
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #591
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Remittance Advice' SPAM, Zeus phish...

    FYI...

    Fake 'Remittance Advice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2014/12/spam...om-anglia.html
    10 Dec 2014 - "This spam email does not come from Anglia Engineering Solutions Ltd but instead comes from a criminally-operated botnet and has a malicious attachment.
    From: Serena Dotson
    Date: 10 December 2014 at 10:33
    Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 334563N]
    Dear ,
    We are making a payment to you.
    Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
    If you have any questions regarding the remittance please contact us using the details below.
    Kind regards
    Serena Dotson
    Anglia Engineering Solutions Ltd ...


    The sender's name, ID number and attachment name vary from spam email to spam email. It comes with one of two Excel attachments, both of which are malicious but undetected by any AV product [1] [2], and which contain one of two malicious macros... which attempt to download an executable from the following locations:
    http ://217.174.240.46:8080/stat/lld.php
    http ://187.33.2.211:8080/stat/lld.php
    This file is downloaded as test.exe and is then copied to %TEMP%\LNUDTUFLKOJ.exe. This executable has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows attempted connections to the following IPs:
    194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
    84.92.26.50 (PlusNet, UK)
    87.106.246.201 (1&1, Germany)
    Traffic to 194.146.136.1 is also confirmed by VirusTotal. The Malwr report shows the same traffic. The payload is most likely Dridex, a banking trojan. I recommend that you block traffic to the following IPs:
    194.146.136.1
    84.92.26.50
    87.106.246.201
    217.174.240.46
    187.33.2.211 "
    1] https://www.virustotal.com/en/file/5...is/1418208470/

    2] https://www.virustotal.com/en/file/1...is/1418208468/

    * https://www.virustotal.com/en/file/c...is/1418208856/

    - http://myonlinesecurity.co.uk/remitt...l-xls-malware/
    10 Dec 2014
    Screenshot: http://myonlinesecurity.co.uk/wp-con...-Solutions.jpg

    * https://www.virustotal.com/en/file/1...is/1418209362/

    ** https://www.virustotal.com/en/file/5...is/1418209779/
    ___

    Fake JPMorgan Chase – ACH – Bank account info SPAM – PDF malware
    - http://myonlinesecurity.co.uk/gre-pr...e-pdf-malware/
    10 Dec 2014 - "'ACH – Bank account information form' pretending to come from random names at jpmchase.com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please fill out and return the attached ACH form along with a copy of a voided check.
    Jules Hebert,
    JPMorgan Chase
    GRE Project Accounting
    Vendor Management & Bid/Supervisor
    Fax-602-221-2251
    Jules.Hebert@ jpmchase .com
    GRE Project Accounting


    10 December 2014: Check_Copy_Void.zip: Extracts to: Check_Copy_Void.scr
    Current Virus total detections: 5/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1418238116/
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    213.175.194.96: https://www.virustotal.com/en/ip-add...6/information/
    UDP communications
    107.23.150.92: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'PRODUCT ENQUIRY' SPAM - jpg malware
    - http://myonlinesecurity.co.uk/re-pro...e-jpg-malware/
    10 Dec 2014 - "'RE: PRODUCT ENQUIRY' coming from a random company with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Hello,
    We are very interested in your product line. We got your profile from sister-companies. Can you please email me the list of all your Class A products and their prices? How much is the minimum order for shipping? What is the mode of payment and can you ship to Stockholm (SWEDEN)?
    Please refer to the attached photo in my email. I was informed that this was purchased from your company. I would also like to order this product. Can you send the product code in your reply.
    Thank you very much
    Stven Clark
    Lindhagensgatan 90,
    112 18 Stockholm,
    SWEDEN…


    10 December 2014: Product Image NO. 1_jpeg…………….. (1).7z:
    Extracts to: Product Image NO. GXD46474848494DHW_jpeg…………….. (1).exe
    Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1418220978/
    ___

    85% of website scams - China
    - http://www.theregister.co.uk/2014/12...website_scams/
    10 Dec 2014 - "Chinese internet users are behind 85 per cent of -fake- websites, according to a semi-annual report [PDF*] from the Anti-Phishing Working Group (APWG). Of the 22,679 -malicious- domain registrations that the group reviewed, over 19,000 were registered to servers based in China. This is in addition to nearly 60,000 websites that were hacked in the first half of 2014 and then used to acquire people's details and credit card information while pretending to offer real goods or services. Chinese registrars were also the worst offenders, with nine of the top ten companies with the highest percentages of phished domains based in China. Dot-com domains are the most popular for phishing sites, being used in 51 per cent of cases, but when it comes down to the percentage of phished domains against the number of domains under that registry, the clear winner is the Central African Republic's dot-cf, with more than 1,200 phished domains out of a total of 40,000 (followed by Mali's dot-ml, Palau's dot-pw and Gabon's dot-ga). Despite concerted efforts to crack down on fake websites, little improvement was made on the last report in terms of uptime (although it is significantly lower than when the group first started its work back in 2010). The average uptime of a phishing site was 32 hours, whereas the median was just under 9 hours. As for the phishers' targets: Apple headed the list for the first time, being used in 18 per cent of all attacks, beating out perennial favorite PayPal with just 14 per cent. Despite some fears, the introduction of hundreds of new generic top-level domains has not led to a noticeable increase in phishing, according to the report. The authors posit that this may be because of the higher average price of new gTLDs, although they expect the number of new gTLD phished domains to increase as adoption grows and websites are compromised. Around 20 per cent of phishing attacks are achieved through hacking of vulnerable shared hosting providers..."
    * http://docs.apwg.org/reports/APWG_Gl...rt_1H_2014.pdf
    ___

    Zeus malware thru browser warning: social engineering...
    - http://blog.phishlabs.com/zeus-malwa...-at-its-finest
    Dec 5, '14 - "Zeus malware continues to plague the Internet with distributions through spam emails and embeds in compromised corners of the web – all designed to exploit unsuspecting consumers. PhishLabs’ R.A.I.D. (Research Analysis and Intelligence Division) recently observed the Zeus malware being distributed through an alarmingly convincing browser warning that prompts viewers to download and “restore settings”... designed to manipulate viewers so that they believe the alert is based on security preferences that he or she has previously set up. The message creates a sense of urgency and fear, warning of “unusual activity”... Generally speaking, grammar and spelling are often indicators of fake or malicious requests that lead to malware but cybercriminals have caught on to this vulnerability and stepped up their game. Although it is not perfect, the warning observed in this case was much more accurate than what we usually see. The warning states:
    "REPORTED BROWSER ONLINE DOCUMENT FILE READER WARNING". We have detected unusual activities on your browser and the Current Online Document File Reader has been blocked based on your security preferences. It is recommended that you update to the latest version available in order to restore your settings and view Documents."
    Browser warning leading to Zeus malware download:
    > http://info.phishlabs.com/hs-fs/hub/...er_Warning.png
    The fake browser warning requires the user to click the "Download and Install" button. Once clicked, the victim is redirected to a site that downloads the Zeus executable (Zbot) malware. The R.A.I.D was able to track the malware back to the Zeus control panel...
    Zeus (Zbot) malware control panel:
    > http://info.phishlabs.com/hs-fs/hub/...rol_Panel..png
    Web users should be on the lookout for this kind of social engineering that capitalizes on fear and misleads users to believe the alert is showing up based on user-defined preferences. Zeus is a dangerous malware that continues to be distributed through sophisticated avenues. In the past, Zeus infections have led to exploitation of machines, making them part of a -botnet-, as well as bank account takeovers and fraud."

    Last edited by AplusWebMaster; 2014-12-11 at 03:03.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
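    The icon-spoofed attachments in the posts above (Check_Copy_Void.scr shown as a PDF, a "_jpeg…" name that really ends in .exe) share a pattern that a mail gateway or endpoint script can flag before anyone double-clicks. The Python below is an added example written for this thread, not code from the forum post or from any of the blogs it quotes. The executable/document extension lists and the padding heuristic are assumptions of mine; the filenames checked at the bottom are the ones reported in the posts. It inspects names only, so it says nothing about macro-bearing .xls/.doc lures, which need content inspection.

```python
import re
from dataclasses import dataclass

# Extensions Windows will execute; every lure in these posts ends in one of them.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "jar", "cpl", "hta"}
# What the lure pretends to be. A tuple, not a set, so the first match is deterministic.
DOCUMENT_HINTS = ("pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt")
# Containers the posts show wrapping the executables.
ARCHIVE_EXTS = {"zip", "7z", "cab", "rar"}


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reasons: list


def split_name(name: str):
    """Return (stem, real extension) with everything lower-cased."""
    lowered = name.strip().lower()
    m = re.search(r"\.([a-z0-9]+)$", lowered)
    if not m:
        return lowered, ""
    return lowered[:m.start()], m.group(1)


def assess_filename(name: str) -> Verdict:
    """Flag a name whose real extension is executable but which is dressed up as a document."""
    stem, ext = split_name(name)
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"real extension .{ext} is executable")
        # A document token that stands on its own inside the stem, e.g. "document7241_pdf".
        for hint in DOCUMENT_HINTS:
            if re.search(rf"(^|[^a-z]){hint}([^a-z]|$)", stem):
                reasons.append(f"stem is dressed up as a .{hint}")
                break
        # Runs of dots, ellipsis characters or spaces push the real extension out of view
        # in a file dialog (assumed heuristic; matches the "_jpeg…………….. (1).exe" sample).
        if re.search(r"[.\u2026]{3,}|\s{3,}", stem):
            reasons.append("dot/ellipsis/space padding hides the real extension")
    return Verdict(name, bool(reasons), reasons)


def assess_archive(archive_name: str, members) -> list:
    """Assess each member of an archive; note the container when a member is suspicious."""
    _, ext = split_name(archive_name)
    verdicts = [assess_filename(m) for m in members]
    if ext in ARCHIVE_EXTS:
        for v in verdicts:
            if v.suspicious:
                v.reasons.append(f"delivered inside a .{ext} archive, which hides the "
                                 "member's extension until extraction")
    return verdicts


if __name__ == "__main__":
    # Names taken from the posts above, plus one clean control name.
    samples = [
        ("Check_Copy_Void.zip", ["Check_Copy_Void.scr"]),
        ("Product Image NO. 1_jpeg…………….. (1).7z",
         ["Product Image NO. GXD46474848494DHW_jpeg…………….. (1).exe"]),
        ("CITI-44175PI-77527.cab", ["CITI-44175PI-77527.scr"]),
        ("photos.zip", ["holiday.jpg"]),
    ]
    for archive, members in samples:
        for v in assess_archive(archive, members):
            flag = "SUSPICIOUS" if v.suspicious else "ok"
            print(f"{flag:10} {v.filename}")
            for r in v.reasons:
                print(f"           - {r}")
```

    Run it on the attachment names from a mail log or a quarantine listing; a name with two or more reasons is exactly the profile the posts describe, and a single "executable" reason is still worth a look since .scr and .exe attachments have no business arriving by mail.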

  2. #592
    AplusWebMaster

    Fake Invoice 'UK Fuels E-bill', 'RBS Important Docs' SPAM, Phish, More Ransomware ...

    FYI...

    Fake Invoice 'UK Fuels E-bill' SPAM - malicious doc attachment
    - http://blog.dynamoo.com/2014/12/uk-f...ecom-spam.html
    11 Dec 2014 - "This -fake- invoice comes with a malicious attachment:
    From: invoices@ ebillinvoice .com
    Date: 11 December 2014 at 08:06
    Subject: UK Fuels E-bill
    Customer No : 35056
    Email address : [redacted]
    Attached file name : 35056_49_2014.doc
    Dear Customer
    Please find attached your invoice for Week 49 2014.
    In order to open the attached DOC file you will need
    the software Microsoft Office Word.
    If you have any queries regarding your e-bill you can contact us at invoices@ ebillinvoice .com.
    Yours sincerely
    Customer Services
    UK Fuels Ltd ...


    This spam is not from UK Fuels Ltd or ebillinvoice .com and is a forgery. Attached is a malicious Word document which in the sample I have seen is undetected by AV vendors*. This downloads a file from the following location:
    http ://KAFILATRAVEL .COM/js/bin.exe
    This is downloaded and saved to %TEMP%\LNKCLHSARFL.exe. This binary only has a detection rate of 3/56** at VirusTotal. The Malwr report shows that it POSTs data to 203.172.141.250 (Ministry of Education, Thailand), which has been commonly used in this sort of attack (I strongly recommend that you -block- this IP). It also drops a DLL which is probably Dridex, which has a detection rate of only 1/55***."
    * https://www.virustotal.com/en/file/9...is/1418293134/

    ** https://www.virustotal.com/en/file/9...is/1418293637/

    *** https://www.virustotal.com/en/file/a...is/1418294506/

    - http://myonlinesecurity.co.uk/uk-fue...d-doc-malware/
    11 December 2014 : 35056_49_2014.doc (89kb) Current Virus total detections: 0/56*
    35056_49_2014.doc (69kb) Current Virus total detections: 0/56**
    * https://www.virustotal.com/en/file/9...is/1418285959/

    ** https://www.virustotal.com/en/file/1...is/1418285875/
    ___

    Fake 'RBS Important Docs' SPAM – doc malware
    - http://myonlinesecurity.co.uk/rbs-im...d-doc-malware/
    11 Dec 2014 - "'RBS Important Docs' pretending to come from Lenore Hinkle <Lenore@ rbs .co .uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Please review attached documents regarding your account.
    Tel: 01322 182123
    Fax: 01322 011929
    email: Lenore@ rbs .co.uk
    This information is classified as Confidential unless otherwise stated.


    11 December 2014: RBS_Account_Documents.doc (1mb) Current Virus total detections: 1/56*
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1418306209/
    ___

    REVETON Ransomware spreads ...
    - http://blog.trendmicro.com/trendlabs...ection-method/
    Dec 11, 2014 - "... Over the past few months spanning October up to the last weeks of November, we observed a noticeable increase in REVETON malware variants, in particular, TROJ_REVETON.SM4 and TROJ_REVETON.SM6... Below is the warning message along with a MoneyPak form to transfer the payment of $300 USD. The message also warns users that they have only 48 hours to pay the fine.
    Fake warning messages from Homeland Security and the ICE Cyber Crime Center:
    > http://blog.trendmicro.com/trendlabs...meland_ice.png
    ... the healthcare industry seems to be the most affected industry by this malware and mostly centered in the United States, followed by Australia. Below is a ranking of most affected countries by this new wave of REVETON malware spanning October to November 2014.
    Data for TROJ_REVETON.SM4 and TROJ_REVETON.SM6 for October – November 2014:
    > http://blog.trendmicro.com/trendlabs...ew-infect2.jpg
    ... It might be jarring for users to suddenly receive a message supposedly sent by law enforcement agencies. However, they need to keep in mind that this is just a tactic intended to “scare” users into paying the fee. Users might also be tempted to pay the ransom to get their computers up and running once again. Unfortunately, there is no guarantee that paying the ransom will result in having the computer screen unlocked. Paying the ransom will only guarantee more money going into the pockets of cybercrooks... Some ransomware variants arrive as attachments of spammed messages. As such, users should be wary of opening emails and attachments, especially those that come from unverified sources. If the email appears to come from a legitimate source (read: banks and other institutions), users should verify the email with the bank. If from a personal contact, -confirm- if they sent the message. Do not rely solely on trust by virtue of relationship, as friends or family members may be victims of spammers as well."
    ___

    Phish: CloudFlare SSL certificate abused
    - https://blog.malwarebytes.org/fraud-...phishing-scam/
    Dec 11, 2014 - "... received a phishing email pretending to come from LogMeIn, the popular remote administration tool. It uses a classic scare tactic “We were unable to charge your credit card for the due amount.( Merchant message – Insufficient funds )” to trick the user into opening up a -fake- invoice:
    > https://blog.malwarebytes.org/wp-con...12/unphish.png
    ... What struck our interest here was the fact that this link was https based. It was indeed a secure connection... with a valid certificate:
    > https://blog.malwarebytes.org/wp-con...icatechain.png
    On September 29, CloudFlare, a CDN and DNS provider amongst other things, announced Universal SSL, a feature available to all its paid and free customers. It is not the first time cyber-criminals are abusing CloudFlare, and this case is not entirely surprising. By giving a false sense of security (the HTTPS padlock), users are more inclined to follow through and download the malicious file.
    > https://blog.malwarebytes.org/wp-con...properties.png
    ... CloudFlare is issuing a warning that the URL is a 'Suspected phishing site':
    > https://blog.malwarebytes.org/wp-con...12/warning.png
    In some regard SSL certificates may become like digitally signed files, where, while they do add a level of trust, one should still exercise caution and not blindly assume everything is fine. It might be difficult to keep up with each and every new site that wants to abuse the system (cat-and-mouse game)... We can certainly expect cyber criminals to start using SSL more and more given that it is freely available and not extremely difficult to put in place. Another standard known as Extended Validation Certificate SSL (EV SSL) requires more validation than plain SSL, but again, this does not make things simple for the end user. If regular SSL is deemed weak, then we have a bit of a problem... We have reported this URL to CloudFlare and hope they can revoke the SSL certificate and shut down the site."

    Last edited by AplusWebMaster; 2014-12-12 at 15:30.

  3. #593
    AplusWebMaster

    Info-Stealing file infector hits US, UK

    FYI...

    Info-Stealing file infector hits US, UK
    - http://blog.trendmicro.com/trendlabs...or-hits-us-uk/
    Dec 11, 2014 5:15 pm (UTC-7) - "... there has been a spike in infections related to the malware URSNIF. The URSNIF family is known to steal information such as passwords. Spyware is always considered high risk, but these URSNIF variants can cause damage beyond info-stealing. These URSNIF variants are file-infectors — which is the cause of the noted spike... the countries most affected by the spike are the United States and the United Kingdom. These two countries comprise nearly 75% of all the infections related to these URSNIF variants. Canada and Turkey are the next countries most affected by the malware.
    Countries affected by URSNIF spike, based on data gathered for December 2014 so far:
    > http://blog.trendmicro.com/trendlabs...SNIF-spike.jpg
    Additional feedback shows that education, financial, and manufacturing were among the industries affected by this spike... It infects all .PDF, .EXE, and .MSI files found in all removable drives and network drives. URSNIF packs the found files and embeds them in its resource section. When these infected files are executed, it will drop the original file in %User Temp% (~{random}.tmp.pdf, ~{random}.tmp.exe) and then execute it to trick the user into thinking the opened file is still fine... After deleting the original .PDF file, it will create an .EXE file using the file name of the original .PDF file. As for .MSI and .EXE files, it will insert its code into the current executable. It will only infect .EXE files with “setup” in the filename.
    Difference between an infected (top) and clean (bottom) .PDF file. The infected file is 3.18 MB while the clean file is 2.89 MB:
    > http://blog.trendmicro.com/trendlabs...NIF-spike3.png
    For MSI files, it will execute the original file first before executing the malware code. For .PDF and .EXE files, it will produce a dropper-like Trojan, which will drop and execute the original file and the main file infector... The malware family URSNIF is better known as spyware. Variants can monitor network traffic by hooking network APIs related to top browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox. It is also known for gathering information. However, the fact that a family known for spyware now includes file infectors shows that cybercriminals are not above tweaking established malware to expand its routines... A different file infector type (e.g., appending) requires a different detection for security solutions; not all solutions may have this detection. Another notable feature of this particular malware is that it starts its infection routine 30 minutes after its execution... variants often arrive via spammed messages and Trojan dropper/downloader malware. Users need a comprehensive security solution that goes beyond detecting and blocking malware. Features like email reputation services which can detect and block spam and other email-related threats can greatly boost a computer’s security... infected .PDF and .EXE files as PE_URSNIF.A2. Infected .MSI files are detected as PE_URSNIF.A1.
    Hashes of the related files:
    dd7d3b9ea965af9be6995e823ed863be5f3660e5
    44B7A1555D6EF109555CCE88F2A954CAFE56B0B4
    EFC5C6DCDFC189742A08B25D8842074C16D44951
    FD3EB9A01B209572F903981675F9CF9402181CA1 "
    ___

    Fake 'Order' SPAM - malicious attachment
    - http://blog.dynamoo.com/2014/12/wave...8551-spam.html
    12 Dec 2014 - "This -fake- invoice comes with a malicious attachment.
    From: kaybd2@ wavecable .com
    Date: 12 December 2014 at 17:17
    Subject: Order - R58551
    Thanks for placing order with us today! Your order is now on process.
    Outright Purchase: 6949 US Dollars
    Please click the word file provided below to see more details about your order.
    BILLING DETAILS
    Order Number: ZJW139855932
    Purchase Date: 13.07 11.12.2014
    Customer Email: info@ [redacted]


    Attached is a malicious Word document INVOICE_7794.DOC which has a detection rate of 4/56* on VirusTotal... macro downloads an executable from:
    http ://www.2fs. com .au/tmp/rkn.exe
    That has a VirusTotal detection rate of 5/55**... A malicious DLL is dropped onto the system with a VirusTotal detection rate of 2/56***. The only detections are generic, but similar dropped DLLs have been the Dridex banking trojan.
    Recommended blocklist:
    209.208.62.36
    5.187.1.78
    46.250.6.1
    5.135.28.106
    66.213.111.72
    95.211.188.129 "
    * https://www.virustotal.com/en/file/9...is/1418406000/

    ** https://www.virustotal.com/en/file/9...is/1418406121/

    *** https://www.virustotal.com/en/file/b...is/1418408045/
    ___

    Spammers Accelerate Dyre Distribution
    - http://www.threattracksecurity.com/it-blog/dyre-spam/
    Dec 12, 2014 - "... Over the last few weeks, the cybercriminals behind Dyre have continued to refine their delivery tactics, and the Trojan is now capable of helping to spread itself and other malware. Our researchers have observed that systems infected with Dyre are not only at risk of the malware stealing log-in credentials, but may also receive commands to download and install additional spammers – including the Cutwail/Pushdo botnet – to more broadly propagate Dyre. Pushdo is responsible for a large portion of Upatre spam, and the botnet is actively distributing Dyre and other malware, including the data-encrypting ransomware CryptoWall... The bad guys are pulling out all the stops when it comes to distributing their malicious spam. Everything from fraudulent PayPal security alerts to a Top Gun-inspired tale about a Norwegian fighter pilot crossing paths with a Russian MiG to a fake survey purporting to ask recipients their opinions on the controversial events in Ferguson, Missouri, has been employed to trick recipients into clicking links and opening infected attachments. We recently observed Dyre downloading three spammers. The first is Pushdo, which runs its own spammer modules. The second and third are standalone spammers, one of which hijacks the victim’s Microsoft Outlook application to send personal emails with attachments harboring Upatre. The third spammer (see images and email text below from a small sampling) is generating a separate campaign and has been increasing in frequency over the last several weeks. All this signals that Dyre is poised to become a more pervasive threat and increasingly active in malicious spam campaigns.
    > http://www.threattracksecurity.com/i...n-MiG-Spam.png
    (Multiple other SPAM samples shown at the threattracksecurity URL at the top of this post.)
    ...Ensure your antivirus and endpoint security is up-to-date, and deploy a robust email security solution to protect your organization from malicious spam. IT admins should continue to educate their users about email-borne threats and stress that despite them being at work, they shouldn’t click links and open attachments without regard for security... Consumers should -always- be cautious about what they click, and if there is any doubt about a warning, special offer or request for private information, contact the bank, retailer or service provider directly by -phone- to confirm."
    ___

    Wire transfer spam spreads Upatre
    - http://blogs.technet.com/b/mmpc/arch...ds-upatre.aspx
    11 Dec 2014 - "... currently monitoring a spam email campaign that is using a wire transfer claim to spread Trojan:Win32/Upatre. It is important to note that customers running up-to-date Microsoft security software are protected from this threat..."

    Last edited by AplusWebMaster; 2014-12-12 at 23:38.
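    The posts above (and #591 earlier) publish their indicators in defanged form ("http ://", "hxxp", spaces around dots), together with recommended blocklists and file hashes. The Python below is an added example written for this thread, not code from the forum post or the quoted blogs: it refangs such lists, extracts IPs, domains, URLs and hashes, and matches them against proxy and endpoint log lines. IOC_TEXT reuses values that appear in the posts; LOG_LINES and their key=value format are constructed for the example; the refanging rules are my assumptions about the conventions used in these posts, applied line by line so prose lines contribute nothing that the extractors would pick up.

```python
import re
from dataclasses import dataclass, field
from ipaddress import AddressValueError, IPv4Address
from urllib.parse import urlsplit

# Constructed sample modelled on the defanged indicator lists quoted in these posts
# (the values are the ones the posts report; the surrounding text is illustrative).
IOC_TEXT = """\
macro downloads an executable from:
http ://KAFILATRAVEL .COM/js/bin.exe
http ://www.2fs. com .au/tmp/rkn.exe
http ://217.174.240.46:8080/stat/lld.php
hxxp: //nm2b .org/bhnjhkkgvq/ufqielyyva.html
nm2b .org: 173.254.28.126
POSTs data to 203.172.141.250 (Ministry of Education, Thailand)
Recommended blocklist:
209.208.62.36
5.187.1.78
Hash of the related file:
dd7d3b9ea965af9be6995e823ed863be5f3660e5
document82714.scr (98FE8CAD93B6FCDE63421676534BCC57)
"""

SCHEME_RE = re.compile(r"h(?:xx|tt)p(s?)\s*:\s*//", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)


def refang(line: str) -> str:
    """Undo the defanging conventions seen in the posts (assumed rules)."""
    line = line.replace("(dot)", ".").replace("[.]", ".").replace("{.}", ".")
    line = SCHEME_RE.sub(lambda m: "http" + m.group(1).lower() + "://", line)  # "hxxp: //" -> "http://"
    line = re.sub(r"\s+\.", ".", line)                  # "nm2b .org"  -> "nm2b.org"
    line = re.sub(r"\.\s+(?=[A-Za-z0-9])", ".", line)   # "2fs. com"   -> "2fs.com"
    return line


def valid_ipv4(text: str) -> bool:
    try:
        IPv4Address(text)
        return True
    except AddressValueError:
        return False


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    hashes: set = field(default_factory=set)


def extract_iocs(text: str) -> IocSet:
    """Pull normalised indicators out of a defanged, free-form report."""
    iocs = IocSet()
    for raw in text.splitlines():
        line = refang(raw)
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;")
            host = urlsplit(url).hostname  # lower-cased, port stripped
            if not host:
                continue
            iocs.urls.add(url)
            (iocs.ips if valid_ipv4(host) else iocs.domains).add(host)
        for ip in IPV4_RE.findall(line):
            if valid_ipv4(ip):
                iocs.ips.add(ip)
        for h in HASH_RE.findall(line):
            iocs.hashes.add(h.lower())
    return iocs


# Constructed proxy/endpoint log lines (not from the page); dst= is the connected IP.
LOG_LINES = [
    "2014-12-12T17:25:01Z src=10.0.0.5 dst=209.208.62.36 url=http://209.208.62.36/ status=200",
    "2014-12-12T17:25:03Z src=10.0.0.7 dst=93.184.216.34 url=http://example.com/ status=200",
    "2014-12-15T08:01:10Z src=10.0.0.9 dst=203.172.141.250 url=http://203.172.141.250/ method=POST status=200",
    "2014-12-16T13:20:44Z src=10.0.0.12 dst=173.254.28.126 url=http://nm2b.org/bhnjhkkgvq/ufqielyyva.html status=200",
    "2014-12-16T13:21:00Z host=ws42 event=quarantine sha1=DD7D3B9EA965AF9BE6995E823ED863BE5F3660E5",
]


def match_line(line: str, iocs: IocSet) -> list:
    """Return the sorted, de-duplicated indicators from `iocs` that appear in one log line."""
    hits = set()
    for ip in IPV4_RE.findall(line):
        if ip in iocs.ips:
            hits.add("ip:" + ip)
    for url in URL_RE.findall(line):
        host = urlsplit(url).hostname
        if host and host in iocs.domains:
            hits.add("domain:" + host)
    for h in HASH_RE.findall(line):
        if h.lower() in iocs.hashes:
            hits.add("hash:" + h.lower())
    return sorted(hits)


def scan_log(lines, iocs: IocSet) -> list:
    """(line, hits) for every line that touches at least one indicator."""
    return [(line, hits) for line in lines if (hits := match_line(line, iocs))]


if __name__ == "__main__":
    iocs = extract_iocs(IOC_TEXT)
    print("block:", sorted(iocs.ips), sorted(iocs.domains))
    for line, hits in scan_log(LOG_LINES, iocs):
        print(hits, "<-", line)
```

    The domain and IP sets are what you would feed a proxy denylist or DNS sinkhole, and the hash set is what an AV/EDR console can be queried for; keeping the three apart matters because a shared-hosting IP such as the ones these posts list will also carry legitimate sites, so an IP hit deserves confirmation against the URL before anyone blocks it outright.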

  4. #594
    AplusWebMaster

    Fake 'Payment Advice' SPAM, GoDaddy Phish ...

    FYI...

    Fake 'Payment Advice' SPAM - malicious doc attached
    - http://blog.dynamoo.com/2014/12/malw...lications.html
    15 Dec 2014 - "This -fake- payment advice spam is not from Vitacress but is a -forgery- with a malicious Word document attached.
    From: IFS Applications [Do_Not_Reply@ vitacress .co.uk]
    Date: 15 December 2014 at 07:49
    Subject: DOC-file for report is ready
    The DOC-file for report Payment Advice is ready and is attached in this mail.


    Attached is a file Payment Advice_593016.doc which is actually one of two different documents with zero detections at VirusTotal [1] [2] and contains one of two malicious macros... that download a malware binary from one of the following locations:
    http ://gv-roth .de/js/bin.exe
    http ://notaxcig .com/js/bin.exe
    This file is saved as %TEMP%\DYIATHUQLCW.exe and currently has a VirusTotal detection rate of just 1/52*. The ThreatExpert report and Malwr report show attempted connections to the following IPs which have been used in many recent attacks and should be -blocked- if you can:
    203.172.141.250 (Ministry of Education, Thailand)
    74.208.11.204 (1&1, US)
    The malware almost definitely drops the Dridex trojan onto the target system, but I have not been able to get a sample of this yet."
    1] https://www.virustotal.com/en/file/d...is/1418633977/

    2] https://www.virustotal.com/en/file/b...is/1418633990/

    * https://www.virustotal.com/en/file/5...is/1418634587/

    >> http://myonlinesecurity.co.uk/ifs-ap...d-doc-malware/
    15 Dec 2014
    1] https://www.virustotal.com/en/file/b...is/1418628093/

    2] https://www.virustotal.com/en/file/d...is/1418628835/

    - http://blog.mxlab.eu/2014/12/15/emai...nloads-trojan/
    Dec 15, 2014
    > https://www.virustotal.com/en/file/5...1d97/analysis/
    ... Behavioural information
    TCP connections
    74.208.11.204: https://www.virustotal.com/en/ip-add...4/information/
    ___

    GoDaddy 'Account Notice' - Phish ...
    - http://www.hoax-slayer.com/godaddy-a...ing-scam.shtml
    Dec 15, 2014 - "Email purporting to be from web hosting company GoDaddy claims that your account may pose a potential performance risk to the server because it contains 'too many directories'... The email is -not- from GoDaddy. It is a phishing scam designed to steal your GoDaddy login details. A link in the message takes you to a -fake- Go Daddy login page...
    Example:
    Subject: Account Notice : Error # 7962
    Dear Valued GoDaddy Customer: Brett Christensen
    Your account contains more than 3331 directories and may pose a potential performance risk to the server.
    Please reduce the number of directories for your account to prevent possible account deactivation.
    In order to prevent your account from being locked out we recommend that you create special TMP directory.
    Or use the link below :
    [Link Removed]
    Sincerely,
    GoDaddy Customer Support...


    ... criminals responsible for this phishing attack can use the stolen login details to hijack the victims' GoDaddy account. Once they have gained access to the account, the criminals can take control of the victim's website and email addresses and use them to perpetrate spam, scam, and malware attacks. Always login to your online accounts by entering the web address into your browser's address bar rather than by clicking-a-link in an email."

    Last edited by AplusWebMaster; 2014-12-15 at 21:49.

  5. #595
    AplusWebMaster

    Fake 'eFax Drive' SPAM

    FYI...

    Fake 'eFax Drive' SPAM - malicious ZIP
    - http://blog.mxlab.eu/2014/12/16/url-...s-zip-archive/
    Dec 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “You’ve received a new fax”. This email is sent from the -spoofed- address and has the following body:
    New fax at SCAN9106970 from EPSON by https ://******* .com
    Scan date: Tue, 16 Dec 2014 13:17:59 +0000
    Number of pages: 2
    Resolution: 400×400 DPI
    You can secure download your fax message at:
    hxxp: //nm2b .org/bhnjhkkgvq/ufqielyyva.html
    (eFax Drive is a file hosting service operated by J2, Inc.)


    The downloaded file document7241_pdf.zip contains the 33 kB large file document7241_pdf.scr. The trojan is known as Packed.Win32.Katusha.1!O or Malware.QVM20.Gen. At the time of writing, 2 of the 54 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/d...499c/analysis/

    nm2b .org: 173.254.28.126: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'Bank account frozen' SPAM - doc malware
    - http://myonlinesecurity.co.uk/bank-a...d-doc-malware/
    16 Dec 2014 - "'Bank account frozen notice, note, attention. Attention #CITI-44175PI-77527' with a cab attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.
    Notification Number: 8489465
    Mandate Number: 6782144
    Date: December 16, 2014. 01:13pm
    In an effort to protect your Banking account, we have frozen your account until such time that it can be safely restored by you. Please view attached file “CITI-44175PI-77527.cab” for details.
    Yours truly,
    Kathy Schuler ...


    16 December 2014: CITI-44175PI-77527.cab : Extracts to: CITI-44175PI-77527.scr
    Current Virus total detections: 3/54* . This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper word.doc file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1418745402/
    ___

    Wells Fargo Secure Meessage Spam
    http://threattrack.tumblr.com/post/1...-meessage-spam
    Dec 16, 2014 - "Subjects Seen:
    You have a new Secure Message
    Typical e-mail details:
    You have received a secure message
    Read your secure message by download document-75039.pdf. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    In order to view the secure message please download it using our Cloud Hosting:
    nexpider .com/sawdnilhvi/ckyilmmoca.html


    Malicious URLs:
    nexpider .com/sawdnilhvi/ckyilmmoca.html
    Malicious File Name and MD5:
    document82714.scr (98FE8CAD93B6FCDE63421676534BCC57)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...vc41r6pupn.png

    Tagged: Upatre, Wells Fargo
    ____

    Trawling for Phish
    - https://blog.malwarebytes.org/online...ing-for-phish/
    Dec 16, 2014 - "... avoid on your travels, whether you’re sent a link to them directly or see the URLs linked in an email. First up, a page located at:
    secure-dropboxfile (dot)hotvideostube(dot)net/secure-files-dropbox/document/
    It claims to offer a shared Dropbox document in return for entering your email credentials. It follows the well-worn pattern of offering multiple login options for different types of email account, including Gmail, AOL, Windows Live, Yahoo and “other”:
    > https://blog.malwarebytes.org/wp-con...2/dboxprn1.jpg
    The website itself has a poor reputation on Web of Trust, has been listed as being compromised on defacement archives and was also hosting a banking phish not so long ago. Should visitors attempt to login, it sends them to a shared Google Document (no Dropbox files on offer here) which is actually a “public prayer request” spreadsheet belonging to a Church:
    > https://blog.malwarebytes.org/wp-con...2/dboxprn3.jpg
    The next page is Google Drive themed and located at:
    yellowpagesexpress (dot)com/cgi-bin/Secure Management/index(dot)php
    > https://blog.malwarebytes.org/wp-con...2/dboxprn2.jpg
    As before, it asks the visitor to login with the widest possible range of common email accounts available, before sending those who enter their details to an entirely unrelated Saatchi Art investment webpage. Readers should always be cautious around pages claiming to offer up files in return for email logins – it’s one of the most common tactics for harvesting password credentials."

    Last edited by AplusWebMaster; 2014-12-17 at 01:49.

  6. #596 - AplusWebMaster (Adviser Team)

    Fake 'PL REMITTANCE' malware, 'Blocked ACH Transfer' SPAM, Exploit Kits in 2014

    FYI...

    Fake 'PL REMITTANCE' malware SPAM
    - http://blog.dynamoo.com/2014/12/pl-r...f844127rh.html
    17 Dec 2014 - "This -fake- remittance advice comes with a malicious Excel attachment.
    From: Briana
    Date: 17 December 2014 at 08:42
    Subject: PL REMITTANCE DETAILS ref844127RH
    The attached remittance details the payment of £664.89 made on 16-DEC-2014 by BACSE.
    This email was generated using PL Payment Remittance of Integra Finance System.
    Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.


    The reference in the subject and the name of the Excel attachment differ from email to email, but are always consistent in the same message. There are two poorly detected malicious Excel files that I have seen [1] [2] containing two slightly different macros.. which then reach out to the following download locations:
    http ://23.226.229.112:8080/stat/lldv.php
    http ://38.96.175.139:8080/stat/lldv.php
    The file from these locations is downloaded as test.exe and is then saved to %TEMP%\VMHKWKMKEUQ.exe. This has a VirusTotal detection rate of 1/55*. The ThreatTrack report shows it POSTing to the following IP:
    194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
    This IP has been used in several recent attacks and I strongly recommend blocking it. The Malwr report also shows it dropping a malicious DLL identified as Dridex. The ThreatExpert report gives some different IPs being contacted:
    80.237.255.196 (Denes Balazs / HostEurope, Germany)
    85.25.20.107 (PlusServer, Germany)
    The Ukrainian IP is definitely malicious, but if you wanted to establish maximum protection then I would recommend the following blocklist:
    194.146.136.1
    80.237.255.196
    85.25.20.107
    23.226.229.112
    38.96.175.139
    "
    1] https://www.virustotal.com/en/file/3...is/1418810946/

    2] https://www.virustotal.com/en/file/e...is/1418810941/

    * https://www.virustotal.com/en/file/a...is/1418810686/

    > http://blog.mxlab.eu/2014/12/17/new-...s-in-the-wild/
    Dec 17, 2014
    Screenshot of the XLS: http://img.blog.mxlab.eu/2014/201412...ittance_01.gif
    - https://www.virustotal.com/en/file/e...cae3/analysis/

    > http://myonlinesecurity.co.uk/integr...l-xls-malware/
    17 Dec 2014
    - https://www.virustotal.com/en/file/e...is/1418816542/

    > https://www.virustotal.com/en/file/3...is/1418817871/
    ___

    Fake 'Blocked ACH Transfer' SPAM - malicious DOC attachment
    - http://blog.dynamoo.com/2014/12/bloc...malicious.html
    17 DEC 2014 - "Another spam run pushing a malicious Word attachment..
    Date: 17 December 2014 at 07:27
    Subject: Blocked ACH Transfer
    The ACH transaction (ID: 618003565), recently sent from your online banking account, was rejected by the Electronic Payments Association.
    Canceled transaction
    ACH file Case ID 623742
    Total Amount 2644.93 USD
    Sender e-mail info@mobilegazette.com
    Reason for rejection See attached word file
    Please see the document provided below to have more details about this issue...

    Screenshot: https://2.bp.blogspot.com/-HHVnC18sm.../s1600/ach.png

    Attached is a file ACH transaction 3360.doc which isn't actually a Word 97-2003 document at all, but a malicious Word 2007 document that would normally have a .DOCX extension (which is basically a ZIP file). The current VirusTotal detection rate of this is just 1/55*. Inside this is a malicious macro... which downloads a file from:
    http ://www.lynxtech .com.hk/images/tn.exe
    This has a VirusTotal detection rate of just 1/54**. The Malwr report shows it POSTING to 5.187.1.78 (Fornex Hosting, Germany) and also a query to 209.208.62.36 (Atlantic.net, US). Presumably this then drops additional components onto the infected system, although I do not know what they are.
    Recommended blocklist:
    5.187.1.78
    209.208.62.36
    "
    * https://www.virustotal.com/en/file/6...is/1418826644/

    ** https://www.virustotal.com/en/file/1...is/1418826840/
    ___

    Exploit Kits in 2014
    - http://blog.trendmicro.com/trendlabs...-kits-in-2014/
    Dec 17, 2014 - "... Exploits targeting Internet Explorer, Silverlight, and Adobe Flash vulnerabilities were frequently used by exploit kits in the past year. The four vulnerabilities below were some of the most frequently targeted by exploit kits:
    CVE-2013-0074 (Silverlight)
    CVE-2014-0515 (Adobe Flash)
    CVE-2014-0569 (Adobe Flash)
    CVE-2014-2551 (Internet Explorer)
    The most notable change in this list is the relative absence of Java vulnerabilities. Exploit kits have been removing Java because of the increasing use of click-to-play for Java applets, rendering Java a far less attractive target for exploits. The tables below show which exploits are in use by exploit kits:
    > http://blog.trendmicro.com/trendlabs...-kit-usage.png
    Plugin Detection: Almost all exploit kits run some sort of software that detects the browser platform a would-be victim is running in order to determine which exploit to send to the user.
    The code necessary to do this varies from one exploit kit to another, and is actually fairly complex due to the number of permutations of browsers and plugins that are possible.
    Two exploit kits – Nuclear and FlashPack – use a legitimate JavaScript library, PluginDetect. This minimizes the work the creators of the exploit kit need to do, as well as providing a complete set of features. However, this also means that this library has known characteristics: this makes it more visible to security vendors looking for sites used by exploit kits. By contrast, most exploit kits write their own library to perform this task. This makes detection harder, but it also reduces the capabilities of the libraries. Many of these libraries, for example, will only function under Internet Explorer. The Magnitude exploit kit uses a third method – server-side code – too. The following table summarizes which libraries are used.
    > http://blog.trendmicro.com/trendlabs...t-detect-b.png
    Antivirus Detection: A new feature that has been added to exploit kits is the ability to detect installed security software. If certain specific security products are installed, the exploit kit will stop itself from running. Both antivirus products and virtual machine software can be targeted in this manner. This behavior is possible due to a vulnerability in Internet Explorer (CVE-2013-7331). This vulnerability allows an attacker to check for the presence of files and folders on an affected system. It was first reported to Microsoft in February 2014, but was only patched in September of the same year as part of MS14-052. The following table summarizes the products that each exploit kit detects:
    > http://blog.trendmicro.com/trendlabs...t-software.png
    Obfuscation Techniques: Exploit kits regularly use various techniques to obfuscate their activity, but some exploit kits have added new techniques. In both of these cases, the attackers are using legitimate tools to obfuscate their files. The Angler exploit kit now uses the Pack200 format to help avoid detection. Pack200 is a compact archive format that was developed by Sun (Java’s original developers) to compress .JAR files significantly. Tools to uncompress these files are provided as part of the Java development kit, but many security products don’t support these formats (so they are unable to scan the said malicious file)...
    Summary: Exploit kit developers have not been idle in the year since the collapse of the Blackhole exploit kit. They have made various improvements that help improve the capabilities of these tools. The defenses against these tools on the part of users remain the same. We highly recommend that users implement all updates to their software as is practical, since many of the vulnerabilities targeted by attackers have long been fixed by software vendors."
    ___

    Dyre Banking Trojan - Secureworks
    - http://www.secureworks.com/cyber-thr...anking-trojan/
    Dec 17 2014

    Last edited by AplusWebMaster; 2014-12-23 at 19:31.

  7. #597 - AplusWebMaster (Adviser Team)

    WordPress sites infected with Malware, Fake 'AquAid Card', Fake 'JPMorgan' SPAM ...

    FYI...

    More than 100,000 'WordPress sites infected with Malware'
    - https://www.sans.org/newsletters/newsbites/xvi/99#301
    Dec 15, 2014 - "More than 100,000 websites running on WordPress content management system have been found to be infected with malware that attacks the devices of site visitors. Google has blacklisted more than 11,000 domains. Reports suggest that the attackers exploited a vulnerability in the Slider Revolution Premium plug-in*, which the company has known about since September 2014..."
    > http://arstechnica.com/security/2014...rious-malware/
    Dec 15, 2014
    (More links at the sans URL above.)

    * http://blog.sucuri.net/2014/12/soaks...-websites.html
    Dec 14, 2014
    ___

    Fake 'AquAid Card' SPAM – doc malware
    - http://myonlinesecurity.co.uk/tracey...d-doc-malware/
    18 Dec 2014 - "'AquAid Card Receipt' pretending to come from Tracey Smith <tracey.smith@aquaid.co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in windows explorer or your email client might well be enough to infect you. Definitely DO -NOT- follow the advice they give to enable macros to see the content... The email looks like:
    Hi
    Please find attached receipt of payment made to us today
    Tracey
    Tracey Smith| Branch Administrator
    AquAid | Birmingham & Midlands Central
    Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP ...


    Screenshot: http://myonlinesecurity.co.uk/wp-con...ious-email.jpg

    The macros in this malicious word doc try to connect to http ://sardiniarealestate .info/js/bin.exe ..which is saved as %TEMP%\YEWZMJFAHIB.exe – this has a marginally better detection rate of 3/53*. As we have seen in so many recent attacks like this one, there are 2 versions of the malware:
    18 December 2014 : CAR014 151239.doc ( 124kb) | Current Virus total detections: 2/56**
    CAR014 151239.doc (130 kb) | Current Virus total detections: 2/55***
    Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them..."
    * https://www.virustotal.com/en/file/b...is/1418893740/

    ** https://www.virustotal.com/en/file/c...is/1418891360/

    *** https://www.virustotal.com/en/file/0...is/1418891888/


    > http://blog.dynamoo.com/2014/12/malw...d-receipt.html
    18 Dec 2014
    - https://www.virustotal.com/en/file/c...is/1418893415/
    ... Recommended blocklist:
    74.208.11.204
    81.169.156.5
    "
    ___

    Fake 'Internet Fax' SPAM - trojan Upatre.FH
    - http://blog.mxlab.eu/2014/12/18/emai...jan-upatre-fh/
    Dec 18, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Internet Fax Job”, the email is sent from the spoofed address “MyFax <no-replay@ my-fax.com>” and has the following body:
    Fax image data
    hxxp ://bursalianneler .com/documents/fax.html


    The downloaded file fax8642174_pdf contains the 21 kB large file fax8642174_pdf.exe. The trojan is known as Upatre.FH. The trojan installs itself by creating the service ioiju.exe, makes sure that it boots when Windows starts, and modifies several Windows registries... At the time of writing, 1 of the 55 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/7...f048/analysis/
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    192.185.52.226: https://www.virustotal.com/en/ip-add...6/information/
    78.46.73.197: https://www.virustotal.com/en/ip-add...7/information/
    UDP communications
    203.183.172.196: https://www.virustotal.com/en/ip-add...6/information/
    203.183.172.212: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'JPMorgan Chase' SPAM - fake PDF malware
    - http://myonlinesecurity.co.uk/jpmorg...e-pdf-malware/
    17 Dec 2014 - "'JPMorgan Chase & Co You have received a new secure message' pretending to come from random names @jpmorgan .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    This is a secure, encrypted message.
    Desktop Users:
    Open the attachment (message_zdm.html) and follow the instructions.
    Mobile Users:
    Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.
    Need Help?
    Your personalized image for: <redacted>
    This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
    Email Security Powered by Voltage IBE
    Copyright 2013 JPMorgan Chase & Co. All rights reserved


    Screenshot: http://myonlinesecurity.co.uk/wp-con...re-message.jpg

    17 December 2014: message_zdm.zip: Extracts to: message_zdm.exe
    Current Virus total detections: 11/54* . This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1418844158/
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    217.199.168.166: https://www.virustotal.com/en/ip-add...6/information/
    UDP communications
    217.10.68.152: https://www.virustotal.com/en/ip-add...2/information/
    217.10.68.178: https://www.virustotal.com/en/ip-add...8/information/

    - http://threattrack.tumblr.com/post/1...e-message-spam
    Dec 18, 2014
    Screenshot: https://gs1.wac.edgecastcdn.net/8019...Hwm1r6pupn.png
    Tagged: JPMorgan, Upatre
    ___

    ICANN e-mail accounts, zone database breached in spearphishing attack
    Password data, other personal information of account holders exposed.
    - http://arstechnica.com/security/2014...ishing-attack/
    Dec 17 2014 - "Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet's address system, said in a release published Tuesday* that the breach also gave attackers administrative access to all files stored in its centralized zone data system**, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs... As the group controlling the Internet's domain name system, ICANN is a prime target for all kinds of attacks from hackers eager to obtain data that can be used to breach other targets..."
    * https://www.icann.org/news/announcement-2-2014-12-16-en

    ** https://czds.icann.org/en
    ___

    Worm exploits nasty Shellshock bug to commandeer network storage systems
    - http://arstechnica.com/security/2014...orage-systems/
    Dec 15 2014 - "Criminal hackers are actively exploiting the critical shellshock vulnerability* to install a self-replicating backdoor on a popular line of storage systems, researchers have warned. The malicious worm targets network-attached storage systems made by Taiwan-based QNAP, according to a blog post published Sunday** by the Sans Institute. The underlying shellshock attack code exploits a bug in GNU Bash that gives attackers the ability to run commands and code of their choice on vulnerable systems. QNAP engineers released an update in October that patches systems against the vulnerability, but the discovery of the worm in the wild suggests a statistically significant portion of users have yet to apply it. Infected systems are equipped with a secure shell (SSH) server and a new administrative user, giving the attackers a persistent backdoor to sneak back into the device at any time in the future..."
    * http://arstechnica.com/security/2014...ith-nix-in-it/

    ** https://isc.sans.edu/forums/diary/Wo...+Devices/19061

    Last edited by AplusWebMaster; 2014-12-19 at 12:36.

  8. #598 - AplusWebMaster (Adviser Team)

    Fake 'BACS payment' SPAM - XLS malware ...

    FYI...

    Fake 'BACS payment' SPAM - XLS malware
    - http://myonlinesecurity.co.uk/bacs-p...l-xls-malware/
    19 Dec 2014 - "'BACS payment Ref:9408YC' coming from random email addresses with a malicious Excel XLS attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    Please see below our payment confirmation for funds into your account on Tuesday re invoice 9408YC
    Accounts Assistant
    Tel: 01874 430 632
    Fax: 01874 254 622


    19 December 2014: 9408YC.xls - Current Virus total detections: 0/53* 0/55** 0/53***
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1418987287/

    ** https://www.virustotal.com/en/file/2...is/1418987903/

    *** https://www.virustotal.com/en/file/f...is/1418987497/

    - http://blog.dynamoo.com/2014/12/malw...f901109rw.html
    19 Dec 2014
    > https://www.virustotal.com/en/file/0...is/1418994768/
    "... UPDATE: A further version of this is doing the rounds with an attachment which also has zero detections at VirusTotal*..."
    * https://www.virustotal.com/en/file/0...is/1418994768/
    ... Behavioural information
    TCP connections
    194.146.136.1: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake ACH SPAM
    - http://blog.dynamoo.com/2014/12/malw...tion-case.html
    19 Dec 2014 - "This -fake- ACH spam leads to malware:
    Date: 19 December 2014 at 16:06
    Subject: Blocked Transaction. Case No 970332
    The Automated Clearing House transaction (ID: 732021371), recently initiated from your online banking account, was rejected by the other financial institution.
    Canceled ACH transaction
    ACH file Case ID 083520
    Transaction Amount 1458.42 USD
    Sender e-mail info@victimdomain
    Reason of Termination See attached statement
    Please open the word file enclosed with this email to get more info about this issue.


    In the sample I have seen, the attachment is ACH transfer 1336.doc which despite the name is actually a .DOCX file, which has a VirusTotal detection rate of 4/54*. Inside are a series of images detailing how to turn off macro security.. which is a very -bad- idea.
    1] https://1.bp.blogspot.com/-zPH8zcx7O...600/image3.png

    2] https://2.bp.blogspot.com/-84ljBD1vR...600/image4.png

    3] https://1.bp.blogspot.com/-vCCQWdg2i...600/image5.png

    4] https://4.bp.blogspot.com/-cCjgc3glQ...600/image6.png

    If you enable macros, then this macro... will run which will download a malicious binary from http ://nikolesy .com/tmp/ten.exe, this has a VirusTotal detection rate of 8/51** and is identified as the Dridex banking trojan."
    * https://www.virustotal.com/en/file/3...is/1419014981/

    ** https://www.virustotal.com/en/file/2...is/1419015141/
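    The two tricks in the ACH posts above (a ".doc" that is really an OOXML ZIP carrying a macro) and in the eFax/JPMorgan posts (an .scr/.exe named or iconed to look like a PDF or Word file) can both be caught by looking at the bytes instead of the name. The following is an added example, not code from any of the quoted blogs; the finding tags, the sample blobs and the minimal ZIP stand-in for a .docx are all constructed here.

```python
"""Classify e-mail attachments by content, not by the name the sender chose."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Word 97-2003 compound file (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx) is a ZIP container
PE_MAGIC = b"MZ"                                  # Windows executable (.exe/.scr)

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "rtf"}
LEGACY_OFFICE_EXTS = {"doc", "xls", "ppt"}


def sniff_container(data: bytes) -> str:
    """Identify the real container format from its leading bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def ooxml_has_macro(data: bytes) -> bool:
    """True when an OOXML ZIP carries a VBA project (word/vbaProject.bin and friends)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def assess_attachment(filename: str, data: bytes) -> list:
    """Return a sorted list of finding tags for one attachment; empty means nothing odd."""
    findings = set()
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # tokens of the stem, so "document7241_pdf.scr" exposes the "pdf" it is pretending to be
    stem_tokens = set("_".join(parts[:-1]).replace("-", "_").split("_"))
    container = sniff_container(data)

    if ext in EXECUTABLE_EXTS:
        findings.add("executable-extension")
        if stem_tokens & DOCUMENT_EXTS:
            findings.add("document-style-name")
    if container == "pe":
        findings.add("pe-content")
        if ext in DOCUMENT_EXTS:
            findings.add("pe-disguised-as-document")
    if ext in LEGACY_OFFICE_EXTS and container == "zip":
        # "ACH transaction 3360.doc" that is really a Word 2007+ (OOXML) document
        findings.add("legacy-extension-but-ooxml")
    if container == "zip" and ooxml_has_macro(data):
        findings.add("vba-macro")
    return sorted(findings)


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for a .docx: a ZIP with the usual part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # constructed samples mirroring the attachment names quoted in this thread
    samples = {
        "ACH transaction 3360.doc": build_sample_ooxml(True),
        "document7241_pdf.scr": PE_MAGIC + b"\x00" * 62,
        "invoice.pdf": PE_MAGIC + b"\x00" * 62,
        "report.docx": build_sample_ooxml(False),
        "legacy.doc": OLE_MAGIC + b"\x00" * 504,
    }
    for name, blob in samples.items():
        print(f"{name}: {assess_attachment(name, blob) or 'clean'}")
```

    A mail gateway rule that quarantines on any of these tags catches both campaigns regardless of the AV detection rate at the time.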
    ___

    Fake 'my-fax' SPAM
    - http://blog.dynamoo.com/2014/12/malw...my-faxcom.html
    19 Dec 2014 - "This -fake- fax spam leads to malware:
    From: Fax [no-replay@ my-fax .com]
    Date: 19 December 2014 at 15:37
    Subject: Employee Documents - Internal Use
    DOCUMENT NOTIFICATION, Powered by NetDocuments
    DOCUMENT NAME: Fax Documents
    DOCUMENT LINK: http ://crematori .org/myfax/company.html
    Documents are encrypted in transit and store in a secure repository...


    ... Clicking the link downloads a file fax8127480_924_pdf.zip which in turn contains a malicious executable fax8127480_924.exe which has a VirusTotal detection rate of 3/55*. Most automated analysis tools are inconclusive... but the VT report shows network connections to the following locations:
    http ://202.153.35.133:40542/1912uk22//0/51-SP3/0/
    http ://202.153.35.133:40542/1912uk22//1/0/0/
    http ://natural-anxiety-remedies .com/wp-includes/images/wlw/pack22.pne
    Recommended blocklist:
    202.153.35.133
    natural-anxiety-remedies .com
    "
    * https://www.virustotal.com/en/file/9...is/1419003908/

    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake 'Target Order Confirmation' - malware SPAM
    - http://www.hoax-slayer.com/target-or...-malware.shtml
    Dec 19, 2014 - "Order confirmation email purporting to be from Target claims that the company's online store has an order addressed to you... The email is -not- from Target. The link in the message opens a compromised website that contains malware. The Target version is just one in a series of similar malware messages that have falsely claimed to be from well-known stores, including Walmart, Costco and Walgreens...
    > http://www.hoax-slayer.com/images/ta...-malware-1.jpg
    If you use a non-Windows operating system, you may see a message claiming that the download is not compatible with your computer. If you are using one of the targeted operating systems, the malicious file may start downloading automatically. Alternatively, a message on the website may instruct you to click a link to download the file. Typically, the download will be a .zip file that hides a .exe file inside. Opening the .exe file will install the malware. The malware payload used in these campaigns can vary. But, typically, the malware can steal personal information from your computer and relay it to online scammers. The malware in this version is designed to add your computer to the infamous Asprox Botnet... This email is just one in a continuing series of malware messages that claim to be from various high profile stores, including Costco, Walmart and Walgreens. Other versions list order or transaction details, but do not name any particular store. Again, links in the messages lead to malware websites. In some cases, the malware is contained in an attached file. If you receive one of these -bogus- emails, do -not- click any links or open any attachments..."
    ___

    Walgreens Order Spam
    - http://threattrack.tumblr.com/post/1...ens-order-spam
    Dec 19, 2014 - "Subjects Seen:
    Order Status
    Typical e-mail details:
    E-shop Walgreens has received an order addressed to you which has to be confirmed by the recipient within 4 days. Upon confirmation you may pick it in any nearest store of Walgreens.
    Detailed order information is provided here.
    Walgreens


    Malicious URLs:
    rugby-game .com/search.php?w=ZT5EpruzameN92MeSlvI09DbnfrIhx1yqu3wrootEpM=
    Malicious File Name and MD5:
    Walgreens_OrderID-543759.exe (39CEBF3F19AF4C4F17CA5D8EFB940CB6)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...7f51r6pupn.png

    Tagged: Walgreens, Kuluoz
    ___

    Ars was briefly hacked yesterday; here’s what we know
    If you have an account on Ars Technica, please change your password today..
    - http://arstechnica.com/staff/2014/12...-what-we-know/
    Dec 16 2014 - "At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file. The next day, at 14:13, the hacker returned to the central server and replaced the main Ars webpage with a defacement page that streamed a song from the band Dual Core... "All the Things"... by 14:29, our technical team had removed the defaced page and restored normal Ars operations. We spent the afternoon changing all internal passwords and certificates and hardening server security even further. Log files show the hacker's movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are stored in hashed form (using 2,048 iterations of the MD5 algorithm and salted with a random series of characters). Out of an excess of caution, we strongly encourage all Ars readers - especially any who have reused their Ars passwords on other, more sensitive sites - to change their passwords today. We are continuing with a full autopsy of the hack and will provide updates if anything new comes to light..."

    Last edited by AplusWebMaster; 2014-12-19 at 23:31.

  9. #599 - AplusWebMaster (Adviser Team)

    US-CERT Targeted Destructive Malware Alert TA14-353A, Fake FedEx SPAM – malware

    FYI...

    Targeted Destructive Malware - Alert (TA14-353A)
    - https://www.us-cert.gov/ncas/alerts/TA14-353A
    Last revised: Dec 20, 2014 - "Systems Affected: Microsoft Windows
    Overview: US-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company. This SMB Worm Tool is equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.
    SMB Worm Tool: This worm uses a brute-force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2*. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and a file is copied and run on the newly-infected host...
    Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine's recovery. If the CNE operator has administrator-level privileges on the host, the program will overwrite portions of up to the first four physical drives attached, and overwrite the master boot record (MBR) with a program designed to cause further damage if the hard drive is rebooted. This further results in the victim machine being non-operational with irrecoverable data. (There is a caveat for machines installed with the Windows 7 operating system: Windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, at which point the infected MBR wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.
    Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.
    ... *summary of the C2 IP addresses:
    203.131.222.102 Thailand...
    217.96.33.164 Poland...
    88.53.215.64 Italy...
    200.87.126.116 Bolivia...
    58.185.154.99 Singapore...
    212.31.102.100 Cyprus...
    208.105.226.235 United States..."
    (More detail at the us-cert URL above.)

    203.131.222.102: https://www.virustotal.com/en/ip-add...2/information/
    217.96.33.164: https://www.virustotal.com/en/ip-add...4/information/
    88.53.215.64: https://www.virustotal.com/en/ip-add...4/information/
    200.87.126.116: https://www.virustotal.com/en/ip-add...6/information/
    58.185.154.99: https://www.virustotal.com/en/ip-add...9/information/
    212.31.102.100: https://www.virustotal.com/en/ip-add...0/information/
    208.105.226.235: https://www.virustotal.com/en/ip-add...5/information/

    - http://arstechnica.com/security/2014...il-of-badness/
    Dec 19 2014
    > http://cdn.arstechnica.net/wp-conten...-addresses.png
    ___

    Fake FedEx SPAM – malware
    - http://myonlinesecurity.co.uk/fedex-...rvice-malware/
    20 Dec 2014 - "'Postal Notification Service' pretending to come from FedEx with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...on-Service.jpg

    20 December 2014 : notification.zip: Extracts to: notification_48957348759483759834759834758934798537498.exe
    Current VirusTotal detections: 1/54*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like an unknown file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1419076775/

    "Package Delivery" Themed Scam Alert
    - https://www.us-cert.gov/ncas/current...med-Scam-Alert
    Dec 19, 2014
    > http://www.consumer.ftc.gov/blog/pac...red-your-inbox

    Last edited by AplusWebMaster; 2014-12-23 at 18:58.
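The TA14-353A description above gives two behaviours a defender can hunt for without any sample in hand: an internal host grinding through SMB passwords against many peers, and a host calling one external address on a fixed five-minute cadence. The following is an added example, not code from US-CERT or from the forum post: it runs both detections over constructed connection records and also matches destinations against the seven C2 addresses the alert lists. The record layout (timestamp, source, destination, port, outcome), the 10/8 "internal" assumption and the thresholds are this example's own choices.

```python
"""Added example (not part of the forum post or of US-CERT TA14-353A): two
detections derived from the worm behaviour the alert describes.

 1. SMB password guessing: an internal host racking up failed SMB
    authentications against many peers inside a short window.
 2. Beaconing: a host contacting one external IP at a near-constant
    interval (the alert says the worm calls home every five minutes).

The connection records are constructed for this example, and the record
layout (ts, src, dst, dport, outcome) is an assumption, not a real sensor
format. The C2 addresses are the ones listed in the alert.
"""
from collections import defaultdict
from statistics import mean, pstdev

TA14_353A_C2 = {
    "203.131.222.102", "217.96.33.164", "88.53.215.64", "200.87.126.116",
    "58.185.154.99", "212.31.102.100", "208.105.226.235",
}


def build_sample():
    """Constructed records: (epoch seconds, src, dst, dport, outcome)."""
    t0 = 1418600000
    recs = []
    # Worm-like spread: 10.0.0.5 guesses SMB passwords on 30 peers in 90 s,
    # then succeeds against one of them.
    for i in range(30):
        recs.append((t0 + 3 * i, "10.0.0.5", f"10.0.0.{20 + i}", 445, "auth_fail"))
    recs.append((t0 + 95, "10.0.0.5", "10.0.0.33", 445, "auth_ok"))
    # Log upload to C2 every 300 s with a second or two of jitter.
    for k in range(12):
        recs.append((t0 + 300 * k + (k % 3) - 1, "10.0.0.5", "203.131.222.102", 80, "conn"))
    # Benign, irregular traffic from another host.
    for t in (17, 400, 1333, 2100, 2111, 3600, 5000):
        recs.append((t0 + t, "10.0.0.7", "93.184.216.34", 443, "conn"))
    # An admin mistyping a password once: stays under the thresholds.
    recs.append((t0 + 50, "10.0.0.9", "10.0.0.10", 445, "auth_fail"))
    recs.append((t0 + 60, "10.0.0.9", "10.0.0.10", 445, "auth_ok"))
    return sorted(recs)


def smb_spray_sources(records, window=300, min_fail=10, min_targets=5):
    """Sources with >= min_fail SMB auth failures against >= min_targets
    distinct hosts inside any window-second span. Returns {src: (fails, targets)}."""
    fails = defaultdict(list)
    for ts, src, dst, dport, outcome in records:
        if dport == 445 and outcome == "auth_fail":
            fails[src].append((ts, dst))
    hits = {}
    for src, events in fails.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            span = events[lo:hi + 1]
            targets = {d for _, d in span}
            if len(span) >= min_fail and len(targets) >= min_targets:
                hits[src] = (len(span), len(targets))
                break
    return hits


def beacon_candidates(records, min_conns=6, max_jitter=0.05):
    """(src, dst, mean gap) for external destinations whose inter-connection
    gaps are nearly constant: relative std. dev. <= max_jitter."""
    times = defaultdict(list)
    for ts, src, dst, dport, outcome in records:
        if not dst.startswith("10."):  # assumption: 10/8 is the internal range
            times[(src, dst)].append(ts)
    out = []
    for (src, dst), ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_jitter:
            out.append((src, dst, round(m)))
    return out


def ioc_hits(records, iocs=TA14_353A_C2):
    """Any (src, dst) pair where dst is one of the published C2 addresses."""
    return sorted({(src, dst) for _, src, dst, _, _ in records if dst in iocs})


if __name__ == "__main__":
    recs = build_sample()
    print("SMB spray:", smb_spray_sources(recs))
    print("Beacons:", beacon_candidates(recs))
    print("C2 IOC hits:", ioc_hits(recs))
```

The beacon check deliberately keys on regularity rather than on the literal 300-second value, so a rebuilt tool with a different timer still stands out; the irregular host in the sample has enough connections to qualify but is rejected by the jitter test. The IOC match is the cheapest of the three and the first to go stale, which is why it is kept separate from the behavioural ones.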

  10. #600
    AplusWebMaster

    Angler EK on 193.109.69.59, Fake 'Employee Documents' Fax SPAM - malware ...

    FYI...

    Angler EK on 193.109.69.59
    - http://blog.dynamoo.com/2014/12/angl...931096959.html
    22 Dec 2014 - "193.109.69.59 (Mir Telematiki Ltd, Russia) is hosting what appears to be the Angler Exploit Kit... infection chain... The last step is where the badness happens, hosted on 193.109.69.59 (Mir Telematiki Ltd, Russia) which is also being used to host the following malicious domains:
    qwe.holidayspeedsix .biz
    qwe.holidayspeedfive .biz
    qwe.holidayspeedseven .biz
    A quick look at the contents of 193.109.68.0/23 shows some other questionable sites. A look at the sites hosted* in this /23 indicates that most of them appear to be selling counterfeit goods, so -blocking- the entire /23 will probably be no great loss.
    Recommended -minimum- blocklist:
    193.109.69.59
    holidayspeedsix .biz
    holidayspeedfive .biz
    holidayspeedseven .biz
    "
    * http://www.dynamoo.com/files/mmuskatov.csv

    193.109.69.59: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake 'Tiket alert' SPAM
    - http://blog.dynamoo.com/2014/12/tike...et-really.html
    22 Dec 2014 - "Sometimes the spammers don't really try very hard. Like they have to make a quota or something. A "Tiket alert" from the FBI.. or is it FBR? Really?

    From: FBR service [jon.wo@ fbi .com]
    Date: 22 December 2014 at 18:29
    Subject: Tiket alert
    Look at the link file for more information.
    http <redacted>
    Assistant Vice President, FBR service
    Management Corporation


    I have seen another version of this where the download location is negociomega .com/ticket/fsb.html. Clicking on the link downloads a file ticket8724_pdf.zip which in turn contains a malicious executable ticket8724_pdf.exe. This has a VirusTotal detection rate of 2/54*. Between that VirusTotal analysis and the Anubis analysis we can see that the malware attempts to phone home to:
    http ://202.153.35.133 :42463/2212us12//0/51-SP3/0/
    http ://202.153.35.133 :42463/2212us12//1/0/0/
    http ://moorfuse .com/images/unk12.pne
    202.153.35.133 is Excell Media Pvt Ltd, India.
    Recommended blocklist:
    202.153.35.133
    moorfuse .com
    mitsuba-kenya .com
    negociomega .com
    "
    * https://www.virustotal.com/en/file/1...is/1419277515/
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    188.132.231.115: https://www.virustotal.com/en/ip-add...5/information/
    ___

    Fake 'Employee Documents' Fax SPAM
    - http://blog.mxlab.eu/2014/12/19/emai...ious-zip-file/
    Dec 19, 2014 - "... intercepted quite a large distribution campaign by email with the subject “Employee Documents – Internal Use”, this email is sent from the spoofed address “Fax <no-replay@ my-fax .com>” and has the following body:
    DOCUMENT NOTIFICATION, Powered by NetDocuments
    DOCUMENT NAME: Fax Documents
    DOCUMENT LINK: ... <redacted>
    Documents are encrypted in transit and store in a secure repository ...


    The downloaded file fax8127480_924_pdf.zip contains the 26 kB file fax8127480_924.exe. The trojan is known as W32/Trojan.HZAT-8029, W32/Trojan3.MYF, Downloader-FSH!FFA9EE754457, Upatre.FH or a variant of Win32/Kryptik.CTMJ... Virus Total*..."
    * https://www.virustotal.com/en/file/9...5dcb/analysis/
    File name: fax8127480_924.exe
    Detection ratio: 26/53
    Analysis date: 2014-12-22
    ... Behavioural information
    TCP connections
    202.153.35.133: https://www.virustotal.com/en/ip-add...3/information/
    174.127.104.112: https://www.virustotal.com/en/ip-add...2/information/
    83.166.234.251: https://www.virustotal.com/en/ip-add...1/information/
    23.10.252.26: https://www.virustotal.com/en/ip-add...6/information/
    50.7.247.42: https://www.virustotal.com/en/ip-add...2/information/
    217.172.180.178: https://www.virustotal.com/en/ip-add...8/information/
    UDP communications
    173.194.71.127: https://www.virustotal.com/en/ip-add...7/information/

    Last edited by AplusWebMaster; 2014-12-22 at 23:04.
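The three zip lures quoted in these two posts (notification.zip with its 47-digit filename, ticket8724_pdf.zip containing ticket8724_pdf.exe, and fax8127480_924_pdf.zip containing fax8127480_924.exe) all rely on the same trick: the archive or the entry is named to look like a document while the payload is a Windows executable. The following is an added example, not tooling from myonlinesecurity, Dynamoo or MX Lab: a gateway-style inspector that opens the archive and flags an executable extension, a document-looking token in front of that extension, long numeric padding, and, independently of the name, a PE 'MZ' signature in the entry bytes. The archives and the stand-in payload are constructed in memory; the extension list and the regular expressions are this example's assumptions.

```python
"""Added example (not from the myonlinesecurity, Dynamoo or MX Lab posts): a
mail-gateway style check for the zip lures described above. The archives and
their contents are built in memory as constructed test data; the fake PE
payload is only a DOS 'MZ' header, not real malware. The extension list,
the regexes and the "_pdf.zip" rule are this example's assumptions.
"""
import io
import os
import re
import zipfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
            ".jar", ".cpl", ".hta"}
# ticket8724_pdf.exe: a document-looking token right before an executable
# extension.
DECOY_RE = re.compile(
    r"(?i)[_.\- ](pdf|doc|docx|xls|xlsx|jpg|txt)[_.\-]?\d*\.(?:exe|scr|com|pif)$")
# notification_48957348759483759834759834758934798537498.exe: a long numeric
# tail pushes the real extension out of view in a narrow file dialog.
NUMERIC_RE = re.compile(r"\d{20,}")

# Constructed stand-in for a Windows executable: only the DOS 'MZ' signature.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"


def make_zip(entries):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def inspect_zip(zip_name, data):
    """Return a list of (entry, reason) findings; empty means nothing suspicious."""
    findings = []
    if zip_name.lower().endswith("_pdf.zip"):
        findings.append((zip_name, "archive name pretends to be a PDF"))
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            with z.open(info) as fh:
                head = fh.read(2)
            if ext in EXEC_EXT:
                findings.append((name, "executable extension"))
            if head == b"MZ":
                findings.append((name, "PE header (MZ) regardless of extension"))
            if DECOY_RE.search(name):
                findings.append((name, "document token before executable extension"))
            if NUMERIC_RE.search(name):
                findings.append((name, "long numeric padding in filename"))
    return findings


def verdict(zip_name, data):
    return "quarantine" if inspect_zip(zip_name, data) else "allow"


# Constructed samples mirroring the three lures quoted above, plus a benign
# archive and a PE hidden behind a .pdf name.
SAMPLES = {
    "notification.zip": make_zip(
        {"notification_48957348759483759834759834758934798537498.exe": FAKE_PE}),
    "ticket8724_pdf.zip": make_zip({"ticket8724_pdf.exe": FAKE_PE}),
    "fax8127480_924_pdf.zip": make_zip({"fax8127480_924.exe": FAKE_PE}),
    "report.zip": make_zip({"report.pdf": b"%PDF-1.4\n% constructed benign file\n"}),
    "invoice.zip": make_zip({"invoice.pdf": FAKE_PE}),
}


def scan_all(samples=SAMPLES):
    return {name: verdict(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, verdict(name, data), inspect_zip(name, data))
```

The MZ check is the one that matters when the name-based rules fail: it reads two bytes of each entry, so it costs almost nothing and catches a payload that has been renamed to .pdf, which the extension and regex rules would pass. Password-protected archives defeat all four checks because the entry bytes cannot be read; treat an encrypted zip from an unknown sender as its own finding.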
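Both Dynamoo posts above end with a "recommended blocklist" that mixes single IPs, bare domains and, in the Angler case, a suggestion to block the whole 193.109.68.0/23. Applying such a list correctly needs two things the raw text does not give you: CIDR containment for addresses, and label-aware suffix matching for names so that qwe.holidayspeedsix.biz is caught while an unrelated notholidayspeedsix.biz is not. The following is an added example, not Dynamoo's or the forum's own tooling: it builds a matcher from the quoted entries (with the de-fanging spaces removed) and runs it over constructed proxy log lines. The log format, the client addresses and the URLs are assumptions made for this example.

```python
"""Added example (not Dynamoo's or the forum's own tooling): turn the
"recommended blocklist" entries quoted above into a matcher and run it over
proxy log lines. The entries are the ones the posts list (de-fanging spaces
removed); the log lines and their "ts client method url" layout are
constructed for this example. The /23 is the range the Angler post suggests
blocking wholesale.
"""
import ipaddress
from urllib.parse import urlsplit

BLOCKLIST = [
    "193.109.69.59", "193.109.68.0/23",
    "holidayspeedsix.biz", "holidayspeedfive.biz", "holidayspeedseven.biz",
    "202.153.35.133", "moorfuse.com", "mitsuba-kenya.com", "negociomega.com",
]


class Blocklist:
    def __init__(self, entries):
        self.nets = []      # [(ip_network, original entry)]
        self.domains = {}   # {domain: original entry}
        for raw in entries:
            entry = raw.strip().lower().replace(" ", "")  # undo "example .com" de-fanging
            try:
                self.nets.append((ipaddress.ip_network(entry, strict=False), entry))
            except ValueError:
                self.domains[entry.rstrip(".")] = entry

    def match_host(self, host):
        """Return the matching entry, or None. IPs are tested against every
        network; names are matched on whole labels so that
        qwe.holidayspeedsix.biz hits but notholidayspeedsix.biz does not."""
        host = host.lower().rstrip(".")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            labels = host.split(".")
            for i in range(len(labels)):
                hit = self.domains.get(".".join(labels[i:]))
                if hit:
                    return hit
            return None
        for net, entry in self.nets:
            if ip in net:
                return entry
        return None

    def match_url(self, url):
        host = urlsplit(url).hostname
        return self.match_host(host) if host else None


BL = Blocklist(BLOCKLIST)

# Constructed proxy log: epoch, client, method, URL.
PROXY_LOG = """\
1419270001 10.1.1.20 GET http://qwe.holidayspeedsix.biz/landing/index.php
1419270002 10.1.1.20 GET http://193.109.69.59/some/path
1419270003 10.1.1.21 GET http://193.109.68.200/shop/
1419270004 10.1.1.22 GET http://202.153.35.133:42463/2212us12//0/51-SP3/0/
1419270005 10.1.1.23 GET http://moorfuse.com/images/unk12.pne
1419270006 10.1.1.24 GET https://www.example.com/
1419270007 10.1.1.25 GET http://notholidayspeedsix.biz/
"""


def flagged(log_text, bl=BL):
    """(client, url, matched entry) for each line whose host is blocklisted."""
    out = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        hit = bl.match_url(url)
        if hit:
            out.append((client, url, hit))
    return out


if __name__ == "__main__":
    for client, url, hit in flagged(PROXY_LOG):
        print(f"{client} -> {url}  [{hit}]")
```

A single IP entry is stored as a /32 network, so one code path serves both the individual hosts and the /23; the returned value is the entry as written, which is what you want to cite in a ticket. The label-wise suffix walk is what prevents the substring false positive a naive `endswith` would produce.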
