SPAM frauds, fakes, and other MALWARE deliveries...

[AplusWebMaster]

FYI...

Fake 'Message from scanner' SPAM – PDF malware
- http://myonlinesecurity.co.uk/messag...e-pdf-malware/
24 Aug 2015 - "'Message from scanner' pretending to come from scanner.coventrycitycentre@ brianholt .co.uk with a zip attachment but a completely -empty/blank- body of the email is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-con...om-scanner.png

24 August 2015: Sscanner15081208190.zip: Extracts to: Sscanner15081208190.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8...is/1440408248/

- http://blog.dynamoo.com/2015/08/malw...m-scanner.html
24 Aug 2015 - "... malicious executable Sscanner15081208190.exe embedded into the attachment Sscanner15081208190.zip . This executable has a detection rate of just 5/54*. The Hybrid Analysis report** shows the malware POSTing to:
smboy .su/mu/tasks.php
.SU (Soviet Union) domains are almost always bad news. If you can block them on your web filter then I recommend that you do so. This particular site is hosted on 95.172.146.73 (RTComm-Sibir, Russia). The network range of 95.172.146.0/23 does seem to contain some legitimate Russian-language sites, but you might want to -block- the whole range to be on the safe side. The payload is unknown, but typically malware like this will drop either the Dyre banking trojan or some sort of ransomware."
* https://www.virustotal.com/en/file/8...is/1440414098/

** https://www.hybrid-analysis.com/samp...nvironmentId=1

95.172.146.73: https://www.virustotal.com/en/ip-add...3/information/
___

German site dwdl .de -hacked- serving malware via 94.142.140.222
- http://blog.dynamoo.com/2015/08/popu...de-hacked.html
24 Aug 2015 - "... German media website dwdl .de has been -hacked- and is serving up malware, according to this URLquery report*. URLquery's IDS function detects what looks like the RIG Exploit kit:
> https://3.bp.blogspot.com/-pFLpyrW75...00/dwdl-de.png
The exploit is injected code pointing to a server at 94.142.140.222 (Marosnet Telecommunication Company, Russia) which in the example is using filter.michiganbeerhops .com which is a -hijacked- GoDaddy domain. The exploit only appears to work if the site is accessed via a search engine, which looks like a classic .htaccess hack. URLquery's script relationship chart shows this in action:
> https://3.bp.blogspot.com/-XrAJ6DxnJ..._graph.php.gif
VirusTotal** gives an overview of other malicious domains on this server. It indicates that the following domains have been -hijacked- and malicious subdomains set up..."
(Long list at the dynamoo URL - top of this post.)
* http://urlquery.net/report.php?id=1440424952903

** 94.142.140.222: https://www.virustotal.com/en/ip-add...2/information/

[AplusWebMaster]

FYI...

Fake 'Visa Card' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/08/malw...-aug-2015.html
25 Aug 2015 - "This -fake- financial spam does not come from Ellesemere Engineering but is in fact a simple forgery with a malicious attachment:
From [david@ ellesmere .engineering]
To "'Sharon Howarth'" [sharon@ ellesmere .engineering]
Date Tue, 25 Aug 2015 09:52:47 +0200
Subject Visa Card Aug 2015
Visa Card payments this month
---
This email has been checked for viruses...

Attached is a document Visa Card Aug 2015.docm which I have seen in three different versions, containing one of -three- malicious macros... that then attempt to download a malicious binary from one of the following locations:
http ://e-projekt.ns1.internetdsl .pl/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
http ://landrevie.g.free .fr/45gf3/7uf3ref.exe
This executable has a detection rate of just 1/55* and the Malwr report** shows network traffic to:
91.239.232.9 (Hostpro Ltd, Ukraine)
I strongly recommend that you -block- that IP address. The payload to this is almost definitely the Dridex banking trojan."
* https://www.virustotal.com/en/file/d...is/1440489790/
... Behavioural information
TCP connections
91.239.232.9: https://www.virustotal.com/en/ip-add...9/information/
191.234.4.50: https://www.virustotal.com/en/ip-add...0/information/

** https://malwr.com/analysis/YzFkMGQyN...djMjRjODg5NDY/

internetdsl .pl: 80.48.169.1: https://www.virustotal.com/en/ip-add...1/information/

free .fr: 212.27.48.10: https://www.virustotal.com/en/ip-add...0/information/

- http://myonlinesecurity.co.uk/visa-c...macro-malware/
25 Aug 2015
Screenshot: http://myonlinesecurity.co.uk/wp-con...d-Aug-2015.png
25 August 2015: Visa Card Aug 2015.docm - Current Virus total detections 7/55*
Downloads Dridex banking malware.
* https://www.virustotal.com/en/file/9...is/1440499540/
___

Fake 'Dropbox' SPAM - leads to malware
- http://blog.dynamoo.com/2015/08/malw...hedule092.html
25 Aug 2015 - "This -fake- Dropbox email leads to malware, hosted on the sharing service sugarsync .com.
From: June Abel via Dropbox [no-reply@ dropbox .com]
Date: 25 August 2015 at 12:59
Subject: June Abel shared "UPDATE_VACATIONS_SCHEDULE_09_2015.pdf" with you
June used Dropbox to share a file with you!
Click here to download.
© 2015 Dropbox

I have seen three different samples with different download locations:
https ://www.sugarsync .com/pf/D3941255_827_052066225?directDownload=true
https ://www.sugarsync .com/pf/D160756_82_6104120627?directDownload=true
https ://www.sugarsync .com/pf/D2694666_265_638165437?directDownload=true
In each case, the binary downloaded is identical and has a VirusTotal detection rate of 3/55*. Analysis is pending, but the payload appears to be the Dyre banking trojan.
UPDATE: The Hybrid Analysis report** shows traffic to 197.149.90.166 (Cobranet, Nigeria) which I recommend you block."
* https://www.virustotal.com/en/file/8...is/1440506327/

** https://www.hybrid-analysis.com/samp...nvironmentId=1

sugarsync .com: 74.201.86.21: https://www.virustotal.com/en/ip-add...1/information/

197.149.90.166: https://www.virustotal.com/en/ip-add...6/information/
___

Fake 'Invoice 26949' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/08/malw...rom-i-spi.html
25 Aug 2015 - "My spam traps did not collect the body text from this message, so all I have is headers. However, this -fake- financial email is not from i-Spi Ltd and is instead a simple forgery with a malicious attachment:
From [sales@ ispitrade .com]
Date Tue, 25 Aug 2015 20:37:09 +0800
Subject Invoice 26949 from I - SPI Ltd

Attached is a file Inv_26949_from_I__SPI_Ltd_7888.doc which actually comes in several different versions... which contains a malicious macro... that downloads an executable from one of the following locations:
http ://landrevie.g.free .fr/45gf3/7uf3ref.exe
http ://e-projekt.ns1.internetdsl .pl/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
http ://claudio.locatelli .free .fr/45gf3/7uf3ref.exe
http ://spitlame.free .fr/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
This Hybrid Analysis report* shows network traffic to:
91.239.232.9 (Hostpro Ltd, Ukraine)
This is the same bad IP as found in this earlier spam run**, I recommend that you block it. The payload here is almost definitely the Dridex banking trojan."
* https://www.hybrid-analysis.com/samp...nvironmentId=1

** http://blog.dynamoo.com/2015/08/malw...-aug-2015.html

- http://myonlinesecurity.co.uk/invoic...macro-malware/
25 August 2015: Inv_26949_from_I__SPI_Ltd_7888.doc "... Downloads the -same- Dridex banking malware as described in today’s earlier malspam run of malicious word docs*..."
* http://myonlinesecurity.co.uk/visa-c...macro-malware/
___

Browsefox variant High Stairs - browser hijackers
- https://blog.malwarebytes.org/securi...t-high-stairs/
Aug 25, 2015 - "Browsefox aka Sambreel aka Yontoo is a family of browser hijackers. When advertised they promise to “customize and enhance your interaction with the websites you visit”, but in reality they are almost never a users choice install. They come -bundled- with other software at many major download sites and at best you will see this screen when the installation starts:
> https://blog.malwarebytes.org/wp-con...5/08/main1.png
High Stairs is one of the latest additions to this family. It is being offered as a browser extension -without- making clear what it does for the user. If you want to have a look at the EULA and Privacy Policy you will have to visit their website:
> https://blog.malwarebytes.org/wp-con...15/08/EULA.png
... The EULA clearly states that it allows the “Software” to use -any- means imaginable to deliver advertisements and that it will collect your data. The Privacy Policy lets you know that they will use, share and sell those data to any and all parent, subsidiary or affiliate companies. Bottom line, as long as it brings in cash. Browser hijackers of this family are VM aware, meaning they will not do a full install if they detect they are run on a Virtual Machine. Sometimes the files are downloaded and put in place, but the extensions are not installed and enabled. The -hijackers- from this family do provide browser extensions for IE, Firefox, Chrome and Opera (and probably more)... invisible iframes can be used to deliver anything and everything to your computer, ranging from advertisements (which is very likely in this case) to (in theory) exploit kits. In theory in this case means, that we haven’t seen any exploit kits being delivered through the advertisements these PUPs deliver, but if the PUP has a vulnerability or their network is compromised a third party could use this in the same manner as has been done with malvertisements on legitimate sites. This browser hijacker is relatively easy to remove. Other variants have been known to install services as well, making them a bit harder to tackle. Unfortunately “High Stairs” is not alone. We see a new Sanbreel variant at least a few times every week. The installer and the installed files are all detected as 'PUP.Optional.HighStairs.A'. Logs, more screenshots and removal instructions for “High Stairs” can be found on our forums*..."
* https://forums.malwarebytes.org/inde...r-high-stairs/

[AplusWebMaster]

FYI...

Fake 'Scanned image - MX-2600N' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/scanne...macro-malware/
26 Aug 2015 - "'Scanned image from MX-2600N' pretending to come from noreply@ your email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...-macros_21.png
The email looks like:
Reply to: noreply@ securityandprivacy .co.uk <noreply@ securityandprivacy .co.uk>
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set
File Format: DOC MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned image in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated to view the document.

26 August 2015: noreply@ securityandprivacy.co.uk_20150826_181106.doc
Current Virus total detections 7/57*:
Downloads Dridex banking malware from one of these locations:
detocoffee.ojiji .net/45ygege/097uj.exe (virus Total**)
students.johnbryce .co.il/nagare/45ygege/097uj.exe
groupedanso .fr/45ygege/097uj.exe
asterixpr.republika .pl/45ygege/097uj.exe
fotolagi .com/45ygege/097uj.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/3...is/1440582748/

** https://www.virustotal.com/en/file/e...is/1440583201/
... Behavioural information
TCP connections
91.239.232.9: https://www.virustotal.com/en/ip-add...9/information/
191.234.4.50: https://www.virustotal.com/en/ip-add...0/information/

- http://blog.dynamoo.com/2015/08/malw...e-from-mx.html
26 Aug 2015 - "... The email appears to come from the victim's own domain, but it does not. The "From" address on email is extremely easy to forge. So far I have seen three different malicious attachments, each one in the format noreply@ victimdomain.com_20150826_181106.doc with detection rates of around 7/56 [1] [2] [3] containing one of three malicious macros... which attempt to download a malicious component from one of the following locations:
http ://fotolagi .com/45ygege/097uj.exe
http ://asterixpr.republika .pl/45ygege/097uj.exe
http ://detocoffee.ojiji .net/45ygege/097uj.exe
This malicious binary currently has a VirusTotal detection rate of just 2/54. Automated analysis... shows network traffic to 91.239.232.9 (Hostpro Ltd, Ukraine) which has been used in serveral attacks recently. The payload is almost definitely the Dridex banking trojan."
1] https://www.virustotal.com/en/file/7...is/1440583485/

2] https://www.virustotal.com/en/file/8...is/1440583498/

3] https://www.virustotal.com/en/file/5...is/1440583515/
___

Fake 'invoice A4545945' SPAM - PDF malware
- http://myonlinesecurity.co.uk/screwf...e-pdf-malware/
26 Aug 2015 - "'Copy of invoice A4545945. Please find your invoice attached' pretending to come from Screwfix Direct <online@ screwfix .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear Customer
Thank you for shopping at Screwfix.
As requested please find attached a copy of invoice: A4545945.
You will require a PDF file reader in order to view and print the invoice. Should your invoice not be attached please email invoice@ screwfix .com ensuring that you quote your order reference.
Please do not reply to this e-mail.
If you have any queries, please quote the Invoice Number: A4545945, when contacting us:
Phone: 0500 41 41 41 (03330 112 320 from a mobile) UK based Contact Centre
E-mail: online@ screwfix .com
Write to: Screwfix, Trade House, Mead Avenue, Yeovil, BA88 8RT ...

26 August 2015: Invoice_A3176864.zip: Extracts to: Invoice.scr
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/a...is/1440580919/
___

Fake 'Invoices from UBM' SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-i...pdf-malware-2/
26 Aug 2015 - "'Your Invoices from UBM' pretending to come form UBM (UK) Limited <ubm@ ubm .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear Customer,
Please find attached your invoice(s) from UBM. If you have any queries regarding the invoice, payment or service delivered please don’t hesitate to contact us on the details below.
Regards,
UBM Receivables Team.
Tel : +44 207 921 8506 (21627)
Email : bogumila.murzyn@ ubm .com
Fax :
****PLEASE DO NOT REPLY TO THE EMAIL ADDRESS ubm@ ubm .com AS IT IS NOT MONITORED**** ...

26 August 2015:65550757_Invoices_26-AUG-2015.zip:
Extracts to: 65550757_Invoices_26-AUG-2015.scr ... which is the -same- Upatre malware that is described in today’s other malspam run with Zip attachments*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/screwf...e-pdf-malware/
___

Fake 'new fax delivery svc' – PDF malware
- http://myonlinesecurity.co.uk/we-are...e-pdf-malware/
26 Aug 2015 - "A series of emails saying 'We are a new fax delivery service' with the subject reading Fax #[ random characters] from [random name] with a zip attachment is another one from the current bot runs... The email looks like:
You have a fax.
Data sent: Wed, 26 Aug 2015 14:08:41 +0000
TO: [redacted]
*********************************
We are a new fax delivery service – Walker-Gerlach.
Our company develops rapidly and services remain fastest and open to everyone.
As our slogan goes: “Fast. Cheap. Best quality.”
*********************************
-Or-
You have a fax.
Data sent: Wed, 26 Aug 2015 14:06:21 +0000
TO: [REDACTED]
*********************************
We are a new fax delivery service – Hirthe-Bayer.
Our company develops rapidly and services remain fastest and open to everyone.
As our slogan goes: “Fast. Cheap. Best quality.”
*********************************

26 August 2015: fax_jxJ3O9_Walker-Gerlach_Colton Leffler.zip
Extracts to: Invoice East Marta.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8...is/1440598735/

- http://blog.dynamoo.com/2015/08/fake...e-senders.html
26 Aug 2015 - "... - fake- fax spam comes from random senders - company names and attachment names vary from spam to spam... Attached is a ZIP file combining various elements from the spam (for example, in this case it was fax_AhnxlQ8_Heaney, Vandervort and Hilll_Donny Kub.zip). This contains a malicious executable (e.g. Invoice Lake Janeview.exe) which currently has a 2/56* detection rate at VirusTotal. The Hybrid Analysis report** shows it phoning home to:
197.149.90.166 /260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM
197.149.90.166 /260822U/Yd1D3h1R87/41/5/42/FDMBEFJBMKBEMM
This pattern marks the malware out as being Upatre/Dyre. 197.149.90.166 is an IP address belonging to Cobranet in Nigeria which was also used in a similar attack yesterday.*** "
* https://www.virustotal.com/en/file/9...is/1440599515/

** https://www.hybrid-analysis.com/samp...nvironmentId=1

*** http://blog.dynamoo.com/2015/08/malw...hedule092.html
___

Bank of America Invoice Spam
- http://threattrack.tumblr.com/post/1...a-invoice-spam
Aug 26, 2015 - "Subjects Seen
Invoice Annabell Yost
Typical e-mail details:
Dear Customer,
Invoice14768170 from Annabell Yost.
Sincerely,
Ellsworth Abbott
1-100-532-7314
Bank of America PLC.

Screenshot: https://40.media.tumblr.com/b3655d7b...r6pupn_500.png

Malicious File Name and MD5:
InvoiceFaker__Number.number(5)info_324986219861.exe (276646dc44bb3a2e4bf7ba21f207b5be)

Tagged: bank of america, Upatre

[AplusWebMaster]

FYI...

Angler Exploit Kit strikes MSN.com via Malvertising Campaign
- https://blog.malwarebytes.org/malver...sing-campaign/
Aug 27, 2015 - "The same ad network – AdSpirit .de – which was recently abused in malicious advertising attacks against a slew of top media sites was caught serving malvertising on MSN .com. This is the work of the -same- threat actors that were behind the Yahoo! malvertising. The incident occurred when people who where simply browsing MSN’s news, lifestyle or other portals were served with a malicious advertisement that silently loaded the Angler exploit kit and attempted to infect their computers. The ad request came from AppNexus, which loaded the booby-trapped advert from AdSpirit and the subsequent malvertising chain.
Infection chain:
msn .com/en-us/news/politics/dozens-of-clinton-emails-were-classified-from-the-start-us-rules-suggest/ar-BBlXPkl?ocid=iehp (publisher)
lax1.ib.adnxs .com/{redacted} (AppNexus Ad network)
pub.adspirit .de/adframe.php?pid=7&ord=[timestamp]prdclick_0 (AdSpirit Ad network)
trkp-a1009.rhcloud .com/?tr28-0a22 (OpenShift redhat Redirection)
fox23tv .com/?cn67CuYcDcbvV (Same ad but with redirection to malicious URL)
abbezcqerrd.irica.wieshrealclimate .com (iframe to exploit kit)
hapme.viwahcvonline .com (Angler EK landing page)
> https://blog.malwarebytes.org/wp-con...redir_flow.png
This time, rogue actors are leveraging RedHat’s cloud platform, rhcloud .com to perform multiple -redirections- to the Angler exploit kit (in the previous attack they were using Microsoft’s Azure). While we did not collect the malware payload associated with this campaign, we believe it is either Ad fraud or ransomware, Angler’s trademark. Angler has been acting up strange lately, for instance last week it fell out of favour briefly for the Neutrino EK when compromised sites decided to redirect to the latter. Following our report, AppNexus -deactivated- the creative in question and said they were investigating this issue in greater depth..."

viwahcvonline .com: 141.8.224.93: https://www.virustotal.com/en/ip-add...3/information/

> https://www.virustotal.com/en/url/a4...2078/analysis/
___

Fake 'resume' SPAM leads to Cryptowall
- http://blog.dynamoo.com/2015/08/malw...-leads-to.html
26 Aug 2015 at 22:48 - "This -fake- resume spam has a malicious payload. I got part way through decrypting it to discover that @Techhelplistcom had done all the hard bits which saved me some effort. This particular spam delivers a version of the Cryptowall ransomware. In the only sample I saw, the spam looks like this:
From: emmetrutzmoser@ yahoo .com
To:
Date: 26 August 2015 at 23:29
Subject: RE:resume
Signed by: yahoo .com
Hi! my name is Janet Ronald it is my resume!Awaiting your prompt reply
Best regards
Janet Ronald

Attached was a file Janet_Ronald_resume.doc [VT 5/56*] which contains a malicious macro... The format of this message is very similar to this other fake resume spam seen recently[1], and a key feature here is that the message is really sent through Yahoo! and is not a forgery.
1] http://blog.dynamoo.com/2015/08/malw...el-resume.html
Deobfuscating the macro shows that a file is downloaded from http :// 46.30.46.60 /444.jpg which is then run through a decoding mechanism to create (I think) %APPDATA%\278721985.exe. The Hybrid Analysis report** shows some of this in action, but Techhelplist[2] did the hard work of decrypting it..
> https://4.bp.blogspot.com/-gMHNsx2OE...cryptowall.png
...
2] https://twitter.com/Techhelplistcom/...33492441268224
To save a bit of time, a helpful soul left a note on the VT scan of the fake JPEG which leads to this VT report*** on the actual executable itself, and this then leads to this rather informative Hybrid Analysis report[3] which has some nice screenshots.
3] https://www.hybrid-analysis.com/samp...nvironmentId=2
Out of all the IPs and domains listed in those reports, I think these are probably the priorities to block:
46.30.46.60 (Eurobyte, Russia)
linecellardemo .net / 23.229.194.224 (GoDaddy, US)
You might want to block the entire 46.30.46.0/24 range because.. well, Russia really."
* https://www.virustotal.com/en/file/d...is/1440622900/

** https://www.hybrid-analysis.com/samp...nvironmentId=1

*** https://www.virustotal.com/en/file/4...2920/#comments
___

Fake 'Attachement' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/attach...sheet-malware/
27 Aug 2015 - "A -blank- email with the subject of 'Attachement' pretending to come from your own email address with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...-macros_21.png
The email has a totally empty-blank body and just an XLS Excel spreadsheet attachment:

27 August 2015 : 20131030164403.xls - Current Virus total detections 4/57*
Downloads Dridex banking malware from http ://pintart .pt/43t3f/45y4g.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1440669673/

** https://www.virustotal.com/en/file/0...is/1440670039/
... Behavioural information
TCP connections
91.239.232.145: https://www.virustotal.com/en/ip-add...5/information/
23.14.92.27: https://www.virustotal.com/en/ip-add...7/information/

pintart .pt: 80.172.241.24: https://www.virustotal.com/en/ip-add...4/information/
___

Fake 'Payslip' SPAM - PDF malware
- http://myonlinesecurity.co.uk/paysli...e-pdf-malware/
27 Aug 2015 - "'Payslip for period end date 27/08/2015' pretending to come from noreply@ fermanagh. gov.uk with a zip attachment is another one from the current bot runs... The email looks like:
Dear administrator
Please find attached your payslip for period end 27/08/2015
Payroll Section ...

Some emails have arrived malformed-and-damaged and look like:
This is a multi-part message in MIME format.
——————=_Next_25232_7367279505.4684370133215
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Dear ae48852507a
Please find attached your payslip for period end 27/08/2015
Payroll Section ...

27 August 2015: payslip.zip: Extracts to: payslip.scr
Current Virus total detections 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/6...5298/analysis/

- http://blog.dynamoo.com/2015/08/malw...eriod-end.html
27 Aug 2015 - "... Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly. This executable has a detection rate of 3/56* and the Hybrid Analysis report** indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking."
* https://www.virustotal.com/en/file/6...is/1440677452/

** https://www.hybrid-analysis.com/samp...nvironmentId=1

197.149.90.166: https://www.virustotal.com/en/ip-add...6/information/
___

Fake 'Girls List' Spam ...
- https://blog.malwarebytes.org/online...-in-mailboxes/
Aug 27, 2015 - "... spammers are changing up their dating site spam tactics a little bit in the wake of the continued Ashley Madison fallout, with the below curious missives landing in spamtraps over the last day or so:
> https://blog.malwarebytes.org/wp-con...crowdspam1.jpg
... emails are identical, and read as follows:
> https://blog.malwarebytes.org/wp-con...crowdspam2.jpg
... well, they -would- read as follows if they had any text in them to read. The emails are entirely -blank- instead offering up two attachments called “girls_list”. A “girl list” would seem to conjure up visions of swiped data and things you’re not supposed to have access to; as it turns out, opening up the .HTML attachment -redirects- you in a browser to a -porn- dating site which splashes... many nude photos around the screen... These emails are already caught by Gmail as spam, but other providers may -not- be flagging them yet. While I’m sure there are lots of fun things you can do with a list, allowing yourself to be redirected-to-porno-spam is probably not one of them and you should avoid these mails. With websites and services jumping on the AM data bandwagon*, it’s clear that anything involving dating and lists is going to be a hot topic for some time to come. Don’t fall for it."
* http://www.troyhunt.com/2015/08/ashl...ites-like.html
24 Aug 2015 - "... harvesting email addresses and spamming searched victims..."
___

Malvertising campaigns increase 325%
- http://net-security.org/malware_news.php?id=3088
26.08.2015 - "Cyphort* investigated the practices used by cyber criminals to inject malicious advertisements into legitimate online advertising networks. Researchers found that malvertising campaigns carried out by hackers increased 325 percent in the past year... The problem of malvertising isn’t going away and cyber criminals will continue finding ways to monetize their attacks. According to the Association of National Advertisers, ad-fraud will cost global advertisers more than $6 billion in 2015..."
* http://www.cyphort.com/category/malvertising/

[AplusWebMaster]

FYI...

Fake 'Payment Receipt' SPAM – xls malware
- http://myonlinesecurity.co.uk/dartfo...sheet-malware/
28 Aug 2015 - "'Payment Receipt' pretending to come from donotreply@ dartford-crossing-charge.service .gov.uk with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...-macros_21.png

Screenshot: http://myonlinesecurity.co.uk/wp-con...nt-Receipt.png

28 August 2015: PaymentReceipt.xls - Current Virus total detections 5/56*:
Downloads Dridex banking malware from http ://cheaplaptops.pixub .com/3453/5fg44.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/d...is/1440757199/

** https://www.virustotal.com/en/file/f...is/1440756592/
... Behavioural information
TCP connections
91.239.232.145: https://www.virustotal.com/en/ip-add...5/information/
23.14.92.35: https://www.virustotal.com/en/ip-add...5/information/
91.239.232.9: https://www.virustotal.com/en/ip-add...9/information/
31.131.251.33: https://www.virustotal.com/en/ip-add...3/information/

pixub .com: 93.188.160.103: https://www.virustotal.com/en/ip-add...3/information/
___

Dropbox Spam
- http://threattrack.tumblr.com/post/1...3/dropbox-spam
Aug 28, 2015 - "Subjects Seen:
Brad Waters shared “TP Resignation Letter 2.pdf” with you
Reed Contreras shared “TP Resignation Letter 2.pdf” with you
Typical e-mail details:
Brad used Dropbox to share a file with you!
Click here to view.

Screenshot: https://40.media.tumblr.com/5e54ebbf...r6pupn_500.png

Malicious URLs:
newyearpartyistanbul .com/securestorage/getdocument.html
Malicious File Name and MD5:
TP Resignation Letter 2.scr (90a60d95b2f0db6722755e535e854e82)

Tagged: Dropbox, Upatre

newyearpartyistanbul .com: 93.89.224.6: https://www.virustotal.com/en/ip-add...6/information/

[AplusWebMaster]

FYI...

Fake 'FedEx delivery problem' SPAM – JS malware
- http://myonlinesecurity.co.uk/fedex-...46-js-malware/
31 Aug 2015 - "An email with the subject of 'Shipment delivery problem #0000639746' pretending to come from FedEx... with a zip attachment that extracts to a JS file is another one from the current bot runs...The content of the email says :
Dear Customer,
Your parcel has arrived at August 28. Courier was unable to deliver the parcel to you.
Please, open email attachment to print shipment label.
Yours faithfully,
Jeffrey Kendall,
Operation Agent.

31 August 2015: FedEx_ID_0000639746.zip: Extracts to: FedEx_ID_0000639746.doc.js
Current Virus total detections 17/57*. I am not getting any payload via the automatic analysers so far although Wepawet indicates it connects to one of these sites:
selmaryachtmarket .com
riggst .com
harmacrebar .com ...

Update: managed to get the malware 92305548.exe (VirusTotal**) and ba892f004ed[1].gif (VirusTotal***)

The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1441042826/

selmaryachtmarket .com: 174.137.191.22: https://www.virustotal.com/en/ip-add...2/information/
riggst .com: 108.175.152.86: https://www.virustotal.com/en/ip-add...6/information/
harmacrebar .com: 96.31.35.62: https://www.virustotal.com/en/ip-add...2/information/

** https://www.virustotal.com/en/file/a...is/1441044798/
0/57

*** https://www.virustotal.com/en/file/4...is/1441029511/
1/56

[AplusWebMaster]

FYI...

Fake 'Private message' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malw...e-message.html
1 Sep 2015 - "This spam comes with a malicious attachment:
From: Adrien Abbott
Date: 1 September 2015 at 12:34
Subject: Private message notification 41447
You've received a private message. Please open the attached to view it.
Adrien Abbott
Chief Tactics Executive
home: 1-583-761-3793
work: 380.022.2492
twitter: @nicole
skype: nicole
messenger: nicole

I have only seen a single sample of this spam, and the attachment was not formatted properly making it harmless, however other -variants- could be more dangerous. If properly decoded, the attachment should have been named 89867740_Torphy and Sons_Adrien Abbott.zip containing a malicious executable jodie_okonofficia-quo.exe. This executable has a VirusTotal detection rate of just 2/56*, the Hybrid Analysis report** shows network activity consistent with this being Upatre dropping the Dyre banking trojan, with communications made to:
197.149.90.166 (Cobranet, Nigeria)
..which is an IP that has been used several times for this sort of attack recently and is worth blocking. The report details other IP addresses too, but this seems to be the key one to block or monitor."
* https://www.virustotal.com/en/file/8...is/1441111004/

** https://www.hybrid-analysis.com/samp...nvironmentId=1

- http://myonlinesecurity.co.uk/privat...e-pdf-malware/
1 Sep 2015 - "... random names and email addresses from with a zip attachment is another one from the current bot runs... -hundreds- of other names. All details in the body of the email are random. The alleged sender matches the name in the body of the email and the attachment contains those names as well...
1 September 2015: 27121259_Zemlak-Rodriguez_Hans Mohr.zip: Extracts to: velmasuscipit.incidunt.exe
Current Virus total detections 1/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1441109597/
___

Fake 'Complaint notice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/compla...e-pdf-malware/
1 Sep 2015 - "Following on from the earlier malspam run* we now have a series of emails with the subject of 'Complaint notice' [random numbers] also coming from random names and email addresses with a zip attachment is another one from the current bot runs...
* http://myonlinesecurity.co.uk/privat...e-pdf-malware/
The content of the email says :
This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.
Martine McDermott
Lead Metrics Designer
T: (104) 644-7068
F: 174.118.9422
-Or-
This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.
Jordane Emard
Internal Intranet Designer
T: 576-698-2292
F: 1-167-549-0752

And -hundreds- of other names. All details in the body of the email are random. The alleged sender matches the name in the body of the email and the attachment contains those names as well...
1 September 2015: 8961683689_Bahringer-Jacobs_Martine McDermott.zip:
Extracts to: alekvoluptatibus-at.exe
Current Virus total detections 2/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0...is/1441122287/

- http://blog.dynamoo.com/2015/09/malw...-internet.html
1 Sep 2015 - "This spam comes with a malicious attachment:
From: Margret Kuhic
Date: 1 September 2015 at 16:10
Subject: Complaint of your Internet activity
This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.
Margret Kuhic
Dynamic Communications Agent
T: 1-679-732-5379
F: 100.173.9045

All the sames I have seen have a corrupt attachment which is Base 64 encoded, it is possible that other people might receive a -valid- attachment though. The attachment was meant to be 723296788_Marquardt-Bailey_Margret Kuhic.zip containing the malicious executable june_stiedemannmolestiae.et.exe which has a VirusTotal detection rate of 2/56*. This Hybrid Analysis report** shows it to be just another variant of Update/Dyre with the same characteristics as the malspam seen earlier today***, sending traffic to an IP that I suggest you -block- or monitor:
197.149.90.166 (Cobranet, Nigeria)
Some other subjects spotted include:
Complaint notification 50646
Infringement of your Internet activity
Infringement notification 51494 "
* https://www.virustotal.com/en/file/1...is/1441121661/

** https://www.hybrid-analysis.com/samp...nvironmentId=1

*** http://blog.dynamoo.com/2015/09/malw...e-message.html
___

Fake 'ACH rejection' SPAM – PDF malware
- http://myonlinesecurity.co.uk/ach-re...e-pdf-malware/
1 Sep 2015 - "An email with the subject of 'ACH rejection due to system malfunctioning' pretending to come from The ACH Network <Stevie.Espinoza@ nacha .org> with a link to download a zip attachment is another one from the current bot runs... The content of the email says :
ACH PAYMENT CANCELLED
The ACH Transaction (ID: 86440585067071), recently sent from your savings account (by you or any other person), was CANCELLED by other financial institution.
Rejection Reason: See details in the report below
Transaction Report: New Banking Details.pdf (Adobe Reader PDF)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2014 NACHA – The Electronic Payments Association

The link in the email sends you to http ://cheenichetty .com/securestorage/get_document.html where a zip file is downloaded automatically and you are -bounced- immediately to Dropbox and you think you were on Dropbox the whole time. These 'NACHA/ACH/The Electronic Payments Association payment cancelled' or 'payment rejected' emails are a persistent method of trying to deliver malware to your computer...
1 September 2015: New Banking Details.zip: Extracts to: New Banking Details.scr
Current Virus total detections 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5...is/1441127390/

cheenichetty .com: 160.153.50.129: https://www.virustotal.com/en/ip-add...9/information/
___

Your Worst Day In IT
- http://www.darkreading.com/partner-p...a/d-id/1321999
9/1/2015 - "At VMworld 2015 in San Francisco, I roamed the floor with a camera asking attendees, "What was your worst day in IT?" When we initially came up with this question, we thought everyone's worst day would have something to do with a security breach or malware. Turns out that hardware failures and human error are far more common. As much as we talk about threat protection, what we really need to watch out for is our equipment and ourselves."

[AplusWebMaster]

FYI...

Fake 'toll road invoice' SPAM – JS malware
- http://myonlinesecurity.co.uk/pay-fo...97-js-malware/
2 Sep 2015 - "An email with the subject of 'Pay for driving on toll road, invoice #00212297' [ random numbered] pretending to come from E-ZPass Agent with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-con...7-1024x476.png

2 September 2015: E-ZPass_00212297.zip: Extracts to: E-ZPass_00212297.doc.js
Current Virus total detections 2/57* which downloads 2 files 51053011.exe (virus total**) and 9360abf00281f3aa[1].gif (VirusTotal***) from a combination of these 3 sites
ihaveavoice2 .com
leikkihuone .com
etqy .com
... the 51053011.exe has a stolen digital signature from ESET Antivirus, which has been blocked and at least in Internet Explorer, Smart Filter warns about an invalid digital signature and blocks the file. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1441173827/

** https://www.virustotal.com/en/file/9...is/1441160077/

*** https://www.virustotal.com/en/file/8...is/1441173275/

ihaveavoice2 .com: 50.116.104.205: https://www.virustotal.com/en/ip-add...5/information/
leikkihuone .com: 23.91.123.160: https://www.virustotal.com/en/ip-add...0/information/
etqy .com: "... query for etqy .com failed"
___

Fake 'order cancelled' SPAM - PDF malware
- http://myonlinesecurity.co.uk/the-sh...e-pdf-malware/
2 Sep 2015 - "An email with the subject of 'The shipment of your ordered goods is impossible' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
Hello!
Unfortunately, the delivery of you order # 003313 was cancelled since
the specified address of the recipient was not correct. You’re recommended to
complete the attached form and send it back or print it and get this package
on your own at our office.
Alf Gottlieb, Corporate Intranet Director ...
-Or-
Hello!
Unfortunately, the delivery of you order # 4534481 was cancelled since
the specified address of the recipient was not correct. You’re recommended to
complete the attached form and send it back or print it and get this package
on your own at our office.
Arnoldo Strosin, Dynamic Markets Producer

And hundreds of other random names and job titles and companies. Some of the subjects in this series of emails include:
The shipment of your ordered goods is impossible
The delivery of your ordered goods isn’t finished
The shipment of your parcel is impossible
The shipping of your parcel is impossible to complete
The shipping of your items has failed
The shipping of your items isn’t finished
The delivery of your items was cancelled
The shipping of your goods is impossible
The delivery of your parcel has failed ...
2 September 2015: orderHayes Flat.zip: Extracts to: orderYost Dale.exe
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1441191343/
___

Fake 'Companies House' SPAM – PDF malware
- http://myonlinesecurity.co.uk/compan...e-pdf-malware/
2 Sep 2015 - "Another perennial email that constantly does the rounds has a subject matter about 'Companies House WebFiling service' and pretends to be either a complaint or a filing acknowledgement. They come with a zip attachment which is another one from the current bot runs... The content of the email says :
This message has been generated in response to the company complaint submitted to Companies House WebFiling service.
(CC01) Company Complaint for the above company was accepted on 02/09/2015.
The submission number is 1GS31QZLMK1BCRG
Please quote this number in any communications with Companies House.
All WebFiled documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.
Not yet filing your accounts online? See how easy it is…
Note: reference to company may also include Limited Liability Partnership(s).
Thank you for using the Companies House WebFiling service.
Service Desk tel +44 (0)303 1234 500 or email...
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

2 September 2015: Case_1GS31QZLMK1BCRG.zip: Extracts to: Case_081415.scr
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1441193027/

[AplusWebMaster]

FYI...

Malvertising found on Dating Site Match[dot]com
- https://blog.malwarebytes.org/malver...e-matchdotcom/
Sep 3, 2015 - "In an attack similar to the one that happened last month on PlentyOfFish, the UK version of online dating site Match .com was caught serving malvertising. Both companies are actually related since the Match Group bought out POF.com last summer. This latest malvertising incident is the work of the same gang using Google shortened URLs leading to the Angler exploit kit.
Infection flow:
Initial URL: uk.match .com/search/advanced_search.php
Malvertising: tags.mathtag .com/notify/js?exch={redacted}&price=0.361
Malvertising: newimageschool .com/adframe/banners/serv.php?uid=215&bid=14&t=image&w=728&h=90
Malicious Redirector: goo .gl/QU2x0w
Exploit Kit (Angler): med.chiro582help .com/carry.shtm?{redacted}
> https://blog.malwarebytes.org/wp-con...15/09/math.png
The malvertising goes through a Goo.gl shortened URL (already blacklisted) that loads the Angler exploit kit:
> https://blog.malwarebytes.org/wp-con.../09/google.png
Angler EK is known to serve the Bedep ad fraud Trojan as well as CryptoWall ransomware. The cost per thousand impressions (CPM) for the booby trapped ad was only 36 cents, which is nothing compared to how much infected computers can bring in terms of revenues. For instance, CryptoWall demands $5oo per victim. We alerted Match .com and the related advertisers but the malvertising campaign is still-ongoing via other routes."

chiro582help .com: 74.207.227.69: https://www.virustotal.com/en/ip-add...9/information/
___

Fake 'chat history' SPAM – PDF malware
- http://myonlinesecurity.co.uk/you-ne...e-pdf-malware/
3 Sep 2015 - "An email with the subject of 'You need to read this chat history' coming from random senders and email addresses from with a zip attachment is another one from the current bot runs... The content of the email says :
Good day!
You should know this. View the chat history that I’ve attached. Remember
it’s strongly confidential, so please don’t show it to anyone.
Mrs. Edmund Schultz | (859) 913-2400
Toys | Hackett-Kiehn

And hundreds of other random names, email addresses, phone numbers and companies. Other subjects in this series include:
You should view this correspondence
Please view this correspondence
You need to view it
Please see it
You need to review this information
You need to review this chat history
Please see this messages
You need to read this chat history
You should read this messages
You should view this correspondence
And hundreds of other similar variations on the theme of messages and chat history...
3 September 2015: history Ward LockUG.zip: Extracts to: history Chelsea VillagePY.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1441271691/
___

Fake 'Invoice / credit note' SPAM - PDF malware
- http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
3 Sep 2015 - "The latest set of -Upatre- downloader emails are 'Invoice' or 'credit note' from random companies. An email with the subject of 'Invoice INV-91659 from [random company]' for [Your web domain] (random numbers) or 'Credit Note CN-85402 from [random company]' for [Your web domain] (random numbers) pretending to come from Accounts with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-con...4-1024x493.png

3 September 2015: Invoice INV-91659.zip: Extracts to: Invoice.scr
Current Virus total detections 1/56 . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...is/1441279729/
___

Fake 'Lloyds Bank' SPAM – PDF malware
- http://myonlinesecurity.co.uk/custom...e-pdf-malware/
3 Sep 2015 - "An email with the subject of 'Customer Account Correspondence' pretending to come from Lloyds Bank Commercial Finance <customermail@ lloydsbankcommercialfinance .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x490.png

3 September 2015: Lloyds-Commercial_Documents.zip: Extracts to: Lloyds-Commercial_Documents.scr
Current Virus total detections 3/56 . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/c...is/1441281692/
___

Fake 'overdue balance' SPAM – PDF malware
- http://myonlinesecurity.co.uk/overdu...e-pdf-malware/
3 Sep 2015 - "Following on from the earlier -Upatre- downloaders, the latest set of emails are about an overdue balance from random companies. An email with the subject of 'Urgent' e-mail letter of 'overdue balance' or 'Important reminder notice about outstanding balance' or very similar wording with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-con...s-1024x314.png

Some of the subjects so far seen include:
Important reminder letter about outstanding remittances
Urgent e-mail letter of overdue balance
Important reminder letter about outstanding remittances
Urgent letter of past due balance
Urgent reminder about your delinquent balance
Important reminder notice of delinquent remittances
Urgent reminder about outstanding balance ...
3 September 2015: documents Heidenreich MillsDE.zip: Extracts to: documents Stark LodgeFR.exe
Current Virus total detections 2/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...is/1441291670/
___

Fake 'Canadian Bank' SPAM - PDF malware
- http://myonlinesecurity.co.uk/you-ha...e-pdf-malware/
3 Sep 2015 - "An email with the subject of 'You have received a secure e-mail / Vous avez reu un courriel protégé' pretending to come from Canadian Imperial Bank of Commerce <noreply@ cibc .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-con...l-1024x580.png

3 September 2015: SecureMail.zip: Extracts to: SecureMail.scr
Current Virus total detections 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/5...is/1441298777/
___

Skype Spam...
- https://blog.malwarebytes.org/fraud-...is-skype-spam/
Sep 3, 2015 - "Over the last few weeks, there’s been a spam campaign taking place on Skype which involves the following steps:
> Scammers use an automated technique to break old/weak Skype passwords (this has been contested by Skype users in that forum thread*).
* http://community.skype.com/t5/Securi...4038620#M47813
> They then use these accounts to send spam messages to contacts.
> The spam frequently hides the “real” destination by providing (say) a Baidu search engine link instead – along with the Skype Username of the person who clicked the link in the URL.
> The websites the “masked” URls lead to tend to use redirects – it’s possible they’ve been compromised – before dumping the end-user on a diet spam page.
Here’s an example of the spam currently going around:
>> https://blog.malwarebytes.org/wp-con...skypespam0.jpg
“Hi [username] | baidu(dot)com/[URL string] advise”
Below you can see the initial landing page, the final destination and a screenshot of a Fiddler log:
> https://blog.malwarebytes.org/wp-con...skypespam3.jpg
...
> https://blog.malwarebytes.org/wp-con...pam2.jpg?w=564
If your Skype password is in need of a spring clean... feel free to check out the list of hints and tips on the Skype Security page**."
** https://www.skype.com/en/security/

[AplusWebMaster]

FYI...

Fake 'RE:resume' SPAM / Cryptowall
- http://blog.dynamoo.com/2015/09/malw...-happened.html
4 Sep 2015 - "This -fake- résumé spam leads to ransomware:
From: fredrickkroncke@ yahoo .com
Date: 5 September 2015 at 03:50
Subject: RE:resume
Signed by: yahoo.com
Hi my name is Teresa Alexander attach is my resume
Awaiting your prompt reply
Kind regards
Teresa Alexander

The attached document in this case is Teresa_Alexander_resume.doc, which upon opening asks you to enable active content:
> https://1.bp.blogspot.com/-f1xY7yodu...d-document.png
Following these steps would be a Very-Bad-Idea as the malware would encrypt all your files on the disk. This malicious DOC file itself has a VirusTotal detection rate of 4/56*.
The Hybrid Analysis report** shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted:
46.30.46.117 [Eurobyte LLC, Russia)
186.202.153.84 (gaiga .net)
192.186.235.39 (satisgoswamicollege .org)
52.88.9.255 (entriflex .com)
23.229.143.32 (eliasgreencondo .com)
-Blocking- those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56***.
Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report):
> https://3.bp.blogspot.com/-KrTiQq4qf...ryptowall2.png
This further references another bunch of domains that you might want to -block- especially in a corporate environment:
namepospay .com
optiontosolutionbbs .com
optionpay2all .com
democraticash .com
This further Hybrid Analysis report**** on the dropped binary also identifies the following malicious site:
68.178.254.208 (erointernet .com)
... it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr .es - although this is -not- a malcious site, you can consider it to be a potential indicator of compromise. The payload here is Cryptowall 3.0 and as is typical, removing the malware is easy.. but decrypting the files without paying the ransom is fearsomely difficult.
Recommended blocklist:
46.30.46.0/24
gaiga .net
satisgoswamicollege .org
entriflex .com
eliasgreencondo .com
erointernet .com
namepospay .com
optiontosolutionbbs .com
optionpay2all .com
democraticash .com "
* https://www.virustotal.com/en/file/6...is/1441396906/

** https://www.hybrid-analysis.com/samp...nvironmentId=1

*** https://www.virustotal.com/en/file/6...is/1441396906/

**** https://www.hybrid-analysis.com/samp...nvironmentId=1
___

Fake 'reservation confirmed' SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-r...e-pdf-malware/
4 Sep 2015 - "An email with the subject of 'Your reservation is now confirmed!' pretending to come from Booking .com with a zip attachment is another one from the current bot runs... The content of the email says:
Thanks! Your reservation is now confirmed.
To view additional information about your reservation, please open the attachment.
Booking number: 376627092
PIN Code: 6524
Email: [Redacted]
Your reservation: 1 night, 1 room
Check in: Saturday, September 05, 2015
(2:00 pm – 00:00 am)
Check out: Sunday, September 06, 2015
(until 12:00 pm)
Superior Double Room £1,799.68
VAT (20%) included £449.92
Total Price £2,249.60
Please note: additional supplements (e.g. extra bed) are not added to this total.
The total price shown is the amount you will pay to the property. Booking.com does not charge any reservation, administration or other fees.
You can easily change or cancel this booking for free before September 05 – 2015, to cancel or modify your reservation please complete the attached form and fax it to:
+1 888 850 5250
Have a great trip!
– The Booking.com Team
Copyright 1996 – 2013 Booking .com. All rights reserved.
This email was sent by Booking .com, Herengracht 597, 1017 CE Amsterdam, Netherlands

4 September 2015: Booking number 376627092.zip: Extracts to: Booking.scr
Current Virus total detections 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/0...is/1441343056/
___

Fake 'account security' SPAM
- http://myonlinesecurity.co.uk/import...ount-security/
4 Sep 2015 - "An email with the subject of 'Important system notification about account security' coming from random companies and random email addresses with a zip attachment is another one from the current bot runs... However the attachment is defective and corrupt. If previous experience is anything to go by, the bad guys controlling the botnet will soon realise their mistake and send out a new batch of -working- emails and attachments. The content of the email says:
This is an automatically generated security system alert. It happens when something goes wrong with your account.
To view full details, please open the attached report.
Mrs. Myriam Dach
tel: 1-606-773-7379
Email : cyineosoy5964lqw@ allpromoprint .com

... other subjects include:
Notice concerning your account
Important system notification about your account protection ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake 'Order' SPAM - PDF malware
- http://myonlinesecurity.co.uk/order-...e-pdf-malware/
4 Sep 2015 - "An email with the subject of 'Order is finished' coming from random companies and random email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
Hello!
Many thanks for purchasing! Please retain attached transaction summary for your records.
Please do not respond to this e-mail message. It’s automatically generated.
Terence Kilback
tel: 936.953.8037
Lehner LLC
Email: ...

Other subjects in this series of emails include:
Your purchase is finished
Your order is finished
Your purchase is confirmed ...
4 September 2015: Krystel StreetMT_report.zip: Extracts to: Tristin LandBL_report.exe
Current Virus total detections 5/57 . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/2...is/1441384453/