
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #631
    AplusWebMaster (Adviser Team) | Join Date: Oct 2005 | Location: USA | Posts: 6,881

    Fake 'Facebook Account' SPAM, 'Apple ID' Phish ...

    FYI...

    Fake 'Facebook Account' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/facebo...e-pdf-malware/
    2 Feb 2015 - "'Facebook Account Suspended' pretending to come from Facebook <noreply@ mail .fb .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and follow the link and run the downloaded file... Google seems to be -ignoring- the report to take down this url so far today or are far too busy complaining about Microsoft and other program makers not issuing patches inside the 90 day time period that Google insist on, to do something really useful in actually protecting users from malware like this one... The email looks like:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...-suspended.png

    2 February 2015 : TermsPolicies.pdf.exe - Current Virus total detections: 11/57*
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/9...is/1422881129/
    ___

    Fake 'Your Apple ID' - Phish ...
    - http://myonlinesecurity.co.uk/apple-...kups-phishing/
    2 Feb 2015 - "'Your Apple ID,was used to restore a device from one of your iCloud backups' pretending to come from Apple iTunes <orders@ tunes .co .uk> is one of the latest phish attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... The original email looks like this. It will NEVER be a genuine email from Apple or any other company so don’t ever click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine Apple website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you to fill in the html (webpage) form that comes attached to the email. This one has a short url link ( https ://tr .im/JxUNR) in the email which -redirects- you... When you fill in your user name and password you get a page looking very similar to this one ( split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
    (Screenshots available at the myonlinesecurity URL at the top of this post.)
    ___

    Facebook porn video trojan affects 110K users in 2 days
    - http://www.theinquirer.net/inquirer/...rs-in-two-days
    Feb 02 2015 - "A TROJAN that has spread itself by posting links to a pornographic video has affected over 110,000 Facebook users in just 48 hours. The malware spreads from the account of previously infected users of the social network, tagging around 20 of their friends. If someone opens the link contained in the post, they will get a preview of a porn video which eventually stops and asks for a fake Flash player to be downloaded which contains the malware. The malware was uncovered by a security researcher called Mohammad Reza Faghan, who posted information about it on security mailing list archive Seclists.org*... the Trojan is different from previous examples seen on Facebook, which sent messages on behalf of the victim to a number of the victim's friends. Upon infection of those friends, the malware could go one step further and infect the friends of the initial friends. In the new technique, however, the malware has more visibility to the potential victims as it tags the friends of the victim in the malicious post. The malware is thought to be able to hijack keyboard and mouse movements if executed successfully once landing on a victim's machine."
    * http://seclists.org/fulldisclosure/2015/Jan/131
    ___

    Fake Chrome update Spam drops CTB Locker/Critroni Ransomware
    - https://blog.malwarebytes.org/social...ni-ransomware/
    Feb 2, 2015 - "Beware of emails appearing to come from Google warning you that “Your version of Google Chrome is potentially vulnerable and out of date”. In this latest spam wave, cyber crooks are tricking users into downloading the well-known browser, except that it’s a dangerous Trojan that will encrypt your personal files and demand a hefty ransom to decrypt them back:
    > https://blog.malwarebytes.org/wp-con...15/02/spam.png
    The payload is not attached to the email but instead gets downloaded from various websites that appear to have been compromised... Running “ChromeSetup.exe” will not install Google Chrome. Instead the Windows wallpaper will change to this:
    > https://blog.malwarebytes.org/wp-con...encrypted1.png
    This is not just a fake warning. The files on the systems are -indeed- encrypted:
    > https://blog.malwarebytes.org/wp-con...encrypted4.png
    The bad guys demand a ransom that can be paid using Bitcoins:
    > https://blog.malwarebytes.org/wp-con...encrypted8.png
    ... The problem with ransomware is that while the active Trojans can be removed, it is much more difficult and sometimes impossible to recover the encrypted files. The folks at BleepingComputer* have some tips on how to restore your encrypted files. However, as is often the case, prevention is critical to avoid a nasty ransomware infection..."
    * http://www.bleepingcomputer.com/viru...rmation#shadow

    - http://net-security.org/malware_news.php?id=2952
    03.02.2015
    > http://www.net-security.org/images/a...l-03022015.jpg

    Last edited by AplusWebMaster; 2015-02-03 at 15:02.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #632

    Fake 'CIT' SPAM, 'Barclays Debit Card' – Phish ...

    FYI...

    Fake 'CIT' SPAM – doc malware
    - http://myonlinesecurity.co.uk/cit-in...d-doc-malware/
    3 Feb 2015 - "'CIT Inv# 15000375 for PO# SP14161' pretending to come from Circor <_CIG-EDI@ CIRCOR .COM> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...PO-SP14161.png

    3 February 2015: FOPRT01.DOC - Current Virus total detections: 1/57*
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1422951071/

    - http://blog.dynamoo.com/2015/02/malw...circorcom.html
    3 Feb 2015
    "... Recommended blocklist:
    143.107.17.183
    92.63.88.108
    "
    ___

    Fake 'Barclays Your Debit Card' – Phish ...
    - http://myonlinesecurity.co.uk/barcla...tion-phishing/
    3 Feb 2015 - "'Your Debit Card Notification' pretending to come from Barclays Bank Plc is one of the latest phish attempts to steal your Barclays Bank, debit card and personal details. This one only wants your Barclays log in details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well... The website at gardendecore .pl has cleaned up the phishing pages and hopefully plugged the security holes or vulnerabilities that let the bad guys get in in the first place. If you follow the link you see a webpage looking like the genuine Barclays log in page:

    Screenshot: http://myonlinesecurity.co.uk/wp-con..._-feb_2015.png

    When you fill in the required details there, the phishers then send you on to the next page where they ask you to fill in your name, details and passcodes. The phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
    ___

    Fake 'Garrett' SPAM - malware
    - http://myonlinesecurity.co.uk/pulsar...89933-malware/
    3 Feb 2015 - "'Garrett Courtright Copy from +07441489933' pretending to come from Garrett Courtright <ophidian@ nagsgolf .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Fax: +07441489933
    Date: 2015/01/18 16:43:04 CST
    Pages: 1
    Reference number: Y67969682C281D
    Filename: pulsar_instruments_plc57.zip
    Pulsar Instruments Plc
    Garrett Courtright


    3 February 2015 : pulsar_instruments_plc57.zip: Extracts to: pulsar_instruments_plc57.scr
    Current Virus total detections: 7/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1422985036/
    ... Behavioural information
    TCP connections
    213.186.33.2: https://www.virustotal.com/en/ip-add...2/information/
    5.178.43.10: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Halifax' SPAM – Phish ...
    - http://myonlinesecurity.co.uk/update...ifax-phishing/
    3 Feb 2015 - "'Update your account details' pretending to come from Halifax Online Banking <securitynews@halifax.co.uk> is one of the latest phish attempts to steal your Bank, credit card and personal details. An alternative email says 'We’re improving your Halifax account' also pretending to come from Halifax Online Banking <securitynews@ halifax .co .uk>. This one wants all your personal details including email address and password and your credit card and bank details. Many of them are also designed to specifically steal your facebook and other social network log in details as well... don’t -ever- open or fill in the html (webpage) form that comes attached to the email... If you do it will lead you to a website that looks at first glance like the genuine bank website but you can clearly see in the address bar, that it is -fake-. Some versions of this phish will ask you to follow a link in the body of the email to a phishing site. Both of today’s emails have different phish sites in the attached html files but otherwise the attachments are identical.

    Screenshot: http://myonlinesecurity.co.uk/wp-con...sh_email_2.png
    -or-
    Screenshot: http://myonlinesecurity.co.uk/wp-con...sh_email_1.png

    If you open the attached html file you see a webpage looking like this (split in 2 to get it all):
    > http://myonlinesecurity.co.uk/wp-con...1-1024x587.png

    > http://myonlinesecurity.co.uk/wp-con...1-1024x620.png

    ... these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

    Last edited by AplusWebMaster; 2015-02-03 at 23:10.
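The spoofed-icon trick in the two posts above (TermsPolicies.pdf.exe, and a .zip that extracts to pulsar_instruments_plc57.scr) can be caught at the mail gateway by screening attachment names before a user ever sees the icon. The following is an added example written for this thread, not code from myonlinesecurity.co.uk or from the poster; the attachment names are taken from the posts, the file contents are constructed placeholders, and FOPRT01.DOC is included to show that a macro document is not caught by a name check alone.

```python
"""Screen e-mail attachments for the spoofed-extension trick discussed above.

Added example for this thread (not code from the posts or the sites they quote).
Two patterns are checked by file name: a double extension such as
TermsPolicies.pdf.exe, and an archive whose members are executables, such as
pulsar_instruments_plc57.zip extracting to pulsar_instruments_plc57.scr.
"""
import io
import zipfile
from typing import Dict, List, Optional

# Extensions Windows will run when double-clicked (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
# Extensions an attacker pairs with a matching icon to make the file look harmless.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_name(name: str) -> Optional[str]:
    """Return a finding for a suspicious file name, or None if the name looks benign.

    Only the name is inspected; a production filter would also check the
    content (magic bytes), since the name of a macro document gives nothing away.
    Comparison is case-insensitive because Windows ignores case in extensions.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    last = "." + parts[-1]
    if last not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
        return f"double extension: {name} looks like {'.' + parts[-2]} but runs as {last}"
    return f"executable attachment: {name}"


def screen_attachment(name: str, data: bytes) -> List[str]:
    """Screen one attachment; zip archives are opened and each member is screened too."""
    findings: List[str] = []
    top = classify_name(name)
    if top:
        findings.append(top)
    # is_zipfile looks at the content, so a renamed archive is still inspected.
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                inner = classify_name(member)
                if inner:
                    findings.append(f"inside {name}: {inner}")
    return findings


def screen_all(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map every attachment name to its findings (empty list when nothing was flagged)."""
    return {name: screen_attachment(name, data) for name, data in attachments.items()}


def _make_zip(member: str) -> bytes:
    """Build an in-memory zip with one constructed, harmless member for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member, b"constructed placeholder, not a real executable")
    return buf.getvalue()


# Constructed sample: names from the posts above, contents are placeholders.
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "TermsPolicies.pdf.exe": b"MZ placeholder",
    "pulsar_instruments_plc57.zip": _make_zip("pulsar_instruments_plc57.scr"),
    "FOPRT01.DOC": b"placeholder: a macro document is not caught by a name check",
    "invoice.pdf": b"%PDF-1.4 placeholder",
}

if __name__ == "__main__":
    for name, findings in screen_all(SAMPLE_ATTACHMENTS).items():
        print(name, "->", findings or "no finding by name")
```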

  3. #633

    Fake 'USPS Delivery' SPAM, -iOS- Spyware App, Apps on Google Play - Adware! ...

    FYI...

    Fake 'USPS Delivery' SPAM – doc malware
    - http://myonlinesecurity.co.uk/usps-d...d-doc-malware/
    4 Feb 2015 - "'USPS Delivery Notification' pretending to come from USPS <no-reply@ usps .gov> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...n-1024x614.png

    4 February 2015: label_54633541.doc - Current Virus total detections: 2/55*
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email..."
    * https://www.virustotal.com/en/file/5...is/1423064590/
    ___

    Pawn Storm Update: -iOS- Espionage App Found
    - http://blog.trendmicro.com/trendlabs...age-app-found/
    Feb 4, 2015 - "... spyware specifically designed for espionage on -iOS- devices. While spyware targeting -Apple- users is highly notable by itself, this particular spyware is also involved in a targeted attack... Operation Pawn Storm is an active economic and political cyber-espionage operation that targets a wide range of entities, like the military, governments, defense industries, and the media. The actors of Pawn Storm tend to first move a lot of pawns in the hopes they come close to their actual, high profile targets. When they finally successfully infect a high profile target, they might decide to move their next pawn forward: advanced espionage malware... The iOS malware we found is among those advanced malware. We believe the iOS malware gets installed on already compromised systems, and it is very similar to next stage SEDNIT malware we have found for Microsoft Windows’ systems... The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server. As of this publishing, the C&C server contacted by the iOS malware is -live- ...
    C&C Communication: Besides collecting information from the iOS device, the app sends the information out via HTTP. It uses POST requests to send messages, and GET requests to receive commands... The exact methods of installing this malware are unknown. However, we do know that the iOS device doesn’t have to be jailbroken per se. We have seen one instance wherein a lure involving XAgent simply says “Tap Here to Install the Application.” The app uses Apple’s ad hoc provisioning, which is a standard distribution method of Apple for iOS App developers. Through ad hoc provisioning, the malware can be installed simply by clicking-on-a-link, such as in the picture below:
    > http://blog.trendmicro.com/trendlabs.../pwnstrm10.png
    There may be other methods of infection that are used to install this particular malware. One possible scenario is infecting an iPhone* after connecting it to a compromised -or- infected Windows laptop via a USB cable...
    * http://blog.trendmicro.com/trendlabs...d-in-ios-apps/
    The hashes of the related files are:
    05298a48e4ca6d9778b32259c8ae74527be33815
    176e92e7cfc0e57be83e901c36ba17b255ba0b1b
    30e4decd68808cb607c2aba4aa69fb5fdb598c64 ..."

    - http://arstechnica.com/security/2015...s-ios-devices/
    Feb 4 2015
    ___

    Apps on Google Play Pose As Games - Infect Millions with Adware
    - https://blog.avast.com/2015/02/03/ap...s-with-adware/
    Feb 3, 2015 - "A couple of days ago, a user posted a comment on our forum* regarding apps harboring adware that can be found on Google Play. This didn’t seem like anything spectacular at the beginning, but once I took a closer look it turned out that this malware was a bit bigger than I initially thought. First of all, the apps are on Google Play, meaning that they have a huge target audience – in English speaking and other language regions as well. Second, the apps were already downloaded by millions of users and third, I was surprised that the adware lead to some legitimate companies:
    > https://blog.avast.com/wp-content/up...ak-game-GP.png
    The Durak card game app was the most widespread of the malicious apps with 5–10 million installations according to Google Play:
    > https://blog.avast.com/wp-content/up...es-300x168.png
    When you install Durak, it seems to be a completely normal and well working gaming app. This was the same for the other apps, which included an IQ test and a history app. This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device. Some of the apps wait up to 30 days until they show their true colors. After 30 days, I guess not many people would know which app is causing abnormal behavior on their phone, right? Each time you unlock your device an ad is presented to you, warning you about a problem, e.g. that your device is infected, out of date or full of porn. This, of course, is a complete lie. You are then asked to take action, however, if you approve you get re-directed to harmful threats on fake pages, like dubious app stores and apps that attempt to send premium SMS behind your back or to apps that simply collect too much of your data for comfort while offering you no additional value.
    > https://blog.avast.com/wp-content/up...ps-300x261.jpg
    An even bigger surprise was that users were sometimes directed to security apps on Google Play. These security apps are, of course, harmless, but would security providers really want to promote their apps via adware? Even if you install the security apps, the undesirable ads popping up on your phone don’t stop. This kind of threat can be considered good social engineering. Most people won’t be able to find the source of the problem and will face fake ads each time they unlock their device. I believe that most people will trust that there is a problem that can be solved with one of the apps advertised “solutions” and will follow the recommended steps, which may lead to an investment into unwanted apps from -untrusted- sources... the apps’ descriptions should make users -skeptical- about the legitimacy of the apps. Both in English and in other languages such as German, they were written poorly: “A card game called ‘Durak’ – one of the most common and well known game”. The apps’ secure hash algorithm (SHA256) is the following:
    BDFBF9DE49E71331FFDFD04839B2B0810802F8C8BB9BE93B5A7E370958762836 9502DFC2D14C962CF1A1A9CDF01BD56416E60DAFC088BC54C177096D033410ED FCF88C8268A7AC97BF10C323EB2828E2025FEEA13CDC6554770E7591CDED462D "

    * https://forum.avast.com/?topic=165003.0
    ___

    Data Integrity: The Core of Security
    - http://www.securityweek.com/data-int...-core-security
    Feb 4, 2015 - "... Companies spend huge sums of money every year to maintain a security perimeter designed to fend off cyber and insider threats. According to Gartner*, worldwide spending on information security will reach $71.1 billion in 2014, an increase of 7.9 percent over 2013. Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Other Gartner figures show that in 2013, average budget allocations for information security were 5.1% of the overall IT budget, up 8.5% from 2012. However, the majority of investments are aimed at bolstering traditional perimeter security defenses, which is a losing battle... if we can prevent data from leaving the organization or being modified, protecting against network breaches becomes less critical. Unfortunately, data is often left unsecured... When it comes to information security, 100 percent protection is unattainable. However, by supplementing traditional perimeter defense mechanisms with data integrity principles, organizations can significantly reduce their exposure to Sony scale data breaches."
    * http://www.gartner.com/newsroom/id/2828722
    ___

    YouTube dumps Flash for HTML5
    - http://www.infoworld.com/article/287...for-html5.html
    Jan 30, 2015 - "In a blow to proprietary rich Internet plug-ins, YouTube, which had been a stalwart supporter of Adobe’s Flash plug-in technology, revealed this week that it now -defaults- to the HTML5 <video> tag. The move shows HTML5's continued march toward Web dominance... Late Apple founder Steve Jobs probably did the most to further the decline by refusing to support Flash on the company’s wildly popular iOS handheld devices. In fact, Flash shows a downward trajectory on W3Techs' report* on the number of websites using Adobe’s multimedia platform. It has -dropped- to 11.9 percent this month versus more than 15 percent a year ago. The numbers are far worse for Microsoft’s late-arriving Flash rival, Silverlight..."
    * http://w3techs.com/technologies/deta...-flash/all/all

    Last edited by AplusWebMaster; 2015-02-05 at 00:23.

  4. #634

    Fake HSBC, Fake FedEx SPAM, Barclays – Phish ...

    FYI...

    Fake HSBC SPAM - PDF malware
    - http://myonlinesecurity.co.uk/hsbc-p...e-pdf-malware/
    5 Feb 2015 - "'HSBC Payment Advice' pretending to come from HSBC <no-replay@ hsbci .co .uk> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Sir/Madam
    Upon your request, attached please find payment e-Advice for your
    reference.
    Yours faithfully
    HSBC
    We maintain strict security standards and procedures to prevent
    unauthorised access to information about you. HSBC will never contact
    you by e-mail or otherwise to ask you to validate personal information
    such as your user ID, password, or account numbers. If you receive such
    a request, please call our Direct Financial Services hotline.
    Please do not reply to this e-mail. Should you wish to contact us,
    please send your e-mail to commercialbanking@ hsbc .co .uk and we will
    respond to you.
    Note: it is important that you do not provide your account or credit
    card numbers, or convey any confidential information or banking
    instructions, in your reply mail.
    Copyright. The Hongkong and Shanghai Banking Corporation Limited 2005.
    All rights reserved...


    5 February 2015: HSBC-69695.zip: Extracts to: CashPro.exe
    Current Virus total detections: 4/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1423139205/
    ... Behavioural information
    TCP connections
    216.146.43.70: https://www.virustotal.com/en/ip-add...0/information/
    93.157.100.56: https://www.virustotal.com/en/ip-add...6/information/
    178.47.141.100: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake FedEx SPAM - malicious script
    - http://blog.dynamoo.com/2015/02/malw...iver-your.html
    5 Feb 2015 - "This -fake- FedEx spam has a malicious script attached.
    From: FedEx 2Day A.M.
    Date: 5 February 2015 at 15:01
    Subject: PETRO, Unable to deliver your item, #0000220741
    Dear Petro,
    We could not deliver your item.
    You can review complete details of your order in the find attached.
    Yours sincerely,
    Marion Bacon,
    Delivery Manager.
    (C) 2014 FedEx. The content of this message is protected by copyright and trademark laws.


    Attached is a file FedEx_0000220741.zip which contains a malicious javascript which is highly obfuscated... but it is a bit clearer when deobfuscated... This script has a moderate detection rate of 9/56*, and downloads a file from:
    http ://freesmsmantra .com/document.php?id=5451565E140110160B0824140110160B08000D160107104A070B09&rnd=3252631
    Which is saved as %TEMP%\11827407.exe. This has a low detection rate of 3/56**. Automated analysis tools... don't give much of a clue as it has been hardened against analysis."
    * https://www.virustotal.com/en/file/7...is/1423149508/

    ** https://www.virustotal.com/en/file/c...is/1423148815/

    50.31.134.98: https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake Barclays SPAM – Phish ...
    - http://myonlinesecurity.co.uk/new-ba...tice-phishing/
    5 Feb 2015 - "'New Barclays Service Important Notice' pretending to come from Barclays Service [mailto:secure@ barclaysalertid .com] is one of the latest phish attempts to steal your Barclays Bank details. We have been seeing a quite large increase in Barclays phishing emails over the last week or so. Today’s version is particularly well done with a domain that will fool a lot of people...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ng-email_1.png

    If you follow-the-link, you see a webpage looking like:
    > http://myonlinesecurity.co.uk/wp-con...ays_phish1.png
    You then get:
    > http://myonlinesecurity.co.uk/wp-con...hish_check.png
    Then you get this page which tries to convince you that various African IP addresses have accessed your account and scare you into going further:
    > http://myonlinesecurity.co.uk/wp-con...ays_phish2.png
    You then get the processing/checking screen again before being sent on to:
    > http://myonlinesecurity.co.uk/wp-con...3-1024x646.png
    Where they ask you to fill in your name, details and passcodes. The phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and format. And then once again to the processing/checking screen before you are sent on to the final page where they say they will send you a new pinsentry device by post:
    > http://myonlinesecurity.co.uk/wp-con...4-1024x603.png
    All of these emails use Social engineering tricks to persuade you to open-the-attachments that come with the email..."

    Last edited by AplusWebMaster; 2015-02-05 at 22:16.

  5. #635

    Something evil on 5.196.143.0/28, 5.196.141.24/29, Fake 'CashPro Online' SPAM ...

    FYI...

    Something evil on 5.196.143.0/28 and 5.196.141.24/29 ...
    - http://blog.dynamoo.com/2015/02/some...43028-and.html
    6 Feb 2015 - "... interesting blog post from Cyphort* got me digging into that part of the infection chain using nonsense .eu domains. It uncovered a whole series of IPs and domains that have been used to spread Cryptowall (possibly other malware too), hosted in the 5.196.143.0/28 and 5.196.141.24/29 ranges (and possibly more). These are OVH IP ranges, suballocated to a customer called Verelox .com. I think that Verelox is a legitimate but very small web host that has suffered a major compromise of their servers. The first range is 5.196.141.24/29 which has apparently compromised servers at:
    5.196.141.24, 5.196.141.25, 5.196.141.26, 5.196.141.27
    ... The second range is 5.196.143.0/28 with apparently -compromised- servers at:
    5.196.143.3, 5.196.143.4, 5.196.143.5, 5.196.143.6, 5.196.143.7, 5.196.143.8, 5.196.143.10, 5.196.143.11,
    5.196.143.12, 5.196.143.13
    In addition to this, some of these domains use nameservers on the following IP addresses:
    168.235.70.106
    168.235.69.219
    These are allocated to Ramnode LLC in the US. I would suggest that they are under the control of the bad guys and are worth -blocking- traffic to.
    Note that Cyphort identify these C&C servers for the malware:
    asthalproperties .com:4444
    pratikconsultancy .com:8080
    The following IPs and domain names all seem to be connected and I would recommend -blocking- at least the IP addresses and domains... other domains look like they are probably throwaway ones:
    5.196.143.0/28
    5.196.141.24/29
    168.235.69.219
    168.235.70.106
    asthalproperties .com
    pratikconsultancy .com
    ..."
    (More detail at the dynamoo URL at the top of this post.)

    * http://www.cyphort.com/gopego-malvertising-cryptowall/
    ___

    Fake 'CashPro Online' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/cashpr...e-pdf-malware/
    6 Feb 2015 - "'Your CashPro Online Digital Certificate' pretending to come from CashPro Online <no-replay@ cashpro .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Dear CashPro Customer,
    This email is being sent to inform you that you have been granted a new
    digital certificate for use with Bank of America CashPro Online.
    Please open the attachment and you will be guided through a simple
    process to install your new digital certificate.
    If you have any questions or concerns, please contact the Bank of
    America technical help desk.
    Thank you for your business,
    Bank of America
    CashPro Online Security Team
    Please do not reply to this email .
    Copyright 2015 Bank of America Merrill Lynch. All rights reserved.
    CashPro is a registered trademark of Bank of America Corporation.


    6 February 2015: docs-20276.zip: Extracts to: docs.exe
    Current Virus total detections: 3/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1423239330/
    ... Behavioural information
    TCP connections
    91.198.22.70: https://www.virustotal.com/en/ip-add...0/information/
    178.47.141.100: https://www.virustotal.com/en/ip-add...0/information/
    192.185.35.92: https://www.virustotal.com/en/ip-add...2/information/
    71.18.62.202: https://www.virustotal.com/en/ip-add...2/information/
    UDP communications
    77.72.174.163: https://www.virustotal.com/en/ip-add...3/information/

    - http://threattrack.tumblr.com/post/1...a-cashpro-spam
    Feb 6, 2014
    docs.exe (1D38C362198AD67329FDF58B4743165E)
    Tagged: bank of america, cashpro, Upatre

    Last edited by AplusWebMaster; 2015-02-08 at 00:53.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #636
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Lloyds new message', 'Lloyds new debit' SPAM – malware

    FYI...

    Fake 'Lloyds new message' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/lloyds...e-pdf-malware/
    9 Feb 2015 - "'You have a new message' pretending to come from Lloyds Commercial Banking <GrpLloydslinkHelpdesk@ lloydsbanking .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Lloyds Commercial Logo
    We want you to recognise a fraudulent email if you receive one. Lloyds Bank will always greet you personally using your title and surname and, where you hold an existing account with us, the last four digits of your account number: XXXX1328.
    Dear Lloyds Link Customer,
    You have a new message
    There’s a new message for you, messages contain information about your account, so it’s important to view them.
    If you’ve chosen to use a shared email address, please note that anyone who has access to your email account will be able to view your messages.
    Please check attached message for more details.
    Subject
    Date
    Account details
    Account number
    Important information about your account
    09 Feb 2015
    Lloyds Commercial
    XXXX1328
    Please note: this message is important and needs your immediate attention. Please check attached file straightaway to view it.
    Yours sincerely
    Signature image of Nicholas Williams - Consumer Digital Director
    Nicholas Williams,
    Consumer Digital Director
    Please do not reply to this email as this address is not manned and cannot receive any replies.
    Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales, number 2065. Telephone: 020 7626 1500.
    Lloyds Bank plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under registration number 119278.


    9 February 2015: ImportantMessage.zip: Extracts to: ImportantMessage.scr
    Current Virus total detections: 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1423485253/
    ... Behavioural information
    TCP connections
    216.146.43.70: https://www.virustotal.com/en/ip-add...0/information/
    94.41.208.125: https://www.virustotal.com/en/ip-add...5/information/
    198.23.48.157: https://www.virustotal.com/en/ip-add...7/information/
    UDP communications
    77.72.174.165: https://www.virustotal.com/en/ip-add...5/information/
    77.72.174.164: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake 'Lloyds new debit' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/lloyds...e-pdf-malware/
    9 Feb 2014 - "'You have received a new debit' pretending to come from Payments Admin <paymentsadmin@ lloydstsb .co .uk> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Monday 09 February 2014
    This is an automatically generated email by the Lloyds TSB PLC
    LloydsLink online payments Service to inform you that you have receive a
    NEW Payment.
    The details of the payment are attached.
    This e-mail (including any attachments) is private and confidential and
    may contain privileged material. If you have received this e-mail in
    error, please notify the sender and delete it (including any
    attachments) immediately. You must not copy, distribute, disclose or use
    any of the information in it or any attachments.


    9 February 2015 : details#00390702.zip: Extracts to: details.exe
    Current Virus total detections: 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...is/1423485121/
    ... Behavioural information
    TCP connections
    216.146.43.70: https://www.virustotal.com/en/ip-add...0/information/
    94.41.208.125: https://www.virustotal.com/en/ip-add...5/information/
    91.103.216.71: https://www.virustotal.com/en/ip-add...1/information/
    UDP communications
    77.72.174.167: https://www.virustotal.com/en/ip-add...7/information/
    77.72.174.166: https://www.virustotal.com/en/ip-add...6/information/

    Last edited by AplusWebMaster; 2015-02-09 at 18:13.

  7. #637
    Adviser Team AplusWebMaster's Avatar

    Fake 'Amazon Order', 'Purchase Order' SPAM ...

    FYI...

    Fake 'Amazon Order' SPAM – malware
    - http://myonlinesecurity.co.uk/amazon...tails-malware/
    10 Feb 2015 - "'Amazon Order Details' pretending to come from Amazon.com > <delivers@ amazon .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This one is a lazy attempt to spread the malware using an old email from last year saying Order R:121216 Placed on June 28, 2014...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...s-1024x422.png

    Today's Date: order_report.zip: Extracts to: order_report_238974983274928374892374982.exe
    Current Virus total detections: 2/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1423571463/
    ___

    Fake 'Purchase Order' SPAM - malware
    - http://blog.dynamoo.com/2015/02/malw...de-groups.html
    10 Feb 2015 - "This spam comes with a malicious attachment:
    From: Megtrade groups [venkianch@ gmail .com]
    Reply-To: venkanch@ gmail .com
    Date: 10 February 2015 at 15:47
    Subject: RE: Purchase Order Copy
    Hello Vendor,
    I just got back from business trip, Please find attached our purchasing order let us know price so as to confirm sample with your company.
    You give us your payment terms but note our company payment policy 30% prepayment after confirming proforma invoice from you and the balance against copy of B/L.
    Kindly treat as urgent and send invoice, I await to have your urgent reply to proceed.
    Thanks & Best regards,
    Mr Venkianch
    Managing Director
    NZ Megtrade Groups Ltd ... Download Attachment As zip


    Unusually, this email does -not- appear to be sent out by a botnet but has been sent through -Gmail-. The link in the email goes to www .ebayonline .com .ng/download/ohafi/jfred/Purchase%20Order%20Copy_pdf.7z where it downloads a file Purchase Order Copy_pdf.7z which (if you have 7-Zip installed) uncompresses to the trickily-named:
    (1) Purchase Order Copy.pdf ___________________
    (2) Delivery Time and Packing.pdf _______________________ _____ Adobe Reader.pdf
    ... or in .exe
    As you might expect, this is malicious in nature and has a VirusTotal detection rate of 34/57*. The Malwr analysis** indicates that this installs a -keylogger- among other things."
    * https://www.virustotal.com/en/file/0...is/1423585487/

    ** https://malwr.com/analysis/NmFjMWRhZ...dkMDRmYTM2NzI/

    Last edited by AplusWebMaster; 2015-02-10 at 21:34.

  8. #638
    Adviser Team AplusWebMaster's Avatar

    Fake 'e-invoice', 'Outstanding Invoice' SPAM

    FYI...

    Fake 'e-invoice' SPAM
    - http://blog.dynamoo.com/2015/02/malw...oice-from.html
    11 Feb 2015 - "This -fake- invoice spam has a malicious attachment:
    From: Lydia Oneal
    Date: 11 February 2015 at 09:14
    Subject: Your latest e-invoice from HSBC HLDGS
    Dear Valued Customer,
    Please find attached your latest invoice that has been posted to your online account. You’ll be pleased to know that your normal payment terms still apply as detailed on your invoice.
    Rest assured, we operate a secure system, so we can confirm that the invoice DOC originates from HSBC HLDGS and is authenticated with a digital signature.
    Thank you for using e-invoicing with HSBC HLDGS - the smarter, faster, greener way of processing invoices.
    This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.
    If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.
    If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.


    The company name and the name of the sender varies, but most of the body text remains identical. Some sample subjects are:
    Your latest e-invoice from HSBC HLDGS
    Your latest e-invoice from MAVEN INCOME & GROWTH VCT 3 PLC
    Your latest e-invoice from DDD GROUP PLC
    Your latest e-invoice from BAILLIE GIFFORD SHIN NIPPON
    Your latest e-invoice from ACAL
    Your latest e-invoice from PARAGON DIAMONDS LTD
    Your latest e-invoice from TULLETT PREBON PLC
    Your latest e-invoice from MERSEY DOCKS & HARBOUR CO
    Your latest e-invoice from HOLDERS TECHNOLOGY
    Your latest e-invoice from LED INTL HLDGS LTD
    Your latest e-invoice from HALOS
    Your latest e-invoice from ACORN INCOME FUND
    The word document is randomly-named, for example 256IFV.doc, 19093WZ.doc and 097DVN.doc. There are three different versions of this malicious document, all with low detection rates [1] [2] [3] containing a slightly different macro in each case... The malware probably drops a Dridex DLL, although I have not been able to obtain this.
    Recommended blocklist:
    85.143.166.72
    92.63.88.97
    205.185.119.159
    78.129.153.18
    5.14.26.146
    136.243.237.222
    185.48.56.62
    95.163.121.216
    "
    1] https://www.virustotal.com/en/file/0...is/1423650591/

    2] https://www.virustotal.com/en/file/6...is/1423650604/

    3] https://www.virustotal.com/en/file/f...is/1423650615/


    - http://myonlinesecurity.co.uk/latest...d-doc-malware/
    11 Feb 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...MINING-PLC.png
    ___

    Fake 'Outstanding Invoice' SPAM - malware
    - http://blog.dynamoo.com/2015/02/malw...il-walker.html
    11 Feb 2015 - "This fake invoice does -NOT- come from MBL Seminars, they are -not- sending this spam nor have their systems been compromised. Instead, this is a -forgery- with a malicious attachment.
    From: Gail Walker [gail@ mblseminars .com]
    Date: 11 February 2015 at 09:52
    Subject: Outstanding Invoice 271741
    Dear Customer
    Payment for your Season Ticket was due by 31 January 2015 and has not yet been received. A copy of the invoice is attached.
    By way of a reminder, the Season Ticket entitles all members of your organisation to save up to 50% on our public seminars and webinars. Since being a Season Ticket Holder your organisation has saved £728.50.
    Please arrange for payment by return by BACS, cheque, or credit card. If payment has been arranged and just not reached us yet then please ignore this email.
    If you have any queries, please do not hesitate to contact us.
    Regards
    Gail Walker
    MBL (Seminars) Limited ...


    So far I have seen two different malicious Word documents (there may be more) with low detection rates [1] [2] containing a different macro each... This file is saved as %TEMP%\dsHHH.exe. It has a VirusTotal detection rate of 10/57*... It also drops a DLL with a detection rate of 3/57** which is probably Dridex.
    Recommended blocklist:
    37.139.47.105
    5.39.99.18
    136.243.237.218
    66.110.179.66
    78.140.164.160
    109.234.38.70
    "
    1] https://www.virustotal.com/en/file/3...is/1423653571/

    2] https://www.virustotal.com/en/file/8...is/1423653583/

    * https://www.virustotal.com/en/file/9...is/1423653592/

    ** https://www.virustotal.com/en/file/1...is/1423654973/


    - http://myonlinesecurity.co.uk/gail-w...d-doc-malware/
    11 Feb 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...ice-271741.png

    Last edited by AplusWebMaster; 2015-02-11 at 15:54.

  9. #639
    Adviser Team AplusWebMaster's Avatar

    Fake BBB SPAM, Fake 'INVOICE' SPAM - malware, Ransomware phish ...

    FYI...

    Fake BBB SPAM - malware
    - http://blog.dynamoo.com/2015/02/malw...-services.html
    12 Feb 2012 - "This -fake- BBB email has a malicious attachment.
    From: BBB Accreditation Services [no-replay@ newyork .bbb .org]
    Date: Thu, 12 Feb 2015 10:50:01 +0000
    Subject: BBB SBQ Form
    Thank you for supporting your Better Business Bureau (BBB).
    As a service to BBB Accredited Businesses, we try to ensure that the information we provide to potential customers is as accurate as possible. In order for us to provide the correct information to the public, we ask that you review the information that we have on file for your company.
    We encourage you to print this SBQ Form, answer the questions and respond to us. (Adobe PDF)
    Please look carefully at your telephone and fax numbers on this sheet, and let us know any and all numbers used for your business (including 800, 900, rollover, and remote call forwarding). Our automated system is driven by telephone/fax numbers, so having accurate information is critical for consumers to find information about your business easily.
    Thank you again for your support, and we look forward to receiving this updated information.
    Sincerely,
    Accreditation Services


    Attached is a file SQB Form.zip which contains a malicious executable SQB Form.exe. This has a VirusTotal detection rate of 4/57*. Automated analysis tools... show that it attempts to connect to the following legitimate IPs and domains to determine the IP address and current time:
    134.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    time.microsoft.akadns .net
    checkip.dyndns .org
    Of these, checkip.dyndns .org is worth monitoring as it is often an indicator of infection.
    The Anubis report also shows a DNS query to semiyun .com on 95.173.170.227*** (Netinternet, Turkey). Also the Malwr report shows connections to the following URLs:
    http ://92.240.99.70:12112/1202uk11/HOME/0/51-SP:/0/ELHBEDIBEHGBEHK
    http ://92.240.99.70:12112/1202uk11/HOME/41/7/4/
    http ://semiyun .com/mandoc/previewa.pdf
    Of these, 92.240.99.70 (Ukrainian High Technologies Ltd, Ukraine) looks like the C&C server and this should definitely be -blocked-. A file jeoQxZ5.exe is also dropped with a detection rate of 6/57**. This is most likely the Dyre banking trojan..."
    * https://www.virustotal.com/en/file/2...is/1423739716/

    ** https://www.virustotal.com/en/file/1...is/1423741855/

    *** 95.173.170.227: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Fake 'invoice :reminder' SPAM - leads to CVE-2012-0158 exploit
    - http://blog.dynamoo.com/2015/02/invo...-cve-2012.html
    12 Feb 2015 - "This spam has a malicious attachment:
    From: Hajime Daichi
    Date: 12 February 2015 at 15:59
    Subject: invoice :reminder
    Greetings.
    Please find attached invoice copy for a transfer of USD29,900.00 payed to
    your company account yesterday.
    You can save, view and print this SWIFT message at your convenience.
    Please email should you require any additional information on this
    transaction.
    We thank you for your continued patronage.
    Corp. Office / Showroom:
    # 8-2-293/82/A/706/1,
    Road No. 36, Jubilee Hills,
    HYDERABAD - 500 033.
    Tel: +91 40 2355 4474 / 77
    Fax:+91 40 2355 4466
    E-mail: info@ valueline .in
    Branches : VIZAG | VIJAYAWADA | BANGALORE | MUMBA


    Attached is a file INVOICE.doc which is actually not a DOC at all, but an RTF file. A scan of the file at VirusTotal indicates that it is malicious, with a detection rate of 6/57*. Those detections indicate that this is exploiting CVE-2012-0158 aka MS12-027, a security flaw patched almost three years ago. So if you keep your patches up-to-date, there's a good chance you will be OK. But if you are running an ancient version of Microsoft Office (for example Office 2000, 2002 or XP) then you could be in trouble. The Malwr report for this is quite enlightening, showing the malware downloading another document from directxex .net/7783ed117ba0d69e/wisdomjacobs.exe. This has a detection rate of 14/57** and the Malwr report for this indicates that among other things it installs a -keylogger- confirmed by the ThreatExpert report.
    The domain directxex .net [Google Safebrowsing***] has an unsavoury reputation, and although it is currently hiding behind a Cloudflare IP, it actually appears to be hosted on an OVH France IP of 5.135.127.68. I definitely recommend that you -block- traffic to directxex .net."
    * https://www.virustotal.com/en/file/a...is/1423764503/

    ** https://www.virustotal.com/en/file/7...is/1423765263/

    *** https://www.google.com/safebrowsing/...=directxex.net
    "... listed for suspicious activity 122 time(s) over the past 90 days..."

    > https://web.nvd.nist.gov/view/vuln/d...=CVE-2012-0158 - 9.3 (HIGH)
    ___

    Fake 'INVOICE' SPAM - malware
    - http://blog.dynamoo.com/2015/02/malw...west-loop.html
    12 Feb 2015 - "This -fake- invoice comes with a malicious attachment. It does not come from Minuteman Press, their systems have not been compromised in any way. Instead this is a simple email -forgery-.
    From: Minuteman Press West Loop [westloop@ minutemanpress .com]
    Reply-To: westloop@ minutemanpress .com
    Date: 12 February 2015 at 09:00
    Subject: INVOICE 1398 - FEB 4 2015
    (Please see attached file: INVOICE 1398 - FEB 4 2015.DOC)
    Thank you for your business.
    Julio Lopez | Design Manager | Minuteman Press West Loop
    1326 W. Washington Blvd. | Chicago, IL 60607
    p 312.291.8966 | f 312.929.2472 |


    I have seen just a single sample with an attachment INVOICE 1398 - FEB 4 2015.doc, although usually there are two or more variants so you may see slightly different ones. The DOC file has a VirusTotal detection rate of 0/57* and contains this malicious macro which downloads a second component from:
    http ://ecinteriordesign .com/js/bin.exe
    This is then saved as %TEMP%\\IHJfffFF.exe and has a detection rate of 7/57**. Automated analysis tools... show attempted connections to:
    37.139.47.105
    78.140.164.160
    41.56.49.36
    104.232.34.68
    210.181.222.118

    The Malwr report shows that it drops a DLL with an MD5 of 9001023d93beccd6c28ba67cbbc10cec which had a low detection rate at VT when it was checked a couple of hours ago***."
    * https://www.virustotal.com/en/file/0...is/1423734590/

    ** https://www.virustotal.com/en/file/a...is/1423734603/

    *** https://www.virustotal.com/en/file/5...d7c7/analysis/
    ___

    CTB-Locker Ransomware Spoofs Chrome and Facebook Emails as Lures, Linked to Phishing
    - http://blog.trendmicro.com/trendlabs...d-to-phishing/
    Feb 12, 2015 - "... We are seeing another wave of CTB-Locker -ransomware- making their way into the wild. What’s highly notable about this current batch of crypto-ransomware is that they are using “big names” like Facebook and Google Chrome as social engineering lures.
    The New Lures: We observed that the CTB-Locker ransomware arrives through spammed emails pretending to be from Google Chrome and Facebook. The -fake- Google Chrome email pretends to be a notification about updating the recipient’s Chrome browser. Upon clicking-the-link, the user will be directed to a site hosting the malware. The malware uses a Google Chrome -icon- to disguise itself as a legitimate installer package. This is actually a variant detected as TROJ_CRYPCTB.YUX.
    Fake Google Chrome email:
    > http://blog.trendmicro.com/trendlabs...02/CTB-L-1.png
    Another lure used by cybercriminals is Facebook. The email arrives as an account suspension notification. The email instructs the user to click on an embedded link. This link will lead to the download of the malware:
    Fake Facebook email:
    > http://blog.trendmicro.com/trendlabs...02/CTB-L-2.png
    The malware uses a .PDF icon to disguise itself as a legitimate file. This malware is detected as TROJ_CRYPCTB.NSA. Our findings show that -both- variants are hosted in -compromised- sites. And interestingly enough, each variant is hosted on a group of compromised sites that is linked to one IP address. Connections to Phishing: Digging deeper into these compromised sites, we discovered that some of these URLs are associated with phishing spam, specifically those using -PayPal- as their lure.
    Fake PayPal email:
    > http://blog.trendmicro.com/trendlabs...02/CTB-L-3.png
    The spammed email arrives with the subject, “Take Action PayPal.” The email instructs the recipient to log in to their PayPal account to settle an issue by clicking-a-link in the email. Upon clicking, the link redirects to a phishing site. The site asks not only for the user’s login credentials, but other important, sensitive information like contact details and credit card information.
    Fake PayPal site:
    > http://blog.trendmicro.com/trendlabs...02/CTB-L-4.png
    Information requested by the phishing site:
    > http://blog.trendmicro.com/trendlabs...02/CTB-L-5.png
    Once the user completes all the information, the site then redirects the person to the legitimate PayPal login page. To avoid suspicion, it uses the excuse of needing to log in -again- for the changes to fully reflect in the PayPal account. Using the same URLs as those of the CTB-Locker malware suggests that the threat actors distributing the ransomware are also dabbling in phishing... CTB-Locker variants included language support for four languages: English, German, Italian, and Dutch. This new batch of ransomware now supports seven languages, namely, French, Spanish, Latvian, German, Dutch, Italian, and English.
    Ransom message:
    > http://blog.trendmicro.com/trendlabs...02/CTB-L-6.png
    ... The malware also now arrives in a Windows installer package. The two new variants identified were wrapped in an installer using NSIS. Cybercriminals leverage NSIS, which is an open source installer like InstallShield, to make analysis difficult. When executed, the malware drops an encrypted version of the CRYPCTB malware and a library (.DLL) file. The library file will decrypt and execute the ransomware. After the routine, the library file will delete itself. In a surprising move, the cybercriminals adjusted the ransom payment for the decryption of files to 2 BTC, a fee lower than the 3 BTC ransom fee of previous variants. The malware also uses a new set of Tor Addresses to communicate with the affected system... the added languages are all for countries based in Europe. This suggests that these variants may be targeting the EMEA region...
    Top countries affected by CRYPCTB malware family:
    > http://blog.trendmicro.com/trendlabs...2/CTB-L-72.jpg
    ... Conclusion: From what we’ve seen, the threat actors focused more on improving their chances of spreading the malware than improving the design of the code itself. Once the malware is in the system, it can be very challenging to recover the files without getting their help. As we have mentioned in previous entries, it might be tempting to give in and pay the ransom fee to get back encrypted files. However, there is no guarantee that the cybercriminals will actually honor the exchange. At the very worst, the victim is left with no files and no money..."

    Last edited by AplusWebMaster; 2015-02-12 at 23:09.
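    The posts above keep returning to two disguises: a file name that lies (TermsPolicies.pdf.exe, ImportantMessage.scr, docs.exe inside docs-20276.zip, all shown with a PDF icon) and file content that lies (INVOICE.doc, which "is actually not a DOC at all, but an RTF file"). The following attachment-triage script is an added example written for this thread, not code from myonlinesecurity.co.uk, dynamoo.com or any other quoted source. It flags executable and double extensions, opens zip containers to check each member, and compares leading bytes against what the extension implies. The file names are the ones quoted in the posts; the byte samples, the `build_sample_zip`/`demo` helpers and the short extension lists are constructed for illustration.

```python
"""Attachment triage for the lures quoted in this thread (added example)."""
import io
import os
import zipfile

# Extensions Windows runs directly on double-click (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure wants the victim to believe the file has.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt"}

# Leading bytes of the formats the quoted posts mention.
MAGIC = {
    b"MZ": "pe-executable",                                # Windows PE (docs.exe, ImportantMessage.scr)
    b"%PDF": "pdf",
    b"{\\rtf": "rtf",                                      # what INVOICE.doc really was
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound",   # genuine legacy .doc/.xls
    b"PK\x03\x04": "zip",                                  # zip; .docx/.xlsx are zip containers too
}

# What content each extension is allowed to carry.
EXPECTED_BY_EXT = {
    ".pdf": {"pdf"},
    ".doc": {"ole-compound", "zip"},
    ".docx": {"zip"},
    ".xls": {"ole-compound", "zip"},
    ".zip": {"zip"},
    ".exe": {"pe-executable"},
    ".scr": {"pe-executable"},
}


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_name(name: str) -> list:
    """Findings based on the file name alone (extension games)."""
    findings = []
    root, ext = os.path.splitext(os.path.basename(name).lower())
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
        inner_ext = os.path.splitext(root)[1]
        if inner_ext in DOCUMENT_EXTS:
            # TermsPolicies.pdf.exe: with "hide known extensions" on, the user sees TermsPolicies.pdf
            findings.append(f"double extension {inner_ext}{ext}")
    return findings


def triage_file(name: str, data: bytes) -> list:
    """Name findings plus a content-versus-extension check."""
    findings = triage_name(name)
    ext = os.path.splitext(name.lower())[1]
    kind = sniff(data)
    expected = EXPECTED_BY_EXT.get(ext)
    if expected and kind not in expected:
        findings.append(f"content is {kind}, not what {ext} implies")
    return findings


def triage_attachment(name: str, data: bytes) -> dict:
    """Return {member: [findings]}; zip containers are opened and every member checked."""
    results = {}
    if name.lower().endswith(".zip") and sniff(data) == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                found = triage_file(member, zf.read(member))
                if found:
                    results[f"{name}!{member}"] = found
    else:
        found = triage_file(name, data)
        if found:
            results[name] = found
    return results


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed sample: an in-memory zip with one member (stands in for docs-20276.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed stand-ins for the real attachments: a PE header stub, an RTF header, a PDF header.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
FAKE_RTF = b"{\\rtf1\\ansi\\deff0 {\\object ...}}"
FAKE_PDF = b"%PDF-1.4\n%constructed sample\n"


def demo() -> dict:
    """Run the triage over the quoted file names with constructed contents."""
    samples = {
        "TermsPolicies.pdf.exe": FAKE_PE,
        "docs-20276.zip": build_sample_zip("docs.exe", FAKE_PE),
        "ImportantMessage.zip": build_sample_zip("ImportantMessage.scr", FAKE_PE),
        "INVOICE.doc": FAKE_RTF,
        "Real.pdf": FAKE_PDF,
    }
    report = {}
    for name, data in samples.items():
        report.update(triage_attachment(name, data))
    return report


if __name__ == "__main__":
    for item, findings in demo().items():
        print(item, "->", "; ".join(findings))
```

    The magic-byte check is what catches INVOICE.doc: a mail gateway that trusts the extension sees a Word document, while the RTF header identifies a file type that Word will happily open and that carried the CVE-2012-0158 exploit. Checking zip members rather than the container is what catches docs.exe and ImportantMessage.scr, which the posts describe as looking like PDFs once extracted.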

  10. #640
    Adviser Team AplusWebMaster's Avatar

    Fake 'Remittance', 'PURCHASE ORDER' SPAM...

    FYI...

    Fake 'Remittance' SPAM - malware
    - http://blog.dynamoo.com/2015/02/malw...x12345678.html
    13 Feb 2015 - "This -spam- comes from randomly-named companies, with slightly different body text and different subject in each case. Here is an example:
    From: Gale Barlow
    Date: 13 February 2015 at 12:30
    Subject: Remittance IN56583285
    Dear Sir/Madam,
    I hope you are OK. I am writing you to let you know that total amount specified in the contract has been paid into your bank account on the 12th of February at 15:25 via BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
    To see full payment details please refer to the remittance advice note attached to the letter.
    Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
    Gale Barlow
    Accounts Manager
    4D PHARMA PLC
    Boyd Huffman
    Accounts Payable
    GETECH GROUP


    There is a malicious Word document attached to the email, so far I have only seen one version of this but usually there are two or more. The document itself has a low detection rate of 1/57* and it contains a malicious macro which downloads a file from the following location:
    http ://62.76.188.221 /aksjdderwd/asdbwk/dhoei.exe
    This is saved as %TEMP%\dsHHH.exe and has a detection rate of 7/57**, identified as a Dridex downloader. Automated analysis tools... show a variety of activities, including communications with the following IPs:
    85.143.166.72 (Pirix, Russia)
    46.19.143.151 (Private Layer, Switzerland)
    193.206.162.92 (Universita degli Studi dell'Insubria, Italy)
    92.63.88.87 (MWTV, Latvia)
    78.129.153.18 (iomart, UK)
    205.185.119.159 (Frantech Solutions, US)
    The malware then drops a Dridex DLL with a detection rate of 3/52*** and mysteriously drops another Dridex downloader with a detection rate of 6/57****. The Malwr report for that indicates there is some attempted traffic to nonexistent domains.
    Recommended blocklist:
    85.143.166.72
    46.19.143.151
    193.206.162.92
    92.63.88.87
    78.129.153.18
    205.185.119.159
    "
    * https://www.virustotal.com/en/file/8...is/1423835743/

    ** https://www.virustotal.com/en/file/2...is/1423835772/

    *** https://www.virustotal.com/en/file/c...is/1423836506/

    **** https://www.virustotal.com/en/file/0...is/1423836488/
    ___

    Fake 'PURCHASE ORDER' SPAM - doc malware
    - http://myonlinesecurity.co.uk/alison...d-doc-malware/
    13 Feb 2013 - "'Alison Longworth PURCHASE ORDER (34663)' pretending to come from Alison Longworth <ALongworth@ usluk .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...RDER-34663.png

    13 February 2015 : 2600_001.doc - Current Virus total detections: 0/46*
    ... which downloads stroygp .ru/js/bin.exe which is a -dridex- banking trojan and has a virus total detection rate of 9/57**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1423834978/

    ** https://www.virustotal.com/en/file/3...is/1423836333/
    ... Behavioural information
    TCP connections
    37.139.47.105: https://www.virustotal.com/en/ip-add...5/information/
    210.181.222.118: https://www.virustotal.com/en/ip-add...8/information/
    86.104.134.156: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Something evil on 95.163.121.0/24
    - http://blog.dynamoo.com/2015/02/some...4-digital.html
    13 Feb 2015 - "I've written about DINETHOSTING* aka Digital Network JSC many times before, and frankly their entire IP range is a sea of crap, and I have a whole load of blocks in the 95.163.64.0/18 range (including the entirety of 95.163.64.0/10). This latest sea of badness seems to be suballocated to a customer using the 95.163.121.0/24 block.
    * http://blog.dynamoo.com/search/label/DINETHOSTING
    inetnum: 95.163.121.0 - 95.163.121.255
    netname: RU-CLOUDAVT-NET
    descr: LLC ABT Cloud Network
    country: RU ...
    descr: Digital Network JSC
    descr: Moscow, Russia ...
    Just looking at blog posts, I can see badness occurring in the recent past... That's quite a high concentration of bad servers in a relatively small block. A quick look at what is currently hosted indicates (IMHO) nothing of value, and I would recommend blocking the entire 95.163.121.0/24 range as a precaution."
    ___

    Fake Email 'Internet Fax' SPAM - trojan
    - http://blog.mxlab.eu/2015/02/13/emai...ntains-trojan/
    Feb 13, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Internet Fax Job”. This email is sent from the spoofed address “Fax job <no-replay@ fax-job .com>” and has the following body:
    Image data has been attached.

    The attached file Docs.zip contains the 26 kB large file Docs.exe. The trojan is known as UDS:DangerousObject.Multi.Generic, TrojanDownloader:Win32/Upatre.AW, HEUR/QVM19.1.Malware.Gen or Win32.Trojan.Inject.Auto. At the time of writing, 7 of the 57 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/d...3349/analysis/
    ___

    Google International Lottery Spam
    - http://threattrack.tumblr.com/post/1...l-lottery-spam
    12 Feb 2015 - "Subjects Seen:
    GOOGLE int
    Typical e-mail details:
    Congratulations on your victory in the international lottery GOOGLE INT and win in the amount of 10,000 euro.
    For winning fill out the form and send it to us investing in response.


    Malicious File Name and MD5:
    form.exe (433DF3A8CD60E501EE0CB5B4849D82DC)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...2TJ1r6pupn.png

    Tagged: Google, Lottery, Upatre

    - http://myonlinesecurity.co.uk/congra...e-pdf-malware/
    12 Feb 2015
    > https://www.virustotal.com/en/file/2...is/1423755189/
    ... Behavioural information
    TCP connections
    216.146.43.70: https://www.virustotal.com/en/ip-add...0/information/
    92.240.99.70: https://www.virustotal.com/en/ip-add...0/information/
    46.30.212.195: https://www.virustotal.com/en/ip-add...5/information/
    UDP communications
    198.27.81.168: https://www.virustotal.com/en/ip-add...8/information/
    192.95.17.62: https://www.virustotal.com/en/ip-add...2/information/

    Last edited by AplusWebMaster; 2015-02-14 at 01:07.
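    Several of the quoted posts end with a "Recommended blocklist", one recommends blocking the whole 95.163.121.0/24 range, one names 92.240.99.70 as the C&C, and the BBB post calls checkip.dyndns.org "worth monitoring as it is often an indicator of infection". The script below is an added example for this thread, not code from any of the quoted blogs: it takes those indicators as printed above, collapses overlapping entries (95.163.121.216 is already inside the /24), and matches them against egress log lines. The log format (`timestamp src dst_ip:port hostname`) and the log lines themselves are constructed; the benign destinations use RFC 5737 documentation addresses.

```python
"""Egress-log matching against the blocklists quoted in this thread (added example)."""
import ipaddress
from collections import Counter

# Indicators as printed in the posts above (recommended blocklists plus the /24 range).
BLOCKLIST = [
    "85.143.166.72", "92.63.88.97", "205.185.119.159", "78.129.153.18",
    "5.14.26.146", "136.243.237.222", "185.48.56.62", "95.163.121.216",
    "37.139.47.105", "5.39.99.18", "136.243.237.218", "66.110.179.66",
    "78.140.164.160", "109.234.38.70", "92.240.99.70", "92.63.88.87",
    "46.19.143.151", "193.206.162.92",
    "95.163.121.0/24",   # "Something evil on 95.163.121.0/24"
]

# Legitimate service, but a lookup of it from a workstation is a common infection indicator.
SUSPECT_HOSTS = {"checkip.dyndns.org"}


def compile_blocklist(entries):
    """Turn mixed host IPs and CIDRs into networks and collapse overlaps/adjacent pairs."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def match_ip(ip, nets):
    """Return the blocklist network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def parse_line(line):
    """Constructed log shape: '<timestamp> <src_ip> <dst_ip>:<port> <hostname-or-dash>'."""
    ts, src, dst, host = line.split()
    dst_ip, _, port = dst.rpartition(":")
    return {"ts": ts, "src": src, "dst_ip": dst_ip, "port": int(port), "host": host}


def scan(lines, nets):
    """Return (src, dst_ip, port, reason) for every line hitting an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        net = match_ip(rec["dst_ip"], nets)
        if net is not None:
            hits.append((rec["src"], rec["dst_ip"], rec["port"], f"blocklist {net}"))
        elif rec["host"] in SUSPECT_HOSTS:
            hits.append((rec["src"], rec["dst_ip"], rec["port"], f"suspect host {rec['host']}"))
    return hits


def infected_hosts(hits):
    """Count hits per internal source so the noisiest machines surface first."""
    return Counter(src for src, *_ in hits)


# Constructed sample log: two internal hosts showing the behaviour the posts describe,
# one host doing ordinary browsing. 203.0.113.5 is a made-up resolver result.
SAMPLE_LOG = [
    "2015-02-12T10:52:03 10.0.0.15 192.0.2.10:443 www.example.com",
    "2015-02-12T10:52:09 10.0.0.15 203.0.113.5:80 checkip.dyndns.org",
    "2015-02-12T10:52:10 10.0.0.15 92.240.99.70:12112 -",
    "2015-02-12T10:53:44 10.0.0.22 95.163.121.77:80 -",
    "2015-02-12T10:54:01 10.0.0.22 37.139.47.105:80 -",
    "2015-02-12T10:55:12 10.0.0.31 198.51.100.9:443 example.org",
]


def demo():
    """Compile the quoted indicators and scan the constructed log."""
    return scan(SAMPLE_LOG, compile_blocklist(BLOCKLIST))


if __name__ == "__main__":
    hits = demo()
    for hit in hits:
        print(hit)
    print("per-host:", dict(infected_hosts(hits)))
```

    Note that the checkip.dyndns.org line is matched by hostname, not IP: the service itself is legitimate, so the right response is to treat the source host as a candidate for investigation rather than to block the destination, which is the distinction the BBB post draws between "worth monitoring" and "should definitely be blocked".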
