
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #871
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Evil network: 199.195.196.176/29, Javascript Ransomware

    FYI...

    Evil network: 199.195.196.176/29...
    - http://blog.dynamoo.com/2016/01/evil...629-roman.html
    4 Jan 2016 - "199.195.196.176/29 is a small bunch of IPs hosting browser-hijacker sites, belonging to Hosting Services, Inc. in Utah and suballocated to a customer. Several domains are flagged by Google as leading to PUAs or malware [1] [2] [3] [4] [5] [6], and almost all those domains also have anonymous registrations... Blocking 199.195.196.176/29 or monitoring traffic to it might detect infected hosts, that appear to have a bunch of per-install crapware and other stuff installed."
    (More detail at the dynamoo URL above.)
    1] https://www.google.com/transparencyr...downloader.biz

    2] https://www.google.com/transparencyr...mile-files.com

    3] https://www.google.com/transparencyr...ress-files.com

    4] https://www.google.com/transparencyr...downloader.com

    5] https://www.google.com/transparencyr...wn4loading.net

    6] https://www.google.com/transparencyr...downloader.net

    > http://centralops.net/co/DomainDossier.aspx
    network:Network-Name:Dedicated Server
    network:IP-Network:199.195.196.176/29
    network:IP-Network-Block:199.195.196.176 - 199.195.196.183
    network:Org-Name:Alyabiev, Roman
    network:Street-Address:pr. Molodeznoi 7 kv. 101
    network:City:Kemerovo
    network:State:
    network:Postal-Code:650044
    network:Country-Code:RU ...
    ___

    Ransom32: The first javascript ransomware
    - https://isc.sans.edu/diary.html?storyid=20569
    2016-01-04 - "... new variant and this one has been built using javascript. This malware -fakes- the NW.js framework. Once installed, connects to its C&C server on TOR network port 85 to get the bitcoin address and the crypto key used for encryption. This trend is not new and we have seen how malware is being built more and more sophisticated to avoid being detected by any antimalware control at the endpoint. You have to integrate endpoint security with network security and correlate any possible alerts that might indicate an incident happening, like a computer being connected to TOR network."
    More info at: http://blog.emsisoft.com/2016/01/01/...pt-ransomware/

    Last edited by AplusWebMaster; 2016-01-04 at 23:10.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #872
    AplusWebMaster (Adviser Team)

    Fake 'Invoice', 'Penalty Charge Notice', 'Payment notification' SPAM, Facebook Phish

    FYI...

    Fake 'Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...-49934798.html
    6 Jan 2016 - "This -fake- financial spam has a malicious attachment. The sender's names, reference numbers and attachment names vary. Here is one example:
    From: Bertha Sherman
    Date: 6 January 2016 at 09:29
    Subject: Invoice-205611-49934798-CROSSHILL SF
    Dear Customer,
    Please find attached Invoice 02276770 for your attention.
    Should you have any Invoice related queries please do not hesitate to
    contact either your designated Credit Controller or the Main Credit Dept. on
    01635 279370.
    For Pricing or other general enquiries please contact your local Sales Team.
    Yours Faithfully,
    Credit Dept' ...


    I have seen at least -four- different attachments with names in a format similar to invoice40201976.doc... Malwr reports... show that the malware contained within POSTs to:
    37.46.130.53 /jasmin/authentication.php
    179.60.144.21 /jasmin/authentication.php
    195.191.25.138 /jasmin/authentication.php
    Those reports also show communication to other suspect IPs, giving:
    94.158.214.45 (Noviton Ltd , Russia)
    78.47.119.93 (Hetzner, Germany)
    2.61.168.116 (Sibirtelecom, Russia)
    37.46.130.53 (JSC Server, Russia)
    179.60.144.21 (Veraton Projects Ltd, Netherlands)
    195.191.25.138 (Hostpro Ltd, Ukraine)
    This Hybrid Analysis* also shows similar characteristics. The macro drops a file tsx3.exe with a detection rate of 7/55**. The Malwr report*** doesn't give any particular insight as to what this is, but it is likely to be a banking trojan or ransomware. There are two other similar spam campaigns at the same time [1] [2], one of which POSTs to a McHost .RU IP in Russia:
    109.234.34.224 /jasmin/authentication.php ...
    Recommended blocklist:
    "
    * https://www.hybrid-analysis.com/samp...nvironmentId=2

    ** https://www.virustotal.com/en/file/4...is/1452075219/

    *** https://malwr.com/analysis/MmFjNGZjZ...lkMmRhMmZjZWY/

    1] http://blog.dynamoo.com/2016/01/malw...a20114520.html

    2] http://blog.dynamoo.com/2016/01/malw...tion-from.html

    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    6 Jan 2016 - "An email with the subject of 'Invoice-205611-88038421-CROSSHILL SF' coming from random email addresses and senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    6 January 2016: invoice88038421.doc - Current Virus total detections 2/56*
    MALWR** shows tsx3.exe downloaded from http :// 37.46.130.53/jasmin/authentication.php (VirusTotal 6/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1452072516/

    ** https://malwr.com/analysis/YTI1YTcwN...I1YzExMWZjNGY/

    *** https://www.virustotal.com/en/file/4...is/1452073223/
    ___

    Fake 'Penalty Charge Notice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...a20114520.html
    6 Jan 2016 - "This -fake- financial spam comes with a malicious attachment. The sender's name, reference numbers and attachment names vary. It seems to be closely related to this spam run*.
    From: Viola Carrillo
    Date: 6 January 2016 at 09:53
    Subject: Invoice for IA20114520
    To Whom It May Concern,
    Please find attached an invoice relating to Penalty Charge Notice Number IA20114520 along with a copy of the contravention.
    In order to prevent this fine from escalating further we have paid this fine on your behalf. Should you have any queries concerning these charges please don’t hesitate to contact me.
    Payment for this invoice will be taken by Direct Debit 9 working days from the date of this email.
    Please refer to page 2, point 3.6 in your Terms and Conditions for information on Traffic Offences.


    I have seen two variants of the attachment (VirusTotal results [1] [2]) and these two Malwr reports [3] [4] indicate identical characteristics to the payload in this spam run* which is also being sent out today."
    * http://blog.dynamoo.com/2016/01/malw...-49934798.html

    1] https://www.virustotal.com/en/file/9...is/1452076482/

    2] https://www.virustotal.com/en/file/8...is/1452076495/

    3] https://malwr.com/analysis/NTIyNzhmY...FhMGY0OWUxNGQ/
    195.191.25.138
    78.47.119.93
    13.107.4.50


    4] https://malwr.com/analysis/YWZjODliM...NmMDYwMzNlNWQ/
    195.191.25.138
    78.47.119.93
    13.107.4.50


    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    6 Jan 2016 - "The second of today’s Dridex downloaders... pretends to be a penalty-charge-notification is an email with the subject of 'Invoice for IA20122439' (random numbers) pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    6 January 2016 : invoice20122439.doc - Current Virus total detections 2/56*
    MALWR** shows us a download of tsx3.exe from http :// 109.234.34.224/jasmin/authentication.php
    ... this is the -same- Dridex payload as described in today’s slightly earlier Malspam run***..."
    * https://www.virustotal.com/en/file/5...is/1452076028/

    ** https://malwr.com/analysis/MWFhNTVjZ...hmNjFkY2JjZjc/
    109.234.34.224
    78.47.119.93
    13.107.4.50


    *** http://myonlinesecurity.co.uk/invoic...sheet-malware/
    ___

    Fake 'Payment notification' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/paymen...sheet-malware/
    6 Jan 2016 - "The Third of today’s Dridex downloaders... pretends to be an energy statement is an email with the subject of 'Payment notification from Third Energy Services Limited' coming from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Blair Maldonado <MaldonadoBlair76939@ ewb-mn .org>
    Date: Wed 06/01/2016 10:29
    Subject: Payment notification from Third Energy Services Limited
    Body content:
    Payment notification from Third Energy Services Limited
    Third Energy Services Limited
    Registered in England & Wales. Registered number: 50380220.
    Registered office: 7th Floor. Portland House, Bressenden Place, London, UK, SW1E 5BH
    Tel: 01944 759904 ot 0207 0420 800
    This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Third Energy. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone...


    6 January 2016: remit50380220.doc - Current Virus total detections 2/55*
    MALWR** once again shows a download of tsx3.exe from http :// 195.191.25.138/jasmin/authentication.php which is the -same- Dridex banking malware as described in today’s earlier malspam runs [1] [2]..."
    * https://www.virustotal.com/en/file/d...is/1452076128/

    ** https://malwr.com/analysis/ZmUwNWIzM...Y0NWM2YmMxMjM/


    1] http://myonlinesecurity.co.uk/invoic...sheet-malware/

    2] http://myonlinesecurity.co.uk/invoic...sheet-malware/

    - http://blog.dynamoo.com/2016/01/malw...tion-from.html
    6 Jan 2016 - "This -fake- financial email comes with a malicious attachment.
    From: Addie Caldwell
    Date: 6 January 2016 at 10:31
    Subject: Payment notification from Third Energy Services Limited
    Payment notification from Third Energy Services Limited...


    ... -three- different versions of the attachment (in the format remit85752524.doc or similar)... similar characteristics to this spam run* plus this additional URL:
    109.234.34.224 /jasmin/authentication.php
    This IP is allocated to McHost .RU in Russia and can be considered as malicious. The payload is unknown, but is possibly Dridex.
    Recommended blocklist:
    "
    * http://blog.dynamoo.com/2016/01/malw...-49934798.html
    ___

    Fake 'BACS PAYMENT' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...s-payment.html
    6 Jan 2016 - "This -fake- financial spam comes with different sender names, reference details and attachment names. However, in all cases the attachment is malicious.
    From: Forrest Cleveland
    Date: 6 January 2016 at 11:23
    Subject: STA19778072 - BACS PAYMENT
    Importance: High
    Hello,
    Wasn’t sure who to email.
    I don’t know if you have been asked but Statestrong Products Ltd are making one payment today for two cars. Could you let me know when it is in the account please as these are both collections tomorrow...


    So far I have seen -three- different attachment variants... same general characteristics as this spam run*. However in this case the dropped file tsx3.exe has been updated and the -new- version has a detection rate of 6/54**. The Malwr report*** indicates very similar traffic to before.
    Recommended blocklist:
    "
    * http://blog.dynamoo.com/2016/01/malw...-49934798.html

    ** https://www.virustotal.com/en/file/d...is/1452080581/

    *** https://malwr.com/analysis/NjUyZjQ4Y...I1NjIxYjcyNTc/
    78.47.119.93
    165.254.102.181


    - http://myonlinesecurity.co.uk/sta376...sheet-malware/
    6 Jan 2016 - "The 4th of today’s Dridex malspam downloaders... email with the subject of 'STA37626091 – BACS PAYMENT' (random numbers) coming from random email addresses and senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...T-1024x535.png

    6 January 2016: remit37626091.doc - Current Virus total detections *
    MALWR** shows us it once again downloads tsx3.exe which looks like Dridex banking malware from http :// 37.46.130.53/jasmin/authentication.php (VirusTotal ***) this looks like an updated version from earlier, but Dridex is known to update at frequent intervals throughout the day, often as frequently as -hourly- ..."
    * https://www.virustotal.com/en/file/e...is/1452079135/

    ** https://malwr.com/analysis/MjEyZjhkO...Y2NzAzODk3NTA/
    37.46.130.53
    78.47.119.93
    13.107.4.50


    *** https://www.virustotal.com/en/file/d...is/1452078831/
    ___

    Fake 'Unilet Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...-67940597.html
    6 Jan 2016 - "This fake invoice seems to be a bit confused as to who is sending it. It has a malicious attachment.
    From: Desiree Doyle
    Date: 6 January 2016 at 12:29
    Subject: Unilet Invoice 67940597
    Hello,
    Please find attached another invoice to pay please by BACS.
    Thanks
    Desiree Doyle
    Accounts Department
    -----Original Message-----
    From: Desiree Doyle
    Sent: 06 January 2016 12:30
    To: Desiree Doyle
    Subject: Scanned from a Xerox Multifunction Device
    Please open the attached document. It was scanned and sent to you using a Xerox Multifunction Device.
    Attachment File Type: pdf, Multi-Page
    Multifunction Device Location: Melbury House-MG01
    Device Name: 7225 ...


    The attachment has a random name in the format remit41071396.doc and I have seen -three- different versions with quite low detection rates [1] [2] [3]. The Malwr reports for these [4] [5] [6] indicate that it has the -same- behaviour as the spam documented here*, dropping a file tsx.exe ..."
    1] https://www.virustotal.com/en/file/b...is/1452084584/

    2] https://www.virustotal.com/en/file/9...is/1452084616/

    3] https://www.virustotal.com/en/file/9...is/1452084631/

    4] https://malwr.com/analysis/Yjk3ZWRhY...Q3NWI1ZDQ5MGQ/


    5] https://malwr.com/analysis/NmZmMTM2M...U4YTNhNzVmNjY/
    179.60.144.21

    6] https://malwr.com/analysis/YjE1NzljM...EwNGE4NzQxZDU/
    37.46.130.53
    78.47.119.93
    13.107.4.50


    * http://blog.dynamoo.com/2016/01/malw...-49934798.html

    - http://myonlinesecurity.co.uk/unilet...d-doc-malware/
    6 Jan 2016 - "Yet another Dridex downloader coming in an email with the subject of 'Unilet Invoice 58520927' (random numbers) pretending to come from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...7-1024x518.png

    6 January 2016: remit58520927.doc - Current Virus total detections 2/56*
    MALWR** once again shows us tsx3.exe being downloaded from http :// 37.46.130.53/jasmin/authentication.php (VirusTotal 6/54***) -Same- Dridex Banking malware as THIS earlier malspam[4]..."
    * https://www.virustotal.com/en/file/8...is/1452083864/

    ** https://malwr.com/analysis/NTM3Yzg2M...JjYjk5ODBlNGI/
    37.46.130.53
    78.47.119.93
    13.107.4.50


    *** https://www.virustotal.com/en/file/d...is/1452083988/

    4] http://myonlinesecurity.co.uk/sta376...sheet-malware/
    ___

    Facebook “Page Disabled” Phish - wants your Card Details
    - https://blog.malwarebytes.org/fraud-...-card-details/
    Jan 6, 2015 - "Fake Facebook Security pages are quite a common sight, and there’s a “Your page will be disabled unless…” -scam- in circulation at the moment on random Facebook comment sections which you should steer clear of. The scam begins with a message like this:
    Warning!!!
    Your page will be disabled.
    Due to your page has been reported by other users.
    Please re-confirm your page in order to avoid blocking. You violate our terms of service. If you are the original owner of this account, please re-confirm your account in order to avoid blocking.

    If the multiple exclamation marks and generally terrible grammar didn’t give the game away, the following request certainly might:
    To complete your pages account please confirm Http below:
    https(dot)lnkd(dot)in/bNF9BUY?Facebook.Recovery.page
    "Attention"
    If you do not confirm, then our system will automatically block your account and you will not be able to use it again.
    Thank you for the cooperation helping us improve our service.
    The Facebook Team


    ... Google Safe Browsing flags the final destination as a dubious website: and fires up a “Deceptive site ahead” warning:
    > https://blog.malwarebytes.org/wp-con...efacebook1.jpg
    ... After harvesting your Facebook credentials, they then go after payment information:
    > https://blog.malwarebytes.org/wp-con...efacebook3.jpg
    ... Should the victim enter their information and hit the button, they’ll be forwarded on to the real Facebook Security Facebook page. There’s also a “Confirm Paypal” button which leads to a phish for -that- service, too:
    > https://blog.malwarebytes.org/wp-con...efacebook4.jpg
    The above page is located at:
    report-fanpage(dot)gzpot(dot)com/Next/paypal(dot)com(dot)htm
    Make no mistake, this is one phishing scam that could cost you a lot more than your Facebook login. Should you be sent any attempts at panicking you into entering your logins on a so-called “Security Page”, you should give both destination URL and comment sender a very wide berth."

    > https://www.virustotal.com/en/url/f7...d6a8/analysis/

    report-fanpage.gzpot .com: 31.170.166.81: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/ad...96a9/analysis/

    Last edited by AplusWebMaster; 2016-01-06 at 19:45.

  3. #873
    AplusWebMaster (Adviser Team)

    Malvertising - CryptoWall, Fake 'Angel Springs', 'Ibstock Group Invoice' SPAM

    FYI...

    Malvertising - Pop-under Ads sends CryptoWall4
    - https://blog.malwarebytes.org/malver...-cryptowall-4/
    Jan 7, 2016 - "We have caught a new malvertising campaign on the PopAds network launching the Magnitude exploit kit via pop-under ads. A pop-under is an ad window that appears behind the main browser window and typically remains open until the user manually closes it. Unsuspecting victims running -outdated- versions of the Flash Player were immediately infected with the CryptoWall ransomware. This campaign started around January 1st with ads mostly placed on various adult and video streaming sites and led to an increase in Magnitude EK activity. Infection flow overview:
    serve.popads .net/servePopunder.php?cid={redacted}
    {redacted}.name/
    Magnitude EK domain ...
    According to our data, this attack mainly targeted European users:
    > https://blog.malwarebytes.org/wp-con...01/graphic.png
    CryptoWall 4 infection: Once a system is infected, personal files are encrypted and usable as indicated in the dreaded CryptoWall ransom page:
    > https://blog.malwarebytes.org/wp-con...ransompage.png
    To recover pictures, documents and other important files, users are asked to pay in order to receive a “decryption” key... Prevention: Ransomware is one particular type of malware where prevention and backups are more important than ever. Since this particular attack relies on web exploits to infect the machine, it is crucial to keep your browser and related plugins up-to-date. You may also want to consider disabling or removing the Flash Player altogether since it has suffered a high number of zero-day exploits in recent history (even the latest version was vulnerable)..."
    popads .net: 184.154.76.140: https://www.virustotal.com/en/ip-add...0/information/

    - http://www.csoonline.com/article/301...s-encrypt.html
    Jan 7, 2016
    ___

    Fake 'Angel Springs' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...ents-from.html
    7 Jan 2016 - "This -fake- financial spam comes with a malicious attachment. The name of the sender varies, as does the reference number in the subject field that matches the attachment name.
    From: Leonor Stevens
    Date: 7 January 2016 at 10:13
    Subject: Your Latest Documents from Angel Springs Ltd [1F101177]
    Dear Customer,
    Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we've invested in upgrading our billing systems to make things a little easier for you.
    Here's a few ways we've made it easier for you:
    Your new documents are now attached to your email. You don't have to follow a link now to get to your documents...


    The three samples I have sent for analysis... show an initial communication with:
    176.103.62.108 /ideal/jenny.php
    91.223.88.205 /ideal/jenny.php
    These IPs belong to:
    176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
    91.223.88.205 (Private Person Anton Malyi, Ukraine)
    I note that 91.223.88.204 also hosts some bad things.. and the entire 176.103.48.0/20 block has a history of evil-ness... Note that there are probably other download locations. Check back later if you are interested.
    These malicious documents drop a binary geroin.exe which has a detection rate of 3/54*. The Malwr report** for this shows it phoning home to:
    78.47.119.93 (Hetzner, Germany)...
    Recommended blocklist:
    176.103.48.0/20
    91.223.88.204/30
    78.47.119.93
    "
    * https://www.virustotal.com/en/file/9...is/1452162035/

    ** https://malwr.com/analysis/NGY4M2MzM...djZTdmZGM4NDQ/

    - http://myonlinesecurity.co.uk/your-l...sheet-malware/
    7 Jan 2016 - "... an email with the subject of 'Your Latest Documents from Angel Springs Ltd [090190F1]' (random characters) pretending to come from random names and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From:Shanna Bolton <BoltonShanna6995@ dsldevice .lan>
    Date:Thu 07/01/2016 08:57
    Subject: Your Latest Documents from Angel Springs Ltd [090190F1] ...
    Dear Customer,
    Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we’ve invested in upgrading our billing systems to make things a little easier for you.
    Here’s a few ways we’ve made it easier for you:
    Your new documents are now attached to your email. You don’t have to follow a link now to get to your documents...


    7 January 2016: 090190F181854503.doc - Current Virus total detections 2/54*
    ... downloads geroin.exe which looks like Dridex banking malware from http ://91.223.88.205 /ideal/jenny.php (VirusTotal 3/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1452161327/

    ** https://www.virustotal.com/en/file/9...is/1452162035/
    ___

    Fake 'Ibstock Group Invoice' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/ibstoc...sheet-malware/
    7 Jan 2016 - "... an email with the subject of 'Invoice 38178369 19/12 4024.80' pretending to come from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...0-1024x746.png

    7 January 2016: invoice38178369.doc - Current Virus total detections *
    Downloads the -same Dridex banking malware from http ://193.201.227.12 /ideal/jenny.php as described in this slightly earlier post:
    > http://myonlinesecurity.co.uk/your-l...sheet-malware/
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1452163655/

    - http://blog.dynamoo.com/2016/01/malw...7665-1912.html
    7 Jan 2016 - "This -fake- financial spam is not from the Ibstock Group but instead contains a malicious attachment. It is closely related to this spam* which was sent out earlier today.
    From: Amber Smith
    Date: 7 January 2016 at 10:38
    Subject: Invoice 01147665 19/12 £4024.80 ...
    Many thanks for the payment. There’s just one invoice that hasn’t been paid and doesn’t seem to have a query against it either.
    Its invoice 01147665 19/12 £4024.80 P/O ETCPO 35094
    Can you have a look at it for me please?
    Thank-you !
    Kind regards
    Amber Smith
    Credit Control
    Finance Department
    Ibstock Group ...


    The sender's name varies, as does the reference number which matches the name of the attachment. I have seen three unique samples so far... show these documents communicating with:
    193.201.227.12/ideal/jenny.php
    91.223.88.205/ideal/jenny.php
    176.103.62.108/ideal/jenny.php
    IPs are allocated to:
    176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
    91.223.88.205 (Private Person Anton Malyi, Ukraine)
    193.201.227.12 (PE Tetyana Mysyk, Ukraine)
    As before, a binary geroin.exe is dropped which communicates with:
    78.47.119.93 (Hetzner, Germany)
    The payload is the Dridex banking trojan. The recommended blocklist and sample MD5s can be found in this post*."
    * http://blog.dynamoo.com/2016/01/malw...ents-from.html
    ___

    Fake 'Close Invoice Finance Limited' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...e-finance.html
    7 Jan 2016 - "This fake financial spam comes with a malicious attachment:
    From: Carey Cross
    Date: 7 January 2016 at 11:35
    Subject: Close Invoice Finance Limited Statement 1/1
    Dear Customer,
    Please find attached your latest statement from Close Brothers Invoice Finance.
    Your username is 05510/0420078
    Your password should already be known to you...
    Regards
    Close Brothers Invoice Finance


    The sender's name will vary, as will the attachment name. I have only seen a single sample at the moment with a detection rate of 2/54*. Functionally, the payload is identical to that found in this earlier spam run**, and it drops the Dridex banking trojan."
    * https://www.virustotal.com/en/file/c...is/1452167385/

    ** http://blog.dynamoo.com/2016/01/malw...ents-from.html

    - http://myonlinesecurity.co.uk/close-...sheet-malware/
    7 Jan 2016 - "... an email with the subject of 'Close Invoice Finance Limited Statement 1/1' pretending to come from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    7 January 2016: invEF362145.doc - Current Virus total detections 2/56*
    Downloads the -same- Dridex banking malware from http :// 193.201.227.12/ideal/jenny.php as described in today’s earlier posts [1] [2]..."
    * https://www.virustotal.com/en/file/e...is/1452168289/

    1] http://myonlinesecurity.co.uk/ibstoc...sheet-malware/

    2] http://myonlinesecurity.co.uk/your-l...sheet-malware/

    Last edited by AplusWebMaster; 2016-01-07 at 18:58.
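The two posts above (#872 and #873) list the same Dridex delivery pattern over and over: a macro document fetches the second stage from `/jasmin/authentication.php` (6 Jan) or `/ideal/jenny.php` (7 Jan) on a handful of IPs, and the dropped binary then checks in to 78.47.119.93. The script below is an added illustration, not code from the forum or the cited blogs, of turning those quoted indicators into a proxy-log check; the Squid-style log layout and the sample lines are constructed assumptions.

```python
"""Match web-proxy log lines against the Dridex download/C2 indicators quoted
in posts #872 and #873 above. Added illustration; the log format and sample
lines are constructed, the indicators come from the quoted dynamoo.com and
myonlinesecurity.co.uk write-ups of 6-7 Jan 2016."""
import ipaddress
import re
from dataclasses import dataclass

# IPs and ranges from the "Recommended blocklist" sections quoted above.
BLOCKLIST = [
    "94.158.214.45", "78.47.119.93", "2.61.168.116", "37.46.130.53",
    "179.60.144.21", "195.191.25.138", "109.234.34.224",   # 6 Jan runs
    "176.103.48.0/20", "91.223.88.204/30", "193.201.227.12",  # 7 Jan runs
]
# Second-stage download paths and the binary each one delivered.
DOWNLOAD_PATHS = {"/jasmin/authentication.php": "tsx3.exe",
                  "/ideal/jenny.php": "geroin.exe"}
# Post-infection check-in host seen in every Malwr report quoted above.
C2_IP = ipaddress.ip_address("78.47.119.93")

NETWORKS = [ipaddress.ip_network(x, strict=False) for x in BLOCKLIST]

# Assumed Squid access.log layout: ts elapsed client code/status bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


@dataclass
class Alert:
    client: str
    dest: str
    reason: str


def _host_and_path(url):
    """Split 'http://host:port/path?query' into (host, path)."""
    m = re.match(r"^(?:https?://)?([^/:]+)(?::\d+)?(/[^?\s]*)?", url)
    if not m:
        return None, None
    return m.group(1), m.group(2) or "/"


def check_line(line):
    """Return an Alert if the line touches a quoted indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path = _host_and_path(m.group("url"))
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # hostname rather than bare IP; all indicators here are IPs
    reasons = []
    if path in DOWNLOAD_PATHS:
        reasons.append(f"stage-2 download path {path} (drops {DOWNLOAD_PATHS[path]})")
    if addr is not None:
        if addr == C2_IP:
            reasons.append("Dridex C2 check-in IP")
        elif any(addr in n for n in NETWORKS):
            reasons.append("IP in recommended blocklist")
    if not reasons:
        return None
    return Alert(m.group("client"), host, "; ".join(reasons))


def scan(lines):
    """Run check_line over an iterable of log lines and keep the hits."""
    return [a for a in (check_line(l) for l in lines) if a]


# Constructed sample log, not real traffic: one host fetches tsx3.exe and
# checks in, a second fetches geroin.exe from inside 176.103.48.0/20,
# and a benign request is included to show a non-match.
SAMPLE_LOG = """\
1452075300.101 120 10.1.2.33 TCP_MISS/200 14233 GET http://37.46.130.53/jasmin/authentication.php - DIRECT/37.46.130.53 application/octet-stream
1452075301.202 33 10.1.2.33 TCP_MISS/200 512 POST http://78.47.119.93/ - DIRECT/78.47.119.93 text/html
1452162100.400 90 10.1.2.57 TCP_MISS/200 14100 GET http://176.103.62.108/ideal/jenny.php - DIRECT/176.103.62.108 application/octet-stream
1452162101.500 15 10.1.2.57 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.client} -> {a.dest}: {a.reason}")
```

The CIDR entries matter because the 7 Jan download host 176.103.62.108 is caught by the quoted 176.103.48.0/20 range rather than by an exact IP.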

  4. #874
    AplusWebMaster (Adviser Team)

    Fake 'Invoice' SPAM, Malvertisers...

    FYI...

    Fake 'Invoice' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/invoic...sheet-malware/
    8 Jan 2016 - "An email with the subject of 'Invoice from DSV 7FF6AB68, ARIA (UK) LTD, 61694956, Customer ref: ALEX MUNRO, SE/GB' pretending to come from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Melba Schneider <SchneiderMelba36@ euro-net .pl>
    Date: Fri 08/01/2016 10:47
    Subject: Invoice from DSV 7FF6AB68 , ARIA (U K) LTD, 61694956, Customer ref: ALEX MUNRO, SE/GB
    Invoice/Creditnote no.: 7FF6AB68
    Total Amount: GBP 60,00
    Due Date: 28.01.2016
    If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
    Please see attached document.
    Best Regards
    Melba Schneider
    DSV Road Limited
    Scandinavia House ...


    8 January 2016: logmein_pro_receipt.xls - Current Virus total detections 1/54*
    MALWR** shows us a download of hram.exe from http :// 194.28.84.79/softparade/spanish.php which looks like Dridex banking malware (virusTotal 4/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1452250187/

    ** https://malwr.com/analysis/NWEyMzUwN...c2NDJjOThkYmI/
    194.28.84.79
    78.47.119.93


    *** https://www.virustotal.com/en/file/a...is/1452250858/

    - http://blog.dynamoo.com/2016/01/malw...-723a36b7.html
    8 Jan 2016 - "This -fake- financial spam is not from DSV Road Limited but is instead a simple forgery with a malicious attachment.
    From: Hoyt Fowler
    Date: 8 January 2016 at 10:49
    Subject: Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB
    Invoice/Creditnote no.: 723A36B7
    Total Amount: GBP 60,00
    Due Date: 28.01.2016
    If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
    Please see attached document.
    Best Regards
    Hoyt Fowler
    DSV Road Limited
    Scandinavia House ...


    ... In this case, the attachment was named INV-SE723A36B7.doc and had a VirusTotal detection rate of 1/55*. According to this Malwr report**, the sample attempts to download a further component:
    194.28.84.79 /softparade/spanish.php
    There will most likely be a couple of other download locations too (check back later for more). This IP address belongs to Hostpro in Ukraine. Those other locations are likely to be in Ukraine too. A file named hram.exe is dropped onto the target system with a detection rate of 4/54***. The Malwr report indicates that this communicates with:
    78.47.119.93 (Hetzner, Germany)
    This is a -critical- IP to block, as we also saw it in use yesterday. The payload is most likely the Dridex banking trojan...
    Recommended blocklist:
    78.47.119.93
    194.28.84.79
    "
    * https://www.virustotal.com/en/file/4...is/1452252108/

    ** https://malwr.com/analysis/MjI0NDM4N...FkYTFiY2RmODQ/
    194.28.84.79
    78.47.119.93


    *** https://www.virustotal.com/en/file/a...is/1452252679/
    ___

    'Let’s Encrypt'... abused by Malvertisers
    - http://blog.trendmicro.com/trendlabs...-malvertisers/
    Jan 6, 2016 - "... the potential for 'Let’s Encrypt' being -abused- has always been present. Because of this, we have kept an eye out for -malicious- sites that would use a Let’s Encrypt certificate. Starting on December 21, we saw activity going to a malvertising server, with traffic coming from users in Japan. This campaign led to sites hosting the Angler Exploit Kit, which would download a banking Trojan (BKDR_VAWTRAK.AAAFV) onto the affected machine:
    Daily hits to malvertising server:
    > https://blog.trendmicro.com/trendlab...crypt-2-01.png
    ... The malvertisers used a technique called “domain shadowing”. Attackers who have gained the ability to create subdomains under a legitimate domain do so, but the created subdomain leads to a server under the control of the attackers. In this particular case, the attackers created ad.{legitimate domain}.com under the legitimate site... Traffic to this created subdomain was protected with HTTPS and a Let’s Encrypt certificate... The domain hosted an ad which appeared to be related to the legitimate domain to disguise its traffic. Parts of its redirection script have also been moved from a JavaScript file into a .GIF file to make identifying the payload more difficult. Anti-AV code similar to what we found in the September attack is still present. In addition, it uses an open DoubleClick -redirect- ... users should also be aware that a “secure” site is -not- necessarily a safe site, and we also note that the best defense against exploit kits is still keeping software up-to-date to minimize the number of vulnerabilities that may be exploited..."

    > http://news.netcraft.com/archives/20...raudsters.html

    > http://news.netcraft.com/wp-content/...016/09/pie.png

    Fraudulent Digital Certificates
    - https://technet.microsoft.com/en-us/...y/2607712.aspx

    > https://www.fdic.gov/news/news/finan.../fil2704a.html

    Last edited by AplusWebMaster; 2016-01-08 at 18:20.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #875

    Russian ISP prevents Cisco from Shutting Down Cybercriminal Gang

    FYI...

    Russian ISP prevents Cisco from Shutting Down Cybercriminal Gang
    - http://yro.slashdot.org/story/16/01/...rcriminal-gang
    Jan 09, 2016 - "Cisco's Talos research team* has managed to identify and partially shut down a cyber-criminal group that is using the RIG exploit kit to infect users with spambots via a malvertising campaign**. Their investigation led them back to Russian ISP Eurobyte, who didn't bother answering critical emails and allowed the campaign to go on even today. In October 2015, Cisco's researchers also thwarted the activity of another group of cyber-criminals that made around $30 million from distributing ransomware."
    * http://blog.talosintel.com/2016/01/r...ompromise.html
    Jan 7, 2016 - "... when a provider is notified of malicious activity it is their responsibility to at least acknowledge the abuse and work to validate and, if legitimate, take the system offline. Webzilla did just that in our experience, but Eurobyte has not. This lack of response led Talos to make the decision to blacklist large portions of the provider's network to ensure that our customers are protected since reporting the abuse alone is not enough."

    ** http://news.softpedia.com/news/uncoo...g-498667.shtml
    ___

    LLoyds bank - 'update to our mobile banking app' – Phish
    - http://myonlinesecurity.co.uk/lloyds...phishing-scam/
    9 Jan 2016 - "... Today’s example is an email received with a subject of 'UPDATE NOTIFICATION' pretending to come from Lloyds plc <info@ glc .com>. Mobile apps and mobile banking are the new big thing and banks are encouraging users to use mobile banking... This one wants your personal bank log-in details in order to steal all your money. Many of them are also designed to specifically steal your email, Facebook and other social network log-in details... The original email looks like this. It will NEVER be a genuine email from your bank, or any other financial body, so don’t ever follow the link or fill in the html (webpage) form that comes attached to the email... If you are unwise enough to follow the link, which goes to http ://toxicwingsli .com/op.htm and then -redirects- you to http ://joelcomm .net/wp-content/l10yds/1e9644d8cb4d7dc77c5770ae1b84b3fa/ , you see a webpage looking like the genuine Lloyds log-in page; look carefully at the url in the top bar and you can see it isn’t Lloyds at all but a fake site:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...h_webpage1.png

    If you still haven’t realised that it is a phishing attempt and give them your username & password, you will be sent to the next page which asks for your memorable information. You then get bounced on to the genuine Lloyds Bank site..."

    toxicwingsli .com: 166.62.118.179: https://www.virustotal.com/en/ip-add...9/information/

    joelcomm .net: 23.235.226.77: https://www.virustotal.com/en/ip-add...7/information/

    Last edited by AplusWebMaster; 2016-01-10 at 17:14.

  6. #876

    Fake 'latest invoice', 'E-Service', 'Kaseya Invoice' SPAM

    FYI...

    Fake 'latest invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...oice-from.html
    11 Jan 2016 - "This -fake- financial spam does not come from UKFast but is instead a simple -forgery- with a malicious attachment.
    From UKFast Accounts [accounts@ ukfast .co.uk]
    Date Mon, 11 Jan 2016 11:00:10 +0300
    Subject Your latest invoice from UKFast No.1228407


    I am unable to determine what the body text is at the moment. In this case, the attachment was named Invoice-1228407.doc and has a VirusTotal detection rate of 3/54*. The Malwr report** shows that the malicious macro... downloads an executable from:
    www .vmodal .mx/5fgbn/7tfr6kj.exe
    This binary has a detection rate of 2/54***... This Malwr report[4] for the dropped file indicates network traffic to:
    114.215.108.157 (Aliyun Computing Co, China)
    I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
    * https://www.virustotal.com/en/file/0...is/1452505104/

    ** https://malwr.com/analysis/MTliNWQ5N...gxNGVmYzQyZDU/
    185.21.134.14
    114.215.108.157
    13.107.4.50


    *** https://www.virustotal.com/en/file/f...is/1452505941/
    TCP connections
    114.215.108.157: https://www.virustotal.com/en/ip-add...7/information/
    8.253.82.158: https://www.virustotal.com/en/ip-add...8/information/
    110.77.142.156: https://www.virustotal.com/en/ip-add...6/information/

    4] https://malwr.com/analysis/NTYzMjk4Z...E4ZWQ1NTA2Mzg/

    - http://myonlinesecurity.co.uk/your-l...sheet-malware/
    11 Jan 2016 - "An email with the subject of 'Your latest invoice from UKFast No.1228407' pretending to come from UKFast Accounts <accounts@ ukfast .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: UKFast Accounts <accounts@ukfast.co.uk>
    Date: Mon 11/01/2016 09:00
    Subject: Your latest invoice from UKFast No.1228407
    Hi,
    Thank you for choosing UKFast. Please find attached your latest invoice. You can also download it.
    As you have chosen to pay by Direct Debit there’s nothing more you need to do, payment will be taken on or after the date stated on your invoice.
    Should you have any queries relating to this invoice please raise an invoice query from within MyUKFast. Alternatively you can contact us on 0845 458 3535.
    Remember you can view all your invoices, set who should receive these alerts and much more all via MyUKFast.
    Kind Regards ...


    11 January 2016: Invoice-1228407.doc - Current Virus total detections 3/54*
    downloads Dridex banking malware from http ://www .vmodal .mx/5fgbn/7tfr6kj.exe (VirusTotal 1/55**)
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1452505104/

    ** https://www.virustotal.com/en/file/f...is/1452507654/
    TCP connections
    114.215.108.157: https://www.virustotal.com/en/ip-add...7/information/
    8.253.82.158: https://www.virustotal.com/en/ip-add...8/information/
    110.77.142.156: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'E-Service' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...urope-ltd.html
    11 Jan 2016 - "This -fake- financial spam does not come from E-Service (Europe) Ltd but is instead a simple -forgery- with a malicious attachment:
    From Andrew Williams [andrew.williams@ eurocoin .co.uk]
    Date Mon, 11 Jan 2016 17:07:38 +0700
    Subject E-Service (Europe) Ltd Invoice No: 10013405
    Dear Customer,
    Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
    to make payment for all transactions on or before their due date.
    Please contact E-Service (Europe) if you have any issues or queries preventing your
    prompt payment ...


    E-Service have been exceptionally quick about posting an update on their Twitter page*.
    * https://twitter.com/EServiceUK/statu...96655831625728
    However, they have -not- been hacked at all as it is trivially easy to forge an email message. The attachment is a malicious Excel spreadsheet which leads to the Dridex banking trojan. So far, I have seen -five- different versions of the attachment, all named Invoice 10013405.XLS ... The Malwr reports for the attachment... show that the macro in the spreadsheet downloads a file from the following locations:
    arellano .biz/5fgbn/7tfr6kj.exe
    pastorsschoolinternational .org/5fgbn/7tfr6kj.exe
    www.c0-qadevtest .net/5fgbn/7tfr6kj.exe
    This dropped file has a detection rate of 1/55**. It is the -same- binary as found in this earlier spam run*** which phones home to:
    114.215.108.157 (Aliyun Computing Co, China)
    This is an IP that I strongly recommend blocking..."
    ** https://www.virustotal.com/en/file/f...is/1452509215/
    TCP connections
    114.215.108.157
    8.253.82.158
    110.77.142.156


    *** http://blog.dynamoo.com/2016/01/malw...oice-from.html

    - http://myonlinesecurity.co.uk/e-serv...sheet-malware/
    11 Jan 2016 - "An email with the subject of 'E-Service (Europe) Ltd Invoice No: 10013405' pretending to come from with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Andrew Williams <andrew.williams@ eurocoin .co.uk>
    Date: Mon 11/01/2016 10:22
    Subject: E-Service (Europe) Ltd Invoice No: 10013405
    Dear Customer,
    Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you to make payment for all transactions on or before their due date.
    Please contact E-Service (Europe) if you have any issues or queries preventing your prompt payment...


    11 January 2016: loInvoice 10013405.XLS - Current Virus total detections 7/54*
    Downloads from http ://arellano .biz/5fgbn/7tfr6kj.exe which is the -same- Dridex banking malware as described in this slightly earlier post**..."
    * https://www.virustotal.com/en/file/1...is/1452509257/

    ** http://myonlinesecurity.co.uk/your-l...sheet-malware/
    ___

    Fake 'Kaseya Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...-1ed0c068.html
    11 Jan 2016 - "This -fake- financial email has a malicious attachment:
    From: Terry Cherry
    Date: 11 January 2016 at 10:48
    Subject: Kaseya Invoice - 1ED0C068
    Dear Accounts Payable,
    Thank you for your purchase of Kaseya Licenses. Attached please find our invoice for your purchase under the K2 Software Catalog.
    Our bank details for wire transfer are included on the attached invoice.
    Should you wish to submit payment via credit card, please contact our customer service department (billing-cs@ kaseya .com) for assistance with adding card details through our portal.
    Please do not hesitate to let us know if you have any questions.
    Thanks again for your patronage.
    Sincerely,
    Terry Cherry
    Kaseya Customer Invoicing ...


    The sender's name, references and attachments may vary. This appears to be a spam from Dridex 120, and it is a characteristic that there is a very-large-number-of-variants of the attachments. In this case, I analysed three different attachments with a detection rate of about 2/55 [1]... which according to these Malwr reports [4]... download a binary from the following locations:
    5.189.216.10 /montana/login.php
    77.246.159.154 /montana/login.php
    109.234.39.40 /montana/login.php
    All of these IPs should be considered to be malicious:
    5.189.216.10 (LLHost Inc, Netherlands)
    77.246.159.154 (JSC Server, Russia)
    109.234.39.40 (McHost.ru, Russia)
    A binary named trap.exe ... a detection rate of 5/54[7] is downloaded. According to this Malwr report[8] the executable phones home to:
    78.47.119.93 (Hetzner, Germany)
    The payload is the Dridex banking trojan.
    Recommended blocklist:
    78.47.119.93
    5.189.216.10
    77.246.159.154
    109.234.39.0/24
    "
    1] https://www.virustotal.com/en/file/e...is/1452510008/

    4] https://malwr.com/analysis/MjY3NDlmN...dkM2UwM2FjY2M/

    7] https://www.virustotal.com/en/file/9...is/1452510360/

    8] https://malwr.com/analysis/NTA1YzViM...NmNWU4ZjQyOWM/

    - http://myonlinesecurity.co.uk/kaseya...sheet-malware/
    11 Jan 2016 - "An email with the subject of 'Kaseya Invoice – DD5A9977' pretending to come from random names, companies and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Alvin Fry <FryAlvin59518@ attrazioneviaggi .it>
    Date: Mon 11/01/2016 11:00
    Subject: Kaseya Invoice – DD5A9977
    Dear Accounts Payable,
    Thank you for your purchase of Kaseya Licenses. Attached please find our invoice for your purchase under the K2 Software Catalog.
    Our bank details for wire transfer are included on the attached invoice.
    Should you wish to submit payment via credit card, please contact our customer service department (billing-cs@ kaseya .com) for assistance with adding card details through our portal.
    Please do not hesitate to let us know if you have any questions.
    Thanks again for your patronage...


    11 January 2016: Invoice-19071543.doc - Current Virus total detections 2/55*
    downloads the -same- Dridex banking malware from the same locations as described in THIS post**..."
    * https://www.virustotal.com/en/file/8...is/1452515923/

    ** http://myonlinesecurity.co.uk/invoic...sheet-malware/
    ___

    Fake 'Invoice-11JAN15' SPAM - leads to malware
    - http://blog.dynamoo.com/2016/01/malw...771728-gb.html
    11 Jan 2016 - "This rather generic looking spam email leads to malware:
    From: Raleigh Frazier [FrazierRaleigh8523@ amnet .net.au]
    Date: 11 January 2016 at 11:20
    Subject: Invoice-11JAN15-53771728-GB
    Dear Customer,
    Please find attached Invoice 53771728 for your attention.
    Should you have any Invoice related queries please do not hesitate to
    contact either your designated Credit Controller or the Main Credit Dept. on
    02051 2651180.
    For Pricing or other general enquiries please contact your local Sales Team.
    Yours Faithfully,
    Credit Dept'


    The name of the sender, references and attachment name varies. There are at least -three- different variations of the attachment, probably more. Detection rates are approximately 2/55*... and these Malwr reports [4].. indicate that the behaviour is very similar to the one found in this spam run**."
    * https://www.virustotal.com/en/file/d...is/1452511471/

    4] https://malwr.com/analysis/YjA0MjRlM...gyMmIxZDBiODc/

    ** http://blog.dynamoo.com/2016/01/malw...-1ed0c068.html

    Last edited by AplusWebMaster; 2016-01-11 at 14:25.
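    The dynamoo write-ups quoted in posts #874 and #876 above each end with a "Recommended blocklist" and a note that the download paths (/softparade/spanish.php, /5fgbn/7tfr6kj.exe, /montana/login.php) will turn up on further hosts. Blocking is only half of it; the same indicators are worth sweeping proxy logs with to find the hosts that already fetched the payload or reached the C2. The script below is an added example, not code from either blog or from this thread: it loads the IPs, the /24, the download hosts and the download paths exactly as quoted in those two posts and matches them against proxy-log lines in an assumed "epoch client method url status" layout. The log lines, the 10.0.0.x clients and the example.com / example.net hosts are constructed for the example. The path-only rule is what catches a new download location on a host nobody has listed yet, and a CONNECT to a C2 IP is weighted above a mere download attempt, because it means the macro's payload actually ran.

```python
import ipaddress
from urllib.parse import urlparse

# Indicators copied from the dynamoo / myonlinesecurity write-ups quoted in posts #874 and #876.
C2_IPS = {
    "78.47.119.93",       # Dridex C2 (Hetzner, DE), seen across several runs
    "114.215.108.157",    # Dridex C2 (Aliyun, CN)
}
DOWNLOAD_IPS = {
    "194.28.84.79",       # /softparade/spanish.php (Hostpro, UA)
    "5.189.216.10",       # /montana/login.php (LLHost, NL)
    "77.246.159.154",     # /montana/login.php (JSC Server, RU)
}
BLOCK_NETS = [ipaddress.ip_network("109.234.39.0/24")]   # post #876 blocks the whole /24
DOWNLOAD_HOSTS = {
    "www.vmodal.mx", "arellano.biz",
    "pastorsschoolinternational.org", "www.c0-qadevtest.net",
}
# Path-only rule: dynamoo expects "other download locations" on hosts not yet known.
DOWNLOAD_PATHS = {"/softparade/spanish.php", "/5fgbn/7tfr6kj.exe", "/montana/login.php"}


def classify(url):
    """Return the list of IOC reasons a requested URL (or CONNECT host:port) matches."""
    u = urlparse(url if "://" in url else "http://" + url)   # CONNECT lines carry host:port only
    host = (u.hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                                           # a name, not a literal address
    reasons = []
    if ip is not None:
        if host in C2_IPS:
            reasons.append("c2-ip")
        elif host in DOWNLOAD_IPS or any(ip in net for net in BLOCK_NETS):
            reasons.append("download-ip")
    elif host in DOWNLOAD_HOSTS:
        reasons.append("download-host")
    if u.path in DOWNLOAD_PATHS:
        reasons.append("download-path")
    return reasons


def scan_log(lines):
    """Parse 'epoch client method url status' proxy lines; return (client, url, reasons) per hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue                      # skip malformed lines rather than abort the sweep
        _epoch, client, _method, url, _status = parts[:5]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


def likely_infected(hits):
    """Clients that reached a C2 IP: the payload ran, not just a (possibly blocked) download."""
    return sorted({client for client, _url, reasons in hits if "c2-ip" in reasons})


# Constructed proxy log: clients, timestamps and the example.* hosts are made up for this example.
SAMPLE_LOG = [
    "1452252108 10.0.0.15 GET http://194.28.84.79/softparade/spanish.php 200",
    "1452252120 10.0.0.15 CONNECT 78.47.119.93:443 200",
    "1452505104 10.0.0.22 GET http://www.vmodal.mx/5fgbn/7tfr6kj.exe 200",
    "1452505110 10.0.0.22 CONNECT 114.215.108.157:443 200",
    "1452510360 10.0.0.31 GET http://109.234.39.40/montana/login.php 200",
    "1452510400 10.0.0.31 GET http://cdn.example.net/5fgbn/7tfr6kj.exe 404",
    "1452510500 10.0.0.40 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, ",".join(reasons))
    print("likely infected:", likely_infected(scan_log(SAMPLE_LOG)))
```

    Feed it a real proxy export with the same five leading columns and the hit list is a ready-made ticket per client; the 404 on cdn.example.net is deliberately still reported, since an attempted fetch of a Dridex path is evidence the macro was enabled even if the stage-two download failed.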

  7. #877

    Fake 'Lattitude Invoice', 'payment', 'Payment Advice', 'Sales Invoice' SPAM, Ransom32

    FYI...

    Fake 'Lattitude Invoice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...de-global.html
    12 Jan 2016 - "This -fake- financial spam comes from random senders and with different reference details. It does not come from Lattitude Global Volunteering but is instead a simple -forgery- with a malicious attachment.
    From: Darius Green
    Date: 12 January 2016 at 09:33
    Subject: Lattitude Global Volunteering - Invoice - 3FAAB65
    Dear customer,
    Please find attached a copy of your final invoice for your placement in Canada.
    This invoice needs to be paid by the 18th January 2016.
    Due to recent increases on credit card charges, we prefer that you make a payment for your invoice on a bank transfer our bank details are.
    You must provie your invoice number or account reference when you make the payment in order for us to allocate the payment to your account.
    Account Name: Lattitude Global Volunteering
    Bank: Barclays Bank
    Sort Code: 20-71-03
    Account No. 20047376
    IBAN: GB13BARC20710320047376
    SWIFBIC: BARCGB22
    Kind regards
    Luis Robayo
    Accounts Department
    Lattitude Global Volunteering ...


    I have personally only seen two samples so far with detection rates of 2/55 [1] [2]. These two Malwr reports [3] [4] plus some private sources indicate that the attachments download from the following locations:
    31.131.20.217/shifaki/indentification.php
    185.125.32.39/shifaki/indentification.php
    5.34.183.41/shifaki/indentification.php
    5.149.254.84/shifaki/indentification.php
    This is characteristic of spam sent by the Dridex 120 botnet. All the IPs can be considered to be -malicious- and should be blocked.
    31.131.20.217 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
    185.125.32.39 (Sembol Internet Hizmetleri ve Dis Ticaret Ltd, Turkey)
    5.34.183.41 (ITL Company, Ukraine)
    5.149.254.84 (Fortunix Networks, Netherlands)
    A file kfc.exe is dropped onto the target system which has a detection rate of 6/52*... Those previous Malwr reports indicate that it phones home to a familiar IP of:
    78.47.119.93 (Hetzner, Germany)
    Recommended blocklist:
    78.47.119.93
    31.131.20.217
    185.125.32.39
    5.34.183.41
    5.149.254.84
    "
    1] https://www.virustotal.com/en/file/9...is/1452594409/

    2] https://www.virustotal.com/en/file/1...is/1452594427/

    3] https://malwr.com/analysis/YzM3NTc3M...hhZmQyMDYxMjM/

    4] https://malwr.com/analysis/MzdjNGRjN...MxM2Q2NjM3ZjM/

    * https://www.virustotal.com/en/file/9...is/1452595124/

    - http://myonlinesecurity.co.uk/lattit...sheet-malware/
    12 Jan 2016 - "An email with the subject of 'Lattitude Global Volunteering – Invoice – AF6643A' (random numbers) pretending to come from random names, companies and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    12 January 2016: Invoice – AF6643A.doc - Current Virus total detections 2/54*
    MALWR analysis** shows it downloads Dridex banking malware from http :// 5.149.254.84/shifaki/indentification.php named as 120CR.exe, which looks suspiciously familiar from recent days (VirusTotal 6/54***)..."
    * https://www.virustotal.com/en/file/3...is/1452591731/

    ** https://malwr.com/analysis/ZTFjNWI2Z...E5MDRkZDE0MGU/
    5.149.254.84
    78.47.119.93


    *** https://www.virustotal.com/en/file/9...is/1452592072/
    ___

    Fake 'payment' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/mgu-tr...sheet-malware/
    12 Jan 2016 - "An email with the subject on the -theme- of payment, transaction, Transfer coming from random email addresses and random people with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... These malicious word docs appear to be based on the Black Energy dropper described HERE:
    > https://isc.sans.edu/forums/diary/Bl...Dropper/20601/
    The email looks like:
    From: Random senders like Hermione Acevedo <info@ gistparrot .com> or Avye Brown <werbeteam@ gmx .de>
    Date: Tue 12/01/2016 06:02
    Subject: Random subjects like Fwd: MGU Transaction, AI Transaction, VL Payment, AJ Transfer
    Good morning
    Please find the receipt attached to this message. The Transaction will be posted on your account in two days.
    Regards
    Hermione Acevedo

    -Or-
    Good Day
    Please check the invoice enclosed with this message. The Transaction will be posted on your bank within 1-2 days.
    Best regards
    Avye Brown


    12 January 2016: 51U5P05W22P34.doc - Current Virus total detections 1/54*
    ReverseIT analysis**. These are very -different- to previous macro word docs. This one contacts
    crechemploi .be/wpl.jpg?ICpz8scC0AI=35 (VirusTotal 0/54***) and downloads an -image- file wpl.jpg which is extremely large 245kb for a small image. It looks like it has embedded -malware- inside it which in this example is named 3088239.exe (VirusTotal 2/55[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1452581898/

    ** https://www.reverse.it/sample/fa7bcf...nvironmentId=1
    195.154.231.179: https://www.virustotal.com/en/ip-add...9/information/
    104.224.128.163: https://www.virustotal.com/en/ip-add...3/information/

    *** https://www.virustotal.com/en/file/9...is/1452584610/

    4] https://www.virustotal.com/en/file/a...is/1452585387/

    crechemploi .be: 195.154.231.179: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake 'Payment Advice' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...002014343.html
    12 Jan 2016 - "This -fake- financial spam is not from Wipro but is instead a simple -forgery- with a malicious attachment.
    From: Bhavani Gullolla [bhavani.gullolla1@ wipro .com]
    Date: 12 January 2016 at 09:51
    Subject: Payment Advice - 0002014343
    Dear Sir/Madam,
    This is to inform you that we have initiated the electronic payment through our Bank.
    Please find attached payment advice which includes invoice reference and TDS deductions if any.
    Transaction Reference :
    Vendor Code :9189171523
    Company Code :WT01
    Payer/Remitters Reference No :63104335
    Beneficiary Details :43668548/090666
    Paymet Method : Electronic Fund Transfer
    Payment Amount :1032.00
    Currency :GBP
    Processing Date :11/01/2016 ...


    The attachment is randomly-named in the format 9705977867.doc which I have seen in two different versions with detection rates of 5/54 [1] [2], and according to the Malwr reports [3] [4] they both download a -malicious- binary from:
    hotpointrepair .info/u5y4g3/76u54g.exe
    This download location is characteristic of the Dridex 220 botnet. The downloaded binary has a detection rate of 4/55* and this Malwr report** shows network traffic to:
    199.231.189.9 (Interserver Inc, US)
    I strongly recommend that you -block- this IP address..."
    1] https://www.virustotal.com/en/file/e...is/1452596943/

    2] https://www.virustotal.com/en/file/a...is/1452596954/

    3] https://malwr.com/analysis/NWFkMjdkM...A0NWIwOGJlZDg/
    66.147.242.93
    199.231.189.9
    8.254.249.78


    4] https://malwr.com/analysis/MTRjMDQ4O...Y2OGExYWVmZjk/
    66.147.242.93
    199.231.189.9
    184.28.188.195


    * https://www.virustotal.com/en/file/d...is/1452597607/

    ** https://malwr.com/analysis/MjMyMzQ1M...NhOWM3MmZlMDU/
    199.231.189.9
    13.107.4.50


    hotpointrepair .info: 66.147.242.93: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/dd...11b3/analysis/
    ___

    Fake 'Sales Invoice' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/sales-...sheet-malware/
    12 Jan 2016 - "An email with the subject of 'Sales Invoice SIN040281 from Charbonnel et Walker Limited' pretending to come from Corinne Young <corinne.young@ charbonnel .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...d-1024x464.png

    12 January 2016: SIN040281.DOC - Current Virus total detections 4/55*
    Downloads Dridex banking malware from http ://hotpointrepair .info/u5y4g3/76u54g.exe (VirusTotal 1/55**)
    -same- Dridex malware as other malspam runs. Note: Dridex updates frequently during the day, so you might get a different malware version... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x412.png
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1452601210/

    ** https://www.virustotal.com/en/file/0...is/1452599104/
    TCP connections
    199.231.189.9: https://www.virustotal.com/en/ip-add...9/information/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/

    hotpointrepair .info: 66.147.242.93: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/dd...11b3/analysis/
    ___

    'LloydsLink online website changes' - PHISH
    - http://myonlinesecurity.co.uk/lloyds...nges-phishing/
    12 Jan 2016 - "... Today’s example is an email received with a subject of 'LloydsLink online website changes' pretending to come from LloydsLink online <Hugo.Batzold@ lloydslink.online .lloydsbank .com>.
    We have been seeing these sorts of emails for -numerous- banks recently... Note the 0 instead of the o in the second Lloyds. You see a webpage looking identical to the genuine Lloydslink log-in page; look carefully at the url in the top bar and you can see it isn’t Lloyds at all but a -fake- site:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...m-1024x365.png

    If you still haven’t realised that it is a phishing attempt and give them your username & password, you will then get bounced on to the -genuine- Lloyds Bank site:
    > https://lloydslink.online.lloydsbank...on/Logon.xhtml
    ... and think that you just didn’t enter details correctly or mistyped a digit and need to re-enter them and won’t even pay any attention, until you get the dreaded letter or phone call saying someone has emptied your bank account. All of these emails use Social engineering tricks to persuade you to follow the links or open the attachments that come with the email..."
    ___

    Ransom32 – the malicious package
    - https://blog.malwarebytes.org/intell...cious-package/
    Jan 11, 2016 - "Ransom32 is a new ransomware implemented in a very atypical style. Emsisoft provides a good description of its functionality here:
    > http://blog.emsisoft.com/2016/01/01/...pt-ransomware/
    ... we will focus on some implementation details of the malicious package. Ransom32 is delivered as an executable that is in reality an autoextracting WinRAR archive. By default it is distributed as a file with a .scr extension:
    > https://blog.malwarebytes.org/wp-con...nsom32_scr.png
    The WinRAR script is used to drop files in the specified place and autorun the unpacked content... Installation directory created in %TEMP%... The unpacked content consist of following files:
    > https://blog.malwarebytes.org/wp-con...32_content.png
    chrome.exe spoofs Google’s browser, but in reality it is an element responsible for preparing and running the Node JS application (that is the -main- part of the ransomware). After the chrome.exe is run from the %TEMP% folder, it installs the above files into %APPDATA% -in folder Chrome Browser:
    > https://blog.malwarebytes.org/wp-con.../installed.png
    ... After encrypting the files, the ransom nag-window is displayed. The gui is generated by javascript, with the layout defined by the included CSS:
    > https://blog.malwarebytes.org/wp-con...m32_screen.png
    The internet connection is operated via included Tor client – renamed to rundll32.exe ...
    Conclusion: In the past, malware authors cared mostly about small size of their applications – that’s why early viruses were written in assembler. Nowadays, technologies used and goals have changed. The most important consideration is not the size, but the ability to imitate legitimate applications, for the purpose of avoiding detection. Authors of Ransom32 went really far in this direction. Their package is huge in comparison to typical samples. It consists of various elements, including legitimate applications – i.e. the Tor client (renamed to rundll32.exe). The technology that they have chosen for the core – Node JS – is a complete change of direction from the malware written in low-level languages. However, compiled JavaScript (although it works about 30 percent slower than not compiled) is not very popular and there is a lack of tools to analyze it – which makes it a good point for malware authors, who gain some level of code protection..."
    (More detail at the malwarebytes URL at the top.)

    Last edited by AplusWebMaster; 2016-01-12 at 15:21.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #878
    AplusWebMaster

    MS account Phish, Fake 'Scanned Document', 'Order' SPAM

    FYI...

    MS account security info verification – Phish
    - http://myonlinesecurity.co.uk/micros...tion-phishing/
    13 Jan 2016 - "... phishing attempts against Microsoft office and outlook accounts. This one starts with an email with the subject 'Microsoft account security info verification' pretending to come from Microsoft <security-noreply@ account .microsoft .com> . One of the major common subjects in this sort of phishing attempt is 'Your password will expire soon' or 'update your email' or something very similar. This one only wants your email / Microsoft account log in details...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...n-1024x550.png

    The link behind the 'Upgrade Now' is http ://tenga .my/wp-content/outnew/index.php?email=victim@doamain.com. If you are unwise enough to follow the link you see a webpage looking like:
    > http://myonlinesecurity.co.uk/wp-con...n-1024x542.png
    ... which is a very good imitation of a genuine Microsoft 365 log on page. If you do fill in the email and password, you immediately get sent to the genuine Office 365 log on page and you just think that you might have entered the email or password incorrectly and do it again. All of these emails use Social engineering tricks to persuade you to follow links or open the attachments that come with the email..."

    tenga .my: 181.224.159.177: https://www.virustotal.com/en/ip-add...7/information/
    > https://www.virustotal.com/en/domain...y/information/
    ___

    Fake 'Scanned Document' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/scanne...sheet-malware/
    13 Jan 2016 - "An email with the subject of 'Scanned Document MRH Solicitors' pretending to come from Color @ MRH Solicitors <color93@ yahoo .co.uk> (random color numbers) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Color @ MRH Solicitors <color93@ yahoo .co.uk>
    Date: Wed 13/01/2016 08:26
    Subject: Scanned Document
    Find the attachment for the scanned Document


    13 January 2016: ScannedDocs122151.xls - Current Virus total detections 7/54*
    Downloads Dridex banking malware from http ://armandosofsalem .com/l9k7hg4/b4387kfd.exe (VirusTotal 3/56**)...
    DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
    > http://myonlinesecurity.co.uk/?attachment_id=5895
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1452675230/

    ** https://www.virustotal.com/en/file/e...is/1452675552/

    armandosofsalem .com: 192.254.189.167: https://www.virustotal.com/en/ip-add...7/information/

    - http://blog.dynamoo.com/2016/01/malw...color-mrh.html
    13 Jan 2016 - "... The Hybrid Analysis* of the dropped binary shows attempted network traffic to the following domains:
    exotelyxal .com
    akexadyzyt .com
    ekozylazal .com
    These are hosted on an IP worth blocking:
    158.255.6.128 (Mir Telematiki Ltd, Russia)"
    * https://www.hybrid-analysis.com/samp...nvironmentId=4
    b4387kfd.exe
    ___

    Fake 'Order' SPAM - doc malware
    - http://myonlinesecurity.co.uk/order-...d-doc-malware/
    13 Jan 2016 - "An email with the subject of 'Order 0046/033777 [Ref. MARKETHILL CHURCH]' pretending to come from JOHN RUSSELL <John.Russell@ yesss .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...H-1024x966.png

    13 January 2016: Order 0046_033777 [Ref. MARKETHILL CHURCH].doc - Current Virus total detections 6/55*
    MALWR** shows a download from http ://amyzingbooks .com/l9k7hg4/b4387kfd.exe which will be a Dridex banking malware (VirusTotal 2/55***). This site was used in earlier Dridex downloads today but -different- versions were offered... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1452694400/

    ** https://malwr.com/submission/status/...Q4YTdhOWY2NDA/

    *** https://www.virustotal.com/en/file/3...is/1452695776/
    TCP connections
    85.25.200.103: https://www.virustotal.com/en/ip-add...3/information/

    - http://blog.dynamoo.com/2016/01/malw...33777-ref.html
    13 Jan 2016 - "... This binary has a detection rate of 4/53*. The Hybrid Analysis** shows the malware phoning home to:
    85.25.200.103 (PlusServer AG, Germany)
    I recommend that you -block- traffic to that IP."
    * https://www.virustotal.com/en/file/3...is/1452699929/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    Last edited by AplusWebMaster; 2016-01-13 at 17:35.

  9. #879
    AplusWebMaster

    Fake 'scanner' SPAM, Evil network: 46.30.40.0/21

    FYI...

    Fake 'scanner' SPAM - doc malware
    - http://myonlinesecurity.co.uk/messag...d-doc-malware/
    14 Jan 2016 - "An empty or blank email with the subject of 'Message from local network scanner' pretending to come from jpaoscanner at your own email domain with a malicious word doc attachment is another one from the current bot runs... The attachment to these are named Scann16011310150.docf . Note the F after the doc which effectively makes them useless because Windows doesn’t know what to do with them and asks you. They will open in Word, if you tell them to, and do contain a malicious macro that will infect you.
    Update: a second batch a few minutes after the first run now has a proper word doc attachment, although the body is still -blank- . The email looks like:
    From: jpaoscanner@ ....co.uk
    Date:Thu 14/01/2016 10:52
    Subject: Message from local network scanner


    Body content: EMPTY

    12 January 2016: Scann16011310150.docf - Current Virus total detections 2/53*
    downloads Dridex banking malware from 199.59.58.162 :80 /~admin1/786h5g4/9787g4fr4.exe (VirusTotal 3/56**)
    (reverseIT***)
    12 January 2016: Scann16011310150.doc - Current Virus total detections 3/54[4]
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1452768488/

    ** https://www.virustotal.com/en/file/9...is/1452770219/

    *** https://www.reverse.it/sample/ecacd3...nvironmentId=1
    Contacted Hosts:
    199.59.58.162: https://www.virustotal.com/en/ip-add...2/information/
    188.138.88.14: https://www.virustotal.com/en/ip-add...4/information/

    4] https://www.virustotal.com/en/file/1...is/1452769443/

    - http://blog.dynamoo.com/2016/01/malw...l-network.html
    14 Jan 2016 - "This -fake- document scan comes with a malicious attachment.
    From: jpaoscanner@ victimdomain .tld
    Date: 14 January 2016 at 10:45
    Subject: Message from local network scanner


    There is no body text, and the email appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a file Scann16011310150.docf which comes in at least -five- different versions...
    Hybrid Analysis shows one of the samples in action, downloading a binary from:
    www .willsweb .talktalk .net/786h5g4/9787g4fr4.exe
    This has a detection rate of 3/55*. That same analysis reports that it phones home to:
    188.138.88.14 (PlusServer AG, France)...I strongly recommend that you -block- traffic to that IP..."
    * https://www.virustotal.com/en/file/9...is/1452771350/
    TCP connections
    188.138.88.14: https://www.virustotal.com/en/ip-add...4/information/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
    ___

    800 risk experts from 40 countries identify the top global business risks
    - http://net-security.org/secworld.php?id=19327
    14 Jan 2016
    > http://www.net-security.org/images/a...s-012016-1.jpg

    >> http://www.net-security.org/images/a...s-012016-2.jpg
    ___

    Evil network: 46.30.40.0/21...
    - http://blog.dynamoo.com/2016/01/evil...e-llc-and.html
    13 Jan 2016 23:23 - "... From looking around, it seemed that whoever Eurobyte rented servers to had an unhealthy interest in CryptoWall and the Angler EK. Eurobyte is a Russian hosting company, which in turn is a customer of Webzilla in the Netherlands... there are -thousands- of subdomains hosted in the 46.30.40.0/21 range, where the main domain (e.g. www) is hosted in a completely -different- location. The subdomains are then used to host malware such as the Angler Exploit Kit... What appears to be going on here is a domain shadowing attack on a massive scale[1], primarily leading victims to exploit kits. There do appear to be some genuine Russian-language sites hosted in this block. But if you don't tend to send visitors to Russian sites, I would very strongly recommend -blocking- 46.30.40.0/21 from your network... The attack is known sometimes as 'domain shadowing'... While researching this topic, I discovered that Talos had done some similar work* which also pointed a finger at Eurobyte and their very lax control over their network."
    * http://blog.talosintel.com/2016/01/r...ompromise.html
    Jan 7, 2016 - "... when a provider is notified of -malicious- activity it is their responsibility to at least acknowledge the abuse and work to validate and, if legitimate, take the system offline. Webzilla did just that in our experience, but Eurobyte has not. This lack of response led Talos to make the decision to blacklist large portions of the provider's network to ensure that our customers are protected since reporting the abuse alone is not enough."

    1] http://blogs.cisco.com/security/talo...wing#shadowing

    Last edited by AplusWebMaster; 2016-01-14 at 23:39.
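    The domain shadowing pattern dynamoo describes above has a simple baseline check: the apex or www record of a legitimate domain resolves to its usual hoster, while freshly created subdomains of the same domain resolve into the abused range (46.30.40.0/21 in the post). The following is an added example, not code from the dynamoo or Talos posts, that runs that heuristic over passive-DNS style (name, A record) pairs. The records and domain names are constructed for the example; the "last two labels" notion of a registered domain is a simplification (real code would consult the Public Suffix List), and a domain whose apex itself sits in the range is treated as genuinely hosted there rather than shadowed, as the post notes some Russian sites are.

```python
import ipaddress
from collections import defaultdict

# Range named in the post as hosting the shadowed subdomains.
WATCHED = ipaddress.ip_network("46.30.40.0/21")

# Constructed passive-DNS style records (name, A record) for this example; not real data.
RECORDS = [
    ("www.example-shop.com", "203.0.113.10"),
    ("example-shop.com", "203.0.113.10"),
    ("xk3f9.example-shop.com", "46.30.41.77"),          # shadowed: apex is elsewhere
    ("login-update.example-shop.com", "46.30.44.5"),    # shadowed: apex is elsewhere
    ("www.example-blog.net", "198.51.100.20"),
    ("mail.example-blog.net", "198.51.100.21"),         # ordinary subdomain, not in range
    ("www.ru-legit.example", "46.30.42.9"),             # whole site hosted in the range
    ("shop.ru-legit.example", "46.30.42.10"),
    ("abc.noapex.org", "46.30.45.1"),                   # no apex record: no baseline
]


def registered_domain(name: str) -> str:
    """Simplification: last two labels. Production code should use the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def is_apex_name(name: str, base: str) -> bool:
    n = name.lower().rstrip(".")
    return n == base or n == "www." + base


def find_shadowed(records, watched=WATCHED) -> dict:
    """Map registered domain -> sorted subdomains that resolve into `watched`
    while the domain's apex/www records resolve outside it."""
    by_domain = defaultdict(list)
    for name, ip in records:
        by_domain[registered_domain(name)].append((name, ipaddress.ip_address(ip)))

    findings = {}
    for base, entries in by_domain.items():
        apex_ips = [ip for n, ip in entries if is_apex_name(n, base)]
        if not apex_ips:
            continue  # nothing to compare against; needs a live lookup of the apex
        if any(ip in watched for ip in apex_ips):
            continue  # the site is genuinely hosted in the range, not shadowed
        suspects = sorted(n for n, ip in entries
                          if not is_apex_name(n, base) and ip in watched)
        if suspects:
            findings[base] = suspects
    return findings


if __name__ == "__main__":
    for base, names in find_shadowed(RECORDS).items():
        print(base, "->", ", ".join(names))
```

    On the constructed records only example-shop.com is reported, with its two look-alike subdomains; the range-hosted site and the domain without an apex record are skipped rather than guessed at. Fed with real passive-DNS output for the 46.30.40.0/21 range, the same loop gives a per-domain list that can be checked against the registrant before blocking.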

  10. #880
    AplusWebMaster

    Fake 'order #7738326' SPAM

    FYI...

    Fake 'order #7738326' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...8326-from.html
    15 Jan 2016 - "This -fake- financial spam does not come from The Safety Supply Company but is instead a simple -forgery- with a malicious attachment:
    From: Orders - TSSC [Orders@ thesafetysupplycompany .co.uk]
    Date: 15 January 2016 at 09:06
    Subject: Your order #7738326 From The Safety Supply Company
    Dear Customerl
    Thank you for your recent purchase.
    Please find the details of your order through The Safety Supply Company attached to this email.
    Regards,
    The Sales Team


    So far I have seen just a single sample, with an attachment Order.doc which has a VirusTotal detection rate of 4/55*... likely to be the Dridex banking trojan. This Hybrid Analysis** on the first sample shows it downloading from:
    149.156.208.41 /~s159928/786585d/08g7g6r56r.exe
    That download IP belongs to Academic Computer Centre CYFRONET AGH, Poland. This executable also seems to communicate with:
    216.117.130.191 (Advanced Internet Technologies Inc., US)
    41.38.18.230 (TE Data, Egypt)
    5.9.37.137 (Hetzner, Germany)
    I have now seen another version of the DOC file [VT 4/54***] which has similar characteristics[4]... This related spam run gives some additional download locations:
    nasha-pasika .lviv .ua/786585d/08g7g6r56r.exe
    arm .tv/786585d/08g7g6r56r.exe
    Sources also tell me that there is one at:
    204.197.242.166 /~topbun1/786585d/08g7g6r56r.exe
    Recommended blocklist:
    88.208.35.71
    216.117.130.191
    116.12.92.107
    46.32.243.144
    195.96.228.199
    161.53.144.25
    41.38.18.230
    204.197.242.166
    149.156.208.41"
    * https://www.virustotal.com/en/file/6...is/1452849120/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    *** https://www.virustotal.com/en/file/b...is/1452849706/

    4] https://www.hybrid-analysis.com/samp...nvironmentId=1

    - http://myonlinesecurity.co.uk/your-o...sheet-malware/
    15 Jan 2016 - "An email with the subject of 'Your order #7738326 From The Safety Supply Company' pretending to come from 'Orders – TSSC <Orders@ thesafetysupplycompany .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Orders – TSSC <Orders@ thesafetysupplycompany .co.uk>
    Date: Fri 15/01/2016 09:20
    Subject: Your order #7738326 From The Safety Supply Company
    Dear Customerl
    Thank you for your recent purchase.
    Please find the details of your order through The Safety Supply Company attached to this email.
    Regards,
    The Sales Team


    15 January 2016: Order.doc - Current Virus total detections 4/54*
    downloads Dridex banking malware from 149.156.208.41 /~s159928/786585d/08g7g6r56r.exe (VirusTotal 2/53**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1452851905/

    ** https://www.virustotal.com/en/file/2...is/1452851228/
    ___

    SPAM with damaged or broken office doc or XLS attachments
    - http://myonlinesecurity.co.uk/kelly-...ls-attachment/
    15 Jan 2016 - "The Dridex bots are still not having a good day today. The -3rd- malformed/damaged/broken malspam is an email with the subject of 'Statement' pretending to come from Kelly Pollard <kelly.pollard@ carecorner .co.uk> with a -damaged- attachment that is supposed to be a malicious word doc or XLS spreadsheet attachment... Some malformed or misconfigured email servers might attempt to fix the broken email and actually deliver a working copy.
    The damaged/broken attachment has a name something like Statement 012016.doc
    Downloading this one from quarantine on my server gives what looks like a genuine word doc, unlike the earlier ones. VirusTotal Detections 7/55* which will attempt to download Dridex banking malware... (waiting for analysis) please check back later..."
    * https://www.virustotal.com/en/file/6...is/1452864034/
    Statement 012016.doc

    - http://blog.dynamoo.com/2016/01/malw...ent-kelly.html
    15 Jan 2016 - "This fake financial spam is meant to have a malicious attachment, but it is corrupt:
    From Kelly Pollard [kelly.pollard@ carecorner .co.uk]
    Date Fri, 15 Jan 2016 13:56:01 +0200
    Subject Statement
    Your report is attached in DOC format.
    Kelly Pollard
    Marketing Manager ...


    The attachment is named Statement 012016.doc but due to an error in the email it is corrupt, and is either zero length or will produce garbage. If it were to work, it would produce a payload similar to that found here* and here**, namely the Dridex banking trojan. This is the -third- corrupt Dridex run today..."
    * http://blog.dynamoo.com/2016/01/malw...e-from-mx.html
    15 Jan 2015
    ** http://blog.dynamoo.com/2016/01/malw...servation.html
    15 Jan 2015

    Last edited by AplusWebMaster; 2016-01-15 at 17:18.
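    Several of the posts above end with the same advice: block the call-home and download addresses, and watch traffic to them, because a hit from an internal host is a likely infection rather than a blocked download. The following is an added example, not code from dynamoo, myonlinesecurity or this thread, that checks proxy log lines against the addresses those posts name: dynamoo's recommended blocklist for the 'order #7738326' run, the Dridex phone-home IPs from the 'Scanned Document', 'Order' and 'scanner' runs, and the 46.30.40.0/21 range from the 'Evil network' post. The squid-style log format and every log line are constructed for the example; hostnames (as opposed to IP literals) are reported as unmatched because they would need a DNS-log or resolver-side check instead.

```python
import ipaddress
from urllib.parse import urlsplit

# Single addresses named in the posts above (the 'order #7738326' blocklist plus
# the Dridex phone-home IPs from the earlier runs in this thread).
BLOCKLIST_IPS = """
88.208.35.71
216.117.130.191
116.12.92.107
46.32.243.144
195.96.228.199
161.53.144.25
41.38.18.230
204.197.242.166
149.156.208.41
158.255.6.128
85.25.200.103
188.138.88.14
"""
# Whole range recommended for blocking in the 'Evil network' post.
BLOCKLIST_NETS = ["46.30.40.0/21"]

BLOCKED_IPS = {ipaddress.ip_address(t) for t in BLOCKLIST_IPS.split()}
BLOCKED_NETS = [ipaddress.ip_network(n) for n in BLOCKLIST_NETS]


def destination_host(request: str) -> str:
    """Host part of a proxy request field: a URL, or 'host:port' for CONNECT."""
    if "://" in request:
        return urlsplit(request).hostname or ""
    return request.rsplit(":", 1)[0]


def match(host: str):
    """Return a reason string if host is an IP literal on the blocklist, else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname: match it against DNS logs, not here
    if ip in BLOCKED_IPS:
        return "listed IP"
    for net in BLOCKED_NETS:
        if ip in net:
            return f"inside {net}"
    return None


def scan_log(lines) -> list:
    """Return (line_number, client, host, reason) for each hit in lines of the
    constructed format: <timestamp> <client> <status> <method> <request>."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than guess
        host = destination_host(fields[4])
        reason = match(host)
        if reason:
            hits.append((n, fields[1], host, reason))
    return hits


# Constructed sample log lines for this example; not real proxy data.
SAMPLE_LOG = [
    "1452849120.101 10.0.0.5 TCP_MISS/200 GET http://149.156.208.41/dl/update.exe",
    "1452849121.530 10.0.0.5 TCP_MISS/200 CONNECT 85.25.200.103:443",
    "1452849130.004 10.0.0.7 TCP_MISS/200 GET http://www.example.com/index.html",
    "1452849131.220 10.0.0.9 TCP_MISS/200 GET http://46.30.44.5/blog/post.html",
    "1452849140.777 10.0.0.7 TCP_MISS/200 CONNECT 203.0.113.8:443",
]

if __name__ == "__main__":
    for n, client, host, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {client} -> {host} ({reason})")
```

    The two hits from 10.0.0.5 (a download from a listed IP followed by a TLS connection to a phone-home address) are exactly the sequence the posts describe for an opened attachment, and are worth treating as an infected host rather than just a blocked request.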
