Fake 'OUTSTANDING INVOICES', 'Amendment/Agreement' SPAM, New crypto-ransomware
FYI...
Fake 'OUTSTANDING INVOICES' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malw...ces-steve.html
9 Nov 2015 - "This -fake- financial email does not come from Resimac but is instead a simple -forgery- with a malicious attachment.
From "Steve McDonnell" [stevem@ resimac .co.uk]
Date Mon, 09 Nov 2015 18:24:23 +0530
Subject OUTSTANDING INVOICES
Dear,
Please find attached invoices 1396 & 1406 which are now outstanding.
I should be grateful if you would let me know when they are going to be paid.
Kind Regards
Steve McDonnell
Company Secretary
Resimac Ltd
Unit 11, Poplars Industrial Estate ...
I have only seen a single sample of this with an attachment named Invoices001396,1406-11.2015.xls which has a VirusTotal detection rate of 3/54* ... which contains this malicious macro... which (according to this Hybrid Analysis report**) in this case downloads a binary from:
www .davidcaballero .com/87yte55/6t45eyv.exe
The VirusTotal detection rate for this binary is 3/55***. That report indicates network traffic to:
89.108.71.148 (Agava Ltd, Russia)
Other analyses are pending, however I strongly recommend that you block traffic to that IP. The payload is likely to be the Dridex banking trojan."
* https://www.virustotal.com/en/file/6...8fc3/analysis/
** https://www.hybrid-analysis.com/samp...nvironmentId=1
*** https://www.virustotal.com/en/file/3...a673/analysis/
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-add...8/information/
191.234.4.50: https://www.virustotal.com/en/ip-add...0/information/
213.229.173.59: https://www.virustotal.com/en/ip-add...9/information/
- http://myonlinesecurity.co.uk/outsta...sheet-malware/
9 Nov 2015
Screenshot: http://myonlinesecurity.co.uk/wp-con...S-1024x561.png
"... 9 November 2015: Invoices001396,1406-11.2015.xls
Current Virus total detections 8/55* ... Downloads Dridex banking malware from
www .davidcaballero .com/87yte55/6t45eyv.exe ... DO NOT follow the advice they give to enable macros or enable editing to see the content... look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/6...8fc3/analysis/
___
Fake 'Amendment/Agreement' SPAM - sharefile .com malware
- http://blog.dynamoo.com/2015/11/malw...me-shared.html
5 Nov 2015 - "This -fake- Dropbox spam appears to come from randomly-generated people..
From: Sandy Schmitt via Dropbox [no-reply@ dropbox .com]
Date: 9 November 2015 at 11:41
Subject: Sandy Schmitt shared "Amendment or the Agreement_09-11-2015.zip" with you
Sandy used Dropbox to share a file with you!
Click here to view...
> https://1.bp.blogspot.com/-cua7HAy0d...ke-dropbox.png
The link in the email actually goes to sharefile .com where it downloads a file Amendment or the Agreement_09-11-2015.zip containing a malicious executable Amendment or the Agreement_09-11-2015.scr which has a VirusTotal detection rate of 2/54*. Automated analysis is inconclusive [1] [2] but you can guarantee that this is nothing good. Because of the low detection rates, it might be worth -temporarily- blocking sharefile .com."
* https://www.virustotal.com/en/file/4...is/1447072746/
1] https://www.hybrid-analysis.com/samp...nvironmentId=1
2] https://malwr.com/analysis/MTU3N2U2Z...JjNzE2MDFiYmE/
___
New crypto-ransomware targets Linux web servers
- http://net-security.org/malware_news.php?id=3148
09.11.2015 - "There's a new piece of crypto-ransomware out there, but unlike most malware of this particular type, this one is mainly directed at web servers running on Linux. The threat has been dubbed Linux Encoder by Dr. Web researchers, and is currently detected by a small fraction of AV solutions*:
> http://www.net-security.org/images/a...112015-big.jpg
... "Once launched with administrator privileges, the Trojan (...) downloads files containing cybercriminals' demands and a file with the path to a public RSA key. After that, the malicious program starts as a daemon and deletes the original files," the researchers explained**. "Subsequently, the RSA key is used to store AES keys which will be employed by the Trojan to encrypt files on the infected computer"... It encrypts a wide variety of files - including Office, documents, image files, HTML and PHP files, archives, DLLs and EXE files - and adds the .encrypted extension to them. Instructions on what to do in order to get the files decrypted are included in each directory. Dr. Web researchers are working on a technology that can help decrypt data encrypted by this malware, but in the meantime the best protection against its destructiveness is to backup crucial files regularly..."
* https://www.virustotal.com/en/file/f...0956/analysis/
** https://news.drweb.com/show/?i=9686&lng=en&c=5
Britain to build cyber attack forces, Casino Malvertising Campaign, Blackhole EK
