
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #641
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'invoice', Fake 'order' SPAM - doc malware, 'Copy of transaction' xls malware

    FYI...

    Fake 'invoice' SPAM - doc malware
    - http://blog.dynamoo.com/2015/02/malw...group-ltd.html
    16 Feb 2015 - "This -fake- invoice does not come from The Automotive Group Ltd or any similarly-named company. Their systems have not been compromised in any way. Instead, this is a -forgery- with a malicious attachment. Note that the taghire .co.uk simply shows "Under Construction".
    From: Lawrence Fisher [l.fisher@ taghire .co .uk]
    Date: 16 February 2015 at 08:25
    Subject: invoice
    Here is the invoice
    Kind Regards,
    Lawrence Fisher
    T.A.G. (The Automotive Group) Ltd.
    Unit 22 Coney Green Business Centre Wingfield View, Clay Cross, Chesterfield...


    So far I have only seen one sample of this, with an attachment named Invoice 0215.doc which has zero detections according to VirusTotal*. It contains an obfuscated Word macro which downloads an additional component from:
    http ://laikah .de/js/bin.exe
    Usually there are two or three versions of this document, but I have only seen one. If you look at the macro code itself, the download location is not encrypted in the code although other elements of the process are encrypted with a string + key combination. Those combinations contain non-printable characters, possibly in an attempt to avoid analysis. This .exe file is downloaded as %TEMP%\345435.exe and it has a VirusTotal detection rate of 3/57**. Automated reporting tools... show that this POSTS to 37.139.47.105. It appears that communication is attempted with the following IPs:
    37.139.47.105 (Pirix, Russia)
    78.140.164.160 (Webazilla, US)
    95.163.121.179 (Digital Networks, Russia)
    86.104.134.156 (One Telecom, Moldova)
    117.223.58.214 (BSNL / Broadband Multiplay, India)
    109.234.38.70 (McHost, Russia)
    Also, according to the Malwr report***, a DLL is dropped with a detection rate of 3/57.
    Recommended blocklist:
    37.139.47.105
    78.140.164.160
    95.163.121.179
    86.104.134.156
    117.223.58.214
    109.234.38.70
    "
    * https://www.virustotal.com/en/file/a...is/1424078591/

    ** https://www.virustotal.com/en/file/9...is/1424078636/

    *** https://malwr.com/analysis/Yzg4MGU5M...UwOTQ3NjYwMDg/

    - http://myonlinesecurity.co.uk/lawren...d-doc-malware/
    16 Feb 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...ag-invoice.png
    ___

    Fake 'order' SPAM - doc malware
    - http://myonlinesecurity.co.uk/la-pla...d-doc-malware/
    16 Feb 2015 - "'L&A Plastic Order# 66990' pretending to come from Hannah <Hannah@ lapackaging .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...rder-66990.png

    This email has exactly the same malware although different file/document name as today’s versions of Lawrence Fisher T.A.G. (The Automotive Group) Ltd invoice - Word doc malware* and downloads the same dridex banking Trojan** from the same locations***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * http://myonlinesecurity.co.uk/lawren...d-doc-malware/

    ** https://www.virustotal.com/en/file/a...is/1424075902/

    *** https://www.virustotal.com/en/file/9...is/1424078802/
    ... Behavioural information
    TCP connections
    37.139.47.105: https://www.virustotal.com/en/ip-add...5/information/
    UDP communications
    134.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Copy of transaction' SPAM - xls malware
    - http://blog.dynamoo.com/2015/02/malw...t-id91460.html
    16 Feb 2015 - "This rather terse spam comes with a malicious attachment:
    From: Rosemary Gibbs
    Date: 16 February 2015 at 10:12
    Subject: Re: Data request [ID:91460-2234721]
    Copy of transaction.


    The sender's name, the ID: number and the name of the attachment vary in each case. Example attachment names are:
    869B54732.xls
    BE75129513.xls
    C39189051.xls
    None of the three attachments are detected by anti-virus vendors [1] [2] [3]. They each contain a slightly different macro... It's quite apparent that this is ROT13 encoded which you can easily decrypt at http://www.rot13.com/index.php rather than working through the macro... So, these macros are attempting to use Powershell to download and execute the next step (possibly to avoid the UAC popup). The downloaded binary has a VirusTotal detection rate of 3/57* and automated analysis tools... show attempted communications with:
    85.143.166.72 (Pirix, Russia)
    205.185.119.159 (FranTech Solutions, US)
    92.63.88.87 (MWTV, Latvia)
    173.226.183.204 (TW Telecom, Taiwan)
    27.5.199.115 (Hathway Cable and Datacom, India)
    149.171.76.124 (University Of New South Wales, Australia)
    46.19.143.151 (Private Layer, Switzerland)
    It also drops a DLL with a 4/57** detection rate which is the same malware seen in this attack***.
    Recommended blocklist:
    85.143.166.72
    205.185.119.159
    92.63.88.87
    173.226.183.204
    27.5.199.115
    149.171.76.124
    46.19.143.151
    "
    1] https://www.virustotal.com/en/file/b...is/1424087084/

    2] https://www.virustotal.com/en/file/7...is/1424087089/

    3] https://www.virustotal.com/en/file/6...is/1424087096/

    * https://www.virustotal.com/en/file/f...is/1424087041/

    ** https://www.virustotal.com/en/file/0...is/1424088561/

    *** http://blog.dynamoo.com/2015/02/malw...group-ltd.html

    - http://myonlinesecurity.co.uk/copy-t...l-xls-malware/
    16 Feb 2015
    ___

    Fake 'Order' SPAM - doc malware
    - http://blog.dynamoo.com/2015/02/malw...der-66990.html
    16 Feb 2015 - "This -fake- financial spam does not come from LA Packaging, their systems are not compromised in any way. Instead, this is a simple -forgery- with a malicious attachment:
    From: Hannah [Hannah@ lapackaging .com]
    Date: 16 February 2015 at 10:38
    Subject: L&A Plastic Order# 66990
    For your records, please see attached L&A Order# 66990 and credit card receipt.
    It has shipped today via UPS Ground Tracking# 1Z92X9070369494933
    Best Regards,
    Hannah – Sales
    L&A Plastic Molding / LA Packaging
    714-694-0101 Tel - Ext. 110
    714-694-0400 Fax
    E-mail: Hannah@ LAPackaging .com


    Attached is a malicious Word document 66990.doc - so far I have only seen one version of this, although there are usually several variants. This document contains a macro... an executable from:
    http :// hoodoba.cba .pl/js/bin.exe = 95.211.144.65: https://www.virustotal.com/en/ip-add...5/information/
    At present this has a detection rate of 6/57*. It is the same malware as seen in this spam run**."
    * https://www.virustotal.com/en/file/9...is/1424089760/

    ** http://blog.dynamoo.com/2015/02/malw...group-ltd.html

    - http://myonlinesecurity.co.uk/la-pla...d-doc-malware/
    16 Feb 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...rder-66990.png
    ___

    Money mule SCAM
    - http://blog.dynamoo.com/2015/02/mone...aearnscom.html
    16 Feb 2015 - "This spam email is attempting to recruit people to aid with money laundering ("money mules") and other illegal operations.
    Date: 16 February 2015 at 21:29
    Subject: New offer
    Good day!
    We considered your resume to be very attractive and we thought the vacant position in our company could be interesting for you.
    Our firm specializes in advertisment services realizing unique products of creative advertising and branding strategies
    and solutions to develop a distinctive brand value.
    We cooperate with different countries and currently we have many clients in the USA and the EU.
    Due to this fact, we need to increase the number of our destination representatives' regular staff.
    In their duties will be included the document and payment control of our clients.
    Part-time employment is currently important.
    We offer a wage from 3500 GBP per month.
    If you are interested in our offer, mail to us your answer on riley@ gbearn .com and
    we will send you an extensive information as soon as possible.
    Respectively submitted
    Personnel department


    The reply-to address of gbearn .com has recently been registered by the -scammers- with false WHOIS details. There is also an equivalent domain usaearns .com for recruiting US victims. Although there is no website, both domains have a mail server at 93.188.167.170 (Hostinger, US) which also serves as one of the nameservers for these domains (ns1 .recognizettrauma .net). The other nameserver (ns2 .recognizettrauma .net) is on 75.132.186.90 (Charter Communications, US). Be in no doubt that the job being offered here is -illegal- and you should most definitely avoid it."
    ___

    Banking Trojan Dyreza sends 30,000 malicious emails in one day
    - http://net-security.org/malware_news.php?id=2964
    16.02.2015 - "A massive spam wave is installing banking Trojan Dyreza on tens of thousands of computers to steal sensitive financial data from unsuspecting customers, warns Bitdefender*. 30,000 malicious emails were sent in just one day from spam servers in the UK, France, Turkey, US and Russia. The spam, which has been directed to customers of UK banks including NatWest, Barclays, RBS, HSBC, Lloyds Bank and Santander, carries links to HTML files which directs users to URLs pointing to highly obfuscated Javascript code. This automatically downloads a zip archive from a remote location... each downloaded archive is named differently to bypass antivirus solutions. This technique is called server-side polymorphism and ensures that the downloaded malicious file is always brand new. To take the con one step further, the same Javascript code -redirects- the user to the localized webpage of a fax service provider as soon as the archive is downloaded..."
    * http://www.hotforsecurity.com/blog/b...rns-11368.html
    ___

    Banking malware VAWTRAK - malicious macro downloaders
    > http://blog.trendmicro.com/trendlabs...ws-powershell/
    Feb 16, 2015

    Last edited by AplusWebMaster; 2015-02-20 at 17:23.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #642

    Fake 'Customer statement', 'Service Suspension', 'Unpaid invoice' SPAM

    FYI...

    Something evil on 92.63.88.0/24 (MWTV, Latvia)
    - http://blog.dynamoo.com/2015/02/some...tv-latvia.html
    17 Feb 2015 - "I've been tracking -Dridex- for some time, and I keep seeing IPs for MWTV in Latvia cropping up. So far I have seen:
    92.63.88.87
    92.63.88.97
    92.63.88.100
    92.63.88.105
    92.63.88.106
    92.63.88.108
    I'm not sure how widely this spreads through the MWTV network, but I would certainly recommend -blocking- 92.63.88.0/24 on your network perimeter."
    ___

    Fake 'Customer statement' SPAM - doc malware
    - http://myonlinesecurity.co.uk/custom...d-doc-malware/
    17 Feb 2015 - "'Customer statement 0001031389 as on 02/05/2015' pretending to come from AR.Support@efi.com and being addressed to minutemanpresschicago@ comcast .net and sent to you via a bcc with a malicious word doc attachment is another one from the current bot runs... All these emails have random invoice numbers in the subject line and the invoice number matches the attachment name & number in most cases so far today...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...0001031389.png

    17 February 2015 : Customer statement 0001031389 as on 02052015.DOC
    Current Virus total detections: 0/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1424169255/

    - http://blog.dynamoo.com/2015/02/malw...-customer.html
    17 Feb 2015
    "... Recommended blocklist:
    202.44.54.5
    66.110.179.66
    92.63.88.105
    "
    ___

    Fake 'Service Suspension' SPAM - xls malware
    - http://myonlinesecurity.co.uk/servic...l-xls-malware/
    17 Feb 2015 - "'Service Suspension Notification [ID:FECC254778] (random numbers)' with a malicious word excel XLS attachment is another one from the current bot runs... All these emails have random numbers in the subject line and the attachment name...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...tification.png

    17 February 2015 : FECC254778.xls
    Current Virus total detections: 1/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1424174070/
    ___

    Fake 'Unpaid invoice' SPAM – XLS malware
    - http://myonlinesecurity.co.uk/unpaid...l-xls-malware/
    17 Feb 2015 - "'Unpaid invoice [ID:AFCBF43812] ( random numbers)' with a malicious Excel XLS attachment is another one from the current bot runs... All these emails have random invoice numbers in the subject line and the invoice number matches the attachment name & number in most cases so far today. The email has a totally -blank- body...

    17 February 2015 : AFCBF43812.xls - Current Virus total detections: 1/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1424178689/

    - http://blog.dynamoo.com/2015/02/malw...876543210.html
    17 Feb 2015
    "... fake invoice comes with no body text, a random ID: in the subject and a randomly-named malicious Excel attachment...
    Recommended blocklist:
    92.63.88.97
    92.63.88.87
    78.129.153.27
    62.76.43.194
    46.4.232.206
    136.243.237.194
    74.208.68.243
    "
    ___

    Fake 'Invoices' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
    17 Feb 2015 - "'Invoices for INTERCON, INC. Sent on 02/17/15 from Electroshield Inc' pretending to come from accounting@ interconinc .com with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...r-INTERCON.png

    17 February 2015: invoices.zip: Extracts to: invoices.exe
    Current Virus total detections: 7/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1424188090/
    ___

    FedEx Notification Spam
    - http://threattrack.tumblr.com/post/1...ification-spam
    Feb 17, 2015 - "Subjects Seen
    Postal Notification Service
    Typical e-mail details:
    Dear Customer,
    You parcel arrived, read the account in the attachment.
    Consignment: #149700366
    Submit time: Tue, 17 Feb 2015 11:11:55 +0000


    Malicious File Name and MD5:
    invoice.exe (6E3EF30E49B69E8AA6F487816A4AC9F9)


    Screenshot: https://gs1.wac.edgecastcdn.net/8019...FbG1r6pupn.png

    Tagged: FedEx, Upatre
    ___

    Equation Group IP ranges and domains
    - http://blog.dynamoo.com/2015/02/an-a...ion-group.html
    17 Feb 2015 - "There has been a lot of buzz this morning about "The Equation Group", a possible state actor involved in placing malware on hard disks..."
    (Good read, but WAY too many IPs to be listed here - see the dynamoo URL above.)

    - https://isc.sans.edu/diary.html?storyid=19345
    2015-02-17

    - http://www.theregister.co.uk/2015/02...quation_group/
    17 Feb 2015

    Last edited by AplusWebMaster; 2015-02-18 at 14:59.

  3. #643

    Fake 'E-bill', 'insurance' SPAM, Malicious XLS or XLSM attachments...

    FYI...

    Multiple SPAM emails using malicious XLS or XLSM attachment
    - http://blog.dynamoo.com/2015/02/mult...malicious.html
    18 Feb 2015 - "I'm seeing multiple spam runs (probably pushing the Dridex banking trojan) with no-body-text, various subjects and either an XLS or XLSM attachment. Example subjects include:
    Copy [ID:15E376774] attaced
    RE: Requests documentation [458C28133]
    Request error [C3843]
    Request error [FDF396530]
    Requests documentation [242B035667]
    Attachments look something similar to this:
    15E376774.xlsm
    242B035667.xlsm
    458C28133.xls
    C3843.xls
    FDF396530.xlsm
    The XLS and XLSM files are different structurally.. the XLSM files are basically an Office 2007 ZIP archive of all the data components, the XLS files are an old school Office 2003 file. Nevertheless, they contain a macro with 23 components to make it harder to analyse, although the important modules are Module 11 which contains the text string to decrypt, and Module 14 which contains the decryption function itself. Almost everything else is irrelevant. Once the string is decrypted, it becomes fairly obvious what is going on. So far, there appear to be four strings with different download locations... we can see a file dxzq.jpg being downloaded which is actually a CAB file (JIOiodfhioIH.cab) which is then expanded to JIOiodfhioIH.exe and then run. For information, these IPs are hosted by:
    5.196.243.7 (OVH, Ireland)
    46.30.42.151 (Eurobtye LLC, Russia)
    176.31.28.235 (OVH, France)
    92.63.88.63 (MWTV, Latvia)
    This executable has a detection rate of 4/56. Automated analysis... shows attempted network connections to:
    82.151.131.129 (Doruknet, Turkey)
    121.50.43.175 (Tsukaeru.net, Japan)
    74.208.68.243 (1&1, US)
    The Malwr report shows that it also drops a DLL with a detection rate of just 1/56*.
    Recommended blocklist:
    82.151.131.129
    121.50.43.175
    74.208.68.243
    5.196.243.7
    46.30.42.151
    176.31.28.235
    92.63.88.63
    ..."
    * https://www.virustotal.com/en/file/2...is/1424263599/

    - http://myonlinesecurity.co.uk/excel-xlsm-malware/
    18 Feb 2015 - "... The email has a totally-blank-body..."
    > https://www.virustotal.com/en/file/3...is/1424262074/
    ___

    Fake 'Thank you' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/thank-...e-pdf-malware/
    18 Feb 2015 - "'Thank you for your payment' pretending to come from nycserv@ finance .nyc .gov with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ur-payment.png

    18 February 2015: attachment.zip : Extracts to: attachment.exe
    Current Virus total detections: 9/57* ... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1424277505/
    ... Behavioural information
    TCP connections
    91.198.22.70: https://www.virustotal.com/en/ip-add...0/information/
    31.43.236.251: https://www.virustotal.com/en/ip-add...1/information/
    50.87.148.213: https://www.virustotal.com/en/ip-add...3/information/
    31.43.236.251: https://www.virustotal.com/en/ip-add...1/information/
    UDP communications
    77.72.174.161: https://www.virustotal.com/en/ip-add...1/information/
    77.72.174.160: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Esso E-bill' SPAM – doc malware
    - http://blog.dynamoo.com/2015/02/malw...so-e-bill.html
    18 Feb 2015 - "This fake invoice is a -forgery- with a malicious attachment:
    From: invoices@ ebillinvoice .com
    Date: 18 February 2015 at 09:01
    Subject: UK Fuels Esso E-bill
    Customer No : 90714
    Email address : [redacted]
    Attached file name : 36890_06_2015.DOC (ZIP)
    Dear Customer
    Please find attached your invoice for Week 06 2015.
    If you have any queries regarding your e-bill you can contact us at invoices@ ebillinvoice .com.
    Alternatively you can log on to your account at www .velocitycardmanagement .com to review your transactions and manage your account online.
    Yours sincerely
    Customer Services
    UK Fuels...


    I have only seen a single sample of this, with a ZIP file 36890_06_2015.zip attached, which in turn contains a document 36890_06_2015.doc. This document contains a malicious macro, and is exactly the same as the one used in this campaign* leading to the Dridex banking trojan."
    * http://blog.dynamoo.com/2015/02/this...malicious.html

    - http://myonlinesecurity.co.uk/uk-fue...d-doc-malware/
    18 Feb 2015
    > https://www.virustotal.com/en/file/0...is/1424251443/
    ___

    Fake 'auto insurance' SPAM - doc malware
    - http://blog.dynamoo.com/2015/02/this...malicious.html
    18 Feb 2015 - "This -fake- financial spam has a malicious attachment:
    From: Dan Bigelow [dan@ express-insurance .net]
    Date: 18 February 2015 at 09:18
    Subject: Auto insurance apps and documents
    Hello ,
    Please print “All” attached forms and sign and initial where I highlighted.
    Scan and email back to me or fax to me at 407-937-0511.
    Sincerely,
    Dan Bigelow
    Referrals are important to us. If you know anyone who would benefit from our services, please contact me.
    We would appreciate the opportunity to work with them.
    2636 West State Rd 434 # 112
    Longwood, Fl 32779 ...


    This spam does -not- actually come from Express Insurance nor have their systems or data been compromised in any way. Instead this is a simple -forgery- with a malicious Word document attached. There are actually at least two different versions of the document with zero detections [1] [2]... Despite the difference, both seem to download from:
    http ://ecv.bookingonline .it/js/bin.exe
    The download file is saved as %TEMP%\FfdgF.exe and has a VirusTotal detection rate of 3/57*. Automated analysis tools... indicate that it attempts to phone home to:
    83.169.4.178 (Hosteurope, Germany)
    202.44.54.5 (World Internetwork Corporation, Thailand)
    66.110.179.66 (Microtech Tel, US)
    This probably drops a Dridex DLL, however the Malwr analysis appears to have malfunctioned and I don't have a sample.
    Recommended blocklist:
    83.169.4.178
    202.44.54.5
    66.110.179.66
    "
    1] https://www.virustotal.com/en/file/7...is/1424256101/

    2] https://www.virustotal.com/en/file/0...is/1424256116/

    * https://www.virustotal.com/en/file/1...is/1424257699/

    Last edited by AplusWebMaster; 2015-02-18 at 21:34.
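Post #643 above describes the three attachment shapes seen in these runs: a legacy OLE .doc/.xls carrying a macro, an .xlsm that is really an Office 2007 ZIP package, and a ZIP wrapping an .exe with a spoofed document icon. The following is an added example, not code from the quoted blogs or from this thread, showing a mail-gateway triage routine that classifies an attachment by its container and flags the macro and executable indicators the posts mention. The sample attachments it builds are constructed placeholders (no real malware); the file names borrowed from the posts are used only as labels, `invoice.pdf.exe` is a made-up name, and the OLE check is a string-scan heuristic rather than a full compound-file parse.

```python
"""Triage an e-mail attachment by container type and macro/executable indicators.
Added example for this thread; not code from the quoted blogs."""
import io
import zipfile

OLE_MAGIC = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'  # Compound File Binary (legacy .doc/.xls) signature
EXECUTABLE_EXTS = {'exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'js', 'vbs', 'jar'}
DOCUMENT_EXTS = {'pdf', 'doc', 'xls', 'docx', 'xlsx', 'txt', 'jpg', 'png'}
MACRO_EXTS = {'xlsm', 'docm', 'pptm', 'xltm', 'dotm'}
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def triage(filename, data, depth=0):
    """Return a list of findings for one attachment. An empty list means these
    checks saw nothing suspicious, not that the file is safe."""
    findings = []
    parts = filename.lower().rsplit('.', 2)
    ext = parts[-1] if len(parts) > 1 else ''
    # 'invoice.pdf.exe' style: a document-looking name that is really executable
    if ext in EXECUTABLE_EXTS:
        findings.append('executable extension .' + ext)
        if len(parts) == 3 and parts[1] in DOCUMENT_EXTS:
            findings.append('double extension disguises executable as .' + parts[1])
    if data.startswith(b'MZ'):
        findings.append('PE executable content')
    if data.startswith(OLE_MAGIC):
        findings.append('OLE2 container (legacy .doc/.xls)')
        # OLE directory entry names are UTF-16LE; a VBA project carries a
        # '_VBA_PROJECT' stream. A raw byte scan is a heuristic, not a parse.
        if '_VBA_PROJECT'.encode('utf-16-le') in data:
            findings.append('VBA project stream name found (heuristic)')
    if data.startswith(b'PK\x03\x04'):
        findings.extend(_triage_zip(data, ext, depth))
    return findings


def _triage_zip(data, ext, depth):
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ['ZIP signature but archive does not parse']
    with zf:
        names = zf.namelist()
        if '[Content_Types].xml' in names:
            # Office Open XML package (.docx/.xlsm/...): macros live in vbaProject.bin
            if any(n.lower().endswith('vbaproject.bin') for n in names):
                findings.append('OOXML package with VBA project (macro-enabled)')
            elif ext in MACRO_EXTS:
                findings.append('macro-enabled extension but no VBA project inside')
            return findings
        if depth >= 2:
            return ['nested archive deeper than 2 levels; not inspected']
        # Plain ZIP (e.g. invoices.zip): triage what it would extract to
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f'{info.filename}: member too large to inspect')
                continue
            for f in triage(info.filename, zf.read(info), depth + 1):
                findings.append(f'{info.filename}: {f}')
    return findings


def build_sample_attachments():
    """Constructed stand-ins for the attachment types named in the thread.
    None of these are real malware; the bodies are minimal placeholders."""
    samples = {}
    samples['invoice.pdf.exe'] = b'MZ\x90\x00' + b'\x00' * 60  # spoofed double extension (made-up name)
    # Legacy .doc: OLE header followed by a fake directory carrying the VBA stream name
    samples['66990.doc'] = OLE_MAGIC + b'\x00' * 504 + '_VBA_PROJECT'.encode('utf-16-le')
    # Macro-enabled OOXML workbook: a ZIP with a content-types part and vbaProject.bin
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('[Content_Types].xml', '<Types/>')
        zf.writestr('xl/workbook.xml', '<workbook/>')
        zf.writestr('xl/vbaProject.bin', b'\x00' * 16)
    samples['15E376774.xlsm'] = buf.getvalue()
    # ZIP wrapper around an executable, as in invoices.zip -> invoices.exe
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('invoices.exe', b'MZ\x90\x00' + b'\x00' * 60)
    samples['invoices.zip'] = buf.getvalue()
    samples['report.pdf'] = b'%PDF-1.4\n%constructed benign placeholder\n'
    return samples


if __name__ == '__main__':
    for name, blob in build_sample_attachments().items():
        print(name, '->', triage(name, blob) or ['no findings'])
```

The container checks use the file content, not the extension, which is the point the SANS diary in post #644 makes about extension-based gateway blocking: a macro document is still a macro document when it arrives as `36890_06_2015.DOC (ZIP)`, and a PE file is still a PE file when it is named to look like a PDF.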

  4. #644

    Fake 'Statement' SPAM, Fake 'Invoice' SPAM – XLS malware, 'DVLA' Phish

    FYI...

    Fake 'Statement' SPAM – XLS malware
    - http://myonlinesecurity.co.uk/maria-...l-xls-malware/
    19 Feb 2015 - "'Maria Wilson Securigroup Statement' pretending to come from Maria Wilson <maria.wilson132@ securigroup .co .uk> (the email address that pretends to send changes with each email so you get maria.wilson<random numbers>@securigroup .co .uk) with a malicious xls attachment is another one from the current bot runs... So far today -3- different versions of the malware attachment have been seen...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...-Statement.png

    19 February 2015 : Statement 18 FEB 2015.xls
    Current Virus total detections: 0/57* | 0/57** | 0/57*** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1424337205/

    ** https://www.virustotal.com/en/file/d...is/1424337493/

    *** https://www.virustotal.com/en/file/e...is/1424337433/

    - http://blog.dynamoo.com/2015/02/malw...ia-wilson.html
    19 Feb 2015
    "... Recommended blocklist:
    83.169.4.178
    66.110.179.66
    202.44.54.5
    14.99.146.242
    78.140.164.160
    220.143.5.92
    217.12.203.34
    "
    ___

    Fake 'Invoice' SPAM – XLS malware
    - http://myonlinesecurity.co.uk/marylo...l-xls-malware/
    19 Feb 2015 - "'Marylou Proforma Invoice' pretending to come from Marylou Champagne <marylou@ droitcour .com> with a malicious Excel XLS attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ma-Invoice.png

    The malware payload is exactly the same as today’s Maria Wilson Securigroup Statement – Excel XLS malware* although -named- differently Inv SP14216.xls "
    * http://myonlinesecurity.co.uk/maria-...l-xls-malware/
    ___

    Fake 'Remittance Advice' SPAM - XLS malware
    - http://myonlinesecurity.co.uk/this-i...l-xls-malware/
    19 Feb 2015 - "Following on from -other- Excel XLS macro laden malwares today we are seeing a load of -damaged/misconfigured- emails with a malicious Excel XLS attachment arriving. The subject says 'This is your Remittance Advice #CCI36306' and pretends to come from Violet Garner <Jodi.1d@ ip-35-29-71-77. bgwan .com> The email has -garbled- plain text content with 3 attachments. They are supposed to be a rerun of 'SGBD National Payments Centre – This is your Remittance Advice' – Excel XLS malware* ... the 3rd is the malware attachment, which is named CCI36306.xls and contains exactly the same malware payload as the other malicious XLS files from today 'Marylou Proforma Invoice'** – Excel XLS malware and "Maria Wilson Securigroup Statement'*** – Excel XLS malware... All these emails have random invoice numbers in the subject line and the invoice number matches the attachment name & number in most cases so far today...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-CCI36306.png

    ... Some mail clients and mail servers ( particularly web based email services) might deliver these emails intact and readable. My mail server is very precise and doesn’t try to fix broken/misconfigured emails and either rejects/quarantines them or delivers them as is and leaves it up to the receiving email client to make heads or tails of them. These all are from the current bot runs... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * http://myonlinesecurity.co.uk/sgbd-n...l-xls-malware/

    ** http://myonlinesecurity.co.uk/marylo...l-xls-malware/

    *** http://myonlinesecurity.co.uk/maria-...l-xls-malware/
    ___

    Fake 'order shipment' SPAM - XLS malware
    - http://myonlinesecurity.co.uk/your-o...l-xls-malware/
    19 Feb 2015 - "'Your order is ready for shipment T/N:HP3638_572' pretending to come from Christian Stout, State Department <834b3a@ aluguelubatuba .com> with a malicious Excel XLS attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...tian-Stout.png

    19 February 2015 : HP3638_572.xls - Current Virus total detections: 2/57*
    ... which downloads from 185.48.56.137 /ssdynamooss/sspidarss.cab and creates %temp\fgdgfffgfgf.exe
    (-dridex- banking Trojan) which has a virus total detection rate 5/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1424346447/

    ** https://www.virustotal.com/en/file/9...is/1424347235/
    ... Behavioural information
    TCP connections
    82.151.131.129: https://www.virustotal.com/en/ip-add...9/information/

    - http://blog.dynamoo.com/2015/02/malw...ent-order.html
    19 Feb 2015
    "...Recommended blocklist:
    82.151.131.129
    121.50.43.175
    74.208.68.243
    85.143.166.0/24
    37.139.47.0/24
    "
    * https://www.virustotal.com/en/file/9...is/1424356739/

    ** https://www.virustotal.com/en/file/e...is/1424358171/
    ___

    Macros? Really?!
    - https://isc.sans.edu/diary.html?storyid=19349
    2015-02-19 - "... While the past 15 years or so were mostly devoid of any significant macro viruses, macro-based malware is now making a "successful" comeback. Last week, we saw a significant Dridex malware run that was using macros in Excel files (.XLSM), and earlier this week, the crooks behind the banking spyware "Vawtraq" started to spam the usual "Fedex Package" and "Tax Refund" emails, but unlike in other malspam runs, the attachment was no longer a ZIP with an EXE or SCR inside, but rather a file in Microsoft Office .DOC format. File extension based blocking on the email gateway is not going to save your bacon on this one... For Vawtraq, -if- the recipient -opens- the DOC, the content looks garbled, and the only readable portion is in (apparently) user-convincing red font, asking the recipient to enable macros. You can guess what happens next if the user falls for it...: A VBS and Powershell file get extracted from the DOC, and then download and -run- the Vawtraq malware executable. The whole mess has very low detection in anti-virus, yesterday's Vawtraq started with zero hits on VirusTotal, and even today, one day later, it hasn't made it past 7/52 anti-virus engines detecting the threat yet. Thus, odds are you will need to revert to manual analysis to determine if a suspicious Office document is indeed malicious, and to extract any indicators from it that can help to discover users on your network who have been "had"..."
    ___

    Fake 'DVLA' Phish...
    - http://myonlinesecurity.co.uk/dvla-y...fund-phishing/
    19 Feb 2015 - "'You are eligible to receive a tax disc refund' pretending to come from DVLA <refund @directdvla .co .uk> is a brand new -phish- attempt to steal your Personal information, driving licence details and your Bank details. I have never previously seen one of these and definitely have never seen any phishing attempt that asks you to scan/photograph your driving licence and upload a copy of that. This one wants your personal details, a copy of your driving licence to be uploaded and bank details...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...fund_email.png

    If you follow-the-link (don't) you see a webpage looking like:
    > http://myonlinesecurity.co.uk/wp-con...x_refund_1.png
    After you upload a copy of your driving licence you get a page looking like this, where the phishers try to validate your details to make sure that you are entering "genuine" information. They make sure that the bank account numbers have the correct number of digits and that the name and date of birth is filled in:
    > http://myonlinesecurity.co.uk/wp-con...x_refund_2.png
    You are then sent on to the genuine DVLA pages..."
    ___

    Apple GSX Access – Phish...
    - http://myonlinesecurity.co.uk/apple-...eges-phishing/
    19 Feb 2015 - "'Apple GSX Access Privileges' pretending to come from gsx_notifications@ apple .com is one of the latest phish attempts to steal your Apple account. This one only wants your Apple log in details. Many of them are also designed to specifically steal your credit card and bank details, your email, facebook and other social network log in details as well... Some versions of this phish will ask you to fill in the html (webpage) form that comes -attached- to the email.
    Dear GSX User,
    Your access privileges on the Apple Global Service Exchange (GSX) system were revoked by GSX_Rejections@ group .apple .com on 19-Feb-2015
    Reason for Revoking access :
    http ://idmsa-gsx-apple .net/WebApp-login.html
    Please contact your GSX administrator for more information.


    If you follow the link you see a webpage looking like:
    > http://myonlinesecurity.co.uk/wp-con...s-1024x588.png
    When (IF) you fill in your user name and password you get sent immediately to an identical page to log in again, but this time it is the genuine Apple GSX log in page..."
    ___

    Some Superfish domains and IP addresses and ranges...
    - http://blog.dynamoo.com/2015/02/some...-addresse.html
    19 Feb 2015 - "In the light of the growing Lenovo/Superfish* fuss, I set out to identify those Superfish domains and IPs that I could, for the purposes of -blocking- or monitoring. The domains and IPs that I have been able to identify are here [csv**]. Superfish appear to operate the following domains (and several subdomains thereof):
    venn .me
    best-deals-products .com
    superfish .com
    pin2buy .net
    pintobuy .net
    similarproducts .net
    adowynel .com
    govenn .com
    group-albums .com
    jewelryviewer .com
    likethatapps .com
    likethatdecor .com
    likethatpet .com
    likethatpets .com
    testsdomain .info
    superfish .mobi
    vennit .net
    superfish .us
    These following IP addresses and ranges appear to be used exclusively by Superfish (some of their other domains are on shared infrastructure).
    66.70.35.240/28
    66.70.34.64/26
    66.70.34.128/26
    66.70.34.251
    66.70.35.12
    66.70.35.48

    All of those IPs are allocated to Datapipe in the US. Superfish itself is based in Israel, which seems to be a popular place to develop adware..."
    * http://thenextweb.com/insider/2015/0...new-computers/

    ** http://www.dynamoo.com/files/superfish.csv

    >> http://www.reuters.com/article/2015/...0LN0XI20150219
    Feb 19, 2015

    Last edited by AplusWebMaster; 2015-02-19 at 18:33.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #645

    Fake 'Bank' SPAM - PDF malware, 'NYC Parking Fine' SPAM, Lenovo/Superfish ...

    FYI...

    Fake 'Bank' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/lloyds...e-pdf-malware/
    20 Feb 2015 - "'Lloyds Bank – Pendeford Securities – Please Read Action Required/PI Documents/ Region code East 2/ 9147056/' pretending to come from RSTNAME} Woodruff <Arron.Woodruff@ lloydsbanking .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Please find attached our document pack for the above customer. Once completed please return via email to the below address.
    If you have any queries relating to the above feel free to contact us at MN2Lloydsbanking@ lloydsbanking .com
    Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 08457 21 31 41. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 0128078. Telephone: 0845 603 1637
    Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.
    Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.
    Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.
    HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC272200.
    This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded...


    The malware attached to this email is the same malware as in today’s other Upatre "delivery supply only quotation 16822 in total"* – fake PDF malware. If previous days are anything to go by, we -will- see -numerous- different emails all containing the same Upatre malware and all with different file names..."

    * http://myonlinesecurity.co.uk/supply...e-pdf-malware/
    20 Feb 2015 - "'supply only quotation 16822 in total' pretending to come from wendy@ burwoodsupply .co .uk with a zip attachment is another one from the current bot runs... The email looks like:
    Hi
    Attached are 1 quotes so far they are in excel format so they can be altered if necessary (I normally only send the quotes in PDF so they can’t be altered but Mike asked me not to do this).
    The rest to follow tomorrow a.m.
    Regards
    Teresa Byron
    Office Administrator
    ECY Armco Barley Castle Lane, Appleton Thorn, Warrington, Cheshire, WA4 4RB t: +44(0)1925 860000 f: +44(0)1925 861111
    This email is confidential. It may also be privileged or otherwise protected by work product immunity or other legal rules. If you are not the intended recipient please notify the sender. Please delete the message from all places in your computer where it is stored...


    20 February 2015: quotes.zip: Extracts to: quotes.exe
    Current Virus total detections: 2/57**. This is another one of the spoofed icon files that, unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    ** https://www.virustotal.com/en/file/d...is/1424432388/
    ... Behavioural information
    TCP connections
    216.146.43.70: https://www.virustotal.com/en/ip-add...0/information/
    31.43.236.251: https://www.virustotal.com/en/ip-add...1/information/
    81.169.145.150: https://www.virustotal.com/en/ip-add...0/information/
    31.43.236.251: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'NYC Parking Fine' SPAM - malware
    - http://www.hoax-slayer.com/new-york-...-malware.shtml
    Feb 20, 2015 - "Email purporting to be from the NYC Department of Finance thanks you for paying $7900 in parking fines via your credit card and suggests you open an -attached- file to view details... claims to be from the NYC Department of Finance... Opening the attached .zip file will reveal a malicious .exe file. If you then click-the-.exe file, -malware- may be installed on your computer. The exact type of malware varies..."
    ___

    Lenovo - vulnerable to HTTPS Spoofing
    - https://www.us-cert.gov/ncas/current...HTTPS-Spoofing
    Feb 20, 2015 - "Lenovo consumer personal computers employing the pre-installed Superfish Visual Discovery software contain a critical vulnerability through a compromised root CA certificate. Exploitation of this vulnerability could allow a remote attacker to read -all- encrypted web browser traffic (HTTPS), successfully impersonate (spoof) any website, or perform other attacks on the affected system. US-CERT recommends users and administrators review Vulnerability Note VU#529496* and US-CERT Alert TA15-051A** for additional information and mitigation details."

    * http://www.kb.cert.org/vuls/id/529496
    Feb 20, 2015 - "... Solution: The CERT/CC is currently unaware of any official solutions to this problem and recommends the following workarounds.
    - Uninstall Komodia Redirector SDK and associated root CA certificates
    - Uninstall any software that includes the Komodia Redirector and SSL Digestor libraries..."
    ** https://www.us-cert.gov/ncas/alerts/TA15-051A
    Feb 20, 2015 - "... Solution: Uninstall Superfish VisualDiscovery and associated root CA certificate
    - Uninstall any software that includes the Komodia Redirector and SSL Digestor libraries. In the case of Lenovo PCs, this includes Superfish Visual Discovery.
    It is also necessary to remove affected root CA certificates. Simply uninstalling the software does not remove the certificate. Microsoft provides guidance on [3] deleting (link is external) and [4] managing (link is external) certificates in the Windows certificate store. In the case of Superfish Visual Discovery, the offending trusted root certification authority certificate is issued to “Superfish, Inc.”
    Mozilla provides similar [5] guidance for their software, including the Firefox and Thunderbird certificate stores."

    3] https://technet.microsoft.com/en-us/.../cc772354.aspx

    4] http://windows.microsoft.com/en-us/w...r-certificates

    5] https://wiki.mozilla.org/CA:UserCert...ot_Certificate

    > http://support.lenovo.com/us/en/prod...fish_uninstall

    - https://blog.malwarebytes.org/privac...erfish-fiasco/
    Feb 20, 2015 - "... To find out if you are affected, you can visit:
    - https://filippo.io/Badfish/ "

    Last edited by AplusWebMaster; 2015-02-23 at 12:07.

  6. #646

    Fake Invoice SPAM, A Week in Security...

    FYI...

    Fake Magazine Invoice SPAM - PDF malware
    - http://myonlinesecurity.co.uk/essex-...e-pdf-malware/
    23 Feb 2015 - "'Essex Central Magazine Invoice' pretending to come from Essex Central Magazine <darren@ notifications .kashflow .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Please see attached invoice for the upcoming issue of Essex Central
    Magazine.
    Regards,
    Accounts Dept.


    23 February 2015: invoice.zip: Extracts to: invoice_pdf.exe
    Current Virus total detections: 4/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1424701064/

    - http://blog.mxlab.eu/2015/02/23/fake...upatre-trojan/
    Feb 23, 2015
    > https://www.virustotal.com/en/file/8...2b79/analysis/
    ___

    A Week in Security...
    - https://blog.malwarebytes.org/online...ity-feb-15-21/
    Feb 23, 2015 - "... fakeouts festooned all over YouTube, claiming to activate Windows 10:
    > https://blog.malwarebytes.org/online...s-and-surveys/
    ... rogue tweets on Twitter baiting whoever is interested in Evolve:
    > https://blog.malwarebytes.org/fraud-...ed-by-malware/
    ... a quite rare phishing campaign that targets accounts of Japanese gamers who have profiles under Square Enix:
    > https://blog.malwarebytes.org/fraud-...-video-gamers/
    ... an infection via malicious code injection on the official website of renowned British celebrity chef... the site launches exploits targeting vulnerabilities on Adobe Flash, Silverlight, and Java:
    > https://blog.malwarebytes.org/exploi...o-exploit-kit/
    ... a compromise on RedTube, a top adult entertainment site. It was injected with a rogue iframe that directs visitors to the download and execution of an Angler exploit kit variant. The said EK targets Flash and Silverlight vulnerabilities:
    > https://blog.malwarebytes.org/exploi...ts-to-malware/
    ... Malwarebytes Labs Team."

    Last edited by AplusWebMaster; 2015-02-24 at 22:43.

  7. #647

    Fake Invoice SPAM - doc malware, 7,038 new vulnerabilities 2014...

    FYI...

    Fake Invoice SPAM - doc malware
    - http://blog.dynamoo.com/2015/02/malw...d-invoice.html
    24 Feb 2015 - "This -fake- invoice is not from Berendsen UK Ltd but is a simple forgery. They are not sending out the spam and their systems have not been compromised in any way. Instead, this email has a malicious Word document attached.
    From: donotreply@ berendsen .co .uk
    Date: 24 February 2015 at 08:09
    Subject: Berendsen UK Ltd Invoice 60020918 117
    Dear Sir/Madam,
    Please find attached your invoice dated 21st February.
    All queries should be directed to your branch that provides the service. This detail can be found on your invoice.
    Thank you...


    I have only seen one sample of this email, with a Word document IRN001549_60020918_I_01_01.doc which has a -zero- detection rate*. Contained within this is a malicious Word macro which downloads a component from the following location:
    http ://heikehall .de/js/bin.exe
    This binary has a VirusTotal detection rate of 2/57**. Automated analysis tools... show that it attempts to phone home to:
    92.63.87.13 (MWTV, Latvia)
    5.196.241.196 (OVH, Ireland)
    66.110.179.66 (Microtech Tel, US)
    202.44.54.5 (World Internetwork Corporation, Thailand)
    78.140.164.160 (Webazilla, US)
    31.160.233.212 (KPN, Netherlands)
    185.14.30.98 (UA Servers, Ukraine)
    86.104.134.156 (One Telecom, Moldova)
    MWTV have featured several times on this blog. A close examination of their 92.63.80.0/20 block indicates a mix of legitimate and illegitimate sites, however the bad sites are concentrated in the following ranges:
    92.63.82.0/23
    92.63.84.0/22
    92.63.88.0/24
    In addition to this, the malware attempts to drop a Dridex DLL which is widely detected by AV vendors with a detection rate of 30/57***.
    Recommended blocklist:
    92.63.82.0/23
    92.63.84.0/22
    92.63.88.0/24
    5.196.241.196
    66.110.179.66
    202.44.54.5
    78.140.164.160
    31.160.233.212
    185.14.30.98
    86.104.134.156
    "
    * https://www.virustotal.com/en/file/1...is/1424770482/

    ** https://www.virustotal.com/en/file/5...is/1424770511/

    *** https://www.virustotal.com/en/file/a...is/1424772155/

    - http://myonlinesecurity.co.uk/izabel...d-doc-malware/
    24 Feb 2015 - "'Izabela Pachucka Arsenal LTD document do confirm' pretending to come from Izabela Pachucka <pachuckaizabela@ arsenalltd .pl> with a malicious word doc attachment is another one from the current bot runs...
    Screenshot: http://myonlinesecurity.co.uk/wp-con...a-Pachucka.png
    The malware attached to this series of emails is exactly the same as in today’s Berendsen UK Ltd Invoice 60020918 117 – Word doc malware although renamed as roexport.doc* or roexport.xls..."
    * http://myonlinesecurity.co.uk/berend...d-doc-malware/

    Screenshot: http://myonlinesecurity.co.uk/wp-con...n-1024x682.png
    ___

    Fake Order SPAM - doc malware
    - http://myonlinesecurity.co.uk/andrew...d-doc-malware/
    24 Feb 2015 - "'Board Order – PO15028' pretending to come from Andrew Manville <andy@ icotherm .co .uk> with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...er-PO15028.png

    ... exactly the -same- as the attachments to today’s other malicious word and excel macros Izabela Pachucka Arsenal LTD document do confirm – Word doc malware* and Berendsen UK Ltd Invoice 60020918 117 – Word doc malware** although re-named as SCAN_20150224_100752437.doc or SCAN_20150224_100752437.xls ..."
    * http://myonlinesecurity.co.uk/izabel...d-doc-malware/

    ** http://myonlinesecurity.co.uk/berend...d-doc-malware/
    ___

    Fake 'Time Sheet' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/bobby-...e-pdf-malware/
    24 Feb 2015 - "'Time Sheet' pretending to come from hartsellb@ mtpleasantnc .us with a zip attachment is another one from the current bot runs... The email looks like:
    Sorry again this time it has a attachment.
    Thanks
    Bobby


    24 February 2015: 2-9-15 to 2-15-15.zip: Extracts to: 2-9-15 to 2-15-15.exe
    Current Virus total detections: 8/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1424785308/
    ... Behavioural information
    TCP connections
    216.146.39.70: https://www.virustotal.com/en/ip-add...0/information/
    181.189.152.131: https://www.virustotal.com/en/ip-add...1/information/
    199.116.77.164: https://www.virustotal.com/en/ip-add...4/information/
    181.189.152.131: https://www.virustotal.com/en/ip-add...1/information/

    - http://threattrack.tumblr.com/post/1...ime-sheet-spam
    Feb 24, 2015
    ___

    Fake 'EFT Notification' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/town-o...e-pdf-malware/
    24 Feb 2015 - "'TOWN OF MT PLEASANT, here is your EFT Notification' pretending to come from finance_ap@ cabarruscounty .us with a zip attachment is another one from the current bot runs... The email is very basic and terse and simply has this in the body :

    live-842000_12-17-2014-PE-E.pdf

    24 February 2015: live-842000_12-17-2014-PE-E.zip:
    Extracts to: live-842000_12-17-2014-PE-E.exe
    Current Virus total detections: 7/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1424793555/
    ... Behavioural information
    TCP connections
    216.146.38.70: https://www.virustotal.com/en/ip-add...0/information/
    181.189.152.131: https://www.virustotal.com/en/ip-add...1/information/
    46.30.212.175: https://www.virustotal.com/en/ip-add...5/information/
    181.189.152.131: https://www.virustotal.com/en/ip-add...1/information/
    UDP communications
    66.228.45.110: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake FedEx SPAM - trojan
    - http://blog.mxlab.eu/2015/02/23/fake...ntains-trojan/
    Feb 23, 2015 - "... intercepted a new trojan distribution campaign by email with the subjects similar to:
    Reese Torres agent Fedex
    Dylan Livingstone agent Fedex

    This email is sent from the spoofed address “Fedex <fedexservice@ juno .com>” and has the following body:
    Dear Customer,
    We tried to deliver your item on February 22th, 2014, 08:15 AM.
    The delivery attempt failed because the address was business closed or nobody could sign for it.
    To pick up the package,please, print the receipt that is attached to this email and visit Fedex location indicated in the invoice.
    If the package is not picked up within 48 hours, it will be returned to the shipper.
    Label/Receipt Number: 44364578782324455
    Expected Delivery Date: February 22th, 2014
    Class: International Package Service
    Service(s): Delivery Confirmation
    Status: Notification sent
    Thank you
    Copyright© 2015 FEDEX. All Rights Reserved...


    The attached file Package.zip contains the 78 kB large file 443645787823424455.scr. The trojan is known as HEUR:Trojan.Win32.Generic or Win32.Trojan.Inject.Auto. At the time of writing, 5 of the 57 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/0...b23b/analysis/
    ... Behavioural information
    UDP communications
    134.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    7,038 new security vulnerabilities - 2014 stats
    - http://www.gfi.com/blog/most-vulnera...tions-in-2014/
    Feb 18, 2015 - "... 7,038 -new- security vulnerabilities were added to the NVD database in 2014. This means an average of 19 new vulnerabilities per day. The number is significantly higher than in 2013 and continues the ascending trend over the past few years.
    > http://www.gfi.com/blog/wp-content/u...ties-09-14.jpg
    24% of these vulnerabilities are rated as high severity. The percentage is lower than in 2013, but the actual number of high security vulnerabilities has -increased- compared to last year.
    > http://www.gfi.com/blog/wp-content/u...rabilities.jpg
    Third-party applications are the most important source of vulnerabilities with over 80% of the reported vulnerabilities in third-party applications. Operating systems are only responsible for 13% of vulnerabilities and hardware devices for 4%.
    > http://www.gfi.com/blog/wp-content/u...oduct-type.jpg
    Top operating systems by vulnerabilities reported in 2014
    > http://www.gfi.com/blog/wp-content/u...2/OS-chart.jpg
    Top applications by vulnerabilities reported in 2014
    > http://www.gfi.com/blog/wp-content/u...tion-chart.jpg
    ... Not surprisingly at all, web browsers continue to have the most security vulnerabilities because they are a popular gateway to access a server and to spread malware on the clients. Adobe free products and Java are the main challengers but web browsers have continuously topped the table for the last six years. Mozilla Firefox had the most vulnerabilities reported in 2009 and 2012; Google Chrome in 2010 and 2011; Internet Explorer was at the top for the last two years.
    To keep systems secure, it is -critical- that they are fully patched. IT admins should focus on (patch them first):
    - Operating systems (Windows, Linux, OS X)
    - Web browsers
    - Java
    - Adobe free products (Flash Player, Reader, Shockwave Player, AIR).
    Vulnerability and patch management should be priority tasks for every sysadmin. Microsoft’s updates are -not- enough because third-party applications are just as problematic..."

    Last edited by AplusWebMaster; 2015-02-25 at 04:47.

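    The Upatre runs quoted in the posts above all rely on the same trick: an executable whose name or icon imitates a PDF, spreadsheet or audio file (invoice_pdf.exe, quotes.exe, 2-9-15 to 2-15-15.exe, a .scr inside Package.zip). The Python script below is an added example written for this page; it is not code from the forum author or from the blogs quoted. It lists the members of a ZIP attachment without extracting them and flags names that end in an extension Windows will execute, names that carry a document-type hint before that extension, and names containing non-ASCII lookalike characters. The extension sets, the helper names and the sample archive are constructed for the example.

```python
"""Attachment triage: flag executables hiding behind document-looking names inside a ZIP."""
import io
import re
import unicodedata
import zipfile

# Extensions Windows will execute on double-click (subset, assumed for this example).
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
            "wsf", "wsh", "hta", "jar", "cpl", "msi"}
# Document and media types the spam runs above imitate with a spoofed icon or a double extension.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "mp3", "jpg", "png", "txt"}
TOKEN_RE = re.compile(r"[._\-\s]+")


def suspicious_chars(name):
    """Characters outside printable ASCII, with their Unicode names (lookalike digits and letters)."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in name if ord(c) > 0x7E or ord(c) < 0x20]


def triage_name(name):
    """Return the reasons a member name looks like a disguised executable; an empty list means no flag."""
    base = name.rsplit("/", 1)[-1]                      # ignore directories inside the archive
    tokens = [t for t in TOKEN_RE.split(base.lower()) if t]
    reasons = []
    if len(tokens) > 1 and tokens[-1] in EXEC_EXT:
        reasons.append(f"executable extension .{tokens[-1]}")
        hints = [t for t in tokens[:-1] if t in DECOY_EXT]
        if hints:
            reasons.append("document-type hint before it: " + ", ".join(hints))
    odd = suspicious_chars(base)
    if odd:
        reasons.append("non-ASCII characters: " + ", ".join(f"{c} ({n})" for c, n in odd))
    return reasons


def triage_zip(data):
    """Map every member of a ZIP (given as bytes) to its reasons, reading only the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: triage_name(info.filename) for info in zf.infolist()}


def flagged_members(results):
    """Sorted names of members that got at least one reason."""
    return sorted(name for name, reasons in results.items() if reasons)


def build_sample_zip():
    """Constructed sample archive (not a real attachment) with three members mirroring the patterns above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_pdf.exe", b"MZ" + b"\0" * 62)          # icon-spoofing name, fake PE stub
        zf.writestr("fax_2342\u0431.wav.exe", b"MZ" + b"\0" * 62)  # double extension plus Cyrillic 'be'
        zf.writestr("quotes.xlsx", b"PK\x03\x04")                   # benign-looking name, no flags
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons) or "ok")
```

    The check deliberately never extracts or opens a member: the central directory already carries every name, so a mail gateway or a triage script can run this on the raw attachment bytes. A member that passes all three checks is not proven clean (a macro document has an honest .doc name), so treat the result as a first filter, not a verdict.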
  8. #648

    Fake 'LogMeIn' SPAM, Copy .com used by CryptoRansomware, Dropbox malware

    FYI...

    Fake 'LogMeIn' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/02/malw...o-payment.html
    25 Feb 2015 - "This -fake- financial email does not come from LogMeIn, instead it has a malicious attachment:
    From: LogMeIn .com [no_reply@ logmein .com]
    Date: 25 February 2015 at 08:52
    Subject: Your LogMeIn Pro payment has been processed!
    Dear client,
    Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
    Your credit card has been successfully charged.
    Date : 25/2/2015
    Amount : $999 ( you saved $749.75)
    The transaction details can be found in the attached receipt.
    Your computers will be automatically upgraded the next time you sign in.
    Thank you for choosing LogMeIn!


    Attached is a malicious Excel document called logmein_pro_receipt.xls with a VirusTotal detection rate of 0/56*. Usually in a spam run like this there are several different versions of the document but so far I have only seen one, containing this malicious macro. The macro downloads a file from:
    http ://junidesign .de/js/bin.exe
    This is saved as %TEMP%\GHjkdfg.exe and has a VirusTotal detection rate of 3/57**. Automated analysis tools... show this calling home to the following IPs:
    92.63.87.13 (MTWV, Latvia)
    86.104.134.156 (One Telecom, Moldova)
    217.12.203.34 (ITL, Bulgaria)
    108.61.165.19 (Choopa LLC, Netherlands)
    5.196.241.196 (OVH, Ireland)
    66.110.179.66 (Microtech Tel, US)
    202.44.54.5 (World Internetwork Corporation, Thailand)
    95.163.121.179 (Digital Networks aka DINETHOSTING, Russia)
    59.97.137.171 (Broadband Multiplay, India)
    78.140.164.160 (Webazilla, US)
    107.181.174.104 (Colo at 55, US / UA Servers, Ukraine)
    ... The Malwr report shows that among other activities, this drops an executable that seems to be another version of itself [VT 3/57***] and a malicious DLL which is probably a Dridex component [VT 4/57****].
    Recommended blocklist:
    92.63.82.0/23
    92.63.84.0/22
    92.63.88.0/24
    86.104.134.156
    217.12.203.34
    108.61.165.19
    5.196.241.196
    66.110.179.66
    202.44.54.5
    95.163.121.179
    59.97.137.171
    78.140.164.160
    107.181.174.104
    "
    * https://www.virustotal.com/en/file/2...is/1424856686/

    ** https://www.virustotal.com/en/file/1...is/1424856906/

    *** https://www.virustotal.com/en/file/e...is/1424858127/

    **** https://www.virustotal.com/en/file/9...is/1424858199/

    - http://myonlinesecurity.co.uk/your-l...sheet-malware/
    25 Feb 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...-processed.png

    Fake emails mimic LogMeIn receipts
    - http://blog.logmein.com/products/phi...gmein-receipts
    Feb 17, 2015
    ___

    Copy .com used to distribute Crypto Ransomware
    - https://isc.sans.edu/diary.html?storyid=19371
    2015-02-25 01:04:23 UTC - "Thanks to Marco for sending us a sample of yet another piece of crypto-ransom malware. The file was retrieved after visiting a compromised site (www .my-sda24 .com). Interestingly, the malware itself was stored on copy .com. Copy .com is a cloud based file sharing service targeting corporate users. It is run by Barracuda, a company also known for its e-mail and web filtering products that protect users from just such malware. To its credit, Barracuda removed the malware within minutes of Marco finding it. At least right now, detection for this sample is not great. According to Virustotal, 8 out of 57 virus engines identify the file as malicious [1]. A URL blacklist approach may identify the original site as malicious, but copy .com is unlikely to be blocked. It has become very popular for miscreants to store malicious files on cloud services, in particular if they offer free trial accounts. Not all of them are as fast as Barracuda in removing these files."

    1] https://www.virustotal.com/en/file/1...adf4/analysis/

    146.185.221.150: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Dropbox SPAM - malware
    - http://blog.dynamoo.com/2015/02/malw...shared-mt.html
    25 Feb 2015 - "This spam leads to a malware download via Dropbox.
    From: Info via Dropbox
    Reply-To: hcm0366@ gmail .com
    Date: 25 February 2015 at 05:38
    Subject: Info Chemicals shared "MT 103_PO_NO!014.zip" with you
    Signed by: dropbox .com
    From Info:
    "Good day ,
    How are you today
    pls check attached, my manager had requested I email you our new order details together with TT copy of balance payment. Kindly confirm in return.
    regards,
    Frank Manner
    Broad Oak Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
    Registered No. 1971053 England & Wales...


    The email has been digitally signed by Dropbox (which means exactly nothing) and is -spoofing- the wholly legitimate Broad Oak Ltd who have been a target of this sort of thing several times before. In this case, the link in the email goes to:
    https ://www .dropbox .com/l/dFxVxjuDRo3j2oANVURy2v
    and then to
    https ://www .dropbox .com/s/fnsprei93c45ts6/MT%20103_PO_NO!014.zip
    Which leads to a malicious EXE file called MT 103_PO_NO!014.zip. Inside that is the malware itself, a file .pdf.scr which has a detection rate of 11/57*. According to the Malwr report it drops another executable with a detection rate of 9/57**. The payload looks similar to the Zeus trojan. Also, according to Malwr and ThreatExpert it attempts to communicate with an apparent web-to-Tor gateway at
    mmc65z4xsgbcbazl .onion .am
    onion .am is hosted on 37.220.35.39 (YISP Colo, Netherlands)... Be aware that there are probably many other Dropbox locations in use for this spam run. If you see more, I suggest you forward the email to abuse -at- dropbox.com ..."
    * https://www.virustotal.com/en/file/e...is/1424849825/

    ** https://www.virustotal.com/en/file/9...is/1424850664/
    ___

    Fake 'eFax message' SPAM - malware
    - http://myonlinesecurity.co.uk/efax-m...e-pdf-malware/
    25 Feb 2015 - "'eFax message from “POTS modem 2 ” – 1 page(s), Caller-ID: 1-630-226-2563' pretending to come from message@ inbound .efax .com with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...TS-modem-2.png

    25 February 2015: fax_2342.zip: Extracts to: fax_2342.exe
    Current Virus total detections: 19/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1424883423/
    ... Behavioural information
    TCP connections
    216.146.43.70: https://www.virustotal.com/en/ip-add...0/information/
    181.189.152.131: https://www.virustotal.com/en/ip-add...1/information/
    188.65.112.97: https://www.virustotal.com/en/ip-add...7/information/
    181.189.152.131: https://www.virustotal.com/en/ip-add...1/information/
    UDP communications
    77.72.169.166: https://www.virustotal.com/en/ip-add...6/information/
    77.72.169.167: https://www.virustotal.com/en/ip-add...7/information/

    Last edited by AplusWebMaster; 2015-02-25 at 21:38.

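    The Dridex posts above (#647 and this one) end with a "Recommended blocklist" that mixes CIDR ranges and single IPs, and the Superfish post lists its ranges the same way. Checking a firewall or proxy log against such a list by plain string comparison misses hosts inside a range: 92.63.87.13 is never listed on its own, but falls inside 92.63.84.0/22. The Python below is an added example written for this page, not code from the forum author or from the blogs quoted. It parses a blocklist in that format with the standard ipaddress module, collapses entries already covered by a wider range, and scans log lines for destinations that fall inside any entry. The blocklist excerpt and the log lines are constructed for the example; 66.70.35.200 is a made-up neighbour of the Superfish ranges, included to show that only listed entries match.

```python
"""Check observed destination IPs against a blocklist of CIDR ranges and single addresses."""
import ipaddress
import re

# Constructed excerpt in the format of the blocklists quoted above (ranges and bare IPs, one per line).
BLOCKLIST_TEXT = """
# Dridex phone-home ranges and hosts (from the posts above)
92.63.82.0/23
92.63.84.0/22
92.63.88.0/24
92.63.87.13
5.196.241.196
78.140.164.160
# Superfish infrastructure
66.70.35.240/28
66.70.34.64/26
66.70.34.128/26
66.70.34.251
"""

# Dotted quad not glued to further digits or dots on either side.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def parse_blocklist(text):
    """One entry per line; '#' starts a comment; bare IPs become /32 networks."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def collapse(nets):
    """Drop entries already inside a wider range and merge adjacent ranges where they align."""
    return list(ipaddress.collapse_addresses(nets))


def match_ip(ip, nets):
    """Every blocklist entry that contains ip (empty list if none)."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if addr in n]


def scan_log(lines, nets):
    """(ip, matched_entry, line) for every dotted quad in the lines that falls inside the list."""
    hits = []
    for line in lines:
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:          # 300.1.2.3 matches the regex but is not an address
                continue
            matched = [n for n in nets if addr in n]
            if matched:
                hits.append((token, str(matched[0]), line))
    return hits


# Constructed sample firewall log lines, not taken from the page.
SAMPLE_LOG = [
    "2015-02-25T09:01:02 src=10.1.4.22 dst=92.63.87.13 dport=443 action=allow",
    "2015-02-25T09:01:05 src=10.1.4.22 dst=66.70.34.251 dport=80 action=allow",
    "2015-02-25T09:01:09 src=10.1.4.22 dst=66.70.35.200 dport=80 action=allow",
    "2015-02-25T09:02:11 src=10.1.4.23 dst=8.8.8.8 dport=53 action=allow",
]

if __name__ == "__main__":
    nets = collapse(parse_blocklist(BLOCKLIST_TEXT))
    for ip, entry, line in scan_log(SAMPLE_LOG, nets):
        print(f"{ip} is inside {entry}: {line}")
```

    Collapsing first matters when the list is pushed to a device with a limited rule count, and it also shows which single hosts the ranges already cover. Note the last sample line: 66.70.35.200 sits next to the Superfish ranges but is not inside any listed entry, so it produces no hit; a blocklist only catches what it names.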
  9. #649

    cPanel PHISH, Fake 'Voice Message', 'Copy Invoices' SPAM

    FYI...

    cPanel ‘Account Suspended’ PHISH serves exploits
    - https://blog.malwarebytes.org/exploi...rves-exploits/
    Feb 26, 2015 - "cPanel is one of the most popular web hosting control panels out there. It allows administrators to manage their website(s) using a graphical front end, perform maintenance and review important logs among other things. cPanel also has a user interface for CGI (short for Common Gateway Interface) typically used to run scripts and generate dynamic content. One such script populates a fairly well-known (and somewhat dreaded) page known as the “Account Suspended” page:
    > https://blog.malwarebytes.org/wp-con...suspended1.png
    Visitors to a site are -redirected- to this screen for one of many reasons ranging from the site owner’s failure to pay for his hosting, violating the Terms and Conditions, or perhaps exceeding their allocated bandwidth... The page itself is made of HTML code, and can be edited by an administrator, often via a Web Host Manager (WHM). Many sites that were once used to distribute malware and have been suspended will sport that kind of page. One would assume that the site would now be harmless, since the hosting provider has already taken action. If you aren’t looking at the URL carefully (the suspended page should be displayed at the root of the domain) and assumed so, you might just run into a case where the site is actually fully compromised and still active... The injected iframe redirects straight to a Fiesta exploit kit landing page. The landing page usually performs various checks and prepares the exploits that are going to get fired at the victim. As is often the case with exploit kits, that page is heavily obfuscated to make identification a little bit more difficult... This case is a reminder not to trust a book by its cover and always exercise caution. Attackers were clever to hide the malicious redirect code where they did because they might trick someone into brushing off the site as “already terminated by the hosting provider”, when in fact it’s not. They might have fooled some, but they didn’t fool us..."
    (More detail at the malwarebytes URL at the top.)
    ___

    Fake 'Voice Message' SPAM - wav malware
    - http://myonlinesecurity.co.uk/ring-c...e-wav-malware/
    26 Feb 2015 - "'New Voice Message from No Caller ID on 25/02/2015 at 16:25' pretending to come from notify-uk@ ringcentral .com with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ce-message.png

    26 February 2015: NoCallerID-1218-162550-153.wav.zip:
    Extracts to: NoCallerID-1218-162550-1536.wav.exe
    Current Virus total detections: 0/57*. The extracted file name is actually NoCallerID-1218-162550-153б.wav.exe (if you look closely, you can see that the 6 is not the number six at all but a foreign language character that looks like a number 6). This can cause analysis problems with some of the auto analysers, which have crashed trying to analyse this one, and an error on some Windows systems, possibly leading to the file auto-running. This is another one of the spoofed icon files that, unless you have “show known file extensions enabled”, will look like a proper wav (voice or music) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1424938264/
    ... Behavioural information
    TCP connections
    81.177.139.53: https://www.virustotal.com/en/ip-add...3/information/
    95.211.144.65: https://www.virustotal.com/en/ip-add...5/information/
    92.63.87.13: https://www.virustotal.com/en/ip-add...3/information/
    80.150.6.138: https://www.virustotal.com/en/ip-add...8/information/
    UDP communications
    134.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Copy Invoices' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/02/malw...-christou.html
    26 Feb 2015 - "This -fake- invoice spam comes with a malicious attachment:
    From: Chris Christou [chris.christou@ greysimmonds .co.uk]
    Date: 26 February 2015 at 10:45
    Subject: Copy invoices
    Hello ,
    Please find copy invoices attached as per our telephone conversation.
    Kind regards,
    Chris
    Chris Christou
    Credit Control
    Grey Simmonds
    Cranes Point
    Gardiners Lane South
    Basildon
    Essex SS14 3AP
    Tel: 0845 130 9070
    Fax: 0845 370 9071...


    It does -NOT- come from Grey Simmonds, nor have their systems been compromised in any way. Instead, this is a simple forgery. I have only seen one sample so far, with an attachment IGM135809.doc [detection rate 0/57*] which contains this malicious macro... which downloads a further component from:
    http ://xomma .net/js/bin.exe
    This is saved as %TEMP%\GVhjJJVJH.exe and has a VirusTotal detection rate of 4/56**. Automated analysis tools... show it attempting to phone home to the following IPs:
    92.63.87.13 (MWTV, Latvia)
    78.140.164.160 (Webazilla, US)
    86.104.134.156 (One Telecom, Moldova)
    104.232.32.119 (Net 3, US)
    This Malwr report shows dropped files with an MD5 of 590fc032ac747d970eb8818671f2bbd3 [VT 3/57***] and 1997b0031ad702c8347267db0ae65539 [VT 4/57****].
    Recommended blocklist:
    92.63.82.0/23
    92.63.84.0/22
    92.63.88.0/24
    78.140.164.160
    86.104.134.156
    104.232.32.119
    "
    * https://www.virustotal.com/en/file/7...is/1424948249/

    ** https://www.virustotal.com/en/file/c...is/1424948263/

    *** https://www.virustotal.com/en/file/4...553d/analysis/

    **** https://www.virustotal.com/en/file/7...accb/analysis/


    - http://myonlinesecurity.co.uk/chris-...sheet-malware/
    26 Feb 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...y-invoices.png
    ___

    Fake email SPAM - malware attached
    - http://myonlinesecurity.co.uk/nicola...e-pdf-malware/
    26 Feb 2015 - "'NicolaR RA 069767 (random numbers)' pretending to come from NicolaR@ jhs. co.uk with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con.../RA-069767.png

    26 February 2015: RA_New.zip: Extracts to: RA_New.exe
    Current Virus total detections: 2/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1424955113/
    ___

    Fake 'Sales Invoice' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/worldw...e-pdf-malware/
    26 Feb 2015 - "'Your Sales Invoice' pretending to come from donotreply@ worldwind .co.uk with a zip attachment is another one from the current bot runs... The email looks like:

    Your document is attached with our regards.
    The document is in PDF format and requires Adobe Reader to view ...


    26 February 2015: 131234.zip: Extracts to: 131234.exe
    Current Virus total detections: 7/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...is/1424964940/
    ... Behavioural information
    TCP connections
    216.146.43.70: https://www.virustotal.com/en/ip-add...0/information/
    181.189.152.131: https://www.virustotal.com/en/ip-add...1/information/
    89.248.61.60: https://www.virustotal.com/en/ip-add...0/information/
    181.189.152.131: https://www.virustotal.com/en/ip-add...1/information/
    UDP communications
    217.10.68.152: https://www.virustotal.com/en/ip-add...2/information/
    217.116.122.136: https://www.virustotal.com/en/ip-add...6/information/

    Last edited by AplusWebMaster; 2015-02-26 at 23:53.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
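    The "Voice Message", "NicolaR", and "Sales Invoice" items above all rely on the same two tricks: a decoy extension in front of the real .exe, and (in the .wav case) a Cyrillic letter standing in for a Latin digit so the name survives a casual glance. The following mail-gateway style check is an added example written for this thread, not code from any of the quoted blogs; the extension lists and the sample filenames are constructed for illustration, and it only judges the name, so macro-bearing .doc attachments still need content inspection.

```python
import os
import unicodedata

# Extensions Windows will execute directly when the attachment is double-clicked.
# Constructed list for this example; extend to taste.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe"}

# Harmless-looking extensions used as the decoy half of a "name.pdf.exe" double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".wav", ".mp3", ".jpg", ".png", ".txt", ".htm", ".html"}


def analyze_attachment_name(name):
    """Return a list of human-readable reasons the filename looks like a disguised executable.

    An empty list means the *name* shows nothing suspicious; the file content
    (e.g. a Word macro inside an otherwise ordinary .doc) is not examined here.
    """
    findings = []
    lower = name.lower()
    stem, final_ext = os.path.splitext(lower)   # "x.wav.exe" -> ("x.wav", ".exe")
    _, inner_ext = os.path.splitext(stem)       # "x.wav"     -> ("x", ".wav")

    if final_ext in EXECUTABLE_EXTS:
        if inner_ext in DECOY_EXTS:
            findings.append("double extension: %s file disguised as %s" % (final_ext, inner_ext))
        else:
            findings.append("executable attachment: %s" % final_ext)

    # Report every character outside printable ASCII: a Cyrillic letter that
    # resembles a Latin digit is invisible in most mail clients and file managers.
    for ch in name:
        code = ord(ch)
        if code < 0x20 or code > 0x7E:
            findings.append("non-ASCII character U+%04X (%s) in name"
                            % (code, unicodedata.name(ch, "unnamed")))
    return findings


def scan_attachment_names(names):
    """Map each suspicious filename to its findings; clean names are omitted."""
    result = {}
    for n in names:
        f = analyze_attachment_name(n)
        if f:
            result[n] = f
    return result


if __name__ == "__main__":
    # Constructed sample names modelled on the attachments discussed in the post.
    samples = [
        "NoCallerID-1218-162550-153\u0431.wav.exe",   # U+0431 is Cyrillic "be", not a 6
        "RA_New.exe",
        "131234.zip",
        "Invoice 0215.doc",
        "Pearl UK Summer Offer Sheet 2015.exe",
    ]
    for name, reasons in scan_attachment_names(samples).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

    The check is deliberately name-only so it can run before the archive is even unpacked: a gateway that sees ".wav.exe" or any non-ASCII code point in an attachment name inside a zip can quarantine on that alone, which is cheaper than sandboxing every file.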

  10. #650 AplusWebMaster
    Thumbs down Bogus Search Engine, Fake 'Invoice', 'Offer Sheet' , 'eFax message' SPAM

    FYI...

    Bogus Search Engine leads to Exploits
    - https://blog.malwarebytes.org/online...s-to-exploits/
    Feb 27, 2015 - "... Sadly, devious software makers are using all the tricks in the books to fool users into installing their programs. Even when you take all the precautions necessary and never download anything from an untrusted source, you could still end up with Adware. The recent Lenovo/Superfish fiasco is a good example of that. Brand new computers were pre-installed with Adware that surreptitiously injected ads into the browser by introducing vulnerabilities, in an almost undetectable way. Adware is not only annoying but can also weaken a computer’s security status. Today, we have another case to prove that point. Potentially Unwanted Programs often install a search assistant (or rather a browser and search -hijacker-) on people’s machines:
    > https://blog.malwarebytes.org/wp-con...bfindfast2.png
    The idea is simple: To redirect people’s searches to affiliates or other sponsors and earn pay-per-click commissions. This one is hosted at webfindfast .com*:
    > https://blog.malwarebytes.org/wp-con...2/searches.png
    For the end-user, the search experience is simply terrible but yet not the end of their troubles. In this case, clicking on any link results in a -redirection- to an exploit kit landing page, quickly followed by malware... As usual, after several convoluted redirects, the user ends up on the door step of the famous Angler exploit kit... Vulnerable computers are infected with a piece of malware detected as Trojan.Crypt.NKN by Malwarebytes Anti-Malware. It will install a rogue Antivirus program known as 'Malware Defender 2015' and pull up a purchase page from an IP address located in Istanbul (176.53.125.20)**... The lesson to learn from this is to once again stay away from bundled software and other programs that appear to be free but come with a catch. Also, if you’re starting to see a different home page or search engine than you used to, you should make sure your browser has not been altered in some way."
    * 136.243.24.248: https://www.virustotal.com/en/ip-add...8/information/

    ** 176.53.125.20: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Invoice' SPAM - doc malware
    - http://blog.dynamoo.com/2015/02/malw...inv650988.html
    27 Feb 2015 - "This -fake- invoice email is not from Dennys but is a simple forgery with a malicious attachment. Dennys are not sending the spam, and their systems have not been compromised in any way.
    From: accounts@ dennys .co.uk
    Date: 27 February 2015 at 09:14
    Subject: Dennys Invoice INV650988
    To view the attached document, you will need the Microsoft Word installed on your system.


    So far I have only seen a single sample, with an attachment INV650988.doc which has a VirusTotal detection rate of exactly zero*. This contains this malicious macro... which downloads another component from the following location:
    http ://hew.homepage.t-online. de/js/bin.exe
    This is saved as %TEMP%\324235235.exe and has a VirusTotal detection rate of 1/57**.
    According to the Malwr report, this executable then goes on and downloads another version of itself and a config file from:
    http ://apartmentprofile .su/conlib.php
    http ://paczuje.cba .pl/java/bin.exe
    It drops several files, KB2896~1.EXE [VT 3/57***], edg2.exe [VT 3/57****] and a Dridex DLL which is much more widely detected (and we saw this same DLL yesterday)... Between the Malwr and VirusTotal analyses, we see attempts to communicate with the following IPs:
    198.52.200.15 (Centarra Networks, US)
    95.211.144.65 (Leaseweb, Netherlands)
    195.114.0.64 (SuperHost.pl, Poland)
    92.63.87.13 (MWTV, Latvia)
    78.140.164.160 (Webazilla, US)
    59.97.137.171 (Broadband Multiplay Project, India)
    104.232.32.119 (Net 3, US)
    Some of these are shared hosting, I recommend for maximum protection that you apply the following blocklist:
    92.63.82.0/23
    92.63.84.0/22
    92.63.88.0/24
    198.52.200.15
    78.140.164.160
    59.97.137.171
    104.232.32.119
    "
    * https://www.virustotal.com/en/file/4...is/1425029078/

    ** https://www.virustotal.com/en/file/0...is/1425029464/

    *** https://www.virustotal.com/en/file/d...is/1425031075/

    **** https://www.virustotal.com/en/file/a...is/1425031099/


    - http://myonlinesecurity.co.uk/dennys...sheet-malware/
    27 Feb 2015
    > https://www.virustotal.com/en/file/4...is/1425027918/
    ___

    Fake 'Offer Sheet' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/pearl-...e-pdf-malware/
    27 Feb 2015 - "'Pearl Summer Offer Sheet' pretending to come from maikel.theunissen@ pearleurope .com with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ffer-Sheet.png

    27 February 2015: Pearl UK Summer Offer Sheet 2015.zip: Extracts to: Pearl UK Summer Offer Sheet 2015.exe
    Current Virus total detections: 0/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1425039221/
    ... Behavioural information
    TCP connections
    216.146.43.70: https://www.virustotal.com/en/ip-add...0/information/
    181.189.152.131: https://www.virustotal.com/en/ip-add...1/information/
    192.185.86.160: https://www.virustotal.com/en/ip-add...0/information/
    181.189.152.131: https://www.virustotal.com/en/ip-add...1/information/
    UDP communications
    107.23.150.92: https://www.virustotal.com/en/ip-add...2/information/
    107.23.150.99: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake 'eFax message' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/efax-m...e-pdf-malware/
    27 Feb 2015 - "'eFax message from “unknown” – 1 page(s), Caller-ID: 1-219-972-8538' pretending to come from message@ inbound .efax .com with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...n-1024x610.png

    27 February 2015: FAX_20150226_1424989043_176.zip: Extracts to: FAX_20150226_1424989043_176.exe
    Current Virus total detections: 4/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1425056870/
    ... Behavioural information
    TCP connections
    91.198.22.70: https://www.virustotal.com/en/ip-add...0/information/
    181.189.152.131: https://www.virustotal.com/en/ip-add...1/information/
    192.185.106.103: https://www.virustotal.com/en/ip-add...3/information/
    UDP communications
    217.10.68.152: https://www.virustotal.com/en/ip-add...2/information/

    Last edited by AplusWebMaster; 2015-02-28 at 02:03.
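    The Dennys 'Invoice' item above lists seven IPs the sample contacted but recommends blocking only some of them, partly as CIDR ranges, because the rest are shared hosting. The script below is an added example for this thread, not code from Dynamoo or any of the quoted sites: it checks which of the observed IPs the published blocklist actually covers and then runs the same blocklist over a few constructed firewall log lines (the `dst=` field format is an assumption for the example).

```python
import ipaddress
import re

# Blocklist exactly as published in the quoted post above; bare IPs become /32.
RECOMMENDED_BLOCKLIST = [
    "92.63.82.0/23",
    "92.63.84.0/22",
    "92.63.88.0/24",
    "198.52.200.15",
    "78.140.164.160",
    "59.97.137.171",
    "104.232.32.119",
]

# IPs the same post reports the sample attempting to contact.
OBSERVED_C2_IPS = [
    "198.52.200.15", "95.211.144.65", "195.114.0.64", "92.63.87.13",
    "78.140.164.160", "59.97.137.171", "104.232.32.119",
]


def build_blocklist(entries):
    """Parse CIDR strings and bare addresses into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def matching_entry(ip, networks):
    """Return the blocklist entry (as a string) that covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def coverage(observed, networks):
    """Map each observed IP to the entry blocking it; None means not covered."""
    return {ip: matching_entry(ip, networks) for ip in observed}


# Constructed firewall log lines (not from the page) with a dst=<ip> field.
SAMPLE_LOG = """\
2015-02-27 09:21:03 fw1 ALLOW proto=tcp src=10.0.0.17 dst=92.63.87.13 dport=80
2015-02-27 09:21:05 fw1 ALLOW proto=tcp src=10.0.0.17 dst=95.211.144.65 dport=443
2015-02-27 09:22:11 fw1 ALLOW proto=tcp src=10.0.0.42 dst=104.232.32.119 dport=8080
2015-02-27 09:23:40 fw1 ALLOW proto=udp src=10.0.0.42 dst=8.8.8.8 dport=53
"""

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def find_blocked_hits(log_text, networks):
    """Return (line_no, dst_ip, matched_entry) for each log line whose dst is blocklisted."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = DST_RE.search(line)
        if not m:
            continue
        entry = matching_entry(m.group(1), networks)
        if entry:
            hits.append((no, m.group(1), entry))
    return hits


if __name__ == "__main__":
    nets = build_blocklist(RECOMMENDED_BLOCKLIST)
    for ip, entry in coverage(OBSERVED_C2_IPS, nets).items():
        print("%-16s -> %s" % (ip, entry or "not on the published blocklist"))
    for no, ip, entry in find_blocked_hits(SAMPLE_LOG, nets):
        print("log line %d: %s matched %s" % (no, ip, entry))
```

    Running it shows that 92.63.87.13 is caught by the 92.63.84.0/22 range rather than by a single-host entry, while 95.211.144.65 (Leaseweb) and 195.114.0.64 (SuperHost.pl) are left out, which is the trade-off the post makes for shared hosting; those two are better handled as detection-only indicators than as firewall blocks.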
