Thread: SPAM frauds, fakes, and other MALWARE deliveries...
  #34 - AplusWebMaster (Adviser Team)

    Fake 'Amazon', 'Workers Comp', 'Your Order Ref' SPAM, Nuclear EK

    FYI...

    Fake 'Amazon' SPAM - leads to malware
    - http://blog.dynamoo.com/2016/04/malw...order-has.html
    22 Apr 2016 - "This -fake- Amazon email leads to malware. On some mail clients there may be no body text:
    From: auto-shipping@ amazon .co.uk Amazon .co.uk
    To:
    Date: Fri, 22 Apr 2016 10:50:56 +0100
    Subject: Your Amazon.co.uk order has dispatched (#525-2814418-9619799)
    Dear Customer,
    Greetings from Amazon .co.uk,
    We are writing to let you know that the following item has been sent using Royal Mail...
    Your order #525-2814418-9619799 (received April 22, 2016)...


    Attached is a file with a name that matches the randomly-generated order (in this case, ORDER-525-2814418-9619799.docm). According to analysis by a couple of other trusted parties, the various versions of the malicious document download a binary from:
    www .smileybins .com.au/0u8ggf5f5
    kpmanish .com/0u8ggf5f5
    neoventtechnologies .com/0u8ggf5f5
    itronsecurity .com/0u8ggf5f5
    bnacoffees .com/0u8ggf5f5
    ambikaonline .com/0u8ggf5f5
    usacarsimportsac .com/0u8ggf5f5
    giftsandbaskets .co.th/0u8ggf5f5
    This dropped -executable- has a detection rate of 6/56*. The Hybrid Analysis** and DeepViz Analysis*** plus some data sourced from other parties (thank you) indicate that the malware calls back to the following IPs:
    186.250.48.10 (Redfox Telecomunicações Ltda., Brazil)
    193.90.12.221 (MultiNet AS, Norway)
    194.116.73.71 (Topix, Italy)
    200.159.128.144 (Novanet da Barra Ass e Inf LTDA, Brazil)
    The payload here appears to be the Dridex banking trojan.
    Recommended blocklist:
    186.250.48.10
    193.90.12.221
    194.116.73.71
    200.159.128.144
    "
    * https://www.virustotal.com/en/file/1...is/1461324262/

    ** https://www.hybrid-analysis.com/samp...nvironmentId=1

    *** https://sandbox.deepviz.com/report/h...d02583f1ac809/
    ___

    Fake 'Workers Comp' SPAM - JS malware
    - https://myonlinesecurity.co.uk/gener...om-js-malware/
    22 Apr 2016 - "An email that appears to come from pacificpathins .com /Pacific Pathways insurance brokers with the subject of 'General Liability & Workers Compensation Insurance' pretending to come from Random names and email addresses with a zip attachment is another one from the current bot runs which downloads some unknown malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...e-1024x640.png

    21 April 2016: PPI QUOTE REQUEST_955015.zip: Extracts to: wrk_insur29uk22442016.js
    Current Virus total detections 2/57*.. MALWR** shows a download that is very offensively named from
    http ://inter.whyscc .com/gimme/some/loads_nigga.php which gave me favicon.ico which of course is -not- an icon file but a renamed .exe (VirusTotal 4/56***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
    * https://www.virustotal.com/en/file/8...is/1461327441/

    ** https://malwr.com/analysis/YjVlYWU3M...RmN2Y0YWUzNmM/
    Hosts
    193.201.227.59: https://www.virustotal.com/en/ip-add...9/information/

    *** https://www.virustotal.com/en/file/d...is/1461331736/

    inter.whyscc .com: 193.201.227.59
    ___

    Fake 'Your Order Ref' SPAM - doc malware
    - https://myonlinesecurity.co.uk/thank...d-doc-malware/
    22 Apr 2016 - "An email with the subject of 'Thank You For Your Order Ref 58380529' pretending to come from talkmobile <do_not_reply@ talkmobile .co.uk> with a malicious word doc attachment is another one from the current bot runs...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...9-1024x314.png

    If you do open the word doc, this is where they invite you to double-click-the-image to see the invoice.
    That would -infect- you with whatever malware this malicious doc contains:
    > https://myonlinesecurity.co.uk/wp-co...e-1024x214.png

    21 April 2016: Invoice.docx - Current Virus total detections 3/57*
    .. An analyst managed to extract it for me and we got INVOIC~1.EXE which I think is supposed to be called Invoice_14_04_16_65216.exe (VirusTotal 2/55**) MALWR[4] which shows a dropped/extracted js file Rechnung_14_04_16_65216.js (VirusTotal 1/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/f...is/1461335298/

    ** https://www.virustotal.com/en/file/4...is/1461338217/

    *** https://www.virustotal.com/en/file/9...is/1461338547/

    4] https://malwr.com/analysis/MjU2OGY1N...E2MzhlMzkyNzg/
    ___

    Nuclear EK cashes in on demand from cryptoransomware rings
    - http://arstechnica.com/security/2016...its-into-cash/
    Apr 22, 2016 - "Security researchers at Cisco Talos* and Check Point** have published reports detailing the inner workings of Nuclear, an "exploit kit" Web service that deployed malware onto victims' computers through malicious websites. While a significant percentage of Nuclear's infrastructure has been recently disrupted, the exploit kit is still operating — and looks to be a major contributor to the current crypto-ransomware epidemic... Much of Talos' data on Nuclear comes from tracking down the source of its traffic — a cluster of "10 to 15" IP addresses that were responsible for "practically all" of the exploit infrastructure. Those addresses were being hosted by a single cloud hosting provider — DigitalOcean. The hosting company's security team confirmed the findings to Talos and took down the servers — sharing what was on them with security researchers... At the same time, Check Point researchers had gained access to the paid malware delivery service's customer control panel... the vast majority of the traffic that hit Nuclear's exploit pages were redirected there by malicious advertisements — one Spanish-language ad for webcams pushed over 25,000 distinct visiting IP addresses to Nuclear in just one day, Talos found. Just one server analyzed by Talos "showed approximately 60,000 unique IP's [per day] connecting to this particular server," Biasini wrote. "This amount of activity far exceeds what we were expecting based on previous data analysis." Surprised at how so much traffic could get through websites without being noticed, Talos found the Spanish sex webcam ad was hosted on a single porn site — and accounted for nearly half the traffic to that server's landing pages. The elimination of the DigitalOcean infrastructure may change some of the tactics of Nuclear's operator, but the exploit kit is probably not going away. Cisco has added Snort intrusion detection rules to help try to catch Nuclear exploit attacks, and Check Point has added detection for Nuclear exploit landing pages and the exploits themselves."
    * http://blog.talosintel.com/2016/04/nuclear-exposed.html

    ** http://blog.checkpoint.com/2016/04/2...nfrastructure/

    Last edited by AplusWebMaster; 2016-04-22 at 20:33.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
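Two of the items in the post above translate directly into defender-side checks: the Dridex download hosts and callback IPs (the "Recommended blocklist") can be matched against proxy or firewall logs to find machines that already reached out, and the "favicon.ico that is really a renamed .exe" trick is caught by comparing an attachment's leading bytes with what its extension promises, plus a check for names that look like a document once Windows hides the final extension. The following is an added example written for this page; it is not code from the post or from the blogs it quotes. The five-column log layout, the sample log lines and the attachment bytes are constructed for the example; the IPs and hostnames are the ones listed in the post with the defanging spaces removed.

```python
"""Triage helpers for two patterns described in the post above (added
example, not code from the post or from the blogs it quotes):

1. matching the published download hosts and callback IPs against
   proxy-style log lines, so the blocklist also serves as a detection;
2. checking whether an attachment's bytes match its extension (a
   "favicon.ico" holding a PE header) and flagging names such as
   Invoice.pdf.exe that display as Invoice.pdf with extensions hidden.

Log layout, sample lines and attachment bytes are constructed for this
example; the indicators are the ones listed in the post.
"""
import os
import re
from typing import List, Tuple

# Indicators from the post, defanging spaces removed.
BAD_IPS = {
    "186.250.48.10", "193.90.12.221", "194.116.73.71", "200.159.128.144",  # Dridex callbacks
    "193.201.227.59",                                                       # inter.whyscc.com
}
DOWNLOAD_HOSTS = {
    "www.smileybins.com.au", "kpmanish.com", "neoventtechnologies.com",
    "itronsecurity.com", "bnacoffees.com", "ambikaonline.com",
    "usacarsimportsac.com", "giftsandbaskets.co.th", "inter.whyscc.com",
}

# Hypothetical five-column layout: epoch, client, destination IP, Host header, path.
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<dst_ip>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$"
)

# Constructed sample lines; the second line is benign filler, the path on
# the last line is made up for the example.
SAMPLE_LOG = """\
1461324262 10.0.0.12 200.159.128.144 - -
1461324270 10.0.0.12 93.184.216.34 www.example.com /index.html
1461324290 10.0.0.15 203.0.113.7 kpmanish.com /0u8ggf5f5
1461324301 10.0.0.17 193.201.227.59 inter.whyscc.com /gimme/some/favicon.ico
"""


def match_iocs(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, reason) pairs for every line touching a listed IP or host."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real tool would count these
        if m["dst_ip"] in BAD_IPS:
            hits.append((m["client"], f"bad ip {m['dst_ip']}"))
        if m["host"].lower() in DOWNLOAD_HOSTS:
            hits.append((m["client"], f"download host {m['host']}{m['path']}"))
    return hits


# Leading bytes of the formats that matter here; .docx/.docm/.zip share the zip header.
MAGIC_SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"PK\x03\x04", "zip-container"),
    (b"\x00\x00\x01\x00", "ico"),
]
EXPECTED_KIND = {
    ".exe": "pe-executable", ".ico": "ico",
    ".docx": "zip-container", ".docm": "zip-container", ".zip": "zip-container",
}
# The two executable extensions the post names; extend as needed.
EXECUTABLE_EXTS = {".exe", ".js"}
DOCUMENT_LOOKING_EXTS = {".doc", ".docx", ".pdf", ".txt", ".ico"}


def content_kind(data: bytes) -> str:
    """Classify bytes by leading signature; 'unknown' when none matches."""
    for sig, kind in MAGIC_SIGNATURES:
        if data.startswith(sig):
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one format and the bytes are another."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_KIND.get(ext)
    return expected is not None and content_kind(data) != expected


def looks_benign_with_hidden_extension(filename: str) -> bool:
    """True for names like Invoice.pdf.exe that show as Invoice.pdf with extensions hidden."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    return os.path.splitext(stem)[1].lower() in DOCUMENT_LOOKING_EXTS


# Constructed attachment bytes: a PE header renamed to .ico, and a zip header in a .docx.
FAKE_ICON = b"MZ\x90\x00" + b"\x00" * 60
REAL_DOCX = b"PK\x03\x04" + b"\x00" * 26

if __name__ == "__main__":
    for client, reason in match_iocs(SAMPLE_LOG):
        print(f"{client}: {reason}")
    print("favicon.ico mismatch:", extension_mismatch("favicon.ico", FAKE_ICON))
    print("Invoice.pdf.exe hides extension:", looks_benign_with_hidden_extension("Invoice.pdf.exe"))
```

The IP check and the host check are evaluated independently so a single request to a listed host on a listed IP produces two reasons; that is deliberate, since a blocklist entry for the IP and a proxy rule for the hostname are usually maintained by different teams. The magic-byte table only recognises the three formats the post mentions, so a `.js` attachment is left for the next check rather than judged by bytes.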
