FYI...
Fake 'refund' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/05/malw...w-up-with.html
20 May 2016 - "This spam comes from random senders and has a malicious attachment. Here is an example:
From: Frederic Spears
Date: 20 May 2016 at 10:29
Subject: Re:
Hi [redacted],
I wanted to follow up with you about your refund.
Please find the attached document
Regards,
Frederic Spears
CBS Corporation
The company name and sender's name vary from message to message. Attached is a ZIP file which contains elements of the recipient's name, which in turn contains one of a variety of malicious scripts. Out of the samples I have seen, I have so far found download locations of:
delicious-doughnuts .net/oqpkvlam
dev.hartis .org/asvfqh2vn
dugoutdad .com/0ygubbvvm
craftbeerventures .nl/hgyf46sx
babamal .com/av2qavqwv
forshawssalads .co.uk/af1fcqav
Only three of those download locations work so far (VirusTotal results [1] [2]..) and automated analysis of those [4] [5].. shows behaviour consistent with Locky ransomware. All of those reports show the malware phoning home to:
91.219.29.106 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
51.254.240.89 (Relink LLC, Russia / OVH, France)
138.201.118.102 (Hetzner, Germany)
Recommended blocklist:
91.219.29.106
51.254.240.89
138.201.118.102 "
[1] https://virustotal.com/en/file/bf2e4...is/1463737477/
TCP connections
91.219.29.106
[2] https://virustotal.com/en/file/d5cbb...is/1463738300/
TCP connections
91.219.29.106
[4] https://malwr.com/analysis/NmQ1NmY1M...E5MDNjNDEyZGQ/
Hosts
138.201.118.102
[5] https://malwr.com/analysis/NmU3MTZlZ...NkODA2N2U1MDk/
Hosts
138.201.118.102
- https://myonlinesecurity.co.uk/i-wan...eads-to-locky/
20 May 2016 - "Another email in the long line of Nemucod JavaScript downloaders, with the subject of 'Re: ', pretending to come from random senders and email addresses with a zip attachment, is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: I wanted to follow up with you about your refund
Date: Fri 20/05/2016 10:24
Subject: Re:
Attachment: rob_refund_947CDB34.zip
Hi rob,
I wanted to follow up with you about your refund.
Please find the attached document
Regards,
Inez Castro
Workday, Inc.
20 May 2016: rob_refund_947CDB34.zip: Extracts to: history.6725.js.js - Current VirusTotal detections 5/57*
downloads from http ://carseatcoverwarehouse .com.au/zzvmvae (VirusTotal 6/57**). Payload Security***
Some other sites found include:
http ://delicious-doughnuts .net/oqpkvlam – currently 404 for me
http ://carseatcoverwarehouse .com.au/zzvmvae
http ://dev.hartis .org/asvfqh2vn
http ://honeystays .co.za/sajaafafa
http ://dvphysio .com.au/g0bpicjhbv
... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1463736198/
** https://www.virustotal.com/en/file/2...is/1463736629/
TCP connections
51.254.240.89
*** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
192.185.198.215
92.63.87.48
51.254.240.89
delicious-doughnuts .net - 213.160.76.117: https://www.virustotal.com/en/ip-add...7/information/
>> https://www.virustotal.com/en/url/36...46aa/analysis/
carseatcoverwarehouse .com.au - 192.185.198.215: https://www.virustotal.com/en/ip-add...5/information/
>> https://www.virustotal.com/en/url/ec...b119/analysis/
dev.hartis .org - 212.1.214.102: https://www.virustotal.com/en/ip-add...2/information/
>> https://www.virustotal.com/en/url/80...94ba/analysis/
honeystays .co.za - 188.40.0.214: https://www.virustotal.com/en/ip-add...4/information/
>> https://www.virustotal.com/en/url/34...b905/analysis/
dvphysio .com.au - 192.185.182.18: https://www.virustotal.com/en/ip-add...8/information/
>> https://www.virustotal.com/en/url/f8...06f9/analysis/
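The two write-ups above give a defender two concrete hooks: the C2 addresses in the recommended blocklist, and the stacked-extension trick (history.6725.js.js) that hides a JavaScript dropper inside the ZIP. The script below is an added example, not code from either blog; it builds a constructed stand-in for the attachment in memory, flags archive members that end in a script extension (with a note when a decoy document extension sits in front of it), and scans constructed egress log lines for connections to the three phone-home IPs quoted above. The log format, sample IPs other than the quoted C2s, and the extension lists are assumptions for the example.

```python
import io
import re
import zipfile

# C2 addresses taken from the recommended blocklist quoted above.
# Everything else in this file is constructed for the example.
LOCKY_C2_BLOCKLIST = {
    "91.219.29.106",
    "51.254.240.89",
    "138.201.118.102",
}

# Script extensions Nemucod-style droppers ship under (assumed list).
SCRIPT_EXTENSIONS = {"js", "jse", "wsf", "vbs", "vbe", "hta"}

# Innocent-looking extensions commonly stacked in front of a script (assumed list).
DECOY_EXTENSIONS = {"doc", "docx", "pdf", "jpg", "png", "txt", "xls", "xlsx"}


def classify_member(name):
    """Return a reason string if a ZIP member is a script, else None."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2 or parts[-1] not in SCRIPT_EXTENSIONS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return "script with decoy document extension"
    if len(parts) >= 3:
        return "script with stacked extensions"
    return "script attachment"


def suspicious_members(zip_bytes):
    """List (member name, reason) for every script-like file in a ZIP attachment."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            reason = classify_member(name)
            if reason:
                flagged.append((name, reason))
    return flagged


def build_sample_zip():
    """Constructed stand-in for rob_refund_947CDB34.zip: one benign text file
    plus a member named like the dropper. The script body is an inert comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
        zf.writestr("history.6725.js.js", "// inert placeholder, not the real dropper\n")
    return buf.getvalue()


# Assumed egress log format: "<date> <time> <src> -> <dst>:<port> <proto>".
LOG_LINE = re.compile(r"^\S+ \S+ (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)")

# Constructed sample log lines; only the two blocklisted destinations should hit.
SAMPLE_LOG = [
    "2016-05-20 10:31:02 10.0.0.23 -> 91.219.29.106:80 TCP",
    "2016-05-20 10:31:05 10.0.0.23 -> 93.184.216.34:443 TCP",
    "2016-05-20 10:32:40 10.0.0.41 -> 138.201.118.102:80 TCP",
    "malformed line that the parser should skip",
]


def find_c2_contacts(log_lines, blocklist=LOCKY_C2_BLOCKLIST):
    """Return (src, dst) pairs for every parsed line whose destination is blocklisted."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and m.group("dst") in blocklist:
            hits.append((m.group("src"), m.group("dst")))
    return hits


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_zip()):
        print(f"attachment member {name}: {reason}")
    for src, dst in find_c2_contacts(SAMPLE_LOG):
        print(f"host {src} contacted Locky C2 {dst}")
```

The member check is deliberately broad: any script file inside an emailed ZIP is worth quarantining, and the reason string only records how hard the name is trying to look like a document. The log scan is the cheap retroactive check once the blocklist is in place at the perimeter: an internal host that already reached one of those addresses is the one to pull for incident response.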
___
Ubiquiti AirOS routers hit with worm
- https://www.helpnetsecurity.com/2016...backdoor-worm/
May 20, 2016 - "A worm targeting wireless network equipment developed by US-based Ubiquiti Networks has already managed to compromise thousands of routers across the world. To spread it, whoever is behind these attacks is exploiting an old bug* in airOS, the firmware that runs on the company’s networking devices... According to Symantec researchers**, once it leverages the exploit, the worm copies itself on the device and creates a backdoor account... Ubiquiti has provided a list of devices/firmware versions that are safe from the exploit, and has advised users of others to update their firmware. They have also provided a removal tool[3] for the worm, which also has the option to upgrade firmware to the latest version (5.6.5)."
* https://community.ubnt.com/t5/airMAX...d/ba-p/1300494
** http://www.symantec.com/connect/fr/b...t-worm-attacks
[3] https://community.ubnt.com/t5/airMAX...e/ba-p/1565949