.png
    Detection rate for the spamvertised attachment: MD5: 41ca9645233648b3d59cb52e08a4e22a – * ... TrojanDownloader:Win32/Kuluoz.D. Once executed, it phones back to:
    ...
    * https://www.virustotal.com/en/file/e...is/1384979533/
    ___

    Watch where you’re logging in ...
    - http://www.threattracksecurity.com/i...youre-logging/
    Nov 22, 2013 - "If you do your online banking with TESCO, or indeed have a credit card with them you may want to be on the lookout for the following website which is hosting a rather large tally of login pages. The site in question is:
    mrqos(dot)com(dot)au/kate/tess/tescr/login(dot)html
    and that particular site was flagged not so long ago in the Zone-H defacement mirror, with “KEST” compromising it on or around the 15th of October, 2013.
    > http://www.threattracksecurity.com/i.../11/tesco0.jpg
    Here’s 100 or so identical HTML pages in one directory offering up a TESCO credit card login:
    > http://www.threattracksecurity.com/i.../11/tesco3.jpg
    All of the above pages present end-users with the following login screen:
    > http://www.threattracksecurity.com/i.../11/tesco4.jpg
    The page asks end-users to login to “Tesco bank online banking” with “credit card” mentioned in the top right hand corner. After entering a username, the page asks for more information... you should only ever log in on the homepage of your bank or credit card. Visiting it from URLs in emails or random messages sent your way just won’t cut the mustard – physically type in the URL, ensure there’s a padlock and the connection is encrypted. You won’t find padlocks or encryption on the above pages..."
    ___

    Pokemon X and Y Tumblrs: Warn your Kids
    - http://www.threattracksecurity.com/i...lrs-warn-kids/
    Nov 22, 2013 - "A gentle reminder not to leave your kids alone with their best friend ever, the internet. Pokemon X and Y is by all accounts a raging success, and if the smaller members of your household go Googling for things related to said title, they may well end up on a site such as the below promising a PC download of the new game.
    pokemonxetyromemulateur(dot)tumblr(dot)com
    > http://www.threattracksecurity.com/i...edownload1.jpg
    This site intends to direct the end-user to a cookie-cutter blog located at
    pokemonxyemulator(dot)blogspot(dot)ro
    The site pops a -survey- with offers likely dictated by region. What’s worrying here is if kids arrive on this site given the Pokemon theme, they could well be presented with survey questions asking for personal information alongside the more typical installs (and installs aren’t really something you want to be presenting kids with either).
    > http://www.threattracksecurity.com/i...edownload2.jpg
    In this case, one of the links leads to an iLivid install.
    > http://www.threattracksecurity.com/i...edownload3.jpg
    ... it mentions a -toolbar- install which is pre-ticked in the next screen... What’s on offer here isn’t a big deal, but there’s no way you can predict what will be on the other end of a survey popup – everything from personal information requests and ringtone offers to Adware and (occasionally) Malware have all been sitting in wait on the other side of that “Complete this” button. While adults may hopefully steer clear of a lot of these antics, any kids going click happy in Pokemon land (or any other themed set of search engine queries) probably won’t be so lucky..."

    Last edited by AplusWebMaster; 2013-11-22 at 16:16.

  5. #325

    Fake PayPal SPAM, gov, .edu - Phish ...

    FYI...

    Fake PayPal Spam
    - http://threattrack.tumblr.com/post/6...n-of-case-spam
    Nov 25, 2013 - "Subjects Seen:
    Resolution of case #PP-016-353-161-368
    Typical e-mail details:
    Transaction ID: 27223374MSB9Y6FV6
    Our records indicate that you never responded to requests for additional
    information about this claim. We hope you review the attached file and solve the situation amicably.
    For more details please see the attached file (Case_9503665.zip)
    Sincerely,
    Protection Services Department


    Malicious File Name and MD5:
    Case_9503665.zip (040D3AA61ADB6431576D27E14BA12E43)
    Case_.exe (8DB3C24FCD0EF4A660636250D0120B23)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...tlR1r6pupn.png

    Tagged: PayPal, Upatre
    ___

    Fake HSBC emails - malware
    - http://www.webroot.com/blog/2013/11/...users-malware/
    Nov 25, 2013 - "HSBC customers, watch what you execute on your PCs. A circulating malicious spam campaign attempts to socially engineer you into thinking that you’ve received a legitimate ‘payment e-Advice’. In reality, once you execute the attachment, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign.
    Sample screenshot of the spamvertised email:
    > https://www.webroot.com/blog/wp-cont...s_Software.png
    Detection rate for the spamvertised attachment: MD5: 2fbf89a24a43e848b581520d8a1fab27 – * ...Trojan.Win32.Bublik.blgc. Once executed, the sample starts listening on ports 3670 and 6652..."
    * https://www.virustotal.com/en/file/1...is/1385042183/
    ___

    .gov, .edu - Phish ...
    - http://www.threattracksecurity.com/i...-edu-phish-oh/
    Nov 25, 2013 - "We’ve noticed a couple of .cn URLs which customers of ANZ will probably want to steer clear of.
    > http://www.threattracksecurity.com/i.../11/cnanz0.jpg
    syftec(dot)gov(dot)cn
    ... appears to be a site about the county-level city Shangyu. One of the URLs on the site is
    syftec(dot)gov(dot)cn/images/online/
    ... which takes users to:
    rh(dot)buaa(dot)edu(dot)cn/js/online
    ... which is a .Edu URL called “China Domestic Research Project for ITER”, with the sub-heading “Key technologies research for remote handling manipulator using in nuclear environment”.
    Here’s the frontpage, minus the js/online directory:
    > http://www.threattracksecurity.com/i.../11/cnanz1.jpg
    Here’s what is located at the rh(dot)buaa(dot)edu(dot)cn/js/online URL:
    > http://www.threattracksecurity.com/i.../11/cnanz2.jpg
    The page asks for name, DOB, address, card number, expiration date and security code. Hitting the log on button will direct users to the genuine ANZ website. The URL has already been blacklisted by Google Safebrowsing:
    > http://www.threattracksecurity.com/i.../11/cnanz4.jpg
    What’s interesting here is if the URL forwarding end-users from the .gov site to the .edu page is supposed to be there, or it too has been compromised to direct more users to the ANZ “login”. It’s possible the .gov site once forwarded them to a formerly legitimate page on the .edu portal which has since been compromised. However, the .edu page isn’t on Internet Archive so it’s hard to say one way or the other. What we can say for certain is that customers of ANZ should only log in on the genuine ANZ website*, and that .gov URLs are prime targets..."
    * https://www.anz.com/

    Last edited by AplusWebMaster; 2013-11-26 at 02:34.

  6. #326

    Fake Facebook pwd, Xerox fax SPAM, Fake Loan site ...

    FYI...

    Fake Facebook pwd SPAM - Recoverypassword.zip and Facebook-SecureMessage.exe
    - http://blog.dynamoo.com/2013/11/you-...-password.html
    26 Nov 2013 - "This -fake- Facebook message comes with a malicious attachment:
    Date: Tue, 26 Nov 2013 04:58:18 +0300 [11/25/13 20:58:18 EST]
    From: Facebook [update+hiehdzge@ facebookmail .com]
    Subject: You requested a new Facebook password!
    facebook
    Hello,
    You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    Read your secure message by opening the attachment, Facebook-SecureMessage.zip.
    Didn't request this change?
    If you didn't request a new password, let us know immediately.
    This message was sent to [redacted] at your request.
    Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


    Screenshot: https://lh3.ggpht.com/-20l6OoLiEfc/U.../facebook3.png

    The attachment is Recoverypassword.zip which in turn contains a malicious executable Facebook-SecureMessage.exe which has a VirusTotal detection rate of 16/42*. Automated analysis tools... shows attempted connections to developmentinn .com on 38.102.226.252 (Cogent, US) and spotopia .com on 199.229.232.99 (Enzu, US). Note that the servers on those IPs host dozens of legitimate sites and I cannot say for certain if they are all compromised or not."
    * https://www.virustotal.com/en-gb/fil...is/1385474059/

    - https://www.virustotal.com/en/ip-add...9/information/
    ___

    Xerox Incoming Fax Spam
    - http://threattrack.tumblr.com/post/6...oming-fax-spam
    Nov 26, 2013 - "Subjects Seen:
    INCOMING FAX REPORT : Remote ID: 633-553-5385
    Typical e-mail details:
    INCOMING FAX REPORT
    Date/Time: 11/26/2013 04:51:31 EST
    Speed: 17766 bps
    Connection time: 07:01
    Pages: 3
    Resolution: Normal
    Remote ID: 633-553-5385
    Line number: 633-553-5385
    DTMF/DID:
    Description: Сost sheet for first half of 2013.pdf


    Malicious File Name and MD5:
    IncomingFax.zip (A5E6AB0F6ECF230633B91612A79BF875)
    IncomingFax.exe (B048E178F86F6DBD54D84F488120BB9B)

    Screenshot: https://gs1.wac.edgecastcdn.net/8019...45y1r6pupn.png

    Tagged: Xerox, Upatre
    ___

    Something evil on 46.19.139.236
    - http://blog.dynamoo.com/2013/11/some...619139236.html
    26 Nov 2013 - "46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java -exploit- kit via injection attacks which is utilising hijacked legitimate domains, but the domains in use seem to rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples* ..."
    (More detail at the dynamoo URL above.)
    * https://www.virustotal.com/en-gb/ip-...6/information/
    ___

    Fake Loan site delivers adware
    - http://www.threattracksecurity.com/i...ncial-dot-org/
    Nov 26, 2013 - "... a fake loan page from an equally fake financial institution called “Trust Financial Group”.
    > http://www.threattracksecurity.com/i...96C52913E1.jpg
    Once users visit trustfinancial(dot)org, they are -redirected- to a default page serving a loan decision document. In order for visitors to see its unblurred version, they have to install a “secure loan viewer” application. Unfortunately, users will find out that the name of the program is actually called “Search Smarted and Search Assistor” and is signed by a verified publisher called Access Financial Resources, Inc.
    > http://www.threattracksecurity.com/i...FFC1704ACD.jpg
    Here’s another sample that we have acquired:
    > http://www.threattracksecurity.com/i...49590EE75C.jpg
    A quick search on Google for the name points me to a small company of financial planners in Oklahoma, but I can’t find connections to any legitimate software it’s involved in or to “Trust Financial Group”. We can count on the idea that whoever is behind the bogus page and brand had used the name of a legitimate small financial company to make the certificate appear more authentic, which in turn makes the applications seem legit. Unfortunately, this is -not- the case. The files are not document viewer applications, but they are -adware- programs that, once installed, -inject- ads into search engine results.
    > http://www.threattracksecurity.com/i...0F9F6D03F2.jpg
    ... Eric Howes, ThreatTrack Security’s Principal Lab Researcher, “The domains used here are all anonymously registered. And while this attack technically isn’t a phishing attack, it is exploiting users’ trust and faith in financial institutions to trick them into installing adware.” Our researchers have further determined that the ads being injected are pulled through the domain, ez-input(dot)info, which was also registered anonymously..."
    ___

    Blackshades Rat usage on the rise...
    - http://www.symantec.com/connect/blog...alleged-arrest
    Nov 25, 2013 - "... Blackshades RAT, detected by Symantec products as W32.Shadesrat, will gather passwords and credentials from infected systems, sending them back to the malicious command-and-control (C&C) server. This increase in activity prompted us to investigate the main C&C servers that manage the latest infections. Upon investigation, we found a connection to the Cool Exploit Kit, which has been used to distribute W32.Shadesrat, but also several -other- malware families.
    Shadesrat evolution since July 2013:
    > http://www.symantec.com/connect/site...xploit%201.png
    For the last few years we have seen a spectacular increase of attacks against Web servers using recently discovered vulnerabilities to target industries, think tanks, government institutions and users. In all cases, the attacker’s goal is very clear; to execute a malicious payload on the user’s computer. The attackers managed to do this using different exploit kits. When Symantec observed the increase of W32.Shadesrat infections, we identified hundreds of C&C servers being used to gather credentials from compromised computers. W32.Shadesrat targets a wide variety of credentials including email services, Web services, instant messaging applications, and FTP clients. Spammers looking for new mail credentials, attackers trying to continue their security breaches with access to new servers and services, and attackers looking for specific information to exfiltrate might be interested in this kind of information. During our research, we found that nearly all of the C&C servers have hosted exploit kits at some point, and until the arrest of the author of the Blackhole Exploit Kit and the Cool Exploit Kit, the latter has been the most prevalent. These kits try to exploit different vulnerabilities in the user’s computer to execute a malicious payload and infect them. Underground teams have a wide range of resources to perform their attacks.
    > http://www.symantec.com/connect/site...xploit%202.png
    We also observed that after the arrest of the author of the Blackhole Exploit Kit and Cool Exploit Kit, both exploit kits have nearly disappeared, leaving Neutrino as the new kit of choice.
    > http://www.symantec.com/connect/site...xploit%203.png
    Once an unsuspecting user has been compromised, -multiple- payloads are downloaded and used to retain control by using Remote Administration Tools or downloaders that enable them to install additional malware with new functionalities. The C&C servers also spread the following other malware threats.
    > http://www.symantec.com/connect/site...xploit%204.png
    ... The distribution of the threats suggests that the attackers attempted to infect as many computers as possible. The attackers do not seem to have targeted specific people or companies. This demonstrates how complete the threat landscape is, as well as the resources that attackers have at their disposal. Don’t forget to make sure that your software is up-to-date and that your antivirus solution has the latest definitions."

    Last edited by AplusWebMaster; 2013-11-27 at 15:43.

  7. #327

    Fake ADP, D&B, Tax Return SPAM ...

    FYI...

    Fake ADP SPAM - Reference #274135902580 / Transaction.exe
    - http://blog.dynamoo.com/2013/11/adp-...2580-spam.html
    27 Nov 2013 - "Is it Salesforce or ADP? Of course.. it is -neither- ...
    Date: Wed, 27 Nov 2013 11:50:07 +0100 [05:50:07 EST]
    From: "support@ salesforce .com" [support@ salesforce .com]
    Subject: ADP - Reference #274135902580
    We were unable to process your recent transaction. Please verify your details and try again.
    If the problem persists, contact us to complete your order.
    Transaction details are shown in the attached file.
    Reference #274135902580
    This e-mail has been sent from an automated system.
    PLEASE DO NOT REPLY...


    Attached is a file Transaction_274135902580.zip which in turn contains a malicious executable named Transaction.exe which has an icon to make it look like a PDF file and a VirusTotal detection rate of 8/48*...
    > https://lh3.ggpht.com/-SxwSXmXNPHs/U...ransaction.png
    Malwr reports an attempted connection to seribeau .com on 103.6.196.152 (Exa Bytes Network, Malaysia). This IP has several -hundred- legitimate web sites on it, and it is not possible to determine if these are clean or infected."
    * https://www.virustotal.com/en-gb/fil...is/1385558999/

    - https://www.virustotal.com/en/ip-add...2/information/
    ___

    Dun & Bradstreet iUpdate Spam
    - http://threattrack.tumblr.com/post/6...t-iupdate-spam
    Nov 27, 2013 - "Subjects Seen:
    D&B iUpdate : Company Request Processed
    Typical e-mail details:
    Thank you,
    Your request has been successfully processed by D&B.
    All information has been reviewed and validated by D&B.
    Please Find your Order Information attached.


    Malicious File Name and MD5:
    CompanyInfo.zip (22CC978F9A6AEE77E653D7507B35CD65)
    CompanyInfo.exe (2F3C1473F8BCF79C645134ED84F5EF62)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Rwc1r6pupn.png

    Tagged: Dun & Bradstreet, Upatre
    ___

    Tax Return Accountant’s Letter Spam
    - http://threattrack.tumblr.com/post/6...ts-letter-spam
    Nov 27, 2013 - "Subjects Seen:
    FW: 2012 and 2013 Tax Documents; Accountant’s Letter
    Typical e-mail details:
    I forward this file to you for review. Please open and view it.
    Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant’s letter.


    Malicious File Name and MD5:
    <e-mail recipient>.zip (BC8FC4D02BB86F957F5AE0818D94432F)
    TaxReturn.exe (E85AD4B09201144ACDC04FFC5F708F03)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...2ka1r6pupn.png

    Tagged: Tax Return, Upatre
    ___

    Russian Photo Attachment Spam
    - http://threattrack.tumblr.com/post/6...ttachment-spam
    Nov 27, 2013 - "Subjects Seen:
    Hello
    Typical e-mail details:
    Hi
    My name is Yulia.
    I am from Russia.
    Look my photo in attachment.


    Malicious File Name and MD5:
    DSC_0492(copy).jpg.zip (41B37B08293C1BFE76458FA806796206)
    DSC_0492(copy).jpg.exe (AC7CD2087014D9092E48CE465E4F902D)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...5Ih1r6pupn.png

    Tagged: Photo, Sirefef.

    Last edited by AplusWebMaster; 2013-11-29 at 21:10.

  8. #328
    AplusWebMaster

    Fake Skype voicemail SPAM ...

    FYI...

    Fake Skype voicemail - Trojan SPAM ...
    - http://www.theregister.co.uk/2013/11...s_zeus_trojan/
    28 Nov 2013 - "A spam run of fake Skype voicemail alert emails actually comes packed with malware, a UK police agency warns*. Action Fraud said the zip file attachments come contaminated with a variant of the notorious ZeuS banking Trojan. Messages typically come with the subject line “You received a new message from Skype voicemail service”. The emails contain a copyright notice and a disingenuous warning that "Skype staff will NEVER ask you for your password via email", all in a bid to appear genuine..."
    * http://www.actionfraud.police.uk/ale...in-virus-nov13

    - http://blog.mxlab.eu/2013/11/26/fake...ntains-trojan/


  9. #329
    AplusWebMaster

    Fake 'planned outage' SPAM, Toolbar uses Your System to make BTC

    FYI...

    Fake 'planned outage' SPAM - attachment contains trojan ...
    - http://blog.mxlab.eu/2013/12/02/emai...ntains-trojan/
    Dec 2, 2013 - "MX Lab... started to intercept a new trojan distribution campaign by email with the subject “Important update. Please read”. This email is sent from the spoofed address “mail server update” and has the following body:
    Dear user!
    This is a planned Outage for our MAIL Services on Mon, 02 Dec 2013 11:30:14 +0300
    Our MailServer is currently experiencing some problems. It should be working again as usual shortly.
    If you want to keep previous saved emails
    please download and save your backup from the attached file.
    Please do not reply to this message.
    This is a mandatory notification containing information about important changes in the products you are using.


    Screenshot of the message: http://img.blog.mxlab.eu/2013/201312...ned_outage.gif

    The attached ZIP file has the name saved_mailbox_yoct_F479657BA8.zip and contains the 115 kB large file saved_mail_user_id_8349653__random_numbers__6587234.eml. The trojan is known as Trojan/Win32.Zbot, W32/Trojan.RSKY-7175, Win32/PSW.Fareit.A, Trojan.Ransom.RV or Mal/Generic-S. At the time of writing, 7 of the 47 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
    SHA256: 8ff5f6c1e5b368c2e9de2a0d98364f9cae6560ba54874f55779b78a0f487745c
    The trojan is capable of downloading files from the internet and according to Malwr it can steal information from local internet browsers and harvest credentials from FTP clients. This last one can perhaps be used to upload a virus or malware to hosts that can use this location for other campaigns.
    The trojan will start a new service, make some Windows registry modifications and will make contact with hosts to download a file from:
    hxxp ://62.76.45.242/our/1.exe
    hxxp ://62.76.42.218/our/1.exe
    hxxp ://62.76.45.242/our/2.exe
    hxxp ://62.76.42.218/our/2.exe
    hxxp ://networksecurityx .hopto .org

    The file 1.exe is 369 kB large and is identified as W32/Trojan.RSKY-7175 or Trojan.Ransom.RV. The file 2.exe couldn’t be downloaded; the host gave us a 404 error. This executable will create a process ihre.exe on an infected system, modifies the Windows registry, changes the firewall policies, installs itself to run when booting the system and collects information to fingerprint the system, performs HTTP requests and starts servers listening on 0.0.0.0 on port 8989, 0.0.0.0 on port 2626 and 0.0.0.0 on port 0. At the time of writing, 2 of the 48 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink*** and Malwr permalink**** for more detailed information.
    SHA256: 8b9ed72674c49abc1aa0ab1c94a8fa13a1b471c23e799c7cce173a67603cb407."
    * https://www.virustotal.com/en/file/8...is/1385977408/

    ** https://malwr.com/analysis/MmRjZDMzZ...VhNzI0MGJiMzU/

    *** https://www.virustotal.com/en/file/8...is/1385978531/

    **** https://malwr.com/analysis/Y2QzOWY1N...NkZTJmY2JkODY/

    - https://www.virustotal.com/en/ip-add...2/information/

    - http://google.com/safebrowsing/diagn...ite=hopto.org/
    "... this site was listed for suspicious activity 695 time(s) over the past 90 days..."
    ___

    Toolbar uses Your System to make BTC ...
    - http://blog.malwarebytes.org/fraud-s...m-to-make-btc/
    Nov 29, 2013 - "Potentially Unwanted Programs, or PUPs as we like to call them, are things like Toolbars, Search Agents, etc. Unnecessary junk for your desktop that usually involves monitoring your surfing/shopping habits and slowing down your system with their sub-par software that ends up hurting you much more than helping. A recent and unfortunate discovery by some of our users revealed that some of these programs do more than just cover your desktop in ads; they also steal your system's resources for mining purposes... we are taking a look at a PUP that installs a Bitcoin miner on the user system, not just for a quick buck but actually written into the software’s EULA. This type of system hijacking is just another way for advertising based software to exploit a user into getting even more cash.
    > http://cdn.blog.malwarebytes.org/wp-...t-1024x420.png
    ... we received a request for assistance from one of our users about a file that was taking up 50 percent of the system resources on their system. After trying to remove it by deleting it, he found that it kept coming back; the filename was “jh1d.exe”... We did some research and found out that the file in question was a Bitcoin Miner known as “jhProtominer”, a popular mining software that runs via the command line. However, it wasn’t the miner recreating its own file and executing but a parent process known as “monitor.exe”. Monitor.exe* was created by a company known as Mutual Public, which is also known as We Build Toolbars, LLC or WBT. We were able to find out the connection between WBT and Mutual Public thanks to an entry in the Sarasota Business Observer:
    > http://cdn.blog.malwarebytes.org/wp-.../WBT_is_MP.png
    Another product belonging to Mutual Public is known as Your Free Proxy.
    > http://cdn.blog.malwarebytes.org/wp-...rFreeProxy.png
    Your Free Proxy uses the Mutual Public Installer (monitor.exe), obtaining it from an Amazon cloud server... We checked out this cloud server and found monitor.exe but also some additional interesting files, notably multiple types of “silent” installers and a folder called “coin-miner”... We at Malwarebytes are putting our foot down and detecting these threats as what they are, giving our users the option to remove them and never look back..."
    * https://www.virustotal.com/en/file/c...353e/analysis/
    File name: vti-rescan
    Detection ratio: 1/48
    Analysis date: 2013-11-29

    Last edited by AplusWebMaster; 2013-12-03 at 02:19.

  10. #330
    AplusWebMaster

    Fake AMEX SPAM, Threat Outbreak Alerts ...

    FYI...

    Fake AMEX SPAM
    - http://threattrack.tumblr.com/post/6...e-message-spam
    Dec 3, 2013 - "Subjects Seen:
    Confidential - Secure Message from AMEX
    Typical e-mail details:
    The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
    Note: The attached file contains encrypted data.
    If you have any questions, please call us at 800-524-3645, option 1. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
    The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
    Thank you,
    American Express


    Malicious File Name and MD5:
    SecureMail.zip (2986FFD9B827B34DCB108923FEA1D403)
    SecureMail.exe (7DC5BF7F5F3EAF118C7A6DE6AF921017)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...MJQ1r6pupn.png

    Tagged: American Express, Upatre
    ___

    Fake eFax SPAM
    - http://blog.dynamoo.com/2013/12/anot...efax-spam.html
    3 Dec 2013 - "These fake eFax spams are getting a bit dull. As you might expect, this one comes with a malicious attachment.
    Date: Tue, 3 Dec 2013 15:15:03 -0800 [18:15:03 EST]
    From: eFax Corporate [message@ inbound .efax .com]
    Subject: Fax transmission: -5219616961-5460126761-20130705352854-84905.zip
    Please find attached to this email a facsimile transmission we have just received on your behalf
    (Do not reply to this email as any reply will not be read by a real person)


    Attached is a ZIP file which in this case is called -2322693863-6422657608-20130705409306-09249.zip (with a VirusTotal detection rate of 6/48*) which in turn contains a malicious executable fax-report.exe which has an icon that makes it look like a PDF file and has a VirusTotal detection rate of 4/48**.
    > http://1.bp.blogspot.com/-riDinrvAIZ...fax-report.png
    Automated analysis tools... show an attempted communication with tuhostingprofesional .net on 188.121.51.69 (GoDaddy, Netherlands) which contains about 8 legitimate domains which may or may not have been compromised."
    * https://www.virustotal.com/en/file/a...is/1386113630/

    ** https://www.virustotal.com/en/file/3...is/1386113237/
    ___

    Fake Fax/Voice SPAM - malicious attachment
    - http://blog.mxlab.eu/2013/12/03/emai...ntains-trojan/
    Dec 3, 2013 - "... new trojan distribution campaign by email with the subject “Faxnachricht von unknown an 03212-1298305”. This email is sent from the spoofed address “"WEB.DE Fax und Voice" <fax-021213-voice@webde.de>” and has the following very short body:
    Fax und Voice
    The attached ZIP file has the name WEB.DE Fax und Voice.zip and contains the 120 kB large file WEB.DE Fax und Voice.exe. The trojan is known as TR/Dropper.VB.3500, Virus.Win32.Heur.p, Trojan.Packed.25042, Win32/TrojanDownloader.Wauchos.X, PE:Trojan.VBInject!1.64FE or Troj/Agent-AFAX. At the time of writing, 15 of the 48 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
    SHA256: 8d2fe8b6c370c0568f93bb4eee838dc4514f2cc5578424b7376ed21e4ca9091b
    * https://www.virustotal.com/en/file/8...091b/analysis/

    ** https://malwr.com/analysis/ZWMxYjQ3Y...I5OGUwZmEwZGQ/
    ___

    Fake Mastercard SPAM - malicious attachment
    - http://blog.mxlab.eu/2013/12/03/impo...om-mastercard/
    Dec 3, 2013 - "... trojan distribution campaign appears with more or less the same layout in the email that targets Mastercard holders with the subject “Important notification for a Mastercard holder”. MX Lab... intercepted these emails that are sent from the spoofed address “MasterCard” and have the following body:
    Important notification for a Mastercard holder!
    Your Bank debit card has been temporarily blocked
    We’ve detected unusual activity on your Bank debit card. Your UK Bank debit card has been temporarily blocked, please fill document in attachment and contact us
    About MasterCard Global Privacy Policy Copyright Terms of Use
    © 1994-2013 MasterCard


    Screenshot: http://img.blog.mxlab.eu/2013/20131203_mastercard.gif

    The attached ZIP file has the name MasterCard_D77559FFA7.zip and contains the 131 kB large file MasterCard_info_pdf_34857348957239509857928472389469812364912034237412893476812734.pdf.exe. The trojan is known as PasswordStealer.Fareit, Trojan-PWS/W32.Tepfer.131072.HS, PE:Malware.Obscure/Huer!1.9E03, Troj/Agent-AFAZ or Trojan.DownLoader9.22851. At the time of writing, 12 of the 48 AV engines did detect the trojan at Virus Total. Use the... Malwr permalink* for more detailed information."
    * https://malwr.com/analysis/Yjk0NjczN...QzOGQyNGM0OTU/
    ___

    Threat Outbreak Alerts
    - http://tools.cisco.com/security/cent...utbreak.x?i=77
    Fake Fax and Voice Notification Email Messages - 2013 Dec 03
    Fake Purchase Order Request Email Messages - 2013 Dec 03
    Fake Payment Confirmation Notification Email Messages - 2013 Dec 03
    Fake Shipping Order Information Email Messages - 2013 Dec 03
    Fake Product Inquiry Email Messages - 2013 Dec 03
    Fake Product Purchase Order Email Messages - 2013 Dec 03
    Fake Meeting Invitation Email Messages - 2013 Dec 03
    Fake Fax Message Delivery Email Messages - 2013 Dec 03
    Fake Failed Delivery Notification Email Messages - 2013 Dec 03
    Malicious Personal Pictures Attachment Email Messages - 2013 Dec 03
    Fake Payment processing Notification Email Messages - 2013 Dec 03
    Fake Unpaid Debt Invoice Email Messages - 2013 Dec 03
    Email Messages with Malicious Attachments - 2013 Dec 03
    Fake Product Order Quotation Email Messages - 2013 Dec 03
    Fake Payroll Invoice Notification Email Messages - 2013 Dec 03
    Email Messages with Malicious Attachments - 2013 Dec 03
    Fake Financial Document Email Messages - 2013 Dec 03
    (More detail and links at the cisco URL above.)

    Last edited by AplusWebMaster; 2013-12-04 at 01:21.
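
The campaigns collected in this thread share one delivery pattern: a ZIP attachment whose member is an executable dressed up with a decoy extension (DSC_0492(copy).jpg.exe, MasterCard_info_pdf_...pdf.exe, fax-report.exe with a PDF icon) or, in the "planned outage" run, named .eml while carrying a Windows PE file. As an added example that is not code from the forum post or the quoted blogs, this Python screen flags such members by name and by the PE magic bytes; the member names are modelled on the attachments quoted above, and the member bodies and readme.txt are constructed here.

```python
"""Screen a ZIP e-mail attachment for executables disguised by their file names.

Added example, not from the thread or the quoted blogs. Member bodies are
constructed: a bare "MZ" header stands in for a real PE file.
"""
import io
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXTS = {".pdf", ".jpg", ".jpeg", ".doc", ".txt", ".eml", ".zip"}
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def suspicious_members(zip_bytes: bytes) -> dict[str, list[str]]:
    """Return {member name: [reasons]} for members that look like disguised executables."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + p for p in name.split(".")[1:]]  # all extensions, in order
            reasons = []
            if exts and exts[-1] in EXEC_EXTS:
                reasons.append("executable extension %s" % exts[-1])
            if len(exts) >= 2 and exts[-2] in DECOY_EXTS and exts[-1] in EXEC_EXTS:
                reasons.append("double extension: %s hidden behind %s" % (exts[-1], exts[-2]))
            with zf.open(info) as fh:
                head = fh.read(2)
            # Content check catches the .eml-named trojan that no extension rule would
            if head == MZ_MAGIC and (not exts or exts[-1] not in EXEC_EXTS):
                reasons.append("PE header but non-executable name")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive; names follow the campaigns quoted in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DSC_0492(copy).jpg.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("fax-report.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("saved_mail_user_id_8349653__random_numbers__6587234.eml", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"plain text, harmless")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```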
