FYI...
Fake 'Upcoming Payment' SPAM - JS malware delivers Dridex
- https://myonlinesecurity.co.uk/upcom...livers-dridex/
6 May 2016 - "An email with the subject of 'Upcoming Payment – 1 Month Notice' pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads Dridex. In exactly the same way as THIS[1] earlier Malspam run, the encrypted JavaScript file contains a long list of compromised sites that the Dridex banking Trojan is downloaded from...
1] https://myonlinesecurity.co.uk/someo...ads-to-dridex/
One of the emails looks like:
From: Mona Gates <GatesMona02@ ideadigitale .org>
Date: Thu 05/05/2016 23:20
Subject: Upcoming Payment – 1 Month Notice
Attachment: user_data_37776.zip
Please, be informed regarding the upcoming payment ID:30724, which must be paid in full until the June 1st, 2016.
Additional information is enclosed in the file down below.
6 May 2016: user_data_37776.zip: Extracts to: details_uQG07BLH189.js - Current Virus total detections 1/56*
.. MALWR** shows a download of Dridex banking trojan from a long list of sites (VirusTotal 7/55***). Sites discovered listed inside the encrypted js file include: (other versions of this might well include other sites):
http ://fashionpoppers .com/adm.exe - 66.147.244.66
http ://sky-hero .com/adm.exe - 213.186.33.171
http ://wbsrainwater .com/adm.exe - 91.146.109.184
http ://burnspots .com/adm.exe - 160.153.32.229
http ://wholesalejaipurkurti .com/adm.exe - 46.166.163.195
http ://bedbugsurvivalguide .com/adm.exe - 54.241.22.111
http ://clearancezone .com.au/adm.exe - 184.164.156.210
http ://asiandukan .co.uk/adm.exe - 192.186.200.169
http ://ribastiendaonline .com/adm.exe - 185.92.247.46
http ://hogcustom .co.uk/adm.exe - 213.246.109.8
http ://shopnutri .com.br/adm.exe - 177.12.173.166
http ://metersdirect .com.au/adm.exe - 52.64.39.102
http ://buyemergencylight .com/adm.exe - 192.117.12.154
http ://lcdistributing .com/adm.exe - 192.249.113.43
http ://liftmaxthailand .com/adm.exe - 119.59.120.32
http ://millersportsaspen .com/adm.exe - 23.235.220.84
http ://hkautosports .com/adm.exe - 205.134.241.120
http ://syntechcs .co.uk/adm.exe - 188.65.114.122
http ://presspig .com/adm.exe - 70.40.220.100
http ://lojaturbo .com.br/adm.exe - 81.19.185.200
... This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3...is/1462487086/
** https://malwr.com/analysis/MjUxNzY0N...JjMWJmNDc1OGQ/
Hosts
213.246.109.8
213.186.33.171
192.117.12.154
185.92.247.46
81.19.185.200
52.64.39.102
177.12.173.166
184.164.156.210
91.146.109.184
119.59.120.32
192.249.113.43
70.40.220.100
188.65.114.122
66.147.244.66
192.186.200.169
23.235.220.84
54.241.22.111
46.166.163.195
160.153.32.229
205.134.241.120
*** https://www.virustotal.com/en/file/c...is/1462507119/
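To make the site/IP list above usable for blocking or log review, here is an added Python example (mine, not code from the post or from myonlinesecurity): it refangs the "http ://host .tld/adm.exe - IP" lines exactly as published above and then checks proxy log lines against the resulting host and IP sets. The Squid-style log lines and the internal client addresses in them are constructed for the demonstration; only the indicators come from the post.

```python
import re
from urllib.parse import urlparse

# Indicator lines copied as published above (defanged with spaces before "://" and ".").
IOC_TEXT = """\
http ://fashionpoppers .com/adm.exe - 66.147.244.66
http ://sky-hero .com/adm.exe - 213.186.33.171
http ://wbsrainwater .com/adm.exe - 91.146.109.184
http ://burnspots .com/adm.exe - 160.153.32.229
http ://wholesalejaipurkurti .com/adm.exe - 46.166.163.195
http ://bedbugsurvivalguide .com/adm.exe - 54.241.22.111
http ://clearancezone .com.au/adm.exe - 184.164.156.210
http ://asiandukan .co.uk/adm.exe - 192.186.200.169
http ://ribastiendaonline .com/adm.exe - 185.92.247.46
http ://hogcustom .co.uk/adm.exe - 213.246.109.8
http ://shopnutri .com.br/adm.exe - 177.12.173.166
http ://metersdirect .com.au/adm.exe - 52.64.39.102
http ://buyemergencylight .com/adm.exe - 192.117.12.154
http ://lcdistributing .com/adm.exe - 192.249.113.43
http ://liftmaxthailand .com/adm.exe - 119.59.120.32
http ://millersportsaspen .com/adm.exe - 23.235.220.84
http ://hkautosports .com/adm.exe - 205.134.241.120
http ://syntechcs .co.uk/adm.exe - 188.65.114.122
http ://presspig .com/adm.exe - 70.40.220.100
http ://lojaturbo .com.br/adm.exe - 81.19.185.200
"""

# Constructed Squid-style access log lines (client IPs and timestamps are made up).
SAMPLE_PROXY_LOG = [
    "1462487086.101 412 10.0.0.15 TCP_MISS/200 1536 GET http://www.example.org/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1462487091.337 980 10.0.0.15 TCP_MISS/200 184320 GET http://sky-hero.com/adm.exe - HIER_DIRECT/213.186.33.171 application/octet-stream",
    "1462487095.002 15 10.0.0.22 TCP_TUNNEL/200 0 CONNECT 185.92.247.46:443 - HIER_DIRECT/185.92.247.46 -",
    "1462487099.410 60 10.0.0.31 TCP_MISS/200 2048 GET http://files.example.net/adm.exe - HIER_DIRECT/198.51.100.7 text/html",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def refang(s: str) -> str:
    """Undo the 'http ://host .tld' defanging used in the post."""
    return s.replace(" ://", "://").replace(" .", ".")


def parse_iocs(text: str) -> list:
    """Turn each 'URL - IP' line into a dict with url, host and ip."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        url_part, _, ip_part = line.partition(" - ")
        url = refang(url_part)
        iocs.append({"url": url, "host": urlparse(url).hostname, "ip": ip_part.strip()})
    return iocs


def scan_log(lines, iocs) -> list:
    """Return (line number, sorted reasons) for every log line touching a listed host or IP.

    Hosts are matched exactly, so a different domain serving a file named
    adm.exe is not flagged by this check alone.
    """
    hosts = {i["host"] for i in iocs}
    ips = {i["ip"] for i in iocs}
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = set()
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host in hosts:
                reasons.add(f"host {host}")
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                reasons.add(f"ip {ip}")
        if reasons:
            hits.append((n, sorted(reasons)))
    return hits


if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_PROXY_LOG, parse_iocs(IOC_TEXT)):
        print(f"line {n}: {', '.join(reasons)}")
```

The same host/IP sets feed a proxy deny list or a SIEM lookup directly; matching on the `/adm.exe` path alone is left out on purpose because the filename is trivially changed between runs, while the compromised hosts persisted across the two Dridex runs described here.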
___
Fake 'New Payment Received' SPAM - JS malware delivers Dridex
- https://myonlinesecurity.co.uk/new-p...livers-dridex/
6 May 2016 - "Continuing with the overnight Malspam runs is yet another -Dridex- dropper with a long list of sites embedded inside the encrypted JavaScript file. This is an email with the subject of 'New Payment Received' pretending to come from random senders and email addresses with a zip attachment containing an encrypted JavaScript file... One of the emails looks like:
From: Kathie Miller <MillerKathie8660@ fixed-189-252-187-189-252-125 .iusacell .net>
Date: Fri 06/05/2016 02:01
Subject: New Payment Received
Attachment: caution_rob_522737.zip
You have just received a new payment! Trans number 97407. For more information please review the transaction report enclosed.
6 May 2016: caution_rob_522737.zip: Extracts to: cash_q9rTBHi225.js - Current Virus total detections 1/56*
.. MALWR** shows a download of Dridex banking Trojan from the same list of sites in THIS[1] post.
1] https://myonlinesecurity.co.uk/upcom...livers-dridex/
.. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/f...is/1462497274/
** https://malwr.com/analysis/ZmVhZjIyM...JlYjc4NmI1Zjk/
Hosts
213.246.109.8
213.186.33.171
192.117.12.154
185.92.247.46
81.19.185.200
52.64.39.102
177.12.173.166
184.164.156.210
91.146.109.184
119.59.120.32
192.249.113.43
70.40.220.100
188.65.114.122
66.147.244.66
192.186.200.169
23.235.220.84
54.241.22.111
46.166.163.195
160.153.32.229
205.134.241.120
___
Fake '50 transactions' SPAM - JS malware delivers Locky
- https://myonlinesecurity.co.uk/i-hav...elivers-locky/
6 May 2015 - "An email with the subject of 'Re: ' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: Helen Velazquez <VelazquezHelen20082@ sas-pt .com>
Date: Fri 06/05/2016 09:46
Subject: Re:
Attachment: spreadsheet_98B.zip
Good evening driver,
As promised, I have attached the spreadsheet contains last 50 transaction and your account actual balance.
Regards,
Helen Velazquez
6 May 2016: spreadsheet_98B.zip: Extracts to: transactions 11791799.js - Current Virus total detections 23/56*
.. MALWR doesn’t show any downloads but a manual analysis gives me a download from
http ://girls.web-planet .su/hs93jaks (VirusTotal 3/55**).. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/1...is/1441173827/
** https://www.virustotal.com/en/file/f...is/1462525419/
TCP connections
185.22.67.108: https://www.virustotal.com/en/ip-add...8/information/
girls.web-planet .su: 217.107.34.231: https://www.virustotal.com/en/ip-add...1/information/
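All three runs above rely on the same delivery: a zip attachment holding a single .js file whose icon, with extensions hidden (the Windows default), looks like a document. As an added example (mine, not from the post), here is a Python check a mail gateway or triage script can run on a zip attachment: it flags members with script or executable extensions and separately flags double extensions such as "something.doc.js", showing the name the user would actually see. The zips are built in memory from dummy content; the member names follow the post (details_uQG07BLH189.js) plus a constructed double-extension variant.

```python
import io
import zipfile
from os.path import basename, splitext

# Extensions Windows hands straight to a script host or the loader on double-click.
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
                   ".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Document extensions commonly placed before the real one so the hidden-extension name looks harmless.
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf"}


def windows_display_name(name: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on.

    Assumes the final extension is a registered type (true for .js, .exe etc.),
    so only the last extension is hidden.
    """
    stem, ext = splitext(basename(name))
    return stem if ext else name


def inspect_attachment(zip_bytes: bytes) -> list:
    """Return one finding per suspicious member: {'member': name, 'reasons': [...]}."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = basename(info.filename)
            stem, ext = splitext(name)
            ext = ext.lower()
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable type {ext}")
                inner_ext = splitext(stem)[1].lower()
                if inner_ext in DOCUMENT_EXTS:
                    reasons.append(
                        f"double extension, shows as {windows_display_name(name)!r} with extensions hidden"
                    )
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Constructed test fixture: an in-memory zip with the given member names and contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures; contents are dummy text, not the real droppers.
MALSPAM_ZIP = build_sample_zip({"details_uQG07BLH189.js": "// dummy content\n"})
DOUBLE_EXT_ZIP = build_sample_zip({"invoice 30724.doc.js": "// dummy content\n"})
BENIGN_ZIP = build_sample_zip({"report.pdf": "%PDF-1.4 dummy\n"})


if __name__ == "__main__":
    for label, data in [("malspam", MALSPAM_ZIP), ("double-ext", DOUBLE_EXT_ZIP), ("benign", BENIGN_ZIP)]:
        print(label, inspect_attachment(data))
```

Blocking the executable extensions inside archives at the gateway is the policy this check supports; the display-name output is useful in user reports, since "invoice 30724.doc" is what the recipient saw, not "invoice 30724.doc.js".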