
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #691
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Fake 'E-Ticket', 'invoice', 'Admin Exchange' SPAM

    FYI...

    Fake 'E-Ticket' SPAM – javascript malware
    - http://myonlinesecurity.co.uk/e-tick...cript-malware/
    21 Apr 2015 - "'E-Ticket 7694892' pretending to come from E-Ticket <online@ ticket .com> with a link to a zip attachment is another one from the current bot runs... The email looks like:

    This is your e-ticket receipt.
    SEAT / 30A/ZONE 3
    DATE / TIME 7 MAY, 2014, 09:19 AM
    ARRIVING / Tulsa
    ST / OK
    REF / KE.7818 BAG / 4PC
    TOTAL PRICE / 438.16 USD
    FORM OF PAYMENT / CC
    Download E-Ticket 7694892
    Yours sincerely,
    American Airlines E-Ticket services.


    21 April 2015: E-Ticket 7694892.zip: Extracts to: E-Ticket 7694892.js
    Current Virus total detections: 9/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1429584330/
    ___

    Fake 'invoice' SPAM - malicious doc attachment
    - http://blog.dynamoo.com/2015/04/malw...e-i413136.html
    21 Apr 2015 - "This spam email does not come from LA Grinding but is instead a simple forgery with a malicious attachment.
    From: Lichelle Ebner [mailto:Lichelle5938@ lagrinding .co .uk]
    Sent: Tuesday, April 21, 2015 9:55 AM
    Subject: LAG invoice I413136
    Dear Accounts Payable,
    Attached is a copy of invoice I413136 .The items were shipped. Please feel free to contact me if you have any questions or cannot read the attachment.
    Thank you for your business.
    Sincerely,
    Lichelle Ebner
    L. A. Grinding Company
    Ph. (818) 846-9134
    FAX (818)846-1786


    So far I have seen just a single sample with an attachment I413136.doc which has a VirusTotal detection rate of 2/57* and which contains this malicious macro... in turn this downloads a component from:
    http ://eternitymobiles .com/25/144.exe
    ..although there are probably different versions of the macro with different download locations, the binary itself should be the same in all cases. This is saved as %TEMP%\pierre6.exe and it has a detection rate of 5/56**. Automated analysis tools... show that it attempts to communicate with a familiar IP:
    89.28.83.228 (StarNet SLR, Moldova)
    According to this Malwr report it also drops a malicious Dridex DLL with a detection rate of 3/56***.
    Recommended blocklist:
    89.28.83.228 ..."
    * https://www.virustotal.com/en/file/d...is/1429609465/

    ** https://www.virustotal.com/en/file/8...is/1429609471/

    *** https://www.virustotal.com/en/file/b...is/1429610872/
    ___

    Fake 'Admin Exchange' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/admini...e-pdf-malware/
    21 Apr 2015 - "'Administrator – Exchange Email id3405629' pretending to come from Administrator@ no-reply <Administrator@ your domain > with a zip attachment is another one from the current bot runs... The email looks like:

    no-reply,
    This attachment provides you with managing facilities for your mailboxes, public folders, distribution lists, contact and mail service general settings. Please save the attached file to your hard drive before deleting this message.
    To open the attachment (Exchange_id3405629.zip) please use the following password: Ujh6JZ2mHN
    Thank you,
    Administrator


    Note: the address it pretends to come from will be your own email domain and the link in the email will appear to be your own web site or domain.
    21 April 2015: Exchange_id3405629.zip: Extracts to: Exchange.exe
    Current Virus total detections: 1/54* NOTE: we are also seeing the same malware payload coming in as a -fake- fax, and with the subject of Internal ONLY . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1429610427/
    ... Behavioural information
    UDP communications
    23.102.23.44: https://www.virustotal.com/en/ip-add...4/information/

    - http://threattrack.tumblr.com/post/1...nistrator-spam
    Apr 21, 2015
    Tagged: Exchange, Dyreza
    ___

    Fake 'new my info' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/new-my...e-pdf-malware/
    21 Apr 2015 - "'new my info' pretending to come from random names and email addresses with a zip attachment that is named after the alleged sender is another one from the current bot runs... The email looks like:

    Hello! I have found some interesting information that you might need!
    Check out the attached file!
    Bicicletes Nadal Oliver, S.L.
    Passeig Ferrocarril, 61
    07500 Manacor (Mallorca)
    Illes Balears
    Tel.971-843358 ...


    21 April 2015: warehouseop02.zip: Extracts to: Alla.exe
    Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1429618876/
    ___

    Dridex re-directing to Malicious Dropbox hosted file via Google
    - https://isc.sans.edu/diary.html?storyid=19609
    2015-04-21 - "... this malware may use Google Analytics to count how many people opened the file, but I haven't confirmed that. Google -redirects- are however used to obscure the destination... Google will show a note that the user was redirected, but the file will download right away. It will not open, and the user will have to open it to enable the Macro to execute (DON'T)... Word document... example I received:
    > https://isc.sans.edu/diaryimages/ima...26_43%20AM.png
    ... Virustotal only shows 4 "hits" out of 57* AV tools tested for this binary:
    (More detail at the ISC URL above.)
    * https://www.virustotal.com/en/file/e...is/1429631351/
    File name: ACH transaction0336.doc

    Last edited by AplusWebMaster; 2015-04-21 at 23:19.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
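The reports above keep returning to one lure: a zip that extracts to a script or executable, or a name such as `WAV0004291.wav.exe` that relies on hidden extensions and a spoofed icon. The following is an added example of a mail-gateway style check for those patterns; it is not code from this post or from the blogs it quotes. The archives it inspects are constructed in memory and contain harmless text; only their member names mirror the reported samples, and the names `classify_name`, `risky_members`, `build_zip` and `SAMPLES` are this example's own.

```python
"""Flag mail attachments whose contents match the deceptive patterns in the
reports above: an archive that extracts to a script or executable, a double
extension such as WAV0004291.wav.exe, or a macro-enabled Office file.

Added example, not code from the forum post or the blogs it quotes. The
archives below are constructed in memory and hold harmless text; only the
member names mirror the reported samples.
"""
import io
import zipfile
from typing import Dict, List, Tuple

# Extensions Windows runs directly when the user double-clicks them.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "js", "jse", "vbs", "vbe",
                   "wsf", "bat", "cmd", "hta", "ps1"}
# Office formats that can carry macros (the .docm / .xlsm droppers).
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Document and media types attackers pair with an executable extension.
DECOY_EXTS = {"pdf", "doc", "xls", "wav", "jpg", "png", "txt", "html"}


def classify_name(name: str) -> List[str]:
    """Return the reasons a member name looks dangerous (empty if none)."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    reasons: List[str] = []
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        # 'x.wav.exe' / 'x.pdf.scr': the visible name and the icon both lie.
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
    elif ext in MACRO_EXTS:
        reasons.append(f"macro-enabled Office file .{ext}")
    return reasons


def risky_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Inspect a zip attachment without extracting anything to disk.

    Member names are readable even when the archive is password protected
    (the 'password is in the email body' lure), so the check still works.
    """
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            for reason in classify_name(info.filename):
                findings.append((info.filename, reason))
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings.append((info.filename, "encrypted member"))
    return findings


def build_zip(members: Dict[str, str]) -> bytes:
    """Constructed test data: a zip whose members are harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed samples whose member names mirror the reported campaigns.
SAMPLES = {
    "E-Ticket 7694892.zip": build_zip({"E-Ticket 7694892.js": "// placeholder"}),
    "WAV0004291.wav.zip": build_zip({"WAV0004291.wav.exe": "placeholder"}),
    "SI19779D.zip": build_zip({"SI19779D.docm": "placeholder"}),
    "quarterly.zip": build_zip({"report.pdf": "placeholder"}),
}

if __name__ == "__main__":
    for attachment, data in SAMPLES.items():
        hits = risky_members(data)
        print(f"{attachment}: {'QUARANTINE' if hits else 'ok'}")
        for member, reason in hits:
            print(f"    {member}: {reason}")
```

The extension sets are a starting point rather than a complete list; the point of the check is that it looks at the real extension of each member, which is exactly what a user with "show known file extensions" disabled never sees.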

  2. #692
    AplusWebMaster (Adviser Team)

    Fake 'voice message', 'Invoice', 'New document', IRS SPAM

    FYI...

    Fake 'voice message' SPAM – fake wav malware
    - http://myonlinesecurity.co.uk/voipfo...e-wav-malware/
    22 Apr 2015 - "'New voice message in mailbox' pretending to come from Voipfone Voicemail <voicemail@ voipfone .co .uk> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...in-mailbox.png

    22 April 2015: WAV0004291.wav.zip: Extracts to: WAV0004291.wav.exe
    Current Virus total detections: 3/52* . This 'New voice message in mailbox' is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper wav ( sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1429691927/
    ... Behavioural information
    UDP communications
    23.101.187.68: https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake 'Invoice' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/new-in...sheet-malware/
    22 Apr 2015 - "'New Invoice ID:SI19779D' from [random company] pretending to come from [random name] using random names at random email addresses with a link to a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...wave_email.png

    Note: I received this as a bounced return to thespykiller. I can categorically state that it was never sent from thespykiller domain. The bad guys -spoof- email addresses to pretend to send from all the time. 99.9% of the time the alleged sending domain has -never- been hacked and they just pretend to send from that domain. I have since received several different versions from loads of random companies. The invoice number is also random in all cases.
    22 April 2015 : SI19779D.docm - Current Virus total detections: 0/55*
    So far I am only seeing 1 version of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1429707780/
    ___

    HSBC Payment Advice Spam
    - http://threattrack.tumblr.com/post/1...nt-advice-spam
    Apr 22, 2015 - "Subjects Seen:
    Payment Advice - Advice Ref:[GB007112] / CHAPS credits
    Typical e-mail details:
    Sir/Madam,
    Please download document from server, payment advice is issued at the request of our customer. The advice is for your reference only.
    Download link:
    bilbaopisos .es/HSBC_BANK-DATA/new_secure.html
    Yours faithfully,
    Global Payments and Cash Management
    HSBC


    Malicious URLs
    bilbaopisos .es/HSBC_BANK-DATA/new_secure.html
    Malicious File Name and MD5:
    new_secure_payment.exe (c290126e419ff58678c3e490d89d7343)


    Screenshot: https://41.media.tumblr.com/bcff8fce...r6pupn_500.png

    Tagged: HSBC, Upatre

    bilbaopisos .es: 216.119.143.194: https://www.virustotal.com/en/ip-add...4/information/

    - http://blog.mxlab.eu/2015/04/23/url-...us-javascript/
    Apr 23, 2015
    wadv.com .br: 54.191.242.215: https://www.virustotal.com/en/ip-add...5/information/

    > https://www.virustotal.com/en/url/ba...ac0b/analysis/
    ___

    Fake 'New document' SPAM - malware
    - http://blog.dynamoo.com/2015/04/malw...ment-with.html
    22 Apr 2015 - "I have only seen one sample of this -spam- so far, it is likely that other variants use different company names:
    From: Tamika Cortez
    Date: 22 April 2015 at 14:33
    Subject: New document with ID:G27427P from RESTAURANT GROUP PLC was generated
    New report with ID:G27427P was generated by our system. Please follow the link below to get your report.
    Download report ID:G27427P
    Best regards ,Tamika Cortez
    RESTAURANT GROUP PLC


    In this case, the link in the email goes to: http ://igruv.tourstogo .us/oalroshimt/fokreeshoo/thovoaksij?arg1=victim@victimdomain.com&arg2=G27427P.vbs&arg3=RESTAURANT%20GROUP%20PLC
    ..which includes the -victim's- email address in the URL. In turn, this -redirects- to:
    http ://igruv.tourstogo .us/oalroshimt/fokreeshoo/thovoaksij/files/G27427P.vbs
    As the name suggests, this is a VBScript (VT 1/56*), in this case it is lightly obfuscated... and it initiates a download from:
    http ://185.91.175.183/ sas/evzxce.exe
    ..which is saved as %TEMP%\jhvwrvcf.exe. The download location is 176.31.28.226 (OVH, France). This file has a VirusTotal detection rate of 6/57**. Automated analysis tools... show network connections to the following IPs:
    144.76.73.3 (Hetzner, Germany)
    5.44.216.44 (Camelhost SIA, Latvia)
    62.210.214.249 (Iliad Entreprises / Poney Telecom, France)
    89.184.66.18 (Invest Ltd, Ukraine)
    ... it drops a Dridex DLL with a detection rate of 3/57***.
    Recommended blocklist:
    176.31.28.226
    144.76.73.3
    5.44.216.44
    62.210.214.249
    89.184.66.18
    ..."
    * https://www.virustotal.com/en/file/1...is/1429710473/

    ** https://www.virustotal.com/en/file/1...is/1429710529/

    *** https://www.virustotal.com/en/file/8...is/1429711770/
    ___

    IRS Spam
    - http://threattrack.tumblr.com/post/1...79123/irs-spam
    Apr 21, 2015 - "Subjects Seen
    Your FED TAX payment (ID:X3ZIRS507273813) was Rejected
    Typical e-mail details:
    *** PLEASE DO NOT RESPOND TO THIS EMAIL ***
    Your federal Tax payment (ID: X3ZIRS507273813), recently sent from your checking account was returned by the your financial institution.
    For more information, please download attached notification. (Security Adobe PDF file)
    Transaction Number: X3ZIRS507273813}
    Payment Amount: $ 5478.41
    Transaction status: Rejected
    ACH Trace Number: 8888888888
    Transaction Type: ACH Debit Payment-DDA
    Internal Revenue Service
    Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.


    Malicious File Name and MD5:
    FEDERAL_tax_notify.exe (344afdc58ad6d110f1b3f8dbdbb86576)


    Screenshot: https://40.media.tumblr.com/18d2466d...r6pupn_500.png

    Tagged: IRS, Ruckgov

    Last edited by AplusWebMaster; 2015-04-23 at 12:58.
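Both Dynamoo posts quoted in this thread end with a "Recommended blocklist". The following is an added example, not code from this post or the blogs it quotes, of turning those lists into a check over connection logs: every dotted quad on a line is tested against the list, so firewall, proxy and DNS logs can all be fed in unchanged. The IPs and attributions are the ones printed in the quoted posts of 21 and 22 April 2015; the log lines are constructed, and `BLOCKLIST`, `scan_log` and `SAMPLE_LOG` are names chosen for this example.

```python
"""Match connection-log lines against the 'Recommended blocklist' IPs
published in the Dridex write-ups quoted in this thread.

Added example, not code from the forum post or the blogs it quotes. The
blocklist entries and attributions are those printed in the quoted Dynamoo
posts of 21 and 22 April 2015; the log lines are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Quoted blocklist IPs with the attribution given alongside them.
BLOCKLIST: Dict[str, str] = {
    "89.28.83.228": "StarNet SLR, Moldova (LAG invoice run, 21 Apr)",
    "176.31.28.226": "OVH, France (download host, RESTAURANT GROUP PLC run, 22 Apr)",
    "144.76.73.3": "Hetzner, Germany",
    "5.44.216.44": "Camelhost SIA, Latvia",
    "62.210.214.249": "Iliad Entreprises / Poney Telecom, France",
    "89.184.66.18": "Invest Ltd, Ukraine",
}

# A dotted quad that is not part of a longer digit/dot run (avoids '1.2.3.4.5').
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def compile_blocklist(entries: Dict[str, str]):
    """Entries may be single hosts or CIDR ranges; each becomes a network."""
    return [(ipaddress.ip_network(ip, strict=False), label) for ip, label in entries.items()]


def scan_log(lines: List[str], entries: Dict[str, str] = BLOCKLIST) -> List[Tuple[int, str, str]]:
    """Return (line number, matched IP, attribution) for every blocklist hit.

    Format-agnostic: every dotted quad on the line is tested, so source,
    destination and IPs embedded in proxied URLs are all covered.
    """
    nets = compile_blocklist(entries)
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, 1):
        for token in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:  # '300.1.1.1' passes the regex but is not an address
                continue
            for net, label in nets:
                if ip in net:
                    hits.append((lineno, token, label))
    return hits


# Constructed firewall/proxy lines: one internal host reaching three of the
# listed IPs, plus benign traffic that must not match.
SAMPLE_LOG = [
    "2015-04-22T14:41:03Z fw allow tcp 10.0.5.23:49152 -> 176.31.28.226:80",
    "2015-04-22T14:41:09Z proxy 10.0.5.23 GET http://www.example.com/ 200",
    "2015-04-22T14:41:31Z fw allow tcp 10.0.5.23:49177 -> 144.76.73.3:443",
    "2015-04-22T14:42:02Z fw deny tcp 10.0.5.23:49180 -> 89.184.66.18:8080",
    "2015-04-22T14:42:15Z fw allow udp 10.0.5.23:5353 -> 224.0.0.251:5353",
]

if __name__ == "__main__":
    for lineno, ip, label in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {ip} -> {label}")
```

Because the list is compiled with `ipaddress.ip_network`, a CIDR range can be dropped in alongside single hosts without changing the matcher; a hit on the download host in particular is worth treating as a likely macro execution on the source machine rather than a mere policy violation.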

  3. #693
    AplusWebMaster (Adviser Team)

    Fake 'Refund on Order', 'Annual report' SPAM

    FYI...

    Fake 'Refund on Order' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/refund...sheet-malware/
    23 Apr 2015 - "'Refund on order 204-2374256-3787503' pretending to come from Amazon .co.uk <payments-messages@ amazon .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...56-3787503.png

    23 April 2015 : 204-2374256-3787503-credit-note.doc - Current Virus total detections: 4/54*
    ... the malicious macro inside this example downloads myshland .com/42/335.exe which is saved and run as %Temp%\pierre5.exe (Virus Total**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1429773545/

    ** https://www.virustotal.com/en/file/f...is/1429775442/

    - http://blog.dynamoo.com/2015/04/malw...order-204.html
    23 Apr 2015
    ... Recommended blocklist:
    185.12.95.191
    87.236.215.151
    94.23.171.198
    185.35.77.250
    149.154.64.70
    ..."
    ___

    Fake 'Annual report' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/annual...e-pdf-malware/
    23 Apr 2015 - "'Annual report' pretending to come from olivia <olivia@ cdc .co.uk> with a zip attachment is another one from the current bot runs...The email looks like:
    Hi,
    Annual report sent to you, maybe yours.
    CDC Consulting
    Algyr le parc
    119 BL de la Bataille de Stalingrad
    69100 Villeurbanne


    23 April 2015: Annual report.zip: Extracts to: Luk22.exe
    Current Virus total detections: 4/56* . This Annual report is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1429792521/
    ... Behavioural information
    TCP connections
    23.253.254.67: https://www.virustotal.com/en/ip-add...7/information/
    81.7.109.65: https://www.virustotal.com/en/ip-add...5/information/
    95.80.123.41: https://www.virustotal.com/en/ip-add...1/information/
    88.221.15.80: https://www.virustotal.com/en/ip-add...0/information/
    UDP communications
    23.102.23.44: https://www.virustotal.com/en/ip-add...4/information/

    - http://threattrack.tumblr.com/post/1...al-report-spam
    Apr 23, 2015
    Tagged: Annual Report, Upatre, Dyreza
    ___

    eFax Spam
    - http://threattrack.tumblr.com/post/1...9183/efax-spam
    Apr 23, 2015 - "Subjects Seen:
    You have a new eFax from 977-374-7446 - 4 pages
    Typical e-mail details:
    eFax Message [Caller-ID: 977-374-7446]
    You have received a 3 pages fax on Thu, 23 Apr 2015 08:20:40 -0600 .
    You can view your eFax online, in PDF format, by visiting :
    efax .com/documents/view_fax.aspx?utm_source=eFax&fax_type=doc&caller_id=977-374-7446
    * This fax’s reference # is 50184025


    Malicious URLs
    91.194.254.239/fax_33663232.pdf.zip
    Malicious File Name and MD5:
    pdf_fax_33663232.pif (fe6e9444534f34f735fa94eb7c526207)


    Screenshot: https://36.media.tumblr.com/b8f64613...r6pupn_500.png

    91.194.254.239: https://www.virustotal.com/en/ip-add...9/information/

    Tagged: eFax, Dyreza

    Last edited by AplusWebMaster; 2015-04-23 at 20:51.

  4. #694
    AplusWebMaster (Adviser Team)

    Fake 'Invoice', 'Western Order', 'You win green card' SPAM, Fileless Malware

    FYI...

    Fake 'Invoice' SPAM - malicious PDF attachment
    - http://myonlinesecurity.co.uk/invoic...x-pdf-malware/
    24 Apr 2015 - "'Invoice 519658' pretending to come from Colin Fox <colin@nofss .co .uk> with a PDF attachment is another one from the current bot runs... This email contains a genuine PDF which has embedded -scripts- that will infect you. So far none of the automatic analysis tools can find any malicious content but it is trying to send multicast messages... this evil pdf when opened in Adobe reader drops a word document containing macros, so DO NOT SAVE OR OPEN THIS PDF FILE: Just -delete- the email and any attachment as soon as it appears in your inbox. There appear to be several different versions of the PDF malware dropper although all are named the same and every copy that I have seen is the same file size (23kb). The malicious Macro inside the dropped word document (VirusTotal*) from one of the malicious PDF downloads and executes -> http ://bepminhchi .com/83/61.exe (virus total**)... Adobe reader in recent versions has 'Protected view' automatically -enabled- and unless you press the button to enable all features, you will be safe from this attack...
    > http://myonlinesecurity.co.uk/wp-con...ected-view.png
    If you do enable all features, then you have a second chance to protect yourself, by pressing either cancel or never allow opening files of this type on the pop up warning. Pressing allow WILL almost certainly automatically open the word doc and run the malicious macro so infecting you. Make sure Adobe reader ( or any other PDF reader software) is updated to the -latest- version to protect you. Older versions are vulnerable to these attacks. If using Adobe make sure you -uncheck- any additional offerings of security scans/Google chrome or toolbars that it wants to include in the download:
    > http://myonlinesecurity.co.uk/wp-con...15/04/doc4.png

    Screenshot: http://myonlinesecurity.co.uk/wp-con...ice-519658.png

    24 April 2015: Sales Invoice 519658.pdf - Current Virus total detections: 2/57***
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1429860267/

    ** https://www.virustotal.com/en/file/8...is/1429860321/
    ... Behavioural information
    TCP connections
    185.12.95.191: https://www.virustotal.com/en/ip-add...1/information/
    88.221.14.249: https://www.virustotal.com/en/ip-add...9/information/
    UDP communications
    104.41.150.68: https://www.virustotal.com/en/ip-add...8/information/

    *** https://www.virustotal.com/en/file/5...is/1429858901/

    bepminhchi .com: 115.146.126.39: https://www.virustotal.com/en/ip-add...9/information/

    - http://blog.dynamoo.com/2015/04/malw...nofsscouk.html
    24 Apr 2015
    ... Recommended blocklist:
    185.12.95.191
    149.154.64.70
    78.24.218.186
    89.28.83.228
    "
    ___

    Fake 'Western Order' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/04/malw...ell-nigel.html
    24 Apr 2015 - "The spam email is not from SSE Contracting, but is instead a simple forgery with a malicious attachment:

    Screenshot: https://4.bp.blogspot.com/-VMHqpJpfh...enterprise.png

    So far I have only seen one sample Western Order.doc [VT 4/57*] which contains a malicious macro... which is functionally identical to the one used in this spam run** which was also happening this morning."
    * https://www.virustotal.com/en/file/e...is/1429871852/

    ** http://blog.dynamoo.com/2015/04/malw...nofsscouk.html

    - http://myonlinesecurity.co.uk/wester...sheet-malware/
    24 Apr 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...tern-Order.png
    "... same dridex malware that was dropped by today’s earlier malware run 'Invoice 519658 Colin Fox' – PDF malware*..."
    * http://myonlinesecurity.co.uk/invoic...x-pdf-malware/
    ___

    Fake 'invoice for car repairs' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
    24 Apr 2015 - "'invoice for car #' random numbers coming from random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    hi,
    The invoice for car repairs.
    Gruss, Claus
    Claus Leykauf
    Galgengasse 14
    91257 Pegnitz
    Germany
    tel.: +49 (0) 9241 724785
    fax: +49 (0) 9241 724786
    mobile: +49 (0) 172 8801123 ...


    24 April 2015: ed0j5av43xs04bk #19641661.zip: Extracts to: car-repairs.exe
    Current Virus total detections: 0/58* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1429872340/
    ___

    Fake 'You win green card' – malware attachment
    - http://myonlinesecurity.co.uk/you-wi...-card-malware/
    24 Apr 2015 - "'You win green card' pretending to come from USA Green > <random email addresses> with a zip attachment is another one from the current bot runs... The email looks like:

    Your requested report is attached here. USA.

    24 April 2015: green_card_usa_483273289748923749823798.zip: Extracts to: green_card_usa_483273289748923749823798.exe
    Current Virus total detections: 5/56* ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1429873777/
    ___

    Fileless Malware ...
    - http://blog.trendmicro.com/trendlabs...d-in-the-wild/
    Updated April 22, 2015 - "... It’s no longer enough for malware to rely on dropping copies of themselves to a location specified in the malware code and using persistence tactics like setting up an autostart feature to ensure that they continue to run. Security file scanners can easily block and detect these threats. A tactic we have spotted would be using fileless malware. Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed in target computer’s hard drive. POWELIKS* is an example of fileless malware that is able to hide its malicious code in the Windows Registry. These use a conventional malware file to add the entries with its malicious code in the registry...

    Another example of fileless malware is “Phasebot,” which we found being peddled in websites that sell malware and other malicious online tools by the supposed malware creator. We detect Phasebot as TROJ_PHASE.A. Phasebot contains -both- rootkit and fileless execution capabilities. We noticed that this malware had the same features as Solarbot**, an old bot that was first seen in the wild around late 2013. This is made more evident when we compared the sites that sold the two malware(s)...

    Compared to Solarbot, Phasebot places a distinct emphasis on stealth and evasion mechanisms. It -encrypts- its communications to its C&C server by using random passwords each time it connects to the server. The malware was designed to check if the following programs are installed in the affected system:
    .NET Framework Version 3.5
    Windows PowerShell
    ... Both of these programs are integrated into current versions of Windows. After verifying that the affected system has these programs, Phasebot creates the following registry key where the encrypted shell code will be written:
    HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{Bot GUID}
    ... Using Windows PowerShell can also be seen as strategic because this tool is included in the initial installation packages of Windows OS versions 7 and higher. And since more users have computers that run on Windows 7 and higher, cybercriminals have a bigger net of potential victims. (And not coincidentally, the targeted .NET framework version 3.5 is also found in Windows 7 and higher)... It’s highly possible that they will not limit themselves to simply using the Windows registry to hide their malware... The emergence of fileless malware can be a serious threat to users who are not familiar with this type of infection. Users are often advised to look for suspicious files or folders, but -not- in places like the Windows registry, which is used for fileless infection... Because fileless malware are hard to detect, they’re also difficult to remove. Much like rootkits, the location of the malware makes detection and deletion more difficult than the typical malware infection..."
    * https://www.trendmicro.com/vinfo/us/...ROJ_POWELIKS.A

    ** http://www.infosecurity-magazine.com...ans-share-dna/

    Last edited by AplusWebMaster; 2015-04-24 at 21:47.
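The Trend Micro write-up quoted above says Phasebot stores its encrypted shell code under a per-bot GUID in `HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components`, and that registry-resident payloads are missed by people who only look for suspicious files. The following is an added example, not code from this post or from Trend Micro, of a triage check that reads an export of that key (the text that `reg export` produces) and flags per-user component entries carrying anything beyond the small version marker Active Setup itself records there. The allowlist of benign value names (`Version`, `Locale`) and the 64-byte blob threshold are this example's assumptions and should be tuned against a known-clean machine; the `.reg` text and the GUIDs in it are constructed, and `parse_reg_export` and `suspicious_hkcu_components` are names chosen here.

```python
"""Triage an export of HKCU\\...\\Active Setup\\Installed Components for
registry-resident payloads of the kind described for Phasebot.

Added example, not code from the forum post or from Trend Micro. The .reg
text below is constructed (GUIDs included); the benign-value allowlist and
the blob size threshold are assumptions to tune against a clean baseline.
"""
import re
from typing import Dict, List, Tuple

RegValues = Dict[str, Tuple[str, object]]  # value name -> (type, data)

ACTIVE_SETUP_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components"
BENIGN_VALUE_NAMES = {"version", "locale"}  # assumption: the per-user markers Active Setup writes
BINARY_BLOB_LIMIT = 64  # bytes; assumption: version markers are tiny, stored code is not

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> Dict[str, RegValues]:
    """Parse the subset of .reg syntax that 'reg export' emits: [key] headers,
    "name"="string", "name"=dword:xxxxxxxx and "name"=hex:aa,bb,... with
    backslash line continuation. Other value kinds are ignored."""
    keys: Dict[str, RegValues] = {}
    current = None
    pending_hex = None  # (value name, hex text so far) while a hex value continues
    for raw in text.splitlines():
        line = raw.strip()
        if pending_hex is not None:
            name, acc = pending_hex
            acc += line.rstrip("\\")
            if line.endswith("\\"):
                pending_hex = (name, acc)
            else:
                keys[current][name] = ("hex", bytes.fromhex(acc.replace(",", "")))
                pending_hex = None
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("sz", data[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
        elif data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif data.startswith("hex:"):
            acc = data[4:].rstrip("\\")
            if data.endswith("\\"):
                pending_hex = (name, acc)
            else:
                keys[current][name] = ("hex", bytes.fromhex(acc.replace(",", "")))
    return keys


def suspicious_hkcu_components(keys: Dict[str, RegValues]) -> List[Tuple[str, str]]:
    """Flag per-user Installed Components entries that hold more than a marker."""
    findings: List[Tuple[str, str]] = []
    prefix = ACTIVE_SETUP_HKCU.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        for name, (kind, data) in values.items():
            if name.lower() in BENIGN_VALUE_NAMES and kind == "sz":
                continue
            if name.lower() == "stubpath":
                findings.append((key, f"StubPath under HKCU: {data!r}"))
            elif kind == "hex" and len(data) >= BINARY_BLOB_LIMIT:
                findings.append((key, f"{len(data)}-byte binary value {name!r} (possible stored payload)"))
            else:
                findings.append((key, f"unexpected value {name!r} ({kind})"))
    return findings


# Constructed export: one ordinary marker entry and one entry shaped like the
# described bot key (a StubPath plus a binary blob). Nothing here is real.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components]

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{CONSTRUCTED-BENIGN-GUID}]
"Version"="9,0,0,0"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{CONSTRUCTED-BOT-GUID}]
"Version"="1,0,0,0"
"StubPath"="powershell.exe -constructed-placeholder-"
"Data"=hex:00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff,\
  00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff,\
  00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff,\
  00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff
"""

if __name__ == "__main__":
    for key, reason in suspicious_hkcu_components(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\n    {reason}")
```

Running it over the export of a single user hive is cheap enough to schedule; what matters for the fileless case is that the check reads the registry value contents, not the file system, which is exactly the place the quoted article says users are not told to look.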

  5. #695
    AplusWebMaster (Adviser Team)

    Fake 'Invoice', 'Hello' SPAM

    FYI...

    Fake 'Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/04/malw...m-invoice.html
    27 Apr 2015 - "This fake invoice email does -not- come from Booking .com but is a simple forgery with a malicious attachment.
    From: invoice@ booking .com
    Date: 27 April 2015 at 08:55
    Subject: [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015
    Dear customer,
    Herewith you receive the electronic invoice regarding the commissions for the period from 01/03/2015 to 31/03/2015.
    If you have any questions, please contact our Credit Control Department at telephone number
    +44 (0)208 612 8210 (e-mail: ).
    Thank you for working with Booking .com.


    The only sample I have seen of this is badly mangled and required some work to extract and decode the attachment invoice-1501383360.doc which has a VirusTotal detection rate of 3/57*. This contains a malicious macro... which downloads a component from the following location:
    http ://voipconcerns .com/62/927.exe
    There are probably other slightly different versions of the Word document that download from different locations, however the binary will be the same. This malicious executable is saved as %TEMP%\zigma2.5.exe and has a VirusTotal detection rate of 2/57**. Automated analysis tools... show an attempted network connection to:
    185.12.95.191 (RuWeb CJSC, Russia)
    According to the Malwr report it also drops a malicious Dridex DLL with a detection rate of 4/57***..."
    * https://www.virustotal.com/en/file/1...is/1430122282/

    ** https://www.virustotal.com/en/file/7...is/1430122455/

    *** https://www.virustotal.com/en/file/8...is/1430123480/

    185.12.95.191: https://www.virustotal.com/en/ip-add...1/information/

    voipconcerns .com: 174.37.237.228: https://www.virustotal.com/en/ip-add...8/information/

    - http://myonlinesecurity.co.uk/113859...sheet-malware/
    27 April 2015 - " invoice-1501383360.doc - Current Virus total detections: 3/56*
    ... which connects to and downloads tom-lebaric .com/62/927.exe which is saved as %Temp%\zigma2.4.exe and automatically run ( VirusTotal*)..."
    * https://www.virustotal.com/en/file/8...is/1430121196/

    tom-lebaric .com: 176.223.208.22: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'Hello' SPAM - malware attached
    - http://myonlinesecurity.co.uk/hello-...e-pdf-malware/
    27 Apr 2015 - "An email saying 'Hello! Can you please check the Attachment that I have sent? I need your help' with the subject of 'HI your name@ your domain' coming from random email addresses with a zip attachment is another one from the current bot runs...The email looks like:

    Hello! Can you please check the Attachment that I have sent? I need your help.
    Thanks
    Rob Robichaud
    Hub City Auto Paints and Supplies Ltd.
    A Division of Autochoice Parts & Paints
    CSR
    153 Loftus St
    Moncton, NB ...


    Each email has a random named attachment that is named after your email address. All extract to different named files with different #
    27 April 2015: derek- #52256657.zip: Extracts to: LOG.exe
    Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1430135783/
    ... Behavioural information
    TCP connections
    176.106.122.31: https://www.virustotal.com/en/ip-add...1/information/
    88.221.15.80: https://www.virustotal.com/en/ip-add...0/information/
    UDP communications
    191.233.81.105: https://www.virustotal.com/en/ip-add...5/information/
    ___

    Fake 'Your account #513457796162 has been blocked' SPAM – malware attachment
    - http://myonlinesecurity.co.uk/paulet...ocked-malware/
    27 April 2015 - "'Your account #513457796162 has been blocked' pretending to come from Pauletta Stile with a zip attachment is another one from the current bot runs... The email looks like:

    Your account #513457796162 was blocked for violation of our TOS.
    Please see attached.
    Pauletta Stile
    Langenbacherstr. 25 57586 Weitefeld
    GERMANY
    +49 2743 80 70
    Weitefeld
    +49 2743 00 03 56


    I have only received 1 copy of this malware so far. The last time a similar one was spammed out, we saw them coming from random email addresses with random subject numbers and attachment numbers.
    27 April 2015: 513457796162.zip: Extracts to: 513457796162.scr
    Current Virus total detections: 1/31*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like an Excel spreadsheet instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/9...is/1430140877/
    ... Behavioural information
    UDP communications
    23.102.23.44: https://www.virustotal.com/en/ip-add...4/information/

    - http://threattrack.tumblr.com/post/1...t-blocked-spam
    April 27, 2015
    Tagged: Account Blocked, dalexis
    ___

    Incoming Fax Spam
    - http://threattrack.tumblr.com/post/1...oming-fax-spam
    Apr 27, 2015 - "Subjects Seen
    Incoming Fax
    Typical e-mail details:
    INCOMING FAX REPORT
    *********************************************************
    Date/Time: Mon, 27 Apr 2015 08:08:50 -0800
    Speed: 4985bps
    Connection time: 05:08
    Pages: 5
    Resolution: Normal
    Remote ID: 638-493-5566
    Line number: 9
    DTMF/DID:
    Description: Internal only
    To download / view please download attached file
    *********************************************************


    Malicious File Name and MD5:
    IncomingFax.exe (784f8d6818cd23dd18c8f059a6b5d3d5)


    Screenshot: https://40.media.tumblr.com/ab71c252...r6pupn_500.png

    Tagged: Fax, Dyreza
    ___

    Fake 'Invoice 215042210' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    27 Apr 2015 - "'Invoice 215042210 from FRONT RANGE WHOLESALE RESTAURANT SUPPLIES INC.' pretending to come from “FRONT RANGE WHOLESALE RESTAURANT SUPPLIES INC.” <replyTo@ quickbooks .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Dear Customer :
    Your invoice is attached. Please remit payment at your earliest
    convenience.
    Thank you for your business – we appreciate it very much.
    Sincerely,
    FRONT RANGE WHOLESALE RESTAURANT SUPPLIES INC.


    27 April 2015 : Inv_215042210_from_FRONT_RANGE_WHOLESALE_RESTAURANT_SUPPLIES_INC._5316.doc
    Current Virus total detections: 2/57* which connects to and downloads 91.194.254.240 /us274/file.exe which in turn is saved as %Temp%\rramcgaq.exe and automatically runs... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1430143720/

    91.194.254.240: https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2015-04-27 at 23:04.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #696

    Fake 'Privacy Policy', 'INVOICE PD' SPAM, Fiesta EK

    FYI...

    Fake 'Privacy Policy' SPAM – malware
    - http://myonlinesecurity.co.uk/re-hel...utors-malware/
    28 April 2015 - "An email in garbled English about a database of contributors and their Privacy Policy with a subject of 'RE: Hello' pretending to come from Chanda <faucibus.id@ aliquet .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Hello!
    Dear user! We consider a database of contributors and we found that we have signed with you our “Privacy Policy” and that we have an updated CV. We will be audited in the near future, and we need to update the record. For this reason, is attached to this e-mail confidentiality agreement that we pray thee firm and return them by email or fax as soon as possible. We also need you, please send us your resume updated for inclusion in the database. If you have any questions, please contact me.
    With great respect !


    28 April 2015: Privacy Policy.zip: Extracts to: Privacy Policy.doc.scr
    Current Virus total detections: 6/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will pretend to be a word doc instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/9...is/1430201347/
    ... Behavioural information
    UDP communications
    104.41.150.68: https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake 'INVOICE PD' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/04/malw...will-comm.html
    28 April 2015 - "This malicious spam does not come from Will Communications but is instead a simple -forgery- with a malicious attachment.
    From: richard will [contactwill@ hotmail .com]
    Date: 28 April 2015 at 09:05
    Subject: INVOICE PD Will Comm
    Thank-you for your payment!
    Richard Will
    Will Communications, Inc.
    richard@ willcommunications .com


    The samples that I have seen are all corrupted, and the malicious attachment just appears as a jumble of Base64 encoded text, although this may not be the case with every email. After extraction, the malicious Word document has a detection rate of 4/56* and it contains this malicious macro... In this case, the macro downloads a component from:
    http ://massachusettsselfstorage .com/62/927.exe
    ..this is saved as %TEMP%\johan3.2.b.exe and has a detection rate of 3/53**. There may well be other documents that download from -other- locations, but the binary will be the same in all cases. Automated analysis tools... show that it attempts to communicate with the following IP:
    185.12.95.191 (RuWeb CJSC, Russia)
    According to the Malwr report it drops a malicious Dridex DLL with a detection rate of 2/56***."
    * https://www.virustotal.com/en/file/0...is/1430209748/

    ** https://www.virustotal.com/en/file/5...is/1430209765/

    *** https://www.virustotal.com/en/file/a...is/1430210575/

    massachusettsselfstorage .com: 209.114.42.129: https://www.virustotal.com/en/ip-add...9/information/

    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    28 April 2015 : Orion_PD_INV_12138.doc - Current Virus total detections: 4/54* downloads & executes http ://muebleseviajan .com/62/927.exe ..."
    * https://www.virustotal.com/en/file/c...is/1430207999/

    muebleseviajan .com: 185.14.56.96: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Bad Actor using Fiesta exploit kit
    - https://isc.sans.edu/diary.html?storyid=19631
    2015-04-28 - "... a criminal group using the Fiesta exploit kit (EK) to infect Windows computers... The group is currently using a gate that generates traffic from compromised websites to a Fiesta EK domain. I'm calling this group the "BizCN gate actor" because all its gate domains are registered through Chinese registrar www .bizcn .com, and they all reside on a -single- IP address... Earlier this month, the BizCN gate actor changed its gate IP to 136.243.227.9 [3]. We're currently seeing the gate lead to Fiesta EK on 205.234.186.114. Below is a flow chart for the infection chain:
    > https://isc.sans.edu/diaryimages/ima...y-image-01.jpg
    ... Passive DNS on 136.243.227.9 shows at least 100 domains registered through www .bizcn .com hosted on this IP address. Each domain is paired with a -compromised- website... Since their information is now public through this diary entry, the actor will likely change the gate's IP address and domains again. Unless there's a drastic change in their pattern of operations, this BizCN gate actor will be found relatively soon after any upcoming changes..."
    3] http://urlquery.net/search.php?q=136.243.227.9

    205.234.186.114: https://www.virustotal.com/en/ip-add...4/information/

    136.243.227.9: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake 'NatWest' SPAM – chm malware
    - http://myonlinesecurity.co.uk/natwes...3-chm-malware/
    28 Apr 2015 - "'NatWest Secure Message' pretending to come from NatWest .co.uk <secure.message@ natwest .com> with a zip attachment that extracts to a malicious chm (windows help file) is another one from the current bot runs... The email looks like:
    You have received a secure message.
    Read your secure message by opening the attachment, SecureMessage.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
    If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the NatWest Bank Secure Email Help Desk at 0131 556 3532.
    First time users – will need to register after opening the attachment...


    There is also a separate set of emails being spammed out with the -same- malware attachment with a subject of 'JP Morgan Access Secure Message' pretending to come from JP Morgan Access <service@ jpmorgan .com>...
    Please check attached file(s) for your latest account documents regarding your online account.
    Russel Whitlock
    Level III Account Management Officer
    817-267-1542 office
    817-573-8940 cell
    Russel.Whitlock@ jpmorgan .com
    Investments in securities and insurance products are:
    NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    2015 JPMorgan Chase & Co...


    All of these use random names at the relevant banks...
    Update: there is a second set of these being spammed out with a plain chm attachment that is -not- inside a zip. Outlook (and some other email clients) block chm files by default so you will be protected from automatically opening or running this.
    Today's Date: SecureMessage.zip: Extracts to: SecureMessage.chm
    Current Virus total detections: 1/53* . The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1430217439/
    SecureMessage.chm
    ___

    Fake 'BACS payment' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/sales-...e-pdf-malware/
    28 Apr 2015 - "An email saying 'Please find downloaded notification of your BACS payment from Essex County Council' with a subject of 'Hello (your email address)' pretending to come from sales with a zip attachment is another one from the current bot runs... The email looks like:
    Please find downloaded notification of your BACS payment from Essex County Council.
    If you require further information please refer to the contact details in the attached document.
    BACS Remittance Advice generated automatically by 2e2 on behalf of Essex County Council.
    Paramat 60
    85 rue des jacobins
    60740 Saint maximin
    Tel : 03.44.66.03.47


    28 April 2015: Random Attachment zip name: Extracts to: INVOICE.exe
    Current Virus total detections: 2/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1430219199/
    ... Behavioural information
    TCP connections
    166.78.246.145: https://www.virustotal.com/en/ip-add...5/information/
    81.7.109.65: https://www.virustotal.com/en/ip-add...5/information/
    188.255.252.242: https://www.virustotal.com/en/ip-add...2/information/
    UDP communications
    23.102.23.44: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake 'Email Locked' SPAM - contains trojan
    - http://blog.mxlab.eu/2015/04/28/emai...ntains-trojan/
    Apr 28, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “[Issue 243061763D7F320] Account #735811402519 Temporarily Locked”. Different spoofed addresses are used as the From email address and, with each email, the content and the attached trojan are -different- to avoid detection by virus engines. Some examples:
    Dear user,
    We detect unauthorized Login Attempts to your ID #735811402519 from other IP Address.
    Please re-confirm your identity. See attached docs for full information.
    Evie Maccarter
    King Yvonne M Dr
    70 Exhibition Street, Kentville, NS B4N 4K9
    CANADA
    902-602-7131


    The attached file 735811402519.zip contains the 102 kB large file 735811402519.scr. The trojan is known as UDS:DangerousObject.Multi.Generic, Heur.I or Trojan.Win32.Qudamah.Gen.3. At the time of writing, 3 of the 57 AV engines did detect the trojan at Virus Total*..."
    * https://www.virustotal.com/en/file/7...is/1430215524/
    ___

    Scammy Nepal earthquake donation requests
    - https://isc.sans.edu/diary.html?storyid=19635
    2015-04-28 - "... like after every major hurricane or earthquake, the miscreants around the globe are currently scurrying to set up their -fake- charities and web pages, in order to solicit donations. The people of Nepal certainly can use our help and generosity to deal with the aftermath of the April 25 earthquake, but let's make sure the money actually ends up there. For our readers in the US, USAID.gov maintains a list of charities that they work with in Nepal at http://www.usaid.gov/nepal-earthquake .. but note how even USAID adds a disclaimer to be on the lookout for scams!..."

    Last edited by AplusWebMaster; 2015-04-28 at 18:27.

  7. #697

    Fake 'pictures', 'BACS payment' SPAM, JavaScript malware

    FYI...

    Fake 'pictures' SPAM - malware
    - http://myonlinesecurity.co.uk/here-a...tures-malware/
    29 Apr 2015 - "An email saying 'Here are some pictures' with a subject of 'RE: Hello' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    Hello!
    Here are some pictures !!
    See you later!


    29 April 2015: in_my_home.zip: Extracts to: in_my_home.scr
    Current Virus total detections: 7/55*. Automatic analysis at MALWR shows it to be a Zeus banking Trojan. Creates a windows hook that monitors keyboard input (keylogger), creates Zeus (Banking Trojan) mutexes, mutex: MPSWabDataAccessMutex, creates an Alternate Data Stream (ADS) file: C:\WINDOWS\system32\commtui2.exe:Zone.Identifier, Installs itself for autorun at Windows startup... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1430289254/
    ___

    JavaScript malware
    - http://myonlinesecurity.co.uk/javascript-malware/
    29 Apr 2015 - "JavaScript malware is a different way of spreading malware. We have been seeing a steady increase in a different form of malware spreading. The bad guys are sending javascript files inside a zip or at the end of a link. We have seen several different email templates for this method ranging from:

    - E-Ticket 7694892 pretending to come from E-Ticket <online@ ticket .com>
    > http://myonlinesecurity.co.uk/e-tick...cript-malware/

    - Order 595775 which contains a simple email reading something like “Good Day! Find Order 595775 attached Thank you Jim Olsen” These also come in as -fake- invoices with random numbers and random names and senders. You normally find the name in the body of the email matches the name of the alleged sender.

    These particular js files (JavaScript malware) download & install a cryptowall 3.0 malware which will encrypt all your files on the computer and prevent access to them. There is absolutely -no- fix once you are infected so it is essential to have a full working backup and make sure it is stored off the computer. These cryptowall Trojans are -network- aware and will -encrypt- -all- -network- disks and external hard discs as well as the computer hard disc.
    All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. -Don’t- try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking-the-link in the email to see what is happening... The basic rule is NEVER open -any- attachment to an email, unless you are expecting it..."

    - http://blogs.cisco.com/security/talos/cryptowall-3-0
    ___

    Fake 'HSBC credit' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/new-cr...e-pdf-malware/
    29 Apr 2015 - "'New credit terms from HSBC' coming from random names at random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    Sir/Madam,
    We are pleased to inform you that our bank is ready to offer you a bank loan.
    We would like to ask you to open the Attachment to this letter and read the terms.
    Yours faithfully,
    Global Payments and Cash Management
    HSBC


    29 April 2015: mail2.zip: Extracts to: Payment.exe
    Current Virus total detections: 1/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1430307499/
    ___

    Incoming MMS Spam
    - http://threattrack.tumblr.com/post/1...oming-mms-spam
    Apr 29, 2015 - "Subjects Seen
    Incoming mms from +07452136643
    Typical e-mail details:
    No.: +07452136643
    Size: 8971
    ID: OHB.45598A07E.7385
    Filename: OHB.45598A07E.7385.cab
    Billie Souto


    Malicious File Name and MD5:
    OHB.45598A07E.7385.scr (d2843ca1919e48c16c98673210e0c3d2)


    Screenshot: https://41.media.tumblr.com/bc77a632...r6pupn_500.png

    Tagged: MMS, ctb locker
    ___

    Fake Chinese domain SCAMs
    - http://blog.dynamoo.com/2015/04/cnwe...ycom-scam.html
    29 Apr 2015 - "This spam email is actually part of a long-running Chinese scam.
    From: Jim Bing [jim.bing@ cnwebregistry .cn]
    Date: 29 April 2015 at 14:27
    Subject: Re:"[redacted]"
    Dear CEO,
    (If you are not the person who is in charge of this, please forward this to your CEO, because this is urgent, Thanks)
    We are a Network Service Company which is the domain name registration center in Shanghai, China.
    We received an application from Huayu Ltd on April 27, 2015. They want to register " [redacted] " as their Internet Keyword and " [redacted] .cn "、" [redacted] .com.cn " 、" [redacted] .net.cn "、" [redacted] .org.cn " domain names etc.., they are in China domain names. But after checking it, we find " [redacted] " conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?
    Best Regards,
    Jim
    General Manager


    Whoever "Huayu Ltd" are is irrelevant, as they aren't actually interested in registering these domains, even if they exist. Instead, this is an attempt by a -rogue- Chinese domain registrar to get you to buy -overpriced- and -worthless- domains. In this case the spam mentions the domain cnwebregistry .cn, but chinaygregistry .com is also on the same server and will be similarly fraudulent. This video I made a while ago explains the scam in more detail..."
    (Video @ the dynamoo URL above.)

    Last edited by AplusWebMaster; 2015-04-29 at 18:23.
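    Several items in this post and the ones above turn on the same trick: an executable (.scr, .exe, .js, .chm) carrying a PDF, Word or Excel icon, sometimes with a double extension such as "Privacy Policy.doc.scr", relying on Windows hiding known file extensions. The following is an added triage example written for this thread; it is not code from the quoted blogs. It inspects a zip attachment in memory without extracting it, flags executable types and double extensions by name, and also checks magic bytes so that a PE image renamed to .pdf is still caught. The extension lists and the sample zip members are constructed for the example.

```python
"""Attachment triage for the lures described in this thread (added example)."""
import io
import zipfile

# Types Windows runs on double-click, whatever icon the file carries (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "chm"}
# Types a user expects to see in an invoice/ticket/statement mail (assumed list).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "rtf", "txt", "jpg", "png"}
MZ_MAGIC = b"MZ"                                   # PE/DOS executable header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc/.xls container (can hold VBA)


def classify(name, head):
    """Classify one member from its name and first bytes.

    Returns (verdict, reason); verdict is one of allow / review / malicious.
    """
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if head.startswith(MZ_MAGIC) and ext not in EXECUTABLE_EXTS:
        # the spoofed-icon trick taken one step further: PE bytes behind a document name
        return "malicious", f"PE image (MZ header) named .{ext or '(none)'}"
    if ext in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            return "malicious", f"double extension .{parts[-2]}.{ext} hides an executable"
        return "malicious", f"executable type .{ext} sent by e-mail"
    if head.startswith(OLE_MAGIC) or ext in {"doc", "xls"}:
        return "review", "legacy OLE Office file: may carry a VBA downloader macro"
    if ext in DOCUMENT_EXTS:
        return "allow", f"document .{ext}"
    return "review", f"unrecognised extension .{ext or '(none)'}"


def triage_zip(data):
    """Inspect every member of a zip held in memory; returns [(name, verdict, reason)]."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(8)          # only the magic bytes, never the whole payload
            verdict, reason = classify(info.filename, head)
            results.append((info.filename, verdict, reason))
    return results


def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used here for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample, not real malware: names mirror the lures quoted in the
# thread, contents are only the magic bytes each disguise would carry.
SAMPLE_MEMBERS = {
    "Privacy Policy.doc.scr": b"MZ\x90\x00\x03\x00\x00\x00",
    "E-Ticket 7694892.js": b"var a = 'x';",
    "SecureMessage.chm": b"ITSF\x03\x00\x00\x00",
    "INVOICE.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "Payment.pdf": b"MZ\x90\x00\x03\x00\x00\x00",          # renamed executable
    "Inv_215042210.doc": OLE_MAGIC,
    "remittance.pdf": b"%PDF-1.4\n",
}


def demo():
    """Run the triage over the constructed sample; returns {name: verdict}."""
    return {name: verdict for name, verdict, _ in triage_zip(build_zip(SAMPLE_MEMBERS))}


if __name__ == "__main__":
    for name, verdict, reason in triage_zip(build_zip(SAMPLE_MEMBERS)):
        print(f"{verdict:9} {name:28} {reason}")
```

    The name check alone would already catch every sample in this thread; the magic-byte check is there because the sender controls the file name and the icon but not the first two bytes of a PE image. Legacy .doc/.xls files are only marked for review, since the macro-laden invoices above look identical to genuine ones by name and header.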

  8. #698

    Fake 'Telephone order', 'Statement', 'Amended Invoice' SPAM

    FYI...

    Fake 'Telephone order' SPAM - malicious doc attachment
    - http://blog.dynamoo.com/2015/04/malw...mcdonnell.html
    30 Apr 2015 - "This fake financial email is not from Gas Cylinders UK but is instead a simple -forgery- with a malicious attachment.
    From: Rebecca McDonnell [rebecca@ gascylindersuk .co .uk]
    Date: 30 April 2015 at 09:54
    Subject: Telephone order form
    Telephone order form attached
    Regards,
    Rebecca McDonnell
    Business Administrator
    340a Haydock Lane, Haydock Industrial Estate,
    St Helens, Merseyside, WA11 9UY
    DDI: 01744 304338
    Fax: 01942 275 312 ...


    There is a malicious Word document attached with the name TELEPHONE PURCHASE ORDER FORM.doc which probably comes in a few different variants, but the one I saw had a VirusTotal detection rate of 4/56* and contained this malicious macro... which downloaded a component from the following location:
    http ://morristonrfcmalechoir .org/143/368.exe
    This is saved as %TEMP%\serebok2.exe and has detection rate of 8/56**. Analysis tools are a bit patchy today, but the VirusTotal report indicates traffic to:
    212.227.89.182 (1&1, Germany)
    The Malwr report reported a dropped Dridex DLL with a detection rate of 3/55***."
    * https://www.virustotal.com/en/file/3...is/1430390792/

    ** https://www.virustotal.com/en/file/6...is/1430390534/

    *** https://www.virustotal.com/en/file/2...is/1430392218/


    - http://myonlinesecurity.co.uk/teleph...sheet-malware/
    30 Apr 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...order-form.png

    30 April 2015 : TELEPHONE PURCHASE ORDER FORM.doc - Current Virus total detections: 4/55*
    ... which downloads and runs nishatdairy .com/143/368.exe which is saved as %Temp%\serebok3.exe and autoruns (virus Total**)..."
    * https://www.virustotal.com/en/file/1...is/1430379008/

    ** https://www.virustotal.com/en/file/6...is/1430379609/
    ___

    Fake 'Statement' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/statem...e-pdf-malware/
    30 Apr 2015 - "'Statement of Account 5905779365764954' (random number) coming from random names and email addresses with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...9365764954.png

    30 April 2015 : random name : Extracts to: statement.exe | Account_info.exe | Docs_23131445.exe
    Current Virus total detections: 1/55* | 1/55** | 1/55***. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/b...is/1430384002/

    ** https://www.virustotal.com/en/file/a...is/1430384014/

    *** https://www.virustotal.com/en/file/1...is/1430384178/
    ___

    Fake 'Amended Invoice' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/attach...sheet-malware/
    30 Apr 2015 - "'Attached Amended Invoice 115784 Re D/N 103674. 9/4/15' pretending to come from accounts@ procterscheeses .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email body is totally -blank-. This contains exactly the -same- malware as today’s earlier spam run of malicious word docs Telephone order form – Rebecca McDonnell — word doc or excel xls spreadsheet malware*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * http://myonlinesecurity.co.uk/teleph...sheet-malware/
    ___

    Nepal Earthquake Disaster - Email Scams
    - https://www.us-cert.gov/ncas/current...er-Email-Scams
    April 30, 2015 - "... potential email scams regarding the earthquake in Nepal. The scam emails may contain links or attachments that may direct users to phishing or malware infected websites. Phishing emails and websites requesting donations for -fraudulent- charitable organizations commonly appear after these types of natural disasters..."

    Last edited by AplusWebMaster; 2015-04-30 at 16:26.

  9. #699

    Fake 'Invoice', 'Claims' SPAM

    FYI...

    Fake 'Invoice' SPAM - doc/xls malware attached
    - http://myonlinesecurity.co.uk/berend...sheet-malware/
    1 May 2015 - "'Berendsen UK Ltd Invoice 60022446 344' pretending to come from donotreply@ berendsen .co .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...022446-344.png

    1 May 2015 : IRN001610_60022446_I_01_01.doc - Current Virus total detections: 2/56*
    ... which connects to & downloads laurelwoodvirginia .com/654/46.exe, which is saved as %temp%\serebok5.exe and -autoruns- on your computer (virus Total**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1430472222/

    ** https://www.virustotal.com/en/file/e...is/1430476073/
    ... Behavioural information
    TCP connections
    212.227.89.182: https://www.virustotal.com/en/ip-add...2/information/
    88.221.15.80: https://www.virustotal.com/en/ip-add...0/information/
    UDP communications
    104.41.150.68: https://www.virustotal.com/en/ip-add...8/information/

    laurelwoodvirginia .com: 66.175.58.9: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake 'Claim' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/copy-o...sheet-malware/
    1 May 2015 - "'Copy of claim passed for consideration to HM Courts Ref: [random numbers] from [random companies]' coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like this, but be aware that every email will have a -different- random claim number and -different- company listed as the claimant:

    SOVEREIGN MINES OF AFRICA PLC has issued the claim against you and passed for consideration to HM Courts Ref:[EK8013GUH].The claim was read, and passed to the second reading. For these or other notarial acts, or the legalising of documents, please contact SOVEREIGN MINES OF AFRICA PLC as soon as posible.

    So far I have seen:
    - Copy of claim passed for consideration to HM Courts Ref:[EK8013GUH] from SOVEREIGN MINES OF AFRICA PLC
    - Copy of claim passed for consideration to HM Courts Ref:[UK1751MQV] from FALKLAND OIL & GAS
    - Copy of claim passed for consideration to HM Courts Ref:[EI6841DHZ] from BREEDON AGGREGATES LTD
    - Copy of claim passed for consideration to HM Courts Ref:[BB1620VDT] from WILLIAM HILL PLC
    - Copy of claim passed for consideration to HM Courts Ref:[FZ8349DFN] from GAZPROM OAO
    - Copy of claim passed for consideration to HM Courts Ref:[WY4077WQJ] from Hardy Amies Ltd
    - Copy of claim passed for consideration to HM Courts Ref:[GX0331SJB] from Nathaniel Lichfield and Partners
    25 February 2015 : EI6841DHZ.doc | EK8013GUH.doc | UK1751MQV.doc
    Current Virus total detections: 0/56* | 0/56** | 0/56***
    ... at least one of these macros downloads from pastebin .com/download.php?i=XEKaxHCg and verifed. acgfamilyoffices. com/ebn/logo.jpg (so far I have not been able to get the content but am still trying)..."
    * https://www.virustotal.com/en/file/3...is/1430477322/

    ** https://www.virustotal.com/en/file/d...is/1430477337/

    *** https://www.virustotal.com/en/file/9...is/1430477346/

    - http://blog.mxlab.eu/2015/05/01/emai...ous-word-file/
    May 1, 2015
    > https://www.virustotal.com/en/file/3...is/1430480904/
    File name: ZI2444LQN.doc
    Detection ratio: 0/56
    ___

    Fake 'Delivery confirmation' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/delive...sheet-malware/
    1 May 2015 - "'Delivery confirmation form for purchase BW91149JYA [random numbers]' from 30/04/15 coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Please fill out the attached form and return it to us.
    Best regards, Antonia Lang


    The name in the body of the email matches the alleged sender. The purchase number in the subject matches the attachment name. The malware payload is exactly the -same- as the payload in today’s earlier spam run of malicious word docs 'Copy of claim passed for consideration to HM Courts Ref:...' – word doc or excel xls spreadsheet malware*. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * http://myonlinesecurity.co.uk/copy-o...sheet-malware/

    Last edited by AplusWebMaster; 2015-05-02 at 14:52.
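    The macro documents reported in this post and the two before it (INVOICE PD, Telephone order, Berendsen invoice) all pull their second stage from URLs of the same shape, http://<compromised-host>/<digits>/<digits>.exe (62/927.exe, 143/368.exe, 654/46.exe), and the same path shows up on more than one host while, as dynamoo notes, the binary is the same in all cases. The following is an added example written for this thread, not code from the quoted blogs: it parses a constructed proxy log, flags fetches whose path matches that numeric shape, groups the hits by path so the hosts serving one payload can be blocked together, and lists the internal clients that fetched one. The log format, the byte counts and the client addresses are made up for the example; the host names and paths are the ones quoted in the posts.

```python
"""Proxy-log hunt for the macro-downloader fetches described in this thread (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path heuristic taken from the URLs quoted in the thread: short numeric
# directory, short numeric file name, .exe. Tune the digit limits per environment.
NUMERIC_EXE_PATH = re.compile(r"^/\d{1,4}/\d{1,4}\.exe$", re.IGNORECASE)

# Constructed log lines (not real traffic): "unix_ts client_ip method url status bytes".
SAMPLE_LOG = """\
1430209748.101 10.1.2.15 GET http://massachusettsselfstorage.com/62/927.exe 200 233472
1430207999.532 10.1.2.77 GET http://muebleseviajan.com/62/927.exe 200 233472
1430379609.004 10.1.3.40 GET http://nishatdairy.com/143/368.exe 200 245760
1430390534.220 10.1.2.15 GET http://morristonrfcmalechoir.org/143/368.exe 200 245760
1430476073.871 10.1.5.9 GET http://laurelwoodvirginia.com/654/46.exe 200 251904
1430476100.000 10.1.5.9 GET http://www.example.com/downloads/setup.exe 200 9000000
1430476110.000 10.1.2.15 GET http://www.example.com/index.html 200 5120
"""


def parse_line(line):
    """Split one log line into a dict; returns None for malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, client, method, url, status, size = fields
    return {"ts": float(ts), "client": client, "method": method,
            "url": url, "status": int(status), "bytes": int(size)}


def find_downloader_fetches(log_text):
    """Return parsed records whose URL path matches the numeric /N/M.exe shape."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        if NUMERIC_EXE_PATH.match(parts.path):
            rec["host"] = parts.hostname
            rec["path"] = parts.path
            hits.append(rec)
    return hits


def cluster_by_path(hits):
    """Group hosts by served path: one path on many hosts means one payload, many drop sites."""
    clusters = defaultdict(set)
    for rec in hits:
        clusters[rec["path"]].add(rec["host"])
    return dict(clusters)


def clients_to_check(hits):
    """Internal addresses that fetched a matching URL; candidates for a %TEMP% inspection."""
    return sorted({rec["client"] for rec in hits})


if __name__ == "__main__":
    found = find_downloader_fetches(SAMPLE_LOG)
    for path, hosts in cluster_by_path(found).items():
        print(path, "served by", ", ".join(sorted(hosts)))
    print("clients to check:", clients_to_check(found))
```

    The path shape is a heuristic for this particular run, not a signature: the earlier FRONT RANGE invoice in this thread fetched 91.194.254.240/us274/file.exe, which this pattern does not match, and a legitimate site could in principle serve /1/2.exe. Its value is the clustering: once one host is known, every other host serving the identical path is almost certainly the same campaign.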

  10. #700

    Fake 'Unaccepted account', ACH SPAM, Macro Malware, Fiesta exploit kit

    FYI...

    Fake 'Unaccepted account' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/holded...e-pdf-malware/
    4 May 2015 - "An email coming from random senders and random email addresses with subjects of 'Holded account notification' or 'Unaccepted account caution' or similar vaguely banking related subjects with a zip attachment is another one from the current bot runs... Some subjects seen with this series of spam emails are:
    Blocked bank operation report
    Holded account notification
    Unaccepted account caution
    Rejected operation warning
    Blocked transaction warning
    Some attachment names are:
    block_warning_information.zip
    nullfication_alert_details.zip
    rejection_message_data.zip
    rejection_notification_form.zip
    invalidation_alert_document.zip
    The email looks like:
    Be noted that your depositis rejected.
    Please see the report for detailed information.
    Susan Morgan
    Account Security Department

    -Or-
    Be adviced that your payment not accepted.
    Please see the document for detailed information.
    Mary Roberts
    Senior Manager

    -Or-
    We inform you that your fund not accepted.
    Please look the document for detailed information.
    Jane Jones
    Senior Manager


    4 May : block_warning_information.zip | nullfication_alert_details.zip
    Extracts to: block_warning_report.exe | abrogation_warning_information.exe
    Current Virus total detections: 1/55* | 1/55**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...bbc1/analysis/

    ** https://www.virustotal.com/en/file/9...is/1430748957/

    - https://isc.sans.edu/diary.html?storyid=19657
    2015-05-05
    ___

    ACH Spam
    - http://threattrack.tumblr.com/post/1...46488/ach-spam
    May 4, 2015 - "Subjects Seen:
    ACH Approval Letter
    Typical e-mail details:
    The Automated Clearing House (ACH) application for your company has been processed and the payer unit number assigned is 029762. This number identifies to the Federal Reserve Bank of Cleveland the account to be debited and is required input in the “ABI ACH Payment Authorization Input Record.” It is the responsibility of the payer to use the correct payer unit number in every transaction in which statements are paid via ACH.
    You may begin paying statements via ACH. If you are a Customhouse broker who is using ACH for the first time, please contact your ABI client representative to request that your ABI records be updated to permit ACH filing. If you are already using ACH for other importer statement transmissions, you do not need to contact your ABI client representative. If you are a new ABI importer, please contact your ABI client representative to ensure that the appropriate ABI records are updated to permit you to transmit entry summaries, which will be filed under ACH...
    If you have any questions, you may contact ACH Help Desk at (317) 298-1200, extension 1098.
    Sincerely,
    Cindi Miller, Chief
    Collections Refunds and Analysis Branch
    Revenue Division
    Thank You,
    Kirsten Anderson


    Malicious File Name and MD5:
    ACH_Import_Information.scr (bc7bb730e98fcde7044251784e0d8ceb)


    Tagged: ACH, Upatre
    ___

    Macro Malware: Old Tricks still Work ...
    - http://blog.trendmicro.com/trendlabs...l-work-part-1/
    May 4, 2015 - "Now comes a time when we are reminded of why this security warning prompt in Microsoft Word matters:
    Microsoft Word security warning for macros:
    > https://blog.trendmicro.com/trendlab...4/Figure01.jpg
    ... We’ve already seen signs of macro malware in the threat landscape a year ago with the W97M_SHELLHIDE.A and TSPY_ZBOT.DOCM combination. At first, we thought that it was just a chance encounter but, as covered in our recent report on BARTALEX, the method of distributing malware through the misuse of macros has borne the likes of DRIDEX, ROVNIX and VAWTRAK into computer systems from the latter part of 2014 up to this year. What’s more, we noticed that this resurgence of macro malware has a single area of focus: enterprises. Enterprises were heavily affected by a spam outbreak involving macro malware. We saw that macro malware detections in Q1 2015 drove huge numbers:
    Q1 2015 MS Word and Excel malware detections:
    > https://blog.trendmicro.com/trendlab...4/Figure-2.jpg
    This data is based on feedback from Trend Micro’s Smart Protection Network, representing files that have been detected on endpoints. The following conclusions can be drawn:
    - The two common malware families seen are W97M_MARKER and W2KM_DLOADR.
    - You can see X2KM_DLOADR detections around the start of February.
    - A couple more significant ones like W2KM_DOXMAL and W2KM_MONALIS started showing up in the 2nd week of March.
    - Finally, W2KM_BARTALEX started picking up in the middle of February and was seen up to the last week of March... The macro code was instrumental in dropping the .DLL file that instated the malware, GHOLE. Targeted attack campaigns would usually use vulnerabilities that had been determined to be effective on a target, or even zero-day vulnerabilities. This operation, however, had taken a much easier route of using the tired, old method of traditional malware. If you take the methods employed by GHOLE, ZBOT, DRIDEX, ROVNIX and VAWTRAK, we’ve all seen them in the past – as well as macro malware and email-borne threats... the right time has come and known threats are repackaged with old methods, resulting in what we now determine to be equally effective..."
    ___

    Fiesta EK wreaks havoc on popular Torrent Site
    - https://blog.malwarebytes.org/exploi...-torrent-site/
    May 4, 2015 - "... Besides the illegal nature of the act in some countries, many sites that index torrents are filled with aggressive ads and pop ups often tricking the user into running programs and other junk that they don’t need. To get the actual content you were looking for is often a battle that could end with some unwanted toolbars added to your browser, or worse, malware. Such is the case with popular Torrent index SubTorrents .com, a very popular Torrent in Spain and Latin America... Users trying to download their favourite TV show may end up getting more than they were looking for. Upon browsing the site, a malicious -redirection- silently loads the Fiesta exploit kit and associated malware payload. Fortunately, Malwarebytes Anti-Exploit users were shielded from this threat... Given the large amounts of ads on the site, it would have been fair to suspect a malvertising issue, but this was not the case here. Rather, the site itself has been -compromised- and serves a well hidden iframe... the author had some fun trying to make things a little more complicated. Rather than directly inserting a malicious iframe (to the exploit kit landing), they chose to build it on the fly by retrieving the content from an external .js... The exploit kit is Fiesta EK and we noticed a new format, where semi colons are now commas... Downloading illegal Torrents is dangerous business. On top of fake files that waste your time and bandwidth, users have to navigate through a sea of misleading ads and pop ups. They may end up saving a few bucks off that latest movie but could also risk a lot more, like getting a nasty malware infection. Ransomware being so prevalent these days could mean that all of a user’s files, including those movies and songs could be encrypted and held for ransom. Regardless, it is important to stay safe from such attacks by keeping your computer up-to-date..."
    (More detail at the malwarebytes URL above.)

    Last edited by AplusWebMaster; 2015-05-05 at 13:14.
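As an added defender-side example (not from the forum post or the blogs it quotes), the kind of check a mail gateway or triage script can run over zip attachments like the ones described above: flag members with directly executable extensions such as the .exe, .scr and .js names in these spam runs and, going beyond the page, members whose content starts with the Windows PE "MZ" magic even when they carry a document extension. The member names are taken from the posts; the zip, its contents and the `triage_zip_attachment` helper are constructed for this example.

```python
import io
import os
import zipfile

# Extensions Windows runs directly; the spam runs above used .exe, .scr and .js
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".bat", ".cmd", ".com", ".pif"}


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with the DOS 'MZ' stub every Windows PE begins with."""
    return data[:2] == b"MZ"


def triage_zip_attachment(zip_bytes: bytes) -> list:
    """Return one (member name, reason) finding per suspicious zip member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = os.path.splitext(name.lower())[1]
            head = zf.open(info).read(4)  # only the magic is needed, not the whole file
            if ext in EXECUTABLE_EXTS:
                # covers double extensions such as invoice.pdf.exe as well
                findings.append((name, f"executable extension {ext}"))
            elif looks_like_pe(head):
                # extension claims a document, content is a Windows executable
                findings.append((name, "PE header under non-executable extension"))
    return findings


def _build_sample_zip() -> bytes:
    """Constructed sample, not a real attachment: mimics the zip layouts quoted above."""
    fake_pe = b"MZ" + b"\x90" * 62  # DOS stub magic only; nothing runnable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("block_warning_report.exe", fake_pe)    # name from the spam run
        zf.writestr("ACH_Import_Information.scr", fake_pe)  # .scr is a PE too
        zf.writestr("statement.pdf", fake_pe)               # renamed PE, wrong extension
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip_attachment(_build_sample_zip()):
        print(f"SUSPICIOUS {member}: {reason}")
```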
