FYI...
Fake 'Invoice January' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...ary-baird.html
18 Jan 2016 - "This -fake- financial spam does not come from J. Thomson Colour Printers but is instead a simple -forgery- with a malicious attachment.
From "A . Baird" [ABaird@ jtcp .co.uk]
Date Mon, 18 Jan 2016 16:17:20 +0530
Subject Invoice January
Hi,
We have been paid for much later invoices but still have the attached invoice as
outstanding.
Can you please confirm it is on your system and not under query.
Regards
Alastair Baird
Financial Controller ...
Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday... The payload is meant to be the Dridex banking trojan...
UPDATE: A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:
emirelo .com/786585d/08g7g6r56r.exe
esecon .com.br/786585d/08g7g6r56r.exe
outago .com/786585d/08g7g6r56r.exe
This binary has an MD5 of 971b9f7a200cff489ee38011836f5240 and a VirusTotal detection rate of 3/54*. The same source identifies the following C2 servers which are worth blocking:
192.232.204.53 (WebSiteWelcome, US)
110.77.142.156 (CAT BB Net, Thailand)
216.117.130.191 (Advanced Internet Technologies Inc, US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
Recommended blocklist:
192.232.204.53
110.77.142.156
216.117.130.191
202.69.40.173 "
* https://www.virustotal.com/en/file/2...4bcf/analysis/
TCP connections
192.232.204.53: https://www.virustotal.com/en/ip-add...3/information/
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
- http://myonlinesecurity.co.uk/invoic...ls-attachment/
18 Jan 2016 - "The Dridex bots are -still- not having a good day today. On Friday they sent -3- different malformed/damaged/broken malspams. Today, the first damaged/malformed/broken one is an email with the subject of 'Invoice January' pretending to come from A . Baird <ABaird@ jtcp .co.uk> with a -damaged- attachment that is supposed to be a malicious Word doc or XLS spreadsheet attachment... The -damaged/broken- attachment has a name something like INV-IN174074-2016-386.doc
Downloading this one from quarantine on my server gives what looks like a genuine Word doc...
VirusTotal Detections 5/55* which will attempt to download Dridex banking malware from
[emirelo .com/786585d/08g7g6r56r.exe] (VirusTotal 3/54**) Payload Security / Reverse.it Analysis***
The email looks like:
From: A . Baird <ABaird@ jtcp .co.uk>
Date: Mon 18/01/2016 09:45
Subject: Invoice January
Hi,
We have been paid for much later invoices but still have the attached invoice as outstanding.
Can you please confirm it is on your system and not under query.
Regards
Alastair Baird
Financial Controller ...
This email attachment contains what appears to be a genuine Word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that, when run, -will- infect you. Modern versions of Microsoft Office, that is Office 2010, 2013, 2016 and Office 365, should be automatically set to higher security to protect you...
By default Protected View is enabled and macros are disabled, UNLESS you or your company have enabled them. If Protected View is turned off and macros are enabled, then opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you...
DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/6...is/1453114324/
** https://www.virustotal.com/en/file/2...is/1453115492/
192.232.204.53: https://www.virustotal.com/en/ip-add...3/information/
13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
*** https://www.reverse.it/sample/629bfd...nvironmentId=1
Contacted Hosts
194.24.228.5: https://www.virustotal.com/en/ip-add...5/information/
192.232.204.53: https://www.virustotal.com/en/ip-add...3/information/
___
Fake 'Statements' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...ts-alison.html
18 Jan 2016 - "This -fake- financial email does not come from J Thomson Colour Printers but is instead a simple forgery with a malicious attachment.
From Alison Smith [ASmith@ jtcp .co.uk]
Date Mon, 18 Jan 2016 18:27:36 +0530
Subject Statements
Sent 12 JAN 16 15:36
J Thomson Colour Printers
14 Carnoustie Place
Glasgow
G5 8PB ...
Attached is a file S-STA-SBP CRE (0036).xls which is actually -corrupt- due to a monumental failure by the bad guys. The payload is meant to be the Dridex banking trojan, but since -Friday- the attachments have been messed up and will either appear to be garbage or zero length. The payload itself should look similar to this one*, also spoofing the same company."
* http://blog.dynamoo.com/2016/01/malw...ary-baird.html
- http://myonlinesecurity.co.uk/j-thom...ls-attachment/
18 Jan 2016 - "... damaged/broken attachment has a name something like S-STA-SBP CRE (0036).xls ... it would, if fixed, download -Dridex- from the same locations as today’s earlier malspam runs..."
___
LastPass - Phish...
- https://www.seancassidy.me/lostpass.html
2016-01-18 - "... discovered a -phishing- attack against LastPass that allows an attacker to steal a LastPass user's email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass. I call this attack 'LostPass'... Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well:
> https://www.seancassidy.me/images/lastpass_login.png
...
> https://www.seancassidy.me/images/lastpass_2fa.png
... Here's an image of LastPass and LostPass for Firefox on Windows 8 side-by-side. Which one is which?:
> https://www.seancassidy.me/images/lastpass_firefox.png "