
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #951 AplusWebMaster (Adviser Team)
    Fake 'Amazon', 'Workers Comp', 'Your Order Ref' SPAM, Nuclear EK

    FYI...

    Fake 'Amazon' SPAM - leads to malware
    - http://blog.dynamoo.com/2016/04/malw...order-has.html
    22 Apr 2016 - "This -fake- Amazon email leads to malware. On some mail clients there may be no body text:
    From: auto-shipping@ amazon .co.uk Amazon .co.uk
    To:
    Date: Fri, 22 Apr 2016 10:50:56 +0100
    Subject: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)
    Dear Customer,
    Greetings from Amazon .co.uk,
    We are writing to let you know that the following item has been sent using Royal Mail...
    Your order #525-2814418-9619799 (received April 22, 2016)...


    Attached is a file with a name that matches the randomly-generated order (in this case, ORDER-525-2814418-9619799.docm). According to analysis by a couple of other trusted parties, the various versions of the malicious document download a binary from:
    This dropped -executable- has a detection rate of 6/56*. The Hybrid Analysis** and DeepViz Analysis*** plus some data sourced from other parties (thank you) indicate that the malware calls back to the following IPs:
    186.250.48.10 (Redfox Telecomunicações Ltda., Brazil)
    193.90.12.221 (MultiNet AS, Norway)
    194.116.73.71 (Topix, Italy)
    200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)
    The payload here appears to be the Dridex banking trojan.
    Recommended blocklist:
    186.250.48.10
    193.90.12.221
    194.116.73.71
    200.159.128.144
    "
    * https://www.virustotal.com/en/file/1...is/1461324262/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    *** https://sandbox.deepviz.com/report/h...d02583f1ac809/
    ___

    Fake 'Workers Comp' SPAM - JS malware
    - https://myonlinesecurity.co.uk/gener...om-js-malware/
    22 Apr 2016 - "An email that appears to come from pacificpathins .com /Pacific Pathways insurance brokers with the subject of 'General Liability & Workers Compensation Insurance' pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads some unknown malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-1024x640.png

    21 April 2016: PPI QUOTE REQUEST_955015.zip: Extracts to: wrk_insur29uk22442016.js
    Current Virus total detections 2/57*.. MALWR** shows a download that is very offensively named from
    http ://inter.whyscc .com/gimme/some/loads_nigga.php which gave me favicon.ico which of course is -not- an icon file but a renamed .exe (VirusTotal 4/56***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1461327441/

    ** https://malwr.com/analysis/YjVlYWU3M...RmN2Y0YWUzNmM/
    Hosts
    193.201.227.59: https://www.virustotal.com/en/ip-add...9/information/

    *** https://www.virustotal.com/en/file/d...is/1461331736/

    inter.whyscc .com: 193.201.227.59
    ___

    Fake 'Your Order Ref' SPAM - doc malware
    - https://myonlinesecurity.co.uk/thank...d-doc-malware/
    22 Apr 2016 - "An email with the subject of 'Thank You For Your Order Ref 58380529' pretending to come from talkmobile <do_not_reply@ talkmobile .co.uk> with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...9-1024x314.png

    If you do open the word doc, this is where they invite you to double-click-the-image to see the invoice.
    That would -infect- you with whatever malware this malicious doc contains:
    > https://myonlinesecurity.co.uk/wp-co...e-1024x214.png

    21 April 2016: Invoice.docx - Current Virus total detections 3/57*
    .. An analyst managed to extract it for me and we got INVOIC~1.EXE which I think is supposed to be called Invoice_14_04_16_65216.exe (VirusTotal 2/55**) MALWR[4] which shows a dropped/extracted js file Rechnung_14_04_16_65216.js (VirusTotal 1/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1461335298/

    ** https://www.virustotal.com/en/file/4...is/1461338217/

    *** https://www.virustotal.com/en/file/9...is/1461338547/

    4] https://malwr.com/analysis/MjU2OGY1N...E2MzhlMzkyNzg/
    ___

    Nuclear EK cashes in on demand from cryptoransomware rings
    - http://arstechnica.com/security/2016...its-into-cash/
    Apr 22, 2016 - "Security researchers at Cisco Talos* and Check Point** have published reports detailing the inner workings of Nuclear, an "exploit kit" Web service that deployed malware onto victims' computers through malicious websites. While a significant percentage of Nuclear's infrastructure has been recently disrupted, the exploit kit is still operating — and looks to be a major contributor to the current crypto-ransomware epidemic... Much of Talos' data on Nuclear comes from tracking down the source of its traffic — a cluster of "10 to 15" IP addresses that were responsible for "practically all" of the exploit infrastructure. Those addresses were being hosted by a single cloud hosting provider—DigitalOcean. The hosting company's security team confirmed the findings to Talos and took down the servers — sharing what was on them with security researchers... At the same time, Check Point researchers had gained access to the paid malware delivery service's customer control panel... the vast majority of the traffic that hit Nuclear's exploit pages were redirected there by malicious advertisements — one Spanish-language ad for webcams pushed over 25,000 distinct visiting IP addresses to Nuclear in just one day, Talos found. Just one server analyzed by Talos "showed approximately 60,000 unique IP's [per day] connecting to this particular server," Biasini wrote. "This amount of activity far exceeds what we were expecting based on previous data analysis." Surprised at how so much traffic could get through websites without being noticed, Talos found the Spanish sex webcam ad was hosted on a single porn site — and accounted for nearly half the traffic to that server's landing pages. The elimination of the DigitalOcean infrastructure may change some of the tactics of Nuclear's operator, but the exploit kit is probably not going away. Cisco has added Snort intrusion detection rules to help try to catch Nuclear exploit attacks, and Check Point has added detection for Nuclear exploit landing pages and the exploits themselves."
    * http://blog.talosintel.com/2016/04/nuclear-exposed.html

    ** http://blog.checkpoint.com/2016/04/2...nfrastructure/

    Last edited by AplusWebMaster; 2016-04-22 at 20:33.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #952 AplusWebMaster (Adviser Team)

    FAREIT abuses PowerShell, Fake 'PDF' SPAM, Evil networks to block

    FYI...

    FAREIT strain abuses PowerShell
    - http://blog.trendmicro.com/trendlabs...ng-powershell/
    Apr 25, 2016 - "... Last March 2016, we noted that PowerWare crypto-ransomware* also abused PowerShell. Recently, we spotted a new attack where PowerShell was abused to deliver a FAREIT variant... users can either receive a spam mail with a document that has a malicious .PDF file or a Word document file with malicious macro codes:
    > https://blog.trendmicro.com/trendlab...04/FAREIT1.jpg
    ... When (IF) users run the PDF, it will execute the PowerShell to perform its malicious routine. Based on our analysis, when users open the PDF file, the -malicious- PDF will utilize OpenAction to execute its malicious code. TSPY_FAREIT is downloaded on the systems, stealing a plethora of information such as stored information (usernames, passwords) in certain browsers, stored email credentials, and bitcoin-related details, among others. If the recipients get emails with documents containing malicious-macros, enabling the macro feature will result in the execution of the malware on the system as well... Both PDF and macros are also used in some organizations and enterprises, thus employees who received such FAREIT-related spam emails won’t suspect anything malicious... Users are advised to be wary in opening emails even if these came from seemingly known sources. Installing security software on the system that can detect these spammed messages and malicious files can secure users from possible information theft..."
    * http://blog.trendmicro.com/trendlabs...ets-tax-files/
    ___

    Fake 'PDF' SPAM - malicious attachment
    - https://myonlinesecurity.co.uk/ihre-...e-pdf-malware/
    25 Apr 2016 - "A German language email pretending to be a Vodafone invoice or bill with the subject of 'Ihre Mobilfunk – Rechnung vom 25\04\2016 im Anhang als PDF' pretending to come from VodafoneOnline_Rechnung@ vodafone .com with a zip attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...F-1024x626.png

    25 April 2016: Ihre Rechnung vom 25.04.2016 als pdf_.zip: Extracts to: Ihre Rechnung vom 25.04.2016 als pdf_.PDF.exe - Current Virus total detections 5/56* | Payload Security**
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1461569966/

    ** https://www.reverse.it/sample/ee08ca...nvironmentId=4
    ___

    Evil networks to block 2016-04-25
    - http://blog.dynamoo.com/2016/04/evil...016-04-25.html
    25 Apr 2016 - "Following on from this post* and previous ones in that series, here is a new set of IP ranges where the Angler EK seems to be clustering. In addition, I updated the list of PlusServer ranges** where Angler is becoming a critical problem too.
    "
    * http://blog.dynamoo.com/2016/04/evil...016-04-11.html

    ** http://blog.dynamoo.com/2016/04/plus...blem-with.html
    ___

    New Downloader for Locky
    - https://www.fireeye.com/blog/threat-...ader_forl.html
    Apr 22, 2016 - "... Conclusion: The actors behind the Locky ransomware are actively seeking new ways to successfully install their malware on victim computers. That may be one of the reasons this new downloader is used and being introduced to the -current- distribution framework. This downloader can be a new platform for installing other malware (“Pay-per-Install”)...
    URLs:
    "
    (More detail at the fireeye URL above.)

    Last edited by AplusWebMaster; 2016-04-25 at 17:48.
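The FAREIT item above says the PDF uses OpenAction to run its code without any click. Below is an added triage example (not code from the post or from Trend Micro) that scans raw PDF bytes for open-time triggers paired with script or launch actions, resolves what the /OpenAction actually points at, and decodes the #xx name escapes PDF allows, since those hide keywords from a plain grep; the three sample PDFs are constructed in the block.

```python
"""Static triage of a PDF for actions that fire on open (/OpenAction, /AA)
combined with JavaScript or Launch actions, the FAREIT delivery pattern
described above. Added example; not code from the post or Trend Micro.
Caveat: objects packed into compressed object streams are not inflated here,
so "clean" means "nothing visible in the raw bytes", not "safe"."""
import re
from typing import Dict

# A PDF name may spell any byte as #xx, so /Open#41ction is /OpenAction.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# keyword -> (kind, meaning). "trigger" keys fire without a click,
# "action" keys describe what fires.
INDICATORS = {
    b"/OpenAction": ("trigger", "runs when the document is opened"),
    b"/AA": ("trigger", "runs on page, annotation or form events"),
    b"/JavaScript": ("action", "JavaScript action"),
    b"/JS": ("action", "script body"),
    b"/Launch": ("action", "launches an external program"),
    b"/URI": ("action", "opens a URL"),
}


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated name matches the plain keyword."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_indicators(text: bytes) -> Dict[str, int]:
    """Count keywords, demanding a name boundary so /JS does not match /JSx."""
    found = {}
    for key in INDICATORS:
        hits = re.findall(re.escape(key) + rb"(?![0-9A-Za-z])", text)
        if hits:
            found[key.decode()] = len(hits)
    return found


def openaction_target(text: bytes) -> bytes:
    """What /OpenAction points at: an inline dictionary, or the body of the
    indirect object it references ('5 0 R' -> contents of '5 0 obj ... endobj')."""
    m = re.search(rb"/OpenAction\s*(?:(\d+)\s+\d+\s+R|(<<.*?>>))", text, re.S)
    if not m:
        return b""
    if m.group(2):
        return m.group(2)
    obj = re.search(rb"(?m)^" + m.group(1) + rb"\s+\d+\s+obj\b(.*?)endobj", text, re.S)
    return obj.group(1).strip() if obj else b""


def scan_pdf(data: bytes) -> dict:
    """likely-malicious: the open action itself is a script/launch action.
    suspicious: any indicator present (e.g. a click-driven /URI or an /AA).
    clean: none of the keywords appear in the raw bytes."""
    text = normalise_names(data)
    found = count_indicators(text)
    target = openaction_target(text)
    fires_on_open = [k for k in count_indicators(target)
                     if INDICATORS[k.encode()][0] == "action"]
    if fires_on_open:
        verdict = "likely-malicious"
    elif found:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": found, "open_action": target.decode("latin-1"),
            "fires_on_open": fires_on_open, "verdict": verdict}


# Constructed sample: the catalog's open action references object 5, a
# JavaScript action; both names are hex-escaped to defeat a naive grep.
MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
5 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Constructed benign sample: one page of text, no actions at all.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 17 >> stream
BT (Hello) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Same page with a click-to-open link annotation: worth a look, not auto-run.
LINK_PDF = BENIGN_PDF.replace(
    b"/Contents 4 0 R",
    b"/Contents 4 0 R /Annots [<< /Subtype /Link /A << /S /URI /URI (https://example.invalid) >> >>]")
```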

  3. #953 AplusWebMaster (Adviser Team)

    Fake 'Missing payments' SPAM, Tech support SCAM, Malvertising

    FYI...

    Fake 'Missing payments' SPAM - leads to malware
    - http://blog.dynamoo.com/2016/04/malw...ments-for.html
    26 Apr 2016 - "This -fake- financial spam leads to malware:
    From: Jeffry Rogers [Jeffry.RogersA5@ thibaultlegal .com]
    Date: 26 April 2016 at 12:58
    Subject: Missing payments for invoices inside
    Hi there!
    Hope you are good.
    Hope you are good. We're missing payments on our statements for the invoices included in this email. Please let us know, when the payments will be initiated.
    BTW, trying to get reply from you for a long time. This is not junk, do not ignore it please.
    Kind Regards
    Jeffry Rogers
    Henderson Group ...


    I have only seen a single sample of this; it is likely that the company names and sender will vary. Attached is a file missing_quickbooks982.zip which contains a malicious obfuscated javascript 91610_facture_2016.js which attempts to download a component from:
    web.spartanburgcommunitycollege .com/gimme/some/loads_nigga.php
    This drops a file pretending to be favicon.ico which is actually an -executable- with a detection rate of 3/56*. This Hybrid Analysis** and this DeepViz report*** indicate network traffic to:
    103.245.153.154 (OrionVM Retail Pty Ltd, Australia)
    176.9.113.214 (Hetzner, Germany)
    210.245.92.63 (FPT Telecom Company, Vietnam)
    213.192.1.171 (EASY Net, Czech Republic)
    The payload isn't exactly clear, but it looks like Dridex rather than Locky. Almost certainly one of the two.
    Recommended blocklist:
    103.245.153.154
    176.9.113.214
    210.245.92.63
    213.192.1.171
    "
    * https://www.virustotal.com/en/file/0...7183/analysis/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=4

    *** https://sandbox.deepviz.com/report/h...ece8ba36c281b/
    ___

    Fake 'You account' SPAM - malware tech support SCAM
    - https://myonlinesecurity.co.uk/you-a...-support-scam/
    26 Apr 2016 - "An email with the subject of 'You account have a problem' pretending to come from No answer@ your email domain addressed to victim@ your email domain tries to get you to download a load of crapware -or- sends you to a tech support -scam- site that locks your browser, pretends you are infected and continually screeches at you to ring the number on the pop up to help. These are -not- coming from your email server...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...m-1024x468.png

    If you are unwise enough to follow-the-link, you first go to
    http ://multidekor-illumination .com/wp-content/themes/inovado/framework/plugins/ which -redirects- you to various pages, which either try to persuade you to download a load of crapware masquerading as either a flash player update -or- a Java update -or- display a bright red fake Microsoft alert page at
    777secureyoursystem .com/1/ with pop ups saying you are infected, with an audio in background...

    26 April 2016: adobe_flash_setup-26105491.exe -or- java_runtime_enviroment_setup-26106084.exe
    Current Virus total detections 11/57*
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1461681165/

    multidekor-illumination .com: 52.29.158.152: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/1c...9580/analysis/
    777secureyoursystem .com: 166.62.6.52: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/4c...2004/analysis/
    ___

    Malvertising on Pirate Bay drops Ransomware
    - https://blog.malwarebytes.org/threat...ps-ransomware/
    Apr 26, 2016 - "Popular torrent site The Pirate Bay was serving ransomware via a malvertising attack this week-end. The fraudulent advertiser was using a ‘pop-under’ to silently -redirect- users to the Magnitude exploit kit and infect them with the Cerber ransomware. This is part of the same Magnitude EK malvertising campaigns we have documented previously* on this blog. The ad network changes, but the modus operandi remains the same:
    > https://blog.malwarebytes.org/wp-con.../04/Flow-1.png
    Malvertising:
    Fraudulent domain:
    traffic.adxprts .com/?placement=[redacted]&redirect
    delivery.adxprts .com/delivery.php?url=http%3A%2F%2Ftrafficholder.com%2Fin%2Fpop.php%3Fpenthubcom
    Ad network:
    trafficholder .com/in/pop.php?penthubcom
    Magnitude EK Gates:
    gamesheep .me: A temporary error occurred during the lookup...
    veronagames .me: 185.130.226.107: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/df...4143/analysis/
    ... RiskIQ** also spotted the same advertiser pushing -fake- software. That domain has now been obliterated by CloudFlare."
    * https://blog.malwarebytes.org/cyberc...-malvertising/

    ** https://sf.riskiq.net/bl/156607452/4...Dy07cn7g%3D%3D

    Last edited by AplusWebMaster; 2016-04-26 at 22:52.

  4. #954 AplusWebMaster (Adviser Team)

    Fake 'clients recent bill', 'latest price list', 'transfer cancelled', 'Message' SPAM

    FYI...

    Fake 'clients recent bill' SPAM - JS malware
    - https://myonlinesecurity.co.uk/pleas...ll-js-malware/
    27 Apr 2016 - "An email pretending to say 'Please see attached file regarding clients recent bill'... pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads what looks like Dridex banking malware... One of the emails looks like:
    From: Isabella Allison <AllisonIsabella408@ webmail.kirpicik .com>
    Date: Wed 27/04/2016 10:11
    Subject: FW:
    Attachment: gzi-bill_7B07A7.rar
    Dear gzi,
    Please see attached file regarding clients recent bill.
    Should you need further assistances lease feel free to email us.
    Best Regards,
    Yours sincerely,
    Isabella Allison
    Executive Director Finance & Information Systems

    -Or-
    Dear rob,
    Please see attached file regarding clients recent bill.
    Should you need further assistances lease feel free to email us.
    Best Regards,
    Yours sincerely,
    Harriett Santiago
    CEO


    27 April 2016: gzi-bill_7B07A7.rar: Extracts to: 0a1f583.js - Current Virus total detections 2/57*
    .. Payload security** doesn’t show any download but a manual analysis shows a download of what is probably Dridex banking Trojan from
    http ://adamauto .nl/gdh46ss (VirusTotal 7/57***). There is also a file with a single character name of approx. 145kb inside the zip file that just contains padding and no real content:
    > https://myonlinesecurity.co.uk/wp-co...b-1024x317.png
    ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1461748399/

    ** https://www.reverse.it/sample/3955dd...nvironmentId=4

    *** https://www.virustotal.com/en/file/c...is/1461750602/
    TCP connections
    139.59.166.196: https://www.virustotal.com/en/ip-add...6/information/

    adamauto .nl: 5.61.252.121: https://www.virustotal.com/en/ip-add...1/information/
    ___

    Fake 'latest price list' SPAM - js malware Dridex
    - https://myonlinesecurity.co.uk/our-l...alware-dridex/
    27 Apr 2016 - "An email pretending to say 'Thank you Our latest price list is attached. For additional information, please contact your local ITT office' with the subject of 'Price list' pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads what looks like Dridex banking malware... One of the emails looks like:
    From: Rosanne Frost <FrostRosanne34713@ ttnet .com.tr>
    Date: Wed 27/04/2016 10:11
    Subject: Price list
    Attachment: 97258_rob_F68A02.rar
    Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.


    27 April 2016: 97258_rob_F68A02.rar: Extracts to: e456b94.js Current Virus total detections 2/57*
    .. a manual analysis shows a download of what is probably Dridex banking Trojan from
    http ://onlinecrockpotrecipes .com/k2tspa (VirusTotal 6/57**), which although a different file # is probably the
    -same- Dridex banking trojan as today’s other similar malspam run[3]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1461751559/

    ** https://www.virustotal.com/en/file/3...is/1461752457/
    TCP connections
    107.170.20.33: https://www.virustotal.com/en/ip-add...3/information/

    3] https://myonlinesecurity.co.uk/pleas...ll-js-malware/

    onlinecrockpotrecipes .com: 192.232.212.44: https://www.virustotal.com/en/ip-add...4/information/

    - http://blog.dynamoo.com/2016/04/malw...est-price.html
    27 Apr 2016 - "This -fake- financial spam leads to malware:
    From: Andrew Boyd [BoydAndrew46@ infraredequipamentos .com.br]
    Date: 27 April 2016 at 12:23
    Subject: Price list
    Thank you. Our 'latest price list' is attached. For additional information, please contact your local ITT office.


    The sender's name varies, the subject and body text appear to be the same. Attached is a RAR archive that combines some elements of the recipient's email address in it, e.g. CAA30_info_D241AE.rar. Thanks to analysis from a trusted source (thank you!) it appears that there are several -scripts- downloading a binary from one of the following locations:
    This downloads Locky ransomware. The executable then phones home to the following servers:
    176.114.3.173 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
    139.59.166.196 (Digital Ocean, Singapore)
    107.170.20.33 (Digital Ocean, US)
    146.185.155.126 (Digital Ocean, Netherlands)
    Recommended blocklist:
    176.114.3.173
    139.59.166.196
    107.170.20.33
    146.185.155.126
    "
    ___

    Fake 'transfer cancelled' SPAM - JS malware
    - https://myonlinesecurity.co.uk/the-t...lware-attempt/
    27 Apr 2016 - "An email saying 'The transfer, recently initiated from your online banking account, was cancelled' with random characters/numbers as the subject coming from random names and email addresses with a link-in-the-email is another one from the current bot runs... They have now uploaded the actual malware files to the compromised servers which deliver the full working Invoice_Details.js which when run will download files like:
    (VirusTotal 4/56*) which is Dridex banking Trojan.
    The email looks like:
    From: Alfonso Diaz <roberto@ deman .com.br>
    Date: Wed 27/04/2016 11:53
    Subject: 7707_860-m_p
    Attachment: none
    The transfer, recently initiated from your online banking account, was cancelled.
    Aborted transfer
    Transfer Case ID FL5I56IJ6K9P
    Amount 3087.19 USD
    Order Date 13.41 Tue, Apr 26 2016
    Rejection Reason View details
    Please click the link given at the top to see more details about your order


    ... 'Think -before- you click'..."
    * https://www.virustotal.com/en/file/f...is/1461740787/
    ___

    Fake 'Message' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/04/malw...rnp0bb8a7.html
    27 Apr 2016 - "This Spanish-language spam leads to malware:
    From: CLAUDIA MARTINEZ [contab_admiva2@ forrosideal .com]
    Date: 27 April 2016 at 16:22
    Subject: Message from "RNP0BB8A7"
    This e-mail has been sent from "RNP0BB8A7" (Aficio MP 171).
    Scan data: 27.04.2016 00:31:10 (+0000)
    Questions to: soporte@ victimdomain .tld


    Attached is a randomly-named ZIP file (e.g. 053324_00238.zip) which contains a malicious script (e.g. 0061007_009443.js). The samples I have seen download a binary from:
    mebdco .com/8759j3f434
    amwal .qa/8759j3f434
    ecmacao .com/8759j3f434
    lifeiscalling-sports .com/8759j3f434
    This drops a version of what appears to be Locky ransomware with a detection rate of zero*. I know from another source, that these additional download locations were being used for an English-language spam run this afternoon:
    DeepViz report shows the malware phoning home to:
    107.170.20.33 (Digital Ocean, US)
    139.59.166.196 (Digital Ocean, Singapore)
    146.185.155.126 (Digital Ocean, Netherlands)
    There's a triple whammy for Digital Ocean!...
    Recommended blocklist:
    107.170.20.33
    139.59.166.196
    146.185.155.126
    "
    * https://www.virustotal.com/en/file/d...0111/analysis/
    0/55
    ___

    Fake 'Invoice' SPAM - JS malware
    - https://myonlinesecurity.co.uk/invoi...80-js-malware/
    27 Apr 2016 - "An email with the subject of 'Invoice 44738447 19/12 £4024.80' [random numbered] pretending to come from random senders with a zip attachment is another one from the current bot runs... The email looks like:
    From: Lela Hines <HinesLela95@ plus .pl>
    Date: Wed 27/04/2016 17:31
    Subject: Invoice 44738447 19/12 £4024.80
    Attachment: invoice44738447.doc
    Hi,
    I had a lovely break and now I’m back to work.
    Many thanks for the payments made. There is just one invoice that has not been paid and does not seem to have a query against it either.
    Its invoice 44738447 19/04 $5,712.37 P/O CQCJB 15391
    Can you have a look at it for me please?
    Thank-you !
    Kind regards
    Lela Hines
    Credit Control
    Finance Department
    CounterPath Corporation ...


    27 April 2016: invoice44738447.doc which is actually a zip file that Extracts to:
    2016 Sales Invoice 700422016.pdf.js - Current Virus total detections 7/56*
    .. Payload security** shows a download of Dridex banking Trojan from
    api.spartanburg-community-college .net/follow-us/on/twitter.php which gives DridexBOT.twitter (VirusTotal 5/56***)...
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1461774742/
    7/56

    ** https://www.hybrid-analysis.com/samp...nvironmentId=4
    Contacted Hosts
    109.234.35.185: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/d2...e967/analysis/

    *** https://www.virustotal.com/en/file/8...is/1461777828/
    5/56

    Last edited by AplusWebMaster; 2016-04-27 at 22:54.
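Posts #951, #953 and #954 above keep returning to the same attachment tricks: a macro-enabled .docm, a ZIP or RAR that holds only a .js, a decoy double extension such as pdf_.PDF.exe or .pdf.js, a favicon.ico that is really an .exe, and a .doc that is really a ZIP. Below is an added mail-gateway triage example (not code from the blogs quoted) that catches each of those by combining name checks with content sniffing and recursing into ZIP containers; the attachment bodies are constructed stubs, only the filenames come from the posts.

```python
"""Attachment triage for the lures quoted above: macro-enabled Office files,
archives that only carry a script, double extensions such as .pdf.exe or
.pdf.js, and files whose content contradicts the declared extension (a .doc
that is really a ZIP, a favicon.ico that is really a PE). Added example, not
code from the blogs quoted; every sample body is constructed in memory."""
import io
import zipfile
from typing import List, Tuple

SCRIPT_EXT = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "cmd", "bat"}
BINARY_EXT = {"exe", "scr", "com", "pif"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "ico"}
# Leading bytes -> real container type, used to catch spoofed extensions.
MAGIC = [(b"MZ", "pe"), (b"PK\x03\x04", "zip"), (b"%PDF", "pdf"),
         (b"\xd0\xcf\x11\xe0", "ole"), (b"Rar!\x1a\x07", "rar"),
         (b"\x00\x00\x01\x00", "ico")]
# What the content should be for a given declared extension.
EXPECTED = {"doc": "ole", "xls": "ole", "docx": "zip", "docm": "zip", "xlsx": "zip",
            "pdf": "pdf", "ico": "ico", "zip": "zip", "rar": "rar"}


def sniff(data: bytes) -> str:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def exts(name: str) -> List[str]:
    """All extensions of the last path component, lower-cased: 'a.pdf.js' -> ['pdf', 'js']."""
    return name.lower().rsplit("/", 1)[-1].split(".")[1:]


def check_name(name: str) -> List[str]:
    e, out = exts(name), []
    if not e:
        return out
    if e[-1] in MACRO_EXT:
        out.append(f"{name}: macro-enabled Office document")
    if e[-1] in SCRIPT_EXT | BINARY_EXT:
        out.append(f"{name}: executable or script attachment")
        if len(e) > 1 and e[-2] in DECOY_EXT:
            out.append(f"{name}: double extension, .{e[-2]} decoy hides .{e[-1]}")
    return out


def check_content(name: str, data: bytes) -> List[str]:
    kind, e = sniff(data), exts(name)
    last = e[-1] if e else ""
    if kind == "pe" and last not in BINARY_EXT:
        return [f"{name}: PE executable disguised as .{last or '(no extension)'}"]
    if last in EXPECTED and kind not in ("unknown", EXPECTED[last]):
        return [f"{name}: declared .{last} but content is {kind}"]
    return []


def triage(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Recurse into ZIP containers (Office files are ZIPs too), two levels deep."""
    findings = check_name(name) + check_content(name, data)
    if sniff(data) != "zip" or depth >= 2:
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
            for m in members:
                if m.filename.lower().endswith("vbaproject.bin"):
                    findings.append(f"{name}: contains a VBA project ({m.filename})")
                findings += triage(f"{name}/{m.filename}", zf.read(m), depth + 1)
            if members and all((exts(m.filename) or [""])[-1] in SCRIPT_EXT for m in members):
                findings.append(f"{name}: archive delivers nothing but scripts")
    except zipfile.BadZipFile:
        findings.append(f"{name}: ZIP signature but archive is corrupt")
    return findings


def assess(name: str, data: bytes) -> Tuple[str, List[str]]:
    """Gateway decision: quarantine if anything fired, otherwise deliver."""
    findings = triage(name, data)
    return ("quarantine" if findings else "deliver"), findings


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x00" * 62  # constructed stub header, not a real program
SAMPLES = {  # filenames from the posts; bodies are constructed stand-ins
    "ORDER-525-2814418-9619799.docm": make_zip({"word/vbaProject.bin": b"\x00"}),
    "PPI QUOTE REQUEST_955015.zip": make_zip({"wrk_insur29uk22442016.js": b"// stub"}),
    "Ihre Rechnung vom 25.04.2016 als pdf_.PDF.exe": FAKE_PE,
    "invoice44738447.doc": make_zip({"2016 Sales Invoice 700422016.pdf.js": b"// stub"}),
    "favicon.ico": FAKE_PE,
    "quarterly-report.pdf": b"%PDF-1.4\n%%EOF\n",
}
```

Calling `assess(name, body)` for each entry in SAMPLES quarantines the first five and delivers only the real PDF.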

  5. #955 AplusWebMaster (Adviser Team)

    Fake 'FW: Invoice', 'Scan436', 'Unpaid Fine', 'IMPORTANT' SPAM

    FYI...

    Fake 'FW: Invoice' SPAM - JS malware
    - https://myonlinesecurity.co.uk/fw-invoice-js-malware/
    28 Apr 2016 - "Another set of emails with the subject of 'FW: Invoice' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads some sort of malware... One of the emails looks like:
    From: Autumn Gilbert <GilbertAutumn041@ foxyfolk.worldonline .co.uk>
    Date: Thu 28/04/2016 10:08
    Subject: FW: Invoice
    Attachment: no-reply_invoice_59C05D.zip
    Please find attached invoice #312148
    Have a nice day
    Autumn Gilbert
    Business Development Director ...


    28 April 2016: no-reply_invoice_59C05D.zip: Extracts to: 63e0f3bc.js - Current Virus total detections 1/57*
    .. Payload security[3] download... appears to be Locky ransomware from the Payload security screenshots... A manual analysis shows a download from
    http ://banketcentr .ru/v8usja (VirusTotal 5/57**)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/b...is/1461834603/

    ** https://www.virustotal.com/en/file/e...is/1461835068/

    3] https://www.reverse.it/sample/b6528e...nvironmentId=4
    Contacted Hosts
    81.177.6.123
    51.254.240.60


    banketcentr .ru: 81.177.6.123: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/84...334b/analysis/

    - http://blog.dynamoo.com/2016/04/malw...-multiple.html
    28 Apr 2016 - "This -fake- financial spam comes from randomly-generated senders, for example:
    From: Britt Alvarez [AlvarezBritt29994@ jornalaguaverde .com.br]
    Date: 28 April 2016 at 11:40
    Subject: FW: Invoice
    Please find attached invoice #342012
    Have a nice day


    Attached is a ZIP file containing elements of the recipient's email address. In turn, this contains a malicious script that downloads a binary from one of many locations. The ones I have seen are:
    http ://rabitaforex .com/pw3ksl
    http ://tribalsnedkeren .dk/n4jca
    http ://banketcentr .ru/v8usja
    http ://3dphoto-rotate .ru/h4ydjs
    http ://switchright .com/2yshda
    http ://cafe-vintage68 .ru/asad2fl
    http ://minisupergame .ru/a9osfg
    The payload looks like Locky ransomware. The DeepViz report* shows it phoning home to:
    83.217.26.168 (Firstbyte, Russia)
    31.41.44.246 (Relink, Russia)
    91.219.31.18 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
    51.254.240.60 (Relink, Russia / OVH, France)
    91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
    These two Hybrid Analysis reports [1] [2] show Locky more clearly.
    Recommended blocklist:
    83.217.26.168
    31.41.44.246
    91.219.31.18
    51.254.240.60
    91.234.32.19
    "
    * https://sandbox.deepviz.com/report/h...d62adb8cbc9ad/

    1] https://www.hybrid-analysis.com/samp...nvironmentId=1

    2] https://www.hybrid-analysis.com/samp...nvironmentId=4
    ___

    Fake 'Scan436' SPAM - leads to Locky ransomware
    - http://blog.dynamoo.com/2016/04/mini...-to-locky.html
    28 Apr 2016 - "There is currently a very minimalist spam run leading to Locky ransomware, for example:
    From: victim@ victimdomain .tld
    To: victim@ victimdomain .tld
    Date: 28 April 2016 at 11:21
    Subject: Scan436


    The spam appears to come from the victim's own email address. There is no body text, but attached is a ZIP file with a name matching the subject, e.g.:
    file238.zip
    file164.zip
    file84.zip
    Document4.zip
    Doc457.zip
    Scan1.zip
    Doc5.zip
    file394.zip
    Scan436.zip
    Inside is a semi-randomly named script that downloads malware. Download locations I have seen so far are:
    nailahafeez.goldendream .info/8778h4g
    kfourytrading .com/8778h4g
    kasliknursery .com/8778h4g
    allied .link/8778h4g
    xtrategiamx .com/8778h4g
    The downloaded executable is Locky ransomware and has a VirusTotal detection rate of 2/56*. This Hybrid Analysis** shows Locky quite clearly, and this DeepViz report*** shows it phoning home to:
    51.254.240.60 (Relink LLC, Russia / OVH, France)
    31.41.44.246 (Relink LLC, Russia)
    83.217.26.168 (Firstbyte, Russia)
    Recommended blocklist:
    31.41.44.246
    51.254.240.60
    83.217.26.168
    "
    * https://www.virustotal.com/en/file/6...is/1461840396/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=4

    *** https://sandbox.deepviz.com/report/h...a91494be3648e/

    - https://myonlinesecurity.co.uk/blank...wnloads-locky/
    29 Apr 2016 - "... another set of -blank- emails with varying subjects like Scan10, Document0, Doc9, file337 [all random numbered] pretending to come from your own email address with a zip attachment is another one from the current bot runs which downloads rockloader which in turn downloads Locky ransomware... I have only seen 2 variant names of the js files inside these zips. 001371310.js and SCAN007960203.js, but there probably are numerous others. (I have received over -100- copies...). The zip name matches the subject which so far has been one of these 4 variants: Scan, Document, Doc, or File, all with random numbers between 0 and 999 appended. One of the emails looks like:
    From: ans@ thespykiller .co.uk
    To: ans@ thespykiller .co.uk
    Date: Thu 28/04/2016 10:34
    Subject: Document0
    Attachment: Document0.zip


    Body content: Totally Blank/Empty

    28 April 2016: Document0.zip : Extracts to: 001371310.js - Current Virus total detections 4/57*
    .. Payload security** file337.zip: Extracts to: SCAN007960203.js - Current Virus total detections 4/57***
    .. Payload security[4] shows a download from
    http ://nailahafeez.goldendream .info/8778h4g which is Rockloader (VirusTotal 0/46[5]) probably eventually downloading Locky Ransomware. Download sites so far discovered include:
    http ://allieddiesel .com/8778h4g
    http ://citycollection .com.tr/8778h4g
    http ://xtrategiamx .com/8778h4g
    http ://nailahafeez.goldendream .info/8778h4g
    honafelastin .com/8778h4g ...
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1461836295/

    ** https://www.reverse.it/sample/2deb04...nvironmentId=4
    Contacted Hosts
    207.58.129.29
    109.235.139.64
    94.41.119.143
    31.41.44.246


    *** https://www.virustotal.com/en/file/8...is/1461836412/

    4] https://www.reverse.it/sample/86a237...nvironmentId=4
    Contacted Hosts
    88.202.227.70
    109.235.139.64
    77.122.120.173
    83.217.26.168


    5] https://www.virustotal.com/en/file/6...is/1461837500/
    ___

    Fake 'Unpaid Fine' SPAM - JS malware
    - https://myonlinesecurity.co.uk/unpai...79-js-malware/
    28 April 2016 - "An email with the subject of 'Unpaid Fine – Case No.743379' [random numbered] pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads some malware... One of the emails looks like:
    From: Erick Macalister <MacalisterErick998@ cost2build .co.za>
    Date: Thu 28/04/2016 13:26
    Subject: Unpaid Fine – Case No.743379
    Attachment: unity_unity8_invoices_743379.zip
    You have received a fine on March 20th, 2016 for the amount of $397,31 and despite our constant reminders it hasnt been paid yet.Please, review the enclosed document as soon as possible.


    28 April 2016: unity_unity8_invoices_743379.zip: Extracts to: details.jse - Current Virus total detections 3/57*
    .. Payload security** shows an attempted download from
    substance-europe .com/OtgUIH.exe which currently seems to be unavailable. I am looking for other download sites, that will probably deliver either Locky ransomware or Dridex banking Trojan...
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1461848553/

    ** https://www.reverse.it/sample/4687c7...nvironmentId=4
    Contacted Hosts
    173.247.250.242: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'IMPORTANT' SPAM - JS malware
    - https://myonlinesecurity.co.uk/email...nt-js-malware/
    28 Apr 2016 - "... emails with -multiple- subjects including 'Amount overdue [IMPORTANT]' and 'Latest invoice [IMPORTANT]' pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads some malware... A very high proportion of the emails are misconfigured and come in broken with the attachment embedded in the body of the email. A lot however come in as fully -working- emails although they have part of the body content attached as a txt file and as a html file. These have multiple subjects including:
    Amount overdue [IMPORTANT]
    Latest invoice [IMPORTANT]
    Payment overdue notification [Urgent]
    Amount overdue notification [Urgent]
    Unpaid invoice notification Sonic Foundry, Inc.
    Invoice overdue [IMPORTANT]
    Recent invoice unpaid [Urgent] ...
    Amount overdue from Chicago Rivet & Machine Co.
    Recent invoice [IMPORTANT]
    Final letter before commencing legal action [Urgent]
    One of the working emails looks like:

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-1024x702.png

    28 April 2016: Latest invoice51958.zip Extracts to: 2016INV-APR23521.pdf.js - Current Virus total detections 23/56*
    .. Payload Security** finally caught up with their backlog of submissions... this is Dridex from
    http ://24.dailyeq .com/i-wanna/more/followers.php -or-
    http ://int.ayuda-integral .net/i-wanna/more/followers.php delivering tw33t.me (VirusTotal 6/56***)
    This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1441173827/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=4
    Contacted Hosts
    212.109.193.218: https://www.virustotal.com/en/ip-add...8/information/

    *** https://www.virustotal.com/en/file/0...7b67/analysis/

    24.dailyeq .com: 212.109.193.218
    int.ayuda-integral .net: 212.109.193.218

    Last edited by AplusWebMaster; 2016-04-28 at 23:11.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
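The posts above keep returning to the same delivery pattern: a ZIP attachment wrapping a .js/.jse script (sometimes with a decoy double extension such as 2016INV-APR23521.pdf.js) or a macro-enabled .docm, relying on hidden file extensions to look like a document. The following is an added triage routine for that pattern, written for this thread and not taken from the quoted blogs; the extension lists are assumptions to be extended per environment, and the member names in the sample ZIP are constructed to resemble the ones reported.

```python
"""Offline triage of ZIP e-mail attachments for script/macro payloads.
Added example; not code from the quoted blogs.  Extension lists are an
assumption and should be tuned for the receiving environment."""
import io
import zipfile

# Extensions Windows will execute on double-click (illustrative, not exhaustive).
SCRIPT_EXTS = {"js", "jse", "wsf", "wsh", "vbs", "vbe", "hta", "cmd",
               "bat", "scr", "exe", "pif", "com", "ps1", "lnk"}
# Office formats that can carry VBA macros.
MACRO_EXTS = {"docm", "dotm", "xlsm", "xlsb", "xltm", "pptm", "ppam"}
# "Document" extensions used as a decoy in front of a script extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_name(name):
    """Return the reasons a member name is suspicious ([] if none)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in SCRIPT_EXTS:
        reasons.append("executable script: ." + ext)
        # e.g. invoice.pdf.js: with extensions hidden only "invoice.pdf" shows
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append("double extension .%s.%s" % (parts[-2], ext))
    elif ext in MACRO_EXTS:
        reasons.append("macro-enabled Office file: ." + ext)
    return reasons


def triage_zip(data):
    """Inspect ZIP bytes without extracting anything to disk.
    Returns (verdict, findings); findings maps member name -> reasons."""
    findings = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reasons = classify_name(info.filename)
                if reasons:
                    findings[info.filename] = reasons
    except zipfile.BadZipFile:
        return "malformed", {}
    return ("block" if findings else "allow"), findings


def build_sample_zip(names):
    """Construct an in-memory ZIP with placeholder content so the triage
    can be exercised offline (constructed sample, no real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Member names modelled on the reports above (constructed sample).
    sample = build_sample_zip(["2016INV-APR23521.pdf.js", "details.jse",
                               "2986010236_1941512.docm", "readme.txt"])
    print(triage_zip(sample))
```

The check works on the central directory only, so nothing inside the archive is ever executed or written out; a gateway rule that quarantines on the "block" verdict would have caught every attachment described in this post.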

  6. #956
    Adviser Team AplusWebMaster's Avatar

    Fake 'Attached Doc', 'Unpaid Invoice', 'hi prnt' SPAM - Locky ransomware

    FYI...

    Fake 'Attached Doc' SPAM - Locky ransomware
    - http://blog.dynamoo.com/2016/04/malw...-attached.html
    29 Apr 2016 - "This -fake- document scan email appears to come from within the victim's own domain, but it doesn't. Instead it is a simple -forgery- with a malicious attachment. Example subjects include:
    Attached Doc
    Attached Image
    Attached Document
    Attached File
    Example senders:
    epson@ victimdomain .tld
    scanner@ victimdomain .tld
    xerox@ victimdomain .tld
    There is no body text. Attached is a ZIP file with the recipient's email address forming part of the name plus a couple of random numbers. These ZIP files contain a variety of -malicious- scripts, the ones that I have seen download a binary from:
    emcartaz .net.br/08j78h65e
    kizilirmakdeltasi .net/08j78h65e
    easytravelvault .com/08j78h65e
    64.207.144.148 /08j78h65e
    cdn.cs2.pushthetraffic .com/08j78h65e
    The VirusTotal detection rate for the dropped binary is 3/55*. That VirusTotal report and this Hybrid Analysis** show subsequent traffic to:
    giotuipo .at/api/
    giotuipo .at/files/dDjk3e.exe
    giotuipo .at/files/VTXhFO.exe
    The payload is Locky ransomware. This is hosted on what appears to be a bad server at:
    134.249.238.140 (Kyivstar GSM, Ukraine)
    Kyivstar is a GSM network, something hosted on this IP is usually a sure sign of a botnet. A lookup of the giotuipo .at domain shows that it is multihomed on many IPs:
    109.194.247.26 (ER-Telecom Holding, Russia)
    95.189.128.70 (Sibirtelecom, Russia)
    79.119.196.161 (RCS & RDS Business, Romania)
    5.248.229.186 (Lanet Network Ltd, Ukraine)
    188.230.17.38 (Airbites, Ukraine)
    134.249.238.140 (Kyivstar, Ukraine)
    5.58.29.200 (Lanet Network Ltd, Ukraine)
    212.3.103.225 (Apex, Ukraine)
    93.95.187.243 (Triolan, Ukraine)
    178.151.243.153 (Triolan, Ukraine)
    These IPs are likely to be highly dynamic, so blocking them may or may not work. If you want to try, here is a recommended blocklist:
    109.194.247.26
    95.189.128.70
    79.119.196.161
    5.248.229.186
    188.230.17.38
    134.249.238.140
    5.58.29.200
    212.3.103.225
    93.95.187.243
    178.151.243.153
    "
    * https://www.virustotal.com/en/file/c...is/1461917718/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=4

    - https://myonlinesecurity.co.uk/anoth...ivering-locky/
    29 Apr 2016 - "... another set of emails with -blank- empty bodies pretending to come from scanner@, copier@, epson@, canon@, hp@ and any other copier/printer/scanner/MFD at your-own-domain with one of these subjects 'Attached Doc / Attached File / Attached Image / Attached Document' with a zip attachment is another one trying to download Locky ransomware and other malware files... your email domain is -not- sending these emails. You have -not- been hacked. One of the emails looks like:
    From: epson@ thespykiller .co.uk
    Date: Fri 29/04/2016 09:15
    Subject: Attached Document
    Attachment: submit@ thespykiller .co.uk_62693_220554.zip


    Body content: Totally blank/empty

    29 April 2016: submit@ thespykiller .co.uk_62693_220554.zip : Extracts to: 85006886_575150306.js
    Current Virus total detections 4/57*. Payload Security** shows a download of -3- files from
    giotuipo .at/files/VTXhFO.exe (VirusTotal 1/56***) and giotuipo .at/files/dDjk3e.exe (VirusTotal 1/56[4]) and
    limaoagencia .com.br/08j78h65e (VirusTotal 1/56[5]). Payload Security[6] shows it is definitely rockloader, which normally downloads Locky ransomware. The first 2 files, although they appear to be .exe files, are actually encrypted data that the rockloader uses to perform various tasks. The payload security report indicates that these might be necurs / fareit/ pony related... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1461917777/

    ** https://www.reverse.it/sample/cad0d8...nvironmentId=4

    *** https://www.virustotal.com/en/file/3...is/1461918182/

    4] https://www.virustotal.com/en/file/5...is/1461918177/

    5] https://www.virustotal.com/en/file/5...is/1461918177/

    6] https://www.reverse.it/sample/c4e241...nvironmentId=4
    Contacted Hosts
    109.235.139.64
    134.249.238.140
    51.254.240.60
    185.130.7.22

    ___

    Fake 'Unpaid Invoice' SPAM - Locky ransomware
    - http://blog.dynamoo.com/2016/04/malw...er-unpaid.html
    29 Apr 2016 - "This -fake- financial spam leads to malware:
    From: Janis Faulkner [FaulknerJanis8359@ ono .com]
    Date: 29 April 2016 at 11:13
    Subject: Second Reminder - Unpaid Invoice
    We wrote to you recently reminding you of the outstanding amount of $8212.88 for Invoice number #304667, but it appears to remain unpaid.
    For details please check invoice attached to this mail
    Regards,
    Janis Faulkner
    Chief Executive Officer - Food Packaging Company


    Attached is a ZIP file with a name similar to unpaid_invoice551.zip which contains a randomly-named script. Oddly, most of the script appears to be text copy-and-pasted from the Avira website:
    > https://4.bp.blogspot.com/-aSblAORl_...vira-blurb.png
    The scripts I have seen download slightly different binaries from the following locations:
    cafeaparis .eu/f7yhsad
    amatic .in/hdy3ss
    zona-sezona .com.ua/hj1lsp
    avcilarinpazari .com/u7udssd
    VirusTotal detection rates are in the range of 8/56 to 10/56 [1] [2].... In addition to those reports, various automated analyses [5] [6]... show that this is Locky ransomware phoning home to:
    91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
    83.217.8.155 (Park-web Ltd, Russia)
    31.41.44.246 (Relink Ltd, Russia)
    89.108.84.155 (Agava Ltd, Russia)
    51.254.240.60 (Relink, Russia / OVH, France)
    I -strongly- recommend that you block traffic to:
    91.234.32.19
    83.217.8.155
    31.41.44.246
    89.108.84.155
    51.254.240.60
    "
    1] https://www.virustotal.com/en/file/2...9792/analysis/

    2] https://www.virustotal.com/en/file/c...is/1461925401/

    5] https://www.hybrid-analysis.com/samp...nvironmentId=1

    6] https://sandbox.deepviz.com/report/h...bddda6f34a980/

    - https://myonlinesecurity.co.uk/secon...ira-antivirus/
    29 Apr 2016 - "... An email with the subject of 'Second Reminder – Unpaid Invoice' pretending to come from the usual random senders with a zip attachment...
    NOTE: although all copies I have seen so far of this particular email have only had the innocent Avira details, it is highly possible that some files will contain a genuine malware. Do-not-open the JS file... You will be infected.
    Update: Dynamoo* has seen some copies that do also contain the malware payload - I have also now received a couple with javascript hidden amongst the mass of repeated-Avira-blurb that will deliver Locky ransomware... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * http://blog.dynamoo.com/2016/04/malw...er-unpaid.html
    29 Apr 2016
    ___

    Fake 'hi prnt' SPAM - JS malware delivers Locky
    - https://myonlinesecurity.co.uk/hi-pr...elivers-locky/
    29 Apr 2016 - "Another -blank- email with the subject of 'hi prnt' with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
    From: your-own-email-address
    Date:
    Subject: hi prnt
    Attachment: 1708279_830428394.zip


    Body content: Completely empty/blank

    28 April 2016: 1708279_830428394.zip : Extracts to: 24614230_356663117.js - Current Virus total detections 3/57*
    .. Manual analysis shows a download of Locky Ransomware from
    gridandgreen .co.th/08j78h65e (VirusTotal **)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1461947772/

    ** https://www.virustotal.com/en/file/e...is/1461946616/

    gridandgreen .co.th: 119.59.120.4: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/c6...90b9/analysis/
    ___

    New release of PCI DSS v3.2 is available
    - https://isc.sans.edu/diary.html?storyid=21003
    2016-04-29 - "A new version of the standard was released today, version 3.2. There are a number of changes that will affect those that need to comply with the standard, especially for service providers. For service providers struggling to move customers away from SSL and weak TLS there is some good news. The deadline for this requirement has been moved to June 30 2018. Service providers will however be required to have a secure environment (i.e. accepting TLS v1.2 or v1.1) by June 30 2016 (yes two months). This shouldn't be too onerous as most service providers will already have this in place. There are a few new requirements in the standard. The majority of these only apply to service providers and relate to ensuring that processes are followed throughout the year rather than a once a year effort. They are 'best practice' until 1 February 2018, after which they -must- be in place. A number of these are also quarterly requirements. They include:
    • 3.5.1 – Maintain a documented description of the cryptographic architecture.
    • 11.3.4.1 – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
    • 12.4 – Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program.
    • 12.11 – Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.
    The other big change affecting everyone relates to multi factor authentication for administration of the Cardholder Data Environment (CDE). Currently this requirement is only needed when remote access is used to access the CDE. This requirement has now been extended to include ALL administrative access of the CDE. This means that you will need to roll out some form of multi factor authentication for all administrative access to the environment. Other changes in the standard are generally clarifications..."
    ___

    Locky Ransomware Spreads via Flash and Windows Kernel Exploits
    - http://blog.trendmicro.com/trendlabs...rnel-exploits/
    Apr 28, 2016 - "In early April of this year a zero-day exploit (designated as CVE-2016-1019) was found in Adobe Flash Player. This particular flaw was soon used by the Magnitude Exploit Kit, which led to an Adobe out-of-cycle patch*. This flaw was being used to lead to drive-by download attacks with Locky ransomware as the payload... We recently saw a new -variant- of this attack that added an unusual twist. On top of the Flash exploit, an old escalation of privileges exploit in Windows (CVE-2015-1701) was used to bypass sandbox technologies... The network traffic was consistent with the use of a CVE-2016-1019 exploit. Meanwhile, the downloader used an unusual kernel exploit. It connected to a command-and-control (C&C) server located at 202[.]102[.]110[.]204:80 and installed the Locky ransomware. To do this, it would use several kernel-level system mechanisms: work items, system threads, and asynchronous procedure calls (APC). These do-not-require any files to be created, and allow the malware to be installed onto the system -without- detection. The downloader also hides its malicious behavior at runtime and compromises svchost.exe, the system process used by Windows to host various services. It also checks the version of Windows in use and the date when the vulnerable file (win32k.sys) was modified before attempting the exploit; this may be done to reduce the risk of detection. The exploit may have been used to avoid detection, particularly those using sandboxing technology. In addition, the cloaking behavior based on this kernel exploit adds complexity and makes analysis and sandbox detection more difficult. A code branch found during analysis suggests different kernel exploits may be used for later versions of Windows... We strongly advise users to update their systems with the latest version of Adobe Flash Player*. Keeping software up-to-date is another means of securing your system against exploit attacks. It is also best to always back up your data and avoid paying any ransom as this -doesn’t- guarantee that you will retrieve your files back..."
    * https://helpx.adobe.com/content/help...apsb16-10.html

    > https://web.nvd.nist.gov/view/vuln/d...=CVE-2016-1019
    Last revised: 04/11/2016 - "... as exploited in the wild in April 2016"
    Impact Subscore: 10.0

    > https://web.nvd.nist.gov/view/vuln/d...=CVE-2015-1701
    Last revised: 04/01/2016 - "... as exploited in the wild in April 2015"
    Impact Subscore: 10.0

    202.102.110.204: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/72...2dc2/analysis/

    Last edited by AplusWebMaster; 2016-04-29 at 21:44.
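The 'Attached Doc' write-up above points out that the Locky host giotuipo .at resolved to ten addresses spread across unrelated Russian, Romanian and Ukrainian consumer ISPs, one of them a GSM network, and treats that spread as a botnet indicator. Below is an added scoring routine for exactly that observation, written for this thread rather than taken from the quoted blog; the sample resolution set is constructed from the IPs and operators listed in the post, the contrasting "CDN" record set is invented, and the thresholds and mobile-operator keywords are assumptions.

```python
"""Score how scattered a domain's A records are across networks and
operators.  Added example; not code from the quoted blog.  Thresholds
and the MOBILE_HINTS keywords are assumptions."""
import ipaddress
from collections import Counter

# Constructed from the resolution list in the post above (ip, operator).
SAMPLE_RESOLUTIONS = {
    "giotuipo.at": [
        ("109.194.247.26", "ER-Telecom Holding"),
        ("95.189.128.70", "Sibirtelecom"),
        ("79.119.196.161", "RCS & RDS Business"),
        ("5.248.229.186", "Lanet Network Ltd"),
        ("188.230.17.38", "Airbites"),
        ("134.249.238.140", "Kyivstar GSM"),
        ("5.58.29.200", "Lanet Network Ltd"),
        ("212.3.103.225", "Apex"),
        ("93.95.187.243", "Triolan"),
        ("178.151.243.153", "Triolan"),
    ],
    # Invented benign contrast: a wide but single-operator CDN-style set.
    "example-cdn.test": [("203.0.113.%d" % i, "Example CDN") for i in (10, 11, 12)],
}

# Operator-name fragments that suggest consumer mobile/cellular space (assumption).
MOBILE_HINTS = ("gsm", "mobile", "cellular", "wireless")


def multihoming_profile(records):
    """Summarise a record set: distinct IPs, distinct /16 networks, distinct
    operators, and whether any operator looks like a mobile carrier."""
    ips = {ipaddress.ip_address(ip) for ip, _ in records}
    nets16 = {ipaddress.ip_network("%s/16" % ip, strict=False) for ip in ips}
    operators = Counter(op for _, op in records)
    mobile = any(h in op.lower() for op in operators for h in MOBILE_HINTS)
    return {"ips": len(ips), "nets16": len(nets16),
            "operators": len(operators), "mobile_operator": mobile}


def is_suspicious_multihoming(records, min_ips=5, min_operators=4):
    """Flag a domain whose records span many addresses *and* many operators.
    A CDN is wide too, but concentrates on one or two operators, so the
    operator count is what separates the two."""
    p = multihoming_profile(records)
    return p["ips"] >= min_ips and p["operators"] >= min_operators


if __name__ == "__main__":
    for domain, records in SAMPLE_RESOLUTIONS.items():
        print(domain, multihoming_profile(records), is_suspicious_multihoming(records))
```

Fed from passive-DNS or resolver logs, the profile gives a SOC a cheap first filter: a domain that scores high here is worth blocking at the name rather than by IP, which matches the post's own caveat that the individual addresses are "highly dynamic".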

  7. #957
    Adviser Team AplusWebMaster's Avatar

    Fake 'Chrome update for Android', Fake 'online order' SPAM

    FYI...

    Fake 'Chrome update for Android'
    - https://isc.sans.edu/diary.html?storyid=21007
    2016-05-02 - "... numerous reports of a -fake- update for Chrome for Android. A fake update for Android is not in itself very unusual or interesting, but this particular bit of malware is somewhat more insidious than most.
    The update, titled "Update_chrome.apk" requests administrative access to the device and then takes a page out of Zeus and other credential stealing malware and captures banking and personal information. When the user makes a purchase in the Google Play store the malware uses a very realistic looking payment page that captures a screenshot of any credit card information entered and sends it to Russia. The malware -prevents- its removal. At this point the only way to remove the malware is by returning the device to factory defaults, causing all user data to be lost. More information on this malware can be found over at the zScaler website*.
    This reiterates the usual methodology for software management on these devices. Always get your updates from reputable sources such as Google Play, and if you do need to install updates from a third party developer you need to validate the update before installation."
    * https://www.zscaler.com/blogs/resear...-chrome-update
    April 28, 2016
    ___

    Fake 'online order' SPAM - Malspam
    - https://myonlinesecurity.co.uk/your-...k-you-malspam/
    2 May 2016 - "A series of emails coming from random senders and email addresses pretending to be an order from some random company is either trying to download malware via-the-link, is a phishing email or is just pure spam. All the links are to different web addresses, with a very high proportion looking like hacked/compromised WordPress sites. All the ones I have received have a message saying 'content cannot be displayed in a frame'. The url that the frame tries to use is http ://207.244.95.41 /facebookapi/ which -redirects- to name of hacked site/order_details.html which for me, based in UK, just sends me to the genuine ATT .com site in USA with a log in page... Just delete the email and do-not-follow the links to be safe.
    Update: I am being told that these are using the Angler-exploit-kit to take over the computer, if you have the required vulnerable-versions of Adobe flash, Java, Adobe reader, Silverlight or any other vulnerable-browser-plugin.

    One of the emails looks like:
    From: Random names and email addresses
    Date: Mon 02/05/2016 18:10
    Subject: Your online order was successfully submitted. Thank you!
    Attachment: None
    Thank you for your recent order with Hyatt Hotels Corporation. We were happy to serve your needs.
    Please visit our site to view the order details.
    We look forward to seeing you at Hyatt Hotels Corporation again soon.

    Another body read:
    Thank you for your recent order with Eldorado Gold Corporation. We were happy to serve your needs.
    Please visit our site to view the order details.
    We look forward to seeing you at Eldorado Gold Corporation again soon.


    Screenshot of one of the websites:
    > https://myonlinesecurity.co.uk/wp-co...t-1024x218.png

    207.244.95.41: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/4a...e728/analysis/

    Last edited by AplusWebMaster; 2016-05-02 at 22:10.
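The 'online order' write-up above describes landing pages on compromised WordPress sites that try to load a frame from a bare IP address (http ://207.244.95.41 /facebookapi/) before redirecting. A frame or script whose host is an IP literal rather than a name is a cheap thing to check in a sandbox or mail-gateway URL scan, and the following is an added scanner for it, written for this thread and not taken from the quoted blog; the HTML sample is constructed to mirror the page described, and the compromised host name in it is a placeholder.

```python
"""Scan an HTML body (a received e-mail or a landing page fetched in a
sandbox) for frames, links or scripts whose host is a bare IP address.
Added example; not code from the quoted blog.  SAMPLE_HTML is constructed."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the landing page described in the post.
SAMPLE_HTML = """
<html><body>
<p>Thank you for your recent order with Hyatt Hotels Corporation.</p>
<a href="http://compromised-wordpress.example/order_details.html">view the order details</a>
<iframe src="http://207.244.95.41/facebookapi/" width="1" height="1">
content cannot be displayed in a frame</iframe>
</body></html>
"""


class TargetCollector(HTMLParser):
    """Collect (tag, url) for every element that pulls in a remote resource."""
    WATCHED = {"iframe": "src", "frame": "src", "a": "href",
               "script": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.targets.append((tag, value))


def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4 or IPv6 address."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def collect_targets(html):
    p = TargetCollector()
    p.feed(html)
    return p.targets


def find_ip_targets(html):
    """Return [(tag, url)] for frames/links/scripts/forms aimed at an IP literal."""
    return [(tag, url) for tag, url in collect_targets(html) if host_is_ip_literal(url)]


def frame_targets(html):
    """Return every iframe/frame URL: an order page or e-mail that frames
    anything at all is already worth a second look."""
    return [url for tag, url in collect_targets(html) if tag in ("iframe", "frame")]


if __name__ == "__main__":
    print(find_ip_targets(SAMPLE_HTML))
    print(frame_targets(SAMPLE_HTML))
```

Run over the HTML a sandbox retrieved from each link in the mail, the two functions give a verdict before any redirect is followed; the IP-literal check is the specific signal from this post, and the frame list is the broader net.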

  8. #958
    Adviser Team AplusWebMaster's Avatar

    Fake 'Third Reminder', 'e-invoice', 'You Are Fired', 'New Job Offer', 'Amazon' SPAM

    FYI...

    Fake 'Third Reminder' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/05/malw...tstanding.html
    3 May 2016 - "This -fake- financial spam has a malicious attachment. It comes from random senders. Last week a -fake- 'Second Reminder' spam was sent out.
    From: Ernestine Perkins
    Date: 3 May 2016 at 08:54
    Subject: Third Reminder - Outstanding Account
    Dear Client,
    We have recently sent you a number of letters to remind you that the balance of $9308.48 was overdue.
    For details please check document attached to this mail
    We ask again that if you have any queries or are not able to make full payment immediately, please contact us.
    Regards,
    Ernestine Perkins
    Franchise - Sales Manager / Director - Business Co


    Attached is a ZIP file which, in the samples I have seen, begins with Scan_ or Document_, each one of which contains four identical copies of the same script, e.g.:
    48524088_48524088 - copy (2).js
    48524088_48524088 - copy (3).js
    48524088_48524088 - copy (4).js
    48524088_48524088 - copy.js
    48524088_48524088.js
    Typical detection rates for the scripts seem to be about 3/56*. The samples I have seen download a malicious binary from one of the following locations (there are probably more):
    digigoweb .in/k3lxe
    rfacine .com.br/z0odld
    boontur .com/b2hskde
    These binaries are all slightly different, with detection rates of 4 to 6 out of 56 [1] [2]... Various automated analyses [4] [5]... show that this is Locky ransomware, and it phones home to:
    31.184.197.126 (Petersburg Internet Network, Russia)
    78.47.110.82 (Hetzner, Germany)
    91.226.93.113 (Sobis, Russia)
    91.219.29.64 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
    Recommended blocklist:
    31.184.197.126
    78.47.110.82
    91.226.93.113
    91.219.29.64
    "
    * https://www.virustotal.com/en/file/e...is/1462262631/

    1] https://www.virustotal.com/en/file/c...is/1462262799/

    2] https://www.virustotal.com/en/file/0...is/1462263548/

    4] https://malwr.com/analysis/NGVkMjJjY...JlMzZmZDcxYzI/

    5] https://malwr.com/analysis/OTliYTczZ...FkNDgwN2RlNTM/

    - https://myonlinesecurity.co.uk/third...strikes-again/
    3 May 2016: Scan_E1F.zip: Extracts to: 34405282_34405282.js and -4- identical copies of the same file.
    Current Virus total detections 3/57*. MALWR** shows a download of.. Locky ransomware from
    http ://dreamsmarketing .in/v67jsw ...
    * https://www.virustotal.com/en/file/3...is/1462266377/

    ** https://malwr.com/analysis/YWYzMjAwM...k0YzQ3NWUwZDE/
    Hosts
    199.189.253.226: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/06...dba3/analysis/

    dreamsmarketing .in: 199.189.253.226
    ___

    Fake 'e-invoice' SPAM - doc macro malware downloads Dridex
    - https://myonlinesecurity.co.uk/your-...nloads-dridex/
    3 May 2016 - "An email with the subject of 'Your latest e-invoice from TNT 7072492051_3470848' (random numbers) pretending to come from eInvoicing <groupadmine3767379DONOTREPLY@ tnt .com> (random numbers after the groupadmine) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: eInvoicing <groupadmine3767379DONOTREPLY@ tnt .com> (random numbers after the groupadmine)
    Date: Tue 03/05/2016 10:49
    Subject: Your latest e-invoice from TNT 7072492051_3470848
    Attachment: 2986010236_1941512.docm
    PLEASE DO NOT RESPOND – Emails to this address are not monitored or responded to.
    Please find enclosed your latest invoice ...


    3 May 2016: 2986010236_1941512.docm - Current Virus total detections 3/56*
    .. MALWR shows a download of Dridex banking Trojan from
    http ://le-journal-du-cun .info/09u8h676rc (VirusTotal 6/56**)
    Additional download locations include:
    http ://zalatajkiado .hu/09u8h676rc
    http ://bezpiecznie.w8w .pl/09u8h676rc
    http ://gepto-automates .com/09u8h676rc
    http ://color-druck-ftp .net/09u8h676rc
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1462266856/

    ** https://www.virustotal.com/en/file/a...is/1462269627/

    le-journal-du-cun .info: 217.76.132.57: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/0a...79bc/analysis/
    zalatajkiado .hu: 88.151.103.221: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/02...deb3/analysis/
    bezpiecznie.w8w .pl: 193.203.99.112: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/73...bb3c/analysis/
    gepto-automates .com: 217.76.132.26: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/ea...3cdf/analysis/
    color-druck-ftp .net: 46.30.212.10: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/c7...4b23/analysis/
    ___

    Fake 'You Are Fired' SPAM - JS malware downloads Locky
    - https://myonlinesecurity.co.uk/you-a...wnloads-locky/
    3 May 2016 - "... an email with the subject of 'You Are Fired 24534F3' [random characters] pretending to come from random names and email addresses with a zip attachment.. when/IF you open the .JS file inside it downloads Locky ransomware... it hasn’t come from your employer, but... some recipients will panic and blindly open the file and get all their files encrypted by Locky Ransomware. One of the emails looks like:
    From: Dotty Rios <RiosDotty7658@ meliajogja .com>
    Date: Tue 03/05/2016 12:38
    Subject: You Are Fired 24534F3
    Attachment: bolujou_data_54115.zip
    We regret to inform you, yet we no longer need require your services.
    Attached you can find additional information and the payout roll for the last month.


    3 May 2016: bolujou_data_54115.zip: Extracts to: trans3470.js - Current Virus total detections 1/57*
    .. Payload Security** MALWR*** shows a download from
    http ://tumarketingdiario .com/cE7ZM5.exe (VirusTotal 5/57[4]) MALWR[5].. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1462275481/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=4
    Contacted Hosts
    65.60.47.53
    91.226.93.113


    *** https://malwr.com/analysis/MTM2NDAwZ...RhN2VkZjc5MjI/
    Hosts
    65.60.47.53

    4] https://www.virustotal.com/en/file/4...is/1462275722/

    5] https://malwr.com/analysis/NjRiYTdhM...VkMjNlOTdmNTQ/

    - http://blog.dynamoo.com/2016/05/malw...-leads-to.html
    3 May 2016 - "This spam email comes with a malicious attachment.
    From: Elfrida Wymer [WymerElfrida9172@ recordshred .com]
    Date: 3 May 2016 at 12:40
    Subject: You Are Fired BBF904D
    We regret to inform you, yet we no longer need require your services.
    Attached you can find additional information and the payout roll for the last month.


    It's a bit of a self-fulfilling prophecy. If you are daft enough to download the ZIP file, and extract and run the script then perhaps you WILL get fired. According to this Malwr report*, the twice-obfuscated-script in the sample I saw downloads a binary from:
    niagara .vn.ua/5wpSRm.exe
    This Hybrid Analysis** indicates that this is Locky ransomware. The DeepViz report*** shows network traffic to:
    31.184.197.126 (Petersburg Internet Network, Russia)
    91.226.93.113 (Sobis, Russia)
    91.219.29.64 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
    This is a subset of the IPs found in this earlier spam run[4], I recommend you block-the-lot."

    * https://malwr.com/analysis/ODc0ZWY5N...YxNzlkMzU5NWM/
    Hosts
    185.68.16.6: https://www.virustotal.com/en/ip-add...6/information/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=4
    Contacted Hosts
    31.184.197.126

    *** https://sandbox.deepviz.com/report/h...9657b42fcb4e6/

    4] http://blog.dynamoo.com/2016/05/malw...tstanding.html

    niagara .vn.ua: 185.68.16.6
    ___

    Fake 'New Job Offer' SPAM - JS malware delivers Locky
    - https://myonlinesecurity.co.uk/new-j...er-js-malware/
    3 May 2016 - "... a new job paying somewhere between $300 and $1000 per day depending on which email you receive. The email has a subject of 'New Job Offer [random amounts and characters]' pretending to come from random email addresses with a zip attachment which -if- you run the .js file inside it will download Locky ransomware... One of the emails looks like:
    From: Taisha Bodily <BodilyTaisha42@ firsttimelogistics .com.br>
    Date: Tue 03/05/2016 13:02
    Subject: New Job Offer ($499,65/day – 2C9FFF5)
    Attachment: derek_copy_956559.zip
    No skills are required, perfect for housewives, students and young men. Salary: $5,000/month, offer code:2C9FFF5.
    Check out the information leaflet attached to this e-mail.


    3 May 2016: derek_copy_956559.zip: Extracts to: show2719.js - Current Virus total detections 4/57*
    .. MALWR shows a download of Locky ransomware from
    http ://conchaespina .es/SGnTkN.exe (VirusTotal 5/56**).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1462277136/

    ** https://www.virustotal.com/en/file/4...is/1462276640/

    conchaespina .es: 212.227.247.202: https://www.virustotal.com/en/ip-add...2/information/
    ___

    Fake 'Amazon' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/your-...ivering-locky/
    3 May 2016 - "... an email with the subject of 'Your Amazon .co.uk order has dispatched (#758-8060509-6716957)' [random numbered] pretending to come from Amazon .com <auto-shipping@ amazon .com>. This is delivering the -same- Locky Ransomware version as described in this earlier post:
    > https://myonlinesecurity.co.uk/help-...88-js-malware/
    One of the emails looks like:
    From: Amazon .com <auto-shipping@ amazon .com>
    Date: blank
    Subject: Your Amazon .co.uk order has dispatched (#758-8060509-6716957)
    Attachment: ORDER-758-8060509-6716957.zip


    Body content: Totally blank

    Other download sites in this malspam run delivering Locky include:
    http ://14daystresscure .com/89yg7g87byi - 192.185.64.62
    http ://apteka24.strefa .pl/89yg7g87byi - 217.74.66.167
    http ://bara.ovh .org/89yg7g87byi - 46.105.198.1
    http ://discountghd .org/89yg7g87byi - 210.1.60.27
    http ://ikiartimatbaa .com/89yg7g87byi - 94.73.150.20
    http ://istvest .com/89yg7g87byi - 79.98.29.30
    http ://kroppo.za .pl/89yg7g87byi - 193.203.99.115
    http ://metin2dlz.hi2 .ro/89yg7g87byi - 89.42.39.75
    http ://paraisofuneraria .com.br/89yg7g87byi - 177.12.164.96
    http ://physiob .de/89yg7g87byi - 81.169.145.163
    http ://virusremovals .org/89yg7g87byi - 173.254.28.156
These sites have been used to deliver several different versions of Locky at differing times today... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    ___

    Fake 'Invoice' SPAM - leads to Angler EK
    - https://myonlinesecurity.co.uk/invoi...r-exploit-kit/
    3 May 2016 - "An email with the subject of 'Invoice 80005 from VeriSign, Inc.' pretending to come from VeriSign with-a-link is another one from the current bot runs which tries to infect your computer via the Angler exploit kit on the remote site... link in the -iframe- is to
    http ://207.244.95.42 /twitterapi/ .. Yesterday it was to
    http ://207.244.95.41 /twitterapi/ ..

    Screenshot: https://myonlinesecurity.co.uk/wp-co...n-1024x661.png

    The -link- behind 'view invoice' takes you to various compromised sites all with an -iframe- to the Angler exploit kit... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."

    207.244.95.42: https://www.virustotal.com/en/ip-add...2/information/

    207.244.95.41: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/4a...e728/analysis/
    ___

    Fake 'CamScanner' SPAM - JS malware delivering Locky
    - https://myonlinesecurity.co.uk/scann...ky-ransomware/
2 May 2016 - "... an email with the subject of 'New Doc 134 Page 3 (random doc number, random page number)' pretending to come from 'CamScanner' <your-own-email-address>... delivers exactly the -same- Locky ransomware versions from the same download locations as described in these [1] [2] earlier posts...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...r-1024x355.png

    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    1] https://myonlinesecurity.co.uk/new-j...er-js-malware/

    2] https://myonlinesecurity.co.uk/you-a...wnloads-locky/
    ___

    Fake 'Service Fee' SPAM - JS malware leads to Locky
    - https://myonlinesecurity.co.uk/inter...eads-to-locky/
    3 May 2016 - "... an email saying you need to pay $99 for the 'requested local repairs on your street' with the subject of 'Internet Service Fee (235424ID) [random characters]' pretending to come from random email addresses... this is downloading the -same- Locky ransomware version as described in these earlier posts [1] [2]... One of the emails looks like:
    From: Emmeline Speak <SpeakEmmeline282@ sriinc .org>
    Date: Tue 03/05/2016 15:19
    Subject: Internet Service Fee (235424ID)
    Attachment: caution_addy-C3F7893_235424.zip
    Our company has made requested local repairs on your street. You are obligated to pay a fee of $99.00.
    More information in the document enclosed.


    This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    1] https://myonlinesecurity.co.uk/new-j...er-js-malware/

    2] https://myonlinesecurity.co.uk/you-a...wnloads-locky/

    Last edited by AplusWebMaster; 2016-05-03 at 21:35.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

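The posts above keep repeating two lures: a ZIP (or RAR) attachment whose only member is a .js/.wsf script wearing a document icon, and a .docm/.doc/.rtf that asks the reader to "enable macros". Below is an added example (written here, not code from any of the quoted blogs) of a small mail-gateway triage routine that catches both kinds by looking at the bytes rather than the icon: it flags script and double-extension names inside archives, detects a VBA project inside an OOXML container, and applies a heuristic to legacy OLE/RTF files. The sample attachments at the bottom are constructed placeholders with the same file names the posts report, not the real malware; RAR archives are not parsed here and would need an extra library.

```python
import io
import zipfile

# Extensions that run as code when double-clicked on Windows, and the decoy
# extensions the campaigns above hide them behind (invoice.pdf.exe etc.).
SCRIPT_EXT = {"js", "jse", "wsf", "vbs", "vbe", "hta", "exe", "scr", "cmd", "bat", "ps1"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "jpg", "png", "txt"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container


def risky_name(name):
    """Return a reason string if the file name alone is suspicious, else None."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2:
        return None
    if parts[-1] in SCRIPT_EXT:
        if len(parts) >= 3 and parts[-2] in DECOY_EXT:
            return "double extension hides executable: " + name
        return "script/executable attachment: " + name
    return None


def ooxml_has_macro(data):
    """A macro-enabled OOXML file (.docm/.xlsm) ships its VBA project as
    word/vbaProject.bin or xl/vbaProject.bin inside the ZIP container."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def legacy_doc_suspicious(data):
    """Heuristic for .doc/.rtf: an OLE file whose directory names a VBA project
    (directory names are stored UTF-16LE), or an RTF carrying an embedded OLE
    object. A real parser (e.g. oletools) is needed for a definitive answer."""
    if data.startswith(OLE_MAGIC):
        return "_VBA_PROJECT".encode("utf-16-le") in data
    if data.startswith(b"{\\rtf"):
        return b"\\objdata" in data
    return False


def triage(filename, data):
    """Return a list of findings for one attachment (empty list: nothing seen)."""
    findings = []
    reason = risky_name(filename)
    if reason:
        findings.append(reason)
    if data[:2] == b"PK":                      # ZIP container: archive or OOXML
        if ooxml_has_macro(data):
            findings.append("Office document with VBA macro project: " + filename)
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for member in z.namelist():
                    mreason = risky_name(member)
                    if mreason:
                        findings.append("inside %s: %s" % (filename, mreason))
                    blob = z.read(member)
                    if blob[:2] == b"PK" and ooxml_has_macro(blob):
                        findings.append("inside %s: Office document with VBA macro project: %s" % (filename, member))
        except zipfile.BadZipFile:
            findings.append("unreadable ZIP container: " + filename)
    elif legacy_doc_suspicious(data):
        findings.append("legacy Office/RTF with VBA project or embedded OLE object: " + filename)
    return findings


# --- constructed samples: placeholders with the posts' file names, not the real malware ---
def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, blob in members.items():
            z.writestr(name, blob)
    return buf.getvalue()

SAMPLE_JS_ZIP = _zip({"trans3470.js": b"var x = 'constructed placeholder, not the real downloader';"})
SAMPLE_DOCM = _zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                    "word/vbaProject.bin": b"\x00"})
SAMPLE_DOUBLE_EXT = _zip({"invoice.pdf.exe": b"MZ placeholder"})
SAMPLE_RTF = b"{\\rtf1\\object\\objemb{\\*\\objdata 0105000002000000}}"
SAMPLE_CLEAN = _zip({"report.txt": b"nothing to see here"})

if __name__ == "__main__":
    for name, blob in [("bolujou_data_54115.zip", SAMPLE_JS_ZIP), ("2986010236_1941512.docm", SAMPLE_DOCM),
                       ("order.zip", SAMPLE_DOUBLE_EXT), ("amy.hewitt_copy_792752.rtf", SAMPLE_RTF),
                       ("report.zip", SAMPLE_CLEAN)]:
        print(name, "->", triage(name, blob) or ["clean"])
```

The name check deliberately runs on archive members, not just the outer attachment, because every JS-in-ZIP sample above has a harmless-looking .zip name; the macro check keys on the container contents, so renaming a .docm to .doc (or the "Attachment File Type: PDF" claim in the Scan Data lure) changes nothing.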
#959 AplusWebMaster (Adviser Team)

Fake 'info', 'scan10001', 'transaction history' SPAM, Malvertising, Big data breaches

    FYI...

    Fake 'info' SPAM - JS malware downloads Locky
    - https://myonlinesecurity.co.uk/blank...wnloads-locky/
    4 May 2016 - "A -blank- email with the subject of 'info' pretending to come from asisianu@ pauleycreative .co.uk with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
    From: asisianu@ pauleycreative .co.uk
    Date: Wed 04/05/2016 14:20
    Subject: info
    Attachment: info.zip


    Body content: Totally blank/empty

    4 May 2016: info.zip: Extracts to: document_copy.js - Current Virus total detections 5/57*
    .. MALWR** shows a download of Locky ransomware from
    http ://tasox .eu/v/log.php?f=403 (VirusTotal 5/57***). I was unable to get any malware myself direct from the website. The downloaded malware came from MALWR.
    Update: It looks like this is actually part of the recent Angler kit malspam campaign, where the gate link is malspammed out. Then it -redirects- via an -iframe- to another site then bounces on the Angler site, where it downloads Locky or whichever other Malware/Trojan/Ransomware it wants to infect you or compromise you with... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1462350988/

    ** https://malwr.com/analysis/NzM5Y2MyM...M4YWVmODEyMGU/
    Hosts
    212.47.208.164: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/16...fe12/analysis/
    138.201.95.72: https://www.virustotal.com/en/ip-add...2/information/

    *** https://www.virustotal.com/en/file/e...is/1462351541/
    TCP connections
    31.184.197.126: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Fake 'scan10001' SPAM - JS malware delivers Locky
    - https://myonlinesecurity.co.uk/email...ivers-locky-b/
    4 May 2016 - "An email with the subject of 'Emailing: scan10001' pretending to come from Ahmed Al-Zamil <ahmed.al-zamil@ torathuna .com> with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
    From: Ahmed Al-Zamil <ahmed.al-zamil@ torathuna .com>
    Date: Wed 04/05/2016 12:16
    Subject: Emailing: scan10001
    Attachment: scan10001.rar
    Your message is ready to be sent with the following file or link
    attachments:
    scan10001
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled.


    4 May 2016: scan10001.rar: Extracts to: 2016-80506_2016052.js - Current Virus total detections 23/56*
    ... downloads Locky ransomware from
    kochgruppe-franken .de/09u87tgy (VirusTotal 3/56**) which is exactly the -same- Locky version as described in THIS earlier post[1], so they will be using the same download locations in both campaigns... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1441173827/

    ** https://www.virustotal.com/en/file/0...is/1462360492/

    1] https://myonlinesecurity.co.uk/mpsmo...macro-malware/

    kochgruppe-franken .de: 81.169.145.160: https://www.virustotal.com/en/ip-add...0/information/
    >> https://www.virustotal.com/en/url/9a...388d/analysis/
    ___

    Fake 'transaction history' SPAM - JS malware downloads Locky
    - https://myonlinesecurity.co.uk/your-...it-js-malware/
    4 May 2016 - "An email with the subject of 'RE: ' pretending to come from random names & email addresses with a zip attachment is another one from the current bot runs which downloads Locky ransomware... has a massive 525kb js file inside the zip. The zip actually contains 3 identical copies of the same file... One of the emails looks like:
    From: Zackary Ramsey <RamseyZackary1901@ anno1911 .nl>
Date: Wed 04/05/2016 16:21
    Subject: Re:
    Attachment: transactions_632.zip
    Hi, beavers
    Your balance and recent transaction history is attached to this mail. Please verify it
    Regards,
    Zackary Ramsey


    4 May 2016: transactions_632.zip: Extracts to: 51434_51434.js - Current Virus total detections 1/56*
    .. MALWR** shows a download of Locky ransomware from
http ://richmondsofa .com/v6yhsa (VirusTotal 5/56***).. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1462376280/

    ** https://malwr.com/analysis/MzM1Mjc5N...E3Zjc1ZDU1Yjg/
    Hosts
    46.30.212.96: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/0c...3183/analysis/
    185.22.67.108: https://www.virustotal.com/en/ip-add...8/information/

    *** https://www.virustotal.com/en/file/c...is/1462376825/
    TCP connections
    185.22.67.108
    ___

    CBS-affiliated TV Stations expose Visitors to Angler EK / Malvertising
    - https://blog.malwarebytes.org/threat...r-exploit-kit/
May 4, 2016 - "A rogue advertiser managed to subvert the Taggify self-serve ad platform to push the Angler exploit kit to unsuspecting visitors of two CBS affiliated TV stations. One in St. Louis called KMOV, and the other, WBTV, is located in Charlotte, North Carolina. This malvertising attack leveraged a familiar technique of -hijacking- GoDaddy accounts to create various subdomains pointing to malicious servers. These are used to host the ad content (JavaScript, image, etc.) but also to hide malicious code and alternate between clean and infected adverts depending on multiple factors (time of day, user agent, IP blacklist, etc). While the main malvertising domain was actually parked (its name was registered but there is no relevant content) the subdomain is happily hosting an ad banner:
    > https://blog.malwarebytes.org/wp-con..._subdomain.png
    Web crawlers and scanners will be served the ‘normal’ ad banner, genuine users will be handed an extraneous iframe, -redirecting- to the infamous Angler exploit kit:
    > https://blog.malwarebytes.org/wp-con...16/05/Flow.png
    Attack flow:
    Publisher: kmov .com
    Ad platform: data.rtbfy .com/rtb2?{redacted}
    Rogue advertiser: som.barkisdesign .com/creatives/tag.js?cp=309505341&domain=kmov .com
    Angler EK: parkwateavereverende .fredricholmgren .se/sinuously/0679/31/74/283325.html?utm_source=kmov .com
    The Angler exploit kit has been known to actively push its own version of ransomware, dubbed CryptXXX as well as other types of malware via the Bedep Trojan. The best line of defense against malvertising and ransomware attacks remains a combination of safe practices (regular updates, backups) and layered protection (Anti-Malware, Anti-Exploit). We have informed the ad platform, publisher and GoDaddy about this attack which was still ongoing at the time of posting.
    IOCs:
    som .barkisdesign .com
    199.255.137.197: https://www.virustotal.com/en/ip-add...7/information/

    parkwateavereverende .fredricholmgren .se: 46.30.212.217:
    - https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/ed...3d5a/analysis/
    ___

    Big data breaches found at major Email services
    - http://www.reuters.com/article/us-cy...-idUSKCN0XV1I6
    May 4, 2016 - "Hundreds-of-millions of -hacked- usernames and passwords for email accounts and other websites are being traded in Russia's criminal underworld, a security expert told Reuters. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru (MAILRq.L), Russia's most popular email service, and smaller fractions of Google (GOOGL.O), Yahoo (YHOO.O) and Microsoft (MSFT.O) email users, said Alex Holden, founder and chief information security officer of Hold Security*. It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago.
    Holden was previously instrumental in uncovering some of the world's biggest known data breaches, affecting tens of millions of users at Adobe Systems (ADBE.O), JPMorgan (JPM.N) and Target (TGT.N) and exposing them to subsequent cyber crimes. The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totaling 1.17 billion records. After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts - a big chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year. It also included tens of millions of credentials for the world's three big email providers, Gmail, Microsoft and Yahoo, plus hundreds of thousands of accounts at German and Chinese email providers..."
    * http://holdsecurity.com/news/the_collector_breach/

    > http://arstechnica.com/security/2016...a-is-98-bogus/
    May 6, 2016

    Last edited by AplusWebMaster; 2016-05-08 at 17:59.

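Nearly every post above ends with the same kind of indicator list: defanged URLs ("http ://host .tld/path"), "domain .tld: IP" pairs, dynamoo's "Recommended blocklist" of callback IPs, and Malwarebytes' IOC lines. Two things stand out from the lists themselves: the same download path (e.g. /89yg7g87byi or /09y8hb7v6y7g) is reused across a dozen compromised hosts in one run, and the callbacks are bare IPs with no domain at all. The following is an added example (written here, not code from the quoted blogs) that refangs such lines into separate host, IP and URL-path sets and then matches proxy, firewall and DNS log lines against all three, so an IP-only callback or a known path on a host that is not yet listed still produces a hit. The IOC text is a subset copied from the posts above; the log lines are constructed, in squid-, iptables- and BIND-like formats, and the internal 10.1.2.33 client is invented.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://\S+", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# a bare 'host.tld/path' with no scheme, as several posts list them
BARE_URL_RE = re.compile(r"(?<![/\w@.-])((?:[a-z0-9-]+\.)+[a-z]{2,}/\S*)", re.I)


def refang(line):
    """Undo the defanging used in the posts ('http ://x .y /p' -> 'http://x.y/p')."""
    line = re.sub(r"(?i)(https?)\s*:\s*//", r"\1://", line)
    line = re.sub(r"\s+\.", ".", line)
    line = re.sub(r"(?<=\S)\s+/", "/", line)
    if not URL_RE.search(line):
        line = BARE_URL_RE.sub(r"http://\1", line)
    return line


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_iocs(text):
    """Return (hosts, ips, paths) sets from defanged IOC lines; '#' lines are comments."""
    hosts, ips, paths = set(), set(), set()
    for raw in text.splitlines():
        line = refang(raw.strip())
        if not line or line.startswith("#"):
            continue
        for url in URL_RE.findall(line):
            u = urlsplit(url)
            if u.hostname:
                (ips if _is_ip(u.hostname) else hosts).add(u.hostname.lower())
            if u.path and u.path != "/":
                paths.add(u.path)
        rest = URL_RE.sub(" ", line)
        ips.update(ip for ip in IP_RE.findall(rest) if _is_ip(ip))
        hosts.update(h.lower() for h in HOST_RE.findall(IP_RE.sub(" ", rest)))
    return hosts, ips, paths


def match_log(lines, hosts, ips, paths):
    """Return (line_no, indicator, kind) for every hit in proxy/firewall/DNS log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):            # proxy-style lines carry full URLs
            u = urlsplit(url)
            h = (u.hostname or "").lower()
            if h in hosts or h in ips:
                hits.append((n, h, "ip" if h in ips else "host"))
            if u.path in paths:                      # same path, possibly a new host
                hits.append((n, u.path, "path"))
        rest = URL_RE.sub(" ", line)
        hits.extend((n, ip, "ip") for ip in IP_RE.findall(rest) if ip in ips)
        hits.extend((n, h.lower(), "host") for h in HOST_RE.findall(rest) if h.lower() in hosts)
    return hits


# IOC lines copied from the posts above, still in their defanged form (subset)
IOC_TEXT = """
# download sites, 'domain - ip' pairs and bare callback IPs, as the posts list them
http ://tasox .eu/v/log.php?f=403 - 212.47.208.164
http ://richmondsofa .com/v6yhsa
kochgruppe-franken .de/09u87tgy - 81.169.145.160
http ://14daystresscure .com/89yg7g87byi - 192.185.64.62
http ://physiob .de/89yg7g87byi - 81.169.145.163
som .barkisdesign .com
31.184.197.126
http ://207.244.95.42 /twitterapi/
"""

# constructed log lines (squid-, iptables- and BIND-like); 10.1.2.33 is an invented client
LOG_LINES = [
    "1462350988.412 10.1.2.33 TCP_MISS/200 GET http://tasox.eu/v/log.php?f=403 - DIRECT/212.47.208.164 application/octet-stream",
    "1462351001.007 10.1.2.33 TCP_MISS/200 GET http://www.example.net/index.html - DIRECT/93.184.216.34 text/html",
    "1462351042.550 10.1.2.33 TCP_MISS/200 GET http://unknownhost.example/89yg7g87byi - DIRECT/198.51.100.7 application/x-msdownload",
    "May  4 14:22:19 fw kernel: OUT=eth0 SRC=10.1.2.33 DST=31.184.197.126 PROTO=TCP DPT=443",
    "May  4 14:23:01 dns named: client 10.1.2.33 query: som.barkisdesign.com IN A",
]


def run_example():
    hosts, ips, paths = parse_iocs(IOC_TEXT)
    return hosts, ips, paths, match_log(LOG_LINES, hosts, ips, paths)


if __name__ == "__main__":
    hosts, ips, paths, hits = run_example()
    print("block hosts:", sorted(hosts))
    print("block ips:  ", sorted(ips))
    print("watch paths:", sorted(paths))
    for hit in hits:
        print("HIT line %d: %s (%s)" % hit)
```

The firewall line (4) matches only because the IP set is kept alongside the domain set; a DNS-based block on the listed domains would never see that connection. The path hit on line 3 is the reason to keep the download path as its own indicator: the runs above rotate through many hacked hosts per day but keep the path fixed for the whole run.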
#960 AplusWebMaster (Adviser Team)

Fake 'Statement', 'Scan Data', 'Certificate UPDATE', 'Refund', 'online order' SPAM

    FYI...

    https://blogs.msdn.com/themes/blogs/...006&GroupKeys=
    “… be aware that malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists…”

    Fake 'Statement' SPAM - leads to Dridex
    - http://blog.dynamoo.com/2016/05/malw...-attached.html
    5 May 2016 - "This -fake- financial spam leads to malware. Details change slightly from email to email:
    From: Administrator [adminHb@ victimdomain .tld]
    Date: 5 May 2016 at 11:29
    Subject: Statement 6BBC0E
    Please See Attached

    Scanned by MailDefender Plus, powered by Symantec Email Security.cloud ...
    This email has been checked for viruses by Avast antivirus software...


    It must be safe.. scanned by both Symantec and Avast! Well, of course that's just BS and the attached DOC file leads to malware, specifically the -same- payload as seen in this slightly earlier spam run*."
    * http://blog.dynamoo.com/2016/05/malw...scan-data.html
    5 May 2016 - "This -fake- document scan appears to come from within the victim's own domain (but this is just a simple forgery) and has a malicious attachment:
    From: DocuCentre-IV [DocuCentre1230@ victimdomain .tld]
    Date: 5 May 2016 at 10:27
    Subject: Scan Data
    Number of Images: 1
    Attachment File Type: PDF ...


    Details vary slightly from message to message. Attached is a DOC file (not a PDF) starting with PIC, DOC or IMG in the samples I have seen plus a random number. Typical VirusTotal detection rates are 6/56 [1].. [6]. Various automated analyses of these documents [7].. [17] show a binary being downloaded from the following locations:
    fm1.ntlweb .org/87hcnrewe
    iconigram .com/87hcnrewe
    www .sammelarmband .de/87hcnrewe
    hospice.psy .free.fr/87hcnrewe
    This dropped file has a detection rate of 5/46*. This Hybrid Analysis** and this DeepViz report*** show subsequent network traffic to:
    192.241.252.152 (Digital Ocean, US)
    195.169.147.26 (Culturegrid.nl, Netherlands)
    70.164.127.132 (Southland Technology, US)
    The characteristics of the payload suggest this is the Dridex banking trojan.
    Recommended blocklist:
    192.241.252.152
    195.169.147.26
70.164.127.132"
    1] https://www.virustotal.com/en/file/a...4fab/analysis/

    6] https://www.virustotal.com/en/file/9...c46b/analysis/

    7] https://malwr.com/analysis/MzZiZDQzZ...RlY2FjNzYwZjM/

    17] https://www.hybrid-analysis.com/samp...nvironmentId=4

    * https://www.virustotal.com/en/file/8...is/1462442350/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    *** https://sandbox.deepviz.com/report/h...4e194d6388e68/

    - https://myonlinesecurity.co.uk/scan-...macro-malware/
5 May 2016 - "An email with the subject of 'Scan Data' pretending to come from DocuCentre-IV <DocuCentre071@ your-email-address > with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: DocuCentre-IV <DocuCentre071@ your-email-address >
    Date: Thu 05/05/2016 10:26
    Subject: Scan Data
    Attachment: SCAN000209053.doc
    Number of Images: 1
    Attachment File Type: PDF


    Or version 2 (administrator version):
    Please See Attached

    Scanned by MailDefender Plus, powered by Symantec Email Security.cloud ...
    This email has been checked for viruses by Avast antivirus software...


    5 May 2016: SCAN000209053.doc - Current Virus total detections 5/56*
    .. MALWR** shows a download from
    http ://www.sammelarmband .de/87hcnrewe (VirusTotal ***).. MALWR (on that) is inconclusive but looks like either Locky ransomware or Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1462440302/

    ** https://malwr.com/analysis/NDMxYTVlN...FmOTgwMWE1ZTI/
    Hosts
    81.169.145.92: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/a2...fc85/analysis/

    sammelarmband .de: 81.169.145.92

    *** https://www.virustotal.com/en/file/8...6b3e/analysis/
    ___

    Fake 'Certificate UPDATE' SPAM - JS malware
    - https://myonlinesecurity.co.uk/certi...ss-js-malware/
5 May 2016 - "An email pretending to be a notification that you need to update your webmail certificate with the subject of 'Certificate UPDATE' pretending to come from 'Incoming Fax' <Incoming.Fax@ your-own-email-domain > with a zip attachment is another one from the current bot runs... The attachment name matches the certificate number in the body of the email...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...E-1024x613.png

    5 May 2016: Certificate_9298-4437-QBXB-3356-CUBF-3728.zip: Extracts to: Certificate.js
    Current Virus total detections 4/54*: MALWR** shows a download from
    http ://www .valvedistributors .com.au/wp-content/uploads/2016/04/certificateA79EF99W89Q7.exe (VirusTotal 3/55***)
    .. MALWR[4]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1462443505/

    ** https://malwr.com/analysis/ZDM3NTJiZ...UyMzJlM2U4NDY/
    Hosts
    104.28.27.13: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/e0...5852/analysis/

    *** https://www.virustotal.com/en/file/3...is/1462446273/

    4] https://malwr.com/analysis/OTNiOTM2O...I3ZDY2MzE0Nzk/
    ___

    Fake 'Refund Unsuccessful' SPAM - JS malware
    - https://myonlinesecurity.co.uk/refun...nd-js-malware/
    5 May 2016 - "An email with the subject of 'Refund Unsuccessful C1CE' [random characters] pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads some malware... One of the emails looks like:
    From: Adriane Casson <CassonAdriane21541@ bob-bike .com>
    Date: Thu 05/05/2016 13:37
    Subject: Refund Unsuccessful C1CE
    Attachment: copy_gr_695715.zip
    Your order has been cancelled, however, we are not able to proceed with the refund of $140,47.
    All the information on your case C1CE is listed in the document below.


    5 May 2016: copy_gr_695715.zip: Extracts to: doc_QZOImnHYub.js - Current Virus total detections 1/55*
    .. MALWR** shows a download from
    http ://jtapecustom .com/adm.exe (VirusTotal 4/56***)... possibly Dridex, but might be Locky... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/6...is/1462452122/

    ** https://malwr.com/analysis/MzMzZGMyM...RmODkxY2ZkM2E/
    Hosts
    162.13.162.105: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/b5...b1da/analysis/

    *** https://www.virustotal.com/en/file/4...is/1462452536/
    ___

    Fake 'Ticket' SPAM - JS malware delivers Locky
    - https://myonlinesecurity.co.uk/blank...elivers-locky/
    5 May 2016 - "... a -blank- email with the subject of 'Ticket' pretending to come from random names @ gmail .com with a zip attachment is another one from the current bot runs which downloads Locky ransomware... they have just spoofed the @Gmail address... One of the emails looks like:
    From: Justine walker <Everette6879@ gmail .com>
    Date: Thu 05/05/2016 17:18
    Subject: Ticket
    Attachment: TICKET-T007054882478807.zip


    Body content: totally -blank-

    5 May 2016: TICKET-T007054882478807.zip: Extracts to: VA4309497433399300.js - Current Virus total detections 1/55*
    A manual analysis shows a download of Locky from
lovesanimals .com/09y8hb7v6y7g (VirusTotal 2/55**) MALWR[3] | Payload Security[4]
    Other download sites found so far include:
    buntrocks .com/09y8hb7v6y7g - 64.22.106.154
    www .semann .de/09y8hb7v6y7g - 81.169.145.77
    http ://svitpokrivli .com/09y8hb7v6y7g - 91.203.144.46
    http ://drdianateachertraining .com/09y8hb7v6y7g - 74.220.207.114
    advocacyhealthcare .com/09y8hb7v6y7g - 162.144.5.3
    barebooger .com/09y8hb7v6y7g - 162.210.102.65
    ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/5...is/1462465832/

    ** https://www.virustotal.com/en/file/8...is/1462464264/

    3] https://malwr.com/analysis/ZjAxOWQ0Y...JiYjk4MzE5Njc/

    4] https://www.hybrid-analysis.com/samp...nvironmentId=4
    Contacted Hosts
    138.201.95.72: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/ee...0b7d/analysis/
    ___

    Fake 'Your ID card has been found' SPAM - doc macro malware
    - https://myonlinesecurity.co.uk/your-...macro-malware/
5 May 2016 - "An email with the subject of 'Your ID card has been found' pretending to come from random email addresses with a malicious word doc RTF attachment is another one from the current bot runs... The attachment name is created by prepending the recipient's name (the part before the @ in the email address) to _copy_, _details_ or _scan_ followed by random numbers and .rtf. The email looks like:
    From: Alois.Lorenz7@ ozsu .com.tr
    Date: Thu 05/05/2016 18:15
    Subject: Your ID card has been found
    Attachment: amy.hewitt_copy_792752.rtf
    Hello, we have found your ID card on April 29th, 2016.
    Please review the scanned version let us know if it’s yours.


    5 May 2016: amy.hewitt_copy_792752.rtf - Current Virus total detections 3/56*
    .. MALWR shows a download from
    http ://911.sos-empleados .net/newera/walkthisland/greenland.php which gave me sashagrey.jpg (-not- a jpg but a renamed .exe) (VirusTotal 4/56**).. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1462468652/

    ** https://www.virustotal.com/en/file/7...is/1462469305/

    911.sos-empleados .net: 31.131.22.156: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/df...6bc3/analysis/
    ___

    Fake 'Someone Might Be Using Your Account' SPAM - doc macro malware leads to Dridex
    - https://myonlinesecurity.co.uk/someo...ads-to-dridex/
    5 May 2016 - "An email with the subject of 'Someone Might Be Using Your Account 022FCF' [random characters] pretending to come from random names and email addresses with a malicious word doc rtf -or- a zip file attachment is another one from the current bot runs... The email looks like:
    From: Jenna Lynn <LynnJenna657@ etoz .com.my>
    Date:
    Subject: Someone Might Be Using Your Account 022FCF
    Attachment: [either word rtf doc like fininfo_38955.rtf -or- zip file like derek_account_39115.zip]
    Your account was access on April 12, 2016 at 09:07 PM from Barcelona, Spain.
    Please, confirm the details and check the security report enclosed.


    5 May 2016: fininfo_38955.rtf - Current VirusTotal detections 3/56*
    .. MALWR** shows a download from
    http ://911.sos-empleados .net/newera/walkthisland/greenland.php which is the same as THIS post[1]
    5 May 2016: derek_account_39115.zip extracts to: details_G1xAIwQEscaW4ULy.js
    Current VirusTotal detections 1/56***. MALWR**** shows a download from
    http ://jtapecustom .com/adm.exe Which is the -same- malware as THIS post[2].."
    * https://www.virustotal.com/en/file/6...is/1462472152/

    ** https://malwr.com/analysis/YWVkNDZjO...EyNmZiMDAxYTU/
    Hosts
    31.131.22.156

    *** https://www.virustotal.com/en/file/7...is/1462472608/

    **** https://malwr.com/analysis/MjM2ODYxY...NmNmFlOGNhYjM/
    Hosts
    162.13.162.105

    1] https://myonlinesecurity.co.uk/your-...macro-malware/

    2] https://myonlinesecurity.co.uk/refun...nd-js-malware/
    ___

    Fake 'online order' SPAM - doc rtf macro malware
    - https://myonlinesecurity.co.uk/thank...macro-malware/
    4 May 2016 - "An email with the subject of 'Thank you! Your online order was placed successfully' pretending to come from random names and email addresses with a malicious word RTF doc attachment is another one from the current bot runs... The email looks like:
    From: Hickman.Fuchs82@ vsepaketi .ru
    Date: Wed 04/05/2016 19:48
    Subject: Thank you! Your online order was placed successfully
    Attachment: rechn_comerz(052016)_5964.rtf
    Thank you for shopping with Sumitomo Mitsui Financial Group Inc
    Your order status was changed to [PROCESSING]. You can view order details in the document attached
    We’ll send you email once the goods will be passed to delivery notifying the status change to [DISPATCHED]
    If you have any queries do not hesitate to contact us via email or telephone.
    Kind Regards,
    Hickman Fuchs
    Sumitomo Mitsui Financial Group Inc ...


    4 May 2016: rechn_comerz(052016)_5964.rtf - Current VirusTotal detections 2/56*
    .. MALWR** shows a download from
    http ://sin.grupo-integral .co/lexisnexis/search/bgreport.php which gave me _Locky_5300ad7f.exe (VirusTotal ***)
    .. MALWR[4]... Update: I am assured that this is Locky ransomware.. the failure of MALWR to analyse it is due to VM awareness, so it acts different... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/1...is/1462389649/

    ** https://malwr.com/analysis/YTIxOWQzZ...E2MjA4YTVhMjg/
    Hosts
    146.120.89.47: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/85...1c6f/analysis/

    *** https://www.virustotal.com/en/file/b...c1a0/analysis/

    4] https://malwr.com/analysis/YjI2NWVhO...NjYzMzNzQxOGE/

    Last edited by AplusWebMaster; 2016-05-05 at 21:31.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
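The three reports above share one delivery pattern: a macro-bearing RTF or a ZIP containing a .js file, which then fetches an executable that is sometimes disguised with an image extension (the "sashagrey.jpg" that is really an .exe). The following attachment-triage script is an added example written for this page, not code from the blog author or the forum poster. It checks the real container type by magic bytes instead of trusting the file name, lists script members inside a ZIP, flags macro-capable document formats, and matches the "<local-part>_copy/_details/_scan_<digits>.rtf" naming convention described in the 'Your ID card has been found' post. The sample files it runs on are constructed stubs (a minimal MZ header, a one-line RTF, a ZIP with a single .js member); only the file names are taken from the reports above.

```python
import io
import re
import zipfile

# Magic bytes for the container types that appear in these campaigns.
PE_MAGIC = b"MZ"
RTF_MAGIC = b"{\\rt"
ZIP_MAGIC = b"PK\x03\x04"
JPEG_MAGIC = b"\xff\xd8\xff"

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}
MACRO_EXTS = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".rtf"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}


def sniff(data: bytes) -> str:
    """Identify the real container from its first bytes, ignoring the file name."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def ext_of(name: str) -> str:
    """Lower-cased final extension of a file name, or '' if it has none."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", name)
    return m.group(1).lower() if m else ""


def scripts_in_zip(data: bytes) -> list:
    """Names of script members (the .js droppers) inside a ZIP payload."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if ext_of(n) in SCRIPT_EXTS]


def matches_campaign_name(recipient: str, attachment: str) -> bool:
    """True if the attachment follows <local-part>_(copy|details|scan)_<digits>.rtf,
    the naming scheme reported for the 'Your ID card has been found' run."""
    local = recipient.split("@", 1)[0]
    pattern = rf"{re.escape(local)}_(copy|details|scan)_\d+\.rtf"
    return re.fullmatch(pattern, attachment, re.IGNORECASE) is not None


def triage(name: str, data: bytes) -> list:
    """Return human-readable findings for one attachment; empty list means nothing flagged."""
    findings = []
    ext = ext_of(name)
    kind = sniff(data)
    if kind == "pe" and ext not in EXEC_EXTS:
        # The renamed-.exe-as-.jpg trick: MZ header behind a harmless-looking extension.
        findings.append(f"executable (MZ) content behind '{ext or 'no'}' extension")
    if ext in MACRO_EXTS:
        findings.append("macro-capable Office/RTF attachment")
    if kind == "zip":
        scripts = scripts_in_zip(data)
        if scripts:
            findings.append("archive carries script file(s): " + ", ".join(scripts))
    return findings


def _build_zip(member: str, body: bytes) -> bytes:
    """Helper to construct an in-memory ZIP for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, body)
    return buf.getvalue()


# Constructed samples, not the real files from the reports: a stub PE header,
# a one-line RTF, and a ZIP whose only member is a .js file.
SAMPLE_RENAMED_EXE = PE_MAGIC + b"\x90\x00" + b"\x00" * 60
SAMPLE_RTF = b"{\\rtf1\\ansi stub}"
SAMPLE_JS_ZIP = _build_zip("details_G1xAIwQEscaW4ULy.js",
                           b"var o = new ActiveXObject('MSXML2.XMLHTTP');")

if __name__ == "__main__":
    for fname, blob in [("sashagrey.jpg", SAMPLE_RENAMED_EXE),
                        ("amy.hewitt_copy_792752.rtf", SAMPLE_RTF),
                        ("derek_account_39115.zip", SAMPLE_JS_ZIP)]:
        print(fname, "->", triage(fname, blob) or ["no finding"])
    print(matches_campaign_name("amy.hewitt@example.org", "amy.hewitt_copy_792752.rtf"))
```

The magic-byte check is the part worth keeping: a gateway or sandbox that keys only on the extension will happily wave through a PE called sashagrey.jpg, whereas the MZ header cannot be hidden by renaming. The naming-pattern matcher is deliberately narrow (it needs the recipient address as well as the file name) so it can be dropped into a mail-flow rule without catching legitimate "_copy" attachments sent to other people.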
