SPAM frauds, fakes, and other MALWARE deliveries...

Fake iPhone emails, Snapchat downloads ...

FYI...

Fake ‘Sent from my iPhone’ themed emails - expose users to malware
- http://www.webroot.com/blog/2013/11...nt-iphone-themed-emails-expose-users-malware/
Nov 19, 2013 - "Cybercriminals are currently mass mailing tens of thousands of malicious emails, supposedly including a photo attachment that’s been “Sent from an iPhone”. The social engineering driven spam campaign is, however, the latest attempt by a cybercriminal/group of cybercriminals that we’ve been monitoring for a while, to attempt to trick gullible users into unknowingly joining the botnet operated by the malicious actor(s) behind the campaign. Detection rate for the spamvertised attachment: MD5: 46e077f058f5a6eddee3c851f8e56838 – * ... Trojan.Win32.Neurevt.jl; Trojan:Win32/Neurevt.A... Once executed, the sample attempts to contact the following C&C servers:

next to the well known by now, networksecurityx.hopto .org (1) a C&C host..."
* https://www.virustotal.com/en/file/...0954525d89011909a0466217/analysis/1384441224/

Diagnostic page for hopto .org
1) http://google.com/safebrowsing/diagnostic?site=hopto.org/
"... Part of this site was listed for suspicious activity 731 time(s) over the past 90 days... Malicious software includes 817 exploit(s), 113 trojan(s), 59 virus. Successful infection resulted in an average of 5 new process(es) on the target machine. This site was hosted on 80 network(s)... Over the past 90 days, hopto .org appeared to function as an intermediary for the infection of 140 site(s)... this site has hosted malicious software over the past 90 days. It infected 210 domain(s)..."
___

Fake Snapchat downloads in Search Engine Ads
- http://www.threattracksecurity.com/it-blog/fake-snapchat-downloads-search-engine-ads/
Nov 19, 2013 - "Hot on the heels of fake Snapchat Adware installs*, we have advert results in both Google and Bing adverts leading to non-existent downloads of Snapchat in return for an Adware bundle. Here’s Google:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/snapchat-googlesearch.png
The site in question here is soft1d(dot)com
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/soft1dprompt.jpg
Here’s Bing:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/snapadsbing.jpg
The ad in question is the one in the bottom right hand corner for download-apps(dot)org/snapchat
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/download-apps-snap.jpg
Both sites lead to the same install. Comments from Matthew, one of our researchers in the Labs who discovered this: 'When you run the installer it proceeds to install Fast Media Converter (Zango/Pinball Corp/BlinkX/LeadImpact) and LyricsViewer (Crossrider) with the only notice being from the page shown in the “prompt” screenshots. After loading those, it proceeds to offer you some more: a Conduit Toolbar and Dealply. In the end there is no Snapchat install or even a replacement for Snapchat'...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/ignition-snap-1.png
.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/ignition-snap-3.png
VirusTotal has this one pegged at 4/47** ..."
* http://www.threattracksecurity.com/it-blog/fake-snapchat-install-leads-adware/
Nov 1, 2013
** https://www.virustotal.com/en/file/...87063ad932f6d3793bdee4a57b8bb504b40/analysis/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Job Offer Notification Email Messages - 2013 Nov 19
Fake Monthly Report Notification Email Messages - 2013 Nov 19
Fake Invoice Attachment Email Messages - 2013 Nov 19
Fake Picture Sharing Email Messages - 2013 Nov 19
Fake Payment Information Notification Email Messages - 2013 Nov 19
Email Messages with Malicious Attachments - 2013 Nov 19
Fake Picture Sharing Email Messages - 2013 Nov 19
Fake Fax Message Delivery Email Messages - 2013 Nov 19
Fake Product Quote Request - 2013 Nov 19
Fake Fax Message Delivery Email Messages - 2013 Nov 19
Fake Payment Confirmation Email Messages - 2013 Nov 19
Fake Personal Photo Sharing Email Messages - 2013 Nov 19
Fake Payment Invoice Email Messages - 2013 Nov 19
Fake Shipment Tracking Information Email Messages - 2013 Nov 19
Fake Product Order Notification Email Messages - 2013 Nov 19
Fake Scanned Image Notification Email Messages - 2013 Nov 19
Fake Product Purchase Order Email Messages - 2013 Nov 19
Fake Product Purchase Order Email Messages - 2013 Nov 19
Fake Bank Payment Notification Email Messages - 2013 Nov 19
Fake Customer Complaint Attachment Email Messages - 2013 Nov 19
(More info and links at the cisco URL above.)

Fake mileage reimbursement email, Red Cross 419 Scam, Bitcoin badness ...

FYI...

Fake mileage reimbursement email leads to malware ...
- http://www.webroot.com/blog/2013/11...le-state-business-themed-emails-lead-malware/
Nov 20, 2013 - "Want to file for mileage reimbursement through a STD-261 form? You may want to skip the tens of thousands of -malicious- emails currently in circulation, attempting to trick users into executing the malicious attachment. Once downloaded, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign, undermining the confidentiality and integrity of the host.
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-con...eering_Malware_Malicious_Software-1024x64.png
Detection rate for the spamvertised attachment: MD5: 3aaa04b0762d8336379b8adedad5846b – * ... Trojan.Win32.Bublik.bkri; TrojanDownloader:Win32/Upatre.A. Once executed, the sample starts listening on ports 8412 and 3495... It then attempts to phone back to the following C&C servers... (long list of IP's listed at the first webroot URL above)..."
* https://www.virustotal.com/en/file/...78f2a84c61816ccda953cd9c/analysis/1384525049/
___

Red Cross 419 Scam exploits Typhoon Haiyan
- http://www.threattracksecurity.com/it-blog/red-cross-419-scam-exploits-typhoon-haiyan/
Nov 20, 2013 - "There are a number of emails currently in circulation attempting to cash in on the generosity of individuals and organisations wanting to assist the Typhoon Haiyan relief efforts. Another one just landed in our spamtraps, and reads as follows:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/fakehaiyanmail-wm.jpg
... If the poor spelling and generally dreadful formatting of the mail doesn’t give the game away, hopefully the free Yahoo email address will help to tip the balance. This is absolutely a scam, and one that should be directed to the recycle bin / spam folder with all due haste. Elsewhere, Trend Micro are seeing missives related to fake Navy donations* and Symantec are dealing with one “Andrew Stevens” who is asking for donations** via Western Union. You can be sure more of these will emerge in the coming weeks, so please be cautious and don’t reply to any email sent out of the blue. No matter how convincing the mail appears to be, there’s a very good chance your money is going to end up with someone other than who you intended it for."
* http://blog.trendmicro.com/trendlabs-security-intelligence/watching-out-for-typhoon-haiyan-scams

** http://www.symantec.com/connect/blogs/scams-emerge-typhoon-haiyan-strikes-philippines
___

Bitcoin Boom leads to Malware Badness
- http://www.threattracksecurity.com/it-blog/bitcoin-boom-leads-malware-badness/
Nov 20, 2013 - "... you may be tempted to mine some Bitcoins via the art of downloading random files from the internet... There are certainly more than enough options to choose from; Youtube videos, promo sites, Pastebin posts – you name it, they’re all out there and they’re all clamouring for your attention. Just keep in mind that you never really know what you’re signing up to when playing the random download game... Scammers are promoting “no survey Bitcoin generators”, which come with -surveys- attached regardless.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/bitcoins3.jpg
If no survey is available, you’re encouraged to pay for a premium account to access the download.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/bitcoins4.jpg
Elsewhere, the below Pastebin page directs individuals to a Mediafire download. Note that they claim it is “legit”, but the file isn’t theirs and they won’t accept responsibility for any “inconvenience”. Never a good sign, really.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/bitcoins1.jpg
...
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/bitcoins2.jpg
... VirusTotal currently flagging it at 8/47*. We’re also seeing a number of files on MEGA, which claim to be Bitcoin Generators (with one claiming to offer up 0.06975 mBTC “every couple of hours” in return for filling in some CAPTCHA codes)... An additional file below (also hosted on MEGA) already flags up at 17/47** on VirusTotal, and we also detect this as Trojan.Win32.Generic!BT... trying to go down the fast and easy route ensures there’s a lot to lose too. If you’re late to the Bitcoin party, bandwagon jumping may result in a nasty fall."
* https://www.virustotal.com/en/file/...1846387ba72691b26ab924ffb89c357aa24/analysis/

** https://www.virustotal.com/en/file/...f7b93b1a2f96a8c6209ae57e9e1901cff38/analysis/

Fake ADP SPAM ...

FYI...

Fake ADP Anti-Fraud Secure Update Spam
- http://threattrack.tumblr.com/post/67663410958/adp-anti-fraud-secure-update-spam
Nov 21, 2013 - "Subjects Seen:
ALERT! From ADP: 2013 Anti-Fraud Secure Update
Typical e-mail details:
Dear Valued ADP Client,
We are pleased to announce that ADP Payroll System released secure upgrades to your computer.
A new version of secure update is available.
Our development division strongly recommends you to download this software update.
It contains new features:
The certificate will be attached to the computer of the account holder, which disables any fraud activity
Any irregular activity on your account is detected by our safety centre
Download the attachment. Update will be automatically installed by double click.
We value our partnership with you and take pride in the confidence that you place in us to process payroll on your behalf. As always, your ADP Service Team is happy to assist with any questions you may have.


Malicious File Name and MD5:
2013 Anti-Fraud Secure Update.zip (7DF767E9225803F5CA6C1ED9D2B5E448)
2013 Anti-Fraud Secure Update.exe (6A9D66DF6AE25A86FCF1BBFB36002D44)


Screenshot: https://gs1.wac.edgecastcdn.net/801...17cc819c7/tumblr_inline_mwmemcErG21r6pupn.png

Tagged: ADP, Upatre.

Fake WhatsApp SPAM, Pokemon phish, TESCO phish ...

FYI...

Fake WhatsApp SPAM - exposes users to malware ...
- http://www.webroot.com/blog/2013/11...ification-themed-emails-expose-users-malware/
Nov 22, 2013 - "... intercepted a currently circulating malicious spam campaign impersonating WhatsApp — yet again — in an attempt to trick its users into thinking that they’ve received a voice mail. Once socially engineered users execute the malicious attachment found in the fake emails, their PCs automatically join the botnet operated by the cybercriminal(s) behind the campaign.
Sample screenshot of the spamvertised malicious email:
> https://www.webroot.com/blog/wp-con...ing_Malware_Malicious_Software_Cybercrime.png
Detection rate for the spamvertised attachment: MD5: 41ca9645233648b3d59cb52e08a4e22a – * ... TrojanDownloader:Win32/Kuluoz.D. Once executed, it phones back to:
...
* https://www.virustotal.com/en/file/...c4b49b4e7b7f5e6c4b04cccb/analysis/1384979533/
___

Watch where you’re logging in ...
- http://www.threattracksecurity.com/it-blog/tesco-bank-credit-card-customers-watch-youre-logging/
Nov 22, 2013 - "If you do your online banking with TESCO, or indeed have a credit card with them you may want to be on the lookout for the following website which is hosting a rather large tally of login pages. The site in question is:
mrqos(dot)com(dot)au/kate/tess/tescr/login(dot)html
and that particular site was flagged not so long ago in the Zone-H defacement mirror, with “KEST” compromising it on or around the 15th of October, 2013.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/tesco0.jpg
Here’s 100 or so identical HTML pages in one directory offering up a TESCO credit card login:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/tesco3.jpg
All of the above pages present end-users with the following login screen:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/tesco4.jpg
The page asks end-users to login to “Tesco bank online banking” with “credit card” mentioned in the top right hand corner. After entering a username, the page asks for more information... you should only ever log in on the homepage of your bank or credit card. Visiting it from URLs in emails or random messages sent your way just won’t cut the mustard – physically type in the URL, ensure there’s a padlock and the connection is encrypted. You won’t find padlocks or encryption on the above pages..."
___

Pokemon X and Y Tumblrs: Warn your Kids
- http://www.threattracksecurity.com/it-blog/pokemon-x-y-tumblrs-warn-kids/
Nov 22, 2013 - "A gentle reminder not to leave your kids alone with their best friend ever, the internet. Pokemon X and Y is by all accounts a raging success, and if the smaller members of your household go Googling for things related to said title, they may well end up on a site such as the below promising a PC download of the new game.
pokemonxetyromemulateur(dot)tumblr(dot)com
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/pokedownload1.jpg
This site intends to direct the end-user to a cookie-cutter blog located at
pokemonxyemulator(dot)blogspot(dot)ro
The site pops a -survey- with offers likely dictated by region. What’s worrying here is if kids arrive on this site given the Pokemon theme, they could well be presented with survey questions asking for personal information alongside the more typical installs (and installs aren’t really something you want to be presenting kids with either).
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/pokedownload2.jpg
In this case, one of the links leads to an iLivid install.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/pokedownload3.jpg
... it mentions a -toolbar- install which is pre-ticked in the next screen... What’s on offer here isn’t a big deal, but there’s no way you can predict what will be on the other end of a survey popup – everything from personal information requests and ringtone offers to Adware and (occasionally) Malware have all been sitting in wait on the other side of that “Complete this” button. While adults may hopefully steer clear of a lot of these antics, any kids going click happy in Pokemon land (or any other themed set of search engine queries) probably won’t be so lucky..."

Fake PayPal SPAM, gov, .edu - Phish ...

FYI...

Fake PayPal Spam
- http://threattrack.tumblr.com/post/68070828047/paypal-resolution-of-case-spam
Nov 25, 2013 - "Subjects Seen:
Resolution of case #PP-016-353-161-368
Typical e-mail details:
Transaction ID: 27223374MSB9Y6FV6
Our records indicate that you never responded to requests for additional
information about this claim. We hope you review the attached file and solve the situation amicably.
For more details please see the attached file (Case_9503665.zip)
Sincerely,
Protection Services Department


Malicious File Name and MD5:
Case_9503665.zip (040D3AA61ADB6431576D27E14BA12E43)
Case_.exe (8DB3C24FCD0EF4A660636250D0120B23)


Screenshot: https://gs1.wac.edgecastcdn.net/801...d84a17410/tumblr_inline_mwtvpuDtlR1r6pupn.png

Tagged: PayPal, Upatre
___

Fake HSBC emails - malware
- http://www.webroot.com/blog/2013/11...-e-advice-themed-emails-expose-users-malware/
Nov 25, 2013 - "HSBC customers, watch what you execute on your PCs. A circulating malicious spam campaign attempts to socially engineer you into thinking that you’ve received a legitimate ‘payment e-Advice’. In reality, once you execute the attachment, your PC automatically joins the botnet operated by the cybercriminal(s) behind the campaign.
Sample screenshot of the spamvertised email:
> https://www.webroot.com/blog/wp-con...al_Engineering_Malware_Malicious_Software.png
Detection rate for the spamvertised attachment: MD5: 2fbf89a24a43e848b581520d8a1fab27 – * ...Trojan.Win32.Bublik.blgc. Once executed, the sample starts listening on ports 3670 and 6652..."
* https://www.virustotal.com/en/file/...3df8eb0ebdd6fb0e8b94182e/analysis/1385042183/
___

.gov, .edu - Phish ...
- http://www.threattracksecurity.com/it-blog/gov-edu-phish-oh/
Nov 25, 2013 - "We’ve noticed a couple of .cn URLs which customers of ANZ will probably want to steer clear of.
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cnanz0.jpg
syftec(dot)gov(dot)cn
... appears to be a site about the county-level city Shangyu. One of the URLs on the site is
syftec(dot)gov(dot)cn/images/online/
... which takes users to:
rh(dot)buaa(dot)edu(dot)cn/js/online
... which is a .Edu URL called “China Domestic Research Project for ITER”, with the sub-heading “Key technologies research for remote handling manipulator using in nuclear environment”.
Here’s the frontpage, minus the js/online directory:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cnanz1.jpg
Here’s what is located at the rh(dot)buaa(dot)edu(dot)cn/js/online URL:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cnanz2.jpg
The page asks for name, DOB, address, card number, expiration date and security code. Hitting the log on button will direct users to the genuine ANZ website. The URL has already been blacklisted by Google Safebrowsing:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2013/11/cnanz4.jpg
What’s interesting here is if the URL forwarding end-users from the .gov site to the .edu page is supposed to be there, or it too has been compromised to direct more users to the ANZ “login”. It’s possible the .gov site once forwarded them to a formerly legitimate page on the .edu portal which has since been compromised. However, the .edu page isn’t on Internet Archive so it’s hard to say one way or the other. What we can say for certain is that customers of ANZ should only log in on the genuine ANZ website*, and that .gov URLs are prime targets..."
* https://www.anz.com/

Fake Facebook pwd, Xerox fax SPAM, Fake Loan site ...

FYI...

Fake Facebook pwd SPAM - Recoverypassword.zip and Facebook-SecureMessage.exe
- http://blog.dynamoo.com/2013/11/you-requested-new-facebook-password.html
26 Nov 2013 - "This -fake- Facebook message comes with a malicious attachment:
Date: Tue, 26 Nov 2013 04:58:18 +0300 [11/25/13 20:58:18 EST]
From: Facebook [update+hiehdzge@ facebookmail .com]
Subject: You requested a new Facebook password!
facebook
Hello,
You have received a secure message. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
Read your secure message by opening the attachment, Facebook-SecureMessage.zip.
Didn't request this change?
If you didn't request a new password, let us know immediately.
This message was sent to [redacted] at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303


Screenshot: https://lh3.ggpht.com/-20l6OoLiEfc/UpSqzbqg9yI/AAAAAAAACSE/yW-Pfq5-JW8/s1600/facebook3.png

The attachment is Recoverypassword.zip which in turn contains a malicious executable Facebook-SecureMessage.exe which has a VirusTotal detection rate of 16/42*. Automated analysis tools... shows attempted connections to developmentinn .com on 38.102.226.252 (Cogent, US) and spotopia .com on 199.229.232.99 (Enzu, US). Note that the servers on those IPs host dozens of legitimate sites and I cannot say for certain if they are all compromised or not."
* https://www.virustotal.com/en-gb/fi...d9f5755eff61109be377caa4/analysis/1385474059/

- https://www.virustotal.com/en/ip-address/199.229.232.99/information/
___

Xerox Incoming Fax Spam
- http://threattrack.tumblr.com/post/68163781381/xerox-incoming-fax-spam
Nov 26, 2013 - "Subjects Seen:
INCOMING FAX REPORT : Remote ID: 633-553-5385
Typical e-mail details:
INCOMING FAX REPORT
Date/Time: 11/26/2013 04:51:31 EST
Speed: 17766 bps
Connection time: 07:01
Pages: 3
Resolution: Normal
Remote ID: 633-553-5385
Line number: 633-553-5385
DTMF/DID:
Description: Сost sheet for first half of 2013.pdf


Malicious File Name and MD5:
IncomingFax.zip (A5E6AB0F6ECF230633B91612A79BF875)
IncomingFax.exe (B048E178F86F6DBD54D84F488120BB9B)

Screenshot: https://gs1.wac.edgecastcdn.net/801...ff35f21e2/tumblr_inline_mwvl3vV45y1r6pupn.png

Tagged: Xerox, Upatre
___

Something evil on 46.19.139.236
- http://blog.dynamoo.com/2013/11/something-evil-on-4619139236.html
26 Nov 2013 - "46.19.139.236 (Private Layer Inc, Switzerland) seems to be serving up some sort of Java -exploit- kit via injection attacks which is utilising hijacked legitimate domains, but the domains in use seem to rotate pretty quickly and I haven't got a copy of the payload, but VirusTotal has some examples* ..."
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/ip-address/46.19.139.236/information/
___

Fake Loan site delivers adware
- http://www.threattracksecurity.com/it-blog/beware-of-trustfinancial-dot-org/
Nov 26, 2013 - "... a fake loan page from an equally fake financial institution called “Trust Financial Group”.
> http://www.threattracksecurity.com/.../2013/11/02D3B1F566A419CEFACB8E96C52913E1.jpg
Once users visit trustfinancial(dot)org, they are -redirected- to a default page serving a loan decision document. In order for visitors to see its unblurred version, they have to install a “secure loan viewer” application. Unfortunately, users will find out that the name of the program is actually called “Search Smarted and Search Assistor” and is signed by a verified publisher called Access Financial Resources, Inc.
> http://www.threattracksecurity.com/.../2013/11/B98992173625FF8F069029FFC1704ACD.jpg
Here’s another sample that we have acquired:
> http://www.threattracksecurity.com/.../2013/11/36311B015C8950A6322B3B49590EE75C.jpg
A quick search on Google for the name points me to a small company of financial planners in Oklahoma, but I can’t find connections to any legitimate software it’s involved in or to “Trust Financial Group”. We can count on the idea that whoever is behind the bogus page and brand had used the name of a legitimate small financial company to make the certificate appear more authentic, which in turn makes the applications seem legit. Unfortunately, this is -not- the case. The files are not document viewer applications, but they are -adware- programs that, once installed, -injects- ads into search engine results.
> http://www.threattracksecurity.com/.../2013/11/C936F07A4085EBFA62BE550F9F6D03F2.jpg
... Eric Howes, ThreatTrack Security’s Principal Lab Researcher, “The domains used here are all anonymously registered. And while this attack technically isn’t a phishing attack, it is exploiting users’ trust and faith in financial institutions to trick them into installing adware.” Our researchers have further determined that the ads being injected are pulled through the domain, ez-input(dot)info, which was also registered anonymously..."
___

Blackshades Rat usage on the rise...
- http://www.symantec.com/connect/blogs/blackshades-rat-usage-rise-despite-author-s-alleged-arrest
Nov 25, 2013 - "... Blackshades RAT, detected by Symantec products as W32.Shadesrat, will gather passwords and credentials from infected systems, sending them back to the malicious command-and-control (C&C) server. This increase in activity prompted us to investigate the main C&C servers that manage the latest infections. Upon investigation, we found a connection to the Cool Exploit Kit, which has been used to distribute W32.Shadesrat, but also several -other- malware families.
Shadesrat evolution since July 2013:
> http://www.symantec.com/connect/sit...user-2935611/Shadesrat and Cool Exploit 1.png
For the last few years we have seen a spectacular increase of attacks against Web servers using recently discovered vulnerabilities to target industries, think tanks, government institutions and users. In all cases, the attacker’s goal is very clear; to execute a malicious payload on the user’s computer. The attackers managed to do this using different exploit kits. When Symantec observed the increase of W32.Shadesrat infections, we identified hundreds of C&C servers being used to gather credentials from compromised computers. W32.Shadesrat targets a wide variety of credentials including email services, Web services, instant messaging applications, and FTP clients. Spammers looking for new mail credentials, attackers trying to continue their security breaches with access to new servers and services, and attackers looking for specific information to exfiltrate might be interested in this kind of information. During our research, we found that nearly all of the C&C servers have hosted exploit kits at some point, and until the arrest of the author of the Blackhole Exploit Kit and the Cool Exploit Kit, the latter has been the most prevalent. These kits try to exploit different vulnerabilities in the user’s computer to execute a malicious payload and infect them. Underground teams have a wide range of resources to perform their attacks.
> http://www.symantec.com/connect/sit...user-2935611/Shadesrat and Cool Exploit 2.png
We also observed that after the arrest of the author of the Blackhole Exploit Kit and Cool Exploit Kit, both exploit kits have nearly disappeared, leaving Neutrino as the new kit of choice.
> http://www.symantec.com/connect/sit...user-2935611/Shadesrat and Cool Exploit 3.png
Once an unsuspecting user has been compromised, -multiple- payloads are downloaded and used to retain control by using Remote Administration Tools or downloaders that enable them to install additional malware with new functionalities. The C&C servers also spread the following other malware threats.
> http://www.symantec.com/connect/sit...user-2935611/Shadesrat and Cool Exploit 4.png
... The distribution of the threats suggests that the attackers attempted to infect as many computers as possible. The attackers do not seem to have targeted specific people or companies. This demonstrates how complete the threat landscape is, as well as the resources that attackers have at their disposal. Don’t forget to make sure that your software is up-to-date and that your antivirus solution has the latest definitions."

Fake ADP, D&B, Tax Return SPAM ...

FYI...

Fake ADP SPAM - "Reference #274135902580" / Transaction.exe
- http://blog.dynamoo.com/2013/11/adp-reference-274135902580-spam.html
27 Nov 2013 - "Is it Salesforce or ADP? Of course.. it is -neither- ...
Date: Wed, 27 Nov 2013 11:50:07 +0100 [05:50:07 EST]
From: "support@ salesforce .com" [support@ salesforce .com]
Subject: ADP - Reference #274135902580
We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.
Transaction details are shown in the attached file.
Reference #274135902580
This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY...


Attached is a file Transaction_274135902580.zip which in turn contains a malicious executable named Transaction.exe which has an icon to make it look like a PDF file and a VirusTotal detection rate of 8/48*...
> https://lh3.ggpht.com/-SxwSXmXNPHs/UpX1fXSXObI/AAAAAAAACSY/UNYcz2opuj4/s1600/transaction.png
Malwr reports an attempted connection to seribeau .com on 103.6.196.152 (Exa Bytes Network, Malaysia). This IP has several -hundred- legitimate web sites on it, and it is not possible to determine if these are clean or infected."
* https://www.virustotal.com/en-gb/fi...f7ddcc7d4b6a4d875de95068/analysis/1385558999/

- https://www.virustotal.com/en/ip-address/103.6.196.152/information/
___

Dun & Bradstreet iUpdate Spam
- http://threattrack.tumblr.com/post/68263874738/dun-bradstreet-iupdate-spam
Nov 27, 2013 - "Subjects Seen:
D&B iUpdate : Company Request Processed
Typical e-mail details:
Thank you,
Your request has been successfully processed by D&B.
All information has been reviewed and validated by D&B.
Please Find your Order Information attached.


Malicious File Name and MD5:
CompanyInfo.zip (22CC978F9A6AEE77E653D7507B35CD65)
CompanyInfo.exe (2F3C1473F8BCF79C645134ED84F5EF62)


Screenshot: https://gs1.wac.edgecastcdn.net/801...c04e8a72a/tumblr_inline_mwxg59IRwc1r6pupn.png

Tagged: Dun & Bradstreet, Upatre
___

Tax Return Accountant’s Letter Spam
- http://threattrack.tumblr.com/post/68262070063/tax-return-accountants-letter-spam
Nov 27, 2013 - "Subjects Seen:
FW: 2012 and 2013 Tax Documents; Accountant’s Letter
Typical e-mail details:
I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant’s letter.


Malicious File Name and MD5:
<e-mail recipient>.zip (BC8FC4D02BB86F957F5AE0818D94432F)
TaxReturn.exe (E85AD4B09201144ACDC04FFC5F708F03)


Screenshot: https://gs1.wac.edgecastcdn.net/801...1fd1fe365/tumblr_inline_mwxeqis2ka1r6pupn.png

Tagged: Tax Return, Upatre
___

Russian Photo Attachment Spam
- http://threattrack.tumblr.com/post/68274420361/russian-photo-attachment-spam
Nov 27, 2013 - "Subjects Seen:
Hello
Typical e-mail details:
Hi
My name is Yulia.
I am from Russia.
Look my photo in attachment.


Malicious File Name and MD5:
DSC_0492(copy).jpg.zip (41B37B08293C1BFE76458FA806796206)
DSC_0492(copy).jpg.exe (AC7CD2087014D9092E48CE465E4F902D)


Screenshot: https://gs1.wac.edgecastcdn.net/801...46f2231dd/tumblr_inline_mwxmtdo5Ih1r6pupn.png

Tagged: Photo, Sirefef.

Fake Skype voicemail SPAM ...

FYI...

Fake Skype voicemail - Trojan SPAM ...
- http://www.theregister.co.uk/2013/11/28/skype_voicemail_alert_spam_flings_zeus_trojan/
28 Nov 2013 - "A spam run of fake Skype voicemail alert emails actually comes packed with malware, a UK police agency warns*. Action Fraud said the zip file attachments come contaminated with a variant of the notorious ZeuS banking Trojan. Messages typically come with the subject line “You received a new message from Skype voicemail service”. The emails contain a copyright notice and a disingenuous warning that "Skype staff will NEVER ask you for your password via email", all in a bid to appear genuine..."
* http://www.actionfraud.police.uk/alert-fake-voicemail-emails-from-skype-contain-virus-nov13

- http://blog.mxlab.eu/2013/11/26/fak...from-skype-voicemail-service-contains-trojan/

Fake 'planned outage' SPAM, Toolbar uses Your System to make BTC

FYI...

Fake 'planned outage' SPAM - attachment contains trojan ...
- http://blog.mxlab.eu/2013/12/02/ema...ave-and-backup-attached-file-contains-trojan/
Dec 2, 2013 - "MX Lab... started to intercept a new trojan distribution campaign by email with the subject “Important update. Please read”. This email is sent from the spoofed address “mail server update” and has the following body:
Dear user!
This is a planned Outage for our MAIL Services on Mon, 02 Dec 2013 11:30:14 +0300
Our MailServer is currently experiencing some problems. It should be working again as usual shortly.
If you want to keep previous saved emails
please download and save your backup from the attached file.
Please do not reply to this message.
This is a mandatory notification containing information about important changes in the products you are using.


Screenshot of the message: http://img.blog.mxlab.eu/2013/20131202_planned_outage.gif

The attached ZIP file has the name saved_mailbox_yoct_F479657BA8.zip and contains the 115 kB large file saved_mail_user_id_8349653__random_numbers__6587234.eml. The trojan is known as Trojan/Win32.Zbot, W32/Trojan.RSKY-7175, Win32/PSW.Fareit.A, Trojan.Ransom.RV or Mal/Generic-S. At the time of writing, 7 of the 47 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 8ff5f6c1e5b368c2e9de2a0d98364f9cae6560ba54874f55779b78a0f487745c
The trojan is capable of downloading files from the internet and according to Malwr it can steal information from local internet browsers and harvest credentials from FTP clients. This last one can perhaps be used to upload a virus or malware to hosts that can use this location for other campaigns.
The trojan will start a new service, make some Windows registry modifications and will make contact with hosts to download a file from:
hxxp ://62.76.45.242/our/1.exe
hxxp ://62.76.42.218/our/1.exe
hxxp ://62.76.45.242/our/2.exe
hxxp ://62.76.42.218/our/2.exe
hxxp ://networksecurityx .hopto .org

The file 1.exe is 369kB large and is identified as W32/Trojan.RSKY-7175 or Trojan.Ransom.RV. The file 2.exe couldn’t be downloaded, the host gave us a 404 error. This executable will create a process ihre.exe on an infected system, modify the Windows registry, change the firewall policies, install itself to run when booting the system, collect information to fingerprint the system, perform HTTP requests and start servers listening on 0.0.0.0 on port 8989, 0.0.0.0 on port 2626 and 0.0.0.0 on port 0. At the time of writing, 2 of the 48 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink*** and Malwr permalink**** for more detailed information.
SHA256: 8b9ed72674c49abc1aa0ab1c94a8fa13a1b471c23e799c7cce173a67603cb407."
* https://www.virustotal.com/en/file/...54874f55779b78a0f487745c/analysis/1385977408/

** https://malwr.com/analysis/MmRjZDMzZDI0MjgyNGRjZjk5ODAwYWVhNzI0MGJiMzU/

*** https://www.virustotal.com/en/file/...3e799c7cce173a67603cb407/analysis/1385978531/

**** https://malwr.com/analysis/Y2QzOWY1NWIzYzY4NDRhZTlhNjdlMTNkZTJmY2JkODY/

- https://www.virustotal.com/en/ip-address/62.76.45.242/information/

- http://google.com/safebrowsing/diagnostic?site=hopto.org/
"... this site was listed for suspicious activity 695 time(s) over the past 90 days..."
___

Toolbar uses Your System to make BTC ...
- http://blog.malwarebytes.org/fraud-...toolbar-peddlers-use-your-system-to-make-btc/
Nov 29, 2013 - "Potentially Unwanted Programs, or PUPs as we like to call them, are things like Toolbars, Search Agents, etc. Unnecessary junk for your desktop that usually involves monitoring your surfing/shopping habits and slowing down your system with their sub-par software that ends up hurting you much more than helping. A recent and unfortunate discovery by some of our users revealed that some of these programs do more than just cover your desktop in ads, they also steal your system's resources for mining purposes... we are taking a look at a PuP that installs a Bitcoin miner on the user system, not just for a quick buck but actually written into the software’s EULA. This type of system hijacking is just another way for advertising based software to exploit a user into getting even more cash.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/VictorPost-1024x420.png
... we received a request for assistance from one of our users about a file that was taking up 50 percent of the system resources on their system. After trying to remove it by deleting it, he found that it kept coming back, the filename was “jh1d.exe”... We did some research and found out that the file in question was a Bitcoin Miner known as “jhProtominer”, a popular mining software that runs via the command line. However, it wasn’t the miner recreating its own file and executing but a parent process known as “monitor.exe”. Monitor.exe* was created by a company known as Mutual Public, which is also known as We Build Toolbars, LLC or WBT. We were able to find out the connection between WBT and Mutual Public thanks to an entry in the Sarasota Business Observer:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/WBT_is_MP.png
Another product belonging to Mutual Public is known as Your Free Proxy.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/11/YourFreeProxy.png
Your Free Proxy uses the Mutual Public Installer (monitor.exe), obtaining it from an Amazon cloud server... We checked out this cloud server and found monitor.exe but also some additional interesting files, notably multiple types of “silent” installers and a folder called “coin-miner”... We at Malwarebytes are putting our foot down and detecting these threats as what they are, giving our users the option to remove them and never look back..."
* https://www.virustotal.com/en/file/...e74a3dd573cdfdcf0e8bfbf8966ed66353e/analysis/
File name: vti-rescan
Detection ratio: 1/48
Analysis date: 2013-11-29

:mad: :fear:
 
Fake AMEX SPAM, Threat Outbreak Alerts ...

FYI...

Fake AMEX SPAM
- http://threattrack.tumblr.com/post/68886754223/american-express-secure-message-spam
Dec 3, 2013 - "Subjects Seen:
Confidential - Secure Message from AMEX
Typical e-mail details:
The security of your personal information is of the utmost importance to American Express, so we have sent the attached as a secure electronic file.
Note: The attached file contains encrypted data.
If you have any questions, please call us at 800-524-3645, option 1. Representatives are available to assist you Monday through Thursday between 8:00 a.m. and 8:00 p.m. ET and Friday between 8:00 a.m. and 6:00 p.m. ET.
The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
Thank you,
American Express


Malicious File Name and MD5:
SecureMail.zip (2986FFD9B827B34DCB108923FEA1D403)
SecureMail.exe (7DC5BF7F5F3EAF118C7A6DE6AF921017)


Screenshot: https://gs1.wac.edgecastcdn.net/801...72696dee8/tumblr_inline_mx8op1XMJQ1r6pupn.png

Tagged: American Express, Upatre
___

Fake eFax SPAM
- http://blog.dynamoo.com/2013/12/another-day-another-fake-efax-spam.html
3 Dec 2013 - "These fake eFax spams are getting a bit dull. As you might expect, this one comes with a malicious attachment.
Date: Tue, 3 Dec 2013 15:15:03 -0800 [18:15:03 EST]
From: eFax Corporate [message@ inbound .efax .com]
Subject: Fax transmission: -5219616961-5460126761-20130705352854-84905.zip
Please find attached to this email a facsimile transmission we have just received on your behalf
(Do not reply to this email as any reply will not be read by a real person)


Attached is a ZIP file which in this case is called -2322693863-6422657608-20130705409306-09249.zip (with a VirusTotal detection rate of 6/48*) which in turn contains a malicious executable fax-report.exe which has an icon that makes it look like a PDF file and has a VirusTotal detection rate of 4/48**.
> http://1.bp.blogspot.com/-riDinrvAIZ8/Up5qPTdSDVI/AAAAAAAACTM/5XIcLTSsYks/s1600/fax-report.png
Automated analysis tools... show an attempted communication with tuhostingprofesional .net on 188.121.51.69 (GoDaddy, Netherlands) which contains about 8 legitimate domains which may or may not have been compromised."
* https://www.virustotal.com/en/file/...edde9f11e339597c760e9e1b/analysis/1386113630/

** https://www.virustotal.com/en/file/...33084a937b0666007b318dc4/analysis/1386113237/
___

Fake Fax/Voice SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/03/email-faxnachricht-von-unknown-an-03212-1298305-contains-trojan/
Dec 3, 2013 - "... new trojan distribution campaign by email with the subject “Faxnachricht von unknown an 03212-1298305”. This email is sent from the spoofed address “"WEB.DE Fax und Voice" <fax-021213-voice@webde.de>” and has the following very short body:
Fax und Voice
The attached ZIP file has the name WEB.DE Fax und Voice.zip and contains the 120 kB large file WEB.DE Fax und Voice.exe. The trojan is known as TR/Dropper.VB.3500, Virus.Win32.Heur.p, Trojan.Packed.25042, Win32/TrojanDownloader.Wauchos.X, PE:Trojan.VBInject!1.64FE or Troj/Agent-AFAX. At the time of writing, 15 of the 48 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information."
SHA256: 8d2fe8b6c370c0568f93bb4eee838dc4514f2cc5578424b7376ed21e4ca9091b
* https://www.virustotal.com/en/file/...dc4514f2cc5578424b7376ed21e4ca9091b/analysis/

** https://malwr.com/analysis/ZWMxYjQ3YWEyNzY0NGVlNjgyMWVkNzI5OGUwZmEwZGQ/
___

Fake Mastercard SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/03/imp...th-trojan-disguised-as-email-from-mastercard/
Dec 3, 2013 - "... trojan distribution campaign appears with more or less the same layout in the email that targets Mastercard holders with the subject “Important notification for a Mastercard holder”. MX Lab... intercepted these emails that are sent from the spoofed address “MasterCard” and have the following body:
Important notification for a Mastercard holder!
Your Bank debit card has been temporarily blocked
We’ve detected unusual activity on your Bank debit card . Your UK Bank debit card has been temporarily blocked, please fill document in attachment and contact us
About MasterCard Global Privacy Policy Copyright Terms of Use
© 1994-2013 MasterCard


Screenshot: http://img.blog.mxlab.eu/2013/20131203_mastercard.gif

The attached ZIP file has the name MasterCard_D77559FFA7.zip and contains the 131 kB large file MasterCard_info_pdf_34857348957239509857928472389469812364912034237412893476812734.pdf.exe. The trojan is known as PasswordStealer.Fareit, Trojan-PWS/W32.Tepfer.131072.HS, PE:Malware.Obscure/Huer!1.9E03, Troj/Agent-AFAZ or Trojan.DownLoader9.22851. At the time of writing, 12 of the 48 AV engines did detect the trojan at Virus Total. Use the... Malwr permalink* for more detailed information."
* https://malwr.com/analysis/Yjk0NjczNDAyMDZlNDMzMDk4NjU5NGQzOGQyNGM0OTU/
___

Threat Outbreak Alerts
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Fax and Voice Notification Email Messages - 2013 Dec 03
Fake Purchase Order Request Email Messages - 2013 Dec 03
Fake Payment Confirmation Notification Email Messages - 2013 Dec 03
Fake Shipping Order Information Email Messages - 2013 Dec 03
Fake Product Inquiry Email Messages - 2013 Dec 03
Fake Product Purchase Order Email Messages - 2013 Dec 03
Fake Meeting Invitation Email Messages - 2013 Dec 03
Fake Fax Message Delivery Email Messages - 2013 Dec 03
Fake Failed Delivery Notification Email Messages - 2013 Dec 03
Malicious Personal Pictures Attachment Email Messages - 2013 Dec 03
Fake Payment processing Notification Email Messages - 2013 Dec 03
Fake Unpaid Debt Invoice Email Messages - 2013 Dec 03
Email Messages with Malicious Attachments - 2013 Dec 03
Fake Product Order Quotation Email Messages - 2013 Dec 03
Fake Payroll Invoice Notification Email Messages - 2013 Dec 03
Email Messages with Malicious Attachments - 2013 Dec 03
Fake Financial Document Email Messages - 2013 Dec 03
(More detail and links at the cisco URL above.)

:fear: :mad:
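The AMEX, eFax, WEB.DE and MasterCard samples above all share one trick: a ZIP attachment whose executable wears a document-looking name (SecureMail.exe, fax-report.exe with a PDF icon, "..._pdf_<digits>.pdf.exe"). The following is an added example of a mail-gateway style check for that pattern, not code from the quoted blogs; the archives are constructed in memory with member names taken from the posts and placeholder contents, and the renamed "fax-report.pdf" case is hypothetical.

```python
"""Flag ZIP members that look like disguised executables (added example;
sample archives are constructed here, not taken from real attachments)."""
import io
import zipfile

EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
DOC_EXTENSIONS = {"pdf", "doc", "docx", "jpg", "jpeg", "png", "txt", "eml"}


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons a ZIP member looks like a disguised executable."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    exts = parts[1:]
    last = exts[-1] if exts else ""
    if last in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{last}")
    if len(exts) >= 2 and exts[-2] in DOC_EXTENSIONS and last in EXEC_EXTENSIONS:
        reasons.append(f"double extension .{exts[-2]}.{last}")
    # Windows PE files start with the 'MZ' DOS stub whatever they are called,
    # so a renamed executable is caught by content rather than by name.
    if head[:2] == b"MZ" and last not in EXEC_EXTENSIONS:
        reasons.append("PE header (MZ) under non-executable name")
    # A long run of digits before the extension is typical of the MX Lab
    # samples (MasterCard_info_pdf_3485...pdf.exe, Royal_report_4935...pdf.exe).
    if sum(c.isdigit() for c in parts[0]) >= 20:
        reasons.append("long numeric filler in name")
    return reasons


def scan_zip(data: bytes) -> dict:
    """Map each file in the archive to its list of findings (empty = clean)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)   # only the magic bytes are needed
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: content} (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures: names from the posts above, contents are placeholders.
FAKE_PE = b"MZ" + b"\x00" * 62   # minimal DOS-stub prefix, not a real executable
SAMPLES = {
    "SecureMail.zip": build_zip({"SecureMail.exe": FAKE_PE}),
    "MasterCard_D77559FFA7.zip": build_zip({
        "MasterCard_info_pdf_34857348957239509857928472389469812364912034237412893476812734.pdf.exe": FAKE_PE}),
    # hypothetical: the eFax dropper renamed to hide its extension entirely
    "fax.zip": build_zip({"fax-report.pdf": FAKE_PE}),
    "invoice.zip": build_zip({"invoice.pdf": b"%PDF-1.4 placeholder"}),
}

if __name__ == "__main__":
    for archive, data in SAMPLES.items():
        for member, reasons in scan_zip(data).items():
            verdict = "QUARANTINE" if reasons else "ok"
            print(f"{archive}: {member} -> {verdict} {reasons}")
```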
 
Fake Amazon SPAM, Job SCAMS ...

FYI...

Fake Amazon SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/04/ama...h-attached-order-details-zip-contains-trojan/
Dec 4, 2013 - "... new trojan distribution campaign by email with the subject “order #852-9045074-5639529” or “order ID801-7322179-4122684”. This email is sent from the spoofed address “"AMAZON.CO.UK" <SALES@ AMAZON .CO .UK>” and has the following body:
Good evening,
Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order ID266-3050394-3760006 Placed on December 2, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon.co.uk


The attached ZIP file has the name Order details.zip and contains the 86 kB large file Order details.exe. The trojan is known as Trojan-PWS.Fareit, Trojan.Inject.RRE, PE:Malware.FakeDOC@CV!1.9C3C or Mal/Generic-S. At the time of writing, 5 of the 46 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 0cb39edbc66388a3315b84e0aa9f95b9e58ce4aab3e3e188ba0537694956afbc."
* https://www.virustotal.com/en/file/...b3e3e188ba0537694956afbc/analysis/1386150729/

** https://malwr.com/analysis/YTk5MDIzNzM1OTJiNDAwOWExODFhMzYzNDlhY2ZhY2Q/

79.187.164.155 - PL
- https://www.virustotal.com/en/ip-address/79.187.164.155/information/

- http://blogs.appriver.com/Blog/bid/100278/Just-In-Time-for-the-Holidays
Dec 03, 2013 - "... floods of -fake- Amazon.com "Order Details" notifications are hitting our filters... They are out in full force."
Screenshot: http://blogs.appriver.com/Portals/53864/images/Amazon-resized-600.png
___

Fake Amazon.co.uk SPAM / Order details.zip
- http://blog.dynamoo.com/2013/12/fake-amazoncouk-spam-order-detailszip.html
4 Dec 2013 - "This -fake- Amazon spam comes with a malicious attachment:
Date: Wed, 4 Dec 2013 11:07:00 +0200 [04:07:00 EST]
From: "AMAZON.CO.UK" [SALES@ AMAZON .CO .UK]
Subject: order ID718-4116431-2424056
Good evening, Thanks for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order ID757-7743075-1612424 Placed on December 1, 2013 Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon. co .uk


Attached is a ZIP file Order details.zip which in turn contains a malicious executable Order details.exe which has a VirusTotal detection rate of 15/49*. Automated analysis tools... are fairly inconclusive, but do show some apparent traffic to 79.187.164.155 (TP, Poland) plus the creation of a key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Start WingMan Profiler to run the malware at startup."
* https://www.virustotal.com/en-gb/fi...b3e3e188ba0537694956afbc/analysis/1386166395/
___

Fake Royal Mail SPAM - malicious attachment
- http://blog.mxlab.eu/2013/12/04/new...l-from-royal-mail-regarding-detained-package/
Dec 4, 2013 - "... Today’s campaign is slightly different and carrying a new variant of the trojan. This email is sent from the spoofed address “RoyalMail Notification”, the SMTP from address on server level is now noreply@ royalmail .com, the subject has changed to “ATTN: Lost / Missing package” and has the following body:
Mail – Lost / Missing package – UK Customs and Border Protection
Royal Mail has detained your package for some reason (for example, lack of a proper invoice, bill of sale, or other documentation, a possible trademark violation, or if the package requires a formal entry) the RM International Mail Branch holding it will notify you of the reason for detention (in writing) and how you can get it released.
Please fulfil the documents attached.


Screenshot: http://img.blog.mxlab.eu/2013/20131202_royalmail.gif

The attached ZIP file has the name RoyalMail_ID_D6646FD113.zip and contains the 82 kB large file Royal-Mail_Report_03485734895374895637249865238746532649573245.pdf. The trojan is known as TR/Crypt.Xpack.32532, Trojan.DownLoader9.22851, Trojan.Win32.Inject (A), Trojan.Win32.Inject.gtgw, PWSZbot-FMU!4948180CFBA9, Trojan.Agent.ED or Troj/DwnLdr-LEX. This executable will create a process on an infected system, modify the Windows registry, change the firewall policies, install itself to run when booting the system, steal information from local internet browsers, harvest credentials from FTP clients, collect information to fingerprint the system, perform HTTP requests and start servers listening on 0.0.0.0 on port 6274, 0.0.0.0 on port 2865 and 0.0.0.0 on port 0 (note that the ports in use have changed in this new variant).
At the time of writing, 8 of the 47 AV engines did detect the trojan at Virus Total. Use the Virus Total permalink* and Malwr permalink** for more detailed information.
SHA256: 36edcd915f489fcac41d9a8db210db74fb35ccb03c4b86575f0bfa55a8655d66.
UPDATE: The message now comes with subject “Warning: Lost/Missing package” and contains the file RoyalMail_Report_IDEEAA87302A.zip. Once extracted the file Royal_report_4935865497637856239875696597694892346545692354.pdf.exe is available. At the time of writing, 3 of the 49 AV engines did detect the trojan at Virus Total.
Use the Virus Total permalink*** or Malwr permalink**** for more detailed information.
SHA256: 1c264ebf37829848920221b067ef13ad90968b332c91cc04a5f58cb9a0dcc4db."
* https://www.virustotal.com/en/file/...3c4b86575f0bfa55a8655d66/analysis/1386160116/

** https://malwr.com/analysis/MjNjZTZjMzA3YTI4NGI2MmI2NTI3MjRhYzYyN2FkYWY/

*** https://www.virustotal.com/en/file/...2c91cc04a5f58cb9a0dcc4db/analysis/1386167663/

**** https://malwr.com/analysis/YTI1YmQxZDk1OTRmNGE5OTg3ZjhmNjkzYzg3N2I4OWE/
___

Fake Dept of Treasury SPAM / FMS-Case.exe
- http://blog.dynamoo.com/2013/12/department-of-treasury-notice-of.html
4 Dec 2013 - "This spam says Salesforce.com at the top but the rest is allegedly from some US Government department or other (pay attention people!). Anyway, it has a malicious attachment.
Date: Wed, 4 Dec 2013 08:24:02 -0500 [08:24:02 EST]
From: "support@salesforce.com" [support@ salesforce .com]
Subject: Department of Treasury Notice of Outstanding Obligation - Case CWK8SSU4K6CN852
Important please review and sign the attached document!
We have received notification from the Department of the Treasury,
Financial Management Service (FMS) that you have an outstanding
obligation with the Federal Government that requires your immediate
attention.
In order to ensure this condition does not affect any planned
contract or grant activity, please review and sign the attached document and if
you are unable to understand the attached document please call FMS at 1-800-304-3107
to address this issue. Please make sure the person making the telephone call has the
Taxpayer Identification Number available AND has the authority/knowledge
to discuss the debt for the contractor/grantee.
Questions should be directed to the Federal Service Desk ...


Attached is a file FMS-Case-CWK8SSU4K6CN852.zip which in turn contains a malicious executable FMS-Case.exe which has a VirusTotal detection rate of 7/49*. Automated analysis tools... show an attempted connection to worldofchamps .com on 198.1.78.171 (Websitewelcome, US) and a download from [donotclick]deshapran .com/img/deshp.exe on 182.18.143.140 (Pioneer eLabs, India). This second part has a VirusTotal detection rate of 6/47**, although automated analysis tools are inconclusive***. I recommend blocking -both- those domains."
* https://www.virustotal.com/en-gb/fi...88c46a84a57290dcb4574c40/analysis/1386170174/

** https://www.virustotal.com/en-gb/fi...f4f91f87f5be77e53b1182bb/analysis/1386170947/

*** https://malwr.com/analysis/NWJmNGQyNjRmMjIyNDFiNTllMzU3ZTE0MTlmMDU0NTY/
___

Job SCAMS - "british-googleapps .com" (and other googleapps .com domains)
- http://blog.dynamoo.com/2013/12/british-googleappscom-and-other.html
4 Dec 2013 - "This following spam email is attempting to recruit money mules:
From: arwildcbrender@ victimdomain .com
to: arwildcbrender@ victimdomain .com
date: 4 December 2013 07:49
subject: Employment you've been searching!
Hello, We have an excellent opportunity for an apprentice applicant to join a rapidly expanding company.
An at home Key Account Manager Position is a great opportunity for stay at home parents
or anyone who wants to work in the comfort of their own home.
This is a part time job / flexible hrs for European citizens only,This is in view of our not having a branch office presently in Europe,
also becouse of paypal and ebay policies wich is prohibit to work directly with residents of some countries.
Requirements: computer with Internet access, valid email address, good typing skills.
If you fit the above description and meet the requirements, please apply to this ad stating your location.
You will be processing orders from your computer. How much you earn is up to you.
The average is in the region of 750-1000 GBP per week, depending on whether you work full or part time.
Region: United Kingdom only.
If you would like more information, please contact us stating where you are located and our job reference number - 42701-759/3HR.
Please only SERIOUS applicants.
If you are interested, please reply to: Gene@british-googleapps .com


Sample subjects include:
Employment you've been searching!
Career opportunity inside
Job ad - see details! Sent through Search engine...

british-googleapps .com is registered with completely fake details and uses a mail server on 50.194.47.186 (Comcast Business, US) to process mail. There are several other similar domain names being used for the same scam... In addition to those, all these following IPs and domains are in use by the scammers either now or recently. All the domains are registered through scam-friendly Chinese registrar BIZCN to fictitious registrants.
50.194.47.186 - US
175.67.90.27 - CN
95.94.135.113 - PT
220.67.126.175 - KR ..."
(Many URLs listed at the dynamoo URL above.)

:mad: :fear:
 
Bogus Firefox and Media Player downloads ...

FYI...

Bogus Firefox and Media Player downloads - 89.248.164.219 and 217.23.2.233
- http://blog.dynamoo.com/2013/12/something-unpleasant-on-89248164219-and.html
5 Dec 2013 - "The IPs 89.248.164.219 (Ecatel, Netherlands) and 217.23.2.233 (Worldstream, Netherlands) appear to be hosting some sort of -bogus- Firefox* and Media Player** downloads. (You can see the VirusTotal reports here*** and here****). All the domains in use appear at first glance to be genuine but are basically some sort of typosquatting. A full list of all the subdomains I can find is at the end of the blog, but in the meantime I recommend using the following blocklist:
89.248.164.219
217.23.2.233
..."
(Long list of URLs at the dynamoo URL above.)
* http://urlquery.net/report.php?id=8165658

** http://urlquery.net/report.php?id=8165615

*** https://www.virustotal.com/en-gb/ip-address/89.248.164.219/information/

**** https://www.virustotal.com/en-gb/ip-address/217.23.2.233/information/

Bogus Browser Update ...
- http://www.webroot.com/blog/2013/12...malicious-javasymbianandroid-browser-updates/
Dec 5, 2013 - "... a currently active malicious campaign, relying on redirectors placed at compromised/hacked legitimate Web sites, for the purpose of hijacking the legitimate traffic and directly exposing it to multi mobile OS based malicious/fraudulent content. In this particular case, a -bogus- “Browser Update“, which in reality is a premium rate SMS malware.
Sample screenshot of the landing page upon automatic redirection:
> https://www.webroot.com/blog/wp-con..._Java_Symbian_Malware_Fake_Browser_Update.png
Landing page upon redirection: hxxp ://mobleq .com/e/4366
Domain name reconnaissance: mobleq .com – 91.202.63.75 ...
Detection rates for the multi mobile platform variants:
MD5: a4b7be4c2ad757a5a41e6172b450b617 – * HEUR:Trojan-SMS.AndroidOS.Stealer.a
MD5: 1a2b4d6280bae654ee6b9c8cfe1204ab – ** Java.SMSSend.780; TROJ_GEN.F47V1117
MD5: 2ff587ffb2913aee16ec5cae7792e2a7 – *** ..."
* https://www.virustotal.com/en/file/...5db3020e626ade7c77a889d36e1b3b19fce/analysis/

** https://www.virustotal.com/en/file/...3a098d472bc0b0c4c6a4ee03/analysis/1386176451/

*** https://www.virustotal.com/en/file/...0fd739e38e2f46e1c7e37bac/analysis/1386176560/

- https://www.virustotal.com/en/ip-address/91.202.63.75/information/
___

Something evil on 192.95.1.190
- http://blog.dynamoo.com/2013/12/something-evil-on-192951190.html
5 Dec 2013 - "It looks like there is some sort of exploit kit on 192.95.1.190 (OVH, Canada) [example*] spreading through injection attacks although at the moment I can't reproduce the issue. In any case, I would recommend -blocking- that IP... Some of the subdomains in use are listed here**..."
(More dot biz URLs listed at the dynamoo URL above.)
* https://www.virustotal.com/en-gb/ur...0442b45c6a95b4281f5f185e458161a79f3/analysis/

** http://pastebin.com/JREzW6vm

- https://www.virustotal.com/en/ip-address/192.95.1.190/information/

:fear::fear: :mad:
 
Malware sites to block - 9/12/2013

FYI...

Malware sites to block 9/12/2013
- http://blog.dynamoo.com/2013/12/malware-sites-to-block-9122013.html
9 Dec 2013 - "These malicious sites and IPs are related to this attack (thanks to the folks at ThreatTrack Security for the tip). Although a lot of the sites are not currently resolving, those that are up are hosted on 37.59.254.224 and 37.59.232.208 which are a pair of OVH IPs suballocated to:
organisation: ORG-RL152-RIPE
org-name: R5X .org ltd
org-type: OTHER
address: Krasnoselskaja 15-219
address: 346579 Moscow
address: RU
abuse-mailbox: abuse@ r5x .org
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
source: RIPE # Filtered

R5X .org IPs have featured a couple of times before here [1] [2] so I would suggest -blocking- any that you find. I'll do some research on those soon, but in the meantime I would recommend blocking the following IPs and domains. Domains that are already flagged by Google are highlighted.
37.59.232.208/28
37.59.254.224/28
..."
(Many URLs listed at the dynamoo URL above.)
[1] http://blog.dynamoo.com/2013/09/6rfnet-and-something-evil-on.html

[2] http://blog.dynamoo.com/2012/08/something-evil-on-1786319512826.html

- http://google.com/safebrowsing/diagnostic?site=AS:16276
"... over the past 90 days, 4217 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-09, and the last time suspicious content was found was on 2013-12-09..."
___

Fake Billing Invoice malware spam
- http://blog.dynamoo.com/2013/12/tnt-uk-limited-self-billing-invoice.html
9 Dec 2013 - "This fairly terse spam email comes with a malicious attachment:
Date: Mon, 9 Dec 2013 20:32:19 +0800 [07:32:19 EST]
From: Accounts Payable TNT [accounts.payable@ tnt .co .uk]
Subject: TNT UK Limited Self Billing Invoice 5321378841
Download the attachment. Invoice will be automatically shown by double click.


Attached is an archive file called TNT UK Self Billing Invoice.zip (VirusTotal detection rate 6/49*) which in turn contains a malicious executable TNT UK Self Billing Invoice.exe (detection rate 6/47**) which has an icon that makes it look like a PDF file.
> https://lh3.ggpht.com/-NNMZumhc_ug/UqXfV-JQT3I/AAAAAAAACT0/JbtcZarxowE/s1600/tnt.png
Automated analysis tools... show an attempted connection to 2dlife .com on 5.9.182.220 (JoneSolutions.Com, Philippines). I can see only two domains on this server, the other one being 2dlife .fr so I would assume that both are compromised and blocking access to this IP address is the way to go."
* https://www.virustotal.com/en-gb/fi...9eb98e9cbe4fe31382a973cf/analysis/1386602037/

** https://www.virustotal.com/en-gb/fi...2356d59c6f82beecb76da113/analysis/1386602000/

- https://www.virustotal.com/en/ip-address/5.9.182.220/information/
___

Multi-hop iframe campaign - client-side exploit malware
- http://www.webroot.com/blog/2013/12...leads-cocktail-client-side-exploits-part-two/
Dec 9, 2013 - "... The campaign is not only still proliferating, but the adversaries behind it have also (logically) switched the actual hosting infrastructure... currently active malicious iframe campaign that continues serving a cocktail of (patched*) client-side exploits to users visiting legitimate Web sites... Domain names reconnaissance:
hxxp ://www3.judtn3qyy1yv-4.4pu .com – 188.116.34.246
hxxp ://www1.gtyg4h3.4pu .com – 188.116.34.246
find-and-go .com – 78.47.4.17
... malicious scripts, dropped malicious files..."
(More detail at the webroot URL above.)
* http://www.zdnet.com/blog/security/seven-myths-about-zero-day-vulnerabilities-debunked/7026

- https://www.virustotal.com/en/ip-address/188.116.34.246/information/

:fear: :mad:
 
Evil network: R5X .org, EUROPOL scareware...

FYI...

Evil network: R5X .org / OVH
- http://blog.dynamoo.com/2013/12/evil-network-r5xorg-ovh.html
10 Dec 2013 - "Russian web host R5X .org has featured on this blog a few times before, but I took the opportunity to look at it a little more closely... Out of 300 domains that I found hosted now or recently in R5X .org's space (rented from OVH), 177 (59%) are flagged as malicious by Google, and 230 (77%) are flagged as spam or malware by SURBL. MyWOT ratings indicate that there are no legitimate sites in the IP address ranges I checked. R5X .org doesn't have a network of its own but it rents IPs from OVH. I have identified several small netblocks which I strongly recommend that you -block- although there may be others.
37.59.232.208/28
37.59.254.224/28
46.105.166.68/30
46.105.166.96/30
178.33.208.208/30
192.95.7.8/30
192.95.41.88/29
192.95.46.132/30
198.27.103.204/30
198.27.96.132/30 ...
A list of all the domains I can find, current IP addresses, MyWOT rating, the Google prognosis and SURBL codes can be found here* [csv] else I recommend using the following blocklist:
37.59.232.208/28
37.59.254.224/28
46.105.166.68/30
46.105.166.96/30
178.33.208.208/30
192.95.7.8/30
192.95.41.88/29
192.95.46.132/30
198.27.103.204/30
198.27.96.132/30
..."
(More detail at the dynamoo URL above.)
* http://www.dynamoo.com/files/r5x-org.csv
___

"EUROPOL" scareware / something evil on 193.169.87.247
- http://blog.dynamoo.com/2013/12/europol-scareware-something-evil-on.html
10 Dec 2013 - "193.169.87.247 ("PE Ivanov Vitaliy Sergeevich", Ukraine) is currently serving up scareware claiming that the victim's PC is -locked- using the following domains:
a1751 .com
b4326 .com
d2178 .com
f1207 .com
h5841 .com
k6369 .com
The -scareware- is multilingual and detects the country that the visitor is calling from. In this case I visited from the UK and got the following:
> http://3.bp.blogspot.com/-J6hJIZ3fRzU/UqcdAZQLanI/AAAAAAAACUI/pBsB0ZBF00E/s1600/europol.png
... The text varies depending on the country the visitor is in... The bad guys use subdomains to obfuscate the domain somewhat, so instead of just getting f1207 .com (for example), you get europol.europe .eu.id176630100-8047697129.f1207 .com instead, which looks a little more official. You can see some more examples here*... 193.169.87.247 forms part of 193.169.86.0/23 AS48031, which has a so-so reputation according to Google; it does look like there are a lot of legitimate sites in the neighbourhood as well as these malicious ones.
Recommended blocklist:
193.169.87.247
a1751 .com
b4326 .com
d2178 .com
f1207 .com
h5841 .com
k6369 .com

Update: a similar attack has also taken place on 193.169.86.250 on the same netblock."
* https://www.virustotal.com/en-gb/ip-address/193.169.87.247/information/

- https://www.virustotal.com/en-gb/ip-address/193.169.86.250/information/

- http://google.com/safebrowsing/diagnostic?site=AS:48031
"... over the past 90 days, 206 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2013-12-09, and the last time suspicious content was found was on 2013-12-09..."
___

Fake Amazon .co.uk order SPAM / AM-ORDER-65HNA1972.exe
- http://blog.dynamoo.com/2013/12/fake-amazoncouk-order-spam-am-order.html
10 Dec 2013 - "This -fake- Amazon spam has a malicious attachment:
Date: Tue, 10 Dec 2013 11:19:03 +0200 [04:19:03 EST]
From: blackjacksxjt@ yahoo .com
Subject: order #822-8266277-7103199
Good evening,
Thank you for your order. We’ll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.co.uk.
Order Details
Order #481-0295978-7625805 Placed on December 8, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon .co .uk


Screenshot: http://techhelplist.com/images/stories/amazon-order-virus-10dec2013.png

Attached is an archive file AM-ORDER-65HNA1972.zip (VirusTotal detections 9/47*) which in turn contains a malicious executable AM-ORDER-65HNA1972.exe (VirusTotal detections 9/49**) which has an icon to make it look like some sort of document.
> https://lh3.ggpht.com/-iL24C02iQD0/Uqc5UVD9uxI/AAAAAAAACUY/mIqo2BZhA4s/s1600/amazon-order.png
Automated analysis tools seem to be timing out... indicating perhaps that it has been hardened against sandbox analysis."
* https://www.virustotal.com/en-gb/fi...21946a47f532b792ff2fb5a6/analysis/1386690407/

** https://www.virustotal.com/en-gb/fi...f2ac8d3715b7106afe6eab36/analysis/1386690064/

Fake WhatsApp SPAM ...

FYI...

Fake WhatsApp SPAM / IMG003299.zip
- http://blog.dynamoo.com/2013/12/your-friend-has-just-sent-you-pic-spam.html
11 Dec 2013 - "This -fake- WhatsApp message has a malicious attachment.
Date: Wed, 11 Dec 2013 18:29:19 +0700 [06:29:19 EST]
Subject: Your friend has just sent you a pic
Hi!
Your friend has just sent you a photograph in WhatsApp. Open attachments to see what it is.


Screenshot: https://lh3.ggpht.com/-AJQc-jYcGAQ/Uqhm_0JsT9I/AAAAAAAACU4/uu5v94u_a2o/s400/whatsapp.png

Attached to the email is an archive IMG003299.zip (VirusTotal detections 7/43*) which in turn contains a malicious executable IMG003299.exe (VirusTotal detections 9/49**). Automated analysis tools... don't reveal very much about the malware in question however."
* https://www.virustotal.com/en-gb/fi...00144b5521c7870b1848be5f/analysis/1386767572/

** https://www.virustotal.com/en-gb/fi...dc1d1c50c06e0fe9065f6793/analysis/1386767585/
___

Fake Wells Fargo SPAM / WF_Docs_121113.exe
- http://blog.dynamoo.com/2013/12/wells-fargo-spam-wfdocs121113exe.html
11 Dec 2013 - "This fake Wells Fargo spam has a malicious attachment:
Date: Wed, 11 Dec 2013 17:03:26 +0100 [11:03:26 EST]
From: Kerry Pettit [Kerry.Pettit@ wellsfargo .com]
Subject: FW: Important docs
We have received this documents from your bank, please review attached documents.
Kerry Pettit
Wells Fargo Accounting
817-295-1849 office
817-884-0882 cell Kerry.Pettit@ wellsfargo .com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE ...


Attached to the email is a ZIP file starting with WF_Docs_ and ending with the first part of the recipient's email address, inside that is a ZIP file with the date encoded into the filename WF_Docs_121113.exe. VirusTotal detections for the ZIP are 6/49* and are 6/47** for the EXE.
Automated analysis... shows an attempted connection to hortonnovak .com on 194.28.87.121 (Hostpro, Ukraine). There is only one site that I can see on this IP, so I would recommend blocking one or the other or -both- of them."
* https://www.virustotal.com/en-gb/fi...cfb83911d8b9df3a56db35d6/analysis/1386779806/

** https://www.virustotal.com/en-gb/fi...e952aac83213754f206cdb79/analysis/1386779808/

- https://www.virustotal.com/en/ip-address/194.28.87.121/information/
___

Facebook Phishing and Malware via Tumblr redirects
- https://isc.sans.edu/diary/Facebook+Phishing+and+Malware+via+Tumblr+Redirects/17207
Last Updated: 2013-12-11 13:43:23 UTC - "... The initial bait is a message that you may receive from one of your Facebook friends, whose account was compromised. The message claims to contain a link to images that show a crime that was committed against the friend or a close relative of the friend. The image below shows an example, but the exact message varies. The images then claim to be housed on Tumblr.
> https://isc.sans.edu/diaryimages/images/Screen Shot 2013-12-10 at 9_37_46 PM.png
The Tumblr links follow a pattern, but appear to be different for each recipient. The host name is always two or three random English words, and the URL includes a few random characters as an argument. The preview of the Tumblr page lists some random words and various simple icons. Once the user clicks on the link to the Tumblr page, they are immediately redirected to a very plausible Facebook phishing page, asking the user to log in. The links I have seen so far use the "noxxos .pw" domain, which uses a wildcard record to resolve to 198.50.202.224 ... The fake Facebook page will ask the user for a username and password as well as for a "secret question". Finally, the site attempts to run a java applet (likely an exploit, but haven't analyzed it yet), and the user is sent to a Youtube look-alike page asking the user to download and install an updated "Youtube Player". The player appears to be a generic downloader with mediocre AV detection.
- https://www.virustotal.com/en/file/...5e8e1070bd81bc7491ab625b/analysis/1386730327/
(was 3/42 when I first saw it. Now 10/42 improved). As an indicator of compromise, it is probably best right now to look for DNS queries for "noxxos .pw" as well as connections to 198.50.202.224 ..."

- https://www.virustotal.com/en-gb/ip-address/198.50.202.224/information/
___

NatWest Banking Phish
- http://threattrack.tumblr.com/post/69721298913/natwest-banking-phish
Dec 11, 2013 - "Subjects Seen:
Account Alert !
Typical e-mail details:
Dear <removed>
Your password was entered incorrectly more than 5 times.
Because of that , our security team had to suspend your accounts and all the funds inside.
Your account access and the hold on your funds will be released as soon as you verify your information.
Review Your Account Activity
We are sorry for this inconvenience but this is a security measure which we must apply to ensure your account safety.
If you have already confirmed your information then please disregard this message
Thanks for choosing NatWest UK
NatWest Security Team


Malicious URLs: didooc .co .uk/images/stories/android/index.php
149.255.62.19
- https://www.virustotal.com/en-gb/ip-address/149.255.62.19/information/

Screenshot: https://31.media.tumblr.com/313a5cf56ecbca5bfc7af94a66ca3691/tumblr_inline_mxnvtazkSB1r6pupn.png

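The two write-ups above turn on the same detail: the EUROPOL scareware hides a blocklisted domain such as f1207 .com behind an official-looking prefix (europol.europe .eu.id176630100-8047697129.f1207 .com), and the Tumblr-redirect phish uses a wildcard record so that any name under noxxos .pw resolves to 198.50.202.224. A substring match on the blocklist is therefore not enough; the blocklisted name has to be matched as a suffix of the observed hostname, label by label. The script below is an added example, not code from the dynamoo or ISC posts. The domains and IPs are the ones those posts list; the log format and the log lines are constructed for the demonstration.

```python
"""Match hostnames and IPs from DNS or proxy logs against a short blocklist.

Added example, not code from the dynamoo or ISC posts quoted above. The
indicators are the ones the two posts list; the log lines are constructed.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Indicators quoted on the page, written without the defanging spaces.
BLOCKED_DOMAINS = {
    "a1751.com", "b4326.com", "d2178.com", "f1207.com", "h5841.com", "k6369.com",
    "noxxos.pw",
}
BLOCKED_IPS = {"193.169.87.247", "193.169.86.250", "198.50.202.224"}


def refang(indicator: str) -> str:
    """Undo the 'f1207 .com' / 'noxxos[.]pw' style defanging used in write-ups."""
    return indicator.replace(" .", ".").replace("[.]", ".").strip().lower().rstrip(".")


def matched_domain(hostname: str) -> Optional[str]:
    """Return the blocklisted domain that hostname equals or sits under.

    Labels are walked from the right, so a decoy prefix such as
    europol.europe.eu.id176630100-8047697129 in front of f1207.com matches,
    and so does any name under the wildcard zone noxxos.pw. A name that only
    contains the string elsewhere (f1207.com.example.org) does not match,
    because the blocklisted name must be the suffix, not a prefix.
    """
    labels = refang(hostname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


def matched_ip(address: str) -> Optional[str]:
    """Return the blocklisted IP if address parses and is listed."""
    try:
        ip = str(ipaddress.ip_address(address.strip()))
    except ValueError:
        return None
    return ip if ip in BLOCKED_IPS else None


# Constructed log lines, "<timestamp> <client> dns|conn <value>"; not real traffic.
SAMPLE_LOG = """\
2013-12-11T10:01:02Z 10.0.0.5 dns europol.europe.eu.id176630100-8047697129.f1207.com
2013-12-11T10:01:03Z 10.0.0.5 conn 193.169.87.247
2013-12-11T10:02:10Z 10.0.0.9 dns somethingwords.tumblr.com
2013-12-11T10:02:11Z 10.0.0.9 dns abc123.noxxos.pw
2013-12-11T10:02:12Z 10.0.0.9 conn 198.50.202.224
2013-12-11T10:03:00Z 10.0.0.7 dns f1207.com.example.org
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (dns|conn) (\S+)$")


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, observed value, matched indicator) for every hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, kind, value = m.groups()
        ioc = matched_domain(value) if kind == "dns" else matched_ip(value)
        if ioc:
            hits.append((client, value, ioc))
    return hits


if __name__ == "__main__":
    for client, value, ioc in scan_log(SAMPLE_LOG):
        print(f"{client} -> {value}  (blocklist entry: {ioc})")
```

Because the blocklist holds bare registrable domains, no public suffix list is needed: the suffix walk stops at the first label boundary that hits an entry, and the last sample line (f1207.com.example.org) shows that a name merely containing a blocklisted string is left alone.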
Top 5 Most Dangerous Email Subjects ...

FYI...

Top 5 Most Dangerous Email Subjects ...
- http://community.websense.com/blogs...-email-subjects-top-10-hosting-countries.aspx
11 Dec 2013 - "... the top five subject lines in worldwide phishing emails are the following: (Based on research conducted 1/1/13-9/30/13)
1. Invitation to connect on LinkedIn
2. Mail delivery failed: returning message to sender
3. Dear <insert bank name here> Customer
4. Comunicazione importante
5. Undelivered Mail Returned to Sender

The list above portrays how cybercriminals are attempting to fool recipients into clicking a malicious link or downloading an infected file by using business-focused and legitimate-looking subject lines. Scammers will use any means necessary to increase the likelihood of an inspire-to-click campaign...
> http://community.websense.com/cfs-f...0_ml_2D00_Nov2013_5F00_WEB.jpg_2D00_550x0.jpg
___

Fake tech support scams/SPAMs on YouTube
- http://blog.malwarebytes.org/fraud-...ammers-spam-youtube-with-robot-like-warnings/
Dec 12, 2013 - "... In a twisted new variant, crooks are calling out to all antivirus / anti-malware customers and urging them to fix their computers now. One such account was spamming -YouTube- with hundreds of videos, all using a computer-generated voice and personalized for each AV/Anti-Malware company:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/vendors.png
... The company behind this scam is “My Tech Gurus” (http ://www.mytechgurus .com):
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/website.png
Once on the phone, I am quickly directed to a remote technician and instructed to hang up the call and pursue the support session directly through the chat window on my computer:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/chatsession1.png
... If the ‘technician’ were honest, she would tell me there is absolutely nothing wrong with this computer... Instead she wastes no time in making up fake errors... here is the ‘technical’ explanation:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/thedetails.png
Of course, fixing those ‘errors’ is not going to be free:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/pay.png
... most of their website’s traffic comes from… India:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/12/india.png
... we encourage everyone to report each incident. We have created a guide* for victims that describes the variations of scams and what to do in each case. It may seem like a never-ending battle, but at the end of the day, if we’ve managed to save even just one person, then we can feel confident we’re doing the right thing..."
* http://blog.malwarebytes.org/tech-support-scams/
___

Fake FedEx SPAM - Malware Emails
- http://www.hoax-slayer.com/fedex-shipping-confirmation-malware-email.shtml
Dec 12, 2013 - "Email purporting to be from delivery company FedEx claims that a package delivery could not be completed because important information was missing. Recipients are instructed to click a link to verify their identity or risk having the package returned to sender... invites users to download "verification manager" software. If downloaded and run, the bogus "verification manager" will install malware on the user's computer:
From: FedEx UK
Subject: Package for you
SHIPPING CONFIRMATION
Dear [email address removed]
We have a package for you!
Unfortunately some important information is missing to complete the delivery.
Please follow the link to verify your identity:
verify your identity now!
You have 24 hours to compleate the verification! Otherwise the package will be returned to sender!
Order confirmation number: 56749951703
Order date: 03/12/2013
Thank you for choosing FedEx...

> http://www.hoax-slayer.com/images/fedex-verify-identity-malware-1.jpg
... Those who fall for the ruse and click the link will be taken to a -bogus- website tricked up to resemble a genuine FedEx webpage. Once on the page, they will be instructed to download and install a piece of software called the "FedEx Verification Manager", as shown in the following screenshot:
> http://www.hoax-slayer.com/images/fedex-verify-identity-malware-2.jpg
... following the instructions will not install a verification manager as claimed. Instead, it will install a trojan on the victim's computer..."
___

Spam Campaign delivers Liftoh Downloader
- http://www.secureworks.com/cyber-th...ats/spam-campaign-delivers-liftoh-downloader/
12/12/13 - "... researchers analyzed an ongoing spam campaign that uses the "UPS delivery notification tracking number" lure to infect unsuspecting users. While UPS-related spam emails are common, this particular campaign has been observed since October 2013 and uses exploit-laden documents to deliver its payload. The initial delivered payload is the Liftoh downloader trojan, which in turn downloads additional malware as a secondary payload onto the victim's system... the spam email containing a link to a malicious "Rich Text Format" (RTF) file. The malicious RTF is attached to the email, disguised as a .doc file.
> http://www.secureworks.com/assets/image_store/png/page.intelligence.threats.liftoh.1.png
... The spoofed sender is <auto-notify @ ups . com> or <auto @ ups . com>, but the headers reveal some of the actual senders (see Table 1). Some of the hosts listed in Table 1 may have appeared in DNS blacklisting lists such as SpamhausDBL, PSBL, SURBL, and SORBS, and some hosts are offline as of this publication. These hosts might have been compromised and used for SMTP relays, or could be part of a “use-and-throw” attacker-owned spam infrastructure... researchers observed the following domains in spam recipient email addresses:
gicom . nl
mvdloo . nl
cneweb . de
yahoo . fr
helimail . de
online . fr
tq3 . co. uk
excel . co. jp
smegroup . co . uk
fujielectric . co . jp
st-pauls . hereford . sch . uk
The RTF file contains exploits for patched vulnerabilities CVE-2012-0158 (MSCOMCTL.OCX RCE vulnerability) and CVE-2010-3333 (RTF stack buffer overflow vulnerability). Opening the RTF file drops and launches an empty document file in the user's %TEMP% folder with filename "cv.doc". Successful execution of the exploit code drops the Liftoh downloader malware onto the victim's system. This malware was observed spreading via Skype and other instant messenger applications in May 2013. Liftoh also downloaded the Phopifas worm as a secondary payload... event monitoring shows organizations in the following market verticals have been affected by Liftoh:
Banking
Manufacturing
Healthcare
Legal
Credit unions
Retail
Technology providers
... It is very likely that the threat actors will switch to other delivery mechanisms in the future that use social engineering techniques to maximize infection yields. It is also likely that the threat actors may leverage the Liftoh downloader to deliver a variety of other malware as secondary payloads..."
(More detail at the secureworks URL above.)
___

64-bit ZeuS - enhanced with Tor - banking malware
- https://www.securelist.com/en/blog/...e_move_64_bit_ZeuS_has_come_enhanced_with_Tor
Dec 11, 2013 - "The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications that are developed as well. Sometimes these include some very specific applications, for example, banking applications... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And what’s the most notorious banking malware? ZeuS, of course – the trendsetter for the majority of today’s banking malware... we spotted a 32-bit ZeuS sample maintaining a 64-bit version inside... Whatever the intentions were of the malware author that created this piece of ZeuS – be it a marketing ploy or the groundwork for some future needs – a pure 64-bit ZeuS does finally exist, and we can conclude that a new milestone in the evolution of ZeuS has been reached. Moreover, this sample has revealed that another distinct feature has been added to ZeuS functionality - ZeuS malware has the ability to work on its own via the Tor network with onion CnC domains, meaning it now joins an exclusive group of malware families with this capability."

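The Liftoh campaign above delivers an RTF file under a .doc name and relies on the RTF carrying an embedded object (the exploit payload) that Word parses on open. Two checks catch that shape before any exploit-specific signature is needed: the container type from the file's first bytes versus the type the extension claims, and the presence and contents of \objdata hex blobs. The script below is an added example, not SecureWorks' code; it models only what the write-up states (RTF disguised as .doc with an embedded object) and does not model the CVE-2012-0158 or CVE-2010-3333 structures themselves. The sample documents are constructed.

```python
"""Triage a mail attachment that claims to be a Word .doc but is really RTF.

Added example, not SecureWorks' code. It checks only what the Liftoh
write-up describes: an RTF file delivered under a .doc name, carrying an
embedded object. The samples are constructed; the CVE-specific control
structures are not modelled.
"""
import binascii
import re
from typing import Dict, List

RTF_MAGIC = b"{\\rtf"
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # binary Word / OLE compound file
MZ_MAGIC = b"MZ"                                    # PE executable

# \objdata is followed by the embedded object as hex digits, ended by '}'.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def container_kind(data: bytes) -> str:
    """Classify by magic bytes, never by the filename."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return "unknown"


def embedded_objects(rtf: bytes) -> List[bytes]:
    """Decode every \\objdata hex blob in an RTF file."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdigits) % 2:          # tolerate a truncated final nibble
            hexdigits = hexdigits[:-1]
        try:
            blobs.append(binascii.unhexlify(hexdigits))
        except binascii.Error:
            continue
    return blobs


def triage(filename: str, data: bytes) -> Dict[str, object]:
    """Return the container type plus human-readable reasons for suspicion."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    kind = container_kind(data)
    objects = embedded_objects(data) if kind == "rtf" else []
    reasons = []
    if ext in ("doc", "dot") and kind == "rtf":
        reasons.append("extension says Word binary, content is RTF")
    if objects:
        reasons.append(f"{len(objects)} embedded object(s) via \\objdata")
    if any(OLE2_MAGIC in blob for blob in objects):
        reasons.append("embedded object carries an OLE2 container")
    if any(MZ_MAGIC in blob for blob in objects):
        reasons.append("embedded object carries a PE executable")
    return {"kind": kind, "objects": len(objects),
            "suspicious": bool(reasons), "reasons": reasons}


def _rtf_with_object(payload: bytes) -> bytes:
    """Build a constructed RTF wrapping payload in an \\objdata block."""
    hexpayload = binascii.hexlify(payload)
    lines = [hexpayload[i:i + 64] for i in range(0, len(hexpayload), 64)]
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata \n"
            + b"\n".join(lines) + b"\n}}}")


# Constructed samples (not real malware): the 'lure' mimics the shape of the
# campaign, an RTF named like a Word document with an embedded OLE object.
LURE_DOC = _rtf_with_object(b"\x01\x05\x00\x00" + OLE2_MAGIC + b"\x00" * 24)
PLAIN_RTF = b"{\\rtf1\\ansi Tracking number 1Z999AA10123456784}"
REAL_DOC = OLE2_MAGIC + b"\x00" * 24

if __name__ == "__main__":
    for name, blob in [("UPS_notice.doc", LURE_DOC),
                       ("notes.rtf", PLAIN_RTF),
                       ("report.doc", REAL_DOC)]:
        print(name, triage(name, blob))
```

A plain RTF with no embedded object is left alone, and a genuine OLE2 .doc is reported as such; only the mismatch plus an embedded object produces findings. Whether the object actually exploits anything is a question for a sandbox or a dedicated RTF parser, but the mismatch alone is enough to pull the attachment out of the mail flow.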
Fake Amazon order SPAM ...

FYI...

Fake Amazon order SPAM
- http://threattrack.tumblr.com/post/69880436154/amazon-com-order-confirmation-spam
Dec 13, 2013 - "Subjects Seen:
Your Amazon.com order HZ1517235
Typical e-mail details:
Good day,
Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order WD4202401 Placed on December 9, 2013
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon. Amazon .com


Malicious File Name and MD5:
ORDER_JB46238.zip (765FD2406623781F6F9EB4893C681A5B)
ORDER_JB46238.exe (26E57BDE90B43CF6DAE6FD5731954C61)


Screenshot: https://gs1.wac.edgecastcdn.net/801...2d0ae1c5a/tumblr_inline_mxr13wZhzU1r6pupn.png

Tagged: Amazon, Wauchos
___

Bitcoin stealing SPAM
- http://www.arbornetworks.com/asert/2013/12/bitcoin-alarm-bitcoin-stealing-spam/
Dec 12, 2013 - "The rise in Bitcoin values seems to have caused an equal increase of Bitcoin -spam- as malware authors attempt to make money off the many new market participants. One site that was spammed to me three times in one day is bitcoin-alarm .net. I ignored it the first two times, but they must have really wanted me to look at it, so who am I not to oblige.
> http://www.arbornetworks.com/asert/wp-content/uploads/2013/12/btclogo-300x36.png
The site promises a tool to notify you of market changes by SMS, without ever mentioning any nefarious behaviour. YouTube videos teach you what Bitcoin is, and how to install this free tool. They even provide a link so you can donate to the author, although it appears no one has chosen to do so. This I have to download.
> http://www.arbornetworks.com/asert/wp-content/uploads/2013/12/AppScreenshot.png
The download BitcoinAlarm.exe (MD5: edfa12d4a454b0eb786bbe92050ab88a) had just 1 hit on VirusTotal* when I first scanned it... This free utility is nothing more than malware with very low detection rate being spammed to anyone that might have a Bitcoin sitting around. When I checked the domain with urlvoid it had zero ‘bad’ reports and was -not- blacklisted... On a recheck BitcoinAlarm.exe’s detection is up to 14 of 49 scanners, and the download link appears to return 404..."
* https://www.virustotal.com/en/file/...374c2b8e6670640c121582690dab00573a0/analysis/

82.221.129.16
- https://www.virustotal.com/en/ip-address/82.221.129.16/information/
___

Fake - Halifax Bank Phishing Scam
- http://www.hoax-slayer.com/halifax-third-party-intrusions-phishing.shtml
Dec 13, 2013 - "... The email is -not- from Halifax. Links in the message open a -fake- website that contains web forms designed to steal the recipient's account login details, credit card data and other personal information...
> http://www.hoax-slayer.com/images/halifax-intrusions-phishing-1.jpg
... According to this message, which purports to be from UK bank, Halifax, third party intrusions have been detected on the recipient's account and, as a result, the account has been limited for security reasons. Supposedly, to restore access, the account holder must confirm his or her identity and verify that the account has not been used for fraud. The email instructs the recipient to access a "validation form" by clicking a link... Halifax customers who fall for the lies in the scam email and click the link will be taken to a -fake- website designed to look like the real Halifax site and asked to login:
> http://www.hoax-slayer.com/images/halifax-intrusions-phishing-2.jpg
Next, they will be asked to provide name and contact information:
> http://www.hoax-slayer.com/images/halifax-intrusions-phishing-3.jpg
And, on a final form, they will be asked to provide their card details:
> http://www.hoax-slayer.com/images/halifax-intrusions-phishing-4.jpg
After the final form is completed, victims will be automatically redirected to the genuine Halifax website and, at least until the criminals begin using the stolen information, they may remain unaware that they have just been scammed. Using the information provided on the fake forms, the scammers can hijack genuine Halifax accounts, lock out their rightful owners and commit banking and credit card fraud. The bank has published information about Halifax phishing scams, including how to report any that you receive, on its website*..."
* http://www.halifax.co.uk/aboutonline/security/common-threats/phishing/

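The Amazon .co.uk, WhatsApp, Wells Fargo and Amazon .com posts above share one delivery pattern: a ZIP attachment whose single member is an executable, often given a document-style name or icon. Hash matching alone is fragile (the same campaign re-packs the EXE and the hashes move), so an attachment gate should also look at what is inside the archive. The script below is an added example, not code from dynamoo, ThreatTrack or hoax-slayer; it builds the archives in memory from constructed bytes. The two MD5 values it carries are the ones ThreatTrack published for ORDER_JB46238.zip/.exe, and the constructed samples will of course not hash to them.

```python
"""Inspect a ZIP mail attachment before anyone double-clicks it.

Added example, not code from dynamoo, ThreatTrack or hoax-slayer. The
archives are built in memory from constructed bytes; the MD5s are the two
ThreatTrack published for ORDER_JB46238.zip/.exe.
"""
import hashlib
import io
import zipfile
from typing import Dict, List

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "txt", "jpg", "png"}

# IOC hashes quoted on the page (ThreatTrack, 13 Dec 2013).
KNOWN_BAD_MD5 = {
    "765fd2406623781f6f9eb4893c681a5b": "ORDER_JB46238.zip",
    "26e57bde90b43cf6dae6fd5731954c61": "ORDER_JB46238.exe",
}


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _ext(name: str) -> str:
    return name.lower().rsplit(".", 1)[-1] if "." in name else ""


def triage_archive(archive: bytes) -> Dict[str, object]:
    """Hash the archive and each member, then apply structural checks."""
    findings: List[str] = []
    hit = KNOWN_BAD_MD5.get(md5(archive))
    if hit:
        findings.append(f"archive hash matches known sample {hit}")
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive))
    except zipfile.BadZipFile:
        return {"members": [], "findings": ["not a valid ZIP"], "suspicious": True}
    members = []
    for info in zf.infolist():
        data = zf.read(info)
        ext = _ext(info.filename)
        parts = info.filename.lower().split(".")
        member = {"name": info.filename, "md5": md5(data), "size": info.file_size}
        members.append(member)
        hit = KNOWN_BAD_MD5.get(member["md5"])
        if hit:
            findings.append(f"{info.filename}: hash matches known sample {hit}")
        if ext in EXECUTABLE_EXTS:
            findings.append(f"{info.filename}: executable inside an attachment")
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
            findings.append(f"{info.filename}: double extension hiding the real type")
        if data.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
            findings.append(f"{info.filename}: PE header under a non-executable name")
    return {"members": members, "findings": findings, "suspicious": bool(findings)}


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Create an in-memory ZIP from {name: content} (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a fake PE is just an MZ header plus padding, not malware.
FAKE_PE = b"MZ" + b"\x90" * 62
LURE_ZIP = build_zip({"ORDER_JB46238.exe": FAKE_PE})
DOUBLE_ZIP = build_zip({"order_details.pdf.exe": FAKE_PE})
RENAMED_ZIP = build_zip({"invoice.pdf": FAKE_PE})
BENIGN_ZIP = build_zip({"invoice.pdf": b"%PDF-1.4\n%constructed\n"})

if __name__ == "__main__":
    for name, blob in [("ORDER_JB46238.zip", LURE_ZIP), ("order.zip", DOUBLE_ZIP),
                       ("docs.zip", RENAMED_ZIP), ("invoice.zip", BENIGN_ZIP)]:
        print(name, triage_archive(blob)["findings"])
```

The member checks are deliberately independent of the hash table: a re-packed sample with a fresh hash still trips the "executable inside an attachment" rule, and an EXE renamed to .pdf still trips the MZ-header rule. The benign PDF passes all four.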
Malware Spam uses geolocation ...

FYI...

Malware Spam uses Geolocation to Mass Customize Filename
- https://isc.sans.edu/diary.html?storyid=17222
Last Updated: 2013-12-14 15:16:44 UTC - " Malicious e-mails usually fall into two groups: Mass-mailed generic e-mails, and highly customized spear phishing attempts. In between these two groups fall e-mails that obviously do more to "mass customize" the e-mail based on information retrieved from other sources. E-mails that appear to come from your Facebook friends, or malware that harvests other social networks like Linkedin to craft a more personalized message... received one e-mail... falls into the third category. The sender went through the trouble to craft a decent personalized message, trying to make me install some Spyware. In this example, the e-mail advised me of a new "WhatsApp" message that may be waiting for me. The e-mail looks legit, and even the link is formed to make it look like a voicemail link with the little "/play" ending:
> https://isc.sans.edu/diaryimages/images/Screen Shot 2013-12-14 at 9_48_56 AM.png
... the executable you are offered as you download the emails. The downloaded file is a ZIP file, and the file name of the included executable is adjusted to show a phone number that matches the location of the IP address from which the e-mail is downloaded... anti-malware coverage is -bad- according to Virustotal [1]. Anubis doesn't show much interesting stuff here, but I wouldn't be surprised if the malware detected that it ran in an analysis environment [2]. Interestingly, it appears to pop up Notepad with a generic error message..."
[1] https://www.virustotal.com/en/file/...8dc3bd2411b0ad90cbcae194/analysis/1387029444/
[2] http://anubis.iseclab.org/?action=result&task_id=15eb462c46d9b95f4ed4d2750b1a52b0a

A few variants...
- http://blog.dynamoo.com/2013/12/your-friend-has-just-sent-you-pic-spam.html
11 Dec 2013

- http://www.webroot.com/blog/blog/20...ification-themed-emails-expose-users-malware/
Nov 22, 2013

Bogus Firefox add-on joins PCs to botnet - drive-by malware

FYI...

Bogus Firefox add-on joins PCs to botnet - drive-by malware
- http://krebsonsecurity.com/2013/12/botnet-enlists-firefox-users-to-hack-web-sites/
Dec 16, 2013 - "An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for vulnerabilities that can be used to install malware... The botnet, dubbed “Advanced Power” by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim... SQL injection attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Attackers can use this access to booby-trap sites with drive-by malware attacks, or force sites to cough up information stored in their databases. Although this malware does include a component designed to steal passwords and other sensitive information from infected machines, this feature does not appear to have been activated on the infected hosts. Rather, the purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites. According to the botnet’s administrative panel, more than 12,500 PCs have been infected, and these bots in turn have helped to discover at least 1,800 Web pages that are vulnerable to SQL injection attacks.
The fraudulent Firefox add-on:
> http://krebsonsecurity.com/wp-content/uploads/2013/12/sql-addon.png
The malicious code comes from sources referenced in this Malwr writeup* and this Virustotal** entry... On infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant”... The malicious add-on then tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities..."
(More detail at the krebsonsecurity URL above.)
* https://malwr.com/analysis/MTI2YzFkODZkNzA0NDVkYTkzNDBmZTg5YjdkMjM3MDA/

- https://malwr.com/

** https://www.virustotal.com/en/file/...b0c7fe264f1eb183ea3a74565ad20d3cb8a/analysis/

- https://addons.mozilla.org/en-US/firefox/blocked/i508
Blocked on December 16, 2013...
"Microsoft .NET Framework Assistant (malware) has been blocked for your protection.
Why was it blocked?
This is -not- the Microsoft .NET Framework Assistant created and distributed by Microsoft. It is a -malicious- extension that is distributed under the same name to trick users into installing it, and turns users into a botnet that conducts SQL injection attacks on visited websites..."

- https://www.virustotal.com/en/ip-address/216.250.115.143/information/
2013-12-18
- http://google.com/safebrowsing/diagnostic?site=AS:8560
___

More Fake Amazon order SPAM ...
- http://www.hoax-slayer.com/amazon-order-details-malware.shtml
Dec 16, 2013 - "... The email is -not- from Amazon and the attached file does not contain order details. Instead, the attached .zip file harbours a malicious .exe file that, if opened, can install a trojan on the user's computer...
> http://www.hoax-slayer.com/images/amazon-order-details-malware-2013-1.jpg
... Amazon did -not- send the email and the attached .zip file does not contain order details as claimed. If opened, the .zip file reveals a .exe file. And, if users run this .exe file, a trojan may be installed on their computers... such trojans can harvest personal and financial information such as account login data from the compromised computer and send it to criminals waiting online. It may also allow the criminals to take control of the infected computer. The criminals hope that at least a few recipients, who have not made any recent Amazon orders, will be panicked into opening the attachment in the mistaken belief that a purchase has been made in their names... users who have recently bought items on Amazon might be tricked into opening the attachment in the belief that the file it contains pertains to their order..."
___

Bitcoin price hike spurs Malware, Wallet Theft
- http://blog.trendmicro.com/trendlab...itcoin-price-hike-spurs-malware-wallet-theft/
Dec 16, 2013 - "The past few weeks have been rather exciting for Bitcoin owners and speculators, with prices peaking at over $1200 per BTC... This is giving rise to more Bitcoin-related threats. Victims are now being used either to “mine” Bitcoins; in addition the Bitcoin wallets of existing users are now tempting targets for theft as well. From September to November, feedback from the Smart Protection Network indicated that more than 12,000 PCs globally had been affected by Bitcoin-mining malware:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/12/bitcoin.jpg
... Bitcoin is promoted as being “anonymous”, but in a way nothing could be further from the truth. Because all Bitcoin transactions are public, it is possible to see all the transactions a user has made. Therefore, given enough circumstantial evidence, it may be possible to get the identity of a user... while Bitcoin may be a product of the 21st century, at the same time it is something that has been around for centuries – cash. The same caution and prudence that applies to handling cash should be applied here as well."
___

Google Play - suspicious apps leak Google Account IDs
- http://blogs.mcafee.com/mcafee-labs/suspicious-apps-on-google-play-leak-google-account-ids
Dec 16, 2013 - "The Google account ID (or account name), which in most cases is a Gmail address, is one of the key identifiers of -Android- device users. McAfee has confirmed a substantial number of suspicious apps secretly collect Google account IDs on Google Play. In these cases, the corresponding Google account password is not collected, but leaking only IDs still poses a certain level of security and privacy risk. Two particular apps, one a dating service app and the other a fortune app, retrieve Google account IDs and send them to their web server just after they launch and without prior notice to users. The total number of downloads of each app is between 10,000 and 50,000...
> http://blogs.mcafee.com/wp-content/uploads/galeaker-1.png
Another set of suspicious apps, from various categories, shown in the figure below* secretly send a device’s Google account ID, IMEI, and IMSI to a single, shared remote web server just after launch and without any prior notice. The aggregate download count of this set of apps amounts to at least several million, probably because they are localized for many languages. It appears the main targets are Japanese users...
* http://blogs.mcafee.com/wp-content/uploads/galeaker-2.png
More than 30 suspicious apps leak Google account IDs, IMEI, and IMSI... We have not confirmed why the app developers secretly collect Google account IDs, or how they use them and how they manage the data securely. And we have not so far observed any malicious activities based on the stolen data. But at least these apps should notify users of the collection and of the intended use of their data–and give them opportunity to -decline- the data transfer. Android apps can retrieve Google account IDs with GET_ACCOUNTS permission granted at installation and by using one of the methods of the AccountManager class. This permission is often requested when an app uses the Google Cloud Messaging feature, which is a standard mechanism provided by Google to allow server-to-device push notification. As such, users cannot judge if granting this permission is really safe; some apps request this permission for GCM, but others for collecting account information for potentially malicious purposes...
A GET_ACCOUNTS permission request:
> http://blogs.mcafee.com/wp-content/uploads/galeaker-3e.png
... With the GET_ACCOUNTS permission granted, Android apps can also retrieve account names for services other than Google that have been registered in the device, including Facebook, Twitter, LinkedIn, Tumblr, WhatsApp, and so on. Users will face these same issues once these other account names are stolen... We strongly recommend that users review the privacy settings on all the services they employ and disable the “allow search by email address” option unless they really want it. Users should also -not- expose their account names..."

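The "Advanced Power" botnet described in the Krebs post above is interesting from the web-server side: the SQL injection probes arrive from thousands of ordinary desktop IPs, each sending only a request or two against pages its owner was browsing anyway, so per-IP rate limiting and reputation lists see nothing. What does stand out is the same path being probed from many unrelated clients. The script below is an added example, not code from the KrebsOnSecurity article or from the add-on; the article does not list what the add-on sends, so the probe signatures here are the usual textbook ones and are an assumption. The access-log lines are constructed.

```python
"""Spot SQL-injection probing spread across many ordinary client IPs.

Added example, not from the KrebsOnSecurity article or the botnet itself.
The probe signatures are assumed (the article does not list the add-on's
payloads); the combined-format log lines are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format: client - - [ts] "METHOD path?query HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

# Assumed probe signatures, evaluated on the URL-decoded parameter value.
PROBES = [
    (re.compile(r"'\s*(or|and)\s+['\d]+\s*=\s*['\d]+", re.I), "boolean tautology"),
    (re.compile(r"union(\s+all)?\s+select", re.I), "UNION SELECT"),
    (re.compile(r"(sleep|benchmark|waitfor\s+delay)\s*\(", re.I), "time-based probe"),
    (re.compile(r"['\"]$"), "trailing quote"),
    (re.compile(r"--\s*$|#$|/\*"), "comment terminator"),
]


def classify_request(path_and_query: str) -> List[Tuple[str, str, str]]:
    """Return (parameter, decoded value, signature) for every probe in the query."""
    parts = urlsplit(path_and_query)
    hits = []
    for param, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)          # catch double-encoded payloads too
        for rx, label in PROBES:
            if rx.search(decoded):
                hits.append((param, decoded, label))
                break                          # one finding per parameter
    return hits


def analyse(log_text: str, min_clients: int = 3) -> Dict[str, object]:
    """Aggregate probes per URL path; flag paths probed from >= min_clients IPs."""
    clients_by_path: Dict[str, Set[str]] = defaultdict(set)
    probes_by_client: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status, _ua = m.groups()
        hits = classify_request(target)
        if not hits:
            continue
        clients_by_path[urlsplit(target).path].add(client)
        probes_by_client[client] += len(hits)
    distributed = {p: sorted(c) for p, c in clients_by_path.items() if len(c) >= min_clients}
    return {"distributed_paths": distributed, "probes_by_client": dict(probes_by_client)}


# Constructed access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Dec/2013:10:00:01 +0000] "GET /product.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/25.0"
203.0.113.10 - - [16/Dec/2013:10:00:02 +0000] "GET /product.php?id=42%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0 Firefox/25.0"
198.51.100.7 - - [16/Dec/2013:10:03:11 +0000] "GET /product.php?id=42%27+OR+%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/25.0"
192.0.2.55 - - [16/Dec/2013:10:05:40 +0000] "GET /product.php?id=1+UNION+SELECT+1,2,3-- HTTP/1.1" 200 7100 "-" "Mozilla/5.0 Firefox/25.0"
192.0.2.55 - - [16/Dec/2013:10:05:41 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 2048 "-" "Mozilla/5.0 Firefox/25.0"
198.51.100.20 - - [16/Dec/2013:10:09:00 +0000] "GET /search.php?q=shoes%27+AND+SLEEP(5)%23 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 Firefox/25.0"
"""

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for path, clients in report["distributed_paths"].items():
        print(f"{path} probed from {len(clients)} clients: {', '.join(clients)}")
    print("probes per client:", report["probes_by_client"])
```

Each client in the sample sends a single probe, which no per-IP threshold would catch; grouping by path shows /product.php hit from three unrelated addresses, which is the signature of a scanner that runs inside the visitors' own browsers rather than from an attacker's server. Raise min_clients to taste for a busy site, and treat the 500 responses to probe requests as a separate, stronger signal that the injection actually reached the database.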