SPAM frauds, fakes, and other MALWARE deliveries...

QuickBooks Spam

FYI...

QuickBooks Payment Overdue Spam
- http://threattrack.tumblr.com/post/103653348923/quickbooks-payment-overdue-spam
Nov 26, 2014 - "Subjects Seen:
Payment Overdue
Typical e-mail details:
Please find attached your invoices for the past months. Remit the payment by 07/22/2014 as outlines under our “Payment Terms” agreement.
Thank you for your business,
Sincerely,
Lucio Gee
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.


Malicious File Name and MD5:
Invoice_[-var=partorderb].zip (A3374A3639D4F8EBF105B8FFA1ACB4D1)
Invoice_0128648.scr (08AEA8B75143DC788A52568E823DD10E)


Screenshot: https://gs1.wac.edgecastcdn.net/801...5795007bc/tumblr_inline_nfnt72zuuJ1r6pupn.png

Tagged: QuickBooks, Upatre

:fear::fear:
 
Fake HMRC SPAM - PDF malware

FYI...

Fake HMRC SPAM - fake PDF malware
- http://myonlinesecurity.co.uk/hmrc-...8j9-wdwk-1nmj-p0za-received-fake-pdf-malware/
27 Nov 2014 - "'HMRC taxes application with reference 68J9 WDWK 1NMJ P0ZA received' pretending to come from noreply@ taxreg.hmrc .gov.uk with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
The application with reference number 68J9 WDWK 1NMJ P0ZA submitted by you or your agent to register for HM Revenue & Customs (HMRC) taxes has been received and will now be verified. HMRC will contact you if further information is needed.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.


27 November 2014: HM Revenue & Customs – TAX.zip: Extracts to: HM Revenue & Customs – TAX.scr
Current Virus total detections: 2/56* ( same malware as THIS**). This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...0b80e92e239db41f8a4f46b0/analysis/1417085413/
... Behavioural information
TCP connections
95.211.199.37: https://www.virustotal.com/en/ip-address/95.211.199.37/information/
83.125.22.167: https://www.virustotal.com/en/ip-address/83.125.22.167/information/

** http://myonlinesecurity.co.uk/info-santanderbillpayment-co-uk-fake-pdf-malware/
___

Tainted network: Crissic Solutions (167.160.160.0/19)
- http://blog.dynamoo.com/2014/11/tainted-network-crissic-solutions.html
27 Nov 2014 - "Several IPs hosted on the Crissic Solutions range of 167.160.160.0/19 (suballocated from QuadraNet) have been hosting exploit kits in the past few days, leading to Cryptolocker and other nastiness. I analysed over 1500 sites hosted in the Crissic IP address range... and many sites were already marked as being -malicious- by Google, and some other sites obviously follow the same naming pattern and must be considered as malicious... Given the concentration of active malicious servers in 167.160.165.0/24 and 167.160.166.0/24 then I would recommend -blocking- your traffic to those ranges at least temporarily, despite there being legitimate sites in that range. You might choose to block the entire /19 of course, I will leave you to look at the evidence..."
(More detail at the dynamoo URL above.)

:fear: :mad:
 
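Several posts in this thread describe the same trick: a .scr, .exe, .pif or .doc.js inside a zip, carrying a PDF or Word icon, so that with "show known file extensions" switched off it looks like a document. The script below is an added example, not code from any of the quoted blogs; it shows what such a name looks like with extensions hidden and flags executable and double-extension members of an archive. The extension sets and the sample archive are constructed for the example.

```python
import io
import os
import zipfile

# Assumed list of file types Windows runs as programs even when the file carries
# a PDF or Word icon (constructed for this example).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
}
# Document types the campaigns in this thread impersonate.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def as_shown_with_hidden_extensions(name):
    """Name as Explorer shows it when 'show known file extensions' is off:
    the final registered extension is dropped, so 'invoice72.scr' becomes
    'invoice72' and 'Label_00486182.doc.js' becomes 'Label_00486182.doc'."""
    stem, ext = os.path.splitext(name)
    if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return name


def classify_member(name):
    """Return the reasons a zip member name looks like a disguised executable
    (empty list when nothing is suspicious)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("runs as a program (%s)" % ext)
        # Second extension in front of the real one, e.g. .doc.js
        inner_ext = os.path.splitext(stem)[1].lower()
        if inner_ext in DOCUMENT_EXTS:
            reasons.append("double extension: %s hidden behind %s" % (ext, inner_ext))
    return reasons


def scan_zip(data):
    """Map each suspicious member of a zip (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive: member names modelled on the campaigns
    quoted in this thread plus one harmless PDF. Contents are dummy bytes."""
    members = [
        "Invoice_0128648.scr",
        "Label_00486182.doc.js",
        "pdf_ticket_QB70189189901CA.pif",
        "voice646-872-8712_wav.exe",
        "real_invoice.pdf",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for m in members:
            zf.writestr(m, b"dummy content, not a real file")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        shown = as_shown_with_hidden_extensions(member)
        print("%-32s shown as %-24s -> %s" % (member, shown, "; ".join(reasons)))
```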
Black Friday - deal or no deal

FYI...

Black Friday: deal or no deal
- https://blog.malwarebytes.org/online-security/2014/11/black-friday-deal-or-no-deal/
Nov 27, 2014 - "... Spammers and scammers have risen to the occasion with deals that are too good to be true such as in this example for -fake- Gucci products. This was reported in a Tweet by Denis Sinegubko, from Unmask Parasites*
* http://www.unmaskparasites.com/ -- https://twitter.com/unmaskparasites
'Denis @unmaskparasites - Chinese spammers are ready for Black Friday. Found these domains in code on a hacked site: GucciBlackFridays .com, BlackFridayCDN .com'
... and also a security researcher at Sucuri** -- http://sucuri.net/ -- http://blog.sucuri.net/2014/11
The site boasts incredible prices on normally very expensive merchandise... Shoppers might get fooled by the security badges and stamps, which of course are only here for show... Traffic to these -bogus- sites will come from spam or, as in this case, from compromised websites... This code resides on the compromised server and performs different checks, in particular whether the user visiting the page is real or a search engine... When Black Friday is over, the crooks will be ready to serve you special deals for Cyber Monday... There certainly are good deals to be made during this holiday season but you really ought to be careful what you click on. You might order counterfeit goods or have your banking credentials stolen and money depleted..."
(More detail at the malwarebytes URL above.)

- https://blog.malwarebytes.org/onlin...-and-cyber-monday-online-shopping-made-safer/
Nov 24, 2014

- http://www.trendmicro.com/vinfo/us/...uide-to-avoiding-cyber-monday-scams-on-mobile
Nov 24, 2014

- http://www.trendmicro.com/vinfo/us/...ng-safe-from-online-threats-this-thanksgiving
Nov 21, 2014
___

Lots of Black Friday SPAM & Phishing
- https://isc.sans.edu/diary.html?storyid=19003
2014-11-28 23:20:46 UTC - "Likely every reader out there, their friends and family, even their pets with email accounts, have received Black Friday SPAM or phishing attempts today. Our own Dr. J sent the handlers an Amazon sample for 'One Click Black Friday Rewards'.
Of course, that one click goes -nowhere- near Amazon and directs you to the likes of Black Fiday (yes, it's misspelled) at hXXp ://www.jasbuyersnet .com/cadillac/umbered/sedatest/styes/coleuses/unterrified.htm. Can't speak to the payload there, don't bother, just use it as ammo for heightened awareness and safe shopping on line during these holidays, and...well, all the time. Be careful out there. :-)
Cheers and happy holidays."
___

Best Buy Order Spam
- http://threattrack.tumblr.com/post/103809164928/best-buy-order-spam
Nov 28, 2014 - "Subjects Seen:
Details of Your Order From Best Buy
Typical e-mail details:
E-shop Best Buy has received an order addressed to you which has to be confirmed by the recipient within 4 days.
Upon confirmation you may pick it in any nearest store of Best Buy.
Detailed order information is attached to the letter.
Wishing you Happy Thanksgiving!
Best Buy


Malicious File Name and MD5:
BestBuy_Order.exe (bff17aecb3cc9b0281275f801026b75d)


Screenshot: https://gs1.wac.edgecastcdn.net/801...00a50953b/tumblr_inline_nfrayxzYyG1r6pupn.jpg

Tagged: Best Buy, Kuluoz

:fear::fear: :mad:
 
Dridex Phish uses malicious word docs

FYI...

Dridex Phish uses malicious word docs
- https://isc.sans.edu/diary.html?storyid=19011
2014-12-01 - "... During the past few months, Botnet-based campaigns have sent waves of phishing emails associated with Dridex... The emails contained malicious Word documents, and with macros enabled, these documents -infected- Windows computers with Dridex malware. Various people have posted about Dridex [1] [2], and some sites like Dynamoo's blog and TechHelpList... often report on these and other phishing campaigns... On 11 Nov 2014, I saw at least 60 emails with 'Duplicate Payment Received' in the subject line. This appeared to be a botnet-based campaign from compromised hosts at various locations across the globe... Monitoring the infection traffic on Security Onion, we found alerts for Dridex traffic from the EmergingThreats signature set (ET TROJAN Dridex POST Checkin) [3]... File hashes changed during this wave of emails, indicating at least 3 different Word documents were used. During this phishing run, Dridex malware came from IP addresses in the 62.76.185.0/24 block..."
[1] http://stopmalvertising.com/malware-reports/analysis-of-dridex-cridex-feodo-bugat.html

[2] http://www.abuse.ch/?p=8332

[3] https://isc.sans.edu/diaryimages/images/brad5.png

[4] http://doc.emergingthreats.net/2019478

62.76.185.127: https://www.virustotal.com/en/ip-address/62.76.185.127/information/
___

Fake 'New offer Job' SPAM - PDF malware
- http://myonlinesecurity.co.uk/new-offer-job-fake-pdf-malware/
1 Dec 2014 - "'New offer Job' with a zip attachment pretending to come from Job service <billiond8@ greatest3threeisland .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
New offer for you, see attached here.

There is also a version around with the subject of 'Tiket alert' pretending to come from FBR service <newspaperedixv@ greatest3threeisland .com>
Look at the attached file for more information.
Assistant Vice President, FBR service
Management Corporation


Both emails contain the same malware as does today’s version of 'my new photo malware'*
1 December 2014 : tiket.zip: Extracts to: tiket.exe
Current Virus total detections: 5/19** . This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/new-photo-malware/

** https://www.virustotal.com/en/file/...1bcbe03c4fc709ee5173f07e/analysis/1417475226/
___

Phishing scam that hit Wall Street might work against you
- http://arstechnica.com/security/201...-wall-street-just-might-work-against-you-too/
Dec 1 2014 - "Researchers have uncovered a group of Wall Street-savvy hacks that have penetrated the e-mail accounts of more than 100 companies, a feat that has allowed them to obtain highly valuable plans concerning corporate acquisitions and other insider information.
> http://cdn.arstechnica.net/wp-content/uploads/2014/12/outlook-phish-640x359.jpg
FIN4, as the group is known, relies on a set of extremely simple tactics that in many cases has allowed them to remain undetected since at least the middle of 2013, according to a report published Monday from security firm FireEye*. Members boast a strong command of the English language and knowledge of corporate finance and Fortune 500 culture. They use that savvy to send highly targeted spearphishing e-mails that harvest login credentials for Microsoft Outlook accounts. The group then uses compromised accounts of one employee, customer, or partner to send spearphishing e-mails to other company insiders. At times, the attackers will -inject- a malicious message into an ongoing e-mail discussion among multiple people, furthering their chances of success. E-mails are sent from the accounts of people the target knows, and they discuss mergers, acquisitions, or other topics already in progress. The attackers often bcc other recipients to make it more difficult to detect the malicious e-mail. The messages appear to be written by native English speakers and often contain previously exchanged Microsoft Office documents that embed hidden malicious macros. This results in fraudulent e-mails that are extremely hard to detect, even by some people who have been trained to spot such phishing campaigns... FireEye researchers said FIN4 members have compromised the accounts of C-level executives, legal counsel, regulatory and compliance personnel, scientists, and advisors of more than 100 companies. About 80 of them are publicly traded companies, while the remaining 20 are Wall Street firms that advise corporations on legal or securities matters or possible or pending mergers and acquisitions. As a result, the group stood to make a windfall if it used the insider information to buy or sell stocks before the information became widely known... 
Embedded in the previously stolen documents are Visual Basic Applications (VBA) macros that prompt readers to enter the Outlook user names and passwords. The scripts then funnel the credentials to servers controlled by the attackers. In other, earlier cases, the spearphishing e-mails contained links to fake Outlook Web App login pages that prompted visitors to enter their passwords. Some of the attacks FireEye observed targeted multiple parties inside law firms, consultancies, and corporations as they discussed particular pending business deals. In one instance, attackers used previously acquired access to e-mail accounts at an advisory firm to harvest information being exchanged about an acquisition under consideration involving one of its clients... the best thing any potential target can do is to educate employees how to spot phishing attacks. The FIN4 attackers have just raised the bar, so chances are most education programs should be revised to help employees spot these new and improved tactics."
* https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html

- http://www.reuters.com/video/2014/12/02/cyber-spies-steal-corporate-secrets-to-r?videoId=347691634
Dec 01, 2014
Video: 02:09

- http://www.computerworld.com/articl...-after-insider-info-to-game-stock-market.html
Dec 1, 2014
> http://core0.staticworld.net/images/article/2014/12/fin4-targets-100533260-large.idge.jpg

- http://www.theregister.co.uk/2014/12/02/malware_raids_stock_markets/
2 Dec 2014
> http://regmedia.co.uk/2014/12/02/11223.png
___

Europol and US customs seize 292 domains selling counterfeit goods
- http://www.theinquirer.net/inquirer...s-seize-292-domains-selling-counterfeit-goods
Dec 1, 2014 - "... Interpol in conjunction with US Immigration and Customs Enforcement has seized the domains of almost 300 websites that were selling counterfeit merchandise. The law enforcement agencies, not to mention politicians, are concerned that citizens are being taken for mugs online and cannot resist spending good money on fake rubbish... Europol said that the seizures involved 25 law enforcement agencies from 19 countries and participation from the US National Intellectual Property Rights Coordination Center... The websites offered a mix of content, ranging from luxury goods and sportswear to CDs and DVDs. The domains are now in the hands of the national governments involved in the shutdowns, and the gear is presumably facing some sort of immolation. Operation In Our Sites has closed down 1,829 domains so far..."
___

O/S Market Share - Nov 2014
- http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0

Browser Market Share - Nov 2014
- http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
___

PoS Malware 'd4re|dev1|' attacking Ticket Machines and Electronic Kiosks
- https://www.intelcrawler.com/news-24
Nov 26, 2014 - "... new type of Point-of-Sale malware called “d4re|dev1|”. This new strain of malware, which is hitting Mass Transit Systems, acts as an advanced backdoor with remote administration, having RAM scraping and keylogging features. This new POS malware find adds to a growing list of POS variants being developed by underground cyber criminals because of the high ROI when they hit payloads like a Target or Home Depot. Variants recently identified and profiled by IntelCrawler include POSCLOUD, Nemanja, JackPOS, BlackPOS, and Decebal. The exploitation of merchants is taking place on a global scale as outlined by the IntelCrawler POS infection map*.
* https://www.intelcrawler.com/analytics/pmim
... The malware has a “File Upload” option, which can be used for remote payload updating. The process of malware was masked under “PGTerm.exe” or “hkcmd.exe”, as well as legitimate names of software such as Google Chrome. Adversaries use this option for the installation of additional backdoors and tools, which allows them to avoid infrastructure limitations and security policies designed for detection. This broad lateral approach shows that serious cybercriminals are not interested in just one particular Point-of-Sale terminal – they are looking for enterprise wide network environments, having tens of connected devices accepting payments and returning larger sets of spoils to their C2 servers... As this POS malware market is evolving, new security measures are needed to combat the seemingly continuous strains being developed by the underground. In addition to consulting your PCI vendor, IntelCrawler strongly recommends to encapsulate any administration channels to the -VPN- as well as to limit the software environment for operators, using proper access control lists and updated security policies..."

:fear: :mad:
 
Fake Walmart 'Order Details', 'Voice Message from Message Admin' SPAM...

FYI...

Fake Walmart 'Order Details' SPAM opens malware site
- http://www.hoax-slayer.com/walmart-order-details-malware.shtml
Dec 2, 2014 - "Email purporting to be from Walmart claims that you can click a link to read more information about a recent order. The email is a scam... Clicking the link opens a website that contains malware. This attack is very similar to another malware campaign in which -bogus- emails claim to be from Costco*...
> http://www.hoax-slayer.com/images/walmart-order-details-malware-1.jpg
This email, which claims to be from retail giant Walmart, advises that your order is ready to be picked up at any local store. It invites you to -click-a-link- to find out more information about the supposed order... the email is -not- from Walmart and has nothing to do with any order you have made. The goal of the email is simply to trick you into clicking the link. If you receive this email, you may be concerned that fraudulent purchases have been made in your name and click the link in the hope of finding out more details... the link opens a compromised website that harbours malware. In some versions, the malicious download may start automatically. In other cases, a notice on the website may instruct you to download a file to view the order information. Generally, the download will be a .zip file that contains a .exe file inside. Clicking the .exe file will install the malware on your computer. The exact malware payload delivered in such attacks may vary... This attack closely mirrors another current malware campaign that uses emails that falsely claim to be from Costco*. Again, the email claims that you can get information about recent purchase by clicking a link. Clicking downloads a .zip file that contains malware."
* http://www.hoax-slayer.com/costco-order-notification-malware.shtml
Nov 28, 2014
> http://www.hoax-slayer.com/images/costco-order-notification-malware-2.jpg
___

Fake 'FEDEX TRACK' 'FEDEX INFO' SPAM - contains trojan
- http://blog.mxlab.eu/2014/12/02/fake-emails-from-fedex-track-or-fedex-info-contains-trojan/
Dec 2, 2014 - "... intercepted a new trojan distribution campaign by email with the subjects like:
- Ezekiel Francis your agent FEDEX
- Bullock, Tiger P. agent FEDEX
- Quin Greer FEDEX company
This email is sent from the -spoofed- address “FEDEX TRACK <******@ care .it>”, “FEDEX INFO <fedexservice@ care .info>” or “FEDEX INFO <fedextechsupport@ care .org>” and has the following body:
Dear Customer!
We attempted to deliver your package on December 2th, 2014, 10:50 AM.
The delivery attempt failed because the address was business closed or nobody could sign for it.
To pick up the package,please, print the invoice that is attached to this email and visit Fedex location indicated in the receipt.
If the package is not picked up within 48 hours, it will be returned to the shipper.
Label/Receipt Number: 45675665665
Expected Delivery Date: December 2th, 2014
Class: International Package Service
Service(s): Delivery Confirmation
Status: Notification sent
Thank you ...


The attached file Package.zip contains the 180 kB large file 45675665665.scr... At the time of writing, 3 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/...f6daed3432cbd61bef50e705350904ebd3b/analysis/
___

Iran hacks target airlines, energy, defense companies
- http://www.reuters.com/article/2014/12/02/us-cybersecurity-iran-idUSKCN0JG18I20141202
Dec 2, 2014 - "Iranian hackers have infiltrated major airlines, energy companies, and defense firms around the globe over the past two years in a campaign that could eventually cause physical damage, according to U.S. cyber security firm Cylance*. The report comes as governments scramble to better understand the extent of Iran's cyber capabilities, which researchers say have grown rapidly as Tehran seeks to retaliate for Western cyber attacks on its nuclear program... The California-based company said its researchers uncovered breaches affecting more than 50 entities in 16 countries, and had evidence they were committed by the same Tehran-based group that was behind a previously reported 2013 cyber attack on a U.S. Navy network. It did not identify the companies targeted, but said they included major aerospace firms, airports and airlines, universities, energy firms, hospitals, and telecommunications operators based in the United States, Israel, China, Saudi Arabia, India, Germany, France, England and others. Cylance said it had evidence the hackers were Iranian, and added the scope and sophistication of the attacks suggested they had state backing... Cylance Chief Executive Stuart McClure said the Iranian hacking group has so far focused its campaign - dubbed Operation Cleaver - on intelligence gathering, but that it likely has the ability to launch attacks. He said researchers who succeeded in gaining access to some of the hackers' infrastructure found massive databases of user credentials and passwords from organizations including energy, transportation, and aerospace companies, as well as universities. He said they also found diagrams of energy plants, screen shots demonstrating control of the security system for a major Middle Eastern energy company, and encryption keys for a major Asian airline... Cylance said its researchers also obtained hundreds of files apparently stolen by the Iranian group from the U.S. Navy's Marine Corps Intranet (NMCI). U.S. government sources had confirmed that Iran was behind the 2013 NMCI breach..."
* http://blog.cylance.com/operation-cleaver-prevention-is-everything
Dec 2, 2014
- http://www.cylance.com/operation-cl...b7a0c3ee|25e0e347-ef8e-475e-9c59-4b051299b3ea
___

Fake 'Voice Message from Message Admin' SPAM - leads to malware
- http://blog.mxlab.eu/2014/12/01/fak...74669888-from-message-admin-leads-to-malware/
Dec 1, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Voice Message #0174669888” (number will vary). This email is sent from the -spoofed- address “Message Admin <NoRepse@ voiceservice .com>” and has the following body:

Voice redirected message
hxxp ://www.studio37kriswhite .com/voicemail/listen.php
Sent: Mon, 1 Dec 2014 19:06:35 +0000

Voice redirected message
hxp ://thepinkcompany .com/voicemail/listen.php
Sent: Mon, 1 Dec 2014 20:10:47 +0000


The embedded URL leads to a web page with JavaScript that makes use of an ActiveXObject to download the file voice646-872-8712_wav.zip. Once extracted, the 43 kB large file voice646-872-8712_wav.exe is present. The trojan is known as W32.HfsAutoA.631F, Trojan.DownLoader11.46947, UDS:DangerousObject.Multi.Generic, Upatre.FE or BehavesLike.Win32.Backdoor.pz.
The trojan is capable of starting a listening server, making HTTP requests, fingerprinting a system and communicating outbound. A service bowmc.exe will be installed, TCP port 1034 will be opened and connections with the IP on ports 21410 and 21397 will be opened for outbound traffic. At the time of writing, 8 of the 55* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/...06e6ab5375a1876f2b1f6cca/analysis/1417468098/
... Behavioural information
TCP connections
192.186.219.137: https://www.virustotal.com/en/ip-address/192.186.219.137/information/
UDP communications
91.200.16.56: https://www.virustotal.com/en/ip-address/91.200.16.56/information/
91.200.16.37: https://www.virustotal.com/en/ip-address/91.200.16.37/information/

:mad: :fear::fear:
 
Malware on Crissic Solutions, Fake 'Fedex Unable to deliver your item' SPAM

FYI...

More malware on Crissic Solutions LLC
- http://blog.dynamoo.com/2014/12/more-malware-on-crissic-solutions-llc.html
3 Dec 2014 - "Another bunch of IPs on Crissic Solutions LLC, leading to what appears to be the Angler EK (see this URLquery report*):
167.160.164.102: https://www.virustotal.com/en/ip-address/167.160.164.102/information/
167.160.164.103: https://www.virustotal.com/en/ip-address/167.160.164.103/information/
167.160.164.141: https://www.virustotal.com/en/ip-address/167.160.164.141/information/
167.160.164.142: https://www.virustotal.com/en/ip-address/167.160.164.142/information/
... domains are being exploited (although there will probably be more soon)... Subdomains in use start with one of qwe. or asd. or zxc... Crissic Solutions LLC operates 167.160.160.0/19 which does have some legitimate sites in it, but since I have previously recommended** blocking 167.160.165.0/24 and 167.160.166.0/24 and now with -multiple- servers on 167.160.164.0/24 also compromised then I suspect that temporarily blocking the entire /19 is the way to go."
* http://urlquery.net/report.php?id=1417554412643

** http://blog.dynamoo.com/2014/11/tainted-network-crissic-solutions.html
___

Fake 'Fedex Unable to deliver your item' SPAM - malware
- http://myonlinesecurity.co.uk/fedex-unable-deliver-item-00486182-malware/
3 Dec 2014 - "'FedEx Unable to deliver your item, #00486182' pretending to come from FedEx International Economy with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
FedEx ®
Dear Customer,
We could not deliver your parcel.
Please, open email attachment to print shipment label.
Regards,
Francis Huber,
Delivery Agent.
(C) 2014 FedEx. The content of this message is protected by copyright and trademark laws. All rights reserved.


3 December 2014: Label_00486182.zip: Extracts to: Label_00486182.doc.js
Current Virus total detections: 4/55* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...c93462810bd632e51e228fd3/analysis/1417611902/
___

Be Wary of ‘Order Confirmation’ Emails
- http://krebsonsecurity.com/2014/12/be-wary-of-order-confirmation-emails/
Dec 3, 2014 - "If you receive an email this holiday season asking you to “confirm” an online e-commerce order or package shipment, please resist the urge to -click- the included -link- or attachment: Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.
'Order confirmation' malware email blasted out by the Asprox spam botnet:
>> http://krebsonsecurity.com/wp-content/uploads/2014/12/hd-asprox-600x273.png
Seasonal scams like these are a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it’s easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25:
This Asprox malware email poses as a notice about a wayward package from a WalMart order.
>> http://krebsonsecurity.com/wp-content/uploads/2014/12/wm-asprox-600x308.png
According to Malcovery*, a company that closely tracks email-based malware attacks, these phony “order confirmation” spam campaigns began around Thanksgiving, and use both booby-trapped links and attached files in a bid to infect recipients’ Windows PCs with the malware that powers the Asprox spam botnet. Asprox is a nasty Trojan that harvests email credentials and other passwords from infected machines, turns the host into a zombie for relaying junk email...
Target is among the many brands being spoofed by Asprox this holiday season:
>> http://krebsonsecurity.com/wp-content/uploads/2014/12/tg-asprox-600x373.png
... do not click the embedded links or attachments..."

* http://blog.malcovery.com/blog/asprox-malware-threat-targets-holiday-shoppers
Dec 3, '14

:fear: :mad:
 
Something evil on 46.161.30.0/24, FedEx phish ...

FYI...

Something evil on 46.161.30.0/24
- http://blog.dynamoo.com/2014/12/something-evil-on-4616130024.html
4 Dec 2014 - "The IP address range of 46.161.30.0/24 (KolosokIvan-net) appears to be dedicated purely to providing phone-home servers for TorrentLocker or some other similar malware. In the past, this IP range has hosted various sites which have moved off... There are no legitimate sites in this network range, so I strongly recommend that you -block- the entire 46.161.30.0/24 range."
(More detail at the dynamoo URL above.)
___

Fake 'Quickbooks intuit unpaid invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/quickbooks-intuit-unpaid-invoice-fake-pdf-malware/
4 Dec 2014 - "'Quickbooks intuit unpaid invoice' with a zip attachment pretending to come from Elena.Lin@ intuit .com <Elena.Lin@ quickbooks .com> is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please review the attached invoice and pay this invoice at your earliest convenience. Feel free to contact us if you have any questions.
Thank you.


4 December 2014 : invoice72.zip: Extracts to: invoice72.scr
Current Virus total detections: 6/55* . This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...6a7d432b50078e16d77480c1/analysis/1417726300/
... Behavioural information
TCP connections
80.248.222.238: https://www.virustotal.com/en/ip-address/184.95.37.110/information/
198.58.84.150: https://www.virustotal.com/en/ip-address/198.58.84.150/information/
UDP communications
198.27.81.168: https://www.virustotal.com/en/ip-address/198.27.81.168/information/
192.95.17.62: https://www.virustotal.com/en/ip-address/192.95.17.62/information/
___

Fake 'FedEx Delivery' confirmation - phishing 419 SCAM
- http://myonlinesecurity.co.uk/fedex-delivery-notification-confirmation-phishing-419-scam/
4 Dec 2014 - "'FedEx Delivery Notification. (Confirmation)' pretending to come from FedEx Courier Delivery <FedExdelivery@ FedEx .com> is a phishing scam. When I first saw these emails start to come in, I thought it was a follow-on to the current malware spreading campaign Fedex Unable to deliver your item, #00486182 malware but no, it is a pure and simple phishing scam trying to get you to voluntarily give your details. It is most likely a 419 scam which will ask for a fee to expedite the delivery. Just look at all the spelling and grammar mistakes in the email, but of course most victims just don’t read emails closely, just blindly follow instructions and do what is asked without thinking. Email looks like:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/fedex_delivery_phish.jpg

... it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
___

Fake Air Canada emails with ticket and flight confirmation leads to malicious ZIP file
- http://blog.mxlab.eu/2014/12/03/new...ght-confirmation-leads-to-malicious-zip-file/
Dec 3, 2014 - "... intercepted a new trojan distribution campaign by email with the subjects like:
Order #70189189901 successfully – Ticket and flight details
Order #70189101701 paid – E-ticket and flight details
This email is sent from the -spoofed- address “Aircanada .com” <tickets@ aircanada .com>” and has the following body:
Dear client,
Your order has been successfully processed and your credit card charged.
ELECTRONIC TICKET – 70189101701
FLIGHT – QB70189101701CA
DATE / TIME – Dec 4th 2014, 15:30
ARRIVING – Quebec
TOTAL PRICE / 575.00 CAD
Your ticket can be downloaded and printed from the following URL: ...
hxxps ://www.aircanada .com/travelInformation/viewOrderInfo.do?ticket_number=70189101701& view_pdf=yes
For information regarding your order, contact us by visiting our website: ...
Thank you for choosing Air Canada


The embedded URL does -not- point the browser to the real web site address but to hxxp ://ravuol .com/wp-content/plugins/revslider/temp/update_extract/revslider/pdf_ticket_QB70189189901CA.zip. Once this file is extracted you will have the 209 kB large file pdf_ticket_QB70189189901CA.pif. The trojan is known as Trojan.MalPack or a variant of Win32/Injector.BQPL. This trojan has the ability to fingerprint the system, start a server listening on a local machine, create Zeus mutexes, installs itself to autorun, modifies local firewall and policies. At the time of writing, 2 of the 52* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/...da221578667a1fa59feb3b2c94aabae96fb/analysis/

ravuol .com / 192.232.218.114: https://www.virustotal.com/en/ip-address/192.232.218.114/information/

:mad: :fear:
 
Fake Voicemail, Remittance Advice SPAM

FYI...

Fake Voicemail SPAM - wav malware
- http://myonlinesecurity.co.uk/stuar...ge-01438351556night-message-fake-wav-malware/
5 Dec 2014 - "'Voicemail Message (01438351556>Night Message) From:01438351556' pretending to come from stuartclark146@ gmx .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

IP Office Voicemail redirected message

5 December 2014: voicemsg.wav.zip : Extracts to: voicemsg.exe
Current Virus total detections: 3/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...56b93564af037dd322232a9f/analysis/1417779780/
___

Fake Remittance Advice SPAM
- http://blog.dynamoo.com/2014/12/k-j-watking-co-fake-remittance-advice.html
5 Dec 2014 - "... The spam comes with an Excel spreadsheet which contains a malicious macro.
Some sample spams are as follows:
From: Brenton Glover
Date: 5 December 2014 at 07:20
Subject: Remittance Advice for 430.57 GBP
Please find attached a remittance advice for recent BACS payment.
Any queries please contact us.
Brenton Glover
Senior Accounts Payable Specialist
K J Watking & Co


I have seen two versions of these, neither of which are detected as malicious by any vendors [1] [2]. Each spreadsheet contains a different but similar malicious macro... which then download a binary... Recommended blocklist:
194.146.136.1
84.92.26.50
79.137.227.123
124.217.199.218
"
1] https://www.virustotal.com/en/file/...248c60214f00d91faf219d66/analysis/1417773044/

2] https://www.virustotal.com/en/file/...805e06989a40fde0147267b1/analysis/1417773050/

- http://myonlinesecurity.co.uk/k-j-watking-co-remittance-advice-excel-malware/
5 December 2014 : BAC_002163F.xls (253KB) - Current Virus total detections: 0/55*
* https://www.virustotal.com/en/file/...b9b89dfe88fdbef3c9cf826e/analysis/1417779426/
5 December 2014 : BAC_644385B.xls (290KB) - Current Virus total detections: 0/55**
** https://www.virustotal.com/en/file/...805e06989a40fde0147267b1/analysis/1417779139/

- http://blog.mxlab.eu/2014/12/05/email-remittance-advice-for-245-58-gbp-contains-malicious-xls-file/
Dec 5, 2014
> https://www.virustotal.com/en/file/...879c9ad471ba8e1f8db6a2c4/analysis/1417768835/
___

Fake Order/Invoice SPAM - malicious .doc attachment
- http://blog.dynamoo.com/2014/12/mathew-doleman-lightmoorhomescouk-spam.html
5 Dec 2014 - "This -spam- came through into my mailbox horribly mangled and needed some assembly to make it malicious (everything was in a Base 64 attachment). After some work it appears to have a malicious Word document attached.
From: Mathew Doleman [order@ lightmoorhomes .co .uk]
Date: 5 December 2014 at 08:32
Subject: Order no. 98348936010
Thank you for using our services!
Your order #98348936010 will be shipped on 08-12-2014.
Date: December 04, 2014
Price: 177.69
Payment method: Credit card
Transaction number: OVFTMZERLXVNPXLPXB
Please find the detailed information on your purchase in the attached file (2014-12-4_12-32-28_98348936010.doc)
Best regards,
Sales Department
Mathew Doleman
+07966 566663


The attachment is 2014-12-4_12-32-28_98348936010.doc which looks like an old-style .DOC file, but is actually a newer format .DOCX document, which is poorly detected by AV vendors* ... Some investigation shows that it contains a malicious macro... The macro downloads a file from http ://hiro-wish .com/js/bin.exe which is completely undetected by any AV vendor** at present... The VirusTotal report** shows it phoning home to:
46.4.232.200 (Dmitry Zheltov / Hetzner, Germany)
Recommended blocklist:
203.172.141.250
46.4.232.200
74.208.11.204
hiro-wish .com
"
* https://www.virustotal.com/en/file/...ecff6e83e2db7ab99a444717/analysis/1417776108/

** https://www.virustotal.com/en/file/...fba6c99e9c3300014fcc08b3/analysis/1417775973/
___

Fake 'Package delivery failed' SPAM - PDF malware
- http://myonlinesecurity.co.uk/package-delivery-failed-fake-pdf-malware/
5 Dec 2014 - "'Package delivery failed' pretending to come from Canada Post with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
From: Canada Post [mailto:shipping@ canadapost .ca]
Sent: December 5, 2014 2:31
To: e-Bills – [redacted]
Subject: Package delivery failed
Image removed by sender.
Dear customer,
A delivery attempt has been made on December 3rd, 2014.
The delivery failed because nobody was present at the receiver’s address.
Redelivery can be arranged by visiting our nearest office and presenting a printed copy of the shipping invoice.
TRACKING Number: 3765490000465274
Originating from : RICHMOND
The shipping invoice, necessary for the redelivery arrangements can be automatically downloaded by visiting the tracking section, in our website: ...


5 December 2014: canpost_3765490000465274_trk.zip: Extracts to:
canpost_3765490000465274_trk.pif . Current Virus total detections: 5/55*
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...7b758cd5358897e126c81929/analysis/1417725574/
___

Halifax phish...
- http://myonlinesecurity.co.uk/halifax-phishing/
5 Dec 2014 - "This Halifax phishing attempt starts with an email saying 'Your Account' pretending to come from Halifax <update@halifax .co .uk> is one of the latest phish attempts to steal your Bank, credit card and personal details. This one only wants your personal details, and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well:
1] http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/halifax_phish_email.jpg
...
2] http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/halifax_fake-site.jpg
... the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format..."

:mad: :fear:
 
Fake Invoice, Transaction SPAM - malicious doc, zip attachment

FYI...

Fake Invoice SPAM - malicious doc attachment
- http://blog.dynamoo.com/2014/12/soo-sutton-invoice-224245-from-power-ec.html
8 Dec 2014 - "... this -fake- invoice comes with a malicious Word document attached.
From: soo.sutton966@ powercentre .com
Date: 8 December 2014 at 10:57
Subject: INVOICE 224245 from Power EC Ltd
Please find attached INVOICE number 224245 from Power EC Ltd


Attached is one of two Word documents -both- with the name 224245.doc but with slightly different macros. Neither is currently detected by any AV vendors [1] [2]. Inside the DOC is one of two malicious macros... which then downloads an executable from one of the following locations:
http ://aircraftpolish .com/js/bin.exe
http ://gofoto .dk/js/bin.exe
This file is then saved as %TEMP%\CWRSNUYCXKL.exe and currently has zero detections at VirusTotal. The ThreatExpert report shows that it connects to:
203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1 Internet, US)
According to the Malwr report this executable drops a DLL with a slightly better detection rate of 5/53*.
Recommended blocklist:
203.172.141.250
74.208.11.204
aircraftpolish .com
gofoto .dk
"
1] https://www.virustotal.com/en/file/...b3b31ca2d98c5abc5832a150/analysis/1418035603/

2] https://www.virustotal.com/en/file/...e5924919c8ac9fe8b1fb495a4e2df98ed22/analysis/

* https://www.virustotal.com/en/file/...5a7ac8d2cc9b6a4018511c88/analysis/1418037172/

- http://myonlinesecurity.co.uk/pleas...-number-224244-power-ec-ltd-word-doc-malware/
8 Dec 2014
___

Fake 'Transaction confirmation' SPAM - doc malware
- http://myonlinesecurity.co.uk/shipping-status-transaction-confirmation-fake-word-doc-malware/
8 Dec 2014 - "'Shipping status: Transaction confirmation' with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The subjects include (all having random numbers, senders, sales clerks names, telephone numbers, order numbers and amounts. Most pretend to come from sale@ or order@ < random company> )
Shipping status: Transaction confirmation: 77951286043
Order info: 50664959001
Payment info: 22908714125
Payment confirmation: 6322896965


They look like:
Shipping status: Transaction confirmation: 77951286043
Greetings,
Your order #77951286043 will be shipped on 16.12.2014.
Date: December 08, 2014. 01:27pm
Price: £163.10
Transaction number: 43595D828F1A5A
Please find the detailed information on your purchase in the attached file order2014-12-08_77951286043.zip
Yours truly,
Sales Department
Keisha Konick ...

-or-
Hello,
Your order #50664959001 will be shipped on 17-12-2014.
Date: December 08, 2014. 01:49pm
Price: £181.71
Transaction number: 1E51D75638EEDA4499
Please find the detailed information on your purchase in the attached file item2014-12-08_50664959001.zip
Kind regards,
Sales Department
Sanjuanita Mandeville ...


Every single attachment received so far today (and there are hundreds) has a different file # so it is difficult to get a viable detection rate at Virus total. The zip attachment extracts to another zip & then to a scr file with an icon looking like it is a word doc.
8 December 2014: order2014-12-08_77951286043.zip: Extracts to: sale2014-12-08_97164185939.scr
Current Virus total detections: 3/55* .
8 December 2014: item2014-12-08_24831482215.zip: Extracts to: item2014-12-08_79359848638.scr
Current Virus total detections: 5/55**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...4eedd7537a5aa38361542f3c/analysis/1418050446/
... Behavioural information
TCP connections
157.56.96.55: https://www.virustotal.com/en/ip-address/157.56.96.55/information/
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
95.101.0.96: https://www.virustotal.com/en/ip-address/95.101.0.96/information/
195.60.214.11: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
217.16.10.3: https://www.virustotal.com/en/ip-address/217.16.10.3/information/
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/

** https://www.virustotal.com/en/file/...13b7d437d9b4019a8a96b02f/analysis/1418050480/
... Behavioural information
TCP connections
191.232.80.55: https://www.virustotal.com/en/ip-address/191.232.80.55/information/
213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
95.101.0.90: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
195.60.214.11: https://www.virustotal.com/en/ip-address/195.60.214.11/information/
217.16.10.3: https://www.virustotal.com/en/ip-address/217.16.10.3/information/
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/
___

Fake HSBC Advising SPAM - leads to malware
- http://blog.mxlab.eu/2014/12/08/fake-email-from-hsbc-advising-service-leads-to-malware/
Dec 8, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Payment Advice – Advice Ref:[GB659898] / CHAPS credits” (number in subject will vary). This email is sent from the spoofed address “HSBC Advising Service <advising.service@ hsbc .com>” and has the following body:
Sir/Madam,
Please download document from dropbox, payment advice is issued at the request of our customer. The advice is or your reference only.
Download link: ...
Yours faithfully,
Global Payments and Cash Management
HSBC ...


In this sample, the embedded URL directs us to hxxp ://paparellalogistica .it/banking/document.php where the file documentXXX.zip (name contains number that will vary) is downloaded. The trojan is known as Upatre-FAAJ!BADD639EC640, HB_Arkam or Virus.Win32.Heur.c. The trojan will create a new service gtpwz.exe on the system, modify some Windows registry and can connect to the IP 62.210.204.149 on port 33294 and 33321 for outbound traffic. At the time of writing, 5 of the 53* AV engines did detect the trojan at Virus Total..."
* https://www.virustotal.com/en/file/...3338d220b66742c510c0895766fe0b70b9a/analysis/
... Behavioural information
TCP connections
62.210.204.149: https://www.virustotal.com/en/ip-address/62.210.204.149/information/
188.132.235.180: https://www.virustotal.com/en/ip-address/188.132.235.180/information/
UDP communications
208.97.25.20: https://www.virustotal.com/en/ip-address/208.97.25.20/information/
208.97.25.6: https://www.virustotal.com/en/ip-address/208.97.25.6/information/

:fear: :mad:
 
Something evil on 5.196.33.8/29, Phishing SCAM

FYI...

Something evil on 5.196.33.8/29
- http://blog.dynamoo.com/2014/12/something-evil-on-519633829.html
9 Dec 2014 - "This Tweet* from @Kafeine about the Angler EK drew my attention to a small block of OVH UK addresses of 5.196.33.8/29 which appear to be completely dedicated to distributing malware.
Specifically, VirusTotal lists badness on the following IPs:
5.196.33.8: https://www.virustotal.com/en/ip-address/5.196.33.8/information/
5.196.33.9: https://www.virustotal.com/en/ip-address/5.196.33.9/information/
5.196.33.10: https://www.virustotal.com/en/ip-address/5.196.33.10/information/
There are also some doubtful looking IP addresses on 5.196.33.15** which may well have a malicious purpose... suggest that you treat them as malicious.
Recommended blocklist:
5.196.33.8/29 ..."
(Long list at the dynamoo URL at the top of this post.)
* https://twitter.com/kafeine/status/541550193649680385

** https://www.virustotal.com/en/ip-address/5.196.33.15/information/
___

Fake 'UPS Customer Service' SPAM - PDF malware
- http://myonlinesecurity.co.uk/ups-customer-service-fake-pdf-malware/
9 Dec 2014 - "'UPS Customer Service' pretending to come from UPS Customer Service [mailto:upsdi@ ups .com] is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
From: UPS Customer Service [mailto:upsdi@ ups .com]
Sent: December 9, 2014 11:25
To: [redacted]
Subject: [SPAM] UPS Customer Service
IMPORTANT DELIVERY
Dear [redacted]
You have received an important delivery from UPS Customer Service.
Please pick up the ePackage at the following Web address:
The ePackage will expire on Thursday December 11, 2014, 00:00:00 EDT
…………………………………………………………….
HOW TO PICK UP YOUR ePackage
* If the Web address above is highlighted, click on it to open a browser window. You will automatically be taken to the ePackage.
* If the Web address above is not highlighted, then follow these steps:
– Open a web browser window.
– Copy and paste the entire Web address into the ‘location’ or ‘address’ bar of the browser.
– Press enter.
Once you arrive at the ePackage web page, you can access the attached files and/or private message.
…………………………………………………………….
If you require assistance please contact UPS Customer Service.
Please note: This e-mail was sent from an auto-notification system that cannot accept incoming e-mail. Please do not reply to this message.
This e-mail is intended for the addressee shown. It contains information that is confidential and protected from disclosure. Any review,
dissemination or use of this transmission or its contents by persons or unauthorized employees of the intended organizations is strictly prohibited.
__________________________________
Delivered by UPS ePackage


9 December 2014: ePackage_12092014_42.pdf.zip: Extracts to: ePackage_12092014_42.pdf.scr
Current Virus total detections: 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...18f9d869e376948b004c2e71/analysis/1418149697/
... Behavioural information
TCP connections
54.225.211.214: https://www.virustotal.com/en/ip-address/54.225.211.214/information/
194.150.168.70: https://www.virustotal.com/en/ip-address/194.150.168.70/information/
___

Phishing SCAM - 'Your Email Address Transmitting Viruses'
- http://www.hoax-slayer.com/email-address-transmitting-viruses-phishing.shtml
Dec 9, 2014 - "... The email is -not- from any email administrator or service provider. It is a phishing scam designed to steal your account login details via a fake login form. If you click the link and login on the -fake- site, your email account may be hijacked by criminals and used for spam and scam campaigns... Example:

Subject: Take note [email address removed]: Your email address will be terminated now
Dear [email address removed]
Your email address (removed) has been transmitting viruses to our servers and will be deactivated permanently if not resolved.
You are urgently required to sanitize your email or your access to email services will be terminated
Click here now to scan and sanitize your e-mail account
Note that failure to sanitize your email account immediately will lead to permanent deactivation without warning.
We are very sorry for the inconveniences this might have caused you and we assure you that everything will return to normal as soon as you have done the needful.
Admin


According to this email, which claims - rather vaguely - to be from 'Admin', your email has been transmitting viruses to the sender's servers. The email warns that your account will be deactivated permanently if you do not resolve the issue. The message instructs you to 'urgently' click a link to run a scan and 'sanitize your e-mail account'... Clicking the link takes you to a fraudulent webpage that includes a stolen Norton Antivirus logo and a login box (See screenshot below*). The page instructs you to login with your email address and password to run a 30 second scan. After 'logging in', a 'Please wait - scanning' message will be displayed for a few seconds. Finally, a 'Scan Complete' message will be shown. At this point, you may believe that the viruses have been removed and you have successfully resolved the issue... however, the criminals behind the scam can collect your login details and hijack your real email account. They may use the hijacked account to launch further spam and scam campaigns in your name..."
* http://www.hoax-slayer.com/images/email-address-tansmitting-viruses.jpg

:mad: :fear:
 
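The posts above each end with a "recommended blocklist" of single IPs plus, in the OVH case, a whole /29. The following is an added example, not code from this thread or from the blogs it quotes: it loads those published entries (single hosts are treated as /32), then checks constructed outbound-connection log lines against them with Python's standard `ipaddress` module, so a range like 5.196.33.8/29 catches 5.196.33.15 without listing every host. The log format (`dst=` fields) and the log lines themselves are constructed for this example.

```python
"""Check outbound-connection log lines against an IP/CIDR blocklist.

Added example (not from the forum thread or the blogs it quotes). The
blocklist entries below are the ones recommended in the posts above;
the log lines and their format are constructed for this example.
"""
import ipaddress
import re

# Blocklist as published in the quoted posts: single hosts plus the
# 5.196.33.8/29 OVH range. Hosts without a prefix are treated as /32.
BLOCKLIST = [
    "5.196.33.8/29",
    "203.172.141.250",
    "74.208.11.204",
    "194.146.136.1",
    "84.92.26.50",
    "87.106.246.201",
    "217.174.240.46",
    "187.33.2.211",
]

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = """\
2014-12-10T10:41:02Z ALLOW src=10.0.0.17 dst=5.196.33.11 dport=80 proto=tcp
2014-12-10T10:41:05Z ALLOW src=10.0.0.17 dst=203.172.141.250 dport=80 proto=tcp
2014-12-10T10:41:09Z ALLOW src=10.0.0.22 dst=93.184.216.34 dport=443 proto=tcp
2014-12-10T10:41:12Z ALLOW src=10.0.0.17 dst=5.196.33.16 dport=80 proto=tcp
2014-12-10T10:41:15Z ALLOW src=10.0.0.31 dst=187.33.2.211 dport=8080 proto=tcp
"""

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def compile_blocklist(entries):
    """Parse blocklist strings into network objects, skipping malformed ones."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # ignore garbage rather than failing the whole check
    return nets


def match_ip(ip_text, nets):
    """Return the blocklist entry (as a network string) covering ip_text, or None."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in nets:
        if addr in net:
            return str(net)
    return None


def scan_log(log_text, entries=BLOCKLIST):
    """Return (line_number, dst_ip, matched_entry) for every blocklisted destination."""
    nets = compile_blocklist(entries)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = DST_RE.search(line)
        if not m:
            continue
        matched = match_ip(m.group(1), nets)
        if matched:
            hits.append((lineno, m.group(1), matched))
    return hits


if __name__ == "__main__":
    for lineno, ip, entry in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {ip} matches blocklist entry {entry}")
```

Note that 5.196.33.16 on the fourth line is outside the /29 (which ends at .15) and is correctly not reported; a lookup keyed on exact strings would either miss the .11 hit or need all eight hosts spelled out.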
Fake 'Remittance Advice' SPAM, Zeus phish...

FYI...

Fake 'Remittance Advice' SPAM - malicious attachment
- http://blog.dynamoo.com/2014/12/spam-remittance-advice-from-anglia.html
10 Dec 2014 - "This spam email does not come from Anglia Engineering Solutions Ltd but instead comes from a criminally-operated botnet and has a malicious attachment.
From: Serena Dotson
Date: 10 December 2014 at 10:33
Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 334563N]
Dear ,
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Kind regards
Serena Dotson
Anglia Engineering Solutions Ltd ...


The sender's name, ID number and attachment name vary from spam email to spam email. It comes with one of two Excel attachments, both of which are malicious but are undetected by any AV product [1] [2] which contains one of two malicious macros... which attempts to download an executable from the following locations:
http ://217.174.240.46:8080/stat/lld.php
http ://187.33.2.211:8080/stat/lld.php
This file is downloaded as test.exe and is then copied to %TEMP%\LNUDTUFLKOJ.exe. This executable has a VirusTotal detection rate of just 1/55*. The ThreatTrack report... shows attempted connections to the following IPs:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
84.92.26.50 (PlusNet, UK)
87.106.246.201 (1&1, Germany)
Traffic to 194.146.136.1 is also confirmed by VirusTotal. The Malwr report shows the same traffic. The payload is most likely Dridex, a banking trojan. I recommend that you block traffic to the following IPs:
194.146.136.1
84.92.26.50
87.106.246.201
217.174.240.46
187.33.2.211
"
1] https://www.virustotal.com/en/file/...115d67788e673b18a303b578/analysis/1418208470/

2] https://www.virustotal.com/en/file/...4f8b27599e5fb6d3c660ad94/analysis/1418208468/

* https://www.virustotal.com/en/file/...b0f43e4552bd27488091da94/analysis/1418208856/

- http://myonlinesecurity.co.uk/remittance-advice-anglia-engineering-solutions-ltd-excel-xls-malware/
10 Dec 2014
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/Anglia-Engineering-Solutions.jpg

* https://www.virustotal.com/en/file/...4f8b27599e5fb6d3c660ad94/analysis/1418209362/

** https://www.virustotal.com/en/file/...115d67788e673b18a303b578/analysis/1418209779/
___

Fake JPMorgan Chase – ACH – Bank account info SPAM – PDF malware
- http://myonlinesecurity.co.uk/gre-p...nk-account-information-form-fake-pdf-malware/
10 Dec 2014 - "'ACH – Bank account information form' pretending to come from random names at jpmchase.com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please fill out and return the attached ACH form along with a copy of a voided check.
Jules Hebert,
JPMorgan Chase
GRE Project Accounting
Vendor Management & Bid/Supervisor
Fax-602-221-2251
Jules.Hebert@ jpmchase .com
GRE Project Accounting


10 December 2014: Check_Copy_Void.zip: Extracts to: Check_Copy_Void.scr
Current Virus total detections: 5/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...4d245e9d68b9ed1276dac0d7/analysis/1418238116/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
213.175.194.96: https://www.virustotal.com/en/ip-address/213.175.194.96/information/
UDP communications
107.23.150.92: https://www.virustotal.com/en/ip-address/107.23.150.92/information/
___

Fake 'PRODUCT ENQUIRY' SPAM - jpg malware
- http://myonlinesecurity.co.uk/re-product-enquiry-fake-jpg-malware/
10 Dec 2014 - "'RE: PRODUCT ENQUIRY' coming from a random company with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Hello,
We are very interested in your product line. We got your profile from sister-companies. Can you please email me the list of all your Class A products and their prices? How much is the minimum order for shipping? What is the mode of payment and can you ship to Stockholm (SWEDEN)?
Please refer to the attached photo in my email. I was informed that this was purchased from your company. I would also like to order this product. Can you send the product code in your reply.
Thank you very much
Stven Clark
Lindhagensgatan 90,
112 18 Stockholm,
SWEDEN…


10 December 2014: Product Image NO. 1_jpeg…………….. (1).7z:
Extracts to: Product Image NO. GXD46474848494DHW_jpeg…………….. (1).exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...61e68304241255a68f8c15d7/analysis/1418220978/
___

85% of website scams - China
- http://www.theregister.co.uk/2014/12/10/chinese_responsible_for_85_per_cent_of_website_scams/
10 Dec 2014 - "Chinese internet users are behind 85 per cent of -fake- websites, according to a semi-annual report [PDF*] from the Anti-Phishing Working Group (APWG). Of the 22,679 -malicious- domain registrations that the group reviewed, over 19,000 were registered to servers based in China. This is in addition to nearly 60,000 websites that were hacked in the first half of 2014 and then used to acquire people's details and credit card information while pretending to offer real goods or services. Chinese registrars were also the worst offenders, with nine of the top ten companies with the highest percentages of phished domains based in China. Dot-com domains are the most popular for phishing sites, being used in 51 per cent of cases, but when it comes down to the percentage of phished domains against the number of domains under that registry, the clear winner is the Central African Republic's dot-cf, with more than 1,200 phished domains out of a total of 40,000 (followed by Mali's dot-ml, Palau's dot-pw and Gabon's dot-ga). Despite concerted efforts to crack down on fake websites, little improvement was made on the last report in terms of uptime (although it is significantly lower than when the group first started its work back in 2010). The average uptime of a phishing site was 32 hours, whereas the median was just under 9 hours. As for the phishers' targets: Apple headed the list for the first time being used in 18 per cent of all attacks, beating out perennial favorite PayPal with just 14 per cent. Despite some fears, the introduction of hundreds of new generic top-level domains has not led to a noticeable increase in phishing, according to the report. The authors posit that this may be because of the higher average price of new gTLDs, although they expect the number of new gTLD phished domains to increase as adoption grows and websites are compromised. Around 20 per cent of phishing attacks are achieved through hacking of vulnerable shared hosting providers..."
* http://docs.apwg.org/reports/APWG_Global_Phishing_Report_1H_2014.pdf
___

Zeus malware thru browser warning: social engineering...
- http://blog.phishlabs.com/zeus-malw...wser-warning-social-engineering-at-its-finest
Dec 5, '14 - "Zeus malware continues to plague the Internet with distributions through spam emails and embeds in compromised corners of the web – all designed to exploit unsuspecting consumers. PhishLabs’ R.A.I.D. (Research Analysis and Intelligence Division) recently observed the Zeus malware being distributed through an alarmingly convincing browser warning that prompts viewers to download and “restore settings”... designed to manipulate viewers so that they believe the alert is based on security preferences that he or she has previously set up. The message creates a sense of urgency and fear, warning of “unusual activity”... Generally speaking, grammar and spelling are often indicators of fake or malicious requests that lead to malware but cybercriminals have caught on to this vulnerability and stepped up their game. Although it is not perfect, the warning observed in this case was much more accurate than what we usually see. The warning states:
"REPORTED BROWSER ONLINE DOCUMENT FILE READER WARNING”. We have detected unusual activities on your browser and the Current Online Document File Reader has been blocked base on your security preferences. It is recommended that you update to the latest version available in order to restore your settings and view Documents."
Browser warning leading to Zeus malware download:
> http://info.phishlabs.com/hs-fs/hub/326665/file-2183047529-png/blog-files/Zeus_Browser_Warning.png
The fake browser warning requires the user to click the "Download and Install" button. Once clicked, the victim is redirected to a site that downloads the Zeus executable (Zbot) malware. The R.A.I.D. was able to track the malware back to the Zeus control panel...
Zeus (Zbot) malware control panel:
> http://info.phishlabs.com/hs-fs/hub/326665/file-2184127607-png/blog-files/Zeus_Control_Panel..png
Web users should be on the lookout for this kind of social engineering that capitalizes on fear and misleads users to believe the alert is showing up based on user-defined preferences. Zeus is a dangerous malware that continues to be distributed through sophisticated avenues. In the past, Zeus infections have led to exploitation of machines, making them part of a -botnet-, as well as bank account takeovers and fraud."

:fear::fear: :mad:
 
Last edited:
Fake Invoice 'UK Fuels E-bill', 'RBS Important Docs' SPAM, Phish, More Ransomware ...

FYI...

Fake Invoice 'UK Fuels E-bill' SPAM - malicious doc attachment
- http://blog.dynamoo.com/2014/12/uk-fuels-e-bill-ebillinvoicecom-spam.html
11 Dec 2014 - "This -fake- invoice comes with a malicious attachment:
From: invoices@ ebillinvoice .com
Date: 11 December 2014 at 08:06
Subject: UK Fuels E-bill
Customer No : 35056
Email address : [redacted]
Attached file name : 35056_49_2014.doc
Dear Customer
Please find attached your invoice for Week 49 2014.
In order to open the attached DOC file you will need
the software Microsoft Office Word.
If you have any queries regarding your e-bill you can contact us at invoices@ ebillinvoice .com.
Yours sincerely
Customer Services
UK Fuels Ltd ...


This spam is not from UK Fuels Ltd or ebillinvoice .com and is a forgery. Attached is a malicious Word document which in the sample I have seen is undetected by AV vendors*. This downloads a file from the following location:
http ://KAFILATRAVEL .COM/js/bin.exe
This is downloaded and saved to %TEMP%\LNKCLHSARFL.exe. This binary only has a detection rate of 3/56** at VirusTotal. The Malwr report shows that it POSTs data to 203.172.141.250 (Ministry of Education, Thailand), which has been commonly used in this sort of attack (I strongly recommend that you -block- this IP). It also drops a DLL which is probably Dridex, which has a detection rate of only 1/55***."
* https://www.virustotal.com/en/file/...7b27f13e9cea590cc6e1bb87/analysis/1418293134/

** https://www.virustotal.com/en/file/...a1c266037fcbbd283e9923ad/analysis/1418293637/

*** https://www.virustotal.com/en/file/...a76903357ed1616d096e1962/analysis/1418294506/

- http://myonlinesecurity.co.uk/uk-fuels-e-bill-word-doc-malware/
11 December 2014 : 35056_49_2014.doc (89kb) Current Virus total detections: 0/56*
35056_49_2014.doc (69kb) Current Virus total detections: 0/56**
* https://www.virustotal.com/en/file/...7b27f13e9cea590cc6e1bb87/analysis/1418285959/

** https://www.virustotal.com/en/file/...d3178d6b3cf60850091f4dc7/analysis/1418285875/
___

Fake 'RBS Important Docs' SPAM – doc malware
- http://myonlinesecurity.co.uk/rbs-important-docs-word-doc-malware/
11 Dec 2014 - "'RBS Important Docs' pretending to come from Lenore Hinkle <Lenore@ rbs .co .uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please review attached documents regarding your account.
Tel: 01322 182123
Fax: 01322 011929
email: Lenore@ rbs .co.uk
This information is classified as Confidential unless otherwise stated.


11 December 2014: RBS_Account_Documents.doc (1mb) Current Virus total detections: 1/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...2cb53162bad1436b4d5f0de5/analysis/1418306209/
___

REVETON Ransomware spreads ...
- http://blog.trendmicro.com/trendlab...preads-with-old-tactics-new-infection-method/
Dec 11, 2014 - "... Over the past few months spanning October up to the last weeks of November, we observed a noticeable increase in REVETON malware variants, in particular, TROJ_REVETON.SM4 and TROJ_REVETON.SM6... Below is the warning message along with a MoneyPak form to transfer the payment of $300 USD. The message also warns users that they have only 48 hours to pay the fine.
Fake warning messages from Homeland Security and the ICE Cyber Crime Center:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/homeland_ice.png
... the healthcare industry seems to be the most affected industry by this malware and mostly centered in the United States, followed by Australia. Below is a ranking of most affected countries by this new wave of REVETON malware spanning October to November 2014.
Data for TROJ_REVETON.SM4 and TROJ_REVETON.SM6 for October – November 2014:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/reveton-new-infect2.jpg
... It might be jarring for users to suddenly receive a message supposedly sent by law enforcement agencies. However, they need to keep in mind that this is just a tactic intended to “scare” users into paying the fee. Users might also be tempted to pay the ransom to get their computers up and running once again. Unfortunately, there is no guarantee that paying the ransom will result in having the computer screen unlocked. Paying the ransom will only guarantee more money going into the pockets of cybercrooks... Some ransomware variants arrive as attachments of spammed messages. As such, users should be wary of opening emails and attachments, especially those that come from unverified sources. If the email appears to come from a legitimate source (read: banks and other institutions), users should verify the email with the bank. If from a personal contact, -confirm- if they sent the message. Do not rely solely on trust by virtue of relationship, as friends or family members may be victims of spammers as well."
___

Phish: CloudFlare SSL certificate abused
- https://blog.malwarebytes.org/fraud...cate-from-cloudflare-abused-in-phishing-scam/
Dec 11, 2014 - "... received a phishing email pretending to come from LogMeIn, the popular remote administration tool. It uses a classic scare tactic “We were unable to charge your credit card for the due amount.( Merchant message – Insufficient funds )” to trick the user into opening up a -fake- invoice:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/unphish.png
... What struck our interest here was the fact that this link was https based. It was indeed a secure connection... with a valid certificate:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/certificatechain.png
On September 29, CloudFlare, a CDN and DNS provider amongst other things, announced Universal SSL, a feature available to all its paid and free customers. It is not the first time cyber-criminals are abusing CloudFlare, and this case is not entirely surprising. By giving a false sense of security (the HTTPS padlock), users are more inclined to follow through and download the malicious file.
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/properties.png
... CloudFlare is issuing a warning that the URL is a ‘Suspected phishing site':
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/warning.png
In some regard SSL certifications may become like digitally signed files, where while they do add a level of trust one should still exercise caution and not blindly assume everything is fine. It might be difficult to keep up with each and every new site that wants to abuse the system (cat-and-mouse game)... We can certainly expect cyber criminals to start using SSL more and more given that it is freely available and not extremely difficult to put in place. Another standard known as Extended Validation Certificate SSL (EV SSL) requires additional validation beyond plain SSL, but again, this does not make things simple for the end user. If regular SSL is deemed weak, then we have a bit of a problem... We have reported this URL to CloudFlare and hope they can revoke the SSL certificate and shut down the site."

:fear: :mad:
 
Last edited:
Info-Stealing file infector hits US, UK

FYI...

Info-Stealing file infector hits US, UK
- http://blog.trendmicro.com/trendlabs-security-intelligence/info-stealing-file-infector-hits-us-uk/
Dec 11, 2014 5:15 pm (UTC-7) - "... there has been a spike in infections related to the malware URSNIF. The URSNIF family is known to steal information such as passwords. Spyware is always considered high risk, but these URSNIF variants can cause damage beyond info-stealing. These URSNIF variants are file-infectors — which is the cause of the noted spike... the countries most affected by the spike are the United States and the United Kingdom. These two countries comprise nearly 75% of all the infections related to these URSNIF variants. Canada and Turkey are the next countries most affected by the malware.
Countries affected by URSNIF spike, based on data gathered for December 2014 so far:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/URSNIF-spike.jpg
Additional feedback shows that education, financial, and manufacturing were among the industries affected by this spike... It infects all .PDF, .EXE, and .MSI files found in all removable drives and network drives. URSNIF packs the found files and embeds them in its resource section. When these infected files are executed, it will drop the original file in %User Temp% (~{random}.tmp.pdf, ~{random}.tmp.exe) and then execute it to trick the user into thinking that the opened file is still fine... After deleting the original .PDF file, it will create an .EXE file using the file name of the original .PDF file. As for .MSI and .EXE files, it will insert its code into the current executable. It will only infect .EXE files with “setup” in the filename.
Difference between an infected (top) and clean (bottom) .PDF file. The infected file is 3.18 MB while the clean file is 2.89 MB:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/URSNIF-spike3.png
For MSI files, it will execute the original file first before executing the malware code. For .PDF and .EXE files, it will produce a dropper-like Trojan, which will drop and execute the original file and the main file infector... The malware family URSNIF is better known as spyware. Variants can monitor network traffic by hooking network APIs related to top browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox. It is also known for gathering information. However, the fact that a family known for spyware now includes file infectors shows that cybercriminals are not above tweaking established malware to expand its routines... A different file infector type (e.g., appending) requires a different detection for security solutions; not all solutions may have this detection. Another notable feature of this particular malware is that it starts its infection routine 30 minutes after its execution... variants often arrive via spammed messages and Trojan dropper/downloader malware. Users need a comprehensive security solution that goes beyond detecting and blocking malware. Features like email reputation services which can detect and block spam and other email-related threats can greatly boost a computer’s security... infected .PDF and .EXE files are detected as PE_URSNIF.A2. Infected .MSI files are detected as PE_URSNIF.A1.
Hashes of the related files:
dd7d3b9ea965af9be6995e823ed863be5f3660e5
44B7A1555D6EF109555CCE88F2A954CAFE56B0B4
EFC5C6DCDFC189742A08B25D8842074C16D44951
FD3EB9A01B209572F903981675F9CF9402181CA1 "
___

Fake 'Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2014/12/wavecablecom-order-r58551-spam.html
12 Dec 2014 - "This -fake- invoice comes with a malicious attachment.
From: kaybd2@ wavecable .com
Date: 12 December 2014 at 17:17
Subject: Order - R58551
Thanks for placing order with us today! Your order is now on process.
Outright Purchase: 6949 US Dollars
Please click the word file provided below to see more details about your order.
BILLING DETAILS
Order Number: ZJW139855932
Purchase Date: 13.07 11.12.2014
Customer Email: info@ [redacted]


Attached is a malicious Word document INVOICE_7794.DOC which has a detection rate of 4/56* on VirusTotal... macro downloads an executable from:
http ://www.2fs. com .au/tmp/rkn.exe
That has a VirusTotal detection rate of 5/55**... A malicious DLL is dropped onto the system with a VirusTotal detection rate of 2/56***. The only detections are generic, but similar dropped DLLs have been the Dridex banking trojan.
Recommended blocklist:
209.208.62.36
5.187.1.78
46.250.6.1
5.135.28.106
66.213.111.72
95.211.188.129
"
* https://www.virustotal.com/en/file/...d1af673ebdcc148c2200b229/analysis/1418406000/

** https://www.virustotal.com/en/file/...9c7c42a12dc959f5e5db0e56/analysis/1418406121/

*** https://www.virustotal.com/en/file/...1724f351cdd193e30e2618c4/analysis/1418408045/
___

Spammers Accelerate Dyre Distribution
- http://www.threattracksecurity.com/it-blog/dyre-spam/
Dec 12, 2014 - "... Over the last few weeks, the cybercriminals behind Dyre have continued to refine their delivery tactics, and the Trojan is now capable of helping to spread itself and other malware. Our researchers have observed that systems infected with Dyre are not only at risk of the malware stealing log-in credentials, but may also receive commands to download and install additional spammers – including the Cutwail/Pushdo botnet – to more broadly propagate Dyre. Pushdo is responsible for a large portion of Upatre spam, and the botnet is actively distributing Dyre and other malware, including the data-encrypting ransomware CryptoWall... The bad guys are pulling out all the stops when it comes to distributing their malicious spam. Everything from fraudulent PayPal security alerts to a Top Gun-inspired tale about a Norwegian fighter pilot crossing paths with a Russian MiG to a fake survey purporting to ask recipients their opinions on the controversial events in Ferguson, Missouri, have all been employed to trick recipients into clicking links and opening infected attachments. We recently observed Dyre downloading three spammers. The first is Pushdo, which runs its own spammer modules. The second and third are standalone spammers, one of which hijacks the victim’s Microsoft Outlook application to send personal emails with attachments harboring Upatre. The third spammer (see images and email text below from a small sampling) is generating a separate campaign and has been increasing in frequency over the last several weeks. All this signals that Dyre is poised to become a more pervasive threat and increasingly active in malicious spam campaigns.
> http://www.threattracksecurity.com/...ds/2014/12/CNN-Norwegian-Russian-MiG-Spam.png
(Multiple other SPAM samples shown at the threattracksecurity URL at the top of this post.)
...Ensure your antivirus and endpoint security is up-to-date, and deploy a robust email security solution to protect your organization from malicious spam. IT admins should continue to educate their users about email-borne threats and stress that despite them being at work, they shouldn’t click links and open attachments without regard for security... Consumers should -always- be cautious about what they click, and if there is any doubt about a warning, special offer or request for private information, contact the bank, retailer or service provider directly by -phone- to confirm."
___

Wire transfer spam spreads Upatre
- http://blogs.technet.com/b/mmpc/archive/2014/12/11/wire-transfer-spam-spreads-upatre.aspx
11 Dec 2014 - "... currently monitoring a spam email campaign that is using a wire transfer claim to spread Trojan:Win32/Upatre. It is important to note that customers running up-to-date Microsoft security software are protected from this threat..."

:fear::fear: :mad:
 
Last edited:
Fake 'Payment Advice' SPAM, GoDaddy Phish ...

FYI...

Fake 'Payment Advice' SPAM - malicious doc attached
- http://blog.dynamoo.com/2014/12/malware-spam-ifs-applications.html
15 Dec 2014 - "This -fake- payment advice spam is not from Vitacress but is a -forgery- with a malicious Word document attached.
From: IFS Applications [Do_Not_Reply@ vitacress .co.uk]
Date: 15 December 2014 at 07:49
Subject: DOC-file for report is ready
The DOC-file for report Payment Advice is ready and is attached in this mail.


Attached is a file Payment Advice_593016.doc which is actually one of two different documents with zero detections at VirusTotal [1] [2] and contain one of two malicious macros... that download a malware binary from one of the following locations:
http ://gv-roth .de/js/bin.exe
http ://notaxcig .com/js/bin.exe
This file is saved as %TEMP%\DYIATHUQLCW.exe and currently has a VirusTotal detection rate of just 1/52*. The ThreatExpert report and Malwr report show attempted connections to the following IPs which have been used in many recent attacks and should be -blocked- if you can:
203.172.141.250 (Ministry of Education, Thailand)
74.208.11.204 (1&1, US)
The malware almost definitely drops the Dridex trojan onto the target system, but I have not been able to get a sample of this yet."
1] https://www.virustotal.com/en/file/...a6f3ad735c3a20f81891b601/analysis/1418633977/

2] https://www.virustotal.com/en/file/...4ce8e89bfc0db1a25c5b34fe/analysis/1418633990/

* https://www.virustotal.com/en/file/...e200dcd44baf898771f61d97/analysis/1418634587/

>> http://myonlinesecurity.co.uk/ifs-applications-doc-file-report-ready-word-doc-malware/
15 Dec 2014
1] https://www.virustotal.com/en/file/...4ce8e89bfc0db1a25c5b34fe/analysis/1418628093/

2] https://www.virustotal.com/en/file/...a6f3ad735c3a20f81891b601/analysis/1418628835/

- http://blog.mxlab.eu/2014/12/15/ema...icious-word-macro-file-that-downloads-trojan/
Dec 15, 2014
> https://www.virustotal.com/en/file/...07c104aa3d4e200dcd44baf898771f61d97/analysis/
... Behavioural information
TCP connections
74.208.11.204: https://www.virustotal.com/en/ip-address/74.208.11.204/information/
___

GoDaddy 'Account Notice' - Phish ...
- http://www.hoax-slayer.com/godaddy-account-error-phishing-scam.shtml
Dec 15, 2014 - "Email purporting to be from web hosting company GoDaddy claims that your account may pose a potential performance risk to the server because it contains 'too many directories'... The email is -not- from GoDaddy. It is a phishing scam designed to steal your GoDaddy login details. A link in the message takes you to a -fake- Go Daddy login page...
Example:
Subject: Account Notice : Error # 7962
Dear Valued GoDaddy Customer: Brett Christensen
Your account contains more than 3331 directories and may pose a potential performance risk to the server.
Please reduce the number of directories for your account to prevent possible account deactivation.
In order to prevent your account from being locked out we recommend that you create special TMP directory.
Or use the link below :
[Link Removed]
Sincerely,
GoDaddy Customer Support...


... criminals responsible for this phishing attack can use the stolen login details to hijack the victims' GoDaddy account. Once they have gained access to the account, the criminals can take control of the victim's website and email addresses and use them to perpetrate, spam, scam, and malware attacks. Always login to your online accounts by entering the web address into your browser's address bar rather than by clicking-a-link in an email."

:fear: :mad:
 
Last edited:
Fake 'eFax Drive' SPAM

FYI...

Fake 'eFax Drive' SPAM - malicious ZIP
- http://blog.mxlab.eu/2014/12/16/url...ved-a-new-fax-leads-to-malicious-zip-archive/
Dec 16, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “You’ve received a new fax”. This email is sent from the -spoofed- address and has the following body:
New fax at SCAN9106970 from EPSON by https ://******* .com
Scan date: Tue, 16 Dec 2014 13:17:59 +0000
Number of pages: 2
Resolution: 400×400 DPI
You can secure download your fax message at:
hxxp: //nm2b .org/bhnjhkkgvq/ufqielyyva.html
(eFax Drive is a file hosting service operated by J2, Inc.)


The downloaded file document7241_pdf.zip contains the 33 kB file document7241_pdf.scr. The trojan is known as Packed.Win32.Katusha.1!O or Malware.QVM20.Gen. At the time of writing, 2 of the 54 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/...f0f0e5dad338c37cfedd4e6f30e37f6499c/analysis/

nm2b .org: 173.254.28.126: https://www.virustotal.com/en/ip-address/173.254.28.126/information/
___

Fake 'Bank account frozen' SPAM - doc malware
- http://myonlinesecurity.co.uk/bank-account-frozen-notice-note-attention-fake-word-doc-malware/
16 Dec 2014 - "'Bank account frozen notice, note, attention. Attention #CITI-44175PI-77527' with a cab attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.
Notification Number: 8489465
Mandate Number: 6782144
Date: December 16, 2014. 01:13pm
In an effort to protect your Banking account, we have frozen your account until such time that it can be safely restored by you. Please view attached file “CITI-44175PI-77527.cab” for details.
Yours truly,
Kathy Schuler ...


16 December 2014: CITI-44175PI-77527.cab : Extracts to: CITI-44175PI-77527.scr
Current Virus total detections: 3/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word.doc file instead of the .scr file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...b8f1b04a07e0fb43cbcfea54/analysis/1418745402/
___

Wells Fargo Secure Message Spam
- http://threattrack.tumblr.com/post/105365947973/wells-fargo-secure-meessage-spam
Dec 16, 2014 - "Subjects Seen:
You have a new Secure Message
Typical e-mail details:
You have received a secure message
Read your secure message by download document-75039.pdf. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.
In order to view the secure message please download it using our Cloud Hosting:
nexpider .com/sawdnilhvi/ckyilmmoca.html


Malicious URLs:
nexpider .com/sawdnilhvi/ckyilmmoca.html
Malicious File Name and MD5:
document82714.scr (98FE8CAD93B6FCDE63421676534BCC57)


Screenshot: https://gs1.wac.edgecastcdn.net/801...bb92d35e4/tumblr_inline_ngostrpvc41r6pupn.png

Tagged: Upatre, Wells Fargo
____

Trawling for Phish
- https://blog.malwarebytes.org/online-security/2014/12/trawling-for-phish/
Dec 16, 2014 - "... avoid on your travels, whether you’re sent a link to them directly or see the URLs linked in an email. First up, a page located at:
secure-dropboxfile (dot)hotvideostube(dot)net/secure-files-dropbox/document/
It claims to offer a shared Dropbox document in return for entering your email credentials. It follows the well-worn pattern of offering multiple login options for different types of email account, including Gmail, AOL, Windows Live, Yahoo and “other”:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/dboxprn1.jpg
The website itself has a poor reputation on Web of Trust, has been listed as being compromised on defacement archives and was also hosting a banking phish not so long ago. Should visitors attempt to login, it sends them to a shared Google Document (no Dropbox files on offer here) which is actually a “public prayer request” spreadsheet belonging to a Church:
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/dboxprn3.jpg
The next page is Google Drive themed and located at:
yellowpagesexpress (dot)com/cgi-bin/Secure Management/index(dot)php
> https://blog.malwarebytes.org/wp-content/uploads/2014/12/dboxprn2.jpg
As before, it asks the visitor to login with the widest possible range of common email accounts available, before sending those who enter their details to an entirely unrelated Saatchi Art investment webpage. Readers should always be cautious around pages claiming to offer up files in return for email logins – it’s one of the most common tactics for harvesting password credentials."

:fear: :mad:
 
Last edited:
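The icon-spoofed .scr extracted from the .cab above, the document7241_pdf.scr / document82714.scr names in the eFax Drive and Wells Fargo items, and the URSNIF file infector earlier in this thread (an .exe that keeps the original .pdf name) all rely on a file looking like a document when it is a Windows executable. The following script is an added example for this thread, not code from Trend Micro, MXLab, ThreatTrack or myonlinesecurity: it walks a directory and flags executable extensions with document-like names, double extensions, and document extensions whose content starts with a PE (MZ) header or otherwise does not match the extension. The sample files it writes into a temporary directory are constructed here, and the exact naming URSNIF uses (taken here as "report.pdf.exe") is an assumption.

```python
"""Flag files that present themselves as documents but are Windows executables.
Added example for this thread; the sample files below are constructed."""
import os
import tempfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
# Expected leading bytes for document types whose header is stable.
DOC_MAGIC = {".pdf": b"%PDF", ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
             ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".rtf": b"{\\rtf"}
# Words that make an executable's name look like a document, fax or scan.
DOC_WORDS = ("pdf", "doc", "invoice", "document", "fax", "scan")


def read_head(path, n=4):
    with open(path, "rb") as fh:
        return fh.read(n)


def classify(path):
    """Return the reasons a file is suspicious; an empty list means it looks fine."""
    stem, ext = os.path.splitext(os.path.basename(path))
    ext = ext.lower()
    inner = os.path.splitext(stem)[1].lower()   # e.g. ".pdf" in "report.pdf.exe"
    head = read_head(path)
    reasons = []
    if ext in EXEC_EXT:
        if inner in DOC_EXT:
            reasons.append(f"double extension {inner}{ext}")
        elif any(w in stem.lower() for w in DOC_WORDS):
            reasons.append(f"document-like name on a {ext} executable")
        if ext == ".scr":
            # Explorer hides known extensions by default, so a .scr with a
            # document icon is shown to the user as a plain document name.
            reasons.append(".scr screensaver executable")
    elif ext in DOC_EXT:
        if head.startswith(b"MZ"):
            reasons.append(f"PE (MZ) header under a {ext} extension")
        elif ext in DOC_MAGIC and not head.startswith(DOC_MAGIC[ext]):
            reasons.append(f"{ext} content does not match its extension (header {head!r})")
    return reasons


def scan_tree(root):
    """Walk root and return sorted (relative path, reasons) for every suspicious file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)


# Constructed sample tree: a few clean files plus the masquerades discussed above.
PE_STUB = b"MZ" + b"\x00" * 62
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4\n%clean sample\n",
    "readme.txt": b"plain text\n",
    "setup.exe": PE_STUB,                  # plainly named executable, not flagged
    "report.pdf.exe": PE_STUB,             # assumed URSNIF-style: .exe keeping the PDF's name
    "manual.pdf": PE_STUB,                 # executable renamed to .pdf
    "document7241_pdf.scr": PE_STUB,       # eFax Drive / Wells Fargo style name
    "CITI-44175PI-77527.scr": PE_STUB,     # icon-spoofed .scr extracted from the .cab
    "statement.doc": b"PK\x03\x04" + b"\x00" * 60,  # zip/OOXML content under a .doc name
}


def build_sample_tree(root):
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the constructed tree in a temp dir and return {path: reasons}."""
    root = tempfile.mkdtemp(prefix="masq-")
    build_sample_tree(root)
    return dict(scan_tree(root))


if __name__ == "__main__":
    for path, reasons in run_demo().items():
        print(f"{path}: {'; '.join(reasons)}")
```

Point `scan_tree()` at a mounted USB stick or a quarantined mail-attachment folder; the name-based checks run on any platform, the header checks need only the first four bytes of each file, and a plainly named .exe is deliberately left alone so the output stays focused on files that are lying about what they are.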
Fake 'PL REMITTANCE' malware, 'Blocked ACH Transfer' SPAM, Exploit Kits in 2014

FYI...

Fake 'PL REMITTANCE' malware SPAM
- http://blog.dynamoo.com/2014/12/pl-remittance-details-ref844127rh.html
17 Dec 2014 - "This -fake- remittance advice comes with a malicious Excel attachment.
From: Briana
Date: 17 December 2014 at 08:42
Subject: PL REMITTANCE DETAILS ref844127RH
The attached remittance details the payment of £664.89 made on 16-DEC-2014 by BACSE.
This email was generated using PL Payment Remittance of Integra Finance System.
Can you please check that your supplier details are correct, if any changes are required please email back to this email address quoting your remittance reference.


The reference in the subject and the name of the Excel attachment differ from email to email, but are always consistent in the same message. There are two poorly detected malicious Excel files that I have seen [1] [2] containing two slightly different macros... which then reach out to the following download locations:
http ://23.226.229.112:8080/stat/lldv.php
http ://38.96.175.139:8080/stat/lldv.php
The file from these locations is downloaded as test.exe and is then saved to %TEMP%\VMHKWKMKEUQ.exe. This has a VirusTotal detection rate of 1/55*. The ThreatTrack report shows it POSTing to the following IP:
194.146.136.1 (PE "Filipets Igor Victorovych", Ukraine)
This IP has been used in several recent attacks and I strongly recommend blocking it. The Malwr report also shows it dropping a malicious DLL identified as Dridex. The ThreatExpert report gives some different IPs being contacted:
80.237.255.196 (Denes Balazs / HostEurope, Germany)
85.25.20.107 (PlusServer, Germany)
The Ukrainian IP is definitely malicious, but if you wanted to establish maximum protection then I would recommend the following blocklist:
194.146.136.1
80.237.255.196
85.25.20.107
23.226.229.112
38.96.175.139
"
1] https://www.virustotal.com/en/file/...350023b075a7b5b88ceddc4d/analysis/1418810946/

2] https://www.virustotal.com/en/file/...75df4b279c8653f428b6cae3/analysis/1418810941/

* https://www.virustotal.com/en/file/...55053403b1a6fec0c895a264/analysis/1418810686/

> http://blog.mxlab.eu/2014/12/17/new...s-ref1790232eg-with-malcious-xls-in-the-wild/
Dec 17, 2014
Screenshot of the XLS: http://img.blog.mxlab.eu/2014/20141205_remittance_01.gif
- https://www.virustotal.com/en/file/...842f715600e75df4b279c8653f428b6cae3/analysis/

> http://myonlinesecurity.co.uk/integ...tance-details-ref6029413oh-excel-xls-malware/
17 Dec 2014
- https://www.virustotal.com/en/file/...75df4b279c8653f428b6cae3/analysis/1418816542/

> https://www.virustotal.com/en/file/...350023b075a7b5b88ceddc4d/analysis/1418817871/
___

Fake 'Blocked ACH Transfer' SPAM - malicious DOC attachment
- http://blog.dynamoo.com/2014/12/blocked-ach-transfer-spam-has-malicious.html
17 Dec 2014 - "Another spam run pushing a malicious Word attachment...
Date: 17 December 2014 at 07:27
Subject: Blocked ACH Transfer
The ACH transaction (ID: 618003565), recently sent from your online banking account, was rejected by the Electronic Payments Association.
Canceled transaction
ACH file Case ID 623742
Total Amount 2644.93 USD
Sender e-mail info@mobilegazette.com
Reason for rejection See attached word file
Please see the document provided below to have more details about this issue...

Screenshot: https://2.bp.blogspot.com/-HHVnC18smUE/VJGXBjF2VVI/AAAAAAAAF-o/yzQZ2etQFYk/s1600/ach.png

Attached is a file ACH transaction 3360.doc which isn't actually a Word 97-2003 document at all, but a malicious Word 2007 document that would normally have a .DOCX extension (which is basically a ZIP file). The current VirusTotal detection rate of this is just 1/55*. Inside this is a malicious macro... which downloads a file from:
http ://www.lynxtech .com.hk/images/tn.exe
This has a VirusTotal detection rate of just 1/54**. The Malwr report shows it POSTING to 5.187.1.78 (Fornex Hosting, Germany) and also a query to 209.208.62.36 (Atlantic.net, US). Presumably this then drops additional components onto the infected system, although I do not know what they are.
Recommended blocklist:
5.187.1.78
209.208.62.36
"
* https://www.virustotal.com/en/file/...0833848233da057ebf842660/analysis/1418826644/

** https://www.virustotal.com/en/file/...3159883147f141742eb9fc75/analysis/1418826840/
___

Exploit Kits in 2014
- http://blog.trendmicro.com/trendlabs-security-intelligence/whats-new-in-exploit-kits-in-2014/
Dec 17, 2014 - "... Exploits targeting Internet Explorer, Silverlight, and Adobe Flash vulnerabilities were frequently used by exploit kits in the past year. The four vulnerabilities below were some of the most frequently targeted by exploit kits:
CVE-2013-0074 (Silverlight)
CVE-2014-0515 (Adobe Flash)
CVE-2014-0569 (Adobe Flash)
CVE-2014-2551 (Internet Explorer)
The most notable change in this list is the relative absence of Java vulnerabilities. Exploit kits have been removing Java because of the increasing use of click-to-play for Java applets, rendering Java a far less attractive target for exploits. The table below shows which exploits are in use by exploit kits:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/exploit-kit-usage.png
Plugin Detection: Almost all exploit kits run some sort of software that detects the browser platform a would-be victim is running in order to determine which exploit to send to the user.
The code necessary to do this varies from one exploit kit to another, and is actually fairly complex due to the number of permutations of browsers and plugins that are possible.
Two exploit kits – Nuclear and FlashPack – use a legitimate JavaScript library, PluginDetect. This minimizes the work the creators of the exploit kit need to do, as well as providing a complete set of features. However, this also means that this library has known characteristics: this makes it more visible to security vendors looking for sites used by exploit kits. By contrast, most exploit kits write their own library to perform this task. This makes detection harder, but it also reduces the capabilities of the libraries. Many of these libraries, for example, will only function under Internet Explorer. The Magnitude exploit kit uses a third method – server-side code – too. The following table summarizes which libraries are used.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/12/exploit-kit-detect-b.png
Antivirus Detection: A new feature that has been added to exploit kits is the ability to detect installed security software. If certain specific security products are installed, the exploit kit will stop itself from running. Both antivirus products and virtual machine software can be targeted in this manner. This behavior is possible due to a vulnerability in Internet Explorer (CVE-2013-7331). This vulnerability allows an attacker to check for the presence of files and folders on an affected system. It was first reported to Microsoft in February 2014, but was only patched in September of the same year as part of MS14-052. The following table summarizes the products that each exploit kit detects:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2014/11/exploit-kit-software.png
Obfuscation Techniques: Exploit kits regularly use various techniques to obfuscate their activity, but some exploit kits have added new techniques. In both of these cases, the attackers are using legitimate tools to obfuscate their files. The Angler exploit kit now uses the Pack200 format to help avoid detection. Pack200 is a compact archive format that was developed by Sun (Java’s original developers) to compress .JAR files significantly. Tools to uncompress these files are provided as part of the Java development kit, but many security products don’t support these formats (so they are unable to scan the said malicious file)...
Summary: Exploit kit developers have not been idle in the year since the collapse of the Blackhole exploit kit. They have made various improvements that help improve the capabilities of these tools. The defenses against these tools on the part of users remain the same. We highly recommend that users implement all updates to their software as is practical, since many of the vulnerabilities targeted by attackers have long been fixed by software vendors."
___

Dyre Banking Trojan - Secureworks
- http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/
Dec 17 2014

:mad: :fear::fear:
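On the Pack200 point above: a ZIP-aware scanner never gets to look inside a Pack200 archive, and the Java plug-in can fetch JARs with "Accept-Encoding: pack200-gzip", so what crosses the wire may be a gzip-wrapped Pack200 stream rather than a ZIP at all. The script below is an added example (not code from the Trend Micro write-up) that tells the three apart by their magic bytes: Pack200 archives start with 0xCAFED00D, gzip with 1F 8B, ZIP/JAR with "PK". The sample inputs are constructed in build_samples(); the bytes after the Pack200 magic are placeholders, since the real header is band-encoded and only the magic is needed to recognise the format.

```python
"""Classify a Java artefact fetched by an exploit-kit landing page: plain JAR,
Pack200 archive, or gzip-wrapped Pack200 (.pack.gz). A scanner that only
understands ZIP sees nothing inside the latter two. Added example, stdlib only."""
import gzip
import io
import struct
import zipfile

PACK200_MAGIC = 0xCAFED00D      # JSR 200 archive magic, big-endian u32 at offset 0
GZIP_MAGIC = b"\x1f\x8b"
ZIP_MAGIC = b"PK\x03\x04"


def classify_java_blob(data: bytes) -> str:
    """Return 'jar', 'zip', 'pack200', 'gzip:<inner>' or 'unknown'."""
    if data[:2] == GZIP_MAGIC:
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError):
            return "gzip:undecodable"
        # Recurse so that .pack.gz is reported as gzip:pack200.
        return "gzip:" + classify_java_blob(inner)
    if len(data) >= 4 and struct.unpack(">I", data[:4])[0] == PACK200_MAGIC:
        return "pack200"
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip:corrupt"
        if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            return "jar"
        return "zip"
    return "unknown"


def needs_pack200_unpack(data: bytes) -> bool:
    """True when a ZIP-only scanner would not see the class files at all."""
    return classify_java_blob(data).endswith("pack200")


def build_samples() -> dict:
    """Constructed inputs, not real malware: a minimal JAR, a Pack200 magic followed
    by placeholder bytes, and the same blob gzip-wrapped as the plug-in would fetch it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Applet.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    jar = buf.getvalue()
    pack = struct.pack(">I", PACK200_MAGIC) + b"\x00" * 16   # header body is a placeholder
    return {"jar": jar, "pack200": pack, "pack.gz": gzip.compress(pack)}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(f"{label:8s} -> {classify_java_blob(blob)}  unpack needed: {needs_pack200_unpack(blob)}")
```

Anything that comes back as pack200 or gzip:pack200 should be run through the JDK's unpack200 tool before it is handed to a JAR scanner; the classification alone only tells you the scanner would otherwise have been blind.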
 
WordPress sites infected with Malware, Fake 'AquAid Card', Fake 'JPMorgan' SPAM ...

FYI...

More than 100,000 'WordPress sites infected with Malware'
- https://www.sans.org/newsletters/newsbites/xvi/99#301
Dec 15, 2014 - "More than 100,000 websites running on WordPress content management system have been found to be infected with malware that attacks the devices of site visitors. Google has blacklisted more than 11,000 domains. Reports suggest that the attackers exploited a vulnerability in the Slider Revolution Premium plug-in*, which the company has known about since September 2014..."
> http://arstechnica.com/security/201...rdpress-sites-infected-by-mysterious-malware/
Dec 15, 2014
(More links at the sans URL above.)

* http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html
Dec 14, 2014
___

Fake 'AquAid Card' SPAM – doc malware
- http://myonlinesecurity.co.uk/tracey-smith-aquaid-card-receipt-word-doc-malware/
18 Dec 2014 - "'AquAid Card Receipt' pretending to come from Tracey Smith <tracey.smith@aquaid.co.uk> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus. Modern versions of Microsoft Office, that is Office 2010 and 2013 and Office 365, have macros disabled by default, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in windows explorer or your email client might well be enough to infect you. Definitely DO -NOT- follow the advice they give to enable macros to see the content... The email looks like:
Hi
Please find attached receipt of payment made to us today
Tracey
Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP ...


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/Card-Receipt-Aquaid-malicious-email.jpg

The macros in this malicious word doc try to connect to http ://sardiniarealestate .info/js/bin.exe ..which is saved as %TEMP%\YEWZMJFAHIB.exe – this has a marginally better detection rate of 3/53*. As we have seen in so many recent attacks like this one, there are 2 versions of the malware:
18 December 2014 : CAR014 151239.doc ( 124kb) | Current Virus total detections: 2/56**
CAR014 151239.doc (130 kb) | Current Virus total detections: 2/55***
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them..."
* https://www.virustotal.com/en/file/...dc8ba1c4d7dd22031e55a922/analysis/1418893740/

** https://www.virustotal.com/en/file/...207fbd1595a964084bb8a375/analysis/1418891360/

*** https://www.virustotal.com/en/file/...b61dabb2ba03de09311a1827/analysis/1418891888/


> http://blog.dynamoo.com/2014/12/malware-spam-aquaidcouk-card-receipt.html
18 Dec 2014
- https://www.virustotal.com/en/file/...207fbd1595a964084bb8a375/analysis/1418893415/
... Recommended blocklist:
74.208.11.204
81.169.156.5
"
___

Fake 'Internet Fax' SPAM - trojan Upatre.FH
- http://blog.mxlab.eu/2014/12/18/email-internet-fax-job-contains-url-that-downloads-trojan-upatre-fh/
Dec 18, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Internet Fax Job”, the email is sent from the spoofed address “MyFax <no-replay@ my-fax.com>” and has the following body:
Fax image data
hxxp ://bursalianneler .com/documents/fax.html


The downloaded file fax8642174_pdf contains the 21 kB large file fax8642174_pdf.exe. The trojan is known as Upatre.FH. The trojan installs itself by creating the service ioiju.exe and makes sure that it boots when Windows starts, modifies several Windows registry entries... At the time of writing, 1 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/...704288fc5232fac81a228a5f2b4f577f048/analysis/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
192.185.52.226: https://www.virustotal.com/en/ip-address/192.185.52.226/information/
78.46.73.197: https://www.virustotal.com/en/ip-address/78.46.73.197/information/
UDP communications
203.183.172.196: https://www.virustotal.com/en/ip-address/203.183.172.196/information/
203.183.172.212: https://www.virustotal.com/en/ip-address/203.183.172.212/information/
___

Fake 'JPMorgan Chase' SPAM - fake PDF malware
- http://myonlinesecurity.co.uk/jpmorgan-chase-co-received-new-secure-message-fake-pdf-malware/
17 Dec 2014 - "'JPMorgan Chase & Co You have received a new secure message' pretending to come from random names @jpmorgan .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This is a secure, encrypted message.
Desktop Users:
Open the attachment (message_zdm.html) and follow the instructions.
Mobile Users:
Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.
Need Help?
Your personalized image for: <redacted>
This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE
Copyright 2013 JPMorgan Chase & Co. All rights reserved


Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/You-have-received-a-new-secure-message.jpg

17 December 2014: message_zdm.zip: Extracts to: message_zdm.exe
Current Virus total detections: 11/54* . This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...2a56dcd87d252df2606c0e19/analysis/1418844158/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
217.199.168.166: https://www.virustotal.com/en/ip-address/217.199.168.166/information/
UDP communications
217.10.68.152: https://www.virustotal.com/en/ip-address/217.10.68.152/information/
217.10.68.178: https://www.virustotal.com/en/ip-address/217.10.68.178/information/

- http://threattrack.tumblr.com/post/105464831328/jp-morgan-chase-secure-message-spam
Dec 18, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/801...23b9140b5/tumblr_inline_ngqwacJHwm1r6pupn.png
Tagged: JPMorgan, Upatre
___

ICANN e-mail accounts, zone database breached in spearphishing attack
Password data, other personal information of account holders exposed.
- http://arstechnica.com/security/201...ne-database-breached-in-spearphishing-attack/
Dec 17 2014 - "Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet's address system, said in a release published Tuesday* that the breach also gave attackers administrative access to all files stored in its centralized zone data system**, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs... As the group controlling the Internet's domain name system, ICANN is a prime target for all kinds of attacks from hackers eager to obtain data that can be used to breach other targets..."
* https://www.icann.org/news/announcement-2-2014-12-16-en

** https://czds.icann.org/en
___

Worm exploits nasty Shellshock bug to commandeer network storage systems
- http://arstechnica.com/security/201...ck-bug-to-commandeer-network-storage-systems/
Dec 15 2014 - "Criminal hackers are actively exploiting the critical shellshock vulnerability* to install a self-replicating backdoor on a popular line of storage systems, researchers have warned. The malicious worm targets network-attached storage systems made by Taiwan-based QNAP, according to a blog post published Sunday** by the SANS Institute. The underlying shellshock attack code exploits a bug in GNU Bash that gives attackers the ability to run commands and code of their choice on vulnerable systems. QNAP engineers released an update in October that patches systems against the vulnerability, but the discovery of the worm in the wild suggests a statistically significant portion of users have yet to apply it. Infected systems are equipped with a secure shell (SSH) server and a new administrative user, giving the attackers a persistent backdoor to sneak back into the device at any time in the future..."
* http://arstechnica.com/security/201...big-security-hole-on-anything-with-nix-in-it/

** https://isc.sans.edu/forums/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061

:fear::fear: :mad:
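Both the 'Internet Fax' and 'JPMorgan' items above (and the FedEx one further down) deliver a ZIP whose only payload is an .exe dressed up as a document: fax8642174_pdf.exe, message_zdm.exe with a PDF icon. Explorer hiding known extensions is what makes the trick work, so triage should look at the bytes inside the archive, not the name or the icon. The script below is an added example (not from mxlab or myonlinesecurity) that lists a ZIP attachment in memory, sniffs each member for the PE "MZ" header, and flags executables whose names borrow document words; the sample archive is constructed in build_sample() and the PE inside it is a two-byte header stub, not a real binary.

```python
"""Inspect a ZIP mail attachment without extracting it to disk: sniff each member's
leading bytes (Windows PE files start with 'MZ') and flag executables whose names
mimic documents. Added example, stdlib only."""
import io
import re
import zipfile

# Extensions Windows will run when double-clicked.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
            "vbs", "vbe", "wsf", "hta", "jar"}
# Document-ish tokens that spammers glue onto executable names (fax8642174_pdf.exe).
DOC_WORDS = re.compile(
    r"(?i)(?:^|[_\-. ])(?:pdf|doc|docx|xls|xlsx|invoice|fax|statement|receipt)(?:$|[_\-. ])")


def inspect_zip_attachment(data: bytes, max_members: int = 100) -> list:
    """One finding per member: name, size, and a list of reasons to distrust it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)            # only the first two bytes are needed
            fname = info.filename.rsplit("/", 1)[-1]
            stem, dot, ext = fname.rpartition(".")
            if not dot:
                stem, ext = fname, ""
            ext = ext.lower()
            flags = []
            if head == b"MZ":
                flags.append("PE header (MZ)")
            if ext in EXEC_EXT:
                flags.append(f"executable extension .{ext}")
                if DOC_WORDS.search(stem):
                    flags.append("document-like name on an executable")
            elif head == b"MZ":
                flags.append("PE content under a non-executable extension")
            findings.append({"member": info.filename, "size": info.file_size, "flags": flags})
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if any member carries at least one flag; a gateway would quarantine here."""
    return any(f["flags"] for f in inspect_zip_attachment(data))


def build_sample() -> bytes:
    """Constructed ZIP, not the real attachment: a fake PE with a fax/pdf-style name
    plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax8642174_pdf.exe", b"MZ" + b"\x90" * 62)   # DOS-header stub only
        zf.writestr("notes.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip_attachment(build_sample()):
        print(f["member"], f["size"], f["flags"] or "clean")
    print("suspicious:", is_suspicious(build_sample()))
```

The same logic catches the reverse case the blog's "spoofed icon" remark is about: a member named something.pdf whose bytes begin with MZ gets flagged even though nothing in the name says executable.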
 
Fake 'BACS payment' SPAM - XLS malware ...

FYI...

Fake 'BACS payment' SPAM - XLS malware
- http://myonlinesecurity.co.uk/bacs-payment-ref9408yc-excel-xls-malware/
19 Dec 2014 - "'BACS payment Ref:9408YC' coming from random email addresses with a malicious Excel XLS attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Please see below our payment confirmation for funds into your account on Tuesday re invoice 9408YC
Accounts Assistant
Tel: 01874 430 632
Fax: 01874 254 622


19 December 2014: 9408YC.xls - Current Virus total detections: 0/53* 0/55** 0/53***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...8e3298f367a4557b5b360eba/analysis/1418987287/

** https://www.virustotal.com/en/file/...7bedda7df7065269cd52cb39/analysis/1418987903/

*** https://www.virustotal.com/en/file/...1a64c896c468a72beccb70c5/analysis/1418987497/

- http://blog.dynamoo.com/2014/12/malware-spam-bacs-payment-ref901109rw.html
19 Dec 2014
> https://www.virustotal.com/en/file/...d979f7adee0fc998037d4f10/analysis/1418994768/
"... UPDATE: A further version of this is doing the rounds with an attachment which also has zero detections at VirusTotal*..."
* https://www.virustotal.com/en/file/...d979f7adee0fc998037d4f10/analysis/1418994768/
... Behavioural information
TCP connections
194.146.136.1: https://www.virustotal.com/en/ip-address/194.146.136.1/information/
___

Fake ACH SPAM
- http://blog.dynamoo.com/2014/12/malware-spam-blocked-transaction-case.html
19 Dec 2014 - "This -fake- ACH spam leads to malware:
Date: 19 December 2014 at 16:06
Subject: Blocked Transaction. Case No 970332
The Automated Clearing House transaction (ID: 732021371), recently initiated from your online banking account, was rejected by the other financial institution.
Canceled ACH transaction
ACH file Case ID 083520
Transaction Amount 1458.42 USD
Sender e-mail info@victimdomain
Reason of Termination See attached statement
Please open the word file enclosed with this email to get more info about this issue.


In the sample I have seen, the attachment is ACH transfer 1336.doc which despite the name is actually a .DOCX file, which has a VirusTotal detection rate of 4/54*. Inside are a series of images detailing how to turn off macro security.. which is a very -bad- idea.
1] https://1.bp.blogspot.com/-zPH8zcx7OrY/VJR1Q7QBOEI/AAAAAAAAGAM/xX6zhss2M4Q/s1600/image3.png

2] https://2.bp.blogspot.com/-84ljBD1vRQg/VJR1Ru59Q2I/AAAAAAAAGAU/WcH0b9IEjII/s1600/image4.png

3] https://1.bp.blogspot.com/-vCCQWdg2iQ0/VJR1R9zpj1I/AAAAAAAAGAY/ASyT9ZXBVz8/s1600/image5.png

4] https://4.bp.blogspot.com/-cCjgc3glQpg/VJR1SDKNwjI/AAAAAAAAGAc/c_b1Rf1nawQ/s1600/image6.png

If you enable macros, then this macro... will run which will download a malicious binary from http ://nikolesy .com/tmp/ten.exe, this has a VirusTotal detection rate of 8/51** as is identified as the Dridex banking trojan."
* https://www.virustotal.com/en/file/...52f718148958b72209e084ac/analysis/1419014981/

** https://www.virustotal.com/en/file/...50d67bb8e0c82574eed694e4/analysis/1419015141/
___

Fake 'my-fax' SPAM
- http://blog.dynamoo.com/2014/12/malware-spam-no-replaymy-faxcom.html
19 Dec 2014 - "This -fake- fax spam leads to malware:
From: Fax [no-replay@ my-fax .com]
Date: 19 December 2014 at 15:37
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: http ://crematori .org/myfax/company.html
Documents are encrypted in transit and store in a secure repository...


... Clicking the link downloads a file fax8127480_924_pdf.zip which in turn contains a malicious executable fax8127480_924.exe which has a VirusTotal detection rate of 3/55*. Most automated analysis tools are inconclusive... but the VT report shows network connections to the following locations:
http ://202.153.35.133:40542/1912uk22//0/51-SP3/0/
http ://202.153.35.133:40542/1912uk22//1/0/0/
http ://natural-anxiety-remedies .com/wp-includes/images/wlw/pack22.pne
Recommended blocklist:
202.153.35.133
natural-anxiety-remedies .com
"
* https://www.virustotal.com/en/file/...51233742f2cd979ab43a5dcb/analysis/1419003908/

202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
___

Fake 'Target Order Confirmation' - malware SPAM
- http://www.hoax-slayer.com/target-order-information-malware.shtml
Dec 19, 2014 - "Order confirmation email purporting to be from Target claims that the company's online store has an order addressed to you... The email is -not- from Target. The link in the message opens a compromised website that contains malware. The Target version is just one in a series of similar malware messages that have falsely claimed to be from well-known stores, including Walmart, Costco and Walgreens...
> http://www.hoax-slayer.com/images/target-order-information-malware-1.jpg
If you use a non-Windows operating system, you may see a message claiming that the download is not compatible with your computer. If you are using one of the targeted operating systems, the malicious file may start downloading automatically. Alternatively, a message on the website may instruct you to click a link to download the file. Typically, the download will be a .zip file that hides a .exe file inside. Opening the .exe file will install the malware. The malware payload used in these campaigns can vary. But, typically, the malware can steal personal information from your computer and relay it to online scammers. The malware in this version is designed to add your computer to the infamous Asprox Botnet... This email is just one in a continuing series of malware messages that claim to be from various high profile stores, including Costco, Walmart and Walgreens. Other versions list order or transaction details, but do not name any particular store. Again, links in the messages lead to malware websites. In some cases, the malware is contained in an attached file. If you receive one of these -bogus- emails, do -not- click any links or open any attachments..."
___

Walgreens Order Spam
- http://threattrack.tumblr.com/post/105606986528/walgreens-order-spam
Dec 19, 2014 - "Subjects Seen:
Order Status
Typical e-mail details:
E-shop Walgreens has received an order addressed to you which has to be confirmed by the recipient within 4 days. Upon confirmation you may pick it in any nearest store of Walgreens.
Detailed order information is provided here.
Walgreens


Malicious URLs:
rugby-game .com/search.php?w=ZT5EpruzameN92MeSlvI09DbnfrIhx1yqu3wrootEpM=
Malicious File Name and MD5:
Walgreens_OrderID-543759.exe (39CEBF3F19AF4C4F17CA5D8EFB940CB6)


Screenshot: https://gs1.wac.edgecastcdn.net/801...b0af8a91d/tumblr_inline_ngu2ovU7f51r6pupn.png

Tagged: Walgreens, Kuluoz
___

Ars was briefly hacked yesterday; here’s what we know
If you have an account on Ars Technica, please change your password today..
- http://arstechnica.com/staff/2014/12/ars-was-briefly-hacked-yesterday-heres-what-we-know/
Dec 16 2014 - "At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file. The next day, at 14:13, the hacker returned to the central server and replaced the main Ars webpage with a defacement page that streamed a song from the band Dual Core... "All the Things"... by 14:29, our technical team had removed the defaced page and restored normal Ars operations. We spent the afternoon changing all internal passwords and certificates and hardening server security even further. Log files show the hacker's movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are stored in hashed form (using 2,048 iterations of the MD5 algorithm and salted with a random series of characters). Out of an excess of caution, we strongly encourage all Ars readers - especially any who have reused their Ars passwords on other, more sensitive sites - to change their passwords today. We are continuing with a full autopsy of the hack and will provide updates if anything new comes to light..."

:fear::fear: :mad:
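The 'AquAid Card' .doc in the previous post and the ACH "transfer 1336.doc which despite the name is actually a .DOCX" above are the two shapes the macro-document lure takes: a legacy OLE binary, or an OOXML zip under a misleading extension. Neither needs Word to triage. The script below is an added example (not dynamoo's or myonlinesecurity's code) that identifies the container from its magic bytes, checks an OOXML package for the word/vbaProject.bin part where VBA lives, and applies a string heuristic (UTF-16LE storage names such as "Macros") to OLE files; it is stdlib only, so for a proper VBA dump of an OLE document use olevba from oletools. All three inputs are constructed in build_samples() and are not the real attachments, and the file names are borrowed from the posts purely as labels.

```python
"""Triage a mail attachment that claims to be a Word document without opening it:
identify the container (legacy OLE .doc vs OOXML zip), look for a VBA project, and
flag extension/container mismatches. Added example, stdlib only."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file header signature
ZIP_MAGIC = b"PK\x03\x04"
# OLE directory entries hold stream/storage names as UTF-16LE; Word keeps VBA in a
# storage called "Macros" and the project in "_VBA_PROJECT". Substring test only:
# this is a heuristic, not an OLE parser.
OLE_VBA_HINTS = ("Macros".encode("utf-16-le"), "_VBA_PROJECT".encode("utf-16-le"))


def triage_word_attachment(name: str, data: bytes) -> dict:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    r = {"name": name, "container": "unknown", "vba": False, "flags": []}
    if data.startswith(OLE_MAGIC):
        r["container"] = "ole"
        r["vba"] = any(h in data for h in OLE_VBA_HINTS)
        if ext not in ("doc", "dot"):
            r["flags"].append(f"OLE container under .{ext}")
    elif data.startswith(ZIP_MAGIC):
        r["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            r["flags"].append("corrupt zip")
            return r
        r["vba"] = "word/vbaProject.bin" in names      # where OOXML macros live
        if r["vba"] and ext in ("doc", "docx", "dot", "dotx"):
            r["flags"].append(f"VBA project under .{ext} (macro files use .docm/.dotm)")
        if ext in ("doc", "dot"):
            r["flags"].append(f"OOXML zip under legacy extension .{ext}")
    else:
        r["flags"].append("neither OLE nor OOXML")
    if r["vba"]:
        r["flags"].append("VBA project present")
    return r


def build_samples() -> dict:
    """Constructed inputs, not the real attachments: an OOXML package with a VBA part
    misnamed .doc, a clean .docx, and an OLE-looking blob carrying a Macros storage name."""
    def ooxml(with_vba: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            if with_vba:
                zf.writestr("word/vbaProject.bin", b"\x00" * 64)
        return buf.getvalue()
    ole = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64
    return {
        "ACH transfer 1336.doc": ooxml(True),
        "minutes.docx": ooxml(False),
        "CAR014 151239.doc": ole,
    }


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        print(triage_word_attachment(fname, blob))
```

A gateway rule that quarantines on vba being true, whatever the extension, covers both lures; the extension-mismatch flags are the extra signal that the sender is relying on Word sniffing the content rather than trusting the name.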
 
US-CERT Targeted Destructive Malware Alert TA14-353A, Fake FedEx SPAM – malware

FYI...

Targeted Destructive Malware - Alert (TA14-353A)
- https://www.us-cert.gov/ncas/alerts/TA14-353A
Last revised: Dec 20, 2014 - "Systems Affected: Microsoft Windows
Overview: US-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company. This SMB Worm Tool is equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.
SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2*. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host...
Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will overwrite portions of up to the first four physical drives attached, and overwrite the master boot record (MBR) with a program designed to cause further damage if the hard drive is rebooted. This further results in the victim machine being non-operational with irrecoverable data (There is a caveat for machines installed with the Windows 7 operating system: Windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, in which the infected MBR then wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.
Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.
... *summary of the C2 IP addresses:
203.131.222.102 Thailand...
217.96.33.164 Poland...
88.53.215.64 Italy...
200.87.126.116 Bolivia...
58.185.154.99 Singapore...
212.31.102.100 Cyprus...
208.105.226.235 United States..."
(More detail at the us-cert URL above.)

203.131.222.102: https://www.virustotal.com/en/ip-address/203.131.222.102/information/
217.96.33.164: https://www.virustotal.com/en/ip-address/217.96.33.164/information/
88.53.215.64: https://www.virustotal.com/en/ip-address/88.53.215.64/information/
200.87.126.116: https://www.virustotal.com/en/ip-address/200.87.126.116/information/
58.185.154.99: https://www.virustotal.com/en/ip-address/58.185.154.99/information/
212.31.102.100: https://www.virustotal.com/en/ip-address/212.31.102.100/information/
208.105.226.235: https://www.virustotal.com/en/ip-address/208.105.226.235/information/

- http://arstechnica.com/security/201...-sony-studio-contained-a-cocktail-of-badness/
Dec 19 2014
> http://cdn.arstechnica.net/wp-content/uploads/2014/12/c2-ip-addresses.png
___

Fake FedEx SPAM – malware
- http://myonlinesecurity.co.uk/fedex-postal-notification-service-malware/
20 Dec 2014 - "'Postal Notification Service' pretending to come from FedEx with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2014/12/Fedex-Postal-Notification-Service.jpg

20 December 2014 : notification.zip: Extracts to: notification_48957348759483759834759834758934798537498.exe
Current Virus total detections: 1/54* . This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like an unknown file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...a7794512913751d48421a860/analysis/1419076775/

"Package Delivery" Themed Scam Alert
- https://www.us-cert.gov/ncas/curren...C-Releases-Package-Delivery-Themed-Scam-Alert
Dec 19, 2014
> http://www.consumer.ftc.gov/blog/package-delivery-scam-delivered-your-inbox

:fear: :mad:
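The alert above gives two behaviours a network defender can actually hunt for: the SMB Worm Tool guessing passwords against many peers on 445/tcp, and its call-home to the listed C2 addresses every five minutes. The script below is an added example (not from US-CERT) that runs both checks over connection records. It assumes a simple constructed log format of "<epoch> <src> <dst> <dport>" per line; real Zeek conn.log or firewall records would be mapped onto that first. The traffic in SAMPLE_LOG is invented for the demonstration, and the C2 set is the seven addresses quoted from the alert.

```python
"""Hunt for the two TA14-353A behaviours: one host opening 445/tcp to many peers
(SMB password guessing) and call-homes to the listed C2 addresses at a roughly
five-minute cadence. Added example; log lines are constructed, not real traffic."""
from collections import defaultdict
from statistics import median

# The seven C2 addresses listed in the alert.
TA14_353A_C2 = {
    "203.131.222.102", "217.96.33.164", "88.53.215.64", "200.87.126.116",
    "58.185.154.99", "212.31.102.100", "208.105.226.235",
}

# Constructed sample: 10.0.0.5 sweeps eight peers on 445 and beacons to a listed
# C2 every ~300 s; 10.0.0.9 is mostly benign noise with one C2 contact.
SAMPLE_LOG = """\
1419000000 10.0.0.5 203.131.222.102 80
1419000003 10.0.0.5 10.0.0.20 445
1419000005 10.0.0.5 10.0.0.21 445
1419000006 10.0.0.5 10.0.0.22 445
1419000008 10.0.0.5 10.0.0.23 445
1419000011 10.0.0.5 10.0.0.24 445
1419000013 10.0.0.5 10.0.0.25 445
1419000015 10.0.0.5 10.0.0.26 445
1419000018 10.0.0.5 10.0.0.27 445
1419000040 10.0.0.9 10.0.0.20 445
1419000050 10.0.0.9 8.8.8.8 53
1419000301 10.0.0.5 203.131.222.102 80
1419000598 10.0.0.5 203.131.222.102 80
1419000902 10.0.0.5 203.131.222.102 80
1419001000 10.0.0.9 88.53.215.64 80
"""


def parse(log: str) -> list:
    """Return (ts, src, dst, dport) tuples; blank and '#' lines are skipped."""
    events = []
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        events.append((int(ts), src, dst, int(dport)))
    return events


def smb_spreaders(events, min_peers=5, window=600) -> dict:
    """src -> largest number of distinct 445/tcp destinations within any `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 445:
            by_src[src].append((ts, dst))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):          # slide a window forward from each hit
            peers = {d for t, d in conns[i:] if t - t0 <= window}
            if len(peers) >= min_peers:
                hits[src] = max(hits.get(src, 0), len(peers))
    return hits


def c2_contacts(events, c2=TA14_353A_C2) -> set:
    """Every (src, c2) pair regardless of cadence; a single hit is worth a ticket."""
    return {(src, dst) for _, src, dst, _ in events if dst in c2}


def beacons(events, c2=TA14_353A_C2, period=300, tolerance=0.10, min_hits=3) -> list:
    """(src, c2) pairs whose inter-connection gaps all fall within tolerance of period."""
    times = defaultdict(list)
    for ts, src, dst, _ in events:
        if dst in c2:
            times[(src, dst)].append(ts)
    found = []
    for (src, dst), ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(ts_list) >= min_hits and all(abs(g - period) <= period * tolerance for g in gaps):
            found.append({"src": src, "c2": dst, "hits": len(ts_list), "interval": median(gaps)})
    return found


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("SMB spreaders:", smb_spreaders(ev))
    print("C2 contacts:", sorted(c2_contacts(ev)))
    print("Beacons:", beacons(ev))
```

The periodicity check is deliberately separate from the plain IOC match: the address list will go stale, but a workstation that opens 445 to dozens of peers in a few minutes, or talks to one external host on a fixed timer, looks the same whatever the operators move to next.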
 
Angler EK on 193.109.69.59, Fake 'Employee Documents' Fax SPAM - malware ...

FYI...

Angler EK on 193.109.69.59
- http://blog.dynamoo.com/2014/12/angler-ek-on-1931096959.html
22 Dec 2014 - "193.109.69.59 (Mir Telematiki Ltd, Russia) is hosting what appears to be the Angler Exploit Kit... infection chain... The last step is where the badness happens, hosted on 193.109.69.59 (Mir Telematiki Ltd, Russia) which is also being used to host the following malicious domains:
qwe.holidayspeedsix .biz
qwe.holidayspeedfive .biz
qwe.holidayspeedseven .biz
A quick look at the contents of 193.109.68.0/23 shows some other questionable sites. A look at the sites hosted* in this /23 indicates that most of them appear to be selling counterfeit goods, so -blocking- the entire /23 will probably be no great loss.
Recommended -minimum- blocklist:
193.109.69.59
holidayspeedsix .biz
holidayspeedfive .biz
holidayspeedseven .biz
"
* http://www.dynamoo.com/files/mmuskatov.csv

193.109.69.59: https://www.virustotal.com/en/ip-address/193.109.69.59/information/
___

Fake 'Tiket alert' SPAM
- http://blog.dynamoo.com/2014/12/tiket-alert-spam-tiket-really.html
22 Dec 2014 - "Sometimes the spammers don't really try very hard. Like they have to make a quota or something. A "Tiket alert" from the FBI.. or is it FBR? Really?

From: FBR service [jon.wo@ fbi .com]
Date: 22 December 2014 at 18:29
Subject: Tiket alert
Look at the link file for more information.
http <redacted>
Assistant Vice President, FBR service
Management Corporation


I have seen another version of this where the download location is negociomega .com/ticket/fsb.html. Clicking on the link downloads a file ticket8724_pdf.zip which in turn contains a malicious executable ticket8724_pdf.exe. This has a VirusTotal detection rate of 2/54*. Between that VirusTotal analysis and the Anubis analysis we can see that the malware attempts to phone home to:
http ://202.153.35.133 :42463/2212us12//0/51-SP3/0/
http ://202.153.35.133 :42463/2212us12//1/0/0/
http ://moorfuse .com/images/unk12.pne
202.153.35.133 is Excell Media Pvt Ltd, India.
Recommended blocklist:
202.153.35.133
moorfuse .com
mitsuba-kenya .com
negociomega .com
"
* https://www.virustotal.com/en/file/...bab19f3a9941158fd33291af/analysis/1419277515/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
188.132.231.115: https://www.virustotal.com/en/ip-address/188.132.231.115/information/
___

Fake 'Employee Documents' Fax SPAM
- http://blog.mxlab.eu/2014/12/19/ema...replaymy-fax-com-leads-to-malicious-zip-file/
Dec 19, 2014 - "... intercepted quite a large distribution campaign by email with the subject “Employee Documents – Internal Use”, this email is sent from the spoofed address “Fax <no-replay@ my-fax .com>” and has the following body:
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Fax Documents
DOCUMENT LINK: ... <redacted>
Documents are encrypted in transit and store in a secure repository ...


The downloaded file fax8127480_924_pdf.zip contains the 26 kB large file fax8127480_924.exe. The trojan is known as W32/Trojan.HZAT-8029, W32/Trojan3.MYF, Downloader-FSH!FFA9EE754457, Upatre.FH or a variant of Win32/Kryptik.CTMJ... Virus Total*..."
* https://www.virustotal.com/en/file/...8be35012aaa51233742f2cd979ab43a5dcb/analysis/
File name: fax8127480_924.exe
Detection ratio: 26/53
Analysis date: 2014-12-22
... Behavioural information
TCP connections
202.153.35.133: https://www.virustotal.com/en/ip-address/202.153.35.133/information/
174.127.104.112: https://www.virustotal.com/en/ip-address/174.127.104.112/information/
83.166.234.251: https://www.virustotal.com/en/ip-address/83.166.234.251/information/
23.10.252.26: https://www.virustotal.com/en/ip-address/23.10.252.26/information/
50.7.247.42: https://www.virustotal.com/en/ip-address/50.7.247.42/information/
217.172.180.178: https://www.virustotal.com/en/ip-address/217.172.180.178/information/
UDP communications
173.194.71.127: https://www.virustotal.com/en/ip-address/173.194.71.127/information/

:fear::fear: :mad:
 