Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  1. #11
     AplusWebMaster (Adviser Team)
     Join Date: Oct 2005
     Location: USA
     Posts: 6,881

    Thumbs down Fake 'Invoice' SPAM, 'WakeMed' Phish

    FYI...

    Fake 'Invoice' SPAM - delivers Dridex
    - https://myonlinesecurity.co.uk/spoof...anking-trojan/
    5 Jun 2017 - "... emails with random numbered -pdf- attachments that drop a malicious macro-enabled Word doc is an email with the subject of 'Invoice' pretending to come from a random first name Holmes at random email addresses but the body of the email imitates John Miller Ltd...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...er_-Holmes.png

    ... the PDF actually having some content that makes it almost look real:
    > https://myonlinesecurity.co.uk/wp-co...129303_pdf.png

    A4 Inv_Crd 21297.pdf - Current Virus total detections 9/56*. Payload Security**
    drops Invoice_129302.docm (VirusTotal 8/59[3]) (Payload Security[4]) downloads an encrypted txt file from
    http ://spaceonline .in\8yfh4gfff which is converted by the script to miniramon8.exe (VirusTotal 13/61[5])...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1496654801/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    3] https://www.virustotal.com/en/file/b...is/1496654938/

    4] https://www.hybrid-analysis.com/samp...ironmentId=100

    5] https://www.virustotal.com/en/file/c...5e97/analysis/

    spaceonline .in: 111.118.212.86: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/e3...915b/analysis/
    ___

    - http://blog.dynamoo.com/2017/06/malw...d-invoice.html
    5 Jun 2017 - "This spam pretends to come from John Miller Ltd (but doesn't) and comes with a malicious payload. The domain mentioned in the email does -not- match the company being spoofed, and varies from message to message.

    Screenshot: https://3.bp.blogspot.com/-mxosSM7W0...ohn-miller.png

    The attachment currently has a detection rate of about 9/56*. As is common with some recent attacks, the PDF actually contains an embedded Microsoft Office document. Hybrid Analysis** shows the malicious file downloading a component from cartus-imprimanta .ro/8yfh4gfff (176.126.200.56 - HostVision SRL, Romania) although other -variants- possibly exist. A file is dropped (in the HA report called miniramon8.exe) at detection rate of 11/61***. According to the Hybrid Analysis report, that attempts to communicate with the following IPs:
    192.48.88.167 (Tocici LLC, US)
    89.110.157.78 (netclusive GmbH, Germany)
    85.214.126.182 (Strato AG, Germany)
    46.101.154.177 (Digital Ocean, Germany)
    The payload is not clear at this time, but it will be nothing good.
    Recommended blocklist:
    192.48.88.167
    89.110.157.78
    85.214.126.182
    46.101.154.177
    "
    * https://virustotal.com/en/file/d9a96...is/1496654625/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100

    *** https://virustotal.com/en/file/c7dc1...is/1496655625/

    cartus-imprimanta .ro: 176.126.200.56: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/3d...0dc3/analysis/
    ___

    'WakeMed' Phish
    REAL 'WakeMed': http://www.wakemed.org/contact-us
    Raleigh, NC 27610

    FAKE/Phish: https://myonlinesecurity.co.uk/wakem...t-at-phishing/
    5 June 2017

    Screenshot: https://myonlinesecurity.co.uk/wp-co...RVICE-DESK.png

    "... If you follow the link you see a very badly designed webpage, complete with spelling errors, obviously created by a non-English speaker, looking like this:
    (from: http ://itupdat.tripod .com/)
    > https://myonlinesecurity.co.uk/wp-co...ipod_phish.png

    ... the spam -email- is a -compromised- (may be spoofed) Canadian Nova Scotia Department of Education address... these emails use social engineering tricks to persuade you to open the attachments that come with the email..."

    itupdat.tripod .com: 209.202.252.101: https://www.virustotal.com/en/ip-add...1/information/
    > https://www.virustotal.com/en/url/53...ddb7/analysis/

    ccrsb .ca: 142.227.247.226: https://www.virustotal.com/en/ip-add...6/information/
    ___

    Police dismantle crime network - online payment SCAMS
    - https://www.helpnetsecurity.com/2017...crime-network/
    June 5, 2017 - "The Polish National Police, working in close cooperation with its law enforcement counterparts in Croatia, Germany, Romania and Sweden, alongside Europol’s European Cybercrime Centre (EC3), have smashed a Polish organised crime network suspected of online payment scams and money laundering... Operation MOTO on 29-31 May 2017 resulted in 9 arrests including the criminal network’s masterminds, as well as 25 house searches in Poland. The perpetrators were advertising online cars as well as construction or agricultural machinery/vehicles, but never delivered the advertised goods to interested buyers, despite having received advance fee payments..."

    Last edited by AplusWebMaster; 2017-06-05 at 21:44.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
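Added example, not code from the post or from the quoted blogs: a small Python triage check for the delivery shape both Dridex reports above describe, a PDF whose real payload is an embedded macro-enabled Office document. The PDF bytes are constructed for the example; only the attachment name Invoice_129302.docm comes from the post, and the regexes assume uncompressed /Filespec objects (anything inside object streams is flagged for a full parse instead).

```python
import re

# Constructed sample: a minimal PDF whose only attachment is a macro-enabled
# Word document. Not a real malware sample; the bytes are made up for the demo.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
    b"2 0 obj << /Names [(Invoice_129302.docm) 3 0 R] >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (Invoice_129302.docm) "
    b"/UF (Invoice_129302.docm) /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nPK\x03\x04\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed benign PDF with no attachments at all.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
# Constructed PDF that hides its objects in an object stream (PDF 1.5+).
OBJSTM_PDF = b"%PDF-1.5\n5 0 obj << /Type /ObjStm /N 3 /First 20 >> stream\n...\nendstream endobj\n%%EOF\n"

# Extensions that can carry VBA macros, plus the legacy binary Office formats.
MACRO_CAPABLE = (".docm", ".dotm", ".xlsm", ".xlam", ".pptm", ".doc", ".xls", ".ppt")

# Body of each uncompressed /Filespec dictionary, and literal-string /F or /UF names in it.
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec(.*?)endobj", re.S)
NAME_RE = re.compile(rb"/(?:UF|F)\s*\(((?:\\.|[^\\)])*)\)")

def embedded_file_names(pdf):
    """Return attachment names declared in uncompressed /Filespec objects (deduplicated)."""
    names = []
    for spec in FILESPEC_RE.finditer(pdf):
        for m in NAME_RE.finditer(spec.group(1)):
            name = m.group(1).decode("latin-1")  # PDF escape sequences are left as-is
            if name not in names:
                names.append(name)
    return names

def triage(pdf):
    """Classify a PDF as 'macro-attachment', 'needs-full-parse' or 'ok'."""
    names = embedded_file_names(pdf)
    if any(n.lower().endswith(MACRO_CAPABLE) for n in names):
        return "macro-attachment"
    # Filespecs inside object streams, or hex-string names, are invisible to the
    # regexes above; hand those to a real PDF parser rather than calling them clean.
    if b"/ObjStm" in pdf or (b"/EmbeddedFile" in pdf and not names):
        return "needs-full-parse"
    return "ok"

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF), ("objstm", OBJSTM_PDF)):
        print(label, triage(doc), embedded_file_names(doc))
```

On a mail gateway this is a cheap first-pass filter only; a PDF that comes back "needs-full-parse" should go to a proper parser or sandbox, as the Hybrid Analysis reports quoted above did.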