
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #931
    AplusWebMaster (Adviser Team; joined Oct 2005; location USA; posts 6,881)

    Fake 'Your order', 'Payment Receipt', 'Attached docs', 'Sixt Invoice' SPAM

    FYI...

    Fake 'Your order' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/03/malw...-has-been.html
    24 Mar 2016 - "This -fake- financial spam does -not- come from Axminster Tools & Machinery, but is instead a simple -forgery- with a malicious attachment:
    From: customer.service@ axminster .co.uk
    Date: 24 March 2016 at 10:11
    Subject: Your order has been despatched
    Dear Customer
    The attached document provides details of items that have been packed and are ready for despatch.
    Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.
    Customer Services ...


    Attached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive.. however a manual analysis of the macros contained within.. show download locations at:
    skandastech .com/76f45e5drfg7.exe
    ekakkshar .com/76f45e5drfg7.exe
    This binary has a detection rate of 6/56* and the Deepviz Analysis** and Hybrid Analysis*** show network traffic to:
    71.46.208.93 (Bright House Networks, US)
    64.76.19.251 (Level 3 Communications US, 64.76.19.251 / Impsat, Argentina)
    91.236.4.234 (FHU Climax Rafal Kraj, Poland)
    64.147.192.68 (Dataconstructs, US)
    41.38.18.230 (TE Data, Egypt)
    93.104.211.103 (Contabo, Germany)
    159.8.57.10 (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands)
    82.144.200.154 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
    5.9.43.177 (Hetzner, Germany)
    212.126.59.41 (LetsHost, Ireland)
    It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.
    Recommended blocklist:
    71.46.208.93
    64.76.19.251
    91.236.4.234
    64.147.192.68
    41.38.18.230
    93.104.211.103
    159.8.57.10
    82.144.200.154
    5.9.43.177
    212.126.59.41
    "
    1] https://www.virustotal.com/en/file/8...0f8b/analysis/

    2] https://www.virustotal.com/en/file/3...2cb3/analysis/

    * https://www.virustotal.com/en/file/9...is/1458816089/

    ** https://sandbox.deepviz.com/report/h...5a3781bd5c2f1/

    *** https://www.hybrid-analysis.com/samp...nvironmentId=4

    - https://myonlinesecurity.co.uk/axmin...macro-malware/
    24 Mar 2016 - "An email with the subject of 'Your order has been despatched' pretending to come from customer.service@axminster .co.uk with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: customer.service@ axminster .co.uk
    Date: Thu 24/03/2016 08:43
    Subject: Your order has been despatched
    Attachment: LN4244786.docm
    Dear Customer
    The attached document* provides details of items that have been packed and are ready for despatch.
    Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.
    Customer Services ...


    24 March 2016: LN4244786.docm - Current Virus total detections 6/57*
    .. Update: I have been reliably informed[1] that there are -several- versions of this macro word doc that will download Dridex from skandastech .com/76f45e5drfg7.exe -or- ekakkshar .com/76f45e5drfg7.exe
    (VirusTotal 6/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1458808762/

    ** https://www.virustotal.com/en/file/9...is/1458814484/

    1] https://twitter.com/ConradLongmore/s...52076117155840
    ___

    Fake 'Payment Receipt' SPAM - leads to Locky ransomware
    - http://blog.dynamoo.com/2016/03/malw...eipt-from.html
    24 Mar 2016 - "This -fake- financial spam comes from random recipients, for example:
    From: Marta Wood
    Date: 24 March 2016 at 10:10
    Subject: FW: Payment Receipt
    Dear [redacted],
    Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment.
    You may be asked to provide your receipt details should you have an enquiry regarding this payment.
    Regards,
    Marta Wood
    Technical Manager - General Insurance


    Attached is a ZIP file that incorporates the recipient's name plus a word such as 'payment, details or receipt' plus a random number. This archive contains a randomly-named script (starting with "PM" and ending with .js.js) plus what appear to be a set of hidden .BIN files which may well be junk. VirusTotal detection rates for the scripts are fairly low (examples [1] [2]..). Automated analysis [7] [8].. shows binary download locations at:
    stie.pbsoedirman .com/msh4uys
    projectpass .org/o3isua
    natstoilet .com/l2ps0sa [404]
    yourhappyjourney .com/asl2sd [404]
    Two of the locations are 404ing; the two that work serve up a different binary each. There are probably many more download locations and more binaries... The VirusTotal results for the binaries [19] [20] indicate that this is ransomware, specifically it is Locky. Automated analyses [21] [22].. show it phoning home to:
    195.123.209.123 (ITL, Latvia)
    107.181.187.228 (Total Server Solutions, US)
    217.12.218.158 (ITL, Netherlands)
    46.8.44.39 (PE Dunaeivskyi Denys Leonidovich, Ukraine)
    ... Recommended blocklist:
    195.123.209.123
    107.181.187.228
    217.12.218.158
    46.8.44.39
    "
    1] https://www.virustotal.com/en/file/8...35ca/analysis/

    2] https://www.virustotal.com/en/file/4...is/1458819009/

    7] https://malwr.com/analysis/ODg1YzdiM...ZhNTEzYmI0ZTE/

    8] https://malwr.com/analysis/NDg0ODM1Y...gzZjc0NWFiYjk/

    19] https://www.virustotal.com/en/file/0...is/1458819857/

    20] https://www.virustotal.com/en/file/b...is/1458819870/

    21] https://sandbox.deepviz.com/report/h...04214fb0c8251/

    22] https://sandbox.deepviz.com/report/h...067322c7906b0/
    ___

    Fake 'Attached docs' SPAM - JS malware
    - https://myonlinesecurity.co.uk/attac...ab-js-malware/
    24 Mar 2016 - "An empty-blank-email with the subject of 'Attached document(s)' pretending to come from Afifa Shohab <afifashohab4650@ gmail .com> with a zip attachment is another one from the current bot runs... The email looks like:
    From: Afifa Shohab <afifashohab4650@ gmail .com> [random numbers after the afifashohab]
    Date: Thu 24/03/2016 12:58
    Subject: Attached document(s)
    Attachment: mygov_0239769.zip


    Body content: empty

    Some of these emails are coming in as working emails and displayed properly with a working attachment, others are misconfigured and corrupt... Screenshot:
    > https://myonlinesecurity.co.uk/wp-co...s-1024x710.png

    24 March 2016: mygov_0239769.zip: Extracts to: UQF2157341011.js - Current Virus total detections 3/56*
    ... from http ://tijuanametropolitana .com/3476grb4f434r.exe (VirusTotal 4/56**) which is the -same- malware as described HERE[3]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...is/1458826227/

    ** https://www.virustotal.com/en/file/e...is/1458825187/
    TCP connections
    46.8.44.39: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/d3...fc5d/analysis/

    3] https://myonlinesecurity.co.uk/monic...16-js-malware/
    24 March 2016: FT6284053.zip: Extracts to: XUY9156182001.js - Current Virus total detections 3/57*
    .. download from http ://akalbatu .com/3476grb4f434r.exe (VirusTotal 3/57**) ... likely to be either Dridex or Locky ransomware..."
    * https://www.virustotal.com/en/file/b...is/1458822000/

    ** https://www.virustotal.com/en/file/e...is/1458822302/
    TCP connections
    46.8.44.39: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/d3...fc5d/analysis/
    ___

    Fake 'Sixt Invoice' SPAM - word macro malware
    - https://myonlinesecurity.co.uk/sixt-...-macro-malware
    24 Mar 2016 - "An email with the subject of 'Sixt Invoice: 0252056792' from 24.03.2016 (random numbers) pretending to come from random names, companies and email addresses with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...6-1024x780.png

    24 March 2016: Sixt_receipt_49200616.doc - Current Virus total detections 2/56*
    .. downloads from http ://web-intra.fhc-inc .org/live/essentials.php which gave me
    65a7fwgybid.xls (VirusTotal 5/56**) which is actually an .exe file -not- an XLS excel spreadsheet -despite- the file name & icon... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/a...is/1458833067/

    ** https://www.virustotal.com/en/file/a...is/1458832875/

    > https://www.hybrid-analysis.com/samp...nvironmentId=4
    Sixt_receipt_15768471.doc
    Contacted Hosts
    92.63.100.7: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/25...c558/analysis/
    38.64.199.113: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/f2...2a17/analysis/
    79.124.67.226: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/c1...1e3c/analysis/
    222.255.121.202: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/42...7124/analysis/
    47.88.191.14: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/ff...7417/analysis/
    197.96.139.253: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/79...7c24/analysis/

    Last edited by AplusWebMaster; 2016-03-24 at 17:48.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
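    Added example (not from the quoted blog posts): the LN4244786.docm and Sixt_receipt_*.doc attachments above do nothing until the victim enables macros, so a mail gateway can refuse them before that point by checking the attachment's bytes for a VBA project instead of trusting the file name. The script below does this for both Office container formats. The sample documents it builds are constructed stand-ins, and the OLE2 check is a string heuristic on directory-entry names rather than a full compound-file parser.

```python
"""Flag Office attachments that carry VBA macros before anyone clicks "Enable Content".

Added example written for this thread; not code from the quoted posts. It
recognises the two container formats used by the macro droppers above by
content, never by file name: OOXML (.docm/.docx/.xlsm is a ZIP whose
word/vbaProject.bin part holds the macros) and legacy OLE2 (.doc/.xls, a
compound file whose directory names the VBA storages). The OLE2 check is a
byte-string heuristic on UTF-16LE directory-entry names, not a CFB parser.
"""
import io
import zipfile
from typing import Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Names a VBA project leaves in the OLE2 directory, stored as UTF-16LE: Word keeps
# it under "Macros", Excel under "_VBA_PROJECT_CUR"; both hold a "_VBA_PROJECT" stream.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def has_vba_macros(data: bytes) -> Tuple[bool, str]:
    """Return (has_macros, reason) for the raw bytes of an attachment."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    return True, "OOXML part vbaProject.bin present"
                if "[Content_Types].xml" in names and MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                    return True, "OOXML declares the vbaProject content type"
                return False, "OOXML container without a VBA part"
        except zipfile.BadZipFile:
            return False, "ZIP signature but the archive is unreadable"
    if data.startswith(OLE_MAGIC):
        hits = [m.decode("utf-16-le") for m in OLE_VBA_MARKERS if m in data]
        if hits:
            return True, "OLE2 directory names VBA storage: " + ", ".join(hits)
        return False, "OLE2 container without VBA storage names"
    return False, "not an Office container"


def build_ooxml_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container; not a document from the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = (b'<Types><Override PartName="/word/document.xml" '
                 b'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macros:
            types += b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)  # placeholder bytes, no real VBA
        types += b"</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", b"<w:document/>")
    return buf.getvalue()


def build_ole_sample(with_macros: bool) -> bytes:
    """Constructed stand-in for a legacy .doc: OLE2 header sector plus directory names."""
    body = bytearray(OLE_MAGIC + b"\x00" * 504)                      # one 512-byte header sector
    body += "Root Entry".encode("utf-16-le") + b"\x00" * 44           # 64-byte name fields
    body += "WordDocument".encode("utf-16-le") + b"\x00" * 40
    if with_macros:
        body += "Macros".encode("utf-16-le") + b"\x00" * 52
        body += "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 40
    return bytes(body)


if __name__ == "__main__":
    # File names copied from the thread; the bytes are the constructed samples above.
    for name, blob in (("LN4244786.docm", build_ooxml_sample(True)),
                       ("Sixt_receipt_49200616.doc", build_ole_sample(True)),
                       ("quarterly_report.docx", build_ooxml_sample(False))):
        flagged, why = has_vba_macros(blob)
        print("%-28s %-6s %s" % (name, "BLOCK" if flagged else "pass", why))
```

    The check is deliberately name-blind: a .doc renamed to .docx, or a macro document served with an image extension, is caught the same way. A production gateway would decompress and inspect the VBA source as well (for the URLs the dynamoo post pulled out by hand), but presence of a VBA project is already enough to quarantine an unsolicited "invoice".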

  2. #932
    AplusWebMaster

    Fake 'Invoice Copy' SPAM

    FYI...

    Fake 'Invoice Copy' SPAM - JS malware leads to Locky ransomware
    - https://myonlinesecurity.co.uk/fw-in...ky-ransomware/
    25 Mar 2016 - "Although it is Good Friday... the Locky ransomware campaign continues unabated with an email with the subject of 'FW: Invoice Copy' pretending to come from a random or unknown name at your own email address with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
    From: Stacie Tucker <fax@ [redacted] .co.uk> [Your own email address]
    Date: Fri 25/03/2016 09:03
    Subject: FW: Invoice Copy
    Attachment: copy-fax_323571.zip
    Dear fax,
    Please review the attached copy of your Invoice (number: IN323571) for an amount of $4031.15.
    Thank you for your business.
    Stacie Tucker
    Director, Digital Communications


    25 March 2016: copy-fax_323571.zip: Extracts to: PMTac2edf.js.js Current Virus total detections 1/58*
    .. MALWR** shows a download of Locky ransomware from
    http ://holidaysinkeralam .com/ke4uad (VirusTotal 6/58***). Other download locations so far discovered include:
    http ://goldenlifewomen .com/o3isvs (VT[1])
    http ://fssblangenlois .ac.at/k3idv (VT[2])
    http ://warrendotwarren .url.ph/ldpeo3s (VT[3])
    ... more detailed breakdown, including the multitude of hosts and differing file #’s delivering today’s malware can be found HERE[4] courtesy of Techelplist. This zip file contains 2 js files and 3 dat files that when examined are actually -empty- ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/9...is/1458900076/

    ** https://malwr.com/analysis/ZTJkMDAwZ...k4NzgwNGM2MmQ/
    Hosts
    184.168.47.225
    93.170.104.127


    *** https://www.virustotal.com/en/file/7...is/1458901000/
    TCP connections
    89.108.84.132

    1] https://www.virustotal.com/en/file/b...is/1458910253/
    TCP connections
    185.117.72.94

    2] https://www.virustotal.com/en/file/d...is/1458910585/
    TCP connections
    89.108.84.132

    3] https://www.virustotal.com/en/file/8...is/1458911035/
    TCP connections
    185.117.72.94

    4] https://otx.alienvault.com/pulse/56f...7f23a0c0f414d/

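    Added example, not the bloggers' code: the 'Payment Receipt' and 'Invoice Copy' zips above share one layout (a script named something.js.js, sometimes a copy of it under another extension, and empty or padded decoy files), and the same pattern repeats in the later posts. The script below triages an incoming archive by content rather than by the attachment name, and also notices an archive that has been renamed to an image or document extension. The sample archives are constructed inside the script and contain an inert placeholder rather than any real downloader; the tag names and verdicts are this example's own.

```python
"""Triage a zipped e-mail attachment the way the JS droppers in this thread are built.

Added example for this thread, not code from the quoted posts. It inspects the
archive by content: script members and double extensions (PMTac2edf.js.js,
SCN734815.txt.js), decoy members padded with 0x00/0x01 bytes like the hidden
.BIN/.dat files described, the same payload shipped twice under different
names, and an archive renamed to an image or document extension. The sample
archives at the bottom are constructed here and contain no real dropper code.
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Tuple

SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "cmd", "bat", "ps1", "scr", "exe", "lnk"}
ZIP_MAGIC = b"PK\x03\x04"


def classify_member(name: str, data: bytes) -> List[str]:
    """Tags for one archive member, judged by its name and its bytes."""
    base = name.rsplit("/", 1)[-1].lower()
    exts = base.split(".")[1:]
    tags: List[str] = []
    if exts and exts[-1] in SCRIPT_EXTS:
        tags.append("script:" + exts[-1])
    if len(exts) >= 2:
        tags.append("double-extension")   # "invoice.txt.js" shows as "invoice.txt" with extensions hidden
    if not data:
        tags.append("empty")
    elif set(data) <= {0x00, 0x01}:
        tags.append("padding-only")       # junk filler, never a real document
    return tags


def triage_zip(attachment_name: str, data: bytes) -> Dict[str, object]:
    """Return a report dict with per-member tags, duplicate pairs and an overall verdict."""
    members: Dict[str, List[str]] = {}
    duplicates: List[Tuple[str, str]] = []
    if not data.startswith(ZIP_MAGIC):
        return {"archive_name": attachment_name, "renamed_archive": False,
                "members": members, "duplicates": duplicates, "verdict": "not-a-zip"}
    renamed = not attachment_name.lower().endswith(".zip")   # e.g. a ".jpg" that is really a zip
    seen: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            tags = classify_member(info.filename, content)
            members[info.filename] = tags
            if content and "padding-only" not in tags:
                digest = hashlib.sha256(content).hexdigest()
                if digest in seen:
                    duplicates.append((seen[digest], info.filename))
                else:
                    seen[digest] = info.filename
    all_tags = {t for tags in members.values() for t in tags}
    if any(t.startswith("script:") for t in all_tags):
        verdict = "malicious-script"
    elif renamed or "padding-only" in all_tags or "double-extension" in all_tags:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"archive_name": attachment_name, "renamed_archive": renamed,
            "members": members, "duplicates": duplicates, "verdict": verdict}


def build_dropper_sample() -> bytes:
    """Constructed look-alike of the copy-fax_*.zip layout: one script shipped twice
    under different names plus three padding decoys. The script body is inert."""
    script = b"// constructed placeholder; a real dropper would fetch and run an EXE here\nWScript.Echo('x');\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PMTac2edf.js.js", script)
        zf.writestr("125_ticket_942667766.lib", script)   # same bytes, different name
        for i in range(3):
            zf.writestr("%d.dat" % i, b"\x00\x01" * 512)
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed archive holding one ordinary-looking PDF placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("copy-fax_323571.zip", build_dropper_sample()),
                       ("CCE29032016_00095.jpg", build_dropper_sample()),
                       ("invoice.zip", build_benign_sample())):
        r = triage_zip(name, blob)
        print(name, r["verdict"], r["members"], r["duplicates"])
```

    Two design points: duplicates are keyed on SHA-256 of the content, so the .lib copy of the script is reported even though its name hides the extension; and padding files are excluded from the duplicate check because three identical decoys are expected, not interesting.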

  3. #933
    AplusWebMaster

    Fake 'Overdue Incoices', 'FW: attached invoice', 'Document(1).pdf', 'invoice' SPAM

    FYI...

    Fake 'Overdue Incoices' SPAM - JS malware leads to Locky ransomware
    - https://myonlinesecurity.co.uk/fw-ov...ky-ransomware/
    28 Mar 2016 - "... misspelled subject of 'FW: Overdue Incoices' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
    From: Boyce Day <DayBoyce99@ armadev .com>
    Date: Mon 28/03/2016 09:09
    Subject: FW: Overdue Incoices
    Attachment: sexy123_copy_489051.zip
    Dear sexy123,
    Please find attached copy updated statement as your account has 3 overdue incoices.
    Is there any reasons why they haven’t yet been paid?
    Best Wishes,
    Boyce Day
    Vice President Finance


    28 March 2016: sexy123_copy_489051.zip: Extracts to: SCN734815.txt.js - Current Virus total detections 2/58*
    .. MALWR** and Hybrid Analysis[3] show a download of Locky ransomware from
    http ://www.suansawanresort .com/n7eua (VirusTotal 6/58[4])
    Other download locations so far discovered include
    http ://bbwsa .com/m7rysa
    http ://dukeplasticslab .com/j47akfa
    http ://foothillsofhemet .com/k4sifs
    http ://www.stopeugenicsnow .eu/m8dhs
    http ://blackmountaintipis .com/mxn3aad
    This zip file contains 3 js files and 3 unknown files that when examined are actually empty (full of 0 byte padding, actually a mix of 0 & 1)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1459152409/

    ** https://malwr.com/analysis/OTkxYzNjY...cyZGJiYmJmOTY/
    Hosts
    192.254.235.178
    84.19.170.249: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/01...cd59/analysis/

    3] https://www.reverse.it/sample/4ede8c...nvironmentId=4
    Contacted Hosts
    192.254.235.178
    92.63.87.134: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/aa...cae1/analysis/

    4] https://www.virustotal.com/en/file/4...is/1459152904/
    TCP connections
    78.46.170.79
    ___

    Fake 'FW:' attached invoice SPAM - JS leads to Locky Ransomware
    - https://myonlinesecurity.co.uk/pleas...ent-js-malware
    28 Mar 2016 - "... an email with the subject of 'FW:' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads... Locky Ransomware... The email looks like:
    From: Random senders
    Date: Mon 28/03/2016 09:47
    Subject: FW:
    Attachment: copy_ellie_734294.zip
    Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
    If you have any questions please let us know.


    5 March 2016: copy_ellie_734294.zip: Extracts to a folder named 'warning' which contains -2- files, both appearing to have the -same- content although different file numbers: ticket_613588769.js VT 0/57[1] and
    125_ticket_942667766.lib VT 0/57[2]. MALWR[3] shows a download from
    http ://twocircles .in/HwgIY9 .exe (VirusTotal 5/58[4]) which is inconclusive in detections but MALWR[5] shows contacts of innocent files from Microsoft Update. Hybrid analysis[6] definitely shows Locky Ransomware...
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    1] https://www.virustotal.com/en/file/9...is/1459155351/

    2] https://www.virustotal.com/en/file/4...is/1459155491/

    3] https://malwr.com/analysis/OWMxMWZmN...IxZWRiMWFhNDg/

    4] https://www.virustotal.com/en/file/0...is/1459155069/

    5] https://malwr.com/analysis/MDg4NmQ1M...EzMjMwY2ZjYjc/
    Hosts
    184.25.56.84

    6] https://www.hybrid-analysis.com/samp...nvironmentId=4
    Contacted Hosts
    66.160.196.39: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/69...153c/analysis/
    83.217.8.127
    ___

    Fake 'Document(1).pdf' SPAM - JS malware leads to ransomware
    - https://myonlinesecurity.co.uk/docum...to-ransomware/
    28 Mar 2016 - "An email that tries to make you think it is coming from your own email domain/company with the subject of 'Document(1).pdf' pretending to come from netadmin <nadiam1pa@ your email domain .tld> with a zip attachment is another one from the current bot runs which downloads some sort of ransomware... The email looks like:
    From: netadmin <nadiam1pa@ your email domain .tld>
    Date: Document (1).pdf
    Subject: Document (1).pdf
    Attachment: Document (1).zip
    Document (1).pdf


    28 March 2016: Document (1).zip: Extracts to: FDV4328982511.js - Current Virus total detections 7/57*
    .. MALWR** shows a download of this ransomware file from
    http ://store.brugomug .co.uk/765f46vb.exe (VirusTotal 3/58***) MALWR[4]...
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/b...is/1459173075/

    ** https://malwr.com/analysis/ODEzODQwZ...Y4NzIxNjg0YzA/
    Hosts
    50.56.106.21
    84.19.170.249: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/15...2673/analysis/

    *** https://www.virustotal.com/en/file/6...is/1459171814/
    TCP connections
    91.200.14.73

    4] https://malwr.com/analysis/Y2FmMTY2N...I3YTJhNzk5NDE/
    Hosts
    91.200.14.73: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/26...df21/analysis/

    store.brugomug .co.uk: 50.56.106.21: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/4a...778e/analysis/
    ___

    Fake 'invoice' SPAM - doc macro malware
    - https://myonlinesecurity.co.uk/rando...macro-malware/
    28 Mar 2016 - "An email with the subject of [random company name] 'invoice' – [recipient domain] pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... One of the emails looks like:
    From: Random senders
    Date: Mon 28/03/2016 16:04
    Subject: CERAMIC FUEL CELLS Invoice ...
    Attachment: Invoice Number 1460847 – Issue Date 02166113.rtf
    Sent from my iPad
    Begin forwarded message:
    Thank you for choosing CERAMIC FUEL CELLS! We hope you enjoy our new invoice format. In our effort to be more environmentally friendly, our new invoice saves paper yet provides all of the same information in a more condensed format. Please let us know if you have any questions or concerns.


    28 March 2016: Invoice Number 1460847 – Issue Date 02166113.rtf - Current Virus total detections 4/57*
    .. MALWR shows a download from
    http ://store.clarksvillevw .com/smartphones/iphonese.php which gave me 122.wav which is -NOT- a wav file despite appearing to be able to be played in windows explorer - but is a renamed .exe file
    (VirusTotal 3/58**). This will probably turn out to be either Dridex or Locky ransomware, but analysis is pending...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1459177325/

    ** https://www.virustotal.com/en/file/1...is/1459177386/

    store.clarksvillevw .com: 185.118.166.167: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/f2...987c/analysis/
    ___

    Fake 'TERREDOC' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/03/malw...age-9758w.html
    28 Mar 2016 - "This French-language -spam- comes with a malicious attachment:
    From: Christine Faure [c.faure@ technicoflor .fr]
    Date: 28 March 2016 at 16:54
    Subject: Envoi d’un message : 9758W-TERREDOC-RS62937-15000
    Votre message est prêt à être envoyé avec les fichiers ou liens joints suivants :
    9758W-TERREDOC-RS62937-15000
    Message de sécurité


    To save you putting it into 'Google Translate', the body text reads:
    'Your message is ready to be sent with the following file or link attached'...
    Attached is a file 9758W-TERREDOC-RS62937-15000.zip which comes in at least -eight- different versions each containing a -different- malicious script (VirusTotal results [1] [2]... The Malwr reports for those samples [9] [10]... show a malicious binary downloaded from:
    store.brugomug.co.uk/765f46vb.exe
    ggbongs .com/765f46vb.exe
    dragonex .com/765f46vb.exe
    homedesire .co.uk/765f46vb.exe
    scorpena .com/765f46vb.exe
    pockettypewriter .co.uk/765f46vb.exe
    enduro .si/pdf/765f46vb.exe
    185.130.7.22 /files/qFBC5Y.exe
    Note that the last file is not like the others. There may be other download locations. The "765f46vb" binary has a detection rate of 4/57* and according to all those previous reports... the malware phones home to:
    83.217.8.127 (Park-web Ltd, Russia)
    84.19.170.249 (300GB.ru, Russia / Keyweb, Germany)
    185.117.72.94 (Host Sailor, Netherlands)
    91.200.14.73 (SKS-Lugan, Ukraine)
    92.63.87.134 (MWTV, Latvia)
    176.31.47.100 (OVH, Germany / Unihost, SC)
    All of those look like pretty shady neighbourhoods, although I haven't examined them closely at this point. The payload is the Locky ransomware. The other binary appears to be -another- version of Locky which appears to phone home to the -same- servers.
    Recommended blocklist:
    83.217.8.127
    84.19.170.249
    185.117.72.94
    91.200.14.73
    92.63.87.134
    176.31.47.100
    "
    1] https://www.virustotal.com/en/file/6...0b48/analysis/

    2] https://www.virustotal.com/en/file/6...is/1459182332/

    9] https://malwr.com/analysis/NjFiZGRjN...E2NjAxYjQ1NTY/
    Hosts
    77.234.131.73
    109.235.139.64
    185.130.7.22


    10] https://malwr.com/analysis/YmE5ZmU2Z...M2ZmE1NmI1MjI/
    Hosts
    50.56.106.21
    83.217.8.127


    * https://www.virustotal.com/en/file/6...db31/analysis/
    TCP connections
    91.200.14.73

    Last edited by AplusWebMaster; 2016-03-28 at 20:51.
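    Added example, not from the quoted posts: 65a7fwgybid.xls (post #931) and 122.wav (above) are Windows executables renamed so that the name and icon pass as documents, and a later post describes a Dridex affiliate hiding the executable inside a .jpg for the macro to carve out. The script below identifies a file by its bytes (the DOS 'MZ' stub plus the 'PE\0\0' signature at e_lfanew) rather than by extension, and also searches for a PE image appended after a genuine image header, which is the general case of that trick. The fake PE and JPEG stub it builds are constructed for the demonstration and cannot run.

```python
"""Decide what a downloaded file really is from its bytes, not its name or icon.

Added example for this thread; not the bloggers' code. The payloads above were
served as .xls, .wav and .jpg but are Windows executables, so look for the DOS
'MZ' stub and the 'PE\0\0' signature that e_lfanew (offset 0x3C) points at,
and also for a PE image hidden after a genuine image header.
"""
import struct
from typing import Optional

# Leading bytes of the formats that turn up in this thread ("RIFF" also covers .avi/.webp).
MAGIC = {
    b"MZ": "pe",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"RIFF": "riff",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
}
# What each claimed extension is allowed to contain.
EXT_EXPECT = {
    "xls": {"ole2", "zip"}, "doc": {"ole2", "zip"}, "docx": {"zip"}, "xlsx": {"zip"},
    "wav": {"riff"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "png": {"png"},
    "pdf": {"pdf"}, "zip": {"zip"}, "exe": {"pe"},
}


def pe_header_at(data: bytes, off: int) -> bool:
    """True if a well-formed PE header starts at data[off:]: 'MZ', then 'PE\\0\\0' at e_lfanew."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe_off = off + e_lfanew
    return e_lfanew >= 0x40 and pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\x00\x00"


def sniff(data: bytes) -> str:
    """Content type from magic bytes; 'mz-stub-only' if 'MZ' is not followed by a PE header."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            if kind == "pe" and not pe_header_at(data, 0):
                return "mz-stub-only"
            return kind
    return "unknown"


def find_embedded_pe(data: bytes) -> Optional[int]:
    """Offset of the first valid PE header anywhere past byte 0, else None."""
    off = data.find(b"MZ", 1)
    while off != -1:
        if pe_header_at(data, off):
            return off
        off = data.find(b"MZ", off + 1)
    return None


def verdict(filename: str, data: bytes) -> str:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if kind == "pe" and ext != "exe":
        return "executable disguised as ." + ext
    embedded = find_embedded_pe(data)
    if embedded is not None:
        return "%s carrying embedded PE at offset %d" % (kind, embedded)
    if ext in EXT_EXPECT and kind not in EXT_EXPECT[ext]:
        return "extension .%s does not match content (%s)" % (ext, kind)
    return "consistent"


def build_fake_pe() -> bytes:
    """Constructed, non-executable stand-in: DOS stub whose e_lfanew points at 'PE\\0\\0'."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    hdr += struct.pack("<I", e_lfanew)
    hdr += b"\x00" * (e_lfanew - len(hdr))
    hdr += b"PE\x00\x00" + b"\x00" * 20            # empty COFF header
    return bytes(hdr)


JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 21   # constructed JFIF-looking prefix


def build_jpeg_with_pe() -> bytes:
    """Image header followed by the fake PE, the layout the macro would carve an .exe out of."""
    return JPEG_STUB + build_fake_pe()


def build_wav() -> bytes:
    """Constructed minimal RIFF/WAVE header, a genuinely consistent .wav."""
    return b"RIFF" + struct.pack("<I", 36) + b"WAVEfmt " + b"\x00" * 28


if __name__ == "__main__":
    for name, blob in (("65a7fwgybid.xls", build_fake_pe()), ("122.wav", build_fake_pe()),
                       ("sg1.jpg", build_jpeg_with_pe()), ("122.wav", build_wav())):
        print("%-18s %-8s %s" % (name, sniff(blob), verdict(name, blob)))
```

    The e_lfanew check matters: 'MZ' alone appears in plenty of innocent data, but a valid pointer to 'PE\0\0' is rare by accident, which keeps the embedded-PE scan quiet on real images while still catching an executable glued onto a JFIF header.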

  4. #934
    AplusWebMaster

    Fake 'Credit Card Declined', 'Payment', 'New Order' SPAM - 'Petya' ransomware

    FYI...

    Fake 'Credit Card Declined' SPAM - JS malware
    - https://myonlinesecurity.co.uk/credi...64-js-malware/
    29 Mar 2016 - "An email with the subject of 'Credit Card Has Been Declined *9764' [random numbered] pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads what looks like it is supposed to be locky ransomware... The email looks like:
    From: Shirley brackenbury <brackenburyShirley12280@ covertech .com.br>
    Date: Tue 29/03/2016 10:03
    Subject: Credit Card Has Been Declined *9764
    Attachment: copy_ellie_631312.zip
    Your credit card has been declined, cancellation notice is enclosed down below.


    29 March 2016: copy_ellie_631312.zip: Extracts to: info_614949608.js and a copy named 290_info_571294222.lib
    Current Virus total detections 0/58*. MALWR** shows an attempted download from
    http ://teknosolar .com/CLVrSc.exe which is currently giving a 404 not found...
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1459242165/

    ** https://malwr.com/analysis/MzM3M2FlM...RkZGZkYzgwNzM/
    Hosts
    185.18.196.201: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/7a...7dba/analysis/
    ___

    Fake 'Payment' SPAM – doc macro malware
    - https://myonlinesecurity.co.uk/emers...macro-malware/
    29 Mar 2016 - "An email with the subject of [random name] 'payment/invoice/report/message/Transaction' pretending to come from the same random name but a totally different email address with a random numbered malicious word doc attachment is another one from the current bot runs... One of the emails looks like:
    From: Emerson Sherman <accounts@ rapicutcarbides .com>
    Date: Tue 29/03/2016 05:10
    Subject: Emerson Sherman. Payment
    Attachment: 14385.doc
    Good day
    I hope you had a good weekend.
    Please find the payment confirmation enclosed with this email. The Transfer should appear on your bank within 1 day.
    Thanks
    Emerson Sherman


    29 March 2016: 14385.doc - Current Virus total detections 8/58[1] 7/57[2]
    .. Payload Security* shows a download from http ://www .setabayloan .com/sg1.jpg?YSbs= which gave 585816.exe
    (VirusTotal 9/57**) and is definitely Dridex banking Trojan. This Dridex affiliate uses jpg images on a website that the macro decodes and extracts the .exe file. That way a victim only sees the genuine image in their temp folders or briefly displayed...
    > https://myonlinesecurity.co.uk/wp-co...etabayloan.png
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    1] https://www.virustotal.com/en/file/f...is/1459229375/

    2] https://www.virustotal.com/en/file/e...is/1459226242/

    * https://www.reverse.it/sample/ef3ce8...nvironmentId=4
    Contacted Hosts
    129.121.192.16: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/2d...65d7/analysis/
    87.117.242.13

    ** https://virustotal.com/en/file/07b6b...8d7e/analysis/
    ___

    Fake 'New Order' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/03/malw...016280375.html
    29 Mar 2016 - "This -fake- financial spam comes with a malicious attachment:
    From: Rose Lu [salesdeinnovative@ technologist .com]
    Date: 29 March 2016 at 02:30
    Subject: Re: New Order P2016280375
    Good Day,
    Please find enclosed our new order P2016280375 for your kind attention and prompt execution.
    I look forward to receiving your order acknowledgement in due course.
    Best regards
    Rose Lu
    Office Manager
    Suzhou Eagle Electric Vehicle Manufacturing Co., Ltd.
    Add: No.99, Yin Xin Road, Guo Xiang Town, Suzhou, China ...


    Attached is a file New Order P201628037.docx which I have seen a single variant of, with a VirusTotal detection rate of 8/58*. The Malwr report** is inconclusive, but does appear to show an OLE embedded object within the Word document. There are some interesting strings near the beginning of the object..
    Crypted.exe
    C:\Users\user\Desktop\Crypted.exe
    C:\Users\user\AppData\Local\Temp\Crypted.exe
    So, this looks like ransomware. Some inexpert fiddling with the contents of the OLE file yields an executable, and automated reports [1] [2] [3] show network traffic to the domain marchborn .no-ip .biz hosted on: 105.112.39.114 (Airtel, Nigeria)
    I strongly recommend that you -block- traffic to that IP. In fact, the entire very large 105.112.0.0/12 is very sparsely populated and contains a small handful of legitimate Nigerian domains plus a load of Dynamic DNS domains (I've recommended blocking those before***) so you might want to consider -blocking- those too."
    * https://www.virustotal.com/en/file/6...ece1/analysis/

    ** https://malwr.com/analysis/ZjEwNzIzM...YyMzE1MTYzZTk/

    1] https://malwr.com/analysis/NTM5OTY3Z...gzODViNmE5ZGY/
    Hosts
    105.112.39.114

    2] https://www.hybrid-analysis.com/samp...nvironmentId=1
    Contacted Hosts
    105.112.39.114

    3] https://sandbox.deepviz.com/report/h...ab956bb66e3c0/

    *** http://blog.dynamoo.com/2013/11/dyna...t-want-to.html
    ___

    Fake 'Sent from my iPhone' SPAM - leads to Locky ransomware
    - http://blog.dynamoo.com/2016/03/malw...sent-from.html
    29 Mar 2016 - "... These spam emails look like the victim is sending them to themselves (but they aren't*). Reference numbers vary a little between emails, but the basic pattern is:
    From: victim
    To: victim
    Date: 29 March 2016 at 17:50
    Subject: CCE29032016_00034
    Sent from my iPhone


    Attached is a RAR archive with a name that matches the subject (e.g. CCE29032016_00034.rar) and this contains a malicious .js file that leads to Locky ransomware. My contact tells me that the download locations in the scripts are:
    3r .com .ua/ty43ff333.exe
    canadattparts .com/ty43ff333.exe
    chilloutplanet .com/ty43ff333.exe
    gazoccaz .com/ty43ff333.exe
    hindleys .com/ty43ff333.exe
    jeweldiva .com/ty43ff333.exe
    kandyprive .com/ty43ff333.exe
    labonacarn .com/ty43ff333.exe
    silvec .com/ty43ff333.exe
    tbde .com .vn/ty43ff333.exe
    zecapesca .com/ty43ff333.exe
    This payload has a detection rate of 4/56**. The malware calls back to:
    84.19.170.249 (Keyweb, Germany / 300GB.ru, Russia)
    5.135.76.18 (OVH, France / Bondhost, Montenegro)
    109.234.35.128 (McHost, Russia)
    McHost is almost purely a black-hat ISP in my opinion and should be blocked-on-sight.
    Recommended blocklist:
    84.19.170.249
    5.135.76.18
    109.234.35.0/24
    "
    * http://blog.dynamoo.com/2011/09/why-...self-spam.html

    ** https://www.virustotal.com/en/file/6...6760/analysis/
    TCP connections
    84.19.170.249: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/01...cd59/analysis/

    5.135.76.18: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/ab...5e43/analysis/

    109.234.35.128: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/ae...c893/analysis/
    ___

    Locky ransomware downloads -hijacked- by vigilante - delivering Eicar test file...
    - https://myonlinesecurity.co.uk/locky...-file-instead/
    29 Mar 2016 - "Another set of -empty/blank- emails that pretend to come from your own email address. This particular bunch have multiple subjects but all starting with 'CCE29032016' and attachments that also start with 'CCE29032016'. Some of the subjects and attachments I have seen include:
    CCE29032016_00095.jpg
    CCE29032016_00065.docx
    CCE29032016_00067.tiff
    CCE29032016_00050.pdf
    CCE29032016_00002.gif
    These are obviously designed to make you think they are coming from a printer, scanner or Multi-functional device on your network. They are -not- image or word files despite the extensions and icons saying they are:
    > https://myonlinesecurity.co.uk/wp-co...fake-files.png
    These attachments are -not- what they appear to be and are actually renamed zip files with the icons of the files they pretend to be, containing a js file. These files download what is -supposed- to be Locky ransomware from several locations. The ones I have discovered so far include:
    http ://chilloutplanet .com/ty43ff333.exe
    tbde. com .vn/ty43ff333.exe
    canadattparts .com/ty43ff333.exe
    ... add to the twist all the files that I have seen are -not- Locky ransomware but instead all of these already compromised sites have been discovered by what we think is a “white hat” hacker vigilante who has replaced the locky files with a “safe” file that contains the words 'STUPID LOCKY' then a load of symbols that I won’t post here and EICAR-STANDARD-ANTIVIRUS-TEST-FILE. This would or should be flagged by EVERY antivirus in existence as the Eicar test file (and for that reason I will not post it even in plain text, because many antiviruses would immediately block access to this site). See screenshot:
    > https://myonlinesecurity.co.uk/wp-co...upid-locky.png
    It looks like most 'victims' will have been lucky this time, although I am sure there will be some sites in this malspam run that didn’t get discovered by the vigilante and -continue- to infect victims... -Never- attempt to open a zip directly from your email, that is a guaranteed way to get infected. The best way is to just -delete- the unexpected zip and not risk any infection."

    chilloutplanet .com: 109.71.69.138: https://www.virustotal.com/en/ip-add...8/information/

    tbde. com .vn: 162.243.4.79: https://www.virustotal.com/en/ip-add...9/information/

    canadattparts .com: 104.131.133.51: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/53...0c4d/analysis/
    ___

    'Petya' ransomware encrypts files, disks, locks users out of computers
    - https://www.helpnetsecurity.com/2016...cks-computers/
    March 29, 2016 - "A -new- type of ransomware does not only encrypt the victims’ files, but also their disk’s Master File Table (MFT), and it replaces the boot drive’s existing Master Boot Record (MBR) with a malicious loader. It makes the entire computer -unusable- until the ransom is paid or until the victims decide to cut their losses, repair the MBR themselves, and reinstall Windows. The ransomware is called Petya, and is currently being delivered via spear-phishing campaigns aimed at German companies’ HR departments. The -fake- emails are made to look like they are coming from a legitimate job seeker, and instruct the recipient to download the sender’s CV from a Dropbox account. If the recipient falls for the trick, downloads the file, fails to notice that it’s an executable and runs it, the computer will crash because Petya overwrites the MBR of the entire hard drive. The computer will then show the infamous “Blue Screen of Death,” and reboot. The next thing the victim sees is a -fake- CHKDSK notice:
    > https://www.helpnetsecurity.com/imag...ake-chkdsk.jpg
    GData researchers have examples* of the spear-phishing emails, and a video of Petya in action. Trend Micro researchers confirmed** that the ransomware encrypts both part of the disk and victims’ files. They have also notified Dropbox of the fact that their service is being used to propagate the malware, and the company has removed the malicious file along with other links that stored the same file. The malware doesn’t allow the user to restart the computer in Safe Mode. According to Bleeping Computer’s Lawrence Abrams, there is currently no way to restore the files without paying the ransom, nor to decrypt the MFT. Users can repair the MBR and reinstall Windows, but all their files will be lost..."
    * https://blog.gdatasoftware.com/2016/...ts-hard-drives

    ** http://blog.trendmicro.com/trendlabs...ers-computers/

    Video 0:51 > http://arstechnica.com/security/2016...pts-hard-disk/

    Last edited by AplusWebMaster; 2016-03-30 at 21:38.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
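
    Added example, not part of the forum post or of the dynamoo.com write-up quoted above: a small Python script that takes the blocklist recommended in that post (two single IPs plus the 109.234.35.0/24 range) and sweeps outbound connection logs for destinations inside it. The log format is an assumption made for this example (timestamp, source, destination:port, action) and the log lines are constructed, not real traffic; only the blocklist values come from the post.

```python
"""Sweep connection logs for destinations in a C2 blocklist of IPs and CIDRs."""
import ipaddress
import re

# Blocklist values as recommended in the dynamoo.com post quoted above.
BLOCKLIST = ["84.19.170.249", "5.135.76.18", "109.234.35.0/24"]

# Assumed log format for this example: "<timestamp> <src> <dst>:<port> <action>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<action>\S+)$"
)

# Constructed sample lines (not real traffic). 10.0.0.15 reaches two callback
# addresses and is blocked on a third; 10.0.0.22 talks to an unrelated host;
# the last line carries a malformed destination to show it is skipped safely.
SAMPLE_LOGS = """\
2016-03-29T17:52:01Z 10.0.0.15 84.19.170.249:80 ALLOW
2016-03-29T17:52:03Z 10.0.0.15 109.234.35.77:443 ALLOW
2016-03-29T17:53:10Z 10.0.0.22 93.184.216.34:443 ALLOW
2016-03-29T17:54:00Z 10.0.0.15 5.135.76.18:80 DENY
2016-03-29T17:54:30Z 10.0.0.31 999.1.1.1:80 ALLOW
"""


def compile_blocklist(entries):
    """Parse IPs and CIDRs; a bare IP becomes a /32 (or /128) network."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def match_ip(ip, nets):
    """Return the blocklist network containing ip, or None (also for junk input)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in nets:
        if addr in net:
            return net
    return None


def scan_logs(text, entries=BLOCKLIST):
    """Return one dict per log line whose destination is on the blocklist."""
    nets = compile_blocklist(entries)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        net = match_ip(m["dst"], nets)
        if net is not None:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "port": int(m["port"]), "action": m["action"],
                         "matched": str(net)})
    return hits


def hosts_to_isolate(hits):
    """Internal hosts whose connection was ALLOWed: they reached the callback
    address, so treat them as infected rather than merely blocked."""
    return sorted({h["src"] for h in hits if h["action"] == "ALLOW"})


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["port"]} [{h["matched"]}] {h["action"]}')
    print("isolate:", hosts_to_isolate(found))
```

    An ALLOW hit means the internal host already reached the callback address, so it has run the downloader and needs isolation, not just a firewall rule; a DENY hit still tells you which host opened the attachment.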

  5. #935 - AplusWebMaster (Adviser Team)

    Fake 'Additional Info', 'scanner, prtr', 'scanned document' SPAM

    FYI...

    - https://atlas.arbor.net/briefs/index#-318909613
    "... At the present, Locky developers are completely reliant upon some level of user interaction. Educating your workforce on potential threats and the overall threat vectors is still the best way to inhibit threats like Locky."

    Fake 'Additional Info' SPAM - leads to ransomware
    - http://blog.dynamoo.com/2016/03/malw...formation.html
    30 Mar 2016 - "This spam has a malicious attachment, leading to ransomware.
    From: Joe holdman [holdmanJoe08@ seosomerset .co.uk]
    Date: 30 March 2016 at 08:55
    Subject: RE: Additional Information Needed #869420
    We kindly ask you to provide us additional information regarding your case.
    Please find the form attached down below.


    The reference number varies in the subject. The attachment is a ZIP file containing elements of the recipient's email address and words like "copy" or "invoices" plus a random number. These unzip into a folder called "letter" to give a .js file beginning with "letter_" and a .wrn file which also appears to be a script but which won't run by default. An analysis of three scripts [1] [2] [3] shows binary downloads from:
    cainabela .com/zFWvTM.exe
    downloadroot .com/vU4VAZ.exe
    folk.garnet-soft .com/jDFXfL.exe
    This binary has a detection rate of 6/56*. Automated analysis [4] [5] shows network traffic to:
    93.170.131.108 (Krek Ltd, Russia)
    5.135.76.18 (OVH, France / Bondhost, Montenegro)
    82.146.37.200 (TheFirst-RU, Russia)
    These characteristics are consistent with Locky ransomware.
    Recommended blocklist:
    93.170.131.108: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/cd...c486/analysis/
    5.135.76.18: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/7d...27df/analysis/
    82.146.37.200: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/6a...bbd2/analysis/
    "
    1] https://www.virustotal.com/en/file/b...is/1459325489/

    2] https://www.virustotal.com/en/file/3...is/1459325501/

    3] https://www.virustotal.com/en/file/8...is/1459325510/

    * https://www.virustotal.com/en/file/8...is/1459325587/

    4] https://www.hybrid-analysis.com/samp...nvironmentId=4

    5] https://sandbox.deepviz.com/report/h...292fcc77cd45e/
    ___

    Fake 'scanner, prtr' SPAM - leads to Locky ransomware
    - https://myonlinesecurity.co.uk/more-...ky-ransomware/
    30 Mar 2016 - "... another series of emails that pretend to be coming from a scanner, printer or multifunctional device at your own email domain with a zip attachment is another one from the current bot runs... In exactly the same way as one of yesterday’s malspam runs* the subjects pretend to be emailing an image or document file:
    * https://myonlinesecurity.co.uk/locky...-file-instead/
    Some of the subjects seen today include:
    Emailing: FILE-57146596.tiff
    Emailing: docment-6419593.tiff
    Emailing: sheet 462244150.JPEG
    Emailing: DOC-109.JPEG
    Emailing: file_29.TIFF
    Emailing: list-51210168.docx ...
    One of the emails looks like:
    From: CANON <CANON@ your-own-email-domain >
    Date: Wed 30/03/2016 12:41
    Subject: Emailing: FILE-57146596.tiff
    Attachment:FILE-57146596.tiff.zip
    Your message is ready to be sent with the following file or link attachments:
    FILE-57146596.tiff
    Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled...


    30 March 2016: FILE-57146596.tiff.zip: Extracts to: 414-7888138-1994311.js - Current Virus total detections 5/56*
    downloads Locky ransomware from
    http ://tmecvn .com/45t3443r3 (VirusTotal 9/56**). Other download locations... include:
    http ://bezuhova .ru/45t3443r3
    http ://thespinneyuk .com/45t3443r3
    http ://tishaclothing .co.za/45t3443r3
    http ://formalizar .com.br/45t3443r3
    http ://tde.tne .cl/45t3443r3
    http ://journal.egostile .net/45t3443r3
    http ://cheapairticketindia .net/45t3443r3
    http ://creditfinancebank .ru/45t3443r3 and I am sure loads of others will appear during the day... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1459336685/

    ** https://www.virustotal.com/en/file/b...is/1459341039/
    TCP connections
    5.135.76.18: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/7d...27df/analysis/
    ___

    Fake -Multiple- Subjects/senders/content SPAM - download Locky ransomware
    - https://myonlinesecurity.co.uk/multi...ky-ransomware/
    30 Mar 2016 - "... a whole series of -different- email -subjects- and body-content coming from random-senders downloading Locky ransomware from multiple-places...
    Some of the subjects include:
    FW:Expenses Report # 109681 – 03/2016
    payment confirmation
    Additional Costs
    recent bill
    RE: Additional Information Needed #075573


    The bodies of these emails have -varied- content like these:
    We kindly ask you to provide us additional information regarding your case.
    Please find the form attached down below.

    -Or-
    Dear xerox.774,
    Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email me.
    Best regards
    Cleo Morris
    Chief Executive Officer


    ... These -all- download Locky ransomware from -various- sites, some of which include:
    http ://drirenaeris .com.au/b7eir (VirusTotal 3/56*)
    http ://fabiocaminero .com/2L5pGE.exe (VirusTotal 7/56**)
    http ://cssrd.org.lb/VPNQ4Z.exe (VirusTotal 7/56***) ...
    These are -more- of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/d...is/1459341652/
    TCP connections
    51.254.240.45: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/e4...e2bd/analysis/

    ** https://www.virustotal.com/en/file/8...is/1459343160/

    *** https://www.virustotal.com/en/file/8...is/1459343160/

    - http://blog.dynamoo.com/2016/03/malw...-leads-to.html
    30 Mar 2016 - "... -another- malicious spam run... drops Locky ransomware. Again... phones home to the -same- IPs reported here[1]."
    1] http://blog.dynamoo.com/2016/03/malw...formation.html
    ___

    Fake 'scanned document' SPAM - doc macro malware
    - https://myonlinesecurity.co.uk/scann...macro-malware/
    29 Mar 2016 - "An email with the subject of 'scanned document' pretending to come from Tara Savill <tara@ charismabathrooms .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...t-1024x642.png

    29 March 2016: CCF26062014_00002.docm - Current Virus total detections 7/57*
    .. MALWR** shows a download of Dridex banking malware from
    http ://1901.magflags .de/media/5478hj.exe
    Other sites: some of which were also in THIS earlier run*** ... include:
    http ://youngstownliquidation .com/5478hj.exe
    http ://balikmalzemelerim .com/5478hj.exe
    http ://me-shop .net/5478hj.exe
    http ://stremyanki .kz/5478hj.exe
    http ://mojomojito .com/5478hj.exe
    http ://baldwinsun .com/media/5478hj.exe ...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1459249209/

    ** https://malwr.com/analysis/OWI5NTZhY...UzZmEzZmIxMTQ/
    Hosts
    144.76.126.6: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/73...2087/analysis/

    *** https://myonlinesecurity.co.uk/europ...macro-malware/

    Last edited by AplusWebMaster; 2016-03-30 at 17:34.
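
    Added example, not code from the forum post or from myonlinesecurity.co.uk / dynamoo.com: Python static triage for the attachment tricks described in this and the previous post, i.e. a .jpg or .tiff that is really a zip holding a .js downloader, a double-extension name such as .tiff.zip, an executable sent in place of a document, and a .docm carrying a VBA macro project. The file names in SAMPLES are taken from the posts, but their contents are harmless placeholders built in memory (constructed, not the real malware); the extension lists are this example's own choice, and RAR members are deliberately not parsed because the standard library has no RAR reader.

```python
"""Static triage of e-mail attachments: real format vs. claimed extension,
double extensions, scripts inside archives, VBA projects inside OOXML."""
import io
import zipfile

# First bytes of the container and executable formats seen in these runs.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"GIF8": "gif",
    b"II*\x00": "tiff",
    b"MM\x00*": "tiff",
}
# Extensions a gateway should not deliver, on their own or inside an archive.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
               ".bat", ".cmd", ".scr", ".pif", ".com", ".exe"}
# Extensions the lures borrow so the icon looks like an image or document.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".pdf",
              ".doc", ".docx", ".xls", ".xlsx"}
OOXML_EXTS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}  # legitimately zips


def sniff(data: bytes) -> str:
    """Identify the real format from leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def exts(name: str):
    """All extensions of a name, outermost last: 'a.tiff.zip' -> ['.tiff', '.zip']."""
    return ["." + p for p in name.lower().split(".")[1:]]


def inspect_zip(label: str, data: bytes):
    """Findings for the members of a zip: macro project, script/executable members."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return [f"{label}: corrupt zip"]
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append(f"{label}: Office document contains a VBA macro project")
    for n in names:
        e = exts(n)
        if e and e[-1] in SCRIPT_EXTS:
            findings.append(f"{label}: archive member {n} is a script/executable")
    return findings


def triage(name: str, data: bytes):
    """Return the list of findings for one attachment (empty list = nothing seen)."""
    findings = []
    kind = sniff(data)
    e = exts(name)
    last = e[-1] if e else ""
    if last in SCRIPT_EXTS:
        findings.append(f"{name}: script/executable attachment")
    # 'FILE-57146596.tiff.zip': a decoy extension in front of the real one.
    if len(e) >= 2 and e[-2] in DECOY_EXTS:
        findings.append(f"{name}: double extension {e[-2]}{last}")
    # 'CCE29032016_00095.jpg' that is really a zip: the name promises an image or
    # document but the bytes say archive or PE (OOXML documents are zips by design).
    if last in DECOY_EXTS and kind in ("zip", "rar", "pe") and last not in OOXML_EXTS:
        findings.append(f"{name}: extension {last} but content is {kind}")
    if kind == "rar":
        findings.append(f"{name}: rar archive, members not inspected here; quarantine")
    if kind == "zip":
        findings.extend(inspect_zip(name, data))
    return findings


def triage_all(samples):
    return {name: triage(name, data) for name, data in samples.items()}


def _zip_with(members):
    """Build an in-memory zip for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples for this example, not the real malware: names from the
# posts, contents are harmless placeholders.
SAMPLES = {
    "CCE29032016_00095.jpg": _zip_with({"CCE29032016_00095.js": "var a = 1;"}),
    "FILE-57146596.tiff.zip": _zip_with({"414-7888138-1994311.js": "var b = 2;"}),
    "LN4244786.docm": _zip_with({"[Content_Types].xml": "<Types/>",
                                 "word/document.xml": "<w:document/>",
                                 "word/vbaProject.bin": b"\x00" * 8}),
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "Deposit Slip.exe": b"MZ" + b"\x00" * 62,
    "report.docx": _zip_with({"[Content_Types].xml": "<Types/>",
                              "word/document.xml": "<w:document/>"}),
}

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(name, "->", findings or ["clean"])
```

    Run it as a script to get one line per sample. The check that matters most is the one the desktop hides from the user: the icon and the name say image or document, the first bytes say archive or PE. It is a gateway-side complement to "show known file extensions", not a replacement for it.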

  6. #936 - AplusWebMaster (Adviser Team)

    Fake 'Print', 'FaxEmail', 'Photos' SPAM

    FYI...

    Fake 'Print' SPAM - JS malware leads to Locky ransomware
    - https://myonlinesecurity.co.uk/an-em...ky-ransomware/
    31 Mar 2016 - "A series of emails with the basic subject of 'print' pretending to come from random names with a number at Gmail .com with a zip attachment is another one from the current bot runs which downloads Locky ransomware... Some of the subjects I have seen so far include:
    print please
    hi prnt
    print
    hello print

    One of the emails looks like:
    From: admin <andrew03@ gmail .com>
    Date: Mon 04/01/2016 13:31
    Subject: print please
    Attachment: New Text Document (3).rar
    --40719049546ef6119a6e83c9e005
    Content-Type: text/plain; charset=UTF-8
    --40719049546ef6119a6e83c9e005
    Content-Type: text/html; charset=UTF-8
    <div dir="ltr"><br></div>
    --40719049546ef6119a6e83c9e005--
    --bf5dda1905937f96d0871d6d3006
    Content-Type: application/octet-stream; name="New Text Document (3).rar ...


    31 March 2016: New Text Document(3).rar: Extracts to: New Text Document(95).js - Current Virus total detections 4/57*
    .. MALWR** didn’t show any download but a manual analysis of the JS file gave me Locky Ransomware from
    http ://bianca .com .tr/87h78rf33g (VirusTotal 4/57***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1459419468/

    ** https://malwr.com/analysis/MGFiN2I0O...ZjYTI5ZjJiY2M/

    *** https://www.virustotal.com/en/file/6...is/1459419544/
    TCP connections
    88.198.119.177: https://www.virustotal.com/en/ip-add...7/information/
    ___

    Fake 'FaxEmail' SPAM - JS malware leads to Locky ransomware
    - https://myonlinesecurity.co.uk/faxem...ky-ransomware/
    31 Mar 2016 - "An email with the subject of 'FaxEmail Fax from 0632136978' (random number) pretending to come from random number @ f2em .com with a zip attachment is another one from the current bot runs which downloads Locky ransomware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...8-1024x585.png

    31 March 2016: 783836325-7101s-452012.zip: Extracts to: 21255715-6613c-370201.js
    Current Virus total detections 4/56*. MALWR** shows a download of Locky Ransomware from
    http ://mentaldevelopment .ir/87h78rf33g (VirusTotal 3/57***)
    Other download locations so far discovered include:
    http ://meimeiwang .com.cn/87h78rf33g
    remontobuvidoma .ru/87h78rf33g (giving a '404 not found')
    anop .ir/87h78rf33g
    ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/b...is/1459428459/

    ** https://malwr.com/analysis/ODNmYTM1M...JmZjNiZjkzODE/
    Hosts
    185.8.173.39
    81.177.181.164


    *** https://www.virustotal.com/en/file/7...is/1459428606/
    TCP connections
    88.198.119.177
    ___

    Fake 'Photos' SPAM - JS malware delivers Locky ransomware
    - https://myonlinesecurity.co.uk/photo...ky-ransomware/
    31 Mar 2016 - "A blank/empty email with the subject of 'Photos' pretending to come from Nadia María Ochoa <nadia_m_ochoa018@ yahoo .es> (random numbers after nadia_m_ochoa) with a zip attachment is another one from the current bot runs... The email looks like:
    From: Nadia María Ochoa <nadia_m_ochoa018@ yahoo .es>
    Date: Thu 31/03/2016 14:32
    Subject: Photos
    Attachment: Photos.zip


    Body content: Totally Blank

    31 March 2016: Photos.zip: Extracts to: 84628561-8282f-490006.js - Current Virus total detections 4/57*
    .. downloads Locky ransomware from
    site.ipark .tur.br/87h78rf33g (VirusTotal 3/57**). Others sites discovered include
    http ://mrsweeter .ru/87h78rf33g which is currently giving a '404' although was used earlier today for delivering Locky. It is almost certain that all the sites in THIS*** post which are delivering the same Locky ransomware file will also be used in a -differing- version of this email... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...is/1459431093/

    ** https://www.virustotal.com/en/file/7...is/1459428606/
    TCP connections
    88.198.119.177: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/72...1a7d/analysis/

    *** https://myonlinesecurity.co.uk/faxem...ky-ransomware/

    Last edited by AplusWebMaster; 2016-03-31 at 18:01.

  7. #937 - AplusWebMaster (Adviser Team)

    Fake 'REFUND DEPOSIT', 'photos' 'selfie', 'Votre demande' SPAM, 'Petya' analysis

    FYI...

    Fake 'REFUND DEPOSIT' SPAM - fake PDF malware
    - https://myonlinesecurity.co.uk/your-...e-pdf-malware/
    Updated: 1 Apr 2016 - "An email with the subject of 'YOUR REFUND DEPOSIT COPY' pretending to come from Lloyds Bank <refund@ lloydsbank .co.uk> with a zip attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...POSIT-COPY.png

    31 March 2016: Attach.zip: Extracts to: Deposit Slip.exe - Current Virus total detections 8/57*
    .. MALWR** | Payload Security***
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1459447576/

    ** https://malwr.com/analysis/YzJhMjI3M...FjYzg5ZWQ2NzI/

    *** https://www.reverse.it/sample/874970...nvironmentId=4
    Contacted Hosts
    5.254.112.27
    ___

    Fake 'photos' 'selfie' SPAM - JS malware
    - https://myonlinesecurity.co.uk/image...es-js-malware/
    1 Apr 2016 - "... numerous emails with the subject of 'images', 'photos' or 'selfie' pretending to come from random names and numbers at yahoo .es with a zip attachment is another one from the current bot runs which downloads what looks like Locky ransomware... some of these with no extension for the attachment... One of the emails looks like:
    From: Maite STEPHENS <GALEANA965@ yahoo .es>
    Date: Fri, 01 Apr 2016 10:35:17 +0100
    Subject: images
    Attachment: Photos(80).zip


    Body content: Empty/blank body

    1 April 2016: Photos(80).zip: Extracts to: IMG0000024405.js - Current Virus total detections 3/56*
    .. downloads what looks like Locky ransomware from
    http ://rhcequestrian .com/89uyg65fyguy (VirusTotal 5/57**)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1459503374/

    ** https://www.virustotal.com/en/file/c...is/1459503652/
    TCP connections
    88.198.119.177: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/72...1a7d/analysis/
    ___

    Fake 'Votre demande' SPAM - JS malware leads to Locky ransomware
    - https://myonlinesecurity.co.uk/votre...ky-ransomware/
    1 Apr 2016 - "... an email written in French with the subject of 'Votre demande – 4906548' [random numbered] pretending to come from Darlene Walden <Darlene.Walden@ gouv .fr> with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... The email looks like:
    From: Darlene Walden <Darlene.Walden@ gouv .fr>
    Date: Fri 01/04/2016 09:11
    Subject: Votre demande – 4906548
    Attachment: Cas_4906548.zip
    Monsieur / Madame,
    Nous avons bien recu votre mail nous demandant de ne pas donner suite a votre demande
    d’assurance du 01/04/2016 referencee en marge.
    De ce fait, nous procedons a l’annulation de cette derniere a sa date d’effet et vous
    precisons que vous ne pourriez vous prevaloir d’aucune garantie.
    Pour plus de details s’il vous plait verifier fichier joint (Cas_4906548)
    Nous vous remercions de bien vouloir en prendre note...

    Translates to:
    Sir / Madam,
    We have received your email asking us not to proceed with your insurance
    application of 01/04/2016, referenced in the margin.
    We are therefore cancelling it as of its effective date and advise you
    that you will not be able to claim any cover.
    For further details, please check the attached file (Cas_4906548).
    Please take note of this...


    1 April 2016: Cas_4906548.zip: Extracts to: Cas_2466628.js - Current Virus total detections 3/57*
    .. Payload Security** shows a download of Locky Ransomware from
    tag2change .com/images/old/note.exe (VirusTotal 2/56***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1459501792/

    ** https://www.reverse.it/sample/ea0d4b...nvironmentId=4
    Contacted Hosts
    108.175.14.122: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/dc...e550/analysis/

    *** https://www.virustotal.com/en/file/2...is/1459502285/
    ___

    Fake 'boss scams' meet AI robocallers - dangerous escalation of Fraud
    - http://blog.dynamoo.com/2016/04/fake...allers-in.html
    1 Apr 2016 - "Many of us will be familiar with the 'fake boss' scam. You're sitting at your desk when your CEO suddenly calls and asks you to transfer a large stack of currency to some shady-bank-account for a business transaction you are not allowed to talk about. This type of -fraud- is simple and can often pay out big bucks, but it is also labour intensive. Research has to be done on companies and -convincing- calls have to be made to unsuspecting-minions. Not only does this all take some time, but the more people involved in the scam then the more ways you have to split the booty.. and the greater the chance of getting caught.
    Now, the notorious Russian gang dubbed 'Den Duraka' by researchers have been discovered using a cunning new technique which makes this type of attack even more dangerous. Instead of relying on human beings to make the phone calls, they have now enrolled an AI-powered robocalling system which promises to be a game-changer. Sporting the clumsy Russian acronym 'LOZHNYY', this is deeply integrated into LinkedIn, Facebook, Twitter and other social networks, with feeds into business directories using -hacked- credentials. Once it has found a CEO to impersonate, it scours the web for video and audio clips to get an idea of accents and mannerisms, and then it starts to research company filings and financial data. All of this is then combined with a wide range of pre-prepared scripts and some basic question-and-answer scenarios to make a deadly weapon in the hands of the scammers. Some of the conversational AI features are rudimentary, and LOZHNYY sometimes resorts to buzzword-laden nonsense when out of its depth. Victims report that they were -not- suspicious as this seemed consistent with the behaviour of their CEOs. Cybersecurity experts are struggling with ways to counter this new threat. At the moment their best advice is to completely -ignore- any communications from your CEO and indeed any C-level executive..."
    ___

    Petya Ransomware - Malwarebytes analysis
    - https://blog.malwarebytes.org/threat...ya-ransomware/
    April 1, 2016 - "Petya is different from the other popular ransomware these days. Instead of encrypting files one by one, it denies access to the full system by attacking low-level structures on the disk. This ransomware’s authors have not only created their own boot loader but also a tiny kernel, which is 32 sectors long. Petya’s dropper writes the malicious code at the beginning of the disk. The affected system’s master boot record (MBR) is overwritten by the custom boot loader that loads a tiny malicious kernel. Then, this kernel proceeds with further encryption. Petya’s ransom note states that it encrypts the full disk, but this is not true. Instead, it encrypts the master file table (MFT) so that the file system is -not- readable.
    PREVENTION TIP: Petya is most dangerous in Stage 2 of the infection, which starts when the system is rebooted after the BSOD caused by the dropper. To prevent your computer from going to this stage automatically, turn off automatic restart after a system failure (see how to do it):
    > https://support.microsoft.com/en-us/kb/307973
    If you detect Petya in Stage 1, your data can still be recovered. More information about this can be found here:
    > https://hshrzd.wordpress.com/2016/03...a-key-decoder/
    ... Behavioral analysis: This ransomware is delivered via scam emails themed as a job application. E-mail comes with a Dropbox link, where the malicious ZIP is hosted. This initial ZIP contains two elements:
    - a -photo- of a young man, purporting to be an applicant (in fact it is a publicly-available-stock image)
    - an -executable- pretending to be a CV in a self-extracting archive or in PDF (in fact it is a malicious dropper in the form of a 32bit PE file):
    > https://blog.malwarebytes.org/wp-con...etya_exe-1.png
    In order to execute its -harmful- features, it needs to run with Administrator privileges. However, it doesn’t even try to deploy any user account control (UAC) bypass technique. It relies fully on social engineering. When we try to run it, UAC pops up this alert:
    > https://blog.malwarebytes.org/wp-con.../uac_popup.png
    After deploying the application, the system crashes. When it restarts, we see the following screen, which is an -imitation- of a CHKDSK scan:
    > https://blog.malwarebytes.org/wp-con.../2016/03/1.png
    In -reality- the malicious kernel is already encrypting. When it finishes, the affected user encounters this blinking screen with an ASCII art:
    > https://blog.malwarebytes.org/wp-con.../2016/03/2.png
    Pressing a key leads to the main screen with the ransom note and all information necessary to reach the Web panel and proceed with the payment:
    > https://blog.malwarebytes.org/wp-con.../2016/03/3.png
    ... We noted that the website for the victim is well prepared and very informative. The menu offers several language versions, but so far only English works:
    > https://blog.malwarebytes.org/wp-con...in-768x707.png
    It also provides a step-by-step process on how affected users can recover their data:
    > https://blog.malwarebytes.org/wp-con...de-768x707.png
    ... We expect that cybercriminals release as little information about themselves as possible. But in this case, the authors and/or distributors are very open, sharing the team name—”Janus Cybercrime Solutions”—and the project release date—12th December 2015...
    Conclusion: In terms of architecture, Petya is very advanced and atypical. A good-quality FUD, well-obfuscated dropper, and the heart of the ransomware, a little kernel, show that the authors are highly skilled. However, the chosen low-level architecture enforces some limitations, i.e. a small code size and the inability to use API calls. That makes cryptography difficult, which is why the key was generated by the higher layer, the Windows executable. This solution works well but introduces a weakness that allows the key to be restored (if we manage to -catch- Petya at -Stage1- -before- the key is erased)..."
    (More detail at the malwarebytes URL at the top of this post.)
    ___

    Ransomware and Recent Variants
    - https://www.us-cert.gov/ncas/alerts/TA16-091A
    March 31, 2016
    ___

    - https://www.virusbulletin.com/blog/2...-threat-model/
    "... Preventing macro malware from infecting your machine is really simple: -don't- enable macros, no matter how much a document urges you to do so..."

    Last edited by AplusWebMaster; 2016-04-01 at 20:57.
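
    Added example, not from the forum post or from the Malwarebytes write-up above: a Python baseline-and-compare check of a disk's first 512 bytes, which is the structure the Petya analysis says is overwritten. It hashes the bootstrap code separately from the disk signature and the partition table, so a run reports which part changed. Both sample sectors are constructed in memory for this example: CLEAN mimics a normal MBR with one NTFS partition, TAMPERED has different boot code but the same partition table and 0x55AA signature, which is the pattern described above (the machine still boots, straight into the malicious loader). The read_first_sector helper is an assumption about how you would obtain the sector from a live device or a dd image; it needs root on a device and is not exercised by the sample data.

```python
"""Baseline-and-compare check of the first sector (MBR) of a disk or image."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE = slice(0, 440)      # bootstrap code
DISK_SIG = slice(440, 444)     # Windows disk signature
BOOT_SIG = slice(510, 512)     # must be 0x55 0xAA for the firmware to boot it
PART_FMT = "<BBBBBBBBII"       # status, CHS start(3), type, CHS end(3), LBA, count


def parse_partitions(sector: bytes):
    """Return the four partition entries as (bootable, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        fields = struct.unpack_from(PART_FMT, sector, 446 + 16 * i)
        entries.append((fields[0] == 0x80, fields[4], fields[8], fields[9]))
    return entries


def baseline(sector: bytes):
    """Record what a later check compares against; keep this off the host."""
    return {
        "boot_code_sha256": hashlib.sha256(sector[BOOT_CODE]).hexdigest(),
        "disk_sig": sector[DISK_SIG].hex(),
        "partitions": parse_partitions(sector),
    }


def check_mbr(sector: bytes, base: dict):
    """Return a list of deviations from the baseline; an empty list means unchanged."""
    if len(sector) != SECTOR:
        return [f"expected {SECTOR}-byte sector, got {len(sector)}"]
    problems = []
    if sector[BOOT_SIG] != b"\x55\xaa":
        problems.append("boot signature 0x55AA missing")
    if hashlib.sha256(sector[BOOT_CODE]).hexdigest() != base["boot_code_sha256"]:
        problems.append("boot code differs from baseline")
    if sector[DISK_SIG].hex() != base["disk_sig"]:
        problems.append("disk signature changed")
    if parse_partitions(sector) != base["partitions"]:
        problems.append("partition table changed")
    return problems


def read_first_sector(path: str) -> bytes:
    """Assumed helper: read the MBR from a device (e.g. /dev/sda, needs root)
    or from a dd image of the disk."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def _make_sector(boot_code: bytes, partitions):
    """Build a constructed 512-byte MBR for this example (not a real disk)."""
    sec = bytearray(SECTOR)
    sec[0:len(boot_code)] = boot_code
    sec[DISK_SIG] = b"\x12\x34\x56\x78"
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, sec, 446 + 16 * i,
                         0x80 if bootable else 0, 0, 0, 0, ptype, 0, 0, 0, lba, count)
    sec[BOOT_SIG] = b"\x55\xaa"
    return bytes(sec)


# Constructed "clean" MBR: a bootstrap stub and one bootable NTFS (type 0x07) partition.
CLEAN = _make_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100,
                     [(True, 0x07, 2048, 204800)])
# Constructed "tampered" MBR: new boot code, same partition table and signature.
TAMPERED = _make_sector(b"\xeb\x3c\x90" + b"\xcc" * 200,
                        [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    base = baseline(CLEAN)
    print("clean:   ", check_mbr(CLEAN, base) or "unchanged")
    print("tampered:", check_mbr(TAMPERED, base))
```

    Take the baseline from a known-good state (for example right after imaging) and keep it off the host. A boot-code change is a tripwire, not a verdict: a legitimate bootloader update changes it too, and on GPT disks the first sector is only a protective MBR. It also does nothing for a machine that has already rebooted into Stage 2, which is why it belongs alongside the auto-restart tip above rather than instead of it.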

  8. #938 - AplusWebMaster (Adviser Team)

    Fake 'VeriFone', 'Refund', 'photos', 'Your Booking', 'Your parcel' SPAM

    FYI...

    Fake 'VeriFone' SPAM - JS malware
    - https://myonlinesecurity.co.uk/verif...ce-js-malware/
    4 Apr 2016 - "An email with the subject of 'VeriFone Services UK and Ireland Ltd' pretending to come from donotreply_invoices@ verifone .com with a zip attachment is another one from the current bot runs which downloads some sort of malware... The email looks like:
    From: donotreply_invoices@ verifone .com
    Date: Mon 04/04/2016 10:29
    Subject: VeriFone Services UK and Ireland Ltd
    Attachment: VeriFone_20160404095713.zip
    Please see attached Invoice(s).
    Thanks and Regards,
    VeriFone Services UK and Ireland Ltd
    Confidentiality Note: This email message contains information that is confidential. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this message is prohibited. If you have received this message or attachment in error, please notify us immediately by email and delete the original...


    4 April 2016: VeriFone_20160404095713.zip: Extracts to: VeriFone_20160404092434.js
    Current Virustotal detections 3/57*. MALWR** shows a download from
    http ://tag2change .com/images/old/note.exe (VirusTotal 4/57***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1459766150/

    ** https://malwr.com/analysis/YTliMjcxY...c3MTA5NTMyYjI/
    Hosts
    108.175.14.122: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/dc...e550/analysis/

    *** https://www.virustotal.com/en/file/d...is/1459766714/
    ___

    Fake 'Refund' SPAM - JS malware leads to Teslacrypt ransomware
    - https://myonlinesecurity.co.uk/refun...pt-ransomware/
    4 Apr 2016 - "An email with the subject of 'Refund for #18613 – $2,179,44' [random number, random amount] pretending to come from random names, companies and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt ransomware... One of the emails looks like:
    From: Pongky Morrill <MorrillPongky34@ bitsport .ru>
    Date: Mon 04/04/2016 12:20
    Subject: Refund for #18613 – $2,179,44
    Attachment: copy_nz_930864.zip
    Your refund request has been processed.
    Please, find the confirmation attached to this e-mail.


    4 April 2016: copy_nz_930864.zip: Extracts to: letter_EWxago.js - Current Virus total detections 6/57*
    .. MALWR** shows a download of a -new- version of Teslacrypt ransomware from
    http ://greetingseuropasqq .com/80.exe?1 (VirusTotal 7/57***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1459768523/

    ** https://malwr.com/analysis/ZTdmNzIwN...Q4ZTZmZjU1YTU/
    Hosts
    54.212.162.6
    217.70.180.150
    107.180.43.132
    107.180.4.122
    76.162.168.113
    192.186.220.8
    71.18.247.59


    *** https://www.virustotal.com/en/file/d...is/1459772578/
    TCP connections
    217.70.180.150
    107.180.43.132

    ___

    Fake 'photos' SPAM - from your own email address delivering Locky ransomware
    - https://myonlinesecurity.co.uk/photo...ut-empty-zips/
    4 Apr 2016 - "An email with the subject of 'Photos' [random number between 1 and 4] pretending to come from your own email address with a zip attachment is -supposed- to be another one from the current bot runs which downloads Dridex, Locky or some other malware but is malformed-and-misconfigured so the attached zip is -empty- ... They use email addresses and subjects that will entice a user to read the email and open the attachment...
    Update: Some working copies now trickling through containing -nemucod- downloaders delivering Locky ransomware. The email looks like:
    From: Your email address
    Date: Mon 04/04/2016 10:48
    Subject: Photos 3
    Attachment: 20160404_074897_resized.zip
    Envoyé de mon Galaxy S6 edge+ Orange


    Update: Managed to get a 'working' copy...
    4 April 2016: 20160404_409472_resized.zip: Extracts to: 20160401_833019_resized.js
    Current Virus total detections 2/57*.. downloads what looks like Locky ransomware from
    http ://taytantalya .com/54eftygub (VirusTotal 2/56**)
    Some other locations seen include:
    hatgiongrangdong .com/54eftygub and
    amid-s .com.ua/54eftygub
    http ://2ws .club/54eftygub
    http ://asensor .com.sg/54eftygub
    http ://freya58 .ru/54eftygub
    http ://lindecoration .com/54eftygub
    http ://lxtrading .com.sg/54eftygub
    http ://sargentojoe .com.br/54eftygub
    http ://stylekoko .com/54eftygub
    http ://waxmod .com/54eftygub ...
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1459764701/

    ** https://www.virustotal.com/en/file/7...is/1459763558/
    TCP connections
    91.209.77.86: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/e4...d291/analysis/
    ___

    Fake 'Your Booking' SPAM - JS malware leads to Teslacrypt
    - https://myonlinesecurity.co.uk/chang...pt-ransomware/
    4 Apr 2016 - "An email with the subject of 'Changes in Your Booking (Booking Nr:46081)' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt... The email looks like:
    From: Trudey Daniel <DanielTrudey588@ eskweb .net>
    Date: Mon 04/04/2016 14:40
    Subject: Changes in Your Booking (Booking Nr:46081)
    Attachment: aqq_copy_830379.zip
    There has been some important change in your booking (Booking Nr:46081). Please review the confirmation below.


    4 April 2016: aqq_copy_830379.zip: Extracts to: doc_xXsKNB.js - Current Virus total detections 5/57*
    .. Downloads Teslacrypt from the same locations as this earlier post**... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1459777068/

    ** https://myonlinesecurity.co.uk/refun...pt-ransomware/
    ___

    Fake 'Your parcel' SPAM - JS malware
    - https://myonlinesecurity.co.uk/your-...an-js-malware/
    4 Apr 2016 - "An email with the subject of 'Your parcel #898322, Status: Arrived Otis Ryan' [random numbered] pretending to come from Otis Ryan <cobranza@ moldecor .com> with a zip attachment is another one from the current bot runs which downloads some sort of malware... The email looks like:
    From: Otis Ryan <cobranza@ moldecor .com>
    Date:
    Subject: Your parcel #898322, Status: Arrived Otis Ryan
    Attachment: Otis Ryan.zip
    Valued Customer, Otis Ryan
    The check of 255.00$ for the parcel #617473 was received by our company and now has the Status: Paid.
    Our people has already shipped the purchase.
    Please, Be sure to write us back if you already received the order, as it should have been delivered on February 3, 2016.
    If you have any questions, you can check the details order enclosed to this e-mail, or call our department and we will offer you the other options.


    4 April 2016: Otis Ryan.zip: Extracts to: Otis Ryan.js - Current Virus total detections 3/57*
    .. MALWR** doesn’t show any downloads but Payload security[1] shows a download of some malware from
    yuilouters .com/img/sc.php?m=c2FuZHJhQG9uZWtuaWdodC5jby51aw%3D%3D&f=img.jpg (VirusTotal 4/56***). MALWR[2] - This isn’t a JPG (image file) but a -renamed- .exe file -despite- the icon showing it to be a jpg... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1459789450/

    ** https://malwr.com/analysis/OTUyMWQ0Y...ZmYzhkZDZiNTc/

    1] https://www.reverse.it/sample/3da03a...nvironmentId=4
    Host Address
    130.255.129.102: https://www.virustotal.com/en/ip-add...2/information/

    *** https://www.virustotal.com/en/file/6...is/1459790694/

    2] https://malwr.com/analysis/ZjRjMjg3M...cwYjdlNGFjZGQ/

    yuilouters .com: 193.33.197.174
    176.105.171.196
    46.98.193.150
    176.124.235.127
    176.103.235.5
    178.217.162.239
    5.1.14.100
    79.113.106.239
    86.126.0.128
    176.36.70.114


    Last edited by AplusWebMaster; 2016-04-04 at 21:09.

  9. #939
    AplusWebMaster

    Thumbs down Fake 'Receipt', 'Your Balance', 'Bank', 'Invoice - e-pay', 'Unpaid Bill' SPAM

    FYI...

    Fake 'Receipt' SPAM - xls macro malware
    - https://myonlinesecurity.co.uk/recei...macro-malware/
    5 Apr 2016 - "An email with the subject of 'Receipt' pretending to come from Mike <mike@ xencourier .co.uk> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Mike <mike@ xencourier .co.uk>
    Date: Tue 05/04/2016 10:10
    Subject: Receipt
    Attachment: scan0001.xls
    Hi
    Here is your credit card receipt attached. VAT invoice to follw in due course.
    Best regards
    Mike ...


    5 April 2016: scan0001.xls - Current Virus total detections 4/57*
    .. REVERSEIT** and MALWR*** show a download from
    http ://unifire .in/43tgw - MALWR[4] VirusTotal 3/56[5]. I am unsure whether this is Dridex or Locky ransomware, judging by the auto analysis, I am guessing on Dridex with an anti-analysis component... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1459847342/

    ** https://www.reverse.it/sample/5e6ced...nvironmentId=4
    Contacted Hosts
    184.154.132.107
    195.169.147.78


    *** https://malwr.com/analysis/YmFhZDA4O...U5Y2IyNDVjZDY/
    Hosts
    184.154.132.107: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/24...23d3/analysis/

    4] https://malwr.com/analysis/MzE4MTc4Y...IxNWYyYmIwZmY/

    5] https://www.virustotal.com/en/file/8...is/1459847771/
    ___

    Fake 'Your Balance' SPAM - leads to Teslacrypt
    - https://myonlinesecurity.co.uk/actua...pt-ransomware/
    5 Apr 2016 - "An email with the subject of 'Actual Status on Your Balance 49166' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt ransomware... The email looks like:
    From: Random senders
    Date: Tue 05/04/2016 13:05
    Subject: Actual Status on Your Balance 49166
    Attachment: zi_invoices_764173.zip
    Please find attached your actual statement for the period of 02/2016 to 03/2016.


    5 April 2016: zi_invoices_764173.zip: Extracts to: check_WuKGkn.js - Current Virus total detections 23/56*
    .. downloads Teslacrypt ransomware from
    http ://marvellrulesqq .com/70.exe?1 (VirusTotal 5/56**)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1441173827/

    ** https://www.virustotal.com/en/file/f...is/1459859633/
    TCP connections
    23.229.239.227

    marvellrulesqq .com: 185.118.142.154: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/88...3956/analysis/
    54.212.162.6: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/9f...d5de/analysis/
    104.161.60.151: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'Bank' SPAM - doc malware
    - https://myonlinesecurity.co.uk/pfi-0...d-doc-malware/
    5 Apr 2016 - "This email that appears to be from Union National Bank-Egypt with the subject of 'PFI -05.04.16' pretending to come from CEO Finexx Group <sales@ salesbabu .com> with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...u-1024x597.png

    5 April 2016 : Invvoice.docx - Current Virus total detections 8/56*
    .. MALWR** - This -malicious- word doc has an -embedded- .exe file that gets extracted and decoded when you click-on-the-icon inside the word doc to deliver MICROSOFT.exe (VirusTotal 7/55***). This was passed on to me by another analyst... When I extracted the malware from the word doc I got THIS (VT 7/57[4]) differently detected malware... See screenshot (below):
    > https://myonlinesecurity.co.uk/wp-co...x-1024x532.png
    These embedded OLE objects will extract from ANY office program that can read & display word docs, as far as I am aware this also includes open office, libre office and all the other non-Microsoft programs. If you do follow their advice and click-on-the-object... it is game-over and you-are-compromised... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1459854693/

    ** https://malwr.com/analysis/OGFiODhjN...ljMGUxMWFhNzk/

    *** https://www.virustotal.com/en/file/a...is/1459854644/
    TCP connections
    93.184.220.29
    104.86.111.136


    4] https://www.virustotal.com/en/file/3...is/1459861778/
    ___

    Fake 'Invoice - e-pay' SPAM - JS malware leads to Dridex
    - https://myonlinesecurity.co.uk/invoi...ads-to-dridex/
    5 Apr 2015 - "An email with the subject of 'Invoice: 912409' pretending to come from UK e-pay Email Server (epay UK) <DO.NOT.REPLY.TO@ uk.epayworldwide .com> with a zip attachment is another one from the current bot runs which downloads Dridex banking Trojan... The email looks like:
    From: UK e-pay Email Server (epay UK) <DO.NOT.REPLY.TO@ uk.epayworldwide .com>
    Date: Tue 05/04/2016 12:24
    Subject: Invoice: 912409
    Attachment: PeriodSummarybyTerminal.zip
    Account: 912409


    5 April 2016: PeriodSummarybyTerminal.zip: Extracts to: KFVL-902246613812.js - Current Virus total detections 6/57*
    .. Downloads Dridex banking Trojan from
    http ://mekongtrails .com/4543t43 (VirusTotal 5/56**) Which appears to be the -same- version and also using the -same- file names and the -same- other download locations as THIS earlier malspam run***... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1459859137/

    ** https://www.virustotal.com/en/file/8...is/1459858301/

    *** https://myonlinesecurity.co.uk/recei...macro-malware/

    mekongtrails .com: 173.236.74.11: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/14...b5f6/analysis/
    ___

    Fake 'Unpaid Bill' SPAM - JS malware leads to Teslacrypt
    - https://myonlinesecurity.co.uk/unpai...to-teslacrypt/
    5 Apr 2016 - "An email with the subject of 'Unpaid Bill for Car Repair Service 7650' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads teslacrypt... The email looks like:
    From: Random
    Date: Tue 05/04/2016 16:33
    Subject: Unpaid Bill for Car Repair Service 7650
    Attachment: copy_xerox.device5_868199.zip
    We kindly ask you to review our unpaid bill again and send us the payment in order to avoid additional costs.


    5 April 2016: copy_xerox.device5_868199.zip: Extracts to: finance_NJTugN.js - Current Virus total detections 7/57*
    .. MALWR** and payload security*** shows a download of Teslacrypt from
    marvellrulesqq .com/70.exe?1 (VirusTotal 4/56[4]) or
    http ://marvellrulesqq .com/80.exe?1 (VirusTotal 4/57[5]). Although both files are the same size they have different sha1# ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1459871414/

    ** https://malwr.com/analysis/YjNkMDg3M...ZiYjFiMGYyNGY/
    Hosts
    104.161.60.151
    23.229.239.227
    194.228.3.204


    *** https://www.hybrid-analysis.com/samp...nvironmentId=4
    Contacted Hosts
    54.212.162.6
    23.229.239.227
    194.228.3.204


    4] https://www.virustotal.com/en/file/7...is/1459872787/
    TCP connections
    23.229.239.227
    194.228.3.204
    107.180.26.75
    192.185.151.39


    5] https://www.virustotal.com/en/file/8...is/1459873099/
    TCP connections
    23.229.239.227
    194.228.3.204


    marvellrulesqq .com: 185.118.142.154: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/ff...2817/analysis/
    54.212.162.6: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/9f...d5de/analysis/
    104.161.60.151: https://www.virustotal.com/en/ip-add...1/information/

    Last edited by AplusWebMaster; 2016-04-05 at 22:44.

  10. #940
    AplusWebMaster

    Thumbs down Fake 'Voicemail', 'Invoicing', 'Document(1)', 'Remittance Details' SPAM

    FYI...

    Fake 'Voicemail' SPAM - JS malware
    - https://myonlinesecurity.co.uk/soho6...37-js-malware/
    4 Apr 2016 - "An email with the subject of 'New Voicemail Message From 07792084437' [random numbers] pretending to come from Soho66 <noreply@ soho66 .co.uk> with a zip attachment is another one from the current bot runs which downloads some sort of malware... The email looks like:
    From: Soho66 <noreply@ soho66 .co.uk>
    Date:
    Subject: New Voicemail Message From 07792084437
    Attachment: MSG0000060895.WAV.RAR
    Hi,
    You have been left a 0:19 long message (number 11) in mailbox 1006 from 07792060895, on Wed, 06 Apr 2016 06:13:47 -0400
    The voicemail message has been attached to this email as a wave file – which you can play on most computers.
    Our Regards
    The Soho66 Customer Team
    Please do not reply to this message. This is an automated message which comes from an unattended mailbox...


    6 April 2016: MSG0000060895.WAV.RAR: Extracts to: MSG00004481919.WAV.js - Current Virus total detections 5/57*
    .. MALWR** shows a download from http ://mapstor .org/1278u0 (VirusTotal 1/57***). MALWR[4]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/b...is/1459938427/

    ** https://malwr.com/analysis/ZjM2YjA4O...lhMDU4NTBmMDk/
    Hosts
    104.27.167.24: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/c4...40e7/analysis/

    *** https://www.virustotal.com/en/file/f...is/1459939012/

    4] https://malwr.com/analysis/NTU2YjIzY...VkOWQ0YWJhZmI/
    ___

    Fake 'Invoicing' SPAM - JS malware
    - https://myonlinesecurity.co.uk/liber...ng-js-malware/
    6 Apr 2016 - "An email with no subject pretending to come from Liberty Wines, Invoicing <invoicing@ libertywines .co.uk> with a zip attachment is another one from the current bot runs which downloads an unknown malware probably either Locky ransomware or Dridex banking Trojan... The email looks like:
    From: , Invoicing <invoicing@ libertywines .co.uk>
    Date: Wed 06/04/2016 11:50
    Subject: [blank/empty]
    Attachment: Sales-Invoice LWIN0136332.rar
    Dear Customer,
    Please find attached your invoice, number: LWIN0136332.
    Kind regards,
    Liberty Wines


    6 April 2016: Sales-Invoice LWIN0136332.rar: Extracts to: MSG00008141521.WAV.js - Current Virus total detections 5/57*
    .. MALWR** shows a download from http ://vnnsports .com/1278u0 which although a different # is the -same- malware as described in THIS earlier post***... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1459939899/

    ** https://malwr.com/analysis/MTc4YTRhM...RiNTczNGIxMGY/
    Hosts
    184.154.132.107: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/e5...9b1b/analysis/

    *** https://myonlinesecurity.co.uk/soho6...37-js-malware/
    ___

    Fake 'Document(1)' SPAM - doc macro malware
    - https://myonlinesecurity.co.uk/docum...macro-malware/
    6 Apr 2016 - "A blank/empty email with the subject of 'Document(1)' pretending to come from your own email address with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: your email address
    Date: Wed 06/04/2016 14:15
    Subject: Document(1)
    Attachment: Document(1).doc


    Body content: Totally empty/Blank

    6 April 2016: Document(1).doc - Current Virus total detections 10/56*
    .. MALWR shows a download of Dridex banking Trojan from
    http ://jabez .jp/1278u0 (VirusTotal 12/57**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1459948652/

    ** https://www.virustotal.com/en/file/e...is/1459961706/
    TCP connections
    109.235.139.64

    jabez .jp: 120.136.14.15: https://www.virustotal.com/en/ip-add...5/information/
    ___

    Fake 'Remittance Details' SPAM - rtf macro malware delivers Dridex
    - https://myonlinesecurity.co.uk/remit...livers-dridex/
    6 Apr 2016 - "An email with the subject of 'Remittance Details (USD 7956.88) – your-web-address' pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... One of the emails looks like:
    From: random senders
    Date: Wed 06/04/2016 16:04
    Subject: Remittance Details (USD 7956.88) – securityandprivacy.co.uk
    Attachment: Invoice Number 0297376 – Issue Date 02165639.rtf
    Dear All
    Please find attached your banking details and do note the difference from the one we have We are to proceed with the payment of USD 7956.88 so please do verify attached bank details to avoid making payment to the wrong person as it is our custom. Please reply if you have any questions. Thanks Beryl Frye NAMIBIAN RESOURCES...


    6 April 2016: Invoice Number 0297376 – Issue Date 02165639.rtf - Current Virus total detections 4/56*
    .. MALWR** shows a download of Dridex banking Trojan from
    http ://shop.bleutree .biz/tablets/galaxytab3.php which gave me crypted122med.exe (VirusTotal 5/56***)...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1459960107/

    ** https://malwr.com/analysis/Nzk4YWE5N...YzMWRmNDg5NmY/
    Hosts
    85.143.209.13: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/6d...9d13/analysis/

    *** https://www.virustotal.com/en/file/9...is/1459960596/

    shop.bleutree .biz: 85.143.209.13
    ___

    Fake 'Security Update' SPAM - BT phish
    - https://myonlinesecurity.co.uk/atten...e-bt-phishing/
    6 Apr 2016 - "'Attention! Security Update' pretending to come from BT is one of the latest -phish- attempts to steal your BT details and your Bank, credit card and personal details... This one wants your personal details, BT log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...l-1024x781.png

    ... When (IF) you fill in your user name and password you are sent to a page where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

    Last edited by AplusWebMaster; 2016-04-06 at 22:15.
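    The posts #938 to #940 above keep returning to the same three attachment tricks: a script (.js) hidden behind a decoy double extension such as "MSG00004481919.WAV.js", a renamed .exe that still shows an image or document icon, and an Office document that carries a VBA project or an embedded OLE object the lure asks you to click. The script below is an added triage example written for this thread; it is not code from the forum posts or from myonlinesecurity.co.uk. It builds small in-memory archives that mimic those attachment shapes (constructed sample data, labelled as such in the code) and flags each of the three patterns, plus the empty archives mentioned in the 'Photos' run. Names such as triage_attachment and the finding labels are this example's own.

```python
"""Attachment triage for the malspam patterns reported in posts #938 to #940.

Constructed example: the archives below are built in memory to mimic the
attachment layouts described in the posts; none of this is code from the
forum or from myonlinesecurity.co.uk.
"""
import io
import os
import zipfile

# Extensions Windows executes or hands to the script host on double-click.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".exe", ".scr",
               ".cmd", ".bat", ".ps1", ".pif"}
# Bait extensions seen in front of the real one ("MSG...WAV.js").
DECOY_EXTS = {".wav", ".doc", ".docx", ".pdf", ".jpg", ".txt", ".xls", ".mp3"}
# Office Open XML containers that can carry a VBA project or embedded OLE objects.
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
PE_EXTS = {".exe", ".dll", ".scr", ".sys", ".pif"}


def split_exts(name):
    """All extensions of a filename, lowercased: 'a.WAV.js' -> ['.wav', '.js']."""
    parts = os.path.basename(name).split(".")
    return ["." + p.lower() for p in parts[1:]]


def flag_name(name):
    """Name-based findings: script/executable extension and decoy double extension."""
    findings = []
    exts = split_exts(name)
    if not exts:
        return findings
    if exts[-1] in SCRIPT_EXTS:
        findings.append("script-or-executable:" + exts[-1])
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        findings.append("double-extension:" + "".join(exts[-2:]))
    return findings


def flag_content(name, head):
    """Content-based finding: a PE image ('MZ' header) under a harmless-looking extension."""
    exts = split_exts(name)
    last = exts[-1] if exts else "<none>"
    if head.startswith(b"MZ") and last not in PE_EXTS:
        return ["pe-with-misleading-extension:" + last]
    return []


def triage_archive(data):
    """Map each zip member to its findings; an empty archive is reported as such."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if not names:
            report["<archive>"] = ["empty-archive"]
        for n in names:
            with zf.open(n) as member:
                head = member.read(2)  # only the magic bytes are needed
            report[n] = flag_name(n) + flag_content(n, head)
    return report


def triage_ooxml(data):
    """Look inside an OOXML document for a VBA project and embedded OLE objects."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
    if any(n.endswith("vbaproject.bin") for n in names):
        findings.append("vba-macro-project")
    embedded = [n for n in names if "/embeddings/" in n]
    if embedded:
        findings.append("embedded-ole-objects:%d" % len(embedded))
    return findings


def triage_attachment(filename, data):
    """Dispatch on container type; name checks still apply to formats not opened here (e.g. RAR)."""
    exts = split_exts(filename)
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    if exts and exts[-1] in OOXML_EXTS and is_zip:
        return {filename: flag_name(filename) + triage_ooxml(data)}
    if is_zip:
        return triage_archive(data)
    return {filename: flag_name(filename) + flag_content(filename, data[:2])}


def is_suspicious(report):
    """True when any entry in a triage report carries at least one finding."""
    return any(findings for findings in report.values())


def _zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header as used by vbaProject.bin

# Constructed samples modelled on the attachment shapes in the posts above.
SAMPLES = {
    "MSG0000060895.WAV.zip": _zip({"MSG00004481919.WAV.js": b"var a=1;"}),
    "Document(1).docm": _zip({"[Content_Types].xml": b"<Types/>",
                              "word/document.xml": b"<w:document/>",
                              "word/vbaProject.bin": OLE_MAGIC}),
    "Invvoice.docx": _zip({"[Content_Types].xml": b"<Types/>",
                           "word/document.xml": b"<w:document/>",
                           "word/embeddings/oleObject1.bin": OLE_MAGIC}),
    "20160404_074897_resized.zip": _zip({}),  # the malformed, empty 'Photos' attachment
    "img.jpg": b"MZ\x90\x00" + b"\x00" * 60,  # renamed PE under an image extension
    "report.zip": _zip({"report.pdf": b"%PDF-1.4"}),
}


if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        rep = triage_attachment(fname, blob)
        print("%-30s %s %s" % (fname, "SUSPICIOUS" if is_suspicious(rep) else "clean", rep))
```

    The name checks are deliberately format-independent, so a .RAR attachment (which the standard library cannot open) is still caught by its own double extension, and a mail-gateway rule can be built from flag_name alone. The content check only reads the first two bytes of each member, which is enough to catch the renamed-.exe-with-a-JPG-icon case from post #938 without executing or fully parsing anything.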
