FYI...
Fake 'Amazon order' SPAM - JS malware leads to Locky Ransomware
- http://myonlinesecurity.co.uk/your-a...ky-ransomware/
11 Mar 2016 - "An email with the subject of 'Your Amazon order #204-217966-773659' [random numbered] pretending to come from AMAZON.COM <no-reply@ Amazon .com> with a zip attachment is another one from the current bot runs which downloads Locky ransomware...
Screenshot: http://myonlinesecurity.co.uk/wp-con...9-1024x656.png
11 March 2016: ORD204-217966-773659.zip: Extracts to: ZGQ8748487803.js - Current VirusTotal detections 6/57*
.. MALWR** shows a download of Locky ransomware from http ://onsancompany .com/system/logs/uy78hn654e.exe
(VirusTotal 5/57***). Other download locations so far discovered for Locky today include:
solucionesdubai .com.ve/system/logs/uy78hn654e.exe
ghayatv .com/system/logs/uy78hn654e.exe
dolcevita-ykt .ru/system/logs/uy78hn654e.exe
mercadohiper .com.br/system/logs/uy78hn654e.exe
chinhuanoithat .com/system/logs/uy78hn654e.exe
http ://nhinh .com/system/logs/uy78hn654e.exe
... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d...is/1457692698/
** https://malwr.com/analysis/MGZhZjA4Y...U3OWVlZTZjNDg/
Hosts
103.18.4.151
31.184.196.78
91.219.30.254
*** https://www.virustotal.com/en/file/9...is/1457691942/
TCP connections
31.184.196.75: https://www.virustotal.com/en/ip-add...5/information/
- http://blog.dynamoo.com/2016/03/malw...order-137.html
11 Mar 2016 - "This fake Amazon spam comes with a malicious attachment:
From: AMAZON.COM [Mailer-daemon@ amazon .com]
Date: 11 March 2016 at 09:09
Subject: Your Amazon order #137-89653734-2688148
Hello,
Thank you for your order. We'll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order #137-89653734-2688148 Placed on March 11, 2016
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon.
Amazon .com
Reference numbers vary from email to email. Attached is a file with a name similar to ORD137-89653734-2688148.zip which contains a malicious script... Recommended blocklist:
31.184.196.75
91.219.30.254
78.40.108.39
31.184.196.78
91.234.32.192"
___
Fake 'Scanned image' SPAM - leads to malware
- http://blog.dynamoo.com/2016/03/malw...mage-data.html
11 Mar 2016 - "This -fake- document scan leads to malware. It appears to come from within the victim's own domain, but this is a trivial forgery.
From: admin [lands375@ victimdomain .tld]
Date: 11 March 2016 at 09:02
Subject: Scanned image
Image data in PDF format has been attached to this email.
Attached is a document named in a similar format to 11-03-2016-6440705503.zip which contains a randomly-named malicious script. So far I have seen -three- versions of this script (VirusTotal results [1] [2] [3]) which according to the Malwr reports [4].. download a malicious binary from:
ghayatv .com/system/logs/uy78hn654e.exe
This is Locky ransomware, the -same- as dropped in this other spam run* - that post also contains a list of C2s to block."
* http://blog.dynamoo.com/2016/03/malw...order-137.html
[1] https://www.virustotal.com/en/file/c...is/1457690743/
[2] https://www.virustotal.com/en/file/1...c931/analysis/
[3] https://www.virustotal.com/en/file/2...is/1457691017/
[4] https://malwr.com/analysis/YWVkNzRlZ...M3ZjcyYWUzM2E/
___
Fake 'Payment' SPAM - leads to Locky ransomware
- http://myonlinesecurity.co.uk/fw-pay...ky-ransomware/
11 Mar 2016 - "An email with the subject of 'Pay for driving on toll road, invoice #00212297' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky ransomware.. The email looks like:
From: Inez Harding <HardingInez04459@ jazztel .es>
Date: Fri 11/03/2016 08:15
Subject: FW: Payment 16-03-#280729
Attachment: payment_doc_280729.zip
Dear voicemail,
We have received this documents from your bank, please review attached documents.
Yours sincerely,
Inez Harding
Account Manager
5 March 2016: payment_doc_280729.zip: Extracts to 2 files:
Post_Tracking_Label_id00-371904814#.js [VT*] [VT**]. MALWR [1] [2] shows -both- download Locky Ransomware from http ://50.28.211.199 /hdd0/89o8i76u5y4 (VirusTotal 5/56***). I am informed [3] that there are several other download locations, all of which appear to be offering a slightly -different- Locky ransomware download... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e...is/1457687806/
** https://www.virustotal.com/en/file/8...is/1457687807/
[1] https://malwr.com/analysis/YjkxNjNkN...cxZGYwZTM0YjE/
Hosts
50.28.211.199
31.184.196.78
91.234.32.192
[2] https://malwr.com/analysis/MjgzYjZlZ...Q4NTljYmRkZjE/
Hosts
50.28.211.199
91.234.33.149
31.184.196.78
31.184.196.75
*** https://www.virustotal.com/en/file/8...is/1457689671/
TCP connections
91.219.30.254: https://www.virustotal.com/en/ip-add...4/information/
[3] http://blog.dynamoo.com/2016/03/malw...507586-we.html
11 Mar 2016 - "These spam messages come from various senders with different references and attachment names.
From: Thanh Sears
Date: 11 March 2016 at 10:29
Subject: FW: Payment 16-03-#507586
Dear [redacted],
We have received this documents from your bank, please review attached documents.
Yours sincerely,
Thanh Sears
Financial Manager
Attached is a ZIP file named in the format payment_doc_507586.zip, containing a randomly named script... The dropped binaries are actually different [1] [2] and both look like Locky ransomware. The C2s to -block- are the same as found in this earlier Locky run*..."
[1] https://www.virustotal.com/en/file/1...is/1457693183/
[2] https://www.virustotal.com/en/file/0...is/1457693194/
* http://blog.dynamoo.com/2016/03/malw...order-137.html
___
Massive Volume of Ransomware Downloaders being Spammed
- https://www.trustwave.com/Resources/...being-Spammed/
March 9, 2016 - "We are currently seeing extraordinarily huge volumes of JavaScript attachments being spammed out, which, if clicked on by users, lead to the download of a ransomware. Ransomware encrypts data on a hard drive, and then demands payment from the victim for the key to decrypt the data. Our Spam Research Database saw around 4 million malware spams in the last -seven- days, and the malware category as a whole accounted for 18% of total spam arriving at our spam traps... your last line of defense against ransomware infection is always having an up to date and good backup process."
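The Locky runs quoted above share three things a defender can key on: a zip attachment whose member is a .js (or other script) file dressed up as a document, a common download path (/system/logs/uy78hn654e.exe) across many compromised hosts, and the short blocklist dynamoo published. The script below is an added example, not code from any of the quoted posts; it triages an attachment zip for script members (including double extensions that look like DOC files when known extensions are hidden) and runs the payload path and blocklist over proxy log lines. The zip contents, the proxy log layout and the extension list are my own constructions; the IPs and path are the ones the posts list.

```python
import io
import re
import zipfile

# Added example; extensions are my choice, blocklist IPs and payload path come from the posts above.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".exe", ".scr"}
BLOCKLIST = {"31.184.196.75", "91.219.30.254", "78.40.108.39",
             "31.184.196.78", "91.234.32.192"}
PAYLOAD_PATH = re.compile(r"/system/logs/uy78hn654e\.exe\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def suspicious_members(zip_bytes):
    """Names in a zip whose final extension is a script or executable; only the
    last suffix counts, so 'Order Details.doc.js' is caught despite its DOC look."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if ext in SCRIPT_EXTS:
                hits.append(name)
    return hits

def flag_proxy_lines(lines):
    """(line_number, reason) for lines hitting the shared Locky payload path
    or a blocklisted address. Log layout is constructed for this example."""
    flagged = []
    for i, line in enumerate(lines, 1):
        if PAYLOAD_PATH.search(line):
            flagged.append((i, "locky payload path"))
            continue
        hits = BLOCKLIST.intersection(IPV4.findall(line))
        if hits:
            flagged.append((i, "blocklisted host " + sorted(hits)[0]))
    return flagged

def build_sample_zip():
    """Constructed stand-in for ORD204-217966-773659.zip; script bodies are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ZGQ8748487803.js", "// placeholder, not the real downloader\n")
        zf.writestr("Order Details.doc.js", "// placeholder\n")
        zf.writestr("readme.txt", "nothing to see\n")
    return buf.getvalue()
# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = [
    "2016-03-11T09:10:01 10.0.0.12 GET http://ghayatv.com/system/logs/uy78hn654e.exe 200",
    "2016-03-11T09:10:03 10.0.0.12 POST http://31.184.196.75/ 200",
    "2016-03-11T09:11:40 10.0.0.20 GET http://example.com/index.html 200",
]
```

Mail-gateway triage would call suspicious_members() on each zip attachment and quarantine on any hit; the proxy check is the cheap retrospective sweep for hosts that already ran one of these scripts.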