FYI...
Fake 'Despatch Note' SPAM - doc malware
- http://myonlinesecurity.co.uk/despat...d-doc-malware/
29 Jan 2016 - "An email with the subject of 'Despatch Note FFGDES34309' pretending to come from Foyle Food Group Limited <accounts@ foylefoodgroup .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Foyle Food Group Limited <accounts@ foylefoodgroup .com>
Date: Fri 29/01/2016 09:17
Subject: Despatch Note FFGDES34309
Attachment: FFGDES34309.doc
Please find attached Despatch Note FFGDES34309
29 January 2016: FFGDES34309.doc - Current VirusTotal detections 5/54*
Downloads Dridex banking malware from jjcoll .in/56gf/g545.exe (VirusTotal 2/54**)
Other download locations include http ://romana .fi/56gf/g545.exe and
http ://clickchiropractic .com/56gf/g545.exe
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/0...is/1454062970/
** https://www.virustotal.com/en/file/a...is/1454062183/
jjcoll .in: 198.12.152.113: https://www.virustotal.com/en/ip-add...3/information/
romana .fi: 217.78.212.183: https://www.virustotal.com/en/ip-add...3/information/
clickchiropractic .com: 50.87.150.204: https://www.virustotal.com/en/ip-add...4/information/
- http://blog.dynamoo.com/2016/01/malw...gdes34309.html
29 Jan 2016 - "This -fake- financial spam is not from Foyle Food Group Limited but is instead a simple -forgery- with a malicious attachment:
From Foyle Food Group Limited [accounts@ foylefoodgroup .com]
Date Fri, 29 Jan 2016 17:58:37 +0700
Subject Despatch Note FFGDES34309
Please find attached Despatch Note FFGDES34309
... The attachment is FFGDES34309.doc which comes in three different variants, downloading from:
jjcoll .in/56gf/g545.exe
romana .fi/56gf/g545.exe
clickchiropractic .com/56gf/g545.exe
This has... a detection rate of 6/49*. According to my contact, this phones home to:
85.143.166.200 (Pirix, Russia)
103.245.153.70 (OrionVM, Australia)
144.76.73.3 (Hetzner, Germany)
This drops the Dridex banking trojan. The behaviour is consistent with botnet 220.
Recommended blocklist:
85.143.166.200
103.245.153.70
144.76.73.3"
* https://www.virustotal.com/en/file/a...9a5f/analysis/
TCP connections
85.143.166.200: https://www.virustotal.com/en/ip-add...0/information/
8.254.218.30: https://www.virustotal.com/en/ip-add...0/information/
___
Fake 'Scanned image' SPAM - doc malware
- http://myonlinesecurity.co.uk/scanne...d-doc-malware/
29 Jan 2016 - "An email with the subject of 'Scanned image from copier@ victimdomain .tld' pretending to come from copier@ victimdomain .tld with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: copier@ victimdomain .tld
Date: Fri 29/01/2016 11:02
Subject: Scanned image from copier@ victimdomain .tld
Attachment: copier@ ...co.uk_20160129_084903.doc
Body content:
Reply to: copier@ ...co.uk <copier@ ...co.uk>
Device Name: COPIER
Device Model: MX-2310U
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned document in DOC format...
29 January 2016: copier@ ...co.uk_20160129_084903.doc - This is exactly the -same- malware which downloads the -same- Dridex banking malware from the -same- locations as described in this earlier post*..."
* http://myonlinesecurity.co.uk/despat...d-doc-malware/
___
Fake 'Resume' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malw...resumertf.html
29 Jan 2016 - "This spam leads to malware:
From: Laurena Washabaugh [washabaugh .1946@ rambler .ru]
Date: 29 January 2016 at 10:10
Subject: Quick Question
Signed by: rambler .ru
What's going on?
I was visting your website on 1/29/2016 and I'm very interested.
I'm currently looking for work either full time or as a intern to get experience in the field.
Please review my CV and let me know what you think.
Best regards,
Laurena Washabaugh
The attachment is named Resume.rtf, but it is actually a DOCX file with a malicious macro... the document has a VirusTotal detection rate of 9/54*... but these automated analyses [1] [2] [3] show it phoning home to:
89.248.166.131 (Quasi Networks, Seychelles)
I recommend that you -block- traffic to that IP..."
* https://www.virustotal.com/en/file/8...is/1454068566/
[1] https://malwr.com/analysis/ZDYyOTUzM...kxZDEzNWM1Y2U/
[2] https://www.hybrid-analysis.com/samp...nvironmentId=1
[3] https://www.hybrid-analysis.com/samp...nvironmentId=4
89.248.166.131: https://www.virustotal.com/en/ip-add...1/information/
- http://myonlinesecurity.co.uk/quick-...sheet-malware/
29 Jan 2016 - "An email with the subject of 'Quick Question' pretending to attach a -resume- coming from random senders with a malicious word rtf attachment which is actually a word docx file is another one from the current bot runs... The email looks like:
From: Robbi Aguinaldo <aguinaldo.1993@ rambler .ru>
Date: Fri 29/01/2016 08:18
Subject: Quick Question
Attachment: Resume.rtf
Howdy
I was visting your website on 1/29/2016 and I’m very interested.
I’m currently looking for work either full time or as a intern to get experience in the field.
Please review my CV and let me know what you think.
In appreciation,
Robbi Aguinaldo
29 January 2016: Resume.rtf - Current VirusTotal detections 0/55*
* https://www.virustotal.com/en/file/0...is/1449129718/
... which downloads the following files:
http ://89.248.166.131/jer.jpg?810 (Currently unavailable)
> 89.248.166.131: https://www.virustotal.com/en/ip-add...1/information/
http ://91.224.161.116/clv002/f32.bin (VirusTotal 0/55**), from which the malicious macro alters/decodes/creates several of the files below:
> cccyk7m15911_1.exe
- https://www.virustotal.com/en/file/a...is/1454087239/
> http ://192.227.181.211/foru.exe saved as: cigiquk79yycc7.exe
- https://www.virustotal.com/en/file/1...is/1454087310/
> FASDA.exe
- https://www.virustotal.com/en/file/6...is/1454087462/
> http ://89.248.166.131/1.exe saved as: m3q3c5s79uy5k95.exe
- https://www.virustotal.com/en/file/d...is/1454087618/
> MQERY.exe
- https://www.virustotal.com/en/file/5...is/1454087665/
... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... DO NOT click on it or try to open it..."
** https://www.virustotal.com/en/file/0...is/1449129718/
rambler .ru: 81.19.93.6: https://www.virustotal.com/en/ip-add...6/information/
81.19.77.5: https://www.virustotal.com/en/ip-add...5/information/
81.19.77.6: https://www.virustotal.com/en/ip-add...6/information/
81.19.93.5: https://www.virustotal.com/en/ip-add...5/information/
> https://www.virustotal.com/en/url/33...94bd/analysis/
0/66
___
HSBC internet banking services down after cyber attack
- http://www.reuters.com/article/us-hs...-idUSKCN0V71BO
Jan 29, 2016 - "HSBC is working with law enforcement to catch those behind a cyber attack that forced its personal banking websites in the UK to shut down, its second major service outage this month, the bank said on Friday. Europe's largest lender said it had "successfully defended" its systems against a distributed denial of service (DDoS) attack but it was experiencing fresh threats, impeding full restoration of its services... The outage began on Friday morning and online services were still down by 1630 GMT (11:30 a.m. ET). DDoS attacks are often used by cyber criminals trying to disrupt businesses and companies with significant online activities..."
___
GitHub Blog:
Update on 1/28 service outage:
- https://github.com/blog/2101-update-...service-outage
Jan 29, 2016 - "On Thursday, January 28, 2016 at 00:23am UTC, we experienced a severe service outage that impacted GitHub.com... A brief power disruption at our primary data center caused a cascading failure that impacted several services critical to GitHub.com's operation. While we worked to recover service, GitHub.com was unavailable for two hours and six minutes. Service was fully restored at 02:29am UTC. Last night we completed the final procedure to fully restore our power infrastructure..."