Thread: SPAM frauds, fakes, and other MALWARE deliveries...

Post #34
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005 | Location: USA | Posts: 6,881

    Fake 'E-Ticket', 'invoice', 'Admin Exchange' SPAM

    FYI...

    Fake 'E-Ticket' SPAM – javascript malware
    - http://myonlinesecurity.co.uk/e-tick...cript-malware/
    21 Apr 2015 - "'E-Ticket 7694892' pretending to come from E-Ticket <online@ ticket .com> with a link to a zip attachment is another one from the current bot runs... The email looks like:

    This is your e-ticket receipt.
    SEAT / 30A/ZONE 3
    DATE / TIME 7 MAY, 2014, 09:19 AM
    ARRIVING / Tulsa
    ST / OK
    REF / KE.7818 BAG / 4PC
    TOTAL PRICE / 438.16 USD
    FORM OF PAYMENT / CC
    Download E-Ticket 7694892
    Yours sincerely,
    American Airlines E-Ticket services.


    21 April 2015: E-Ticket 7694892.zip: Extracts to: E-Ticket 7694892.js
    Current VirusTotal detections: 9/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1429584330/
    ___

    Fake 'invoice' SPAM - malicious doc attachment
    - http://blog.dynamoo.com/2015/04/malw...e-i413136.html
    21 Apr 2015 - "This spam email does not come from LA Grinding but is instead a simple forgery with a malicious attachment.
    From: Lichelle Ebner [mailto:Lichelle5938@ lagrinding .co .uk]
    Sent: Tuesday, April 21, 2015 9:55 AM
    Subject: LAG invoice I413136
    Dear Accounts Payable,
    Attached is a copy of invoice I413136 .The items were shipped. Please feel free to contact me if you have any questions or cannot read the attachment.
    Thank you for your business.
    Sincerely,
    Lichelle Ebner
    L. A. Grinding Company
    Ph. (818) 846-9134
    FAX (818)846-1786


    So far I have seen just a single sample with an attachment I413136.doc which has a VirusTotal detection rate of 2/57* and which contains this malicious macro... in turn this downloads a component from:
    http ://eternitymobiles .com/25/144.exe
    ...although there are probably different versions of the macro with different download locations, the binary itself should be the same in all cases. This is saved as %TEMP%\pierre6.exe and it has a detection rate of 5/56**. Automated analysis tools... show that it attempts to communicate with a familiar IP:
    89.28.83.228 (StarNet SLR, Moldova)
    According to this Malwr report it also drops a malicious Dridex DLL with a detection rate of 3/56***.
    Recommended blocklist:
    89.28.83.228 ..."
    * https://www.virustotal.com/en/file/d...is/1429609465/

    ** https://www.virustotal.com/en/file/8...is/1429609471/

    *** https://www.virustotal.com/en/file/b...is/1429610872/
    ___

    Fake 'Admin Exchange' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/admini...e-pdf-malware/
    21 Apr 2015 - "'Administrator – Exchange Email id3405629' pretending to come from Administrator@ no-reply <Administrator@ your domain > with a zip attachment is another one from the current bot runs... The email looks like:

    no-reply,
    This attachment provides you with managing facilities for your mailboxes, public folders, distribution lists, contact and mail service general settings. Please save the attached file to your hard drive before deleting this message.
    To open the attachment (Exchange_id3405629.zip) please use the following password: Ujh6JZ2mHN
    Thank you,
    Administrator


    Note: the address it pretends to come from will be your own email domain and the link in the email will appear to be your own web site or domain.
    21 April 2015: Exchange_id3405629.zip: Extracts to: Exchange.exe
    Current VirusTotal detections: 1/54* NOTE: we are also seeing the same malware payload coming in as a -fake- fax, and with the subject of Internal ONLY. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/7...is/1429610427/
    ... Behavioural information
    UDP communications
    23.102.23.44: https://www.virustotal.com/en/ip-add...4/information/

    - http://threattrack.tumblr.com/post/1...nistrator-spam
    Apr 21, 2015
    Tagged: Exchange, Dyreza
    ___

    Fake 'new my info' SPAM – PDF malware
    - http://myonlinesecurity.co.uk/new-my...e-pdf-malware/
    21 Apr 2015 - "'new my info' pretending to come from random names and email addresses with a zip attachment that is named after the alleged sender is another one from the current bot runs... The email looks like:

    Hello! I have found some interesting information that you might need!
    Check out the attached file!
    Bicicletes Nadal Oliver, S.L.
    Passeig Ferrocarril, 61
    07500 Manacor (Mallorca)
    Illes Balears
    Tel.971-843358 ...


    21 April 2015: warehouseop02.zip: Extracts to: Alla.exe
    Current VirusTotal detections: 3/56*. This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/0...is/1429618876/
    ___

    Dridex re-directing to Malicious Dropbox hosted file via Google
    - https://isc.sans.edu/diary.html?storyid=19609
    2015-04-21 - "... this malware may use Google Analytics to count how many people opened the file, but I haven't confirmed that. Google -redirects- are however used to obscure the destination... Google will show a note that the user was redirected, but the file will download right away. It will not open, and the user will have to open it to enable the Macro to execute (DON'T)... Word document... example I received:
    > https://isc.sans.edu/diaryimages/ima...26_43%20AM.png
    ... VirusTotal only shows 4 "hits" out of 57* AV tools tested for this binary:
    (More detail at the ISC URL above.)
    * https://www.virustotal.com/en/file/e...is/1429631351/
    File name: ACH transaction0336.doc

    Last edited by AplusWebMaster; 2015-04-21 at 23:19.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
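The runs quoted above share one delivery pattern: a zip attachment whose member is an executable (.js, .exe) dressed up as a ticket, invoice or PDF, sometimes password-protected so the gateway cannot look inside. As an added example (not code from the post or from the blogs it quotes), the Python below triages an archive on those signals: an executable extension, a document-looking double extension ("x.pdf.exe"), an "MZ" PE header regardless of the extension or icon, an encrypted member, and an inner file name unrelated to the archive name (the weak "named after the sender" signal from the 'new my info' run). The sample archives are constructed inline from inert placeholder bytes and only mirror the file names reported in the post; they are not the real samples.

```python
"""Triage a zip e-mail attachment for the abuse patterns described in the post:
executable members, double extensions, PE content behind a spoofed icon,
password-protected archives, and archive/member name mismatches."""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click (the post's samples are .js and .exe).
EXECUTABLE_EXTS = {".exe", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".scr",
                   ".com", ".pif", ".bat", ".cmd", ".hta", ".jar", ".ps1", ".lnk"}
# Extensions a victim expects to see; abused as the visible half of "x.pdf.exe".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def triage_zip(archive_name: str, data: bytes) -> list[tuple[str, str]]:
    """Return (member, reason) findings for every member of the archive.
    reason is one of: encrypted, executable-extension, double-extension,
    pe-header, name-mismatch. An empty list means nothing suspicious."""
    findings = []
    archive_stem = PurePosixPath(archive_name).stem.lower()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = info.filename
            suffixes = [s.lower() for s in PurePosixPath(member).suffixes]
            # Bit 0 of the general-purpose flags marks an encrypted member (PKZIP appnote 4.4.4).
            # The 'Admin Exchange' run ships the password in the mail body so only the user can open it.
            encrypted = bool(info.flag_bits & 0x1)
            if encrypted:
                findings.append((member, "encrypted"))
            if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
                findings.append((member, "executable-extension"))
            if (len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS
                    and suffixes[-1] in EXECUTABLE_EXTS):
                findings.append((member, "double-extension"))
            # Content beats the name: a PE file starts with "MZ" whatever icon or extension it shows.
            if not encrypted:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        findings.append((member, "pe-header"))
            # Weak signal: archive named one thing (e.g. after the sender), member named another.
            member_stem = PurePosixPath(member).name.split(".")[0].lower()
            if member_stem != archive_stem:
                findings.append((member, "name-mismatch"))
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory (placeholder bytes, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins that reuse the file names reported in the post; contents are inert.
INERT_PE = b"MZ" + b"\x00" * 62          # just the DOS header magic, nothing executable
SAMPLES = {
    "E-Ticket 7694892.zip": build_zip({"E-Ticket 7694892.js": b"// inert placeholder\n"}),
    "warehouseop02.zip": build_zip({"Alla.exe": INERT_PE}),
    "Exchange_id3405629.zip": build_zip({"Exchange.exe": INERT_PE}),
    "statement.zip": build_zip({"statement.pdf.exe": INERT_PE}),   # hypothetical double extension
    "invoice.zip": build_zip({"invoice.pdf": b"%PDF-1.4\n%inert placeholder\n"}),  # benign control
}


def triage_all(samples=SAMPLES) -> dict[str, list[tuple[str, str]]]:
    """Run triage_zip over every constructed sample; used for the demo and the checks."""
    return {name: triage_zip(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {'QUARANTINE' if findings else 'clean'}")
        for member, reason in findings:
            print(f"    {member}: {reason}")
```

Any finding other than a lone "name-mismatch" is a quarantine decision in a mail gateway; the PE-header check is the one that still fires when the attacker relies on the hidden-extension trick the post describes, because it never looks at the name at all. Encrypted members cannot be content-checked, which is exactly why the 'Admin Exchange' run encrypts them, so "encrypted" should itself be treated as a reason to hold the message.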
