Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  #11 AplusWebMaster (Adviser Team) | Join Date: Oct 2005 | Location: USA | Posts: 6,881

    Fake 'old office facilities', 'Scanned image', 'Body content empty/blank' SPAM

    FYI...

    Fake 'old office facilities' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/09/malw...acilities.html
    2 Sep 2016 - "This spam has a malicious attachment:
    Subject: old office facilities
    From: Kimberly Snow (Snow.741@ niqueladosbestreu .com)
    Date: Friday, 2 September 2016, 8:55
    Hi Corina,
    Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
    Best wishes,
    Kimberly Snow


    The name of the sender will vary. Attached is a ZIP file with a random hexadecimal number, containing a malicious .js script beginning with office_facilities_ plus another random hexadecimal number. Analysis is pending, but this Malwr report* indicates attempted communications to:
    malwinstall .wang
    sopranolady7 .wang
    ..both apparently hosted on 66.85.27.250 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.
    UPDATE 1: According to this Malwr report** it drops a DLL with a detection rate of 10/58***. Also those mysterious .wang domains appear to be multihomed on the following IPs:
    23.95.106.195 (New Wave NetConnect, US)
    45.59.114.100 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
    66.85.27.250 (Crowncloud, US)
    104.36.80.104 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
    107.161.158.122 (Net3, US)
    158.69.147.88 (OVH, Canada)
    192.99.111.28 (OVH, Canada)
    Recommended blocklist:
    23.95.106.195
    45.59.114.100
    66.85.27.250
    104.36.80.104
    107.161.158.122
    158.69.147.88
    192.99.111.28
    "
    * https://malwr.com/analysis/OGI2NWI3Z...A3YWRkMzZmNGE/
    Hosts
    66.85.27.250
    23.95.106.195


    ** https://malwr.com/analysis/OTA3MDk3Z...BhM2I4MTE0OTE/
    Hosts
    66.85.27.250
    23.95.106.195


    *** https://virustotal.com/en/file/9dc5a...c5c7/analysis/
    VQpnPCqe.dll

    - https://myonlinesecurity.co.uk/old-o...elivers-locky/
    2 Sep 2016 - "... series of Locky downloaders is an email with the subject of 'old office facilities' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
    From: Angelina Nielsen <Nielsen.83382@ parklawnsprinklers .com>
    Date: Fri 02/09/2016 08:27
    Subject: old office facilities
    Attachment: 1fade4423b3a.zip
    Hi Chasity,
    Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
    Best wishes,
    Angelina Nielsen


    2 September 2016: 1fade4423b3a.zip: Extracts to: office_facilities_059AB2E9.js - Current Virus total detections 8/56*
    .. MALWR** shows a download of an encrypted file from http ://malwinstall .wang/ezr08tjd which is transformed by the script to VQpnPCqe.dll (VirusTotal 10/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/e...is/1472801143/

    ** https://malwr.com/analysis/MzJkY2EzN...g4OGVhMzAyMDQ/
    Hosts
    23.95.106.195
    66.85.27.250


    *** https://www.virustotal.com/en/file/9...is/1472801991/
    ___

    Fake 'Scanned image' SPAM - leads to Locky
    - http://blog.dynamoo.com/2016/09/malw...mage-from.html
    2 Sep 2016 - "This -fake- document scan appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a malicious Word document.
    Subject: Scanned image from MX2310U@ victimdomain .tld
    From: office@victimdomain.tld (office@ victimdomain .tld)
    To: webmaster@victimdomain.tld;
    Date: Friday, 2 September 2016, 2:29
    Reply to: office@ victimdomain .tld [office@ victimdomain .tld]
    Device Name: MX2310U@victimdomain.tld
    Device Model: MX-2310U
    Location: Reception
    File Format: PDF MMR(G4)
    Resolution: 200dpi x 200dpi
    Attached file is scanned image in PDF format.
    Use Acrobat(R)Reader(R) ...


    Attached is a .DOCM file with a filename consisting of the recipient's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component... The payload is Locky ransomware, phoning home to:
    212.109.192.235/data/info.php [hostname: take. ru .com] (JSC Server, Russia)
    149.154.152.108/data/info.php [hostname: 407.AT.multiservers .xyz] (EDIS, Austria)
    Recommended blocklist:
    212.109.192.235
    149.154.152.108
    "
    ___

    Fake 'Body content empty/blank' SPAM - delivers Locky
    - https://myonlinesecurity.co.uk/blank...s-locky-zepto/
    2 Sep 2016 - "... Locky/Zepto downloaders... empty/blank email with the subject random numbers and either .jpg, gif, pdf, img, docx, tif, png etc. coming as usual from random names @ icloud .com with a random named zip attachment that is named the -same- as the numbers in the subject line containing a wsf file... One of the emails looks like:
    From: Alejandra_6526@ icloud .com
    Date: Fri 02/09/2016 12:27
    Subject: 26889jpg
    Attachment: 26889.zip


    Body content: Empty/blank

    2 September 2016: 26889.zip: Extracts to: W64pP.wsf - Current Virus total detections 8/56*
    .. MALWR** shows a download of an encrypted file from one of these locations:
    http ://maxshoppppsr .biz/js/y54g3tr?NxMSERb=asaGYkQ | http ://illaghettodelcircoletto .it/flkekqs?NxMSERb=asaGYkQ
    http ://vimp.hi2 .ro/xqbqjyn?NxMSERb=asaGYkQ which is transformed by the script to vTFEncqFbOk1.dll (VirusTotal 5/58***)
    All of them contact the C2 centre http ://149.154.152.108 /data/info.php to get & store the encryption key that is used to encrypt your files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/b...is/1472815578/

    ** https://malwr.com/analysis/YzJkMzM2M...ljNjI1ODBjNTY/
    Hosts
    89.42.39.81
    195.110.124.188
    66.85.27.252
    149.154.152.108


    *** https://www.virustotal.com/en/file/8...is/1472817060/
    ___

    Bogus Windows error site - for iPad
    - https://blog.malwarebytes.com/cyberc...ndows-fakeout/
    2 Sep 2016 - "... The bogus error site is located at:
    ipad-error-9023(dot)com
    Given the URL, you’d expect to see some sort of iPad related shenanigans taking place – an interesting twist on the well worn theme of tech-support-scams. Who needs Windows desktops when you can go after the tablet market, right? Unfortunately for our scammers, it all goes a bit wrong in terms of being convincing with that whole iPad URL thing. Let me count the ways... text reads as follows:
    Windows Security Error !
    Your Hard drive will be DELETED if you close this page
    You have a ZEUS virus! Please call Support Now!
    Call Now to Report This Threat.
    Do not Click ‘OK’ button below, doing so will start the hacking process.

    ... 'didn’t put much thought into this whole iPad thing, did they?...
    > https://blog.malwarebytes.com/wp-con...al-dialogs.jpg
    ... a “prevent additional dialog” message from the browser? I’m guessing my PC hasn’t exploded yet. Maybe if I close the box and then hit the OK button:
    > https://blog.malwarebytes.com/wp-con...age-locked.jpg
    ... While the attempted fakeout up above isn’t one of the best ones we’ve seen, there are plenty out there which succeed in their attempts at convincing device owners that they have a problem. From there, phone calls to “tech support” and payments to have the non-existent virus cleaned up are only a hop, step and jump away. If you think you may have been targeted by such scams – or just want to avoid such antics in the future – feel free to give our guide to Tech Support Scams* a read. It could well save you time and money – and a lot of increasingly infuriating phone calls..."
    * https://blog.malwarebytes.com/tech-support-scams/

    ipad-error-9023(dot)com: 107.180.21.58: https://www.virustotal.com/en/ip-add...8/information/
    >> https://www.virustotal.com/en/url/15...5616/analysis/

    Last edited by AplusWebMaster; 2016-09-02 at 20:01.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
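As an added example (not part of the post above or of the blogs it quotes), the following Python script turns the indicators listed in the post into a blocklist, runs it over a few constructed proxy/DNS log lines, and flags attachment names matching the delivery patterns described (office_facilities_<hex>.js inside a random-hex zip, a .wsf inside a zip, a .docm). Only the IPs, domains and the /data/info.php path come from the post; the log lines, the internal 10.x addresses and the rule wording are constructed for illustration.

```python
import re
from dataclasses import dataclass

# The post defangs indicators ("malwinstall .wang", "ipad-error-9023(dot)com");
# refang() undoes those conventions so they can be matched against real logs.
def refang(indicator: str) -> str:
    """Undo the defanging used in the post: 'a .b', '(dot)', 'http ://', ' /'."""
    return (indicator.replace(" .", ".").replace("(dot)", ".")
            .replace("http ://", "http://").replace(" /", "/"))

BLOCKLIST_IPS = {
    # "Recommended blocklist" for the .wang hosts (old office facilities campaign)
    "23.95.106.195", "45.59.114.100", "66.85.27.250", "104.36.80.104",
    "107.161.158.122", "158.69.147.88", "192.99.111.28",
    # Locky phone-home hosts (Scanned image / blank-body campaigns)
    "212.109.192.235", "149.154.152.108",
    # host of the bogus iPad "Windows Security Error" site
    "107.180.21.58",
}
BLOCKLIST_DOMAINS = {refang(d) for d in (
    "malwinstall .wang", "sopranolady7 .wang", "maxshoppppsr .biz",
    "illaghettodelcircoletto .it", "vimp.hi2 .ro", "ipad-error-9023(dot)com",
)}
C2_PATH = "/data/info.php"   # Locky key exchange endpoint named in the post

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

@dataclass
class Hit:
    line_no: int
    reason: str
    indicator: str

def scan_line(line_no: int, line: str) -> list:
    """One Hit per blocklisted IP, domain (or subdomain) or C2 path found in a log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in BLOCKLIST_IPS:
            hits.append(Hit(line_no, "blocklisted IP", ip))
    for host in HOST_RE.findall(line):
        h = host.lower()
        if h in BLOCKLIST_DOMAINS or any(h.endswith("." + d) for d in BLOCKLIST_DOMAINS):
            hits.append(Hit(line_no, "blocklisted domain", h))
    if C2_PATH in line:
        hits.append(Hit(line_no, "Locky C2 check-in path", C2_PATH))
    return hits

def scan_log(lines) -> list:
    """Scan every line of a log (1-based numbering) and return all hits in order."""
    return [h for n, line in enumerate(lines, 1) for h in scan_line(n, line)]

# Attachment naming patterns described in the post, most specific first.
ATTACHMENT_RULES = (
    (re.compile(r"^office_facilities_[0-9a-f]{8}\.js$", re.I),
     "Locky 'old office facilities' JS downloader name"),
    (re.compile(r"\.(js|wsf)$", re.I), "script file delivered inside a zip"),
    (re.compile(r"\.docm$", re.I), "macro-enabled Word document"),
)

def classify_attachment(filename: str):
    """Return the matching rule description, or None if the name matches no rule."""
    for pattern, reason in ATTACHMENT_RULES:
        if pattern.search(filename):
            return reason
    return None

# Constructed sample proxy/DNS log lines (not real traffic); source IPs are made up.
SAMPLE_LOG = [
    "2016-09-02T08:58:01 10.0.0.21 GET http://malwinstall.wang/ezr08tjd 200",
    "2016-09-02T08:58:03 10.0.0.21 POST http://149.154.152.108/data/info.php 200",
    "2016-09-02T09:00:10 10.0.0.33 GET http://example.org/index.html 200",
    "2016-09-02T09:01:44 10.0.0.21 DNS A sopranolady7.wang -> 66.85.27.250",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.reason}: {hit.indicator}")
    for name in ("office_facilities_059AB2E9.js", "W64pP.wsf", "invoice.pdf"):
        print(name, "->", classify_attachment(name))
```

The domain check also matches subdomains of a blocklisted domain, since the blog notes the .wang hosts are multihomed and campaign hosts change. The malwr "Hosts" lists in the post include sandbox contacts that were not put on a recommended blocklist (for example 66.85.27.252), so they are deliberately left out here; add them only after your own review.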
