Thread: SPAM frauds, fakes, and other MALWARE deliveries...

Post #34
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005 - Location: USA - Posts: 6,881

    Fake 'purchase order', 'Ref', 'Fax' SPAM

    FYI...

    Fake 'purchase order' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ering-malware/
    23 Aug 2017 - "... an email with the subject of 'RFQ072017' coming from Stafford Shawn <staffordshawn1@ yahoo .com> (possibly random senders) but definitely coming via Yahoo email network with a zip attachment containing a file that pretends to be a pdf file but is an .exe file... All detections on VirusTotal are heuristic or generic detections but it is quite well detected.
    Update: I am reliably informed it is nanocore RAT 1.2.2.0...

    Screenshot: https://myonlinesecurity.co.uk/wp-co.../RFQ072017.png

    SCAN_PO#20170823.PDF.z: Extracts to: SCAN_PO#20170823.PDF.z.exe - Current Virus total detections 23/64*
    Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/c...is/1503458477/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    185.12.45.79
    ___

    Fake 'Ref' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    23 Aug 2017 - "An email with the subject of 'Ref: 72381821' pretending to come from Barclays Bank but actually coming from a look-a-like domain Barclays <message@ barclaysmail .co.uk> -or- Barclays <message@ barclays-mail .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... spoofed domains are barclaysmail .co.uk 46.21.147.128 AS35017 Swiftway Sp. z o.o. and barclays-mail .co.uk 85.93.88.35 malta2333.startdedicated .net AS8972 Host Europe GmbH...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...lays-email.png

    Ref72381821.doc - Current Virus total detections 4/58*. Payload Security**... This malware file downloads from
    http ://eva-wagner .net/picture_library/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to hgfudf.exe and autorun (VirusTotal 18/63***). An alternative download location is
    http ://eva-poldi .at/logo.png
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/5...is/1503484026/
    attachment20170823-17020-5y3sht.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    62.138.14.149
    37.120.182.208
    51.254.164.249
    188.165.62.11


    *** https://www.virustotal.com/en/file/6...e212/analysis/
    hgfudf.exe

    eva-wagner .net: 148.251.26.133: https://www.virustotal.com/en/ip-add...3/information/
    > https://www.virustotal.com/en/url/02...b542/analysis/

    eva-poldi .at: 62.138.14.149: https://www.virustotal.com/en/ip-add...9/information/
    > https://www.virustotal.com/en/url/08...d639/analysis/
    ___

    Fake 'Fax' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/locky...email-malspam/
    22 Aug 2017 - "... series of Locky downloaders... an email with the subject of 'Fax from: (01242) 856225' [random numbers] pretending to come from Free Fax to Email <freefaxtoemail@ random email domain>...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...242-856225.png

    Fax278044344f0dd0b.rar: Extracts to: Fax1423519vc18e7c3.js - Current Virus total detections 16/55*
    Payload Security** - delivers /REjhb54 (VirusTotal ***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1480616575/
    -6dt874p53077.js

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    Contacted Hosts
    192.169.226.106
    82.118.17.218
    5.196.99.239


    *** https://www.virustotal.com/#/file/61...2471/detection
    ??

    Last edited by AplusWebMaster; 2017-08-23 at 17:32.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
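All three campaigns quoted in this post rely on the same trick: an attachment (or a downloaded file) whose name claims one type while its bytes are another, e.g. `SCAN_PO#20170823.PDF.z.exe`, a `logo.png` that is really a renamed `.exe`, or a `.js` downloader inside a `.rar`. The following Python script is an added example written for this thread; it is not code from the post or from myonlinesecurity.co.uk. It checks an attachment name for document-looking double extensions and script extensions, and compares the claimed extension against the file's leading magic bytes. The file names are taken from the post; every byte string and the in-memory zip are constructed here for illustration, and the extension and magic tables are the example's own, not a complete list.

```python
"""Flag mail attachments whose name and content disagree (added example)."""
import io
import zipfile

# Final extensions Windows will execute or hand to the script host (assumption: minimal list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "dll",
                   "js", "jse", "vbs", "vbe", "wsf", "hta", "bat", "cmd"}
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "bat", "cmd"}
# Extensions a lure uses to look harmless in front of the real one.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "png", "jpg", "jpeg", "gif", "txt", "rtf"}

# Leading-byte signatures; only those this example needs (constructed table).
MAGIC = [
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),   # legacy .doc/.xls container
]

# What content kind a given claimed extension should carry.
EXT_TO_KIND = {"exe": "pe", "scr": "pe", "dll": "pe", "pif": "pe", "com": "pe",
               "pdf": "pdf", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
               "doc": "ole", "xls": "ole", "docx": "zip", "xlsx": "zip",
               "zip": "zip", "rar": "rar"}


def sniff(data: bytes) -> str:
    """Return the content kind implied by the leading bytes, or 'unknown'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def extensions(name: str) -> list:
    """All dot-separated extensions of a file name, lower-cased, path stripped."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:] if len(parts) > 1 else []


def analyse(name: str, data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    exts = extensions(name)
    final = exts[-1] if exts else ""
    inner = exts[:-1]

    # 'invoice.PDF.exe' style: a document extension in front of an executable one.
    if final in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in inner):
        findings.append(f"double-extension: document-looking name ends in .{final}")

    # Bare script attachments (the Locky .js downloader case).
    if final in SCRIPT_EXTS:
        findings.append(f"script attachment (.{final})")

    # Name/content disagreement (the 'logo.png that is really an .exe' case).
    kind = sniff(data)
    expected = EXT_TO_KIND.get(final)
    if kind == "pe" and expected != "pe":
        findings.append(f"content is a PE executable but name claims .{final or '(none)'}")
    elif expected and kind != "unknown" and kind != expected:
        findings.append(f"content looks like {kind} but name claims .{final}")
    return findings


def analyse_zip(data: bytes) -> dict:
    """Run analyse() over every member of a zip attachment held in memory."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            results[info.filename] = analyse(info.filename, zf.read(info.filename)[:16])
    return results


def build_sample_zip() -> bytes:
    """Constructed stand-in for the 'purchase order' attachment: a zip holding a fake PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SCAN_PO#20170823.PDF.z.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("logo.png", b"MZ\x90\x00PE\x00\x00"),          # constructed: PE bytes behind an image name
        ("Fax1423519vc18e7c3.js", b"var a = 1;"),       # constructed: script downloader
        ("report.pdf", b"%PDF-1.4\n"),                  # constructed: benign control
    ]
    for name, data in samples:
        print(name, "->", analyse(name, data) or "clean")
    for name, findings in analyse_zip(build_sample_zip()).items():
        print("zip member", name, "->", findings)
```

The check is deliberately narrow: it catches the name-versus-content games described above, but a macro-laden `.doc` such as `Ref72381821.doc` has correct OLE magic and a matching extension, so it passes `analyse()` and needs macro inspection or sandboxing instead. Running `analyse_zip()` on an archive before the user sees its members is the point at which the `.PDF.z.exe` lure can be stopped.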
