FYI...
Fake 'Your order' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/03/malw...-has-been.html
24 Mar 2016 - "This -fake- financial spam does -not- come from Axminster Tools & Machinery, but is instead a simple -forgery- with a malicious attachment:
From: customer.service@ axminster .co.uk
Date: 24 March 2016 at 10:11
Subject: Your order has been despatched
Dear Customer
The attached document provides details of items that have been packed and are ready for despatch.
Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.
Customer Services ...
Attached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive.. however a manual analysis of the macros contained within.. show download locations at:
skandastech .com/76f45e5drfg7.exe
ekakkshar .com/76f45e5drfg7.exe
This binary has a detection rate of 6/56* and the Deepviz Analysis** and Hybrid Analysis*** show network traffic to:
71.46.208.93 (Bright House Networks, US)
64.76.19.251 (Level 3 Communications US, 64.76.19.251 / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
64.147.192.68 (Dataconstructs, US)
41.38.18.230 (TE Data, Egypt)
93.104.211.103 (Contabo, Germany)
159.8.57.10 (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands)
82.144.200.154 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
5.9.43.177 (Hetzner, Germany)
212.126.59.41 (LetsHost, Ireland)
It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.
Recommended blocklist:
71.46.208.93
64.76.19.251
91.236.4.234
64.147.192.68
41.38.18.230
93.104.211.103
159.8.57.10
82.144.200.154
5.9.43.177
212.126.59.41 "
1] https://www.virustotal.com/en/file/8...0f8b/analysis/
2] https://www.virustotal.com/en/file/3...2cb3/analysis/
* https://www.virustotal.com/en/file/9...is/1458816089/
** https://sandbox.deepviz.com/report/h...5a3781bd5c2f1/
*** https://www.hybrid-analysis.com/samp...nvironmentId=4
- https://myonlinesecurity.co.uk/axmin...macro-malware/
24 Mar 2016 - "An email with the subject of 'Your order has been despatched' pretending to come from customer.service@axminster .co.uk with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: customer.service@ axminster .co.uk
Date: Thu 24/03/2016 08:43
Subject: Your order has been despatched
Attachment: LN4244786.docm
Dear Customer
The attached document* provides details of items that have been packed and are ready for despatch.
Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.
Customer Services ...
24 March 2016: LN4244786.docm - Current Virus total detections 6/57*
.. Update: I have been reliably informed[1] that there are -several- versions of this macro word doc that will download Dridex from skandastech .com/76f45e5drfg7.exe -or- ekakkshar .com/76f45e5drfg7.exe
(VirusTotal 6/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/8...is/1458808762/
** https://www.virustotal.com/en/file/9...is/1458814484/
1] https://twitter.com/ConradLongmore/s...52076117155840
___
Fake 'Payment Receipt' SPAM - leads to Locky ransomware
- http://blog.dynamoo.com/2016/03/malw...eipt-from.html
24 Mar 2016 - "This -fake- financial spam comes from random recipients, for example:
From: Marta Wood
Date: 24 March 2016 at 10:10
Subject: FW: Payment Receipt
Dear [redacted],
Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment.
You may be asked to provide your receipt details should you have an enquiry regarding this payment.
Regards,
Marta Wood
Technical Manager - General Insurance
Attached is a ZIP file that incorporates the recipient's name plus a word such as 'payment, details or receipt' plus a random number. This archive contains a randomly-named script (starting with "PM") and ending with .js.js plus what appear to be a set of hidden .BIN files which may well be junk. VirusTotal detection rates for the scripts are fairly low (examples [1] [2]..). Automated analysis [7] [8].. shows binary download locations at:
stie.pbsoedirman .com/msh4uys
projectpass .org/o3isua
natstoilet .com/l2ps0sa [404]
yourhappyjourney .com/asl2sd [404]
Two of the locations are 404ing, the two that work serve up a different binary each. There are probably many more download locations and more binaries... The VirusTotal results for the binaries [19] [20] indicate that this is ransomware, specifically it is Locky. Automated analyses [21] [22].. show it phoning home to:
195.123.209.123 (ITL, Latvia)
107.181.187.228 (Total Server Solutions, US)
217.12.218.158 (ITL, Netherlands)
46.8.44.39 (PE Dunaeivskyi Denys Leonidovich, Ukraine)
... Recommended blocklist:
195.123.209.123
107.181.187.228
217.12.218.158
46.8.44.39 "
1] https://www.virustotal.com/en/file/8...35ca/analysis/
2] https://www.virustotal.com/en/file/4...is/1458819009/
7] https://malwr.com/analysis/ODg1YzdiM...ZhNTEzYmI0ZTE/
8] https://malwr.com/analysis/NDg0ODM1Y...gzZjc0NWFiYjk/
19] https://www.virustotal.com/en/file/0...is/1458819857/
20] https://www.virustotal.com/en/file/b...is/1458819870/
21] https://sandbox.deepviz.com/report/h...04214fb0c8251/
22] https://sandbox.deepviz.com/report/h...067322c7906b0/
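As an added example (not code from the Dynamoo or myonlinesecurity posts quoted above): a short Python script that loads the two "Recommended blocklist" sets from the posts above, runs them against a few constructed firewall log lines, and emits egress DROP rules. The log format, the hostname fw01, the internal source addresses and the one non-listed destination are all made up for the demonstration.

```python
import ipaddress
import re

# The two "Recommended blocklist" sets quoted above (Axminster/Dridex and
# Payment Receipt/Locky posts), one address per line.
BLOCKLIST_TEXT = """
71.46.208.93
64.76.19.251
91.236.4.234
64.147.192.68
41.38.18.230
93.104.211.103
159.8.57.10
82.144.200.154
5.9.43.177
212.126.59.41
195.123.209.123
107.181.187.228
217.12.218.158
46.8.44.39
"""


def parse_blocklist(text):
    """Parse one IP per line into a set; blank lines, comments and non-addresses are skipped."""
    ips = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # not an address (e.g. a stray note); ignore rather than crash
    return ips


# Constructed sample firewall log lines in a hypothetical key=value format (not from the page).
SAMPLE_LOG = """\
2016-03-24T10:15:02Z fw01 ALLOW src=10.1.4.22 dst=71.46.208.93 dport=80 proto=tcp
2016-03-24T10:15:03Z fw01 ALLOW src=10.1.4.22 dst=93.184.216.34 dport=443 proto=tcp
2016-03-24T10:16:40Z fw01 ALLOW src=10.1.7.9 dst=46.8.44.39 dport=80 proto=tcp
2016-03-24T10:17:01Z fw01 DENY src=10.1.4.22 dst=5.9.43.177 dport=8080 proto=tcp
garbage line that should be ignored
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<action>ALLOW|DENY)\s+'
    r'src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)'
)


def find_hits(log_text, blocklist):
    """Return the log events whose destination address is on the blocklist, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip, never crash a detection sweep on bad input
        try:
            dst = ipaddress.ip_address(m.group('dst'))
        except ValueError:
            continue
        if dst in blocklist:
            hits.append({
                'ts': m.group('ts'), 'src': m.group('src'), 'dst': str(dst),
                'dport': int(m.group('dport')), 'action': m.group('action'),
            })
    return hits


def iptables_rules(blocklist):
    """Egress DROP rules, one per address, sorted by address so the output diffs cleanly."""
    return ['iptables -A OUTPUT -d %s -j DROP' % ip for ip in sorted(blocklist)]


if __name__ == '__main__':
    bl = parse_blocklist(BLOCKLIST_TEXT)
    for h in find_hits(SAMPLE_LOG, bl):
        print('%(ts)s %(src)s -> %(dst)s:%(dport)d (%(action)s) matches blocklist' % h)
    print('\n'.join(iptables_rules(bl)))
```

Matching on the destination address alone is deliberate: the posts note the same hosts serve several different binaries, so a hit on 46.8.44.39 or 5.9.43.177 is worth an alert regardless of which campaign the payload belonged to. A DENY hit still tells you which internal host tried to reach the C2 and should be looked at.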
___
Fake 'Attached docs' SPAM - JS malware
- https://myonlinesecurity.co.uk/attac...ab-js-malware/
24 Mar 2016 - "An empty-blank-email with the subject of 'Attached document(s)' pretending to come from Afifa Shohab <afifashohab4650@ gmail .com> with a zip attachment is another one from the current bot runs... The email looks like:
From: Afifa Shohab <afifashohab4650@ gmail .com> [random numbers after the afifashohab]
Date: Thu 24/03/2016 12:58
Subject: Attached document(s)
Attachment: mygov_0239769.zip
Body content: empty
Some of these emails are coming in as working emails and displayed properly with a working attachment, others are misconfigured and corrupt... Screenshot:
> https://myonlinesecurity.co.uk/wp-co...s-1024x710.png
24 March 2016: mygov_0239769.zip: Extracts to: UQF2157341011.js - Current Virus total detections 3/56*
... from http ://tijuanametropolitana .com/3476grb4f434r.exe (VirusTotal 4/56**) which is the -same- malware as described HERE[3]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f...is/1458826227/
** https://www.virustotal.com/en/file/e...is/1458825187/
TCP connections
46.8.44.39: https://www.virustotal.com/en/ip-add...9/information/
>> https://www.virustotal.com/en/url/d3...fc5d/analysis/
3] https://myonlinesecurity.co.uk/monic...16-js-malware/
24 March 2016: FT6284053.zip: Extracts to: XUY9156182001.js - Current Virus total detections 3/57*
.. download from http ://akalbatu .com/3476grb4f434r.exe (VirusTotal 3/57**) ... likely to be either Dridex or Locky ransomware..."
* https://www.virustotal.com/en/file/b...is/1458822000/
** https://www.virustotal.com/en/file/e...is/1458822302/
TCP connections
46.8.44.39: https://www.virustotal.com/en/ip-add...9/information/
>> https://www.virustotal.com/en/url/d3...fc5d/analysis/
___
Fake 'Sixt Invoice' SPAM - word macro malware
- https://myonlinesecurity.co.uk/sixt-...-macro-malware
24 Mar 2016 - "An email with the subject of 'Sixt Invoice: 0252056792' from 24.03.2016 (random numbers) pretending to come from random names, companies and email addresses with a malicious word doc attachment is another one from the current bot runs...
Screenshot: https://myonlinesecurity.co.uk/wp-co...6-1024x780.png
24 March 2016: Sixt_receipt_49200616.doc - Current Virus total detections 2/56*
.. downloads from http ://web-intra.fhc-inc .org/live/essentials.php which gave me
65a7fwgybid.xls (VirusTotal 5/56**) which is actually an .exe file -not- an XLS excel spreadsheet -despite- the file name & icon... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/a...is/1458833067/
** https://www.virustotal.com/en/file/a...is/1458832875/
> https://www.hybrid-analysis.com/samp...nvironmentId=4
Sixt_receipt_15768471.doc
Contacted Hosts
92.63.100.7: https://www.virustotal.com/en/ip-add...7/information/
>> https://www.virustotal.com/en/url/25...c558/analysis/
38.64.199.113: https://www.virustotal.com/en/ip-add...3/information/
>> https://www.virustotal.com/en/url/f2...2a17/analysis/
79.124.67.226: https://www.virustotal.com/en/ip-add...6/information/
>> https://www.virustotal.com/en/url/c1...1e3c/analysis/
222.255.121.202: https://www.virustotal.com/en/ip-add...2/information/
>> https://www.virustotal.com/en/url/42...7124/analysis/
47.88.191.14: https://www.virustotal.com/en/ip-add...4/information/
>> https://www.virustotal.com/en/url/ff...7417/analysis/
197.96.139.253: https://www.virustotal.com/en/ip-add...3/information/
>> https://www.virustotal.com/en/url/79...7c24/analysis/
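Two of the posts above turn on the same trick: a ".js.js" double extension inside the "Payment Receipt" ZIPs, and a 65a7fwgybid.xls that "is actually an .exe file" despite its name and icon. As an added example (my code, not from either blog), the Python below checks an attachment's name against its first bytes, so a mail gateway or triage script can flag exactly those cases. The sample file names and byte strings are constructed to mirror the page's descriptions, not real samples.

```python
import os

# Extensions that execute directly when double-clicked on a typical Windows desktop.
EXECUTABLE_EXTS = {'.exe', '.scr', '.com', '.pif', '.bat', '.cmd'}
# Script hosts (wscript/cscript/mshta) run these as code, no macro prompt involved.
SCRIPT_EXTS = {'.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta', '.ps1'}
# Office formats whose extension alone says "contains macros".
MACRO_EXTS = {'.docm', '.xlsm', '.pptm', '.dotm'}

# File-signature prefixes; only the formats this check needs.
MAGIC = [
    (b'MZ', 'pe'),                                   # Windows executable (EXE/DLL/SCR)
    (b'PK\x03\x04', 'zip'),                          # ZIP, also OOXML (.docx/.docm/.xlsx)
    (b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1', 'ole'),    # legacy Office (.doc/.xls)
    (b'%PDF', 'pdf'),
]


def sniff_content(data):
    """Classify the real content from its leading bytes, or 'unknown'."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return 'unknown'


def extension_chain(filename):
    """Every trailing extension, lowercased: 'PM2091.js.js' -> ['.js', '.js']."""
    parts = os.path.basename(filename).lower().split('.')
    return ['.' + p for p in parts[1:] if p]


def classify_attachment(filename, data):
    """Return the declared extension, sniffed content and a list of findings (empty = nothing odd)."""
    exts = extension_chain(filename)
    last = exts[-1] if exts else ''
    content = sniff_content(data)
    findings = []
    if len(exts) > 1:
        findings.append('double_extension')        # e.g. invoice.pdf.js, PMxxxx.js.js
    if last in EXECUTABLE_EXTS:
        findings.append('executable_extension')
    if last in SCRIPT_EXTS:
        findings.append('script_extension')
    if last in MACRO_EXTS:
        findings.append('macro_enabled_extension')  # e.g. LN4244786.docm
    if content == 'pe' and last not in EXECUTABLE_EXTS:
        # The 65a7fwgybid.xls case: a PE header behind a document extension and icon.
        findings.append('extension_content_mismatch')
    return {'filename': filename, 'extension': last, 'content': content, 'findings': findings}


# Constructed samples modelled on the descriptions in the posts above (not the real files).
SAMPLES = [
    ('65a7fwgybid.xls', b'MZ\x90\x00\x03\x00\x00\x00'),
    ('PM2091.js.js', b'var a = 1;'),
    ('LN4244786.docm', b'PK\x03\x04' + b'\x00' * 8),
    ('report.pdf', b'%PDF-1.4\n'),
]


def scan_samples(samples=SAMPLES):
    """Classify each (name, bytes) pair; returns only the ones with findings."""
    return [r for r in (classify_attachment(n, d) for n, d in samples) if r['findings']]


if __name__ == '__main__':
    for r in scan_samples():
        print('%-22s %-8s %s' % (r['filename'], r['content'], ', '.join(r['findings'])))
```

The magic-byte check is what catches the renamed executable: Explorer trusts the extension and picks the Excel icon, but the first two bytes are still "MZ". For ZIP attachments the same function should be run on each extracted member, which is where the ".js.js" names in the Locky run would surface.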