
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #961
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Fake 'Upcoming Payment', 'New Payment Received', '50 transactions' SPAM

    FYI...

    Fake 'Upcoming Payment' SPAM - JS malware delivers Dridex
    - https://myonlinesecurity.co.uk/upcom...livers-dridex/
    6 May 2016 - "An email with the subject of 'Upcoming Payment – 1 Month Notice' pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads Dridex. In exactly the same way as THIS[1] earlier Malspam run, the encrypted JavaScript file contains a long list of compromised sites that the Dridex banking Trojan is downloaded from...
    1] https://myonlinesecurity.co.uk/someo...ads-to-dridex/
    One of the emails looks like:
    From: Mona Gates <GatesMona02@ ideadigitale .org>
    Date: Thu 05/05/2016 23:20
    Subject: Upcoming Payment – 1 Month Notice
    Attachment: user_data_37776.zip
    Please, be informed regarding the upcoming payment ID:30724, which must be paid in full until the June 1st, 2016.
    Additional information is enclosed in the file down below.


    6 May 2016: user_data_37776.zip: Extracts to: details_uQG07BLH189.js - Current Virus total detections 1/56*
    .. MALWR** shows a download of Dridex banking trojan from a long list of sites (VirusTotal 7/55***). Sites discovered listed inside the encrypted js file include: (other versions of this might well include other sites):
    ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1462487086/

    ** https://malwr.com/analysis/MjUxNzY0N...JjMWJmNDc1OGQ/


    *** https://www.virustotal.com/en/file/c...is/1462507119/
    ___

    Fake 'New Payment Received' SPAM - JS malware delivers Dridex
    - https://myonlinesecurity.co.uk/new-p...livers-dridex/
    6 May 2016 - "Continuing with the overnight Malspam runs is yet another -Dridex- dropper with a long list of sites embedded inside the encrypted JavaScript file. This is an email with the subject of 'New Payment Received' pretending to come from random senders and email addresses with a zip attachment containing an encrypted JavaScript file... One of the emails looks like:
    From: Kathie Miller <MillerKathie8660@ fixed-189-252-187-189-252-125 .iusacell .net>
    Date: Fri 06/05/2016 02:01
    Subject: New Payment Received
    Attachment: caution_rob_522737.zip
    You have just received a new payment! Trans number 97407. For more information please review the transaction report enclosed.


    6 May 2016: caution_rob_522737.zip: Extracts to: cash_q9rTBHi225.js - Current Virus total detections 1/56*
    .. MALWR** shows a download of Dridex banking Trojan from the same list of sites in THIS[1] post.
    1] https://myonlinesecurity.co.uk/upcom...livers-dridex/
    .. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/f...is/1462497274/

    ** https://malwr.com/analysis/ZmVhZjIyM...JlYjc4NmI1Zjk/

    ___

    Fake '50 transactions' SPAM - JS malware delivers Locky
    - https://myonlinesecurity.co.uk/i-hav...elivers-locky/
    6 May 2015 - "An email with the subject of 'Re: ' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
    From: Helen Velazquez <VelazquezHelen20082@ sas-pt .com>
    Date: Fri 06/05/2016 09:46
    Subject: Re:
    Attachment: spreadsheet_98B.zip
    Good evening driver,
    As promised, I have attached the spreadsheet contains last 50 transaction and your account actual balance.
    Regards,
    Helen Velazquez


    6 May 2016: spreadsheet_98B.zip: Extracts to: transactions 11791799.js - Current Virus total detections 23/56*
    .. MALWR doesn’t show any downloads but a manual analysis gives me a download from
    http ://girls.web-planet .su/hs93jaks (VirusTotal 3/55**).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1441173827/

    ** https://www.virustotal.com/en/file/f...is/1462525419/
    TCP connections
    185.22.67.108: https://www.virustotal.com/en/ip-add...8/information/

    girls.web-planet .su: 217.107.34.231: https://www.virustotal.com/en/ip-add...1/information/

    Last edited by AplusWebMaster; 2016-05-06 at 15:29.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
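An added example (not code from any of the quoted sites): a gateway-side triage check for the attachment traits these write-ups keep describing, a script or executable inside a ZIP, a name that borrows a document extension such as the later KPN sample's Factuur 00055783-63845853.PDF.exe, and several identical copies of one .js as in the Dynamoo report further down the thread. The ZIP members and their contents are constructed placeholders.

```python
"""Triage a ZIP e-mail attachment for the traits the malspam posts describe:
script/executable members, names that fake a document extension (e.g.
"Factuur 00055783-63845853.PDF.exe"), and archives stuffed with several
identical copies of one script."""
import hashlib
import io
import zipfile

# Extensions that run code when double-clicked on Windows; an attachment
# carrying one of these is never a "document", whatever icon it shows.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".jar", ".ps1", ".lnk",
}
# Extensions users expect to be harmless and that spoofed names borrow.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def _extensions(name: str) -> list[str]:
    """Return every dotted suffix of a file name, lower-cased, e.g.
    'Factuur 00055783-63845853.PDF.exe' -> ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def assess_zip_attachment(data: bytes) -> dict:
    """Inspect an in-memory ZIP and return a verdict with the reasons."""
    reasons = []
    digests = {}  # sha256 -> member names sharing that exact content
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            final = exts[-1] if exts else ""
            if final in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable member: {info.filename}")
                # A document extension in front of the real one is the
                # "PDF icon on an .exe" trick the write-ups warn about.
                if any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
                    reasons.append(
                        f"document extension spoofed: {info.filename}")
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            digests.setdefault(digest, []).append(info.filename)
    for names in digests.values():
        if len(names) > 1:
            reasons.append(f"{len(names)} identical copies: {sorted(names)}")
    return {"block": bool(reasons), "reasons": reasons}


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed test data: build a ZIP from {name: content} in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples shaped like the campaigns above; contents are placeholders.
SAMPLE_JS = b"var x = 'placeholder, not a real downloader';"
SAMPLE_ZIP = build_sample_zip({
    "urgent 802194.js": SAMPLE_JS,
    "urgent 802195.js": SAMPLE_JS,
    "urgent 802196.js": SAMPLE_JS,
    "Factuur 00055783-63845853.PDF.exe": b"MZ placeholder",
})
CLEAN_ZIP = build_sample_zip({"report.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_ZIP), ("clean", CLEAN_ZIP)):
        verdict = assess_zip_attachment(blob)
        print(label, "BLOCK" if verdict["block"] else "allow")
        for reason in verdict["reasons"]:
            print("  -", reason)
```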

  2. #962
    Adviser Team AplusWebMaster's Avatar

    Fake 'KPN', 'IMPORTANT TRANSACTION' SPAM, Malvertising Blogspot

    FYI...

    Fake KPN SPAM - CTB-Locker Ransomware
    - https://blog.malwarebytes.org/cyberc...ker-infection/
    May 9, 2016 - "... an email claiming to be from KPN – a Dutch provider of internet, television, and phone – claiming an amount so high that it should raise questions or at least your blood pressure. We can safely assume that it is intended to pique the receiver's curiosity enough to get them to click-one-of-the-links in the mail:
    > https://blog.malwarebytes.org/wp-con...16/05/mail.png
    ... The spam template is an exact replica of mail KPN sends out to clients. But the “From” address is “KPN-betaalafspraak[AT]kpn[DOT]com” where real ones should come from... The three links all point to the same web address www2[DOT]uebler-gmbh[DOT]de, which is a site that belongs to a German job coaching firm. We informed them of the fact that their site is being used for this, but haven’t heard back yet. We have also informed the Dutch provider KPN through the normal channels, which probably means we will only get an automated response. Clicking-the-links in the mail will result in the download of a zip file containing a file called “Factuur 00055783-63845853.PDF.exe” showing up with a PDF icon. This is a well-known trick to deceive users that have file extensions set to “Hide extensions for known file types” into thinking that they are about to open a (harmless) document... Double-clicking the file will result in the start of the CTB locker ransomware. It creates a copy of the executable with a different name (here hlbvlli.exe) in the %Temp% folder and the creation of a Scheduled Task that will trigger that copied file every time the compromised system boots... After encryption, users are presented with the below ransom note:
    > https://blog.malwarebytes.org/wp-con.../CTBlocker.png
    ... these tricks as ransomware is becoming a bigger and more prevalent threat -every- day..."

    www2[DOT]uebler-gmbh[DOT]de: 217.114.79.125: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/d7...a6db/analysis/
    ___

    Fake 'IMPORTANT TRANSACTION' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fwdim...endout-review/
    9 May 2016 - "An email that appears to come from Western Union with the subject of 'FWD:IMPORTANT TRANSACTION SENDOUT REVIEW' pretending to come from InternationalOperations@ ababank .com <spil@ tim .spil .co.id> with a zip attachment is another one from the current bot runs which delivers malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...T-1024x533.png

    9 May 2016: Sendout-Transaction.zip: Extracts to: -2- identical files GRACE..jar and GRACE. MTCN9863521938- Copy.jar - Current Virus total detections 21/57*.. MALWR** ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1462811540/

    ** https://malwr.com/analysis/ODkxZWZlY...ZlN2Q4ZTY3Njk/
    ___

    Locky gets clever
    - https://www.fireeye.com/blog/threat-...ts_clever.html
    May 9 2016 - "... Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam emails, and may have overshadowed the Dridex banking Trojan as the top spam contributor. FireEye Labs recently observed a new development in the way this ransomware communicates with its control server. Recent samples of Locky are once again being delivered via “Invoice”-related email campaigns, as seen in Figure 1.
    1] https://www.fireeye.com/content/dam/...0Jain/Fig1.png
    When the user runs the attached JavaScript, the JavaScript will attempt to download and execute the Locky ransomware payload from hxxp :// banketcentr .ru/v8usja. This new Locky variant was observed to be highly evasive in its network communication. It uses both symmetric and asymmetric encryption – unlike previous versions that use custom encoding – to communicate with its control server... Crimeware authors are constantly improving their malware. In this case, we see them evolving to protect their malware while maximizing its infection potential. Locky has moved from using simple encoding to obfuscate its network traffic to a complex encryption algorithm using hardware instructions that are very hard to crack. These types of advancements highlight the importance of remaining vigilant against suspicious emails and using advanced technologies to prevent infections..."

    banketcentr .ru: 81.177.141.15: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/f8...7324/analysis/
    ___

    Malvertising Blogspot: Scams, Adult Content and EK's
    - https://blog.malwarebytes.org/threat...-exploit-kits/
    May 9, 2016 - "... malvertising can and does target free blogging platforms as well. Just this morning, our friends at Virus Bulletin Martijn Grooten and Adrian Luca wrote about some sites hosted on Google’s Blogspot service pushing tech support scams:
    > https://www.virusbulletin.com/blog/2...-support-scam/
    We also caught some malicious activity on the Blogger platform this past week via the PLYmedia ad network. Some Blogspot websites clearly abuse the platform and stuff ads everywhere:
    > https://blog.malwarebytes.org/wp-con...logger_ads.png
    When browsing that Blogspot site, we were automatically -redirected- to an adult page, which is definitely not good if you have kids around:
    > https://blog.malwarebytes.org/wp-con...05/match99.png
    ... There were also some -redirections- to the Angler-exploit-kit via -fake- advertisers using the fingerprinting technique:
    Ad network: wafra.adk2x .com/ul_cb/imp?p=70368645&size=300×250&ct=html&ap=1300&u=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&r=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&iss=0&f=1
    Rogue ad server: advertising.servometer .com/pagead/re136646/ad.jsp?click=%2F%2Fwafra.adk2x.com%2{redacted}
    Google Open Referer: bid.g.doubleclick .net/xbbe/creative/click?r1=http%3A%2F%2Fstewelskoensinkeike.loanreview24.com%2FScKOygTMtj_rlf_qIEgRYCq.aspx
    Angler EK landing: stewelskoensinkeike.loanreview24 .com/?k=pREU&o=gQ1U2eo&f=&t=MHl&b=O83rsW&g=&n=9rYB42&h=&j=aCYeE9iDym_Ao_T25Uhszm
    ... We have alerted Google about this issue and contacted PLYmedia to let them know about that rogue advertiser."

    wafra.adk2x .com: 104.154.33.56


    advertising.servometer .com: 51.255.17.36

    stewelskoensinkeike.loanreview24 .com: Could not find an IP address for this domain name.
    ___

    Hooplasearch and nt. hooplasearch .com Ads
    - http://www.bleepingcomputer.com/viru...oplasearch-ads
    May 6, 2016 - "'Hoopla Search' is a browser hijacker program from the Adware.BrowseFox family that hijacks your browser's default search engine and installs addons and extensions that inject advertisements in web pages and search results. 'Hoopla Search' uses these addons or extensions to -inject- advertisements into the search results on search engines such as Google and Yahoo. When the extension is installed, it will also display its own Hoopla Search page instead of your default home page..."
    (Removal instructions at the bleepingcomputer URL above.)

    Last edited by AplusWebMaster; 2016-05-10 at 00:31.
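The CTB-Locker persistence quoted above (a renamed copy of the dropper in %Temp%, launched by a Scheduled Task at every boot) can be hunted from a `schtasks /query /fo CSV /v` export. This is an added example, not code from Malwarebytes or from the post; the CSV rows are constructed, the copy name hlbvlli.exe comes from the write-up, and the column names are the ones schtasks prints.

```python
"""Hunt for the persistence CTB-Locker sets up (see the KPN write-up above):
a Scheduled Task that launches a renamed copy of the dropper out of %Temp%
every time the host boots. Input is the text `schtasks /query /fo CSV /v`
prints on Windows, so the check can run offline against an export."""
import csv
import io
import re

# Directories a legitimate scheduled task almost never launches from.
SUSPECT_DIRS = [
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
    re.compile(r"%temp%", re.IGNORECASE),
    re.compile(r"\\Windows\\Temp\\", re.IGNORECASE),
]


def suspicious_tasks(schtasks_csv: str) -> list[dict]:
    """Return tasks whose 'Task To Run' points into a temp directory, noting
    whether the trigger is boot/logon (what the ransomware relies on)."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        # schtasks repeats the header line once per task folder; skip those.
        if row.get("TaskName") == "TaskName":
            continue
        command = row.get("Task To Run") or ""
        if not any(p.search(command) for p in SUSPECT_DIRS):
            continue
        schedule = (row.get("Schedule Type") or "").lower()
        hits.append({
            "task": row.get("TaskName") or "",
            "command": command,
            "runs_at_boot": "start" in schedule or "logon" in schedule,
        })
    return hits


# Constructed sample in the shape of `schtasks /query /fo CSV /v` output,
# trimmed to the columns used here. hlbvlli.exe is the copy name from the
# Malwarebytes write-up; the host, user and the other rows are made up.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","Weekly"
"WS01","\hlbvlli","Ready","WS01\alice","C:\Users\alice\AppData\Local\Temp\hlbvlli.exe","At system start up"
"HostName","TaskName","Status","Author","Task To Run","Schedule Type"
"WS01","\GoogleUpdateTaskMachineUA","Ready","","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","Daily"
'''

if __name__ == "__main__":
    import sys
    # Pass an exported CSV as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    for hit in suspicious_tasks(text):
        flag = "BOOT/LOGON" if hit["runs_at_boot"] else "other trigger"
        print(f"{hit['task']}: {hit['command']} [{flag}]")
```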

  3. #963
    Adviser Team AplusWebMaster's Avatar

    Fake 'Draft Receipt', 'RE: ', 'credit card statement' SPAM

    FYI...

    Fake 'Draft Receipt' SPAM - malicious doc attachment
    - https://myonlinesecurity.co.uk/malwa...draft-receipt/
    10 May 2016 - "An email pretending to be a receipt containing terrible spelling or typing mistakes with the subject of 'Re:Draft Receipt' pretending to come from Awad S.Yafie <yinengchem@ yeah .net> with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...t-1024x614.png

    The malicious word doc shows a blurred image that contains an embedded OLE object that will drop and run a file if you are unwise enough to follow their suggestion to double click to see content:
    > https://myonlinesecurity.co.uk/wp-co...y-1024x535.png

    10 May 2016: Draft-MSK-001.docx - Current Virus total detections 15/56*
    .. MALWR** which contains an embedded OLE object ..Properly.exe (VirusTotal 21/56***).. MALWR[4]
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/0...is/1462832094/

    ** https://malwr.com/analysis/NmM1YTQzM...hjYjNlOTNmM2I/

    *** https://www.virustotal.com/en/file/5...is/1462830481/

    4] https://malwr.com/analysis/NWYyMTE1Z...U0OWIyNjY3ZTU/
    ___

    Fake 'RE: ' SPAM - js malware downloads Locky
    - https://myonlinesecurity.co.uk/malwa...eads-to-locky/
    10 May 2016 - "An email with the subject of 'RE: ' pretending to come from random senders with a zip attachment is another one from the current bot runs... One of the emails looks like:
    From: Therese Slater <SlaterTherese8877@ pldt .net>
    Date: Tue 10/05/2016 09:42
    Subject: RE:
    Attachment: wire_xls_AA8.zip
    hi rob,
    As I promised, the information you requested is attached.
    Regards,
    Therese Slater


    10 May 2016: wire_xls_AA8.zip: Extracts to: transactions 30248504.js - Current Virus total detections 5/57*
    .. MALWR** shows a download of Locky ransomware from
    http ://jediff .com/fgh7hd (VirusTotal 7/57***) MALWR[4]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/9...is/1462870370/

    ** https://malwr.com/analysis/ODEwNGEwN...ExODY0ZWI4YzI/
    Hosts
    160.153.76.133: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/86...3f55/analysis/
    185.82.202.170: https://www.virustotal.com/en/ip-add...0/information/

    *** https://www.virustotal.com/en/file/6...is/1462871373/

    4] https://malwr.com/analysis/NjY5OGI4M...ZiZTM4YTYyOTY/
    Hosts
    193.124.185.87: https://www.virustotal.com/en/ip-add...7/information/

    jediff .com: 160.153.76.133

    - http://blog.dynamoo.com/2016/05/malw...ument-you.html
    10 May 2016 - "This fairly brief spam has a malicious attachment:
    From: Alexandra Nunez
    Date: 10 May 2016 at 21:10
    Subject: Re:
    hi [redacted],
    As promised, the document you requested is attached
    Regards,
    Alexandra Nunez


    The name of the sender varies. Attached is a ZIP file with a name export_xls_nnn.zip or wire_xls_nnn.zip (where nnn are random letters and numbers) which contains multiple copies of the same malicious .js file (all apparently beginning urgent). These scripts download slightly different binaries from several locations including:
    4hotdeals .com.au/j47sfe
    stationerypoint .com.au/cnb3kjd
    floranectar .com.au/er5tsd
    togopp .com/vbg5gf
    printjuce .com/rt5tdf
    designitlikeal .com/cvb3ujd
    There are probably many more download locations. The typical detection rate for these binaries is about 12/56 [1] [2]... and automated analysis [6] [7]... shows network traffic to:
    5.34.183.40 (ITL, Ukraine)
    185.82.202.170 (Host Sailor, United Arab Emirates / Romania)
    185.14.28.51 (ITL, Netherlands)
    92.222.71.26 (OVH, France)
    88.214.236.11 (Overoptic Systems, UK / Russia)
    The payload is Locky ransomware
    Recommended blocklist:
    5.34.183.40
    185.82.202.170
    185.14.28.51
    92.222.71.26
    88.214.236.11
    "
    1] https://www.virustotal.com/en/file/c...46ba/analysis/
    TCP connections
    92.222.71.26

    2] https://www.virustotal.com/en/file/9...c5a5/analysis/
    TCP connections
    185.82.202.170

    6] https://malwr.com/analysis/ZGU3YjYxN...c1N2Q1NjkzZTY/
    Hosts
    185.82.202.170

    7] https://malwr.com/analysis/NGY1YzE1M...dmMGM0ZTIyZDU/
    Hosts
    185.14.28.51
    ___

    Fake 'credit card statement' SPAM - malicious attachment leads to Locky
    - https://myonlinesecurity.co.uk/malwa...o-this-e-mail/
    10 May 2016 - "An email with the subject of 'FW: ' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads what looks like Dridex banking Trojan...
    Update: according to Payload Security[6] the dropped malware is Locky...
    This set of emails has a zip attachment that extracts to an HTA file which is an Internet Explorer specific scripting file wrapped inside a standard HTML file that the browser runs. It probably can run however in Chrome, Firefox and any other browser in use. This HTA file is -obfuscated- and encodes a long list of malware URLs inside it... One of the emails looks like:
    From: Roselia Bellgrove <BellgroveRoselia914@ digicable .in>
    Date: Tue 10/05/2016 10:05
    Subject: FW:
    Attachment: bruxner_copy_873488.zip
    Please find your monthly credit card statement attached to this e-mail.
    We would also like to let you know that your negative balance has reached a maximum limit.


    10 May 2016: bruxner_copy_873488.zip: Extracts to: details_v35xnsfc24.hta - Current Virus total detections 0/57*
    .. MALWR** doesn’t show any downloads BUT JSUnpack[3] gives me the list of download locations, some of which are live and some are not responding, giving me 403 errors (VirusTotal 2/57[4]) MALWR[5]...
    .. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/e...is/1462871863/

    ** https://malwr.com/analysis/OWE3ODYzY...Y4NGRlY2UwYzU/

    3] http://jsunpack.jeek.org/?report=9d6...e81e80a5f0df22

    4] https://www.virustotal.com/en/file/5...is/1462872640/

    5] https://malwr.com/analysis/ZTM4Y2NlM...QxMWY1NjA2ZDA/

    6] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    217.12.199.94: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/14...0ebe/analysis/

    Last edited by AplusWebMaster; 2016-05-11 at 00:20.

  4. #964
    Adviser Team AplusWebMaster's Avatar

    Fake 'Emailing: Photo', 'attached document' SPAM

    FYI...

    Fake 'Emailing: Photo' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spam-...elivers-locky/
    11 May 2016 - "An email with the subject of 'Emailing: Photo 05-11-2016, 82 95 82' [random numbers] pretending to come from Your-own-email-address with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... One of the emails looks like:
    From: your own email address
    Date: Wed 11/05/2016 10:10
    Subject: Emailing: Photo 05-11-2016, 82 95 82
    Attachment: Photo 05-11-2016, 82 95 82.zip
    Your message is ready to be sent with the following file or link
    attachments:
    Photo 05-11-2016, 82 95 82
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled.


    11 May 2016: Photo 05-11-2016, 82 95 82.zip: Extracts to: Photo 05-11-2016, 42 11 82.js
    Current Virus total detections 2/56* | Hybrid analysis** | MALWR*** shows a download of Locky ransomware from
    http ://gesdes .com/87yg7yyb (VirusTotal 5/57[4]) MALWR[5]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/b...is/1462957811/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    23.229.156.225
    88.214.236.11
    5.34.183.40


    *** https://malwr.com/analysis/YWYwNmEzN...I0YTE1M2NhNjQ/
    Hosts
    23.229.156.225

    4] https://www.virustotal.com/en/file/5...is/1462958159/

    5] https://malwr.com/analysis/YzkzOWNkN...E5MjJhN2NkY2I/

    gesdes .com: 23.229.156.225: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/91...8232/analysis/

    - http://blog.dynamoo.com/2016/05/malw...5-11-2016.html
    11 May 2016 - "This spam comes with a malicious attachment:
    From: victim@ victimdomain .tld
    To: victim@ victimdomain .tld
    Date: 11 May 2016 at 12:39
    Subject: Emailing: Photo 05-11-2016, 03 26 04
    Your message is ready to be sent with the following file or link
    attachments:
    Photo 05-11-2016, 03 26 04
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled.


    It appears to come from the sender's own email address, but this is a simple forgery (explained here*). Attached is a ZIP file with a name similar to Photo 05-11-2016, 03 26 04.zip (the numbers in the attachment match the references in the email). It contains a .js file with a similar name.
    * http://blog.dynamoo.com/2011/09/why-...self-spam.html
    Trusted third-party analysis (thank you!) shows the various scripts downloading from:
    This drops a file with a detection rate of 3/56*. This is likely to be Locky ransomware, a full analysis is pending. However an earlier Locky campaign today phoned home to:
    185.82.202.170 (Host Sailor, United Arab Emirates)
    88.214.236.11 (Overoptic Systems, UK / Russia)
    5.34.183.40 (ITL, Ukraine)
    According to a DeepViz report**, this sample has identical characteristics.
    Recommended blocklist:
    185.82.202.170
    88.214.236.11
    5.34.183.40
    "
    * https://www.virustotal.com/en/file/b...is/1462969284/

    ** https://sandbox.deepviz.com/report/h...5990d77a918a7/
    ___

    Fake 'attached document' SPAM - JS attachment leads to malware
    - https://myonlinesecurity.co.uk/spam-...elivers-locky/
    11 May 2016 - "A series of emails with random subjects pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs... UPDATE: none of the automatic analysers are actually showing Locky, so it might be Dridex... Some of the subjects seen include:
    Re: employees
    Re: paychecks
    Re: other names
    Re: company
    Re: Items
    Re: build assemblies
    Re: transfers
    Re: credit memos
    Re: checks
    Re: estimates
    Re: Chart of Accounts
    Re: receive payments
    Re: credit card charges
    Re: item receipts
    Re: Vendors ...
    One of the emails looks like:
    From: Nelda Morton <MortonNelda80048@ static .vnpt.vn>
    Date: Wed 11/05/2016 10:34
    Subject: Re: employees
    Attachment:
    hello [ recipients name]
    You may refer to the attached document for details.
    Regards,
    Nelda Morton


    11 May 2016: vendors_0A591E.zip: Extracts to: -3- identical .js files - urgent 802194.js
    Current Virus total detections 4/57* | Payload Security** | MALWR*** shows a download of Locky Ransomware from
    http ://compfixuk .co.uk/uy3hds (VirusTotal 11/57[4]) MALWR[5] | Payload Security[6]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, so making it much more likely for you to accidentally open it and be infected..."

    * https://www.virustotal.com/en/file/6...is/1462960440/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.14.28.51
    88.214.236.11
    185.82.202.170


    *** https://malwr.com/analysis/OWJmYWMxM...JmMjE3MWU4YWE/
    Hosts
    81.201.141.119
    92.222.71.26


    4] https://www.virustotal.com/en/file/5...is/1462960706/

    5] https://malwr.com/analysis/OGVmOWM2Z...IyMTUyNGFlNmQ/
    Hosts
    185.14.28.51
    88.214.236.11


    6] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    92.222.71.26

    compfixuk .co.uk: 81.201.141.119: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/e4...56fb/analysis/

    Last edited by AplusWebMaster; 2016-05-11 at 19:18.

  5. #965
    Adviser Team AplusWebMaster's Avatar

    Fake 'application' SPAM

    FYI...

    Fake 'application' SPAM - JS malware attachment
    - https://myonlinesecurity.co.uk/spam-...r-application/
    12 May 2016 - "Another email with the subject of 'FW: ' pretending to come from random senders with a zip attachment is another one from the current bot runs... One of the emails looks like:
    From: Fannie Strickland <StricklandFannie70829@ hostviper .in>
    Date: Thu 12/05/2016 00:37
    Subject: FW:
    Attachment: xerox.device1_copy_885254.zip
    We have reviewed your application #885254 and would like to let you know that some imporant information is missing. Please, review the file attached and complete the highlighted parts to finalize the application process.


    12 May 2016: xerox.device1_copy_885254.zip: Extracts to: confirm_bpwmj.js - Current Virus total detections 6/57*
    .. MALWR** shows a download from
    http ://panthai .com.br/NtJx6X (VirusTotal 5/57***) MALWR[4] | Payload Security[5]
    Other sites found include: http ://festlanddesign .com/qcinTX but it looks like this particular Dridex malspam run drops multiple different file # as well as random file names... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1463028499/

    ** https://malwr.com/analysis/YjJmZDE4N...kwMDQ3NzBkYjk/
    Hosts
    200.98.201.219

    *** https://www.virustotal.com/en/file/c...is/1463012592/

    4] https://malwr.com/analysis/ZTk5ZTVhY...VhN2JmMzcyNWY/

    5] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    24.199.222.250
    213.192.1.171
    188.120.253.193
    162.251.84.219


    panthai .com.br: 200.98.201.219: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/d1...6d6e/analysis/

    festlanddesign .com: 176.28.36.108: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/2a...3e6b/analysis/

    Last edited by AplusWebMaster; 2016-05-12 at 18:35.

  6. #966
    Adviser Team AplusWebMaster's Avatar

    Thumbs down Separate 0-day vulns under attack, Tech Support Imposters

    FYI...

    Separate 0-day vulns under attack
    - http://arstechnica.com/security/2016...ows-and-flash/
    5/10/2016 - "... something that doesn't happen every day: the disclosure of -two- zero-day vulnerabilities, one in the Microsoft operating system[1] and the other in Adobe's Flash Player[2]. The Windows bug is being actively exploited in the wild, making it imperative that users install fixes that Microsoft released today as part of its May Patch Tuesday. Cataloged as CVE-2016-0189*, the security flaw allows attackers to surreptitiously execute malicious code when vulnerable computers visit booby-trapped websites...
    * https://web.nvd.nist.gov/view/vuln/d...=CVE-2016-0189
    Last revised: 05/11/2016 - '... Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site...'
    7.6 HIGH
    ... Separately, Adobe officials warned that a newly discovered Flash** vulnerability also gives attackers the ability to remotely hijack machines. It was first reported by researchers from security firm FireEye, and exploits exist in the wild...
    ** https://web.nvd.nist.gov/view/vuln/d...=CVE-2016-4117
    Last revised: 05/13/2016 - '... Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016...'
    10.0 HIGH
    ... in-the-wild attacks reported by Symantec[3]... FireEye published a blog post[4]... that described how attackers managed to infect-more-than-100-organizations in North America using a zero-day vulnerability. The bug, however, was CVE-2016-0167, a privilege escalation flaw that Microsoft fixed*** in -last- month's Patch Tuesday..."
    *** https://technet.microsoft.com/en-us/.../ms16-039.aspx

    1] http://technet.microsoft.com/security/bulletin/MS16-051
    May 10, 2016
    - https://technet.microsoft.com/library/security/ms16-053
    May 10, 2016 - Applies to:
    Windows Server 2008 R2 Service Pack 1
    Windows Server 2008 Service Pack 2
    Windows Vista Service Pack 2
    2] https://helpx.adobe.com/security/pro...apsb16-15.html
    May 12, 2016
    3] http://www.symantec.com/connect/blog...ks-south-korea
    10 May 2016
    4] https://www.fireeye.com/blog/threat-...ent-cards.html
    May 11, 2016
    ___

    Tech Support Imposters ...
    - https://blog.malwarebytes.org/cyberc...-are-they-now/
    May 13, 2016 - "... Fraud is still fraud, no matter how long your disclaimer is. Takedowns have been sent, and Malwarebytes will continue to monitor for the next time this group tries again. For more information on what you should know about tech support scammers to defend yourself, please check out the article here."
    > https://blog.malwarebytes.org/tech-support-scams/

    Last edited by AplusWebMaster; 2016-05-13 at 23:12.

  7. #967
    Adviser Team AplusWebMaster's Avatar

    Thumbs down Fake 'Attached Picture', 'spreadsheet', 'Anti-Fraud' SPAM, Lloyds, Capital One -Phish

    FYI...

    Fake 'Attached Picture' SPAM - attachment leads to malware
    - https://myonlinesecurity.co.uk/spam-...email-address/
    16 May 2016 - "Another empty-blank-email email with the subject of 'Attached Picture' pretending to come from copier/scanner/[random numbers] @ your-own-email-address with a zip attachment is another one from the current bot runs which downloads what is likely to be Dridex... One of the emails looks like:
    From: copier [random numbers] @ your own email address
    Date: Mon, 16 May 2016 10:05:40
    Subject: Attached Picture
    Attachment: mandy@ ... _0779_436592056.zip


    Body content: Blank/Empty

    11 May 2016: Current Virus total detections 23/56* - MALWR** shows a download of an -unknown- malware from
    http ://www.puertasjoaquin .com/987t5t7g?VOoIYjOJwN=BpMuEo (VirusTotal 2/57***) MALWR[4] | Payload Security[5]
    None of the auto analysers are able to give a definite result as to what the malware is. It is more likely to be Dridex banking Trojan rather than Locky ransomware, when this happens... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1441173827/

    ** https://malwr.com/analysis/Y2M1NGNmO...RkZTNhNDc5MzY/
    Hosts
    81.88.48.79

    *** https://www.virustotal.com/en/file/e...is/1463394033/

    4] https://malwr.com/analysis/ODkwM2E4Z...YxODFkMTUyMTE/

    5] https://www.hybrid-analysis.com/samp...ironmentId=100

    puertasjoaquin .com: 81.88.48.79: https://www.virustotal.com/en/ip-add...9/information/
    >> https://www.virustotal.com/en/url/6e...f547/analysis/
    ___

    Fake 'spreadsheet' SPAM - malicious attachment
    - http://blog.dynamoo.com/2016/05/malw...d-revised.html
    16 May 2016 - "This spam has a malicious attachment:
    From: Britney Hart
    Date: 16 May 2016 at 13:15
    Subject: Re:
    hi [redacted]
    I have attached a revised spreadsheet contains customers. Please check if it's correct
    Regards,
    Britney Hart


    Other variations of the body text seen so far:
    I have attached a revised spreadsheet contains general journal entries. Please check if it's correct
    I have attached a revised spreadsheet contains estimates. Please check if it's correct

    Attached is a ZIP file with three identical malicious .js files. The ones I have seen so far download from
    fundaciontehuelche .com.ar/897kjht4g34
    thetestserver .net/fg45g4g
    technobuz .com/876jh5g4g4
    There are probably other download locations. Each one downloads a slightly different binary (VirusTotal prognosis [1] [2]..) and automated analysis [5] [6].. shows the malware phoning home to:
    188.127.231.124 (SmartApe, Russia)
    31.184.197.72 (Petersburg Internet Network, Russia)
    92.222.71.26 (RunAbove / OVH, France)
    149.202.109.202 (Evgenij Rusachenko aka lite-host.in, Russia / OVH, France)
    The payload is Locky ransomware.
    Recommended blocklist:
    188.127.231.124
    31.184.197.72
    92.222.71.26
    149.202.109.202
    "
    1] https://www.virustotal.com/en/file/7...is/1463401158/

    2] https://www.virustotal.com/en/file/a...is/1463401746/

    5] https://malwr.com/analysis/ZjhlNGNjM...IzZjIxNjgyYmY/

    6] https://malwr.com/analysis/Zjc1MWFhN...FmMDY3MTU5MjY/
    ___

    Fake 'Anti-Fraud' SPAM - delivers Locky ransomware
    - https://myonlinesecurity.co.uk/spam-...elivers-locky/
    16 May 2016 - "An email that pretends to alert you to strange activity on your credit card, with the subject of 'Anti-Fraud System-332571' [random numbered] pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
    From: Mirabel Orton <OrtonMirabel31@ une .net.co>
    Date: Mon 16/05/2016 17:10
    Subject: Anti-Fraud System-332571
    Attachment: bruxner_data_332571.zip
    We have noticed a strange activity. Please, confirm the transaction made from your card and listed in the document attached.


    16 May 2016: bruxner_data_332571.zip: Extracts to: post_scan_rhgzp.js - Current Virus total detections 23/56*
    .. MALWR** shows a download of Locky ransomware from
    http ://steeldrill .com.au/Cs0St6.exe (VirusTotal 6/57***) MALWR[4] | Payload Security[5]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/ PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1441173827/

    ** https://malwr.com/analysis/M2ZlYjk2M...IxODc0ZjFjY2U/
    Hosts
    203.143.85.203

    *** https://www.virustotal.com/en/file/e...is/1463415891/

    4] https://malwr.com/analysis/YWQ0Nzg4O...VlNzM3ZDZkY2E/

    5] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    217.12.199.151: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/5e...e18e/analysis/

    steeldrill .com.au: 203.143.85.203: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/f5...6b0e/analysis/
    ___

    Fake 'Security report' SPAM - malicious attachment
    - https://myonlinesecurity.co.uk/spam-...curity-report/
    16 May 2016 - "An email with the subject of 'Security report' pretending to come from random senders with a zip attachment is another one from the current bot runs... Looks like Locky... One of the emails looks like:
    From: Gwennie Patron <PatronGwennie32083@ babygate .net>
    Date: Mon 16/05/2016 18:55
    Subject: Security report
    Attachment:
    Hello ,due to the technical problems associated with our security system, we kindly ask our customers to review the recent report in order to approve your last transactions. Thanks


    16 May 2016: securityx062CBD2.zip: Extracts to: data_xe2q2mizervx.js - Current Virus total detections 2/57*
    .. Payload security** shows a download from one of these 3 locations
    mantisputters .com/s7LUXu.exe | blueoxaladdin .com/pArFOY.exe | produtosvivabem .com.br/51aIMi.exe
    (VirusTotal 3/57[3]) MALWR[4] | Payload Security [5]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/3...is/1463421357/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    52.4.223.98
    65.23.141.248
    186.202.59.80


    3] https://www.virustotal.com/en/file/0...is/1463422004/

    4] https://malwr.com/analysis/OTY2M2VlZ...lkMmJhZmUyNTc/

    5] https://www.hybrid-analysis.com/samp...ironmentId=100

    mantisputters .com: 52.4.223.98: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/16...42e0/analysis/

    blueoxaladdin .com: 65.23.141.248: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/fd...98f2/analysis/

    produtosvivabem .com.br: 186.202.59.80: https://www.virustotal.com/en/ip-add...0/information/
    ___

    Lloyds bank - Phish
    - https://myonlinesecurity.co.uk/why-p...works-so-well/
    16 May 2016 - "... the phishers use domain names that are so believable and the registrars allow them to register the domains...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...h-1024x786.png

    The link in the email goes to http ://bank-update .com/personal/logon/ ... It even has the Lloyds bank icon in url bar. All they needed to do to make it 100% believable was either add a cheap or free SSL certificate or use a padlock symbol as an icon instead of the Lloyds black horse icon:
    > https://myonlinesecurity.co.uk/wp-co...e-1024x588.png
    This asks you for your user name & password and then 3 characters from your secret information ( as does the genuine Lloyds bank) then full secret information and phone number, then secret information, phone number and password, then -bounces- you to genuine Lloyds bank site."

    bank-update .com: 66.225.198.23: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/a5...e67b/analysis/
    104.128.234.224: https://www.virustotal.com/en/ip-add...4/information/
    >> https://www.virustotal.com/en/url/e6...1bb4/analysis/
    ___

    Capital One - Phish
    - https://myonlinesecurity.co.uk/phish...pital-one-360/
    16 May 2016 - "... more difficult to detect phishing attempt this time... Many card companies and banks do send PDF files as attachments with credit card statements. Some no doubt will have links to the bank website. Starts with a Blank email.

    Screenshot: https://myonlinesecurity.co.uk/wp-co...al_one_pdf.png

    The link in the PDF goes to http ://demelos .com.au/classes/commons/config/actionnn.htm which sends you on to http ://https-secure-capitalone360 .com-myaccount-banking.demelos .com.au/e8ea76f546cb0ea35cc83e95d7ae37eb/
    where you see this webpage and it goes on to a typical phishing page asking for loads of personal & private details that compromise you completely.":
    > https://myonlinesecurity.co.uk/wp-co...h-1024x656.png

    demelos .com.au: 27.121.64.122: https://www.virustotal.com/en/ip-add...2/information/
    >> https://www.virustotal.com/en/url/e1...858b/analysis/

    >> https://www.virustotal.com/en/url/d7...0e77/analysis/
    ___

    The Million-Machine 'Clickfraud' Botnet
    - http://www.computerworld.com/article...computers.html
    May 16, 2016 - "... The click-fraud botnet earns its creators money through Google's AdSense for Search program, according to researchers from security firm Bitdefender*. The affiliate program, intended for website owners, allows them to place a Google-powered custom search engine on their websites to generate revenue when users click on ads displayed in the search results... Strategies have changed dramatically in the past few years, with new approaches... this botnet's operators -intercept- Google, Bing, and Yahoo searches performed by users on their own computers and replace the legitimate results with those generated by their custom search engine. They do this using a malware program that Bitdefender products detect as Redirector.Paco. Since mid-September 2014, Redirector.Paco has infected more than 900,000 computers worldwide, mainly from India, Malaysia, Greece, the U.S., Italy, Pakistan, Brazil, and Algeria, the Bitdefender researchers said in a blog post Monday*..."
    * https://labs.bitdefender.com/2016/05...kfraud-botnet/

    Last edited by AplusWebMaster; 2016-05-16 at 23:56.
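The reports quoted in this post defang their indicators the same way throughout the thread ("http ://steeldrill .com.au/Cs0St6.exe", "steeldrill .com.au: 203.143.85.203", and Dynamoo's bare-IP "Recommended blocklist"). The following is an added example, not code from this thread or from the quoted blogs: it refangs that text, collects hosts, URLs and IPs from it, and runs them against a few constructed proxy log lines. The indicator values in REPORT_TEXT are copied from the posts above; the log lines, their field layout and the function names are assumptions made for the demo.

```python
"""Refang the defanged indicators used in the quoted reports and match them
against proxy log lines.  Added example for this thread, not the blogs' code."""
import re
from urllib.parse import urlsplit

# Constructed excerpt in the defanged style the reports use; the values are
# the ones listed in the posts above.
REPORT_TEXT = """\
http ://steeldrill .com.au/Cs0St6.exe (VirusTotal 6/57***)
steeldrill .com.au: 203.143.85.203
Recommended blocklist:
188.127.231.124
31.184.197.72
92.222.71.26
149.202.109.202
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# "host .tld: 1.2.3.4" lines, matched after refanging.
HOST_IP_RE = re.compile(r"^([a-z0-9.-]+\.[a-z]{2,}):\s*((?:\d{1,3}\.){3}\d{1,3})",
                        re.IGNORECASE | re.MULTILINE)


def refang(text):
    """Undo the 'http ://' and 'host .tld' spacing that keeps indicators
    from rendering as clickable links."""
    text = re.sub(r"(?i)(https?)\s+://", r"\1://", text)
    text = re.sub(r"(?<=[A-Za-z0-9])\s+\.(?=[A-Za-z0-9])", ".", text)
    return text


def extract_indicators(report):
    """Return {'ips', 'hosts', 'urls'} sets pulled from a defanged report."""
    clean = refang(report)
    ips = set(IPV4_RE.findall(clean))
    hosts, urls = set(), set()
    for raw in URL_RE.findall(clean):
        url = raw.rstrip(".,;)")          # drop trailing punctuation from prose
        urls.add(url)
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    for host, ip in HOST_IP_RE.findall(clean):
        hosts.add(host.lower())
        ips.add(ip)
    return {"ips": ips, "hosts": hosts, "urls": urls}


# Constructed proxy log lines: timestamp client dst_ip method url.
LOG_LINES = [
    "2016-05-16T17:12:03Z 10.0.0.15 203.143.85.203 GET http://steeldrill.com.au/Cs0St6.exe",
    "2016-05-16T17:12:09Z 10.0.0.15 188.127.231.124 POST http://188.127.231.124/post",
    "2016-05-16T17:13:40Z 10.0.0.22 93.184.216.34 GET http://example.com/index.html",
]


def match_log(lines, indicators):
    """Return [(line_number, reason)] for lines touching a known indicator.
    Destination IP, URL host and full URL are checked separately so that a
    payload host that moved IP (or an IP that moved domain) still matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            _ts, _client, dst_ip, _method, url = line.split()
        except ValueError:
            continue                      # malformed line: skip it
        reasons = []
        if dst_ip in indicators["ips"]:
            reasons.append(f"dst ip {dst_ip}")
        host = (urlsplit(url).hostname or "").lower()
        if host in indicators["hosts"]:
            reasons.append(f"host {host}")
        if url in indicators["urls"]:
            reasons.append(f"url {url}")
        if reasons:
            hits.append((n, ", ".join(reasons)))
    return hits


if __name__ == "__main__":
    ind = extract_indicators(REPORT_TEXT)
    for n, why in match_log(LOG_LINES, ind):
        print(f"line {n}: {why}")
```

The three checks are kept independent on purpose: the same payload URL reappears on the thread under new hosts, and the C&C IPs in the blocklists are contacted directly without a hostname, so matching on host alone or IP alone would miss one or the other.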

  8. #968
    Adviser Team AplusWebMaster's Avatar

    Thumbs down Multiple Locky ransomware emails/attachments; TechSupportScams - phone extortion

    FYI...

    Fake Multiple subjects SPAM - attachments delivering Locky ransomware
    - https://myonlinesecurity.co.uk/spam-...ky-ransomware/
    17 May 2016 - "... Locky ransomware emails overnight with varying subjects all pretending to come from random senders with either zip attachments or word doc macro attachments... Some of the subjects seen include:
    Your .pdf document is attached
    Re:
    Hedy Castaneda
    Dara Keith

    The word doc ones have a subject that matches the alleged sender. One of the emails with a word doc attachment looks like:
    From: Dara Keith <admin@ hk-mst .com>
    Date: Tue 17/05/2016 04:49
    Subject: Dara Keith
    Attachment: 706-d4390-lncnvy.dotm
    Hello
    Please find the report attached to this message. The Payment should appear in 1-2 days.
    Dara Keith

    Alternative body content
    Please review the report attached to this email. The Transfer will be posted within one day.
    Best regards


    17 May 2016: 706-d4390-lncnvy.dotm - Current Virus total detections 2/57* 2/56[1] 2/57[2].. MALWR [a] [b1].. doesn’t show any downloads. It is likely that the download sites will match the other Locky downloaders using zip attachments. I am waiting for full analysis...
    Update: finally got an analysis from Payload security[7] of 1 of the word doc files which shows a download from
    xlstrategy .com/ch.jpg?Ux=43 which is a genuine jpg, however the jpg contains malware -embedded- inside it, which is extracted via the malicious-macro and a VBS file that the macro creates (VirusTotal 4/57[8]). This actually is Dridex banking trojan not Locky.
    7] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    107.180.20.71: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/2b...5ac2/analysis/

    8] https://www.virustotal.com/en/file/5...is/1463492903/

    * https://www.virustotal.com/en/file/d...is/1463461891/

    1] https://www.virustotal.com/en/file/d...is/1463467476/

    2] https://www.virustotal.com/en/file/3...is/1463467521/

    a] https://malwr.com/analysis/MzQwN2Y1M...E1M2UxMTAyOWY/

    b1] https://malwr.com/analysis/MGE2MjA1Z...FlNDc3OWM2ZDQ/

    One of the emails with a zip attachment looks like:
    From: Your own email address
    Date: Tue 17/05/2016 01:38
    Subject: Your .pdf document is attached
    Attachment: D948699.zip


    Body content: Blank/Empty email body

    17 May 2016: D948699.zip: extracts to 20160516_38064087_27108995.js - Current Virus total detections 9/57[3]
    .. downloads from hrlpk .com/7834hnf34?XrkJSbPOxS=klrLzHBbOX (VirusTotal 11/56[4])
    3] https://www.virustotal.com/en/file/6...is/1463459479/

    4] https://www.virustotal.com/en/file/d...is/1463457732/
    TCP connections
    217.12.199.151: https://www.virustotal.com/en/ip-add...1/information/

    hrlpk .com: 203.124.43.226: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/43...3020/analysis/

    Another one of the emails with a zip attachment looks like:
    From: Ryan Solomon <SolomonRyan332@ cparsons .net>
    Date: Tue 17/05/2016 01:42
    Subject: Re:
    Attachment: sales orders_BEA6B3A2.zip
    hi vbygry
    Please refer to the attached document contains sales orders
    Let me know if it’s correct
    Regards,
    Ryan Solomon


    17 May 2016: sales orders_BEA6B3A2.zip: extracts to history 8426558.js - Current Virus total detections 6/57[5]
    .. downloads from http ://fundacionbraun .com/gh567jj56 (VirusTotal 11/57[6]) The zip attachment here contains 3 identical copies of the .js file all padded with loads of //// to confuse analysis and make them look much bigger than they are...
    5] https://www.virustotal.com/en/file/5...is/1463462139/

    6] https://www.virustotal.com/en/file/d...is/1463447956/
    TCP connections
    188.127.231.124: https://www.virustotal.com/en/ip-add...4/information/

    fundacionbraun .com: 209.126.254.163: https://www.virustotal.com/en/ip-add...3/information/
    >> https://www.virustotal.com/en/url/ae...5ac4/analysis/

    This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    ___

    Fake 'car booking' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spam-...elivers-locky/
    17 May 2016 - "... an email with the subject of 'FW: ' pretending to be a notification of a car booking and also pretending to come from random senders with a zip attachment containing a nemucod javascript downloader is also another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
    From: Jo-Ann Crowe <CroweJo-Ann0223@ londonrelax .co.uk>
    Date: Tue 17/05/2016 07:54
    Subject: FW:
    Attachment: copy-20160517122213.zip
    Thank you for booking you car with us, we hope you enjoy our service. Rental agreement is enclosed to this e-mail.


    17 May 2016: copy-20160517122213.zip: Extracts to: data_vevbypapxx.js - Current Virus total detections 4/57*
    .. MALWR** shows a download of Locky ransomware from
    http ://myfloralkart .com/MwtBk1.exe (VirusTotal 21/56***).... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/2...is/1463468058/

    ** https://malwr.com/analysis/ODhmNDNmY...Q5MDc4NWY4ZmM/
    Hosts
    198.57.205.1: https://www.virustotal.com/en/ip-add...1/information/
    128.199.120.158
    176.58.99.126: https://www.virustotal.com/en/ip-add...6/information/

    *** https://www.virustotal.com/en/file/0...is/1463463109/

    myfloralkart .com: 128.199.120.158: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/60...eb16/analysis/
    ___

    Fake 'contract' SPAM - downloads Locky
    - https://myonlinesecurity.co.uk/spam-...tract-with-us/
    17 May 2016 - "... email with the subject of 'FW: ' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
    From: Susann Faitele <FaiteleSusann335@ webtravelmarket .com>
    Date: Tue 17/05/2016 11:34
    Subject: FW:
    Attachment: security-20160517160422.zip
    Thanks for choosing our company and signing a contract with us, we’re sending you a copy as promised.


    17 May 2016: security-20160517160422.zip: Extracts to -2- different files data_veivommzha.js
    Current Virus total detections 4/57* and archive_doctomjjz.js (VirusTotal 4/56**) - MALWR [1] [2] shows a download of Locky ransomware from one of these sites (VirusTotal 4/56[3])
    http ://soco-care .be/zcHRd8.exe
    http ://delicadinha .com.br/MSr7Uy.exe
    http ://pro.monbento .com/8Uya5I.exe
    This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1463481488/

    ** https://www.virustotal.com/en/file/9...is/1463481291/

    1] https://malwr.com/analysis/ZmFjZWI2M...Q4MTIyN2Q0Y2Y/
    Hosts
    201.94.232.185: https://www.virustotal.com/en/ip-add...5/information/
    >> https://www.virustotal.com/en/url/78...e960/analysis/
    79.174.131.11: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/f2...1bd0/analysis/
    188.165.125.141: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/6c...09b0/analysis/

    2] https://malwr.com/analysis/MGEwMTk5N...VhMmQ4NDJmYjg/
    Hosts
    201.94.232.185
    79.174.131.11
    188.165.125.141


    3] https://www.virustotal.com/en/file/5...is/1463485442/
    ___

    Fake 'Per E-Mail' SPAM - malicious attachment is Locky ransomware
    - http://blog.dynamoo.com/2016/05/malw...il-senden.html
    17 May 2016 - "This German-language -spam- comes with a malicious attachment. It appears to come from the victim themselves, but this is just a simple-forgery.
    From: victim@ victimdomain .tld
    Date: 17 May 2016 at 13:28
    Subject: Per E-Mail senden: DOC0000329040
    Folgende Dateien oder Links können jetzt als Anlage mit Ihrer Nachricht
    gesendet werden:
    [The following files or links can now be sent as an attachment with your message:]
    DOC0000329040


    Attached is a ZIP file that matches the reference number in the subject and body text. I have only seen one sample, downloading a binary from:
    katyco .net/0uh8nb7
    The VirusTotal detection rate is 4/57*, the comments in that report indicate that this is Locky ransomware and the C&C servers are at:
    188.127.231.124 (SmartApe, Russia)
    176.53.21.105 (Radore Veri Merkezi Hizmetleri, Turkey)
    217.12.199.151 (ITL, Ukraine)
    107.181.174.15 (Total Server Solutions, US)
    Recommended blocklist:
    188.127.231.124
    176.53.21.105
    217.12.199.151
    107.181.174.15
    "
    * https://www.virustotal.com/en/file/4...65d5/analysis/
    Comments:
    > https://myonlinesecurity.co.uk/spam-...elivers-locky/
    17 May 2016
    >> https://malwr.com/analysis/NmZiZmZhO...U2NjViZDNhM2Q/
    Hosts
    203.162.53.112: https://www.virustotal.com/en/ip-add...2/information/

    katyco .net: 203.162.53.112
    ___

    Fake 'BILL' SPAM - downloads Locky
    - https://myonlinesecurity.co.uk/spam-...-mills-co-ltd/
    17 May 2016 - "An email with the subject of 'BILL' pretending to come from Store-Nellimarla Jute Mills Co Ltd. <yfstore857@ slsenterprise .com> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs downloading Locky... The email looks like:
    From: . <yfstore857@ slsenterprise .com>
    Date:
    Subject: BILL
    Attachment:
    Sir,
    Please find the attached file.


    17 May 2016: Bill_481575758.xls - Current Virus total detections 6/57*
    .. MALWR** shows a download from
    http ://seahawkexports .com/89yg67no (VirusTotal ***).. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/6...is/1463496996/

    ** https://malwr.com/analysis/M2VmM2ZjO...k0MGFkYzk4MjE/
    Hosts
    43.242.215.197: https://www.virustotal.com/en/ip-add...7/information/
    >> https://www.virustotal.com/en/url/01...6167/analysis/

    *** https://www.virustotal.com/en/file/b...is/1463500609/

    seahawkexports .com: 43.242.215.197
    ___

    Tech Support Scammers - 'Screen Lockers'
    - https://blog.malwarebytes.org/cyberc...creen-lockers/
    May 17, 2016 - "... -bogus- browser locks and -fake- AV alerts which are mostly an annoyance and can somewhat easily be disabled... But things have been changing with more serious malware-like techniques to force people into calling rogue tech support call centres. We previously saw a case of fake Blue Screen Of Death (BSOD) actually locking-up people’s desktops and now there is a growing demand for such ‘products’. Below is a Facebook post advertising a 'locker' specifically designed for tech support scams. It tricks users into thinking their Windows license has expired and blocks them from using their computer:
    > https://blog.malwarebytes.org/wp-con...FB_posting.png
    To be clear, this is -not- a fake browser pop up that can easily be terminated by killing the application or restarting the PC. No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will -not- get rid of it. There is an entire ecosystem to distribute these tech support lockers, which includes bundling them into affiliate (Pay Per Install) applications. What you -thought- was a PC optimizer or Flash-Player-update turns out to be a bunch of useless toolbars and, in some cases, one of these lockers. Another reason yet, if there weren’t enough already to -stay-away- from-adware-supported-programs... This is a -fake- Windows update but the average user will probably not see the difference. More troubling is the next screen that comes up and effectively -disables-the-computer- because of an expired license key. The message looks legitimate with the license key and computer name being retrieved from the victim’s actual computer:
    > https://blog.malwarebytes.org/wp-con...016/05/key.png
    The only recourse it seems is to call the toll-free number for assistance. As you can imagine, these fake Windows programs are great leads for tech support call centres waiting to collect the credit card numbers of unsuspecting users. We called the number (1-844-872-8686) provided on the locked screen and after much back and forth, the technician revealed a hidden functionality to this locker... However, the rogue ‘Microsoft technician’ would not proceed any further until we paid the $250 fee to unlock the computer, which we weren’t going to... these Windows lockers are a real pain to get rid of and until you do so, your computer is completely unusable. Just in the past few days we have noticed more and more users complaining about these new lockers. This increased sophistication means that people can no longer simply rely on common sense or avoid the typical cold calls from ‘Microsoft’. Now they need to also have their machines protected from these attacks because scammers have already started manufacturing malware tailored for what is essentially plain and simple extortion over the phone..."

    Last edited by AplusWebMaster; 2016-05-17 at 20:35.
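Two details from the reports in this post are usable on a mail gateway: the ZIP attachments hold several identical .js copies "padded with loads of //// to confuse analysis and make them look much bigger than they are", and the members are named so the .js reads as a DOC/PDF/JPG once known extensions are hidden. The following is an added example, not code from this thread or from the quoted blogs: it builds a constructed ZIP in memory and triages each member for an executable or macro-bearing extension, a document-looking double extension, a high padding ratio, and identical members. The member names and contents, the extension sets and the padding threshold are assumptions made for the demo.

```python
"""Triage a ZIP mail attachment for the traits described in the quoted
reports.  Added example for this thread, not the blogs' code."""
import hashlib
import io
import os
import zipfile

# Types Windows runs directly or that carry macros, whatever icon they show.
# Chosen for this example, not an exhaustive list.
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                   ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
                   ".dotm", ".docm", ".xlsm", ".xlsb"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".xls", ".txt"}


def split_exts(name):
    """Trailing extension chain of a member name, lower-cased:
    'report.pdf.js' -> ['.pdf', '.js']."""
    base = os.path.basename(name)
    exts = []
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


def padding_ratio(data, pad=b"/"):
    """Fraction of the file made of the padding byte.  A heuristic: real
    scripts contain some '/', but not most of their bytes."""
    return data.count(pad) / len(data) if data else 0.0


def triage_zip(zip_bytes, pad_threshold=0.5):
    """Return a verdict plus per-member findings for an in-memory ZIP."""
    members, by_hash = [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            exts = split_exts(info.filename)
            last = exts[-1] if exts else ""
            reasons = []
            if last in EXECUTABLE_EXTS:
                reasons.append(f"executable type {last}")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
                reasons.append(f"document-looking double extension {''.join(exts[-2:])}")
            ratio = padding_ratio(data)
            if ratio >= pad_threshold:
                reasons.append(f"{ratio:.0%} padding")
            digest = hashlib.sha256(data).hexdigest()
            by_hash.setdefault(digest, []).append(info.filename)
            members.append({"name": info.filename, "size": len(data),
                            "sha256": digest, "reasons": reasons})
    # Second pass: flag members that are byte-identical copies of each other.
    duplicates = [names for names in by_hash.values() if len(names) > 1]
    for m in members:
        group = by_hash[m["sha256"]]
        if len(group) > 1:
            m["reasons"].append(f"identical to {len(group) - 1} other member(s)")
    verdict = "suspicious" if any(m["reasons"] for m in members) else "clean"
    return {"verdict": verdict, "members": members, "duplicates": duplicates}


def build_sample_zip():
    """Constructed attachment: three identical padded .js files, one
    double-extension name and one harmless text file.  Names and contents
    are made up; the script body is inert."""
    script = b"var x = 'demo';\n" + b"/" * 4000 + b"\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ("sales orders_1.js", "sales orders_2.js", "sales orders_3.js"):
            zf.writestr(name, script)
        zf.writestr("invoice.pdf.js", b"var y = 1;\n")
        zf.writestr("readme.txt", b"hello\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip(build_sample_zip())
    print(result["verdict"])
    for m in result["members"]:
        print(f"{m['name']:22} {m['size']:6} bytes  {'; '.join(m['reasons']) or 'no findings'}")
```

The identical-copy check is deliberately only a finding, not a verdict on its own: a ZIP with two copies of a benign file is odd but not malicious, whereas an executable type inside a mail attachment is enough to quarantine on most gateways regardless of the other signals.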

  9. #969
    Adviser Team AplusWebMaster's Avatar

    Thumbs down Fake 'DOC', 'Invoice', 'DHL shipment', 'Remittance Advice' SPAM

    FYI...

    Fake 'DOC' SPAM - JS malware
    - https://myonlinesecurity.co.uk/spam-...email-address/
    18 May 2015 - "Another email with the subject of 'Emailing: DOC 05-18-2016, 04 49 68' [random numbered] pretending to come from your own email address with a zip attachment is another one from the current bot runs... slightly different subjects all with random numbers after the date
    Emailing: Picture 05-18-2016, 34 57 55
    Emailing: DOC 05-18-2016, 04 49 68
    Emailing: Image 05-18-2016, 12 20 14
    Emailing: photo 05-18-2016, 60 93 51

    ... One of the emails looks like:
    From: Your own email address
    Date: Wed 18/05/2016 11:31
    Subject: Emailing: DOC 05-18-2016, 04 49 68
    Attachment: DOC 05-18-2016, 04 49 68.zip
    Your message is ready to be sent with the following file or link
    attachments:
    DOC 05-18-2016, 04 49 68
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled.


    18 May 2016: DOC 05-18-2016, 04 49 68.zip: Extracts to: HWC4703756.js - Current Virus total detections 6/57*
    .. MALWR** shows a download from feedconsumer.upfrontjournal .com/erg54g4?ooGXPymBM=fNULIh (VirusTotal 3/56***)
    Payload security[4] shows this downloads a further file from diolrilk .at/files/cyAOiY.exe (virustotal 1/57[5])
    which makes this more likely to be Dridex banking Trojan rather than a ransomware version... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/a...is/1463568343/

    ** https://malwr.com/analysis/OTM4NTg0N...I1NzVlYzBhYmQ/
    Hosts
    173.236.177.29: https://www.virustotal.com/en/ip-add...9/information/

    *** https://www.virustotal.com/en/file/a...is/1463567581/
    TCP connections
    109.235.139.64: https://www.virustotal.com/en/ip-add...4/information/
    31.8.133.98: https://www.virustotal.com/en/ip-add...8/information/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    109.235.139.64: https://www.virustotal.com/en/ip-add...4/information/
    5.105.221.126: https://www.virustotal.com/en/ip-add...6/information/

    5] https://www.virustotal.com/en/file/7...is/1463569252/
    ___

    Fake 'Invoice' SPAM - JS malware drops Dridex
    - https://myonlinesecurity.co.uk/spam-...-drops-dridex/
    18 May 2016 - "An email with the subject of 'Invoice 1723-812595' [random numbered] pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which contains what looks like the embedded Dridex binary inside the 274 kb .JS file in a base 64 encoded section... One of the emails looks like:
    From: Vasquez.Jaspero@ hcrltd .com.br
    Date: Wed 18/05/2016 11:54
    Subject: Invoice 1723-812595
    Attachment: Invoice 1723-812595.zip
    Hi,
    Please find attached copy of invoice SN04359806 as requested. I would be grateful if you could reply to this email to ensure I have sent it to the correct address.
    Kind Regards, Jasper Vasquez


    18 May 2016: Invoice 1723-812595.zip: Extracts to: invoice_6126.js - Current Virus total detections 1/57*
    .. MALWR** shows no downloads but shows the dropped bin file in base64 encoding (VirusTotal 3/57***)
    .. Payload security[4] gives some more information, but not much... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/1...is/1463569142/

    ** https://malwr.com/analysis/ZmNmZGE1N...UzM2MzZjU2Nzk/

    *** https://www.virustotal.com/en/file/1...is/1463570330/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100
    ___

    Fake 'DHL shipment' SPAM - doc malware
    - https://myonlinesecurity.co.uk/spam-...ation-re-send/
    18 May 2016 - "An email with the subject of 'shipment address confirmation (re-send)' pretending to come from info <info@ dhl-services .com> with a zip attachment that extracts to a malicious word doc is another one from the current bot runs... The email looks like:
    From: info <info@ dhl-services .com>
    Date: Wed 18/05/2016 14:25
    Subject: shipment address confirmation (re-send)
    Attachment: dhl shipment #000516.zip
    Dear all
    After reviewing your shipment BL container number; we need to confirm, did your company change shipment address? If yes, attach you can find the information to re-confirm your shipment address.
    We require your quick confirmation and reply to this development
    Regards.
    Alice M. York,
    5/17/2016
    Oversea Frieght Information Manager,
    WorldWide Delivery Services DHL ...


    18 May 2016: dhl shipment #000516.zip: extracts to shipment details.doc - Current Virus total detections 12/55*
    .. MALWR** didn’t show any download but a manual analysis showed a download from
    http ://revery.5gbfree .com/rollas/wanfile.exe which is saved to %APPDATA%\flash.exe and autorun (VirusTotal 8/57***)
    MALWR[4].. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1463526808/

    ** https://malwr.com/analysis/MjU5MjkwO...FlZjBkMWFmNjY/

    *** https://www.virustotal.com/en/file/d...is/1463526879/

    4] https://malwr.com/analysis/NmQ1MmU0Z...I1MTg3MzM2YTI/
    Hosts
    23.94.151.38: https://www.virustotal.com/en/ip-add...8/information/

    revery.5gbfree .com: 209.90.88.138: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/d2...265d/analysis/
    ___

    Fake 'Remittance Advice' SPAM - doc malware
    - https://myonlinesecurity.co.uk/spam-...ed-ole-object/
    18 May 2016 - "An email with the subject of 'Remittance Advice' pretending to come from random senders and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    From: Diana Raveche <Diana@ lappgroup .com>
    Date: Tue 17/05/2016 15:33
    Subject: Remittance Advice
    Attachment: 59350_Copy_PS13149_(1).docx
    Dear Sirs,
    Please find attached remittance advice(s) for reconciliation.
    Should you have any queries, kindly contact the address below
    Best regards
    Daniel Sefah
    Treasurer
    Manganese Company Limited


    18 May 2016: 59350_Copy_PS13149_(1).docx - Current Virus total detections 16/56*
    .. MALWR** contains an embedded OLE object that when extracted gives 'Double Click on file to view clear Swift' copy.exe (VirusTotal 14/56***) MALWR[4] which shows a connection to
    http ://cf34064.tmweb .ru/cgi-bin/eke/gate.php which gave a 404 when I tried, which might mean it has been taken down or it insists on a referrer from the actual word doc or the extracted malware which several antiviruses detect as a fareit password stealer Trojan. Payload security doesn’t give much more useful info either...
    > https://myonlinesecurity.co.uk/wp-co...y-1024x549.png
    ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/2...is/1463574035/

    ** https://malwr.com/analysis/MTE2MDQ5Y...Q3YTlhNGNhMjc/

    *** https://www.virustotal.com/en/file/d...is/1463574066/

    4] https://malwr.com/analysis/MTc2Y2QxN...E2MDUwMzIzZjM/
    Hosts
    92.53.118.64: https://www.virustotal.com/en/ip-add...0/information/

    Last edited by AplusWebMaster; 2016-05-18 at 22:49.

  10. #970
    Adviser Team AplusWebMaster's Avatar

    Fake 'Thank you', 'WhatsApp', 'Scanned image' SPAM, TeslaCrypt master key

    FYI...

    Fake 'Thank you' SPAM - JS malware attachment
    - https://myonlinesecurity.co.uk/spam-...dom-companies/
    19 May 2016 - "An email with the subject of 'Thank you!' pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads some unknown malware... One of the emails looks like:
    From: Stevie Fry <FryStevie3913@ divtec .ch>
    Date: Thu 19/05/2016 10:49
    Subject: Thank you!
    Attachment: webmaster_order_04FDEC03.zip
    Hello webmaster,
    Please find enclosed invoice no. 871824
    Thank you for your order.
    We look forward to doing business with you again.
    Regards,
    Stevie Fry
    Pioneer Natural Resources Company


    19 May 2016: webmaster_order_04FDEC03.zip: Extracts to: -4- identical copies of history_048.js
    Current Virus total detections 6/56*. MALWR** shows a download from
    http ://dub3tv .com/2e22dfs (VirusTotal 2/56***). Payload Security[4] | Malwr[5]. Nothing so far is actually telling us what the payload is, but it is likely to be either Locky or Dridex... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1463654399/

    ** https://malwr.com/analysis/N2I1ZjkzM...k4MWVhYmRmNWU/
    Hosts
    184.168.107.21: https://www.virustotal.com/en/ip-add...1/information/

    *** https://www.virustotal.com/en/file/d...is/1463654794/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    5] https://malwr.com/analysis/MTNlNzQwY...kxYTc5MGU1ZjU/
    ___

    Fake 'WhatsApp' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/spam-...elivers-locky/
    19 May 2016 - "An email with the subject of 'You got a voice message!' pretending to come from WhatsApp <Cleo477@ gmx .de> with a zip attachment is another one from the current bot runs which downloads Locky Ransomware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-1024x522.png

    19 May 2016: MSG0002959373787821.wav.zip: Extracts to: MSG00033066464574474.wav.js
    Current Virus total detections 8/56*. MALWR** shows a download of Locky from
    http ://denzil .com.au/grh5444tg?WKInfNTzzF=VQkztyPupI (VirusTotal 4/56***)... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine WAV/DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/4...is/1463652406/

    ** https://malwr.com/analysis/OTRlNmU0Z...NmMmNiMzVlMmY/
    Hosts
    223.130.27.201
    89.108.84.155
    92.63.87.48


    *** https://www.virustotal.com/en/file/5...is/1463653169/
    TCP connections
    92.63.87.48: https://www.virustotal.com/en/ip-add...8/information/

    denzil .com.au: 223.130.27.201: https://www.virustotal.com/en/ip-add...1/information/
    >> https://www.virustotal.com/en/url/a4...71b5/analysis/
    ___

    Fake 'Scanned image' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/scann...elivers-locky/
    19 May 2016 - "Another email pretending to come from your-own-email-domain with the subject of 'Scanned image' pretending to come from admin <southlandsxxxx@ victimdomain .tld> with a zip (rar) attachment is another one from the current bot runs which downloads Locky Ransomware... One of the emails looks like:
    From: admin <southlandsxxxx@ victimdomain .tld>
    Date: Thu 19/05/2016 19:52
    Subject: Scanned image
    Attachment: MSG00087072.rar
    Image data in PDF format has been attached to this email.


    19 May 2016: MSG00087072.rar: Extracts to: MSG0004219280705535.js - Current Virus total detections 9/57*
    .. MALWR** shows a download of Locky ransomware from
    freesource .su/437gfinw2 (VirusTotal 3/56***)
    Other sites found include:
    freesource .su/437gfinw2 - 136.243.176.66
    der-werbemarkt .de/437gfinw2 - 85.158.182.96
    criticalcontactinfo .com/437gfinw2 - 192.73.242.42
    empiredeckandfence .com/437gfinw2 - 192.185.225.43
    ... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/c...is/1463686171/

    ** https://malwr.com/analysis/ZjBjOTNmO...EzMzQyMDYwYjU/
    Hosts
    92.63.87.48

    *** https://www.virustotal.com/en/file/a...is/1463684566/
    TCP connections
    92.63.87.48: https://www.virustotal.com/en/ip-add...8/information/

    freesource .su: 136.243.176.66: https://www.virustotal.com/en/ip-add...6/information/
    >> https://www.virustotal.com/en/url/62...14ab/analysis/
    der-werbemarkt .de: 85.158.182.96: https://www.virustotal.com/en/ip-add...6/information/

    criticalcontactinfo .com: 192.73.242.42: https://www.virustotal.com/en/ip-add...2/information/

    empiredeckandfence .com: 192.185.225.43: https://www.virustotal.com/en/ip-add...3/information/
    ___

    White hats bake TeslaCrypt master key into universal decryptor
    Ransomware authors appear to have given up...
    - http://www.theregister.co.uk/2016/05...sal_decryptor/
    19 May 2016 - "The authors of the TeslaCrypt ransomware have handed over their master keys in what appears to be a decision to kill off the net menace. An Eset researcher noticed the gradual decline of TeslaCrypt and, posing as a victim, asked the malware authors for a key. The authors surprisingly offered a free master key and the security wonk quickly produced a free universal decryption tool*. It means victims of two of the worst ransomware tools can decrypt their files for free, with Kaspersky white hats producing a decryption tool yesterday** for the Cryptxxx malware..."
    * http://download.eset.com/special/ESE...tDecryptor.exe

    ** http://www.theregister.co.uk/2016/05...xxx_decrypted/

    - http://support.eset.com/kb6051/
    Last Revised: May 19, 2016

    Identify the ransomware you’re dealing with...
    > https://id-ransomware.malwarehunterteam.com/index.php
    "This service currently detects 87 different ransomwares..."
    Updated 05/19/2016

    > http://www.bleepingcomputer.com/news...ecryption-key/
    May 18, 2016

    Last edited by AplusWebMaster; 2016-05-20 at 00:58.
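    The reports above keep returning to the same lure: a script attachment whose name ends in .js (or .wav.js) reads as a document when Explorer hides known extensions. The mail-gateway style check below is an added example, not code from the forum post or the quoted blog; the attachment names are taken from the reports, the archive is constructed in memory, and the check is name-based only, so the macro/OLE .doc and .docx cases in the thread still need content inspection.

```python
"""Flag e-mail attachments whose names hide a script or executable behind a
document-looking name, the trick every report in this thread relies on.
Added example, not code from the forum or the quoted blog; file names are
taken from the reports, the archive is constructed in memory."""
import io
import os
import zipfile

# Extensions Windows runs on double-click (WSH scripts, PE files, shortcuts).
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".lnk"}
# Extensions a recipient expects to be plain data.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".jpg", ".png", ".wav", ".txt"}


def classify_name(name: str) -> list[str]:
    """Return the reasons a file name is suspicious; an empty list means none."""
    base = os.path.basename(name.replace("\\", "/")).lower()
    stem, ext = os.path.splitext(base)
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        # "MSG....wav.js": a document extension sits just before the real one,
        # which is all the user sees when Explorer hides known extensions.
        inner = os.path.splitext(stem)[1]
        if inner in DOCUMENT_EXTS:
            reasons.append(f"document extension {inner} masks {ext}")
    return reasons


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Map every file inside a zip attachment to its list of reasons."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_name(i.filename)
                for i in zf.infolist() if not i.is_dir()}


def build_sample_zip() -> bytes:
    """Constructed archive using the attachment names from the reports."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MSG00033066464574474.wav.js", "// constructed placeholder, not the downloader")
        zf.writestr("HWC4703756.js", "// constructed placeholder")
        zf.writestr("shipment details.doc", "constructed placeholder, not the real document")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_zip()).items():
        verdict = "; ".join(reasons) if reasons else "nothing name-based"
        print(f"{member}: {verdict}")
```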
