Fake Gov't Websites, Web Site Defacements, Fake 'UNPAID INVOICES' SPAM...
FYI...
- http://krebsonsecurity.com/2015/04/fbi-warns-of-fake-govt-sites-isis-defacements/
Apr 7, 2015
Fake Government Websites ...
- https://www.us-cert.gov/ncas/current-activity/2015/04/07/IC3-Issues-Alert-Fake-Government-Websites
Apr 7, 2015 - "The Internet Crime Complaint Center (IC3) has released an alert that warns consumers of fraudulent government-services websites that mimic legitimate ones. Scam operators lure consumers to these -fraudulent- websites in order to steal their personal identifiable information (PII) and collect fees for services that are never delivered. US-CERT encourages users to review the IC3 Alert* for details and refer to the US-CERT Tip ST04-014** for information on social engineering and phishing attacks."
* http://www.ic3.gov/media/2015/150407-2.aspx
Apr 7, 2015
** https://www.us-cert.gov/ncas/tips/ST04-014
Apr 7, 2015
___
Web Site Defacements ...
- https://www.us-cert.gov/ncas/current-activity/2015/04/07/IC3-Releases-Alert-Web-Site-Defacements
Apr 7, 2015 - "The Internet Crime Complaint Center (IC3) has issued an alert addressing recently perpetrated Web site defacements. The defacements advertise themselves as associated with the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). However, FBI assesses that the perpetrators are -not- actually associated with this group. The perpetrators exploit WordPress content management system (CMS) vulnerabilities, leading to disruptive and costly effects. Users and administrators are encouraged to review the IC3 Alert* for details and refer to the US-CERT Alert TA13-024A** for information on CMS security."
* http://www.ic3.gov/media/2015/150407-1.aspx
Apr 7, 2015
** http://www.us-cert.gov/ncas/alerts/TA13-024A
Apr 7, 2015
___
Fake 'UNPAID INVOICES' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/04/malware-spam-two-unpaid-invoices-wayne.html
8 Apr 2015 - "This -fake- invoice spam is not from Orion Plastics but is instead a simple forgery with a malicious attachment.
From: Wayne Moore [wayne44118@ orionplastics .net]
Date: 8 April 2015 at 09:03
Subject: TWO UNPAID INVOICES
4/3----- LAST WEEK I CALLED REGARDS TWO UNPAID INVOICES FROM JAN 2015
INVOICE # 029911 DATED 1/7/15 FOR $840.80
INVOICE # 030042 DATED 1/30/15 FOR $937.00
PLEASE ADVISE WHEN YOU SENT CHECK AND TO WHAT ADDRESS
I HAVE ATTACHED THE NEW REMIT TO ADDRESS IN CASE YOU DON’T HAVE IT
REGARDS-WAYNE
In this case the email was -malformed- and the attachment REMITTANCE & WIRE TRANSFER ADDRESS.DOC wasn't downloadable (this may be a temporary problem). The document has a detection rate of just 1/56*. Extracting the document revealed this malicious macro... which downloads an additional component from:
http ://fzsv .de/11/004.exe
There are usually other download locations in different variants of the document, but the downloaded executable will be the same. The executable is saved as %TEMP%\c48.exe. This malicious binary has a detection rate of 6/54**. Automated analysis tools... show it phoning home to the following IPs:
37.140.199.100 (Reg.Ru Hosting, Russia)
176.67.160.187 (UK2, UK)
81.148.134.130 (BT, UK)
46.228.193.201 (Aqua Networks Ltd, Germany)
83.136.80.46 (myLoc, Germany)
The Malwr report shows it attempting to connect to a couple of Akamai IPs that I suspect are NOT malicious and would cause collateral damage if blocked:
90.84.136.185
184.25.56.220
According to the same Malwr report it drops a Dridex DLL with a detection rate of 4/57**.
Recommended blocklist:
37.140.199.100
176.67.160.187
81.148.134.130
46.228.193.201
83.136.80.46
MD5s:
3e3a09644170ad3184facb4cace14f8a
671c65cedc8642adf70ada3f74d5da19
14c2795bcc35c3180649494ec2bc7877 "
* https://www.virustotal.com/en/file/...16f70fefcc4471b6318d0ce4/analysis/1428485931/
** https://www.virustotal.com/en/file/...d7e9ceb234db1f477e2faf2d/analysis/1428485937/
___
Fake 'BACS Transfer' SPAM – PDF malware
- http://myonlinesecurity.co.uk/bacs-transfer-remittance-for-jsag783gbp-fake-pdf-malware/
8 Apr 2015 - "'BACS Transfer : Remittance for JSAG783GBP' pretending to come from random names and email addresses at natwest .com with a zip attachment is another one from the current bot runs... The email which has random amounts looks like:
We have arranged a BACS transfer to your bank for the following amount : 4278.00
Please find details attached.
8 April 2015: BACS_Transfer_AQ004719.zip : Extracts to: BACS_Transfer_AQ004719.scr
Current VirusTotal detections: 3/57*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...c3028ceb8ffd431110e2616a/analysis/1428491113/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustotal.com/en/ip-address/216.146.43.70/information/
141.105.141.87: https://www.virustotal.com/en/ip-address/141.105.141.87/information/
66.7.216.61: https://www.virustotal.com/en/ip-address/66.7.216.61/information/
UDP communications
23.101.187.68: https://www.virustotal.com/en/ip-address/23.101.187.68/information/
___
Fake 'Password Re-activation' SPAM - PDF malware
- http://myonlinesecurity.co.uk/bankline-roi-password-re-activation-form-fake-pdf-malware/
8 Apr 2015 - "'Bankline ROI – Password Re-activation Form' pretending to come from various names and email addresses @rbs .co .uk with a zip attachment is another one from the current bot runs... The email looks like:
Please find the Re-activation form attached, send one per user ensuring only one box is selected in section 3. A signatory on the bank mandate must sign the form.
Fax to 1850 262125 or alternatively you may wish to email the completed document, by attaching it to an email and sending it to banklineadministration@ rbs .co .uk
On receipt of the completed form we will respond to the request within 2 working hours and communicate this to the user by email.
<<Bankline_Password_reset_3978322.pdf>>
Please note – The life-span of an activation code is 21 days; after this time, the activation code will expire and a new one must be ordered.
Please be aware when choosing a new pin and password for the service, it is important not to use pin/passwords that you have used before but to use completely different details.
If you are the sole Standard Administrator may I take this opportunity to suggest when you are reinstated on the system, to set up another User in a Standard Administrator role. This will prevent you being locked out completely and allow you to order a new activation code from within the system and reset your security sooner.
If you require any further assistance then please do not hesitate to contact us on 1850 245140 and one of our associates will be happy to assist you.
Regards
Bankline Product Support ...
Same malware payload, although -renamed- as Bankline_Password_reset_0319234.zip (random numbers) as today's NatWest attempt BACS Transfer : Remittance for JSAG783GBP – fake PDF malware*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/bacs-transfer-remittance-for-jsag783gbp-fake-pdf-malware/
___
Fake 'Invoice' SPAM - malicious doc/xls
- http://blog.dynamoo.com/2015/04/malware-spam-invoice-from-company-name.html
8 Apr 2015 - "This -Dridex- spam takes a slightly different approach from other recent ones. Instead of -attaching- a malicious Office document, it downloads it from a compromised server instead. The example I saw read:
From: Mitchel Levy
Date: 8 April 2015 at 13:45
Subject: Invoice from MOTHERCARE
Your latest invoice is now available for download. We kindly advise you to pay the invoice in time.
Download your invoice here.
Thanks for attention. We appreciate your business.
If you have any queries, please do not hesitate to contact us.
Mitchel Levy, MOTHERCARE
The link in the email has an address using the domain afinanceei .com plus a subdomain based on the recipient's email address. It also has the recipient's email address embedded in the URL, for example: http ://victimbfe .afinanceei .com/victim@ victim .domain/
This is hosted on 31.24.30.12 (Granat Studio / Tomgate LLC, Russia) and it leads to a landing page that looks like this:
> https://4.bp.blogspot.com/-vUPtkxCCOGs/VSUoF2z9iSI/AAAAAAAAGeI/y_3wZi6iXMo/s1600/dridex-landing.png
... The link in the email downloads a file from:
http ://31.24.30.12 /api/Invoice.xls
At the moment the download server seems very unstable and is generating a lot of 500 errors. Incidentally, http ://31.24.30.12 /api/ shows a -fake- page pretending to be from Australian retailer Kogan:
> https://4.bp.blogspot.com/-Lp2QSnPComc/VSUsA5UN8PI/AAAAAAAAGeU/Hf7-6GPdBQo/s1600/fake-kogan.png
As you might guess, Invoice.xls contains a malicious macro... but the real action is some data hidden in the spreadsheet itself... it instructs the computer to download a malicious binary from:
http ://46.30.43.102 /cves/kase.jpg
This is saved as %TEMP%\dfsdfff.exe. Unsurprisingly, 46.30.43.102 is another Russian IP, this time EuroByte LLC. This binary has a VirusTotal detection rate of 6/57*. Automated analysis tools... show it communicating with the following IPs:
109.74.146.18 (VNET a.s., Bulgaria)
176.81.92.142 (Telefonica, Spain)
147.96.6.154 (Universidad Complutense De Madrid, Spain)
199.201.121.169 (Synaptica, Canada)
210.205.126.189 (Nowonwoman, Korea)
37.58.49.37 (Leaseweb, Germany)
87.117.229.29 (iomart, UK)
108.61.189.99 (Choopa LLC, US)
116.75.106.118 (Hathway, India)
107.191.46.222 (Choopa LLC, Canada)
In addition there are some Akamai IPs which look benign...
184.25.56.212
184.25.56.205
2.22.234.90
According to this Malwr report it drops several files including a malicious Dridex DLL which is the same one found in this attack:
> http://blog.dynamoo.com/2015/04/malware-spam-two-unpaid-invoices-wayne.html
Recommended blocklist:
109.74.146.18
176.81.92.142
147.96.6.154
199.201.121.169
210.205.126.189
37.58.49.37
87.117.229.29
108.61.189.99
116.75.106.118
107.191.46.222
46.30.43.102
31.24.30.12
MD5s:
e8cd8be37e30c9ad869136534f358fc5
671c65cedc8642adf70ada3f74d5da19
a4af11437798b7de5a0884623ed42478 "
* https://www.virustotal.com/en/file/...5bd5de461b026ff6d63d0b5c/analysis/1428499086/
:fear::fear:
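Two defender-side checks that follow from the posts quoted above, written here as an added example (not code from Dynamoo, MyOnlineSecurity or any of the linked sites): the first matches firewall log lines against the recommended blocklists while keeping the Akamai addresses the posts call benign out of the match set, the second inspects a zip attachment for the "fake PDF" trick where the member extracts to a .scr/.exe. The IPs, MD5s and the BACS_Transfer_AQ004719.scr member name are copied from the quoted posts; the log lines, the zip contents and the benign 93.184.216.34 destination are constructed for the example.

```python
"""Apply the indicators quoted in the digest above to constructed sample data."""
import hashlib
import io
import os
import re
import zipfile

# Recommended blocklists from the two Dynamoo posts (copied from the quotes above).
BLOCKLIST_IPS = {
    # "TWO UNPAID INVOICES" Dridex run
    "37.140.199.100", "176.67.160.187", "81.148.134.130",
    "46.228.193.201", "83.136.80.46",
    # "Invoice from MOTHERCARE" Dridex run
    "109.74.146.18", "176.81.92.142", "147.96.6.154", "199.201.121.169",
    "210.205.126.189", "37.58.49.37", "87.117.229.29", "108.61.189.99",
    "116.75.106.118", "107.191.46.222", "46.30.43.102", "31.24.30.12",
}
# Akamai addresses the posts flag as probably benign: blocking them causes collateral damage.
ALLOWLIST_IPS = {"90.84.136.185", "184.25.56.220",
                 "184.25.56.212", "184.25.56.205", "2.22.234.90"}
# MD5s listed in the quoted posts.
KNOWN_BAD_MD5 = {
    "3e3a09644170ad3184facb4cace14f8a", "671c65cedc8642adf70ada3f74d5da19",
    "14c2795bcc35c3180649494ec2bc7877", "e8cd8be37e30c9ad869136534f358fc5",
    "a4af11437798b7de5a0884623ed42478",
}
# Extensions Windows executes even when the file carries a PDF/document icon.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed firewall lines: line 2 hits an Akamai address, line 3 a benign host.
SAMPLE_FW_LOG = [
    "2015-04-08T09:14:02 fw1 ALLOW TCP 10.0.0.23:51234 -> 37.140.199.100:443",
    "2015-04-08T09:14:05 fw1 ALLOW TCP 10.0.0.23:51240 -> 184.25.56.220:443",
    "2015-04-08T09:15:11 fw1 ALLOW TCP 10.0.0.41:49881 -> 93.184.216.34:80",
    "2015-04-08T13:50:07 fw1 ALLOW TCP 10.0.0.41:49902 -> 31.24.30.12:80",
]


def match_ips(log_lines):
    """Return (line_no, ip) for every blocklisted IP seen; allowlisted IPs never match."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IP_RE.findall(line):
            if ip in BLOCKLIST_IPS and ip not in ALLOWLIST_IPS:
                hits.append((n, ip))
    return hits


def disguised_members(zip_bytes):
    """Return zip member names whose real extension is executable (the fake-PDF icon trick)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # splitext looks at the last extension, so Invoice.pdf.exe is caught too.
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                flagged.append(name)
    return flagged


def build_sample_zip():
    """Constructed stand-in for BACS_Transfer_AQ004719.zip: only the member name is from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BACS_Transfer_AQ004719.scr", "text stub, not an executable")
        zf.writestr("readme.txt", "benign filler")
    return buf.getvalue()


def file_md5(data):
    """Hex MD5 of a byte string, for comparison with the published hashes."""
    return hashlib.md5(data).hexdigest()


def md5_is_known_bad(hexdigest):
    """True when the hash appears in the quoted posts' MD5 lists."""
    return hexdigest.lower() in KNOWN_BAD_MD5


if __name__ == "__main__":
    for line_no, ip in match_ips(SAMPLE_FW_LOG):
        print(f"blocklisted destination {ip} on log line {line_no}")
    for name in disguised_members(build_sample_zip()):
        print(f"attachment member {name} is an executable despite its document-style name")
```

The allowlist guard is deliberately redundant with the blocklist as written; it documents the intent that the Akamai ranges stay out even if someone later adds a whole netblock. Hashing with MD5 here is only for matching against the MD5s the posts publish, not as an integrity primitive.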