
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #651 AplusWebMaster (Adviser Team, joined Oct 2005, USA, 6,881 posts)

    Fake 'Order/ Payment' SPAM, Fake job offer SPAM

    FYI...

    Fake 'Order/ Payment' SPAM – Java malware
    - http://myonlinesecurity.co.uk/lucy-c...-java-malware/
    1 Mar 2015 - "'lucy C Ulngaro New Order/ Payment' pretending to come from Admin <tareq@ msp .com.sa> with a jar attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...er-Payment.png

    1 March 2015: PO-2015-0123.jar: Current Virus total detections: 22/57*
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a zip file instead of the java file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1425193109/
    ___

    Fake job offer SPAM
    - http://blog.dynamoo.com/2015/02/fake...ctioncouk.html
    28 Feb 2015 - "This -fake- job offer claimed to be from a UK-based company called Trade Construction Company LLC using a website at tradeconstruction .co .uk. However, no such company exists in the UK, and this is a rip-off of a wholly legitimate US firm that is actually called Trade Construction Company LLC who are -not- involved in this scam at all.

    From: JOB ALERT [klakogroups@ gmail .com]
    Reply-To: klakogroups@ gmail .com
    To: Recipients [klakogroups@ gmail .com]
    Date: 27 February 2015 at 18:37
    Subject: NEW JOB VACANCIES IN LONDON.
    Trade Construction Company,
    L.L.C,
    70 Gracechurch Street.
    EC3V 0XL, London. UK
    We require the services of devoted and hardworking workers, who are ready to work after undergoing enlistment training. in all sectors
    as The Trade Construction Company Management intends to increase its man power base due to increasing number of customers and contract in the Company.
    Available Positions...


    ... The tradeconstruction .co.uk site is almost a bit-by-bit copy of the genuine tradeconstruction .com website.
    > https://4.bp.blogspot.com/-SqBEq8BOc...struction1.jpg
    ... Nothing about this job offer is legitimate. It does -not- come from who it appears to come from and should be considered to be a -scam- and avoided."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #652 AplusWebMaster

    Fake 'Secure Message' SPAM – malware

    FYI...

    Fake 'Secure Message' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/jp-mor...e-pdf-malware/
    2 Mar 2015 - "'JP Morgan Access Secure Message' pretending to come from JP Morgan Access <service@ jpmorgan .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Please check attached file(s) for your latest account documents regarding your online account.
    Forrest Blackwell
    Level III Account Management Officer
    817-140-6313 office
    817-663-8851 cell
    Forrest .Blackwell@ jpmorgan .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    2015 JPMorgan Chase & Co...


    2 March 2015: JP Morgan Access – Secure.zip : Extracts to: JP Morgan Access – Secure.scr
    Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1425314842/

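    The two posts above (#651 and #652) both turn on the same trick: the archive "extracts to" a .jar, .scr or .exe whose icon mimics a PDF or zip, and a hidden file extension hides the rest. The check below is an added example, not code from the posts or from myonlinesecurity.co.uk: it opens an attachment zip in memory and judges each member by its leading bytes and by its real extension instead of its icon, flagging executable extensions, decoy double extensions such as IM0743436407_pdf.exe, and a PE hiding behind a .pdf name. The archive it inspects is constructed inline with short PE and PDF header stubs; the member names are my own.

```python
"""Inspect an attachment archive by content, not by icon or visible name.
Added example; the sample archive and its file names are constructed."""
import io
import zipfile

# Extensions Windows will run, or hand to a script, Java or HTML-help engine
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jar", "chm"}
# Extensions a decoy name pretends to carry, e.g. invoice.pdf.exe, IM0743436407_pdf.exe
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "zip", "txt"}

MAGIC = (
    (b"MZ", "exe"),                 # PE/DOS executable, covers .exe and .scr
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),         # zip container, also .jar/.docx/.xlsx
    (b"ITSF", "chm"),               # compiled HTML help
    (b"\xd0\xcf\x11\xe0", "ole"),   # legacy binary .doc/.xls
)


def sniff(head: bytes) -> str:
    """Classify a file by its first bytes, ignoring whatever it is called."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def analyse_member(name: str, head: bytes) -> dict:
    """Return the member's real extension, sniffed type and a list of red flags."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    stem = ".".join(parts[:-1])
    kind = sniff(head)
    flags = []
    if ext in EXEC_EXTS:
        flags.append("executable-extension")
    if kind == "exe" and ext not in ("exe", "scr", "com", "pif"):
        flags.append("content-mismatch")            # PE bytes behind a .pdf name
    if any(stem.endswith("." + d) or stem.endswith("_" + d) for d in DECOY_EXTS):
        flags.append("decoy-double-extension")      # something_pdf.exe, x.pdf.exe
    return {"name": name, "ext": ext, "kind": kind, "flags": flags}


def inspect_zip(zip_bytes: bytes) -> list:
    """Analyse every file in an in-memory zip (nested archives are not recursed)."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            results.append(analyse_member(info.filename, z.read(info.filename)[:8]))
    return results


def verdict(results: list) -> str:
    """Quarantine the whole attachment if any member raised a flag."""
    return "block" if any(r["flags"] for r in results) else "allow"


def build_sample_zip() -> bytes:
    """Constructed archive imitating the 'Secure.zip' style runs; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("JP Morgan Access - Secure.scr", b"MZ" + b"\x90" * 62)  # PE stub
        z.writestr("IM0743436407_pdf.exe", b"MZ" + b"\x00" * 62)
        z.writestr("statement.pdf", b"MZ" + b"\x00" * 62)  # PE bytes, .pdf name
        z.writestr("genuine.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
    return buf.getvalue()


if __name__ == "__main__":
    found = inspect_zip(build_sample_zip())
    for r in found:
        print(f"{r['name']:32} {r['kind']:8} {', '.join(r['flags']) or '-'}")
    print("verdict:", verdict(found))
```

    The content sniff is what makes this robust against the icon trick: a .scr with a PDF icon is still "MZ" in its first two bytes, and a .jar is a zip whatever icon it carries. Mail gateways that only look at the outer .zip extension miss all of the runs quoted above.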

  3. #653 AplusWebMaster

    Fake 'Apple ID' – phish, Android malware

    FYI...

    Fake 'Apple ID' – phish...
    - http://myonlinesecurity.co.uk/your-r...e-id-phishing/
    2 Mar 2015 - "'Your recent download with your Apple ID' pretending to come from Apple iTunes <orders@ tunes .co.uk> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details. This one only wants your personal details, Apple log in details and your credit card and bank details... This one has a short url link in the email which -redirects- you...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...r-Apple-ID.png

    If you follow-the-link (don't) you see a webpage looking like:
    > http://myonlinesecurity.co.uk/wp-con...y_apple_ID.png
    ... fill in your user name and password you get a page looking very similar to this one (split into sections), where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format.
    > http://myonlinesecurity.co.uk/wp-con...apple_ID_2.png
    ...
    > http://myonlinesecurity.co.uk/wp-con...apple_ID_3.png
    All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
    ___

    Fraud Alert: Unauthorised Appstore Payment – phish
    - http://myonlinesecurity.co.uk/fraud-...ment-phishing/
    3 Mar 2015 - "'Fraud Alert: Unauthorised Appstore Payment' pretending to come from iTunes <datacareapsecurity@ apple. co.uk> is one of the latest -phish- attempts to steal your Apple Account and your Bank, credit card and personal details...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...re-Payment.png

    All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
    ___

    Worm.Gazon: Want Gift Card? Get Malware
    - http://www.adaptivemobile.com/blog/w...rd-get-malware
    2 Mar 2015 - "... A simple piece of -malware- is on the way to become one of the 'spammiest' mobile malware outbreaks seen yet. This malware we have dubbed Gazon spreads via SMS with a shortened link to itself in the spam message, redirecting a potential victim to a webpage that promises an Amazon gift card if you install an APK file hosted on the page:

    Hey [NAME], I am sending you $200 Amazon Gift Card You can Claim it here : https ://bit .ly/ getAmazon[redactedD]
    > http://www.adaptivemobile.com/images...n-download.jpg

    The malware passes itself off as an app that gives Amazon rewards. However, the only thing it actually does is pull up a scam page inside the app which asks you to participate in the -survey- ... Each of the options below ends up taking you to either another scam page or asks you to download a game from Google Play. While you are busy clicking through pages the author just earns money through your clicks as we have seen in other pieces of mobile malware.
    > http://www.adaptivemobile.com/images...azon-scam1.png
    However, in the background this malware harvests all your contacts and sends a -spam- message to each of them with the URL pointing to the body of the worm... Thousands of people have seemingly installed this malware and been a victim. We are seeing over 4k infected devices in all of the major networks in North America, and we've blocked over 200k spam messages generated by these infected devices. Stopping the spread via messaging is critical as each one of these messages was an attempt to spread the app to an infected user's contacts. Based on click-throughs from the shortened URL it also seems this malware has been encountered in multiple other countries as well, worldwide. At the moment none of the AV engines detect this malware according to VirusTotal.
    > http://www.adaptivemobile.com/images...virustotal.png
    ... users should be aware of this -scam- and as always, be careful clicking on links in text messages that seem suspect. In this case, like other worm malware we have seen recently, even messages your contacts send you may not be safe. The malware can be removed using standard Android app uninstall utilities..."

    Last edited by AplusWebMaster; 2015-03-04 at 05:50.

  4. #654 AplusWebMaster

    Fake no body text SPAM - malicious, 'Remittance advice' SPAM – doc/excel malware

    FYI...

    Fake no body text SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/03/malw...hn-donald.html
    4 Mar 2015 - "This rather terse email comes with a malicious attachment:
    From: John Donald [john@ kingfishermanagement .uk .com]
    Date: 4 March 2015 at 09:09
    Subject: Document1


    There is no body text, but there is an attachment Document1.doc which is not currently detected by AV vendors*; in turn it contains this malicious macro... which downloads another component from the following location:
    http ://retro-moto .cba .pl/js/bin.exe
    Note that there may be other different versions of this document with different download locations, but it should be an identical binary that is downloaded. This file is saved as %TEMP%\GHjkdjfgjkGKJ.exe and has a VirusTotal detection rate of 2/57**. Automated analysis tools... show attempted network traffic to the following IPs:
    92.63.87.13 (MWTV, Latvia)
    104.232.32.119 (Net3, US)
    87.236.215.103 (OneGbits, Lithuania)
    108.61.198.33 (Gameservers.com / Choopa LLC, Netherlands)
    According to the Malwr report it also drops another version of itself with a detection rate of just 1/57*** plus a DLL with a detection rate of 7/56****.
    Recommended blocklist:
    92.63.82.0/23
    92.63.84.0/22
    92.63.88.0/24
    104.232.32.119
    87.236.215.103
    108.61.198.33
    "
    * https://www.virustotal.com/en/file/2...is/1425464228/

    ** https://www.virustotal.com/en/file/1...is/1425464153/

    *** https://www.virustotal.com/en/file/7...is/1425466045/

    **** https://www.virustotal.com/en/file/0...is/1425466059/

    - http://myonlinesecurity.co.uk/john-d...sheet-malware/
    4 Mar 2015
    > Document1.docx: https://www.virustotal.com/en/file/b...is/1425459634/
    > https://www.virustotal.com/en/file/1...is/1425460757/
    ... Behavioural information
    TCP connections
    92.63.87.13: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake 'Remittance advice' SPAM – word doc or excel xls malware
    - http://myonlinesecurity.co.uk/remitt...sheet-malware/
    4 Mar 2015 - "'Remittance advice [Rem_5556YJ.xml] (random numbers)' pretending to come from random addresses and random companies with a malicious Word doc or Excel XLS spreadsheet attachment (these are actually XML Word files) is another one from the current bot runs... This email has what appears to be a genuine Word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus. Modern versions of Microsoft Office, that is Office 2010 and 2013 and Office 365, have Macros disabled by default, UNLESS you or your company have enabled them... The email looks like:
    Good morning
    You can find remittance advice [Rem_5556YJ.xml] in the attachment
    Kind Regards
    Lenny Madden
    GLAXOSMITHKLINE


    4 March 2015 : Rem_5892GV.xml Current Virus total detections: 0/56* | 0/56**
    So far I have only seen 2 versions of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 or even more different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1425470968/

    ** https://www.virustotal.com/en/file/5...is/1425471785/

    - http://blog.dynamoo.com/2015/03/remi...stery-xml.html
    4 Mar 2015
    "... recommend blocking them:
    62.76.176.203
    46.30.42.171
    74.208.68.243
    37.139.47.111
    "
    ___

    Fake 'UPS Tracking' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/ups-sh...e-pdf-malware/
    4 Mar 2015 - "'UPS Ship Notification, Tracking Number 1Z06E18A6840121864' pretending to come from UPS <no-replay@ upsi .com> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...6840121864.png

    04 March 2015: Details.zip: Extracts to: Details.exe
    Current Virus total detections: 12/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1425482799/
    ... Behavioural information
    TCP connections
    216.146.38.70: https://www.virustotal.com/en/ip-add...0/information/
    190.111.9.129: https://www.virustotal.com/en/ip-add...9/information/
    108.174.149.222: https://www.virustotal.com/en/ip-add...2/information/
    190.111.9.129: https://www.virustotal.com/en/ip-add...9/information/
    UDP communications
    212.79.111.155: https://www.virustotal.com/en/ip-add...5/information/
    212.79.111.156: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'invoice' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/ron-mi...e-pdf-malware/
    4 Mar 2015 - "'RMPD#7989 – invoices' pretending to come from Rothn-Ron <ron@ bellsouth .net> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...9-invoices.png

    04 March 2015: RMPD#7989 INVOICES.zip: Extracts to: RMPD#7989 INVOICES.exe
    Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1425486885/
    ... Behavioural information
    TCP connections
    216.146.38.70: https://www.virustotal.com/en/ip-add...0/information/
    190.111.9.129: https://www.virustotal.com/en/ip-add...9/information/
    108.174.149.222: https://www.virustotal.com/en/ip-add...2/information/
    190.111.9.129: https://www.virustotal.com/en/ip-add...9/information/
    UDP communications
    217.10.68.152: https://www.virustotal.com/en/ip-add...2/information/
    217.116.122.136: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Many common sites might be temporarily offline
    - http://myonlinesecurity.co.uk/many-c...arily-offline/
    4 Mar 2015 - "... Amazon and Rackspace have both announced that they will need to -reboot- some of their servers to address the issue before March 10, when the Xen Project plans to disclose the latest bugs*. Details of the vulns are being withheld for now, to give the cloud vendors time to patch. In a FAQ** about the upcoming maintenance, Amazon Web Services said that only some of its earliest Elastic Compute Cloud (EC2) customers should be affected."
    * http://xenbits.xen.org/xsa/

    ** https://aws.amazon.com/premiumsuppor...nance-2015-03/

    - http://blog.trendmicro.com/trendlabs...er-encryption/
    Mar 4, 2015 - "... We advise Android users to refrain from using the default Android browser in their devices. They can instead use the Google Chrome app as it is not affected by the bug. Furthermore, connections to the Google search site are not affected. According to Deep Security Labs Director Pawan Kinger, FREAK is a serious and very real vulnerability which may require some level of sophistication to exploit. However, its sophistication won’t dissuade determined attackers. Carrying out a FREAK exploit requires attackers to be able to first create a man-in-the-middle (MITM) attack against the servers. It would also require the ability to control an SSL session between client and server and then force that session to downgrade to the lower encryption level. Then, the attacker would have to take the weakly encrypted traffic and perform a brute force attack against it that would take several hours, as opposed to days or weeks with higher encryption... Administrators can also check if their site is vulnerable by using the SSL Labs’ SSL Server Test*..."
    * https://www.ssllabs.com/ssltest/

    - http://www.bloomberg.com/news/videos...ak-attack-hole
    Mar 4, 2015 - Video 2:40

    Last edited by AplusWebMaster; 2015-03-05 at 02:57.
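    The Trend Micro passage quoted in the post above describes what a FREAK exploit needs: a man-in-the-middle who forces the session down to an export-grade RSA suite, then factors the 512-bit key offline. The server-side test that follows from that is an added example, not code from the post, from Trend Micro or from SSL Labs: a minimal TLS 1.0 ClientHello that offers only RSA_EXPORT suites, and a parser that reads which suite the server selected. A server that answers such a hello with a ServerHello picking one of those suites will do the weak key exchange; one that answers with a handshake_failure alert will not. The ServerHello and alert bytes used for the offline run are constructed; check_host() is the only function that touches the network and is not called by the sample; the host name is a placeholder.

```python
"""FREAK exposure check: offer only RSA_EXPORT suites and see what the server picks.
Added example; sample ServerHello/alert bytes are constructed."""
import os
import socket

# RSA export suites from the TLS cipher suite registry: id -> name
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}


def _u16(n: int) -> bytes:
    return n.to_bytes(2, "big")


def build_client_hello(server_name: str) -> bytes:
    """TLS 1.0 record carrying a ClientHello that offers only export suites, plus SNI."""
    suites = b"".join(_u16(s) for s in EXPORT_SUITES)
    name = server_name.encode()
    sni_list = _u16(len(name) + 3) + b"\x00" + _u16(len(name)) + name  # host_name entry
    ext_sni = _u16(0x0000) + _u16(len(sni_list)) + sni_list
    extensions = _u16(len(ext_sni)) + ext_sni
    body = (
        b"\x03\x01" + os.urandom(32) + b"\x00"        # version, random, empty session id
        + _u16(len(suites)) + suites
        + b"\x01\x00"                                  # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


def parse_server_hello(data: bytes):
    """Return the cipher suite id a ServerHello selects, or None for an alert/garbage."""
    if len(data) < 5 or data[0] != 0x16:            # 0x15 would be an alert record
        return None
    rec_len = int.from_bytes(data[3:5], "big")
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                 # handshake type 2 = ServerHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        return None
    off = 35 + body[34]                              # skip version, random, session id
    if len(body) < off + 2:
        return None
    return int.from_bytes(body[off:off + 2], "big")


def classify(suite) -> str:
    """'refused' = safe, 'export' = FREAK-exposed, 'unexpected' = suite we never offered."""
    if suite is None:
        return "refused"
    return "export" if suite in EXPORT_SUITES else "unexpected"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check against a real server; not used by the offline sample below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        return classify(parse_server_hello(s.recv(4096)))


def sample_server_hello(suite: int) -> bytes:
    """Constructed ServerHello selecting `suite`, as an exposed server would send."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + _u16(suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"   # fatal handshake_failure (constructed)

if __name__ == "__main__":
    print("exposed server:", classify(parse_server_hello(sample_server_hello(0x0003))))
    print("hardened server:", classify(parse_server_hello(SAMPLE_ALERT)))
```

    The "unexpected" result is worth keeping: a server that completes the handshake with a suite the client never offered is broken in a different way and deserves its own look. Running check_host() against your own hosts gives the same answer SSL Labs reports under "export" suites; fixing it means removing every EXPORT suite from the server configuration.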

  5. #655 AplusWebMaster

    Fake 'Brochure' SPAM - doc/xls malware

    FYI...

    Fake 'Brochure' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/bobby-...sheet-malware/
    5 Mar 2015 - "'Brochure2.doc' pretending to come from Bobby Drell <rob@ abbottpainting .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please change the year to 2015.
    Please confirm receipt
    Thanks
    Bobby Drell


    5 March 2015 : Brochure2.doc - Current Virus total detections: 1/57* ... the malicious macro connects to & downloads data.gmsllp.com/js/bin.exe (dridex banking Trojan) which is saved as %Temp%\324235235.exe that has a virus total rate of 2/57** ... So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1425549729/

    ** https://www.virustotal.com/en/file/3...is/1425550694/

    - http://blog.dynamoo.com/2015/03/malw...bby-drell.html
    5 Mar 2015
    "... Recommended blocklist:
    92.63.82.0/23
    92.63.84.0/22
    92.63.88.0/24
    95.163.121.0/24
    "
    ___

    Fake Natwest SPAM - PDF malware
    - http://myonlinesecurity.co.uk/natwes...e-pdf-malware/
    5 Mar 2015 - "'RE: Incident IM00491288' pretending to come from Kevin Otero <Kevin.Otero@ bankline .natwest .com> with a zip attachment is another one from the current bot runs... different random names. So far names and email addresses seen are
    Kevin Otero <Kevin.Otero@ bankline .natwest .com>
    Collin Stovall <Collin.Stovall@ bankline .natwest .com>
    Lavern Olsen <Lavern.Olsen@ bankline .natwest .com>
    Rae Bouchard <Rae.Bouchard@ bankline .natwest .com>
    Nadine Kerr <Nadine.Kerr@bankline .natwest .com>
    ... The email looks like:
    Good Afternoon ,
    Attached are more details regarding your account incident.
    Please extract the attached content and check the details.
    Please be advised we have raised this as a high priority incident and will endeavour to resolve it as soon as possible. The incident reference for this is IM00491288.
    We would let you know once this issue has been resolved, but with any further questions or issues, please let me know.
    Kind Regards,
    Kevin Otero
    Level 2 Adviser | Customer Experience Team, IB Service & Operations 7th Floor, 1 ...


    5 March 2015: Incident IM00491288.zip: Extracts to: IM0743436407_pdf.exe
    Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1425548558/
    ___

    Fake Invoice SPAM - PDF malware
    - http://myonlinesecurity.co.uk/carmel...e-pdf-malware/
    5 Mar 2015 - "'Alpro Invoice(s): 7985974765' pretending to come from Alpro <carmel@ alpro .com> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...5/03/Alpro.png

    5 March 2015 : invoice7985974765.zip: Extracts to: invoice7985974765.exe
    Current Virus total detections: 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1425547819/

    Last edited by AplusWebMaster; 2015-03-05 at 14:55.

  6. #656 AplusWebMaster

    Fake IRS SPAM - doc/xls malware

    FYI...

    Fake IRS SPAM - doc malware
    - http://blog.dynamoo.com/2015/03/malw...tronic-ip.html
    6 Mar 2015 - "This -fake- IRS email comes with a malicious attachment.
    From: Internal Revenue Service [refund.noreply@ irs .gov]
    Date: 6 March 2015 at 08:48
    Subject: Your 2015 Electronic IP Pin!
    Dear Member
    This is to inform you that our system has generated your new secured Electronic PIN to e-file your 2014 tax return.
    Please kindly download the microsoft file to securely review it.
    Thanks
    Internal Revenue Service ...


    ... attachment TaxReport(IP_PIN).doc ... there are usually several different versions[1]. Currently this is -undetected- by AV vendors*. This contains a malicious macro... which downloads a component from the following location:
    http ://chihoiphunumos .ru/js/bin.exe
    There are probably other download locations, but the payload will be the same. This is saved as %TEMP%\324235235.exe and has a detection rate of 1/55**. Automated analysis tools... show attempted connections to:
    92.63.87.13 (MWTV, Latvia)
    95.163.121.200 (Digital Networks CJSC aka DINETHOSTING, Russia)
    104.232.32.119 (Net3, US)
    87.236.215.103 (OneGbits, Lithuania)
    According to the Malwr report this executable drops another version of itself [VT 1/56***] and a malicious DLL [VT 2/56****].
    Recommended blocklist:
    92.63.82.0/23
    92.63.84.0/22
    92.63.88.0/24
    95.163.121.0/24
    104.232.32.119
    87.236.215.103
    "
    * https://www.virustotal.com/en/file/d...is/1425632162/

    ** https://www.virustotal.com/en/file/8...is/1425632174/

    *** https://www.virustotal.com/en/file/a...is/1425632946/

    **** https://www.virustotal.com/en/file/8...is/1425632950/

    1] http://myonlinesecurity.co.uk/intern...sheet-malware/
    6 Mar 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...nic-IP-Pin.png
    ___

    Fake 'Invoice' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/mick-g...sheet-malware/
    6 Mar 2015 - "'Mick George Invoice 395687 for Dudley Construction Ltd' pretending to come from Mick George Invoicing <mginv@ mickgeorge .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... These emails today, so far, are all malformed and broken. Every copy that I have received appears garbled and doesn’t actually have an attachment. Some mail servers will be configured to repair the damage and deliver the email in its full glory, where it will potentially infect you. This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ge-invoice.png

    ... the malware payload will be identical to today’s other malicious office document run Internal Revenue Service Your 2015 Electronic IP Pin! – word doc or excel xls spreadsheet malware*. We do notice that the bad guys are using 2 or 3 subjects and email templates but using the same malware that has been -renamed- ...
    Edit: I have managed to extract the malware payload from a quarantined copy on the server and can confirm that it is the -same- malware payload as today’s other run although renamed as Invoice395687.DOC . So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments..."
    * http://myonlinesecurity.co.uk/intern...sheet-malware/

    - http://blog.dynamoo.com/2015/03/malw...ce-395687.html
    6 Mar 2015 - "This -malformed- spam is meant to have a malicious attachment... This malware and the payload it drops is identical to the one found in this -fake- IRS spam run* earlier today..."
    * http://blog.dynamoo.com/2015/03/malw...tronic-ip.html
    ___

    Fake Bankline SPAM - malware
    - http://blog.dynamoo.com/2015/03/malw...eived-new.html
    6 Mar 2015 - "This fake banking spam leads to malware.
    From: Bankline [secure.message@ business .natwest .com]
    Date: 6 March 2015 at 10:36
    Subject: You have received a new secure message from BankLine
    You have received a secure message.
    Your Documents have been uploaded to Cubby cloud storage.
    Cubby cloud storage is a cloud data service powered by LogMeIn, Inc.
    Read your secure message by following the link bellow: ...
    <redacted> ...
    You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Bankline Bank Secure Email Help Desk at 0131 556 8719.
    First time users - will need to register after opening the attachment...


    This downloads a ZIP file from cubbyusercontent .com which contains a malicious executable Business Secure Message.exe which has a VirusTotal detection rate of just 1/57*. Automated analysis tools... show attempted connections to the following URLs:
    http ://all-about-weightloss .org/wp-includes/images/vikun.png
    http ://bestcoveragefoundation .com/wp-includes/images/vikun.png
    http ://190.111.9.129 :14248/0603no11/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
    http ://190.111.9.129 :14249/0603no11/HOME/41/7/4/
    It also appears that there is an attempted connection to 212.56.214.203.
    Of all of these IPs, 190.111.9.129 (Navega.com, Guatemala) is the most critical to -block-.
    It is also a characteristic of this malware (Upatre/Dyre) that it connects to checkip.dyndns .org to work out the IP address of the infected machine, it is worth checking for traffic to this domain. The Malwr report shows several dropped files, including fyuTTs27.exe which has a VirusTotal detection rate of 4/57**."
    * https://www.virustotal.com/en/file/d...is/1425640773/
    ... Behavioural information
    TCP connections
    91.198.22.70: https://www.virustotal.com/en/ip-add...0/information/
    190.111.9.129: https://www.virustotal.com/en/ip-add...9/information/
    192.254.186.169: https://www.virustotal.com/en/ip-add...9/information/
    46.151.254.183: https://www.virustotal.com/en/ip-add...3/information/
    5.178.43.49: https://www.virustotal.com/en/ip-add...9/information/
    212.56.214.203: https://www.virustotal.com/en/ip-add...3/information/
    UDP communications
    74.125.200.127: https://www.virustotal.com/en/ip-add...7/information/

    ** https://www.virustotal.com/en/file/8...is/1425641282/
    ... Behavioural information
    UDP communications
    217.10.68.152: https://www.virustotal.com/en/ip-add...2/information/
    217.116.122.136: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake HSBC SPAM – PDF malware
    - http://myonlinesecurity.co.uk/hsbc-p...e-pdf-malware/
    6 Mar 2015 - "'HSBC Payment' pretending to come from HSBC <no-replay@ hsbc .co.uk> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...BC-Payment.png

    6 March 2015: HSBC-2739.zip: Extracts to: HSBC-2739.exe
    Current Virus total detections: 0/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1425636158/
    ... Behavioural information
    TCP connections
    91.198.22.70: https://www.virustotal.com/en/ip-add...0/information/
    5.10.69.232: https://www.virustotal.com/en/ip-add...2/information/
    190.111.9.129: https://www.virustotal.com/en/ip-add...9/information/
    UDP communications
    134.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    77.72.169.167: https://www.virustotal.com/en/ip-add...7/information/
    77.72.169.166: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake Gateway SPAM - PDF malware
    - http://myonlinesecurity.co.uk/your-o...e-pdf-malware/
    6 Mar 2015 - "'Your online Gateway .gov .uk Submission' pretending to come from Gateway .gov.uk <ruyp@ bmtrgroup .com> with a link to download a zip attachment is another one from the current bot runs... The email looks like:
    Your online Gateway .gov.uk Submission
    Government Gateway logo
    Electronic Submission Gateway
    Thank you for your submission for the Government Gateway.
    The Government Gateway is the UK’s centralized registration service for e-Government services.
    To view/download your form to the Government Gateway please visit http ://www.gateway .gov.uk/
    This is an automatically generated email. Please do not reply as the email address is not
    monitored for received mail.
    gov .uk - the best place to find government services and information - Opens in new window
    The best place to find government services and information


    The link in the email leads to... the same malware as today’s run of 'You have received a new secure message from BankLine' -fake- PDF malware*.
    * http://myonlinesecurity.co.uk/receiv...e-pdf-malware/
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    ___

    Cryptowall, again!
    - https://isc.sans.edu/diary.html?storyid=19427
    Last Updated: 2015-03-06 - "A new variant of Cryptowall (an advanced version of Cryptolocker) is now using a malicious .chm file attachment to infect systems. According to net-security.org*, Bitdefender Labs has found a -spam- wave that spreads malicious .chm attachments. CHM is the compiled version of HTML that supports technologies such as JavaScript which can -redirect- a user to an external link. “Once the content of the .chm archive is accessed, the malicious code downloads from this location http :// *********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process”..."
    * http://net-security.org/malware_news.php?id=2981
    Mar 5, 2015
    > http://www.net-security.org/images/a...owall-calc.jpg

    Last edited by AplusWebMaster; 2015-03-07 at 00:56.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #657 AplusWebMaster

    Fake 'Statement' SPAM, Paypal PHISH

    FYI...

    Fake 'Statement' SPAM - doc malware
    - http://myonlinesecurity.co.uk/statem...e-pdf-malware/
    9 Mar 2015 - "'Statement from MARKETING & TECHNOLOGY GROUP, INC.' pretending to come from TECHNOLOGY GROUP <rwilborn@ mtgmediagroup .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Dear Customer :
    Your statement is attached. Please remit payment at your
    earliest convenience.
    Thank you for your business – we appreciate it very
    much.
    Sincerely,
    MARKETING & TECHNOLOGY GROUP, INC


    9 March 2015: docs2015.zip: Extracts to: docs2015.exe
    Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1425899308/
    ___

    Fake 'Credit Application' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/emaili...e-pdf-malware/
    9 Mar 2015 - "'Emailing: Serv-Ware Credit Application.pdf' with a zip attachment pretending to come from clint@ servware .com is another one from the current bot runs... The email looks like:

    Thanks,
    Clint Winstead
    Manager
    Serv-Ware Products
    clint@ servware .com
    phone: 800.768.5953
    fax : 800.976.1299 ...


    9 March 2015: Serv-WareCreditApplication.zip: Extracts to: Serv-WareCreditApplication.exe
    Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1425915088/
    ... Behavioural information
    TCP connections
    75.127.114.162: https://www.virustotal.com/en/ip-add...2/information/
    UDP communications
    77.72.174.163: https://www.virustotal.com/en/ip-add...3/information/
    77.72.174.162: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Paypal PHISH
    - http://myonlinesecurity.co.uk/your-p...0%8F-phishing/
    8 Mar 2015 - "There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
    There have been unauthorised or suspicious attempts to log in to your account, please verify
    Your account has exceeded its limit and needs to be verified
    Your account will be suspended !
    You have received a secure message from < your bank>
    We are unable to verify your account information
    Update Personal Information
    Urgent Account Review Notification
    We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    Confirmation of Order
    your PayPal account is limited – take action now‏


    Screenshot: http://myonlinesecurity.co.uk/wp-con...action-now.png

    This one wants your personal details, your Paypal account login details and your credit card and bank details. Many of them are also designed to specifically steal your email, Facebook and other social network login details..."

    Last edited by AplusWebMaster; 2015-03-09 at 18:25.

  8. #658 AplusWebMaster

    Fake 'PMQ agreement' SPAM - PDF malware

    FYI...

    Fake 'PMQ agreement' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/2015-p...e-pdf-malware/
    10 Mar 2015 - "'2015 PMQ agreement' pretending to come from linda@ pmq .com with a zip attachment is another one from the current bot runs... The email looks like:
    HI
    I have Not received your signed contract for the 2015 ad campaign. If you would please sign and return.
    Thank you
    Linda

    Watch our 2015 PMQ Media Kit here ...
    PMQ Pizza Magazine
    Linda Green / Co-Publisher
    (662)234-5481 ext 121 / linda.pmq@ gmail .com
    cell (662)801-5495
    PMQ Pizza Magazine Office: 662-234-5481 x121 / Fax: 662-234-0665
    605 Edison Street, Oxford, MS 38655 ...
    Don’t forget to renew your subscription to the magazine at ...


    10 March 2015 : American_Wholesale.zip: Extracts to: American_Wholesale.exe
    Current Virus total detections: 9/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1425997192/
    ... Behavioural information
    TCP connections
    216.146.43.70: https://www.virustotal.com/en/ip-add...0/information/
    95.181.53.78: https://www.virustotal.com/en/ip-add...8/information/
    122.155.1.42: https://www.virustotal.com/en/ip-add...2/information/
    77.85.204.114: https://www.virustotal.com/en/ip-add...4/information/
    88.221.15.80: https://www.virustotal.com/en/ip-add...0/information/
    UDP communications
    134.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    208.91.197.54: https://www.virustotal.com/en/ip-add...4/information/
    173.194.71.127: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Apple Watch Giveaway Spam Clocks In on Twitter
    - https://blog.malwarebytes.org/privac...in-on-twitter/
    Mar 10, 2015 - "Twitter users should be aware that mentioning the new Apple Watch could result in -spam- headed their way:
    > https://blog.malwarebytes.org/wp-con.../watchspm0.jpg
    ... The so-called Apple Giveaways profile says the following in its Bio space:
    > https://blog.malwarebytes.org/wp-con.../watchspm6.jpg
    It may sound promising, but what follows is a semi-exhausting jaunt around a couple of different websites with instructions to follow along the way... What we do end up with is a wall of text on a Facebook page with some very specific hoops to jump through in order to obtain the watch... they claim they’ll direct message within 72 hours with a “confirmation link”. The creation date for the website is listed as March 9th, and the Whois details are hidden behind a Whoisguard so there’s no way to know who you’re sending your information to... this seems like a long shot in terms of “winning” the incredibly expensive watch..."

    Last edited by AplusWebMaster; 2015-03-10 at 20:40.

  9. #659 AplusWebMaster

    Fake 'Tax rebate', 'Remittance', blank body, 'admin.scanner' SPAM...

    FYI...

    Fake 'Tax rebate' SPAM – doc or xls malware
    - http://myonlinesecurity.co.uk/your-t...sheet-malware/
    11 Mar 2015 - "'Your Tax rebate' pretending to come from HMRC Revenue&Customs with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    HM revenue
    Dear ...
    After the last yearly computations of your financial functioning we have defined that you
    have the right to obtain a tax rebate of 934.80.
    Please confirm the tax rebate claim and permit us have
    6-9 days so that we execute it.
    A rebate can be postponed for a variety of reasons.
    For instance confirming unfounded data or applying
    not in time.
    To access the form for your tax rebate, view the report attached. Document Reference: (983EMI).
    Regards,
    HM Revenue Service. We apologize for the inconvenience...


    The malware payload with this template is the same as today’s "Your Remittance Advice [FPAEEKBYQU] – Word doc malware"* . So far I am only seeing 1 version of this malware..."
    * http://myonlinesecurity.co.uk/your-r...d-doc-malware/

    - http://blog.dynamoo.com/2015/03/malw...ce-advice.html
    11 Mar 2015
    "... Recommended blocklist:
    95.163.121.0/24
    188.120.226.6
    188.165.5.194
    193.26.217.39
    93.170.123.36
    85.143.166.190
    46.30.42.177
    "
    ___

    Fake 'Remittance' SPAM - doc or xml malware
    - http://myonlinesecurity.co.uk/your-r...d-doc-malware/
    11 Mar 2015 - "'Your Remittance Advice [FPAEEKBYQU] (random characters)' coming from random names and email addresses with a malicious word doc or xml attachment is another one from the current bot runs... The email looks like:
    Good Morning,
    Please find attached the BACS Remittance Advice for payment made by FORUM ENERGY.
    Please note this may show on your account as a payment reference of FPANJRCXFM.
    Kind Regards
    Marilyn Aguilar
    Accounts Payable


    11 March 2015 : Rem_7656CN.xml - Current Virus total detections: 2/57*
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1426068203/
    ___

    Fake blank body SPAM - doc or xls malware
    - http://myonlinesecurity.co.uk/inv-09...sheet-malware/
    11 Mar 2015 - "'inv.09.03' pretending to come from Jora Service <jora.service@ yahoo .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a totally empty body with just the attachment.

    11 March 2015 : INV 86-09.03.2015.doc - Current Virus total detections: 0/56*
    So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments..."
    * https://www.virustotal.com/en/file/5...is/1426067908/
    ___

    Fake 'admin.scanner' SPAM - doc or xls malware
    - http://myonlinesecurity.co.uk/messag...sheet-malware/
    11 Mar 2015 - "'Message from RNP0026735991E2' pretending to come from admin.scanner@ <your own email domain> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    This E-mail was sent from “RNP0026735991E2″ (MP C305).
    Scan Date: 11.03.2015 08:57:25 (+0100)
    Queries to: admin.scanner@ ...


    11 March 2015 : 201503071457.xls - Current Virus total detections: 0/56*
    This looks like it is the same malware payload as today’s 'inv.09.03 Jora Service' – word doc or excel xls spreadsheet malware**..."
    * https://www.virustotal.com/en/file/1...is/1426068752/

    ** http://myonlinesecurity.co.uk/inv-09...sheet-malware/

    - http://blog.dynamoo.com/2015/03/malw...sage-from.html
    11 Mar 2015
    "... Recommended blocklist:
    188.225.77.216
    42.117.1.88
    31.41.45.211
    87.236.215.103
    104.232.32.119
    188.120.243.159
    "
    ___

    Fake 'Rate Increase' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/please...e-pdf-malware/
    11 Mar 2015 - "'Please' pretending to come from Phoenix <phoenix@ pnjinternational .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Good Afternoon,
    Please find attached notice regarding carriers pre-filing for an additional General Rate Increase for effective date of April 9, 2015. Please note, we are advising you of this filing in order to comply with FMC regulations. However, we feel it is unlikely that the carriers will be successful in implementing this increase, especially since the March 9th GRI has already been postponed to March 17th. We will continue to keep you updated as we receive additional information pertaining to these filed rate increases.
    Phoenix Zhang-Shin
    Director
    P & J International Ltd
    Calverley House, 55 Calverley Road
    Tunbridge Wells, Kent, UK TN1 2TU ...


    11 March 2015: documents-id323.zip: Extracts to: documents-id323.exe
    Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1426081018/
    ... Behavioural information
    TCP connections
    216.146.39.70: https://www.virustotal.com/en/ip-add...0/information/
    95.181.53.78: https://www.virustotal.com/en/ip-add...8/information/
    209.126.254.152: https://www.virustotal.com/en/ip-add...2/information/
    185.30.40.44: https://www.virustotal.com/en/ip-add...4/information/
    88.221.14.249: https://www.virustotal.com/en/ip-add...9/information/
    UDP communications
    134.170.185.211: https://www.virustotal.com/en/ip-add...1/information/
    74.125.204.127: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Fake Voicemail SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/03/malw...l-message.html
    11 Mar 2015 - "When was the last time someone sent you a voice mail message by email? Never? There are no surprises to find that this spam email message has a malicious attachment.
    From: Voicemail admin@ victimdomain
    Date: 11/03/2015 11:48
    Subject: Voicemail Message (07813297716) From:07813297716
    IP Office Voicemail redirected message
    Attachment: MSG00311.WAV.ZIP


    The attachment is a ZIP file containing a malicious EXE file called MSG00311.WAV.exe which has a VirusTotal detection rate of 5/57*. According to the Malwr report, it pulls down another executable and some config files from:
    http ://wqg64j0ei .homepage.t-online .de/data/log.exe
    http ://cosmeticvet .su/conlib.php
    This behaviour is very much like a Dridex downloader, a campaign that has mostly been using malicious macros rather than EXE-in-ZIP attacks.
    The executable it drops has a detection rate of 2/54**... Malwr reports ... show a further component download from:
    http ://muscleshop15 .ru/js/jre.exe
    http ://test1.thienduongweb .com/js/jre.exe
    This component has a detection rate of 5/57***. According to the Malwr report for that we see (among other things) that it drops a DLL with a detection rate of 4/57**** which is the same Dridex binary we've been seeing all day. Piecing together the IP addresses found in those reports combined with some information from one of my intelligence feeds, we can see that the following IPs are involved in this activity:
    ... Recommended blocklist:
    31.41.45.211
    62.213.67.115
    80.150.6.138
    42.117.1.88
    188.225.77.242
    212.224.113.144
    37.59.50.19
    62.76.179.44
    95.163.121.0/24
    185.25.150.3
    104.232.32.119
    188.120.243.159
    "
    * https://www.virustotal.com/en/file/2...is/1426091260/

    ** https://www.virustotal.com/en/file/e...is/1426091556/

    *** https://www.virustotal.com/en/file/1...is/1426092316/

    **** https://www.virustotal.com/en/file/5...is/1426093429/

    Last edited by AplusWebMaster; 2015-03-11 at 21:33.
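    The posts above keep returning to the same delivery trick: a .zip that "extracts to" an .exe or .scr wearing a PDF or sound-file icon, or a name like MSG00311.WAV.exe that relies on Windows hiding the real extension. As an added example (my code, not anything from this thread, myonlinesecurity.co.uk or dynamoo.com), here is the check a mail-gateway or triage script can run on such attachments. The archives are constructed in memory from harmless placeholder bytes, and the extension lists are my own assumptions about what is worth flagging.

```python
"""Flag e-mail attachments whose name or archive contents hide an executable.

Added example; not code from the original thread or the quoted blogs.
It models the pattern described in the posts: a .zip that "extracts to" an
.exe or .scr carrying a PDF/sound-file icon, and names such as
MSG00311.WAV.exe that depend on hidden file extensions. The sample archives
below are constructed in memory from placeholder bytes; no real malware.
"""
import io
import zipfile

# File types Windows executes, or that run script when opened (assumed list;
# the thread itself mentions .exe, .scr and .chm).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "jar", "chm", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "msi", "lnk",
}
# Extensions spammers put in front of the real one (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "mp3", "mp4",
              "jpg", "png", "zip", "txt"}


def classify_name(filename):
    """Return the reasons a file name looks dangerous (empty list if clean)."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + ext)
        # MSG00311.WAV.exe: a decoy extension right before the real one
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append("double extension ." + parts[-2] + "." + ext)
    return reasons


def is_pe_image(data):
    """True if the bytes start with the 'MZ' DOS stub every Windows PE carries."""
    return data[:2] == b"MZ"


def inspect_zip(zip_bytes):
    """Inspect a ZIP attachment; returns {member_name: [reasons]} for risky members.

    The content check catches a PE renamed to .pdf even when the name is clean.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            with zf.open(info) as member:
                head = member.read(2)
            if is_pe_image(head):
                reasons.append("PE header (MZ) regardless of extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members):
    """Construct an in-memory ZIP from {name: bytes} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples reusing the attachment names reported in the thread.
SAMPLE_VOICEMAIL_ZIP = build_zip({"MSG00311.WAV.exe": b"MZ" + b"\x00" * 62})
SAMPLE_PDF_LURE_ZIP = build_zip({"Serv-WareCreditApplication.exe": b"MZ" + b"\x90" * 30})
SAMPLE_CLEAN_ZIP = build_zip({"statement.pdf": b"%PDF-1.4\n%%EOF\n"})
SAMPLE_RENAMED_ZIP = build_zip({"report.pdf": b"MZ" + b"\x00" * 10})  # PE behind .pdf

if __name__ == "__main__":
    for label, blob in [("voicemail", SAMPLE_VOICEMAIL_ZIP), ("pdf lure", SAMPLE_PDF_LURE_ZIP),
                        ("clean", SAMPLE_CLEAN_ZIP), ("renamed PE", SAMPLE_RENAMED_ZIP)]:
        print(label, inspect_zip(blob))
```

    The name check alone would pass a PE renamed to .pdf, which is why the archive walk also reads the first two bytes of every member; a gateway rule that only matches on extension misses that case.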

  10. #660 AplusWebMaster

    Fake Invoice SPAM - doc or xls malware, Facebook Worm

    FYI...

    Fake Invoice SPAM - doc or xls malware
    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    12 Mar 2015 - "'Invoice [random numbers] for payment to <random company>' coming from random names and companies with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... The email has a totally blank body and just a word or excel attachment with a random name...

    11 March 2015 : 6780MHH.doc - Current Virus total detections: 0/56*
    ... which connects to & downloads https ://92.63.88.102 /api/gb1.exe which in turn is saved as %temp%\dsfsdfsdf.exe (virus total**). So far I am only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1426151513/

    ** https://www.virustotal.com/en/file/2...is/1426156982/
    ... Behavioural information
    TCP connections
    95.163.121.33: https://www.virustotal.com/en/ip-add...3/information/

    92.63.88.102: https://www.virustotal.com/en/ip-add...2/information/

    - http://blog.dynamoo.com/2015/03/malw...34xyz-for.html
    12 March 2015
    "...Recommended blocklist:
    95.163.121.0/24
    92.63.82.0/23
    92.63.84.0/22
    92.63.88.0/24
    85.143.166.0/24
    "
    ___

    Fake Voicemail SPAM - malware
    - http://myonlinesecurity.co.uk/you-ha...-mail-malware/
    12 Mar 2015 - "'You have received a voice mail' pretending to come from Voicemail Report <no-reply@ voicemail-delivery .com> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...voice-mail.png

    12 March 2015: VOICE8411-263-481.zip: Extracts to: VOICE8411-263-481.scr
    Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper sound file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1426165959/
    ___

    Facebook Worm variant leverages Multiple Cloud Services
    - https://blog.malwarebytes.org/fraud-...loud-services/
    Mar 12, 2015 - "... We came across a worm that we think belongs to the -Kilim- family and whose purpose is to compromise a user and spread via Facebook. The lure is the promise of pornographic material that comes as what appears to be a video file named Videos_New.mp4_2942281629029.exe, which in reality is a malicious program. Once infected, the victim spreads the worm to all of his contacts and groups that he belongs to... The bad guys have built a multi-layer redirection architecture that uses the ow.ly URL shortener, Amazon Web Services and Box.com cloud storage.
    > https://blog.malwarebytes.org/wp-con...15/03/flow.png
    ... We identified three domains involved in the configuration and update mechanism for the worm:
    - videomasars .healthcare | Enom, whoisguard Protected, Panama | 91.121.114.211 | PVH AS16276 OVH
    - porschealacam .com | Enom, whoisguard Protected, Panama | 91.121.114.211 | PVH AS16276 OVH
    - hahahahaa .com | Enom, whoisguard Protected, Panama |AS13335 CLOUDFLARENET
    ... This is a malicious file (Trojan) hosted on the popular cloud storage Box. Malwarebytes Anti-Malware detects it as Trojan.Agent.ED (VirusTotal link*). This binary is responsible for downloading additional resources (the worm component) from another resource (porschealacam .com). Here we find a malicious Chrome extension (VirusTotal link**) and additional binaries (scvhost.exe*** and son.exe****). Additional code is retrieved by the piece of malware (perhaps in case the user does not have the Chrome browser) from a third site, hahahahaa .com, to spread the worm via Facebook ... a rogue Chrome extension is injected but that is not all. The malware also creates a shortcut for Chrome that actually launches a malicious app in the browser directly to the Facebook website... In this ‘modified’ browser, attackers have full control to capture all user activity but also to restrict certain features. For example, they have disabled the extensions page that one can normally access by typing chrome://extensions/, possibly in an attempt to -not- let the user disable or remove the malicious extension. Clearly, the crooks behind this Facebook worm have gone to great lengths to anonymize themselves but also to go around browser protection by creating their own booby-trapped version.
    We have reported the various URLs to their respective owners and some have already been shut down. However, we still urge caution before clicking on any link that promises free prizes or sensational items. Once again the bad guys are leveraging human nature and while we do not know how many people fell for this threat, we can guess that it most likely affected a significant number of Facebook users."
    (More detail at the malwarebytes URL above.)
    * https://www.virustotal.com/en/file/6...is/1426093312/

    ** https://www.virustotal.com/en/file/7...is/1426051972/

    *** https://www.virustotal.com/en/file/6...is/1426093308/

    **** https://www.virustotal.com/en/file/4...is/1426093310/

    91.121.114.211: https://www.virustotal.com/en/ip-add...1/information/

    Last edited by AplusWebMaster; 2015-03-12 at 23:15.
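    Posts #659 and #660 quote four separate "Recommended blocklist" sets from dynamoo.com, with overlap between them (95.163.121.0/24 appears more than once, and the single host 85.143.166.190 falls inside the later 85.143.166.0/24). As an added example (my code, not code from this thread or from dynamoo.com or myonlinesecurity.co.uk), this consolidates those entries into one de-duplicated set of prefixes and matches Squid-style proxy log lines against it. The blocklist entries are the ones quoted in the posts above; the log lines are constructed for illustration, reusing destination IPs the posts report (92.63.88.102 for the gb1.exe download, 95.163.121.33 from the VirusTotal behavioural data) plus one benign TEST-NET address.

```python
"""Consolidate the quoted 'Recommended blocklist' entries and scan proxy logs.

Added example; not code from the original thread or the quoted blogs.
The blocklist networks are those published in the dynamoo.com posts quoted
above (Remittance Advice, admin.scanner, Voicemail and Invoice runs); the
log lines are constructed for illustration.
"""
import ipaddress

# Raw entries exactly as quoted in the posts, including the repeats between
# the four lists, so the parser has duplicates and overlaps to resolve.
RAW_BLOCKLIST = """
95.163.121.0/24 188.120.226.6 188.165.5.194 193.26.217.39 93.170.123.36
85.143.166.190 46.30.42.177
188.225.77.216 42.117.1.88 31.41.45.211 87.236.215.103 104.232.32.119 188.120.243.159
31.41.45.211 62.213.67.115 80.150.6.138 42.117.1.88 188.225.77.242 212.224.113.144
37.59.50.19 62.76.179.44 95.163.121.0/24 185.25.150.3 104.232.32.119 188.120.243.159
95.163.121.0/24 92.63.82.0/23 92.63.84.0/22 92.63.88.0/24 85.143.166.0/24
"""


def parse_blocklist(text):
    """Parse hosts and CIDRs, drop duplicates and collapse any entry already
    covered by a wider prefix (85.143.166.190 sits inside 85.143.166.0/24)."""
    nets = []
    for token in text.split():
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue  # ignore anything that is not an address or a prefix
    return list(ipaddress.collapse_addresses(nets))


BLOCKLIST = parse_blocklist(RAW_BLOCKLIST)


def lookup(ip_text):
    """Return the blocklist prefix (as a string) containing ip_text, or None."""
    ip = ipaddress.ip_address(ip_text)
    for net in BLOCKLIST:
        if ip in net:
            return str(net)
    return None


def parse_squid_line(line):
    """Parse Squid native access-log format:
    time elapsed client code/status bytes method URL ident peerstatus/peerhost type
    Returns a dict with the fields we need, or None if the line does not fit."""
    fields = line.split()
    if len(fields) < 10:
        return None
    peer = fields[8].split("/", 1)
    if len(peer) != 2:
        return None
    return {"client": fields[2], "method": fields[5], "url": fields[6], "dst": peer[1]}


def scan_log(lines):
    """Return (client, destination, matched_prefix, url) for every line whose
    destination host is inside a blocklisted prefix."""
    hits = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        try:
            net = lookup(rec["dst"])
        except ValueError:
            continue  # peerhost was a name, not an address
        if net:
            hits.append((rec["client"], rec["dst"], net, rec["url"]))
    return hits


# Constructed log lines; the first two destinations are IPs quoted in the
# posts above, the third is a benign TEST-NET address.
SAMPLE_LOG = [
    "1426156982.100 312 10.1.2.33 TCP_MISS/200 41230 GET https://92.63.88.102/api/gb1.exe - HIER_DIRECT/92.63.88.102 application/octet-stream",
    "1426156983.412 88 10.1.2.33 TCP_MISS/200 512 POST http://95.163.121.33/ - HIER_DIRECT/95.163.121.33 text/html",
    "1426156990.001 45 10.1.2.40 TCP_MISS/200 2048 GET http://www.example.com/ - HIER_DIRECT/192.0.2.10 text/html",
]

if __name__ == "__main__":
    print(len(BLOCKLIST), "prefixes after consolidation")
    for hit in scan_log(SAMPLE_LOG):
        print("BLOCKLIST HIT client=%s dst=%s prefix=%s url=%s" % hit)
```

    Collapsing first matters for two reasons: a firewall or proxy ACL built from the raw lists would carry redundant rules, and a host entry that is already inside a published /24 is a sign the publisher widened the block, so the wider prefix is the one to keep.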
