
Thread: SPAM frauds, fakes, and other MALWARE deliveries...

  #11 AplusWebMaster (Adviser Team)

    Suspicious Domains, Fake 'Re:payment', 'Confidential account documents' SPAM

    FYI...

    Suspicious Domains Tracking ...
    - https://isc.sans.edu/diary/rss/23046
    2017-11-16 - "Domain names remain a gold mine to investigate security incidents or to prevent some malicious activity to occur on your network...
    Happy hunting!
    [1] https://isc.sans.edu/suspicious_domains.html
    [2] https://en.wikipedia.org/wiki/Domain...tion_algorithm
    [3] http://securityaffairs.co/wordpress/...ll-switch.html
    [4] http://misp-project.org/
    [5] https://blog.rootshell.be/2017/10/31...ing-misp-iocs/ "

    (MUCH more detail at the isc URL above.)


    ___

    Fake 'Re:payment' SPAM - delivers malware
    - https://myonlinesecurity.co.uk/fake-...ivers-malware/
    16 Nov 2017 - "An email with the subject of 'Re:payment' coming from [redacted]@ cs .com with a zip attachment which contains some sort of malware...

    Screenshot: https://myonlinesecurity.co.uk/wp-co...ent_cs_com.png

    Bank receipt pdf.zip: Extracts to: Bank receipt pdf.exe - Current Virus total detections 15/68*. Hybrid Analysis**...
    This malware file attempts to download from these -3- sites:
    http ://www.plasticbags .info/na/?id=ct7EX847F+fIn3VkER7xV/XU/exdWHV6LvmrngXmar4Pbag2la+n0AnpQnxVHV21Mp6i4Q==&Lv18=bLUdWtwp4bJhJP -or-
    http ://www.nettopolis .email/na/?id=DetlfAibiVhB/jSD5CdGOk3sftJHeNpzwT01DHDpstch9neoK+a+bAVv0IXcSJ5QPSyr6g==&Lv18=bLUdWtwp4bJhJP
    -both- of which fail to respond. Both sites are hosted on Godaddy (184.168.221.53) and have a temporary holding / domain parking page with the usual adverts. Both sites were registered in early September 2017. Either Godaddy has exploitable vulnerabilities on their Domain Parking pages or they were registered by criminals who haven’t set up the domains properly yet.
    http ://www.marlow-and-co .com/na/?id=mLSZLOZGg8XOoWhtThKSW1hFX7QHeHYwxlPs7+FwgoIusw3OZOrPJE6119RFPiuJf6vG8Q==&Lv18=bLUdWtwp4bJhJP&sql=1
    which is hosted in Japan (183.90.253.3) and gives a 404...
    The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/7...is/1510806654/

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    File Details
    Bank receipt pdf.exe
    DNS Requests
    No relevant DNS requests were made.
    Contacted Hosts
    No relevant hosts were contacted...

    plasticbags .info: 50.63.202.62: https://www.virustotal.com/en/ip-add...2/information/

    nettopolis .email: 184.168.221.53: https://www.virustotal.com/en/ip-add...3/information/

    marlow-and-co .com: 183.90.253.3: https://www.virustotal.com/en/ip-add...3/information/
    ___

    Fake 'Confidential account documents' SPAM - delivers Trickbot
    - https://myonlinesecurity.co.uk/fake-...anking-trojan/
    16 Nov 2017 - "An email with the subject of 'Confidential account documents' pretending to come from Barclays Bank but actually coming from a look-a-like or typo-squatted domain <secure@ barclaysdocuments .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The attachment has random numbers protected**.doc ...
    Today’s example of the spoofed domains are, as usual, registered via Godaddy as registrar.
    barclaysdocuments .com hosted on and emails sent via 134.19.180.171 | 94.100.21.212 | 185.117.74.216 | 94.75.219.142 |

    Screenshot: https://myonlinesecurity.co.uk/wp-co...-documents.png

    Protected80.doc - Current Virus total detections 5/55*. Payload Security**...
    This malware file downloads from
    http ://simplicitybystrasser .com/images/ser.png which of course is -not- an image file but a renamed .exe file that gets renamed to Aqv6.exe (VirusTotal 10/68***).
    This email attachment contains a genuine word doc with a macro script that when run will infect you.
    The word doc looks like:
    > https://myonlinesecurity.co.uk/wp-co...cted80_doc.png
    ... You -cannot- enter the password because that is an image of a password-entry-box and they hope you will enable the macros (DON'T) ... and get infected...
    DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
    * https://www.virustotal.com/en/file/4...is/1493724795/
    SecureMessage.doc

    ** https://www.hybrid-analysis.com/samp...ironmentId=100
    DNS Requests
    216.138.226.110
    50.19.97.123
    Contacted Hosts
    216.138.226.110
    50.19.97.123
    186.208.111.188
    82.146.94.86


    *** https://www.virustotal.com/en/file/a...is/1510840036/
    Aqv6.exe

    simplicitybystrasser .com: 23.235.209.96: https://www.virustotal.com/en/ip-add...6/information/
    > https://www.virustotal.com/en/url/86...b00f/analysis/

    Last edited by AplusWebMaster; 2017-11-16 at 18:08.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
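The post above lists domains worth blocking (the ISC diary's "domain names are a gold mine" point) and three download URLs that share one shape: a `/na/` path, an `id` parameter carrying a long base64-looking token, and the same `Lv18=bLUdWtwp4bJhJP` value on every host. The script below is an added example and is not code from the forum post, from myonlinesecurity.co.uk or from ISC; it runs a defanged indicator list plus that URL-shape check over a few constructed proxy-log lines. The log format (`timestamp client url`, whitespace separated) and the `example.org`/`example.net` lines are assumptions for the demo; the indicator domains and token values are the ones quoted in the post.

```python
"""Flag proxy-log lines that match the indicators quoted in this post.

Added example, not part of the original forum post. Domains are stored
defanged (as the post writes them) and refanged at load time. The log
lines and the log format are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# Indicator domains copied from the post, in the post's defanged form.
DEFANGED_DOMAINS = [
    "plasticbags .info",
    "nettopolis .email",
    "marlow-and-co .com",
    "simplicitybystrasser .com",
    "barclaysdocuments .com",
]

def refang(domain):
    """Turn ' .' / '[.]' style defanging back into a real hostname."""
    return domain.replace(" .", ".").replace("[.]", ".").strip().lower()

IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Shape shared by the three download URLs in the post. Matching the shape
# as well as the hosts catches the same kit if it moves to a new domain.
NA_PATH = "/na/"
LV18_VALUE = "bLUdWtwp4bJhJP"          # identical in all three URLs in the post
B64ISH = re.compile(r"^[A-Za-z0-9+/=]{40,}$")

def raw_query(query):
    """Split a query string without URL-decoding it.

    The 'id' tokens contain literal '+' characters; urllib's parse_qs would
    turn those into spaces and break the base64-shape check.
    """
    out = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            out.setdefault(key, value)
    return out

def classify_url(url):
    """Return the list of reasons a URL is suspicious (empty list = clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    # Exact match or subdomain of an indicator domain.
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append("ioc-domain")
    qs = raw_query(parts.query)
    if parts.path == NA_PATH and "id" in qs:
        if B64ISH.match(qs["id"]):
            reasons.append("na-id-pattern")
        if qs.get("Lv18") == LV18_VALUE:
            reasons.append("lv18-token")
    return reasons

def scan_log(lines):
    """Yield a hit record for every log line whose URL is suspicious.

    Assumed log format: '<timestamp> <client-ip> <url>' per line.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue                      # skip blank / malformed lines
        ts, client, url = fields[0], fields[1], fields[2]
        reasons = classify_url(url)
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits

# Constructed sample log: the three URLs from the post, one clean request,
# the Trickbot stage-two host from the post, and an invented host that only
# matches the URL shape (example.net is a reserved documentation domain).
SAMPLE_LOG = """\
2017-11-16T14:02:11Z 10.0.0.5 http://www.plasticbags.info/na/?id=ct7EX847F+fIn3VkER7xV/XU/exdWHV6LvmrngXmar4Pbag2la+n0AnpQnxVHV21Mp6i4Q==&Lv18=bLUdWtwp4bJhJP
2017-11-16T14:02:12Z 10.0.0.5 http://www.nettopolis.email/na/?id=DetlfAibiVhB/jSD5CdGOk3sftJHeNpzwT01DHDpstch9neoK+a+bAVv0IXcSJ5QPSyr6g==&Lv18=bLUdWtwp4bJhJP
2017-11-16T14:02:13Z 10.0.0.5 http://www.marlow-and-co.com/na/?id=mLSZLOZGg8XOoWhtThKSW1hFX7QHeHYwxlPs7+FwgoIusw3OZOrPJE6119RFPiuJf6vG8Q==&Lv18=bLUdWtwp4bJhJP&sql=1
2017-11-16T14:05:40Z 10.0.0.7 http://example.org/images/logo.png
2017-11-16T14:06:02Z 10.0.0.9 http://simplicitybystrasser.com/images/ser.png
2017-11-16T14:07:15Z 10.0.0.3 http://example.net/na/?id=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==&Lv18=bLUdWtwp4bJhJP
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["client"], ",".join(hit["reasons"]), hit["url"])
```

The shape check is deliberately separate from the domain list: the post notes that two of the three hosts were freshly registered parking pages that never responded, so the domains themselves may be rotated while the `/na/?id=...&Lv18=...` request format persists. Treat an `lv18-token` hit on an unknown host as a reason to pull the client for a look at what opened the attachment, not as proof of infection on its own.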
