
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #811
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Insurance', 'Water Services Invoice', 'Invoice 1377' SPAM

    FYI...

    Fake 'Insurance' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...insurance.html
    12 Oct 2015 - "This spam does not come from No Letting Go but is instead a simple forgery with a malicious attachment.
    From [accounts@ nolettinggo .co.uk]
    Date Mon, 12 Oct 2015 11:43:16 +0330
    Subject Insurance
    Dear all
    Please find attached insurance paperwork including EL certificate. Invoices
    will follow at the beginning of November.
    Regards
    Karen


    In the only sample I have seen so far, the attachment name is SKMBT_C36014102815580.doc which has a VirusTotal detection rate of 8/56*. This particular document contains this malicious macro... which downloads a malware component from the following location:
    ukenterprisetours .com/877453tr/rebrb45t.exe
    The usual pattern is that there are several different versions of the document downloading from different locations, but the payload is the same in all cases. This binary is saved as %TEMP%\gicage.exe and has a detection rate of 2/56**. That VirusTotal report and this Hybrid Analysis report[3] show network traffic to:
    149.210.180.13 (TransIP BV, Netherlands)
    I strongly recommend that you block or monitor traffic to this IP. The payload is the Dridex banking trojan..."
    * https://www.virustotal.com/en/file/f...is/1444637908/

    ** https://www.virustotal.com/en/file/0...is/1444638547/
    ... Behavioural information
    TCP connections
    149.210.180.13: https://www.virustotal.com/en/ip-add...3/information/
    92.123.225.120: https://www.virustotal.com/en/ip-add...0/information/

    3] https://www.hybrid-analysis.com/samp...nvironmentId=3

    ukenterprisetours .com: 46.20.120.64: https://www.virustotal.com/en/ip-add...4/information/

    - http://myonlinesecurity.co.uk/nolett...d-doc-malware/
    12 Oct 2015 - "An email that appears to come from nolettinggo .co.uk with the subject of 'Insurance' pretending to come from accounts@ nolettinggo .co.uk with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...o-1024x497.png

    ... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ...
    12 October 2015 : SKMBT_C36014102815580.doc - Current Virus total detections 7/55*
    .. Downloads Dridex banking malware from http ://capricorn-cleaning .co.uk/877453tr/rebrb45t.exe
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1444635759/

    capricorn-cleaning .co.uk: 109.108.129.21: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...s-invoice.html
    12 Oct 2015 - "This -fake- financial email is not from United Utilities but is instead a simple forgery with a malicious attachment:
    From "UUSCOTLAND" <UUSCOTLAND@ uuplc .co.uk>
    Date Mon, 12 Oct 2015 17:12:12 +0530
    Subject Water Services Invoice
    Good Morning,
    I hope you are well.
    Please find attached the water services invoice summary for the billing period of
    12 September 2015 to 12 October 2015.
    If you would like any more help, or information, please contact me...
    Kind regards
    Melissa
    Melissa Lears
    Billing Specialist
    Business Retail
    United Utilities Scotland
    T: 0345 0726077 (26816)...
    The information contained in this e-mail is intended only for the individual to whom it is addressed. It may contain legally privileged or confidential information or otherwise be exempt from disclosure. If you have received this Message in error or there are any problems, please notify the sender immediately and delete the message from your computer. You must not use, disclose, copy or alter this message for any unauthorised purpose...


    Attached to the email is a file 12 October 2015 Invoice Summary.doc which comes in at least -four- different versions (VirusTotal results: [1] [2] [3] [4]) which contain a macro... Download locations spotted so far are:
    ukenterprisetours .com/877453tr/rebrb45t.exe
    eventmobilecatering .co.uk/877453tr/rebrb45t.exe
    thewimbledondentist .co.uk/877453tr/rebrb45t.exe
    cardiffhairandbeauty .co.uk/877453tr/rebrb45t.exe
    All those download locations are on UK sites, but there are three apparently unrelated IP addresses in use:
    46.20.120.64: https://www.virustotal.com/en/ip-add...4/information/
    109.108.129.21: https://www.virustotal.com/en/ip-add...1/information/
    213.171.218.221: https://www.virustotal.com/en/ip-add...1/information/
    This is saved as %TEMP%\gicage.exe and has a VirusTotal detection rate of just 1/56[5]...
    149.210.180.13 (TransIP BV, Netherlands)
    86.105.33.102 (Data Net SRL, Romania)
    I would recommend blocking traffic to both those IPs. The payload is the Dridex banking trojan.
    Recommended blocklist:
    149.210.180.13: https://www.virustotal.com/en/ip-add...3/information/
    86.105.33.102: https://www.virustotal.com/en/ip-add...2/information/
    .
    1] https://www.virustotal.com/en/file/d...is/1444652575/

    2] https://www.virustotal.com/en/file/b...is/1444652586/

    3] https://www.virustotal.com/en/file/b...is/1444652597/

    4] https://www.virustotal.com/en/file/f...is/1444652607/

    5] https://www.virustotal.com/en/file/d...is/1444652695/

    - http://myonlinesecurity.co.uk/water-...d-doc-malware/
    12 Oct 2015 - "An email that appears to come from United Utilities Scotland with the subject of 'Water Services Invoice' pretending to come from UUSCOTLAND <UUSCOTLAND@ uuplc .co.uk> with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x690.png

    .. DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ...
    12 October 2015: 12 October 2015 Invoice Summary.doc - Current Virus total detections 8/55*
    ... Downloads from the same locations as described in today’s earlier malspam run** of malicious word docs, but delivers an updated Dridex version (VirusTotal 1/56 ***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1444654116/

    ** http://myonlinesecurity.co.uk/nolett...d-doc-malware/

    *** https://www.virustotal.com/en/file/d...is/1444652695/
    ... Behavioural information
    TCP connections
    86.105.33.102: https://www.virustotal.com/en/ip-add...2/information/
    191.234.4.50: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Invoice 1377' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/invoic...e-pdf-malware/
    12 Oct 2015 - "An email with the subject of 'Invoice 1377' pretending to come from info@ peachsoftware .co.uk with a zip attachment is another one from the current bot runs... The content of the email says:

    Please see invoice attached

    12 October 2015: invoice-1377.zip: Extracts to: invoice-1377.exe
    Current Virus total detections 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1444648227/
    ___

    Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles
    - http://www.secureworks.com/cyber-thr...edin-profiles/
    7 Oct 2015 - "Summary: While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.
    Fake LinkedIn accounts: The 25 fake LinkedIn accounts identified by CTU researchers fall into two categories: fully developed personas (Leader) and supporting personas (Supporter). The table in the Appendix lists details associated with the accounts. The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas. The photos used in the fake accounts are likely of innocent individuals who have no connection to TG-2889 activity...
    Legitimate endorsers of -fake- TG-2889 LinkedIn accounts by country:
    > http://www.secureworks.com/assets/im...e007_500px.png
    ... Ongoing threat: Updates to profile content such as employment history suggest that TG-2889 regularly maintains these fake profiles. The persona changes and job alterations could suggest preparations for a new campaign, and the decision to reference Northrup Grumman and Airbus Group may indicate that the threat actors plan to target the aerospace vertical. It is likely that TG-2889 maintains personas that have not yet been identified, and that other threat groups also use this tactic. CTU researchers advise organizations to educate their users of the specific and general risks:
    - Avoid contact with known fake personas.
    - Only connect to personas belonging to individuals they know and trust.
    - Adopt a position of sensible caution when engaging with members of colleagues' or friends' networks that they have not -verified- outside of LinkedIn.
    When evaluating employment offers originating from LinkedIn, seek confirmation that the individual is legitimate by directly contacting the individual's purported employer. Organizations may want to consider policing abuse of their brand on LinkedIn and other social media sites..."

    Last edited by AplusWebMaster; 2015-10-13 at 02:26.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
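    The reports quoted in this post write their indicators in a defanged notation (a space before the TLD dot, `http ://`, `[.]`, `user@ domain`) and mix them with VirusTotal and Hybrid Analysis reference links. The following Python script is an added example, not code from this thread or from the blogs it quotes: it parses that notation into normalized host and IP indicators that can feed a block/monitor list, and drops the citation links. The sample lines are copied from the posts above (the `kongquechang[.]com` line is from post #815 further down); the regular expressions and function names are my own, and payload paths are deliberately not reconstructed, only hosts.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample input: indicator lines in the defanged notation the posts
# use (a space before the TLD dot, "http ://", "[.]", "user@ domain"). The
# values are the ones quoted in the thread above.
SAMPLE_LINES = """\
ukenterprisetours .com/877453tr/rebrb45t.exe
http ://capricorn-cleaning .co.uk/877453tr/rebrb45t.exe
149.210.180.13 (TransIP BV, Netherlands)
86.105.33.102: https://www.virustotal.com/en/ip-add...2/information/
kongquechang[.]com: Could not find an IP address for this domain name.
From [accounts@ nolettinggo .co.uk]
""".splitlines()

# Fully formed links (VirusTotal, Hybrid Analysis) contain no spaces; they are
# citations, not indicators, so they are blanked before matching.
REF_URL = re.compile(r"https?://\S+")
# "http ://" is the defanged scheme; drop it so the host after it is matched.
DEFANGED_SCHEME = re.compile(r"https?\s*://")
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?!\d|\.\d)")
# Hostname whose label separators may be ".", " .", "[.]" or " . ". The
# lookbehind stops path components such as "/rebrb45t.exe" matching as hosts.
DEFANGED_HOST = re.compile(
    r"(?<![\w/.\-])((?:[a-z0-9-]+\s?(?:\.|\[\.\])\s?)+[a-z]{2,})(?![\w-])", re.I)
EMAIL = re.compile(
    r"([\w.+-]+)@\s?((?:[a-z0-9-]+\s?(?:\.|\[\.\])\s?)+[a-z]{2,})", re.I)


def refang_host(text: str) -> str:
    """Collapse the defanging ("[.]", inserted spaces) back into a plain hostname."""
    return re.sub(r"\s+", "", text.replace("[.]", ".")).lower()


def extract_indicators(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return unique (kind, value) pairs; kind is 'ip', 'domain' or 'email_domain'."""
    found: List[Tuple[str, str]] = []

    def add(kind: str, value: str) -> None:
        if (kind, value) not in found:
            found.append((kind, value))

    for raw in lines:
        line = DEFANGED_SCHEME.sub(" ", REF_URL.sub(" ", raw))
        for ip in IPV4.findall(line):
            # Caveat: a four-part version string (e.g. 19.0.0.185) would also
            # match this pattern; the sample contains none.
            if all(int(octet) <= 255 for octet in ip.split(".")):
                add("ip", ip)
        for _user, host in EMAIL.findall(line):
            add("email_domain", refang_host(host))
        for host in DEFANGED_HOST.findall(line):
            add("domain", refang_host(host))
    return found


def blocklist(indicators: Iterable[Tuple[str, str]]) -> List[str]:
    """Hosts and IPs a perimeter filter would block, deduplicated and sorted."""
    return sorted({value for kind, value in indicators if kind in ("ip", "domain")})


if __name__ == "__main__":
    indicators = extract_indicators(SAMPLE_LINES)
    for kind, value in indicators:
        print(f"{kind:13} {value}")
    print("blocklist:", blocklist(indicators))
```

The sender domain is reported separately as `email_domain` rather than added to the blocklist, because in these runs the From address is a forgery of a legitimate company and blocking it would only hurt the spoofed party.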

  2. #812

    Fake 'Customer Invoice', 'Bank Payment' SPAM

    FYI...

    Fake 'Customer Invoice' SPAM - doc malware
    - http://myonlinesecurity.co.uk/quickh...d-doc-malware/
    13 Oct 2015 - "An email appearing to come from 'QuickHostUK' with the subject of 'Customer Invoice' pretending to come from QuickHostUK <info@ quickhostuk .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear customer,
    This is a notice that an invoice has been generated on 11/10/2015.
    Your payment method is: Credit/Debit Card
    Invoice #302673
    Amount Due: £40.00GBP
    Due Date: 18/10/2015
    Invoice Items
    Fully Managed Hosting – Starter (18/10/2015 – 17/11/2015) £40.00GBP
    Sub Total: £40.00GBP
    Credit: £0.00GBP
    Total: £40.00GBP
    Payment will be taken automatically on 18/10/2015 from your credit card on record with us. To update or change the credit card details we hold for your account please login...


    13 October 2015: Invoice-302673.doc - Current Virus total detections 5/56*
    ... Which downloads Dridex banking malware from http ://thelureofnoma .com/~web/34fc34t45t/8ijfew.exe (VirusTotal 1/53**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1444732952/

    ** https://www.virustotal.com/en/file/9...is/1444733145/

    thelureofnoma .com: 69.72.240.66: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'Bank - Third Party Payment' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/common...e-pdf-malware/
    13 Oct 2015 - "An email appearing to come from 'Commonwealth Bank of Australia' with the subject of 'First NetBank Third Party Payment' pretending to come from NetBankNotification@ cba .com.au with a zip attachment is another one from the current bot runs... The content of the email says :
    First NetBank Third Party Payment
    Your first transfer to the following third party account(s) has been successfully processed:
    From Account: **** **** **** 6439 MasterCard
    To Account(s): Bonnie Sharpe 511-187 ***7654 AMEX $6,990.72 Assistance to Refugees
    Date: 13/10/2015
    Please check attached file for more information about this transaction.
    Yours sincerely,
    Commonwealth Bank of Australia
    Please do not reply. To confirm this is a genuine email sent by the Bank, please check your inbox on the NetBank home page.
    Message: 932750168


    13 October 2015: CBA Third Party Payment 932750168.zip: Extracts to: CBA Third Party Payment 949078743.scr
    Current Virus total detections 10/57*... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1444709718/

    Last edited by AplusWebMaster; 2015-10-13 at 15:43.

  3. #813

    Flash 0-Day, Fake 'DocuSign', 'SMSF Gateway Svc Msg' SPAM, DRIDEX Takedown

    FYI...

    Flash 0-Day used in Pawn Storm...
    >> http://blog.trendmicro.com/trendlabs...torm-campaign/
    Oct 14, 2015 - "... the attackers behind Pawn Storm are using a new Adobe Flash zero-day exploit in their latest campaign. Pawn Storm is a long-running cyber-espionage campaign known for its high-profile targets and usage of the first Java zero-day we’ve seen in the last couple of years... Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207... We have notified Adobe about our discovery and are working with them to address this security concern. Updates to this entry will be made once more information is available."

    Just released 10.13.2015. Suggest Flash be -disabled- immediately until a new fix/release from Adobe is available...

    * Suggest Java be disabled, too. Next scheduled release of Java update due 10.20.2015.
    - https://community.qualys.com/blogs/l...y-october-2015
    Oct 13, 2015 - "... Oracle will have their CPU later this month, on the 20th..."
    ___

    Fake 'DocuSign' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/docusi...e-pdf-malware/
    14 Oct 2015 - "An email with the subject of 'Completed: Optus agreement no JTJW-650508' pretending to come from thiaminenz570@ cintas .com; on behalf of; 'DocuSign via DocuSign <dse_eu1@ docusign .net>' with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...n-1024x780.png

    14 October 2015: Optus agreement no JTJW-650508.zip: Extracts to: Optus agreement no LPRH-300726.scr
    Current Virus total detections 6/56*... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1444797213/
    ___

    Fake 'SMSF Gateway Svc Msg' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/austra...e-pdf-malware/
    14 Oct 2015 - "An email with the subject of 'Australia Post SMSF Gateway Service Message' pretending to come from SMSF Gateway Team <SMSFGateway-NO-REPLY@ smsfmsg .auspost .com.au> with a zip attachment is another one from the current bot runs... The content of the email says:
    We’re pleased to advise you that the Australia Post SMSF Gateway Service has received a superannuation contribution message.
    The details of this message are in the attached PDF.
    The contribution payment should appear in your nominated bank account with a payment reference number listed in the PDF to allow for easy reconciliation.
    Kind Regards
    The SMSF Gateway Team ...


    14 October 2015: Contribution448772241.zip: Extracts to: Contribution308911799.scr
    Current Virus total detections 4/56*... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1444789129/
    ___

    FBI, Security Vendors Partner for DRIDEX Takedown
    - http://blog.trendmicro.com/trendlabs...dridex-botnet/
    Oct 13, 2015 - "Multiple command-and-control (C&C) servers used by the DRIDEX botnet have been taken down by the Federal Bureau of Investigation (FBI), following the action taken by the National Crime Agency (NCA) in the UK. US law enforcement officials obtained court orders that resulted in the seizure of multiple servers used by DRIDEX. This crippled the malware’s C&C network, which is used by the malware to send the stolen information to the cybercriminals and to download configuration files that include the list of targeted banks. Furthermore, charges have been made against Andrey Ghinkul, aka Andrei Ghincul and Smilex, the Moldovan administrator of the botnet. Taking down cybercriminals is no small feat. Tracking down and shutting down cybercrime operations requires the constant collaboration of researchers and law enforcement agencies, each providing their own expertise. The takedown of the command-and-control (C&C) network used by the banking malware DRIDEX is the latest example of that partnership’s success... DRIDEX has slowly been making a name for itself this past year and has been viewed as the successor to the Gameover Zeus (GoZ) malware. Its prevalence in the threat landscape can be attributed to its business model, P2P (peer-to-peer) architecture, and unique routines. Unlike other malware, DRIDEX operates using the BaaS (Botnet-as-a Service) business model. It runs several bot networks, each identified by a number and each containing a specific set of target banks. Our investigation revealed that its target banks mostly come from the US and Europe (particularly Romania, France, and the UK)... users in the US and the UK accounted for more than 35% of DRIDEX infections:
    > https://blog.trendmicro.com/trendlab.../10/dridex.jpg
    The P2P architecture of DRIDEX was built as an improved version of GoZ’s architecture. Learning from the GoZ takedown, creators of DRIDEX added another layer in its architecture before the command-and-control (C&C) server. Apart from these, DRIDEX is also equipped to remove or hide tracks in the system. Similar to the Chthonic variant of ZBOT, it uses an invisible persistence technique which involves writing autostart reg key upon system shutdown and deleting autostart reg key upon system startup. However, only DRIDEX cleans up the stored configuration in the registry and changes the malware copy location. DRIDEX is easily spread using malicious email attachments, usually Microsoft Office documents that contain macros. The use of macros could be seen as one way of ensuring a higher chance of successful attacks. Macros are commonly used in automated and interactive documents. The feature is usually deactivated by default, but if it was already enabled prior to the attack, the attack commences without any additional requirements. Otherwise, the attack must use a strong social engineering lure in order to convince the user to enable the feature. Furthermore, we found that the macro code contains garbage and useless code... While the takedown of the C&C servers now prevents DRIDEX from executing malicious activities, total cleanup still requires users to ensure that DRIDEX has been removed from their systems..."

    >>> http://www.justice.gov/usao-wdpa/pr/...lware-disabled
    Oct 13, 2015 - "... Victims of Bugat/Dridex may use the following webpage created by US-CERT for assistance in removing the malware:
    > https://www.us-cert.gov/dridex ..."
    Oct 13, 2015

    Last edited by AplusWebMaster; 2015-10-15 at 03:41.

  4. #814

    Fake 'Scan' SPAM

    FYI...

    Fake 'Scan' SPAM - doc malware
    - http://myonlinesecurity.co.uk/ray-wh...d-doc-malware/
    15 Oct 2015 - "An email with the subject of '[Scan] 2015-10-14 5:29:54 p.m.' pretending to come from 'Ray White <rw@raylian .co.uk>' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...m-1024x357.png

    15 October 2015: 2015-10-14 5-29-54 p.m..doc . Current Virus total detections 4/54*
    ... Which downloads Dridex banking malware from http ://23.229.157.230/~gwhill2377/86575765/6757645.exe (VirusTotal 0/53**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1444898925/

    ** https://www.virustotal.com/en/file/2...is/1444899628/
    ... Behavioural information
    TCP connections
    89.32.145.12: https://www.virustotal.com/en/ip-add...2/information/
    88.221.14.138: https://www.virustotal.com/en/ip-add...8/information/

    23.229.157.230: https://www.virustotal.com/en/ip-add...0/information/
    > https://www.virustotal.com/en/url/d4...d790/analysis/

    - http://blog.dynamoo.com/2015/10/malw...-52954-pm.html
    15 Oct 2015 - "This rather terse spam email has a malicious attachment. It does not come from Raylian but is instead a simple forgery:
    From Ray White [rw@ raylian .co.uk]
    Date Thu, 15 Oct 2015 10:56:35 +0200
    Subject [Scan] 2015-10-14 5:29:54 p.m.
    Amanda's attached.


    In the only sample I saw, the attachment was named 2015-10-14 5-29-54 p.m..doc which has a VirusTotal detection rate of 4/56 and which contains this malicious macro... The Hybrid Analysis report* shows this particular version (there will be others) downloading a binary from:
    sdhstribrnalhota .xf .cz/86575765/6757645.exe
    Despite the apparently random name, this is a real business website (SDH Stříbrná Lhota) that has been compromised. This binary has a detection rate of just 2/56** and is saved as %TEMP%\CrowSoft1.exe. The Hybrid Analysis report*** for this indicates connections to:
    89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
    195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
    The payload appears to be the Dridex banking trojan, still going strong despite reports of arrests in the crime gang responsible.
    Recommended blocklist:
    89.32.145.12
    195.154.251.123

    * https://www.hybrid-analysis.com/samp...nvironmentId=1

    ** https://www.virustotal.com/en/file/2...is/1444903993/
    ... Behavioural information
    TCP connections
    89.32.145.12: https://www.virustotal.com/en/ip-add...2/information/
    88.221.14.138: https://www.virustotal.com/en/ip-add...8/information/

    *** https://www.hybrid-analysis.com/samp...nvironmentId=1

    Last edited by AplusWebMaster; 2015-10-15 at 18:16.

  5. #815

    Fake 'DHL' SPAM, Backdoor Zegost delivered

    FYI...

    Fake 'DHL' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/dhl-au...e-pdf-malware/
    16 Oct 2015 - "An email that appears to come from 'DHL Australia' with the subject of 'Return consignment AVD524417' pretending to come from DSC.AU.Returns@ dhl .com with a zip attachment is another one from the current bot runs... The content of the email says :
    BOOKING OF YOUR CONTROLLED RETURN
    Print off labels (on a LASER printer as this will ensure driver can scan barcode) and affix to carton.
    Please ensure all other labels are removed from carton.
    You can book your own freight by calling our Carrier Partner Startrack Express on 12 18 58 quoting Reference No. 524417
    Alternatively, DHL will call within 3 business days after labels are sent to assist in booking in your freight for collection.
    Quote the consignment Number that is on your labels (attached to your email with prefix AVD)
    Startrack Express will provide you with a booking number, please retain this number.
    Below is a mandatory TRANSFER SUMMARY. This must be completed prior to the arrival of driver; if not complete, this may result in a futile pick up.
    Goods are required back into warehouse no later than 7 working days. Please ensure good are ready for collection.
    STARTRACK EXPRESS TRANSFER SUMMARY REPORT ...


    16 October 2015: FL-AVD524417.zip: Extracts to: FL-AVD084542.exe
    Current Virus total detections 5/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1444969428/
    ___

    Backdoor Zegost delivered via Hacking Team exploit
    - http://research.zscaler.com/2015/10/...vered-via.html
    Oct 16, 2015 - "... In past two months, we've spotted multiple instances of Zegost Backdoor Trojan installation attempts leveraging Hacking Team's Adobe Flash exploit (CVE-2015-5119) payload. These attacks do not appear to be targeted, but the payload involved in the infection cycle has some resemblance to recent APT payloads from HttpBrowser & the PlugX RAT family. Attack Chain: The infection cycle starts with a legitimate Chinese real estate and shopping site www[.]kongquechang[.]com, which appears to have been compromised by the attackers and contains an injected script. The injected script will cause a series of -redirects- leading to Hacking Team's exploit payload... Attackers are abusing the Chinese URL shortening service t .cn to -redirect- victims to the attack server and also Baidu's URL shortening service dwz .cn to deliver the Adobe Flash exploit payload... Below is the complete list of C&Cs it tries to connect.
    80.247.233.18: https://www.virustotal.com/en/ip-add...8/information/
    91.121.82.113: https://www.virustotal.com/en/ip-add...3/information/
    69.164.213.85: https://www.virustotal.com/en/ip-add...5/information/
    79.143.191.147: https://www.virustotal.com/en/ip-add...7/information/
    199.241.30.233: https://www.virustotal.com/en/ip-add...3/information/
    162.243.12.14: https://www.virustotal.com/en/ip-add...4/information/
    188.93.73.90: https://www.virustotal.com/en/ip-add...0/information/
    195.154.184.240: https://www.virustotal.com/en/ip-add...0/information/
    Conclusion: The use of a legitimate certificate in signing malware executables to evade security detection is not new but is still very effective. The malware author aims to exploit the Code-Signing Certificate based whitelisting approach by signing their samples..."
    (More detail at the zscaler URL at the top.)

    kongquechang[.]com: Could not find an IP address for this domain name.

    Last edited by AplusWebMaster; 2015-10-16 at 22:53.

  6. #816

    Fake 'Invoice / PO', 'Online banking app form' SPAM

    FYI...

    Fake 'Invoice / PO' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...stephanie.html
    19 Oct 2015 - "This -fake- financial spam does not come from Bombardier Transportation but is instead a simple -forgery- with a malicious attachment:
    From "Stephanie Greaves" [sgreaves@ btros .co.uk]
    Date Mon, 19 Oct 2015 12:06:42 +0430
    Subject COS007202
    Good morning,
    Please see attached purchase order.
    Kind regards,
    Stephanie Greaves
    Administration Apprentice
    Bombardier Transportation (Rolling Stock) UK Ltd
    Electronics, Cabling, & Interior Division
    Litchurch Lane, Derby, DE24 8AD


    Attached is a file COS007202.doc which comes in at least three different versions (VT results [1] [2] [3]) each containing a slightly different malicious macro... Analysis of the documents is pending, but they will almost definitely drop the Dridex banking trojan...
    UPDATE: According to these Hybrid Analysis reports [4] [5] [6] , those macros download from the following locations:
    euroagroec .com/35436/5324676645.exe
    demo9.iphonebackstage .com/35436/5324676645.exe
    webmatique .info/35436/5324676645.exe
    The binary they download has a VirusTotal detection rate of 3/56[7] and is saved as %TEMP%\CrowSoft1.exe. Both the VirusTotal and Hybrid Analysis reports show what looks like malicious traffic going to:
    157.252.245.49 (Trinity College Hartford, US)
    I recommend that you -block- traffic to that IP..."
    1] https://www.virustotal.com/en/file/3...is/1445246850/

    2] https://www.virustotal.com/en/file/4...is/1445246860/

    3] https://www.virustotal.com/en/file/8...is/1445246874/

    4] https://www.hybrid-analysis.com/samp...nvironmentId=3

    5] https://www.hybrid-analysis.com/samp...nvironmentId=3

    6] https://www.hybrid-analysis.com/samp...nvironmentId=1

    7] https://www.virustotal.com/en/file/a...is/1445249638/
    ___

    Fake 'Online banking app form' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/online...e-pdf-malware/
    19 Oct 2015 - "An email appearing to come from Nat West Leicester Business Banking Customer Support with the subject of 'Online banking application form********* CRM:013545192' (random numbers) pretending to come from 'NW – Leicester CRT <Leicester.CMT@ NatWest .com>' with a zip attachment is another one from the current bot runs... The content of the email says:
    Please find enclosed the requested online application form which
    you will need to complete and return to myself via the post.
    Kind Regards
    Janine Lyles
    Relationship Manager’s Assistant
    Leicester Business Banking Customer Support
    1st Floor
    1 Granby Street
    Leicester
    LE1 6EJ
    Tel: 0116 2752435
    Fax: 0116 2575469
    E Mail ...


    19 October 2015: Online banking upd appl form.zip: Extracts to: Online banking upd appl form.scr
    Current Virus total detections 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1445250902/

    Last edited by AplusWebMaster; 2015-10-19 at 15:24.

  7. #817
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'P.O.', 'NOTIFICATION' SPAM, Shifu banking trojan

    FYI...

    Fake 'P.O.' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/purcha...e-pdf-malware/
    20 Oct 2015 - "An email appearing to come from Xstrata with the subject of 'PurchaseOrder DR67CV_30HJ' from 'Xstrata' by 'Emerson, Vicky (PROD)' pretending to come from XstrataQLD@ axis.ventyx .com with a zip attachment is another one from the current bot runs... The content of the email says:
    Please find attached a PurchaserOder from Xstarta for your action. It has been sent via Mincom Axis.
    This PurhcaseOrder is in PDF format and can be viewed with Adobe Acrobat Reader. You may ACCEPT or REJECT this PurchaseOrdre from this email by following the isntructions below. In either case, an email will be generated for you to send to the Buyer via Mincom Axis. Type in any notes or comments you wish to convey to the buyer in the email Body and send the email but do not modify any part of the email Subject.
    To ACCEPT the whole PucrhaseOrder, click the following link and complete your details ...


    20 October 2015: PurchaseOrder_9EP31W_52M1_707850624.zip: Extracts to: PurchaseOrder_816785634_036545298.exe
    Current Virus total detections 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1445314610/
    ___

    Fake 'P.O.' SPAM - doc malware
    - http://blog.dynamoo.com/2015/10/malw...-no-48847.html
    20 Oct 2015 - "This -fake- financial spam comes with a malicious payload:
    From Harminder Saund [MinSaund77@ secureone .co.uk]
    Date Tue, 20 Oct 2015 16:08:53 +0700
    Subject Purchase Order No: 48847
    Attached is a copy of our Purchase Order number 48847
    Harminder Saund
    Secure One


    The sender's email address varies slightly, for example:
    MinSaund77@ secureone .co.uk
    MinSaund92@ secureone .co.uk
    MinSaund94@ secureone .co.uk
    MinSaund013@ secureone .co.uk
    Attached is a file PO_48847.DOC which I have seen two different versions of so far (VirusTotal [1] [2]) each containing a slightly different malicious macro... There are probably different versions of the document with different macros. Automated analysis is pending, however the payload is most likely the Dridex Shifu banking trojan. Please check back for updates..."
    1] https://www.virustotal.com/en/file/9...is/1445335728/

    2] https://www.virustotal.com/en/file/a...is/1445335747/
    UPDATE: So far, three download locations have been identified..
    ladiesfirst-privileges .com/656465/d5678h9.exe
    papousek.kvalitne .cz/656465/d5678h9.exe
    pmspotter. wz.cz/656465/d5678h9.exe
    This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56*... The Hybrid Analysis reports [1] [2] indicate that it calls home to:
    fat.uk-fags .top / 188.166.250.20 (Digital Ocean, Singapore)
    I recommend that you -block- traffic to that IP."
    * https://www.virustotal.com/en/file/b...is/1445341067/

    1] https://www.hybrid-analysis.com/samp...nvironmentId=3

    2] https://www.hybrid-analysis.com/samp...nvironmentId=3
    ___

    Fake 'NOTIFICATION' SPAM - xls malware
    - http://blog.dynamoo.com/2015/10/malw...mailbella.html
    20 Oct 2015 - "This spam comes with a malicious attachment:
    From "GOMEZ SANCHEZ"[postmail@ bellair .net]
    To
    Date Tue, 20 Oct 2015 13:14:56 +0430
    Subject victim@ victimdomain .tld
    Congratulations
    Print out the attachment file fill it and return it back by fax or email
    Yours Sincerely
    GOMEZ SANCHEZ


    The "Subject" is the victim's own email address. Attached is a file FINAL NOTIFICATION.xls which comes (so far) in three different variants (VirusTotal [1] [2] [3]), each containing one of -three- malicious macros... Analysis of the payload is pending, but is likely to be the Dridex Shifu banking trojan. Please check back later..."
    1] https://www.virustotal.com/en/file/c...is/1445335252/
    FINAL NOTIFICATION .xls - 4/56
    2] https://www.virustotal.com/en/file/8...is/1445335267/
    FINAL NOTIFICATION-2 .xls - 4/54
    3] https://www.virustotal.com/en/file/7...is/1445335281/
    FINAL NOTIFICATION-3 .xls - 4/56
    UPDATE: So far, three download locations have been identified..
    ladiesfirst-privileges .com/656465/d5678h9.exe
    papousek.kvalitne .cz/656465/d5678h9.exe
    pmspotter.wz. cz/656465/d5678h9.exe
    This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56*... The Hybrid Analysis reports [1] [2] indicate that it calls home to:
    fat.uk-fags .top / 188.166.250.20 (Digital Ocean, Singapore)
    I recommend that you block traffic to that IP."
    * https://www.virustotal.com/en/file/b...is/1445341067/

    1] https://www.hybrid-analysis.com/samp...nvironmentId=3

    2] https://www.hybrid-analysis.com/samp...nvironmentId=3

    ladiesfirst-privileges .com: 159.253.148.199: https://www.virustotal.com/en/ip-add...9/information/

    papousek.kvalitne .cz: 88.86.117.145: https://www.virustotal.com/en/ip-add...5/information/

    pmspotter.wz. cz: 88.86.117.153: https://www.virustotal.com/en/ip-add...3/information/

    Shifu banking trojan: http://news.softpedia.com/news/shifu...y-490580.shtml

    Last edited by AplusWebMaster; 2015-10-20 at 18:28.

  8. #818
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'E-Toll', 'Delayed tax return', 'INVOICE', 'PNC' SPAM, Chrome -clone- 'eFast'

    FYI...

    Fake 'E-Toll' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/your-e...e-pdf-malware/
    21 Oct 2015 - "An email with the subject of 'Your E-Toll account statement' pretending to come from RMSETollDontReply@ rms.nsw. gov.au with a zip attachment is another one from the current bot runs... The content of the email says:
    Dear Valued Customer,
    Please find attached your E-Toll account statement.
    If you would like to claim Cashback please:
    Simply login to your account and click on the ‘Claim Cashback’ link on the Account Overview screen. Follow the easy steps and submit your claim online. Please note: Online claims can only be completed on E-Toll accounts with online access.
    Mail the E-Toll transaction statements that list your toll usage for eligible trips and a completed Cashback rebate form to the following address: Roads and Maritime Services M5 Cashback Locked Bag 3 Dubbo NSW 2830
    Rebates must be claimed within 12 calendar months of the end of the Cashback quarter.
    Thank you for choosing E-Toll
    Regards
    The E-Toll Team Roads and Maritime Services
    To view documents in PDF format, you must have Adobe Acrobat PDF reader software version 5 or above installed on your computer.
    This email was sent to you by Roads and Maritime Services. This is an unmonitored email address so please do not reply to this email...


    21 October 2015: Oct 2015ST.zip: Extracts to: Oct 2015ST.exe
    Current Virus total detections 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1445398880/
    ___

    Fake 'Delayed tax return' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/austra...e-pdf-malware/
    21 Oct 2015 - "An email that appears to come from Australian Taxation Office with the subject of 'Delayed tax returns over 30 days' pretending to come from DelayedReturn <DelayedReturn@ ato. gov.au> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...s-1024x769.png

    21 October 2015: TaxAgentReport516177320151020230248.zip: Extracts to: TaxAgentReport061836020151020223957.exe
    Current Virus total detections 5/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1445398912/
    ___

    Fake 'INVOICE' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...ayment_21.html
    21 Oct 2015 - "This -fake- financial spam is not from Lancashire Police but is a simple -forgery- with what appears to be a malicious attachment.
    From: Whitehead, Lyn [Lyn.Whitehead@ lancashire.pnn.police .uk]
    Date: 21 October 2015 at 10:15
    Subject: INVOICE FOR PAYMENT - 7500005791
    Hello
    Please find attached an invoice that is now due for payment.
    Regards
    Lyn
    Lyn Whitehead (10688)
    Business Support Department - Headquarters
    Email: Lyn.Whitehead@ lancashire.pnn.police .uk ...


    The attachment appears to contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, this document does not seem to open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending. The VirusTotal report shows a detection rate of zero. The Malwr report is inconclusive. Other analysis is pending, please check back.
    UPDATE 1: Another version of this is in circulation, also with zero detections at VirusTotal... The Hybrid Analysis for both samples is inconclusive...
    UPDATE 2: An analysis of the documents shows an HTTP request to:
    ip1.dynupdate.no-ip .com:8245
    All this returns is the IP address of the computer opening the document. Although not malicious in itself, you might want to look out for it as an indicator of compromise...
    UPDATE 4: The Hybrid Analysis reports for the documents (here [1] [2] [3]) show that the macros... in the document download a binary from the following locations:
    www .sfagan.co .uk/56475865/ih76dfr.exe
    www .cnukprint .com/56475865/ih76dfr.exe
    www .tokushu. co.uk/56475865/ih76dfr.exe
    www .gkc-erp .com/56475865/ih76dfr.exe
    At present this has a zero detection rate at VirusTotal*... Those reports in addition to this Malwr report[4] indicate malicious traffic to the following IPs:
    89.32.145.12 (Elvsoft SRL, Romania / Coreix Ltd, UK)
    119.47.112.227 (Web Drive Ltd, New Zealand)
    195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
    157.252.245.49 (Trinity College Hartford, US)
    The payload is probably the Shifu banking trojan.
    Recommended blocklist:
    89.32.145.12
    119.47.112.227
    195.154.251.123
    157.252.245.49
    "
    1] https://www.hybrid-analysis.com/samp...nvironmentId=1

    2] https://www.hybrid-analysis.com/samp...nvironmentId=1

    3] https://www.hybrid-analysis.com/samp...nvironmentId=1

    4] https://malwr.com/analysis/NjE3YmRhO...RkZDE2ZTk1ZDM/

    * https://www.virustotal.com/en/file/3...is/1445428911/
    ... Behavioural information
    TCP connections
    119.47.112.227: https://www.virustotal.com/en/ip-add...7/information/
    8.254.218.14: https://www.virustotal.com/en/ip-add...4/information/
    195.154.251.123: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake 'PNC' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/your-p...e-pdf-malware/
    21 Oct 2015 - "An email with the subject of 'Your PNC Bank Online Statement is ready to be viewed' pretending to come from PNCBank_Statements@ pnc .com with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...d-1024x550.png

    21 October 2015: Statement_7208_10212015.zip: Extracts to: Statement_3374_10212015.zip.scr
    Current Virus total detections 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...is/1445449142/
    ___

    Chrome -clone- 'eFast' serves ads, collects info
    - http://net-security.org/malware_news.php?id=3129
    21.10.2015 - "A Google Chrome lookalike browser dubbed 'eFast' is being actively pushed onto users. The software is at best annoying and unwanted, and at worst can lead users to malware. Posing as a legitimate application that will benefit users, eFast is actually only helpful to its creators - it sidelines other browsers, generates intrusive online ads (the creators are paid for each click), redirects users to potentially malicious pages, and monitors their Internet browsing activity, which is then sold to third party companies. "eFast Browser is mostly proliferated as a 'bundle' with other (mostly free) software," PC Risk's Tomas Meskauskas warns*. "Users do not expect bundled applications to be concealed, and thus, developers intentionally hide them within the 'Custom' or 'Advanced' settings. Users who rush the download/installation processes and skip this section often inadvertently install potentially unwanted programs. In doing so, they expose their systems to risk of infection and compromise their privacy"... During installation, eFast will attempt to -replace- Chrome if that is already installed, by deleting all the shortcuts to it on your taskbar and desktop. "To make sure that you will use your new browser, eFast makes itself the default browser and takes over some file-associations. File-associations are settings that determine which program will run when files with a certain extension are opened," Malwarebytes' Pieter Arntz explains**..."
    * https://www.pcrisk.com/removal-guide...-efast-browser
    eFast Browser removal instructions

    ** https://blog.malwarebytes.org/online...-associations/

    Last edited by AplusWebMaster; 2015-10-21 at 22:42.

  9. #819
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Invoice Summary.doc' SPAM, Fake Java, Email account PHISH, Apple Invoice PHISH

    FYI...

    Fake 'Invoice Summary.doc' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...nvoice_22.html
    22 Oct 2015 - "This -fake- invoice does not come from United Utilities Scotland, but is instead a simple forgery with a malicious attachment...
    From "UUSCOTLAND" [UUSCOTLAND@ uuplc. co.uk]
    Date Thu, 22 Oct 2015 19:30:13 +0700
    Subject Water Services Invoice
    Good Morning,
    I hope you are well.
    Please find attached the water services invoice summary for the billing period of
    22 September 2015 to 22 October 2015.
    If you would like any more help, or information, please contact me on 0345 0726077.
    Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
    help you. Alternatively you can email me at uuscotland@uuplc.co.uk.
    Kind regards
    Melissa
    Melissa Lears
    Billing Specialist
    Business Retail
    United Utilities Scotland ...


    So far I have seen -three different- versions of the attachment, all named 22 October 2015 Invoice Summary.doc with detection rates of between 4/55 and 7/55 at VirusTotal [1] [2] [3] containing... malicious macros... Analysis of the documents is pending, but one key indicator is that the file appears to be saved as %TEMP%\bluezone3.exe. Check back later for updates."
    1] https://www.virustotal.com/en/file/f...is/1445520172/

    2] https://www.virustotal.com/en/file/a...is/1445520186/

    3] https://www.virustotal.com/en/file/3...is/1445520199/

    UPDATE 1: This VirusTotal report* also identifies the following download locations:
    beauty.maplewindows .co.uk/t67t868/nibrd65.exe
    dtmscomputers .co.uk/t67t868/nibrd65.exe
    namastetravel .co.uk/t67t868/nibrd65.exe
    This file has a VirusTotal detection rate of 2/54** and that report indicates network traffic to: 198.74.58.153 (Linode, US)
    Further analysis is pending, in the meantime I suggest that you -block- traffic to the above IP."
    * https://www.virustotal.com/en/file/a...is/1445520186/

    ** https://www.virustotal.com/en/file/5...is/1445521267/

    198.74.58.153: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake Java "pop-ups for Download"
    - https://blog.malwarebytes.org/online...ava-i-ordered/
    Oct 22, 2015 - "... The downloaded file is called setup.exe and is recognized by a few scanners* that detect this file as potentially unwanted adware. (PUP.Optional.Media)... It installs a program called Media Downloader version 1.5:
    > https://blog.malwarebytes.org/wp-con.../warning4w.png
    The other one I want to show you is not actually a pop-up, but a background image that was made to look like one:
    > https://blog.malwarebytes.org/wp-con.../10/site1w.png
    Clicking this “Install” button downloads and prompts you to install a bundler that does install Java version 1.8.25 but not until they have offered the other components of the bundle. In this case I had to “Decline” Norton360, Weatherbug, PC Mechanic and Stormfall Age of War. Note that the latest version for my system is Version 8 Update 65. Version 8u25 is over a year old. Paying attention to the UAC prompt could have saved us some work here. Super IS (Fried Cookie Ltd.) somehow doesn’t have that official ring to it to convince me that this is the Java installer I was promised:
    > https://blog.malwarebytes.org/wp-con...UACpromptw.png
    Probably triggered by the critical patch update that was released by Oracle there are some sites that use this opportunity to lure users into using Java prompt -lookalikes- or bundled installers (for outdated versions). As always, get your software from trusted sources..."
    * https://www.virustotal.com/nl/file/5...02a9/analysis/
    ___

    Email account credentials - PHISH
    - http://myonlinesecurity.co.uk/email-...ials-phishing/
    22 Oct 2015 - "I came across this slightly different email -phishing- attempt this morning... The original email is quite bland, but just enticing enough to persuade a user to click and fill in the forms...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...l-1024x338.png

    If you did follow the link, you would see a webpage looking like this:
    > http://myonlinesecurity.co.uk/wp-con...e-1024x565.png
    This site is hosted on a free hosting company weebly .com. Unfortunately these free hosts have minimal checks and it is easy to put up almost anything that can infect a user or act as a phishing site. Weebly does eventually respond to abuse reports but in my experience they are quite slow and take a long time to think about whether the site contravenes their T&Cs. Do -not- fill in the forms otherwise your email account will be compromised. You -never- need to give your email account password to anybody."
    ___

    Apple Invoice - Phish
    - https://blog.malwarebytes.org/fraud-...invoice-phish/
    Oct 22, 2015 - "... a blatant attempt to swipe your payment information. Couched in the well-worn guise of a supposed Apple Store refund, the mail wants potential victims to hand over their Apple ID / password and then a chunk of personal / payment details:
    > https://blog.malwarebytes.org/wp-con...pplephis01.jpg
    ... Of course, you probably did not authorise any sort of purchase for a “CoPilot Premium HD” which is exactly the “Oh no my money, I must retrieve it” reaction they’re banking on (unless you actually did buy one of these, in which case things might get a little confusing). Nothing will have people rushing to click buttons and hand over information faster than the possibility of someone making unauthorised payments – clicking the refund links will take them to a -fake- login, via a -redirect- on a potentially compromised t-shirt website. The phish pages themselves are located at
    aut0carhire(dot)com/index/user12-appleid/index(dot)html
    > https://blog.malwarebytes.org/wp-con...pplephish1.jpg
    After handing over Apple ID credentials, the victim is taken to the next step which involves them giving name, address, DOB and full payment information:
    > https://blog.malwarebytes.org/wp-con...pplephish2.jpg
    ... Unfortunately, hitting the “Cancel Transaction” button here would be pretty much the exact opposite of cancelling a transaction and victims could expect to see many more actual payments suddenly leaving their bank account. If you have this sitting in your mailbox, delete it. If you’ve already sent the scammers your details, notify your bank and cancel the card – while keeping an eye out for any dubious payments. Apple themed phish scams are a popular choice for criminals, and whether faced with iTunes logins, “Find my phone” fakeouts, iCloud shenanigans or payment receipts such as the one above, recipients should be wary and – if in doubt – head to -official- Apple pages* to find out if a payment really is being processed."
    * http://www.apple.com/shop/account/home

    aut0carhire(dot)com: 97.74.181.128: https://www.virustotal.com/nl/ip-add...8/information/
    >> https://www.virustotal.com/nl/url/6a...f05e/analysis/

    Last edited by AplusWebMaster; 2015-10-22 at 23:48.
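The "spoofed icon" attachments that the posts above keep flagging (a document or archive extension with .scr, .exe or .js behind it, which Explorer hides when "show known file extensions" is off) can be triaged mechanically at a mail gateway. The following is an added Python example, not code from any of the quoted blogs; it goes a step further than the posts by also sniffing each file's magic bytes against its claimed extension and by triaging ZIP members recursively. All attachment names and bytes are constructed samples modelled on names reported in this thread, and the extension lists are illustrative assumptions, not a complete inventory.

```python
"""Triage an e-mail attachment: compare the extension the user sees with the
extension Windows acts on and with the file's real container type.

Checks: a decoy double extension ("...zip.scr", "...doc.js") that Explorer
hides when "show known file extensions" is off; a bare executable or script
attachment; magic bytes that contradict the extension (a .doc that is really
a ZIP), with ZIP members triaged recursively.  Macro content inside genuine
Office files is not examined.  All sample names and bytes are constructed.
"""
import io
import zipfile
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Extensions Windows executes or hands to a script host on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
# Extensions users read as "harmless", used as the decoy inner extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip", ".txt",
              ".jpg", ".png"}
# Leading bytes -> container type (OLE2 = Word/Excel 97-2003, ZIP = also OOXML).
MAGIC = [(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"), (b"PK\x03\x04", "zip"),
         (b"MZ", "pe"), (b"%PDF", "pdf"), (b"{\\rtf", "rtf")]
# Containers an extension may legitimately carry; anything else is a mismatch.
EXPECTED_CONTAINER = {".doc": {"ole2", "rtf"}, ".xls": {"ole2"},
                      ".docx": {"zip"}, ".xlsx": {"zip"}, ".zip": {"zip"},
                      ".pdf": {"pdf"}, ".exe": {"pe"}, ".scr": {"pe"}}


@dataclass
class Verdict:
    name: str
    final_ext: str      # the extension Windows actually acts on
    container: str      # type sniffed from magic bytes, or "unknown"
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def sniff_container(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(name: str, data: bytes) -> Verdict:
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    final_ext = suffixes[-1] if suffixes else ""
    container = sniff_container(data)
    v = Verdict(name=name, final_ext=final_ext, container=container)

    if final_ext in EXECUTABLE_EXTS:
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            v.findings.append(
                f"double extension: looks like {suffixes[-2]} but runs as {final_ext}")
        else:
            v.findings.append(f"executable attachment ({final_ext})")

    expected = EXPECTED_CONTAINER.get(final_ext)
    if expected and container not in expected:
        v.findings.append(f"content is {container}, not a {final_ext} file")

    # Look inside archives: the dangerous name is usually the member's, not
    # the attachment's (Statement_....zip -> Statement_....zip.scr).
    if container == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for member in z.namelist():
                    inner = triage_attachment(member, z.read(member))
                    v.findings.extend(f"{member}: {f}" for f in inner.findings)
        except zipfile.BadZipFile:
            v.findings.append("zip container is corrupt or truncated")
    return v


def build_samples() -> dict:
    """Constructed attachments whose names are modelled on the reports above."""
    pe = b"MZ\x90\x00" + b"\x00" * 60                  # PE-looking stub
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    buf = io.BytesIO()                                  # a ZIP named .doc
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Credit Note CN-83607.exe", pe)
    return {
        "Statement_3374_10212015.zip.scr": pe,
        "Online banking upd appl form.scr": pe,
        "Notice_to_Appear_00800614.doc.js": b"var a='obfuscated';",
        "Credit Note CN-06536.doc": buf.getvalue(),
        "22 October 2015 Invoice Summary.doc": ole,     # genuine OLE2 .doc
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(f"{name!r}: {triage_attachment(name, data).findings or 'no finding'}")
```

A genuine Office document carrying a malicious macro passes these structural checks, so this complements macro and sandbox analysis rather than replacing it.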

  10. #820
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'cleaning invoice', 'Credit Note', 'Receipt for Payment' SPAM, Paypal PHISH

    FYI...

    Fake 'cleaning invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...e-deborah.html
    23 Oct 2015 - "This -fake- financial spam comes with a malicious attachment:
    From "deborah Sherer" [thesherers@ westnet .co.uk]
    Date Fri, 23 Oct 2015 17:03:19 +0700
    Subject cleaning invoice
    Hello
    attached is invoice for payment
    thanks
    Deborah Sherer
    ---
    This email has been checked for viruses ...


    Attached is a file Cleaning022958.doc which comes in three different versions (VirusTotal results [1] [2] [3]) containing a macro... and downloads a malicious binary from one of the following locations:
    www .bhtfriends .org/tydfyyur54/43e67tko.exe
    zomb.webzdarma .cz/tydfyyur54/43e67tko.exe
    nisanyapi .com/tydfyyur54/43e67tko.exe
    This is saved as %TEMP%\lenderb2.exe and has a VirusTotal detection rate of just 1/55* (that's just a generic detection by Kaspersky). That VirusTotal report plus this Hybrid Analysis report** show network traffic to:
    195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
    Private sources also identify these following IPs as part of the C2 infrastructure:
    157.252.245.49 (Trinity College Hartford, US)
    198.74.58.153 (Linode, US)
    68.168.100.232 (Codero, US)
    The payload appears to be the Dridex banking trojan.
    Recommended blocklist:
    195.154.251.123
    157.252.245.49
    198.74.58.153
    68.168.100.232
    "
    1] https://www.virustotal.com/en/file/4...is/1445595890/

    2] https://www.virustotal.com/en/file/d...is/1445595902/

    3] https://www.virustotal.com/en/file/2...is/1445595912/

    * https://www.virustotal.com/en/file/a...is/1445595923/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    Fake 'Credit Note' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...6536-from.html
    23 Oct 2015 - "This -fake- financial spam has a malicious attachment:
    From: Accounts [message-service@ post.xero .com]
    Date: 23 October 2015 at 15:08
    Subject: Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)
    Hi Mattie,
    Attached is your credit note CN-06536 for 8954.41 GBP.
    This has been allocated against invoice number
    If you have any questions, please let us know.
    Thanks,
    Avnet, Inc.


    The message is neither from Avnet, Xero nor Trump Hotels, but is a simple forgery. Attached is a file Credit Note CN-06536.doc .. but it's actually a -ZIP- file rather than a DOC file. Whoops. Renaming the .DOC to .ZIP creates a valid archive, and the executable inside is named Credit Note CN-83607.exe and has a VirusTotal detection rate of 4/55*. VT identifies this as Upatre which implies that the payload is the Dyre banking trojan... the current version of Upatre/Dyre phones home to 197.149.90.166 (Cobranet, Nigeria) which I strongly recommend you block.
    UPDATE: The Hybrid Analysis report is here**, reporting the Nigerian IP and also showing that the malware saves itself as:
    %TEMP%\homebast.exe
    C:\Windows\mLunoMqU.exe "
    * https://www.virustotal.com/nl/file/9...is/1445609013/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    197.149.90.166: https://www.virustotal.com/nl/ip-add...6/information/
    ___

    Fake 'Scan Data' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...5-t2-scan.html
    23 Oct 2015 - "This -fake- document scan appears to originate from within the victim's own organisation, but doesn't. Instead it comes with a malicious attachment.
    From: DocuCentre-V C6675 T2 [reception@ victimdomain .com]
    Reply-to: reception@ victimdomain .com
    Date: 23 October 2015 at 09:23
    Subject: Scan Data from FX-D6DBE1
    Number of Images: 1
    Attachment File Type: DOC
    Device Name: DocuCentre-V C6675 T2
    Device Location:


    Attached is a file 22102015160213-0001.doc which comes in a few different versions. The payload is Dridex and all the files and downloaded binaries are the same as used in this spam run*."
    * http://blog.dynamoo.com/2015/10/malw...e-deborah.html
    ___

    Fake 'Receipt for Payment' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/thank-...e-pdf-malware/
    23 Oct 2015 - "An email saying 'Thank you for filing your taxes with FreeTaxUSA' with the subject of 'Receipt for Payment' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...t-1024x939.png

    23 October 2015: unjammed black fly.zip: Extracts to: 9842548_2377731824.exe
    Current Virus total detections 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/nl/file/c...is/1445596923/
    ___

    Western Union Business Solutions Spam
    - http://threattrack.tumblr.com/post/1...solutions-spam
    Oct 23, 2015 - "Subjects Seen:
    Order 49746970 Booked - Western Union Business Solutions Online FX for Corporate
    Typical e-mail details:
    Please be advised that Order 49746970 totaling 70,494.00 USD has been booked on Oct 23 2015.
    Click on the attached file to view details of the order or to print a receipt.
    This email was sent by Western Union Business Solutions. We respect your right to privacy.
    Thank you for using Western Union Business Solutions.
    Sincerely,
    Western Union Business Solutions


    Malicious File Name and MD5:
    westernunion_order_receipt.exe (E4510056BB38A37EE7AE485AA6C4B36A)


    Screenshot: https://40.media.tumblr.com/356fe0f2...r6pupn_500.png

    Tagged: Western Union, Upatre
    ___

    Paypal - PHISH... again.
    - http://myonlinesecurity.co.uk/paypal...ited-phishing/
    23 Oct 2015 - "... There are a few major common subjects in a phishing attempt involving either PayPal or your Bank or Credit Card, with a message saying something like:
    There have been unauthorised or suspicious attempts to log in to your account, please verify
    Your Account Access Is Limited
    Your account has exceeded its limit and needs to be verified
    Your account will be suspended !
    You have received a secure message from < your bank>
    We are unable to verify your account information
    Update Personal Information
    Urgent Account Review Notification
    We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    Confirmation of Order


    Screenshot: http://myonlinesecurity.co.uk/wp-con...d-1024x780.png

    ... the links to the -phishing- website are behind the 'update your info' button or the 'update now' link... The eventual site is the highlighted part of the very long url which goes via googleadservices. Now many phishers have been using google search links to persuade a recipient to click-a-link. Hovering over the link in an email will show google, which most people would think was safe... The only way is to look at the address bar, and in the -Genuine- PayPal site, when using Internet Explorer the entire address bar is in green. (in Chrome or Firefox, only the padlock symbol on the left of the browser is green)...
    > http://myonlinesecurity.co.uk/wp-con...ypal_phish.png
    This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."
    ___

    Fake 'Notice to Appear' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/10/malw...to-appear.html
    22 Oct 2015 - "This -fake- legal spam comes with a malicious attachment:
    From: District Court
    Date: 22 October 2015 at 19:03
    Subject: Notice to Appear
    Notice to Appear,
    This is to inform you to appear in the Court on the October 27 for your case hearing.
    Please, prepare all the documents relating to the case and bring them to Court on the specified date.
    Note: The case may be heard by the judge in your absence if you do not come.
    You can review complete details of the Court Notice in the attachment.
    Sincerely,
    Michael Newell,
    District Clerk


    Attached is a file Notice_to_Appear_00800614.zip which in turn contains a malicious script Notice_to_Appear_00800614.doc.js... This obfuscated script translates into something a bit more understandable which clearly references the following domains:
    www .flowarrior .com
    www .abama .org
    littlefacesofpanama-association .com
    The Hybrid Analysis report* shows that it downloads a file as %TEMP%\5883173.exe which has a VirusTotal detection rate of 5/55** (possibly Cridex). It references the following IPs as being highly suspect:
    91.121.108.77 (OVH, France)
    78.24.220.229 (TheFirst-RU, Russia)
    A -large- number of IPs are queried... I have not had the chance to check those individual IP addresses, but I recommend that you -block- the following two at least:
    91.121.108.77
    78.24.220.229"
    * https://www.hybrid-analysis.com/samp...nvironmentId=1

    ** https://www.virustotal.com/nl/file/d...is/1445547994/

    > https://www.virustotal.com/nl/url/37...1464/analysis/
    ___

    G DATA Malware Report H1 2015
    - https://www.gdata-software.com/g-dat...t-half-of-2015
    Oct 22, 2015 - "... G DATA is releasing its H1 2015 Malware Report, which looks at malware over the first half of 2015. Among the findings, researchers discovered a 64.8 percent spike of new malware strains as compared to the first half of 2014. This averages out to 12 new strains per minute. In all, the total number of malware strains this year is expected to be well above the level of 2014, with the U.S., China and France hosting the most malicious and fraudulent websites. In looking more closely at the banking industry, researchers found that Wells Fargo was the most frequently targeted financial services company by banking Trojans, and the Swatbanker family was the most frequently seen banking Trojan in the six-month period, followed by the ZeuS family... websites related to the healthcare industry were most frequently classified as malicious (26.6 percent), with technology and telecom a distant second. The most commonly seen malware campaign was “Money Rain,” promising various ways to easily acquire money. While this campaign was seen on websites for all of the categories researched, 37 percent of the websites that were clearly connected to Money Rain were in the healthcare industry. Also of note, a new category, personal ads and dating, was revealed to be in the top 10 list of most prevalent malicious and fraudulent websites.
    > https://static.gdatasoftware.com/110..._48890w417.jpg
    Additional Key Findings Include:
    • The "Top 10" list of prevented malware attacks is dominated by adware and Potentially Unwanted Programs (PUP). Dealply and Graftor are the most prevalent families in this field.
    • Ukraine is new to the Top 10 list of countries most frequently found to be hosting malicious websites with 5% of the activity, putting the country in fourth place. This could potentially be due to the political havoc occurring in this region.
    • Exploits for vulnerabilities are now being integrated into exploit kits after just a few days. Users who do not keep their systems up-to-date will easily fall victim to cyber criminals.
    • The vulnerabilities in Adobe Flash were most frequently abused to silently and automatically attack and compromise PCs (Exploit)..."
    PDF - Full report: https://public.gdatasoftware.com/Pre...H1_2015_EN.pdf

    > https://static.gdatasoftware.com/110..._48866w800.jpg

    Last edited by AplusWebMaster; 2015-10-23 at 19:58.
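    The PayPal phish above hides the real landing page inside a googleadservices redirect, so hovering only shows a google host. The following is an added example (not code from the forum post or from myonlinesecurity.co.uk) that unwraps such redirector links and checks the host the click actually lands on. It assumes the redirect carries its target in a query parameter (googleadservices.com uses adurl, google.com/url uses q); the sample URL inside is constructed for the example, not the campaign's own.

```python
"""Unwrap a redirector link from a phishing mail and check where it really lands.

Added example for the PayPal phish quoted above; it is not code from the forum
post or from myonlinesecurity.co.uk. Assumption: the mail's link is a
google.com / googleadservices.com redirect that carries the real target in a
query parameter (q, adurl, ...). The sample URL at the bottom is constructed.
"""
from typing import Dict, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Query parameters that redirectors commonly use to carry the real destination.
NESTED_URL_PARAMS = ("adurl", "q", "url", "u", "redirect", "target", "dest")


def _nested_url(url: str) -> Optional[str]:
    """Return the first query-parameter value that is itself an http(s) URL."""
    query = parse_qs(urlparse(url).query)
    for key in NESTED_URL_PARAMS:
        for value in query.get(key, []):
            # parse_qs already decodes one layer; unquote again for double-encoded targets.
            candidate = value if value.startswith(("http://", "https://")) else unquote(value)
            if candidate.startswith(("http://", "https://")):
                return candidate
    return None


def final_destination(url: str, max_hops: int = 5) -> str:
    """Follow URL-in-parameter redirects (redirect -> redirect -> site) up to max_hops."""
    current = url
    for _ in range(max_hops):
        nested = _nested_url(current)
        if nested is None:
            break
        current = nested
    return current


def host_matches(url: str, expected: str) -> bool:
    """True only if the hostname IS `expected` or a subdomain of it.

    A plain substring check would accept paypal.com.secure-update.example,
    which is exactly the trick look-alike phishing hosts rely on.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def triage_link(url: str, expected: str = "paypal.com") -> Dict[str, object]:
    """Summarise what the user sees on hover versus where the click really goes."""
    dest = final_destination(url)
    return {
        "hover_host": urlparse(url).hostname,
        "final_url": dest,
        "final_host": urlparse(dest).hostname,
        "genuine": host_matches(dest, expected),
    }


if __name__ == "__main__":
    # Constructed sample: google.com redirect wrapping an ad-services redirect
    # wrapping a look-alike host (paypal.com.secure-update.example is made up).
    SAMPLE = (
        "https://www.google.com/url?q=https%3A%2F%2Fwww.googleadservices.com%2Fpagead%2Faclk"
        "%3Fsa%3DL%26adurl%3Dhttp%253A%252F%252Fpaypal.com.secure-update.example%252Fupdate%252F"
    )
    print(triage_link(SAMPLE))
```

    The check deliberately compares the hostname's tail rather than searching for "paypal.com" anywhere in the URL, since the string is present in the look-alike host too; that is the difference between what the hover text suggests and what the address bar of the landing page shows.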

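    The 'Notice to Appear' spam delivers a zip whose member is a script with a document-looking double extension (Notice_to_Appear_00800614.doc.js). As an added example (not code from the forum post or from dynamoo.com), the following mail-gateway style check lists zip members that are scripts or carry that kind of deceptive double extension. The zip is built in memory with a harmless placeholder body; only the member name is modelled on the campaign.

```python
"""Flag zip attachments whose members are scripts hiding behind a document-looking
double extension, as in Notice_to_Appear_00800614.doc.js.

Added example, not code from the forum post or from dynamoo.com. The archive
built by build_sample_zip() is constructed here with a placeholder body; only
the member name copies the pattern of the campaign described above.
"""
import io
import zipfile
from typing import List, Optional, Tuple

# Extensions Windows will execute directly (scripting hosts and binaries).
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta",
                     "exe", "scr", "cmd", "bat", "ps1", "jar"}
# Extensions a user expects to be a harmless document or picture.
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "rtf", "jpg", "png"}


def classify_member_name(name: str) -> Optional[str]:
    """Return a reason if the archive member name is suspicious, else None."""
    base = name.rsplit("/", 1)[-1].lower()
    # Strip padding so 'invoice.doc                .js' is still seen as .doc.js.
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in SCRIPT_EXTENSIONS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
        return f"script with deceptive double extension .{parts[-2]}.{ext}"
    return f"executable script attachment .{ext}"


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every suspicious member of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_member_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one decoy-named script plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Notice_to_Appear_00800614.doc.js",
                    "// placeholder body, constructed for this example\n")
        zf.writestr("readme.txt", "benign\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip(build_sample_zip()):
        print(f"BLOCK {member}: {reason}")
```

    The name check is cheap enough to run on every inbound archive before any content scanning; a member that is a Windows Script Host file at all, let alone one dressed up as a .doc, has no business arriving as a court notice.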