FYI...

Fake 'FedEx/USPS' SPAM - updates
- https://myonlinesecurity.co.uk/spoof...d-locky-sites/
28 Dec 2016

29 December 2016: (Payload Security report[6]) Contacted Hosts (169)

/counter/?a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&m=2365622&i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA

/counter/?i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA&a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&r=01

> 2nd version today (Payload Security Report[7]) Contacted Hosts (7)

/counter/?=&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo&a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&r=01

/counter/?a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&m=4831333&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo

[6] https://www.hybrid-analysis.com/samp...ironmentId=100

[7] https://www.hybrid-analysis.com/samp...ironmentId=100
___

Updated Sundown EK ...
- http://blog.trendmicro.com/trendlabs...steganography/
Dec 29, 2016 - "... On December 27, 2016, we noticed that Sundown was updated... The PNG files weren’t just used to store harvested information; the malware designers now used steganography to hide their exploit code. The newly updated exploit kit was used by multiple malvertising campaigns to distribute malware. The most affected countries were Japan, Canada, and France, though Japanese users accounted for more than 30% of the total targets:
> https://blog.trendmicro.com/trendlab...nography-1.jpg
... previous Sundown versions directly connected victims to the Flash exploit file on their landing page. In this updated version, the exploit kit’s malvertisement creates a hidden iframe that automatically connects to the Sundown landing page. The page will retrieve and download a white PNG image. It then decodes the data in this PNG file to obtain additional malicious code... we found that it included the exploit code targeting CVE-2015-2419, a vulnerability in the JScript handling of Internet Explorer. A Flash exploit for CVE-2016-4117 is also retrieved by the exploit code. The landing page itself includes an exploit targeting another Internet Explorer (IE) vulnerability, CVE-2016-0189... The Sundown exploit kit exploits vulnerabilities in Adobe Flash and JavaScript, among others... Indicators of Compromise: The following domains were used by the Sundown Exploit kit with the matching IP addresses:
xbs.q30 .biz (188.165.163.228)
cjf.0340 .mobi (93.190.143.211)
The Chthonic sample has the following SHA1 hash:
c2cd9ea5ad1061fc33adf9df68eeed6a1883c5f9
The sample also used the following C&C server:
pationare .bit"

pationare .bit: 'Could not find an IP address for this domain name.'

188.165.163.228: https://www.virustotal.com/en/ip-add...8/information/

93.190.143.211: https://www.virustotal.com/en/ip-add...1/information/