
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #921
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Amazon order', 'Scanned image', 'Payment' SPAM, 4 million malware spams

    FYI...

    Fake 'Amazon order' SPAM - JS malware leads to Locky Ransomware
    - http://myonlinesecurity.co.uk/your-a...ky-ransomware/
    11 Mar 2016 - "An email with the subject of 'Your Amazon order #204-217966-773659' [random numbered] pretending to come from AMAZON.COM <no-reply@ Amazon .com> with a zip attachment is another one from the current bot runs which downloads Locky ransomware...

    Screenshot: http://myonlinesecurity.co.uk/wp-con...9-1024x656.png

    11 March 2016: ORD204-217966-773659.zip: Extracts to: ZGQ8748487803.js - Current Virus total detections 6/57*
    .. MALWR** shows a download of Locky ransomware from http ://onsancompany .com/system/logs/uy78hn654e.exe
    (VirusTotal 5/57***). Other download locations so far discovered for Locky today include:
    ... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1457692698/

    ** https://malwr.com/analysis/MGZhZjA4Y...U3OWVlZTZjNDg/
    Hosts
    103.18.4.151
    31.184.196.78
    91.219.30.254


    *** https://www.virustotal.com/en/file/9...is/1457691942/
    TCP connections
    31.184.196.75: https://www.virustotal.com/en/ip-add...5/information/


    - http://blog.dynamoo.com/2016/03/malw...order-137.html
    11 Mar 2016 - "This fake Amazon spam comes with a malicious attachment:
    From: AMAZON.COM [Mailer-daemon@ amazon .com]
    Date: 11 March 2016 at 09:09
    Subject: Your Amazon order #137-89653734-2688148
    Hello,
    Thank you for your order. We'll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
    Order Details
    Order #137-89653734-2688148 Placed on March 11, 2016
    Order details and invoice in attached file.
    Need to make changes to your order? Visit our Help page for more information and video guides.
    We hope to see you again soon.
    Amazon .com


    Reference numbers vary from email to email. Attached is a file with a name similar to ORD137-89653734-2688148.zip which contains a malicious script... Recommended blocklist:
    "
    ___

    Fake 'Scanned image' SPAM - leads to malware
    - http://blog.dynamoo.com/2016/03/malw...mage-data.html
    11 Mar 2016 - "This -fake- document scan leads to malware. It appears to come from within the victim's own domain, but this is a trivial forgery.
    From: admin [lands375@ victimdomain .tld]
    Date: 11 March 2016 at 09:02
    Subject: Scanned image
    Image data in PDF format has been attached to this email.


    Attached is a document named in a similar format to 11-03-2016-6440705503.zip which contains a randomly-named malicious script. So far I have seen -three- versions of this script (VirusTotal results [1] [2] [3]) which according to the Malwr reports [4].. download a malicious binary from:
    ghayatv .com/system/logs/uy78hn654e.exe
    This is Locky ransomware, the -same- as dropped in this other spam run* - that post also contains a list of C2s to block."
    * http://blog.dynamoo.com/2016/03/malw...order-137.html

    1] https://www.virustotal.com/en/file/c...is/1457690743/

    2] https://www.virustotal.com/en/file/1...c931/analysis/

    3] https://www.virustotal.com/en/file/2...is/1457691017/

    4] https://malwr.com/analysis/YWVkNzRlZ...M3ZjcyYWUzM2E/
    ___

    Fake 'Payment' SPAM - leads to Locky ransomware
    - http://myonlinesecurity.co.uk/fw-pay...ky-ransomware/
    11 Mar 2016 - "An email with the subject of 'Pay for driving on toll road, invoice #00212297' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky ransomware.. The email looks like:
    From: Inez Harding <HardingInez04459@ jazztel .es>
    Date: Fri 11/03/2016 08:15
    Subject: FW: Payment 16-03-#280729
    Attachment: payment_doc_280729.zip
    Dear voicemail,
    We have received this documents from your bank, please review attached documents.
    Yours sincerely,
    Inez Harding
    Account Manager


    5 March 2016: payment_doc_280729.zip: Extracts to 2 files:
    Post_Tracking_Label_id00-371904814#.js [VT*] [VT**]. MALWR [1] [2] shows -both- download Locky Ransomware from http ://50.28.211.199 /hdd0/89o8i76u5y4 (VirusTotal 5/56***). I am informed [3] that there are several other download locations, all of which appear to be offering a slightly -different- Locky ransomware download... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1457687806/

    ** https://www.virustotal.com/en/file/8...is/1457687807/

    1] https://malwr.com/analysis/YjkxNjNkN...cxZGYwZTM0YjE/
    Hosts
    50.28.211.199
    31.184.196.78
    91.234.32.192

    2] https://malwr.com/analysis/MjgzYjZlZ...Q4NTljYmRkZjE/
    Hosts
    50.28.211.199
    91.234.33.149
    31.184.196.78
    31.184.196.75


    *** https://www.virustotal.com/en/file/8...is/1457689671/
    TCP connections
    91.219.30.254: https://www.virustotal.com/en/ip-add...4/information/

    3] http://blog.dynamoo.com/2016/03/malw...507586-we.html
    11 Mar 2016 - "These spam messages come from various senders with different references and attachment names.
    From: Thanh Sears
    Date: 11 March 2016 at 10:29
    Subject: FW: Payment 16-03-#507586
    Dear [redacted],
    We have received this documents from your bank, please review attached documents.
    Yours sincerely,
    Thanh Sears
    Financial Manager


    Attached is a ZIP file named in the format payment_doc_507586.zip, containing a randomly named script... The dropped binaries are actually different [1] [2] and both look like Locky ransomware. The C2s to -block- are the same as found in this earlier Locky run*..."
    1] https://www.virustotal.com/en/file/1...is/1457693183/

    2] https://www.virustotal.com/en/file/0...is/1457693194/

    * http://blog.dynamoo.com/2016/03/malw...order-137.html
    ___

    Massive Volume of Ransomware Downloaders being Spammed
    - https://www.trustwave.com/Resources/...being-Spammed/
    March 9, 2016 - "We are currently seeing extraordinarily huge volumes of JavaScript attachments being spammed out, which, if clicked on by users, lead to the download of a ransomware. Ransomware encrypts data on a hard drive, and then demands payment from the victim for the key to decrypt the data. Our Spam Research Database saw around 4 million malware spams in the last -seven- days, and the malware category as a whole accounted for 18% of total spam arriving at our spam traps... your last line of defense against ransomware infection is always having an up to date and good backup process."

    Last edited by AplusWebMaster; 2016-03-11 at 20:31.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #922

    Fake 'Urgent Notice' SPAM - Teslacrypt, Malvertising Magnitude

    FYI...

    Fake 'Urgent Notice' SPAM - JS malware leads to Teslacrypt
    - http://myonlinesecurity.co.uk/urgent...pt-ransomware/
    Last revised 12 March 2016 - "An email with the subject of 'Urgent Notice # 96954696' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads teslacrypt or locky ransomware...
    Update 12 March 2016: Unusual for a Saturday.. they are going after the domestic/consumer market instead of office/Enterprise/companies. Another big malspam run of this email today with malicious js attachments (VirusTotal 12/57*). (MALWR**) with a connection to and download of http ://joecockerhereqq .com/80.exe?1 (VirusTotal 5/57***). This definitely looks like Teslacrypt...
    WARNING: following the MALWR links will give a browser warning in ALL browsers. Their SSL certificate has -expired- yesterday 11 March 2016. In this case -ONLY- it is safe to ignore the warning and visit the site until they install the updated certificate.. The email looks like:
    From: Lacy eaton <eatonLacy97994@ listenary .com>
    Date: Fri 11/03/2016 20:42
    Subject: Urgent Notice # 96954696
    Attachment: statistic_96954696.zip
    Dear Customer!
    According to our data you owe our company a sum of $877,13. There are records saying that you have ordered goods in a total amount of $ 877,13 in the third quarter of 2015.
    Invoice has been paid only partially. The unpaid invoice #96954696 is enclosed below for your revision.
    We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.
    Please check out the file and do not hesitate to pay off the debt.
    Otherwise we will have to start a legal action against you.
    Regards,
    Lacy eaton ...


    11 March 2016: statistic_96954696.zip: Extracts to: details_jEpMnR.js - Current Virus total detections [4] .. MALWR [5] shows a download of teslacrypt or locky from http ://joecockerhereqq .com/69.exe?1 or http ://joecockerhereff .com/69.exe?1 (VirusTotal [6]) Payload Security Hybrid analysis [7]... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1457728759/

    ** https://malwr.com/analysis/ZWM4ZTU4N...JhN2U0MTMzYTU/
    Hosts
    54.212.162.6
    203.124.115.1
    166.62.4.223


    *** https://www.virustotal.com/en/file/a...is/1457772426/
    TCP connections
    203.124.115.1: https://www.virustotal.com/en/ip-add...1/information/
    166.62.4.223: https://www.virustotal.com/en/ip-add...3/information/

    4] https://www.virustotal.com/en/file/b...is/1457728932/

    5] https://malwr.com/analysis/ZjFmNTYyY...M0NGNmZWZlNWE/
    Hosts
    212.119.87.77
    204.44.102.164


    6] https://www.virustotal.com/en/file/b...is/1457731360/
    TCP connections
    91.219.30.254: https://www.virustotal.com/en/ip-add...4/information/

    7] https://www.hybrid-analysis.com/samp...nvironmentId=1
    91.234.32.192: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/73...d9c6/analysis/

    - http://blog.dynamoo.com/2016/03/malw...-78815053.html
    12 Mar 2016 - "This spam comes from random senders, and has random references, dollar amounts and attachment names:
    From: Donnie emily
    Date: 12 March 2016 at 14:01
    Subject: Urgent Notice # 78815053
    Dear Customer!
    According to our data you owe our company a sum of $452,49. There are records saying that you have ordered goods in a total amount of $ 452,49 in the third quarter of 2015.
    Invoice has been paid only partially. The unpaid invoice #78815053 is enclosed below for your revision.
    We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.
    Please check out the file and do not hesitate to pay off the debt.
    Otherwise we will have to start a legal action against you.
    Regards,
    Donnie emily ...


    Attached is a randomly-named ZIP file, in the sample I have seen... plus a random string of characters. I have seen -six- versions of this script... This is Teslacrypt ransomware, although it is possible that some variants of this message may drop Locky. Both these binaries are slightly different... malicious domains are also on the same servers... there are a vast number of malicious IPs and servers in this cluster...
    Recommended blocklist:
    "
    ___

    Malvertising Magnitude ...
    - https://labsblog.f-secure.com/2016/0...e-exploit-kit/
    Mar 7, 2016 - "... we noticed yet another malvertising campaign... pushing users towards Magnitude exploit kit:
    > https://newsfromthelab.files.wordpre...ng?w=752&h=367
    ... we found with one of the ad platforms, click2.danarimedia .com, is that, it is also being used by some distribution of Conduit Toolbars, which is considered 'potentially unwanted' as they usually come bundled with free software and -forces- changes to browser settings... The -redirection- from our upstream from the -same- ad platform to Magnitude EK... we should not underestimate the power of Potentially Unwanted Applications (PUA). Because even if a program started as potentially unwanted, it doesn’t mean that attackers could not take advantage of it in delivering other threats to the user’s machine. It is very possible that users could get redirected to exploits kits and eventually end up with a malware infection, which is for this particular exploit kit, is a CryptoWall ransomware:
    > https://newsfromthelab.files.wordpre...ng?w=799&h=600 "
    ... -ongoing- today.

    click2.danarimedia .com: 199.212.255.138: https://www.virustotal.com/en/ip-add...8/information/


    Last edited by AplusWebMaster; 2016-03-12 at 23:58.

  3. #923

    Fake 'Blocked Transaction', 'Credit details', 'blank email', 'Debt#' SPAM, ApplePHISH

    FYI...

    Fake 'Blocked Transaction' SPAM - leads to Teslacrypt
    - http://blog.dynamoo.com/2016/03/malw...tion-case.html
    14 Mar 2016 - "This -fake- financial transaction has a malicious attachment:
    From: Judy brittain
    Date: 14 March 2016 at 08:12
    Subject: Blocked Transaction. Case No 19706002
    The Automated Clearing House transaction (ID: 19706002), recently initiated from your online banking account, was rejected by the other financial institution.
    Canceled ACH transaction
    ACH file Case ID: 09293
    Transaction Amount: 607,89 USD
    Sender e-mail: brittainJudy056@ panick .com.ar
    Reason of Termination: See attached statement


    The sender's name, references and dollar amounts vary from message to messages. The attachment names are randomly-generated (the format seems the same as this*) containing either one-or-four malicious scripts. According to this analysis** the scripts download from:
    ohelloguyzzqq .com/85.exe?1
    Although the infection mechanism seems the same as this spam run*, the MD5 of the dropped executable is now 57759F7901EBA73040597D4BA57D511A with a detection rate of 2/55***. This is Teslacrypt ransomware, and I recommend that you block traffic to the IP addresses listed here*."
    * http://blog.dynamoo.com/2016/03/malw...omer-case.html

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    *** https://www.virustotal.com/en/file/2...is/1457945732/
    ___

    Fake 'Credit details' SPAM - leads to Teslacrypt
    - http://blog.dynamoo.com/2016/03/malw...-87320357.html
    14 Mar 2016 - "So many -Teslacrypt- campaigns, so little time...
    From: Ladonna feather
    Date: 14 March 2016 at 14:50
    Subject: Credit details ID: 87320357
    Your credit card has been billed for $785,97. For the details about this transaction, please see the ID: 87320357-87320357 transaction report attached.
    NOTE: This is the automatically generated message. Please, do not reply.


    ... names, references and attachment names vary.. malicious scripts in the attachment...
    This is Teslacrypt ransomware...
    Recommended blocklist:

    ___

    Fake 'IMG from Admin' SPAM - JS malware leads to locky or Dridex
    - https://myonlinesecurity.co.uk/email...cky-or-dridex/
    14 Mar 2016 - "An email with the subject of 'Emailing: IMG_18977' [random numbered] pretending to come from admin-at-your-own-email-domain with a zip attachment is another one from the current bot runs which downloads what looks like either Locky ransomware or Dridex banking Trojan... The email looks like:
    From: admin admin@ victim domain .tld
    Date: Mon 14/03/2016 12:14
    Subject: Emailing: IMG_18977
    Attachment: IMG_18977.zip
    Your message is ready to be sent with the following file or link attachments:
    IMG_18977
    Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.
    Please consider the environment before printing this email.
    E-mail messages may contain viruses, worms, or other malicious code. By reading the message and opening any attachments, the recipient accepts full responsibility for taking protective action against such code. Henry Schein is not liable for any loss or damage arising from this message...


    14 March 2016: IMG_18977.zip: Extracts to: ICG8994683408.js - Current Virus total detections 4/56*
    ... unable to get any analysis from automatic analysers, both MALWR and Hybrid analysis are down at the moment... Manual analysis of the javascript file shows it connects to
    http ://lampusorotmurah .com/system/logs/78tgh76.exe (VirusTotal 3/57**) which is inclusive but is likely to be either Dridex banking Trojan or Locky ransomware... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1457961662/

    ** https://www.virustotal.com/en/file/2...is/1457962014/

    lampusorotmurah .com: 72.34.33.170: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/9a...52f8/analysis/
    ___

    Fake 'blank email' SPAM - JS malware downloads kovter boaxxe and ransomware
    - https://myonlinesecurity.co.uk/blank...nd-ransomware/
    14 Mar 2016 - "An email addressed to 'abuse' at your-email-domain with -no- subject coming from Support <support@ hvp-online .com> with a zip attachment is another one from the current bot runs... The email looks like:
    From: Support <support@ hvp-online .com>
    Date: Mon 14/03/2016 08:51
    Subject: blank
    Attachment: 0000783426.zip


    Body content: Totally empty

    14 March 2016: 0000783426.zip: Extracts to: 0000783426.doc.js - Current Virus total detections 13/57*
    .. ReverseIt** and Wepawet*** shows a download of -3- files from a combination of these locations which will be Boaxxe, Kovter and some sort of ransomware:
    ... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1457947548/

    ** https://www.reverse.it/sample/cfe18a...nvironmentId=4


    *** https://wepawet.iseclab.org/view.php...8e9511&type=js
    ___

    Fake 'Traffic Violation' SPAM - leads to Teslacrypt
    - http://blog.dynamoo.com/2016/03/malw...-62699928.html
    14 Mar 2016 - "This -fake- legal email has a malicious attachment:
    From: Myrna baker
    Date: 14 March 2016 at 15:58
    Subject: Traffic report ID: 62699928
    Dear Citizen,
    We are contacting you on behalf of a local Traffic Violation Bureau.
    Our cameras have detected that the driver of the vehicle associated with your personal number on March 10th, 2016 has committed a violation of the rules with a code: 49757
    Unfortunately, we will have no other option rather than passing this case to the local police authorities.
    Please, see the report with the documents proofs attached for more information on this case.


    Details in the email vary from message to message. The payload is Teslacrypt ransomware, as seen in this earlier spam run*."
    * http://blog.dynamoo.com/2016/03/malw...-87320357.html

    - https://myonlinesecurity.co.uk/traff...to-ransomware/
    14 March 2016: post_scan_02271147.zip: Extracts to: accent_nUIboL.js - Current Virus total detections 4/56* reverseIT** shows a download of what is probably Teslacrypt from
    giveitallhereqq .com/69.exe?1 (VirusTotal 4/56***)
    * https://www.virustotal.com/en/file/4...is/1457965942/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1
    Host Address
    54.212.162.6: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/74...f869/analysis/

    *** https://www.virustotal.com/en/file/b...is/1457974614/
    TCP connections
    198.1.95.93: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake 'Debt#' SPAM - JS malware leads to Teslacrypt
    - https://myonlinesecurity.co.uk/debt-...to-teslacrypt/
    13 Mar 2016 - "An email with the subject of 'Debt #80574, Customer Case Nr.: 693' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads what looks like Teslacrypt... The email looks like:
    From: Tanya best <bestTanya09673@ bezeqint .net>
    Date: Sun 13/03/2016 16:14
    Subject: Debt #80574 , Customer Case Nr.: 693
    Attachment: money_44821787.zip
    Body content:
    Dear Customer,
    Despite our constant reminders, we would like to note that the mentioned debt #80574 for $500,74 is still overdue for payment.
    We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.
    Unless the full payment is received by April 1st, 2016 this case will be transferred to the debt collection agency, will seriously damage your credit rating.
    Please, find the attachment enclosed to the letter below.
    We hope on your understanding.
    Kind regards,
    Finance Department
    Tanya best ...


    13 March 2016: money_44821787.zip: Extracts to: -4- different named but identical js files by #
    Current Virus total detections 1/57*. SecureIT** shows a download of what appears to be Teslacrypt from
    ohelloguyqq .com/70.exe (VirusTotal 4/57***)
    JS files from zip I got were Post_Parcel_Label_id00-611695718#.js
    Post_Shipment_Label_id00-436290447#.js
    Post_Tracking_Label_id00-503290854#.js
    Post_Tracking_Label_id00-993809340#.js
    ... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/9...is/1457889197/

    ** https://www.reverse.it/sample/9caaf8...nvironmentId=4
    78.135.108.94: https://www.virustotal.com/en/ip-add...4/information/

    *** https://www.virustotal.com/en/file/1...is/1457890122/

    - http://blog.dynamoo.com/2016/03/malw...omer-case.html
    13 Mar 2016 - "The details in these spam messages vary, with different reference numbers, sender names and dollar amounts. They all have malicious attachments...
    From: Lamar drury
    Date: 13 March 2016 at 18:43
    Subject: Debt #85533 , Customer Case Nr.: 878
    Dear Customer,
    Despite our constant reminders, we would like to note that the mentioned debt #85533 for $826,87 is still overdue for payment.
    We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.
    Unless the full payment is received by April 1st, 2016 this case will be transferred to the debt collection agency, will seriously damage your credit rating.
    Please, find the attachment enclosed to the letter below.
    We hope on your understanding.
    Kind regards,
    Finance Department
    Lamar drury ...


    Attached is a ZIP file... plus a random number. Inside are one-to-four malicious .js scripts... There are at least -22- unique scripts... These appear [1] [2] to download a malicious binary from one of the following locations:
    ohelloguyff .com/70.exe
    ohelloguyzzqq .com/85.exe?1
    Of these, only the 85.exe download is working for me at the moment which is Teslacrypt ransomware. This has a detection rate of just 1/56*... Recommended blocklist:
    "

    1] https://www.hybrid-analysis.com/samp...nvironmentId=4

    2] https://www.hybrid-analysis.com/samp...nvironmentId=1

    * https://www.virustotal.com/en/file/3...is/1457899296/
    ___

    Apple Store Support Ticket #35652467 – Apple PHISH
    - https://myonlinesecurity.co.uk/apple...le-phish-fail/
    14 Mar 2016 - "An email pretending to come from 'App Store Billing #7221' <apple.id3627@ applemarketingpro .com> is one of the latest -phish- attempts to -steal- your Apple and bank/credit card details...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...l-1024x625.png

    The link in the email -if- you did copy & paste the link into a browser window -redirects- to another dyndns link where you would see a webpage looking like this where they want a lot of details and have gone to a lot of effort to validate the forms and stop obvious fake information being put in:
    > https://myonlinesecurity.co.uk/wp-co...d-1024x557.png
    The links behind the 'unsubscribe' and 'Click-here-to-view-our-privacy-policy' lead you to the Romanian Security Team forum. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

    applemarketingpro .com: 174.35.126.195: https://www.virustotal.com/en/ip-add...5/information/

    Last edited by AplusWebMaster; 2016-03-14 at 20:02.
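The recurring "spoofed icon / hidden extension" trick in the posts above (a ZIP holding a bare .js, or names such as 0000783426.doc.js and "IMG_0024415_02-2016 JPG,jpeg.exe") can be caught at the mail gateway before anyone sees the icon. This is an added example, not code from the forum or from the blogs it quotes; the member names are the ones reported in the posts, the archive contents are constructed dummies, and the extension policy lists are assumptions.

```python
"""Gateway triage for ZIP attachments of the kind described in the posts.
Added example (not from the forum or the quoted blogs). Member names are the
ones reported in the posts; archive contents are constructed dummies."""
import io
import re
import zipfile

# Assumed policy lists: extensions Windows runs on double-click (the posts show
# .js and .exe), and document/image extensions that decoy names borrow.
EXEC_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta",
             "exe", "scr", "bat", "cmd", "pif", "com"}
DECOY_EXTS = {"doc", "docx", "pdf", "jpg", "jpeg", "png", "txt", "xls", "xlsx"}


def classify_member(name, head=b""):
    """Findings for one archive member: name-based checks plus a PE-header check."""
    findings = []
    base = name.rsplit("/", 1)[-1]
    # Split on '.', whitespace and ',' so "IMG_... JPG,jpeg.exe" yields
    # [..., 'jpg', 'jpeg', 'exe'] and "0000783426.doc.js" yields [..., 'doc', 'js'].
    tokens = [t.lower() for t in re.split(r"[.\s,]+", base) if t]
    if len(tokens) >= 2:
        ext = tokens[-1]
        if ext in EXEC_EXTS:
            findings.append(f"executable-type extension .{ext}")
            # A document/image extension in front of the real one is the
            # "looks like a DOC or JPG" spoof the posts describe.
            if any(t in DECOY_EXTS for t in tokens[:-1]):
                findings.append("decoy document/image extension before real extension")
    # Content check independent of the name: a Windows PE starts with 'MZ'.
    if head.startswith(b"MZ"):
        findings.append("PE executable content (MZ header)")
    return findings


def triage(data):
    """Scan ZIP bytes; return ('block' | 'allow', {member: [findings]})."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            report[info.filename] = classify_member(info.filename, head)
    verdict = "block" if any(report.values()) else "allow"
    return verdict, report


def build_zip(members):
    """Construct an in-memory ZIP from {name: bytes} (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures named after the attachments reported in the posts.
SAMPLE_ZIPS = {
    "ORD204-217966-773659.zip": build_zip({"ZGQ8748487803.js": b"// constructed dummy"}),
    "0000783426.zip": build_zip({"0000783426.doc.js": b"// constructed dummy"}),
    "IMG_0024415_02-2016 JPG.zip": build_zip(
        {"IMG_0024415_02-2016 JPG,jpeg.exe": b"MZ\x90\x00 constructed dummy"}),
    "money_44821787.zip": build_zip({
        "Post_Parcel_Label_id00-611695718#.js": b"// constructed dummy",
        "Post_Tracking_Label_id00-503290854#.js": b"// constructed dummy"}),
    "invoice.zip": build_zip({"invoice.pdf": b"%PDF-1.4 constructed dummy"}),
}

if __name__ == "__main__":
    for name, data in SAMPLE_ZIPS.items():
        verdict, report = triage(data)
        print(f"{verdict:5} {name}")
        for member, findings in report.items():
            print(f"      {member}: {findings or ['no findings']}")
```

Only the benign invoice.zip fixture is allowed through; every fixture modelled on the posts is blocked, and the double-extension and MZ findings show why, which is more than a plain ".js inside a ZIP" rule gives you.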

  4. #924

    Malvertising, Fake 'Insufficient Funds', 'my photo', 'Doc Enclosed', 'Itinerary' SPAM

    FYI...

    Malvertising Campaign... Leads to Angler Exploit Kit/BEDEP
    - http://blog.trendmicro.com/trendlabs...loit-kitbedep/
    Updated Mar 15, 2016 - "A malvertising campaign related to the Angler Exploit Kit is currently targeting users in the United States and may have affected tens of thousands of users in the last 24 hours alone. Based on our monitoring, the malicious ads were delivered by a compromised-ad-network in various highly-visited mainstream websites–including news, entertainment, and political commentary sites. As of this writing, while the more popular portals appear to be no longer carrying the bad ad, the malvertising campaign is still ongoing and thus continues to put users at risk of downloading malware into their systems... Users and organizations are advised to make sure that they keep their applications and systems up-to-date with the latest security patches; Angler Exploit Kit is known to exploit vulnerabilities in Adobe Flash and Microsoft Silverlight, among others..."
    (More detail at the trendmicro URL above.)

    - https://blog.malwarebytes.org/malver...op-publishers/
    Mar 15, 2016 - "... on the weekend we witnessed a huge spike in malicious activity emanating out of two suspicious domains. Not only were there a lot of events, but they also included some very high profile publishers, which is something we haven’t seen in a while:
    Publisher Traffic (monthly)[1]
    msn .com 1.3B
    nytimes .com 313.1M
    bbc .com 290.6M
    aol .com 218.6M
    my.xfinity .com 102.8M
    nfl .com 60.7M
    realtor .com 51.1M
    theweathernetwork .com 43M
    thehill .com 31.4M
    newsweek .com 9.9M
    1] Numbers pulled from SimilarWeb .com
    ... Rogue domains:
    Domain Name: TRACKMYTRAFFIC .BIZ: 104.28.18.116: https://www.virustotal.com/en/ip-add...6/information/
    104.28.19.116: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/7d...5230/analysis/
    Domain Name: TALK915 .PW: 104.27.191.84: https://www.virustotal.com/en/ip-add...4/information/
    104.27.190.84: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/46...0128/analysis/
    ... On Sunday, when the attack really expanded, the Angler exploit kit was then used... Angler EK has gone through several changes lately, in its URI patterns but also in the landing page itself. It is also the only one to use a recently patched Silverlight vulnerability*... the actual malware payload in each of these attacks, chances are quite high that it would be one of the several strains of ransomware currently out there..."
    * http://malware.dontneedcoffee.com/20...2016-0034.html
    (More detail at the malwarebytes URL above.)
    ___

    Fake 'Insufficient Funds' SPAM - JS malware leads to Teslacrypt
    - https://myonlinesecurity.co.uk/insuf...to-teslacrypt/
    15 Mar 2016 - "... an email with the subject of 'Insufficient Funds Transaction ID:12719734' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt... The email looks like:
    From: Random names & email addresses
    Date: Tue 15/03/2016 06:29
    Subject: Insufficient Funds Transaction ID:12719734
    Attachment: money_12719734.zip
    Dear Valued Customer,
    Your transaction 12719734 dated on 13/03/2016 4:24 PM was declined due to insufficient funds on your account.
    For more details please refer to the report enclosed.
    Thank you!


    15 March 2016: money_12719734.zip: Extracts to: details_sESWjv.js
    | access_21202865.zip: Extracts to: details_AdbdeE.js - Current Virus total detections [1] [2]:
    .. MALWR [3] [4] shows a download of what looks like Teslacrypt from
    http ://giveitalltheresqq .com/80.exe?1 or http ://giveitalltheresqq .com/69.exe?1 VirusTotal [5] ...
    ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    1] https://www.virustotal.com/en/file/9...is/1458027607/

    2] https://www.virustotal.com/en/file/9...is/1458027607/

    3] https://malwr.com/analysis/NGRlNTQzZ...MzNGEyNDA0YTQ/
    Hosts
    54.175.175.52: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/ba...9ca7/analysis/
    >> https://www.virustotal.com/en/url/52...3f7e/analysis/
    107.180.50.183: https://www.virustotal.com/en/ip-add...3/information/

    4] https://www.virustotal.com/en/file/e...is/1458027237/

    5] https://www.virustotal.com/en/file/e...is/1458027237/
    ___

    Fake 'my photo' SPAM - fake jpg malware
    - https://myonlinesecurity.co.uk/photo...e-jpg-malware/
    15 Mar 2016 - "... An email with the subject of 'photo,my photo,image,pic' pretending to come from lyle.house@ hotmail .co.uk (probably random addresses) with a zip attachment is another one from the current bot runs... The email looks like:
    From: lyle.house@ hotmail .co.uk
    Date: Tue 15/03/2016 10:52
    Subject: photo,my photo,image,pic
    Attachment: IMG_0024415_02-2016 JPG.zip
    photo Sent from my iPhone


    The link behind photo goes to https ://www.dropbox .com/s/5eaj5qwy9yz3xmo/IMG_0024415_02-2016%20JPG.zip?dl=0 where a zip file is downloaded. I am unable to find an abuse report for dropbox to alert them...
    15 March 2016: IMG_0024415_02-2016 JPG.zip: Extracts to: IMG_0024415_02-2016 JPG,jpeg.exe
    Current Virus total detections 4/57* MALWR** - The detections are inconclusive...
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg ( image) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1458039815/
    TCP connections
    87.117.242.31: https://www.virustotal.com/en/ip-add...1/information/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/

    ** https://malwr.com/analysis/NTkyMzc3Y...Y5NTU0NTdiYmI/
    Hosts
    87.117.242.31
    13.107.4.50

    ___

    Fake 'Document Enclosed' SPAM - fake PDF malware
    - https://myonlinesecurity.co.uk/docum...e-pdf-malware/
    15 Mar 2016 - "... An email with the subject of 'Document Enclosed' pretending to come from Ka2521@ hotmail .co.uk with a zip attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...d-1024x426.png

    15 March 2016: INV.P10119.03.2016.XML.zip: Extracts to: INV.P10119.03.2016.XML.PDF,.exe
    Current Virus total detections 4/57* which is the -same- malware as described in this other Malspam run**.
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1458039815/
    TCP connections
    87.117.242.31
    13.107.4.50


    ** https://myonlinesecurity.co.uk/photo...e-jpg-malware/
    ___

    Fake 'Itinerary' SPAM - JS malware leads to Locky ransomware
    - https://myonlinesecurity.co.uk/itine...ky-ransomware/
    15 Mar 2016 - "An email with the subject of 'Itinerary #13B0B450E' [random numbered] pretending to come from no-reply@ clicktravel .com with a zip attachment is another one from the current bot runs which downloads Locky ransomware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...E-1024x382.png

    15 March 2016: Hotel-Fax-V004X3R8_4983252052512314320.zip: Extracts to: USH3121122904.js
    Current Virus total detections 5/57* - MALWR** shows a download of Locky ransomware from
    http ://flaxxup .com/87yg756f5.exe (VirusTotal 3/56***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1458040913/

    ** https://malwr.com/analysis/YzcxMGYyM...g4Y2I4ODcyMzA/
    Hosts
    98.131.204.1: https://www.virustotal.com/en/ip-add...1/information/
    51.254.181.122: https://www.virustotal.com/en/ip-add...2/information/

    *** https://www.virustotal.com/en/file/0...is/1458039440/
    TCP connections
    37.139.27.52: https://www.virustotal.com/en/ip-add...2/information/
    149.202.109.205: https://www.virustotal.com/en/ip-add...5/information/
    ___

    Dropbox spreading malware via spoofed emails about orders – fake PDF malware
    - https://myonlinesecurity.co.uk/dropb...e-pdf-malware/
    16 Mar 2016 - "... from these earlier malspam runs [1] [2] we now have a series of emails with the basic subject of 'orders' pretending to come from different companies with a -link- to Dropbox to download a zip attachment... another one from the current bot runs... The email looks like:
    From: admin@ t-mobile .de
    Date: Tue 15/03/2016 13:02
    Subject: Fwd: INVOICE – Your Order from Sports
    Attachment: 9937700846-001.PDF.zip
    Order Details
    Order Number: 31860 Date Ordered: Tuesday 15 March, 2016 Order In Progress If you have any questions or queries regarding your order please contact us


    Some of the subjects and alleged senders seen so far include:
    'Fwd: INVOICE – Your Order from Sports' pretending to come from admin@ t-mobile .de
    'order 15/03/2016' pretending to come from benelle@ bt .com
    'Fwd: INVOICE – Your Order' pretending to come from wdcabs1@ gmail .com
    All -three- of these emails have the -same- body content and the -same- link-to-Dropbox to download the malware https ://www.dropbox .com/s/gckssj2hhyrfo2u/9937700846-001.PDF.zip?dl=0
    > https://myonlinesecurity.co.uk/wp-co...e-1024x541.png
    There are no abuse links or method of reporting malware, only to report DMCA and copyright infringements, by the tiny flag in bottom left corner...
    15 March 2016: 9937700846-001.PDF.zip : Extracts to: 9937700846-001.PDF.exe
    .. Current Virus total detections 5/56* which is exactly the -same- malware as described in the earlier malspam runs**... These are spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    1] https://myonlinesecurity.co.uk/docum...e-pdf-malware/

    2] https://myonlinesecurity.co.uk/photo...e-jpg-malware/

    * https://www.virustotal.com/en/file/4...is/1458046592/
    TCP connections
    87.117.242.31: https://www.virustotal.com/en/ip-add...1/information/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/

    ** https://myonlinesecurity.co.uk/photo...e-jpg-malware/
    ___

    Documents with malicious macros deliver fileless malware to financial-transaction systems
    - http://www.csoonline.com/article/304...n-systems.html
    Mar 14, 2016 - "Spammed Word documents with malicious macros have become a popular method of infecting computers over the past few months. Attackers are now taking it one step further by using such documents to deliver fileless malware that gets loaded directly in the computer's memory. Security researchers from Palo Alto Networks analyzed a recent attack campaign that pushed spam emails with malicious Word documents to business email addresses from the U.S., Canada and Europe... 'Due to the target-specific details contained within the spam emails and the use of memory-resident malware, this particular campaign should be treated as a high threat', the Palo Alto researchers said in a blog post*..."
    * http://researchcenter.paloaltonetwor...based-attacks/
    Mar 11, 2016 - "... users should ensure that macros are -not- enabled by default and should be wary of opening -any- macros in files received from untrusted sources..."

    Last edited by AplusWebMaster; 2016-03-15 at 20:08.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
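    A defender-side check for the file-name tricks these runs rely on (the '.PDF.exe', 'JPG,jpeg.exe' and script-in-zip lures), as an added example that is not code from the quoted blogs or from this thread; the attachment names are constructed from those quoted above, and the extension sets are assumptions:

```python
import io
import re
import zipfile

# File types that execute when double-clicked on Windows. Every zipped lure
# above resolved to .exe or .js once opened. Set is an assumption.
EXECUTABLE_EXTS = {"exe", "js", "jse", "wsf", "vbs", "vbe", "scr", "com",
                   "bat", "cmd", "hta", "pif", "cpl"}
# "Document" extensions the executables were dressed up as. Also an assumption.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
              "xml", "txt"}


def classify_name(name):
    """Return a list of findings for one file name (empty list = nothing odd).

    The real extension is the last token; everything between the stem and it
    is checked for decoy document types. Splitting on '.', ',' and whitespace
    handles the comma and space tricks quoted in this thread, e.g.
    'IMG_0024415_02-2016 JPG,jpeg.exe' -> tokens jpg, jpeg, exe.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    tokens = [t for t in re.split(r"[.,\s]+", base) if t]
    if len(tokens) < 2:
        return []
    ext, inner = tokens[-1], tokens[1:-1]
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension:" + ext)
        decoys = [t for t in inner if t in DECOY_EXTS]
        if decoys:
            findings.append("decoy-extension:" + ",".join(decoys))
    return findings


def classify_zip(data):
    """Inspect a zip attachment given as bytes; returns {member: findings}.

    Also flags the shape shared by every Locky/Teslacrypt lure above: an
    archive whose only member is a script or executable.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
    findings = {}
    for m in members:
        f = classify_name(m)
        if f:
            findings[m] = f
    if len(members) == 1 and findings:
        findings["<archive>"] = ["single-member-archive-with-executable"]
    return findings


def build_zip(member_names):
    """Build an in-memory zip with empty members (constructed sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m in member_names:
            zf.writestr(m, b"")
    return buf.getvalue()


# Constructed samples using the attachment names quoted in the posts above.
SAMPLE_MAIL = [
    ("IMG_0024415_02-2016 JPG.zip", build_zip(["IMG_0024415_02-2016 JPG,jpeg.exe"])),
    ("INV.P10119.03.2016.XML.zip", build_zip(["INV.P10119.03.2016.XML.PDF,.exe"])),
    ("9937700846-001.PDF.zip", build_zip(["9937700846-001.PDF.exe"])),
    ("Document1.zip", build_zip(["CDF6840557603.js"])),
]


def scan_attachments(attachments):
    """Return {attachment name: findings} for a list of (name, bytes) pairs."""
    report = {}
    for name, data in attachments:
        findings = classify_name(name)
        if name.lower().endswith(".zip"):
            for member, member_findings in classify_zip(data).items():
                findings.extend(member + ": " + f for f in member_findings)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in scan_attachments(SAMPLE_MAIL).items():
        print(name)
        for f in findings:
            print("   ", f)
```

    Macro documents such as the .doc lures above carry a normal extension, so a name-based check cannot catch them; they need content inspection for VBA streams instead.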

  5. #925
    AplusWebMaster (Adviser Team)

    Thumbs down Fake 'Your order', 'Unpaid Invoice', 'Document1', 'Bestellung', 'Order status' SPAM

    FYI...

    Malvertising Attacks Targeting The UK
    - https://blog.malwarebytes.org/malver...geting-the-uk/
    Mar 16, 2016 - "We recently stumbled upon a -malvertising- incident on a large British newspaper site which we decided to investigate in greater details. As with many attacks we have found lately, the line between legitimate advertisers and rogue ones is getting finer and finer. Indeed, in many cases ad networks simply cannot tell them apart without actual proof of malicious activity... Malvertising Flow:
    dailymail .co.uk
    adclick.g.doubleclick .net
    track.bridge .systems (Russian RTB?)
    cdn.exeterquads .com (Fake ad server)
    geraeuschvollste.ciderstore .co.uk (Angler EK landing)
    At first sight, exeterquads .com looks like a legitimate business (which it is) located in the UK. However, the subdomain (the ‘cdn‘ preceding the main domain) was registered via criminals who managed to steal the registrant’s credentials in order to create a rogue URL that points to their own server. This is called 'domain shadowing'*.
    Legitimate domain:
    Hostname: exeterquads .com
    IP address: 5.196.39.216
    Running on: Microsoft-IIS/8.5
    Rogue (shadowed) sub-domain:
    Hostname: cdn.exeterquads .com
    IP address: 5.63.145.76: https://www.virustotal.com/en/ip-add...6/information/
    Running on: nginx/1.0.15
    The crooks also -stole- the graphics from this legitimate business to create an ad banner which looks rather convincing but is meant to be a -decoy- for the real motivation behind this attack. Indeed, alongside the banner, an innocuous 1×1 pixel image is served (supposedly for tracking purposes). This is where 'fingerprinting' happens. The -rogue- code hiding in the image can be decoded to reveal a nefarious intent to identify real victims and eliminate those running security tools, the latter being of no interest to the criminals:
    > https://blog.malwarebytes.org/wp-con...16/03/flow.png
    The final part of this rogue code is to launch the exploit kit URL, which for all these campaigns has been Angler EK. Because this campaign was aimed at people living in the UK, we searched for additional rogue advertisers abusing other businesses. We found quite a handful of them that have been used in recent attacks... one way to determine whether an advertiser is legit is by checking the domain info and seeing if there are any discrepancies between the main domain and sub-domain. Also, many of those rogue-subdomains use free-SSL-certificates, while the core domain doesn’t... The UK malvertising campaign is of a rather large size, just after the US one. We have also spotted specific campaigns targeting Canadians, Australians and the French with a similar modus operandi. The amount of work spent -forging- legitimate brands and advertising under such disguise is really astonishing. We managed to get in touch with one company whose brand had been abused and they clearly were none the wiser when asked whether they were aware of this ad banner residing on a sub-domain. However, they managed to find out the source of the problem once they talked with their hosting provider... This kind of attack is a reminder of just how many different ways a website can-be-compromised or leveraged to fulfill certain goals. It also shows how difficult it can be for ad networks to -vet- new customers and weed out malicious ones."
    * https://www.proofpoint.com/us/threat...e-Shadow-Knows
    ___

    Cyber criminals snap up expired domains to serve malicious ads
    - http://www.reuters.com/article/us-we...-idUSKCN0WI2DZ
    Mar 16, 2016 - "Expired domain names are becoming the latest route for cyber criminals to find their way into the computers of unsuspecting users. Cyber criminals launched a malicious advertising campaign this week targeting visitors of popular news and entertainment websites after gaining ownership of an expired web domain of an advertising company. Users visiting the websites of the New York Times, Newsweek, BBC and AOL, among others, may have installed malware on their computers if they clicked on the malicious ads. Bresntsmedia .com, the website used by -hacks- to serve up malware, expired on Jan. 1 and was registered again on March 6 by a different buyer, security researchers at Trustwave SpiderLabs wrote in a blog*. Buying the domain of a small but legitimate ad company provided the criminals with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, the researchers said... The researchers also found two more expired "media"-related domains - envangmedia .com and markets.shangjiamedia .com - used by the same cyber criminals. The people behind the campaign may be keeping a watch for expired domains with the word "media" in them, they said."
    * https://www.trustwave.com/Resources/...o-New-Heights/

    envangmedia .com: 136.243.149.196: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/5a...221a/analysis/

    markets.shangjiamedia .com: 136.243.149.201: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/be...b055/analysis/
    ___

    Fake 'Your order' SPAM - doc malware delivers Dridex
    - https://myonlinesecurity.co.uk/your-...macro-malware/
    16 Mar 2016 - "An email saying 'Thank you for shopping with 365 Electrical' with the subject of 'Your order summary from 365 Electrical. Order number: 93602' (random numbers) coming from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: random names and email addresses
    Date: Wed 16/03/2016 10:29
    Subject: Your order summary from 365 Electrical. Order number: 93602
    Attachment: Sales Order Document for Emailing_140603632941_1752380.doc
    Dear customer,
    Thank you for shopping with 365 Electrical. This is to acknowledge that we’ve received your order (see attached document). Please note that acceptance of your order takes place when the goods are loaded onto one of our vehicles for delivery to you.
    Your order number is 93602.
    Please read the following important information:
    Damaged Goods: Must be reported within 48 hours of delivery date with photographic evidence. Do not install any damaged or unwanted items. This counts as acceptance of goods and the item is then non-returnable and non-refundable.
    Delivery Timeslots: You must ensure that you can be available all day on your chosen day of delivery; if you find you cannot keep to the delivery date you must notify us before 12 noon one working day before...
    Thank you,
    365 Electrical


    16 March 2016: Sales Order Document for Emailing_140603632941_1752380.doc - Current Virus total detections 1/57*
    .. MALWR** shows a download from http ://api.holycrossservices .com/dri/donate.php which gave me
    crypted120med.exe (VirusTotal 4/56***). This looks like Dridex banking Trojan.. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1458123902/

    ** https://malwr.com/analysis/NDIwOGNmN...E2ZWQyMGY2YTM/
    Hosts
    176.103.56.36
    188.93.239.28
    184.27.46.153


    *** https://www.virustotal.com/en/file/7...is/1458124624/
    TCP connections
    188.93.239.28: https://www.virustotal.com/en/ip-add...8/information/
    88.221.14.11: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Unpaid Invoice' SPAM - doc macro malware
    - https://myonlinesecurity.co.uk/unpai...macro-malware/
    16 Mar 2016 - "An email with the subject of 'Unpaid Invoice' pretending to come from Dave.Maule@ tiscali .co.uk ( probably random) with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: Dave.Maule@ tiscali .co.uk
    Date: Wed 16/03/2016 11:08
    Subject: Unpaid Invoice
    Attachment: original invoice feb2016.doc
    I noticed that your invoice is overdue by 25 days and wanted to reach out to make sure that you received our original invoice and my reminder email on 02/16.
    You can pay us by CC, direct deposit or with a check.
    If you have any questions, please let us know and we’d be happy to respond.
    Warm Regards,
    A Cooper


    16 March 2016: original invoice feb2016.doc - Current Virus total detections 23/57*
    .. Waiting for analysis. This is highly likely to download either Dridex banking Trojan or Locky ransomware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1458127451/
    ___

    Fake 'Document1' SPAM - JS malware leads to Locky ransomware
    - https://myonlinesecurity.co.uk/docum...ky-ransomware/
    16 Mar 2016 - "A -blank/empty- email with the subject of 'Document1' pretending to come from your own email address and sent to your own email address with a zip attachment is another one from the current bot runs which downloads Locky ransomware... The email looks like:
    From: your own email address
    Date: Wed 16/03/2016 11:58
    Subject: Document1
    Attachment: Document1.zip


    Body content: totally -blank-

    16 March 2016: Document1.zip: Extracts to: CDF6840557603.js - Current Virus total detections 5/57*
    .. MALWR** shows a download of Locky ransomware from
    http ://winjoytechnologies .com/v4v5g45hg.exe (VirusTotal 1/56***) which is a -different- Locky binary from this earlier malspam run[1]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/9...is/1458129749/

    ** https://malwr.com/analysis/NmRlMGE2Z...hiZGNmYzRjMTQ/
    Hosts
    192.185.37.228: https://www.virustotal.com/en/ip-add...8/information/
    91.195.12.187: https://www.virustotal.com/en/ip-add...7/information/

    *** https://www.virustotal.com/en/file/3...is/1458129716/
    TCP connections
    91.195.12.187

    1] https://myonlinesecurity.co.uk/beste...idex-or-locky/
    ___

    Fake 'Bestellung' SPAM - JS malware leads to ransomware
    - https://myonlinesecurity.co.uk/beste...idex-or-locky/
    16 Mar - "An email written partly in English -and- partly in German supposedly from Buhler group with the subject of 'Bestellung 69376' [random numbered] pretending to come from david.favella654@ buhlergroup .com (-random- numbers after david.favella) with a zip attachment is another one from the current bot runs... Update: I am reliably informed this is Locky ransomware not Dridex... The email looks like:
    From: david.favella654@ buhlergroup .com
    Date: Wed 16/03/2016 10:03
    Subject: Bestellung 69376
    Attachment: Bestellung Bestellung 69376.zip
    Sehr geehrte Damen und Herren,
    anbei erhalten Sie unsere Bestellung. Diese ist maschinell erstellt und ist daher ohne Unterschrift gültig.
    Dear ladies and gentlemen,
    enclosed you receive our order. This order has been created automatically and is valid without signature.
    Mit freundlichen Grüßen / Best regards ...


    16 March 2016: Bestellung Bestellung 69376.zip: Extracts to: BOY8641744807.js
    Current Virus total detections 6/57*.. MALWR** shows a download of Locky ransomware from
    http ://vital4age .eu/v4v5g45hg.exe (VirusTotal 0/57***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1458127067/

    ** https://malwr.com/analysis/ODQzZTFhN...Y0ZTFiMjhjMGM/
    Hosts
    85.13.152.231: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/d6...f427/analysis/

    *** https://www.virustotal.com/en/file/e...is/1458127276/
    TCP connections
    149.202.109.205: https://www.virustotal.com/en/ip-add...5/information/
    91.195.12.187: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Fake 'Order status updated' SPAM - doc macro malware
    - https://myonlinesecurity.co.uk/re-mi...macro-malware/
    16 Mar 2016 - "An email with the subject of 'RE: MINERAL & FINANCIAL INVESTMENTS LTD – Order Number 89785/682352/15 status updated to order processing' pretending to come from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... This mass malspam run has a subject that looks like 'RE: [random company name] – Order Number [random number] status updated to order processing'. The attachment names are based on the company name in the subject and include:
    CML MICROSYSTEMS – Order NUM. 09725_866338_23.doc
    MINERAL & FINANCIAL INVESTMENTS LTD – Order NUM. 57691_396874_45.doc
    MXC CAPITAL PLC – Order NUM. 80048_534442_26.doc
    ROSSETI JSC – Order NUM. 39475_569330_86.doc
    Some subjects include:
    RE: MINERAL & FINANCIAL INVESTMENTS LTD – Order Number 89785/682352/15 status updated to order processing
    RE: CML MICROSYSTEMS – Order Number 09725/866338/23 status updated to order processing
    RE: ROSSETI JSC – Order Number 39475/569330/86 status updated to order processing
    RE: MXC CAPITAL PLC – Order Number 80048/534442/26 status updated to order processing
    One example email looks like:
    From: Horton.Elena9@ incrcc .org
    Date: Wed 16/03/2016 13:34
    Subject: RE: MINERAL & FINANCIAL INVESTMENTS LTD – Order Number 89785/682352/15 status updated to order processing
    Attachment: MINERAL & FINANCIAL INVESTMENTS LTD – Order NUM. 57691_396874_45.doc
    Dear customer,
    First of all thank you for purchasing with us.
    We want to let you know that your order 89785/682352/15 status has been updated to ORDER PROCESSING
    If you have any questions about your order, send an email to sales@fromdomain qouting your order number 89785/682352/15 or simply reply to this message.
    Your unique reference: Your order number listed above.
    MINERAL & FINANCIAL INVESTMENTS LTD
    You can download and view a copy of your invoice from the attached document...


    16 March 2016: MINERAL & FINANCIAL INVESTMENTS LTD – Order NUM. 57691_396874_45.doc
    .. Current Virus total detections 1/57*..
    Update: a resubmission to MALWR** got a download from http ://api.kairoshealthcare .org/dri/donate.php
    which gave freshmeat.exe (VirusTotal 4/56***) which appears to be an -updated- Dridex binary although also using the same download locations from this earlier Malspam run[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1458134954/

    ** https://malwr.com/analysis/NDA2M2RhN...JkN2ZmYzUzNGU/
    Hosts
    213.159.214.241: https://www.virustotal.com/en/ip-add...1/information/
    188.93.239.28
    13.107.4.50


    *** https://www.virustotal.com/en/file/b...is/1458137759/
    TCP connections
    188.93.239.28: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/c5...5c4b/analysis/
    13.107.4.50: https://www.virustotal.com/en/ip-add...0/information/

    4] https://myonlinesecurity.co.uk/your-...macro-malware/

    Last edited by AplusWebMaster; 2016-03-17 at 02:35.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
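    The apex-versus-sub-domain comparison the Malwarebytes write-up suggests for spotting a shadowed sub-domain, as an added example that is not code from Malwarebytes or from this thread; the exeterquads figures are the ones quoted above, while the certificate issuers, the free-CA list and the example.invalid pair are assumptions:

```python
from dataclasses import dataclass
from typing import List, Optional

# Issuers of free, automated certificates. The write-up notes that many rogue
# sub-domains use such certificates while the core domain does not. This set
# is an assumption for the example, not taken from the original post.
FREE_CERT_ISSUERS = {"let's encrypt", "zerossl", "startcom", "wosign"}


@dataclass
class HostRecord:
    """What a defender can look up for one hostname. The sample values below
    are constructed; only the exeterquads IPs and Server headers come from the
    quoted post, the certificate issuers are assumed."""
    hostname: str
    ip: str
    server: str                        # HTTP Server header
    cert_issuer: Optional[str] = None  # None = no TLS certificate seen


def discrepancies(apex: HostRecord, sub: HostRecord) -> List[str]:
    """Compare a sub-domain against its apex; one string per discrepancy."""
    if not sub.hostname.endswith("." + apex.hostname):
        raise ValueError(f"{sub.hostname} is not a sub-domain of {apex.hostname}")
    found = []
    if sub.ip != apex.ip:
        found.append(f"ip: {apex.ip} (apex) vs {sub.ip} (sub)")
    # Compare the product only, so IIS/8.5 vs IIS/10.0 is not counted.
    if sub.server.split("/")[0].lower() != apex.server.split("/")[0].lower():
        found.append(f"server: {apex.server} (apex) vs {sub.server} (sub)")
    sub_free = (sub.cert_issuer or "").lower() in FREE_CERT_ISSUERS
    apex_free = (apex.cert_issuer or "").lower() in FREE_CERT_ISSUERS
    if sub_free and not apex_free:
        found.append(f"cert: sub uses free CA '{sub.cert_issuer}', apex does not")
    return found


def verdict(apex: HostRecord, sub: HostRecord) -> str:
    """Triage label. Two or more discrepancies warrant a look at the DNS
    records held at the registrar. A legitimately CDN-hosted sub-domain can
    also trip the ip/server checks, so this is a prompt for review, not proof."""
    n = len(discrepancies(apex, sub))
    if n >= 2:
        return "review: possible domain shadowing"
    return "minor difference" if n == 1 else "consistent"


# Constructed sample: the shadowed host from the Malwarebytes write-up, plus a
# made-up pair where the sub-domain is served from the same place as its apex.
EXETERQUADS = HostRecord("exeterquads.com", "5.196.39.216",
                         "Microsoft-IIS/8.5", None)
CDN_EXETERQUADS = HostRecord("cdn.exeterquads.com", "5.63.145.76",
                             "nginx/1.0.15", "Let's Encrypt")
EXAMPLE_APEX = HostRecord("example.invalid", "203.0.113.10",
                          "Apache/2.4", "Example Commercial CA")
EXAMPLE_SUB = HostRecord("www.example.invalid", "203.0.113.10",
                         "Apache/2.4", "Example Commercial CA")

if __name__ == "__main__":
    for apex, sub in ((EXETERQUADS, CDN_EXETERQUADS), (EXAMPLE_APEX, EXAMPLE_SUB)):
        print(sub.hostname, "->", verdict(apex, sub))
        for line in discrepancies(apex, sub):
            print("   ", line)
```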

  6. #926
    AplusWebMaster (Adviser Team)

    Thumbs down Fake 'Interparcel Documents', 'Remittance Adivce', 'Documentxx', 'PDFPart2.pdf' SPAM

    FYI...

    Fake 'Interparcel Documents' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/03/malw...documents.html
    17 Mar 2016 - "This spam email does not come from Interparcel but is instead a simple forgery with a malicious attachment:
    From: Interparcel [bounce@ interparcel .com]
    Date: 17 March 2016 at 08:51
    Subject: Interparcel Documents
    Your Interparcel collection has been booked and your documents are ready.
    There is a document attached to this email called Shipping Labels (620486055838).doc.
    Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.
    Thank you for booking with Interparcel.


    Attached is a randomly-named document that matches the reference in the email (e.g. Shipping Labels (620486055838).doc) of which I have seen two variants (VirusTotal results [1] [2]). These two Malwr reports [3] [4] show Dridex-like download locations at:
    gooddrink .com.tr/wp-content/plugins/hello123/56h4g3b5yh.exe
    ziguinchor.caravanedesdixmots .com/wp-content/plugins/hello123/56h4g3b5yh.exe
    The detection rate for the binary is 5/57*. This DeepViz report** on the binary shows network connections to:
    195.169.147.26 (Culturegrid.nl, Netherlands)
    64.76.19.251 (Level 3, US / Impsat, Argentina)
    91.236.4.234 (FHU Climax Rafal Kraj, Poland)
    188.40.224.78 (Hetzner / NoTaG Community, Germany)
    As mentioned before, these characteristics look like the Dridex banking trojan.
    Recommended blocklist:
    195.169.147.26
    64.76.19.251
    91.236.4.234
    188.40.224.78
    "
    1] https://www.virustotal.com/en/file/d...is/1458205307/

    2] https://www.virustotal.com/en/file/0...is/1458205319/

    3] https://malwr.com/analysis/Yjk4MWRiO...BhYTAzNDdlZTM/
    Hosts
    185.85.191.251

    4] https://malwr.com/analysis/ZDljMjUwM...llNjU1MzM1NzY/
    Hosts
    62.210.16.61

    * https://www.virustotal.com/en/file/7...is/1458206236/

    ** https://sandbox.deepviz.com/report/h...ee5d6ec6746d8/

    - https://myonlinesecurity.co.uk/inter...ads-to-dridex/
    17 Mar 2016 - "An email with the subject of 'Interparcel Documents' pretending to come from Interparcel <bounce@ interparcel .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: Interparcel <bounce@ interparcel .com>
    Date: none
    Subject: Interparcel Documents
    Attachment: Shipping Labels (642079569307).doc
    Your Interparcel collection has been booked and your documents are ready.
    There is a document attached to this email called Shipping Labels (642079569307).doc.
    Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.
    Thank you for booking with Interparcel.


    17 March 2016: Shipping Labels (642079569307).doc - Current Virus total detections 8/57*
    .. MALWR** shows a download from http ://www.corecircle .it/wp-content/plugins/hello123/56h4g3b5yh.exe (VirusTotal ***). This is likely to be the Dridex banking Trojan. Hybrid Analysis[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1458204597/

    ** https://malwr.com/analysis/ZjBiOWMxZ...VhNTYzNDg4NGE/
    Hosts
    62.149.142.224

    *** https://www.virustotal.com/en/file/7...is/1458205050/

    4] https://www.hybrid-analysis.com/samp...nvironmentId=4
    Host Addresses
    195.169.147.26
    64.76.19.251

    ___

    Fake 'Remittance Adivce' SPAM - doc malware leads to Dridex
    - https://myonlinesecurity.co.uk/remit...ads-to-dridex/
    17 Mar 2016 - "An email with the subject of 'Remittance Adivce' pretending to come from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Note the -misspelling- in the subject 'Remittance Adivce' instead of 'Remittance Advice' which should be enough to raise warning flags. One of the emails looks like:
    From: Gill.Wilmer07@ urbanmountainhomes .com
    Date: Thu 17/03/2016 09:16
    Subject: Remittance Adivce
    Attachment: remitadv_ana.doc
    Please find attached a remittance advice for payment made yo you today.
    Please contact the accounts team on 020 7523 2565 or via reply email for any queries regarding this payment.
    Kind Regards
    Wilmer Gill


    17 March 2016: remitadv_ana.doc - Current Virus total detections 1/57*
    .. MALWR** shows a download from http ://bakery.woodwardcounseling .com/michigan/map.php which gave me crypted120med.exe (virustotal 3/56***) MALWR[4] which looks like Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1458206097/

    ** https://malwr.com/analysis/M2U5MDVjM...A3NGM5YjUwY2M/
    Hosts
    217.12.199.94
    188.93.239.28


    *** https://www.virustotal.com/en/file/9...is/1458204974/
    TCP connections
    38.64.199.33
    104.86.111.136


    4] https://malwr.com/analysis/Yjg0NDU3M...E1ZWQyMzJlMjA/
    Hosts
    188.93.239.28

    - http://blog.dynamoo.com/2016/03/malw...ivce-from.html
    17 Mar 2016 - "This fake financial spam has a malicious attachment and poor spelling in the subject field.
    From: Booth.Garth19@ idsbangladesh .net.bd
    Date: 17 March 2016 at 09:17
    Subject: Remittance Adivce
    Please find attached a remittance advice for payment made yo you today.
    Please contact the accounts team on 020 2286 7847 or via reply email for any queries regarding this payment.
    Kind Regards
    Garth Booth


    ... Recommended blocklist:
    217.12.199.94
    38.64.199.33
    188.93.239.28
    85.17.155.148
    "
    ___

    Fake 'Documentxx' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/03/malw...pparently.html
    17 Mar 2016 - "This spam appears to come from-the-victim, but this is just a simple forgery (explained here*). Attached is a ZIP file beginning "Document" followed by a one or two digit random number, which matches the subject. There is -no- body text. Here is an example:
    From: victim@ domain .tld
    To: victim@ domain .tld
    Date: 17 March 2016 at 10:37
    Subject: Document32


    * http://blog.dynamoo.com/2011/09/why-...self-spam.html
    Inside is a randomly-named script (samples VirusTotal reports [1] [2]..). These Malwr reports [8] [9].. indicate that the -script- attempts to download a binary from the following locations:
    escortbayan.xelionphonesystem .com/wp-content/plugins/hello123/89h8btyfde445.exe
    fmfgrzebel .pl/wp-content/plugins/hello123/89h8btyfde445.exe
    superiorelectricmotors .com/wp-content/plugins/hello123/89h8btyfde445.exe
    sabriduman .com/wp-content/plugins/hello123/89h8btyfde445.exe
    bezerraeassociados .com.br/wp-content/plugins/hello123/89h8btyfde445.exe
    The dropped binary has a detection rate of just 2/57**. Those reports and these other automated analyses [14] [15].. show network traffic to:
    78.40.108.39 (PS Internet Company LLC, Kazakhstan)
    46.148.20.46 (Infium UAB, Ukraine)
    188.127.231.116 (SmartApe, Russia)
    195.64.154.114 (Ukrainian Internet Names Center, Ukraine)
    This is Locky ransomware.
    Recommended blocklist:
    78.40.108.39
    46.148.20.46
    188.127.231.116
    195.64.154.114
    "
    1] https://www.virustotal.com/en/file/3...is/1458212406/

    2] https://www.virustotal.com/en/file/9...is/1458212403/

    8] https://malwr.com/analysis/YWE1ZTY1N...g3MTBkODYzNTE/

    9] https://malwr.com/analysis/Zjg1NmY3Y...E4YWQyMmQwNGU/

    ** https://www.virustotal.com/en/file/b...is/1458213349/

    14] https://malwr.com/analysis/OWVjNzBlN...diNTczMDNjZDE/

    15] https://www.hybrid-analysis.com/samp...nvironmentId=4
    ___

    Fake 'PDFPart2.pdf' SPAM - JS malware leads to Locky ransomware
    - https://myonlinesecurity.co.uk/pdfpa...ky-ransomware/
    17 Mar 2016 - "An email with the subject of 'PDFPart2.pdf' pretending to come from Administrator admin@ your-own-email domain with a zip attachment is another one from the current bot runs which downloads Locky ransomware... The -broken- email looks like:
    From: Administrator admin@ your own email domain
    Date: Thu 17/03/2016 12:34
    Subject: PDFPart2.pdf
    Attachment: PDFPart2.zip
    ----_com.android.email_2732400748040
    Content-Type: multipart/alternative; boundary="--_com.android.email_2732400748040"
    ----_com.android.email_2732400748040 ...

    .. When it is fixed...
    From: Administrator admin@ your own email domain
    Date: Thu 17/03/2016 12:34
    Subject: PDFPart2.pdf
    Attachment: PDFPart2.zip
    Sent from my Samsung Galaxy Note 4 – powered by Three


    17 March 2016: PDFPart2.zip: Extracts to: MNS2053291109.js - Current Virus total detections 6/57*
    .. MALWR** shows a download of Locky ransomware from
    http ://www.tuttiesauriti .org/wp-content/plugins/hello123/89h8btyfde445.exe (VirusTotal 5/56***) which although the same file name as today’s earlier locky malspam run is a -different- binary.. A second version CHR5185491610.js (VirusTotal [4]).. MALWR shows a download of the -same- Locky ransomware from
    http ://cepteknik .org/wp-content/plugins/hello123/89h8btyfde445.exe ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1458220341/

    ** https://malwr.com/analysis/ODEwMTZiN...YxYWVhNThhY2E/
    Hosts
    62.149.140.49: https://www.virustotal.com/en/ip-add...9/information/
    78.40.108.39

    *** https://www.virustotal.com/en/file/d...is/1458220984/
    TCP connections
    78.40.108.39: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/90...a495/analysis/

    4] https://www.virustotal.com/en/file/a...is/1458221038/

    - http://blog.dynamoo.com/2016/03/malw...t-from-my.html
    17 Mar 2016 - "This spam run has a malicious attachment. It appears to come from within the user's own domain.
    From: Administrator [admin@ victimdomain .tld]
    Date: 17 March 2016 at 12:54
    Subject: PDFPart2.pdf
    Sent from my Samsung Galaxy Note 4 - powered by Three
    Sent from my Samsung Galaxy Note 4 - powered by Three


    All the attachments that I saw were corrupt, but it appears to be trying to download a -script- that installs Locky ransomware..."
    ___

    Fake 'Invoice' SPAM - RTF malware leads to Dridex
    - https://myonlinesecurity.co.uk/invoi...ads-to-dridex/
    17 Mar 2016 - "An email with the subject of 'Invoice DOINV32142' from Tip Top Delivery (random characters) pretending to come from random email addresses with a malicious word doc RTF attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-1024x783.png

    17 March 2016: Invoice_DOINV32142_from_tip_top_delivery.rtf - Current Virus total detections 3/57*
    .. MALWR** shows a download of what looks like Dridex banking Trojan from
    http ://parts.woodwardcounselinginc .com/michigan/map.php which gave me twitt_us.exe (VirusTotal 3/57***).
    It looks like a continuation of this earlier Dridex malspam[1] with similar sites... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1458235091/

    ** https://malwr.com/analysis/YjdhMzA5N...IyNWIwYTgzN2M/
    Hosts
    176.107.177.85
    188.93.239.28
    8.254.249.62


    *** https://www.virustotal.com/en/file/d...is/1458235750/
    TCP connections
    188.93.239.28
    104.86.111.136


    1] https://myonlinesecurity.co.uk/remit...ads-to-dridex/

    Last edited by AplusWebMaster; 2016-03-17 at 21:17.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #927
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Fake 'Unpaid Issue', 'Proof of Delivery', 'Attached Image', 'FedEx' SPAM, Evil nets..

    FYI...

    Teslacrypt SPAM: 'Unpaid Issue…'
    - https://blog.malwarebytes.org/intell...-unpaid-issue/
    Mar 18, 2016 - "We have all seen the current upsurge in Ransomware attacks. It has been covered on an international scale, with new variants appearing at a very fast pace, some target Windows, some target Macs and some have cross platform capabilities... The email seen below is an example how the orchestrated attack is carried out (thanks to Conrad Longmore* for the email example):
    From: Jennie bowles
    Date: 10 March 2016 at 12:27
    Subject: GreenLand Consulting – Unpaid Issue No. 58833
    Dear Client! For the third time we are reminding you about your unpaid debt. You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off. We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly. Otherwise we will have to start a legal action against you.
    Respectfully,
    Jennie bowles
    Chief Accountant
    707 Monroe St FL 58833 928-429-4994

    The emails usually contain a ZIP file which contains a malicious script/downloader. Upon running this specific malicious script/downloader I was greeted by Teslacrypt ransomware (69.exe) from:
    hellomississmithqq[.]com /
    IP: 54.212.162.6: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/59...a41e/analysis/
    ... below are some of the associated domains / IPs identified from the above sample. This Teslacrypt ransomware campaign has recently morphed into a hybrid Teslacrypt/Locky ransomware campaign. The aforementioned domain hellomississmithqq[.]com was seen serving up both Teslacrypt and Locky Ransomware on 10 March 2016).
    Identified command and control:
    multibrandphone[.]com
    vtechshop[.]net
    sappmtraining[.]com
    shirongfeng[.]cn
    controlfreaknetworks[.]com
    tele-channel[.]com
    Associated IP addresses with hellomississmithqq[.]com:
    46.108.108.182
    54.212.162.6
    78.135.108.94
    134.19.180.8
    202.120.42.190
    216.150.77.21
    142.25.97.48
    202.120.42.190

    ... Ransomware is not going away, on the contrary it is becoming more and more prevalent with new variants coming out at a fast pace and targeting multiple platforms. It is recommended that users are using anti-malware protection, especially one that has a website protection option..."
    * http://blog.dynamoo.com/
    ___

    Evil networks to block 2016-03-18
    - http://blog.dynamoo.com/2016/03/evil...016-03-18.html
    18 Mar 2016 - "A follow-up to this list* posted a few days ago. These networks are primarily distributing Angler and in my opinion you should -block- their entire ranges to be on the safe side...
    85.204.74.0/24
    89.45.67.0/24
    89.108.83.0/24
    148.251.249.96/28
    184.154.89.128/29
    184.154.135.120/29
    185.30.98.0/23
    185.117.73.0/24
    185.141.25.0/24
    194.1.237.0/24
    212.22.85.0/24
    217.12.210.128/25
    "
    * http://blog.dynamoo.com/2016/03/evil...016-03-07.html
    ___

    Fake 'Proof of Delivery' SPAM - doc macro malware leads to Dridex
    - https://myonlinesecurity.co.uk/ukmai...ads-to-dridex/
    18 Mar 2016 - "An email with the subject of 'Proof of Delivery Report: 16/03/16-17/03/16' pretending to come from UKMail Customer Services <list_reportservices@ ukmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...1-1024x763.png

    18 March 2016: poddel-pdf-2016031802464600.docm - Current Virus total detections 9/57*
    .. MALWR** shows a download from http ://felipemachado .com/wp-content/plugins/hello123/r34t4g33.exe
    (VirusTotal 9/57***) which looks like Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1458295346/

    ** https://malwr.com/analysis/NWVkYjY1O...Q4YzJjMWNiNzc/
    Hosts
    93.104.215.155
    64.147.192.68
    184.25.56.51


    *** https://www.virustotal.com/en/file/c...is/1458295346/

    - http://blog.dynamoo.com/2016/03/malw...ry-report.html
    18 Mar 2016 - "This spam does not come from UKMail but is instead a simple -forgery- with a malicious attachment:
    From: UKMail Customer Services [list_reportservices@ ukmail.com]
    Date: 18 March 2016 at 02:46
    Subject: Proof of Delivery Report: 16/03/16-17/03/16
    Dear Customer,
    Please find attached your requested Proof of Delivery (POD) Download Report
    ATTACHED FILE: POD DOWNLOAD ...


    At the time of writing I have seen just a single sample with an attachment named poddel-pdf-2016031802464600.docm ...
    Recommended blocklist:
    64.147.192.68
    64.76.19.251
    91.236.4.234
    188.40.224.78
    "
    ___

    Fake 'Attached Image' SPAM - JS malware leads to Locky ransomware
    - https://myonlinesecurity.co.uk/blank...ky-ransomware/
    18 Mar 2016 - "A -blank- email with the subject of 'Attached Image' pretending to come from a scanner, copier or multi-functional device at your-own-domain with a random numbered zip attachment is another one from the current bot runs which downloads Locky ransomware... The email looks like:
    From: scanner or copier at your-own-email domain
    Date: Fri 18/03/2016 10:24
    Subject: Attached Image pretending to come from a scanner or copier at your own domain
    Attachment: 9369_001.zip (all random numbers)


    Body content: totally blank

    5 March 2016: 9369_001.zip : Extracts to: AGK4044783108.js - Current Virus total detections 2/57*
    .. MALWR** shows a download of Locky ransomware from
    http ://naairah .com/wp-content/plugins/hello123/j7u7h54h5.exe (VirusTotal 2/55***)
    .. MALWR[4] and from http ://robyrogers .com.au/wp-content/plugins/hello123/8888ytc6r.exe (VirusTotal 4/57[5])... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1458300821/

    ** https://www.virustotal.com/en/file/5...is/1458300821/
    Hosts
    149.202.201.228
    46.148.20.46
    27.131.66.9
    195.154.126.159


    *** https://www.virustotal.com/en/file/e...is/1458301083/
    TCP connections
    46.148.20.46

    4] https://malwr.com/analysis/NGY4ZjQxY...Y0MWQ5NjkzMzg/
    Hosts
    185.82.216.143

    5] https://www.virustotal.com/en/file/2...is/1458301375/
    ___

    Fake 'FedEx' SPAM - JS malware leads to ransomware
    - https://myonlinesecurity.co.uk/fedex...to-ransomware/
    18 Mar 2016 - "An email with the subject of 'FedEx_00196222.zip' pretending to come from mogotoys@ server.robo-apps .com; on behalf of; FedEx 2Day <shawn.maddox@ mogotoys .com> with a zip attachment is another one from the current bot runs which downloads ransomware... The email looks like:
    From: mogotoys@ server.robo-apps .com; on behalf of; FedEx 2Day <shawn.maddox@ mogotoys .com>
    Date: Fri 18/03/2016 02:49
    Subject: Problems with item delivery, n.00196222
    Attachment: FedEx_00196222.zip
    Dear Customer,
    Your parcel has arrived at March 15. Courier was unable to deliver the parcel to you.
    Shipment Label is attached to email.
    Yours sincerely,
    Shawn Maddox,
    Sr. Station Agent.


    18 March 2016: FedEx_00196222.zip: Extracts to: FedEx_00196222.doc.js - Current Virus total detections 12/57*
    .. Wepawet** shows downloads from a combination of these -5- locations:
    evakuator-lska .com.ua | rpexpress .qc.ca | omergoksel .com | web.benzol .net.pl | cspfc.immo .perso.sf
    .. Hybrid analysis*** shows the download location to be
    evakuator-lska .com.ua where it gave -2- files VirusTotal [1][2] which look like Kovter and Boaxxe...
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...is/1458279168/

    ** https://wepawet.iseclab.org/view.php...ef4046&type=js

    *** https://www.reverse.it/sample/f3a52a...nvironmentId=1
    Contacted Hosts
    78.109.16.100
    28.59.23.77
    47.206.106.113
    145.24.135.107
    178.33.69.66
    87.118.110.192
    189.60.150.37
    28.29.231.118

    DNS Requests
    evakuator-lska .com.ua: 78.109.16.100: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/06...4c5c/analysis/
    find-dentalimplants .com: 173.201.146.128: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/90...6076/analysis/

    1] https://www.virustotal.com/en/file/1...is/1458249226/

    2] https://www.virustotal.com/en/file/e...is/1458282807/

    Last edited by AplusWebMaster; 2016-03-18 at 18:03.
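The posts above hand out their indicators in defanged form ("http ://modaeli .com/...", "hellomississmithqq[.]com", a space before every dot) plus plain IPs and, in the "Evil networks" list, whole CIDR ranges to block. Turning that into something a gateway can actually check means refanging the text, pulling out hosts and IPs, folding the single IPs into the CIDR list, and then testing each destination in your firewall or proxy log against it. The block below is an added example written for this page, not code from dynamoo, myonlinesecurity or this forum; the indicator lines, the CIDR ranges and the key=value log format are constructed samples chosen to resemble the posts, and the log format is an assumption rather than any real product's output.

```python
"""Refang defanged IOCs from malspam write-ups and match firewall log hosts
against the resulting blocklist (added example; not from the quoted blogs)."""
import ipaddress
import re

# Constructed sample: indicators written the way the quoted posts defang them
# (space before the dot, "http ://", "[.]").
SAMPLE_IOCS = """
http ://modaeli .com/89h766b.exe
hellomississmithqq[.]com
195.64.154.126
92.63.87.106
"""

# Constructed sample: CIDR ranges in the style of the "Evil networks" list.
SAMPLE_RANGES = """
85.204.74.0/24
148.251.249.96/28
185.30.98.0/23
"""

# Constructed sample firewall log (the key=value layout is an assumption, not a real product format).
SAMPLE_LOG = """\
2016-03-21T14:40:01Z src=10.0.0.15 dst=195.64.154.126 dport=80 bytes=412
2016-03-21T14:40:07Z src=10.0.0.15 dst=93.184.216.34 dport=443 bytes=9021
2016-03-21T14:41:12Z src=10.0.0.22 dst=185.30.99.17 dport=80 bytes=233
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def refang(text: str) -> str:
    """Undo the common defanging styles: 'a .com' -> 'a.com', '[.]' -> '.', 'hxxp ://' -> 'http://'."""
    text = text.replace("[.]", ".").replace("(.)", ".")
    text = re.sub(r"[ \t]+\.", ".", text)                      # 'modaeli .com' -> 'modaeli.com'
    text = re.sub(r"(?i)\bhxxp(s?)[ \t]*://", r"http\1://", text)
    text = re.sub(r"(?i)\bhttp(s?)[ \t]*://", r"http\1://", text)
    return text


def extract_iocs(text: str):
    """Return (set of IPv4 strings, set of hostnames) found in a defanged IOC list."""
    ips, hosts = set(), set()
    for line in refang(text).splitlines():
        line = line.strip()
        if not line:
            continue
        for ip in IPV4_RE.findall(line):
            try:
                ipaddress.ip_address(ip)       # rejects junk such as 999.1.1.1
                ips.add(ip)
            except ValueError:
                pass
        m = HOST_RE.match(line)
        if m:
            hosts.add(m.group(1).lower())
    return ips, hosts


def build_blocklist(ranges_text: str, ips):
    """CIDR ranges plus a /32 for each single IP, as ip_network objects."""
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges_text.split()]
    nets += [ipaddress.ip_network(ip + "/32") for ip in sorted(ips)]
    return nets


def matching_network(addr: str, nets):
    """The first blocklist entry containing addr, as a string, or None."""
    try:
        a = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in nets:
        if a in net:
            return str(net)
    return None


def flag_log(log_text: str, nets):
    """(dst, matched network) for every log line whose destination is blocklisted."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"\bdst=(\S+)", line)
        if m:
            net = matching_network(m.group(1), nets)
            if net:
                hits.append((m.group(1), net))
    return hits


if __name__ == "__main__":
    ips, hosts = extract_iocs(SAMPLE_IOCS)
    nets = build_blocklist(SAMPLE_RANGES, ips)
    print("hosts to sinkhole:", sorted(hosts))
    for dst, net in flag_log(SAMPLE_LOG, nets):
        print("BLOCKED", dst, "matched", net)
```

The hostnames are kept separate from the IPs on purpose: the download hosts in these runs are compromised WordPress and Joomla sites that change daily, so they belong in a DNS sinkhole or proxy deny list with a short lifetime, while the C2 ranges in the "Recommended blocklist" and "Evil networks" lists are what the network-layer block is for.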

  8. #928 AplusWebMaster (Adviser Team)

    Thumbs down Fake 'Fax transmission', 'Your account ID' SPAM, Hospital serves Ransomware

    FYI...

    Fake 'Fax transmission' SPAM - malicious script attachment
    - http://blog.dynamoo.com/2016/03/malw...rvice-fax.html
    21 Mar 2016 - "This -fake- fax spam appears to come from within the victim's own domain, but it doesn't. Instead it is just a simple -forgery- with a malicious attachment.
    From: FX Service [emailsend@ w.e191.victimdomain .tld]
    Date: 21 March 2016 at 14:32
    Subject: Fax transmission: -7172277033-1974602246-2016032111285-47417.tiff
    Please find attached to this email a facsimile transmission we
    have just received on your behalf
    (Do not reply to this email as any reply will not be read by
    a real person)


    Details will vary from message to message. Attached is a ZIP file with a name that broadly matches the one referred to in the subject (e.g. F-7172277033-1974602246-2016032111285-47417.zip) which contains any one of a wide-number-of-malicious-scripts (some example VirusTotal results [1] [2]..). Malwr analysis of those samples [6] [7].. shows binary download locations at:
    http ://modaeli .com/89h766b.exe
    http ://spormixariza .com/89h766b.exe
    http ://sebastiansanni .org/wp-content/plugins/hello123/89h766b.exe
    http ://cideac .mx/wp-content/plugins/hello123/89h766b.exe
    There are probably other download locations too. The dropped binary has a VirusTotal detection rate of just 2/56*. This Malwr report** of the payload indicates that it is Locky ransomware.
    All of those sources plus this Deepviz report*** show network traffic to the following IPs:
    195.64.154.126 (Ukrainian Internet Names Center, Ukraine)
    92.63.87.106 (MWTV, Latvia)
    84.19.170.244 (Keyweb AG, Germany / 300GB.ru, Russia)
    217.12.199.90 (ITL Company, Ukraine) ...
    Recommended blocklist:
    195.64.154.126
    92.63.87.106
    84.19.170.244
    217.12.199.90
    "
    1] https://www.virustotal.com/en/file/d...f7a3/analysis/

    2] https://www.virustotal.com/en/file/3...3fc1/analysis/

    6] https://malwr.com/analysis/NDA4MTliN...VkOTE4YjdiYWY/

    7] https://malwr.com/analysis/MTRhYmQwY...FjYzNmYzg3NmU/

    * https://www.virustotal.com/en/file/4...is/1458575289/

    ** https://malwr.com/analysis/MGU5NDIxN...I5NTJiYjg4MGY/

    *** https://sandbox.deepviz.com/report/h...352ae1d944c2a/
    ___

    Fake 'Your account ID... has been suspended' SPAM - JS malware leads to Teslacrypt
    - https://myonlinesecurity.co.uk/your-...to-teslacrypt/
    21 Mar 2016 - "An email with the subject of 'Your account ID:98938 has been suspended' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads teslacrypt... The email looks like:
    From: random email addresses
    Date: Beatriz gepp <geppBeatriz957@ jjdior .com>
    Subject: Your account ID:98938 has been suspended.
    Attachment: warning_letter_34692556.zip
    Your bank account associated with the ID:98938 has been suspended because of the unusual activity connected to this account and a failure of the account holder to pay the taxes on a due date.
    Your debt: - 394,42 USD
    For more details and the information on how to unlock your account please refer to the document attached.


    21 March 2016: warning_letter_34692556.zip: Extracts to: letter_I22vNL.js - Current Virus total detections 15/56*
    .. MALWR** shows a download of teslacrypt from http ://grandmahereqq .com/80.exe?1 (VirusTotal ***)
    Note: this also tries to download http ://google .com/80.exe?1 which does-not-exist... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1458579387/

    ** https://malwr.com/analysis/Njc2NGU2Z...JmYzlkZjVmNGQ/
    Hosts
    54.212.162.6
    216.58.192.14


    *** https://www.virustotal.com/en/file/6...is/1458581354/
    ___

    Hacked Canadian Hospital Website serves Ransomware
    - https://blog.malwarebytes.org/securi...acked-website/
    Mar 21, 2016 - "... Norfolk General Hospital, based in Ontario, became a teaching facility for McMaster University’s Faculty of Health Sciences in 2009. The web portal is powered by the Joomla CMS, running version 2.5.6 (latest version is 3.4.8) according to a manifest file present on their server. Several vulnerabilities exist for this outdated installation, which could explain why the site has been hacked. Our honeypots visited the hospital page and got infected with ransomware via the Angler exploit kit. A closer look at the packet capture revealed that malicious-code leading to the exploit kit was -injected- directly into the site’s source code itself. Like many site hacks, this injection is conditional and will appear only -once- for a particular IP address. For instance, the site administrator who often visits the page will only see a clean version of it, while first timers will get served the exploit and malware:
    > https://blog.malwarebytes.org/wp-con...16/03/Flow.png
    The particular strain of ransomware dropped here is -TeslaCrypt- which demands $500 to recover your personal files it has encrypted. That payment doubles after a week... We contacted the Norfolk hospital and eventually were able to speak with their IT staff. We shared the information we had (screenshots, network packet capture) and told them about the ransomware payload we collected when we reproduced the attack in our lab. We were told that they were working on upgrading their version of Joomla with their hosting provider..."

    Norfolk General Hospital - Ontario: ngh.on .ca: 205.150.58.124:
    >> https://www.virustotal.com/en/url/ef...3773/analysis/

    Last edited by AplusWebMaster; 2016-03-21 at 20:11.

  9. #929 AplusWebMaster (Adviser Team)

    Thumbs down Fake 'Credit Note', 'Blank', 'Statement', 'HP', 'bodily injury' SPAM - Facebook Phish

    FYI...

    Fake 'Credit Note' SPAM - JS malware leads to ransomware
    - https://myonlinesecurity.co.uk/credi...to-ransomware/
    22 Mar 2016 - "An email with the subject of 'Credit Note CN-73290' from On Semiconductor Corp for [redacted] (0312) pretending to come from Accounts <message-service@ post.xero .com> with a zip attachment is another one from the current bot runs which downloads ransomware... These don’t look like either Locky or Teslacrypt ransomware so it appears that another gang of bad actors are using the same email templates as the 2 prolific malspammers to spread their version of ransomware. One example of the email looks like:
    From: Accounts <message-service@ post.xero .com>
    Date: Tue, 22 Mar 2016 04:38:32
    Subject: Credit Note CN-73290 from On Semiconductor Corp for [victim company ] (0312)
    Attachment: Credit Note CN-73290.zip
    Hi Kris,
    Attached is your credit note CN-73290 for 52611.30 AUD.
    This has been allocated against invoice number
    If you have any questions, please let us know.
    Thanks,
    McKesson Corporation ...


    22 March 2016: Credit Note CN-73290.zip: Extracts to: Credit Note CN-64451.js
    .. Current Virus total detections 2/56*. MALWR** shows a download of some sort of ransomware from
    http ://www .frontlinecarloans .com.au/public/js/bin.exe (VirusTotal 6/56***) (Hybrid Analysis [1]) (MALWR [2])
    ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1458611843/

    ** https://malwr.com/analysis/NDVkNDQyY...hjNzI3OWEyY2E/
    Hosts
    103.4.18.250: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/f8...af2b/analysis/
    104.27.151.145
    23.99.222.162


    *** https://www.virustotal.com/en/file/6...is/1458626108/
    TCP connections
    104.27.151.145

    1] https://www.hybrid-analysis.com/samp...nvironmentId=4
    Contacted Hosts
    104.27.150.145

    2] https://malwr.com/analysis/NTQ1ZmJkM...UwMDBlMmMwYzk/
    Hosts
    104.27.150.145
    23.101.187.68
    104.27.151.145

    ___

    Fake 'Blank 2' SPAM - word macro malware leads to Dridex
    - https://myonlinesecurity.co.uk/blank...ads-to-dridex/
    22 Mar 2016 - "An email with a completely blank / empty body with the subject of 'Blank 2' pretending to come from Steve Gale <steve1gales@ gmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Steve Gale <steve1gales@ gmail .com>
    Date: Tue 22/03/2016 09:19
    Subject: Blank 2
    Attachment: Blank 2.docm


    Body content: completely empty

    22 March 2016: Blank 2.docm - Current Virus total detections 6/56*
    .. MALWR** shows a download from http ://www .lightningstars .in/system/logs/87h76hghuhi.exe (VirusTotal 5/56***)
    which is inconclusive but looks like Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1458638302/

    ** https://malwr.com/analysis/YWZlZDM3Z...NmZjFmMmVjOTM/
    Hosts
    162.144.73.194: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/03...f32f/analysis/

    *** https://www.virustotal.com/en/file/c...is/1458637560/
    ___

    Fake 'Statement' SPAM - JS malware leads to Locky Ransomware
    - https://myonlinesecurity.co.uk/rando...ky-ransomware/
    22 Mar 2016 - "An email with the subject of 'FW: Statement S#327763' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... One example of the emails looks like:
    From: Luis Wagner <WagnerLuis4446@ newthoughtcenterofhawaii .com>
    Date: Tue 22/03/2016 09:03
    Subject: FW: Statement S#327763
    Dear ans,
    Please find attached the statement (S#327763) that matches back to your invoices.
    Can you please sign and return.
    Best regards,
    Luis Wagner
    Business Development Director


    22 March 2016: statement_ans_327763.zip: Extracts to -3- .JS files - 2 are identical & 1 different
    .. Current Virus total detections [1] [2]: MALWR* shows -both- download Locky Ransomware from
    http ://alexsolenni .it/pol4dsf (VirusTotal 3/57**). This zip file contains -3- js files and an -unknown- file that when examined is actually empty... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    1] https://www.virustotal.com/en/file/6...is/1458641040/

    2] https://www.virustotal.com/en/file/3...is/1458641075/

    * https://malwr.com/analysis/NmUyYTBhM...JmNGIzODA0ODI/
    Hosts
    178.237.15.128: https://www.virustotal.com/en/ip-add...8/information/
    92.63.87.106: https://www.virustotal.com/en/ip-add...6/information/

    ** https://www.virustotal.com/en/file/1...is/1458641975/
    TCP connections
    92.63.87.106
    ___

    Fake 'HP' SPAM - RTF macro malware leads to Dridex
    - https://myonlinesecurity.co.uk/hewle...ads-to-dridex/
    22 Mar 2016 - "An email that appears to come from HP (Hewlett Packard Enterprises) with the subject of 'Urgent: F400572 HARGREAVES LANSDOWN PLC/ HPE' coming from random names and email addresses with a malicious word doc RTF attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...E-1024x906.png

    5 March 2016: fillout_DAINV13955_derek.rtf - Current Virus total detections 1/57*
    .. MALWR** shows a download from http ://connect.act-sat-bootcamp .com/dana/home.php
    which gave me hpe.jpg (which is -renamed- .exe file and not any sort of image file) (VirusTotal 3/57***)
    Detections are inconclusive but likely to be Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1458642936/

    ** https://malwr.com/analysis/MjNhNTQyN...NjMTI2MjdhM2U/
    Hosts
    91.240.86.234: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/da...1072/analysis/

    *** https://www.virustotal.com/en/file/f...is/1458642865/
    ___

    Fake 'bodily injury' SPAM - JS malware leads to ransomware
    - https://myonlinesecurity.co.uk/you-a...to-ransomware/
    22 Mar 2016 - "An email with the subject of 'You are being accused with bodily injury (Case: 02172723)' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads what looks like Teslacrypt ransomware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...3-1024x447.png

    5 March 2016: post_scan_02172723.zip: Extracts to: post_pgfEUf.js - Current Virus total detections 5/57*
    .. MALWR** shows a download of what looks like Teslacrypt but might just be Locky from
    http ://isityouereqq .com/80.exe?1 (VirusTotal 5/57***) -Both- Locky and Teslacrypt have used the -same- servers and -same- file names over the last few weeks... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/9...is/1458652839/

    ** https://malwr.com/analysis/NmRjODg3O...U1OTgxZjQwOGM/
    Hosts
    185.118.142.154: https://www.virustotal.com/en/ip-add...4/information/

    *** https://www.virustotal.com/en/file/c...is/1458654208/
    ___

    'Re-activate your Online Banking' – NatWest PHISH
    - https://myonlinesecurity.co.uk/re-ac...bank-phishing/
    22 Mar 2016 - "There are a few major common subjects in a phishing-attempt. Lots of them are either PayPal or your Bank or Credit Card, with a message saying some thing like:
    Urgent: Your card has been stopped !
    There have been unauthorised or suspicious attempts to log in to your account, please verify
    Your account has exceeded its limit and needs to be verified
    Your account will be suspended !
    You have received a secure message from < your bank>
    We are unable to verify your account information
    Update Personal Information
    Urgent Account Review Notification
    We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    Confirmation of Order
    Re-activate your Online Banking


    The original email looks like this:

    Screenshot: https://myonlinesecurity.co.uk/wp-co...g-1024x554.png

    ... the site the link goes to http ://linkage .org.uk//new_website/online/personal-natwest/Log-in.php
    where a pop up asks you to download what appears to be the genuine Trusteer rapport security software:
    > https://myonlinesecurity.co.uk/wp-co...p-1024x547.png
    ... if you close the pop up & then fill in the email address and password [DON'T] you get a typical phishing page that looks very similar to a genuine NatWest bank page, if you don’t look carefully at the URL in the browser address bar... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."

    linkage .org.uk: 37.61.235.162: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/03...6afb/analysis/
    ___

    “Copyright Violation” > Facebook Phish
    - https://blog.malwarebytes.org/phishi...acebook-phish/
    Mar 22, 2016 - "... we’ve spotted a phishing-scam using them as a launchpad for data theft. The name of the game is worrying the potential victim into clicking-on-the-supplied-link, with a curious mix of copyright violations and account verification. Here’s an example:
    > https://blog.malwarebytes.org/wp-con...bcopyscam1.png
    As you may have guessed, Facebook doesn’t issue copyright notices then direct you to apps pages. The 'Apps page' on offer here is a 'Get Verified' effort, complete with request for name, email/phone, password, profile link and 'comments':
    > https://blog.malwarebytes.org/wp-con...bcopyscam2.jpg
    We reported the page to Facebook, and it is now offline:
    > https://blog.malwarebytes.org/wp-con...bcopyscam3.jpg
    'Verify your account' -scams- are fairly old, but throwing tall tales of copyright issues into the mix for that extra sheen of panic isn’t quite as common. Always do your best to keep your logins safe and, if in doubt, go to the site owners directly...
    -never- enter your credentials into a -link- sent your way in -random- Facebook messages."

    Last edited by AplusWebMaster; 2016-03-22 at 16:52.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #930
    AplusWebMaster (Adviser Team)

    Thumbs down Fake 'electronic invoice', 'Back Office' SPAM

    FYI...

    Fake 'electronic invoice' SPAM - rtf macro malware
    - https://myonlinesecurity.co.uk/your-...macro-malware/
    23 Mar 2016 - "Following on from this malspam run yesterday* is today’s similar run, with emails with the same subjects pretending to be 'your latest electronic invoice from D.E. Web Works' and a malicious Word doc RTF attachment. It is another one from the current bot runs which try to download various Trojans and password stealers, especially banking Trojans like Dridex or Dyreza and ransomware like Locky, Cryptolocker or Teslacrypt...
    * https://myonlinesecurity.co.uk/urgen...ads-to-dridex/
    One of the emails looks like:
    From: Brandie Everett <Everett.Brandie19@ business.telecomitalia .it> (random senders)
    Date: Wed 23/03/2016 10:34
    Subject: Urgent: F137648 MFI Group/ HPE
    Attachment: inv_839922034.rtf
    MFI Group
    Invoice Due:03/31/2016 IJINV71859 Amount Due: $898.68
    Dear Customer: Here is your latest electronic invoice from D.E. Web Works. If your invoice is not attached as a PDF, you can change your preference in the 'Invoice Summary' section at the bottom of this email. If you wish for your invoices to go to someone different in your organization, just reply to this email and let us know. For your convenience, mail your payment to the address listed on the invoice. Please note that if we have you set up for automatic billing to your credit card or ACH, you will still receive this email, but the balance due will reflect a zero balance. If it does not reflect a zero balance, please contact us immediately. If you have questions about the invoice you have received, please feel free to reply to this email or call us... Electronic invoicing is just one more way that D.E. Web Works is doing its part to give back to the environment. For more information about our environmental initiative, contact us. Thank you for helping us be Part of the Solution. We sincerely appreciate your business. MFI Group ...


    23 March 2016: inv_839922034.rtf - Current VirusTotal detections 2/57*
    .. MALWR** shows a download from http ://wrkstn09.peoriaseniorband .com/dana/home.php which gave me runwithme.exe. The analysis is inconclusive (VirusTotal 4/56***), but it is highly likely to be the Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1458736152/

    ** https://malwr.com/analysis/NzhmM2Q2N...A3NTg5MTE2NTI/
    Hosts
    109.237.108.25: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/2a...ab77/analysis/

    *** https://www.virustotal.com/en/file/5...is/1458736404/
    ___

    Fake 'Back Office: Invoice' SPAM - rtf macro malware
    - https://myonlinesecurity.co.uk/the-b...macro-malware/
    23 Mar 2016 - "An email with the subject of 'The Back Office : Invoice (MJINV78470)' pretending to come from random senders with a malicious word doc RTF attachment is another one from the current bot runs... The alleged sender’s name matches the name in the body of the email. The invoice number is random but matches the attachment name & number. One of the emails looks like:
    From: Vincenzo Mann <Mann.Vincenzo42@ vyas .com>
    Date: Wed 23/03/2016 12:22
    Subject: The Back Office : Invoice ( MJINV78470 )
    Attachment: backoffice_MJINV78470.rtf
    03/23/2016
    Please see the attached PDF File for account MJINV78470 in the amount of $
    583.44. This Invoice MJINV78470 is due on 03/23/2016.
    To view and/or print e-bills, you will need Microsoft Office Word installed on your computer.
    If you have any questions or need further assistance, please send a reply.
    Please include your name, address, and user name in your message.
    Please do not reply to this message.
    Thank you.
    Vincenzo Mann
    The Back Office


    23 March 2016: backoffice_MJINV78470.rtf - Current VirusTotal detections 2/57*
    .. MALWR** shows it downloads http ://wrkstn09.satbootcampaz .com/dana/home.php which delivered
    runwithme.exe (VirusTotal 4/56***). This is the same downloaded malware as described HERE[1]... looks like a password stealer and Banking Trojan. It might be Dridex or might be Vawtrak[2]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1458739404/

    ** https://malwr.com/analysis/YjQwZDkyN...IwMWVjMmY1NTY/
    Hosts
    109.237.108.25: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/d7...670d/analysis/

    *** https://www.virustotal.com/en/url/d7...670d/analysis/

    1] https://myonlinesecurity.co.uk/your-...macro-malware/

    2] https://blogs.mcafee.com/mcafee-labs...rving-vawtrak/

    Last edited by AplusWebMaster; 2016-03-23 at 15:12.
