
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #841
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005 - Location: USA - Posts: 6,881

    relode .com - SPAM ...

    FYI...

    relode .com - SPAM...
    - http://blog.dynamoo.com/2015/11/spam...t-part-ii.html
    21 Nov 2015 - "Matt Tant and the moron spammers from relode .com are at it again.
    From: Matt Tant [matthew@ relode .com]
    To: "donotemail@ wearespammers .com" [donotemail@ wearespammers .com]
    Date: 21 November 2015 at 22:40
    Subject: Snagajob integration added
    This just in! In addition to our Craigslist and Indeed integrations, we have just pushed an integration with Snagajob! Do you post only on Craigslist, or do you post on multiple job posting sites?...


    I've covered these CAN-SPAM busting idiots before*..."
    * http://blog.dynamoo.com/2015/11/spam...matt-tant.html
    17 Nov 2015
    ___

    - http://centralops.net/co/DomainDossier.aspx
    relode .com
    aliases
    addresses
    198.185.159.144: https://www.virustotal.com/en/ip-add...4/information/
    198.185.159.145: https://www.virustotal.com/en/ip-add...5/information/
    198.49.23.144: https://www.virustotal.com/en/ip-add...4/information/
    198.49.23.145: https://www.virustotal.com/en/ip-add...5/information/

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #842
    AplusWebMaster

    Fake 'Employee Documents', 'UKMail tracking' SPAM, Cybercriminal Underground

    FYI...

    WordPress + Angler EK = compromise for some...
    - https://blog.malwarebytes.org/hackin...-a-year-later/
    Nov 23, 2015 - "We are seeing -dozens- of WordPress sites compromised recently with the same malicious code -redirecting- to the Angler exploit kit. The attack involves conditionally embedded large snippets of code at the bottom of the sites’ source page. It is important to stress this is a conditional injection because webmasters trying to identify the issue may -not- see it unless they browse from a fresh IP address and a particular user-agent (Internet Explorer being the most likely to get hit)... The -rogue- code loads a Flash video file from a -suspicious- top-level domain name such as .ga, .tk or .ml which is used to -redirect- visitors to the Angler exploit kit. This is the same attack pattern we documented over a year ago (Exposing the Flash ‘EITest’ malware campaign*)... The latest WordPress version is 4.3.1. This particular ‘EITest campaign’ never actually stopped and saw an increase in the last few months which has been sustained up until now... Angler EK exploits Flash Player... If your WordPress site has been affected, keep in mind that the malicious injected code is just part of the symptoms from having your site hacked. It’s important to identify backdoors, .htaccess modifications as well as the original entry point, by looking at your access and error logs..."
    * https://blog.malwarebytes.org/exploi...ware-campaign/

    Latest Wordpress: https://wordpress.org/news/2015/09/wordpress-4-3-1/

    Latest Flash: https://helpx.adobe.com/security/pro...apsb15-28.html
    ___

    Fake 'Employee Documents' SPAM - xls malware
    - http://myonlinesecurity.co.uk/employ...sheet-malware/
    23 Nov 2015 - "An email with the subject of 'Employee Documents Internal Use' pretending to come from HR at your own email domain or company with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    DOCUMENT NOTIFICATION, Powered by NetDocuments
    DOCUMENT NAME: Employee Documents
    DOCUMENT LINK: [Link removed]
    This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.


    23 November 2015: Employee Documents(1928).xls - Current Virus total detections 4/54*
    ... Connects to and downloads kunie .it/u654g/76j5h4g.exe. It is very likely that the downloaded malware will be Dridex banking malware, although some antiviruses are indicating a -cryptowall- ransomware (VirusTotal 6/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1448270398/

    ** https://www.virustotal.com/en/file/e...is/1448270247/
    TCP connections
    89.108.71.148: https://www.virustotal.com/en/ip-add...8/information/
    90.84.59.51: https://www.virustotal.com/en/ip-add...1/information/

    - http://blog.dynamoo.com/2015/11/malw...documents.html
    23 Nov 2015 - "... Attached is a file Employee Documents(1928).xls ... sources tell me that there are -three- different versions downloading from the following locations:
    kunie .it/u654g/76j5h4g.exe
    oraveo .com/u654g/76j5h4g.exe
    www .t-tosen .com/u654g/76j5h4g.exe
    The downloaded binary has a detection rate of just 1/54*. That VirusTotal report and this Hybrid Analysis report** show network connections to the following IPs:
    89.108.71.148 (Agava Ltd, Russia)
    89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
    157.252.245.32 (Trinity College Hartford, US)
    The payload is probably the Dridex banking trojan...
    Recommended blocklist:
    89.108.71.148
    89.32.145.12
    157.252.245.32
    "
    * https://www.virustotal.com/en/file/4...is/1448276542/
    TCP connections
    89.108.71.148: https://www.virustotal.com/en/ip-add...8/information/
    8.254.218.126: https://www.virustotal.com/en/ip-add...6/information/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    Fake 'UKMail tracking' SPAM - doc malware
    - http://myonlinesecurity.co.uk/ukmail...d-doc-malware/
    23 Nov 2015 - "An email with the subject of 'UKMail 988271023 tracking information' pretending to come from no-reply@ ukmail .com with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    UKMail Info!
    Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
    Please view the information about your parcel, print it and go to the post office to receive your package.
    Warranties
    UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service...


    23 November 2015: 988271023-PRCL.doc - Current Virus total detections 4/54*
    ... Connects to & downloads an updated Dridex banking malware from
    xsnoiseccs .bigpondhosting .com/u654g/76j5h4g.exe (VirusTotal 3/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1448280511/

    ** https://www.virustotal.com/en/file/9...is/1448282238/
    TCP connections
    89.108.71.148: https://www.virustotal.com/en/ip-add...8/information/
    23.62.99.136: https://www.virustotal.com/en/ip-add...6/information/

    - http://blog.dynamoo.com/2015/11/malw...-tracking.html
    23 Nov 2015 - "... The attachment is named 988271023-PRCL.doc ... This binary has a VirusTotal detection rate of 5/54*. That VirusTotal report plus this Hybrid Analysis report** and Malwr report*** indicate malicious traffic... The payload is likely to be the Dridex banking trojan...
    Recommended blocklist:
    157.252.245.32
    89.32.145.12
    89.108.71.148
    91.212.89.239
    89.189.174.19
    122.151.73.216
    37.128.132.96
    195.187.111.11
    37.99.146.27
    77.221.140.99
    195.251.145.79
    "
    * https://www.virustotal.com/en/file/9...is/1448285502/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    *** https://malwr.com/analysis/ODJhYmE3N...M0ZDM2NmFhM2I/
    ___

    Dyreza trojan evolves for Win10
    - http://www.itnews.com.au/news/dyreza...dows-10-412101
    Nov 23 2015 - "Notorious banking trojan Dyreza has evolved to target the Windows 10 operating system, according to cyber-security firm Heimdal*. The new feature of this pernicious strain of malware includes support for Windows 10, so cyber-criminals can stay up to date with the developments of their prey, as well as the ability to latch on to Microsoft Edge, Windows 10's replacement for the much-maligned Internet Explorer. Heimdal also noted that this new version of Dyreza “kills a series of processes linked to endpoint security software, in order to make its infiltration in the system faster and more effective”. Nearly 100,000 machines have apparently been infected by Dyreza worldwide, and Dyreza strains have been developed for just about every kind of Windows operating system in recent memory, including Windows 7 through 10 as well as Windows Server 2003 and Vista... Occasionally known as -Dyre-, this particular trojan digs itself right into a user's browser. From there, it directs users to modified versions of otherwise legitimate webpages. If Dyreza is installed on a computer, it might steal online banking details as a user logs into what they think is a normal online -banking- webpage. It commonly spreads itself in large swathes of phishing emails in a tactic known as 'spray and pray'. But once Dyreza does hit a target, it collects users' data and becomes part of a botnet, allowing the attacker to receive the critical information from many users... The research also notes that this new strain arrives just in time for the holidays, with Christmas, Thanksgiving and, more importantly, Black Friday, the US's post-Thanksgiving shopping event, just around the corner..."
    * https://heimdalsecurity.com/blog/sec...ndows-10-edge/
    ___

    Cybercriminal Underground - 2015
    - https://www.trendmicro.com/vinfo/us/...round-in-2015/
    Nov 23, 2015 - "... Data leaked in the underground allows cybercriminals to commit various crimes like financial fraud, identity and intellectual property theft, espionage, and extortion. Chinese cybercriminals have managed to enhance the way they share data, as seen in the case of SheYun, a search engine created specifically to make leaked data available to users. Over the last few years, we have been keeping track of the shift of prices of goods and services traded in the Chinese underground. Previously, we saw compromised hosts, DDoS attack tools and services, and remote access Trojans (RATs) being sold. Today, social engineering tools have been added to the market.
    Carding devices: Cash transactions are slowly becoming a thing of the past, as evidenced by the adoption of electronic and mobile payment means.
    • PoS skimmers - Tampered PoS devices are sold to resellers who may or may not know that these devices are rigged. Some PoS skimmers come with an SMS-notification feature that allows the cybercriminal to access the stolen data remotely every time the device is used.
    • ATM skimmers – Commonly sold on B2B websites, these fraud-enabling devices allowed fraudsters to carry out bank fraud and actual theft. The devices have keypad overlays that are used to steal victims’ PINs.
    • Pocket skimmers – These small, unnoticeable magnetic card readers can store track data of up to 2,048 payment cards. They do not need to be physically connected to a computer or a power supply to work. All captured data can be downloaded onto a connected computer..."
    ___

    21% of Brits have been hit by cyber gits
    - http://www.theinquirer.net/inquirer/...-by-cyber-gits
    Nov 23 2015 - "ACCORDING TO A REPORT from Deloitte*, one in five British people has been the victim of a security breach... The report says that the ongoing explosion in business and consumer data presents an increasingly tempting target for those with evil intent. It warns companies that most consumers expect them to take responsibility for protecting their data. However, it adds that most consumers do not have a clue what that means... 'Our 2015 report found that 84 percent of consumers expect companies to be held responsible for ensuring the security of user data and personal information online'... Deloitte found that two-thirds of punters would pull their personal data out of firms if they could do so easily, while 52 percent are -not- happy with the way their data is used. Only about a third said that they are aware of the fact that their data is taken and used. Thirteen percent were completely clueless on collection. These people are reading the wrong websites..."
    * http://www2.deloitte.com/uk/en/pages...er-attack.html

    Last edited by AplusWebMaster; 2015-11-23 at 23:23.
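The Malwarebytes write-up quoted in the post above stresses that the Angler/EITest injection is conditional on the visitor's IP and User-Agent, so a webmaster's own fetch can look clean. The following is an added example, not code from the original post or from Malwarebytes: it collects every external script/object/embed/iframe URL from two fetches of the same page (one "clean", one made with an Internet Explorer User-Agent), reports what only the IE fetch carries, and flags anything on the .ga/.tk/.ml TLDs the post names. The two HTML bodies are constructed sample input and the hostnames in them are placeholders; fetch() is provided for live use against a real site from a fresh IP but is not run here.

```python
"""Compare two fetches of a WordPress page for conditionally injected resources.

Added example, not code from the original post or from Malwarebytes.  The
sample HTML below is constructed; its hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import urllib.request

SUSPICIOUS_TLDS = {"ga", "tk", "ml"}
# A stock IE11 User-Agent; the post says IE visitors are the ones most likely served the injection.
IE11_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"


class ResourceCollector(HTMLParser):
    """Collect the URL attribute of tags that load active content."""
    URL_ATTR = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        want = self.URL_ATTR.get(tag.lower())
        if want is None:
            return
        for name, value in attrs:
            if name.lower() == want and value:
                self.urls.append(value.strip())


def external_resources(html):
    parser = ResourceCollector()
    parser.feed(html)
    return set(parser.urls)


def tld(url):
    host = (urlsplit(url).hostname or "").lower()
    return host.rsplit(".", 1)[-1] if host else ""


def diff_fetches(clean_html, ie_html):
    """Resources only the IE fetch carries, plus any on a throw-away TLD in either fetch."""
    clean, ie = external_resources(clean_html), external_resources(ie_html)
    return {
        "only_in_ie": sorted(ie - clean),
        "suspicious_tld": sorted(u for u in ie | clean if tld(u) in SUSPICIOUS_TLDS),
    }


def fetch(url, user_agent):
    """Fetch url with a chosen User-Agent (for live use from a fresh IP; not executed here)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample bodies: the second is the first with an <object> appended
# just before </body>, the way the post describes the injection.
CLEAN_HTML = """<html><head>
<script src="https://blog.example.org/wp-includes/js/jquery/jquery.js"></script>
</head><body><p>Hello</p></body></html>"""
IE_HTML = CLEAN_HTML.replace(
    "</body>",
    '<object data="http://a1b2c3.example-placeholder.tk/flash.swf" '
    'type="application/x-shockwave-flash"></object></body>')


def demo():
    return diff_fetches(CLEAN_HTML, IE_HTML)


if __name__ == "__main__":
    print(demo())
```

For a live check, call fetch(url, "Mozilla/5.0") and fetch(url, IE11_UA) from a host that has not visited the site before and pass both bodies to diff_fetches(); a resource that only appears in the IE fetch, or on one of the listed TLDs, is the injection the post describes.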

  3. #843
    AplusWebMaster

    Fake 'Billing', 'Scan', 'FED Wire', 'Abcam Despatch' SPAM

    FYI...

    Fake 'Billing' SPAM - Cryptowall
    - http://blog.dynamoo.com/2015/11/malw...statement.html
    24 Nov 2015 - "This -fake- financial spam leads to ransomware:
    From: Scrimpsher [mumao82462308wd@ 163 .com]
    Date: 24 November 2015 at 16:57
    Subject: Serafini_Billing_Statement 2003
    Signed by: 163 .com
    Hi Please see attached a copy of your statement for the month of Nov 2015
    Sincerely
    Lynda Ang


    As with many recent ransomware attacks, this appears to have been sent through webmail (it really is from 163 .com, it is -not- being spoofed). Attached is a file Statement.zip which contains a malicious javascript statement.js ... [vT 7/53*] which then downloads a component from:
    46.30.45.73 /mert.exe
    That IP belongs to Eurobyte LLC in Russia. I recommend that you -block- it. This is saved as %TEMP%\122487254.exe and it has a VirusTotal detection rate of 5/55**... The application's icon and metadata are designed to make it look like a copy of VNC, but instead the VirusTotal detection indicates that it is Cryptowall. This Hybrid Analysis report*** demonstrates the ransomware in action most clearly..."
    > https://2.bp.blogspot.com/-JVJIL7NuZ...cryptowall.png
    (More detail at the dynamoo URL above.)
    * https://www.virustotal.com/en/file/7...is/1448391057/

    ** https://www.virustotal.com/en/file/b...is/1448390921/

    *** https://www.hybrid-analysis.com/samp...nvironmentId=1

    46.30.45.73: https://www.virustotal.com/en/ip-add...3/information/

    - http://centralops.net/co/DomainDossier.aspx
    163 .com
    aliases
    addresses
    123.58.180.8: https://www.virustotal.com/en/ip-add...8/information/
    123.58.180.7: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Fake 'Scan' SPAM - doc malware
    - http://myonlinesecurity.co.uk/scan-a...d-doc-malware/
    24 Nov 2015 - "An email with the subject of 'Scan as requested' pretending to come from Melissa O’Neill <adminoldbury@ newhopecare .co.uk> with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...d-1024x718.png

    24 November 2015: 20151009144829748.doc - Current Virus total detections 5/53*
    ... Downloads Dridex banking malware from
    http ://afrodisias .com .tr/7745gd/4dgrgdg.exe (VirusTotal 4/55**)
    Update: other download locations discovered include
    www .costa-rica-hoteles-viajes .com/~web/7745gd/4dgrgdg.exe and janaduchanova .wz .cz/7745gd/4dgrgdg.exe
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1448358595/

    ** https://www.virustotal.com/en/file/9...is/1448359094/
    TCP connections
    89.108.71.148: https://www.virustotal.com/en/ip-add...8/information/
    88.221.14.130: https://www.virustotal.com/en/ip-add...0/information/

    - http://blog.dynamoo.com/2015/11/malw...d-melissa.html
    24 Nov 2015 - "... This has a VirusTotal detection rate of 4/55*. That VT analysis and this Malwr analysis** and these two Hybrid Analysis reports [1] [2] show network traffic to:
    157.252.245.32 (Trinity College Hartford, US)
    89.108.71.148 (Agava Ltd, Russia)
    89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
    88.86.117.153 (SuperNetwork, Czech Republic) ...
    Recommended blocklist:
    157.252.245.32
    89.108.71.148
    89.32.145.12
    88.86.117.153
    "
    * https://www.virustotal.com/en/file/9...is/1448361171/
    TCP connections
    89.108.71.148: https://www.virustotal.com/en/ip-add...8/information/
    88.221.14.130: https://www.virustotal.com/en/ip-add...0/information/

    ** https://malwr.com/analysis/ZDU2YWU5Y...A5NGFiYzQzYTE/

    1] https://www.hybrid-analysis.com/samp...nvironmentId=1

    2] https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    Fake 'FED Wire' SPAM - xls malware
    - http://myonlinesecurity.co.uk/import...sheet-malware/
    24 Nov 2015 - "The second batch of malspam today using malicious office docs with macros is an email with the subject of 'IMPORTANT. FDIC. FED Wire and ACH Restrictions' pretending to come from FDIC, Federal Reserve Bank <administration@ usfederalreservebank .com> with a malicious Excel XLS spreadsheet attachment, another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...strictions.png

    24 November 2015: aes_E851174777E.xls - Current Virus total detections 3/56*
    The MALWR analysis shows us that it downloads various files from a combination of http ://rmansys .ru/utils/inet_id_notify.php and http ://s01.yapfiles .ru/files/1323961/435323.jpg .
    The only file I get that is malicious is test.exe that looks like it was -renamed- from the 435323.jpg on download by the macro inside this office doc. (VirusTotal 5/56**). I am unsure what malware this actually is, but it doesn’t look like it is Dridex... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1448364813/

    ** https://www.virustotal.com/en/file/5...is/1448365505/
    TCP connections
    89.108.101.61: https://www.virustotal.com/en/ip-add...1/information/
    90.156.241.111: https://www.virustotal.com/en/ip-add...1/information/
    217.197.126.52: https://www.virustotal.com/en/ip-add...2/information/

    - http://blog.dynamoo.com/2015/11/malw...erve-bank.html
    24 Nov 2015 - "This spam does -not- come from the Federal Reserve Bank, but is instead a simple -forgery- with a malicious attachment... According to this Malwr report[1] it drops all sorts of files including _iscrypt.dll [VT 0/54*] and 2.exe [VT 2/54**] which is analysed in this Malwr report[2] and this Hybrid Analysis report[3]. It is unclear as to what it does (ransomware? remote access trojan?), but it appears that the installation may be password protected...
    Recommended blocklist:
    185.26.97.120
    90.156.241.111
    89.108.101.61
    95.27.132.170
    217.197.126.52
    88.147.168.112
    217.19.105.3

    UPDATE: This Hybrid Analysis report[4] shows various web pages popping up from the Excel spreadsheet, including MSN and Lidl. The purpose of this is unknown."
    * https://www.virustotal.com/en/file/2...is/1448378403/

    ** https://www.virustotal.com/en/file/0...is/1448378422/

    1] https://malwr.com/analysis/NWMzNjQwM...U5NmM1NTk3MzQ/

    2] https://malwr.com/analysis/MGQ3NjdkY...A2MWE0MTAwM2Y/

    3] https://www.hybrid-analysis.com/samp...nvironmentId=1

    4] https://www.hybrid-analysis.com/samp...vironmentId=1
    ___

    Fake 'Abcam Despatch' SPAM - xls malware
    - http://myonlinesecurity.co.uk/abcam-...sheet-malware/
    24 Nov 2015 - "The 3rd set today of malspam emails using malicious office docs is an email with the subject of 'Abcam Despatch [CCE5303255]' pretending to come from orders@ abcam .com with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...h-1024x550.png

    24 November 2015: invoice_1366976_08-01-13.xls - Current Virus total detections 6/56*
    ... which is actually a zip file that when extracted gives you -several- docs or xls files [1] [2] [3] [4] [5] [6]. MALWR analysis of some of them shows that they contact & download a Dridex banking malware from these locations amongst others:
    http ://janaduchanova .wz.cz/7745gd/4dgrgdg.exe (VirusTotal 1/55**)
    http ://afrodisias.com .tr/7745gd/4dgrgdg.exe
    http ://www.costa-rica-hoteles-viajes .com/~web/7745gd/4dgrgdg.exe
    http ://biennalecasablanca .ma/7745gd/4dgrgdg.exe
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1448365689/

    1] https://www.virustotal.com/en/file/4...is/1448365924/

    2] https://www.virustotal.com/en/file/6...is/1448366059/

    3] https://www.virustotal.com/en/file/a...is/1448366422/

    4] https://www.virustotal.com/en/file/2...is/1448366042/

    5] https://www.virustotal.com/en/file/2...is/1448366042/

    6] https://www.virustotal.com/file/1e47...is/1448361214/

    ** https://www.virustotal.com/en/file/3...is/1448365319/
    TCP connections
    89.108.71.148: https://www.virustotal.com/en/ip-add...8/information/
    191.234.4.50: https://www.virustotal.com/en/ip-add...0/information/

    - http://blog.dynamoo.com/2015/11/malw...ce5303255.html
    24 Nov 2015 - "... The attachment name is invoice_1366976_08-01-13.xls ... This binary has a detection rate of 2/55* and phones home to the following IPs (according to this**):
    157.252.245.32 (Trinity College Hartford, US)
    89.108.71.148 (Agava Ltd, Russia)
    89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)..
    Recommended blocklist:
    157.252.245.32
    89.108.71.148
    89.32.145.12
    "
    * https://www.virustotal.com/en/file/3...is/1448369154/
    TCP connections
    89.108.71.148: https://www.virustotal.com/en/ip-add...8/information/
    191.234.4.50: https://www.virustotal.com/en/ip-add...0/information/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    Last edited by AplusWebMaster; 2015-11-24 at 21:50.
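Posts #842 and #843 above list the second-stage download URLs (all of the form /u654g/76j5h4g.exe or /7745gd/4dgrgdg.exe) and dynamoo's "Recommended blocklist" IPs. What a practitioner actually does with those is run them over proxy logs. The block below is an added example, not code from the original posts or from dynamoo / myonlinesecurity: it takes the IPs and URLs exactly as posted (defanged with spaces, e.g. "kunie .it/u654g/76j5h4g.exe"), refangs them, and scans Squid-style access-log lines for a known host, a known path, or a blocklisted IP as either the requested host or the peer. As a generalisation of what the posts show, it also flags any /<short dir>/<short name>.exe download, since every second-stage URL in both posts has that shape. The log lines are constructed for this example, with RFC 5737 addresses standing in for peers that are not on the page.

```python
"""Match the IOCs quoted in the Dridex posts against proxy log lines.

Added example; not code from the original posts or from dynamoo / myonlinesecurity.
The IOC text is copied from the posts as written; the log lines are constructed.
"""
import ipaddress
import re

# Copied from the dynamoo "Recommended blocklist" entries and the mert.exe host in the posts above.
DEFANGED_IPS = """
89.108.71.148
89.32.145.12
157.252.245.32
91.212.89.239
89.189.174.19
88.86.117.153
46.30.45.73
"""

# Copied from the myonlinesecurity / dynamoo posts above, defanging left as posted.
DEFANGED_URLS = """
kunie .it/u654g/76j5h4g.exe
oraveo .com/u654g/76j5h4g.exe
www .t-tosen .com/u654g/76j5h4g.exe
xsnoiseccs .bigpondhosting .com/u654g/76j5h4g.exe
http ://afrodisias .com .tr/7745gd/4dgrgdg.exe
http ://biennalecasablanca .ma/7745gd/4dgrgdg.exe
46.30.45.73 /mert.exe
"""

# Generalisation (assumption): the campaign's second stage is always /<dir>/<name>.exe
# with short alphanumeric components, so flag that shape even for unknown hosts.
GENERIC_EXE = re.compile(r"^/[a-z0-9]{4,8}/[a-z0-9]{4,8}\.exe$", re.I)

# Squid native access.log: ts elapsed client code/status bytes method url user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+[^\s/]+/(?P<peer>\S+)\s+\S+$")


def refang(s):
    """Undo the defanging used in the posts: 'kunie .it', 'http ://', '1.2.3.4 /x', hxxp, [.]"""
    s = s.strip().replace("[.]", ".").replace("hxxp", "http")
    s = re.sub(r"\s+\.", ".", s)
    s = re.sub(r"\s+://", "://", s)
    s = re.sub(r"\s+/", "/", s)
    return s


def split_url(u):
    """Return (host, path) for a possibly defanged, possibly scheme-less URL."""
    u = re.sub(r"^https?://", "", refang(u), flags=re.I)
    host, _, path = u.partition("/")
    return host.lower(), "/" + path


def as_ip(s):
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def load_iocs(ips_text=DEFANGED_IPS, urls_text=DEFANGED_URLS):
    ips = {ipaddress.ip_address(l.strip()) for l in ips_text.splitlines() if l.strip()}
    hosts, paths = set(), set()
    for line in urls_text.splitlines():
        if line.strip():
            h, p = split_url(line)
            hosts.add(h)
            paths.add(p)
    return ips, hosts, paths


def scan(lines, ips, hosts, paths):
    """Return (client, url, reasons) for every log line that touches an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host, path = split_url(m["url"])
        reasons = []
        if host in hosts:
            reasons.append("ioc-host")
        if path in paths:
            reasons.append("ioc-path")
        elif GENERIC_EXE.match(path):
            reasons.append("exe-path-pattern")
        if as_ip(host) in ips or as_ip(m["peer"]) in ips:
            reasons.append("ioc-ip")
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


# Constructed log lines (not real traffic); 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
1448270398.101    512 10.1.2.3 TCP_MISS/200 143360 GET http://kunie.it/u654g/76j5h4g.exe - HIER_DIRECT/203.0.113.5 application/octet-stream
1448270411.402     88 10.1.2.3 TCP_MISS/200 318 POST http://89.108.71.148/ - HIER_DIRECT/89.108.71.148 text/html
1448270450.007     20 10.1.2.9 TCP_HIT/200 9876 GET http://www.example.com/index.html - HIER_NONE/- text/html
1448270501.900    330 10.1.2.7 TCP_MISS/200 90112 GET http://files.example.net/ab12cd/zz9yy8x.exe - HIER_DIRECT/198.51.100.7 application/x-msdownload
"""


def scan_log(log_text=SAMPLE_LOG):
    return scan(log_text.splitlines(), *load_iocs())


if __name__ == "__main__":
    for client, url, why in scan_log():
        print(client, url, ",".join(why))
```

The "exe-path-pattern" reason is the one to treat as a lead rather than a verdict: it will also catch legitimate software downloads with short path components, so review those hits before adding the host to a blocklist.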

  4. #844
    AplusWebMaster

    Fake 'Paypal', 'NatWest' PHISH, eDellRoot, 1.2B stolen Web credentials

    FYI...

    Fake Paypal PHISH
    - http://myonlinesecurity.co.uk/paypal...pped-phishing/
    25 Nov 2015 - "There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card, with a message saying some thing like:
    • Urgent: Your card has been stopped !
    • There have been unauthorised or suspicious attempts to log in to your account, please verify
    • Your account has exceeded its limit and needs to be verified
    • Your account will be suspended !
    • You have received a secure message from < your bank>
    • We are unable to verify your account information
    • Update Personal Information
    • Urgent Account Review Notification
    • We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    • Confirmation of Order
    The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever follow the links or fill in the html ( webpage) form that comes attached to the email.

    Screenshot1: http://myonlinesecurity.co.uk/wp-con...d-1024x675.png

    Screenshot2: http://myonlinesecurity.co.uk/wp-con...e-1024x531.png

    If you fill in the email address and password you get:
    Screenshot3: http://myonlinesecurity.co.uk/wp-con...2-1024x519.png
    ... Which is a typical phishing page that looks very similar to a genuine PayPal update page, if you don’t look carefully at the URL in the browser address bar. This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."
    ___

    Fake 'NatWest' phish
    - http://myonlinesecurity.co.uk/servic...west-phishing/
    25 Nov 2015 - "An email with the subject of 'Service status – NatWest' pretending to come from NatWest <natwest@ bt .net> is one of the phishing scams I have seen today... it is worth mentioning because it combines 2 different approaches. 1st it has a link in the body of the email and 2nd it attaches a html page inviting you to open it... Any Natwest customer would or should know that emails would -never- come from natwest@ bt .net but hundreds of recipients will still click-on-the-link or open the html page because it is there & they ain’t thinking right and they -always- click on every email they get...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...t-1024x631.png
    The link in this case goes to http ://www .voyageitalie .com/N/n.html which -redirects- to: http ://www .paragonpakistan .pk/site/home/
    The attached html file simply says <META HTTP-EQUIV=”Refresh” CONTENT=”0; url= http ://www .voyageitalie .com/N/n.html”> so sending you to the site which looks like:
    > http://myonlinesecurity.co.uk/wp-con...-1024x1014.png
    ... All of these emails use Social engineering tricks to persuade you to open-the-attachments that come with the email or click-the-link in the email..."
    ___

    DRIDEX SPAM ...
    - http://blog.trendmicro.com/trendlabs...st-us-targets/
    Nov 25, 2015
    Distribution of victims, October 13 to November 23
    > https://blog.trendmicro.com/trendlab...ex-chart-2.jpg
    Spam used to spread DRIDEX - 1
    > https://blog.trendmicro.com/trendlab...urrects_06.jpg
    Spam used to spread DRIDEX - 2
    > https://blog.trendmicro.com/trendlab...urrects_07.jpg
    "... DRIDEX botnets that have been around as early as August 2014... development further validates previous findings that the DRIDEX botnet was -not- totally taken down..."
    ___

    Security Bug in Dell PCs shipped since August 2015
    - http://krebsonsecurity.com/2015/11/s...ped-since-815/
    Nov 24, 2015 - "All new Dell laptops and desktops shipped since August 2015 contain a serious security vulnerability that exposes users to online eavesdropping and malware attacks. Dell says it is prepping a fix for the issue... Dell says the eDellRoot certificate was installed on all new desktop and laptops shipped from August 2015 to the present day. According to the company, the certificate was intended to make it easier for Dell customer support to assist customers in troubleshooting technical issues with their computers..."

    malware samples signed by eDellRoot
    - http://myonlinesecurity.co.uk/malwar...-by-edellroot/
    25 Nov 2015

    Dell Windows Systems Pre-Installed TLS Root CA
    - https://isc.sans.edu/diary.html?storyid=20411
    Last Updated: 2015-11-24

    Response - eDellroot Certificate / Dell Corporate blog
    - http://en.community.dell.com/dell-bl...ot-certificate
    23 Nov 2015

    Dell Computers Contain CA Root Certificate Vulnerability
    - https://www.us-cert.gov/ncas/current...-Vulnerability
    Nov 24, 2015

    >> http://arstechnica.com/security/2015...-removal-tool/
    Nov 24, 2015
    ___

    Ransomware safety tips - online retailers
    - http://net-security.org/malware_news.php?id=3162
    25.11.2015 - "Cybercriminals have developed a destructive new form of ransomware that targets online retailers. They scan websites for common vulnerabilities and use them to install malware that encrypts key files, images, pages and libraries, as well as their backups. The criminals behind these attacks then hold them hostage, and website operators must pay a ransom in anonymous cryptocurrency to unlock the files..."
    (More at the URL above.)
    ___

    FBI has lead in probe of 1.2 billion stolen Web credentials: documents
    - http://www.reuters.com/article/2015/...0TD2YN20151124
    Nov 24, 2015 - "A hacker who once advertised having access to user account information for websites like Facebook (FB.O) and Twitter (TWTR.N) has been linked through a Russian email address to the theft of a record 1.2 billion Internet credentials, the FBI said in court documents. That hacker, known as "mr.grey," was identified based on data from a cybersecurity firm that announced in August 2014 that it had determined an alleged Russian crime ring was responsible for stealing information from more than 420,000 websites, the documents said. The papers, made public last week by a federal court in Milwaukee, Wisconsin, provide a window into the Federal Bureau of Investigation's probe of what would amount to the largest collection of stolen user names and passwords. The court papers were filed in support of a search warrant the FBI sought in December 2014 and that was executed a month later related to email records. The FBI investigation was prompted by last year's announcement by Milwaukee-based cybersecurity firm Hold Security that it obtained information that a Russian hacker group it dubbed -CyberVor- had stolen the 1.2 billion credentials and more than 500 million email addresses. The FBI subsequently found lists of domain names and utilities that investigators believe were used to send spam, the documents said. The FBI also discovered an email address registered in 2010 contained in the spam utilities for a "mistergrey," documents show. A search of Russian hacking forums by the FBI found posts by a "mr.grey," who in November 2011 wrote that if anyone wanted account information for users of Facebook, Twitter and Russian-based social network VK, he could locate the records. Alex Holden, Hold Security's chief information security officer, told Reuters this message indicated mr.grey likely operated or had access to a database that amassed stolen data from computers via malware and viruses.
    Facebook and Twitter declined comment. The FBI declined to comment, and U.S. Justice Department had no immediate comment. The probe appears to be distinct from another investigation linked to Hold Security's reported discovery that 420,000 websites, including one for a JPMorgan Chase & Co (JPM.N) corporate event, were -targeted- by the Russian hackers. In a case spilling out of the discovery of the JPMorgan breach, U.S. prosecutors this month charged three men with engaging in a cyber-criminal enterprise that stole personal information from more than 100 million people. Prosecutors accused two Israelis, Gery Shalon and Ziv Orenstein, and one American, Joshua Samuel Aaron, of being involved in a variety of schemes fueled by hacking JPMorgan and 11 other companies. An indictment in Atlanta federal court against Shalon and Aaron names as a defendant an unidentified hacker believed to be in Russia."
    > http://www.nytimes.com/2014/08/06/te...edentials.html

    Last edited by AplusWebMaster; 2015-11-25 at 21:30.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #845
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Payment', 'Invoice' SPAM

    FYI...

    Fake 'Payment' SPAM - leads to Dridex
    - http://blog.dynamoo.com/2015/11/rand...to-dridex.html
    26 Nov 2015 - "I have only seen one version of this -spam- message so far:
    From: Basia Slater [provequipmex@ provequip .com .mx]
    Date: 26 November 2015 at 12:00
    Subject: GVH Payment
    I hope you had a good weekend.
    Please check the payment confirmation attached to this email. The Transaction should appear on your bank in 2 days.
    Basia Slater
    Accountant
    Comerica Incorporated


    This sample had a document name of I654WWFR3C6.doc which has a VirusTotal detection rate of 6/55*, containing this malicious macro... The Malwr report** for this version indicates a download from:
    harbourviewnl .ca/jo.jpg?6625
    According to that Malwr report, it drops a file YSpq2bkGVIi5yaPcv6667.exe (MD5 6c14578c2b77b1917b3dee9da6efcd56) which has a detection rate of 1/53***. The Hybrid Analysis report[4] and Malwr report[5] for that indicate malicious traffic to:
    94.73.155.10 (Telekomunikasyon Anonim Sirketi, Turkey)
    199.175.55.116 (VPS Cheap INC, US)
    Note that 94.73.155.12 is mentioned in this other Dridex report today[6]; both IPs form part of a small subnet of 94.73.155.8/29 suballocated to one "Geray Timur Akkurt"... an additional download location of:
    gofishretail .com/jo.jpg?[4-digit-random-number]
    with an additional C2 location of:
    113.30.152.170 (Net4india , India)
    Recommended blocklist:
    94.73.155.8/29
    199.175.55.116
    113.30.152.170
    "
    * https://www.virustotal.com/en/file/b...is/1448541871/

    ** https://malwr.com/analysis/YjQ4ZDM3O...Y2MzgyYjhhMWY/

    *** https://www.virustotal.com/en/file/d...is/1448543018/

    4] https://www.hybrid-analysis.com/samp...nvironmentId=1

    5] https://malwr.com/analysis/ZjU5NzYyY...Y0YTQwZTJhYzM/

    6] http://blog.dynamoo.com/2015/11/malw...-si528880.html
    ___

    Fake 'Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/11/malw...-si528880.html
    26 Nov 2015 - "This -fake- invoice does not come from Hider Food Imports Ltd but is instead a simple -forgery- with a malicious attachment.
    From Lucie Newlove [lucie@ hiderfoods .co.uk]
    Date Thu, 26 Nov 2015 16:03:04 +0500
    Subject Invoice Document SI528880
    Please see attached Invoice Document SI528880 from HIDER FOOD IMPORTS LTD.
    ARE YOU AWARE THAT OUR NEW WEBSITE IS NOW AVAILABLE?
    Please contact our Sales Department for details.
    Hider Food Imports Ltd
    REGISTERED HEAD OFFICE
    Wiltshire Road,
    Hull
    East Yorkshire
    HU4 6PA
    Registered in England Number : 842813 ...


    The attached file is SI528880.xls of which I have seen just one sample with a VirusTotal detection rate of 2/54*, and it contains this malicious macro... which according to this Hybrid Analysis report** downloads a malicious component from:
    naceste2.czechian .net/76t89/32898u.exe
    This executable has a detection rate of just 1/54*** and... shows network traffic to the following IPs:
    94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
    8.253.44.158 (Level 3, US)
    37.128.132.96 (Memset, UK)
    91.212.89.239 (Uzinfocom, Uzbekistan)
    185.87.51.41 (Marosnet, Russia)
    42.117.2.85 (FPT Telecom Company, Vietnam)
    192.130.75.146 (Jyvaskylan Yliopisto, Finland)
    195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
    5.63.88.100 (Centr, Kazakhstan)
    The payload is probably the Dridex banking trojan...
    Recommended blocklist:
    "
    * https://www.virustotal.com/en/file/8...is/1448535919/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    *** https://www.virustotal.com/en/file/2...is/1448537540/

    Last edited by AplusWebMaster; 2015-11-26 at 18:13.

  6. #846
    AplusWebMaster

    Fake 'Tax Invoice', 'Invoice', 'Transfer' SPAM

    FYI...

    Fake 'Tax Invoice' SPAM - doc malware
    - http://myonlinesecurity.co.uk/aline-...d-doc-malware/
    27 Nov 2015 - "An email with the subject of 'Aline: Tax Invoice #40525' pretending to come from Bruce Sharpe <bruce@ alinepumps .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:

    Good day, Please find attached Tax Invoice as requested. Many thanks for your call. Bruce Sharpe.

    27 November 2015 : Tax Invoice_40525_1354763307792.doc - Current Virus total detections 0/55*
    Malwr Analysis** shows us it downloads Dridex banking malware from
    http ://www .alpenblick-beyharting .de/76f6d5/54sdfg7h8j.exe (VirusTotal 1/55***). Other download sites so far discovered include
    hostingunlimited .co.uk/76f6d5/54sdfg7h8j.exe
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1448615839/

    ** https://malwr.com/analysis/NDhmMDBhN...M1ZDU0NjRiYTk/

    kidsmatter2us .org: 198.57.243.108: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/f1...1683/analysis/

    *** https://www.virustotal.com/en/file/7...is/1448615736/
    TCP connections
    94.73.155.12: https://www.virustotal.com/en/ip-add...2/information/
    8.254.218.126: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/11/malw...an-jarman.html
    27 Nov 2015 - "This -fake- invoice does not come from Sportsafe UK Ltd but is instead a simple -forgery- with a malicious attachment.
    From Ivan Jarman [IJarman@ sportsafeuk .com]
    Date Fri, 27 Nov 2015 17:21:27 +0530
    Subject Invoice
    Sent 27 NOV 15 09:35
    Sportsafe UK Ltd
    Unit 2 Moorside
    Eastgates
    Colchester
    Essex
    CO1 2TJ
    Telephone 01206 795265
    Fax 01206 795284


    I have received several copies of the spam with the same attachment named S-INV-BROOKSTRO1-476006.doc with a VirusTotal detection rate of 1/54* and which contains this malicious macro... This Malwr report** shows the macro downloads from:
    kidsmatter2us .org/~parentsm/76f6d5/54sdfg7h8j.exe
    The executable has a detection rate of 3/55**. The Hybrid Analysis report*** shows network traffic to:
    198.57.243.108 (Unified Layer, US)
    94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
    77.221.140.99 (ZAO National Communications / Infobox.ru, Russia)
    37.128.132.96 (Memset, UK)
    37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
    217.160.110.232 (1&1, Germany)
    202.137.31.219 (Linknet, Indonesia)
    91.212.89.239 (Uzinfocom, Uzbekistan)
    The payload is probably the Dridex banking trojan.
    Recommended blocklist:
    "

    > https://malwr.com/analysis/ZDhkOTA1Z...kwNmFkNzkxOGE/

    - http://myonlinesecurity.co.uk/invoic...d-doc-malware/
    27 Nov 2015
    "... 27 November 2015: S-INV-BROOKSTRO1-476006.doc - Current Virus total detections *
    ... Downloads the 3rd different -Dridex- version that I have seen today from
    http ://kidsmatter2us .org/~parentsm/76f6d5/54sdfg7h8j.exe (VirusTotal **)..."
    * https://www.virustotal.com/en/file/9...is/1448627008/

    ** https://www.virustotal.com/en/file/e...is/1448627380/
    ___

    Fake 'Transfer' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/11/spam...-services.html
    27 Nov 2015 - "This malicious email sample was sent in by a contact (thank you), and contains a malicious attachment:
    From: Integrated Petroleum Services
    Sent: Friday, November 27, 2015 10:24 AM
    Subject: Transfer
    Hello,
    Please find attached the transfer order sent on Friday 27.
    Best Regards
    Hugo


    Attached is a file 20151126-291-transfer.xls (VT 1/53*) containing this malicious macro... which (according to this Malwr report**) downloads from:
    pathenryiluminacion.i8 .com/76f6d5/54sdfg7h8j.exe
    This binary has a VirusTotal detection rate of 3/55***. The payload is the same as found in this spam run[4]."
    * https://www.virustotal.com/en/file/2...is/1448630394/

    ** https://malwr.com/analysis/ZDhkOTA1Z...kwNmFkNzkxOGE/

    *** https://www.virustotal.com/en/file/e...is/1448630483/

    4] http://blog.dynamoo.com/2015/11/malw...an-jarman.html

    64.136.20.56: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/c5...47cc/analysis/
    ___

    Older Dell devices affected by eDellRoot ...
    - http://www.computerworld.com/article...rtificate.html
    Nov 26, 2015 - "... Tests performed inside a Windows 10 virtual machine revealed that the DSDTestProvider certificate gets left behind on the system when the Dell System Detect tool is uninstalled... users who want to remove it from their system must do so -manually- after they uninstall DSD. This can be done by pressing the Windows key + r, typing certlm.msc and hitting Run. After allowing the Microsoft Management Console to execute, users can browse to Trusted Root Certification Authorities > Certificates, locate the DSDTestProvider certificate in the list, right click on it and delete it..."

    > http://www.dell.com/support/article/us/en/19/SLN300321

    >> https://dellupdater.dell.com/Downloa...ellCertFix.exe
    ___

    Holiday Phishing Scams and Malware Campaigns
    - https://www.us-cert.gov/ncas/current...ware-Campaigns
    Nov 26, 2015 - "... Ecards from unknown senders may contain -malicious- links. Fake advertisements or shipping notifications may deliver -infected- attachments. Spoofed email messages and fraudulent posts on social networking sites may request support for phony causes..."
    (More at the us-cert URL above.)

    - http://research.zscaler.com/2015/11/...are-scams.html
    Nov 27, 2015 - "... the trend in phishing activity tends to rise with the amount of online shopping traffic, which comes with the added risk of -scammers- taking advantage of a consumer's better judgement..."

    Beware the holiday scams coming to your email inbox
    - http://www.infoworld.com/article/300...ail-inbox.html
    Nov 28, 2015

    Last edited by AplusWebMaster; 2015-11-29 at 15:42.

  7. #847
    AplusWebMaster

    Fake 'Order Accepted', 'Message', 'QUICKBOOKS', 'Message' SPAM, 'Paypal' phish

    FYI...

    Fake 'Order Accepted' SPAM - doc malware
    - http://myonlinesecurity.co.uk/order-...d-doc-malware/
    30 Nov 2015 - "An email with the subject of 'Order PC299139PPS Accepted' pretending to come from CVLink <noreply@ contractvehicles .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...d-1024x561.png

    30 November 2015: PC299139PPS.doc - Current Virus total detections 1/55*
    MALWR analysis** shows us it downloads what looks like a Dridex banking malware from
    http ://members.chello .at/~antitrack_legend/89u87/454sd.exe (VirusTotal 3/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1448873990/

    ** https://malwr.com/analysis/NWE5YWEzN...QzMTc2ODExZmI/

    *** https://www.virustotal.com/en/file/b...is/1448873756/
    ___

    Fake 'Message' SPAM - malware attachment
    - http://blog.dynamoo.com/2015/11/malw...sage-from.html
    30 Nov 2015 - "I have only one sample of this rather terse email with -no- body text:
    From: scan@ victimdomain
    Reply-To: scan@ victimdomain
    To: hiett@ victimdomain
    Date: 30 November 2015 at 09:22
    Subject: Message from mibser_00919013013


    The spam appears to originate from within the victim's own domain, but it does not. In the sample I saw, the attachment was named Smibser_00915110211090.xls, had a VirusTotal detection rate of 3/54* and contained this malicious macro... According to this Hybrid Analysis report** and this Malwr report*** the macro downloads a malicious executable from:
    velitolu .com/89u87/454sd.exe
    This binary has a detection rate of 3/55****. Automated report tools [1] [2] show network traffic to:
    94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
    42.117.2.85 (FPT Telecom Company, Russia)
    89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
    5.63.88.100 (Centr, Kazakhstan)
    The payload is likely to be the Dridex banking trojan...
    Recommended blocklist:
    94.73.155.12
    42.117.2.85
    89.189.174.19
    5.63.88.100
    "
    * https://www.virustotal.com/en/file/a...is/1448880036/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=2

    *** https://malwr.com/analysis/YjgwNGJkY...UzODBiODNhNTk/

    **** https://www.virustotal.com/en/file/2...is/1448880465/

    1] https://malwr.com/analysis/ZTk4OWY0O...Y4ZDU5MDIzOTk/

    2] https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    Fake 'QUICKBOOKS' SPAM - leads to malware
    - http://blog.dynamoo.com/2015/11/malw...uickbooks.html
    Nov 30, 2015 - "This -fake- Intuit QuickBooks spam leads to malware:
    From: QUICKBOOKS ONLINE [qbservices@ customersupport .intuit .com]
    Date: 30 November 2015 at 10:42
    Subject: INTUIT QB
    As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!
    InTuIT. | simplify the business of life
    © 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice.


    Screenshot: https://3.bp.blogspot.com/-jqzrc2_aW...400/intuit.png

    The spam is almost identical to this one[1] which led to Nymaim ransomware:
    > http://www.welivesecurity.com/2013/0...g-its-welcome/
    In this particular spam, the email went to a landing page at updates .intuitdataserver-1 .com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a -fake- Firefox update*. This executable has a VirusTotal detection rate of 3/55**... The Hybrid Analysis report*** shows the malware attempting to POST to mlewipzrm .in which is multihomed on:
    89.163.249.75 (myLoc managed IT AG, Germany)
    188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
    95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)
    The nameservers for mlewipzrm .in are NS1 .REBELLECLUB .NET and NS2 .REBELLECLUB .NET which are hosted on the following IPs:
    210.110.198.10 (KISTI, Korea)
    52.61.88.21 (Amazon AWS, US) ...
    As far as I can tell, these domains are hosted on the following IPs:
    52.91.28.199 (Amazon AWS, US)
    213.238.170.217 (Eksen Bilisim, Turkey)
    75.127.2.116 (Foroquimica SL / ColoCrossing, US)
    I recommend that you -block- the following IPs and/or domains:
    ..."
    (More listed at the dynamoo URL above.)
    * https://urlquery.net/report.php?id=1448887234353

    ** https://www.virustotal.com/en/file/d...is/1448887362/
    flashplayer19_ga_update.exe - 3/55

    *** https://www.hybrid-analysis.com/samp...nvironmentId=1

    1] http://blog.dynamoo.com/2015/11/myst...-leads-to.html
    ___

    Fake 'Message' SPAM - xls malware
    - http://myonlinesecurity.co.uk/messag...sheet-malware/
    30 Nov 2015 - "An email with the subject of 'Message from mibser_00919013013' pretending to come from scan@ your own email domain with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a totally -blank- body and just an XLS (Excel spreadsheet) attachment...

    30 November 2015: Smibser_00915110211090.xls - Current Virus total detections 4/55*
    ... Downloads Dridex banking malware from
    dalamantransferservicesrentacar .com/89u87/454sd.exe (VirusTotal 1/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1448888284/

    ** https://www.virustotal.com/en/file/3...is/1448889035/
    TCP connections
    94.73.155.12: https://www.virustotal.com/en/ip-add...2/information/
    191.234.4.50: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Invoice Attached' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    30 Nov 2015 - "An email with the subject of 'Invoice Attached' pretending to come from random names, companies and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Good morning,
    Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.
    Thank you!
    Mr. Susie Weber
    Accounting Specialist| USBank, GH Industrial Co., Ltd


    30 November 2015: invoice_details_68171045.xls - Current Virus total detections 1/55*
    MALWR analysis** shows us that it downloads http ://gallinda28trudi .com/v12/free17ld.exe (VirusTotal 3/55***) which is a Nymain Ransomware as described by Dynamoo****... The XLS macro drops/creates a UpdateWinrar.js that instructs the victim’s computer to download the file & rename it as %temp%\UpdOffice.exe then automatically run it, so making you think that it is an Office update if you see any alerts about the file running... DO NOT enable macros or editing, no matter how plausible the instructions appear to be:
    > http://myonlinesecurity.co.uk/wp-con...s-1024x602.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1448892567/

    ** https://malwr.com/analysis/YTkzYjYxZ...hiOGIxZjAyZjI/
    Hosts: 31.184.234.5: https://www.virustotal.com/en/ip-add...5/information/

    *** https://www.virustotal.com/en/file/d...is/1448887816/
    FlashPlayerUpdate.exe

    **** http://blog.dynamoo.com/2015/11/malw...uickbooks.html
    ___

    Fake 'Sales Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/11/malw...opi599241.html
    30 Nov 2015 - "This -fake- financial spam is not from James F Kidd, but is instead a simple -forgery- with a malicious attachment:
    From: orders@ kidd-uk .com
    Date: 30 November 2015 at 13:42
    Subject: Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD
    Please see enclosed Sales Invoice for your attention.
    Regards from Accounts at James F Kidd
    ( email: accounts@ kidd-uk .com )


    I have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55*. This Malwr report** indicates that in this case there may be an error in the malicious macro. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan...
    UPDATE: I have received two more samples, one named invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54[3] and 4/55[4]. One of these two also produces an error when run. The working attachment (according to this Malwr report[5] and Hybrid Analysis report[6]) downloads a malicious binary from:
    bjdennehy .ie/~upload/89u87/454sd.exe
    This has a VirusTotal detection rate of 3/54[6]... Automated analysis tools... show malicious traffic to:
    94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
    103.252.100.44 (PT. Drupadi Prima, Indonesia)
    89.108.71.148 (Agava Ltd, Russia)
    91.223.9.70 (Elive Ltd, Ireland)
    41.136.36.148 (Mauritius Telecom, Mauritius)
    185.92.222.13 (Choopa LLC, Netherlands)
    42.117.2.85 (FPT Telecom Company, Vietnam)
    195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
    37.128.132.96 (Memset Ltd, UK)
    37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
    41.38.18.230 (TE Data, Egypt)
    89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
    122.151.73.216 (M2 Telecommunications Group Ltd, Australia)
    185.87.51.41 (Marosnet Telecommunication Company LLC, Russia)
    217.197.159.37 (NWT a.s., Czech Republic)
    41.56.123.235 (Wireless Business Solutions, South Africa)
    91.212.89.239 (Uzinfocom, Uzbekistan)...
    Recommended blocklist:
    "
    (More detail at the dynamoo URL above.)
    * https://www.virustotal.com/en/file/c...is/1448893229/

    ** https://malwr.com/analysis/N2YwM2Q0Y...UzNjQzYzc5ZTQ/

    3] https://www.virustotal.com/en/file/4...is/1448894274/

    4] https://www.virustotal.com/en/file/5...is/1448894280/

    5] https://malwr.com/analysis/ZjMwYTdmM...RlMDg5NWUyMzE/

    6] https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    Fake 'Paypal' phish...
    - http://myonlinesecurity.co.uk/your-a...ypal-phishing/
    30 Nov 2015 - "An email saying 'Your Access Is Limited' coming from PayPal Team <scanner@ modainpelle .com>
    While at first glance this appears to be a typical PayPal phish, there are a few differences... There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card, with a message saying something like:
    • Your Access Is Limited
    • Urgent: Your card has been stopped !
    • There have been unauthorised or suspicious attempts to log in to your account, please verify
    • Your account has exceeded its limit and needs to be verified
    • Your account will be suspended !
    • You have received a secure message from < your bank>
    • We are unable to verify your account information
    • Update Personal Information
    • Urgent Account Review Notification
    • We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    • Confirmation of Order
    The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever follow the links or fill in the html (webpage) form that comes attached to the email.
    The link in this case goes to http ://www .hocine1990.ehost-services239 .com/index/ ... This particular phishing campaign starts with an email with a link...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...h-1024x740.png
    The website looks similar to this typical example of a PayPal phishing site:
    > http://myonlinesecurity.co.uk/wp-con...e-1024x531.png
    If you fill in the email address and password you get an intermediate page apologising for any inconvenience looking like:
    > http://myonlinesecurity.co.uk/wp-con...h-1024x524.png
    Then get sent on to a page looking like this one from an earlier PayPal Phish:
    > http://myonlinesecurity.co.uk/wp-con...2-1024x519.png
    Which is a typical phishing page that looks very similar to a genuine PayPal update page, if you don’t look carefully at the URL in the browser address bar. This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."

    Last edited by AplusWebMaster; 2015-11-30 at 18:13.

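    Added example, not from any of the posts or reports quoted in this thread: a small Python proxy-log checker built from the indicators above. The reports show the same download path (/76f6d5/54sdfg7h8j.exe, /89u87/454sd.exe, /6543f/9o8jhdw.exe) reused across many different compromised hosts, and several C2 addresses inside 94.73.155.8/29, so the checker matches URL paths independently of host and query string and matches destination IPs against CIDR entries. The log format and the sample log lines are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators taken from the Dridex reports quoted in this thread. The download
# hosts changed from sample to sample, but the same URL path was reused across
# many of them, so the path is matched independently of host and query string.
CAMPAIGN_PATHS = (
    "/jo.jpg",                 # 26 Nov 2015 (query string is a random number)
    "/76f6d5/54sdfg7h8j.exe",  # 27 Nov 2015 runs
    "/89u87/454sd.exe",        # 30 Nov 2015 runs
    "/6543f/9o8jhdw.exe",      # 1 Dec 2015 runs
)

# Recommended blocklist entries from the same reports; the whole 94.73.155.8/29
# is listed because several C2 addresses (.10, .12) sit inside that subnet.
BLOCKLIST = (
    "94.73.155.8/29",
    "199.175.55.116",
    "113.30.152.170",
    "42.117.2.85",
    "89.189.174.19",
    "5.63.88.100",
)
BLOCKED_NETS = [ipaddress.ip_network(e, strict=False) for e in BLOCKLIST]

# Assumed (constructed) proxy log format: "<timestamp> <client> <dst_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def dst_blocked(ip_str):
    """True if a destination address falls inside any blocklist entry (host or CIDR)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # hostnames or garbage never match the IP blocklist
    return any(ip in net for net in BLOCKED_NETS)


def campaign_path(url):
    """Return the matched campaign path if the URL's path ends with one, else None."""
    path = urlparse(url).path  # the query string ("?6625") is dropped here
    for known in CAMPAIGN_PATHS:
        if path.endswith(known):
            return known
    return None


def scan_log(lines):
    """Return (line_number, reason) pairs for entries matching any indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, _client, dst_ip, _method, url = m.groups()
        known = campaign_path(url)
        if known:
            hits.append((n, "campaign-path " + known))
        if dst_blocked(dst_ip):
            hits.append((n, "blocklisted-ip " + dst_ip))
    return hits


# Constructed sample log lines (hosts use the reserved .invalid TLD and
# documentation address ranges); only the paths and blocklisted IPs are real.
SAMPLE_LOG = [
    "2015-11-30T09:31:02 10.0.0.21 203.0.113.7 GET http://host-a.invalid/~upload/89u87/454sd.exe",
    "2015-11-30T09:31:09 10.0.0.21 94.73.155.12 POST http://94.73.155.12/",
    "2015-11-30T09:32:44 10.0.0.35 198.51.100.9 GET http://host-b.invalid/news/index.html",
    "2015-12-01T11:05:17 10.0.0.21 94.73.155.10 GET http://host-c.invalid/6543f/9o8jhdw.exe?4417",
    "2015-12-01T11:06:40 10.0.0.35 94.73.155.16 GET http://host-d.invalid/update.exe",
]

if __name__ == "__main__":
    for lineno, reason in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

Note that 94.73.155.16 on the last sample line is not flagged: the /29 covers .8 through .15 only, which is why the reports list the range explicitly rather than individual hosts.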
  8. #848
    AplusWebMaster

    Fake 'Card Receipt', 'Request for payment', 'Invoice' SPAM

    FYI...

    Fake 'Card Receipt' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/12/malw...cey-smith.html
    1 Dec 2015 - "This -fake- financial spam does not come from AquAid, but is instead a simple -forgery- with a malicious attachment. Poor AquAid were hit by the same thing several times earlier this year.
    From "Tracey Smith" [tracey.smith@ aquaid .co.uk]
    Date Tue, 01 Dec 2015 10:54:15 +0200
    Subject Card Receipt
    Hi
    Please find attached receipt of payment made to us today
    Regards
    Tracey
    Tracey Smith| Branch Administrator
    AquAid | Birmingham & Midlands Central
    Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
    Telephone: 0121 525 4533
    Fax: 0121 525 3502
    Mobile: 07795328895
    Email: tracey.smith@ aquaid .co.uk ...


    Attached is a file CAR014 151238.doc which comes in at least two different versions with a VirusTotal detection rate of 3/55 for both [1] [2]. According to these Malwr reports [3] [4] the macro in the document downloads a file from one of the following locations:
    rotulosvillarreal .com/~clientes/6543f/9o8jhdw.exe
    data.axima .cz/~krejcir/6543f/9o8jhdw.exe
    This binary has a detection rate of 3/54*. The Malwr report** for that file shows that it phones home to:
    94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
    There are other bad IPs in the 94.73.155.8 - 94.73.155.15 range, so I strongly recommend that you -block- all traffic to 94.73.155.8/29. These two Hybrid Analysis reports [5] [6] also show malicious traffic to the following IPs:
    89.248.99.231 (Interdominios S.A., Spain)
    103.252.100.44 (PT. Drupadi Prima, Indonesia)
    89.108.71.148 (Agava Ltd, Russia)
    221.132.35.56 (Post and Telecom Company, Vietnam)
    78.24.14.20 (VSHosting s.r.o., Czech Republic)
    The payload here is probably the Dridex banking trojan...
    Recommended blocklist:
    "
    1] https://www.virustotal.com/en/file/2...is/1448964063/

    2] https://www.virustotal.com/en/file/d...is/1448964077/

    3] https://malwr.com/analysis/YTY5ZmVkY...UyOGQ0MWQ0ZWE/

    4] https://malwr.com/analysis/MWRhNzE0N...E5NzMxMWUxY2Y/

    * https://www.virustotal.com/en/file/6...is/1448964517/

    ** https://malwr.com/analysis/ZWNkZTQ4N...FiMDU3MDE3Zjk/

    5] https://www.hybrid-analysis.com/samp...nvironmentId=1

    6] https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    Fake 'Request for payment' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/reques...sheet-malware/
    1 Dec 2015 - "An email with the subject of 'Request for payment (PGS/73329)' pretending to come from PGS Services Limited <rebecca@ pgs-services .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...9-1024x541.png

    1 December 2015: 3-6555-73329-1435806061-3.doc - Current Virus total detections 4/55*
    MALWR** shows me that it downloads http ://cru3lblow.xf .cz/6543f/9o8jhdw.exe (VirusTotal 1/52***) which looks like a revised/updated Dridex binary... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1448972343/

    ** https://malwr.com/analysis/YjRiNGYwO...Q1MjgxOGYyODk/
    88.86.117.154: https://www.virustotal.com/en/ip-add...4/information/

    *** https://www.virustotal.com/en/file/b...is/1448972854/
    TCP connections
    157.252.245.29: https://www.virustotal.com/en/ip-add...9/information/
    23.14.92.19: https://www.virustotal.com/en/ip-add...9/information/
    94.73.155.12: https://www.virustotal.com/en/ip-add...2/information/
    > https://www.virustotal.com/en/url/16...d2fd/analysis/

    - http://blog.dynamoo.com/2015/12/malw...r-payment.html
    1 Dec 2015 - "This spam email is confused. It's either about a watch repair or property maintenance. In any case, it has a malicious attachment...
    From: PGS Services Limited [rebecca@ pgs-services .co.uk]
    Date: 1 December 2015 at 12:06
    Subject: Request for payment (PGS/73329)...
    RST Support Services Limited
    Rotary Watches Ltd...
    Full details are attached to this email in DOC format...


    Attached is a file 3-6555-73329-1435806061-3.doc which comes in at least three different versions... The payload is probably the Dridex banking trojan...
    Recommended blocklist:
    94.73.155.8/29
    89.32.145.12
    221.132.35.56
    157.252.245.29
    "
    ___

    Fake 'Invoice' SPAM - doc malware
    - http://myonlinesecurity.co.uk/invoic...d-doc-malware/
    1 Dec 2015 - "An email with the subject of 'Invoice #96914158 – Fastco' coming from Antoine Lambert <LambertAntoine85@ tellas .gr> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    Here is the Fastco Corp. Invoice we talked about earlier today. Please cost code and get it back to me.
    Thanks, Antoine Lambert


    ... coming from random compromised email accounts and have random invoice numbers...
    1 December 2015: INVOICE_96914158.doc - Current Virus total detections 2/56*
    This word doc contains a base64 encoded ole object which MALWR** shows us contacts
    http ://31.210.119.169 /superman/kryptonite.php and downloads clarkent.exe (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1448981594/

    ** https://malwr.com/analysis/YTRjMzMyZ...A3MjQ4ODU0ZmI/

    *** https://www.virustotal.com/en/file/6...is/1448982333/
    TCP connections
    157.252.245.27: https://www.virustotal.com/en/ip-add...7/information/
    191.234.4.50: https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2015-12-01 at 17:55.
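The blocklists and download URLs quoted in these posts are published defanged (a space before the dot, "[DOT]", "http ://") and mix single IPs, CIDR ranges such as 94.73.155.8/29, bare domains and full download paths. The following Python is an added example, not code from the forum post or from the dynamoo/myonlinesecurity blogs, showing one way to refang those indicators into a matcher and run it over proxy logs. The indicator list is copied from the posts; the log lines are constructed for the example and the log format (epoch, client, method, target) is an assumption.

```python
"""Refang the defanged indicators used in the posts above and match them against proxy log lines."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as they appear in the posts (defanged). Constructed list for this example.
RAW_INDICATORS = [
    "94.73.155.8/29",
    "193.238.97.98",
    "http ://sebel .fr/4367yt/p0o6543f.exe",
    "vanoha.webzdarma .cz/4367yt/p0o6543f.exe",
    "facebookstls[DOT]com",
    "alcov44uvcwkrend .onion .to",
]

# Constructed proxy log lines (epoch, client, method, target); not from the original post.
SAMPLE_LOG = """\
1449050819.123 10.0.0.21 GET http://vanoha.webzdarma.cz/4367yt/p0o6543f.exe
1449050820.456 10.0.0.21 CONNECT 193.238.97.98:443
1449050821.789 10.0.0.22 GET http://www.example.com/index.html
1449050822.001 10.0.0.23 CONNECT 94.73.155.12:443
1449050823.002 10.0.0.24 GET http://facebookstls.com/login.php
1449050824.003 10.0.0.25 GET http://sebel.fr/
"""


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the value can be parsed."""
    s = ioc.strip()
    s = s.replace("[DOT]", ".").replace("[.]", ".").replace("(dot)", ".")
    s = re.sub(r"\s*\.\s*", ".", s)                                   # "sebel .fr" -> "sebel.fr"
    s = re.sub(r"h(xx|tt)p(s?)\s*://", r"http\2://", s, flags=re.I)  # "http ://", "hxxp://"
    return s


class Blocklist:
    """IP/CIDR entries, domain entries (matched with their subdomains) and exact host+path URLs."""

    def __init__(self, raw_indicators):
        self.nets, self.domains, self.urls = [], set(), set()
        for raw in raw_indicators:
            s = refang(raw)
            try:
                self.nets.append(ipaddress.ip_network(s, strict=False))
                continue
            except ValueError:
                pass
            if "/" in s:
                # A download URL: keep host and path. The host is often a compromised
                # legitimate site, so blocking the whole host is a separate policy decision.
                u = urlsplit(s if "://" in s else "http://" + s)
                self.urls.add((u.hostname.lower(), u.path))
            else:
                self.domains.add(s.lower())

    def host_blocked(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        try:
            ip = ipaddress.ip_address(host)
            return any(ip in net for net in self.nets)
        except ValueError:
            pass
        labels = host.split(".")
        # Match the host itself or any parent domain, but never the bare TLD.
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels) - 1))

    def url_blocked(self, url: str) -> bool:
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        return self.host_blocked(host) or (host, u.path) in self.urls


def scan_log(text: str, bl: Blocklist):
    """Return (client, target) for every log line that touches a blocklisted host or URL."""
    hits = []
    for line in text.splitlines():
        _ts, client, method, target = line.split(maxsplit=3)
        if method == "CONNECT":
            blocked = bl.host_blocked(target.rsplit(":", 1)[0])
        else:
            blocked = bl.url_blocked(target)
        if blocked:
            hits.append((client, target))
    return hits
```

Running `scan_log(SAMPLE_LOG, Blocklist(RAW_INDICATORS))` flags the Dridex download, the two C2 connections (94.73.155.12 falls inside the /29) and the Facebook phishing host, but not the plain visit to sebel.fr, because only the exact download path was listed for that compromised site.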

  9. #849

    Thumbs down Fake 'Purchase Order', 'Payment Request', 'November Invoice' SPAM, 'Paypal' phish

    FYI...

    Fake 'Purchase Order' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/12/malw...4658-gina.html
    2 Dec 2015 - "This -fake- financial spam is not from CliniMed Limited but is instead a simple -forgery- with a malicious attachment:
    From Gina Harrowell [gina.harrowell@ clinimed .co.uk]
    Date Wed, 02 Dec 2015 01:53:41 -0700
    Subject Purchase Order 124658
    Sent 2 DEC 15 09:18
    CliniMed Ltd
    Cavell House
    Knaves Beech Way
    Loudwater
    High Wycombe
    Bucks
    HP10 9QY ...


    Attached is a file P-ORD-C-10156-124658.xls which I have seen two versions of (VirusTotal results [1] [2]) which contain a malicious macro... which according to these automated analysis reports [3] [4] [5] [6] pulls down an evil binary from:
    det-sad-89 .ru/4367yt/p0o6543f.exe
    vanoha.webzdarma .cz/4367yt/p0o6543f.exe
    There may be other versions of the Excel document with different download locations, but the payload will be the same. This has a VirusTotal detection rate of 1/55* and those previous reports plus this Malwr report** indicate malicious network traffic to the following IPs:
    193.238.97.98 (PJSC Datagroup, Ukraine)
    94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
    89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
    The payload is probably the Dridex banking trojan...
    Recommended blocklist:
    193.238.97.98
    94.73.155.8/29
    89.32.145.12
    "
    1] https://www.virustotal.com/en/file/9...is/1449050700/

    2] https://www.virustotal.com/en/file/e...is/1449050710/

    3] https://malwr.com/analysis/OGRiYjI0M...MzNTFmNThjMDk/

    4] https://malwr.com/analysis/ZWYyZjQ5M...RlODVmNTcxNjg/

    5] https://www.hybrid-analysis.com/samp...nvironmentId=1

    6] https://www.hybrid-analysis.com/samp...nvironmentId=1

    * https://www.virustotal.com/en/file/d...is/1449050819/
    TCP connections
    193.238.97.98: https://www.virustotal.com/en/ip-add...8/information/
    90.84.59.27: https://www.virustotal.com/en/ip-add...7/information/

    ** https://malwr.com/analysis/OTBlMTJjZ...Q0OTBkMDhlZjA/

    - http://myonlinesecurity.co.uk/purcha...sheet-malware/
    2 Dec 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...8-1024x686.png

    25 February 2015: P-ORD-C-10156-124658.xls - Current Virus total detections 5/55*
    MALWR analysis** shows us that it downloads what looks like Dridex Banking malware from
    http ://vanoha.webzdarma .cz/4367yt/p0o6543f.exe (VirusTotal 1/55***)...
    * https://www.virustotal.com/en/file/e...is/1449050502/

    ** https://malwr.com/analysis/OGRiYjI0M...MzNTFmNThjMDk/

    *** https://www.virustotal.com/en/file/d...is/1449051414/
    TCP connections
    193.238.97.98: https://www.virustotal.com/en/ip-add...8/information/
    90.84.59.27: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Fake 'Payment Request' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/12/malw...t-request.html
    2 Dec 2015 - "This -fake- financial spam is not from Aline Pumps but is instead a simple -forgery- with a malicious attachment. In any case, Aline are an Australian company; they would -not- be sending out invoices in UK pounds.
    From: Bruce Sharpe [bruce@ alinepumps .com]
    Date: 2 December 2015 at 09:44
    Subject: Aline Payment Request
    ATTENTION: ACCOUNTS PAYABLE
    Dear Sir/Madam,
    Overdue Alert
    Our records show that your current balance with us is £2795.50 of which £2795.50 is still overdue.
    Your urgent attention and earliest remittance of this amount would be appreciated.
    We value your business and we would like to resolves any issues as quickly as possible. I am personally available on (02) 8508 4900 or bruce@ alinepumps .com
    Sincerely,
    Bruce Sharpe - Accounts Receivable ...


    Attached is a file Statement_1973_1357257122414.doc which comes in at least three versions (although I have only seen two), with VirusTotal results of 4/55 [1] [2] and automated analysis [3] [4] shows download locations of:
    pivarimb .wz.cz/4367yt/p0o6543f.exe
    allfirdawhippet .com/4367yt/p0o6543f.exe
    apparently there is another download location of
    sebel .fr/4367yt/p0o6543f.exe
    In any case, the downloaded binary is the same and has a detection rate of 3/55*. The Malwr analysis** and this Hybrid Analysis*** shows it phoning home to:
    193.238.97.98 (PJSC DATAGROUP, Ukraine)
    I strongly recommend that you -block- traffic to that IP."
    1] https://www.virustotal.com/en/file/d...is/1449054590/

    2] https://www.virustotal.com/en/file/e...is/1449054600/

    3] https://malwr.com/analysis/MDkzNDFlZ...M4YWNmNDA1OWU/

    4] https://malwr.com/analysis/Mjc5MjdkZ...FkMjI0NjViNjY/

    * https://www.virustotal.com/en/file/4...is/1449054750/

    ** https://malwr.com/analysis/NTE3Nzg2N...ZjYmViMGQwMjc/

    *** https://www.hybrid-analysis.com/samp...nvironmentId=1

    - http://myonlinesecurity.co.uk/aline-...sheet-malware/
    2 Dec 2015 - "Following on from last week’s Malspam run* pretending to come from Aline pumps, today’s email with the subject of 'Aline Payment Request' pretending to come from Bruce Sharpe <bruce@ alinepumps .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
    * http://myonlinesecurity.co.uk/aline-...d-doc-malware/

    Screenshot: http://myonlinesecurity.co.uk/wp-con...t-1024x575.png

    2 December 2015: Statement_1973_1357257122414.doc - Current Virus total detections 4/56*
    MALWR analysis** shows us that it downloads Dridex Banking malware from
    http ://pivarimb.wz .cz/4367yt/p0o6543f.exe (VirusTotal ***). This is an updated version from today’s earlier malspam run[1] of malicious office docs with macros..."
    * https://www.virustotal.com/en/file/e...is/1449053035/

    ** https://malwr.com/analysis/Mjc5MjdkZ...FkMjI0NjViNjY/
    88.86.117.153
    193.238.97.98
    191.234.4.50


    *** https://www.virustotal.com/en/file/4...is/1449053672/
    TCP connections
    193.238.97.98
    8.254.218.62


    1] http://myonlinesecurity.co.uk/purcha...sheet-malware/
    ___

    Fake 'November Invoice' SPAM - JS malware
    - http://myonlinesecurity.co.uk/novemb...re-teslacrypt/
    2 Dec 2015 - "An email with the subject of 'November Invoice' #37330118 [random numbered] pretending to come from random names and senders with a zip attachment is another one from the current bot runs... The content of the email says:
    Hello ,
    Please review the attached copy of your Electronic document.
    A paper copy of this document is being mailed, but this email is being sent in addition for your convenience.
    Thank you for your business.


    2 December 2015: invoice_37330118.zip: Extracts to: INVOICE_main_BD3847636213.js
    Current Virus total detections 2/54* which downloads a Teslacrypt ransomware from
    http ://74.117.183.84 /76 .exe (VirusTotal 3/55**) and tries to contact a combination of these sites
    ccfinance .it | ecaequeeessa .com | schonemaas .nl | cic-la-banque .org and either download additional malware or upload stolen data from your computer (MALWR***). Our friends over at Techhelplist[1] have posted a fuller breakdown of this one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1449062157/

    ** https://www.virustotal.com/en/file/f...is/1449062699/

    *** https://malwr.com/analysis/ZmYzOTUzM...UwNmMxZmFhZTg/

    74.117.183.84: https://www.virustotal.com/en/ip-add...4/information/
    > https://www.virustotal.com/en/url/f5...6395/analysis/

    1] https://techhelplist.com/spam-list/9...nvoice-malware

    - http://blog.dynamoo.com/2015/12/malw...-60132748.html
    2 Dec 2015 - "... Attached is a file invoice_60132748.zip which contains a malicious obfuscated script INVOICE_main_BD3847636213.js... and this downloads a malicious file from:
    74.117.183.84 /76.exe?1
    ... The Malwr report* and Hybrid Analysis** indicates that this communicates with the following compromised domains:
    ccfinance .it
    ecaequeeessa .com
    schonemaas .nl
    cic-la-banque .org
    Both those reports indicate that this is the Teslacrypt ransomware:
    > http://1.bp.blogspot.com/-b_75tajtmR...teslacrypt.png
    Furthermore, the Hybrid Analysis report** also shows other traffic to:
    tsbfdsv.extr6mchf .com
    alcov44uvcwkrend .onion .to
    rbtc23drs.7hdg13udd .com ...
    Recommended blocklist:
    74.117.183.84
    5.39.222.193
    ccfinance .it
    ecaequeeessa .com
    schonemaas .nl
    cic-la-banque .org
    extr6mchf .com
    alcov44uvcwkrend .onion .to
    7hdg13udd .com
    "
    * https://malwr.com/analysis/OWM5NWIxY...Q2MTYxOWQ5ZjI/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    Fake 'Adler Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/12/malw...ice-no-uk.html
    2 Dec 2015 - "This -fake- financial spam does not come from Adler Manufacturing Limited but is instead a simple forgery. It is meant to have a malicious attachment, but all of the samples I have seen are malformed.
    From: service@ adlerglobal .com
    Date: 2 December 2015 at 11:36
    Subject: Your Adler Invoice No. UK 314433178 IN
    Dear Customer,
    Thank you very much for having placed your order with Adler.
    Your goods have been shipped. Please see attached invoice for payment of
    your order.
    For your convenience, you will find several payment methods described on the
    attached invoice (please be sure to include your Adler Order #).
    If you have any questions, feel free to contact us.
    Best Regards,
    Your Adler Customer Service Team...


    Supposedly attached is a document MD220EML.XLS but instead all the samples I see just have a Base64-encoded section. Shame. If you go to the effort of decoding them, they are two moderately detected malicious documents (VirusTotal results [1] [2]) which according to these Malwr reports [3] [4] download a binary from:
    vanoha.webzdarma .cz/4367yt/p0o6543f.exe
    det-sad-89 .ru/4367yt/p0o6543f.exe
    These download locations were seen earlier, but the payload has -changed- to one with a detection rate of 4/55*. Those earlier Malwr reports indicate malicious traffic to:
    193.238.97.98 (PJSC DATAGROUP, Ukraine)
    I strongly recommend that you -block- traffic to that IP. The payload is likely to be the Dridex banking trojan."
    1] https://www.virustotal.com/en/file/6...is/1449064630/

    2] https://www.virustotal.com/en/file/e...is/1449064641/

    3] https://malwr.com/analysis/NzRmOGExN...NiYWVkYTZkNDY/

    4] https://malwr.com/analysis/MTk0YWQ0O...NlYTgwOTBjZWQ/

    * https://www.virustotal.com/en/file/d...is/1449064895/
    ___

    Fake 'Shell E-bill' SPAM - doc malware
    - http://myonlinesecurity.co.uk/shell-...d-doc-malware/
    2 Dec 2015 - "The bad actors are either getting lazy or concentrating their efforts on old email templates that have attracted good returns previously. There seems to be a theme of reusing old email templates this week but this one from last year without even bothering to change the date is sheer idleness by the bad actor sending them. An email with the subject of 'Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014' pretending to come from Fuel Card Services <adminbur@ fuelcardgroup .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    Please note that this message was sent from an unmonitored mailbox which is unable to accept replies. If you reply to this e-mail your request will not be actioned. If you require copy invoices, copy statements, card ordering or card stopping please e-mail support@ fuelcardservices .com quoting your account number which can be found in the e-mail below...
    E-billing
    From: adminbur@ fuelcardservices .com
    Sent: Wed, 02 Dec 2015 19:25:57 +0530
    To: [REDACTED]
    Subject: Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014
    Account: B500101
    Please find your e-bill 0765017 for 30/10/2015 attached.
    To manage you account online please click xxxxx
    If you would like to order more fuel cards please click xxxxx
    If you have any queries, please do not hesitate to contact us.
    Regards
    Cards Admin.
    Fuel Card Services Ltd
    T 01282 410704
    F 0844 870 9837 ...


    2 December 2015: ebill0765017.doc - Current Virus total detections 6/55*
    MALWR** The word docs are the same as described in today's earlier malspam runs... however the Dridex malware downloaded from http ://sebel .fr/4367yt/p0o6543f.exe is an -updated- variant (VirusTotal 4/55***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1449064154/

    ** https://malwr.com/analysis/N2U3N2UzN...AyOGRiYWI2NWU/

    *** https://www.virustotal.com/en/file/d...is/1449064895/

    sebel .fr: 213.186.33.19: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/48...7cdd/analysis/

    - http://blog.dynamoo.com/2015/12/malw...rd-e-bill.html
    2 Dec 2015 - "... The attachment is named ebill0765017.doc and it comes in two different versions. The payload appears to be -identical- to this spam run* earlier today. The payload is the Dridex banking trojan."
    * http://blog.dynamoo.com/2015/12/malw...t-request.html
    ___

    Fake 'Paypal' phish...
    - http://myonlinesecurity.co.uk/dear-p...ypal-phishing/
    2 Dec 2015 - "The phishing bots have got a bit confused today and can’t decide if they are imitating PayPal or HMRC to steal your money and identity. An email saying 'Dear Paypal Customer' pretending to come from online-service @hmrc .gov .uk ...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...r-1024x550.png
    The link in this case goes to http ://blood4u .org/apple .com which has an -old- style PayPal log-in page:
    > http://myonlinesecurity.co.uk/wp-con...h-1024x519.png
    The red warning in the URL bar shows that Internet Explorer smart filter knows about it & alerts to it being -fake- and dangerous, which is a typical phishing page that looks very similar to a genuine old style PayPal update page, if you don’t look carefully at the URL in the browser address bar. This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."

    blood4u .org: 108.179.232.158: https://www.virustotal.com/en/ip-add...8/information/
    > https://www.virustotal.com/en/url/b5...34e7/analysis/

    Last edited by AplusWebMaster; 2015-12-02 at 23:02.
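The runs in this post share three delivery shapes: an OLE2 Office document carrying a macro (the Dridex .doc/.xls lures), a zip whose only member is a .js downloader (the TeslaCrypt 'November Invoice' run), and the Adler case where the attachment is not a MIME part at all but a bare Base64 section left in the message body. The following Python is an added example, not code from the post or from the blogs it quotes, showing a mail-gateway triage that classifies attachments by magic bytes rather than by filename and also decodes stray Base64 sections. The three messages are constructed in the code, and the "documents" are only magic bytes plus padding, not real samples.

```python
"""Attachment triage for the malspam shapes in the post above (constructed samples, not real malware)."""
import base64
import io
import re
import zipfile
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file: legacy .doc/.xls
ZIP_MAGIC = b"PK\x03\x04"                         # zip container (also .docx/.xlsx)
SCRIPT_EXT = (".js", ".jse", ".vbs", ".wsf")
# A Base64 blob dumped into a text body: three or more full-width lines, then a final (maybe padded) line.
BASE64_BLOB = re.compile(r"(?:[A-Za-z0-9+/]{60,}\r?\n){3,}[A-Za-z0-9+/]{4,}={0,2}")


def sniff(data: bytes) -> str:
    """Classify by magic bytes, not by the filename the sender chose."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def zip_scripts(data: bytes) -> list:
    """Names of script-like members inside a zip attachment (e.g. INVOICE_main_*.js)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXT)]
    except zipfile.BadZipFile:
        return []


def extract_blobs(msg: EmailMessage):
    """Yield (name, data) for MIME attachments and for bare Base64 sections left in text parts."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            yield name, part.get_payload(decode=True) or b""
        elif part.get_content_type() == "text/plain":
            for m in BASE64_BLOB.finditer(part.get_content()):
                try:
                    yield "<inline base64>", base64.b64decode("".join(m.group(0).split()), validate=True)
                except ValueError:  # binascii.Error subclasses ValueError: not really Base64, skip it
                    continue


def triage(msg: EmailMessage) -> list:
    """One finding per attachment that matches a malspam pattern; an empty list means nothing flagged."""
    findings = []
    for name, data in extract_blobs(msg):
        kind = sniff(data)
        if kind == "ole2":
            findings.append(f"{name}: OLE2 Office document (macro lure candidate)")
        elif kind == "zip":
            for member in zip_scripts(data):
                findings.append(f"{name}: zip contains script {member}")
        elif name.lower().endswith(SCRIPT_EXT):
            findings.append(f"{name}: bare script attachment")
    return findings


# Constructed samples modelled on the post; the attachment bodies are magic bytes plus padding.
def sample_dridex_doc() -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "rebecca@pgs-services.co.uk"  # forged sender, as in the post
    msg["Subject"] = "Request for payment (PGS/73329)"
    msg.set_content("Full details are attached to this email in DOC format.")
    msg.add_attachment(OLE_MAGIC + b"\x00" * 504, maintype="application",
                       subtype="msword", filename="3-6555-73329-1435806061-3.doc")
    return msg


def sample_js_zip() -> EmailMessage:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INVOICE_main_BD3847636213.js", "// placeholder, not the real downloader\n")
    msg = EmailMessage()
    msg["Subject"] = "November Invoice #37330118"
    msg.set_content("Please review the attached copy of your Electronic document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_37330118.zip")
    return msg


def sample_inline_base64() -> EmailMessage:
    body = "Dear Customer,\n\nPlease see attached invoice for payment of your order.\n\n"
    body += base64.encodebytes(OLE_MAGIC + b"\x00" * 300).decode()  # the 'malformed' Adler attachment
    msg = EmailMessage()
    msg["Subject"] = "Your Adler Invoice No. UK 314433178 IN"
    msg.set_content(body)
    return msg
```

`triage()` flags all three samples: the Dridex document by its OLE2 header, the TeslaCrypt zip by the .js member inside it, and the Adler message by decoding the Base64 section that the spammer's broken MIME left in the body. A real gateway would go on to inspect the OLE2 file for a VBA project stream; that step is outside this example.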

  10. #850

    Thumbs down Fake 'Scanned image', 'Invoice', 'ICM - Invoice' SPAM, Apple, Facebook Phish

    FYI...

    Fake 'Scanned image' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/12/malw...-mx-2600n.html
    3 Dec 2015 - "This -fake- scanned image document appears to come from within the victim's own domain, but it is in fact just a simple -forgery- with a malicious attachment.
    From: no-reply@ victimdomain .tld
    Date: 3 December 2015 at 08:12
    Subject: Scanned image from MX-2600N
    Reply to: no-reply@ victimdomain .tld [no-reply@ victimdomain .tld]
    Device Name: Not Set
    Device Model: MX-2600N
    Location: Not Set
    File Format: DOC MMR(G4)
    Resolution: 200dpi x 200dpi
    Attached file is scanned image in DOC format.
    Use Microsoft(R)Word(R) of Microsoft Systems Incorporated
    to view the document.


    Attached is a file named no-reply@victimdomain.tld_20151203_3...0.doc which I have seen just a single sample of so far with a VirusTotal detection rate of 2/55*, and which contains this malicious macro... Automated analysis tools [1] [2] show that the macro downloads a component from the following location:
    vinsdelcomtat .com/u5y432/h54f3.exe
    There will probably be other versions of the document downloading from other locations, but for the moment the binary will be the same. This has a detection rate of 3/55** and this Malwr report*** shows that it communicates with a known bad IP of:
    193.238.97.98 (PJSC DATAGROUP, Ukraine)
    I strongly recommend that you -block- traffic to that IP. The payload is most likely to be the Dridex banking trojan."
    * https://www.virustotal.com/en/file/b...is/1449134658/

    1] https://malwr.com/analysis/MDUzNDZiY...dmMzI4YmEzM2Y/

    2] https://www.hybrid-analysis.com/samp...nvironmentId=1

    ** https://www.virustotal.com/en/file/f...is/1449135336/

    *** https://malwr.com/analysis/NWVlYmQ2N...I0NmFiODA1ZDI/
    ___

    Fake 'Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/12/malw...m-datanet.html
    3 Dec 2015 - "This -fake- financial email does not come from Datanet but is instead a simple -forgery- with a malicious attachment:
    From: Holly Humphreys [Holly.Humphreys@ datanet .co.uk]
    Date: 3 December 2015 at 08:57
    Subject: Invoice from DATANET the Private Cloud Solutions Company
    Dear Accounts Dept :
    Your invoice is attached, thank you for your business.
    If you have any queries please do not hesitate to contact us.
    Regards ...
    Holly Humphreys
    Operations
    Datanet - Hosting & Connectivity...


    I have seen only one sample of this spam with an attachment with a somewhat interesting name of C:\\Users\\HOLLY~1.HUM\\AppData\\Local\\Temp\\Inv_107666_from_DATANET.CO..xls which saves on my computer as C__Users_HOLLY~1.HUM_AppData_Local_Temp_Inv_107666_from_DATANET.CO..xls. This contains this malicious macro... and has a VirusTotal detection rate of 3/55*. According to this Malwr report** and this Hybrid Analysis*** the XLS file downloads a malicious binary from:
    encre .ie/u5y432/h54f3.exe
    There will probably be other versions of this document downloading from other locations too. This has a VirusTotal detection rate of just 1/55**** and that report plus this Malwr report[5] indicate malicious network traffic to:
    162.208.8.198 (VPS Cheap, US / Sulaiman Alfaifi, Saudi Arabia)
    94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
    78.47.66.169 (Hetzner, Germany)
    The payload is almost definitely the Dridex banking trojan.
    Recommended blocklist:
    162.208.8.198
    94.73.155.8/29
    78.47.66.169

    UPDATE: I have seen another version of the document... and a VirusTotal result of 3/54[6]. According to this Malwr report[7] it downloads from:
    parentsmattertoo .org/u5y432/h54f3.exe "
    * https://www.virustotal.com/en/file/b...is/1449136696/

    ** https://malwr.com/analysis/N2Q4MGIyM...RjNTVkYzA0ZTM/

    *** https://www.hybrid-analysis.com/samp...nvironmentId=2

    **** https://www.virustotal.com/en/file/b...is/1449136696/

    5] https://www.hybrid-analysis.com/samp...nvironmentId=2

    6] https://www.virustotal.com/en/file/6...is/1449137162/

    7] https://malwr.com/analysis/MGE3YTQ1Y...I0ZDYxOWNjNzg/

    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    3 Dec 2015
    "... one from the current bot runs...:
    3 December 2015: C___Users__HOLLY~1.HUM__AppData__Local__Temp__Inv_107666_from_DATANET.CO..xls
    Current Virus total detections 3/55* - MALWR** tells us that it downloads http ://encre .ie/u5y432/h54f3.exe (VirusTotal 1/55***) which is likely to be Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1449138312/

    ** https://malwr.com/analysis/N2Q4MGIyM...RjNTVkYzA0ZTM/

    *** https://www.virustotal.com/en/file/6...is/1449137162/
    TCP connections
    94.73.155.12: https://www.virustotal.com/en/ip-add...2/information/
    8.254.218.14: https://www.virustotal.com/en/ip-add...4/information/
    78.47.66.169: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake 'ICM - Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/12/malw...oice-2393.html
    3 Dec 2015 - "This -fake- financial spam does not come from Industrial Cleaning Materials but is instead a simple -forgery- with a malicious attachment:
    From "Industrial Cleaning Materials (ICM)" [sales@ icmsupplies .co.uk]
    Date Thu, 03 Dec 2015 18:22:34 +0700
    Subject ICM - Invoice #2393
    Dear Customer,
    Please find invoice 2393 attached.
    Kind Regards,
    ICM
    Industrial Cleaning Materials ...


    I have seen two versions of the attachment order_2393.doc with VirusTotal results of 2/54 [1] [2] and the Malwr reports [3] [4] show that they download a component from:
    www .ofenrohr-thermometer .de/u5y432/h54f3.exe
    ante-prima .com/u5y432/h54f3.exe
    This has a VirusTotal detection rate of 1/53*. The payload appears to be the -same- as the one in this spam run earlier today** and looks like the Dridex banking trojan."
    1] https://www.virustotal.com/en/file/0...is/1449142268/

    2] https://www.virustotal.com/en/file/5...is/1449142290/

    3] https://malwr.com/analysis/ZjY1YWQ3N...AwNGViNjBmYjc/

    4] https://malwr.com/analysis/NDIyYzY5Y...JhYWU0MWU0NDY/

    * https://www.virustotal.com/en/file/6...is/1449142424/
    TCP connections
    94.73.155.12: https://www.virustotal.com/en/ip-add...2/information/
    8.254.218.14: https://www.virustotal.com/en/ip-add...4/information/
    78.47.66.169: https://www.virustotal.com/en/ip-add...9/information/

    ** http://blog.dynamoo.com/2015/12/malw...m-datanet.html

    - http://myonlinesecurity.co.uk/icm-in...d-doc-malware/
    3 Dec 2015 - "... another one from the current bot runs...
    3 December 2015 : order_2393.doc - Current Virus total detections 2/52*
    MALWR** shows a download from http ://www.ofenrohr-thermometer .de/u5y432/h54f3.exe (VirusTotal 0/47**) which is the same Dridex banking Trojan from today’s other malspam runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1449141906/

    ** https://www.virustotal.com/en/file/6...is/1449142424/
    TCP connections
    94.73.155.12: https://www.virustotal.com/en/ip-add...2/information/
    8.254.218.14: https://www.virustotal.com/en/ip-add...4/information/
    78.47.66.169: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Apple Account Audit – Phish...
    - http://myonlinesecurity.co.uk/apple-...udit-phishing/
    3 Dec 2015 - "An email saying 'Apple Account Audit' coming from Apple <secure@ icloudresources .co.uk> is a -phishing- email that is designed to steal your Apple/ITunes account details as well as your credit card & other bank details. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...t-1024x722.png

    The link in the email goes to http ://itunesconsumerhelp .com/myicloud/?email=victim@ victimdomain .com
    -If- you -open- the attached html file you see a webpage looking like:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x579.png
    ... the phisher has set up the website so that unless you either click through from the email or insert a email address in the format they require, you get a -fake- domain ['Account'] suspended notice..."
    > http://myonlinesecurity.co.uk/wp-con...d-1024x453.png
    The emails come from real newly created domains that sound and look like genuine Apple domains. The emails all have proper SPF and DKIM headers to help them get-past-spam-filters... All of these emails use Social engineering tricks to persuade you to open-the-attachments that come with the email..."
    ___

    Facebook Phish...
    - https://blog.malwarebytes.org/fraud-...ree-video-app/
    Dec 3, 2015 - "... Recently, we’ve seen a campaign... -baiting- users with a -free- “Facebook video application”:
    > https://blog.malwarebytes.org/wp-con...p-original.png
    ... It asks for the user’s account credentials in order to access this so-called app. Once they are provided, the fake Facebook page saves the data onto a PHP page on its domain. We’ve seen a similar campaign hosted on another fake Facebook page, facebookstls[DOT]com:
    > https://blog.malwarebytes.org/wp-con...15/12/stls.png
    ... Should you encounter the above pages, or something similar, steer clear. We also advise our readers who are unfamiliar with -phishing- campaigns on Facebook and what to do if they realized that their credentials have been -stolen- to refer to this page* on the Help Center section**..."
    * https://www.facebook.com/help/217910864998172/

    ** https://www.facebook.com/help/

    facebookstls[DOT]com: 185.86.210.113: https://www.virustotal.com/en/ip-add...3/information/

    Close named site: http://trafficlight.bitdefender.com/...acebooksk.info
    "... Scammers can set up -fake- escrow websites and -fake- shipping companies. While promising to provide escrow services, once payment is made, the -fake- escrow website will take the money and disappear. These -scams- work hand in hand with fake shipping companies and target small businesses, such as restaurants, catering companies, etc. While purchasing large quantities of products, the scammers use stolen credit card numbers or counterfeit checks to complete the sale, and request that the items be shipped with a private third party shipping company, which only accepts payments through some wire transfer service..."

    Last edited by AplusWebMaster; 2015-12-03 at 17:59.
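The phishing lures in these two posts all rely on a brand name sitting somewhere other than the registrable domain: "apple.com" as a path on blood4u .org, "icloud" and "itunes" in itunesconsumerhelp .com and icloudresources .co.uk, and "facebook" in facebookstls[DOT]com. The following Python is an added example, not code from the posts or the blogs they quote, that turns the "look carefully at the URL in the address bar" advice into a check. The brand list, the allowlist of genuine brand domains and the short list of two-label public suffixes are assumptions for the example; production code should use the Public Suffix List instead of the hard-coded suffixes.

```python
"""Flag links whose brand words sit outside the brand's own registrable domain (added example)."""
from urllib.parse import urlsplit

BRANDS = ("paypal", "apple", "icloud", "itunes", "facebook", "hmrc")
# Assumption: the organisation's own allowlist of genuine brand domains.
LEGIT = {"paypal.com", "apple.com", "icloud.com", "facebook.com", "hmrc.gov.uk"}
# Simplification: a few two-label public suffixes; use the Public Suffix List in production.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.au", "co.nz"}


def registrable_domain(host: str) -> str:
    """'www.paypal.com' -> 'paypal.com'; 'icloudresources.co.uk' stays three labels."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_tokens(text: str) -> list:
    t = text.lower()
    return [b for b in BRANDS if b in t]


def assess(url: str):
    """Return (verdict, registrable_domain, brand words found outside an allowlisted domain)."""
    u = urlsplit(url if "://" in url else "http://" + url)
    host = (u.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in LEGIT:
        return "ok", reg, []
    # Brand words in the subdomain labels, the path or the query are the classic lure;
    # a brand word inside a non-allowlisted registrable domain is the look-alike case.
    subdomain_part = host[: len(host) - len(reg)]
    hits = set(brand_tokens(subdomain_part + u.path + "?" + u.query)) | set(brand_tokens(reg))
    if hits:
        return "suspicious", reg, sorted(hits)
    return "unknown", reg, []
```

The substring match is deliberately crude (it will also fire on "pineapple.example"), which is acceptable for a triage queue but not for automatic blocking; the point is that the verdict is driven by the registrable domain, the only part of the URL the phisher cannot choose freely once the brand's own domain is on the allowlist.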
