
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #941
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005
    Location: USA
    Posts: 6,881

    Fake 'invoice', 'Your Latest Documents' SPAM

    FYI...

    Fake 'invoice' SPAM - doc macro malware
    - https://myonlinesecurity.co.uk/lates...macro-malware/
    7 Apr 2016 - "A -series- of emails with the basic subject of 'invoice' pretending to come from random names with a malicious word doc attachment is another one from the current bot runs... Some of the subjects seen include:
    Uta Mclaughlin: Latest Invoice
    Meghan Mckay, Sales Invoice
    Fwd:Camille Glover. Purchase Invoice

    The email looks like:
    From: Uta Mclaughlin <nickbockholdt@ gmx .de> / Meghan Mckay <ramykhalifa@ emerge-studio .com> /
    Camille Glover <david@ deliciousworldcorp .com>
    Date: Thu 07/04/2016 04:51
    Subject: Uta Mclaughlin: Latest Invoice
    Attachment: 4872113603.doc
    Please review the document enclosed with this message.
    Kind regards
    Meghan Mckay


    7 April 2016: 4872113603.doc - Current Virus total detections 3/57*
    .. Payload Security** shows a download from creditprimo .com/h1.jpg?BbZJpyfbopM=12
    which gives this image (VirusTotal 2/57***). The macro extracts the malware from the image to give
    12120.exe (VirusTotal 2/57[4]). MALWR[5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1460006738/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=4
    Contacted Hosts
    138.128.125.153

    *** https://www.virustotal.com/en/file/9...is/1460008049/

    4] https://www.virustotal.com/en/file/5...is/1460007688/

    5] https://malwr.com/analysis/ODljMmY2N...hjNWFhMDk3Mzc/
    ___

    Fake 'Your Latest Documents' SPAM - doc macro malware leads to Locky Ransomware
    - https://myonlinesecurity.co.uk/your-...ky-ransomware/
    7 Apr 2016 - "An email with the subject of 'Your Latest Documents' from Angel Springs Ltd [STA054C] pretending to come from ebilling@ angelsprings .com with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...C-848x1024.png

    7 April 2016: G-A0288010040780590521.pdf / G-A0288010040780590521.docm - Current Virus total detections 9/56*
    .. MALWR** shows a download from http ://360webhosts .com/0uh634 (VirusTotal 13/56***) which is the -same- malware as described HERE[4] which is actually a downloader that downloads from 185.103.252.148/files/o35jkR.exe which is Locky Ransomware (VirusTotal 2/56[5])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/9...is/1460028627/

    ** https://malwr.com/analysis/YmNjNDgwZ...IzNGQ0NzYyZGQ/
    Hosts
    202.87.31.185: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/1a...c663/analysis/
    109.235.139.64

    *** https://www.virustotal.com/en/file/f...is/1460027909/
    TCP connections
    109.235.139.64

    4] https://myonlinesecurity.co.uk/dossi...macro-malware/

    5] https://www.virustotal.com/en/file/f...is/1460026504/

    185.103.252.148: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/3f...971a/analysis/

    Last edited by AplusWebMaster; 2016-04-07 at 14:48.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #942
    AplusWebMaster (Adviser Team)

    Researchers shut down SPAM botnet

    FYI...

    Researchers shut down SPAM botnet - 4,000 Linux machines
    - http://arstechnica.com/security/2016...inux-machines/
    Apr 9, 2016 - "A botnet that enslaved about 4,000-Linux-computers and caused them to blast the Internet with spam for more-than-a-year has finally been shut down. Known as -Mumblehard- the botnet was the product of highly skilled developers. It used a custom "packer" to conceal the Perl-based source code that made it run, a backdoor that gave attackers persistent access, and a mail daemon that was able to send large volumes of spam. Command servers that coordinated the compromised machines' operations could also send messages to Spamhaus requesting the -delisting- of -any- Mumblehard-based IP addresses... In the months following Eset's* discovery of Mumblehard in late 2014, company researchers worked with Estonian law enforcement and an industry partner to shut down the botnet. In February of this year, the group took control of the Internet address belonging to the command server, making it possible for researchers to "sinkhole" the botnet. Rather than connecting to the attackers' control server, the infected machines connected to benign machines operated by the takedown participants. By analyzing the incoming traffic, they estimated that about 4,000 computers were infected. Researchers still don't know how Mumblehard was able to initially take hold of its victims... The number of machines reporting to the sinkholed server has been slowly dropping as compromised systems are disinfected."
    * http://www.welivesecurity.com/2016/0...from-spamming/

    > http://www.welivesecurity.com/wp-con...le_stats_1.png
    Stats from Mumblehard sinkhole

    > http://www.welivesecurity.com/wp-con...le_stats_2.png
    Statistics from our new sinkhole

    Last edited by AplusWebMaster; 2016-04-09 at 22:43.

  3. #943
    AplusWebMaster (Adviser Team)

    Ransomware: extortion, Fake 'DTC Workshop' SPAM

    FYI...

    Ransomware: Past, Present, and Future
    - https://blogs.cisco.com/security/tal...ent-and-future
    Apr 11, 2016 - "... The problem we face is that every single business that -pays- to recover their files, is directly funding the development of the next generation of ransomware. As a result of this we’re seeing ransomware evolve at an alarming rate... Ransomware as we know it today has a sort of ‘spray and pray’ mentality; they hit as many individual targets as they can as quickly as possible. Typically, payloads are delivered via exploit kits or mass phishing campaigns. Recently a number of scattered ransomware campaigns deliberately targeting enterprise networks, have come to light. We believe that this is a harbinger of what’s to come — a portent for the future of ransomware. Traditionally, malware was never terribly concerned with the destruction of data or denial of access to its contents; with few notable exceptions, data loss was mostly a side-effect of malware campaigns. Most actors were concerned with sustained access to data or the resources a system provided to meet their objectives. Ransomware is a change to this paradigm from subversion of systems to outright extortion; actors are now denying access to data, and demanding money to restore access to that data..."
    > http://blog.talosintel.com/2016/04/ransomware.html#more
    ___

    Fake 'DTC Workshop' SPAM - doc macro malware
    - https://myonlinesecurity.co.uk/email...macro-malware/
    11 Apr 2016 - "An email with the subject of 'Emailing: M_20150401_0729_AY56EMF __XLRAE55CF0L324298' pretending to come from DTC Workshop <workshop@ digitaltachocentre .co.uk> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: DTC Workshop <workshop@ digitaltachocentre .co.uk>
    Date: Mon 11/04/2016 10:16
    Subject: Emailing: M_20150401_0729_AY56EMF __XLRAE55CF0L324298
    Attachment: M_20150401_0729_AY56EMF __XLRAE55CF0L324298.DOCM
    Your message is ready to be sent with the following file or link
    attachments:
    M_20150401_0729_AY56EMF __XLRAE55CF0L324298
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled.


    11 April 2016: M_20150401_0729_AY56EMF __XLRAE55CF0L324298.DOCM Current Virus total detections 8/57*
    .. MALWR** and Payload Security*** show a download from http ://oootels .ru/87t5gh (VirusTotal 5/56[4])
    which looks like Dridex banking Trojan but might be a rockloader Locky ransomware downloader
    .. MALWR[5] analysis is inconclusive... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/d...is/1460366222/

    ** https://malwr.com/analysis/MmExZDQwY...FhYTQxZjJmOWU/
    Hosts
    90.156.201.101

    *** https://www.hybrid-analysis.com/samp...nvironmentId=4
    Contacted Hosts
    90.156.201.59
    194.116.73.71


    4] https://www.virustotal.com/en/file/0...is/1460365587/

    5] https://malwr.com/analysis/MDZjMjdhY...FmYzVmOGEyZTU/

    oootels .ru: 90.156.201.25
    90.156.201.101

    90.156.201.59: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/7a...3667/analysis/
    90.156.201.67: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/86...26f7/analysis/

    Last edited by AplusWebMaster; 2016-04-11 at 17:39.

  4. #944
    AplusWebMaster (Adviser Team)

    Evil networks to block ...

    FYI...

    PlusSized problem with Angler EK
    - http://blog.dynamoo.com/2016/04/plus...blem-with.html
    12 Apr 2015 - "PlusServer GmbH is a legitimate German hosting company. But unfortunately, the bad guys keep hosting Angler EK sites in their IP ranges over and over again. So far I have seen many /24 blocks which have effectively been burned by out-of-control Angler (and other EK) infections. There are many individual IPs too, but below I list some of the worst blocks (links go to Pastebin).

    Blocking these ranges will block some legitimate sites, but if Angler is causing you a problem then I would lean towards blocking those ranges and accepting the chance of some minor or moderate collateral damage. There are other bad ranges here for other hosts too. In addition, some Angler activity has been observed in the following ranges but is not yet widespread (I will update if I see more activity):

    PlusServer (or more likely one or more of their resellers) appear to be responsible for a large number of active Angler EK IPs (at a guesstimate, about a quarter). The problem is that some of these ranges are so badly infected (e.g. there are around 48 past and present bad IPs in 188.138.105.0/24) that the only safe option is to block traffic to those network ranges. With black hat hosts such as Qhoster or Host Sailor and to some extent Agava you can block the entire network ranges and not block anything of value at all. In using PlusServer, the bad guys can hide their evil sites among legitimate sites where administration might fear to block something accidentally. My personal opinion is that admins need to be bold and block anyway.. it should usually be possible to block individual sites where needed."
    (Links w/more info on each range available at the dynamoo URL above.)
    ___

    Evil networks to block...
    - http://blog.dynamoo.com/2016/04/evil...016-04-11.html
    Apr 11, 2016 23:07 - "... it has been a while since my last list of bad networks you might want to block. Hopefully in the next couple of days I will have another list outlining some bad problems with PlusServer IP ranges, in the mean time here are a load of network blocks with a high concentration of Angler EK and other nastiness. (The links go to my Pastebin with more details).

    (Links w/more info on each range available at the dynamoo URL above.)

    Last edited by AplusWebMaster; 2016-04-12 at 15:42.

  5. #945
    AplusWebMaster (Adviser Team)

    Fake 'Business Card', 'Past Due', 'Prompt response required' SPAM

    FYI...

    Fake 'Business Card' SPAM - JS malware leads to Dridex
    - https://myonlinesecurity.co.uk/busin...ns-js-malware/
    13 Apr 2016 - "An empty/blank email with the subject of 'Business Card' pretending to come from Tracey Gittens <traceygittens@ hotmail .com> with a zip attachment is another one from the current bot runs which downloads Dridex banking Trojan... The email looks like:
    From: Tracey Gittens <traceygittens@ hotmail .com>
    Date: Wed 13/04/2016 11:52
    Subject: Business Card
    Attachment: IMG_1670.ZIP


    Body content: Completely blank/empty

    13 April 2016: IMG_1670.ZIP: Extracts to: IMG_0505.js - Current Virus total detections 3/57*
    .. MALWR** shows a download of Dridex Banking Trojan from
    http ://beatingbingo .com/dat12223 (VirusTotal 8/57***)... This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1460548644/

    ** https://malwr.com/analysis/YzYyM2ViM...RmZDlhZjQ4M2M/
    Hosts
    139.162.3.176: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/0e...c4fd/analysis/

    *** https://www.virustotal.com/en/file/a...is/1460546538/
    ___

    Fake 'Past Due' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/04/malw...4-13-2016.html
    13 Apr 2016 - "This -fake- financial email comes with a malicious attachment:
    From: Tran
    Reply-To: Tran, Reuben - ADVANCED ONCOTHERAPY PLC [TranReuben1322@ telecom .kz]
    Date: 13 April 2016 at 16:24
    Subject: Past Due 04 13 2016 - ADVANCED ONCOTHERAPY PLC
    Good morning,
    Please advise status on these
    If shipped, please send invoice & tracking ...


    I have only seen a single copy of this, it is likely that the company name will vary from email to email. The attachment due #46691848.doc has a VirusTotal detection rate of 5/56*. According to this Malwr report** it downloads a file from:
    mgmt.speraelectric .info/flows/login.php
    Right at the moment this is just a copy of the Windows Calculator and is harmless, but the payload could be switched later to something more malicious, probably Locky ransomware or the Dridex banking trojan."
    * https://www.virustotal.com/en/file/c.../#46691848.doc

    ** https://malwr.com/analysis/ZmM0ZThlZ...Y3NzdhZjY1ZTg/
    Hosts
    85.93.146.3: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/65...a820/analysis/
    ___

    Fake 'Prompt response required' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/04/malw...-required.html
    13 Apr 2016 - "This -fake- financial spam has a malicious attachment:
    From: Hillary Odonnell [Hillary.OdonnellF@ eprose .fr]
    Date: 13 April 2016 at 18:40
    Subject: Prompt response required! Past due inv. #FPQ479660
    Hello,
    I am showing that invoice FPQ479660 is past due. Can you tell me when this invoice is scheduled for payment?
    Thank you,
    Jake Gill
    Accounts Receivable Department
    Diploma plc ...


    The person it is "From", the reference number and the company name vary from spam to spam. All the samples I have seen have the name "Jake Gill" in the body text. Attached is a semi-random RTF document (for example, DOC02973338131560.rtf). There seem to be several different versions of the attachment, I checked four samples... and VirusTotal detection rates seem to be in the region of 7/57*. The Malwr reports for those samples are inconclusive... (as are the Hybrid Analyses...) but do show a failed lookup attempt for the domain onlineaccess.bleutree .us (actually hosted on 212.76.140.230 - MnogoByte, Russia). The payload appears to be Dridex. We can see a reference to that server at URLquery** which shows an attempted malicious download. It also appears in this Hybrid Analysis report***. At the moment however, the server appears to be not responding, but it appears that for that sample the-malware-communicated with:
    195.169.147.88 (Culturegrid.nl, Netherlands)
    178.33.167.120 (OVH, Spain)
    210.70.242.41 (TANET, Taiwan)
    210.245.92.63 (FPT Telecom Company, Vietnam)
    These are all good IPs to block. According to DNSDB... other domains have all been hosted on the 212.76.140.230 address...You can bet that they are all malicious too."
    * https://www.virustotal.com/en/file/0...c5e3/analysis/

    ** https://urlquery.net/report.php?id=1460476851963

    *** https://www.hybrid-analysis.com/samp...nvironmentId=1

    Last edited by AplusWebMaster; 2016-04-14 at 01:53.

  6. #946
    AplusWebMaster (Adviser Team)

    Fake 'Act' SPAM

    FYI...

    Fake 'Act' SPAM - unknown ransomware
    - https://myonlinesecurity.co.uk/act-unknown-ransomware/
    14 Apr 2016 - "An email with the subject of 'Act' pretending to come from Nikolai Volkov <Volkov@ info .com> with a RAR attachment is another one from the current bot runs...
    Update: I am informed that this is part of an “affiliate” ransomware scheme that is generally detected by Antiviruses as a generic detection of viruscoder xxxxx / filecoder xxxx, however each version is completely different and the decoder/decrypter is based on the affiliate and the infected computer’s ID strings and it is virtually impossible to decode /decrypt the infected /encrypted files. We do not know of any guaranteed tools that work. Although some generic decrypter tools from antivirus companies like Kaspersky, Bitdefender etc. might work on some versions by using a brute force approach. That would depend though on the degree of encryption that the “affiliate” put on the encryption method...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...l-1024x388.png

    14 April 2016: act.rar: Extracts to: act.exe - Current Virus total detections 7/56*
    .. MALWR**. When the malware is run on a test system, it puts a ransomware message on the desktop.
    See screenshot:
    > https://myonlinesecurity.co.uk/wp-co...ransomware.jpg
    ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1460582417/

    ** https://malwr.com/analysis/ZGYxZjRjM...M2M2ZhNzQ5YmM/
    Hosts
    192.99.14.211: https://www.virustotal.com/en/ip-add...1/information/
    85.25.194.97: https://www.virustotal.com/en/ip-add...7/information/


  7. #947
    AplusWebMaster (Adviser Team)

    Fake 'Quote Price' SPAM, AdsTerra Malvertising

    FYI...

    Fake 'Quote Price' SPAM - leads to malware
    - http://blog.dynamoo.com/2016/04/malw...irm-quote.html
    18 Apr 2016 - "This -fake- financial spam leads to malware:
    From: khlee@ ahnchem .com sales
    To:
    Date: Mon, 18 Apr 2016 13:46:21 +0100
    Subject: Re: Quote Price
    Dear Sir
    FYI,
    Please do confirm the Quote Price and get back to me as soon as possible.
    Regards
    Sales Department


    Attached is a file with an unusual extension, ORDER LIST.ace which is actually a compressed archive (basically a modified ZIP file). It contains an -executable- ORDER LIST.exe which has a VirusTotal detection rate of 15/56*. That same VirusTotal report indicates traffic to:
    booksam .tk/pony/gate.php
    This is hosted on:
    46.4.100.109 (Hetzner, Germany)
    That IP address might be worth blocking. The Hybrid Analysis** indicates that this steals FTP and perhaps other passwords. This is a Pony loader which will probably try to download additional malware, but it is not clear what it might be."
    * https://www.virustotal.com/en/file/7...is/1460986926/
    TCP connections
    46.4.100.109: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/5b...05e2/analysis/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    AdsTerra Malvertising
    - https://blog.malwarebytes.org/threat...-malvertising/
    Apr 18, 2016 - "The Magnitude EK has been on the forefront of most of the malvertising-driven attacks we have seen in the past few weeks. In fact, the intense activity it is generating is overshadowing other exploit kits and distribution methods such as compromised websites... The direct reason for this flood of Magnitude EK activity is the use of ad networks that are responsible for malvertising on a large scale. By far, the majority of incidents have come from AdsTerra (AKA TerraClicks) which we have contacted but have not heard back from... In the past two weeks, we have documented over -400- unique malvertising incidents coming out of AdsTerra. These malicious advertisements were displayed on a variety of adult sites and torrent portals and the ultimate payload was the Cerber ransomware. Those that do not get redirected to the Magnitude EK are likely to run into the infamous tech support scams... we have decided to blacklist the terraclicks[.]com domain which will effectively block any ad coming out of AdsTerra and prevent infections and scams."

    terraclicks[.]com: 198.134.112.232: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/46...0942/analysis/

    Last edited by AplusWebMaster; 2016-04-19 at 16:04.

  8. #948
    AplusWebMaster (Adviser Team)

    Fake 'Angel Springs', 'Latest order', 'Facture' SPAM

    FYI...

    Fake 'Angel Springs' SPAM - JS malware leads to Teslacrypt
    - https://myonlinesecurity.co.uk/your-...to-teslacrypt/
    19 Apr 2016 - "An email with the subject of 'Your Latest Documents from Angel Springs Ltd [88665A9D]' [random numbered] pretending to come from random senders with a zip attachment is another one from the current bot runs... The email looks like:
    From: Random senders
    Date: Tue 19/04/2016 12:09
    Subject: Your Latest Documents from Angel Springs Ltd [88665A9D]
    Attachment: INF_88665A9D.zip
    Dear Customer,
    Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we’ve invested in upgrading our billing systems to make things a little easier for you.
    Here’s a few ways we’ve made it easier for you:
    Your new documents are now attached to your email. You don’t have to follow a link now to get to your documents.
    Our customer portal has been upgraded to give you a clearer, simpler view of your documents and any outstanding invoices.
    You can simply and easily raise any queries you may have through the customer portal.
    Please note: you may wish to save your documents on initial viewing. However, after your first viewing you will be able to access copy documents by simply clicking the link.
    If you would like to discuss or have any queries in relation to any of the documents then please do not hesitate to contact us on 0845 230 9555 and we will be more than happy to assist you. Please do not reply to this email.
    To see Angel Springs latest special offer that will save you money and help support Make a Wish, please click on the attached document
    With Kind Regards,
    Angel Springs Ltd


    19 April 2016: INF_88665A9D.zip: Extracts to: E-ZPass_00212297.doc.js - Current Virus total detections 7/57*
    .. MALWR** shows a download of Teslacrypt ransomware from
    http ://thereissomegoodqq .com/21.exe?1 ... This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1461082807/

    ** https://malwr.com/analysis/NTUzZjc1Y...UyYzIxM2JmZDI/
    Hosts
    54.212.162.6: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/42...be5b/analysis/
    185.12.108.138: https://www.virustotal.com/en/ip-add...8/information/
    176.57.209.25: https://www.virustotal.com/en/ip-add...5/information/
    81.177.140.186: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'Latest order' SPAM - JS malware leads to Dridex
    - https://myonlinesecurity.co.uk/fw-la...ads-to-dridex/
    19 Apr 2016 - "An email with the subject of 'Pay for driving on toll road, invoice #00212297' [random numbered] pretending to come from random senders with a zip attachment is another one from the current bot runs... All of these have random names as senders that matches the name in the body of the email. All the companies mentioned are totally random. The email looks like:
    From: Kitty E Hampton <Kitty.Hampton3D@ vipnet .ci>
    Date: Tue 19/04/2016 18:22
    Subject: FW: Latest order delivery details
    Attachment: shipping_inf8594263.zip
    Dear customer,
    We are happy to inform you that your recent order with Yazino has been scheduled for delivery
    If you did not make an order with us or have any queries do not hesitate to contact us.
    Do not forget to include delivery reference number from attachment in your request.
    Thanks and have a good day
    Truly yours,
    Kitty Hampton ...


    19 April 2016: shipping_inf8594263.zip: Extracts to: signed_30340JKINV2016.js - Current Virus total detections 0/57*
    .. MALWR** shows a download of Dridex from
    http ://ameritrade.healdsburgdistricthospital .net/vincent/carter.php which gives krebs is gay.exe (VirusTotal 5/56***)... This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1461088509/

    ** https://malwr.com/analysis/Zjk3YWIzY...c4MjdjNjQyODc/
    Hosts
    212.109.223.112: https://www.virustotal.com/en/ip-add...2/information/
    ameritrade.healdsburgdistricthospital .net: 212.109.223.112

    *** https://www.virustotal.com/en/file/6...is/1461086145/
    ___

    Fake 'Facture' SPAM - JS malware Locky downloader
    - http://blog.dynamoo.com/2016/04/malw...-corrigee.html
    19 Apr 2016 - "This French-language spam leads to malware:
    From: Louis - Buvasport [louis64@ buvasport .com]
    Date: 19 April 2016 at 13:29
    Subject: Facture : 1985 corrigée
    Cher Client,
    Veuillez trouver en pièce-jointe, la facture de vos achats. SANS FRAIS DE TRANSPORT
    Votre marchandise est partie et vous devriez la recevoir dans les prochains jours.
    Si vous avez des questions, n'hésitez pas à nous contacter.
    Cordialement,
    BUVA SPORTS


    Attached is a file 093887283-19.04.2016.zip which contains a semi-randomly named script (e.g. 741194709-18.04.2016.PDF.js) with VirusTotal detection rates of 6/56 [1] [2]. According to these Malwr reports [3] [4] the script downloads a file from one of the following locations:
    pushdkim .com/267h67c5e
    pay.360degreeinfo .com/267h67c5e
    There are probably other scripts with different download locations, the binary has a detection rate of 10/55*. The Hybrid Analysis report** shows that this executable attempts to download another executable from:
    buhjolk .at/files/Yd6aGF.exe
    At the moment that location is 404ing and the main payload fails... This is probably attempting to drop Locky ransomware. The loader also attempts to interact with some servers belonging to BMG, possibly to generate false data for anyone doing network analysis. To be on the safe side, it might be worth blocking:
    93.79.82.215 (Telesweet, Ukraine) "
    1] https://www.virustotal.com/en/file/d...is/1461072147/

    2] https://www.virustotal.com/en/file/8...is/1461072158/

    3] https://malwr.com/analysis/Njk3ZDQ0Z...Q4MmI3ZDgzOTM/
    Hosts
    96.47.237.49
    109.235.139.64


    4] https://malwr.com/analysis/ZGNlODVhN...NkZGZiNmMyYWY/
    192.185.106.45
    109.235.139.64


    * https://www.virustotal.com/en/file/c...is/1461072738/
    TCP connections
    109.235.139.64
    91.218.89.197


    ** https://www.hybrid-analysis.com/samp...nvironmentId=1
    Contacted Hosts
    109.235.139.64
    93.79.82.215


    buhjolk .at: 176.103.235.5


    Last edited by AplusWebMaster; 2016-04-19 at 21:09.
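The 'Business Card', 'Angel Springs' and 'Latest order' posts above all describe the same delivery pattern: a .js dropper inside a ZIP, sometimes named like E-ZPass_00212297.doc.js so it reads as a document when known extensions are hidden, next to DOCM macro lures and the odd .ace archive. The triage script below is an added example, not code from the forum or the quoted blogs; it parses a raw message, inspects each attachment one level into ZIP containers, and flags those patterns. Attachment names come from the thread (the DOCM name shortened); senders, bodies and file contents are constructed placeholders.

```python
"""Attachment triage for the lures quoted in this thread (added example, not
code from the forum or the quoted blogs): flags script droppers, double
extensions such as E-ZPass_00212297.doc.js, macro-enabled Office files,
OOXML files carrying word/vbaProject.bin, and uncommon archives (.ace/.rar)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "exe", "scr", "cmd", "bat", "ps1"}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt", "jpg", "png"}
MACRO_EXTS = {"docm", "dotm", "xlsm", "pptm"}
ARCHIVE_EXTS = {"zip", "rar", "ace", "7z"}


def classify_name(name):
    """Findings derived from the file name alone."""
    parts = name.lower().rsplit(".", 2)      # keep the last two extensions
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    findings = []
    if ext in SCRIPT_EXTS:
        findings.append("script-or-executable")
        if inner in DOCUMENT_EXTS:           # reads as a document once .js is hidden
            findings.append("double-extension")
    if ext in MACRO_EXTS:
        findings.append("macro-enabled-office")
    if ext in ARCHIVE_EXTS - {"zip"}:        # .ace/.rar slip past ZIP-only filters
        findings.append("uncommon-archive")
    return findings


def inspect_file(name, data):
    """Name findings plus a look inside ZIP containers (OOXML documents are ZIPs;
    a word/vbaProject.bin member means VBA code, whatever the extension claims)."""
    findings = [(name, f) for f in classify_name(name)]
    ext = name.lower().rsplit(".", 1)[-1]
    if data[:2] != b"PK":                    # not a ZIP container
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return findings + [(name, "corrupt-zip")]
    if any(m.lower().endswith("vbaproject.bin") for m in members):
        findings.append((name, "ooxml-vba-macro"))
    if ext in ARCHIVE_EXTS:                  # plain archive: judge each member's name
        for m in members:
            findings.extend((f"{name}!{m}", f) for f in classify_name(m))
    return findings


def triage_message(raw_bytes):
    """Return (attachment, finding) pairs for a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings.extend(inspect_file(name, part.get_payload(decode=True) or b""))
    return findings


def verdict(findings):
    """Block script/macro content outright; hold anything else flagged for review."""
    kinds = {kind for _, kind in findings}
    if kinds & {"script-or-executable", "double-extension", "ooxml-vba-macro"}:
        return "block"
    return "quarantine" if kinds else "deliver"


# Constructed samples: names from the thread; senders, bodies and contents are placeholders.
def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def make_message(sender, subject, filename, data, body=""):
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)                    # the 'Business Card' lure had an empty body
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


OOXML_STUB = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}
SAMPLES = {
    "Business Card": make_message("Tracey Gittens <sender@example.invalid>", "Business Card",
                                  "IMG_1670.ZIP", make_zip({"IMG_0505.js": b"// placeholder\n"})),
    "Angel Springs": make_message("billing@example.invalid", "Your Latest Documents",
                                  "INF_88665A9D.zip", make_zip({"E-ZPass_00212297.doc.js": b"// x\n"})),
    "DTC Workshop": make_message("workshop@example.invalid", "Emailing: M_20150401_0729",
                                 "M_20150401_0729.DOCM", make_zip({**OOXML_STUB, "word/vbaProject.bin": b"\0"})),
    "Quote Price": make_message("sales@example.invalid", "Re: Quote Price",
                                "ORDER LIST.ace", b"**ACE**placeholder"),
    "clean docx": make_message("colleague@example.invalid", "Q1 report",
                               "report.docx", make_zip(OOXML_STUB), body="Draft attached."),
}


def run_samples():
    """Triage every sample; returns {label: (verdict, findings)}."""
    triaged = {label: triage_message(raw) for label, raw in SAMPLES.items()}
    return {label: (verdict(f), f) for label, f in triaged.items()}
```

The OOXML check only covers ZIP-based Office files; legacy .doc attachments like the ones in the 'invoice' post are OLE containers and need a separate macro parser.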

  9. #949
    AplusWebMaster (Adviser Team)

    Thumbs down Fake 'Document', 'WhatsApp', 'XL Copy Invoice' SPAM, MS Outlook Phish

    FYI...

    Fake 'Document' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/04/malw...ouse-self.html
    20 Apr 2016 - "This -fake- financial spam does not come from Beerhouse Self Drive but is instead a simple forgery with a malicious attachment:
    From: Accounts at Beerhouse Self Drive [accounts3965@ beerhouse .co.uk]
    Date: 20 April 2016 at 11:01
    Subject: Document No™2958719
    Thanks for using electronic billing
    Please find your document attached
    Regards
    Beerhouse Self Drive


    In the only sample I have seen so far, there is an attachment Document No 992958719.doc which has a VirusTotal detection rate of 7/56*. The Malwr report** for that document shows that it downloads a binary from:
    bi.pushthetraffic .com/87ty8hbvcr44
    There are probably many other download locations. This dropped file has a detection rate of 6/56***. The DeepViz report[4] and Hybrid Analysis[5] between them identify what is likely to be Dridex, phoning home to the following servers:
    193.90.12.221 (MultiNet AS, Norway)
    212.126.59.41 (Letshost / Digiweb, Ireland)
    93.104.211.103 (Contabo GmbH, Germany)
    155.133.82.82 (FUFO Studio Agata Grabowska, Poland)
    212.50.14.39 (Computers Equipnemt, Bulgaria)
    91.194.251.204 (TOV Dream Line Holding, Ukraine)
    194.116.73.71 (Topix, Italy)
    64.76.19.251 (Impsat, Argentina)
    Recommended blocklist:
    "
    * https://www.virustotal.com/en/file/2...is/1461148270/

    ** https://malwr.com/analysis/ZGU4MzQ2Y...YxYTY1OTNkM2M/
    Hosts
    103.233.195.10

    *** https://www.virustotal.com/en/file/9...is/1461148465/

    4] https://sandbox.deepviz.com/report/h...b928bd2055c29/

    5] https://www.hybrid-analysis.com/samp...nvironmentId=1

    - https://myonlinesecurity.co.uk/docum...ads-to-dridex/
    20 Apr 2016 - "An email with the subject of 'Document Not2152550' (random numbers) pretending to come from Accounts at Beerhouse Self Drive <accounts80ba@ beerhouse .co.uk> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: Accounts at Beerhouse Self Drive <accounts80ba@ beerhousei.co.uk>
    Date: Wed 20/04/2016 11:00
    Subject: Document Not2152550
    Thanks for using electronic billing
    Please find your document attached
    Regards
    Beerhouse Self Drive


    20 April 2016: Document No 742152550.doc - Current Virus total detections 6/57*
    .. MALWR** shows a download of Dridex Banking Trojan from
    http ://rightbrainstechnology .co.in/87ty8hbvcr44 (VirusTotal 6/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/8...is/1461146416/

    ** https://malwr.com/analysis/NDkzOGM5Y...ZmZjQ1NTY4NWI/
    Hosts
    143.95.38.5

    *** https://www.virustotal.com/en/file/9...is/1461147163/
    ___

    Fake 'WhatsApp' SPAM - leads to malware
    - https://myonlinesecurity.co.uk/whats...e-pdf-malware/
    20 Apr 2016 - "An email with the subject of 'You just missed a voice notice!' pretending to come from WhatsApp with a zip attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-1024x507.png

    20 April 2016: daquan36.zip: Extracts to: ulysses.exe - Current Virus total detections 19/57*
    .. MALWR** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1461130799/
    TCP connections
    2.50.143.246: https://www.virustotal.com/en/ip-add...6/information/

    ** https://malwr.com/analysis/ZmRjODVmN...AzZTEwZDEwOTY/
    Hosts
    89.120.101.64: https://www.virustotal.com/en/ip-add...4/information/
    ___

    Fake 'XL Copy Invoice' SPAM - xls macro malware leads to Dridex
    - https://myonlinesecurity.co.uk/xl-co...ads-to-dridex/
    20 Apr 2016 - "An email with the subject of 'XL Copy Invoice – 997063' pretending to come from Claire Runagall <ClaireR@ xljoinery .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Claire Runagall <ClaireR@ xljoinery .co.uk>
    Date: Wed 20/04/2016 12:08
    Subject: XL Copy Invoice – 997063
    Attachment: 997063_Copy.xls
    Hi ,
    Please find attached copy invoice as requested
    Kid regards
    Claire Runagall
    Finance Assistant
    XL Joinery Limited ...


    20 April 2016: 997063_Copy.xls - Current Virus total detections 4/56*
    .. MALWR** shows a download of Dridex banking Trojan from
    http ://dnssd-el-edcollege .org/87ty8hbvcr44 (VirusTotal 8/56***). Although this has the same file -names- as today’s earlier malspam run[4] delivering Dridex, it is a -different- file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/3...is/1461163278/

    ** https://malwr.com/analysis/YzVlMWFmZ...IwYmY1Zjc5YWE/
    Hosts
    143.95.38.5: https://www.virustotal.com/en/ip-add...5/information/

    *** https://www.virustotal.com/en/file/f...is/1461161570/

    4] https://myonlinesecurity.co.uk/docum...ads-to-dridex/
    ___

    'Upgrade to New Outlook WebApp' - Phish
    - https://myonlinesecurity.co.uk/upgra...-2-1-phishing/
    19 Apr 2016 - "... phishing attempts against Microsoft Outlook Web Access (Microsoft Outlook Web App (formerly known as Outlook on the Web or Outlook Web Access) is a browser-based email client. Outlook Web App lets you access your Microsoft Exchange Server mailbox from almost any web browser.) These sorts of phishing attempts are much harder to protect against, because the OWA web address will not be a Microsoft website or any common site name but is normally a subdomain or part of your own company web domain. To make it harder, many companies do have numerous different email domains, so email messages might come from any of the company domains... One of the many subjects in this sort of phishing attempt is 'Upgrade to New Outlook WebApp 2.1' or something very similar. This one only wants your email log in details...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...p-1024x708.png

    If you are unwise enough to follow the link http ://www.uprmbih .ba/owa/1/2/index.htm you see a webpage looking like:
    > https://myonlinesecurity.co.uk/wp-co...h-1024x561.png
    ... a very good imitation of a genuine Microsoft Office 365 / Outlook Web Access log on page. If you do fill in the details you get sent on to the -Genuine- Office 365 log in page:
    - https://login.microsoftonline.com/
    All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

    Last edited by AplusWebMaster; 2016-04-20 at 17:45.

  10. #950
    Adviser Team AplusWebMaster

    Thumbs down Fake 'INVOICE', 'Purchase Order', 'Latest order' SPAM, Disaster Email SCAMS

    FYI...

    Fake 'INVOICE' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/04/malw...002380112.html
    21 Apr 2016 - "This -fake- financial spam does not come from BalanceUK Limited but is instead a simple forgery with a malicious attachment:
    From: adminservices@ grouphomesafe .com
    Date: 21 April 2016 at 10:33
    Subject: "BalanceUK_INVOICE_X002380_1127878"
    Thank you for placing your order with BalanceUK Ltd
    Please find attached your document.
    BalanceUK Limited,
    30-32 Martock Business Park,
    Great Western Road,
    Martock,
    Somerset,
    TA12 6HB ...


    Attached is a ZIP file with a name that matches the reference in the subject field (e.g. BalanceUK_X271897_1127878.zip). Although I have seen a few samples with different names, they are all the same attachment. Inside that ZIP file is another ZIP file named 4812610-20.04.2016.zip and in there is a malicious script named 4812610-20.04.2016.js with a VirusTotal detection rate of 6/56*. This malicious script... downloads an executable from:
    dd.ub .ac.id/9uhg5vd3
    There are usually different download locations, but so far I have only seen the one. This has a detection rate of 5/56**. The Hybrid Analysis*** of the dropped binary shows network traffic to:
    193.90.12.221 (MultiNet AS, Norway)
    200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)
    The payload is not clear, but is probably the Dridex banking trojan.
    Recommended blocklist:
    193.90.12.221
    200.159.128.144
    "
    * https://www.virustotal.com/en/file/f...is/1461231512/

    ** https://www.virustotal.com/en/file/f...is/1461232207/

    *** https://www.hybrid-analysis.com/samp...nvironmentId=1

    - https://myonlinesecurity.co.uk/balan...85-js-malware/
    21 Apr 2016 - "An email with the subject of “BalanceUK_INVOICE_X714368_0134185” [random numbered] pretending to come from adminservices@ grouphomesafe .com with a zip attachment is another one from the current bot runs... The email looks like:
    From: adminservices@ grouphomesafe .com
    Date: Thu 21/04/2016 10:25
    Subject: “BalanceUK_INVOICE_X714368_0134185”
    Attachment: BalanceUK_X864886_0134185.zip
    Thank you for placing your order with BalanceUK Ltd
    Please find attached your document.
    BalanceUK Limited,
    30-32 Martock Business Park,
    Great Western Road,
    Martock,
    Somerset,
    TA12 6HB ...


    21 April 2016: BalanceUK_X864886_0134185.zip: Extracts to: 3930404-19.04.2016.zip which extracts to 3930404-19.04.2016.js - Current Virus total detections 6/57*
    .. MALWR** doesn't show any downloads but it is likely that something is preventing that. It is likely to be either a Dridex, Locky or Teslacrypt downloader... This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1461230893/

    ** https://malwr.com/analysis/OWY1MTc4Y...c4OTJkOTM3MGM/
    ___

    Fake 'Purchase Order' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/04/malw...ase-order.html
    21 Apr 2016 - "This -fake- financial spam does not come from Covance but is instead a simple -forgery- with a malicious attachment:
    From: FSPRD@ covance .com
    Reply-To: donotreply@ covance .com
    Date: 21 April 2016 at 12:03
    Subject: Dispatched Purchase Order
    Purchase Order, 11300 / 0006432242, has been Dispatched. Please detach and print the attached Purchase Order.
    ***Please do not respond to this e-mail as the mailbox is not monitored...


    Attached is a file with a name matching the reference in the email, e.g. 0006432242.tgz which is a compressed archive file, containing in turn -another- archive file with a name like 5611205-19.04.2016.tar and that archive is a malicious script named in an almost identical format to the TAR file (e.g. 5611205-19.04.2016.js). This script has a typical detection rate of 8/56*. So far I have seen two versions of this script, downloading from:
    mountainworldtreks .com/9uhg5vd3
    secondary36.obec .go.th/9uhg5vd3
    The downloaded binary is the -same- in both cases. This Hybrid Analysis** and DeepViz Analysis*** indicate network traffic to:
    193.90.12.221 (MultiNet AS, Norway)
    194.116.73.71 (Topix, Italy)
    64.76.19.251 (Impsat, Argentina)
    200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)
    The payload appears to be the Dridex banking trojan.
    Recommended blocklist:
    193.90.12.221
    194.116.73.71
    64.76.19.251
    200.159.128.144
    "
    * https://www.virustotal.com/en/file/e...is/1461239783/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    *** https://sandbox.deepviz.com/report/h...525f4fa41ddfc/
    ___

    Fake 'Latest order' SPAM - JS malware
    - http://blog.dynamoo.com/2016/04/malw...-delivery.html
    21 Apr 2016 - "This fake financial spam leads to malware:
    From: Milan Bell [Milan.Bell5@ viuz-en-sallaz .fr]
    Date: 21 April 2016 at 17:45
    Subject: FW: Latest order delivery details
    Good morning!
    Hope you are good.
    Yesterday and the day before my colleague (Glover Hector) sent you a request regarding the invoice INV_6325-2016-victimdomain .tld past due.
    I kindly ask you to give us a reply finally. We're getting no answers from you. Please stop ignoring invoice requests.
    Many thanks and good luck
    Milan Bell
    DORIC NIMROD AIR ONE LTD ...


    The rather rude pitch here is a canny bit of social engineering, aimed to make you open-the-link -without- clicking. I have only seen one sample of this at present and I guess that the details vary from email to email. In this case the attachment was called pastdue_tovictimdomain.tld340231.zip containing a malicious script pastdue60121342016.js. This script has a VirusTotal detection rate of just 1/56*. The Malwr report and Hybrid Analysis** for this show it downloading a malicious binary from:
    trendmicro.healdsburgdistricthospital .com/RIB/assets.php
    Cheekily the URL references a well-known security company. The domain it is using is a -hijacked- GoDaddy domain, and the download location is actually hosted at:
    176.103.56.30 (PE Ivanov Vitaliy Sergeevich / Xserver.ua, Ukraine)
    You can bet that this is a malicious server and I recommend -blocking- it. This script downloads a binary named alarm.exe which has a detection rate of 4/56***. The Hybrid Analysis[4] for this sample shows network connections to:
    103.245.153.154 (OrionVM, Australia)
    176.9.113.214 (Hetzner, Germany)
    210.245.92.63 (PT Telecom Company, Vietnam)
    23.249.1.171 (Datacate, US)
    It is not clear what the payload is, but there are indications it is the Dridex banking trojan.
    Recommended blocklist:
    176.103.56.30
    103.245.153.154
    176.9.113.214
    210.245.92.63
    23.249.1.171
    "
    * https://www.virustotal.com/en/file/9...is/1461257525/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    *** https://www.virustotal.com/en/file/d...is/1461257815/

    4] https://www.hybrid-analysis.com/samp...nvironmentId=1
    ___

    Earthquake Disaster Email SCAMS
    - https://www.us-cert.gov/ncas/current...er-Email-Scams
    April 20, 2016 - "The Federal Trade Commission (FTC) has released an alert on email -scams- that cite the recent earthquakes in Ecuador and Japan. The -scam-emails- may contain links-or-attachments that direct users to phishing or malware-infected websites. Donation requests from -fraudulent- charitable organizations commonly appear after major natural disasters. US-CERT encourages users to take the following measures to protect themselves:
    > Review the FTC alert* and their information on Charity Scams**.
    > Do not follow unsolicited web links or attachments in email messages.
    > Keep antivirus and other computer software up-to-date..."

    * https://www.consumer.ftc.gov/blog/ho...or-and-japan-0
    April 20, 2016

    ** https://www.consumer.ftc.gov/feature...-charity-scams

    Last edited by AplusWebMaster; 2016-04-21 at 22:37.
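As an added example (not code from the thread or from the quoted blogs), a small Python scanner for the attachment pattern described in posts #948 and #950: a ZIP nested inside a ZIP whose final member is a .js script, sometimes hiding behind a document-looking double extension such as 741194709-18.04.2016.PDF.js. The function names, the extension lists and the in-memory sample archives are my own assumptions; the archives reuse file names quoted in the thread and contain harmless placeholder bytes, not the real scripts.

```python
# Added example, not code from the thread: flag ZIP attachments like those quoted in posts
# #948 and #950 (zip-in-zip ending in a .js, sometimes behind a decoy double extension).
# Archives below are constructed in memory with the thread's file names; contents are placeholders.
import io
import zipfile

SCRIPT_EXTS = {"js", "jse", "vbs", "wsf", "exe", "scr"}   # runs on double-click (assumed list)
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}  # what the name pretends to be
MAX_DEPTH = 3                                                # cap zip-in-zip recursion

def walk_archive(data, depth=0, prefix=""):
    """Yield (path, bytes) per non-archive member, descending into nested ZIPs;
    nested members get a path like 'outer.zip!/inner.js'."""
    if depth > MAX_DEPTH:
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            payload = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(payload)):
                yield from walk_archive(payload, depth + 1, path + "!/")
            else:
                yield path, payload

def classify(path):
    """Return the reasons a member name looks like a disguised script ([] if none)."""
    parts = path.rsplit("/", 1)[-1].lower().split(".")
    reasons = []
    if len(parts) >= 2 and parts[-1] in SCRIPT_EXTS:
        reasons.append("script extension ." + parts[-1])
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append("decoy double extension ." + parts[-2] + "." + parts[-1])
    if reasons and "!/" in path:
        reasons.append("delivered inside a nested archive")
    return reasons

def scan_attachment(data):  # -> {member_path: reasons} for suspicious members only
    return {p: classify(p) for p, _ in walk_archive(data) if classify(p)}

def make_zip(members):
    buf = io.BytesIO()  # build a ZIP in memory from {name: bytes}
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()

def build_samples():
    """Constructed samples reusing file names quoted in the thread (placeholder contents)."""
    inner = make_zip({"4812610-20.04.2016.js": b"// placeholder\n"})
    nested = make_zip({"4812610-20.04.2016.zip": inner, "readme.txt": b"benign\n"})
    flat = make_zip({"741194709-18.04.2016.PDF.js": b"// placeholder\n"})
    return {"BalanceUK_X271897_1127878.zip": nested, "093887283-19.04.2016.zip": flat}
```

Running `scan_attachment` over each sample from `build_samples()` reports the nested .js and the PDF.js decoy while the benign readme.txt is ignored.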
