
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #911
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'March Invoice', 'Your Order', 'MX62EDO' SPAM, Tesco Bank Phish

    FYI...

    Fake 'March Invoice' SPAM - Locky ransomware
    - http://blog.dynamoo.com/2016/03/malw...kan-dream.html
    1 Mar 2016 - "This -fake- financial spam can't make up its mind which month it is for.
    From: Caitlin Velez
    Date: 1 March 2016 at 11:50
    Subject: March Invoice
    Hi,
    Attached is the November invoice.
    Thanks!
    Caitlin Velez
    Customer Service
    Balkan Dream Properties ...


    So far I have seen just one sample of this, so it is possible that other companies are being spoofed as well. Attached is a file INV09BEE9.zip which in turn contains a malicious script statistics_60165140386.js. This has a detection rate of precisely zero*. This Malwr report** shows that it is the Locky ransomware, downloading a binary from:
    intuit.bitdefenderdistributor .info/intrabmw/get.php
    This is hosted on a bad webserver at..
    93.95.100.141 (Mediasoft ekspert, Russia)
    ..and it then phones home to..
    5.34.183.195 (ITL / UA Servers, Ukraine)
    There are probably other download locations. My contacts tell me that these are C2 servers for an earlier German-language campaign, it is possible they are being used here. Block 'em anyway..
    31.184.197.119 (Petersburg Internet Network ltd., Russia)
    51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
    91.219.29.55 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
    Recommended blocklist:
    5.34.183.195
    31.184.197.119
    51.254.19.227
    91.219.29.55
    93.95.100.141
    "
    * https://www.virustotal.com/en/file/0...is/1456833407/

    ** https://malwr.com/analysis/MDlhNDk3Y...ZhZGQxZDg4N2I/

    - http://myonlinesecurity.co.uk/march-...ky-ransomware/
    1 Mar 2016 - "... an email with the subject of 'March Invoice' pretending to come from random names, companies and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    From: Grace Buckley <BuckleyGrace41@ jackvalan .com>
    Date: Tue 01/03/2016 11:51
    Subject: March Invoice
    Attachment: INVBEAC8E.zip
    Hi,
    Attached is the November invoice.
    Thanks!
    Grace Buckley
    Customer Service
    MONTANARO UK SMALLER COS INVESTM TR ...


    1 March 2016: INVBEAC8E.zip: Extracts to: statistics_60165140386.js - Current Virus total detections 0/56*
    MALWR** shows it downloads http ://intuit.bitdefenderdistributor .info/intrabmw/get.php which gave me
    lohi.exe (VirusTotal 5/54***). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1456833183/

    ** https://malwr.com/analysis/MDlhNDk3Y...ZhZGQxZDg4N2I/
    93.95.100.141
    5.34.183.195


    *** https://www.virustotal.com/en/file/f...is/1456832632/
    TCP connections
    185.14.29.188: https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake 'Your Order' SPAM - Locky ransomware
    - http://myonlinesecurity.co.uk/delay-...ky-ransomware/
    1 Mar 2016 - "An email with the subject of 'Delay with Your Order #200C189B, Invoice #37811753' [random numbered] pretending to come from Random names, companies and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    From: Joel Barron <BarronJoel28@ softranstech .com>
    Date: Tue 01/03/2016 11:30
    Subject: Delay with Your Order #200C189B, Invoice #37811753
    Attachment: order_copy_200C189B.zip
    Dear Valued Customer,
    It is very unpleasant to hear about the delay with your order #200C189B, but be sure that our department will do its best to resolve the problem. It usually takes around 7 business days to deliver a package of this size to your region.
    The local post office should contact your as soon as they will receive the parcel. Be sure that your purchase will be delivered in time and we also guarantee that you will be satisfied with our services.
    Thank you for your business with our company.
    Joel Barron
    Sales Manager


    1 March 2016: order_copy_200C189B.zip: Extracts to: readme_692768919.js - Current Virus total detections 0/56*
    MALWR** shows what looks like a download of Locky Ransomware from
    http ://sitemar.ro/5/92buyv5 ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1456831819/

    ** https://malwr.com/analysis/YzUzMWY2N...UzZjg0ZmY1ZmU/
    Hosts
    89.38.241.66
    185.14.29.188


    - http://blog.dynamoo.com/2016/03/malw...mer-it-is.html
    1 Mar 2016 - "This strangely worded spam leads to the Locky ransomware:
    From =cU3RlZmFuaWUgU3VsbGl2YW4=?= [SullivanStefanie68750@numericable .fr]
    Date Tue, 01 Mar 2016 13:40:48 +0200
    Subject =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICM3QjZCN0UwOCwgSW52b2ljZSAjMzI1ODMzNDY=?=
    Dear ValuedCustomer,
    It is very unpleasant to hear about the delay with your order #7B6B7E08, but be sure
    thatour department will do its best to resolve the problem.It usually takes around7
    business days to deliver a package of this size to your region.
    The local post office should contact your as soon as they will receive theparcel.Be
    sure that your purchase will be delivered in time and we alsoguarantee that you will
    be satisfied with our services.
    Thank you for your business with our company.
    Stefanie Sullivan
    Sales Manager


    All the samples I have seen have slightly -mangled- headers. The sender name varies. Attached is a ZIP file named in a similar format to order_copy_7B6B7E08.zip which contains a malicious script named something like:
    important_181031694.js
    warning_659701636.js
    statistics_466026824.js
    I have seen -six- different samples so far with zero detection rates [1]... and which according to these analyses [7]... attempt to download a Locky binary from:
    sitemar .ro/5/92buyv5
    pacificgiftcards .com/3/67t54cetvy
    maisespanhol .com.br/1/8y7h8bv6f
    Those binaries phone home to:
    5.34.183.195/main.php
    31.184.197.119/main.php
    Those C&C servers are the same as I mentioned in this spam run* and I suggest you -block- traffic to:
    5.34.183.195
    31.184.197.119
    51.254.19.227
    91.219.29.55
    "
    1] https://www.virustotal.com/en/file/a...6de8/analysis/

    7] https://malwr.com/analysis/OWM1MmU0M...VjZmNlNTM4NWY/

    * http://blog.dynamoo.com/2016/03/malw...kan-dream.html
    ___

    Fake 'MX62EDO' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/03/malw...-01032016.html
    1 Mar 2016 - "This -fake- document scan has a malicious attachment. It appears to come from within the victim's own domain.
    From: documents@ victimdomain .tld
    Date: 1 March 2016 at 13:43
    Subject: Emailing: MX62EDO 01.03.2016
    Your message is ready to be sent with the following file or link
    attachments:
    MX62EDO 01.03.2016 SERVICE SHEET
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled.
    This email has been checked for viruses by Avast antivirus software...


    I have seen two samples so far, with an attachment that has a similar name to MX62EDO20160301538482.zip which contains a malicious randomly-named script (e.g. PK5293425659.js). Detection rates on the scripts are fairly low [1] [2]. According to these Malwr reports [3] [4] the payload is the Locky ransomware. These two samples download malicious binaries from:
    tianshilive .ru/vqmod/xml/87yhb54cdfy.exe
    ubermensch .altervista.org/system/logs/87yhb54cdfy.exe
    In turn, these attempt to phone home to:
    31.184.197.119 /main.php
    5.34.183.195 /main.php
    These are the -same- C&C servers as seen here*."
    1] https://www.virustotal.com/en/file/4...9efa/analysis/

    2] https://www.virustotal.com/en/file/0...is/1456840115/

    3] https://malwr.com/analysis/MDExMGY0O...UxNTAwMWE1NWI/
    Hosts
    5.101.152.42
    31.184.197.119


    4] https://malwr.com/analysis/Yzk3OTI3N...FmMWU2NTQ2ZjI/
    Hosts
    176.9.24.196
    5.34.183.195


    * http://blog.dynamoo.com/2016/03/malw...mer-it-is.html
    ___

    Tesco Bank - 'Interest Rate And Tax' Phish
    - http://myonlinesecurity.co.uk/tesco-...-tax-phishing/
    1 Mar 2016 - "There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card.. This one from Tesco is no exception... The link in this case goes to:
    http ://grupomathile .com.br/hhaa/hhaa.html which -redirects- to:
    http ://agapechurchindia .org/jss/tesco/tesco/Log.htm
    This particular phishing campaign starts with an email with-a-link:

    Screenshot: http://myonlinesecurity.co.uk/wp-con...x-1024x511.png

    If you fill in the user name you get sent on to a series of pages asking for more information:
    > http://myonlinesecurity.co.uk/wp-con...1-1024x558.png
    ... which is a typical phishing page that looks very similar to a genuine Tesco Bank page, if you don’t look carefully at the URL in the browser address bar..."

    Last edited by AplusWebMaster; 2016-03-01 at 16:26.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
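    A triage routine for the traits the quoted posts keep pointing at (an RFC 2047 base64 Subject, the mangled encoded word in the "Delay with Your Order" From header, a sender that claims the recipient's own domain as in the MX62EDO run, a ZIP attachment wrapping a .js script, and macro-capable .doc/.xls attachments). This is an added example for the thread, not code from either blog; the sample message is constructed here, and the local_domain parameter and all function names are this example's own.

```python
"""Mail triage checks for the campaign traits described above, over a constructed sample."""
import email
import re
import zipfile
from email import encoders
from email.header import decode_header
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr
from io import BytesIO

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")          # scripts the posts found inside ZIPs
MACRO_EXTS = (".doc", ".docm", ".xls", ".xlsm")        # macro documents sent unzipped
LURE_WORDS = re.compile(r"invoice|order|package|parcel|remittance|receipt", re.I)
ENCODED_WORD = re.compile(r"=\?[^?]+\?[bBqQ]\?[^?]*\?=")  # well-formed RFC 2047 encoded word


def decode_rfc2047(value):
    """Decode RFC 2047 encoded words (e.g. the base64 Subject quoted above) to text."""
    out = []
    for chunk, charset in decode_header(value or ""):
        out.append(chunk.decode(charset or "ascii", "replace") if isinstance(chunk, bytes) else chunk)
    return "".join(out)


def looks_malformed(value):
    """True when a header carries the '?=' tail of an encoded word but no well-formed one,
    the 'mangled headers' trait noted for the 'Delay with Your Order' samples."""
    value = value or ""
    return "?=" in value and not ENCODED_WORD.search(value)


def attachment_findings(part):
    """Flag macro-capable documents and scripts hidden inside a ZIP attachment."""
    name = (part.get_filename() or "").lower()
    findings = []
    if name.endswith(MACRO_EXTS):
        findings.append("macro-capable-document:" + name)
    data = part.get_payload(decode=True) or b""
    if name.endswith(".zip") and data.startswith(b"PK"):
        with zipfile.ZipFile(BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(SCRIPT_EXTS):
                    findings.append("script-in-zip:" + member)
    return findings


def triage(raw, local_domain):
    """Return the findings for one raw RFC 822 message; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw)
    findings = []
    subject = decode_rfc2047(msg.get("Subject"))
    if LURE_WORDS.search(subject):
        findings.append("lure-subject:" + subject)
    for hdr in ("From", "Subject"):
        if looks_malformed(msg.get(hdr)):
            findings.append("malformed-encoded-word:" + hdr)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # At a gateway this is only meaningful together with the SPF/DKIM verdict: genuine
    # internal 'documents@' mail authenticates, the forgery seen in the MX62EDO run does not.
    if sender_domain == local_domain.lower():
        findings.append("sender-claims-local-domain:" + sender_domain)
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings.extend(attachment_findings(part))
    return findings


def build_sample():
    """Constructed message carrying the traits from the posts above (not a real capture)."""
    zbuf = BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("readme_692768919.js", "// constructed stand-in, not the real script\n")
    msg = MIMEMultipart()
    msg["From"] = "documents@victimdomain.tld"          # claims the recipient's own domain
    msg["To"] = "someone@victimdomain.tld"
    msg["Subject"] = "=?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICM3QjZCN0UwOCwgSW52b2ljZSAjMzI1ODMzNDY=?="
    msg.attach(MIMEText("Your message is ready to be sent with the following file or link attachments:"))
    att = MIMEBase("application", "zip")
    att.set_payload(zbuf.getvalue())
    encoders.encode_base64(att)
    att.add_header("Content-Disposition", "attachment", filename="order_copy_7B6B7E08.zip")
    msg.attach(att)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample(), "victimdomain.tld"):
        print(finding)
```

    Running it prints the decoded lure subject, the self-domain sender and the .js member of the ZIP; a clean internal document scan with a PDF attachment produces an empty list.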

  2. #912
    AplusWebMaster

    Thumbs down Fake 'Invoices', 'Package', 'Invoice Copy', 'remittance advice' SPAM, TeslaCrypt

    FYI...

    Fake 'Invoices' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/03/malw...tstanding.html
    2 Mar 2016 - "These randomly-generated financial spam emails come with a malicious attachment:
    From: Buckminster U. Petty
    Date: 2 March 2016 at 07:55
    Subject: Outstanding Invoice
    Please check the receipt attached to this message. The Transaction will be posted on your account within 48 hours.
    ----------
    From: Astra B. Fuller
    Date: 2 March 2016 at 08:08
    Subject: Fwd: ZYL Invoice
    Please find the payment details attached to this message. The Transfer should appear on your account in 2 days.
    ----------
    From: Audrey U. Oneil
    Date: 2 March 2016 at 07:34
    Subject: Re: Sales Invoice
    Please review the invoice attached to this message. The Transfer should appear on your bank in 48 hours.


    Attached is a randomly-named file with an -RTF- extension which is actually a -DOCX- file in disguise. I have seen three different attachments with detection rates of 1/55 [1] [2] [3] and the Malwr reports for those [4] [5] [6] show the macro contained within downloading from the following locations:
    thevillagelounge .nl/e.jpg?LnRiNLIoPC3=55
    creeko .com/d.jpg?GIk1nRWM0r27m5Ss=50
    creeko .com/d.jpg?GIk1nRWM0r27m5Ss=8
    The VirusTotal results for the two unique binaries dropped are 3/55 [7] [8] but automated analysis.. is inconclusive. It looks rather like -ransomware- but I cannot confirm this."
    1] https://www.virustotal.com/en/file/7...is/1456908576/

    2] https://www.virustotal.com/en/file/5...is/1456908593/

    3] https://www.virustotal.com/en/file/e...is/1456908601/

    4] https://malwr.com/analysis/ODdkNDBmY...A2NjU4OGQ4YjA/
    Hosts
    172.231.69.95
    209.242.233.7: https://www.virustotal.com/en/ip-add...7/information/

    5] https://malwr.com/analysis/ZWZhZDRhN...M3MmRjYTFmOGY/
    Hosts
    172.231.69.95
    209.242.233.7: https://www.virustotal.com/en/ip-add...7/information/

    6] https://malwr.com/analysis/OWVkMTU4Z...Y1NTQ2MzAyM2E/
    Hosts
    172.231.69.95
    178.251.196.62: https://www.virustotal.com/en/ip-add...2/information/

    7] https://www.virustotal.com/en/file/e...is/1456909038/

    8] https://www.virustotal.com/en/file/d...is/1456909051/

    creeko .com: 209.242.233.7: https://www.virustotal.com/en/ip-add...7/information/

    thevillagelounge .nl: 178.251.196.62: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'Package' SPAM – JS malware/ransomware
    - http://myonlinesecurity.co.uk/packag...to-ransomware/
    2 Mar 2016 - "An email with the subject of 'Package # 16049177' [random numbered] that matches the attachment and the number in the body of the email, pretending to come from random email addresses, names and companies with a zip attachment is another one from the current bot runs... The email looks like:
    From: Alyson cockcroft <cockcroftAlyson2993@ arc-performance .com> ( random senders)
    Date: Wed 02/03/2016 10:14
    Subject: Package # 16049177
    Attachment: Invoice_ref-16049177.zip
    Dear Client,
    Your replacement package was shipped 5 days ago and is now being transferred to your local post office.
    The package identification number is # 16049177 , please double-check the information on it in the file attached below.
    We are grateful for your purchase from our shop and are very sorry for the inconvenience.


    2 March 2016: Invoice_ref-16049177.zip: Extracts to: invoice_scan_EdcJqY.js - Current Virus total detections 5/56*
    MALWR** shows a download of what looks like Teslacrypt rather than Locky ransomware based on the file names and locations from either http ://ohelloweuqq .com/69.exe or http ://soclosebutyetqq .com/69.exe
    (VirusTotal 4/56***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1456913677/

    ** https://malwr.com/analysis/ZTcwMTE0M...A1YTEwNzQ5M2I/
    104.232.35.31: https://www.virustotal.com/en/ip-add...1/information/
    91.196.50.241: https://www.virustotal.com/en/ip-add...1/information/

    *** https://www.virustotal.com/en/file/0...is/1456916592/
    TCP connections
    194.228.3.204: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake 'Invoice Copy' SPAM - doc macro/ransomware
    - http://myonlinesecurity.co.uk/invoic...ky-ransomware/
    2 Mar 2016 - "An email with the subject of 'Invoice Copy' pretending to come from random senders with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: Jerrod Parker <ParkerJerrod02870@ kabel-deutschland .de>
    Date: Wed 02/03/2016 10:15
    Subject: Invoice Copy
    Attachment: scan_559376.doc
    Dear Customer,
    Please make sure you send payment for your parcel to avoid any inconvenience. Open the attached file to review the confirmation listing.
    Thank you for your business – we appreciate it very much.
    Sincerely,
    Jerrod Parker
    Account Manager

    -Or:
    Dear User,
    Your order will be shipped shortly, we apologize for the troubles. Please, review the invoice in the attached file.
    Thank you for your business – we appreciate it very much.
    Sincerely,
    Johnnie Newman
    Project Manager


    2 March 2016: scan_559376.doc - Current Virus total detections 6/55*
    MALWR shows a download from http ://cabanasestina .ro/num/5buybbtyu8 ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1456917614/

    cabanasestina .ro: 188.213.205.89: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/73...6cb4/analysis/
    ___

    Fake 'remittance advice' SPAM - JS malware/ransomware
    - http://myonlinesecurity.co.uk/remitt...to-ransomware/
    2 Mar 2016 - "An email pretending to be a remittance advice for the payment made on the 19th Feb 2015 from Hillsong Church London with a random subject of 'MEARS GROUP March Invoice #17577' [random numbered] and random company names pretending to come from random senders with a zip attachment is another one from the current bot runs... The name of the alleged sender matches the name in the email body... The email looks like:
    From: Osvaldo West <West.Osvaldo736@ ttml .co.in>
    Date: Wed 02/03/2016 12:16
    Subject: MEARS GROUP March Invoice #17577
    Attachment: Hillchurch-C7EA2.zip or Hillsong-914FCE.xls
    Hi there,
    Please find the remittance advice for the payment made on the 19th Feb 2015 from Hillsong Church London.
    Please let me know if there are any queries.
    Kind regards,
    Osvaldo West ...


    2 March 2016: Hillchurch-C7EA2.zip: Extracts to: TR914740032016.js Current Virus total detections 3/56*
    MALWR** shows a download from http ://doaemdpmekd.securalive .eu/8fjvimkel1/c987ah8j9ei1.php (VirusTotal 2/55***)
    which gave me readme.exe ...
    2 March 2016 : Hillsong-914FCE.xls - Current Virus total detections 2/55[4]
    which is being detected as a Dridex downloader. -Both- Locky Ransomware and Dridex banking Trojans use the -same- download mechanisms and until you actually see the payload, it is impossible to tell whether it is Dridex or Locky.. MALWR shows a download from http ://oimedoaeklmrf.giftcardnanny .ca/nu2o3mk4/c987ah8j9ei1.php which gave me likeaboss.exe (VirusTotal 2/56[5]).. this is the -same- malware file as the js version so is more likely to actually be Dridex rather than Locky... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1456921684/

    ** https://malwr.com/analysis/YTUzYWZiY...A3NWU1ZTJlZjc/
    Hosts
    193.201.227.90: https://www.virustotal.com/en/ip-add...0/information/
    24.172.94.181
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/

    *** https://www.virustotal.com/en/file/d...is/1456922055/
    TCP connections
    24.172.94.181
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/

    4] https://www.virustotal.com/en/file/b...is/1456922090/

    5] https://www.virustotal.com/en/file/d...is/1456922631/
    TCP connections
    24.172.94.181
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/

    doaemdpmekd.securalive .eu: 193.201.227.90: https://www.virustotal.com/en/ip-add...0/information/

    oimedoaeklmrf.giftcardnanny .ca: 193.201.227.90

    - http://blog.dynamoo.com/2016/03/malw...ng-church.html
    2 Mar 2016 - "... the body text is from a church..
    Hi there,
    Please find the remittance advice for the payment made on the 19th Feb 2015 from
    Hillsong Church London...


    ... all these locations are on the same server (and are the same binary), hosted on:
    193.201.227.90 (PE Tetyana Mysyk, Ukraine)
    According to VirusTotal*, there are a few -hijacked- GoDaddy subdomains on that IP. This method is a little unusual for this type of attack... this Hybrid Analysis** shows the malware phoning home to:
    24.172.94.181 (Time Warner Cable, US)
    It isn't entirely clear what the payload is, but it is probably Dridex or possibly some form of ransomware.
    Recommended blocklist:
    193.201.227.90
    24.172.94.181
    "
    * https://www.virustotal.com/en/ip-add...0/information/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=4
    ___

    Fake 'March Invoice' SPAM - xls malware
    - http://myonlinesecurity.co.uk/le-mar...sheet-malware/
    2 Mar 2016 - "An email with the subject of 'ENABLES IT GROUP PLC March Invoice #39903' (random company names and invoice numbers) pretending to come from random names with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Ina Wolfe <Wolfe.Ina680@ intex .in>
    Date:
    Subject: ENABLES IT GROUP PLC March Invoice #39903
    Attachment: Hillsong-838834.xls
    Afternoon,
    Please find attached a copy of our bank details.
    If we can be of further assistance then please do not hesitate to contact me
    Many thanks,
    Ina Wolfe
    Credit Controller
    Le Mark Self-Adhesive Ltd. ...


    2 March 2016: Hillsong-838834.xls - When renamed to zip & extracted you get SCAN7420032016.js (VirusTotal 3/56*)
    MALWR shows a download from http ://aoieofnv.lotnine .com/8fjvimkel1/c987ah8j9ei1.php which is the -same- malware as described in THIS post**... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1456931124/

    ** http://myonlinesecurity.co.uk/remitt...to-ransomware/

    aoieofnv.lotnine .com: 193.201.227.90: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Fake 'Invoice Scan/copy' SPAM - doc macro malware
    - http://myonlinesecurity.co.uk/paymen...macro-malware/
    2 Mar 2016 - "An email with the subject of 'Payment Confirmation / Invoice Scan / Invoice copy' pretending to come from random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Gavin Gaines <GainesGavin739@ iconpln .net.id>
    Date: Wed 02/03/2016 14:07
    Subject: Payment Confirmation / Invoice Scan / Invoice copy
    Attachment: scan_174761.doc
    Dear Customer,
    Please review the attached copy of your Electronic document.
    Thank you for your business – we appreciate it very much.
    Sincerely,
    Gavin Gaines
    Account Manager

    -Or:
    Dear Member,
    The mistake made will be compensated promptly, please do not worry. Please
    take a look at the file attached as it contains all the information.
    Thank you for your business – we appreciate it very much.
    Sincerely,
    Marisol Lara
    Account Manager


    2 March 2016: scan_174761.doc - Current Virus total detections 6/56*
    MALWR isn’t showing any download on this one but that might be due to analysis protection more than anything else... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1456927470/
    ___

    Fake 'Whitehouse paperwork' SPAM - JS malware / Locky ransomware
    - http://myonlinesecurity.co.uk/whiteh...ky-ransomware/
    2 Mar 2016 - "An email with the subject of 'Whitehouse paperwork' pretending to come from 'Admin' at your own email domain with a zip attachment is another one from the current bot runs... The email looks like:
    From: admin <admin@ victimdomain .tld>
    Date: Wed 02/03/2016 14:48
    Subject: Whitehouse paperwork
    Attachment: 201603021282046970.zip
    This E-mail was sent from “RNPDD9C46” (Aficio MP C2500).
    Scan Date: Wed, 02 Mar 2016 19:18:02 +0430


    2 March 2016: 201603021282046970.zip: Extracts to: OR5121206096.js - Current Virus total detections 6/56*
    MALWR shows a download from http ://cocowashi .com/system/logs/76tr5rguinml.exe (VirusTotal 4/56**) which is locky ransomware... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1456933931/

    ** https://www.virustotal.com/en/file/e...is/1456934341/
    TCP connections
    109.237.111.168: https://www.virustotal.com/en/ip-add...8/information/

    cocowashi .com: 50.118.112.2: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/53...d99b/analysis/
    ___

    Fake 'Order reference' SPAM - JS malware/Teslacrypt
    - http://myonlinesecurity.co.uk/order-...to-teslacrypt/
    2 Mar 2016 - "An email with the subject of 'Order reference # 58087317' [random numbered] pretending to come from random email addresses, companies and names with a zip attachment is another one from the current bot runs... The email looks like:
    From: Felecia niven <nivenFelecia41@ neukoelln-arcaden .de>
    Date: Wed 02/03/2016 17:09
    Subject: Order reference # 58087317
    Attachment: Invoice_ref-58087317.zip
    Dear Customer,
    We apologize for the troubles with your parcel # 58087317 and can assure you that this mistake will not be happening again.
    Please, check the information on this case in the attachment.
    Taking in consideration the problem on your order we also included info on your bonus of $483,35 , which you may use during your next order.


    2 March 2016: Invoice_ref-58087317.zip: Extracts to: invoice_copy_wvpthP.js - Current Virus total detections 9/56*
    MALWR** shows a download from http ://soclosebutyetqq .com/80.exe or http ://ohelloweuqq .com/80.exe
    (VirusTotal 4/56***) Which is almost certainly Teslacrypt ransomware.. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a safe file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1456942781/

    ** https://malwr.com/analysis/Y2UwMDRlN...JiMDI4NmY2YzE/
    Hosts
    104.232.35.31: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/f2...b20f/analysis/
    173.82.74.197: https://www.virustotal.com/en/ip-add...7/information/

    *** https://www.virustotal.com/en/file/6...is/1456942277/
    TCP connections
    194.228.3.204: https://www.virustotal.com/en/ip-add...4/information/

    soclosebutyetqq .com: 173.82.74.197: https://www.virustotal.com/en/ip-add...7/information/
    91.196.50.241: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/97...2241/analysis/
    ohelloweuqq .com: 104.232.35.31: https://www.virustotal.com/en/ip-add...1/information/
    50.3.16.250: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/25...e9b7/analysis/
    ___

    Fake 'Visa benefits, rewards' leads to TeslaCrypt ransomware
    - http://www.symantec.com/connect/fr/b...ypt-ransomware
    01 Mar 2016 - "... recently observed a -spam-campaign- offering -fake- Visa rewards and benefits as -bait- to deliver -ransomware- to recipients’ computers. The email in this particular campaign purports to come from 'Visa Total Rewards' and provides details about the benefits of using Visa credit cards. Attached to the email is an archive file which poses as a -whitepaper- containing more information about the supposed rewards and benefits offered by the program. If the recipient opens the attachment, they will see only an obfuscated JavaScript file (detected as JS.Downloader):
    > http://www.symantec.com/connect/site...ure1-email.png
    If the recipient is fooled into opening the JavaScript file, the script downloads a -variant- of the TeslaCrypt ransomware (detected as Trojan.Cryptolocker.N) from the specified URL and runs it. A few minutes later, a message is displayed stating that all of the user’s files have been encrypted and payment in Bitcoin is required to decrypt the files:
    > http://www.symantec.com/connect/site...re-2-tesla.png
    The ransomware provides more information to victims on a personalized home page and demands a payment of US$500 (or 1.2 bitcoins) within 160 hours of infection in order to unlock the encrypted files. If the transaction is not made within the specified time frame, the price doubles to $1,000. This page provides a contact form that offers assistance in case of payment issues or any other problems the victims may run into. There is also an opportunity to decrypt a single file for no fee to prove that the files can be properly decrypted:
    > http://www.symantec.com/connect/site...igure3-pay.png
    The vast majority of the spam is being distributed to English-speaking countries, with the UK (40 percent) and the US (36 percent) most targeted. Other regions around the globe are affected as well:
    > http://www.symantec.com/connect/site...ie-chart_0.png
    ... Tips on protecting yourself from ransomware:
    •Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
    •Always keep your security software up to date to protect yourself against any new variants of malware.
    •Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
    •Delete any suspicious-looking emails you receive, especially if they contain links or attachments..."

    Last edited by AplusWebMaster; 2016-03-02 at 21:30.

  3. #913
    AplusWebMaster

    Thumbs down Fake 'FreePDF', 'Receipt', 'Order Delay', 'Hyperama' SPAM, Teslacrypt, Phishing surge

    FYI...

    Fake 'FreePDF' SPAM - doc malware
    - http://myonlinesecurity.co.uk/freepd...macro-malware/
    3 Mar 2016 - "An email with the subject of 'FreePDF: 1922110915192.doc' pretending to come from Worrall, Antony <Ant.Worrall@ cmco .eu> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...u-1024x556.png

    3 March 2016: 1922110915192.docm - Current Virus total detections 3/56*
    MALWR** shows a download from http ://corsian .com/system/logs/98yh87b564f.exe which looks like Dridex banking Trojan from the MALWR quick overview, but might be some sort of ransomware (VirusTotal 4/55***)...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1457001459/

    ** https://malwr.com/analysis/NWExZmZkM...YzNzY4MDViNTA/
    Hosts
    173.0.136.57
    188.40.224.78
    8.254.249.78


    *** https://www.virustotal.com/en/file/6...is/1457001741/
    TCP connections
    188.40.224.78: https://www.virustotal.com/en/ip-add...8/information/
    8.253.82.30: https://www.virustotal.com/en/ip-add...0/information/

    - http://blog.dynamoo.com/2016/03/malw...025984doc.html
    3 Mar 2015 - "This -fake- financial spam has a malicious attachment.
    From "Worrall, Antony" [Ant.Worrall@ cmco .eu]
    Date Thu, 03 Mar 2016 14:25:14 +0430
    Subject FreePDF: 1922110025984.doc


    Attached is a randomly-named file that matches the reference in the subject. The payload appears to be the Dridex banking trojan, as seen in this earlier spam run*."
    * http://blog.dynamoo.com/2016/03/malw...no-173535.html
    ___

    Fake 'Receipt' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/03/malw...no-173535.html
    3 Mar 2015 - "This spam does not come from KM Media Group but it is instead a simple -forgery- with a malicious attachment:
    From Sally Webb [swebb@thekmgroup .co.uk]
    Date Thu, 03 Mar 2016 10:58:07 +0100
    Subject Receipt - Order No 173535
    regards,
    Sally
    *Sally Webb*
    Recruitment Media Sales Executive
    KM Media Group
    DDI : 01622 794500 ...


    Attached is a file Receipt - Order No 173535.docm which comes in several different versions with detection rates around 3/55*. Analysis from another source (thank you) gives download locations... The initial payload has a detection rate of 4/55** which has now been -updated- with a -new- payload with a similar detection rate. My source says that this is Dridex botnet 220 (not Locky) with C&C servers at:
    188.40.224.78 (Hetzner / NoTaG Community, Germany)
    78.108.93.186 (Majordomo LLC, Russia)
    87.106.8.177 (1&1, Germany)
    91.236.4.234 (FHU Climax Rafal Kraj, Poland)
    Recommended blocklist:
    188.40.224.78
    78.108.93.186
    87.106.8.177
    91.236.4.234
    "
    * https://www.virustotal.com/en/file/1...c76f/analysis/

    ** https://www.virustotal.com/en/file/6...ce97/analysis/
    TCP connections
    188.40.224.78
    8.253.82.30

    ___

    Fake 'Order Delay' SPAM - JS malware leading to Teslacrypt
    - http://myonlinesecurity.co.uk/order-...to-teslacrypt/
    2 Mar 2016 - "An email with the subject of 'Order Delay – Package Ref. 91063856' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    From: Ernestine simister <simisterErnestine49836@ mail.vistony .com>
    Date: Thu 03/03/2016 16:52
    Subject: Order Delay – Package Ref. 91063856
    Attachment: Invoice_ref-91063856.zip
    Respected Customer,
    The delay of your parcel ref. # 91063856 cannot be controlled due to the unstable weather conditions in our region.
    We are doing everything we can to arrange the best shipping time for your package.
    Please check the information on your purchase in the attached file. There your will also find the info on the new delivery time.
    Sincerely,
    Sales Department Manager ...


    3 March 2016: Invoice_ref-91063856.zip: Extracts to: invoice_SCAN_WxapPe.js Current Virus total detections 3/56*
    MALWR** shows a download from http ://isthereanybodyqq .com/69.exe?1 or
    http ://ujajajgogoff .com/69.exe?1 (currently down) which is Teslacrypt ransomware (VirusTotal 4/54***)
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1457023881/

    ** https://malwr.com/analysis/MjU2YWMwY...ZhMGNjZjA5Yjk/
    Hosts
    50.3.16.250
    173.82.74.197
    173.201.145.1
    108.167.143.8
    50.62.66.1


    *** https://www.virustotal.com/en/file/d...is/1457024955/

    isthereanybodyqq .com: 173.82.74.197: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/a4...849f/analysis/
    91.196.50.241
    78.135.108.94


    ujajajgogoff .com: 204.44.84.21: https://www.virustotal.com/en/ip-add...1/information/
    162.211.67.244
    ___

    Fake 'Hyperama' SPAM - JS malware leads to Locky ransomware
    - http://myonlinesecurity.co.uk/891217...ky-ransomware/
    3 Mar 2016 - "An email with a random numbered subject pretending to come from Administrator <tward9232@ hyperama .com> (random numbers afterward) with a zip attachment is another one from the current bot runs... The email looks like:
    From: Administrator <tward9232@ hyperama .com>
    Date: Mon 18/01/2016 15:26
    Subject: 8912179-99
    Attachment: doc0022386.zip
    Tracey Ward
    Purchase Ledger
    Hyperama ...


    3 March 2016: Edoc0022386.zip: Extracts to: DOC7797628157.js - Current Virus total detections 23/56*
    MALWR** shows a download of Locky ransomware from http ://anro.kiev .ua/vqmod/vqcache/4trf3g45.exe
    .. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1441173827/

    ** https://malwr.com/analysis/ZDNiNmMyO...lhMDVmMGVmOGE/
    Hosts
    77.87.194.146: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/40...6d01/analysis/
    192.121.16.196: https://www.virustotal.com/en/ip-add...6/information/

    anro.kiev .ua: 77.87.194.146
    ___

    Phishing surges, file-sharing takes lead as most targeted industry of Q1
    - http://www.hotforsecurity.com/blog/p...-q1-13472.html
    Mar 03, 2016 - "Phishing through file-sharing services has soared in the past three months, making cloud-based file distribution services the most targeted sector of the first quarter of the year, Bitdefender found. Globally, file-sharing is being used to spread phishing scams more than the retail and payment industries, the traditional favorites of hackers. Almost one-in-five-malicious-URLs uses a file-sharing service to deliver malicious payloads to users, recent Bitdefender data shows.
    Top 10 Most Targeted Industry Sectors for Internet Phishing
    > http://www.hotforsecurity.com/wp-con...t1-768x380.jpg
    What the technique lacks in innovation is compensated for by the ease of use and popularity of consumer-grade sharing services. In the past year, Dropbox reached 400 million users who stored 35 billion Microsoft Office files, while Google Drive had 190 million in 2014. As importantly, file-sharing and cloud storage services lack security features to filter harmful content. This helps attackers hide their malware-infected files without a trace... The typical infection flow goes like this: the user receives a genuine-looking email that advises users to click-on-an-embedded-link to view an attached document. The link -redirects- the user to a phishing page hosted on the provider’s domain. The page asks for the user’s credentials, then captures and sends the data to cyber-criminals over SSL. SSL certificates ensure data on a website is submitted in a secure manner, but they do -not- guarantee the site itself is safe. Thus, hackers are taking advantage, buying cheap SSL certificates and using them on phishing websites to appear legitimate... Scammers are usually after more than just cloud storage credentials; the malicious URLs can trick users into downloading file-encrypting ransomware, for instance. And the hazard has become significantly more serious as new ransomware iterations can seize control over files stored on cloud services..."

    Last edited by AplusWebMaster; 2016-03-03 at 22:21.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
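Several of the runs quoted in this post use the same lure: a ZIP whose only member is a .js file with a document-style icon, so that with "show known file extensions" off it looks like a DOC. The following is an added example (not code from this thread, myonlinesecurity.co.uk or dynamoo.com) that triages a ZIP attachment by member name without running or extracting anything. The archive it inspects is built in memory from constructed members; the name invoice_SCAN_WxapPe.js is taken from the post, while remittance.doc.js is a constructed sample of the double-extension form. The extension tables are this example's own assumption of what a mail gateway should treat as executable.

```python
"""Flag e-mail attachments that use the "spoofed icon" trick.

Added example, not code from the forum post or the quoted blogs.
A ZIP is built in memory from constructed member names and every
member whose real (last) extension is a script or executable is
reported, including double extensions such as "x.doc.js" that
display as "x.doc" when Windows hides known extensions.
Nothing inside the archive is executed or written to disk.
"""
import io
import zipfile

# Extensions that Windows Script Host or the loader will run directly
# (assumption: this is a reasonable minimum set for a mail gateway).
EXECUTABLE_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "exe", "scr",
                   "cmd", "bat", "hta"}
# Extensions a user expects to be harmless documents.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "rtf"}


def classify_member(name: str) -> dict:
    """Return why a ZIP member name is suspicious, or {} if it is not."""
    base = name.rsplit("/", 1)[-1].lower()   # ignore any directory part
    parts = base.split(".")
    if len(parts) < 2:
        return {}
    real_ext = parts[-1]
    findings = {}
    if real_ext in EXECUTABLE_EXTS:
        findings["executable_extension"] = real_ext
        # "remittance.doc.js" is shown as "remittance.doc" with hidden extensions.
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            findings["double_extension"] = ".".join(parts[-2:])
    return findings


def triage_zip(data: bytes) -> list:
    """List (member_name, findings) for every suspicious member of a ZIP."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = classify_member(info.filename)
            if findings:
                hits.append((info.filename, findings))
    return hits


def build_sample_zip() -> bytes:
    """Constructed archive: one benign member plus two script lures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed benign member\n")
        # Name taken from the post; contents are a placeholder, not malware.
        zf.writestr("invoice_SCAN_WxapPe.js", "// constructed placeholder\n")
        # Constructed double-extension sample.
        zf.writestr("remittance.doc.js", "// constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()):
        print(f"QUARANTINE {member}: {findings}")
```

The check is deliberately name-based: it is cheap enough to run on every inbound archive, and it catches the lure before a user ever sees the icon. It does not replace content scanning of members that pass.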

  4. #914
    Adviser Team AplusWebMaster

    Fake 'Closing bill', 'Remittance' SPAM

    FYI...

    Fake 'Closing bill' SPAM - xls malware leading to Dridex
    - http://myonlinesecurity.co.uk/closin...ing-to-dridex/
    4 Mar 2016 - "An email with the subject of 'Closing bill' pretending to come from MyBill <mybill.central@ affinitywater .co.uk> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...r-1024x755.png

    4 March 2016: 54138887_51656_18836.xls - Current Virus total detections 5/56*
    MALWR shows a download from http ://17.rent-shops .ru/system/logs/vbry73f34f.exe (VirusTotal 5/56**)
    which looks like Dridex banking Trojan. All the XLS attachments are random names/numbers and all created on the fly. So far I have seen -15- or so all with individual file hashes which doesn’t make it easy.
    Other download locations so far discovered include
    http ://2.casino-engine .ru/games/megajack/vbry73f34f.exe | http ://prettymom.ru/system/logs/vbry73f34f.exe |
    http ://shop-bedep .com/system/logs/vbry73f34f.exe | desean .com.sg/system/logs/vbry73f34f.exe ...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1457083098/

    ** https://www.virustotal.com/en/file/c...is/1457082565/

    - http://blog.dynamoo.com/2016/03/malw...ll-mybill.html
    4 Mar 2016 - "... Some additional download locations and C&C servers to block, from another source (thank you!)
    jean-daniel .com.ua/system/logs/vbry73f34f.exe
    namkeendelights .com/system/logs/vbry73f34f.exe
    Overall, some of these download locations look like good candidates for blocking, especially:
    81.177.140.123 (Avguro Technologies Ltd, Russia)
    210.245.90.206 (FPT Telecom Company, Vietnam)
    89.184.72.57 (Internet Invest Ltd., Ukraine)
    These additional C&C servers have been seen before:
    78.108.93.186 (Majordomo LLC, Russia)
    87.106.8.177 (1&1, Germany)
    91.236.4.234 (FHU Climax Rafal Kraj, Poland)
    Recommended blocklist:
    188.165.215.180
    78.108.93.186
    87.106.8.177
    91.236.4.234
    81.177.140.123
    210.245.90.206
    89.184.72.57
    "
    ___

    Fake 'Remittance' SPAM - malicious .rtf attachment
    - http://myonlinesecurity.co.uk/remitt...macro-malware/
    4 Mar 2016 - "An email with the subject of 'Remittance' coming from random email addresses, companies and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Bridgette – WITAN PACIFIC INVESTMENT TRUST <Cunningham.Bridgette3@ leonduniec .com>
    Date: Fri 04/03/2016 10:30
    Subject: Remittance
    Attachment: rem.advice-3798605447.rtf
    Dear Sir/Madam,
    Hope you are well. I am writing you to let you know that full amount specified in the contract has been paid into your bank account on the 1st of March at 14 through BACS payment system and should reach the destination (beneficiary’s) account within 3 working days.
    To see full payment details please refer to the remittance advice note attached to the letter.
    Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
    Bridgette Cunningham ...


    4 March 2016: rem.advice-3798605447.rtf - Current Virus total detections 2/56*
    MALWR is unable to detect any HTTP connection or download any malware, that is probably due to an anti-analysis protection in the word doc RTF. It will almost certainly turn out to download Dridex banking trojan, Locky or another similar ransomware..
    Update: Dynamoo[1] has posted some locations for the downloads which appear to be Dridex banking Trojan..
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1457091062/

    1] http://blog.dynamoo.com/2016/03/malw...om-random.html
    4 Mar 2016 - "This fake financial spam appears to come from random companies. The body text is similar in all cases.
    Sample 1: From: Ignacio - Floris of London
    Date: 4 March 2016 at 09:42
    Subject: Remittance
    Dear Sir/Madam,
    I hope you are well. I am writing you to let you know that total amount qualified in the contract has been sent to your bank account on the 3rd of March at 14 through BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
    To see full payment details please refer to the remittance advice note attached to the letter
    Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
    Ignacio Knox
    Accounts Payable


    ... This is the -same- IP as seen here* which Sophos identified as being Dridex.
    Recommended blocklist:
    31.131.24.76
    24.172.94.181
    "
    * https://www.sophos.com/en-us/threat-...-analysis.aspx
    ___

    The Rules Of Spam ...
    - http://bruce.pennypacker.org/2005/02...rules-of-spam/
    "... Rule #1: Spammers lie...
    ... Rule #2: If a spammer seems to be telling the truth, see Rule #1..."
    ref via: http://blog.dynamoo.com/
    ___

    New Macro Malware - Uses Forms to Store its Code
    - http://blog.trendmicro.com/trendlabs...ms-store-code/
    Mar 3, 2016 - "The resurgence and continued prevalence of macro malware could be linked to several factors, one of which is their ability to -bypass- traditional antimalware solutions and sandboxing technologies. Another factor is the continuous enhancements in their routines: just recently, we observe that the macro malware related to DRIDEX and the latest crypto-ransomware variant, Locky ransomware, used Form object in macros to obfuscate the malicious code. With this improvement, it could further aid cybercriminals or attackers to -hide- any malicious activity they perform in their target network or system... Locky ransomware, which is reported to be responsible for compromising the network and encrypting the records of Hollywood Presbyterian Medical Center last February 2016, is the first instance of ransomware that capitalized on malicious macros to infiltrate systems. Typically, ransomware is distributed via compromised websites or spam emails. However, this -variant- deviated and replicated this behavior (use of macros) commonly seen in DRIDEX. Based on our Smart Protection Network data, the top countries by Locky ransomware are Germany, Japan, and the United States:
    Top countries affected by Locky ransomware for the past 3 months
    > https://blog.trendmicro.com/trendlab...y-1024x596.png
    DRIDEX, a prevalent online banking malware has its own macro downloader. When we’re conducting our analysis, we found out that most of our DRIDEX detections pertain to its macro downloader and -not- the actual TSPY_DRIDEX. This could suggest that this threat is -still- rampant as ever despite the takedown of some of its command-and-control (C&C) servers last year.
    Countermeasures... awareness of such threats and their behavior is one of the initial steps in order to combat their risks. It’s also important to -not-enable-macros- from email attachments as this can add another layer of protection to prevent the download of malicious files on the system. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources."
    (More detail at the trendmicro URL at the top of this post.)

    Last edited by AplusWebMaster; 2016-03-05 at 17:28.
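The two "Recommended blocklist" sets quoted in this post are only useful once they are checked against something. Below is an added example (not code from the forum post or dynamoo.com) that loads those addresses, validates each one, and scans proxy log lines for either a destination on the list or a download path of the form seen across the spoofed hosts in the post (/system/logs/<random>.exe). The log lines are constructed for the example in a simple "timestamp client dest-ip URL" layout and are not real proxy output; 203.0.113.9 is a documentation address standing in for a host the post does not name.

```python
"""Match proxy logs against the blocklists quoted in the post above.

Added example, not from the forum post or dynamoo.com. The addresses
are the two "Recommended blocklist" sets quoted in this post; the URL
pattern generalises the download paths the post lists (several hosts,
all serving /system/logs/vbry73f34f.exe). Log lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

BLOCKLIST_TEXT = """
# from the 'Closing bill' post
188.165.215.180
78.108.93.186
87.106.8.177
91.236.4.234
81.177.140.123
210.245.90.206
89.184.72.57
# from the 'Remittance' post
31.131.24.76
24.172.94.181
"""

# Randomly named .exe under /system/logs/, the download path the post
# reports on every spoofed host.
DOWNLOAD_PATH = re.compile(r"^/system/logs/[A-Za-z0-9]+\.exe$")

# Constructed sample log: "<timestamp> <client> <dest-ip> <url>".
SAMPLE_LOG = """\
2016-03-04T10:31:02Z 10.0.0.15 93.184.216.34 http://www.example.com/index.html
2016-03-04T10:31:40Z 10.0.0.15 203.0.113.9 http://prettymom.ru/system/logs/vbry73f34f.exe
2016-03-04T10:32:11Z 10.0.0.22 87.106.8.177 http://87.106.8.177/
2016-03-04T10:33:05Z 10.0.0.15 203.0.113.9 http://prettymom.ru/system/logs/readme.txt
"""


def load_blocklist(text: str) -> set:
    """Parse one address per line; a typo raises ValueError instead of
    silently producing an entry that can never match."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addrs.add(ipaddress.ip_address(line))
    return addrs


def match_log(log_text: str, blocklist: set) -> list:
    """Return (timestamp, client, reason) for each line hitting an indicator."""
    hits = []
    for line in log_text.splitlines():
        try:
            ts, client, dest, url = line.split()
        except ValueError:
            continue                      # malformed line, skip it
        reasons = []
        if ipaddress.ip_address(dest) in blocklist:
            reasons.append(f"dest {dest} on blocklist")
        path = urlsplit(url).path
        if DOWNLOAD_PATH.match(path):
            reasons.append(f"download path {path}")
        if reasons:
            hits.append((ts, client, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for ts, client, reason in match_log(SAMPLE_LOG, load_blocklist(BLOCKLIST_TEXT)):
        print(f"{ts} {client}: {reason}")
```

Matching on the path as well as the address is what catches the second line: the host there is one the post names but whose address it does not give, so an address-only list would miss it. The blocklist is parsed through `ipaddress` so a mistyped octet fails loudly at load time rather than sitting unused in production.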

  5. #915
    Adviser Team AplusWebMaster

    Fake 'Customer Invoice' SPAM, Teslacrypt, iCloud PHISH

    FYI...

    Fake 'Customer Invoice' SPAM - JS malware Teslacrypt
    - http://myonlinesecurity.co.uk/dear-v...to-teslacrypt/
    5 March 2016 - "An email with the subject of 'Invoice, Ref. 00278908' [random numbered] pretending to come from random email addresses and names with a zip attachment is another one from the current bot runs...
    The email looks like:
    From: Derrick bolton <boltonDerrick32@ kgorman .ca>
    Date: Sat 05/03/2016 07:38
    Subject: Invoice, Ref. 00278908
    Attachment: Invoice_ref-00278908.zip
    Dear Valued Customer,
    We are very grateful for your purchase. The specified sum of $679,48 was paid and now your order is being processed by our company.
    Delivery information and the invoice can be found in the attached file.
    Thank you!
    Derrick bolton
    Sales Manager ...


    5 March 2016 : Invoice_ref-00278908.zip: Extracts to: invoice_ZAwuzp.js (I have seen -4- different zip files by # all extracting to -different- js files) VirusTotal detections [1] [2] [3] [4] all of which according to MALWR [a].. contact http ://ujajajgogoff .com/80.exe?1 where they actually download a file called 69... This site was distributing Teslacrypt ransomware earlier in the week, so this is likely to be the same. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    1] https://www.virustotal.com/en/file/6...is/1457036665/

    a] https://malwr.com/analysis/MmQwNmNmN...M0ZWJhYTM2MDA/
    74.117.183.252
    >> https://www.virustotal.com/en/url/31...138c/analysis/

    - https://isc.sans.edu/diary.html?storyid=20801
    Last Updated: 2016-03-05 - "We have seen in the last two weeks a massive amount of websites hosting a variant of angler exploit kit that infects computers downloading and activating a variant of teslacrypt... Please keep in mind some countermeasures to avoid infection by Angler EK or ransomware:
    • Implement strong antispam, antimalware and antiphishing procedures.
    • Keep operating systems patched against known vulnerabilities.
    • Install patches from vendors as soon as they are distributed, after performing a full test procedure for each patch.
    • Train your users to be careful when opening attachments.
    • Configure antimalware software to automatically scan all email and instant-message attachments.
    • Configure email programs not to automatically open attachments or automatically render graphics.
    • Ensure that the preview pane of your e-mail reader is turned off.
    • Use a browser plug-in like noscript to block the execution of scripts and iframes."
    ___

    iCloud PHISH
    - http://myonlinesecurity.co.uk/i21506...loud-phishing/
    5 March 2016 - " 'i215061438' pretending to come from Online-iApple <replyonline@ online .apple .org> is one of the latest -phish- attempts to steal your Apple/iCloud account. This one only wants your 'iCloud/Apple email address log in and password...

    Hello [REDACTED]
    You received one new message!
    SignIn and View
    Where we can provide information access and correction, we will do so for free, except where it would require a disproportionate effort. We aim to maintain our services in a manner that protects information from accidental or malicious destruction. Because of this, after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems.
    Thank you,
    The iApple Team


    ... It is quite easy to mistake-the-URL for a genuine apple site because you are instinctively drawn to the http ://icloudapple .com at the -start- of the URL, where you should be looking at the last-part before the first - otrack .net .. That clearly is -not- an Apple or iCloud site. If you did click the link you would see a webpage looking like this where any email address and password gives you a message saying: 'Your Apple ID or password was incorrect. Forgot password?' .. which is the link to the genuine Apple forgot password site:
    > http://myonlinesecurity.co.uk/wp-con...g-1024x549.png
    The links behind the unsubscribe and 'Click here to view our privacy policy' lead you to the Romanian Security Team forum. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

    otrack .net: 192.185.195.163 >> https://www.virustotal.com/en/url/d2...cd26/analysis/

    Last edited by AplusWebMaster; 2016-03-05 at 18:27.

  6. #916
    Adviser Team AplusWebMaster

    HMRC Tax Refund/iCloud PHISH

    FYI...

    HMRC Tax Refund/iCloud PHISH
    - http://myonlinesecurity.co.uk/apple-...shing-attempt/
    6 Mar 2016 - "A right mishmash of an email with this HMRC tax phishing attempt. The bots sending these are very confused this morning. The email subject says 'Tax Refund New Message Alert!' but the body is all about an iCloud log in... The email looks like:
    From: HM & Customs <1Message@ HMRC .gov.uk>
    Date: Sun 06/03/2016 04:50
    Subject: Tax Refund New Message Alert!
    Attachment: none
    Your ID was used to sign in to App Store via a web browser.
    Date and Time: March 04, 2016, 14:03 PM PDT
    If you have not signed in to iCloud recently and believe someone may have accessed your account, you should verify your identity and change your password. Sign in to HMRC online Services
    Hm & Customs respects your privacy.


    The link behind the 'Sign in to' leads to http ://chefom .com/hmrc .gov.uk/8a9e617ee9a73ddf31d5b21bd3ef46ba/index.php which is known by Internet Explorer Smart filter as well as Chrome and Firefox phishing filters and blocked. There no doubt will be other sites using the same email template that aren’t yet blocked. If you are unwise enough to follow-the-links and have anti-phishing or smart filter turned off, then you see a typical HMRC phishing page which looks very similar to a HMRC genuine page:
    > http://myonlinesecurity.co.uk/wp-con...HMRC_phish.png "

    chefom .com: 192.186.242.105: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/f6...61b2/analysis/

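Both phishes above rely on the reader taking the first familiar name in a link for the site it lands on: the iCloud one puts icloudapple.com at the start of a hostname that really ends in otrack.net, and the HMRC one puts hmrc.gov.uk in the path of a link whose host is chefom.com. The following added example (not code from the forum posts or myonlinesecurity.co.uk) applies the rule the posts give, the host is the last part before the first "/", and reports where the brand name actually sits. The HMRC link is the one quoted in the post; the iCloud URL is constructed to follow the described shape because the post does not quote it in full; the third sample, with the brand name before an "@", is a constructed generalisation not in the posts. The small suffix table standing in for the Public Suffix List and the set of genuine brand domains are this example's own assumptions.

```python
"""Work out which site a phishing link really lands on.

Added example, not code from the forum posts or myonlinesecurity.co.uk.
The host that matters is the last part before the first "/"; a brand
name elsewhere (start of the hostname, in the path, or before an "@")
is a lure, not evidence. The suffix table and brand domains below are
this example's assumptions, not a full Public Suffix List.
"""
from urllib.parse import urlsplit

BRAND_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "hmrc": {"hmrc.gov.uk"},
}

# Suffixes where the registrable name is three labels long (partial list).
TWO_LABEL_SUFFIXES = {"gov.uk", "co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Last label group a registrant controls (simplified PSL rule)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_link(url: str, brand: str) -> dict:
    """Say whether url is genuinely on one of brand's domains, and list lures."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    genuine = domain in BRAND_DOMAINS[brand]
    lures = []
    for b in BRAND_DOMAINS[brand]:
        if not genuine and b in host:
            lures.append(f"brand domain '{b}' inside hostname")
        if b in parts.path.lower():
            lures.append(f"brand domain '{b}' inside path")
        if parts.username and b in parts.username.lower():
            lures.append(f"brand domain '{b}' as userinfo before '@'")
    return {"host": host, "registrable_domain": domain,
            "genuine": genuine, "lures": lures}


SAMPLES = [
    # Constructed after the iCloud phish: brand first, otrack.net is the site.
    ("http://icloudapple.com.signin-verify.otrack.net/view", "apple"),
    # Link quoted in the HMRC post: the host is chefom.com, not HMRC.
    ("http://chefom.com/hmrc.gov.uk/8a9e617ee9a73ddf31d5b21bd3ef46ba/index.php", "hmrc"),
    # Constructed generalisation: brand name as userinfo before "@".
    ("http://icloud.com@otrack.net/account", "apple"),
    # Genuine host for comparison.
    ("https://appleid.apple.com/account", "apple"),
]

if __name__ == "__main__":
    for url, brand in SAMPLES:
        r = analyse_link(url, brand)
        verdict = "GENUINE" if r["genuine"] else "NOT " + brand.upper()
        print(f"{verdict:12} {r['registrable_domain']:14} {url}")
        for lure in r["lures"]:
            print(f"             lure: {lure}")
```

For anything beyond a demonstration, swap `registrable_domain` for a lookup against the real Public Suffix List; the two-label table here exists only so the gov.uk case in the post resolves correctly.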

  7. #917
    Adviser Team AplusWebMaster

    Fake 'Order Confirmation', 'Appear in Court', 'DHL invoice', 'payment proof' SPAM

    Fake 'Order Confirmation', 'Appear in Court', 'DHL invoice', 'payment proof' SPAM, WordPress plugin backdoor, Payroll and Human Resources - PHISH

    FYI...

    Fake 'Order Confirmation' SPAM - ransomware
    - http://blog.dynamoo.com/2016/03/malw...n-payment.html
    7 Mar 2016 - "This -fake- financial spam comes from various senders with different references, amounts and slightly different addresses. There is a malicious attachment which appears to be ransomware.
    From: Ellen thorp
    Date: 7 March 2016 at 07:08
    Subject: Order Confirmation - Payment Successful, Ref. 81096454
    Dear Client,
    Thank you for your transaction of $477,84. The shipping time varies from 3 to 5 business days, however we will do our best so you can receive your order as soon as possible.
    We will send all the information regarding this case to your local post office. They will contact the phone number you provided when the package arrives.
    Double check please the document enclosed to this email.
    Thank you for your order and we hope to see you again as our customer.
    Respectfully,
    Ellen thorp
    Chief Accountant ...


    Attached is a randomly-named ZIP file in the format Invoice_ref-81096454.zip which contains a further malicious script file beginning with invoice_, invoice_copy or invoice_SCAN. Detection rates for these vary [1]... These Hybrid Analysis reports on three of the samples [2].. show the script downloading a malicious binary from:
    blablaworldqq .com/80.exe?1
    hellomydearqq .com/69.exe?1
    hellomydearqq .com/80.exe?1
    At the moment, those domains don't seem to be resolving, but if you replace the domains with the IP addresses then it will work. The sites are hosted on the following servers:
    51.254.226.223 (OVH, France)
    173.82.74.197 (Multacom Corporation, US)
    The 69.exe and 80.exe files are actually different, both have a detection rate of 4/54 [3]... Analysis of these files [4]... indicates behaviour consistent with ransomware, and these binaries attempt to phone home...
    Recommended blocklist:
    51.254.226.223
    173.82.74.197
    conspec .us
    tmfilms .net
    iqinternal .com
    goktugyeli .com
    saludaonline .com
    "
    1] https://www.virustotal.com/en/file/4...is/1457338902/

    2] https://www.hybrid-analysis.com/samp...nvironmentId=4

    3] https://www.virustotal.com/en/file/4...is/1457338902/

    4] https://malwr.com/analysis/N2YyNWRiY...U5MmJlODc4OTQ/

    - http://myonlinesecurity.co.uk/order-...pt-ransomware/
    7 Mar 2016 - "An email with the subject of 'Order Confirmation – Payment Successful, Ref. 67703560" [random numbered] pretending to come from random email addresses, companies and names with a zip attachment is another one from the current bot runs... The name of the alleged sender matches the name of the Chief Accountant. The ref number in subject matches the attachment number. The email looks like:
    From: Amie yonk <yonkAmie092@ bumperscuffshrewsbury .co.uk>
    Date: Mon 07/03/2016 05:56
    Subject: Order Confirmation – Payment Successful, Ref. 67703560 (random numbers)
    Attachment: Invoice_ref-67703560.zip
    Dear Client,
    Thank you for your transaction of $727,71. The shipping time varies from 3 to 5 business days, however we will do our best so you can receive your order as soon as possible.
    We will send all the information regarding this case to your local post office. They will contact the phone number you provided when the package arrives.
    Double check please the document enclosed to this email.
    Thank you for your order and we hope to see you again as our customer.
    Respectfully,
    Amie yonk
    Chief Accountant ...


    7 March 2016: Invoice_ref-67703560.zip: Extracts to: invoice_zVVGbu.js - Current Virus total detections 2/56*
    MALWR** shows a download from http ://hellomydearqq .com/69.exe?1 so that tells us that this is Teslacrypt ransomware (VirusTotal 2/56***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1457330191/

    ** https://malwr.com/analysis/ZDZkZGRjM...U2ZjI1MDg4MzM/
    Hosts
    173.82.74.197
    50.62.245.1


    *** https://www.virustotal.com/en/file/9...is/1457333744/
    ___

    Fake 'Notice to Appear in Court' SPAM - JS malware leads to Kovter and ransomware
    - http://myonlinesecurity.co.uk/notice...nd-ransomware/
    7 Mar 2016 - "An email with the subject of 'Notice to Appear in Court' coming from no-reply@ mailout .pl with a zip attachment is another one from the current bot runs... The email looks like:
    From: no-reply@ mailout .pl
    Date: Mon 07/03/2016 10:19
    Subject: Notice to Appear in Court
    Attachment: Notice_to_Appear_00736595.zip
    Notice to Appear,
    You have to appear in the Court on the March 15.
    You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
    Note: The case may be heard by the judge in your absence if you do not come.
    The copy of Court Notice is attached to this email.
    Sincerely,
    Adam Middleton,
    Court Secretary.


    7 March 2016: Notice_to_Appear_00736595.zip: Extracts to: Notice_to_Appear_00736595.doc.js - Current Virus total detections 15/56*
    .. MALWR** shows a download of -3- files from http ://mehulic-art .com which are known as Kovter, and other ransomware files. VirusTotal [1] [2] [3].. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1457346335/

    ** https://malwr.com/analysis/Y2Q4ZWYwN...BjYmUwMWZhNjg/
    Hosts
    185.58.74.132

    1] https://www.virustotal.com/en/file/d...is/1457304422/

    2] https://www.virustotal.com/en/file/d...is/1457346993/

    3] https://www.virustotal.com/en/file/5...is/1457285169/
    ___

    Fake 'DHL invoice' SPAM - JS malware leads to Locky Ransomware
    - http://myonlinesecurity.co.uk/your-l...ky-ransomware/
    7 Mar 2016 - "An email with the subject of 'Your latest DHL invoice: HSC4387902' [random numbered] pretending to come from e-billing@ dhl .com with a zip attachment is another one from the current bot runs which downloads Locky ransomware...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...2-1024x551.png

    7 March 2016: HSC4387902.zip: Extracts to: MNB3492495814.js - Current Virus total detections 1/54*
    .. MALWR** shows a download of the -same- Locky ransomware version as mentioned in THIS post*** from http ://shapes .com.pk/system/logs/87tg7v645c.exe
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1457349592/

    ** https://malwr.com/analysis/YmY0ZGQ1M...JiMjFiOGFlYmE/
    Hosts
    50.87.248.127

    *** http://myonlinesecurity.co.uk/paymen...ky-ransomware/
    ___

    Fake 'payment proof' SPAM - JS malware leads to Locky Ransomware
    - http://myonlinesecurity.co.uk/paymen...ky-ransomware/
    7 Mar 2016 - "An email with the subject of 'payment proof' pretending to come from SunBeverages <Info@ sunbeverages .eu> with a zip attachment is another one from the current bot runs... The email looks like:
    From: SunBeverages <Info@ sunbeverages .eu>
    Date: Mon 07/03/2016 09:42
    Subject: payment proof
    Attachment: 169990489_0492729.zip (random numbers)
    Please see attached proof of payment...


    5 March 2016: 169990489_0492729.zip: Extracts to: SPL6767845811.js - Current Virus total detections 1/57*
    .. MALWR** shows a download of Locky ransomware from http ://aqarhits .com/system/logs/87tg7v645c.exe
    (VirusTotal 4/56***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1457347704/

    ** https://malwr.com/analysis/MTliZTkyN...E4MmU0ZTc4NGM/
    Hosts
    162.210.102.210
    46.108.39.18


    *** https://www.virustotal.com/en/file/3...is/1457348069/
    TCP connections
    212.47.223.19: https://www.virustotal.com/en/ip-add...9/information/
    ___

    Fake 'E-Service Invoice' SPAM - leads to malware
    - http://blog.dynamoo.com/2016/03/malw...urope-ltd.html
    7 Mar 2016 - "This -fake- financial spam leads to malware:
    From Andrew Williams [andrew.williams@ eurocoin .co.uk]
    Date Mon, 07 Mar 2016 17:37:49 +0530
    Subject E-Service (Europe) Ltd Invoice No: 10013405
    Dear Customer,
    Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
    to make payment for all transactions on or before their due date.
    Please contact E-Service (Europe) if you have any issues or queries preventing your
    prompt payment ...


    Attached is a ZIP file named Invoice 10013405.zip which contains one of a wide range of randomly-named scripts. A trusted third party analysis (thank you!) shows that there are download locations.. The dropped binary has a detection rate of 5/56* and the Malwr report** clearly shows this is the Locky ransomware. My contact reports that the malware phones home to:
    192.121.16.196 (EDIS, Netherlands)
    46.108.39.18 (EDIS, Romania)
    212.47.223.19 (Web Hosting Solutions OY, Estonia)
    109.237.111.168 (Krek Ltd, Russia)
    185.92.220.35 (Choopa LLC, Netherlands)
    89.108.85.163 (Agava Ltd, Russia)
    192.71.213.69 (EDIS, Spain)
    Recommended blocklist:
    192.121.16.196
    46.108.39.18
    212.47.223.19
    109.237.111.168
    185.92.220.35
    89.108.85.163
    192.71.213.69
    "

    - http://myonlinesecurity.co.uk/e-serv...ky-ransomware/
    7 Mar 2016 - "An email with the subject of 'E-Service (Europe) Ltd Invoice No: 10013405' [random numbered] pretending to come from Andrew Williams <andrew.williams@ eurocoin .co.uk> with a zip attachment is another one from the current bot runs which downloads LOCKY RANSOMWARE.. The email looks like:
    From: Andrew Williams <andrew.williams@ eurocoin .co.uk>
    Date: Mon 07/03/2016 11:39
    Subject: E-Service (Europe) Ltd Invoice No: 10013405 ( random numbers)
    Attachment: Invoice 10013405.zip
    Dear Customer,
    Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you to make payment for all transactions on or before their due date...


    7 March 2016: Invoice 10013405.zip: Extracts to: YOJ5879833117.js - Current Virus total detections 2/54*
    .. MALWR** shows a download of Locky ransomware from http ://kiddyshop.kiev .ua/image/data/87tg7v645c.exe (VirusTotal 5/54***) Which is slightly different to today’s earlier versions. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1457354372/

    ** https://malwr.com/analysis/OTVkYTBkZ...QzMzNjMmU5ZWU/
    Hosts
    176.114.0.200
    185.92.220.35


    *** https://www.virustotal.com/en/file/d...is/1457355960/
    TCP connections
    192.121.16.196: https://www.virustotal.com/en/ip-add...6/information/
    ___

    WordPress plugin opens backdoor, steals user credentials
    - https://www.helpnetsecurity.com/2016...r-credentials/
    Mar 7, 2016 - "If you are one of the 10,000+ users of the 'Custom Content Type Manager (CCTM)' WordPress plugin, consider your site to be compromised and proceed to clean your installation up, Sucuri Security researchers have warned. After finding “a very suspicious auto-update.php file inside wp-content/plugins/custom-content-type-manager/” during the cleanup on an -infected- WP site, the researchers have begun digging, and discovered that:
    • The file in question is a backdoor that can download additional files from a third-party domain, and save them in the plugin directory
    • The CCTM plugin has been available for download from the official WP Plugin Directory for around three years, but hasn’t been updated in the last 10 months. But, some two weeks ago, a new developer (“wooranker”) started -adding- “small tweeks by new owner” and “bug fixes”... Users who want to keep using the plugin are advised to revert to using version 0.9.8.6. and to -disable- automatic plugin updates."
    > https://blog.sucuri.net/2016/03/when...-goes-bad.html
    Updated Mar 7, 2016
    (More detail at both URLs above.)
    ___

    Payroll and Human Resources - PHISH
    - https://www.helpnetsecurity.com/2016...employee-data/
    Mar 7, 2016 - "... 'Because a W-2 form provides the employee’s name, Social Security number, address, and earnings information for the year with how much had been deducted for taxes, etc. – as well as the employer’s name and address – it provides everything criminals need to engage in tax refund fraud', Dissent, the privacy advocate running the Office of Inadequate Security blog*, explains. 'It used to be that in February and March, we’d see a number of reports-of-breaches involving employees’ W-2 tax statements that were due to printing or mailing errors. This year, we’re seeing reports of W-2 data-theft -via- phishing'. The blogger has been flagging reports of various companies being successfully targeted with this type of attack: Actifio, AmeriPride, Evening Post Industries, GCI, Main Line Health, and the latest, Seagate. Snapchat was hit earlier this month. And there are likely many more... instead of going directly after the money, the attackers are after information that can be used for stealing money. The fake emails almost always seem to be coming from the firm’s -CEO- asking the payroll -or- HR employee to send the employees’ W-2 forms, in PDF form, 'for review'... we can expect a continuing, steady stream of these emails hitting all types of companies. It remains on them to educate their staff so they don’t fall for it."
    * http://www.databreaches.net/mounting...ctims-in-2016/
    Mar 7, 2016

    Last edited by AplusWebMaster; 2016-03-07 at 23:15.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #918
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Pay_Advice_Vendor', 'Emailing', 'Order', 'FeDex-service', 'Compensation' SPAM

    FYI...

    Fake 'Pay_Advice_Vendor' SPAM - JS malware leads to Dridex
    - http://myonlinesecurity.co.uk/pay_ad...ads-to-dridex/
    8 Mar 2016 - "An email with the subject of 'Pay_Advice_Vendor_0000300320_1000_for_03.03.2016' pretending to come from Accounts Payable <vendoramendments@ yorkshirewater .co.uk> with a zip attachment is another one from the current bot runs which downloads Dridex banking Trojan... The email looks like:
    From: Accounts Payable <vendoramendments@ yorkshirewater .co.uk>
    Date: Tue 08/03/2016 08:25
    Subject: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016
    Attachment: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP
    Spotted a leak?
    If you spot a leak please report it immediately. Call us ...
    Get a free water saving pack
    Don’t forget to request your free water and energy saving pack, it could save you money on your utility bills and help you conserve water..


    8 March 2016: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP: Extracts to: LQO1169369605.js
    Current Virus total detections 4/56*.. MALWR shows a download of what looks like Dridex banking Trojan from http ://reclamus .com/9uj8n76b5.exe (VirusTotal 2/56**). Other download locations so far discovered include
    lhs-mhs .org/9uj8n76b5.exe | jatukarm-30 .com/9uj8n76b5.exe | stopmeagency.free .fr/9uj8n76b5.exe ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1457426128/

    ** https://www.virustotal.com/en/file/b...is/1457426412/
    TCP connections
    38.64.199.3: https://www.virustotal.com/en/ip-add...3/information/
    8.253.82.126: https://www.virustotal.com/en/ip-add...6/information/

    - http://blog.dynamoo.com/2016/03/malw...003003201.html
    8 Mar 2016 - "This -fake- financial spam does not come from Yorkshire Water but is instead a simple -forgery- with a malicious attachment.
    From Accounts Payable [vendoramendments@ yorkshirewater .co.uk]
    Date Tue, 08 Mar 2016 10:32:52 +0200
    Subject Pay_Advice_Vendor_0000300320_1000_for_03.03.2016
    Spotted a leak?
    If you spot a leak please report it immediately. Call us...
    Get a free water saving pack
    Don't forget to request your free water and energy saving pack, it could save you
    money on your utility bills and help you conserve water...


    I have only seen a single sample with an attachment named Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP which contains a randomly-named malicious script with a detection rate of 3/54*. According to the Malwr report** and Hybrid Analysis*** on this sample, it downloads a malicious binary from:
    lhs-mhs .org/9uj8n76b5.exe
    This binary has a detection rate of 2/54[4] and all those reports indicate that it phones home to:
    38.64.199.3 (PSINet, Canada)
    I recommend that you -block- traffic to that IP. The Malwr report on the dropped binary is inconclusive, but it looks like the Dridex banking trojan."
    * https://www.virustotal.com/en/file/5...is/1457426440/

    ** https://malwr.com/analysis/MjU1N2JkM...JkMjlkOGZlOTk/
    Hosts
    208.131.141.2
    38.64.199.3
    184.25.56.34


    *** https://www.hybrid-analysis.com/samp...nvironmentId=4

    4] https://www.virustotal.com/en/file/b...is/1457426850/
    TCP connections
    38.64.199.3: https://www.virustotal.com/en/ip-add...3/information/
    8.253.82.126: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'Emailing' SPAM - JS attachment leads to Dridex
    - http://myonlinesecurity.co.uk/emaili...ads-to-dridex/
    8 Mar 2016 - "An email with the subject of 'Emailing: 20121005154449756' pretending to come from Gary Atkinson <Gary@ garrardwindows .co.uk> with a zip attachment is another one from the current bot runs which downloads Dridex banking Trojan... The email looks like:
    From: Gary Atkinson <Gary@ garrardwindows .co.uk>
    Date: Tue 08/03/2016 09:00
    Subject: Emailing: 20121005154449756
    Attachment:
    Please find attached document as requested.


    8 March 2016: 20121005154449756.zip: Extracts to: UIP3776229406.js - Current Virus total detections 3/56*
    MALWR** shows a download of Dridex banking Trojan from http ://lhs-mhs .org/9uj8n76b5.exe
    (VirusTotal ***) which is the same binary as THIS post[4]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1457427965/

    ** https://malwr.com/analysis/MGZjZDhiN...JlNDVkOWEyNzE/
    Hosts
    208.131.141.2
    38.64.199.3
    8.254.249.78


    *** https://www.virustotal.com/en/file/b...is/1457427628/
    TCP connections
    38.64.199.3: https://www.virustotal.com/en/ip-add...3/information/
    8.253.82.126: https://www.virustotal.com/en/ip-add...6/information/

    4] http://myonlinesecurity.co.uk/pay_ad...ads-to-dridex/

    - http://blog.dynamoo.com/2016/03/malw...154449756.html
    8 Mar 2016 - "This spam does -not- come from Garrard Windows but is instead a simple -forgery- with a malicious attachment:
    From Gary Atkinson [Gary@ garrardwindows .co.uk]
    Date Tue, 08 Mar 2016 12:09:33 +0300
    Subject Emailing: 20121005154449756
    Please find attached document as requested.


    Attached is a file 20121005154449756.zip which contains a randomly-named script. I have seen two samples so far (VirusTotal results [1]..). The Malwr reports [3].. show the script downloads from the following locations:
    jatukarm-30 .com/9uj8n76b5.exe
    stopmeagency .free.fr/9uj8n76b5.exe
    The downloaded binary appears to be Dridex and is the -same- as found in this spam run*."
    1] https://www.virustotal.com/en/file/e...is/1457429537/

    2] https://malwr.com/analysis/Y2ZiZTA2Z...hlYzdmYWIyYWI/
    Hosts
    203.146.251.198
    38.64.199.3
    23.216.11.120


    * http://blog.dynamoo.com/2016/03/malw...003003201.html
    ___

    Fake 'Order' SPAM - doc malware leads to Dridex
    - http://myonlinesecurity.co.uk/order-...ads-to-dridex/
    8 Mar 2015 - "An email with the subject of 'Order 1307605 (Acknowledgement)' pretending to come from rick.adrio@ booles .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: rick.adrio@ booles .co.uk
    Date: Tue 08/03/2016 09:31
    Subject: Order 1307605 (Acknowledgement)
    Attachment: pm51A.docm
    Please find document attached ...


    8 March 2016: pm51A.docm Current Virus total detections 5/55*
    MALWR** shows a download of Dridex banking Trojan from http ://kyudentyumi .web .fc2 .com/9uj8n76b5.exe
    ... which is the -same- Dridex Trojan version as described in today’s earlier posts where they are using .JS files inside zips to distribute the malware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1457430327/

    ** https://malwr.com/analysis/NjZkZjFmM...VkOGE3OTZhOTM/
    Hosts
    208.71.106.45
    38.64.199.3
    23.216.11.120


    - http://blog.dynamoo.com/2016/03/malw...r-1307605.html
    8 Mar 2015 - "This fake financial spam has a malicious attachment:
    From rick.adrio@ booles .co.uk
    Date Tue, 08 Mar 2016 15:58:07 +0530
    Subject Order 1307605 (Acknowledgement)
    Please find document attached ...


    Attached is a file pm51A.docm which I have seen two versions of (VirusTotal results [1] [2]). According to these Malwr reports [3] [4] and various other sources the macro in the document downloads from:
    stopmeagency .free.fr/9uj8n76b5.exe
    reclamus .com/9uj8n76b5.exe
    lhs-mhs .org/9uj8n76b5.exe
    izzy-cars .nl/9uj8n76b5.exe
    kyudentyumi.wekyudentyumi .web.fc2 .com/9uj8n76b5.exe
    The dropped binary has -changed- from earlier and has a detection rate of 2/55*, it phones home to the -same- IP address as seen in this campaign**. It appears to be the Dridex banking trojan."
    1] https://www.virustotal.com/en/file/1...is/1457433767/

    2] https://www.virustotal.com/en/file/0...is/1457433778/

    3] https://malwr.com/analysis/MWM1ZmRlY...A5YTlmMzFiYmQ/
    Hosts
    46.235.47.134
    38.64.199.3
    13.107.4.50


    4] https://malwr.com/analysis/NmIyYzAxM...g2ODFhZGY1MmE/
    Hosts
    208.131.141.2
    38.64.199.3
    13.107.4.50


    * https://www.virustotal.com/en/file/a...5874/analysis/
    TCP connections
    38.64.199.3: https://www.virustotal.com/en/ip-add...3/information/
    131.253.33.50: https://www.virustotal.com/en/ip-add...0/information/

    ** http://blog.dynamoo.com/2016/03/malw...003003201.html
    ___

    Fake 'FeDex-service' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/03/malw...ent-fedex.html
    8 Mar 2016 - "This -fake- FedEx spam has a malicious attachment:
    From: FeDex-service
    Date: 8 March 2016 at 11:40
    Subject: Samson Floyd agent Fedex
    Dear [redacted],
    We attempted to deliver your item on March 07th, 2016, 11:40 AM.
    The delivery attempt failed because the address was business closed or
    nobody could sign for it. To pick up the parcel,please, print the receipt
    that is attached to this email and visit Fedex office indicated in the
    invoice. If the package is not picked up within 48 hours, it will be returned
    to the shipper.
    Label: US45928402845 ...


    Attached is a RAR archive file in this case named US45928460284.rar containing in turn a malicious script US45928460284.js ... This attempts to download an executable from:
    www .fotoleonia .it/files/sample.exe
    This has a VirusTotal detection rate of 4/54*. The Malwr report** shows a subsequent download from:
    www .claudiocalaprice .com/modules/fedex/pad.exe
    This has similar detections*** to the first binary. That Malwr report also indicates the binary POSTing data to:
    pdf.repack .bike/new_and/state.php
    This is hosted on:
    151.80.76.200 (Kitdos, US / OVH, France)
    I would suggest that the -entire- 151.80.76.200/29 range is questionable and should be -blocked-. None of the automated tools I ran... gave any insight as to what the malware does, but it is clearly something malicious."
    * https://www.virustotal.com/en/file/e...is/1457437544/

    ** https://malwr.com/analysis/Yjk4NWM3Y...ZhMGMxMDQyNzU/
    Hosts


    *** https://www.virustotal.com/en/file/b...is/1457438147/
    ___

    Fake 'Compensation' SPAM - JS malware leads to Locky Ransomware
    - http://myonlinesecurity.co.uk/compen...ky-ransomware/
    8 Mar 2016 - "An email with the subject of 'Compensation – Reference Number #242852' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... The email looks like:
    From: Lily Adams <AdamsLily33@ haleandheartymovers .com>
    Date: Tue 08/03/2016 12:00
    Subject: Compensation – Reference Number #242852
    Attachment: SCAN_00_242852.zip
    Dear Customer,
    The mistake made will be compensated promptly, please do not worry.
    Please take a look at the file attached (scanned document) as it contains all the information.
    Sincerely,
    Lily Adams
    Sales Manager ...


    8 March 2016: SCAN_00_242852.zip: Extracts to -2- different .JS files: accent.670345320.js
    Current Virus total detections 1/56* and email.141350705.js (VirusTotal 1/56**).. MALWR [1][2] shows both download of Locky ransomware from http ://lahmar.choukri.perso.neuf .fr/78hg4wg (VirusTotal ***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1457438201/

    ** https://www.virustotal.com/en/file/0...is/1457438200/

    1] https://malwr.com/analysis/OTdhZjg3Z...M1MGFlNWM0NzE/
    Hosts
    86.65.123.70
    37.235.53.18


    2] https://malwr.com/analysis/NWFjMmE1Z...gzMzI2ODkyMjI/
    Hosts
    86.65.123.70
    89.108.85.163


    *** https://www.virustotal.com/en/file/0...is/1457439479/
    TCP connections
    89.108.85.163: https://www.virustotal.com/en/ip-add...3/information/
    149.154.157.14: https://www.virustotal.com/en/ip-add...4/information/

    - http://blog.dynamoo.com/2016/03/malw...reference.html
    8 Mar 2016 - "This -fake- financial spam comes with a malicious attachment:
    From: Orval Burgess
    Date: 8 March 2016 at 11:10
    Subject: Compensation - Reference Number #368380
    Dear Customer,
    The mistake made will be compensated promptly, please do not worry.
    Please take a look at the file attached (scanned document) as it contains all the information.
    Sincerely,
    Orval Burgess
    Account Manager


    Attached is a file named in a similar format to SCAN_00_368380.zip which contains -TWO- malicious scripts named in a format similar to email.864036956.js (VirusTotal results [1]..) and automated analysis tools [5].. [9].. show binary download locations at:
    ministerepuissancejesus .com/o097jhg4g5
    ozono. org.es/k7j6h5gf
    Those same reports indicate the malware attempts to phone home to the following IPs:
    89.108.85.163 (Agava Ltd, Russia)
    151.236.14.51 (EDIS, Netherlands)
    149.154.157.14 (EDIS, Italy)
    37.235.53.18 (EDIS, Spain)
    192.121.16.196 (EDIS, Sweden)
    Those automated reports all indicate that this is the Locky ransomware.
    Recommended blocklist:
    89.108.85.163
    151.236.14.51
    149.154.157.14
    37.235.53.18
    192.121.16.196
    "
    (More detail at the dynamoo URL above.)
    1] https://www.virustotal.com/en/file/7...0616/analysis/

    5] https://malwr.com/analysis/Y2JkOGM2Z...dhNWFiYmVmOWQ/

    9] https://www.hybrid-analysis.com/samp...nvironmentId=4
    email.297456567.js
    email.931921928.js
    email.374106319.js
    email.864036956.js
    ___

    Fake 'Invoice #' SPAM - JS malware leads to ransomware
    - http://myonlinesecurity.co.uk/fw-inv...to-ransomware/
    8 Mar 2016 - "An email with the subject of 'FW: Invoice #733745-2016-03' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads a Locky Ransomware version... The email looks like:
    From: Agnes Vaughan <VaughanAgnes08980@ speedy .com.ar>
    Date: Tue 08/03/2016 15:12
    Subject: FW: Invoice #733745-2016-03
    Attachment:
    Dear ellie,
    Please see attached (scanned document) file for your invoice.
    Thank you for your business
    Agnes Vaughan
    Account Manager


    8 March 2016: SCAN_2016_03_733745.zip: Extracts to: -2- slightly different sized .JS files
    accent.216401762.js (VT*) and accent.599656717.js (VT**)
    .. MALWR [1] [2] both show a download from http ://het-havenhuis .nl/099oj6hg (VirusTotal 15/57***)
    ... the second MALWR report clearly shows Locky.. Chrome & Firefox but -not- Internet Explorer -block- this site with big red warnings of malware... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1457449790/

    ** https://www.virustotal.com/en/file/4...is/1457449826/

    1] https://malwr.com/analysis/YTUyNTRlY...RkYWM5ZjIwN2M/
    Hosts
    83.137.194.70
    212.47.223.19
    192.121.16.196
    89.108.85.163


    2] https://malwr.com/analysis/YWU4ZTZmN...ZlZTFiYmI5NTY/
    Hosts
    83.137.194.70
    212.47.223.19
    151.236.14.51


    *** https://www.virustotal.com/en/file/d...is/1457450528/
    TCP connections
    37.235.53.18: https://www.virustotal.com/en/ip-add...8/information/

    Last edited by AplusWebMaster; 2016-03-08 at 23:00.
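    The posts above keep returning to the same attachment pattern: a ZIP whose name ends in a document or media extension (Pay_Advice_...PDF.ZIP, ..._91981473.wav.zip) hiding a .js script or a .docm macro document that shows a document icon when "show known file extensions" is off. The following is an added example, not code from this thread or from the quoted blogs: a mail-gateway style check that opens ZIP attachments in memory and flags script members and double-extension decoy names. The sample archives and their contents are constructed here, with names modelled on the subjects in the thread; EXECUTABLE_EXTS and DECOY_EXTS are assumed policy lists, not anything the page defines.

```python
"""Attachment triage for the JS-in-ZIP / .docm spam pattern (added example).

Constructed samples only: archive names are modelled on the thread's subjects,
member contents are harmless placeholder bytes.
"""
import io
import zipfile
from dataclasses import dataclass, field

# File types Windows will run on double-click (assumed policy list).
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe",
                   ".scr", ".cmd", ".bat", ".docm", ".xlsm"}
# Types a user expects to be inert; as the *second-to-last* extension they
# are the decoy in names like "...PDF.ZIP" or "...wav.zip" (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".xls", ".wav", ".jpg", ".png", ".txt"}


@dataclass
class Verdict:
    attachment: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _exts(name: str) -> list:
    """All extension parts of a file name, lower-cased.

    'a.PDF.ZIP' -> ['.pdf', '.zip']; 'dir/x.js' -> ['.js']; 'README' -> [].
    """
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def check_name(name: str) -> list:
    """Return reasons a file name is suspicious (empty list if none)."""
    reasons = []
    exts = _exts(name)
    if not exts:
        return reasons
    if exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"{name}: runnable type {exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        reasons.append(f"{name}: decoy double extension {exts[-2]}{exts[-1]}")
    return reasons


def check_zip_attachment(filename: str, data: bytes) -> Verdict:
    """Check the outer attachment name and every member of the ZIP."""
    verdict = Verdict(filename, check_name(filename))
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                verdict.reasons.extend(check_name(info.filename))
    except zipfile.BadZipFile:
        verdict.reasons.append(f"{filename}: not a valid ZIP archive")
    return verdict


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {member_name: bytes} (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


PLACEHOLDER = b"// constructed placeholder, not malware\n"

# Constructed samples; names follow the thread's subjects, contents are inert.
SAMPLES = {
    "Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP":
        build_zip({"LQO1169369605.js": PLACEHOLDER}),
    "44163311902_20160309_91981473.wav.zip":
        build_zip({"WED2970789413.js": PLACEHOLDER}),
    "SCAN_00_242852.zip":
        build_zip({"accent.670345320.js": PLACEHOLDER,
                   "email.141350705.js": PLACEHOLDER}),
    "quarterly_report.zip":
        build_zip({"report.pdf": b"%PDF-1.4 constructed placeholder\n"}),
}


def scan_samples() -> dict:
    """Run the check over every constructed sample; returns {name: Verdict}."""
    return {name: check_zip_attachment(name, data)
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print("SUSPICIOUS" if verdict.suspicious else "clean     ", name)
        for reason in verdict.reasons:
            print("   -", reason)
```

    Of the constructed samples only quarterly_report.zip comes back clean; the .PDF.ZIP and .wav.zip names are flagged for the decoy extension and again for the .js member inside.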

  9. #919
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Invoice#', 'DOC', 'Voice msg', 'Invoice 2016', 'from Admin' SPAM, AMEX Phish

    FYI...

    Fake 'Invoice#' SPAM - JS malware leads to Teslacrypt
    - http://myonlinesecurity.co.uk/invoic...pt-ransomware/
    9 Mar 2016 - "An email with the subject of 'Invoice #96187656 for your Order' [random numbered] pretending to come from Finance Information (random email addresses) with a zip attachment is another one from the current bot runs which downloads Teslacrypt ransomware... The email looks like:
    From: Finance Information <root@ free-dreams .nl>
    Date: Wed 09/03/2016 07:23
    Subject: Invoice #96187656 for your Order
    Attachment: invoice_SCAN_yzGbVV.zip
    Good day, dear client!
    We have recently shipped your parcel at you region post office.
    You can find the file bill of your shipment in the attachment. Make sure to check.
    Take care.
    Order/Invoice number:
    96187656
    Order/Invoice date:
    09.03.2016
    Accounts Department
    Wavenet Group
    Incorporating – Titan Technology, Centralcom and S1 Network Services ...


    9 March 2016: invoice_SCAN_yzGbVV.zip: Extracts to: invoice_SCAN_yzGbVV.js - Current Virus total detections 8/57*
    MALWR** shows a download of Teslacrypt from http ://howareyouqq .com/25.exe?1 (VirusTotal ***)
    NOTE: this also tries to download http ://google .com/25.exe?1 which does not exist and I can only assume that the bad actors have made a mistake in their coding and were probably trying to use the well known open redirect security hole in Google search and other google products... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1457508873/

    ** https://malwr.com/analysis/NmU4NjllZ...E3MTBlYWZmYzU/
    Hosts
    185.118.142.154
    216.58.219.14


    *** https://www.virustotal.com/en/file/2...is/1457503315/
    TCP connections
    50.87.28.241: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/42...f038/analysis/
    ___

    Fake 'DOC' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/03/malw...008-idris.html
    9 Mar 2016 - "This terse spam has a malicious attachment. There is -no- body text.
    From: Idris Mohammed [idrismohammed25@ gmail .com]
    Date: 9 March 2016 at 09:55
    Subject: DOC-Z21193008


    Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results [1] [2]). Automated analysis [3] [4].. shows the macro in these two documents downloading from:
    gpcarshop .com.br/system/logs/07yhnt7r64.exe
    karnavalnye .com/system/logs/07yhnt7r64.exe
    There are no doubt several -other- download locations. This binary has a detection rate of 3/56*. The various reports indicate that it phones home to a server at:
    64.76.19.251 (Impsat, Argentina)
    I strongly recommend that you -block- traffic to that IP. Payload is likely to be the Dridex banking trojan."
    1] https://www.virustotal.com/en/file/7...is/1457517657/

    2] https://www.virustotal.com/en/file/e...is/1457517660/

    3] https://malwr.com/analysis/MmEwMTc4N...EzNmQ0NjVhMDk/

    4] https://malwr.com/analysis/Y2Y4ZTQzO...gyZTExN2U4ODE/

    * https://www.virustotal.com/en/file/2...is/1457518357/
    TCP connections
    64.76.19.251
    8.253.82.126


    - http://myonlinesecurity.co.uk/doc-z2...ads-to-dridex/
    9 Mar 2016 - "An email with the subject of 'DOC-Z21193008' pretending to come from Idris Mohammed <idrismohammed29@ gmail .com> (random numbers after idrismohammed) with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: Idris Mohammed <idrismohammed29@ gmail .com>
    Date: Wed 09/03/2016 09:54
    Subject: DOC-Z21193008
    Attachment: img-DOC-Z21193008.docm


    Body content: completely blank

    9 March 2016: img-DOC-Z21193008.docm - Current Virus total detections 4/56*
    .. MALWR shows a download of Dridex banking Trojan from
    http ://karnavalnye .com/system/logs/07yhnt7r64.exe (VirusTotal 3/56**)...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1457518626/

    ** https://www.virustotal.com/en/file/2...is/1457518357/
    TCP connections
    64.76.19.251
    8.253.82.126

    ___

    Fake 'Voice msg' SPAM - JS malware leads to Dridex
    - http://myonlinesecurity.co.uk/voice-...ads-to-dridex/
    9 Mar 2016 - "An email with the subject of 'Voice Message Attached from +44163311902' – name unavailable [random numbered] pretending to come from voicemail <voicemail@ inclarity .net> with a zip attachment is another one from the current bot runs which downloads Dridex banking malware... The email looks like:
    From: voicemail <voicemail@ inclarity .net>
    Date:
    Subject: Voice Message Attached from +44163311902 – name unavailable
    Attachment: 44163311902_20160309_91981473.wav.zip
    Time: Wed, 09 Mar 2016 14:51:02 +0530
    Click attachment to listen to Voice Message


    9 March 2016: 44163311902_20160309_91981473.wav.zip: Extracts to: WED2970789413.js - Current Virustotal detections 3/56*
    .. MALWR** shows a download of Dridex banking Trojan from http ://variant13 .ru/system/logs/07yhnt7r64.exe which is the -same- Dridex binary from THIS post***.. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1457519130/

    ** https://malwr.com/analysis/NDQ4MDRkN...QyMDA3NWUyMjk/
    Hosts
    37.140.192.62
    64.76.19.251
    13.107.4.50


    *** http://myonlinesecurity.co.uk/doc-z2...ads-to-dridex/
    ___

    Fake 'Invoice 2016' SPAM - JS malware leads to Locky Ransomware
    - http://myonlinesecurity.co.uk/fw-inv...ky-ransomware/
    9 Mar 2016 - "An email saying 'Please find attached 2 invoices for processing' with the subject of 'FW: Invoice 2016-M#184605 [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... The email looks like:
    From: Ann Guerrero <GuerreroAnn36420@ ono .com>
    Date: Wed 09/03/2016 10:38
    Subject: FW: Invoice 2016-M#184605
    Attachment: Payment_2016_March_184605.zip
    Dear vbygry,
    Please find attached 2 invoices for processing.
    Yours sincerely,
    Ann Guerrero
    Account Manager ...


    5 March 2016: Payment_2016_March_184605.zip: Extracts to -2- different files:
    problem.974210026.js [VT*] see_it.001832901.js [VT**]:
    .. MALWR [1] [2] -both- show a download of Locky Ransomware from
    http ://planetarchery .com.au/system/logs/q32r45g54 (VirusTotal 5/57***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1457523481/

    ** https://www.virustotal.com/en/file/d...is/1457523485/

    1] https://malwr.com/analysis/OGE4YjllM...Q4OTVhYjExZWY/
    Hosts
    103.240.88.28
    149.154.157.14


    2] https://malwr.com/analysis/OTc5ZDBmM...IxZDVkYzViNzE/
    Hosts
    103.240.88.28
    91.195.12.131


    *** https://www.virustotal.com/en/file/a...is/1457524130/
    TCP connections
    149.154.157.14: https://www.virustotal.com/en/ip-add...4/information/

    - http://blog.dynamoo.com/2016/03/malw...ttached-2.html
    9 Mar 2016 - "These -fake- financial spam emails come from random sources with different names and reference numbers:
    From: Melisa Keller
    Date: 9 March 2016 at 12:08
    Subject: FW: Invoice 2016-M#111812
    Dear server,
    Please find attached 2 invoices for processing.
    Yours sincerely,
    Melisa Keller
    Financial Manager ...


    Attached is a file with a name similar to Payment_2016_March_111812.zip which contains -two- scripts, which in the samples I have seen all start with "see_it" or "problem". These malicious scripts all have low detection rates... there may be other download locations. The Malwr reports indicate that the malware phones home to:
    78.40.108.39 (PS Internet Company LLC, Kazakhstan)
    149.154.157.14 (EDIS, Italy)
    The payload is the Locky ransomware.
    UPDATE: I received the following information from another source (thank you)...
    Additional C2s:
    91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
    151.236.14.51 (EDIS, Netherlands)
    37.235.53.18 (EDIS, Spain)
    Recommended blocklist:
    78.40.108.39
    149.154.157.14
    91.195.12.131
    151.236.14.51
    37.235.53.18
    "
    ___

    Fake 'from Admin' SPAM - JS malware leads to ransomware
    - http://myonlinesecurity.co.uk/random...to-ransomware/
    9 Mar 2016 - "An email with the subject of 'DOC-AA25400B' [random numbered] pretending to come from -admin- <adm323@ victim_domain .tld> (the numbers after adm are random; the domain is your own email domain) with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... The email looks like:
    From: admin <adm323@ victim_domain .tld>
    Date: Wed 09/03/2016 12:05
    Subject: DOC-AA25400B
    Attachment: DOC-AA25400B.zip


    Totally -blank- body content

    9 March 2016: DOC-AA25400B.zip: Extracts to: JGK9027615101.js - Current Virus total detections 5/57*
    .. MALWR** shows a download of Locky Ransomware from
    http ://thietbianninhngocphuoc .com/system/logs/98yhb764d.exe (VirusTotal ***)... This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1457528965/

    ** https://malwr.com/analysis/ZWI1NzJlM...U0MmRkYzlhNmI/
    Hosts
    123.30.187.116: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/5b...f15c/analysis/
    78.40.108.39

    *** https://www.virustotal.com/en/file/f...is/1457528686/
    TCP connections
    78.40.108.39: https://www.virustotal.com/en/ip-add...9/information/
    ___

    AMEX 'PSK' PHISH
    - http://myonlinesecurity.co.uk/americ...-psk-phishing/
    9 Mar 2016 - "... a mass run of phishing emails -spoofing- American Express saying 'Please create your Personal Security Key'. There are -3- sites so far discovered that attempt to perform this phishing attack
    http ://americanexpressnew2016 .com/login
    http ://americanexpressglobal .com/login
    http ://axpoglobalverify .com/login
    Currently all 3 sites fail to resolve from a UK IP address. They were all registered -yesterday- 8 March 2016 via Todaynic .com using Chinese details which I assume are false. The name servers associated with the domains are DNS1.NEWSITEDNS2 .RU and DNS2.NEWSITEDNS2 .RU
    Edit: after a bit of digging around, it appears that the NEWSITEDNS2 .RU has previously been used for Amex and other bank phishing attacks. It is suggested that you -block- their IP numbers to prevent further and future problems:
    155.94.169.106 VirusTotal*
    104.168.62.233 VirusTotal**
    50.2.26.16 VirusTotal***
    148.163.173.227
    192.210.203.49

    Either the DNS has not propagated yet worldwide or the DNS service has pulled the domains. My gut feeling is that the bots have sent the emails too early before the sites were live. The date & time on the emails say Wed 30/09/2015 13:32. I received about -50- copies of these between 03.20 and 03.30 UTC. Be aware and watch out for when these do go live, probably later today...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...g-1024x558.png "

    * https://www.virustotal.com/en/ip-add...6/information/

    ** https://www.virustotal.com/en/ip-add...3/information/

    *** https://www.virustotal.com/en/ip-add...6/information/
    ___

    Some Tips for Preventing Ransomware
    - https://isc.sans.edu/diary.html?storyid=20821
    Last Updated: 2016-03-09 - "... 'get asked a lot by clients is "how can I prepare/prevent an infection?"
    'Prepare' is a good word in this case, it encompasses both prevention and setting up processes for dealing with the infection that will inevitably happen in spite of those preventative processes. Plus it's the first step in the Preparation / Identification / Containment / Eradication / Restore Service / Lessons Learned Incident Handling process (see SANS SEC 504*..)
    * https://www.sans.org/course/hacker-t...ident-handling
    ... best advice is - look at how the infection happens, and make this as difficult as possible for the attacker, the same as you would try to prevent any malware. Most malware these days outsources the delivery mechanism - so Cryptowall is typically delivered by an exploit "kit". These days, that typically means the Angler, Rig, or maybe Nuclear exploit kits (Angler being the most prevalent at the moment). These kits aren't magic, they generally try to exploit -old- versions of Java, Flash, Silverlight or take advantage of -missing- Windows updates... When patches come out, the authors of these kits reverse-the-patches and bolt the exploits into their kit..."
    (More detail at the isc-diary URL at the top of this post.)

    Last edited by AplusWebMaster; 2016-03-09 at 20:45.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
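The posts above each close with a "Recommended blocklist" and the Locky payloads are all fetched from a `/system/logs/<random>` path. The following is an added example (not code from the forum poster or from the quoted blogs) that turns those two observations into detection logic run over a few constructed proxy log lines. The log format, the client/destination addresses and the hostnames are made up for the example; the blocklist entries are the IPs quoted in this post, and treating the `/system/logs/` path as a generic indicator is an assumption that it generalises beyond the samples quoted here.

```python
import re
from typing import Dict, List, Optional

# IPs the quoted posts list under "Recommended blocklist" / "block their IP numbers"
# (Locky download and C2 hosts, plus the Amex phishing name-server hosts).
BLOCKLIST = {
    "78.40.108.39", "149.154.157.14", "91.195.12.131", "151.236.14.51",
    "37.235.53.18", "103.240.88.28", "123.30.187.116", "155.94.169.106",
    "104.168.62.233", "50.2.26.16", "148.163.173.227", "192.210.203.49",
}

# Every Locky payload URL quoted above has the shape /system/logs/<random>[.exe].
# Assumption: that path shape is a usable indicator beyond these exact samples.
LOCKY_PATH = re.compile(r"/system/logs/[A-Za-z0-9]+(?:\.exe)?(?:\?|$)")

# Constructed proxy log format (not any real product's format):
#   <iso-timestamp> <client-ip> <dest-ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def check_line(line: str) -> Optional[Dict[str, object]]:
    """Return an alert for one log line, or None if it is clean or unparseable."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    reasons: List[str] = []
    if m.group("dest") in BLOCKLIST:
        reasons.append("destination on blocklist")
    if LOCKY_PATH.search(m.group("url")):
        reasons.append("Locky-style /system/logs/ download path")
    if not reasons:
        return None
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "dest": m.group("dest"),
        "url": m.group("url"),
        "reasons": reasons,
    }


def scan(lines) -> List[Dict[str, object]]:
    """Run check_line over an iterable of log lines and keep only the alerts."""
    return [alert for alert in (check_line(ln) for ln in lines) if alert]


# Constructed sample log: one benign fetch, one payload-path fetch from a
# made-up host, one check-in to a blocklisted IP, one line hitting both rules,
# and one line that is not in the expected format at all.
SAMPLE_LOG = [
    "2016-03-09T12:10:03Z 10.0.0.15 203.0.113.7 GET http://www.example.org/index.html 200",
    "2016-03-09T12:11:41Z 10.0.0.15 203.0.113.44 GET http://compromised-site.test/system/logs/q32r45g54 200",
    "2016-03-09T12:11:52Z 10.0.0.15 149.154.157.14 POST http://149.154.157.14/submit 200",
    "2016-03-09T12:12:02Z 10.0.0.22 78.40.108.39 GET http://78.40.108.39/system/logs/98yhb764d.exe 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ts"], alert["client"], "->", alert["dest"], alert["url"], "|", "; ".join(alert["reasons"]))
```

The blocklist match is the cheap, exact check; the path match is the one that catches a new download host before its IP has reached any list, which is why the posts keep adding "there are probably other download locations". Blocklisted-IP hits from an internal client are worth treating as a likely infected host rather than just a blocked request, since the post-infection phone-home is what produces them.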

  10. #920
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Thumbs down Fake 'random invoice', 'Attached File', 'Unpaid Issue' SPAM

    FYI...

    Fake 'random invoice' SPAM - doc macro leads to unknown malware
    - http://myonlinesecurity.co.uk/random...known-malware/
    10 Mar 2016 - "An email with random invoice or bill subjects coming from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... A high proportion of these are -not- getting caught by the spam or content filters because they pass SPF & DKIM authentication checks. These have a load of different subjects that include:
    Re: Important Notice About Created Invoice
    Urgent Notification About New Bill
    Re: Last Notice About Paid Bill
    Fwd: Important Message About Unpaid Invoice
    Fwd: Urgent Notice About Paid Bill
    Last Notification About Created Bill
    Fw: Last Message About Last Bill
    Fwd: Urgent Message About New Invoice
    Re: Urgent Message About Created Invoice
    Fw: Last Notification About Unpaid Invoice
    The email looks like:
    From: Reece Solis <acc@ hai-van .com>
    Date: Thu 10/03/2016 04:58
    Subject: Re: Important Notice About Created Invoice
    Attachment: 4KEEY46Y.doc
    Pls review the report attached.
    Reece Solis

    -or-
    check the invoice attached.
    Stuart Sweet

    -or
    see the report in attachment.
    Odysseus Mcmillan


    10 March 2016: 4KEEY46Y.doc - Current Virus total detections: [1] [2]..
    .. MALWR [3] [4] shows downloads from http ://hoosierpattern .com/a1.jpg?Df1iQh0PABlsu=38 which is a jpg that contains embedded malware that is extracted via the macro & a dropped vbs file to give 339.exe (VirusTotal 4/57*)...
    Update: I am reliably informed that this is Dridex banking Trojan and an alternative download location is http ://darrallmacqueen .com/b2.jpg?JzKE5CmWJZnG=
    ... The jpg it downloads looks like this (screenshot to avoid risks):
    > http://myonlinesecurity.co.uk/wp-con...03/hoosier.png
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/5...is/1457590567/

    2] https://www.virustotal.com/en/file/4...is/1457586170/

    3] https://malwr.com/analysis/YTRjY2M1Z...ZkNzc0YjAzMDY/
    Hosts
    172.231.69.95
    216.194.172.222: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/ed...43b9/analysis/

    4] https://malwr.com/analysis/MTAxMzFhY...AxMjdkYmZkOGE/
    Hosts
    172.231.69.95
    216.194.172.222


    * https://www.virustotal.com/en/file/9...is/1457591438/

    5] https://www.reverse.it/sample/93747b...nvironmentId=1

    6] https://www.reverse.it/sample/93747b...nvironmentId=4

    - http://blog.dynamoo.com/2016/03/malw...ut-unpaid.html
    10 Mar 2016 - "... examples can be seen here*...
    * http://myonlinesecurity.co.uk/random...known-malware/
    ... the only mitigating step I can think of is to -block- traffic to darrallmacqueen .com which should stop the files downloading."

    darrallmacqueen .com: 185.9.51.4: https://www.virustotal.com/en/ip-add...4/information/

    hoosierpattern .com: 216.194.172.222: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/ed...43b9/analysis/
    ___

    Fake 'Attached File' SPAM - JS malware leads to Locky Ransomware
    - http://myonlinesecurity.co.uk/attach...ads-to-dridex/
    10 Mar 2016 - "An email with the subject of 'Attached File / Attached Doc / Attached Document' pretending to come from a scanner or printer at your own domain with a zip attachment is another one from the current bot runs which downloads what looks like Dridex banking Trojan - EDIT: it is LOCKY ransomware not Dridex... The attachment name is created from the recipient's email address and 2 sets of random numbers. So far I have seen these sent from:
    epson@ victimdomain .tld
    canon@ victimdomain .tld
    xerox@ victimdomain .tld
    copier@ victimdomain .tld
    scanner@ victimdomain .tld
    The email looks like:
    From: epson@ victim domain .tld
    Date: Thu 10/03/2016 07:11
    Subject: Attached File / Attached Doc / Attached Document
    Attachment: xerox.994@ thespykiller .co.uk_385010_151064713.zip


    Body content: totally -empty- blank body

    10 March 2016: xerox.994@thespykiller.co.uk_385010_151064713.zip: Extracts to: IIE1525816908.js
    Current Virus total detections 5/57*
    .. MALWR** shows a download of what looks like Dridex banking Trojan from http ://buyfuntees .com/system/logs/7t6f65g.exe (VirusTotal 5/56***) Update: it is Locky ransomware not Dridex. Dynamo’s blog[4] has these additional download locations:
    behrozan .ir/system/logs/7t6f65g.exe
    fashion-boutique .com.ua/system/logs/7t6f65g.exe
    fortyseven .com.ar/system/logs/7t6f65g.exe (VirusTotal 1/56[5])
    iwear .md/system/logs/7t6f65g.exe
    lady-idol.6te .net/system/logs/7t6f65g.exe
    ncrweb .in/system/logs/7t6f65g.exe
    xn--b1afonddk2l .xn--p1ai/system/logs/7t6f65g.exe ..."

    * https://www.virustotal.com/en/file/5...is/1457597941/

    ** https://malwr.com/analysis/OWE0MTIyM...FkMzA2MzIwMzk/
    Hosts
    67.225.233.214
    91.219.30.254


    *** https://www.virustotal.com/en/file/8...is/1457598134/
    TCP connections
    91.234.33.149: https://www.virustotal.com/en/ip-add...9/information/

    4] http://blog.dynamoo.com/2016/03/malw...ched-file.html
    10 Mar 2016 - "This spam has a malicious attachment. It appears to come from within the sender's own-domain. There is no-body-text.
    From: canon@ victimdomain .tld
    Date: 10 March 2016 at 09:02
    Subject: Attached File


    ... Sender is canon or copier or epson or scanner or xerox at the victim's domain.
    Recommended blocklist:
    31.184.196.78
    78.40.108.39
    91.219.30.254
    91.234.33.149
    "

    5] https://www.virustotal.com/en/file/6...is/1457604744/
    TCP connections
    31.184.196.78: https://www.virustotal.com/en/ip-add...8/information/
    ___

    Fake 'Unpaid Issue' SPAM - JS malware leads to Teslacrypt
    - http://myonlinesecurity.co.uk/greenl...to-teslacrypt/
    10 Mar 2016 - "An email with the subject of 'GreenLand Consulting Unpaid Issue No. 14599' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads teslacrypt... The email looks like:
    From: Goldie dawson <dawsonGoldie888@ lamelba .fr>
    Date: Thu 10/03/2016 13:28
    Subject: GreenLand Consulting Unpaid Issue No. 14599
    Attachment: Invoice_ref-99527554.zip
    Dear Client!
    For the third time we are reminding you about your unpaid debt.
    You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 14599. But it has never been paid off.
    We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.
    Otherwise we will have to start a legal action against you.
    Respectfully,
    Goldie dawson
    Chief Accountant ...


    10 March 2016: Invoice_ref-99527554.zip: Extracts to: invoice_copy_AczFAX.js - Current Virus total detections 3/57*
    .. MALWR** shows a download of Teslacrypt from http ://hellomississmithqq .com/69.exe?1 (VirusTotal ***)
    .. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1457616298/

    ** https://malwr.com/analysis/ZDAyODliN...MxYjM5ZGU5YjQ/
    Hosts
    185.118.142.154
    149.154.157.14
    91.195.12.131
    151.236.14.51
    37.235.53.18
    78.40.108.39


    *** https://www.virustotal.com/en/file/1...is/1457617418/

    - http://blog.dynamoo.com/2016/03/malw...onsulting.html
    10 Mar 2016 - "This -fake- financial spam comes with a malicious attachment:
    From: Jennie bowles
    Date: 10 March 2016 at 12:27
    Subject: GreenLand Consulting – Unpaid Issue No. 58833
    Dear Client!
    For the third time we are reminding you about your unpaid debt.
    You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off.
    We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.
    Otherwise we will have to start a legal action against you.
    Respectfully,
    Jennie bowles
    Chief Accountant ...


    ... scripts attempt to download a malicious binary... Recommended blocklist:
    142.25.97.48
    185.118.142.154
    78.135.108.94
    74.117.183.252
    91.243.75.135
    91.195.12.131
    149.154.157.14
    151.236.14.51
    37.235.53.18
    78.40.108.39
    178.162.214.146
    "

    Last edited by AplusWebMaster; 2016-03-10 at 16:39.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
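Several of the samples in this post and the one above are a zip attachment wrapping a single .js file whose icon makes it look like a document unless "show known file extensions" is enabled. The following is an added example (not code from the forum poster or the quoted blogs) of the check a mail gateway or a triage script can do before a user ever sees the icon: open the archive in memory, list its members, and flag anything with a scriptable or executable extension, including the `invoice.doc.js` double-extension trick. The archive and its member contents are constructed here; the member name `IIE1525816908.js` is the one quoted in the post, but the bytes stored under it are a harmless placeholder, not the real dropper.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will hand to the shell or Windows Script Host on double-click,
# which is exactly what the zipped .js droppers quoted above rely on.
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                   ".exe", ".scr", ".cmd", ".bat", ".hta", ".pif"}

# Extensions a user expects to see on a harmless attachment; used to spot
# the "report.doc.js" style of double extension.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}


def classify_member(name: str) -> List[str]:
    """Return the reasons an archive member name is suspicious (empty list = clean)."""
    base = name.lower().rsplit("/", 1)[-1]      # ignore any folder prefix inside the zip
    parts = base.split(".")
    reasons: List[str] = []
    if len(parts) < 2:                          # no extension at all
        return reasons
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable member ({ext})")
        # "invoice.doc.js": the visible part of the name imitates a document
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension disguised as document")
    return reasons


def inspect_zip(data: bytes) -> Dict[str, List[str]]:
    """Map each suspicious member name in a zip archive to its reasons.

    Only the central directory is read; no member is extracted or executed.
    """
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(members: Dict[str, str]) -> bytes:
    """Build an in-memory zip from {name: text} so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample archive: the member names mimic the post; the contents are
# placeholders and do nothing.
SAMPLE_MEMBERS = {
    "IIE1525816908.js": "// constructed placeholder, not the real dropper\n",
    "invoice.doc.js": "// constructed placeholder, double-extension example\n",
    "readme.txt": "plain text member, should not be flagged\n",
}

if __name__ == "__main__":
    for member, why in inspect_zip(build_sample_zip(SAMPLE_MEMBERS)).items():
        print(f"{member}: {', '.join(why)}")
```

Checking the member list rather than the outer attachment name is the point: the outer file is a plain .zip that most filters wave through, and the user-facing name (`xerox.994@...zip`, `DOC-AA25400B.zip`) is chosen to look routine. A gateway rule that quarantines any zip containing a member from `EXECUTABLE_EXTS` would have stopped every sample in these two posts without needing a signature for the script itself.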
