FYI...
Fake 'Message from scanner' SPAM – PDF malware
- http://myonlinesecurity.co.uk/messag...e-pdf-malware/
24 Aug 2015 - "'Message from scanner' pretending to come from scanner.coventrycitycentre@ brianholt .co.uk with a zip attachment but a completely -empty/blank- body of the email is another one from the current bot runs...
Screenshot: http://myonlinesecurity.co.uk/wp-con...om-scanner.png
24 August 2015: Sscanner15081208190.zip: Extracts to: Sscanner15081208190.exe
Current VirusTotal detections: 3/57* . This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8...is/1440408248/
- http://blog.dynamoo.com/2015/08/malw...m-scanner.html
24 Aug 2015 - "... malicious executable Sscanner15081208190.exe embedded into the attachment Sscanner15081208190.zip . This executable has a detection rate of just 5/54*. The Hybrid Analysis report** shows the malware POSTing to:
smboy .su/mu/tasks.php
.SU (Soviet Union) domains are almost always bad news. If you can block them on your web filter then I recommend that you do so. This particular site is hosted on 95.172.146.73 (RTComm-Sibir, Russia). The network range of 95.172.146.0/23 does seem to contain some legitimate Russian-language sites, but you might want to -block- the whole range to be on the safe side. The payload is unknown, but typically malware like this will drop either the Dyre banking trojan or some sort of ransomware."
* https://www.virustotal.com/en/file/8...is/1440414098/
** https://www.hybrid-analysis.com/samp...nvironmentId=1
95.172.146.73: https://www.virustotal.com/en/ip-add...3/information/
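Neither blog shows how to triage an attachment like this without opening it, so the following is an added example (not code from either blog or from the original post). It unpacks a ZIP in memory, reports what Windows Explorer would display for each member with "hide extensions for known file types" on, and flags executable extensions, double extensions, and members whose first two bytes are the PE "MZ" magic but whose extension claims to be a document. The ZIP it inspects is constructed inline (a two-byte "MZ" stub stands in for the real Sscanner15081208190.exe; the other member names are invented), so it runs offline.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Explorer hides when "Hide extensions for known file types"
# is on (the Windows default), so "report.pdf.exe" displays as "report.pdf".
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".cpl", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".lnk", ".msi",
}
# Extensions that legitimately carry a Windows PE ("MZ") header.
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".sys", ".ocx"}
# Extensions a lure will impersonate; used to spot double extensions.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf",
                       ".txt", ".jpg", ".jpeg", ".png", ".gif"}


def extensions_of(name: str) -> List[str]:
    """All dotted extensions of a path's basename, lower-cased, in order."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def displayed_name(name: str) -> str:
    """What Explorer shows with known extensions hidden: the last extension
    is dropped if it is a registered (hidden) type, otherwise shown as-is."""
    exts = extensions_of(name)
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS | DOCUMENT_EXTENSIONS:
        return name[: -len(exts[-1])]
    return name


def inspect_zip(data: bytes) -> Dict[str, dict]:
    """Inspect a ZIP attachment; return {member: {displayed_as, reasons}}
    for every member with at least one finding."""
    findings: Dict[str, dict] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = extensions_of(info.filename)
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                magic = fh.read(2)           # only the header is needed
            reasons = []
            if last in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {last}")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append(f"double extension, displays as "
                               f"'{displayed_name(info.filename)}'")
            if magic == b"MZ" and last not in PE_EXTENSIONS:
                reasons.append(f"PE (MZ) header but extension {last or '(none)'}")
            if reasons:
                findings[info.filename] = {
                    "displayed_as": displayed_name(info.filename),
                    "reasons": reasons,
                }
    return findings


def build_sample_zip() -> bytes:
    """Constructed test attachment; the MZ stubs are not real malware."""
    pe_stub = b"MZ" + b"\x00" * 62            # bare DOS header, nothing else
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Sscanner15081208190.exe", pe_stub)   # name from the post
        zf.writestr("statement.pdf.exe", pe_stub)         # invented
        zf.writestr("scan.pdf", pe_stub)                  # invented: PE with PDF name
        zf.writestr("notes.pdf", b"%PDF-1.4\n%constructed\n")  # invented, benign
        zf.writestr("readme.txt", b"plain text\n")        # invented, benign
    return buf.getvalue()


if __name__ == "__main__":
    for member, result in inspect_zip(build_sample_zip()).items():
        print(f"{member!r} shown as {result['displayed_as']!r}:")
        for reason in result["reasons"]:
            print(f"    - {reason}")
```

The "MZ" check is what catches the icon trick in the post: a PDF icon is just a resource inside the PE, so the header still gives the file away. Run it against a saved attachment with `inspect_zip(open(path, "rb").read())`; anything it flags should go to a sandbox, not a desktop.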
___
German site dwdl .de -hacked- serving malware via 94.142.140.222
- http://blog.dynamoo.com/2015/08/popu...de-hacked.html
24 Aug 2015 - "... German media website dwdl .de has been -hacked- and is serving up malware, according to this URLquery report*. URLquery's IDS function detects what looks like the RIG Exploit kit:
> https://3.bp.blogspot.com/-pFLpyrW75...00/dwdl-de.png
The exploit is injected code pointing to a server at 94.142.140.222 (Marosnet Telecommunication Company, Russia), which in the example uses filter.michiganbeerhops .com, a -hijacked- GoDaddy domain. The exploit only appears to work if the site is accessed via a search engine, which looks like a classic .htaccess hack. URLquery's script relationship chart shows this in action:
> https://3.bp.blogspot.com/-XrAJ6DxnJ..._graph.php.gif
VirusTotal** gives an overview of other malicious domains on this server. It indicates that the following domains have been -hijacked- and malicious subdomains set up..."
(Long list at the dynamoo URL - top of this post.)
* http://urlquery.net/report.php?id=1440424952903
** 94.142.140.222: https://www.virustotal.com/en/ip-add...2/information/
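The "only works when arriving from a search engine" behaviour described above is why a plain visit to a hacked site often looks clean. As an added example (not code from dynamoo, URLquery or the original post), the following fetches a page twice, once with no Referer and once with a constructed Google-results Referer, and reports any script/iframe/object hosts that appear only in the referred response. The comparison logic is separated from the fetch so it can be run offline on the two constructed HTML responses embedded below; the hijacked host in that sample (filter.hijacked-example.test) is a placeholder, not the domain named in the post.

```python
import sys
import urllib.request
from html.parser import HTMLParser
from typing import Set, Tuple
from urllib.parse import urlparse

# Assumed Referer a search-engine visitor would carry; constructed here.
SEARCH_REFERER = "https://www.google.com/search?q=dwdl"
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"


class ResourceCollector(HTMLParser):
    """Collect src/data URLs of tags an exploit kit redirect is injected into."""
    TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}

    def __init__(self) -> None:
        super().__init__()
        self.urls: Set[str] = set()

    def handle_starttag(self, tag, attrs):
        want = self.TAGS.get(tag.lower())
        if want:
            for name, value in attrs:
                if name.lower() == want and value:
                    self.urls.add(value.strip())


def external_hosts(html: str, site_host: str) -> Set[str]:
    """Hostnames of loaded resources that are not the site itself."""
    parser = ResourceCollector()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        host = urlparse(url).hostname   # None for relative paths
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.add(host.lower())
    return hosts


def injected_hosts(baseline_html: str, referred_html: str, site_host: str) -> Set[str]:
    """External hosts present only when the page is visited via a search engine."""
    return external_hosts(referred_html, site_host) - external_hosts(baseline_html, site_host)


def fetch(url: str, referer: str = "") -> str:
    """Fetch a page, optionally with a Referer header. Not used offline."""
    headers = {"User-Agent": USER_AGENT}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:   # noqa: S310 (deliberate)
        return resp.read().decode("utf-8", errors="replace")


def sample_responses() -> Tuple[str, str]:
    """Constructed HTML: what a direct visit and a search-engine visit return."""
    baseline = """<html><head>
      <script src="/js/app.js"></script>
      <script src="https://static.dwdl.de/site.js"></script>
      <script src="https://cdn.example-legit.test/lib.js"></script>
    </head><body><p>news</p></body></html>"""
    referred = baseline.replace(
        "</body>",
        '<iframe src="http://filter.hijacked-example.test/land" '
        'width="1" height="1"></iframe></body>')
    return baseline, referred


if __name__ == "__main__":
    if len(sys.argv) == 2:                       # live check: python cloak.py http://site/
        url = sys.argv[1]
        host = urlparse(url).hostname or ""
        hosts = injected_hosts(fetch(url), fetch(url, SEARCH_REFERER), host)
    else:                                        # offline demo on constructed data
        base, ref = sample_responses()
        hosts = injected_hosts(base, ref, "dwdl.de")
    print("hosts loaded only via search-engine referer:", sorted(hosts) or "none")
```

An empty result does not prove a site is clean (kits also key on User-Agent, geography, and one-visit-per-IP cookies), but a non-empty one on a site you administer is a strong signal to read the .htaccess for RewriteCond rules matching HTTP_REFERER and to pull the injected host into your block list.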