
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #861
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    PUPs Masquerade as Installer for Antivirus and Anti-Adware

    FYI...

    PUPs Masquerade as Installer for Antivirus and Anti-Adware
    - https://blog.malwarebytes.org/online...d-anti-adware/
    Dec 18, 2015 - "... two pieces of programs claiming to be two different security software, being housed in a domain purporting to be a safe antivirus download hub. The destination in question, however, has been known to serve a -fake- Malwarebytes installer. The domain is antivirus-dld[DOT]com, and users must avoid visiting it or -block- it with their browsers. Below are screenshots of its subdomains where users can supposedly download the AVG and AdwCleaner programs:
    1. https://blog.malwarebytes.org/wp-con...015/12/avg.png
    ...
    2. https://blog.malwarebytes.org/wp-con...adwcleaner.png
    ... -both- installers show differences in file names and hashes, they exhibit more identical markings than what we see on the surface... AV engines detect these as variants of the SoftPulse family... As this “Thank you” GUI window is displayed, the supposed program, in this case AVG, is then downloaded and installed automatically. Users can’t see this happening at first because the installer’s GUI is overlaying the real program’s GUI:
    > https://blog.malwarebytes.org/wp-con...5/12/avg05.png
    Immediately after installation, the default browser opens to reveal an advertisement of an online dating site. We reckon that various ads are randomized:
    > https://blog.malwarebytes.org/wp-con...5/12/avg06.png
    Clicking -any- of these links directs users to magno2soft[DOT]com, a domain that the Google Chrome browser blocks, tagging it as malicious. Additionally, we did a quick look up of their “24/7 free support” phone number—(+1) 844 326 2917—to see if something comes up. It turns out that this number is also used by -other- domains... We have also noted that their contents are also identical to Magno2soft’s. Be advised to -not- visit these sites as some of them automatically download an executable file... Domains like antivirus-dld[DOT]com may only appear legitimate, but they’re just hubs distributing pieces of software you may not want lurking in your hard drive."

    antivirus-dld[DOT]com: 23.229.195.163: https://www.virustotal.com/en/ip-add...3/information/

    magno2soft[DOT]com: 178.33.154.37: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/url/58...9b8c/analysis/

    Last edited by AplusWebMaster; 2015-12-19 at 17:13.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #862

    Angler EK drops TeslaCrypt...

    FYI...

    Angler EK drops TeslaCrypt via recent Flash Exploit
    - https://blog.malwarebytes.org/exploi...re-newexploit/
    Dec 19, 2015 - "On December 18, security company Fortinet blogged* about a possible new variant of the CryptoWall ransomware distributed via spam. Around the same time we discovered that the Angler exploit kit was also pushing this new ‘variant’. However it is not CryptoWall... but rather TeslaCrypt. Files are encrypted and appended with a .vvv extension. In order to recover those files, victims must pay $500USD or face the risk of seeing this amount double within less than a week...
    > https://blog.malwarebytes.org/wp-con...cryptowall.png
    Angler EK uses a very recently patched flaw in Adobe Flash Player up to version 19.0.0.245** (CVE-2015-8446), making it the most lethal exploit kit at the moment..."
    > https://www.virustotal.com/en/file/6...is/1450545960/
    TCP connections
    78.47.139.102: https://www.virustotal.com/en/ip-add...2/information/
    107.180.50.210: https://www.virustotal.com/en/ip-add...0/information/
    109.232.216.57: https://www.virustotal.com/en/ip-add...7/information/

    * http://blog.fortinet.com/post/new-cr...nt-in-the-wild

    ** http://malware.dontneedcoffee.com/20...h-1900245.html

    >> https://forums.spybot.info/showthrea...l=1#post467614

    *** https://www.adobe.com/software/flash/about/


  4. #864

    Fake 'INVOICE' SPAM, DHL - Phish, 'Juniper' -critical- patch

    FYI...

    Fake 'INVOICE' SPAM – doc/xls malware
    - http://myonlinesecurity.co.uk/brenda...sheet-malware/
    21 Dec 2015 - "... An email with the subject of 'Invoice' pretending to come from Brenda Howcroft <accounts@ swaledalefoods .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x778.png

    21 December 2015: Invoice 14702.doc - Current Virus total detections 1/53*
    ... waiting for analysis to complete on this but it is almost certain to be a downloader for Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1450699970/

    - http://blog.dynamoo.com/2015/12/malw...-howcroft.html
    21 Dec 2015 - "This -fake- financial spam does not come from Swaledale Foods but is instead a simple -forgery- with a malicious attachment.
    From: Brenda Howcroft [accounts@ swaledalefoods .co.uk]
    Date: 21 December 2015 at 10:46
    Subject: INVOICE
    Your report is attached in DOC format.
    To load the report, you will need the free Microsoft® Word® reader, available to download...
    Many thanks,
    Brenda Howcroft
    Office Manager
    t 01756 793335 sales
    t 01756 790160 accounts ...


    Attached is a file Invoice 14702.doc which comes in at least -9- different versions... sources say that at least some versions download from the following locations:
    110.164.184.28 /jh45wf/98i76u6h.exe
    getmooresuccess .com/jh45wf/98i76u6h.exe
    rahayu-homespa .com/jh45wf/98i76u6h.exe
    This dropped file has a detection rate of 6/54*. The Hybrid Analysis report** plus some other sources indicate network traffic to:
    199.7.136.88 (Megawire, Canada)
    151.80.142.33 (OVH, France)
    202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
    78.47.66.169 (Hetzner, Germany)
    The payload is the Dridex banking trojan...
    Recommended blocklist:
    199.7.136.88
    151.80.142.33
    202.69.40.173
    78.47.66.169
    "
    * https://www.virustotal.com/en/file/e...is/1450707029/
    TCP connections
    199.7.136.88
    13.107.4.5


    ** https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    Backdoors in Juniper's firewalls ...
    - http://net-security.org/secworld.php?id=19259
    21 Dec 2015

    >> https://isc.sans.edu/diary.html?storyid=20521
    Last Updated: 2015-12-21 - "We decided to move to raise our "Infocon" to yellow over the backdoor in Juniper devices. We decided to do this for a number of reasons:
    - Juniper devices are popular, and many organizations depend on them to defend their networks
    - The "backdoor" password is now -known- and exploitation is trivial at this point. [2]
    - With this week being a short week for many of us, addressing this issue -today- is critical.
    Who is affected by this issue? Juniper devices running ScreenOS 6.3.0r17 through 6.3.0r20 are affected by the -fixed- backdoor password (CVE-2015-7755). [1]
    Juniper devices running ScreenOS 6.2.0r15 through 6.2.0r18 and ScreenOS 6.3.0r12-6.3.0r20 are affected by the VPN decryption problem (CVE-2015-7756). [1] ... There are two distinct issues. First of all, affected devices can be accessed via telnet or ssh using a specific "backdoor" password. This password can not be removed or changed unless you apply Juniper's patch..."
    (More detail at the isc URL above.)
    1] https://kb.juniper.net/InfoCenter/in...13&actp=search

    2] https://community.rapid7.com/communi...ation-backdoor

    Other references:
    > https://www.imperialviolet.org/2015/12/19/juniper.html

    >> https://gist.github.com/fox-srt/ca94b350f2a91bd8ed3f

    - https://www.us-cert.gov/ncas/current...isory-ScreenOS
    Dec 17, 2015

    Exploit attempts - Juniper Backdoor...
    - https://isc.sans.edu/diary.html?storyid=20525
    Last Updated: 2015-12-22 00:19:29 UTC - "We are detecting numerous login attempts against our ssh honeypots using the ScreenOS backdoor password. Our honeypot doesn't emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be "manual" in that we do see the attacker trying different commands. We saw the first attempt at 17:43:43 UTC..."
    ___

    DHL - Phish...
    - http://myonlinesecurity.co.uk/shippi...-dhl-phishing/
    21 Dec 2015 - "An email with the subject of 'SHIPPING DOCUMENT & INV-BL' coming from Ionel Ghenade <ionel_ghenade@ yahoo .com> is a phishing attempt to gain log in details for your DHL account... I don’t suppose many recipients will actually have a DHL account, although some will. This email does come from Yahoo. I do not know whether the sender has had his account hacked or it is a yahoo account created just for this phishing attempt. If your DHL account does get compromised, they will use it to send illegal and -stolen- goods at your expense and you will be held responsible for that... The email has a mass of recipients in the to: box (about 100) so that is the first warning of a mass spam and something wrong. The content simply says:
    Hello,
    THE DHL DOCUMENT HAS BEEN SENT TO YOU AS AS DIRECTED.
    Regards


    ... And has an html attachment to the email that at first glance appears to be a PDF attachment. If you are unwise enough to open the attachment, the first thing you see is a JavaScript pop up alerting you with this message:
    Encripted DHL file, Your Email has been configured To view Document information, Sign in to continue!
    > http://myonlinesecurity.co.uk/wp-con...l_js_popup.png
    Press OK and you get:
    > http://myonlinesecurity.co.uk/wp-con...n-1024x917.png
    Which of course looks like a DHL log in page, if you don’t look at the web address in the URL bar. In this case it is a local file on your computer, not a webpage. If you enter any email address and password, you are then sent to the genuine DHL site. This scam works because of the windows default behaviour to hide file extensions. In this case without the final extension HTML showing, you are misled into thinking that it is a PDF file... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .html file it really is, so making it much more likely for you to accidentally open it..."
    ___

    Password checks... ??
    - http://myonlinesecurity.co.uk/are-yo...swords-secure/
    21 Dec 2015 - "We keep seeing sites that offer to check your passwords and make sure they are safe and secure. One that popped up on Twitter today is:
    - http://www.sbrcentre.co.uk/pages/303..._Password.html
    This aims to educate you and suggest how long it would take to crack your password. Entering -any- password on any of these sites is a total mistake. All these sites that tell you how long and secure your password is, are pure snake oil and a high rating means absolutely -nothing- in the real world. First look at the site. It uses standard HTTP -not- an encrypted HTTPS connection, so in the event you have any problems on your network, anything you send to that site can be easily intercepted. Secondly, even though they say that they do not retain any passwords, how do you know that is true? A misconfiguration can easily store every password in plain text for any hacker to obtain and potentially track back to you. I made up a password to test it:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x546.png
    ...
    > http://myonlinesecurity.co.uk/wp-con...2-1024x548.png
    ... Check it out with a -fake- password but don’t rely on being safe because of that fake password. Most breaches come because of errors or user interaction, not having a short password. Having a long, complicated password that would take 17 trillion years to crack does not mean you are safe. A high proportion of password hacks either come from the website that holds your password and it doesn’t matter if it is 2 characters long or 20000 characters long, if the site doesn’t encrypt stored passwords and keep them in plain text for any hacker to get hold of via security holes in that site. The other primary password loss method is YOU, when you enter details on a -fake- website or respond to a -phishing- email and give away all your passwords or log in information. In many cases a long complicated password is a detriment because you cannot remember it and write it down on a sticky note pinned to the monitor for everyone to see. Either use a password manager or use an easy to remember pass -phrase- or combination of words that mean something to you & no-one else, rather than a single word."

    Last edited by AplusWebMaster; 2015-12-22 at 06:11.
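The ISC diary quoted above gives the affected ScreenOS ranges per CVE; turning that into an inventory check is the first thing a patch owner needs. This is an added example, not code from ISC, Juniper or the forum post: the hostnames and version strings are constructed, and a version with no "rN" maintenance number is treated as r0 (an assumption).

```python
import re
from typing import Dict, List, Tuple

# Affected ScreenOS ranges as quoted from the ISC diary above (inclusive bounds).
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2015-7755": [("6.3.0r17", "6.3.0r20")],                            # fixed "backdoor" password
    "CVE-2015-7756": [("6.2.0r15", "6.2.0r18"), ("6.3.0r12", "6.3.0r20")],  # VPN decryption problem
}

# ScreenOS versions look like 6.3.0r17: major.minor.patch plus an 'rN' maintenance release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:r(\d+))?$")


def parse_screenos(version: str) -> Tuple[int, int, int, int]:
    """Turn '6.3.0r17' into a comparable tuple (6, 3, 0, 17).

    Assumption (not from the page): a version with no 'rN' suffix is treated as r0,
    so it sorts below every maintenance release of the same base version.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {version!r}")
    major, minor, patch, rel = m.groups()
    return int(major), int(minor), int(patch), int(rel or 0)


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids from AFFECTED_RANGES whose ranges cover this version, sorted."""
    v = parse_screenos(version)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        if any(parse_screenos(lo) <= v <= parse_screenos(hi) for lo, hi in ranges):
            hits.append(cve)
    return sorted(hits)


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map hostname -> affected CVEs for every device that needs attention.

    Unparseable version strings are reported under a sentinel entry so that bad
    inventory data does not silently drop a device from the patch list.
    """
    report: Dict[str, List[str]] = {}
    for host, version in inventory:
        try:
            cves = affected_cves(version)
        except ValueError:
            cves = ["UNPARSEABLE-VERSION"]
        if cves:
            report[host] = cves
    return report


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "6.3.0r18"),   # both issues
    ("fw-vpn-02", "6.2.0r16"),    # VPN decryption problem only
    ("fw-lab-03", "6.3.0r21"),    # above the affected ranges
    ("fw-old-04", "6.3.0r12"),    # VPN decryption problem only (below r17)
    ("fw-dmz-05", "unknown"),     # bad data from the asset database
]

if __name__ == "__main__":
    for host, cves in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves)}")
```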

  5. #865

    Fake 'fax', 'New Account', 'PAYMENT RECEIVED' SPAM - HSBC Phish

    FYI...

    Fake 'fax' SPAM - JS malware
    - http://myonlinesecurity.co.uk/you-ha...ne-js-malware/
    22 Dec 2015 - "An email with the subject of 'You have received fax, document 00979545' [random numbered] pretending to come from Interfax Online <incoming@ interfax .net> with a zip attachment is another one from the current bot runs... The content of the email says :
    A new fax document for you.
    You can find your fax document in the attachment.
    Scanned in: 50 seconds
    File name: task-00979545.doc
    Sender: Gerald Daniels
    File size: 252 Kb
    Pages sent: 3
    Resolution: 200 DPI
    Date of scan: Mon, 21 Dec 2015 19:39:17 +0300
    Thank you for using Interfax!


    2 September 2015: task-00979545.zip: Extracts to: task-00979545.doc.js
    Current Virus total detections 10/54*. MALWR shows us it downloads -2- malware files 3009102.exe (virus total 4/53**) and 1af9fcbe48b1f[1].gif (VirusTotal 5/52***) and 1 innocent file from http ://martenmini .com/counter/? (long list of random characters). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1450770443/

    ** https://www.virustotal.com/en/file/4...is/1450751819/

    *** https://www.virustotal.com/en/file/e...is/1450771087/
    ___

    Fake 'New Account' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/12/malw...gas-ac-no.html
    22 Dec 2015 - "This -fake- financial email is not from TopSource, Trinity Restaurants or British Gas (the email seems a bit confused), but is instead a simple -forgery- with a malicious attachment.
    From: trinity [trinity@ topsource .co.uk]
    Date: 22 December 2015 at 10:36
    Subject: British Gas - A/c No. 602131633 - New Account
    Hi ,
    Please refer to the attached invoice from British Gas, the account number on it is different from all the account numbers that we currently have in the system. Can you confirm if this is a new account so that we will create this in system.
    Thanks & Regards,
    Pallavi Parvatkar ...


    Attached is a file British Gas.doc with... a VirusTotal detection rate of 2/54*. Analysis of the document is pending, however it will most likely drop the Dridex banking trojan.
    UPDATE: These automated analyses [1] [2] show that the malicious document downloads from:
    weddingme .net/786h8yh/87t5fv.exe
    This has a VirusTotal detection rate of 3/54**. All those reports indicate malicious traffic to:
    199.7.136.88 (Megawire, Canada)
    151.80.142.33 (OVH, France)
    The payload looks like Dridex...
    Recommended blocklist:
    199.7.136.88
    151.80.142.33
    "
    * https://www.virustotal.com/en/file/0...is/1450781888/

    1] https://www.hybrid-analysis.com/samp...nvironmentId=2

    2] https://malwr.com/analysis/Yjc4NzYyM...RkZjk4OTJkNWQ/

    ** https://www.virustotal.com/en/file/f...is/1450782995/
    TCP connections
    199.7.136.88
    90.84.59.19


    - http://myonlinesecurity.co.uk/britis...sheet-malware/
    22 Dec 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...t-1024x690.png

    22 December 2015 : British Gas.doc - Current Virus total detections 2/54*
    Reverse it** shows a download of what looks like Dridex banking Trojan from
    weddingme .net/786h8yh/87t5fv.exe (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1450781888/

    ** https://www.reverse.it/sample/03b0c3...nvironmentId=1

    *** https://www.virustotal.com/en/file/f...is/1450781177/
    TCP connections
    199.7.136.88
    90.84.59.19

    ___

    Fake 'PAYMENT RECEIVED' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/12/malw...-received.html
    22 Dec 2015 - "This -fake- financial spam does not come from Les Caves de Pyrene but is instead a simple -forgery- with a malicious attachment.
    From: Avril Sparrowhawk [Avril.Sparrowhawk@lescaves.co.uk]
    Date: 22 December 2015 at 11:14
    Subject: CWIH8974 PAYMENT RECEIVED
    Good afternoon
    Thanks very much for your payment we recently from you, however there was a missed invoice. Can you just confirm this will be included in the next payment run, or whether there were any queries with this particular invoice?
    I have attached the invoice for your reference.
    Kind regards
    Avril
    Avril Sparrowhawk
    Credit Controller
    Les Caves De Pyrene
    Pew Corner
    Old Portsmouth Road
    Artington
    Guildford
    GU3 1LP
    ' +44 (0)1483 554784
    6 +44 (0)1483 455068 ...


    Attached is a malicious document CWIH8974.doc of which I have seen just a single sample with a VirusTotal detection rate of 2/54*. There may be other variations of the document, but in this case it downloads a malicious binary from:
    secure.novatronica .com/786h8yh/87t5fv.exe
    This has a VirusTotal detection rate of 2/53** and is the -same- payload as found in this earlier spam run***, leading to the Dridex banking trojan."
    * https://www.virustotal.com/en/file/8...is/1450784063/

    ** https://www.virustotal.com/en/file/f...is/1450784374/
    TCP connections
    199.7.136.88
    90.84.59.19


    *** http://blog.dynamoo.com/2015/12/malw...gas-ac-no.html

    - http://myonlinesecurity.co.uk/cwih89...nloads-dridex/
    22 Dec 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...D-1024x753.png

    22 December 2015: CWIH8974.doc - Current Virus total detections *
    Payload Security Hybrid analysis** shows it downloads a Dridex banking Trojan from
    secure.novatronica .com/786h8yh/87t5fv.exe which is the -same- payload as today’s earlier malspam run***..."
    * https://www.virustotal.com/en/file/8...is/1450784063/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=2

    *** http://myonlinesecurity.co.uk/britis...sheet-malware/
    ___

    Fake 'new payment terms' SPAM - PDF malware
    - http://myonlinesecurity.co.uk/att-ne...e-pdf-malware/
    22 Dec 2015 - "An email with various subjects based around the theme of invoices or payments coming from random email addresses and senders with a zip attachment is another one from the current bot runs... Some of the subjects seen include:
    ATT: / new payment terms and payment
    Invoice Updated: # 15/12/2015 from DXB International, Inc.
    FW: Payment for Invoice

    The contents of the emails vary with each email and it is totally -random- which combination of subject and email body you will get. The attachment name remains consistent. Some of the ones I have seen include:
    We appreciate your business.
    Kind Regards,
    Marketing and Sales Manager
    Jimmie McCoy

    -Or-
    Receipts attached. Thank you
    Sales Manager
    Peter Skinner

    -Or-
    I have two sets as samples ready to ship Invoice # 0311683, 1 box, 1 lbs, $46.28 Please let us know how you want us to ship these goods.
    Thanks & Best Regards,
    Payroll Supervisor
    Frederick Castillo ...


    22 December 2015: Invº-1089-12-2015_PDF.zip: Extracts to: Inv._Nº-1089-12-2015_PDF.exe
    Current Virus total detections 2/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1450791506/
    ___

    Fake 'MUST READ' SPAM - doc malware
    - http://myonlinesecurity.co.uk/must-r...d-doc-malware/
    22 Dec 2015 - "An email with the subject of 'MUST READ! Police hunt missing terror suspect last seen in Camden!' pretending to come from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...n-1024x712.png

    22 December 2015: suspect details 44165680.doc - Current Virus total detections 4/54*
    MALWR** shows a download from http ://31.41.44.224 /portal/portal.php which is named as govuk.exe
    (VirusTotal 2/54***). I am not certain what the payload actually is yet and am awaiting full analysis.
    Update: fast work from the host of 31.41.44.224 https ://www .cishost .ru/ who took down the malware very quickly... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1450796426/

    ** https://malwr.com/analysis/NTAxMjlkN...M4NTU0YjFmN2M/

    *** https://www.virustotal.com/en/file/2...is/1450796555/
    portal.exe

    31.41.44.224: https://www.virustotal.com/en/ip-add...4/information/
    ___

    HSBC - Phish...
    - https://blog.malwarebytes.org/fraud-...rently-locked/
    Dec 22, 2015 - "Customers of HSBC should -avoid- the following URL, which is (most likely) part of an email based phishing campaign. While we don’t have an example of an email to hand, we can certainly shine some light on the website itself which is:
    hsbc-message(dot)com
    ... in the hopes of helping you to avoid a nasty surprise this holiday season:
    > https://blog.malwarebytes.org/wp-con...sbclocked1.jpg
    ... They urge visitors to click next (because hey, that form expires today!) and continue with the process, which is little more than a straight lunge for payment information:
    > https://blog.malwarebytes.org/wp-con...sbclocked2.jpg
    ... To be specific: Card number, expiration date, card verification code, and finally the ATM PIN number. After this, the victim is shown a “We’ll get back to you in 24 hours” message before being forwarded on to a HSBC website:
    > https://blog.malwarebytes.org/wp-con...sbclocked3.png
    From a quick scan of various websites, it seems HSBC scams are all the rage right now [1], [2], [3], [4] so please be extra careful with your logins. Scammers are always looking for a way to grab some fast cash, and regardless of whether they approach you by email, SMS or phonecall..."
    1] https://twitter.com/Nicv27/status/676108831940870144

    2] https://www.instagram.com/p/_XvF5ypr4M/

    3] https://www.instagram.com/p/_W6zn3nX-A/

    4] http://www.scamcallfighters.com/scam...aud-35513.html

    hsbc-message(dot)com: 98.139.135.129: https://www.virustotal.com/en/ip-add...9/information/

    Last edited by AplusWebMaster; 2015-12-22 at 18:04.
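The spoofed-extension attachments in these posts (task-00979545.doc.js, Inv._Nº-1089-12-2015_PDF.exe, the DHL .html that looks like a PDF) and the macro-carrying .doc files share naming patterns that a mail gateway can flag before the user's hidden-extension setting matters. An added example, not code from any of the quoted blogs; the names beyond those on the page are constructed, and the extension sets are this example's own choices.

```python
import re
from typing import Dict, Iterable, List

# Final extensions Windows will run directly or hand to the script host.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "vbe",
                   "wsf", "wsh", "hta", "bat", "cmd", "ps1"}
# A local HTML file: the DHL "PDF" decoy above was really an .html login form.
WEB_EXTS = {"html", "htm"}
# Tokens that make a name look like a harmless document.
DOCUMENT_TOKENS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "rtf"}
# Macro-capable Office formats used by the Dridex downloaders in these posts.
MACRO_CAPABLE_EXTS = {"doc", "xls", "docm", "xlsm"}


def _stem_tokens(stem: str) -> List[str]:
    # Split on '.', '-', '_' and spaces so that both "task-00979545.doc" and
    # "Inv._Nº-1089-12-2015_PDF" expose their document-type token (doc / pdf).
    return [t for t in re.split(r"[.\-_ ]+", stem.lower()) if t]


def inspect_attachment(name: str) -> List[str]:
    """Return the reasons this attachment name should be held, or [] if none apply."""
    reasons: List[str] = []
    stem, sep, final_ext = name.lower().rpartition(".")
    if not sep:
        return reasons  # no extension at all: nothing for this check to judge
    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"final extension .{final_ext} is executable/script")
    elif final_ext in WEB_EXTS:
        reasons.append(f"final extension .{final_ext} opens a local HTML page (credential-phish pattern)")
    elif final_ext in MACRO_CAPABLE_EXTS:
        reasons.append(f".{final_ext} is macro-capable: keep Protected View, do not enable macros/editing")
    # Double-extension decoy: a document token sits in front of a non-document real extension.
    decoys = [t for t in _stem_tokens(stem) if t in DOCUMENT_TOKENS]
    if decoys and final_ext not in DOCUMENT_TOKENS:
        reasons.append(f"document token '{decoys[-1]}' hides real extension .{final_ext} (double-extension decoy)")
    return reasons


def scan_attachments(names: Iterable[str]) -> Dict[str, List[str]]:
    """Inspect each name (pass names extracted from a .zip too) and keep only the flagged ones."""
    flagged: Dict[str, List[str]] = {}
    for name in names:
        reasons = inspect_attachment(name)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample: names taken from the posts above plus two made-up cases.
SAMPLE_ATTACHMENTS = [
    "task-00979545.doc.js",                 # Interfax "fax" run: .doc decoy, real .js
    "Inv._Nº-1089-12-2015_PDF.exe",         # "new payment terms" run: PDF token, real .exe
    "SHIPPING DOCUMENT & INV-BL.pdf.html",  # constructed, shaped like the DHL decoy
    "British Gas.doc",                      # macro downloader: legal extension, still worth a note
    "quarterly-report.pdf",                 # constructed benign control
]

if __name__ == "__main__":
    for name, reasons in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

This only judges the name; a macro-bearing .doc passes the extension test, which is why the posts' advice about Protected View and not enabling macros is a separate control.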

  6. #866

    Fake 'invoice', 'Fee Invoice', 'chasing payment' SPAM, Joomla 3.4.7

    FYI...

    Fake 'invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/12/malw...ndustrial.html
    23 Dec 2015 - "This -fake- invoice has a malicious attachment:
    From: Rachael Murphy
    Date: 23 December 2015 at 13:05
    Subject: Christmas Industrial Decorating invoice-50473367)
    Good afternoon,
    Please find attached 1 invoice for processing.
    Regards and Merry Christmas!
    Rachael Murphy
    Financial Manager ...
    This email has been scanned by the Symantec Email Security.cloud service.


    The sender's name and reference number vary, the attachment is in the format invoice45634499.doc and it comes in at least -three- different versions (VirusTotal results [1] [2] [3]). Analysis is pending, the payload is likely to be the Dridex banking trojan."
    1] https://www.virustotal.com/en/file/a...920d/analysis/

    2] https://www.virustotal.com/en/file/2...a591/analysis/

    3] https://www.virustotal.com/en/file/9...d665/analysis/

    - http://myonlinesecurity.co.uk/christ...sheet-malware/
    23 Dec 2015 - "An email with the subject of 'Christmas Industrial Decorating invoice-22306947)' pretending to come from random senders and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Tony Monroe <MonroeTony50@ bors-spic .ro>
    Date: Wed 23/12/2015 12:56
    Subject: Christmas Industrial Decorating invoice-22306947) (random numbers)
    Good afternoon,
    Please find attached 1 invoice for processing.
    Regards and Merry Christmas!
    Tony Monroe
    Financial Manager ...


    23 December 2015: invoice22306947.doc - Current Virus total detections 2/54*
    ... automatic analysis is inconclusive but it appears to have the same payload as described in THIS post** which is most likely to be Dridex banking Trojan..."
    * https://www.virustotal.com/en/file/a...is/1450875552/

    ** http://myonlinesecurity.co.uk/fw-mer...sheet-malware/
    ___

    Fake 'Fee Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/12/malw...an-acc-no.html
    23 Dec 2015 - "This -fake- financial spam comes with a malicious attachment. The sender's name and reference number is randomly generated.
    From: Josie Ruiz
    Date: 23 December 2015 at 11:38
    Subject: FW: Meridian (Acc. No. 51588088) - Professional Fee Invoice
    Dear Sir/Madam,
    Re: Meridian Professional Fees
    Please find attached our fee note for services provided, which we trust meets with your approval.
    Payment should be made to Meridian International VAT Consulting Ltd. within the agreed payment terms.
    We look forward to your remittance in due course.
    Yours sincerely
    Josie Ruiz
    Financial CEO ...


    The attachment has the same reference number as the subject, and there are at least -five- different versions... likely to be the Dridex banking trojan.
    UPDATE 1: Hybrid Analysis of some of the samples [1] [2] shows some download locations:
    146.120.89.92 /volkswagen/bettle.php
    109.234.34.164 /volkswagen/bettle.php
    Those IPs belong to:
    146.120.89.92 (Ukrainian Internet Names Center LTD, Ukraine)
    109.234.34.164 (McHost.Ru Inc, Russia)
    This is actually an executable with a detection rate of 4/53*. The purpose of this executable is unknown, but it is certainly malicious. Analysis is still pending.
    UPDATE 2: This Threat Expert report** and this Hybrid Analysis*** both report traffic to a presumably hacked server at:
    104.131.59.185 (Digital Ocean, US)
    Recommended blocklist:
    104.131.59.185
    146.120.89.92
    109.234.34.164
    "
    * https://www.virustotal.com/en/file/c...is/1450879468/

    ** http://www.threatexpert.com/report.a...19fd795a748e57

    *** https://www.hybrid-analysis.com/samp...nvironmentId=4

    1] https://www.hybrid-analysis.com/samp...nvironmentId=1

    2] https://www.hybrid-analysis.com/samp...nvironmentId=4

    - http://myonlinesecurity.co.uk/fw-mer...sheet-malware/
    23 Dec 2015
    Screenshot: http://myonlinesecurity.co.uk/wp-con...e-1024x771.png

    23 December 2015: invoice63835341.doc - Current Virus total detections 2/54*
    ... according to Dynamoo** this downloads from 109.234.34.164 /volkswagen/bettle.php which gave me a file called bettle.exe (VirusTotal ***)..."
    * https://www.virustotal.com/en/file/9...is/1450873882/

    ** http://blog.dynamoo.com/2015/12/malw...an-acc-no.html

    *** https://www.virustotal.com/en/file/c...is/1450879468/
    ___

    Fake 'Invoice 70146427' SPAM - malicious attachment
    - http://blog.dynamoo.com/2015/12/malw...-70146427.html
    23 Dec 2015 - "This -fake- financial spam comes with a malicious attachment. It does -not- come from uksafetymanagement .co.uk but is instead a simple forgery.
    From: Claire Carey
    Date: 23 December 2015 at 12:01
    Subject: UKSM Invoice 70146427
    Good time of day,
    Thank you for choosing UK Safety Management Ltd. to carry out your Portable Appliance Testing.
    Please find enclosed your invoice.
    Claire Carey...


    The sender's name and reference number are randomly generated. Attached is a file in the format invoice29111658.doc which comes in at least -three- different versions... Analysis of the documents is pending. However, this is likely to be the Dridex banking trojan. The payload appears to be the -same- as the one found in this spam run*."
    * http://blog.dynamoo.com/2015/12/malw...an-acc-no.html
    ___

    Fake 'chasing payment' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/real-d...sheet-malware/
    23 Dec 2015 - "An email with the subject of 'REAL Digital chasing payment 6910.47' pretending to come from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...t-1024x589.png

    23 December 2015: invoice21891491.doc - Current Virus total detections 2/53*
    ReverseIt analysis** is inconclusive and doesn’t show any payload. However, it is likely to be the Dridex banking trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1450873320/

    ** https://www.reverse.it/sample/d68782...nvironmentId=4
    ___

    Tis the season for shipping and phishing
    - https://securelist.com/blog/phishing...-and-phishing/
    Dec 23, 2015 - "... delivery services send email notifications and provide shipment tracking systems. However, this type of communication also creates the ideal conditions for cybercriminals to send phishing messages in the name of major delivery services, and we end up with an increase in the number of these messages. The fraudsters have a clear aim: to trick unwitting users into downloading a malicious program or entering their confidential data on a phishing site. For example, one scam message detected by Kaspersky Lab asked the user to fill in and sign a delivery form in order to receive a shipment. The message had a DOC file attached to it containing the exploit Exploit.MSWord.Agent.gg, which allowed the cybercriminal to, among other things, gain remote access to the infected computer:
    > https://securelist.com/files/2015/12...hing_eng_1.png
    In another -scam- message the fraudsters write that the shipment is already at a DHL office, but the courier cannot deliver it because the delivery address is unclear. The recipient is asked to follow a link within 48 hours and enter the shipment number on the tracking page; otherwise, the shipment will be returned to the sender:
    > https://securelist.com/files/2015/12...hing_eng_2.png
    A closer inspection reveals that none of the links in the message lead to the DHL site; instead they all point to the same URL packed with the help of a URL shortening service. Another typical fraudster trick is also used in the email – the victim is warned there is a limited amount of time to react (in this case, 48 hours). If the user fails to follow the link in time, the shipment will be returned to the sender. The plan is simple – distract users with warnings about the urgency of doing something quickly rather than giving them time to think things through logically. If unwitting users follow the link, they are taken to a specially crafted site in the corporate style of DHL, and are prompted to type in their login credentials to enter the shipment tracking system:
    > https://securelist.com/files/2015/12...hing_eng_3.png
    ... A similar situation exists around FedEx, another large delivery service provider. Kaspersky Lab has detected multiple phishing messages sent in the name of this company:
    > https://securelist.com/files/2015/12...hing_eng_4.png
    There’s nothing new about this scheme – the victim enters account credentials on a crafted site in order to view information about a shipment:
    > https://securelist.com/files/2015/12...hing_eng_5.png
    The fact that this site is -fraudulent- and has nothing to do with FedEx is clear from the URL in the browser address bar. The conclusion that can be made from the examples given above is that you shouldn’t be too trusting or inattentive while you are online. Never follow links in email messages; it’s safer if you manually type the URL of the required site in your browser address bar. Whenever a page prompts you to enter confidential data, always check the URL in the address bar first. If anything looks suspicious in the URL or in the website design, think-twice before entering any personal data. Last but not least, always keep your security software up to date; it should also include an anti-phishing tool that will help you keep your data confidential, and your money safe. That way, you will be in a good mood for the holidays."
    ___

    Joomla 3.4.7 released
    - https://www.joomla.org/announcements...-released.html
    21 Dec 2015 - "Joomla! 3.4.7 is now available. This is a -security- release for the 3.x series of Joomla which addresses a -critical- security vulnerability and one low-level security vulnerability. We strongly recommend that you update your sites immediately. This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.6 release..."

    Installing Joomla
    > https://docs.joomla.org/J3.x:Installing_Joomla

    Upgrade Packages
    > https://github.com/joomla/joomla-cms/releases/tag/3.4.7

    - https://www.us-cert.gov/ncas/current...ity-Update-CMS
    Dec 22, 2015

    Last edited by AplusWebMaster; 2015-12-23 at 23:15.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
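The Dynamoo post above gives three download/C2 addresses, one URL path (/volkswagen/bettle.php) and an attachment naming pattern (invoiceNNNNNNNN.doc). The following is an added example, not code from Dynamoo or myonlinesecurity, showing how those indicators are applied to web-proxy logs on the detection side. The log format (epoch, client, method, URL, status) and every log line are constructed for the example; mirror.example.net is a hypothetical host included to show that the path indicator still fires when the hosting IP changes.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the post (blocklist IPs and the Dridex download path).
BLOCKLIST = {"104.131.59.185", "146.120.89.92", "109.234.34.164"}
BAD_PATH = "/volkswagen/bettle.php"
# Attachment names seen in this run: invoice63835341.doc, invoice29111658.doc, ...
MALDOC_NAME = re.compile(r"^invoice\d{8}\.(?:doc|xls)$", re.IGNORECASE)

# Constructed proxy log: "<epoch> <client> <method> <url> <status>" per line.
# mirror.example.net is a hypothetical host, not one named in the post.
SAMPLE_LOG = """\
1450879468 10.0.0.12 GET http://109.234.34.164/volkswagen/bettle.php 200
1450879470 10.0.0.12 POST http://104.131.59.185/ 200
1450879480 10.0.0.33 GET http://example.com/index.html 200
1450879490 10.0.0.12 GET http://146.120.89.92/volkswagen/bettle.php 404
1450879495 10.0.0.51 GET http://mirror.example.net/volkswagen/bettle.php 200
"""


def classify_url(url):
    """Return the list of indicator names that a single URL matches."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname in BLOCKLIST:
        reasons.append("host on blocklist")
    if parts.path == BAD_PATH:
        reasons.append("known Dridex download path")
    return reasons


def scan_log(text):
    """Walk the log and collect every request that matches an indicator.

    A 404 is still recorded: the client tried to fetch the payload, which is
    the infection attempt worth triaging, even if that host was already down.
    """
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:          # skip malformed lines rather than crash
            continue
        ts, client, method, url, status = fields
        reasons = classify_url(url)
        if reasons:
            hits.append({"ts": int(ts), "client": client, "method": method,
                         "url": url, "status": status, "reasons": reasons})
    return hits


def clients_to_triage(hits):
    """Distinct internal hosts that touched any indicator, sorted for a ticket."""
    return sorted({h["client"] for h in hits})


def is_maldoc_name(filename):
    """True for the invoice<8 digits>.doc/.xls naming used by this spam run."""
    return MALDOC_NAME.match(filename) is not None


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["url"], hit["status"], ", ".join(hit["reasons"]))
    print("triage:", clients_to_triage(scan_log(SAMPLE_LOG)))
```

Two caveats a practitioner would add: the IPs are rented hosting boxes and one of them is described in the post as a presumably hacked server, so they get reassigned and a blocklist from a given day should be expired rather than kept forever; and the filename pattern changes from run to run, so it is a triage hint for mail logs, not a rule to block on.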

  7. #867
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Domain renewal SCAM, PayPal, Tesco bank phish

    FYI...

    Domain renewal SCAM
    - http://myonlinesecurity.co.uk/domain-renewal-scam/
    24 Dec 2015 - "Many (almost all of us) that have websites and .com domain names and haven’t chosen to use domain privacy will regularly get -scam- messages like this one, trying to fool us into thinking we have to pay these scammers to renew our domain name. They deliberately make it look & sound like a genuine domain renewal and hope that you won’t look carefully at the small print and see it is an SEO scam.
    -Don’t- pay it and dump it in the bin:
    Screenshot: http://myonlinesecurity.co.uk/wp-con...omain_scam.png "
    ___

    PayPal phish ...
    - http://myonlinesecurity.co.uk/your-a...ypal-phishing/
    24 Dec 2015 - "A slightly different PayPal phishing spam run today saying 'Your Access Is restricted ✔' pretending to come from PayPal <jhon@ cilegonfab.co.id>. There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card, with a message saying something like :
    Urgent: Your card has been stopped !
    Your Access Is restricted ✔
    Your PayPal account has been limited
    You sent a payment of $xxxx USD/GBP/ Euro to some company or person
    There have been unauthorised or suspicious attempts to log in to your account, please verify
    Your account has exceeded its limit and needs to be verified
    Your account will be suspended !
    You have received a secure message from < your bank>
    We are unable to verify your account information
    Update Personal Information
    Urgent Account Review Notification
    We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    Confirmation of Order
    ...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...d-1024x773.png

    The link in this case goes to https ://updateinfo .fwd.wf/gb-uk/scr/?q=login&email=youremail@example .com
    Note: the HTTPS Secure SSL login which is unusual for a phishing site and shows the effort that the phishers are starting to go to, in order to persuade you to give them your details:
    > http://myonlinesecurity.co.uk/wp-con...h-1024x575.png
    Which is a typical phishing page that looks very similar to a genuine PayPal log in page, if you don’t look carefully at the URL in the browser address bar. One feature of note is the way the phishers try to block known anti-phishing or antivirus companies from getting to the page. I used the default email address they conveniently inserted and invented a random password and ended up with this 404 page... If I use a “genuine” email with a random password, I get this page (split into 2 screenshots for clarity):
    > http://myonlinesecurity.co.uk/wp-con...3-1024x541.png
    ...
    > http://myonlinesecurity.co.uk/wp-con...4-1024x568.png
    ... This one wants your personal details, your Paypal account log in details and your credit card and bank details along with mother’s maiden name and other info to steal your identity. Many of them are also designed to specifically steal your facebook and other social network log in details..."
    ___

    Tesco bank phish ...
    - http://myonlinesecurity.co.uk/your-r...bank-phishing/
    24 Dec 2015 - "An email with the subject 'Your Recent Attempt to Transfer Funds' pretending to come from Tesco Bank is a currently spreading phishing attempt. There are a few major common subjects in a phishing attempt. Lots of them involve your Bank or Credit Card... This particular phishing campaign starts with an email with a link (all the social media icons in the email do go to genuine Tesco bank social media sites or to a company called Payoneer who say “Payoneer empowers global commerce by connecting businesses, professionals, countries and currencies with its innovative cross-border payments platform.”):

    Screenshot: http://myonlinesecurity.co.uk/wp-con...s-1024x636.png
    Sends you to:
    > http://myonlinesecurity.co.uk/wp-con...h-1024x602.png
    If you fill in a user name you get a page asking for password and security number:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x561.png
    Fill in that and you get to a typical phishing page. This one wants your personal details, your account log in details and your credit card and bank details. Many of them are also designed to specifically -steal- your email, Facebook and other social network log in details:
    > http://myonlinesecurity.co.uk/wp-con...2-1024x693.png
    ... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."

    Last edited by AplusWebMaster; 2015-12-24 at 15:25.
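The PayPal and Tesco Bank posts above make the same point twice: the only reliable tell is the host in the address bar, and an HTTPS padlock does not change that. The following is an added example, not code from the myonlinesecurity posts, that turns that check into a function for a mail-gateway or a help-desk triage script. The PayPal URL is the one quoted in the post; the brand-to-domain table, the Tesco Bank URL and the legitimate sample URLs are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Registrable domains each brand really logs in under. Assumption for the
# example; in production this comes from a maintained allow-list.
BRAND_DOMAINS = {
    "paypal": ("paypal.com",),
    "tesco bank": ("tescobank.com",),
}


def host_belongs_to(hostname, registrable):
    """Exact label match: 'www.paypal.com' passes, 'paypal.com.evil.wf' and
    'notpaypal.com' both fail, which a plain substring test would not do."""
    hostname = hostname.lower().rstrip(".")
    return hostname == registrable or hostname.endswith("." + registrable)


def assess_login_url(url, claimed_brand):
    """Decide whether a login URL is under the claimed brand's own domain.

    The verdict rests on the host alone. Pre-filled addresses and the scheme
    are reported as supporting context: a pre-filled email= parameter is how
    the kit in the post personalises the page, and HTTPS says nothing about
    who runs the server (the quoted phish already used it).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    allowed = BRAND_DOMAINS[claimed_brand]
    on_brand = any(host_belongs_to(host, d) for d in allowed)

    findings = []
    if not on_brand:
        findings.append("host %r is not under %s" % (host, ", ".join(allowed)))
        token = claimed_brand.split()[0]
        if token in host:
            findings.append("brand name used as a lookalike token in an unrelated host")
    query = parse_qs(parts.query)
    if "email" in query:
        findings.append("victim address pre-filled via the email= parameter")

    return {
        "host": host,
        "https": parts.scheme == "https",
        "findings": findings,
        "verdict": "ok" if on_brand else "phish",
    }


if __name__ == "__main__":
    quoted = "https://updateinfo.fwd.wf/gb-uk/scr/?q=login&email=youremail@example.com"
    for u, brand in [(quoted, "paypal"),
                     ("https://www.paypal.com/signin", "paypal"),
                     ("https://tescobank.com.secure-login.example/", "tesco bank")]:
        r = assess_login_url(u, brand)
        print(r["verdict"], r["host"], "https" if r["https"] else "http", r["findings"])
```

The function deliberately does not try to score the page content: as the post notes, the fake page is visually indistinguishable from the genuine one, so a content heuristic is the weaker signal. For brands on multi-label public suffixes (co.uk and the like) the exact-label comparison still works as long as the allow-list carries the full registrable domain.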

  8. #868 AplusWebMaster

    Fake 'WhatsApp' SPAM

    FYI...

    Fake 'WhatsApp' SPAM - malware
    - http://myonlinesecurity.co.uk/fake-w...d-aud-malware/
    27 Dec 2015 - "An email appearing to be a WhatsApp notification with the subject of 'A sound memo has been received aud' pretending to come from WhatsApp <peter.kroell@ towncountry .at> (random email addresses) with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...d-1024x585.png

    27 December 2015: mabella12.zip: Extracts to: gully.exe - Current Virus total detections 19/54*
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1451228525/
    TCP connections
    50.63.202.44: https://www.virustotal.com/en/ip-add...4/information/
    98.139.135.129: https://www.virustotal.com/en/ip-add...9/information/
    108.166.170.106: https://www.virustotal.com/en/ip-add...6/information/
    208.100.26.234: https://www.virustotal.com/en/ip-add...4/information/
    141.8.225.124: https://www.virustotal.com/en/ip-add...4/information/
    173.201.93.128: https://www.virustotal.com/en/ip-add...8/information/

    Last edited by AplusWebMaster; 2015-12-27 at 18:05.
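The attachment in the post above is a zip that extracts to an .exe. The following is an added example, not code from the myonlinesecurity post, that triages such an attachment without extracting it to disk: it lists the members, flags executable and double extensions, peeks at the first two bytes for a PE (MZ) header, and notes extreme compression ratios. The zip is built in memory to mirror the post (mabella12.zip holding gully.exe); the member contents and the notes.pdf.exe member are synthetic.

```python
import io
import os
import zipfile

# Extensions Windows will execute on double-click. Assumption: adjust to policy.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
            ".js", ".jse", ".vbs", ".wsf", ".hta"}


def build_sample_zip():
    """Constructed stand-in for mabella12.zip. The 'MZ' stub is not a real PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("gully.exe", b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
        z.writestr("readme.txt", b"constructed benign text, not malware\n")
        z.writestr("notes.pdf.exe", b"MZ" + b"\x00" * 30)   # double-extension trick
    return buf.getvalue()


def triage_zip(data):
    """Inspect every member of an in-memory zip and report why each is suspect.

    Nothing is written to disk and only the first two bytes of each member are
    inflated, so a large or hostile archive costs little to look at.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            lower = info.filename.lower()
            ext = os.path.splitext(lower)[1]
            reasons = []
            if ext in EXEC_EXT:
                reasons.append("executable extension " + ext)
                if lower.count(".") >= 2:
                    reasons.append("double extension")
            with z.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("PE/MZ header")
            # Decompression-bomb guard: declared size vs. stored size.
            if info.compress_size and info.file_size / info.compress_size > 100:
                reasons.append("extreme compression ratio")
            if reasons:
                findings.append({"name": info.filename,
                                 "size": info.file_size,
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["name"], f["size"], ", ".join(f["reasons"]))
```

The MZ check catches renamed executables (an .exe shipped as .pdf) that the extension test misses, and the extension test catches scripts that have no magic header; neither alone is enough. Password-protected zips, which later spam runs used to defeat gateway scanning, will raise on `z.open` and should be quarantined rather than skipped.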

  9. #869 AplusWebMaster

    AMEX, Straight2Bank - Phish

    FYI...

    AMEX - Phish...
    - http://myonlinesecurity.co.uk/confir...-attempt-fail/
    28 Dec 2015 - "... An email with the subject of 'Confirm Your Account Profile! 12/28/2015' pretending to come from American Express Online <narobiprojectors@ inbox .com> (I have received several this afternoon/evening, all pretending to come from different names @ inbox .com)...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...5-1024x563.png

    The -attached- HTML page which is complete with bad spelling mistakes and looks glaringly wrong would attempt to send your information (-if- you were unwise enough to fill in the page) to
    http ://fantasticvacationhomes .com/verification3.php
    > http://myonlinesecurity.co.uk/wp-con...h-1024x693.png "

    fantasticvacationhomes .com: 192.185.141.50: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Straight2Bank - Phish...
    - http://myonlinesecurity.co.uk/straig...nges-phishing/
    28 Dec 2015 - "An email saying 'Straight2Bank Website changes' pretending to come from Straight2Bank <Milan.Colquhoun@ s2b.standardchartered .com> is one of today’s phishing attempts. I have received loads of these this morning and they are using several -different- phish sites... The link in the email directs you to a -fake site-, if you look at the fake website, you would be very hard-pressed to tell the difference between the fake one and the genuine site. The -only- way is look at the address bar and in the -Genuine- bank site, when using Internet Explorer the entire address bar is in green. (in Chrome or Firefox, only the padlock symbol on the left of the browser is green):

    Screenshot: http://myonlinesecurity.co.uk/wp-con...y-1024x758.png

    ... previous versions of phish attempts against this bank they only asked for passwords, log in details and pin numbers and didn’t ask for any other personal information... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."

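The AMEX phish above arrives as an HTML attachment whose form posts to fantasticvacationhomes .com/verification3.php. The following is an added example, not code from the myonlinesecurity post, that pulls every form out of such an attachment with the standard library and reports where it submits and which sensitive fields it collects, so an analyst gets the drop URL without opening the file in a browser. The HTML is constructed to mirror the post; the field names, the second form and the choice of americanexpress.com as the brand's domain are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Substrings that mark a field as credential or card data. Assumption for the example.
SENSITIVE = {"password", "pass", "pin", "ssn", "cvv", "cvc", "card", "maiden", "dob"}

# Constructed attachment; the action URL is the one quoted in the post.
SAMPLE_HTML = """<html><body>
<form method="post" action="http://fantasticvacationhomes.com/verification3.php">
  <input name="userid"><input name="password" type="password">
  <input name="cardnumber"><input name="cvv"><input name="ssn">
  <input type="submit" value="Confirm Your Account Profile">
</form>
<form action="https://www.americanexpress.com/search"><input name="q"></form>
</body></html>"""


class FormCollector(HTMLParser):
    """Record each <form> with its action, method and the input names inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # valueless attributes map to None
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            name = a.get("name")
            if name and kind not in {"submit", "button", "image", "reset"}:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage_forms(html, brand_domain):
    """Return one report per form: drop host, method, fields, and a verdict.

    A form is suspicious when it sends sensitive fields to a host outside the
    brand's registrable domain. An empty host means a relative action, which in
    a local attachment posts nowhere; such kits usually rely on script instead,
    so an empty host is reported but not judged here.
    """
    p = FormCollector()
    p.feed(html)
    p.close()
    report = []
    for f in p.forms:
        host = (urlsplit(f["action"]).hostname or "").lower()
        off_brand = bool(host) and not (host == brand_domain
                                        or host.endswith("." + brand_domain))
        sensitive = [n for n in f["fields"]
                     if any(k in n.lower() for k in SENSITIVE)]
        report.append({"action": f["action"], "host": host, "method": f["method"],
                       "fields": f["fields"], "sensitive": sensitive,
                       "suspicious": off_brand and bool(sensitive)})
    return report


if __name__ == "__main__":
    for r in triage_forms(SAMPLE_HTML, "americanexpress.com"):
        print("SUSPICIOUS" if r["suspicious"] else "ok", r["method"].upper(),
              r["host"] or "(relative)", r["sensitive"])
```

The drop host is also the value to feed a proxy blocklist and to search mail logs for other recipients, which is the same triage the earlier Dridex post does with its IPs. Obfuscated kits that build the form or the action URL in JavaScript will show an empty or placeholder action here; for those the file still needs a sandbox, and the parser's job is only to get the easy cases out of the queue.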

  10. #870 AplusWebMaster

    Most vulnerabilities in 2015

    FYI...

    Most vulnerabilities in 2015: Mac OS X, iOS, and Flash
    - http://venturebeat.com/2015/12/31/so...ios-and-flash/
    Dec 31, 2015 - "Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apple’s Mac OS X, with 384 vulnerabilities. The runner-up? Apple’s iOS, with 375 vulnerabilities. Rounding out the top five are Adobe’s Flash Player, with 314 vulnerabilities; Adobe’s AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities.
    For comparison, last year the top five (in order) were: Microsoft’s Internet Explorer, Apple’s Mac OS X, the Linux Kernel, Google’s Chrome, and Apple’s iOS. These results come from CVE Details*, which organizes data provided by the National Vulnerability Database (NVD). As its name implies, the Common Vulnerabilities and Exposures (CVE) system keeps track of publicly known information-security vulnerabilities and exposures... the 2015 list of the top 50 software products** in order of total distinct vulnerabilities..."
    * http://www.cvedetails.com/top-50-vendors.php?year=2015

    ** http://1u88jj3r4db2x4txp44yqfj1.wpen...op_50_2015.png

    Top 50 list of products categorized by company - Graphic:
    > http://1u88jj3r4db2x4txp44yqfj1.wpen...mpany_2015.png

    Last edited by AplusWebMaster; 2016-01-02 at 22:28.
