
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #891 AplusWebMaster (Adviser Team) - Join Date: Oct 2005 - Location: USA - Posts: 6,881

    Fake 'Despatch Note', 'Scanned image', 'Resume' SPAM, HSBC DDoS'd

    FYI...

    Fake 'Despatch Note' SPAM - doc malware
    - http://myonlinesecurity.co.uk/despat...d-doc-malware/
    29 Jan 2016 - "An email with the subject of 'Despatch Note FFGDES34309' pretending to come from Foyle Food Group Limited <accounts@ foylefoodgroup .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: Foyle Food Group Limited <accounts@ foylefoodgroup .com>
    Date: Fri 29/01/2016 09:17
    Subject: Despatch Note FFGDES34309
    Attachment: FFGDES34309.doc
    Please find attached Despatch Note FFGDES34309


    29 January 2016: FFGDES34309.doc - Current Virus total detections 5/54*
    Downloads Dridex banking malware from jjcoll .in/56gf/g545.exe (VirusTotal 2/54**)
    Other download locations include http ://romana .fi/56gf/g545.exe and
    http ://clickchiropractic .com/56gf/g545.exe
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1454062970/

    ** https://www.virustotal.com/en/file/a...is/1454062183/

    jjcoll .in: 198.12.152.113: https://www.virustotal.com/en/ip-add...3/information/

    romana .fi: 217.78.212.183: https://www.virustotal.com/en/ip-add...3/information/

    clickchiropractic .com: 50.87.150.204: https://www.virustotal.com/en/ip-add...4/information/

    - http://blog.dynamoo.com/2016/01/malw...gdes34309.html
    29 Jan 2016 - "This -fake- financial spam is not from Foyle Food Group Limited but is instead a simple -forgery- with a malicious attachment:
    From Foyle Food Group Limited [accounts@ foylefoodgroup .com]
    Date Fri, 29 Jan 2016 17:58:37 +0700
    Subject Despatch Note FFGDES34309
    Please find attached Despatch Note FFGDES34309


    ... The attachment is FFGDES34309.doc which comes in three different variants, downloading from:
    jjcoll .in/56gf/g545.exe
    romana .fi/56gf/g545.exe
    clickchiropractic .com/56gf/g545.exe
    This has... a detection rate of 6/49*. According to my contact, this phones home to:
    85.143.166.200 (Pirix, Russia)
    103.245.153.70 (OrionVM, Australia)
    144.76.73.3 (Hetzner, Germany)
    This drops the Dridex banking trojan. The behaviour is consistent with botnet 220."
    Recommended blocklist:
    85.143.166.200
    103.245.153.70
    144.76.73.3"
    * https://www.virustotal.com/en/file/a...9a5f/analysis/
    TCP connections
    85.143.166.200: https://www.virustotal.com/en/ip-add...0/information/
    8.254.218.30: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Scanned image' SPAM - doc malware
    - http://myonlinesecurity.co.uk/scanne...d-doc-malware/
    29 Jan 2016 - "An email with the subject of 'Scanned image from copier@ victimdomain .tld' pretending to come from copier@ victimdomain .tld with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: copier@ victmdomain .tld
    Date: Fri 29/01/2016 11:02
    Subject: Scanned image from copier@ victimdomain .tld
    Attachment: copier@ ...co.uk_20160129_084903.doc
    Body content:
    Reply to: copier@ ...co.uk <copier@ ...co.uk>
    Device Name: COPIER
    Device Model: MX-2310U
    File Format: DOC (Medium)
    Resolution: 200dpi x 200dpi
    Attached file is scanned document in DOC format...


    29 January 2016: copier@ ...co.uk_20160129_084903.doc - This is exactly the -same- malware which downloads the -same- Dridex banking malware from the -same- locations as described in this earlier post*..."
    * http://myonlinesecurity.co.uk/despat...d-doc-malware/
    ___

    Fake 'Resume' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/01/malw...resumertf.html
    29 Jan 2016 - "This spam leads to malware:
    From: Laurena Washabaugh [washabaugh .1946@ rambler .ru]
    Date: 29 January 2016 at 10:10
    Subject: Quick Question
    Signed by: rambler .ru
    What's going on?
    I was visting your website on 1/29/2016 and I'm very interested.
    I'm currently looking for work either full time or as a intern to get experience in the field.
    Please review my CV and let me know what you think.
    Best regards,
    Laurena Washabaugh


    The attachment is named Resume.rtf, but it is actually a DOCX file with a malicious macro... the document has a VirusTotal detection rate of 9/54*... but these automated analyses [1] [2] [3] show it phoning home to:
    89.248.166.131 (Quasi Networks, Seychelles)
    I recommend that you -block- traffic to that IP..."
    * https://www.virustotal.com/en/file/8...is/1454068566/

    1] https://malwr.com/analysis/ZDYyOTUzM...kxZDEzNWM1Y2U/

    2] https://www.hybrid-analysis.com/samp...nvironmentId=1

    3] https://www.hybrid-analysis.com/samp...nvironmentId=4

    89.248.166.131: https://www.virustotal.com/en/ip-add...1/information/

    - http://myonlinesecurity.co.uk/quick-...sheet-malware/
    29 Jan 2016 - "An email with the subject of 'Quick Question' pretending to attach a -resume- coming from random senders with a malicious word rtf attachment which is actually a word docx file is another one from the current bot runs... The email looks like:
    From: Robbi Aguinaldo <aguinaldo.1993@ rambler .ru>
    Date: Fri 29/01/2016 08:18
    Subject: Quick Question
    Attachment: Resume.rtf
    Howdy
    I was visting your website on 1/29/2016 and I’m very interested.
    I’m currently looking for work either full time or as a intern to get experience in the field.
    Please review my CV and let me know what you think.
    In appreciation,
    Robbi Aguinaldo


    29 January 2016: Resume.rtf - Current Virus total detections 0/55*
    * https://www.virustotal.com/en/file/0...is/1449129718/
    .. which downloads the following files:
    http ://89.248.166.131/jer.jpg?810 (Currently unavailable)
    > 89.248.166.131: https://www.virustotal.com/en/ip-add...1/information/
    http ://91.224.161.116/clv002/f32.bin (VirusTotal 0/55**) which the malicious macro alters/decodes/creates several of the below files:
    > cccyk7m15911_1.exe
    - https://www.virustotal.com/en/file/a...is/1454087239/

    > http ://192.227.181.211/foru.exe saved as: cigiquk79yycc7.exe
    - https://www.virustotal.com/en/file/1...is/1454087310/

    >FASDA.exe
    - https://www.virustotal.com/en/file/6...is/1454087462/

    > http ://89.248.166.131/1.exe saved as: m3q3c5s79uy5k95.exe
    - https://www.virustotal.com/en/file/d...is/1454087618/

    > MQERY.exe
    - https://www.virustotal.com/en/file/5...is/1454087665/

    ... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... DO NOT click on it or try to open it..."
    ** https://www.virustotal.com/en/file/0...is/1449129718/

    rambler .ru: 81.19.93.6: https://www.virustotal.com/en/ip-add...6/information/
    81.19.77.5: https://www.virustotal.com/en/ip-add...5/information/
    81.19.77.6: https://www.virustotal.com/en/ip-add...6/information/
    81.19.93.5: https://www.virustotal.com/en/ip-add...5/information/
    > https://www.virustotal.com/en/url/33...94bd/analysis/
    0/66
    ___

    HSBC internet banking services down after cyber attack
    - http://www.reuters.com/article/us-hs...-idUSKCN0V71BO
    Jan 29, 2016 - "HSBC is working with law enforcement to catch those behind a cyber attack that forced its personal banking websites in the UK to shutdown, its second major service outage this month, the bank said on Friday. Europe's largest lender said it had "successfully defended" its systems against a distributed denial of service (DDoS) attack but it was experiencing fresh threats, impeding full restoration of its services... The outage began on Friday morning and online services were still down by 1630 GMT (11:30 a.m. ET). DDoS attacks are often used by cyber criminals trying to disrupt businesses and companies with significant online activities..."
    ___

    GitHub Blog:
    Update on 1/28 service outage:
    - https://github.com/blog/2101-update-...service-outage
    Jan 29, 2016 - "On Thursday, January 28, 2016 at 00:23am UTC, we experienced a severe service outage that impacted GitHub.com... A brief power disruption at our primary data center caused a cascading failure that impacted several services critical to GitHub.com's operation. While we worked to recover service, GitHub.com was unavailable for two hours and six minutes. Service was fully restored at 02:29am UTC. Last night we completed the final procedure to fully restore our power infrastructure..."

    Last edited by AplusWebMaster; 2016-01-29 at 21:17.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #892 AplusWebMaster

    Fake 'Order Processed', 'Invoice INV19', 'Scanned image' SPAM

    FYI...

    Fake 'Order Processed' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/02/malw...d-noreply.html
    1 Feb 2016 - "This -fake- financial spam does not come from Duration Windows but is instead a simple -forgery- with a malicious attachment:
    From NoReply-Duration Windows [noreply@ duration .co.uk]
    Date Mon, 01 Feb 2016 04:21:03 -0500
    Subject Order Processed.
    Dear Customer,
    Please find details for your order attached as a PDF to this e-mail.
    Regards,
    Duration Windows
    Sales Department ...


    I have only seen a single sample of this spam with an attachment V9568HW.doc which has a detection rate of 5/54*... likely to be the Dridex banking trojan.
    UPDATE: The Malwr analysis** shows that the document downloads a malicious executable from:
    www .peopleond-clan .de/u56gf2d/k76j5hg.exe
    This has a VirusTotal detection rate of 4/54*** and those reports plus this Hybrid Analysis[4] show it phoning home to:
    185.24.92.236 (System Projects LLC, Russia)
    I strongly recommend that you -block- traffic to that IP."
    * https://www.virustotal.com/en/file/6...is/1454322319/

    ** https://malwr.com/analysis/ZGNhYjJhM...ZlYjk0YzlhOWU/

    *** https://www.virustotal.com/en/file/d...is/1454323739/

    4] https://www.hybrid-analysis.com/samp...nvironmentId=4

    - http://myonlinesecurity.co.uk/order-...d-doc-malware/
    1 Feb 2016 - "An email with the subject of 'Order Processed' ... with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: NoReply-Duration Windows <noreply@ duration .co.uk>
    Date: Mon 01/02/2016 10:16
    Subject: Order Processed.
    Attachment: V9568HW.doc
    Dear Customer,
    Please find details for your order attached as a PDF to this e-mail.
    Regards, Duration Windows Sales Department ...


    1 February 2016: V9568HW.doc - Current Virus total detections 4/55*
    MALWR** shows downloads Dridex banking malware from
    http ://iamnickrobinson .com/u56gf2d/k76j5hg.exe (VirusTotal 3/53***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1454322062/

    ** https://malwr.com/analysis/ZmFkM2JiM...ZlZDdhMzY3NmQ/
    74.86.19.136: https://www.virustotal.com/en/ip-add...6/information/
    185.24.92.236: https://www.virustotal.com/en/ip-add...6/information/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/

    *** https://www.virustotal.com/en/file/d...is/1454325006/
    TCP connections
    185.24.92.236: https://www.virustotal.com/en/ip-add...6/information/
    2.22.22.113: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake 'Invoice INV19' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/02/malw...3456-from.html
    1 Feb 2016 - "This spam appears to originate from a -variety- of companies with -different- references. It comes with a malicious attachment.
    From: Marisol Barrett [BarrettMarisol04015@ victimdomain .tld]
    Date: 1 February 2016 at 08:39
    Subject: Invoice 48014 from JKX OIL & GAS
    Dear Customer,
    Your invoice appears below. Please remit payment at your earliest convenience.
    Thank you for your business - we appreciate it very much.
    Sincerely,
    Marisol Barrett ...

    From: Oswaldo Browning [BrowningOswaldo507@ victimdomain .tld]
    Date: 1 February 2016 at 09:38
    Subject: Invoice 865272 from J P MORGAN PRIVATE EQUITY LTD
    Dear Customer,
    Your invoice appears below. Please remit payment at your earliest convenience.
    Thank you for your business - we appreciate it very much.
    Sincerely,
    Oswaldo Browning
    J P MORGAN PRIVATE EQUITY LTD ...


    The attachment is in the format INV19 - 865272.doc (it always starts with "INV19" and then has the -fake- reference number). There are at least -three- different versions...
    UPDATE 2: The Malwr analysis of three of the attachments [1] [2] [3] shows download locations of:
    31.131.24.203/indiana/jones.php
    31.41.45.23/indiana/jones.php
    These IPs can be considered as -malicious- and belong to:
    31.131.24.203 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
    31.41.45.23 (Relink LTD, Russia)
    This drops a -malicious- binary with a detection rate of 2/53*. This phones home to:
    185.24.92.229 (System Projects, LLC, Russia)
    This spam appears to be the Dridex banking trojan (botnet 120 perhaps).
    Recommended blocklist:
    185.24.92.229
    31.131.24.203
    31.41.45.23"
    1] https://malwr.com/analysis/NDQyZDUwN...ViOGNlMzQyMWE/

    2] https://malwr.com/analysis/NzAwMmM2Z...M3MWU0OTI2YTk/

    3] https://malwr.com/analysis/NTg1ZmNjN...A1OWQ5YTA0OWE/

    * https://www.virustotal.com/en/file/6...b31/analysis/#

    - http://myonlinesecurity.co.uk/invoic...alware-broken/
    1 Feb 2016 - "An email with the subject of 'Invoice' (random number) from Random companies pretending to come from random names at your own email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    1 February 2016: INV19 – 882596.doc - Current Virus total detections 2/54*
    MALWR** shows a download from http ://31.41.45.23/indiana/jones.php
    which gave me crypted120med.exe (VirusTotal 2/53***)..."
    * https://www.virustotal.com/en/file/d...is/1454319886/

    ** https://malwr.com/analysis/NTk2NmJiN...M0Zjg1ZmM1NGU/

    *** https://www.virustotal.com/en/file/6...is/1454322842/
    ___

    Fake 'Scanned image' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/02/malw...mage-from.html
    1 Feb 2016 - "This -fake- document scan appears to originate from within the victim's own domain, but it doesn't. Instead this is a simple -forgery- with a malicious attachment.
    From: copier@ victimdomain .tld
    Date: 1 February 2016 at 12:11
    Subject: Scanned image from copier@ victimdomain .tld
    Reply to: copier@ victimdomain .tld [copier@ victimdomain .tld]
    Device Name: COPIER
    Device Model: MX-2310U
    File Format: DOC (Medium)
    Resolution: 200dpi x 200dpi
    Attached file is scanned document in DOC format...


    I have seen two different versions of the attached document, named in a format copier@ victimdomain .tld_20160129_084903.doc. The detection rate for both is 6/54 [1] [2] and the Malwr report* for one of them shows the macro downloading from:
    dulichando .org/u56gf2d/k76j5hg.exe
    This executable has a detection rate of 4/53** and the Hybrid Analysis reports*** that it phones home to:
    185.24.92.236 (System Projects LLC, Russia)
    I strongly recommend that you -block- traffic to that IP. The payload is Dridex, as seen here****."
    1] https://www.virustotal.com/en/file/0...is/1454332258/

    2] https://www.virustotal.com/en/file/a...is/1454332268/

    * https://malwr.com/analysis/M2RhNmU5O...ZiZTM0NDY3YjY/

    ** https://www.virustotal.com/en/file/b...is/1454332659/

    *** https://www.hybrid-analysis.com/samp...nvironmentId=4

    **** http://blog.dynamoo.com/2016/02/malw...d-noreply.html

    Last edited by AplusWebMaster; 2016-02-01 at 16:56.

  3. #893 AplusWebMaster

    Fake 'Order Dispatch', 'New order', 'PURCHASE', 'RB0081 INV' SPAM

    FYI...

    Fake 'Order Dispatch' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/order-...sheet-malware/
    2 Feb 2016 - "An email with the subject of 'Order Dispatch: AA608034' (random order numbers) pretending to come from aalabels <customercare45660@ aalabels .com> (random customercare numbers) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...4-1024x549.png

    2 February 2016: invoice_AA608034.doc - Current Virus total detections 4/52*
    Downloads Dridex Banking malware from
    hebenstreit .us.com/5h4g/0oi545gfgf.exe (VirusTotal 3/51**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

    * https://www.virustotal.com/en/file/0...47d8/analysis/

    ** https://www.virustotal.com/en/file/2...is/1454402505/
    TCP connections
    91.239.232.145: https://www.virustotal.com/en/ip-add...5/information/
    90.84.59.9: https://www.virustotal.com/en/ip-add...9/information/

    - http://blog.dynamoo.com/2016/02/malw...-aa207241.html
    2 Feb 2016 - "This -fake- financial spam is not from aalabels .com but is instead a simple -forgery- with a malicious attachment.

    Screenshot: https://3.bp.blogspot.com/-WM975r0NV...0/aalabels.png

    The sender's email address and detail will vary from email to email, however they all follow the same format. Attached is a file with a name along the lines of invoice_AA123456.doc which comes in at least -three- different versions... Malwr reports... show the macro in the documents downloading from one of the following locations:
    timestyle .com.au/5h4g/0oi545gfgf.exe
    hebenstreit .us.com/5h4g/0oi545gfgf.exe
    fillingsystem .com/5h4g/0oi545gfgf.exe
    This binary has a detection rate of 5/52*... Malwr reports show it phoning home to:
    91.239.232.145 (Hostpro Ltd, Ukraine)
    I would strongly recommend -blocking- traffic to that IP, or indeed you can probably block the entire 91.239.232.0/22 range with no ill effects."
    * https://www.virustotal.com/en/file/2...is/1454404870/
    91.239.232.145: https://www.virustotal.com/en/ip-add...5/information/
    90.84.59.9: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake 'New order' SPAM - malware
    - http://myonlinesecurity.co.uk/corcom...06754-malware/
    2 Feb 2016 - "An email with the subject of 'New order Enquiry 206754' pretending to come from Corcom Co ltd <corcom@ bnisyariah .co.id> with a zip attachment is another one from the current bot runs... The email looks like:
    From: Corcom Co ltd <corcom@ bnisyariah .co.id>
    Date: Tue 02/02/2016 03:13
    Subject: New order Enquiry 206754
    Attachment: Enquiry 206754.zip
    Dear Customer,
    Find attached our purchase order. Kindly quote us best price and send
    us proforma invoice asap, so that we can proceed with the necessary
    payment,We need this Order urgently. kindly confirm the PO and send PI
    asap.
    Thank you.
    Ms. Sim Rabim
    Jl. M.H. Thamrin 59 Jakarta 10350 ? Indonesia ...


    2 February 2016: Enquiry 206754.zip: Extracts to: Enquiry 206754.exe - Current Virus total detections 14/52*
    This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will be hidden instead of showing it as the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1454400171/
    ___

    Fake 'PURCHASE' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/02/malw...016-d1141.html
    2 Feb 2016 - "This spam does not come from Flower Vision but is instead a simple -forgery- with a malicious attachment:
    From: sales@ flowervision .co.uk
    Date: 2 February 2016 at 08:28
    Subject: PURCHASE 02/02/2016 D1141
    FLOWERVISION
    Internet Order Confirmation
    Page
    1/1 ...


    Attached is a file SALES_D1141_02022016_164242.xls which I have seen just one version of, with a detection rate of 1/50*. This Hybrid Analysis** shows the macro in the spreadsheet downloading from:
    www .torinocity .it/5h4g/0oi545gfgf.exe
    This binary has a detection rate of 5/51***, and is the same payload as seen earlier****."
    * https://www.virustotal.com/en/file/0...is/1454406875/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    *** https://www.virustotal.com/en/file/2...is/1454407813/
    TCP connections
    91.239.232.145: https://www.virustotal.com/en/ip-add...5/information/
    90.84.59.9: https://www.virustotal.com/en/ip-add...9/information/

    **** http://blog.dynamoo.com/2016/02/malw...-aa207241.html

    - http://myonlinesecurity.co.uk/purcha...alware-dridex/
    2 Feb 2016 - "An email with the subject of 'PURCHASE 02/02/2016 D1141' pretending to come from sales@ flowervision .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...1-1024x586.png

    25 February 2015: SALES_D1141_02022016_164242.xls ...
    Downloads Dridex from same locations as today’s earlier Malspam*. This one is
    http ://www .fabian-enkenbach .de/5h4g/0oi545gfgf.exe (VirusTotal 5/51**)..."
    * http://myonlinesecurity.co.uk/order-...sheet-malware/

    ** https://www.virustotal.com/en/file/2...is/1454407813/
    TCP connections
    91.239.232.145: https://www.virustotal.com/en/ip-add...5/information/
    90.84.59.9: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake 'RB0081 INV' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/02/malw...039-sales.html
    2 Feb 2016 - "This -fake- financial spam does not come from Leathams but is instead a simple -forgery- with a malicious attachment.
    From: Sales invoice [salesinvoice@ leathams .co.uk]
    Reply-To: "no-reply@ leathams .co.uk" [no-reply@ leathams .co.uk]
    Date: 2 February 2016 at 13:15
    Subject: RB0081 INV2372039
    Dear Sir/Madam,
    Please find attached your sales invoice(s) for supplied goods. Please process for payment as soon as possible.
    In the event that you have a query - please direct your query...


    Attached is a malicious document Leathams Ltd_INV2372039.doc which comes in at least -two- different versions... The Malwr analysis for one of those samples shows a download from:
    fillingsystem .com/5h4g/0oi545gfgf.exe
    This is similar to a spam run earlier, but now the payload has changed to one with a detection rate of precisely zero*... The payload is the Dridex banking trojan.
    UPDATE: Automated analysis [1] [2] shows the executable phoning home to:
    91.239.232.145 (Hostpro Ltd, Ukraine)
    I strongly recommend -blocking- traffic to that IP, or the whole /22 in which it resides."
    * https://www.virustotal.com/en/file/f...is/1454419546/
    0/53

    1] https://malwr.com/analysis/Y2EwMjNkO...QyMzM5YWZhMTM/

    2] https://www.hybrid-analysis.com/samp...nvironmentId=1

    - http://myonlinesecurity.co.uk/rb0081...d-doc-malware/
    2 Feb 2016 - "An email with the subject of 'RB0081 INV2372039' pretending to come from Sales invoice <salesinvoice@ leathams .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Sales invoice <salesinvoice@ leathams .co.uk>
    Date: Tue 02/02/2016 12:13
    Subject: RB0081 INV2372039
    Attachment: Leathams Ltd_INV2372039.doc
    Dear Sir/Madam,
    Please find attached your sales invoice(s) for supplied goods. Please process for payment as soon as possible.
    In the event that you have a query – please direct your query...


    2 February 2016: Leathams Ltd_INV2372039.doc - Current Virus total detections 4/54*
    downloads Dridex banking malware from the same locations as today’s earlier malspams**. This example connects to http ://fillingsystem .com/5h4g/0oi545gfgf.exe which delivers an updated Dridex version to the earlier ones (VirusTotal 0/53***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1454417962/

    ** http://myonlinesecurity.co.uk/order-...sheet-malware/

    *** https://www.virustotal.com/en/file/f...is/1454419046/

    Last edited by AplusWebMaster; 2016-02-02 at 16:46.
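An added attachment-triage check, not code from this thread or from either quoted blog, covering the two tricks called out in #891 (Resume.rtf that is really a macro-bearing DOCX) and #893 (Enquiry 206754.zip hiding an .exe behind a spoofed icon), plus the .pdf.zip-with-JavaScript variant reported further down the thread. It classifies by leading bytes rather than file name; the sample attachments are constructed stand-ins, and the OLE2 "_VBA_PROJECT" marker search is a heuristic, not a full OLE parser.

```python
import io
import os
import zipfile

# Extensions this thread's samples used for the real payload or dropper.
RISKY_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".bat", ".cmd", ".hta"}
# Document-looking extensions that spammers chain before the real one ("X.pdf.zip").
DOC_LIKE_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt", ".jpg"}
# What a given claimed extension should really contain.
EXPECTED = {
    ".rtf": {"rtf"},
    ".doc": {"ole2", "ole2-macro", "rtf"},
    ".xls": {"ole2", "ole2-macro"},
    ".docx": {"ooxml"},
    ".xlsx": {"ooxml"},
    ".docm": {"ooxml-macro"},
    ".xlsm": {"ooxml-macro"},
    ".pdf": {"pdf"},
    ".zip": {"zip"},
}
# OLE2 directory entry names are UTF-16LE; this stream name appears when VBA is stored.
# Heuristic (assumption): a byte search, not a parse of the compound-file directory.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def sniff_format(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring the claimed file name."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):      # legacy .doc/.xls container
        return "ole2-macro" if OLE_VBA_MARKER in data else "ole2"
    if data.startswith(b"PK\x03\x04"):                            # zip, possibly OOXML
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "unknown"
        if "[content_types].xml" in names:
            has_vba = any(n.endswith("vbaproject.bin") for n in names)
            return "ooxml-macro" if has_vba else "ooxml"
        return "zip"
    return "unknown"


def zip_members(data: bytes):
    """Yield (name, bytes) for every file inside an in-memory zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]


def triage(filename: str, data: bytes, depth: int = 0) -> list:
    """Return finding codes for one attachment; an empty list means nothing was flagged."""
    findings = []
    stem, ext = os.path.splitext(filename.lower())
    fmt = sniff_format(data)
    if ext in EXPECTED and fmt not in EXPECTED[ext]:           # Resume.rtf that is a DOCX
        findings.append(f"format-mismatch:{ext}->{fmt}")
    if fmt in ("ooxml-macro", "ole2-macro"):                    # any macro-bearing Office file
        findings.append("office-macro")
    if fmt == "pe" or ext in RISKY_EXTS:                        # the .exe / .js droppers
        findings.append(f"executable-or-script:{ext or fmt}")
    inner_ext = os.path.splitext(stem)[1]
    if inner_ext in DOC_LIKE_EXTS:                              # "Invoice.pdf.zip" style names
        findings.append(f"double-extension:{inner_ext}{ext}")
    if fmt == "zip" and depth < 2:                              # look one level into archives
        for member, blob in zip_members(data):
            findings.extend(f"zip:{member}:{f}" for f in triage(member, blob, depth + 1))
    return findings


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container; real Word files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-stub")
    return buf.getvalue()


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed stand-ins for the attachment names seen in the thread (not the real files).
SAMPLES = {
    "Resume.rtf": build_ooxml(with_macro=True),
    "Sales_Invoice.pdf.zip": build_zip({"invoice_id0000000000.js": b"// constructed stub"}),
    "Enquiry 206754.zip": build_zip({"Enquiry 206754.exe": b"MZ" + b"\x00" * 64}),
    "notes.rtf": b"{\\rtf1\\ansi constructed harmless note}",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", triage(fname, blob) or ["clean"])
```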

  4. #894 AplusWebMaster

    Fake 'Invoice (SI-523)', 'Invoice MOJU', 'Attached Image' SPAM, Tesco PHISH

    FYI...

    Turning Off Specific Files from Previewing in the Microsoft Outlook Reading Pane
    - http://windowsitpro.com/outlook/turn...k-reading-pane

    Block Certain File Types from Opening in Associated Office Applications
    - http://windowsitpro.com/microsoft-of...e-applications

    >> http://myonlinesecurity.co.uk/malfor...macro-viruses/
    3 Feb 2016
    ___

    Security flaws discovered in smart toys and kids' watches
    - http://net-security.org/secworld.php?id=19404
    3 Feb 2016 - "Rapid7 researchers* have unearthed serious flaws in two 'Internet of Things' devices:
    • The Fisher-Price Smart Toy, a "stuffed animal" type of toy that can interact with children and can be monitored via a mobile app and WiFi connectivity, and
    • The hereO GPS Platform, a smart GPS toy watch that allows parents to track their children's physical location.
    In both cases the problem was with the authentication process, i.e. in the platform's web service (API) calls. In the first instance, the API calls were not appropriately verified, so an attacker could have sent unauthorized requests and extract information such as customer details, children's profiles, and more... In the second instance, the flaw allowed attackers to gain access to the family's group by adding an account to it, which would allow them to access the family member's location, location history, etc. "We have once again been able to work with vendors to resolve serious security issues impacting their platforms and hope that vendors considering related products are able to take note of these findings so that the overall market can improve beyond just these particular instances," noted Mark Stanislav, manager of global services at Rapid7*... "
    * https://community.rapid7.com/communi...o-gps-platform
    Feb 2, 2016
    ___

    Fake 'Free Travel Lottery' SPAM - doc malware
    - http://myonlinesecurity.co.uk/free-t...d-doc-malware/
    3 Feb 2016 - "An email with the subject of 'Free Travel Lottery Drawing' pretending to come from VIATOR.COM <winners@ viator .com> with a malicious word doc attachment is another one from the current bot runs.. The email looks like:
    From: VIATOR .COM <winners@ viator .com>
    Date: Wed, 3 Feb 2016 16:14
    Subject: Free Travel Lottery Drawing
    Attachment: winner_81.doc
    ATripAdvisor®Company
    Unforgettable time in the place where summer never ends!
    We held a lottery drawing among the customers of our travel agency Viator!
    Free travel for 2 persons to a Paradise Island Koh-Samui, in Kingdom of Thailand for 10 days! Travel insurance included!
    2,500,000 our customers took participation in the lottery. Only 250 winners!
    To learn more about the tour and your Winner Bonus become familiar with the attached document...


    3 February 2015: winner_81.doc - Current Virus total detections 1/54*
    MALWR** shows downloads http ://finiki45toget .com/post/511plvk.exe (virustotal 2/52***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1454514245/

    ** https://malwr.com/analysis/ZDgyZmI0Z...Y5NzZiNzc3ODg/
    163.20.136.189: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/bc...588a/analysis/

    *** https://www.virustotal.com/en/file/b...is/1454512889/
    ___

    Fake 'Invoice (SI-523)' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/02/malw...nvoice-si.html
    3 Feb 2016 - "This -fake- financial spam does not come from GS Toilet Hire but is instead a simple -forgery- with a malicious attachment. In other words, if you open it.. [don't].
    From: GS Toilet Hire [donotreply@ sageone .com]
    Date: 3 February 2016 at 09:12
    Subject: GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016
    Good morning
    Thank you for your business - we're pleased to attach your invoice in PDF. Please bear in mind that if we are in the area the price is reduced to £15+vat per visit.
    Full details, including payment terms, are included.
    If you have any questions, please don't hesitate to contact us.
    Kind regards,
    Linda Smith
    Office, GS Toilet Hire ...


    I have seen two samples of this, both with an attachment named Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip which contains a malicious Javascript file with a name like invoice_id6395788111.js. The two samples that I have seen have low detection rates... containing some highly obfuscated scripts... which... downloads a binary from one of the following locations:
    obstipatie .nu/43rf3dw/34frgegrg.exe
    bjhaggerty .com/43rf3dw/34frgegrg.exe
    (also www .ni-na27.wc.shopserve .jp/43rf3dw/34frgegrg.exe ...)
    This type of download indicates that this is Dridex 220, it is unusual for it to be spammed out with a Javascript-in-ZIP format rather than a malicious Office macro... The binary... shows the malware phoning home to:
    91.239.232.145 (Hostpro Ltd, Ukraine)
    I strongly recommend that you -block- all traffic to that IP, and possibly the 91.239.232.0/22 block in which it resides.
    UPDATE: The same spam is being sent out with a more traditional DOC attachment, Sales_Invoice_SI-523_GS Toilet Hire.doc which comes in at least two different variants (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] downloads a binary from the following locations:
    xinchunge .com/xinchunge.com/43rf3dw/34frgegrg.exe
    taukband .com/43rf3dw/34frgegrg.exe
    This is a different binary from before, with a detection rate of 4/53*. It still phones home to the same location."
    1] https://www.virustotal.com/en/file/a...is/1454494549/

    2] https://www.virustotal.com/en/file/5...is/1454494559/

    3] https://malwr.com/analysis/YjBlMDMzZ...ZhMTkwZmRlYzE/
    98.143.159.150
    91.239.232.145
    13.107.4.50


    4] https://malwr.com/analysis/YWZiMGE1M...QwMGQwZjczZDU/
    192.186.239.3
    91.239.232.145
    184.25.56.44


    * https://www.virustotal.com/en/file/9...3f67/analysis/

    - http://myonlinesecurity.co.uk/gs-toi...ing-to-dridex/
    3 Feb 2016 - "... an email with the subject of 'GS Toilet Hire – Invoice (SI-523) for £60.00, due on 28/02/2016' pretending to come from GS Toilet Hire <donotreply@ sageone .com> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...0-1024x515.png

    - or: http://myonlinesecurity.co.uk/wp-con...n-1024x515.png

    3 February 2016: Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip - Extracts to: invoice_id2677432297.js
    Current Virus total detections 2/54*. MALWR**
    3 February 2016: Sales_Invoice_SI-523_GS Toilet Hire.doc - VirusTotal 3/52***
    downloads what looks like -Dridex- from xinchunge .com/xinchunge.com/43rf3dw/34frgegrg.exe
    (VirusTotal 4/53[4])
    obstipatie .nu/43rf3dw/34frgegrg.exe
    bjhaggerty .com/43rf3dw/34frgegrg.exe
    taukband .com/43rf3dw/34frgegrg.exe
    This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1454491705/

    ** https://malwr.com/analysis/ZGI5OWI1Z...FiN2FjNjdiYjA/
    46.17.1.250

    *** https://www.virustotal.com/en/file/a...is/1454492103/

    4] https://www.virustotal.com/en/file/9...is/1454493882/
    ___

    Fake 'Invoice MOJU' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/02/malw...-accounts.html
    3 Feb 2016 - "This -fake- financial spam comes with a malicious attachment. It does not come from Moju Ltd but is instead a simple -forgery- with a malicious attachment:
    From: Accounts [message-service@ post.xero .com]
    Date: 3 February 2016 at 09:04
    Subject: Invoice MOJU-0939
    Hi,
    Here's invoice MOJU-0939 for 47.52 GBP. For last weeks delivery.
    The amount outstanding of 47.52 GBP is due on 25 Feb 2016.
    If you have any questions, please let us know.
    Thanks,
    Moju Ltd


    I have only seen one sample of this, with an attachment named Invoice MOJU-0939.zip containing a malicious script invoice_id4050638124.js that has detection rate of 2/53* and which according to this Malwr report** downloads a binary from:
    www .ni-na27.wc.shopserve .jp/43rf3dw/34frgegrg.exe
    This payload is the same as seen in this concurrent spam run***."
    * https://www.virustotal.com/en/file/0...b867/analysis/

    ** https://malwr.com/analysis/MDhlY2U2M...dlYmU4NWFhNDQ/
    210.160.220.144

    *** http://blog.dynamoo.com/2016/02/malw...nvoice-si.html

    - http://myonlinesecurity.co.uk/invoic...alware-dridex/
    3 Feb 2016 - "An email with the subject of 'Invoice MOJU-0939' pretending to come from Accounts <message-service@ post.xero .com> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...9-1024x497.png

    3 February 2016: Invoice MOJU-0939.zip: Extracts to: invoice_id6174018044.js
    Current Virus total detections 2/52*. MALWR** which downloads what looks like Dridex banking malware from http ://obstipatie .nu/43rf3dw/34frgegrg.exe (VirusTotal 3/54***)
    This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1454489431/

    ** https://malwr.com/analysis/ZGI5OWI1Z...FiN2FjNjdiYjA/

    *** https://www.virustotal.com/en/file/e...is/1454490157/
    TCP connections
    91.239.232.145: https://www.virustotal.com/en/ip-add...5/information/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Attached Image' SPAM - xls malware
    - http://myonlinesecurity.co.uk/attach...sheet-malware/
    3 Feb 2016 - "... another email with the subject of 'Attached Image' pretending to come from canon@ victimdomain .tld with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: canon@ victimdomain .tld
    Date: Wed 03/02/2016 10:38
    Subject: Attached Image
    Attachment: 1690_001 .xls


    Body content: Blank

    3 February 2016: 1690_001.xls - Current Virus total detections 2/52*
    .. same Dridex macro dropper, downloading the -same- Dridex banking malware that was described in this earlier post** from -same- locations. This one was from
    best-drum-set .com/43rf3dw/34frgegrg.exe ...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1454500546/

    ** http://myonlinesecurity.co.uk/gs-toi...ing-to-dridex/

    - http://blog.dynamoo.com/2016/02/malw...rom-canon.html
    3 Feb 2016 - "This spam pretends to come from the victim's own domain, but it doesn't. Instead it is a simple -forgery- with a malicious attachment.
    From: canon@ victimdomain .tld
    Date: 3 February 2016 at 12:09
    Subject: Attached Image


    There is no body text. Attached is a file 1690_001.xls of which I have seen a single variant with a detection rate of 9/54*. The Hybrid Analysis** shows it downloading an executable from:
    best-drum-set .com/43rf3dw/34frgegrg.exe
    This has a detection rate of 6/51 and is the -same- binary as used in this other spam attack today***."
    * https://www.virustotal.com/en/file/b...is/1454501819/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=4
    192.254.190.17

    *** http://blog.dynamoo.com/2016/02/malw...nvoice-si.html
    ___

    Tesco 'shop for free' – phish
    - http://myonlinesecurity.co.uk/tesco-...free-phishing/
    3 Feb 2016 - "An email saying 'Tesco is giving you a chance to shop for free' pretending to come from Tesco .com <info@ sets .com> is one of the latest phishing emails trying to -steal- your Tesco bank details... This one -only- wants your personal details, Tesco log-in details and your credit card and bank details... some of the screen shots are from this new phish, but others have been re-used from older versions that I have already blogged about, but are identical except for the site name in the URL bar. If you follow that link you see a webpage looking like:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x606.jpg
    Then you get a page asking to verify your mobile phone number:
    >> http://myonlinesecurity.co.uk/wp-con...2-1024x689.png
    After filling in that page you then get this one:
    >>> http://myonlinesecurity.co.uk/wp-con...1-1024x517.png
    Then this comes up... Any 5 digit number entered in the box gets you to the next page:
    >>>> http://myonlinesecurity.co.uk/wp-con...4-1024x568.png
    Then you get a page asking for password and Security number... After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... eventually it auto -redirects- you to the genuine Tesco bank site... -All- of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

    Last edited by AplusWebMaster; 2016-02-03 at 20:37.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #895

    Fake 'January balance', 'Swift Copy', 'Fuel Card E-bill' SPAM, Amazon PHISH

    FYI...

    Fake 'January balance' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/02/malw...ce-alison.html
    4 Feb 2016 - "This -fake- financial spam does not come from J. Thomson Colour Printers, but is instead a simple -forgery- with a malicious attachment:
    From Alison Smith [ASmith056@ jtcp .co.uk]
    Date Thu, 04 Feb 2016 10:52:21 +0300
    Subject "January balance £785"
    Hi,
    Thank you for your recent payment of £672.
    It appears the attached January invoice has been missed off of your payment. Could
    you please advise when this will be paid or if there is a query with the invoice?
    Regards
    Alison Smith
    Assistant Accountant ...


    The poor company being spoofed has already been hit by this attack recently... The email address of the sender varies from message to message. Attached is a file IN161561-201601.js which comes in at least -five- different versions (VirusTotal 0/53[1]..). This is a highly obfuscated script... and automated analysis of the various scripts [6].. shows that the macro downloads from the following locations (there may be more):
    ejanla .co/43543r34r/843tf.exe
    cafecl .1pworks.com/43543r34r/843tf.exe
    This binary has a detection rate of 2/52* and phones home to:
    62.76.191.108 (Clodo-Cloud / IT-House, Russia)
    Note that the whole 62.76.184.0/21 block is a haven for malware, but it does also have some legitimate Russian customers. You might want to consider blocking the entire range if your users don't need to visit Russian websites. The payload is the Dridex banking trojan, and although it is unusual to see a plain .js file spammed out like this, it is consistent with botnet 220."
    1] https://www.virustotal.com/en/file/2...is/1454576263/

    6] https://www.hybrid-analysis.com/samp...nvironmentId=1

    * https://www.virustotal.com/en/file/1...is/1454577822/
    TCP connections
    62.76.191.108
    13.107.4.50


    - http://myonlinesecurity.co.uk/januar...rs-js-malware/
    4 Feb 2016 - "... once again spoofing Alison Smith of J Thomson Colour Printers with an email with the subject of 'January balance £785' pretending to come from Alison Smith <ASmith5AC@ jtcp .co.uk> with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...5-1024x761.png

    4 February 2016: IN161561-201601.js - Current Virus total detections 0/52*
    MALWR** shows a download from http ://ejanla .co/43543r34r/843tf.exe which is highly likely to be Dridex banking malware. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1454576306/

    ** https://malwr.com/analysis/YWY2YzczY...dhNWE5OGEzN2Y/
    23.229.207.163
    62.76.191.108
    13.107.4.50

    ___

    Fake 'Swift Copy' SPAM - doc malware
    - http://myonlinesecurity.co.uk/reswif...-1761-exploit/
    4 Feb 2016 - "An email with the subject of 'Re: Swift Copy' pretending to come from Kim Raymonds <kimraymonds@ sssup .it> (probably random email addresses) with a malicious word doc attachment is another one from the current bot runs... This is using CVE-2014-1761 exploit* in unpatched versions of office and it doesn’t matter if you have macros turned off or not. If you are -not- patched, then you WILL be infected by this.
    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-1761 - 9.3 (HIGH)
    You also need to read the bottom paragraph of THIS page** to use additional settings to protect yourself against this & similar exploits...
    ** http://myonlinesecurity.co.uk/malfor...macro-viruses/
    The email looks like:
    From: Kim Raymonds <kimraymonds@ sssup .it>
    Date: Thu 04/02/2016 10:27
    Subject: Re:Swift Copy
    Attachment: Swift Copy.doc
    Dear
    My boss requested i should send the swift copy to you.
    Pls see the attached.
    Have a great day!
    Thanks,
    Kim Raymonds
    Office Manager


    4 February 2016: Swift Copy.doc - Current Virus total detections 23/52*
    MALWR** shows it downloads http ://andersonken479 .pserver .ru/doc.exe (VirusTotal 16/54***) which is some sort of banking Trojan and password stealer. One additional trick being played on you to infect you is that the downloaded doc.exe has an icon looking like a word doc, so if you accidentally open the original Swift Copy.doc, the doc.exe gets silently downloaded in the background and is supposed to autorun..."
    * https://www.virustotal.com/en/file/5...is/1454405380/

    ** https://malwr.com/analysis/M2Q5NzBjY...lmMzBmYjg0MTU/
    91.202.12.139: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/8d...d4c3/analysis/

    *** https://www.virustotal.com/en/file/4...is/1454514020/
    ___

    Fake 'Fuel Card E-bill' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/02/malw...rd-e-bill.html
    4 Feb 2016 - "This -fake- financial spam does not come from Fuel Card Services Ltd but is instead a simple -forgery- with a malicious attachment:
    From "Fuel Card Services" [adminbur@ fuelcardgroup .com]
    Date Thu, 04 Feb 2016 04:29:24 -0700
    Subject BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016 ...
    Account: B216552
    Please find your e-bill 0200442 for 31/01/2016 attached.
    To manage you account online please click ...
    If you would like to order more fuel cards please click ...
    If you have any queries, please do not hesitate to contact us.
    Regards
    Cards Admin.
    Fuel Card Services Ltd ...


    I have only seen one sample with an attachment named ebill0200442.xls which contains this malicious macro... which is different to recent Dridex macros, and is similar to one first seen yesterday. According to this Malwr report it downloads an executable from:
    www .trulygreen .net/43543r34r/843tf.exe
    ... also reported as a download location is:
    www .mraguas .com/43543r34r/843tf.exe
    If you look at the details of the Malwr report, it seems that the script creates a LOT of files all over the place. The dropped executable has a detection rate of 4/52* and this Hybrid Analysis** shows that it phones home to:
    62.76.191.108 (Clodo-Cloud / IT-House, Russia)
    This is the same IP address as seen earlier, but the payload has now changed. Blocking that IP would be wise, and I would suggest that blocking 62.76.184.0/21 is probably worth considering too."
    * https://www.virustotal.com/en/file/8...bc6d/analysis/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=4

    - http://myonlinesecurity.co.uk/bp-fue...sheet-malware/
    4 Feb 2016 - "... an email with the subject of 'BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016' pretending to come from 'Fuel Card Services <adminbur@ fuelcardgroup .com>' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Fuel Card Services <adminbur@ fuelcardgroup .com>
    Date: Thu 04/02/2016 12:31
    Subject: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016
    Attachment: ebill0200442.xls ...
    Account: B216552
    Please find your e-bill 0200442 for 31/01/2016 attached.
    To manage you account online please click ...
    If you would like to order more fuel cards please click ...
    If you have any queries, please do not hesitate to contact us.
    Regards
    Cards Admin...


    4 February 2016: ebill0200442.xls - Current Virus total detections 4/52*
    This will download Dridex banking Trojans from
    http ://www .mraguas .com/43543r34r/843tf.exe (VirusTotal 4/52**)
    Other locations so far discovered include
    http ://clothesmaxusa .com/43543r34r/843tf.exe
    http ://cluster007.ovh .net/~lelodged/43543r34r/843tf.exe
    http ://69.61.48.46 /43543r34r/843tf.exe
    http ://www .trulygreen .net/43543r34r/843tf.exe
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1454588668/

    ** https://www.virustotal.com/en/file/8...is/1454588381/
    ___

    Fake Amazon Mail - Phish ...
    - https://blog.malwarebytes.org/fraud-...t-information/
    Feb 4, 2016 - "From the mailbox: a -fake- Amazon mail which attempts to persuade the lucky recipient that they have the chance to win £10 in return for completing a quick survey. The mail, titled “ΙD: 569369943” and claiming to be from “members support” / message@ notice-amazon(dot)com, reads as follows:
    'As a valued customer we would like to present you with an opportunity to make a quick buck. We are offering £10 each to a selected number of customers in exchange for completing a quick survey relating to our service. Your opinions and thoughts are vital in order for us to provide the best possible service..'
    > https://blog.malwarebytes.org/wp-con...mznsignin0.jpg
    ... the link directed eager clickers from what looked to be a compromised home and gardens website (now offline) to:
    amazon-update-account-awd547324897457(dot)tube-gif-converter(dot)com/Login(dot)php
    ... where the site asked for Amazon login credentials:
    >> https://blog.malwarebytes.org/wp-con...mznsignin1.jpg
    After this, the next page requested full-payment-information including address, phone number, credit card details, sort code / bank-account-number and “security question” too. At time of writing, both the initial redirection site and the phishing page(s) are both down for the count. Of course, scammers will likely resurrect this fake Amazon £10 survey reward / swipe your banking information tactic elsewhere so it pays to have an idea what they’re up to at all times. At this point, we’d usually suggest looking out for the green padlock / verified identity advice typically given near the end of a “Don’t get phished” blog. However, HTTPS isn’t deployed across the entirety of Amazon – only the pages where it’s really needed, such as login / payment and so on. All the same, it’s good practice to check for a green padlock / identity information anytime you’re asked to login or submit potentially sensitive data. Follow these simple steps, and you’re probably going to be safe from this type of attack. As a final tip, be very wary around emails claiming you’ve been entered into surveys or competitions – and if you see well known brands sending you odd mails about “making a quick buck”, you may want to run the other way."

    notice-amazon(dot)com: 172.99.89.200: https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2016-02-04 at 18:48.

  6. #896

    Fake 'Scanned file', 'Invoices', 'Scanned Referral' SPAM

    FYI...

    Fake 'Scanned file' SPAM – JS malware
    - http://myonlinesecurity.co.uk/scanne...alware-dridex/
    8 Feb 2016 - "An email with the subject of 'Scanned file from Optivet Referrals' pretending to come from Optivet Referrals <reception@ mail13.wdc04.mandrillapp .com> on behalf of Optivet Referrals <reception@ optivet .com> with a .JS attachment is another one from the current bot runs... The email looks like:
    From: Optivet Referrals <reception@ mail13.wdc04.mandrillapp .com>; on behalf of; Optivet Referrals <reception@ optivet.com>
    Date: Mon 08/02/2016 08:08
    Subject: Scanned file from Optivet Referrals
    Attachment: 4060395693402.tiff.js
    Dear Sir/Madam
    Please find attached a document from Optivet Referrals.
    Yours faithfully
    The Reception Team at Optivet.
    Optivet Referrals Ltd. Company Reg. No. 06906314. Registered office: Calyx House, South Road, Taunton, Somerset. TA1 3DU
    Optivet Referrals Ltd. may monitor email traffic data and also the content of email for the purposes of security and staff training.
    This message is private and confidential. If you have received this message in error, please notify us and remove it from your system...


    8 February 2016: 4060395693402.tiff.js - Current Virus total detections 1/54*
    MALWR** shows it downloads Dridex banking Trojan from http ://zuhr-kreativ .com/98876hg5/45gt454h
    (VirusTotal 0/55***), which is downloaded as a text file; the javascript file renames it to pVSgp3Qo.scr (or another randomly named .scr file) and automatically runs it (VirusTotal 3/54[4]). This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like an image file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1454922441/

    ** https://malwr.com/analysis/YjkyNTBhZ...JkNTlkYThjMTE/
    50.87.89.243
    188.40.224.73
    184.28.188.112


    *** https://www.virustotal.com/en/file/3...is/1454923278/

    4] https://www.virustotal.com/en/file/9...is/1454923099/
    TCP connections
    188.40.224.73: https://www.virustotal.com/en/ip-add...3/information/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Invoices' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/02/malw...mentation.html
    8 Feb 2016 - "This -fake- financial spam does not come from Crosswater Holdings, but it is instead a simple -forgery- with a malicious attachment:
    From: CreditControl@ crosswater .co.uk
    Date: 8 February 2016 at 10:34
    Subject: Accounts Documentation - Invoices
    Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.
    If you have any queries please do not hesitate to contact the Credit Controller who deals with your account...


    Attached is a malicious script ~13190.js which comes in at least two different variants (VirusTotal [1] [2]). According to automated analysis [3]... these scripts download from:
    hydroxylapatites7.meximas .com/98876hg5/45gt454h
    80.109.240.71 /~l.pennings/98876hg5/45gt454h
    This drops an executable with a detection rate of 3/53[4] which appears to phone home** to:
    188.40.224.73 (NoTag, Germany)
    I strongly recommend that you -block- traffic to that IP address. The payload is likely to be the Dridex banking trojan."
    1] https://www.virustotal.com/en/file/9...is/1454938464/

    2] https://www.virustotal.com/en/file/2...is/1454938475/

    3] https://malwr.com/analysis/ZWJhYzY1Y...JlYzhmOGQ4ODA/
    31.170.165.165
    31.170.160.60


    * https://www.virustotal.com/en/file/d...is/1454938652/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=4
    80.109.240.71: https://www.virustotal.com/en/ip-add...1/information/
    188.40.224.73: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake 'Scanned Referral' SPAM - JS malware
    - http://myonlinesecurity.co.uk/scanne...alware-dridex/
    8 Feb 2016 - "An email with the subject of 'Scanned file from Optivet Referrals' pretending to come from Optivet Referrals <reception@ mail13.wdc04.mandrillapp .com>; on behalf of Optivet Referrals <reception@ optivet .com> with a .JS attachment is another one from the current bot runs... The email looks like:
    From: Optivet Referrals <reception@ mail13.wdc04.mandrillapp .com>; on behalf of; Optivet Referrals <reception@ optivet .com>
    Date: Mon 08/02/2016 08:08
    Subject: Scanned file from Optivet Referrals
    Attachment: 4060395693402.tiff.js
    Dear Sir/Madam
    Please find attached a document from Optivet Referrals.
    Yours faithfully
    The Reception Team at Optivet...


    8 February 2016: 4060395693402.tiff.js - Current Virus total detections 1/54*
    MALWR** shows it downloads Dridex banking Trojan from http ://zuhr-kreativ .com/98876hg5/45gt454h
    (VirusTotal 0/55***), which is downloaded as a text file; the javascript file -renames- it to pVSgp3Qo.scr (or another randomly named .scr file) and automatically runs it (VirusTotal 3/54[4]). This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like an image file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1454922441/

    ** https://malwr.com/analysis/YjkyNTBhZ...JkNTlkYThjMTE/
    50.87.89.243
    188.40.224.73
    184.28.188.112


    *** https://www.virustotal.com/en/file/3...is/1454923278/

    4] https://www.virustotal.com/en/file/9...is/1454923099/

    Last edited by AplusWebMaster; 2016-02-08 at 16:01.
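The "spoofed icon" trick running through the posts above (a .js or .scr hidden behind a document or image extension such as 4060395693402.tiff.js, or a script inside a zip whose name promises a PDF) is something a mail gateway can score from the file name alone. The triage below is an added example for this thread, not code from the quoted blogs or the forum; the extension lists, the quarantine threshold and the zip contents are constructed assumptions.

```python
"""Attachment-name triage for the lures described in these posts.

Added example for this thread, not code from the quoted blogs. It scores an
attachment the way a mail gateway might, using the two tricks the posts
describe: a script hidden behind a "document" or "image" extension
(4060395693402.tiff.js looks like a TIFF once Windows hides known
extensions) and a script shipped inside a zip whose name promises a PDF
(Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip). Thresholds are assumptions.
"""
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Extensions Windows runs on double-click; the posts mention .js, .scr and .exe
EXECUTABLE_EXTS = {"exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "hta", "cmd", "bat", "pif"}
# Extensions a recipient expects to be a harmless document or picture
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "tiff", "tif", "jpg", "png", "txt"}
QUARANTINE_THRESHOLD = 5  # assumed cut-off


@dataclass
class Verdict:
    name: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def classify_name(name: str) -> Verdict:
    """Score a bare file name, i.e. what the recipient sees in the mail client."""
    v = Verdict(name)
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return v  # no extension at all: nothing to judge by name
    final, inner = parts[-1], parts[1:-1]
    if final in EXECUTABLE_EXTS:
        v.score += 3
        v.reasons.append(f"executable extension .{final}")
        if any(p in DECOY_EXTS for p in inner):
            # Double extension: the decoy part is all the user sees when
            # "show known file extensions" is off.
            v.score += 3
            v.reasons.append("decoy document/image extension in front of it")
    return v


def classify_attachment(name: str, data: bytes = b"") -> Verdict:
    """Score an attachment; for .zip containers also inspect the member names."""
    v = classify_name(name)
    if not name.lower().endswith(".zip") or not data:
        return v
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        v.score += 2
        v.reasons.append("named .zip but not a valid zip archive")
        return v
    for m in members:
        mv = classify_name(m)
        if mv.score:
            # Any runnable member is suspicious on its own, on top of its name score
            v.score += mv.score + 2
            v.reasons.append(f"runnable member {m}: " + "; ".join(mv.reasons))
    # "Invoice.pdf.zip" that contains no PDF: the outer name is itself a lure
    stem = name.lower()[:-4].split(".")
    if (len(stem) > 1 and stem[-1] in DECOY_EXTS and members
            and not any(m.lower().endswith("." + stem[-1]) for m in members)):
        v.score += 2
        v.reasons.append(f"zip name promises .{stem[-1]} but holds none")
    return v


def should_quarantine(v: Verdict, threshold: int = QUARANTINE_THRESHOLD) -> bool:
    return v.score >= threshold


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip (constructed test input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # File names from the posts; the zip contents are constructed stand-ins.
    samples = [
        ("4060395693402.tiff.js", b""),
        ("Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip",
         build_zip({"invoice_id6395788111.js": b"// constructed stand-in"})),
        ("Invoice MOJU-0939.zip",
         build_zip({"invoice_id4050638124.js": b"// constructed stand-in"})),
        ("1690_001.xls", b""),  # macro lure: needs content inspection, not name checks
    ]
    for n, d in samples:
        verdict = classify_attachment(n, d)
        flag = "QUARANTINE" if should_quarantine(verdict) else "pass      "
        print(f"{flag} {verdict.score:>2}  {n}  {verdict.reasons}")
```

Name checks say nothing about the macro-bearing .doc/.xls lures in the same posts; those need content inspection, which this example leaves out.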

  7. #897

    Fake -blank subject-, 'statement' SPAM

    FYI...

    Fake -blank subject- SPAM - malicious attachment
    - http://myonlinesecurity.co.uk/empty-...alware-dridex/
    Feb 9, 2016 - "... an email with no subject pretending to come from accounts_do_not_reply@ aldridgesecurity .co.uk with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: accounts_do_not_reply@ aldridgesecurity .co.uk
    Date: Tue 09/02/2016 08:07
    Subject: NONE
    Attachment: document2016-02-09-103153.doc
    Body content:
    Accounts


    9 February 2016: document2016-02-09-103153.doc - Current Virus total detections 5/54*
    Downloads Dridex banking malware from http ://promo.clickencer .com/4wde34f/4gevfdg (VirusTotal 0/54**) which is saved/downloaded as a text file and converted to label8.exe (VirusTotal 0/54***) by the macro and then autorun - MALWR[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1455008860/

    ** https://www.virustotal.com/en/file/2...is/1455010031/

    *** https://www.virustotal.com/en/file/2...is/1455010031/

    4] https://malwr.com/analysis/NmFjMTM0Z...kwMmI4NWQ5NTg/
    66.7.195.81
    50.56.184.194
    184.25.56.42


    - http://blog.dynamoo.com/2016/02/malw...-accounts.html
    Feb 9, 2016 - "This rather terse spam does not come from Aldridge Security but it is instead a simple forgery with a malicious attachment. There is no subject.
    From [accounts_do_not_reply@ aldridgesecurity .co.uk]
    Date Tue, 09 Feb 2016 10:31:14 +0200
    Subject
    Accounts


    I have only seen a single sample with an attachment document2016-02-09-103153.doc which has a VirusTotal detection rate of 5/54*. Automated analysis [1] [2] shows that it downloads a malicious executable from:
    promo.clickencer .com/4wde34f/4gevfdg
    This has a detection rate of 5/54**. Those analyses indicate that the malware phones home to:
    50.56.184.194 (Rackspace, US)
    I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
    * https://www.virustotal.com/en/file/e...is/1455011714/

    1] https://malwr.com/analysis/NmFjMTM0Z...kwMmI4NWQ5NTg/

    2] https://www.hybrid-analysis.com/samp...nvironmentId=4

    ** https://www.virustotal.com/en/file/e...is/1455011714/
    ___

    Fake 'statement' SPAM - doc malware jpg
    - http://myonlinesecurity.co.uk/fwnibh...ed-from-a-jpg/
    9 Feb 2016 - "An email with the subject of 'Fw:Nibh Donec Est LLC. statement' pretending to come from random senders at random email addresses with a malicious word doc attachment is another one from the current bot runs... The company in the subject matches the company in the body. The subjects vary but are all related to statements. Some subjects include:
    Fw:Nibh Donec Est LLC. statement
    Fwd:Quis Massa Mauris PC. statement
    Re:Tellus Aenean LLP – statement
    Aliquet Lobortis LLC – statement

    The email looks like:
    From: Brittany Hood <gerados@gerados .info>
    Date: Tue 09/02/2016 06:06
    Subject: Fw:Nibh Donec Est LLC. statement
    Attachment: 62YDP.doc
    Please find attached a statement
    Best regards
    Nibh Donec Est LLC
    Brittany Hood


    9 February 2016: 62YDP.doc - Current Virus total detections 2/54*
    MALWR** shows a download from http ://inroadsdevelopment .us/ht.jpg?RZ9lqw4jFWvx=35 which delivers ht.jpg (VirusTotal 9/53***) which is decoded by a combination of the -macro- in the word doc and a dropped/extracted VBS file 12047.vbs (VirusTotal 1/51[4]) to give you 1204745.exe (VirusTotal 5/54[5])...
    inroadsdevelopment .us: 192.185.16.61: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/68...c1cd/analysis/
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1454998395/

    ** https://malwr.com/analysis/NDY5MDQxY...MwN2IwNjUzNzY/

    *** https://www.virustotal.com/en/file/7...is/1454998178/

    4] https://www.virustotal.com/en/file/a...is/1454999501/

    5] https://www.virustotal.com/en/file/7...is/1454999510/

    Last edited by AplusWebMaster; 2016-02-09 at 14:53.
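Two traits recur in the download locations quoted in the last few posts: one URI path is served from many unrelated compromised hosts, and the newer waves fetch the payload as an extension-less "text file" that the macro or script then renames to .exe or .scr. The proxy-log hunt below is an added example, not code from the quoted blogs; the log lines are constructed from hosts and paths named in the posts, and the squid-like layout and the size threshold are assumptions.

```python
"""Proxy-log hunt for the download pattern reported across these posts.

Added example for this thread, not code from the quoted blogs. Two traits
recur in the posts: one URI path (/43rf3dw/34frgegrg.exe, /43543r34r/843tf.exe,
/98876hg5/45gt454h, /4wde34f/4gevfdg) is served from many unrelated
compromised hosts, and the newer waves fetch the binary as a "text file"
with no extension before the macro or script renames it to .exe/.scr.
The log below is constructed in a squid-like layout: epoch client status
bytes method url content-type. The size threshold is an assumption.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit

CONSTRUCTED_LOG = """\
1454494549.101 10.1.2.3 200 314872 GET http://obstipatie.nu/43rf3dw/34frgegrg.exe application/octet-stream
1454494552.411 10.1.2.9 200 314872 GET http://bjhaggerty.com/43rf3dw/34frgegrg.exe application/octet-stream
1454494560.002 10.1.2.3 200 5123 GET http://www.example.com/index.html text/html
1454577822.730 10.1.4.7 200 298004 GET http://ejanla.co/43543r34r/843tf.exe application/x-msdownload
1454577830.115 10.1.4.8 200 298004 GET http://www.mraguas.com/43543r34r/843tf.exe application/x-msdownload
1454922441.900 10.1.7.1 200 301056 GET http://zuhr-kreativ.com/98876hg5/45gt454h text/plain
1454938464.222 10.1.7.4 200 301056 GET http://80.109.240.71/~l.pennings/98876hg5/45gt454h text/plain
1455010031.500 10.1.9.2 200 287744 GET http://promo.clickencer.com/4wde34f/4gevfdg text/plain
1454922450.000 10.1.7.1 200 1024 GET http://cdn.example.net/static/app.js text/plain
1454922455.000 10.1.7.2 200 2048 GET http://files.example.org/downloads/readme text/plain
"""


class Record(NamedTuple):
    ts: float
    client: str
    status: int
    size: int
    url: str
    host: str
    path_key: str  # last two path segments, e.g. "43rf3dw/34frgegrg.exe"
    ctype: str


def parse_line(line: str) -> Record:
    ts, client, status, size, _method, url, ctype = line.split()
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    return Record(float(ts), client, int(status), int(size), url,
                  parts.hostname or "", "/".join(segments[-2:]), ctype)


def parse_log(text: str) -> List[Record]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_shared_paths(records: List[Record], min_hosts: int = 2) -> Dict[str, List[str]]:
    """Path keys served by at least `min_hosts` distinct hosts.

    Legitimate sites rarely share a two-level path like 43543r34r/843tf.exe;
    a botnet's drop sites all do, because the same kit is uploaded everywhere.
    The key uses the last two segments so /~user/98876hg5/45gt454h still matches.
    """
    hosts_by_key = defaultdict(set)
    for r in records:
        if r.status == 200:
            hosts_by_key[r.path_key].add(r.host)
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) >= min_hosts}


def find_disguised_binaries(records: List[Record], min_bytes: int = 100_000) -> List[str]:
    """Large text/plain responses for an extension-less path: the 'downloaded
    as a text file and renamed' stage the posts describe."""
    hits = []
    for r in records:
        last = r.path_key.rsplit("/", 1)[-1]
        if (r.status == 200 and r.ctype.startswith("text/plain")
                and "." not in last and r.size >= min_bytes):
            hits.append(r.url)
    return hits


if __name__ == "__main__":
    recs = parse_log(CONSTRUCTED_LOG)
    for key, hosts in find_shared_paths(recs).items():
        print(f"shared path {key!r} on {len(hosts)} hosts: {', '.join(hosts)}")
    for url in find_disguised_binaries(recs):
        print(f"extension-less text/plain download: {url}")
```

Both checks are heuristics to be tuned on your own baseline; the shared-path test is the more robust of the two, since it does not depend on the server's content-type.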

  8. #898

    Fake 'SERVICE SHEET', 'New Doc 115', 'Message', 'DHL' SPAM

    FYI...

    Fake 'SERVICE SHEET' SPAM - doc malware
    - http://myonlinesecurity.co.uk/emaili...d-doc-malware/
    10 Feb 2016 - "An email with the subject of 'Emailing: MX62EDO 10.02.2016' pretending to come from documents@ dmb-ltd .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: documents@ dmb-ltd .co.uk
    Date: Wed 10/02/2016 08:18
    Subject: Emailing: MX62EDO 10.02.2016
    Attachment: MX62EDO 10.02.2016.doc
    Your message is ready to be sent with the following file or link
    attachments:
    MX62EDO 10.02.2016 SERVICE SHEET
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled...


    10 February 2016: MX62EDO 10.02.2016.doc - Current Virus total detections 5/54*
    MALWR** shows us a download of Dridex banking malware from
    http ://g-t-c .co.uk/09u8h76f/65fg67n (VirusTotal 0/54***), which is once again, as seen in previous runs this last week, downloaded as a text file and -renamed- by the macro and saved to \%temp%\label8.exe where it is autorun (VirusTotal 4/54[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1455095855/

    ** https://malwr.com/analysis/NTNlNTdkO...M5ZWIwMmM2NGU/
    185.11.240.14
    87.229.86.20
    13.107.4.50


    *** https://www.virustotal.com/en/file/0...is/1455096865/

    4] https://www.virustotal.com/en/file/0...is/1455097168/
    TCP connections
    87.229.86.20: https://www.virustotal.com/en/ip-add...0/information/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/

    - http://blog.dynamoo.com/2016/02/malw...-10022016.html
    10 Feb 2016
    "... Recommended blocklist:
    87.229.86.20
    50.56.184.194
    144.76.73.3
    "
    ___

    Fake 'New Doc 115' SPAM - doc malware
    - http://myonlinesecurity.co.uk/new-do...d-doc-malware/
    10 Feb 2016 - "... an email with the subject of 'New Doc 115' pretending to come from admin <ali73_20081475@ yahoo .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: admin <ali73_20081475@ yahoo .co.uk>
    Date: Wed 10/02/2016 11:02
    Subject: New Doc 115
    Attachment: New Doc 115.doc
    Sent from Yahoo Mail on Android


    10 February 2016: New Doc 115.doc - Current Virus total detections 5/54*
    .. -same malware- and -same- download locations as today’s earlier malspam run** ..."
    * https://www.virustotal.com/en/file/f...is/1455101427/

    ** http://myonlinesecurity.co.uk/emaili...d-doc-malware/
    ___

    Fake 'Message' SPAM - xls malware
    - http://myonlinesecurity.co.uk/messag...sheet-malware/
    10 Feb 2016 - "... an email with the subject of 'Message from KMBT_C224' pretending to come from copier @ your own company or email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: copier@ victimdomain .tld
    Date: Wed 10/02/2016 12:20
    Subject: Message from KMBT_C224
    Attachment: SKMBT_C22416020417390.xls


    Body content: Empty

    10 February 2016: SKMBT_C22416020417390.xls - Current Virus total detections 5/54*
    MALWR** shows what should be a download of Dridex banking malware from
    http ://toptut .ru/09u8h76f/65fg67n - however when I tried, I got a '404 not found'.
    NOTE: there -will- be other download locations in different versions of this... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1455110388/

    ** https://malwr.com/analysis/YjQ5N2QzM...JkMDAyNTRlMDc/
    85.10.201.19

    toptut .ru: 85.10.201.19: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake 'DHL' SPAM - Teslacrypt
    - http://myonlinesecurity.co.uk/dhl-de...re-teslacrypt/
    10 Feb 2016 - "An email with the subject of 'DHL DeliverNow Notification Card on lost shipment (Third Notification)' pretending to come from DHL DeliverNow Network <zkfwgyh@ grafeia-teleton-kyriakidis .gr> (probably random email addresses with sender spoofed as DHL) with a zip attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...--1024x769.png

    25 February 2016: DHL_Notification_card.zip: Extracts to: file.zip which extracts to invoice_m7BNUn.js
    Current Virus total detections 3/55*. MALWR** shows a download of what looks like Teslacrypt from either http ://fromjamaicaqq .com/26.exe or http ://greetingsfromitaff .com/26.exe (VirusTotal 4/55***).
    This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1455124017/

    ** https://malwr.com/analysis/NjY1MWFhM...dhZTg5N2E2OGQ/
    173.82.74.197
    192.3.186.222


    *** https://www.virustotal.com/en/file/5...is/1455124442/

    Last edited by AplusWebMaster; 2016-02-10 at 20:51.

  9. #899

    Fake 'Unpaid Invoice', 'Confirmation', 'Office Direct', 'Scan', 'SagePayInvoice' SPAM

    FYI...

    Fake 'Unpaid Invoice' SPAM - JS malware
    - http://myonlinesecurity.co.uk/int242...om-js-malware/
    11 Feb 2016 - "An email with the subject of 'INT242343 Unpaid Invoice – Your Services May Be Suspended' pretending to come from payments <payments@ wavenetuk .com> with a zip attachment is another one from the current bot runs... The email looks like:
    From: payments <payments@ wavenetuk .com>
    Date: Thu 11/02/2016 08:38
    Subject: INT242343 Unpaid Invoice – Your Services May Be Suspended
    Attachment: OutstandingStatement201602111650.js
    PLEASE NOTE: THIS IS A NO REPLY EMAIL ACCOUNT
    Dear Customer Please find attached to this email your statement You can view the invoices listed on our e-billing site at www .netbills .co.uk If you have any queries regarding use of the e-billing site or this statement please call us on 08444 12 7777.
    Accounts Department Wavenet Group Incorporating – Titan Technology, Centralcom and S1 Network Services Tel 08444127777 ...


    11 February 2016: OutstandingStatement201602111650.js - Current Virus total detections 0/54*
    MALWR** shows a download of Dridex banking malware from
    http ://aforbescompany .com/09u8h76f/65fg67n which once again is a text file that the javascript saves to & renames to %Temp%\sREKjVas.scr or another random named file (VirusTotal 2/55***)
    Other download locations so far discovered include: http ://gp-training .net/09u8h76f/65fg67n ... This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1455183429/

    ** https://malwr.com/analysis/YzQxYzFjZ...UxMmJmODY2MWQ/
    69.89.31.158
    87.229.86.20
    184.25.56.44


    *** https://www.virustotal.com/en/file/b...is/1455183938/
    TCP connections
    87.229.86.20: https://www.virustotal.com/en/ip-add...0/information/
    88.221.14.11: https://www.virustotal.com/en/ip-add...1/information/

    - http://blog.dynamoo.com/2016/02/malw...d-invoice.html
    11 Feb 2016 - "This spam does not come from Wavenet Group but is instead a simple -forgery- with a malicious attachment:
    From payments [payments@ wavenetuk .com]
    Date Thu, 11 Feb 2016 15:14:59 +0530
    Subject INT242343 Unpaid Invoice - Your Services May Be Suspended
    PLEASE NOTE: THIS IS A NO REPLY EMAIL ACCOUNT
    Dear Customer
    Please find attached to this email your statement
    You can view the invoices listed on our e-billing site at www .netbills .co.uk
    If you have any queries regarding use of the e-billing site or this statement please
    call us on 08444 12 7777.
    Accounts Department
    Wavenet Group
    Incorporating - Titan Technology, Centralcom and S1 Network Services
    Tel 08444127777 ...


    I have only seen a single sample of this with an attachment OutstandingStatement201602111650.js which has a VirusTotal detection rate of 0/53*. The Malwr analysis shows that this script downloads an executable from:
    gp-training .net/09u8h76f/65fg67n
    There are probably a few other download locations. This binary has a detection rate of 2/54**. The Malwr report also indicates that it phones home to:
    87.229.86.20 (ZNET Telekom Zrt, Hungary)
    I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
    * https://www.virustotal.com/en/file/4...is/1455185997/

    ** https://www.virustotal.com/en/file/b...is/1455186992/
    TCP connections
    87.229.86.20: https://www.virustotal.com/en/ip-add...0/information/
    88.221.14.11: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Confirmation' SPAM - doc malware
    - http://myonlinesecurity.co.uk/confir...d-doc-malware/
    11 Feb 2016 - "An email with the subject of 'Confirmation' pretending to come from sales@ writeonltd .co.uk with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...d-1024x775.png

    11 February 2016: Sales_Order_Confirmation__Priced_SORD00137058.doc - Current Virus total detections 5/55*
    MALWR** is once again showing an attempted download from
    http ://maraf0n.vv .si/09u8h76f/65fg67n which is giving a 404 not found and diverts to Russian hosting company home page... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1455188335/

    ** https://malwr.com/analysis/NmY4NGE1M...UxY2EzODVlMzE/
    31.170.164.132: https://www.virustotal.com/en/ip-add...2/information/
    31.170.160.60: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Office Direct' SPAM - doc malware
    - http://myonlinesecurity.co.uk/uk-off...d-doc-malware/
    11 Feb 2016 - "An email with the subject of 'UK Office Direct A/C OD04450155' pretending to come from office@ ukofficedirect .co.uk with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...5-1024x767.png

    11 February 2016: Invoice_INV8000288979.doc - Current Virus total detections 5/54*
    MALWR** shows an attempted download from http ://maraf0n.vv .si/09u8h76f/65fg67n but like all the others this morning is giving a 404 and redirects to Russian hosting company home page... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1455187463/

    ** https://malwr.com/analysis/YWE2NzU5Y...ExMDM3MmUzZGE/
    31.170.164.132: https://www.virustotal.com/en/ip-add...2/information/
    31.170.160.60: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Scan' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/02/malw...50-please.html
    11 Feb 2016 - "This -fake- document -scan- leads to malware. It appears to originate from within the victim's own domain, but it is just a simple forgery.
    From: scanner@ victimdomain .tld
    Date: 11 February 2016 at 10:24
    Subject: Scan from KM1650
    Please find attached your recent scan


    Attached is a file =SCAN7318_000.DOC which seems to come in several different varieties (sample VirusTotal results [1]..). The Malwr reports [4].. indicate that the macro in the document downloads a malicious executable from:
    maraf0n.vv .si/09u8h76f/65fg67n
    www .sum-electronics .co.jp/09u8h76f/65fg67n
    The dropped executable has a detection rate of 2/54*. As with this earlier spam run** it phones home to:
    87.229.86.20 (ZNET Telekom Zrt, Hungary)
    -Block- traffic to that IP. The payload is the Dridex banking trojan."
    1] https://www.virustotal.com/en/file/d...is/1455191710/

    4] https://malwr.com/analysis/MGQzODg3Z...AzZDg0YWIxMWY/

    * https://www.virustotal.com/en/file/b...is/1455192649/
    TCP connections
    87.229.86.20: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/00...23cb/analysis/
    88.221.14.11: https://www.virustotal.com/en/ip-add...1/information/

    ** http://blog.dynamoo.com/2016/02/malw...d-invoice.html
    ___

    Fake 'Sage Pay Invoice' SPAM - xls malware
    - http://myonlinesecurity.co.uk/your-s...sheet-malware/
    11 Feb 2016 - "An email with the subject of 'Your Sage Pay Invoice INV00318132' pretending to come from Sagepay EU <accounts@ sagepay .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Sagepay EU <accounts@ sagepay .com>
    Date: Thu 11/02/2016 13:01
    Subject: Your Sage Pay Invoice INV00318132
    Attachment: INV00318132_V0072048_12312014.xls
    Please find attached your invoice.
    We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones. You should have already received an email that outlined the changes, however if you have any questions please contact ...


    11 February 2016: INV00318132_V0072048_12312014.xls - Current Virus total detections 4/54*
    MALWR** shows a download of Dridex banking malware from
    http ://www .phraseculte .fr/09u8h76f/65fg67n (VirusTotal 3/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1455199262/

    ** https://malwr.com/analysis/MTllNjllN...MyNjE0ODA2ZmY/
    46.21.207.156
    84.38.67.231
    13.107.4.50


    *** https://www.virustotal.com/en/file/f...is/1455198516/
    TCP connections
    84.38.67.231: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/8a...f65b/analysis/
    104.86.111.136: https://www.virustotal.com/en/ip-add...6/information/

    - http://blog.dynamoo.com/2016/02/malw...y-invoice.html
    11 Feb 2016 - "... a simple -forgery- with a malicious attachment... Attached is a file INV00318132_V0072048_12312014.xls which appears to come in a wide variety of different versions (at least -11-). The VirusTotal detection rate for a subset of these is 6/54[1]... Only a single Malwr report* seemed to work, indicating the macro downloading from:
    www .phraseculte .fr/09u8h76f/65fg67n
    This dropped executable has a detection rate of 3/54**. The Malwr report shows it phoning home to:
    84.38.67.231 (ispOne business GmbH, Germany)
    I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
    1] https://www.virustotal.com/en/file/c...23ee/analysis/

    * https://malwr.com/analysis/MTllNjllN...MyNjE0ODA2ZmY/
    46.21.207.156
    84.38.67.231
    13.107.4.50


    ** https://www.virustotal.com/en/file/f...is/1455203414/
    TCP connections
    84.38.67.231: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/8a...f65b/analysis/
    104.86.111.136: https://www.virustotal.com/en/ip-add...6/information/
    ___

    We might use your 'IoT stuff' to spy on you ...
    - https://nakedsecurity.sophos.com/201...james-clapper/
    Feb 11, 2016 - "... think that it could be 'Big Brother' doing the eyeballing, be it through your internet-connected fridge, your toothbrush, or your TV... the Internet of Things, or IoT: that collection of connected gadgets that have plenty of 'neat-o!' factor but which, all too often, are pockmarked with security holes:
    > https://nakedsecurity.sophos.com/201...nt-to-get-off/
    ... IoT refers to a whole class of day-to-day 'things' that are now being offered with built-in network connectivity. These everyday objects can directly hook into the internet, all on their own, rather than needing to first be plugged into a computer connected to the internet. The emergence of the IoT has been accompanied by a torrent of stories about security researchers and malicious hackers breaking into all manner of objects... We’ve seen issues with connected kettles, TVs, lightbulbs, thermostats, refrigerators and baby monitors that have all been designed without adherence to the information security principle of least privilege:
    > https://en.wikipedia.org/wiki/Princi...east_privilege
    But one person’s security hole is another person’s opportunity. To intelligence agencies, IoT devices could illuminate an environment that they claim is 'going dark' due to new forms of encryption being used in consumer products and services... Wired* quoted remarks he made at a summit for In-Q-Tel, the CIA’s venture capital firm:
    'Transformational' is an overused word, but I do believe it properly applies to these technologies, particularly to their effect on clandestine tradecraft' ..."
    * http://www.wired.com/2012/03/petraeus-tv-remote/
    ___

    Malware Found in 3rd Party App Stores
    - http://blog.trendmicro.com/trendlabs...ty-app-stores/
    Feb 10, 2016 - "... Because some users have concerns with the app giant Google Play, they choose to download apps from third-party stores. For instance, there are no region locks for apps in some third-party app stores. Some developers of paid apps even partner with third-party app stores with purchase capability to give those who download from the partnered store considerable discounts. Third-party app stores can also be the preferred store due to its popularity in a specific region. Android users have to keep in mind that installing apps from these third-party app stores requires users to allow the installation from 'unknown sources'. Malicious apps have a history of popping up from these third party websites, a reason why it is often recommended that Android users -must- stick to Google Play. Because of Google’s security measures, we believe it is the safest platform for downloading apps. It is worth noting, however, that third-party app stores are implementing means to tighten their security.

    Malicious apps were recently seen making the rounds in some third-party app stores. They spoof popular apps, increasing the chances of getting selected and downloaded. These include popular mobile games, mobile security apps, camera apps, music streaming apps, and so on. They even share the exact same package and certification with their Google Play counterpart... However, the malware only downloads and installs other apps -without- the user’s knowledge. These secretly downloaded apps will then present themselves as ads luring users to downloading other apps from time to time. It can also be used to collect user data and forward them to the attacker. Based on the data from our Trend Micro Mobile App Reputation Service, there are -1,163- malicious APKs detected as ANDROIDOS_ LIBSKIN.A. In addition, between January 29 and February 1, malicious apps detected as this malware have been downloaded in -169- countries and can be found in -four- third party app stores, namely Aptoide, Mobogenie, mobile9, and 9apps. We have already contacted these stores and informed them about these threats, but as of this writing, we have yet to receive any confirmation from their end...
    > https://blog.trendmicro.com/trendlab...us-apps-01.png
    ... The popups lure users into clicking-unwanted-apps. Clicking-on-the-ads may not necessarily lead the user to the respective app or site. Other than that, ANDROIDOS_ LIBSKIN.A can also collect users’ data and send them back to a remote malicious user. This includes data about the user’s phone, subscription IDs, device ID, language, network type, apps running, network name, and so on... we do warn users to approach downloading apps with caution. One option that users may do to avoid downloading fake apps is to download the app from the developer’s website. They may also check the -reputation- of the store before downloading anything..."

    Last edited by AplusWebMaster; 2016-02-11 at 22:31.

  10. #900

    Fake 'DVSA', 'Fuelcard' SPAM

    FYI...

    Fake 'DVSA' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/02/malw...a-receipt.html
    12 Feb 2016 - "This spam email does not come from a UK government agency, but is instead a simple -forgery- with a malicious attachment. Note that the sender's email address seems to vary slightly, but all are spoofed to come from vosa.gsi .gov.uk.
    From FPO.CC.15@ vosa.gsi .gov.uk
    Date Fri, 12 Feb 2016 12:47:20 +0300
    Subject DVSA RECEIPT
    Good afternoon
    Please find attached your receipt, sent as requested.
    Kind regards
    (See attached file)
    Fixed Penalty Office
    Driver and Vehicle Standards Agency ...


    Attached is a file Fixed Penalty Receipt.docm which comes in at least -ten- different variants... I captured two samples with detection rate of about 3/54 [1] [2] and the Malwr reports for those [3] [4] indicate the macro in the document downloads a malicious executable from:
    raysoft .de/09u8h76f/65fg67n
    xenianet .org/09u8h76f/65fg67n
    steinleitner-online.net/09u8h76f/65fg67n [reported here (5)]
    This dropped file has a detection rate of 5/54* ... This Hybrid Analysis report** indicates subsequent traffic to:
    192.100.170.19 (Universidad Tecnologica de la Mixteca, Mexico)
    87.229.86.20 (ZNET Telekom Zrt, Hungary)
    84.38.67.231 (ispOne business GmbH, Germany)
    The payload is the Dridex banking trojan.
    Recommended blocklist:
    192.100.170.19
    87.229.86.20
    84.38.67.231
    "
    1] https://www.virustotal.com/en/file/5...is/1455274179/

    2] https://www.virustotal.com/en/file/d...is/1455275696/

    3] https://malwr.com/analysis/YzMzNTQ1M...I2MTUyM2E5MjQ/

    4] https://malwr.com/analysis/OGFjN2VlZ...RiMTQyODdhMzA/

    5] https://www.virustotal.com/en/file/f...is/1455274504/

    * https://www.virustotal.com/en/file/f...is/1455274504/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=4
    ___

    Fake 'Fuelcard' SPAM - doc/xls malware
    - http://myonlinesecurity.co.uk/your-l...eet-malware-2/
    12 Feb 2016 - "An email with the subject of 'Your latest invoice' from The Fuelcard Company UK Ltd pretending to come from customerservice@ fuelcards .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: customerservice@ fuelcards .co.uk
    Date: Fri 12/02/2016 10:16
    Subject: Your latest invoice from The Fuelcard Company UK Ltd
    Attachment: invoice.xls
    Please find your latest invoice attached.
    If you have any queries please do not hesitate to contact our Customer Service Team at customerservice@fuelcards.co.uk
    Regards
    The Fuelcard Compa
    The Fuelcard Company UK Ltd ...


    12 February 2016: invoice.xls - Current Virus total detections 5/53*
    MALWR** shows a download of what is almost certainly Dridex Banking Trojan from
    http ://web82 .snake.kundenserver42 .de/09u8h76f/65fg67n (VirusTotal 5/53***)
    Other download locations include: http ://raysoft .de/09u8h76f/65fg67n
    http ://steinleitner-online .net/09u8h76f/65fg67n
    http ://www .xenianet .org/09u8h76f/65fg67n
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1455275820/

    ** https://malwr.com/analysis/ZDRiNDVlO...UxZGJjNTA2OTQ/
    195.93.200.140
    192.100.170.19
    13.107.4.50


    *** https://www.virustotal.com/en/file/f...is/1455276505/
    TCP connections
    192.100.170.19
    13.107.4.50
    87.229.86.20


    - http://blog.dynamoo.com/2016/02/malw...oice-from.html
    12 Feb 2016 - "... Hybrid Analysis* shows that this particular sample downloads from:
    legismar .com/09u8h76f/65fg67n
    This is the -same- executable as found in this earlier spam run**."
    * https://www.hybrid-analysis.com/samp...nvironmentId=4

    ** http://blog.dynamoo.com/2016/02/malw...a-receipt.html

    Last edited by AplusWebMaster; 2016-02-12 at 16:17.
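    As an added defender-side example (not code from this thread or from the blogs it quotes), the Python below checks proxy log lines against the two indicators that repeat across posts #898 to #900 above: the download path /09u8h76f/65fg67n shared by every listed dropper host, and the IPs the quoted dynamoo.com posts recommend blocking. The log line format, the client addresses and the sample lines are constructed assumptions; the dropper hostname in the sample is a placeholder.

```python
"""Flag proxy log lines that match the Dridex malspam indicators quoted in
the posts above.  Added illustration: the log format and sample lines are
constructed, not taken from the thread."""
import re
from ipaddress import ip_address
from typing import Iterator, List, NamedTuple
from urllib.parse import urlsplit

# Download path shared by every dropper host in the quoted reports; the
# hosts changed from day to day, the path did not.
DOWNLOAD_PATHS = {"/09u8h76f/65fg67n"}

# "Recommended blocklist" IPs from the quoted dynamoo.com posts (C2 phone-home).
BLOCKLIST = {
    "87.229.86.20",    # ZNET Telekom Zrt, Hungary
    "84.38.67.231",    # ispOne business GmbH, Germany
    "192.100.170.19",  # Universidad Tecnologica de la Mixteca, Mexico
}

# Constructed line format: "<timestamp> <client_ip> <dest_ip> <method> <url>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)


class Alert(NamedTuple):
    client: str     # internal host that made the request
    reason: str     # which indicator matched
    indicator: str  # the matching value, for the analyst


def scan_line(line: str) -> Iterator[Alert]:
    """Yield one Alert per indicator matched by a single log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return  # unparseable line: skip rather than abort on a noisy log
    client, dest, url = m["client"], m["dest"], m["url"]
    try:
        ip_address(dest)
    except ValueError:
        return  # destination is not an IP literal; nothing to compare
    if dest in BLOCKLIST:
        yield Alert(client, "blocklisted-ip", dest)
    # Match on the path only, so a new host serving the same path is caught.
    if urlsplit(url).path in DOWNLOAD_PATHS:
        yield Alert(client, "known-dropper-path", url)


def scan_log(lines) -> List[Alert]:
    """Run scan_line over an iterable of log lines and collect the alerts."""
    return [alert for line in lines for alert in scan_line(line)]


# Constructed sample log: one benign request, one dropper fetch from a
# placeholder host, two phone-home connections, one unparseable line.
SAMPLE_LOG = """\
2016-02-11T08:40:01Z 10.0.0.15 93.184.216.34 GET http://example.com/index.html
2016-02-11T08:41:12Z 10.0.0.15 203.0.113.7 GET http://dropper-host.example/09u8h76f/65fg67n
2016-02-11T08:41:19Z 10.0.0.15 87.229.86.20 POST http://87.229.86.20/
2016-02-11T08:42:00Z 10.0.0.22 84.38.67.231 POST http://84.38.67.231/
this line is not in the expected format
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert)
```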
