FYI...
Fake 'E-Bill' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malw...r-week-38.html
17 Sep 2015 - "This -fake- financial spam comes with a malicious attachment:
From [invoices@ ebillinvoice .com]
To administrator@ victimdomain .com
Date Thu, 17 Sep 2015 11:10:15 GMT
Subject Shell E-Bill for Week 38 2015
Customer No : 28834
Email address : administrator@ victimdomain .com
Attached file name : 28834_wk38_2015.PDF
Dear Customer,
Please find attached your invoice for Week 38 2015.
In order to open the attached PDF file you will need
the software Adobe Acrobat Reader...
Yours sincerely
Customer Services...
Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56*. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you -block- or monitor that IP."
* https://www.virustotal.com/en/file/1...is/1442489503/
___
Fake 'REFURBISHMENT' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malw...cashirego.html
17 Sep 2015 - "This -fake- financial spam... comes in several different variants (I saw two):
From "Workflow Mailer" [hrwfmailerprod@ lancashire. gov.uk]
To hp_printer@ victimdomain .com
Date Thu, 17 Sep 2015 12:16:26 GMT
Subject FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)
__
From Mabel Winter
To hp_printer@ victimdomain .com
Sent Thu, 17 Sep 2015 12:12:26 GMT
ID 7216378
Number 6767609,1
Title Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT
Negotiation Preview Immediately upon publishing
Negotiation Open Immediately upon publishing
Negotiation Close September 21, 2015 10:00 am GMT
Company R.R. Donnelley & Sons Company
Subject ITT Clarifications
To view the message, please open attachment.
The other version I had mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip which contain a malicious executable REFURBISHMENT 7015295.scr which has a VirusTotal detection rate of 3/55*. The payload appears to be Upatre/Dyre..."
* https://www.virustotal.com/en/file/e...is/1442492094/
___
Fake 'Important notice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/import...e-pdf-malware/
17 Sep 2015 - "An email with the subject of 'Important notice about document signing' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says:
Hello,
You have been sent the document to sign it using Signority. To view this document, user’s personal data and secured link to signing, please open the attachment.
Regards,
The Signority Team
Other subjects in this malspam run delivering Upatre downloaders include:
Notice of documentation signing
Important notification of document signing
Important notice about documentation signing ...
17 September 2015: Gain infringement fine .zip: Extracts to: Send proposed sum .exe
Current Virus total detections 3/57*. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/7...is/1442507711/
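A defender-side check for the pattern all three posts share (a mail body that advertises a PDF while the attachment is really a ZIP wrapping a .scr/.exe), as an added Python example that is not from either blog or the forum post. The attachment bytes, member names and the MZ stub are constructed for the demo; nothing here is a real sample.

```python
import io
import zipfile

# Executable extensions seen in the posts above (.scr, .exe) plus common siblings.
EXEC_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# The mail body promised this name; the attachment actually shipped as a .zip.
CLAIMED_NAME = "28834_wk38_2015.PDF"


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the attachment: a ZIP with a fake MZ stub named
    like the .scr in the post, a file named like the spoofed-icon .exe, and one
    harmless text member. The MZ stub is two bytes of padding, not a PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("67482_wk38_2015.scr", b"MZ" + b"\x00" * 62 + b"fake-stub")
        zf.writestr("Send proposed sum .exe", b"not-mz-but-named-exe")
        zf.writestr("readme.txt", b"plain text member")
    return buf.getvalue()


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def inspect_attachment(claimed_name: str, data: bytes) -> dict:
    """Flag a ZIP attachment whose members are executables (by extension or by
    MZ magic) and a body/attachment mismatch (advertised as a document, shipped
    as a ZIP). Returns a findings dict rather than printing so callers can act."""
    findings = {"claimed_ext": _ext(claimed_name), "is_zip": False,
                "exec_members": [], "mismatch": False, "suspicious": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    findings["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(2)  # only the magic, never the full payload
            if _ext(info.filename) in EXEC_EXTS or head == b"MZ":
                findings["exec_members"].append(info.filename)
    findings["mismatch"] = findings["claimed_ext"] != ".zip"
    findings["suspicious"] = bool(findings["exec_members"]) or findings["mismatch"]
    return findings


if __name__ == "__main__":
    print(inspect_attachment(CLAIMED_NAME, build_sample_attachment()))
```

Quarantining on `suspicious` and logging `exec_members` is enough to catch this whole run regardless of AV detection rate; the "mismatch" field is the cheap signal when the body text is available.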