FYI...
Fake 'Invoice' SPAM - malicious attachment
- https://myonlinesecurity.co.uk/fw-invoice_515002/
21 June 2016 - "An email pretending to be a sage invoice with the subject of 'FW: Invoice_515002' coming from “postmaster@footballplayers19.gq”@ footballplayers19 .gq; on behalf of; Leanna Sage Whitaker <postmaster@footballplayers19 .gq> with a zip attachment... We have been seeing a few emails over the last couple of weeks from the footballplayers*.g* domains. Some pure spam, some phishing and some malware. It looks like a mailing list that must have some vulnerability to allow external users to be sent emails via them. One of the emails looks like:
From: "postmaster@footballplayers19.gq"@ footballplayers19 .gq; on behalf of; Leanna Sage Whitaker <postmaster@ footballplayers19 .gq>
Date: Tue 21/06/2016 10:05
Subject: FW: Invoice_515002
Attachment:
Please see attached copy of the original invoice (sage_invoice_131340_711410101502668.pdf).
21 June 2016: sage_invoice_515002_3841674267107.zip: Extracts to: sage_invoice_225224_4233.exe
Current Virus total detections 6/56*.. Payload Security** shows it posts some information to a Ukrainian IP 217.12.199.87... This is another one of the files that unless you have “show known file extensions enabled”, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/d...is/1466500334/
** https://www.hybrid-analysis.com/samp...ironmentId=100
Contacted Hosts
217.12.199.87: https://www.virustotal.com/en/ip-add...7/information/
___
Fake 'RE:' SPAM - Locky .js attachment
- https://myonlinesecurity.co.uk/it-lo...locky-is-back/
21 June 2016 - "It looks like Locky ransomware is back tonight with a series of generic emails pretending to be invoices with the subject of 'RE:' pretending to come from random senders with a zip attachment which downloads what looks suspiciously like Locky Ransomware... None of the auto analysers can effectively decode these encrypted javascripts inside the zips... One of the emails looks like:
From: Titus Sampson <Sampson.FAC43DD@ melhonretail .com>
Date: Tue 21/06/2016 18:16
Subject: RE:
Attachment: wilbarger_invoice_181696.zip
Dear wilbarger:
Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter.
Hoping the above to your satisfaction, we remain.
Sincerely,
Titus Sampson
General Manager
21 June 2016: wilbarger_invoice_181696.zip: Extracts to: addition-546.js - Current Virus total detections 2/56*
.. I am being told one of the sites containing an encrypted Locky binary is easysupport .us/fl85xie ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/b...is/1466529396/
easysupport .us: 198.58.93.28: https://www.virustotal.com/en/ip-add...8/information/
>> https://www.virustotal.com/en/url/08...d3b2/analysis/
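Both campaigns above rely on a zip attachment whose member is really an .exe or .js that reads like an invoice document. The following is an added example (not code from the blog posts or this thread) of a mail-gateway style check that opens a zip in memory and flags members by executable extension, by a document-looking double extension, and by a PE "MZ" header hiding behind a document extension; the extension lists and the sample zip contents are constructed for illustration.

```python
import io
import zipfile

# Extensions Windows will execute on double-click (constructed list, not exhaustive)
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".bat", ".cmd", ".hta"}
# Extensions a user expects to be harmless documents/images (constructed list)
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

def classify_member(name, head):
    """Return the reasons a zip member looks like a disguised executable ([] if none)."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
    # invoice.pdf.exe: a document extension sits just before the real one
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension hides a document-looking name")
    # Content check: a PE image whose name does not admit it is an executable
    if head[:2] == b"MZ" and ext not in {".exe", ".dll", ".scr"}:
        reasons.append("PE header behind non-executable extension " + ext)
    return reasons

def scan_zip_attachment(data):
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip():
    """Constructed attachment mimicking the campaigns above (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sage_invoice_225224_4233.exe", b"MZ" + b"\x00" * 64)  # like the first campaign
        zf.writestr("addition-546.js", b"var a = 1;")                    # like the Locky .js
        zf.writestr("statement.pdf.exe", b"MZ" + b"\x00" * 64)            # double extension
        zf.writestr("report.pdf", b"MZ" + b"\x00" * 64)                   # PE bytes, pdf name
        zf.writestr("notes.txt", b"plain text")                           # benign
    return buf.getvalue()
```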