SPAM frauds, fakes, and other MALWARE deliveries...

Fake 'Upcoming Payment', 'New Payment Received', '50 transactions' SPAM

FYI...

Fake 'Upcoming Payment' SPAM - JS malware delivers Dridex
- https://myonlinesecurity.co.uk/upcoming-payment-1-month-notice-js-malware-delivers-dridex/
6 May 2016 - "An email with the subject of 'Upcoming Payment – 1 Month Notice' pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads Dridex. In exactly the same way as THIS[1] earlier Malspam run, the encrypted JavaScript file contains a long list of compromised sites that the Dridex banking Trojan is downloaded from...
1] https://myonlinesecurity.co.uk/some...count-word-doc-macro-malware-leads-to-dridex/
One of the emails looks like:
From: Mona Gates <GatesMona02@ ideadigitale .org>
Date: Thu 05/05/2016 23:20
Subject: Upcoming Payment – 1 Month Notice
Attachment: user_data_37776.zip
Please, be informed regarding the upcoming payment ID:30724, which must be paid in full until the June 1st, 2016.
Additional information is enclosed in the file down below.


6 May 2016: user_data_37776.zip: Extracts to: details_uQG07BLH189.js - Current Virus total detections 1/56*
.. MALWR** shows a download of Dridex banking trojan from a long list of sites (VirusTotal 7/55***). Sites discovered listed inside the encrypted js file include: (other versions of this might well include other sites):
http ://fashionpoppers .com/adm.exe - 66.147.244.66
http ://sky-hero .com/adm.exe - 213.186.33.171
http ://wbsrainwater .com/adm.exe - 91.146.109.184
http ://burnspots .com/adm.exe - 160.153.32.229
http ://wholesalejaipurkurti .com/adm.exe - 46.166.163.195
http ://bedbugsurvivalguide .com/adm.exe - 54.241.22.111
http ://clearancezone .com.au/adm.exe - 184.164.156.210
http ://asiandukan .co.uk/adm.exe - 192.186.200.169
http ://ribastiendaonline .com/adm.exe - 185.92.247.46
http ://hogcustom .co.uk/adm.exe - 213.246.109.8
http ://shopnutri .com.br/adm.exe - 177.12.173.166
http ://metersdirect .com.au/adm.exe - 52.64.39.102
http ://buyemergencylight .com/adm.exe - 192.117.12.154
http ://lcdistributing .com/adm.exe - 192.249.113.43
http ://liftmaxthailand .com/adm.exe - 119.59.120.32
http ://millersportsaspen .com/adm.exe - 23.235.220.84
http ://hkautosports .com/adm.exe - 205.134.241.120
http ://syntechcs .co.uk/adm.exe - 188.65.114.122
http ://presspig .com/adm.exe - 70.40.220.100
http ://lojaturbo .com.br/adm.exe - 81.19.185.200
... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...86a8e6fa54fec28d298bc594/analysis/1462487086/

** https://malwr.com/analysis/MjUxNzY0N2M4Yzc4NDc0ZmE3OGQ1ODJjMWJmNDc1OGQ/
Hosts
213.246.109.8
213.186.33.171
192.117.12.154
185.92.247.46
81.19.185.200
52.64.39.102
177.12.173.166
184.164.156.210
91.146.109.184
119.59.120.32
192.249.113.43
70.40.220.100
188.65.114.122
66.147.244.66
192.186.200.169
23.235.220.84
54.241.22.111
46.166.163.195
160.153.32.229
205.134.241.120


*** https://www.virustotal.com/en/file/...1e06c34273dd479308801139/analysis/1462507119/
___

Fake 'New Payment Received' SPAM - JS malware delivers Dridex
- https://myonlinesecurity.co.uk/new-payment-received-js-malware-delivers-dridex/
6 May 2016 - "Continuing with the overnight Malspam runs is yet another -Dridex- dropper with a long list of sites embedded inside the encrypted JavaScript file. This is an email with the subject of 'New Payment Received' pretending to come from random senders and email addresses with a zip attachment containing an encrypted JavaScript file... One of the emails looks like:
From: Kathie Miller <MillerKathie8660@ fixed-189-252-187-189-252-125 .iusacell .net>
Date: Fri 06/05/2016 02:01
Subject: New Payment Received
Attachment: caution_rob_522737.zip
You have just received a new payment! Trans number 97407. For more information please review the transaction report enclosed.


6 May 2016: caution_rob_522737.zip: Extracts to: cash_q9rTBHi225.js - Current Virus total detections 1/56*
.. MALWR** shows a download of Dridex banking Trojan from the same list of sites in THIS[1] post.
1] https://myonlinesecurity.co.uk/upcoming-payment-1-month-notice-js-malware-delivers-dridex/
.. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...137876e8a49902b20ef4ae50/analysis/1462497274/

** https://malwr.com/analysis/ZmVhZjIyMjZkOWNhNDllYjg4M2Y5M2JlYjc4NmI1Zjk/
Hosts
213.246.109.8
213.186.33.171
192.117.12.154
185.92.247.46
81.19.185.200
52.64.39.102
177.12.173.166
184.164.156.210
91.146.109.184
119.59.120.32
192.249.113.43
70.40.220.100
188.65.114.122
66.147.244.66
192.186.200.169
23.235.220.84
54.241.22.111
46.166.163.195
160.153.32.229
205.134.241.120

___

Fake '50 transactions' SPAM - JS malware delivers Locky
- https://myonlinesecurity.co.uk/i-ha...unt-actual-balance-js-malware-delivers-locky/
6 May 2015 - "An email with the subject of 'Re: ' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: Helen Velazquez <VelazquezHelen20082@ sas-pt .com>
Date: Fri 06/05/2016 09:46
Subject: Re:
Attachment: spreadsheet_98B.zip
Good evening driver,
As promised, I have attached the spreadsheet contains last 50 transaction and your account actual balance.
Regards,
Helen Velazquez


6 May 2016: spreadsheet_98B.zip: Extracts to: transactions 11791799.js - Current Virus total detections 23/56*
.. MALWR doesn’t show any downloads but a manual analysis gives me a download from
http ://girls.web-planet .su/hs93jaks (VirusTotal 3/55**).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...7d7281a162181c8b430078d1/analysis/1441173827/

** https://www.virustotal.com/en/file/...19feb2606d5d53598b7dab2a/analysis/1462525419/
TCP connections
185.22.67.108: https://www.virustotal.com/en/ip-address/185.22.67.108/information/

girls.web-planet .su: 217.107.34.231: https://www.virustotal.com/en/ip-address/217.107.34.231/information/

:fear::fear: :mad:
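The host and IP lists quoted in the post above (and again in several posts further down this thread) are published defanged: a space before the TLD, "hxxp", "[DOT]", and VirusTotal or malwr links mixed in on the same line. The Python below is an added example, not code from the forum or from any of the blogs quoted here. It refangs lines written in those styles, builds a blocklist of hosts and IPs while dropping the analysis-service links so they never end up on the blocklist, and runs the result over a few proxy log lines. The sample indicator lines mirror entries on this page; the proxy log format, timestamps and client addresses are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: indicator lines in the defanged styles used in the posts
# ("http ://host .tld", "hxxp ://", "[DOT]", "host - IP", "host: IP: <VirusTotal link>").
SAMPLE_IOC_LINES = """\
http ://fashionpoppers .com/adm.exe - 66.147.244.66
http ://sky-hero .com/adm.exe - 213.186.33.171
metersdirect .com.au:80/ad.exe - 52.64.39.102
girls.web-planet .su: 217.107.34.231: https://www.virustotal.com/en/ip-address/217.107.34.231/information/
www2[DOT]uebler-gmbh[DOT]de: 217.114.79.125
hxxp :// banketcentr .ru/v8usja
"""

# Constructed proxy log (timestamp, client, method, URL, status); hypothetical, not from the page.
SAMPLE_PROXY_LOG = """\
1462500001 10.0.0.12 GET http://sky-hero.com/adm.exe 200
1462500002 10.0.0.12 GET http://www.example.org/index.html 200
1462500003 10.0.0.31 GET http://213.186.33.171/adm.exe 200
1462500004 10.0.0.44 GET http://banketcentr.ru/v8usja 404
1462500005 10.0.0.44 GET https://www.virustotal.com/en/ 200
"""

# Sandbox/scanner links quoted next to indicators must never land on the blocklist.
ANALYSIS_SITES = ("virustotal.com", "malwr.com", "hybrid-analysis.com", "jsunpack.jeek.org")

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)
# A bare host must start a token and be followed by whitespace, ':' or '/', so that
# "adm.exe" inside a path is not mistaken for a hostname.
BARE_HOST = re.compile(r"(?<![^\s])((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[\s:/]|$)", re.I)


def refang(text: str) -> str:
    """Undo the defanging conventions used in the posts so indicators match real traffic."""
    text = text.replace("[DOT]", ".").replace("[AT]", "@")
    text = re.sub(r"\bhxxp", "http", text, flags=re.I)          # hxxp:// -> http://
    text = re.sub(r"(https?)\s*:\s*//\s*", r"\1://", text, flags=re.I)  # "http :// host" -> "http://host"
    text = re.sub(r"@\s+", "@", text)                           # "user@ domain" -> "user@domain"
    text = re.sub(r"\s+\.(?=[a-z0-9])", ".", text, flags=re.I)  # "host .com" -> "host.com"
    return text


@dataclass
class Blocklist:
    hosts: set[str] = field(default_factory=set)
    ips: set[str] = field(default_factory=set)

    def add(self, host_or_ip: str) -> None:
        target = self.ips if IPV4.fullmatch(host_or_ip) else self.hosts
        target.add(host_or_ip.lower().rstrip("."))

    def matches(self, host_or_ip: str) -> bool:
        """True for a listed IP, a listed host, or any sub-domain of a listed host."""
        h = host_or_ip.lower().rstrip(".")
        if h in self.ips or h in self.hosts:
            return True
        return any(h.endswith("." + listed) for listed in self.hosts)


def parse_indicators(text: str) -> Blocklist:
    """Build a blocklist from defanged indicator lines, one indicator group per line."""
    bl = Blocklist()
    for raw in text.splitlines():
        line = refang(raw)
        for url in URL.findall(line):
            line = line.replace(url, " ")           # keep the URL's own path/IPs out of later passes
            if any(site in url.lower() for site in ANALYSIS_SITES):
                continue                            # a VirusTotal/malwr link is evidence, not an IoC
            host = urlparse(url).hostname
            if host:
                bl.add(host)
        for ip in IPV4.findall(line):
            bl.add(ip)
        for host in BARE_HOST.findall(line):
            bl.add(host)
    return bl


def scan_proxy_log(log_text: str, bl: Blocklist) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, matched host-or-IP) for each request to a blocklisted destination."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, _status = parts[:5]
        dest = urlparse(url).hostname or ""
        if bl.matches(dest):
            hits.append((ts, client, dest))
    return hits


if __name__ == "__main__":
    blocklist = parse_indicators(SAMPLE_IOC_LINES)
    print("hosts:", sorted(blocklist.hosts))
    print("ips:", sorted(blocklist.ips))
    for ts, client, dest in scan_proxy_log(SAMPLE_PROXY_LOG, blocklist):
        print(f"{ts} {client} contacted blocklisted {dest}")
```

Sub-domains of a listed host are matched as well, which is the behaviour you want from a blocklist but means a listed shared-hosting parent would also catch its innocent neighbours; review the host set before deploying it. Requests by raw IP are caught through the IP set, which matters for downloaders that hard-code addresses instead of names.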
Fake 'KPN', 'IMPORTANT TRANSACTION' SPAM, Malvertising Blogspot

FYI...

Fake KPN SPAM - CTB-Locker Ransomware
- https://blog.malwarebytes.org/cybercrime/2016/05/kpn-spam-results-in-ctb-locker-infection/
May 9, 2016 - "... an email claiming to be from KPN – a Dutch provider of internet, television, and phone – claiming an amount so high that it should raise questions or at least your blood pressure. We can safely assume that it is intended to pique the receiver's curiosity enough to get them to click-one-of-the-links in the mail:
> https://blog.malwarebytes.org/wp-content/uploads/2016/05/mail.png
... The spam template is an exact replica of mail KPN sends out to clients. But the “From” address is “KPN-betaalafspraak[AT]kpn[DOT]com” where real ones should come from... The three links all point to the same web address www2[DOT]uebler-gmbh[DOT]de, which is a site that belongs to a German job coaching firm. We informed them of the fact that their site is being used for this, but haven’t heard back yet. We have also informed the Dutch provider KPN through the normal channels, which probably means we will only get an automated response. Clicking-the-links in the mail will result in the download of a zip file containing a file called “Factuur 00055783-63845853.PDF.exe” showing up with a PDF icon. This is a well-known trick to deceive users that have file extensions set to “Hide extensions for known file types” into thinking that they are about to open a (harmless) document... Double-clicking the file will result in the start of the CTB locker ransomware. It creates a copy of the executable with a different name (here hlbvlli.exe) in the %Temp% folder and the creation of a Scheduled Task that will trigger that copied file every time the compromised system boots... After encryption, users are presented with the below ransom note:
> https://blog.malwarebytes.org/wp-content/uploads/2016/05/CTBlocker.png
... these tricks as ransomware is becoming a bigger and more prevalent threat -every- day..."

www2[DOT]uebler-gmbh[DOT]de: 217.114.79.125: https://www.virustotal.com/en/ip-address/217.114.79.125/information/
>> https://www.virustotal.com/en/url/d...5f4ca4351a13d5ba31de903c88e67c7a6db/analysis/
___

Fake 'IMPORTANT TRANSACTION' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fwdimportant-transaction-sendout-review/
9 May 2016 - "An email that appears to come from Western Union with the subject of 'FWD:IMPORTANT TRANSACTION SENDOUT REVIEW' pretending to come from InternationalOperations@ ababank .com <spil@ tim .spil .co.id> with a zip attachment is another one from the current bot runs which delivers malware...

Screenshot: https://myonlinesecurity.co.uk/wp-c...WD-IMPORTANT-TRANSACTION-SENDOUT-1024x533.png

9 May 2016: Sendout-Transaction.zip: Extracts to: -2- identical files GRACE..jar and GRACE. MTCN9863521938- Copy.jar - Current Virus total detections 21/57*.. MALWR** ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...bf6eb456413419c5c3d6c79d/analysis/1462811540/

** https://malwr.com/analysis/ODkxZWZlYTlkNjZhNDQzY2I2ZjkzMmZlN2Q4ZTY3Njk/
___

Locky gets clever
- https://www.fireeye.com/blog/threat-research/2016/05/locky_gets_clever.html
May 9 2016 - "... Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam emails, and may have overshadowed the Dridex banking Trojan as the top spam contributor. FireEye Labs recently observed a new development in the way this ransomware communicates with its control server. Recent samples of Locky are once again being delivered via “Invoice”-related email campaigns, as seen in Figure 1.
1] https://www.fireeye.com/content/dam/fireeye-www/blog/images/Clever Locky Jain/Fig1.png
When the user runs the attached JavaScript, the JavaScript will attempt to download and execute the Locky ransomware payload from hxxp :// banketcentr .ru/v8usja. This new Locky variant was observed to be highly evasive in its network communication. It uses both symmetric and asymmetric encryption – unlike previous versions that use custom encoding – to communicate with its control server... Crimeware authors are constantly improving their malware. In this case, we see them evolving to protect their malware while maximizing its infection potential. Locky has moved from using simple encoding to obfuscate its network traffic to a complex encryption algorithm using hardware instructions that are very hard to crack. These types of advancements highlight the importance of remaining vigilant against suspicious emails and using advanced technologies to prevent infections..."

banketcentr .ru: 81.177.141.15: https://www.virustotal.com/en/ip-address/81.177.141.15/information/
>> https://www.virustotal.com/en/url/f...927ebe8fb534445d85c92c645dc81e97324/analysis/
___

Malvertising Blogspot: Scams, Adult Content and EK's
- https://blog.malwarebytes.org/threa...logspot-scams-adult-content-and-exploit-kits/
May 9, 2016 - "... malvertising can and does target free blogging platforms as well. Just this morning, our friends at Virus Bulletin Martijn Grooten and Adrian Luca wrote about some sites hosted on Google’s Blogspot service pushing tech support scams:
> https://www.virusbulletin.com/blog/2016/05/advertisements-blogspot-sites-lead-support-scam/
We also caught some malicious activity on the Blogger platform this past week via the PLYmedia ad network. Some Blogspot websites clearly abuse the platform and stuff ads everywhere:
> https://blog.malwarebytes.org/wp-content/uploads/2016/05/blogger_ads.png
When browsing that Blogspot site, we were automatically -redirected- to an adult page, which is definitely not good if you have kids around:
> https://blog.malwarebytes.org/wp-content/uploads/2016/05/match99.png
... There were also some -redirections- to the Angler-exploit-kit via -fake- advertisers using the fingerprinting technique:
Ad network: wafra.adk2x .com/ul_cb/imp?p=70368645&size=300×250&ct=html&ap=1300&u=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&r=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&iss=0&f=1
Rogue ad server: advertising.servometer .com/pagead/re136646/ad.jsp?click=%2F%2Fwafra.adk2x.com%2{redacted}
Google Open Referer: bid.g.doubleclick .net/xbbe/creative/click?r1=http%3A%2F%2Fstewelskoensinkeike.loanreview24.com%2FScKOygTMtj_rlf_qIEgRYCq.aspx
Angler EK landing: stewelskoensinkeike.loanreview24 .com/?k=pREU&o=gQ1U2eo&f=&t=MHl&b=O83rsW&g=&n=9rYB42&h=&j=aCYeE9iDym_Ao_T25Uhszm
... We have alerted Google about this issue and contacted PLYmedia to let them know about that rogue advertiser."

wafra.adk2x .com: 104.154.33.56
130.211.124.223
104.197.69.2
104.197.148.20
104.197.4.140
146.148.73.59
146.148.57.82
130.211.160.193
146.148.47.149
104.197.27.39
104.154.52.119
130.211.124.66


advertising.servometer .com: 51.255.17.36

stewelskoensinkeike.loanreview24 .com: Could not find an IP address for this domain name.
___

Hooplasearch and nt. hooplasearch .com Ads
- http://www.bleepingcomputer.com/virus-removal/remove-hooplasearch-ads
May 6, 2016 - "'Hoopla Search' is a browser hijacker program from the Adware.BrowseFox family that hijacks your browser's default search engine and installs addons and extensions that inject advertisements in web pages and search results. 'Hoopla Search' uses these addons or extensions to -inject- advertisements into the search results on search engines such as Google and Yahoo. When the extension is installed, it will also display its own Hoopla Search page instead of your default home page..."
(Removal instructions at the bleepingcomputer URL above.)

:fear::fear: :mad:
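Nearly every post in this thread ends on the same point: the attachment is a zip whose member is a .js, .exe or .jar wearing a document icon, and the KPN mail goes one step further with "Factuur 00055783-63845853.PDF.exe", so that a Windows box with "Hide extensions for known file types" shows only the PDF part. As an added example (not code from the forum, Malwarebytes or myonlinesecurity), the Python below is a mail-gateway style check: it inspects a zip attachment in memory without extracting anything, flags executable and script members and the document-extension-before-executable double extension, and reports identical copies, the "-2-"/"-3- identical files" pattern the posts describe. The zip contents are constructed inert text; the member names are modelled on those quoted in the posts.

```python
import io
import zipfile

# Extensions Windows hands straight to a loader or a script host; a zip attachment
# carrying one of these as a "document" is what the posts in this thread describe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".jar", ".ps1", ".lnk"}
# Extensions a recipient reads as a harmless document; "x.PDF.exe" relies on the final
# ".exe" being hidden by the "Hide extensions for known file types" setting.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".jpg", ".png", ".txt"}


def classify_member(name: str) -> list:
    """Return the reasons a zip member name is suspicious (empty list means nothing found)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Split on every dot so "GRACE..jar" and "report.PDF.exe" both expose their real extension.
    exts = ["." + part.lower() for part in base.split(".")[1:]]
    reasons = []
    if not exts:
        return reasons
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable or script extension {final}")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            reasons.append(f"document extension {exts[-2]} placed before {final} (hidden-extension trick)")
    return reasons


def inspect_attachment(zip_bytes: bytes) -> dict:
    """Inspect an in-memory zip attachment by its central directory only; nothing is extracted.

    Returns {"block": bool, "findings": {member: [reasons]}, "identical_copies": [[members]]}.
    Members with the same CRC and size are reported as identical copies.
    """
    findings = {}
    by_content = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
            by_content.setdefault((info.CRC, info.file_size), []).append(info.filename)
    identical = [names for names in by_content.values() if len(names) > 1]
    return {"block": bool(findings), "findings": findings, "identical_copies": identical}


def build_zip(members: dict) -> bytes:
    """Build a constructed in-memory zip from {member name: text}; contents are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed samples modelled on the attachment names quoted in the posts.
SAMPLE_MALSPAM_ZIP = build_zip({
    "Factuur 00055783-63845853.PDF.exe": "inert placeholder, not a real executable",
    "urgent 802194.js": "// inert placeholder",
    "urgent 802195.js": "// inert placeholder",
    "readme.txt": "inert placeholder",
})
SAMPLE_BENIGN_ZIP = build_zip({"invoice_2016-05.docx": "inert placeholder"})

if __name__ == "__main__":
    for label, blob in (("malspam", SAMPLE_MALSPAM_ZIP), ("benign", SAMPLE_BENIGN_ZIP)):
        print(label, inspect_attachment(blob))
```

The check reads only the zip's central directory, so a large or deliberately slow-to-inflate archive costs nothing to classify; the CRC comparison is what turns "three members" into "three copies of one script", which by itself is a strong malspam signal because no legitimate sender zips the same file three times.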
Fake 'Draft Receipt', 'RE: ', 'credit card statement' SPAM

FYI...

Fake 'Draft Receipt' SPAM - malicious doc attachment
- https://myonlinesecurity.co.uk/malware-yafie-group-redraft-receipt/
10 May 2016 - "An email pretending to be a receipt containing terrible spelling or typing mistakes with the subject of 'Re:Draft Receipt' pretending to come from Awad S.Yafie <yinengchem@ yeah .net> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/05/Draft-Receipt-1024x614.png

The malicious word doc shows a blurred image that contains an embedded OLE object that will drop and run a file if you are unwise enough to follow their suggestion to double click to see content:
> https://myonlinesecurity.co.uk/wp-c...ick-on-the-file-to-view-Properly-1024x535.png

10 May 2016: Draft-MSK-001.docx - Current Virus total detections 15/56*
.. MALWR** which contains an embedded OLE object ..Properly.exe (VirusTotal 21/56***).. MALWR[4]
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...d71cd6d0c5f2809c9312d757/analysis/1462832094/

** https://malwr.com/analysis/NmM1YTQzMTc4MjdlNDIyYjhlODRhMThjYjNlOTNmM2I/

*** https://www.virustotal.com/en/file/...5b05b326fdda87c9c9865c70/analysis/1462830481/

4] https://malwr.com/analysis/NWYyMTE1ZTUzMWRiNGUzMWIzZDk4MzU0OWIyNjY3ZTU/
___

Fake 'RE: ' SPAM - js malware downloads Locky
- https://myonlinesecurity.co.uk/malw...ion-you-requested-is-attached-leads-to-locky/
10 May 2016 - "An email with the subject of 'RE: ' pretending to come from random senders with a zip attachment is another one from the current bot runs... One of the emails looks like:
From: Therese Slater <SlaterTherese8877@ pldt .net>
Date: Tue 10/05/2016 09:42
Subject: RE:
Attachment: wire_xls_AA8.zip
hi rob,
As I promised, the information you requested is attached.
Regards,
Therese Slater


10 May 2016: wire_xls_AA8.zip: Extracts to: transactions 30248504.js - Current Virus total detections 5/57*
.. MALWR** shows a download of Locky ransomware from
http ://jediff .com/fgh7hd (VirusTotal 7/57***) MALWR[4]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...3f1d82ef2d64cd0a0f541fde/analysis/1462870370/

** https://malwr.com/analysis/ODEwNGEwNTE1ZmFkNDVjMjhkOWYwMTExODY0ZWI4YzI/
Hosts
160.153.76.133: https://www.virustotal.com/en/ip-address/160.153.76.133/information/
>> https://www.virustotal.com/en/url/8...6ba4073f6e71f0e2a522d334f1bab8b3f55/analysis/
185.82.202.170: https://www.virustotal.com/en/ip-address/185.82.202.170/information/

*** https://www.virustotal.com/en/file/...9ec9433345c93a8a92d28771/analysis/1462871373/

4] https://malwr.com/analysis/NjY5OGI4MmMzZDRjNGE3MWE5ZjJkNWZiZTM4YTYyOTY/
Hosts
193.124.185.87: https://www.virustotal.com/en/ip-address/193.124.185.87/information/

jediff .com: 160.153.76.133

- http://blog.dynamoo.com/2016/05/malware-spam-as-promised-document-you.html
10 May 2016 - "This fairly brief spam has a malicious attachment:
From: Alexandra Nunez
Date: 10 May 2016 at 21:10
Subject: Re:
hi [redacted],
As promised, the document you requested is attached
Regards,
Alexandra Nunez


The name of the sender varies. Attached is a ZIP file with a name export_xls_nnn.zip or wire_xls_nnn.zip (where nnn are random letters and numbers) which contains multiple copies of the same malicious .js file (all apparently beginning urgent). These scripts download slightly different binaries from several locations including:
4hotdeals .com.au/j47sfe
stationerypoint .com.au/cnb3kjd
floranectar .com.au/er5tsd
togopp .com/vbg5gf
printjuce .com/rt5tdf
designitlikeal .com/cvb3ujd
There are probably many more download locations. The typical detection rate for these binaries is about 12/56 [1] [2]... and automated analysis [6] [7]... shows network traffic to:
5.34.183.40 (ITL, Ukraine)
185.82.202.170 (Host Sailor, United Arab Emirates / Romania)
185.14.28.51 (ITL, Netherlands)
92.222.71.26 (OVH, France)
88.214.236.11 (Overoptic Systems, UK / Russia)
The payload is Locky ransomware
Recommended blocklist:
5.34.183.40
185.82.202.170
185.14.28.51
92.222.71.26
88.214.236.11
"
1] https://www.virustotal.com/en/file/...b98df06c99f8ebf7da200c89aa66f7846ba/analysis/
TCP connections
92.222.71.26

2] https://www.virustotal.com/en/file/...c5e99dbfb5ca5d646ff5be4a5b34169c5a5/analysis/
TCP connections
185.82.202.170

6] https://malwr.com/analysis/ZGU3YjYxNjcwNGVmNGE2ZDllYjUxNjc1N2Q1NjkzZTY/
Hosts
185.82.202.170

7] https://malwr.com/analysis/NGY1YzE1MDdiYjJmNDdkOWIxZDRlMzdmMGM0ZTIyZDU/
Hosts
185.14.28.51
___

Fake 'credit card statement' SPAM - malicious attachment leads to Locky
- https://myonlinesecurity.co.uk/malw...redit-card-statement-attached-to-this-e-mail/
10 May 2016 - "An email with the subject of 'FW: ' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads what looks like Dridex banking Trojan...
Update: according to Payload Security[6] the dropped malware is Locky...
This set of emails has a zip attachment that extracts to an HTA file which is an Internet explorer specific scripting file wrapped inside a standard HTML file that the browser runs. It probably can run however in Chrome, Firefox and any other browser in use. This HTA file is -obfuscated- and encodes a long list of malware URLs inside it... One of the emails looks like:
From: Roselia Bellgrove <BellgroveRoselia914@ digicable .in>
Date: Tue 10/05/2016 10:05
Subject: FW:
Attachment: bruxner_copy_873488.zip
Please find your monthly credit card statement attached to this e-mail.
We would also like to let you know that your negative balance has reached a maximum limit.


10 May 2016: bruxner_copy_873488.zip: Extracts to: details_v35xnsfc24.hta - Current Virus total detections 0/57*
.. MALWR** doesn’t show any downloads BUT JSUnpack[3] gives me the list of download locations, some of which are live and some are not responding, giving me 403 errors (VirusTotal 2/57[4]) MALWR[5]...
sky-hero .com/ad.exe - 213.186.33.171
buyemergencylight .com/ad.exe - 192.117.12.154
ribastiendaonline .com/ad.exe - 185.92.247.46
clearancezone .com.au/ad.exe - 184.164.156.210
zanvair .co.uk/ad.exe - 82.165.151.207
myfashionfavourites .com/ad.exe - 185.66.171.8
anustyle .co.uk/ad.exe - 46.30.212.102
metersdirect .com.au/ad.exe - 52.64.39.102
atlfitness .com.br/ad.exe - 179.107.83.250
shopnutri .com.br/ad.exe - 177.12.173.166
homesdreams .com/ad.exe - 188.40.28.173
liftmaxthailand .com/ad.exe - 119.59.120.32
new-exhibitions.heckfordclients .co.uk/ad.exe - 95.142.152.194
airconditioning-outlet .co.uk/ad.exe - 87.106.53.6
shoppingsin .com/ad.exe - 142.4.49.157
magnumautomotivo .com.br/ad.exe - 186.202.153.10
melodyderm .com/ad.exe - 23.235.196.128
metersdirect .com.au:80/ad.exe - 52.64.39.102
outletsmarcas .com/ad.exe - 67.20.76.133
shoesmackers .com/ad.exe - 74.220.207.142
store.pinkupcape .com/ad.exe - 67.231.106.60
vizyt-shop .com/ad.exe - 136.243.204.62
warehousestudiochicago .com/ad.exe - 166.62.10.30
mikronjoalheria .com.br/ad.exe - 162.213.193.150
getdattee .com/ad.exe - 50.63.119.14
videale .com.br/ad.exe - 403 error / 186.202.126.233
pgkdistribution .co.uk/ad.exe - 160.153.50.192
aw-store .com/ad.exe - 160.153.33.104
gmdengineering .com.au/ad.exe - 103.38.10.109
lyintl .com/ad.exe - 23.229.242.166
fashionpoppers .com/ad.exe - 66.147.244.66
cenasuniformes .com.br/ad.exe - 200.98.197.36
merlindistribuidora .com.br/ad.exe - 186.202.153.108
.. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...52bac4673194dd70e393a236/analysis/1462871863/

** https://malwr.com/analysis/OWE3ODYzYjQ0MGVlNDlmZGE0NGVkZWY4NGRlY2UwYzU/

3] http://jsunpack.jeek.org/?report=9d67b3803d41c32d92807c7f92e81e80a5f0df22

4] https://www.virustotal.com/en/file/...0aa0c214352c52e4f83ba344/analysis/1462872640/

5] https://malwr.com/analysis/ZTM4Y2NlMWNhZjExNGZjNmJiOTVjNDQxMWY1NjA2ZDA/

6] https://www.hybrid-analysis.com/sam...7b00aa0c214352c52e4f83ba344?environmentId=100
Contacted Hosts
217.12.199.94: https://www.virustotal.com/en/ip-address/217.12.199.94/information/
>> https://www.virustotal.com/en/url/1...dc63aa7aa2eb6d659b7610671fdf5b70ebe/analysis/

:fear::fear: :mad:
Fake 'Emailing: Photo', 'attached document' SPAM

FYI...

Fake 'Emailing: Photo' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spam-malware-emailing-photo-05-11-2016-82-95-82-delivers-locky/
11 May 2016 - "An email with the subject of 'Emailing: Photo 05-11-2016, 82 95 82' [random numbers] pretending to come from Your-own-email-address with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... One of the emails looks like:
From: your own email address
Date: Wed 11/05/2016 10:10
Subject: Emailing: Photo 05-11-2016, 82 95 82
Attachment: Photo 05-11-2016, 82 95 82.zip
Your message is ready to be sent with the following file or link
attachments:
Photo 05-11-2016, 82 95 82
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.


11 May 2016: Photo 05-11-2016, 82 95 82.zip: Extracts to: Photo 05-11-2016, 42 11 82.js
Current Virus total detections 2/56* | Hybrid analysis** | MALWR*** shows a download of Locky ransomware from
http ://gesdes .com/87yg7yyb (VirusTotal 5/57[4]) MALWR[5]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...757583489f17f5a84008bc1b/analysis/1462957811/

** https://www.hybrid-analysis.com/sam...4b9757583489f17f5a84008bc1b?environmentId=100
Contacted Hosts
23.229.156.225
88.214.236.11
5.34.183.40


*** https://malwr.com/analysis/YWYwNmEzNmM3YTc2NDVmYTk1OTIwNmI0YTE1M2NhNjQ/
Hosts
23.229.156.225

4] https://www.virustotal.com/en/file/...ce081c4b627ec5d70b0285c6/analysis/1462958159/

5] https://malwr.com/analysis/YzkzOWNkNWZkNmI4NGIzNWI2ODJhOWE5MjJhN2NkY2I/

gesdes .com: 23.229.156.225: https://www.virustotal.com/en/ip-address/23.229.156.225/information/
>> https://www.virustotal.com/en/url/9...a8fa927cd693e9e02df6e079837675c8232/analysis/

- http://blog.dynamoo.com/2016/05/malware-spam-emailing-photo-05-11-2016.html
11 May 2016 - "This spam comes with a malicious attachment:
From: victim@ victimdomain .tld
To: victim@ victimdomain .tld
Date: 11 May 2016 at 12:39
Subject: Emailing: Photo 05-11-2016, 03 26 04
Your message is ready to be sent with the following file or link
attachments:
Photo 05-11-2016, 03 26 04
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.


It appears to come from the sender's own email address, but this is a simple forgery (explained here*). Attached is a ZIP file with a name similar to Photo 05-11-2016, 03 26 04.zip (the numbers in the attachment match the references in the email). It contains a .js file with a similar name.
* http://blog.dynamoo.com/2011/09/why-am-i-sending-myself-spam.html
Trusted third-party analysis (thank you!) shows the various scripts downloading from:
51941656 .de.strato-hosting .eu/87yg7yyb
67.222.43.30 /87yg7yyb
developinghands .com/87yg7yyb
gesdes .com/87yg7yyb
helpcomm .com/87yg7yyb
neihan8 .tk/87yg7yyb
oldtimerfreunde-pfinztal .de/87yg7yyb
otakutamashi .cl/87yg7yyb
sarikamisotelleri .com/87yg7yyb
This drops a file with a detection rate of 3/56*. This is likely to be Locky ransomware, a full analysis is pending. However an earlier Locky campaign today phoned home to:
185.82.202.170 (Host Sailor, United Arab Emirates)
88.214.236.11 (Overoptic Systems, UK / Russia)
5.34.183.40 (ITL, Ukraine)
According to a DeepViz report**, this sample has identical characteristics.
Recommended blocklist:
185.82.202.170
88.214.236.11
5.34.183.40
"
* https://www.virustotal.com/en/file/...2dee46db6d4fa446c5301e54/analysis/1462969284/

** https://sandbox.deepviz.com/report/hash/fdfe7c2af22ed79bc585990d77a918a7/
___

Fake 'attached document' SPAM - JS attachment leads to malware
- https://myonlinesecurity.co.uk/spam...attached-document-for-details-delivers-locky/
11 May 2016 - "A series of emails with random subjects pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs... UPDATE: none of the automatic analysers are actually showing Locky, so it might be Dridex... Some of the subjects seen include:
Re: employees
Re: paychecks
Re: other names
Re: company
Re: Items
Re: build assemblies
Re: transfers
Re: credit memos
Re: checks
Re: estimates
Re: Chart of Accounts
Re: receive payments
Re: credit card charges
Re: item receipts
Re: Vendors ...
One of the emails looks like:
From: Nelda Morton <MortonNelda80048@ static .vnpt.vn>
Date: Wed 11/05/2016 10:34
Subject: Re: employees
Attachment:
hello [ recipients name]
You may refer to the attached document for details.
Regards,
Nelda Morton


11 May 2016: vendors_0A591E.zip: Extracts to: -3- identical .js files - urgent 802194.js
Current Virus total detections 4/57* | Payload Security** | MALWR*** shows a download of Locky Ransomware from
http ://compfixuk .co.uk/uy3hds (VirusTotal 11/57[4]) MALWR[5] | Payload Security[6]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, so making it much more likely for you to accidentally open it and be infected..."

* https://www.virustotal.com/en/file/...b4c594094401ba207e2018fa/analysis/1462960440/

** https://www.hybrid-analysis.com/sam...2d3b4c594094401ba207e2018fa?environmentId=100
Contacted Hosts
185.14.28.51
88.214.236.11
185.82.202.170


*** https://malwr.com/analysis/OWJmYWMxMTU1NGNjNGI3ZmE4NWY2YjJmMjE3MWU4YWE/
Hosts
81.201.141.119
92.222.71.26


4] https://www.virustotal.com/en/file/...d9f4cff02b288bbebf55e7c1/analysis/1462960706/

5] https://malwr.com/analysis/OGVmOWM2ZTU0ZmVlNDk3YmE0NThmMWIyMTUyNGFlNmQ/
Hosts
185.14.28.51
88.214.236.11


6] https://www.hybrid-analysis.com/sam...166d9f4cff02b288bbebf55e7c1?environmentId=100
Contacted Hosts
92.222.71.26

compfixuk .co.uk: 81.201.141.119: https://www.virustotal.com/en/ip-address/81.201.141.119/information/
>> https://www.virustotal.com/en/url/e...d76b3b7e3c8392f681db86097ddbd0056fb/analysis/

:fear::fear: :mad:
Fake 'application' SPAM

FYI...

Fake 'application' SPAM - JS malware attachment
- https://myonlinesecurity.co.uk/spam-malware-we-have-reviewed-your-application/
12 May 2016 - "Another email with the subject of 'FW: ' pretending to come from random senders with a zip attachment is another one from the current bot runs... One of the emails looks like:
From: Fannie Strickland <StricklandFannie70829@ hostviper .in>
Date: Thu 12/05/2016 00:37
Subject: FW:
Attachment: xerox.device1_copy_885254.zip
We have reviewed your application #885254 and would like to let you know that some imporant information is missing. Please, review the file attached and complete the highlighted parts to finalize the application process.


12 May 2016: xerox.device1_copy_885254.zip: Extracts to: confirm_bpwmj.js - Current Virus total detections 6/57*
.. MALWR** shows a download from
http ://panthai .com.br/NtJx6X (VirusTotal 5/57***) MALWR[4] | Payload Security[5]
Other sites found include: http ://festlanddesign .com/qcinTX but it looks like this particular Dridex malspam run drops multiple different file # as well as random file names... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...a20c05c05e63ac3fbd5b5f91/analysis/1463028499/

** https://malwr.com/analysis/YjJmZDE4NzA4ZDM2NDgxYThiZjU3NDkwMDQ3NzBkYjk/
Hosts
200.98.201.219

*** https://www.virustotal.com/en/file/...665a7eabc9fcf7adf1b6ff44/analysis/1463012592/

4] https://malwr.com/analysis/ZTk5ZTVhYzQwMmNkNDA1ZWE4YjUwZmVhN2JmMzcyNWY/

5] https://www.hybrid-analysis.com/sam...5da665a7eabc9fcf7adf1b6ff44?environmentId=100
Contacted Hosts
24.199.222.250
213.192.1.171
188.120.253.193
162.251.84.219


panthai .com.br: 200.98.201.219: https://www.virustotal.com/en/ip-address/200.98.201.219/information/
>> https://www.virustotal.com/en/url/d...bc4fe51f2e513bfb47fdf3335615f4a6d6e/analysis/

festlanddesign .com: 176.28.36.108: https://www.virustotal.com/en/ip-address/176.28.36.108/information/
>> https://www.virustotal.com/en/url/2...1cb1a2b50106ecbce5abcc840fe67663e6b/analysis/

:fear::fear: :mad:
 
Separate 0-day vulns under attack, Tech Support Imposters

FYI...

Separate 0-day vulns under attack
- http://arstechnica.com/security/201...ld-0day-attacks-exploiting-windows-and-flash/
5/10/2016 - "... something that doesn't happen every day: the disclosure of -two- zero-day vulnerabilities, one in the Microsoft operating system[1] and the other in Adobe's Flash Player[2]. The Windows bug is being actively exploited in the wild, making it imperative that users install fixes that Microsoft released today as part of its May Patch Tuesday. Cataloged as CVE-2016-0189*, the security flaw allows attackers to surreptitiously execute malicious code when vulnerable computers visit booby-trapped websites...
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0189
Last revised: 05/11/2016 - '... Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site...'
7.6 HIGH
... Separately, Adobe officials warned that a newly discovered Flash** vulnerability also gives attackers the ability to remotely hijack machines. It was first reported by researchers from security firm FireEye, and exploits exist in the wild...
** https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4117
Last revised: 05/13/2016 - '... Flash Player 21.0.0.226 and earlier allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in May 2016...'
10.0 HIGH
... in-the-wild attacks reported by Symantec[3]... FireEye published a blog post[4]... that described how attackers managed to infect-more-than-100-organizations in North America using a zero-day vulnerability. The bug, however, was CVE-2016-0167, a privilege escalation flaw that Microsoft fixed*** in -last- month's Patch Tuesday..."
*** https://technet.microsoft.com/en-us/library/security/ms16-039.aspx

1] http://technet.microsoft.com/security/bulletin/MS16-051
May 10, 2016
- https://technet.microsoft.com/library/security/ms16-053
May 10, 2016 - Applies to:
Windows Server 2008 R2 Service Pack 1
Windows Server 2008 Service Pack 2
Windows Vista Service Pack 2
2] https://helpx.adobe.com/security/products/flash-player/apsb16-15.html
May 12, 2016
3] http://www.symantec.com/connect/blo...day-exploit-used-targeted-attacks-south-korea
10 May 2016
4] https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html
May 11, 2016
___

Tech Support Imposters ...
- https://blog.malwarebytes.org/cyber...support-imposters-part-ii-where-are-they-now/
May 13, 2016 - "... Fraud is still fraud, no matter how long your disclaimer is. Takedowns have been sent, and Malwarebytes will continue to monitor for the next time this group tries again. For more information on what you should know about tech support scammers to defend yourself, please check out the article here."
> https://blog.malwarebytes.org/tech-support-scams/

:fear::fear: :mad:
 
Fake 'Attached Picture', 'spreadsheet', 'Anti-Fraud' SPAM, Lloyds, Capital One -Phish

FYI...

Fake 'Attached Picture' SPAM - attachment leads to malware
- https://myonlinesecurity.co.uk/spam...rom-scanner-copier-at-your-own-email-address/
16 May 2016 - "Another empty-blank-email email with the subject of 'Attached Picture' pretending to come from copier/scanner/[random numbers] @ your-own-email-address with a zip attachment is another one from the current bot runs which downloads what is likely to be Dridex... One of the emails looks like:
From: copier [random numbers] @ your own email address
Date: Mon, 16 May 2016 10:05:40
Subject: Attached Picture
Attachment: mandy@ ... _0779_436592056.zip


Body content: Blank/Empty

11 May 2016: Current Virus total detections 23/56* - MALWR** shows a download of an -unknown- malware from
http ://www.puertasjoaquin .com/987t5t7g?VOoIYjOJwN=BpMuEo (VirusTotal 2/57***) MALWR[4] | Payload Security[5]
None of the auto analysers are able to give a definite result as to what the malware is. It is more likely to be Dridex banking Trojan rather than Locky ransomware, when this happens... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...7d7281a162181c8b430078d1/analysis/1441173827/

** https://malwr.com/analysis/Y2M1NGNmOGJlNjk1NDliNDlkNWQzNzRkZTNhNDc5MzY/
Hosts
81.88.48.79

*** https://www.virustotal.com/en/file/...f4b7121814deae399466157d/analysis/1463394033/

4] https://malwr.com/analysis/ODkwM2E4ZmM4ZDc3NDFjMTlhODA4MDYxODFkMTUyMTE/

5] https://www.hybrid-analysis.com/sam...256f4b7121814deae399466157d?environmentId=100

puertasjoaquin .com: 81.88.48.79: https://www.virustotal.com/en/ip-address/81.88.48.79/information/
>> https://www.virustotal.com/en/url/6...d12300224b4523557af634ec2134988f547/analysis/
___

Fake 'spreadsheet' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/05/malware-spam-i-have-attached-revised.html
16 May 2016 - "This spam has a malicious attachment:
From: Britney Hart
Date: 16 May 2016 at 13:15
Subject: Re:
hi [redacted]
I have attached a revised spreadsheet contains customers. Please check if it's correct
Regards,
Britney Hart


Other variations of the body text seen so far:
I have attached a revised spreadsheet contains general journal entries. Please check if it's correct
I have attached a revised spreadsheet contains estimates. Please check if it's correct

Attached is a ZIP file with three identical malicious .js files. The ones I have seen so far download from
fundaciontehuelche .com.ar/897kjht4g34
thetestserver .net/fg45g4g
technobuz .com/876jh5g4g4
There are probably other download locations. Each one downloads a slightly different binary (VirusTotal prognosis [1] [2]..) and automated analysis [5] [6].. shows the malware phoning home to:
188.127.231.124 (SmartApe, Russia)
31.184.197.72 (Petersburg Internet Network, Russia)
92.222.71.26 (RunAbove / OVH, France)
149.202.109.202 (Evgenij Rusachenko aka lite-host.in, Russia / OVH, France)
The payload is Locky ransomware.
Recommended blocklist:
188.127.231.124
31.184.197.72
92.222.71.26
149.202.109.202
"
1] https://www.virustotal.com/en/file/...61d5a494a663c318fd5d5c9c/analysis/1463401158/

2] https://www.virustotal.com/en/file/...3cd0110ab3ac5bec569abf02/analysis/1463401746/

5] https://malwr.com/analysis/ZjhlNGNjMjQyMDZkNGJiODk2NTlkMWIzZjIxNjgyYmY/

6] https://malwr.com/analysis/Zjc1MWFhNmJmOTk0NDU5ZGJmMWFjYWFmMDY3MTU5MjY/
___

Fake 'Anti-Fraud' SPAM - delivers Locky ransomware
- https://myonlinesecurity.co.uk/spam-malware-anti-fraud-system-332571-delivers-locky/
16 May 2016 - "An email that pretends to alert you to strange activity on your credit card, with the subject of 'Anti-Fraud System-332571' [random numbered] pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: Mirabel Orton <OrtonMirabel31@ une .net.co>
Date: Mon 16/05/2016 17:10
Subject: Anti-Fraud System-332571
Attachment: bruxner_data_332571.zip
We have noticed a strange activity. Please, confirm the transaction made from your card and listed in the document attached.


16 May 2016: bruxner_data_332571.zip: Extracts to: post_scan_rhgzp.js - Current Virus total detections 23/56*
.. MALWR** shows a download of Locky ransomware from
http ://steeldrill .com.au/Cs0St6.exe (VirusTotal 6/57***) MALWR[4] | Payload Security[5]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/ PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...7d7281a162181c8b430078d1/analysis/1441173827/

** https://malwr.com/analysis/M2ZlYjk2M2M4YmRiNDc5NTg3Y2I4YWIxODc0ZjFjY2U/
Hosts
203.143.85.203

*** https://www.virustotal.com/en/file/...7b43deea6cd18d4ed92e7e43/analysis/1463415891/

4] https://malwr.com/analysis/YWQ0Nzg4ODhiZTIyNDdjZGJiZDBkY2VlNzM3ZDZkY2E/

5] https://www.hybrid-analysis.com/sam...8427b43deea6cd18d4ed92e7e43?environmentId=100
Contacted Hosts
217.12.199.151: https://www.virustotal.com/en/ip-address/217.12.199.151/information/
>> https://www.virustotal.com/en/url/5...cbdd137795e7541ada3dae28c3474d3e18e/analysis/

steeldrill .com.au: 203.143.85.203: https://www.virustotal.com/en/ip-address/203.143.85.203/information/
>> https://www.virustotal.com/en/url/f...3258f534d7d26fada3218dfc5f057626b0e/analysis/
___

Fake 'Security report' SPAM - malicious attachment
- https://myonlinesecurity.co.uk/spam-malware-security-report/
16 May 2016 - "An email with the subject of 'Security report' pretending to come from random senders with a zip attachment is another one from the current bot runs... Looks like Locky... One of the emails looks like:
From: Gwennie Patron <PatronGwennie32083@ babygate .net>
Date: Mon 16/05/2016 18:55
Subject: Security report
Attachment:
Hello ,due to the technical problems associated with our security system, we kindly ask our customers to review the recent report in order to approve your last transactions. Thanks


16 May 2016: securityx062CBD2.zip: Extracts to: data_xe2q2mizervx.js - Current Virus total detections 2/57*
.. Payload security** shows a download from one of these 3 locations
mantisputters .com/s7LUXu.exe | blueoxaladdin .com/pArFOY.exe | produtosvivabem .com.br/51aIMi.exe
(VirusTotal 3/57[3]) MALWR[4] | Payload Security [5]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...9f2846ce71e533ec75f89758/analysis/1463421357/

** https://www.hybrid-analysis.com/sam...1189f2846ce71e533ec75f89758?environmentId=100
Contacted Hosts
52.4.223.98
65.23.141.248
186.202.59.80


3] https://www.virustotal.com/en/file/...37a00e6fc2a73e61fbb499fa/analysis/1463422004/

4] https://malwr.com/analysis/OTY2M2VlZTIxNzQyNDU2NDllNWEzMTlkMmJhZmUyNTc/

5] https://www.hybrid-analysis.com/sam...4f837a00e6fc2a73e61fbb499fa?environmentId=100

mantisputters .com: 52.4.223.98: https://www.virustotal.com/en/ip-address/52.4.223.98/information/
>> https://www.virustotal.com/en/url/1...9d90147d070c1ba461e968c53bd5a6242e0/analysis/

blueoxaladdin .com: 65.23.141.248: https://www.virustotal.com/en/ip-address/65.23.141.248/information/
>> https://www.virustotal.com/en/url/f...8e655eed77b85d084d7739c49f1afb198f2/analysis/

produtosvivabem .com.br: 186.202.59.80: https://www.virustotal.com/en/ip-address/186.202.59.80/information/
___

Lloyds bank - Phish
- https://myonlinesecurity.co.uk/why-phishing-works-so-well/
16 May 2016 - "... the phishers use domain names that are so believable and the registrars allow them to register the domains...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/05/lloyds_phish-1024x786.png

The link in the email goes to http ://bank-update .com/personal/logon/ ... It even has the Lloyds bank icon in url bar. All they needed to do to make it 100% believable was either add a cheap or free SSL certificate or use a padlock symbol as an icon instead of the Lloyds black horse icon:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/05/lloyds_bank_update-1024x588.png
This asks you for your user name & password and then 3 characters from your secret information ( as does the genuine Lloyds bank) then full secret information and phone number, then secret information, phone number and password, then -bounces- you to genuine Lloyds bank site."

bank-update .com: 66.225.198.23: https://www.virustotal.com/en/ip-address/66.225.198.23/information/
>> https://www.virustotal.com/en/url/a...5be77fac616bd6b8f2fd759f1d670cfe67b/analysis/
104.128.234.224: https://www.virustotal.com/en/ip-address/104.128.234.224/information/
>> https://www.virustotal.com/en/url/e...ec2ed98e3b43cfbde4417a5fef598101bb4/analysis/
___

Capital One - Phish
- https://myonlinesecurity.co.uk/phishing-e-payment-alert-on-your-account-capital-one-360/
16 May 2016 - "... more difficult to detect phishing attempt this time... Many card companies and banks do send PDF files as attachments with credit card statements. Some no doubt will have links to the bank website. Starts with a Blank email.

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/05/capital_one_pdf.png

The link in the PDF goes to http ://demelos .com.au/classes/commons/config/actionnn.htm which sends you on to http ://https-secure-capitalone360 .com-myaccount-banking.demelos .com.au/e8ea76f546cb0ea35cc83e95d7ae37eb/
where you see this webpage and it goes on to a typical phishing page asking for loads of personal & private details that compromise you completely.":
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/05/capital_one_web_phish-1024x656.png

demelos .com.au: 27.121.64.122: https://www.virustotal.com/en/ip-address/27.121.64.122/information/
>> https://www.virustotal.com/en/url/e...e64ad22bdd26bcdde62cdfc344ce707858b/analysis/

>> https://www.virustotal.com/en/url/d...fd7e74e7852073a0cda34df500741e20e77/analysis/
___

The Million-Machine 'Clickfraud' Botnet
- http://www.computerworld.com/articl...d-botnet-now-infects-almost-1m-computers.html
May 16, 2016 - "... The click-fraud botnet earns its creators money through Google's AdSense for Search program, according to researchers from security firm Bitdefender*. The affiliate program, intended for website owners, allows them to place a Google-powered custom search engine on their websites to generate revenue when users click on ads displayed in the search results... Strategies have changed dramatically in the past few years, with new approaches... this botnet's operators -intercept- Google, Bing, and Yahoo searches performed by users on their own computers and replace the legitimate results with those generated by their custom search engine. They do this using a malware program that Bitdefender products detect as Redirector.Paco. Since mid-September 2014, Redirector.Paco has infected more than 900,000 computers worldwide, mainly from India, Malaysia, Greece, the U.S., Italy, Pakistan, Brazil, and Algeria, the Bitdefender researchers said in a blog post Monday*..."
* https://labs.bitdefender.com/2016/05/inside-the-million-machine-clickfraud-botnet/

:fear::fear: :mad:
 
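Every entry in this thread defangs its indicators the same way ("http ://steeldrill .com.au/Cs0St6.exe", "steeldrill .com.au: 203.143.85.203", a bare IP with a comment), and the Dynamoo post above ends with a "Recommended blocklist". Below is an added Python example, not code from this thread or from the blogs it quotes, that refangs lines written in that convention into normalized domains, URLs and IPs and emits a blocklist. It assumes the thread's own conventions (a space before each dot in a host, "http ://" for URLs, "user@ host .tld" for senders); sender domains are deliberately skipped because the posts describe them as spoofed. The sample lines are copied from the posts above.

```python
"""Refang the defanged indicators used in this thread and build a blocklist.

Added example. Assumes the thread's conventions: hosts written as
"host .tld", URLs as "http ://host .tld/path", IPs written plainly, and
sender addresses as "user@ host .tld" (spoofed, so never blocklisted).
"""
import ipaddress
import re

# A defanged host: labels joined by " ." at least once, optional broken scheme
# in front ("http ://"), optional path after. Lookbehinds reject "user@ host".
_DEFANGED_RE = re.compile(
    r"(?:(https?) ?: ?//)?"                        # "http ://" with the space
    r"(?<!@)(?<!@ )\b"                             # skip "user@ host .tld" senders
    r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*"          # leading labels, e.g. pro.monbento
    r"(?: \.[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)+)"  # one or more " .label[.label]"
    r"(/[^\s|()]*)?"                               # optional path (stops at space, | or ))
)
# Plain dotted quads; the lookarounds keep us out of longer dotted strings.
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def _clean_host(raw):
    """'steeldrill .com.au' -> 'steeldrill.com.au'; None if it is not a sane name."""
    host = raw.replace(" .", ".").lower()
    labels = host.split(".")
    # Reject empty labels (from "word ...") and numeric "TLDs".
    if any(not lbl for lbl in labels) or not labels[-1].isalpha():
        return None
    return host


def extract_indicators(text):
    """Return {'domains', 'urls', 'ips'} sets from defanged thread text."""
    found = {"domains": set(), "urls": set(), "ips": set()}
    for line in text.splitlines():
        for m in _DEFANGED_RE.finditer(line):
            scheme, raw_host, path = m.groups()
            host = _clean_host(raw_host)
            if host is None:
                continue
            found["domains"].add(host)
            if scheme or path:  # only keep a URL when the line actually gave one
                found["urls"].add(f"{(scheme or 'http').lower()}://{host}{path or ''}")
        for m in _IPV4_RE.finditer(line):
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # e.g. an octet above 255
            if ip.is_global:  # drop RFC1918 and other non-routable noise
                found["ips"].add(str(ip))
    return found


def blocklist(found):
    """One indicator per line: IPs in address order, then domains alphabetically."""
    return sorted(found["ips"], key=ipaddress.ip_address) + sorted(found["domains"])


# Sample lines copied from the posts above (the sender line must NOT yield a domain).
SAMPLE = """\
http ://steeldrill .com.au/Cs0St6.exe (VirusTotal 6/57***) MALWR[4] | Payload Security[5]
mantisputters .com/s7LUXu.exe | blueoxaladdin .com/pArFOY.exe | produtosvivabem .com.br/51aIMi.exe
From: Mirabel Orton <OrtonMirabel31@ une .net.co>
steeldrill .com.au: 203.143.85.203: https://www.virustotal.com/en/ip-address/203.143.85.203/information/
188.127.231.124 (SmartApe, Russia)
Recommended blocklist:
31.184.197.72
"""

if __name__ == "__main__":
    for entry in blocklist(extract_indicators(SAMPLE)):
        print(entry)
```

The regex is deliberately strict about the " ." spacing so that the analysis links the posts cite (virustotal.com, malwr.com, hybrid-analysis.com, written normally) are never pulled into the blocklist; feed it only text written in the thread's defanged style.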
Multiple Locky ransomware emails/attachments; TechSupportScams - phone extortion

FYI...

Fake Multiple subjects SPAM - attachments delivering Locky ransomware
- https://myonlinesecurity.co.uk/spam...-attachments-all-delivering-locky-ransomware/
17 May 2016 - "... Locky ransomware emails overnight with varying subjects all pretending to come from random senders with either zip attachments or word doc macro attachments... Some of the subjects seen include:
Your .pdf document is attached
Re:
Hedy Castaneda
Dara Keith

The word doc ones have a subject that matches the alleged sender. One of the emails with a word doc attachment looks like:
From: Dara Keith <admin@ hk-mst .com>
Date: Tue 17/05/2016 04:49
Subject: Dara Keith
Attachment: 706-d4390-lncnvy.dotm
Hello
Please find the report attached to this message. The Payment should appear in 1-2 days.
Dara Keith

Alternative body content
Please review the report attached to this email. The Transfer will be posted within one day.
Best regards


17 May 2016: 706-d4390-lncnvy.dotm - Current Virus total detections 2/57* 2/56[1] 2/57[2].. MALWR [a] [b1].. doesn’t show any downloads. It is likely that the download sites will match the other Locky downloaders using zip attachments. I am waiting for full analysis...
Update: finally got an analysis from Payload security[7] of 1 of the word doc files which shows a download from
xlstrategy .com/ch.jpg?Ux=43 which is a genuine jpg, however the jpg contains malware -embedded- inside it, which is extracted via the malicious-macro and a VBS file that the macro creates (VirusTotal 4/57[8]). This actually is Dridex banking trojan not Locky.
7] https://www.hybrid-analysis.com/sam...6a8f25394106acb3c8cae2e0d06?environmentId=100
Contacted Hosts
107.180.20.71: https://www.virustotal.com/en/ip-address/107.180.20.71/information/
>> https://www.virustotal.com/en/url/2...2d71a05934e67480f1acf4f1e8034545ac2/analysis/

8] https://www.virustotal.com/en/file/...5cf3be69902379506385e7f2/analysis/1463492903/

* https://www.virustotal.com/en/file/...b29b7263708bb58805b21fc9/analysis/1463461891/

1] https://www.virustotal.com/en/file/...794ae37b45d788cf2b18ea8e/analysis/1463467476/

2] https://www.virustotal.com/en/file/...e085f51ab518f3d7e2dfbf68/analysis/1463467521/

a] https://malwr.com/analysis/MzQwN2Y1MDI1YTNjNDc0ZWEwOWU4YjE1M2UxMTAyOWY/

b1] https://malwr.com/analysis/MGE2MjA1ZjcxY2U3NGY0ODhjMTRhZmFlNDc3OWM2ZDQ/

One of the emails with a zip attachment looks like:
From: Your own email address
Date: Tue 17/05/2016 01:38
Subject: Your .pdf document is attached
Attachment: D948699.zip


Body content: Blank/Empty email body

17 May 2016: D948699.zip: extracts to 20160516_38064087_27108995.js - Current Virus total detections 9/57[3]
.. downloads from hrlpk .com/7834hnf34?XrkJSbPOxS=klrLzHBbOX (VirusTotal 11/56[4])
3] https://www.virustotal.com/en/file/...38ae15bf50fed478bc69bced/analysis/1463459479/

4] https://www.virustotal.com/en/file/...e8f833dc7ce603ebf6782048/analysis/1463457732/
TCP connections
217.12.199.151: https://www.virustotal.com/en/ip-address/217.12.199.151/information/

hrlpk .com: 203.124.43.226: https://www.virustotal.com/en/ip-address/203.124.43.226/information/
>> https://www.virustotal.com/en/url/4...2f3bbe3e3a420c62da6af51222af3e33020/analysis/

Another one of the emails with a zip attachment looks like:
From: Ryan Solomon <SolomonRyan332@ cparsons .net>
Date: Tue 17/05/2016 01:42
Subject: Re:
Attachment: sales orders_BEA6B3A2.zip
hi vbygry
Please refer to the attached document contains sales orders
Let me know if it’s correct
Regards,
Ryan Solomon


17 May 2016: sales orders_BEA6B3A2.zip: extracts to history 8426558.js - Current Virus total detections 6/57[5]
.. downloads from http ://fundacionbraun .com/gh567jj56 (VirusTotal 11/57[6]) The zip attachment here contains 3 identical copies of the .js file all padded with loads of //// to confuse analysis and make them look much bigger than they are...
5] https://www.virustotal.com/en/file/...6a476accd63203b7f009ee26/analysis/1463462139/

6] https://www.virustotal.com/en/file/...61d6fbe6d422b24dca6ab6ff/analysis/1463447956/
TCP connections
188.127.231.124: https://www.virustotal.com/en/ip-address/188.127.231.124/information/

fundacionbraun .com: 209.126.254.163: https://www.virustotal.com/en/ip-address/209.126.254.163/information/
>> https://www.virustotal.com/en/url/a...207cc0df1aa02a549c52b788155f68b5ac4/analysis/

This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
___

Fake 'car booking' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spam-malware-thank-you-for-booking-you-car-with-us-delivers-locky/
17 May 2016 - "... an email with the subject of 'FW: ' pretending to be a notification of a car booking and also pretending to come from random senders with a zip attachment containing a nemucod javascript downloader is also another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: Jo-Ann Crowe <CroweJo-Ann0223@ londonrelax .co.uk>
Date: Tue 17/05/2016 07:54
Subject: FW:
Attachment: copy-20160517122213.zip
Thank you for booking you car with us, we hope you enjoy our service. Rental agreement is enclosed to this e-mail.


17 May 2016: copy-20160517122213.zip: Extracts to: data_vevbypapxx.js - Current Virus total detections 4/57*
.. MALWR** shows a download of Locky ransomware from
http ://myfloralkart .com/MwtBk1.exe (VirusTotal 21/56***).... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...0bf853390d0bb51a724c086b/analysis/1463468058/

** https://malwr.com/analysis/ODhmNDNmYmNiMDNjNGVlMTg5NTRlNjQ5MDc4NWY4ZmM/
Hosts
198.57.205.1: https://www.virustotal.com/en/ip-address/198.57.205.1/information/
128.199.120.158
176.58.99.126: https://www.virustotal.com/en/ip-address/176.58.99.126/information/

*** https://www.virustotal.com/en/file/...37a00e6fc2a73e61fbb499fa/analysis/1463463109/

myfloralkart .com: 128.199.120.158: https://www.virustotal.com/en/ip-address/128.199.120.158/information/
>> https://www.virustotal.com/en/url/6...3ad0870e5542cdb54e81a4e3eb4e55feb16/analysis/
___

Fake 'contract' SPAM - downloads Locky
- https://myonlinesecurity.co.uk/spam...g-our-company-and-signing-a-contract-with-us/
17 May 2016 - "... email with the subject of 'FW: ' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: Susann Faitele <FaiteleSusann335@ webtravelmarket .com>
Date: Tue 17/05/2016 11:34
Subject: FW:
Attachment: security-20160517160422.zip
Thanks for choosing our company and signing a contract with us, we’re sending you a copy as promised.


17 May 2016: security-20160517160422.zip: Extracts to -2- different files data_veivommzha.js
Current Virus total detections 4/57* and archive_doctomjjz.js (VirusTotal 4/56**) - MALWR [1] [2] shows a download of Locky ransomware from one of these sites (VirusTotal 4/56[3])
http ://soco-care .be/zcHRd8.exe
http ://delicadinha .com.br/MSr7Uy.exe
http ://pro.monbento .com/8Uya5I.exe
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...f6bb6cbad941817ee6eb1902/analysis/1463481488/

** https://www.virustotal.com/en/file/...9ecb52ee9d80e68ee0fb5619/analysis/1463481291/

1] https://malwr.com/analysis/ZmFjZWI2MDAxOGM4NDQxNjliNGE0MWQ4MTIyN2Q0Y2Y/
Hosts
201.94.232.185: https://www.virustotal.com/en/ip-address/201.94.232.185/information/
>> https://www.virustotal.com/en/url/7...0d70794039c3685c5e2594a1994decfe960/analysis/
79.174.131.11: https://www.virustotal.com/en/ip-address/79.174.131.11/information/
>> https://www.virustotal.com/en/url/f...d47b27d2aa9be9a1f6fcee0179a6e791bd0/analysis/
188.165.125.141: https://www.virustotal.com/en/ip-address/188.165.125.141/information/
>> https://www.virustotal.com/en/url/6...9b37daff796265fcc6e00277e5a7a4f09b0/analysis/

2] https://malwr.com/analysis/MGEwMTk5NDc1NDE4NDMzYThlODBjMzVhMmQ4NDJmYjg/
Hosts
201.94.232.185
79.174.131.11
188.165.125.141


3] https://www.virustotal.com/en/file/...87d63ffaec6b05b9d3b1915a/analysis/1463485442/
___

Fake 'Per E-Mail' SPAM - malicious attachment is Locky ransomware
- http://blog.dynamoo.com/2016/05/malware-spam-per-e-mail-senden.html
17 May 2016 - "This German-language -spam- comes with a malicious attachment. It appears to come from the victim themselves, but this is just a simple-forgery.
From: victim@ victimdomain .tld
Date: 17 May 2016 at 13:28
Subject: Per E-Mail senden: DOC0000329040
Folgende Dateien oder Links können jetzt als Anlage mit Ihrer Nachricht
gesendet werden:
DOC0000329040


Attached is a ZIP file that matches the reference number in the subject and body text. I have only seen one sample, downloading a binary from:
katyco .net/0uh8nb7
The VirusTotal detection rate is 4/57*, the comments in that report indicate that this is Locky ransomware and the C&C servers are at:
188.127.231.124 (SmartApe, Russia)
176.53.21.105 (Radore Veri Merkezi Hizmetleri, Turkey)
217.12.199.151 (ITL, Ukraine)
107.181.174.15 (Total Server Solutions, US)
Recommended blocklist:
188.127.231.124
176.53.21.105
217.12.199.151
107.181.174.15
"
* https://www.virustotal.com/en/file/...ab1f3b736856f6be279d4e7a8113ad065d5/analysis/
Comments:
> https://myonlinesecurity.co.uk/spam-malware-per-e-mail-senden-print0008451941-delivers-locky/
17 May 2016
>> https://malwr.com/analysis/NmZiZmZhOTE0Mzk2NGQwNDgyNjdkNTU2NjViZDNhM2Q/
Hosts
203.162.53.112: https://www.virustotal.com/en/ip-address/203.162.53.112/information/

katyco .net: 203.162.53.112
___

Fake 'BILL' SPAM - downloads Locky
- https://myonlinesecurity.co.uk/spam-malware-bill-store-nellimarla-jute-mills-co-ltd/
17 May 2016 - "An email with the subject of 'BILL' pretending to come from Store-Nellimarla Jute Mills Co Ltd. <yfstore857@ slsenterprise .com> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs downloading Locky... The email looks like:
From: . <yfstore857@ slsenterprise .com>
Date:
Subject: BILL
Attachment:
Sir,
Please find the attached file.


17 May 2016: Bill_481575758.xls - Current Virus total detections 6/57*
.. MALWR** shows a download from
http ://seahawkexports .com/89yg67no (VirusTotal ***).. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...a45361f93e746af2d88afacc/analysis/1463496996/

** https://malwr.com/analysis/M2VmM2ZjOWFmZWY3NDFiZmFhYTE3Yzk0MGFkYzk4MjE/
Hosts
43.242.215.197: https://www.virustotal.com/en/ip-address/43.242.215.197/information/
>> https://www.virustotal.com/en/url/0...6b384a8e0a9be9e9a14f41330fec5046167/analysis/

*** https://www.virustotal.com/en/file/...35c06efdeadac292221caa9c/analysis/1463500609/

seahawkexports .com: 43.242.215.197
___

Tech Support Scammers - 'Screen Lockers'
- https://blog.malwarebytes.org/cyber...ort-scammers-get-serious-with-screen-lockers/
May 17, 2016 - "... -bogus- browser locks and -fake- AV alerts which are mostly an annoyance and can somewhat easily be disabled... But things have been changing with more serious malware-like techniques to force people into calling rogue tech support call centres. We previously saw a case of fake Blue Screen Of Death (BSOD) actually locking-up people’s desktops and now there is a growing demand for such ‘products’. Below is a Facebook post advertising a 'locker' specifically designed for tech support scams. It tricks users into thinking their Windows license has expired and blocks them from using their computer:
> https://blog.malwarebytes.org/wp-content/uploads/2016/05/FB_posting.png
To be clear, this is -not- a fake browser pop up that can easily be terminated by killing the application or restarting the PC. No, this is essentially a piece of malware that starts automatically, and typical Alt+F4 or Windows key tricks will -not- get rid of it. There is an entire ecosystem to distribute these tech support lockers, which includes bundling them into affiliate (Pay Per Install) applications. What you -thought- was a PC optimizer or Flash-Player-update turns out to be a bunch of useless toolbars and, in some cases, one of these lockers. Another reason yet, if there weren’t enough already to -stay-away- from-adware-supported-programs... This is a -fake- Windows update but the average user will probably not see the difference. More troubling is the next screen that comes up and effectively -disables-the-computer- because of an expired license key. The message looks legitimate with the license key and computer name being retrieved from the victim’s actual computer:
> https://blog.malwarebytes.org/wp-content/uploads/2016/05/key.png
The only recourse it seems is to call the toll-free number for assistance. As you can imagine, these fake Windows programs are great leads for tech support call centres waiting to collect the credit card numbers of unsuspecting users. We called the number (1-844-872-8686) provided on the locked screen and after much back and forth, the technician revealed a hidden functionality to this locker... However, the rogue ‘Microsoft technician’ would not proceed any further until we paid the $250 fee to unlock the computer, which we weren’t going to... these Windows lockers are a real pain to get rid of and until you do so, your computer is completely unusable. Just in the past few days we have noticed more and more users complaining about these new lockers. This increased sophistication means that people can no longer simply rely on common sense or avoid the typical cold calls from ‘Microsoft’. Now they need to also have their machines protected from these attacks because scammers have already started manufacturing malware tailored for what is essentially plain and simple extortion over the phone..."

:fear::fear: :mad:
 
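The posts above keep returning to the same attachment pattern: a ZIP that holds a .js or .exe which looks like a DOC/PDF/JPG when "show known file extensions" is off, and in one case three identical copies of the .js padded with "////" to inflate the size and confuse analysis. As an added example, not code from this thread or from the blogs it quotes, here is a Python triage routine a mail gateway could run on a ZIP attachment: it names members that are scripts, executables or macro-capable Office files, flags decoy double extensions, detects identical members by SHA-256 and measures slash padding. The sample archive is constructed in-line around a harmless one-line script; nothing from the actual campaigns is used, and the extension sets are my own choice.

```python
"""Triage a ZIP e-mail attachment for the tricks described in the posts above.

Added example; the extension lists and the 50% padding threshold are
assumptions, not values from the thread.
"""
import hashlib
import io
import os
import re
import zipfile

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
MACRO_EXTS = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm"}
DECOY_EXTS = {".pdf", ".doc", ".jpg", ".jpeg", ".png", ".txt"}
_PAD_RE = re.compile(rb"/{4,}")  # runs of the "////" filler


def _exts(name):
    """'invoice.pdf.js' -> ['.pdf', '.js']: every suffix, lower-cased."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(data):
    """Return a list of (finding, detail) tuples for one ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        digests = {}  # sha256 -> member names, to spot identical copies
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _exts(info.filename)
            last = exts[-1] if exts else ""
            if last in SCRIPT_EXTS:
                findings.append(("script_member", info.filename))
            elif last in EXEC_EXTS:
                findings.append(("executable_member", info.filename))
            elif last in MACRO_EXTS:
                findings.append(("macro_capable_member", info.filename))
            # "scan.jpg.exe": the decoy extension is what a user with hidden
            # extensions sees; the real one is what Windows executes.
            if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in SCRIPT_EXTS | EXEC_EXTS:
                findings.append(("double_extension", info.filename))
            content = zf.read(info)
            digests.setdefault(hashlib.sha256(content).hexdigest(), []).append(info.filename)
            if last in SCRIPT_EXTS and content:
                padding = sum(len(m.group()) for m in _PAD_RE.finditer(content))
                if padding / len(content) > 0.5:
                    findings.append(("slash_padding", f"{info.filename}: {padding}/{len(content)} bytes"))
        for names in digests.values():
            if len(names) > 1:
                findings.append(("identical_members", ", ".join(names)))
    return findings


def verdict(findings):
    """Quarantine anything carrying a script, an executable or a spoofed name."""
    block = {"script_member", "executable_member", "double_extension"}
    return "quarantine" if any(kind in block for kind, _ in findings) else "allow"


def build_sample_zip(names, payload):
    """Constructed sample attachment: the same payload stored under each name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed stand-in for the padded downloader: a harmless statement followed
# by the kind of "////" filler the post describes (not the real script).
SAMPLE_JS = b"var x = 1;\n" + b"/" * 4000 + b"\n"
SAMPLE_ZIP = build_sample_zip(
    ["history 8426558.js", "history 8426558 (1).js", "history 8426558 (2).js"], SAMPLE_JS
)

if __name__ == "__main__":
    results = triage_zip(SAMPLE_ZIP)
    for kind, detail in results:
        print(f"{kind}: {detail}")
    print("verdict:", verdict(results))
```

The padding check is a ratio rather than an absolute size, so a large but legitimate script is not flagged; the identical-members check needs no knowledge of the script's contents, which is the point when detection rates on the .js are 2/57.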
Fake 'DOC', 'Invoice', 'DHL shipment', 'Remittance Advice' SPAM

FYI...

Fake 'DOC' SPAM - JS malware
- https://myonlinesecurity.co.uk/spam...etending-to-come-from-your-own-email-address/
18 May 2015 - "Another email with the subject of 'Emailing: DOC 05-18-2016, 04 49 68' [random numbered] pretending to come from your own email address with a zip attachment is another one from the current bot runs... slightly different subjects all with random numbers after the date
Emailing: Picture 05-18-2016, 34 57 55
Emailing: DOC 05-18-2016, 04 49 68
Emailing: Image 05-18-2016, 12 20 14
Emailing: photo 05-18-2016, 60 93 51

... One of the emails looks like:
From: Your own email address
Date: Wed 18/05/2016 11:31
Subject: Emailing: DOC 05-18-2016, 04 49 68
Attachment: DOC 05-18-2016, 04 49 68.zip
Your message is ready to be sent with the following file or link
attachments:
DOC 05-18-2016, 04 49 68
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.


18 May 2016: DOC 05-18-2016, 04 49 68.zip: Extracts to: HWC4703756.js - Current Virus total detections 6/57*
.. MALWR** shows a download from feedconsumer.upfrontjournal .com/erg54g4?ooGXPymBM=fNULIh (VirusTotal 3/56***)
Payload security[4] shows this downloads a further file from diolrilk .at/files/cyAOiY.exe (virustotal 1/57[5])
which makes this more likely to be Dridex banking Trojan rather than a ransomware version... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...abacd9f535c6bd7cb4908f13/analysis/1463568343/

** https://malwr.com/analysis/OTM4NTg0NmM3ODBjNDk2YjkyYTc3ZWI1NzVlYzBhYmQ/
Hosts
173.236.177.29: https://www.virustotal.com/en/ip-address/173.236.177.29/information/

*** https://www.virustotal.com/en/file/...d8266b27b76988219e47134a/analysis/1463567581/
TCP connections
109.235.139.64: https://www.virustotal.com/en/ip-address/109.235.139.64/information/
31.8.133.98: https://www.virustotal.com/en/ip-address/31.8.133.98/information/

4] https://www.hybrid-analysis.com/sam...b3ad8266b27b76988219e47134a?environmentId=100
Contacted Hosts
109.235.139.64: https://www.virustotal.com/en/ip-address/109.235.139.64/information/
5.105.221.126: https://www.virustotal.com/en/ip-address/5.105.221.126/information/

5] https://www.virustotal.com/en/file/...368dae48304bdb32de758a6a/analysis/1463569252/
___

Fake 'Invoice' SPAM - JS malware drops Dridex
- https://myonlinesecurity.co.uk/spam-malware-invoice-1723-812595-drops-dridex/
18 May 2016 - "An email with the subject of 'Invoice 1723-812595' [random numbered] pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which contains what looks like the embedded Dridex binary inside the 274 kb .JS file in a base 64 encoded section... One of the emails looks like:
From: Vasquez.Jaspero@ hcrltd .com.br
Date: Wed 18/05/2016 11:54
Subject: Invoice 1723-812595
Attachment: Invoice 1723-812595.zip
Hi,
Please find attached copy of invoice SN04359806 as requested. I would be grateful if you could reply to this email to ensure I have sent it to the correct address.
Kind Regards, Jasper Vasquez


18 May 2016: Invoice 1723-812595.zip: Extracts to: invoice_6126.js - Current Virus total detections 1/57*
.. MALWR** shows no downloads but shows the dropped bin file in base64 encoding (VirusTotal 3/57***)
.. Payload security[4] gives some more information, but not much... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...842812bb9ce876256fabea78/analysis/1463569142/

** https://malwr.com/analysis/ZmNmZGE1NDI1Y2MxNGI3YWExNzdhNTUzM2MzZjU2Nzk/

*** https://www.virustotal.com/en/file/...1e74d0bc31224da4685b99bf/analysis/1463570330/

4] https://www.hybrid-analysis.com/sam...2b4842812bb9ce876256fabea78?environmentId=100
___

Fake 'DHL shipment' SPAM - doc malware
- https://myonlinesecurity.co.uk/spam-malware-shipment-address-confirmation-re-send/
18 May 2016 - "An email with the subject of 'shipment address confirmation (re-send)' pretending to come from info <info@ dhl-services .com> with a zip attachment that extracts to a malicious word doc is another one from the current bot runs... The email looks like:
From: info <info@ dhl-services .com>
Date: Wed 18/05/2016 14:25
Subject: shipment address confirmation (re-send)
Attachment: dhl shipment #000516.zip
Dear all
After reviewing your shipment BL container number; we need to confirm, did your company change shipment address? If yes, attach you can find the information to re-confirm your shipment address.
We require your quick confirmation and reply to this development
Regards.
Alice M. York,
5/17/2016
Oversea Frieght Information Manager,
WorldWide Delivery Services DHL ...


18 May 2016: dhl shipment #000516.zip: extracts to shipment details.doc - Current Virus total detections 12/55*
.. MALWR** didn’t show any download but a manual analysis showed a download from
http ://revery.5gbfree .com/rollas/wanfile.exe which is saved to %APPDATA%\flash.exe and autorun (VirusTotal 8/57***)
MALWR[4].. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...d24c47847861008563ff1e9f/analysis/1463526808/

** https://malwr.com/analysis/MjU5MjkwODg4MDZkNDIwNTljOTEwYzFlZjBkMWFmNjY/

*** https://www.virustotal.com/en/file/...97add148ced9b4e98f84a1eb/analysis/1463526879/

4] https://malwr.com/analysis/NmQ1MmU0ZDExMmJhNDNlNjhmMmE1MWI1MTg3MzM2YTI/
Hosts
23.94.151.38: https://www.virustotal.com/en/ip-address/23.94.151.38/information/

revery.5gbfree .com: 209.90.88.138: https://www.virustotal.com/en/ip-address/209.90.88.138/information/
>> https://www.virustotal.com/en/url/d...8386293737a9b086377b7cf616845f6265d/analysis/
___

Fake 'Remittance Advice' SPAM - doc malware
- https://myonlinesecurity.co.uk/spam-malware-remittance-advice-word-doc-with-embedded-ole-object/
18 May 2016 - "An email with the subject of 'Remittance Advice' pretending to come from random senders and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Diana Raveche <Diana@ lappgroup .com>
Date: Tue 17/05/2016 15:33
Subject: Remittance Advice
Attachment: 59350_Copy_PS13149_(1).docx
Dear Sirs,
Please find attached remittance advice(s) for reconciliation.
Should you have any queries, kindly contact the address below
Best regards
Daniel Sefah
Treasurer
Manganese Company Limited


18 May 2016: 59350_Copy_PS13149_(1).docx - Current Virus total detections 16/56*
.. MALWR** contains an embedded OLE object that when extracted gives 'Double Click on file to view clear Swift' copy.exe (VirusTotal 14/56***) MALWR[4] which shows a connection to
http ://cf34064.tmweb .ru/cgi-bin/eke/gate.php which gave a 404 when I tried, which might mean it has been taken down or it insists on a referrer from the actual word doc or the extracted malware which several antiviruses detect as a fareit password stealer Trojan. Payload security doesn’t give much more useful info either...
> https://myonlinesecurity.co.uk/wp-c...on-file-to-view-clear-Swift-copy-1024x549.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...73afaa2e55c7fb031c177025/analysis/1463574035/

** https://malwr.com/analysis/MTE2MDQ5YzIyZmRmNDY5MjgwOGEzNGQ3YTlhNGNhMjc/

*** https://www.virustotal.com/en/file/...ca275b28ddca15411b9e927b/analysis/1463574066/

4] https://malwr.com/analysis/MTc2Y2QxNmMxOWQxNGM5MmJkMGUxOTE2MDUwMzIzZjM/
Hosts
92.53.118.64: https://www.virustotal.com/en/ip-address/184.95.37.110/information/

:fear::fear: :mad:
 
Last edited:
Fake 'Thank you', 'WhatsApp', 'Scanned image' SPAM, TeslaCrypt master key

FYI...

Fake 'Thank you' SPAM - JS malware attachment
- https://myonlinesecurity.co.uk/spam-malware-thank-you-from-random-companies/
19 May 2016 - "An email with the subject of 'Thank you!' pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads some unknown malware... One of the emails looks like:
From: Stevie Fry <FryStevie3913@ divtec .ch>
Date: Thu 19/05/2016 10:49
Subject: Thank you!
Attachment: webmaster_order_04FDEC03.zip
Hello webmaster,
Please find enclosed invoice no. 871824
Thank you for your order.
We look forward to doing business with you again.
Regards,
Stevie Fry
Pioneer Natural Resources Company


19 May 2016: webmaster_order_04FDEC03.zip: Extracts to: -4- identical copies of history_048.js
Current Virus total detections 6/56*. MALWR** shows a download from
http ://dub3tv .com/2e22dfs (VirusTotal 2/56***). Payload Security[4] | Malwr[5]. Nothing so far is actually telling us what the payload is, but it is likely to be either Locky or Dridex... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...40098fba8d2fe1fbba552f62/analysis/1463654399/

** https://malwr.com/analysis/N2I1ZjkzMDNiYTY1NDQ2OWE4MTk2YTk4MWVhYmRmNWU/
Hosts
184.168.107.21: https://www.virustotal.com/en/ip-address/184.168.107.21/information/

*** https://www.virustotal.com/en/file/...39ede7b071755ef772e21e83/analysis/1463654794/

4] https://www.hybrid-analysis.com/sam...25d39ede7b071755ef772e21e83?environmentId=100

5] https://malwr.com/analysis/MTNlNzQwYjgyMmY4NGNhMDllMzI4ZTkxYTc5MGU1ZjU/
___

Fake 'WhatsApp' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/spam-malware-you-got-a-voice-message-whatsapp-delivers-locky/
19 May 2016 - "An email with the subject of 'You got a voice message!' pretending to come from WhatsApp <Cleo477@ gmx .de> with a zip attachment is another one from the current bot runs which downloads Locky Ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/05/You-got-a-voice-message-1024x522.png

19 May 2016: MSG0002959373787821.wav.zip: Extracts to: MSG00033066464574474.wav.js
Current Virus total detections 8/56*. MALWR** shows a download of Locky from
http ://denzil .com.au/grh5444tg?WKInfNTzzF=VQkztyPupI (VirusTotal 4/56***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine WAV/DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...b0241f0dadc8c273d745bcbc/analysis/1463652406/

** https://malwr.com/analysis/OTRlNmU0ZjA4ODE4NDUzMmJkM2FmNDNmMmNiMzVlMmY/
Hosts
223.130.27.201
89.108.84.155
92.63.87.48


*** https://www.virustotal.com/en/file/...655825ef6804fe39e81eb906/analysis/1463653169/
TCP connections
92.63.87.48: https://www.virustotal.com/en/ip-address/92.63.87.48/information/

denzil .com.au: 223.130.27.201: https://www.virustotal.com/en/ip-address/223.130.27.201/information/
>> https://www.virustotal.com/en/url/a...3b5a5578a415ae9d99067b6e332841571b5/analysis/
___

Fake 'Scanned image' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/scan...me-from-your-own-email-domain-delivers-locky/
19 May 2016 - "Another email pretending to come from your-own-email-domain with the subject of 'Scanned image' pretending to come from admin <southlandsxxxx@ victimdomain .tld> with a zip (rar) attachment is another one from the current bot runs which downloads Locky Ransomware... One of the emails looks like:
From: admin <southlandsxxxx@ victimdomain .tld>
Date: Thu 19/05/2016 19:52
Subject: Scanned image
Attachment: MSG00087072.rar
Image data in PDF format has been attached to this email.


19 May 2016: MSG00087072.rar: Extracts to: MSG0004219280705535.js - Current Virus total detections 9/57*
.. MALWR** shows a download of Locky ransomware from
freesource .su/437gfinw2 (VirusTotal 3/56***)
Other sites found include:
freesource .su/437gfinw2 - 136.243.176.66
der-werbemarkt .de/437gfinw2 - 85.158.182.96
criticalcontactinfo .com/437gfinw2 - 192.73.242.42
empiredeckandfence .com/437gfinw2 - 192.185.225.43
... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...cd412f79ddb3dfb865c4f9b1/analysis/1463686171/

** https://malwr.com/analysis/ZjBjOTNmOWNlMjc4NDYzZWE3OTQ0NGEzMzQyMDYwYjU/
Hosts
92.63.87.48

*** https://www.virustotal.com/en/file/...1f490618da5131ae6aae0bcd/analysis/1463684566/
TCP connections
92.63.87.48: https://www.virustotal.com/en/ip-address/92.63.87.48/information/

freesource .su: 136.243.176.66: https://www.virustotal.com/en/ip-address/136.243.176.66/information/
>> https://www.virustotal.com/en/url/6...3f5f238268835128f8483aa90f5a05d14ab/analysis/
der-werbemarkt .de: 85.158.182.96: https://www.virustotal.com/en/ip-address/85.158.182.96/information/

criticalcontactinfo .com: 192.73.242.42: https://www.virustotal.com/en/ip-address/192.73.242.42/information/

empiredeckandfence .com: 192.185.225.43: https://www.virustotal.com/en/ip-address/192.185.225.43/information/
___

White hats bake TeslaCrypt master key into universal decryptor
Ransomware authors appear to have given up...
- http://www.theregister.co.uk/2016/0...slacrypt_master_key_into_universal_decryptor/
19 May 2016 - "The authors of the TeslaCrypt ransomware have handed over their master keys in what appears to be a decision to kill off the net menace. An Eset researcher noticed the gradual decline of TeslaCrypt and, posing as a victim, asked the malware authors for a key. The authors surprisingly offered a free master key and the security wonk quickly produced a free universal decryption tool*. It means victims of two of the worst ransomware tools can decrypt their files for free, with Kaspersky white hats producing a decryption tool yesterday** for the Cryptxxx malware..."
* http://download.eset.com/special/ESETTeslaCryptDecryptor.exe

** http://www.theregister.co.uk/2016/05/18/cryptxxx_decrypted/

- http://support.eset.com/kb6051/
Last Revised: May 19, 2016

Identify the ransomware you’re dealing with...
> https://id-ransomware.malwarehunterteam.com/index.php
"This service currently detects 87 different ransomwares..."
Updated 05/19/2016

> http://www.bleepingcomputer.com/new...huts-down-and-releases-master-decryption-key/
May 18, 2016

:fear::fear: :mad:
 
Last edited:
Fake 'refund' SPAM, Router 'worm'

FYI...

Fake 'refund' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/05/malware-spam-i-wanted-to-follow-up-with.html
20 May 2016 - "This spam comes from random senders and has a malicious attachment. Here is an example:
From: Frederic Spears
Date: 20 May 2016 at 10:29
Subject: Re:
Hi [redacted],
I wanted to follow up with you about your refund.
Please find the attached document
Regards,
Frederic Spears
CBS Corporation


The company name and sender's name varies from message to message. Attached is a ZIP file which contains elements of the recipient's name, which in turn contains one of a variety of malicious scripts. Out of the samples I have seen, I have so far found download locations of:
delicious-doughnuts .net/oqpkvlam
dev.hartis .org/asvfqh2vn
dugoutdad .com/0ygubbvvm
craftbeerventures .nl/hgyf46sx
babamal .com/av2qavqwv
forshawssalads .co.uk/af1fcqav
Only three of those download locations work so far (VirusTotal results [1] [2]..) and automated analysis of those [4] [5].. shows behaviour consistent with Locky ransomware. All of those reports show the malware phoning home to:
91.219.29.106 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
51.254.240.89 (Relink LLC, Russia / OVH, France)
138.201.118.102 (Hetzner, Germany)
Recommended blocklist:
91.219.29.106
51.254.240.89
138.201.118.102
"
1] https://virustotal.com/en/file/bf2e...9d07ff41f00433509b5f5e2d/analysis/1463737477/
TCP connections
91.219.29.106

2] https://virustotal.com/en/file/d5cb...b1ea6814f6c583b59ae66ca4/analysis/1463738300/
TCP connections
91.219.29.106

4] https://malwr.com/analysis/NmQ1NmY1M2IzNTBmNDFiMGI5YjNkY2E5MDNjNDEyZGQ/
Hosts
138.201.118.102

5] https://malwr.com/analysis/NmU3MTZlZThhNGJkNDFmMzk2NzdhMDNkODA2N2U1MDk/
Hosts
138.201.118.102

- https://myonlinesecurity.co.uk/i-wanted-to-follow-up-with-you-about-your-refund-leads-to-locky/
20 May 2016 - "Another email in the long line of nemucod JavaScript downloaders with the subject of 'Re: ' pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: I wanted to follow up with you about your refund
Date: Fri 20/05/2016 10:24
Subject: Re:
Attachment: rob_refund_947CDB34.zip
Hi rob,
I wanted to follow up with you about your refund.
Please find the attached document
Regards,
Inez Castro
Workday, Inc.


20 May 2016: rob_refund_947CDB34.zip: Extracts to: history.6725.js.js - Current Virus total detections 5/57*
downloads from http ://carseatcoverwarehouse .com.au/zzvmvae (VirusTotal 6/57**). Payload Security***
Some other sites found include:
http ://delicious-doughnuts .net/oqpkvlam – currently 404 for me
http ://carseatcoverwarehouse .com.au/zzvmvae
http ://dev.hartis .org/asvfqh2vn
http ://honeystays .co.za/sajaafafa
http ://dvphysio .com.au/g0bpicjhbv
... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...d485cd7140ec86e4127a1eb7/analysis/1463736198/

** https://www.virustotal.com/en/file/...8178b97fdfdf6a60482267e7/analysis/1463736629/
TCP connections
51.254.240.89

*** https://www.hybrid-analysis.com/sam...d65be42bfad1acdd05a5fd0cb90?environmentId=100
Contacted Hosts
192.185.198.215
92.63.87.48
51.254.240.89


delicious-doughnuts .net - 213.160.76.117: https://www.virustotal.com/en/ip-address/213.160.76.117/information/
>> https://www.virustotal.com/en/url/3...d9009940a8df88571a95b9d899fc15746aa/analysis/
carseatcoverwarehouse .com.au - 192.185.198.215: https://www.virustotal.com/en/ip-address/192.185.198.215/information/
>> https://www.virustotal.com/en/url/e...426b6799efd7a8332d053dbf22bd7c4b119/analysis/
dev.hartis .org - 212.1.214.102: https://www.virustotal.com/en/ip-address/212.1.214.102/information/
>> https://www.virustotal.com/en/url/8...136f6fb320a65d54b0b47708065ebcb94ba/analysis/
honeystays .co.za - 188.40.0.214: https://www.virustotal.com/en/ip-address/188.40.0.214/information/
>> https://www.virustotal.com/en/url/3...0f9f898ed4f15ad2acbcdce66893507b905/analysis/
dvphysio .com.au - 192.185.182.18: https://www.virustotal.com/en/ip-address/192.185.182.18/information/
>> https://www.virustotal.com/en/url/f...439b1dadd3e1b46ffef84c82ee48e2006f9/analysis/
___

Ubiquiti AirOS routers hit with worm
- https://www.helpnetsecurity.com/2016/05/20/ubiquity-routers-backdoor-worm/
May 20, 2016 - "A worm targeting wireless network equipment developed by US-based Ubiquiti Networks has already managed to compromise thousands of routers across the world. To spread it, whoever is behind these attacks is exploiting an old bug* in airOS, the firmware that runs on the company’s networking devices... According to Symantec researchers**, once it leverages the exploit, the worm copies itself on the device and creates a backdoor account... Ubiquiti has provided a list of devices/firmware versions that are safe from the exploit, and has advised users of others to update their firmware. They have also provided a removal tool[3] for the worm, which also has the option to upgrade firmware to the latest version (5.6.5)."
* https://community.ubnt.com/t5/airMA...GHSwitch-and-airGateway-Released/ba-p/1300494

** http://www.symantec.com/connect/fr/blogs/thousands-ubiquiti-airos-routers-hit-worm-attacks

3] https://community.ubnt.com/t5/airMA...y-Notice-and-airOS-5-6-5-Release/ba-p/1565949

:fear::fear: :mad:
 
Last edited:
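Added example, not code from dynamoo or myonlinesecurity: the download sites and the "Recommended blocklist" above are published defanged ("http ://host .tld/path", "name[dot]tld"). The Python below refangs such report lines into host, URL and IP indicator sets and matches them against proxy log lines, so a blocklist like the one above can be checked against what a network actually fetched. The report lines are copied from the posts above; the squid-style log lines are constructed for the demo (the "www." prefix on one host is a made-up variation, used to show that subdomains of a listed host also match).

```python
import re
from urllib.parse import urlsplit

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_IN_LOG = re.compile(r"https?://\S+")


def refang(text):
    """Reverse the defanging used in the reports above:
    'http ://foo .com/x' -> 'http://foo.com/x', 'foo[dot]tech' -> 'foo.tech'."""
    text = re.sub(r"\[dot\]", ".", text, flags=re.IGNORECASE)
    text = re.sub(r"(https?)\s*:\s*//", r"\1://", text, flags=re.IGNORECASE)
    text = re.sub(r"\s+\.", ".", text)
    return text


def parse_indicator_line(line):
    """Extract hosts, host+path URLs and IPv4 addresses from one report line such as
    'dev.hartis .org/asvfqh2vn' or '91.219.29.106 (Hetzner, Germany)'."""
    cleaned = refang(line)
    found = {"hosts": set(), "urls": set(), "ips": set(IPV4.findall(cleaned))}
    tokens = cleaned.split()
    first = tokens[0] if tokens else ""
    if first and not IPV4.fullmatch(first):
        url = first if first.lower().startswith(("http://", "https://")) else "http://" + first
        parts = urlsplit(url)
        if parts.hostname and "." in parts.hostname:
            host = parts.hostname.lower()
            found["hosts"].add(host)
            found["urls"].add(host + parts.path)
    return found


def build_iocs(lines):
    """Merge the indicators of many report lines into one set per kind."""
    iocs = {"hosts": set(), "urls": set(), "ips": set()}
    for line in lines:
        for kind, values in parse_indicator_line(line).items():
            iocs[kind] |= values
    return iocs


def match_host(host, listed_hosts):
    """Return the listed host that `host` equals or is a subdomain of, else None."""
    for listed in listed_hosts:
        if host == listed or host.endswith("." + listed):
            return listed
    return None


def scan_log(log_lines, iocs):
    """Match log lines against the indicator sets; returns (line_no, indicator, kind)."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        matched = None
        for url in URL_IN_LOG.findall(line):
            listed = match_host((urlsplit(url).hostname or "").lower(), iocs["hosts"])
            if listed:
                matched = (listed, "host")
                break
        if matched is None:
            for ip in IPV4.findall(line):
                if ip in iocs["ips"]:
                    matched = (ip, "ip")
                    break
        if matched:
            hits.append((number, matched[0], matched[1]))
    return hits


# Indicator lines copied from the reports above (download sites and blocklist).
REPORT_LINES = [
    "delicious-doughnuts .net/oqpkvlam",
    "dev.hartis .org/asvfqh2vn",
    "http ://carseatcoverwarehouse .com.au/zzvmvae",
    "http ://honeystays .co.za/sajaafafa",
    "91.219.29.106 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)",
    "51.254.240.89 (Relink LLC, Russia / OVH, France)",
    "138.201.118.102 (Hetzner, Germany)",
]

# Constructed squid-style access log lines for the demo (client IPs are private).
SAMPLE_LOG = [
    "1463738000.101 192.168.10.25 TCP_MISS/200 198656 GET http://delicious-doughnuts.net/oqpkvlam - HIER_DIRECT/213.160.76.117 application/octet-stream",
    "1463738000.215 192.168.10.25 TCP_MISS/200 1043 POST http://91.219.29.106/ - HIER_DIRECT/91.219.29.106 text/plain",
    "1463738001.330 192.168.10.31 TCP_HIT/200 5120 GET http://www.example.com/ - HIER_NONE/- text/html",
    "1463738002.440 192.168.10.31 TCP_MISS/200 8192 GET http://www.dev.hartis.org/asvfqh2vn - HIER_DIRECT/212.1.214.102 application/octet-stream",
]

if __name__ == "__main__":
    for line_no, indicator, kind in scan_log(SAMPLE_LOG, build_iocs(REPORT_LINES)):
        print(f"line {line_no}: {kind} match on {indicator}")
```

The first hit on the download site identifies the machine that fetched the script payload; the IP hit on the POST is the kind of line that shows a host already running the binary and checking in, which is the case the "Recommended blocklist" is meant to catch.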
Fake 'invoice', 'bank account deleted' SPAM, Tech Spt SCAM, Hacks target more banks

FYI...

Fake 'invoice' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/plea...file-we-spoke-about-yesterday-leads-to-locky/
23 May 2016 - "... an email with the subject of 'Re: ' pretending to come from random senders and email addresses with a zip attachment is another one which downloads Locky ransomware... One of the emails looks like:
From: Elizabeth Simpson <SimpsonElizabeth4937@ anapest .com>
Date: Mon 23/05/2016 09:15
Subject: Re:
Attachment: copy_invoice_17DF6BE6.zip
Hi jipy,
Please find attached the file we spoke about yesterday.
Thank you,
Elizabeth Simpson
Deutsche Bank AG


23 May 2016: copy_invoice_17DF6BE6.zip: Extracts to: history.8519.js.js.js - Current Virus total detections 1/57*
MALWR** shows a download of Locky from
http ://stylelk .com/12opjwfh (VirusTotal 0/56***). MALWR[4] which is -altered- by the javascript to create
gCBkMdFX463HMBEP.exe (VT 5/57[5]). MALWR [6]. Manual analysis shows also alternative download locations from
maibey .com/bakcy9s (VT 0/56[7]), bekith .com/twe4puv (VT 0/55[8])... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE / .JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...341af25d4025d4e39d774c10/analysis/1463991056/

** https://malwr.com/analysis/YzhhZjcwYzM5MjdiNDg5NmFhNDk2YzdlMmI2ZjE0NWI/
Hosts
160.153.71.230
31.41.44.45
92.63.87.53
176.31.47.100
188.166.168.250
178.63.238.188


*** https://www.virustotal.com/en/file/...cde20587365d063a613cb391/analysis/1463992536/

4] https://malwr.com/analysis/Njk4ZGMzYWQ0Y2IzNDY0NmJjNDJiODc0OGUyMjAzNjY/

5] https://www.virustotal.com/en/file/...33a00c4fbf14d21906b65c9e/analysis/1463993646/
TCP connections
92.63.87.53
31.41.44.45
188.166.168.250
176.31.47.100
178.63.238.188


6] https://malwr.com/analysis/NzYxNTZkOTAzODI2NGFkODlhMzE2NmVkZDZmNWQ3YmE/
Hosts
188.166.168.250
176.31.47.100
92.63.87.53
31.41.44.45
178.63.238.188


7] https://www.virustotal.com/en/file/...2fe907cb82504c2b17f9d553/analysis/1463991121/

8] https://www.virustotal.com/en/file/...4b8efebb6872017eb502ccb3/analysis/1463992820/

- http://blog.dynamoo.com/2016/05/malware-spam-please-find-attached-file.html
23 May 2016 - "This spam appears to come from random senders, and leads to Locky ransomware:
From: Graham Roman
Date: 23 May 2016 at 11:59
Subject: Re:
Hi [redacted]
Please find attached the file we spoke about yesterday.
Thank you,
Graham Roman
PCM, Inc.


Attached is a ZIP file starting with copy_invoice_ and then a random sequence. This contains a malicious script file which in the sample I analysed downloads an obfuscated binary from:
oakidea .com/by2eezw8
islandflavaja .com/0p1nz
dragqueenwig .com/itukabk
Automated analysis of the script [1] [2] shows it dropping a file klA1KMQj2D.exe which has a VirusTotal detection rate of 5/56*. Those prior reports plus these additional analyses of the binary [3] [4] [5] show network traffic to:
188.166.168.250 (Digital Ocean, UK)
31.41.44.45 (Relink Ltd, Russia)
92.63.87.53 (MWTV, Latvia)
Those reports all demonstrate clearly that this is Locky ransomware, although the barely encrypted downloaded binaries are a -new- feature...
UPDATE: Trusted third-party analysis (thank you) shows some additional download locations...
... One additional C2 server:
176.31.47.100 (Unihost, Seychelles / OVH , France)
Recommended blocklist:
188.166.168.250
31.41.44.45
92.63.87.53
176.31.47.100
"
1] https://malwr.com/analysis/NzIyZWNjYzAwM2E1NGE2YmJkOWE2OWM0NDA0YzY4Nzg/
Hosts
216.70.68.223
92.63.87.53


2] https://www.hybrid-analysis.com/sam...6de343011e904fe80f90eb96573?environmentId=100
Contacted Hosts
188.166.168.250

* https://virustotal.com/en/file/24b2...60a97b4db59baf29e81731a3/analysis/1464002438/
TCP connections
188.166.168.250

3] https://sandbox.deepviz.com/report/hash/86fa752330fb189952a69742244b5890/

4] https://malwr.com/analysis/ZDNjZTc1ZTVhMTUzNDRjZTk4ZDgyNjIzNTgyZWMwZWU/
Hosts
188.166.168.250

5] https://www.hybrid-analysis.com/sam...0fd60a97b4db59baf29e81731a3?environmentId=100
Contacted Hosts
31.41.44.45
188.166.168.250

___

Fake 'bank account deleted' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/05/malware-spam-your-bank-account-has-been.html
23 May 2016 - "This alarming looking spam has a malicious attachment:
From: Bradyrian Hassell
Date: 23 May 2016 at 14:00
Subject: Account Deleted
Your bank account has been deleted, more information attached.


I have only seen a single copy of this and the ZIP file attached was corrupt, however, it is very likely that this is a variant of the Locky ransomware run from earlier today*."
* http://blog.dynamoo.com/2016/05/malware-spam-please-find-attached-file.html
___

DMA Locker 4.0 – Known Ransomware preps for Massive Distribution
- https://blog.malwarebytes.org/threa...somware-preparing-for-a-massive-distribution/
23 May 2016 - "... Behavioral analysis: In contrast to the previous versions, DMA Locker 4.0 cannot encrypt files offline. It needs to download the public RSA key from its C&C. That’s why, if the file has been opened on a computer without an internet connection, it will just install itself and wait. If the machine is connected, it runs silently until it finishes encrypting the files. This time DMA Locker comes with a deception layer added: the packed sample has an icon pretending to be a PDF document:
> https://blog.malwarebytes.org/wp-content/uploads/2016/05/icon.png
... After it finishes the encryption process, a red window, similar to the one known from the previous editions, pops up:
> https://blog.malwarebytes.org/wp-content/uploads/2016/05/dma_gui4.png
... The recently observed changes suggest that the product is preparing to be distributed on a massive scale. A few important things got automated. Distribution is now exploit kit based – that makes it reach many more targets..."
(More detail at the malwarebytes URL above.)
___

Tech Support Scammers using Winlogon
- https://blog.malwarebytes.org/cybercrime/2016/05/tech-support-scammers-using-winlogon/
May 23, 2016 - "... Tech Support Scammers are using every trick in the malware-authors-book to get new 'customers'. Here is one that takes over the victims’ Windows system after a reboot by using the Winlogon-Shell registry value... This makes sure that the user gets access to his Taskbar and Desktop (among other things). It can be changed by so-called skins or replacement shells with the users’ consent, but in this case it was done -without- consent... This resulted in this screen after the user logged on:
> https://blog.malwarebytes.org/wp-content/uploads/2016/05/TSSscreen.png
... The installer is a file called 'Hotstar.exe' and was submitted to us by a fellow researcher. We suspect the file was hosted on the site amiga[dot]tech, because of two reasons. The installer opens two browser windows and one of those -queries- that site. The other one opens up exetracking.weebly .com, a site that can be used to keep track of the number of installs, but the account of this author was -suspended- a few weeks ago. The other reason is that amiga[dot]tech still hosts a file called Hotstar.exe, but this one installs a -fake- registry cleaner (The type that finds -896- infections in 0.2 seconds on a -clean- Virtual Machine):
> https://blog.malwarebytes.org/wp-content/uploads/2016/05/infections.png
... We looked at another Tech Support Scam using scare-tactics to lure victims into calling their phone number. The method is a bit different, but the end-goal is the same. Take the money and run. So save yourself the hassle and get protected..."

amiga[dot]tech: 107.180.51.27: https://www.virustotal.com/en/ip-address/107.180.51.27/information/
>> https://www.virustotal.com/en/url/a...5286a59b1d709e4e423f1f2f8ea9b5708d6/analysis/
Malware site ...

exetracking.weebly .com: 199.34.228.53: https://www.virustotal.com/en/ip-address/199.34.228.53/information/
>> https://www.virustotal.com/en/url/6...ddaf0c9024264ccf1c4dacd0f84c0aba807/analysis/
Malware site ...

199.34.228.54: https://www.virustotal.com/en/ip-address/199.34.228.54/information/

weebly .com: 74.115.50.109: https://www.virustotal.com/en/ip-address/74.115.50.109/information/
>> https://www.virustotal.com/en/url/7...7fef8b0319ac6f69802b17e9cd99aa1648a/analysis/
74.115.50.110: https://www.virustotal.com/en/ip-address/74.115.50.110/information/
>> https://www.virustotal.com/en/url/a...87a6586f5b46396655e06bddc3b33b336b0/analysis/
___

Hacks probe defenses of Middle East banks
Targeted Attacks...
- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
May 22, 2016 - "In the first week of May 2016... a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region. The threat actors appear to be performing initial reconnaissance against would-be targets, and the attacks caught our attention since they were using unique -scripts- not commonly seen in crimeware campaigns... The attackers sent multiple emails containing macro-enabled-XLS-files to employees working in the banking sector in the Middle East. The themes of the messages used in the attacks are related to IT Infrastructure such as a log of Server Status Report or a list of Cisco Iron Port Appliance details. In one case, the content of the email appeared to be a legitimate email conversation between several employees, even containing contact details of employees from several banks. This email was then forwarded to several people, with the malicious Excel file attached... This was done for the purpose of social engineering – specifically, to convince the victim that enabling-the-macro did in fact result in the 'unhiding' of additional spreadsheet data... This attack also demonstrates that macro malware is effective even today. Users can protect themselves from such attacks by -disabling- Office macros in their settings and also by being more vigilant when enabling macros (especially when prompted) in documents, even if such documents are from seemingly 'trusted' sources..."
(More detail at the fireeye URL above.)

Disable -macros- in Office
> https://support.office.com/en-us/ar...ents-7b4fdd2e-174f-47e2-9611-9efe4f860b12#bm2
"... Macro security settings are located in the Trust Center. However, if you work in an organization, your system administrator might have changed the default settings to prevent anyone from changing any settings.
Note: When you change your macro settings in the Trust Center, they are changed only for the Office program that you are currently using. The macro settings are -not- changed for all your Office programs..."
YMMV.

1. DO NOT follow the advice they give to enable macros or enable editing to see the content.
2. The basic rule is NEVER open any attachment to an email, unless you are expecting it - and refer to Rule #1.
___

Ransomware prevalence
- https://atlas.arbor.net/briefs/index#-610101497
May 19, 2016 - "Analysis: Analysts at Microsoft took a three-month snapshot of ransomware incidents ending in mid-May highlighting the overall breadth of compromises they observed. The table provided a list of the top 20 countries where Microsoft discovered ransomware victims... The top ten listed accounted for 651,801 known compromises..."
> https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ransomware/
"... The following table* shows the top 20 countries where ransomware is most prevalent..."
* https://msdnshared.blob.core.windows.net/media/2016/05/R_consumer2.png
Ransomware timeline:
- https://msdnshared.blob.core.windows.net/media/2016/05/R_consumer6.png

:fear::fear: :mad:
 
Last edited:
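Added example, not code from Malwarebytes or from the thread: the Winlogon "Shell" value that the tech support scam above tampers with can be audited with a short Python script. classify_shell_value() treats anything other than a bare explorer.exe (a replaced shell, or an extra comma-separated program appended to it) as a persistence indicator; read_shell_values() reads the machine-wide (HKLM) and per-user (HKCU) values through winreg when run on Windows and returns nothing elsewhere; audit() reports what to restore. The SAMPLE_VALUES mapping and the locker.exe path in it are constructed; the write-up does not give the exact value the scam set.

```python
import sys

WINLOGON_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"


def classify_shell_value(value):
    """Classify a Winlogon 'Shell' value.

    Windows starts explorer.exe by default, so the value (if present at all)
    should be exactly that. Anything else, whether the shell was replaced
    outright or a second comma-separated program was added, is a persistence
    indicator. Returns (verdict, non_default_entries)."""
    if value is None:
        return ("ok", [])
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    extra = [e for e in entries if e.lower() != DEFAULT_SHELL]
    if not entries or extra:
        return ("suspicious", extra)
    return ("ok", [])


def read_shell_values():
    """Read the Shell value from HKLM (machine-wide) and HKCU (per-user override).

    Only meaningful on Windows; elsewhere an empty dict is returned so the
    classification logic can still be exercised on constructed values."""
    if sys.platform != "win32":
        return {}
    import winreg
    results = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, WINLOGON_SUBKEY) as key:
                value, _ = winreg.QueryValueEx(key, "Shell")
        except OSError:
            value = None   # key or value absent: the default shell applies
        results[hive_name] = value
    return results


def audit(values):
    """Return one finding per hive whose Shell value is not the default."""
    findings = []
    for hive, value in values.items():
        verdict, extra = classify_shell_value(value)
        if verdict != "ok":
            findings.append(
                f"{hive}\\...\\Winlogon\\Shell = {value!r}: non-default entries {extra}; "
                f"remove the program, then restore the value to '{DEFAULT_SHELL}' "
                f"(or delete the per-user value)")
    return findings


# Constructed sample values; the HKCU entry mimics an appended second shell program.
SAMPLE_VALUES = {
    "HKLM": "explorer.exe",
    "HKCU": 'explorer.exe,"C:\\Users\\Public\\locker.exe"',
}

if __name__ == "__main__":
    live = read_shell_values() or SAMPLE_VALUES
    for finding in audit(live) or ["no Winlogon Shell tampering found"]:
        print(finding)
```

The per-user HKCU value is checked as well as HKLM because it is honoured for that user's logon and does not need administrator rights to write, which makes it the likelier place for an installer run by the victim to put its entry.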
Fake 'Exchange Rates', 'New Message', 'logon attempt', 'SAFARI LPO' SPAM, Evil nets

FYI...

Fake 'Exchange Rates' SPAM - Java malware
- https://myonlinesecurity.co.uk/updated-exchange-rates-for-all-agents-java-malware/
24 May 2016 - "An email with the subject of 'Updated Exchange Rates For All Agents' pretending to come from Western Union Business Solution <Gerard.Evans@ westernunion .com> with a zip attachment is another one from the current bot runs which delivers a java jacksbot. If you do not have Java installed, then you are safe from this malware...

Screenshot: https://myonlinesecurity.co.uk/wp-c...ed-Exchange-Rates-For-All-Agents-1024x750.png

24 May 2016: New Rates 23_may_2016.rar: Extracts to: Updated rates and adjusted commission fees..jar and
wu fx updated rates.jpg (which is same image as in email). Current Virus total detections 23/57*. MALWR** which doesn't show much, because Java isn’t enabled on the sandbox... Payload Security*** finally gave a report but all it shows is a connection to a dynamic DNS service zingaremit2016.duckdns .org but I still don’t know what for except to divert silently to the actual malware sites and prevent antivirus companies & researchers finding and closing the site... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...20adcb1e660fa05ac2288c24/analysis/1464063358/

** https://malwr.com/analysis/YjJmNTI3N2VmNzVlNGFhY2I4MGFjMGI5NDIzZGUzNjc/

*** https://www.hybrid-analysis.com/sam...e8220adcb1e660fa05ac2288c24?environmentId=100
Contacted Hosts
89.163.154.146
___

Fake 'New Message' SPAM - js malware attachment
- https://myonlinesecurity.co.uk/new-message-from-administrator/
24 May 2016 - "An email with the subject of 'New Message from Administrator' pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads some malware, probably Locky ransomware, with anti-debugging, anti-analysis protection... One of the emails looks like:
From: Filide Macpherson <MacphersonFilide57@ wateen .net>
Date: Tue 24/05/2016 11:05
Subject: New Message from Administrator
Attachment: copy_577640.zip
You have 1 new message from Administrator. To read it, please open the attachment down below.


24 May 2016: copy_577640.zip: Extracts to: post_scan_7QeOo.js - Current Virus total detections 4/57*
.. MALWR** shows a download from http ://shop2gather .com/0WEGev.exe (VirusTotal 2/56***). MALWR[4] crashed on running this download. Payload security[5] doesn’t give any real useful info, except to suggest anti-debugging and analysis protection... Other sites found in this malware campaign include:
http ://shop2gather .com/0WEGev.exe - 191.234.21.43
http ://davidjubermann .com/kgRATz.exe - 103.16.128.166
http ://americanaintl .com/lFsXD3.exe - 175.45.50.235 giving me a 404
http ://puntacanaprivateoutlet .com/ogZ4Le.exe - 185.42.104.144
http ://piyopiyo .co.uk/XGh7zQ.exe - 23.229.156.163
... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...4de82f585d07534d5d1c1c41/analysis/1464085967/

** https://malwr.com/analysis/NTkzMzkxMWYzMmVlNGUxMDhiNDdiODAyYjFiMjliNDU/
Hosts
191.234.21.43

*** https://www.virustotal.com/en/file/...b8fdb29ab22302e159001ced/analysis/1464086027/

4] https://malwr.com/analysis/NWRiNGM1ODUwNWVlNGIyY2E1NzliMjFkNjc1YzQ3MDI/

5] https://www.hybrid-analysis.com/sam...191b8fdb29ab22302e159001ced?environmentId=100
___

Fake 'logon attempt' SPAM - doc malware
- https://myonlinesecurity.co.uk/suspicious-logon-attempt-or-account-compromised-leads-to-dridex/
24 May 2016 - "An email with the subject of 'Suspicious logon attempt' pretending to come from random senders, companies and email addresses with a malicious word doc inside a zip attachment is another one from the current bot runs... This looks like Dridex using an encrypted-base64-encoded-file inside the word doc that is converted and extracted using Microsoft certutil, using this new method described by MalwareTech Blog[1]...
1] http://www.malwaretech.com/2016/05/dridex-updates-payload-distribution.html
The email looks like:
From: Clay.Mortonp@raiosoldas .com.br
Date: Tue 24/05/2016 11:30
Subject: Suspicious logon attempt
Attachment: Security Report.zip
Attention!
Suspicious logon attempt to your account was detected (Firefox browser, IP-address: 199.30.218.0)
Reason: unusual IP
Please refer to the attached report to view further detailed information.
OROGEN GOLD PLC ...


24 May 2016: Security Report.zip: extracts to Security Report ID(12093937).doc
Current Virus total detections 3/57*. MALWR** - Payload Security***. Neither online sandbox managed to extract a working malware sample, but all indications point to Dridex... Update: .. THIS is the Dridex payload (VirusTotal 10/56[4]).
.. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...e7fb071946a1499fe7e07f3c/analysis/1464086262/

** https://malwr.com/analysis/NWQ4YzFlYWNiZjI3NGU3NGE3MTQ2Yjg0ZjZlOGVmYWI/

*** https://www.hybrid-analysis.com/sam...4a4e7fb071946a1499fe7e07f3c?environmentId=100

4] https://virustotal.com/en/file/45b8...1ac33a3e9a3f2dc35c1ef1ae08bf61dd999/analysis/

- http://blog.dynamoo.com/2016/05/malware-spam-account-compromised.html
24 May 2016 - "These -fake- security warnings come with a malicious attachment:
From: Jennings.KarlaVk@ ttnet .com.tr
Date: 24 May 2016 at 11:48
Subject: Account Compromised
Attention!
Suspicious logon attempt to your account was detected (Chrome browser, IP-address: 108.127.172.96)
Reason: unusual IP
Please refer to the attached report to view further detailed information.
BMJ Group ...
> Sent from iPad


In the two samples I have seen, there are attachments named Security Report.zip and Security Notification.zip which in turn contain a Word document with a name such as Security Report ID(11701573).doc . The two documents that I have seen have detection rates of about 3/56 [1] [2]...
UPDATE: According to a third party analysis, this apparently drops Dridex which phones home to:
210.245.92.63 (FPT Telecom Company, Vietnam)
162.251.84.219 (PDR Solutions, US)
80.88.89.222 (Aruba, Italy)
213.192.1.171 (EASY Net, Czech Republic)
Recommended blocklist:
210.245.92.63
162.251.84.219
80.88.89.222
213.192.1.171
"
1] https://virustotal.com/en/file/b3fa...e72e1d64c4d58436b7de6895/analysis/1464089508/

2] https://virustotal.com/en/file/62a5...e5a0e132fc4cf70cb2688543/analysis/1464089505/
___

Fake 'SAFARI LPO' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/safari-lpo-mal-337659-leads-to-locky/
24 May 2016 - "An email with the subject of 'SAFARI LPO [MAL] 337659' [random numbered] pretending to come from purchase@ safarigroup .net with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: purchase@ safarigroup .net
Date: Tue 24/05/2016 12:31
Subject: SAFARI LPO [MAL] 337659
Attachment: LPOMAL337659-6A9-5006.zip
Please find the attachment


24 May 2016: LPOMAL337659-6A9-5006.zip: Extracts to: IGFH-3503688.js - Current Virus total detections 23/56*
.. MALWR** shows downloads from
http ://alpadv .com/65g434f?YgXKzKkla=TeWMgeqci (VirusTotal 2/56***) or
http ://angelocc.php5 .cz/43454yt32?NjprTmi=EqTcdjEWuM (currently giving me a 404 not found) or
http ://panaceya.nichost .ru/sdfg4g3?gzVmzLqQLkU=oDlhsxWsTBF
Other download sites I have been informed about include :
http ://agro-bum .eu/43454yt32
http ://protei .me/43454yt32
http ://keiciuosi .lt/43454yt32
http ://BenavidezHoy .com/43454yt32
... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...7d7281a162181c8b430078d1/analysis/1441173827/

** https://malwr.com/analysis/OGVlYzg4ZmQ3ZmFiNDBlNjlmM2IzOGU5MGI5Y2U0Y2Y/
Hosts
195.208.1.161
185.82.216.45
173.236.147.27
104.18.36.113
217.198.115.56


*** https://www.virustotal.com/en/file/...bc512da8f5605676c31c093f/analysis/1464089771/
TCP connections
185.82.216.45

alpadv .com: 173.236.147.27: https://www.virustotal.com/en/ip-address/173.236.147.27/information/
>> https://www.virustotal.com/en/url/9...654dceb5ba45927848403252a60a4d80dcc/analysis/
angelocc.php5 .cz: 217.198.115.56: https://www.virustotal.com/en/ip-address/217.198.115.56/information/
>> https://www.virustotal.com/en/url/6...4bb7e6cda9771f9b0d073b4c08d05c55b47/analysis/
panaceya.nichost .ru: 195.208.1.161: https://www.virustotal.com/en/ip-address/195.208.1.161/information/

agro-bum .eu: 188.116.19.62: https://www.virustotal.com/en/ip-address/188.116.19.62/information/
>> https://www.virustotal.com/en/url/3...1e1f6320f86b4bca2016c3cf893445599ad/analysis/
protei .me: 198.46.81.204: https://www.virustotal.com/en/ip-address/198.46.81.204/information/
>> https://www.virustotal.com/en/url/d...b7c0ba59d563d7a0c812c4fdb079fb2f2b5/analysis/
keiciuosi .lt: 194.135.87.62: https://www.virustotal.com/en/ip-address/194.135.87.62/information/
>> https://www.virustotal.com/en/url/c...dfe1f9037dd80f7f2f9b8b8ecfde6808411/analysis/
benavidezhoy .com: 69.16.243.28: https://www.virustotal.com/en/ip-address/69.16.243.28/information/
>> https://www.virustotal.com/en/url/f...37eb1e98f1463a92913573ef8f59393129d/analysis/
___

Fake 'Your Payment' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/we-have-received-your-payment-thank-you-49407b2-delivers-locky/
24 May 2016 - "An email with the subject of 'We Have Received Your Payment – Thank You (#49407B2)' [random numbered] pretending to come from random senders and email addresses with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: Chung House <HouseChung30291@ privateclientlegal .com>
Date: Tue 24/05/2016 14:40
Subject: We Have Received Your Payment – Thank You (#49407B2)
Attachment: details_074728.zip
Your payment has been successfully received. Please, notice that in order to ship your order, we need you to fill out the additional form enclosed down below.


24 May 2016: details_074728.zip: Extracts to: letter_kWRDn1.js - Current Virus total detections 3/57*
.. MALWR** shows a download of Locky from
http ://shop.deliciescatalanes .com/SMjheb.exe (VirusTotal 2/56***). MALWR[4]. Manual analysis shows an alternative download from http ://shop.vixtro .com/z2qLMy.exe ... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...f347ffef8fe7b55fd8361aba/analysis/1464099776/

** https://malwr.com/analysis/NzI5M2E5...DIzN2Y/share/b3b1980902de4472a9bcbb031824f131
Hosts
212.92.57.70
31.41.44.45


*** https://www.virustotal.com/en/file/...f0db033633238417fb4dfe62/analysis/1464091820/

4] https://malwr.com/analysis/NmRjN2NhZWMxOWJiNGViNWEzMGIzZGY1NGU5NTJlYjQ/
Hosts
185.82.216.45

shop.vixtro .com: 202.126.109.134: https://www.virustotal.com/en/ip-address/202.126.109.134/information/
>> https://www.virustotal.com/en/url/4...9a4fac288ffe4ed402c4065811f0282c01d/analysis/
___

Evil network: OVH - Angler EK cluster
- http://blog.dynamoo.com/2016/05/evil-network-ovh-kaminskiyradiologistnet.html
24 May 2016 - "Here's an Angler EK cluster, hosted on multiple ranges rented from OVH France.. working first from this list of Angler IPs in OVH address space we can see a common factor.
5.135.249.214
5.135.249.215
51.255.59.119
51.255.59.120
51.255.59.121
51.255.59.123
91.134.206.128
91.134.206.129
91.134.206.130
91.134.206.131
91.134.204.217
91.134.204.218
91.134.204.219
91.134.204.243
91.134.204.245
91.134.204.247

One handy thing that OVH does with suballocated ranges is give clear details about the customer. This certainly helps track down abusers. In this case, the ranges these IPs are in are allocated to:
ORG-KM91-RIPE reference can be looked up on the RIPE database[1]: giving more of these little /30 blocks:
1] https://apps.db.ripe.net/search/full-text.html
5.135.249.212/30
51.255.59.116/30
51.255.59.120/30
51.255.59.124/30
91.134.206.128/30
91.134.204.212/30
91.134.204.216/30
91.134.204.220/30
91.134.204.240/30
91.134.204.244/30
91.134.204.248/30
91.134.204.252/30
164.132.223.192/30

OVH have been pretty good at cleaning up this sort of thing lately (unlike PlusServer*) so hopefully they will get this under control. If you want to find other Angler EK ranges then I have a bunch of 'em in my Pastebin**."
* http://blog.dynamoo.com/2016/04/plusserver-has-plussized-problem-with.html

** http://pastebin.com/u/dynamoo
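
The download lists, "Recommended blocklist" IPs and OVH /30 ranges quoted above are all written defanged ("http ://host .tld/path", "host .tld") so that a forum reader cannot click them by accident; they have to be refanged before they are any use in a proxy or firewall feed. The script below is an added example, not code from myonlinesecurity.co.uk or dynamoo: it undoes that defanging convention (the two regexes that do so are an assumption about the posts' style), pulls out URLs, hostnames, single IPs and CIDR blocks, skips the VirusTotal/MALWR/hybrid-analysis reference links that sit on the same lines, and emits one consolidated blocklist with single IPs already covered by a listed /30 dropped. The sample text is constructed from lines in the posts above.

```python
"""Refang and consolidate the defanged IOCs used in these posts (added example)."""
import ipaddress
import re

# Reference/analysis services that appear on the same lines as indicators but are not IOCs.
ANALYSIS_HOSTS = ("virustotal.com", "malwr.com", "hybrid-analysis.com",
                  "myonlinesecurity.co.uk", "dynamoo.com", "deepviz.com")
# Bare filenames like 0WEGev.exe must not be mistaken for hostnames.
FILE_EXTS = {"exe", "js", "zip", "rar", "doc", "docm", "dot", "jpg", "pdf", "scr", "pif", "png"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed sample: lines copied from the posts above, in their defanged style.
SAMPLE = """\
http ://shop2gather .com/0WEGev.exe - 191.234.21.43
http ://americanaintl .com/lFsXD3.exe - 175.45.50.235 giving me a 404
http ://angelocc.php5 .cz/43454yt32?NjprTmi=EqTcdjEWuM (currently giving me a 404 not found) or
http ://agro-bum .eu/43454yt32
shop.vixtro .com: 202.126.109.134: https://www.virustotal.com/en/ip-address/202.126.109.134/information/
Recommended blocklist:
210.245.92.63
162.251.84.219
5.135.249.214
5.135.249.212/30
91.134.204.252/30
"""


def refang(line: str) -> str:
    """Undo the posts' defanging: 'http ://x' -> 'http://x', 'host .tld' -> 'host.tld' (assumed convention)."""
    line = re.sub(r"\b(https?)\s+://", r"\1://", line)
    return re.sub(r"\s+\.(?=[A-Za-z]{2,}\b)", ".", line)


def is_analysis_host(host: str) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in ANALYSIS_HOSTS)


def extract_iocs(text: str) -> dict:
    """Return sorted URLs, hostnames, single IPs and CIDR nets found in defanged text."""
    urls, hosts, ips, nets = set(), set(), set(), set()
    for raw in text.splitlines():
        line = refang(raw)
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;:)")
            host = url.split("://", 1)[1].split("/", 1)[0].split(":")[0].lower()
            line = line.replace(url, " ")          # don't re-parse the URL's own parts below
            if is_analysis_host(host):
                continue                            # a report link, not an indicator
            urls.add(url)
            hosts.add(host)
        for m in IP_RE.findall(line):
            try:
                if "/" in m:
                    nets.add(str(ipaddress.ip_network(m, strict=False)))
                else:
                    ips.add(str(ipaddress.ip_address(m)))
            except ValueError:
                continue                            # e.g. 999.1.1.1 matched the regex but is not an address
        for h in HOST_RE.findall(line):
            h = h.lower()
            if h.rsplit(".", 1)[1] in FILE_EXTS or is_analysis_host(h):
                continue
            hosts.add(h)
    return {"urls": sorted(urls), "hosts": sorted(hosts),
            "ips": sorted(ips, key=ipaddress.ip_address),
            "nets": sorted(nets, key=ipaddress.ip_network)}


def to_blocklist(iocs: dict) -> list:
    """One 'kind value' line per indicator; single IPs already inside a listed net are dropped."""
    nets = [ipaddress.ip_network(n) for n in iocs["nets"]]
    lines = [f"net {n}" for n in iocs["nets"]]
    lines += [f"ip {ip}" for ip in iocs["ips"]
              if not any(ipaddress.ip_address(ip) in n for n in nets)]
    lines += [f"host {h}" for h in iocs["hosts"]]
    return lines


if __name__ == "__main__":
    for entry in to_blocklist(extract_iocs(SAMPLE)):
        print(entry)
```

Feed it the text of a post and pipe the output into whatever your proxy or firewall consumes; the hostname regex is a heuristic, so eyeball the "host" lines once before deploying them, and remember that compromised download sites like these are legitimate businesses that will be cleaned up, so age the host entries out.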

Fake 'invoices', 'Operational Expense', 'URGENT DELIVERY' SPAM, 'WhatsApp Gold' SCAM

FYI...

Fake 'invoices' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/05/malware-spam-following-phone.html
25 May 2016 - "These -fake- financial spams come from different companies, all with a malicious attachment.
From: Frank.ClaraZO@ pr-real .com
Date: 25 May 2016 at 11:34
Subject: The invoices from INCHCAPE PLC
Hello,
Following the phone conversation with the accounting department represantatives I'm sending you the invoices.
Thank you for attention,
Kind regards
Clara Frank
INCHCAPE PLC ...
> Sent from Iphone


Attached is a ZIP file with a name similar to Invoice 5044-032841.zip which in turn contains a malicious script named in a similar manner to invoice(677454).js which typically has a detection rate of 3/56*. Hybrid Analysis** of that sample shows the script creating a PFX (personal certificate) file which is then transformed into a PIF (executable) file using the certutil.exe application. This PIF file itself has a detection rate of 6/56*** but automated analysis [1] [2].. is inconclusive. The behaviour is somewhat consistent with the Dridex banking trojan but may possibly be Locky ransomware."
* https://virustotal.com/en/file/375a...2754e8cf328d91d8ac67034f/analysis/1464173596/

** https://www.hybrid-analysis.com/sam...2152754e8cf328d91d8ac67034f?environmentId=100

*** https://virustotal.com/en/file/ceeb...50aedb3b8a605e3ce807708f/analysis/1464174246/

1] https://malwr.com/analysis/M2M0ZDRkYjY1OWM1NDVlNjg5YWM1M2I4YTNkNTIwZTY/

2] https://www.hybrid-analysis.com/sam...22350aedb3b8a605e3ce807708f?environmentId=100
___

Fake 'Operational Expense' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/05/malware-spam-operational-expense-leads.html
25 May 2016 - "This -fake- financial spam leads to malware:
From: Theodora Hamer
Date: 25 May 2016 at 12:17
Subject: Operational Expense
Operational Expense of 7,350,80 USD has been credited from your account. For more details please refer to the report that can be found down below


This analysis is based on a trusted source (thank you!). Attached is a ZIP file containing a malicious script, downloading from:
alborzcrane .com/g1slEn.exe
alborzcrane .com/Z94n5r.exe
alintagranito .com/fOA8Bl.exe
alintagranito .com/xB7nku.exe
amazoo.com .br/R0koId.exe
avayeparseh .com/s0faxS.exe
buzzimports .com.au/cRQVC4.exe
buzzimports .com.au/ECScwi.exe
galabel .com/lRkuJX.exe
galabel .com/oQz26K.exe
jett .com/6APaSk.exe
kitchen38 .com/HYPETS.exe
kitchen38 .com/V1ygc2.exe
onestopcableshop .com/J7t6au.exe
osdc .eu/gct5TH.exe
osdc .eu/n2UuEj.exe
purfectcar .com/9OaoqM.exe
purfectcar .com/sHXqZT.exe
wisebuy .com/WiOqzB.exe
yearnjewelry .com/OnvBrc.exe
yearnjewelry .com/t8HnK3.exe
zhaoyk .com/Dmv3As.exe
zhaoyk .com/JbO9uX.exe
This drops what is apparently Locky ransomware, with a detection rate of 3/56*. This phones home to:
164.132.40.47 (OVH, France)
104.131.182.103 (Digital Ocean, US)
This Hybrid Analysis** shows the Locky ransomware in action.
Recommended blocklist:
164.132.40.47
104.131.182.103
"
* https://virustotal.com/en/file/047c...f84a74252db0bc116b982f8dd02db85cf88/analysis/

** https://www.hybrid-analysis.com/sam...2db0bc116b982f8dd02db85cf88?environmentId=100
___

Fake 'URGENT - DELIVERY' SPAM - leads to malware
- http://blog.dynamoo.com/2016/05/malware-spam-urgent-delivery-jobin.html
25 May 2016 - "This -fake- delivery spam leads to malware:
From: Justin harmon
Date: 25 May 2016 at 12:30
Subject: URGENT - DELIVERY
Dear customer.
Please find the attachment.
Thanks & Best Regards
Jobin Jacob
HYTEX ...


Attached is a ZIP file that contains one of many scripts that downloads a binary from one of the following locations (according to a trusted third party, thank you!):
avi-vest .ro/3g34t3t4tggrt?[random-string]=[random-string]
bankruptcymag .com/3g34t3t4tggrt?[random-string]=[random-string]
bizconsulting .ro/3g34t3t4tggrt?[random-string]=[random-string]
brunohenrique .net/3g34t3t4tggrt?[random-string]=[random-string]
cjglobal .co/3g34t3t4tggrt?[random-string]=[random-string]
comecomunicare .eu/3g34t3t4tggrt?[random-string]=[random-string]
crimeshurt .com/3g34t3t4tggrt?[random-string]=[random-string]
digitacaoveloz .com.br/3g34t3t4tggrt?[random-string]=[random-string]
globalcredithub .com/3g34t3t4tggrt?[random-string]=[random-string]
lifeclinics .net/3g34t3t4tggrt?[random-string]=[random-string]
orobos .nyc/3g34t3t4tggrt?[random-string]=[random-string]
selonija .lv/3g34t3t4tggrt?[random-string]=[random-string]
smp.com .mx/3g34t3t4tggrt?[random-string]=[random-string]
sweethomesgroup .com/3g34t3t4tggrt?[random-string]=[random-string]
tspipp .tsu.tula .ru/3g34t3t4tggrt?[random-string]=[random-string]
unijovem .com.br/3g34t3t4tggrt?[random-string]=[random-string]
www .appoutpost .com/3g34t3t4tggrt?[random-string]=[random-string]
Where [random-string] seems to be a random alphanumeric string. The dropped binary is Locky ransomware (as seen in this Malwr report*) which phones home to:
164.132.40.47 (OVH, France)
104.131.182.103 (Digital Ocean, US)
These are the same C2 servers as found here**."
* https://malwr.com/analysis/YTc2MTIxZjFmNjIwNDBlY2IwZTQ0MDVkY2VlZjkwYmM/
Hosts
2.49.203.206
164.132.40.47


** http://blog.dynamoo.com/2016/05/malware-spam-operational-expense-leads.html
___

Fake 'Weekly report' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/05/malware-spam-weekly-report-please-find.html
25 May 2016 - "This -fake- financial spam comes from random senders and companies and has a malicious attachment:
From: Alicia Ramirez
Date: 25 May 2016 at 14:22
Subject: Weekly report
Hi [redacted],
Please find attached the Weekly report.
King regards,
Alicia Ramirez
Castle (A.M.) & Co.


There are a -large- number of these, with a ZIP file -attached- containing malicious scripts with a typical detection rate of 3/56*. In this sample Malwr** analysis, it downloads a file from:
test.glafuri .net/yxk6s
There will certainly be a LOT of other download locations. The dropped file GSKQtcnNu8MS.exe has a detection rate of 4/55*** and that same VirusTotal report indicates C2 traffic to:
138.201.93.46 (Hetzner, Germany)
91.200.14.139 (PP SKS-LUGAN, Ukraine)
104.131.182.103 (Digital Ocean, US)
164.132.40.47 (OVH, France)
Even though other automated analysis -failed- [1] [2] this time we have previously identified -two- of those IPs[3] as being Locky ransomware, so there is little doubt that this will be more of the same.
Recommended blocklist:
138.201.93.46
91.200.14.139
104.131.182.103
164.132.40.47
"
* https://virustotal.com/en/file/9846...3080984d2dcf5f7f27990ac2c769bf5b177/analysis/

** https://malwr.com/analysis/OWNkNDJjNGI3Y2RiNGUxMThiOGEyODQzN2IzM2JmMWY/
Hosts
176.223.121.193

*** https://virustotal.com/en/file/366d...2208d1b657452be4ed75d94feadbc3b5f47/analysis/
TCP connections
138.201.93.46
91.200.14.139
104.131.182.103
164.132.40.47
69.195.129.70


1] https://www.hybrid-analysis.com/sam...57452be4ed75d94feadbc3b5f47?environmentId=100

2] https://malwr.com/analysis/ZWZmZmMzMGE1NmYyNGI2NmJlMTUzNmFiYjM2NTg0Mzc/

3] http://blog.dynamoo.com/2016/05/malware-spam-operational-expense-leads.html
___

Fake 'Pan Card' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/attached-is-the-pan-card-as-requested-delivers-locky/
25 May 2016 - "An email with the subject of 'Pan Card' pretending to come from email2jbala . <email2jbala@ gmail .com> with a malicious word doc attachment downloads Locky ransomware... 'never heard of a 'PAN card' and had to do a Google search to find out what it is. 'Turns out to be an Indian Identity card for income tax payments... The email looks like:
From: email2jbala . <email2jbala@igmail .com>
Date: Wed 25/05/2016 15:37
Subject: Pan Card
Attachment: 2015-25-05_333317.docm
Attached is the PAN card as requested.
You can mail me form 16.


25 May 2016: 2015-25-05_333317.docm - Current Virus total detections 7/55*
.. MALWR** shows a download from
http ://www.asysa .cl/k7jhrt4hertg which gave hendibe.exe, which is not actually an .exe file but an HTML file (VirusTotal 0/57***) (currently giving me a 404 'not found'). An alternative version gave me
http ://majaz .co.uk/k7jhrt4hertg (VirusTotal 6/56[4]) which is the same Locky ransomware version from earlier today[5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...5aa5f6bee0846fe405e255eb/analysis/1464187080/

** https://malwr.com/analysis/ZGQxODFiN2M2Mjk0NDIxYzhjNmY2OWI5YTFjY2M5YzU/
Hosts
186.67.227.204

*** https://www.virustotal.com/en/file/...e0f5eb0e65643bb0a3d034cd/analysis/1464191429/

4] https://www.virustotal.com/en/file/...77853291235f0a470c94fbfb/analysis/1464189317/
TCP connections
164.132.40.47

5] https://myonlinesecurity.co.uk/urgent-delivery-jobin-jacob-hytex-delivers-locky/

asysa .cl: 186.67.227.204: https://www.virustotal.com/en/ip-address/186.67.227.204/information/
>> https://www.virustotal.com/en/url/a...67f352b5f35d8efa0754d3e40641c3fd834/analysis/
majaz .co.uk: 81.27.85.11: https://www.virustotal.com/en/ip-address/81.27.85.11/information/
>> https://www.virustotal.com/en/url/e...764b23c5038a096147b7f5946c705a2173a/analysis/
___

'WhatsApp Gold' SCAM - spreads malware
- http://www.actionfraud.police.uk/news/dont-install-whatsapp-gold-it-contains-malware-may16
24 May 2016 - "WhatsApp users are being tricked by fraudsters into downloading a -fake- version of WhatsApp which infects Android devices with malware. The "secret" messages sent to peoples inboxes claim you have an exclusive chance to download “WhatsApp Gold”. The scam messages claim to offer enhanced features used by celebrities. Victims are urged to sign up via-a-link-provided... After clicking-on-the-link you will be -redirected- to a -fake- page and your Android device will become infected with malware. If you have already followed the link to download the software, install some -antivirus- software onto your device to remove the malware..."
> https://www.helpnetsecurity.com/2016/05/25/whatsapp-gold-malware/
May 25, 2016 - "... messages that offer 'WhatsApp Gold'..." [which does NOT exist.]
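
Two of the Dridex runs above (the 'Suspicious logon attempt' doc on 24 May and the 'invoices' script on 25 May) drop a base64-encoded blob with a harmless-looking extension (.pfx) and have certutil.exe turn it back into an executable (.pif), which is exactly the kind of living-off-the-land step that process-creation telemetry catches well. The detection below is an added example, not code from either blog: it parses Sysmon Event ID 1-style records (the field names Image, CommandLine and ParentImage are assumed), flags certutil running with -decode/-decodehex, and raises the severity when the parent is an Office application or script host or when the decoded output carries an executable extension. The events are constructed to mimic the chain described above.

```python
"""Flag certutil used as a base64 decoder in process-creation telemetry (added example)."""
import re
from pathlib import PureWindowsPath

DECODE_FLAGS = {"-decode", "-decodehex", "/decode", "/decodehex"}
OFFICE_AND_SCRIPT_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                           "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".dll", ".cpl"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')      # split a command line, keeping quoted paths whole

# Constructed Sysmon Event ID 1-style records (field names assumed). The first two mimic
# the Word/JS -> certutil -decode -> .pif chain; the third is an ordinary certificate
# conversion; the last two should not match at all.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'"C:\Windows\System32\certutil.exe" -decode "C:\Users\v\AppData\Local\Temp\report.pfx" "C:\Users\v\AppData\Local\Temp\report.pif"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode blob.txt update.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode cert.b64 cert.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify cert.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\v\Downloads\invoice(677454).js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def parse_certutil_decode(cmdline: str):
    """(input_file, output_file) when cmdline is a certutil decode, otherwise None."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not tokens or basename(tokens[0]) not in ("certutil", "certutil.exe"):
        return None
    flags = {t.lower() for t in tokens[1:] if t.startswith(("-", "/"))}
    if not flags & DECODE_FLAGS:
        return None
    files = [t for t in tokens[1:] if not t.startswith(("-", "/"))]
    if len(files) < 2:
        return None
    return files[-2], files[-1]        # certutil -decode <infile> <outfile>


def assess(event: dict):
    """Return a finding for a suspicious event, or None."""
    parsed = parse_certutil_decode(event.get("CommandLine", ""))
    if parsed is None:
        return None
    src, dst = parsed
    parent = basename(event.get("ParentImage", ""))
    reasons = ["certutil used as a base64 decoder"]
    if parent in OFFICE_AND_SCRIPT_HOSTS:
        reasons.append(f"spawned by {parent}")
    if PureWindowsPath(dst).suffix.lower() in EXECUTABLE_EXTS:
        reasons.append(f"decoded output has an executable extension ({PureWindowsPath(dst).name})")
    return {"severity": "high" if len(reasons) > 1 else "medium",
            "src": src, "dst": dst, "reasons": reasons}


def scan(events):
    """(index, finding) pairs for every event that trips the rule."""
    return [(i, f) for i, f in ((i, assess(ev)) for i, ev in enumerate(events)) if f]


if __name__ == "__main__":
    for i, finding in scan(SAMPLE_EVENTS):
        print(i, finding["severity"], "; ".join(finding["reasons"]))
```

A lone "certutil -decode" from cmd.exe is only medium because administrators do convert base64 certificates that way; what makes the Dridex case unmistakable is the parent process and the .pif output, so keep both enrichments rather than alerting on the flag alone.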

Fake 'document', 'new fax' SPAM, 'Summons', 'Telegraphic transfer' - Phish

FYI...

Fake 'document' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/05/malware-spam-please-find-attached.html
26 May 2016 - "This spam appears to come from different companies and senders, and has a malicious attachment:
From: Sara Osborne
Date: 26 May 2016 at 10:53
Subject: RE:
Dear sales,
Please find attached a document containing our responses to the other points which we
discussed on Monday 23th May.
Please let me know if you have any queries
Regards,
Wayfair Inc.
Sara Osborne


Attached is a ZIP file (the ones I have seen so far all begin with responses_) which contains a malicious script named in a similar way to employees -382-.js. These have a typical detection rate of 4/56*. Two samples analysed by Malwr [1] [2] show download locations from:
newgeneration2010 .it/mkc27f
projectodetalhe .pt/do5j36a
There will be many other download locations too. These drop two different binaries (VirusTotal results [3] [4]). Those two VT results plus these two DeepViz analyses [5] [6] show the malware phoning home to:
138.201.93.46 (Hetzner, Germany)
107.181.187.12 (Total Server Solutions, US)
212.109.219.31 (JSC Server, Russia)
5.152.199.70 (Redstation, UK)
This behaviour is consistent with Locky ransomware.
Recommended blocklist:
138.201.93.46
107.181.187.12
212.109.219.31
5.152.199.70
"
* https://virustotal.com/en/file/d0d6...fc3deefda0b41b1454bd66b5/analysis/1464257175/

1] https://malwr.com/analysis/Y2YwZGJiYTY2MGJjNDFmN2E2OGRiMjJhN2Q5N2ZkYWE/
Hosts
217.73.226.220

2] https://malwr.com/analysis/NmIwYzJmM2EzYzkzNDdhZjllNmMwM2M4YjM5YjE0Nzg/
Hosts
50.87.30.230

3] https://virustotal.com/en/file/eb85...9248df6c9808f130d1d85f0f/analysis/1464258206/
TCP connections
138.201.93.46

4] https://virustotal.com/en/file/a762...31b2d54bd1f09d57a4371548/analysis/1464258217/
TCP connections
212.109.219.31

5] https://sandbox.deepviz.com/report/hash/06616d1fbb32687a6be3cfcac4596264/

6] https://sandbox.deepviz.com/report/hash/420e191a7edfaef909ae92a895d04552/
___

Fake 'document' SPAM - jpg embedded malware
- https://myonlinesecurity.co.uk/i-ha...company-delivers-a-jpg-with-embedded-malware/
26 May 2016 - "A series of emails spoofing different companies with the subject of 'I/we have attached the [document/file/declaration]' from [random company name] coming from random senders with a malicious word doc attachment is another one from the current bot runs... Other subject lines include:
Please review the attached relation from
Some of the alleged senders with compromised email address I have received from include:
Nec Consulting <audiovideo7@ yandex .com>
Turpis Inc. <rahul_k@ asus .com>
Pharetra Sed Consulting <dibyendu@ digitexwebitsolutions .com>
Aliquet Proin Velit Inc. <jdybala@ realmindhosting .com>
Lobortis Corporation <apayne@ msicorp .com>

The email looks like:
From: Nec Consulting <audiovideo7@ yandex .com>
Date: Thu 26/05/2016 05:06
Subject: I have attached the document from Nec Consulting.
Attachment: 2-7925_273378123.dot
I have attached the document from Nec Consulting.


26 May 2016: 2-7925_273378123.dot - Current Virus total detections 4/57*
.. Payload security** shows a download from 3dcadtools .com/img.jpg?FL=1 (VirusTotal 4/56***) which gives a proper jpg that contains embedded malware... will update later when one of the analysts has done it.
Screenshot of image: https://myonlinesecurity.co.uk/wp-content/uploads/2016/05/jpg.png
.. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...8f0ee14563576f173d472e4d/analysis/1464239384/

** https://www.hybrid-analysis.com/sam...a688f0ee14563576f173d472e4d?environmentId=100
Contacted Hosts
208.66.129.67: https://www.virustotal.com/en/ip-address/208.66.129.67/information/

*** https://www.virustotal.com/en/file/...8391ea58cdefe2dc228c9ed8/analysis/1464242851/

3dcadtools .com: 208.66.129.67
___

Fake 'Summons' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/summons-on-the-case-4e459e46-delivers-locky-ransomware/
26 May 2016 - "... An email with the subject of 'Summons On The Case #4E459E46' [random numbered] pretending to come from random senders with a zip attachment containing a JavaScript file which downloads Locky. It downloads the same Locky version from the -same- locations described by Techhelplist[1]. So far he has found 150-odd download locations for this version. It should be noted that these JavaScript files have 2 encrypted download locations in them...
1] https://techhelplist.com/spam-list/1080-credit-card-has-been-declined-malware
26 May 2016 - "... Checks in with these C2 sites:
212.109.219.31: https://www.virustotal.com/en/ip-address/212.109.219.31/information/
>> https://www.virustotal.com/en/url/3...36dd8452d251fcb5cf01f42f576aa622759/analysis/
5.152.199.70: https://www.virustotal.com/en/ip-address/5.152.199.70/information/
>> https://www.virustotal.com/en/url/9...04fa9741038a4afd77f3d082c2561c01971/analysis/
107.181.187.12: https://www.virustotal.com/en/ip-address/107.181.187.12/information/
>> https://www.virustotal.com/en/url/b...6ce6d20c1632b1287d9d29d61a4fbb96cc3/analysis/
..."
One of the emails looks like:
From: Faye Third <ThirdFaye15@ booneritterinsurance .com>
Date: Thu 26/05/2016 17:02
Subject: Summons On The Case #4E459E46
Attachment: copy_260713.zip
Good day, You are being summonsed to the court on the case #4E459E46. The penalty in the amount of $9,793,18 will be assigned in case you don’t show up. Information on the case is listed in the document enclosed.


This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
___

'Telegraphic transfer' - Phish
- http://blog.dynamoo.com/2016/05/phish-please-find-attached-telegraphic.html
26 May 2016 - "At first glance this spam looks like malware, but it appears to be a -phish- instead:
From: General trading ltd [info@ 7studio .co]
Date: 26 May 2016 at 05:04
Subject: Payment
Dear Sir/Ma'am!
As requested by our customer
Please find attached telegraphic transfer copy for payment made to your account today.
Kindly confirm once you received this payment.
Regards
Muhammad Farooq
Exchange Manager,
MCB New Garden Exchange
U.A.E (1080) ...


Attached is a file TT-USD.pdf .. as a rule I would recommend -not- opening PDF files or other attachments from -unknown- sources. When you open the file it looks like this:
> https://2.bp.blogspot.com/-B-_Ep2-M...0l_Cps7A52aOmttfpD_pwCLcB/s1600/pdf-phish.jpg

Yes, it does look that blurry. The enticement here is to click-the-link in the document, which is something I wouldn't recommend that you do because it could lead to a malicious download, exploit kit or in this case a simple phishing page hosted on poloimport2012 .com:
> https://4.bp.blogspot.com/-X0D3k1PP...pGXIFww0tTVTYhHIHDQCLcB/s1600/pdf-phish-2.jpg

poloimport2012 .com: 192.185.214.25: https://www.virustotal.com/en/ip-address/192.185.214.25/information/
>> https://www.virustotal.com/en/url/c...51b8cdcda46c3d7794fded46b904317f752/analysis/

This seems to be phishing for general webmail credentials. Of course, once a hacker has those they can use your account to send spam or even rifle through your private emails and reset passwords and gain access to other important accounts. Signing in with any credentials appears to fail*, but of course the bad guys have just harvested your password..
* https://3.bp.blogspot.com/-Ud6V07Wn...iG8B-e0z_vgGG6-dq9wCLcB/s1600/pdf-phish-3.jpg
.. I don't recommend opening files like this and clicking-links to see where they go. I use a test environment to do this, but some similar spam emails can deliver malware that will silently plant itself on your computer which can be even more dangerous than this phish."
___

Fake 'new fax' SPAM - ransomware
- https://myonlinesecurity.co.uk/you-...from-your-own-email-address-delivers-malware/
25 May 2016 - "An email with the subject of 'You have received a new fax' pretending to come from Incoming Fax <Incoming.Fax@ victim domain .tld> with a zip attachment is another one from the current bot runs which delivers some malware... Edit: I am being told it is cerber ransomware:
> http://www.bleepingcomputer.com/new...ly-encrypts-your-data-but-also-speaks-to-you/
One of the emails looks like:
From: Incoming Fax <Incoming.Fax@ victim domain .tld>
Date: Wed 25/05/2016 19:27
Subject: You have received a new fax
Attachment: IncomeMessage.zip
You have received fax from XEROX41733530 at thespykiller .co.uk
Scan date: Wed, 25 May 2016 10:26:43 -0800
Number of page(s): 15
Resolution: 400×400 DPI
Name: Fax5704504
Attached file is scanned image in PDF format.


25 May 2016: IncomeMessage.zip: Extracts to: IncomeMessage127286.scr - Current Virus total detections 3/57*
.. MALWR** shows some strange data files created/dropped by this that I assume need decrypting into an exe file. It also drops opencandy.dll, whether this is connected with the Open Candy adware or is just a coincidental name is open for discussion... Payload Security*** tells us it contacts 1 domain and -16385- hosts. View the network section[1] for more details... being told it is cerber ransomware... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...e70de9cdb7e8a1be8ffc9e09/analysis/1464200261/

** https://malwr.com/analysis/N2U5YTJlNDQwYjM2NDExY2I0Njg3ZWQzYTVjYjUxYmU/

*** https://www.hybrid-analysis.com/sam...ba2e70de9cdb7e8a1be8ffc9e09?environmentId=100
Contacted Hosts
ipinfo .io: 54.93.140.37: https://www.virustotal.com/en/ip-address/54.93.140.37/information/

1] https://www.hybrid-analysis.com/sam...9e09?environmentId=100#sample-network-traffic

Fake 'Information request' SPAM, 'Final PO Contract', 'Window Users Award' - Phish

FYI...

Ransomware - Free Tools
- http://free.antivirus.com/us/index.html
May 26, 2016 - "These free ransomware tools can help users who have been infected with certain versions of ransomware and crypto-ransomware, allowing them to regain access to their system and files..."
> Crypto-Ransomware File Decryptor Tool:
- https://esupport.trendmicro.com/solution/en-US/1114221.aspx
> Lock Screen Ransomware Tool - unavailable at this time - check back later.
___

Fake 'Information request' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/information-request-delivers-locky/
27 May 2016 - "... an email with the subject of 'Information request' pretending to come from random senders with a zip attachment which downloads Locky ransomware... One of the emails looks like:
From: Damien Benson <BensonDamien52@ silvanasoda .com.br>
Date: Fri 27/05/2016 11:38
Subject: Information request
Attachment: changes_scan.910.zip
Dear scan.910,
As per our discussion yesterday, please find attached the amended meeting minutes.
I have accepted the majority of the changes requested, however there are some that I have left in the document.
I have included the edits as track changes.
Please confirm that the changes we have made are acceptable.
Many thanks
Regards,
Freshpet, Inc.
Damien Benson ...


27 May 2016: changes_scan.910.zip: Extracts to: changes-4354-.js - Current VirusTotal detections 2/57*
.. MALWR** shows a download... from http ://genius-versand .de/n2e2n (VirusTotal 0/57***) which is another one of these malware files that get downloaded as an encrypted text file that needs to be decrypted by the JavaScript (which is itself encrypted) to give a working .exe file and bypass antivirus & perimeter defences that block download of executable files. Payload Security[4] gives us TC9ck9tl.exe (VirusTotal 7/57[5]). These all have anti-analysis/anti-sandbox/VM protection to prevent analysis by security companies and researchers... This is another one of the files that unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...90e5ffa140dfa2e323b510d6/analysis/1464345360/

** https://malwr.com/analysis/YTFkYjA3ZjIwZGJkNDNmOWEyNGE3OGNmMGY0MjIyNjA/
Hosts
78.46.53.123: genius-versand .de: https://www.virustotal.com/en/ip-address/78.46.53.123/information/
>> https://www.virustotal.com/en/url/b...f575332fb4d60ce579405a4e84219b2efa7/analysis/

*** https://www.virustotal.com/en/file/...46bd13db5b4642e3e9ca3542/analysis/1464346231/

4] https://www.hybrid-analysis.com/sam...eaf90e5ffa140dfa2e323b510d6?environmentId=100
Contacted Hosts
78.46.53.123

5] https://www.virustotal.com/en/file/...fe78adad708a79c4c7a15fa8/analysis/1464346123/
TCP connections
5.152.199.70: https://www.virustotal.com/en/ip-address/5.152.199.70/information/
>> https://www.virustotal.com/en/url/9...04fa9741038a4afd77f3d082c2561c01971/analysis/

- http://blog.dynamoo.com/2016/05/malware-spam-as-per-our-discussion.html
27 May 2016 - "This spam leads to Locky ransomware:
From: Meagan Branch
Date: 27 May 2016 at 12:35
Subject: Information request
Dear [redacted],
As per our discussion yesterday, please find attached the amended meeting minutes.
I have accepted the majority of the changes requested, however there are some that I have left in the document.
I have included the edits as track changes.
Please confirm that the changes we have made are acceptable.
Many thanks
Regards,
Oramed Pharmaceuticals Inc.
Meagan Branch ...


The senders vary from email to email. Attached is a ZIP file with a malicious script, which in the examples that I have found downloads one of a variety of malicious executables [1] [2].. which call home to the -same- IP addresses found in this earlier spam run*.
1] https://virustotal.com/en/file/ac32...ebde9ad70a0d1d6e7e8062ed/analysis/1464345833/
TCP connections
5.152.199.70

2] https://virustotal.com/en/file/dae6...37df4e485ea834ae58d36009/analysis/1464345851/
TCP connections
193.9.28.13

* http://blog.dynamoo.com/2016/05/malware-spam-neue-abrechnung-nr-746441.html
27 May 2016 - "... The payload is Locky ransomware.
Recommended blocklist:
193.9.28.13
5.152.199.70
212.109.219.31
107.181.187.12
"
___

'Final PO Contract' - Phish
- http://blog.dynamoo.com/2016/05/phish-final-po-contractxlsx.html
27 May 2016 - "This spam email is phishing for email credentials. Unlike some, this one seems to be quite well done and might convince unsuspecting people that it is genuine.
From: M Tufail Shakir [admin@ ebookmalls .com]
Date: 27 May 2016 at 08:42
Subject: Re: Final PO Contract..xlsx
Please see below attachment for the final signed contract
Regards,
27-05-2016
Tom Yip | Regional Sales Team | Marchon Eyewear (HK) Ltd...


The link in this email goes to:
cagselectrical .com.au/libraries/emb/excel/excel/index.php?email=[redacted]
This gives a pretty convincing looking facsimile of an Excel spreadsheet, prompting for credentials:
> https://2.bp.blogspot.com/-lNnthg-6...si3cVlpHHXMK_WUzumACLcB/s1600/excel-phish.jpg
Entering any combination of username and password seems to work, then you get -redirected- to a GIF of a spreadsheet:
> https://2.bp.blogspot.com/-SgxiI71M...0c19Lb9xXyZCDGUOACLcB/s1600/excel-phish-2.jpg
Curiously, this GIF is not part of a phishing site but is on a wholly legitimate site belonging to a software company called Aspera (you can see it here):
> http://download.asperasoft.com/download/docs/console/2.0/linux/html/index.html
The asperasoft .com domain is NOT involved in the phishing nor has it been compromised. As ever, I would advise you -not- to explore links like this as they might lead to an exploit kit or malware, and bear in mind that some phishing pages are better than others, and this is one of the more convincing ones that I have seen recently."

cagselectrical .com.au: 103.1.110.130: https://www.virustotal.com/en/ip-address/103.1.110.130/information/
>> https://www.virustotal.com/en/url/0...06d1930a958a0ad06bb7182b0629fd59dbc/analysis/
___

'Window Users Award' - Phish
- https://myonlinesecurity.co.uk/microsoft-window-users-award-microsoft-lottery-scam/
27 May 2016 - "An email with the subject of 'Microsoft Window Users Award' pretending to come from Mr. Thomas Fisher <11@ nokopings .jp.tn> with a PDF attachment is a phishing scam... One of the emails looks like:
From: Mr. Thomas Fisher <11@ nokopings .jp.tn>
Date: Fri 27/05/2016 08:40
Subject: Microsoft Window Users Award..,
Attachment: convert to microsoft.pdf


Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/05/microsoft-lottery-scam-1024x550.png

Fake 'Account Suspended', 'Proposal', 'New Message', 'New Company Order', SPAM

FYI...

Fake 'Account Suspended' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fraudlent-behavior-account-suspended-malspam-delivers-locky/
31 May 2016 - "... an email with the subject of 'Fraudlent Behavior – Account Suspended' pretending to come from random senders with a zip attachment which downloads Locky ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-c...dlent-Behavior-Account-Suspended-1024x447.png

31 May 2016: caution_ubmit_63883018.zip: Extracts to: details_AbSfS.js - Current VirusTotal detections 3/57*
.. MALWR** shows a download of Locky ransomware from
http ://handmee .com/hIPTXx (VirusTotal 3/57***)... This is another one of the files that unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...207e02811b6e32b8e921913a/analysis/1464686472/

** https://malwr.com/analysis/NzM3MTg4OTk3MGFhNGMzNDgwNWU4NjVmYWY3NzczNmM/
Hosts
134.0.10.15
93.170.123.60


*** https://www.virustotal.com/en/file/...400dc3baaa5e344ff1ec47ad/analysis/1464687464/
TCP connections
195.154.69.90

handmee .com: 134.0.10.15: https://www.virustotal.com/en/ip-address/134.0.10.15/information/
>> https://www.virustotal.com/en/url/2...3505a8f64de6c8174e07683e4d8215a2873/analysis/
___

Fake 'Proposal' SPAM - RTF attachment malware
- https://myonlinesecurity.co.uk/the-...es-declaration-malspam-broken-malware-macros/
31 May 2016 - "An email where the subject is the word 'FWD: ' or 'Fw: ' and the alleged sender's name, pretending to come from random senders with a malicious Word RTF doc spreadsheet attachment, is another one from the current bot runs... The email looks like:
From: Blossom J. Evans <garry@ tierneyandco .com>
Date: Tue 31/05/2016 10:47
Subject: Fw: Blossom J. Evans
Attachment: r03va37cl81h.rtf
The attached proposal includes declaration.
Blossom J. Evans


31 May 2016: r03va37cl81h.rtf - Current VirusTotal detections 4/57*
.. Malwr** isn’t showing any download or dropped content. Payload Security*** shows a download from
admiralty .co.za/jsckhr.jpg?TXnIQmQZO=59 (VirusTotal 3/57[4]) which should be converted-by-the-macro to an exe file (however Payload does not show any actual .exe file in the report)..
31 May 2016: u18c.rtf - Current VirusTotal detections 4/57[5]. Malwr[6] isn’t showing any download or dropped content. Payload Security[7] shows the same jpg download as the other rtf file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...68d24dd616c879083480b8b6/analysis/1464688896/

** https://malwr.com/analysis/ZDkzZDJkMWNhY2RlNDAxYmIyMmEyNjUxNTE0OTg2MTQ/

*** https://www.hybrid-analysis.com/sam...67568d24dd616c879083480b8b6?environmentId=100
Contacted Hosts
41.72.154.148: https://www.virustotal.com/en/ip-address/41.72.154.148/information/

4] https://www.virustotal.com/en/file/...0b3894f3001f1f40fc6adfe7/analysis/1464690295/

5] https://www.virustotal.com/en/file/...2e689098d279695d3fc04cf2/analysis/1464689088/

6] https://malwr.com/analysis/ZDkzZDJkMWNhY2RlNDAxYmIyMmEyNjUxNTE0OTg2MTQ/

7] https://www.hybrid-analysis.com/sam...b2f2e689098d279695d3fc04cf2?environmentId=100
Contacted Hosts
41.72.154.148

admiralty .co.za: 41.72.154.148
___

Fake 'New Message' SPAM - attachment leads to Locky
- http://blog.dynamoo.com/2016/05/malware-spam-you-have-1-new-message.html
31 May 2016 - "This -fake- financial spam has a malicious attachment:
From: Lanna Weall
Date: 31 May 2016 at 12:18
Subject: New Message from your bank manager
You have 1 new message from bank manager. To read it, please open the attachment down below.


In the sample I saw there was an attachment see_it_77235678.zip containing a malicious script warning_letter_Bdrh5W.js (detection rate 4/57*) and the Malwr analysis** of that sample shows that it downloads a binary from:
pvprojekt .pl/oLlqvX
The dropped binary is Locky ransomware with a detection rate of 4/56***. All those reports plus these analyses [1] [2] [3] show network traffic to:
85.17.19.102 (Leaseweb, Netherlands)
195.154.69.90 (Iliad Entreprises, France)
93.170.123.60 (PE Gornostay Mikhailo Ivanovich / time-host.net, Ukraine)
A trusted source (thank you) indicated that there was an earlier Locky campaign today...
Recommended blocklist:
85.17.19.102
195.154.69.90
93.170.123.60
"
* https://virustotal.com/en/file/2bcb...9ba910e3f9ec4ed5c1b0f8d13cb2d47a77b/analysis/

** https://malwr.com/analysis/YTI4OTk3ZTlmMGNlNGEwYThjNjk3MmNjNmYwNDAxNTk/
Hosts
193.107.88.86
85.17.19.102


*** https://virustotal.com/en/file/03e3...400dc3baaa5e344ff1ec47ad/analysis/1464694646/
TCP connections
195.154.69.90

1] https://malwr.com/analysis/YmIyMzlmNjQ2MTkxNDllNThhZTNkMjU3YWU1NTNlNDk/
Hosts
195.154.69.90

2] https://www.hybrid-analysis.com/sam...651400dc3baaa5e344ff1ec47ad?environmentId=100

3] https://sandbox.deepviz.com/report/hash/6f8987e28fed878d08858a943e7c6e7c/

- https://myonlinesecurity.co.uk/new-message-from-your-bank-manager-malspam-delivers-locky/
31 May 2016
Screenshot: https://myonlinesecurity.co.uk/wp-c...w-Message-from-your-bank-manager-1024x386.png
"... This one delivers the -same- Locky payload from the -same- sites in today’s earlier malspam run[1]..."
1] https://myonlinesecurity.co.uk/fraudlent-behavior-account-suspended-malspam-delivers-locky/
___

Fake 'New Company Order' SPAM - leads to malware
- http://blog.dynamoo.com/2016/05/malware-spam-new-company-order-abc.html
31 May 2016 - "This -fake- financial spam leads to malware:
From: accounting@ abcimportexport .com
Reply-To: userworldz@ yahoo .com
To: Recipients [accounting@ abcimportexport .com]
Date: 31 May 2016 at 12:31
Subject: New Company Order
Good Day,
Find the attached specifications in the purchase order for our company mid year order & projects before sending your Proforma Invoice and do get back to me with your quotations asap.
An Official order placement will follow as soon as possible.
CLICK HERE TO DOWNLOAD & VIEW PURCHASE ORDER IF DOESNT WORK THEN CLICK
HERE TO DOWNLOAD SECURE PURCHASE ORDER ...
ABC Import & Export, LLC 2534 Royal Lane
Suite # 205
Dallas, Texas 75229
USA ...


The link in the email message goes to gallery.mailchimp .com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip . This contains a malicious executable scan purchase orders.exe which has a detection rate of 3/56*. That VirusTotal report and these other analyses [1] [2].. show network traffic to:
185.5.175.211 (Voxility SRL, Romania)
This executable drops another similar EXE [4] [5].. which phones home to the same IP. Between them, these reports indicate some sort of keylogger. There seems to be little of anything of value in this /24, so I would recommend blocking 185.5.175.0/24 "
* https://virustotal.com/en/file/0e79...ee6daf60eecbc11ab1a29219/analysis/1464698175/
TCP connections
185.5.175.211

1] https://malwr.com/analysis/NDcyYzBkNGJiNzk3NDA4MTg1MDJlYWY4MDc2ODMzOGE/
Hosts
185.5.175.211

2] https://www.hybrid-analysis.com/sam...688ee6daf60eecbc11ab1a29219?environmentId=100
Contacted Hosts
185.5.175.211

4] https://virustotal.com/en/file/0417...f6863cc828c81282710853f163c265fe1a6/analysis/
TCP connections
185.5.175.211

5] https://malwr.com/analysis/OGVkNjQwOGYyNTI2NDk0Y2JkNzkxMzJiNGE5OTUyZjE/
Hosts
185.5.175.211
___

Fake 'Lottery Ticket' SPAM - downloads Locky
- https://myonlinesecurity.co.uk/lottery-ticket-71088492-malspam-leads-to-locky/
31 May 2016 - "... email from the Locky gang with the subject of 'Lottery Ticket #71088492' [random numbered] pretending to come from random senders with a zip attachment which downloads Locky ransomware... One of the emails looks like:
From: Jesse Amis <AmisJesse74004@ sabanet .ir>
Date: Tue 31/05/2016 15:34
Subject: Lottery Ticket #71088492
Attachment: warning_71088492.zip
The e-version of your lottery ticket is enclosed to this e-mail.


31 May 2016: warning_71088492.zip: Extracts to: scanned_doc_Ay9bE.js - Current VirusTotal detections 8/57*
.. MALWR** shows a download of Locky from
http ://lizdion .net/9cRXIl (VirusTotal ***), which is the -same- Locky ransomware version that has been used all day... This is another one of the files that unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...18395aa088eefa601a9f7881/analysis/1464705905/

** https://malwr.com/analysis/ODQxNWUwY2ZjZTI2NDM3Y2JlMzkxYWJmMzU3NjU3ZjM/
Hosts
97.74.158.1
93.170.123.60


*** https://www.virustotal.com/en/file/...400dc3baaa5e344ff1ec47ad/analysis/1464706206/
TCP connections
195.154.69.90

lizdion .net: 97.74.158.1: https://www.virustotal.com/en/ip-address/97.74.158.1/information/
>> https://www.virustotal.com/en/url/b...c657c93c1c5f00f6e9db315d67bdff658c2/analysis/
___

Crypto-ransomware attacks Win7 and later ...
- http://blog.trendmicro.com/trendlab...indows-7-later-scraps-backward-compatibility/
May 31, 2016 - "... new ZCRYPT ransomware family*... family only targets systems with newer versions of Windows, specifically Windows 7 and later:
* https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_zcrypt.a
... It makes the usual threats of deleting the files if the victim doesn’t pay up within a week. Ransom is set at 1.2 BTC (approximately 500 US dollars), with the ransom going up to 5 BTC (approximately 2,200 US dollars) after four days. The ransom note looks like this:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/05/zcrypt.png
... According to our analysis, it fails to either encrypt the files properly or display the ransom note when launched in an older version of Windows, such as Windows XP. The malware calls a function which does not exist in earlier versions of Windows; this breaks-it for the older operating systems... this particular family also tried to spread via USB flash disks: it plants a copy of itself onto removable drives.
This is relatively unusual in crypto-ransomware... The threat actor also enjoyed free anonymity because the domain registration masked the actual identity of the registrant. The C&C domain is already tagged “canceled, suspended, refused, or reserved”.
Industry Practices: Backing up is still the best defense against crypto-ransomware; the 3-2-1 rule ensures that users still have a copy of their data even if they are affected by similar threats. We strongly advise against paying the ransom; this only ensures that the threat will continue to become bigger..."
>> https://www.trendmicro.com/us/security-intelligence/enterprise-ransomware/index.html

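The "Recommended blocklist" entries quoted from Dynamoo in this post and the previous one, plus the 185.5.175.0/24 range suggested for the 'New Company Order' keylogger, are only useful if something actually checks traffic against them. The following is an added example of mine, not code from the quoted blogs or this thread: it loads those addresses, scans constructed connection-log lines for matches, and also flags a source that fans out to a large number of distinct destinations, which is the Cerber traffic pattern the myonlinesecurity posts point to (the 16385/16386 contacted hosts). The log line format, the fan-out threshold of 50 and the iptables rendering are assumptions for the demonstration, not anything the posts specify.

```python
"""Check connection logs against the blocklists quoted in the posts above.

Added example, not code from the quoted blogs. The log lines are constructed
for illustration; the addresses in BLOCKLIST are the Dynamoo "Recommended
blocklist" entries quoted in the thread plus the /24 from the 'New Company
Order' post. The fan-out heuristic is an addition based on the Cerber
behaviour described (one host contacting thousands of addresses).
"""
import ipaddress
from collections import defaultdict

BLOCKLIST = [
    "193.9.28.13", "5.152.199.70", "212.109.219.31", "107.181.187.12",  # Locky, 27 May
    "85.17.19.102", "195.154.69.90", "93.170.123.60",                     # Locky, 31 May
    "185.5.175.0/24",                                                     # keylogger C2 range
]
FANOUT_THRESHOLD = 50  # distinct destinations per source; assumed value for the demo

# Constructed log lines in the form "<time> <src> <dst> <proto>" (not a real log).
# The last source sprays 60 distinct addresses, mimicking Cerber's host fan-out.
SAMPLE_LOG = """\
2016-05-31T12:40:01 10.0.0.15 195.154.69.90 tcp
2016-05-31T12:40:02 10.0.0.15 93.170.123.60 tcp
2016-05-31T12:40:05 10.0.0.22 185.5.175.211 tcp
2016-05-31T12:41:00 10.0.0.30 8.8.8.8 udp
""" + "".join(
    f"2016-05-31T12:42:{i % 60:02d} 10.0.0.40 198.51.100.{i} udp\n" for i in range(60)
)


def build_networks(entries):
    """Turn plain IPs and CIDRs into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def blocked_by(dst, networks):
    """Return the blocklist entry (as a network string) that covers dst, or None."""
    addr = ipaddress.ip_address(dst)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def scan_log(text, networks, fanout_threshold=FANOUT_THRESHOLD):
    """Return (hits, fanout): blocklist matches and sources with suspicious fan-out."""
    hits = []
    dests = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, src, dst, proto = parts
        dests[src].add(dst)
        entry = blocked_by(dst, networks)
        if entry:
            hits.append((ts, src, dst, entry))
    fanout = {src: len(d) for src, d in dests.items() if len(d) >= fanout_threshold}
    return hits, fanout


def iptables_rules(entries):
    """Render the blocklist as outbound DROP rules (one way to act on it)."""
    return [f"iptables -A OUTPUT -d {net} -j DROP" for net in build_networks(entries)]


if __name__ == "__main__":
    nets = build_networks(BLOCKLIST)
    hits, fanout = scan_log(SAMPLE_LOG, nets)
    for ts, src, dst, entry in hits:
        print(f"{ts} {src} -> {dst} matches blocklist entry {entry}")
    for src, n in fanout.items():
        print(f"{src} contacted {n} distinct hosts (Cerber-style fan-out?)")
    print("\n".join(iptables_rules(BLOCKLIST)))
```

The fan-out check deliberately counts distinct destinations per source rather than raw connection count, so a busy but normal host talking to a handful of servers does not trip it; the threshold should be tuned to the local network before the rule is used for alerting.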
Fake 'ACH Bank account' SPAM, Phishing - Q1 2016

FYI...

Fake 'ACH Bank account' SPAM - delivers Cerber ransomware
- https://myonlinesecurity.co.uk/ach-bank-account-information-form-malspam-delivers-cerber-ransomware/
31 May 2016 - "An email with the subject of 'ACH – Bank account information form' pretending to come from Ali Bolton <Ali.Bolton@ jpmchase .com> with a zip attachment which downloads Cerber ransomware... One of the emails looks like:
From: Ali Bolton <Ali.Bolton@ jpmchase .com>
Date: Tue 31/05/2016 21:29
Subject: ACH – Bank account information form
Attachment: Check_Copy_Void.zip
Please fill out and return the attached ACH form along with a copy of a voided check.
Ali Bolton,
JPMorgan Chase
GRE Project Accounting
Vendor Management & Bid/Supervisor ...


31 May 2016: Check_Copy_Void.zip: Extracts to: Check_Copy_Void.scr - Current VirusTotal detections 5/57*
.. Payload Security** doesn’t show any download location of any further malware but the network section shows a connection to ipinfo .io and -16386- hosts which is a definite indication of Cerber ransomware.
MALWR*** doesn’t show anything interesting and is only mentioned for other researchers to download the sample. Whoever uploaded at Payload Security declined to share the sample... This is another one of the files that unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...9d510708d14ac17d62ab8240/analysis/1464726882/

** https://www.hybrid-analysis.com/sam...88b9d510708d14ac17d62ab8240?environmentId=100

*** https://malwr.com/analysis/OGQ4ODRkMGU2ODU4NDg2YThhMTRhOWUwNTg0OTU3ZWU/

ipinfo .io: 52.3.78.30: https://www.virustotal.com/en/ip-address/52.3.78.30/information/
>> https://www.virustotal.com/en/url/a...856a23bf16d8203d6a07ad03e2a18980842/analysis/
54.84.252.139: https://www.virustotal.com/en/ip-address/54.84.252.139/information/
>> https://www.virustotal.com/en/url/d...a48f8ed32ac3507816dbf9d7aab64b6e375/analysis/
54.88.175.149: https://www.virustotal.com/en/ip-address/54.88.175.149/information/
>> https://www.virustotal.com/en/url/a...856a23bf16d8203d6a07ad03e2a18980842/analysis/
___

DRIDEX Poses as Fake Certificate in Latest Spam Run
- http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-poses-as-fake-certificate/
Jun 1, 2016 - "... we observed a sudden spike in DRIDEX–related spam emails after its seeming ‘hiatus.’ This spam campaign mostly affected users in the United States, Brazil, China, Germany, and Japan:
> https://blog.trendmicro.com/trendla...s/2016/05/dridex_spam_affectedcountries-2.jpg
... Instead of the usual -fake- invoice or notification baits, DRIDEX plays on people’s fears of having their accounts compromised. Besides the change in email subjects, DRIDEX also has new tricks... On top of its macro usage, it also leverages Certutil*, a type of command-line program in relation to certificate services to pass it off as a legitimate certificate. These two elements (use of macros and Certutil) combined together can add to DRIDEX’s prevalence and pose challenges to detection...
* https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx
... Despite DRIDEX’s prevalence, users and organizations can do simple preventive measures such as not opening attachments and enabling macros when you receive emails from unknown sources. When you get emails about compromised accounts, check and verify first the source... enterprises can create policies that will block off email messages with attachments from unknown sources..."
(More detail at the trendmicro URL above.)
___

Windows 0-day vuln for sale ...
- https://www.trustwave.com/Resources/SpiderLabs-Blog/Zero-Day-Auction-for-the-Masses/
May 31, 2016 - "... a zero day being offered-for-sale stood out among the other offerings in an underground market for Russian-speaking cyber criminals. This specific forum serves as a collaboration platform where one can hire malware coders, lease an exploit kit, buy web shells for compromised websites, or even rent a whole botnet for any purpose... The zero day in question claims to be a Local Privilege Escalation (LPE) vulnerability in Windows... We have notified Microsoft of the zero day offering and we continue to monitor the situation. We plan to update this blog post should we come across any new information."
> https://www.helpnetsecurity.com/2016/06/01/windows-zero-day-exploit/
___

APWG - Phishing Trends Report - Q1 2016
> https://apwg.org/apwg-news-center/APWG-News/
May 23 2016: "APWG releases its Phishing Trends Report for Q1 2016:
Some Key Findings in this report:
• The Retail/Service sector remained the most-targeted industry sector during the first quarter of 2016, with 42.71% of attacks.
• The number of brands targeted by phishers in the first quarter remained constant – ranging from 406 to 431 brands each month.
• The United States continued its position at top on the list of nations hosting phishing websites.
• In Q1 2016, 20 million -new- malware samples were captured.*
• The world's most-infected countries are led by China, where 57.24% of computers are infected, followed by Taiwan (49.15%) and Turkey at 42.52%."
> PDF/Full report: https://docs.apwg.org/reports/apwg_trends_report_q1_2016.pdf

* https://www.av-test.org/en/statistics/malware/
See "Total Malware" - charted

Extortion Email Schemes

FYI...

IC3 Warns of Extortion Email Schemes
- https://www.us-cert.gov/ncas/current-activity/2016/06/01/IC3-Warns-Extortion-Email-Schemes
June 01, 2016 - "The Internet Crime Complaint Center (IC3) has issued an alert on extortion schemes that relate to recent high-profile data thefts. Fraudsters often use the news release of high-profile data breaches to scare victims into clicking-on-a-link or paying a ransom.
US-CERT encourages users and administrators to review the IC3 Alert* for details and refer to US-CERT Tip ST04-014** for information on social engineering and phishing attacks."
* https://www.ic3.gov/media/2016/160601.aspx
June 01, 2016 - "The Internet Crime Complaint Center (IC3) continues to receive reports from individuals who have received extortion attempts via e-mail related to recent high-profile data thefts. The recipients are told that personal information, such as their name, phone number, address, credit card information, and other personal details, will be released to the recipient's social media contacts, family, and friends if a ransom is not paid. The recipient is instructed to pay in Bitcoin, a virtual currency that provides a high degree of anonymity to the transactions. The recipients are typically given a short deadline. The ransom amount ranges from 2 to 5 bitcoins or approximately $250 to $1,200..."

** https://www.us-cert.gov/ncas/tips/ST04-014

Fake 'PayPal' SPAM, More Tech Support Scams

FYI...

Fake 'PayPal' SPAM - malware delivery
- https://myonlinesecurity.co.uk/spam2ls-suspicious-activity-on-your-paypal-account-delivers-malware/
3 June 2016 - "An email with the subject of 'Spam2Ls Suspicious activity on your PayPal Account' pretending to come from PayPal <service@ intl.paypal .com> with a -link- in the email that when -clicked- downloads password-stealing malware. At first, I thought this was a typical badly done phishing attempt, but no! This is a genuine malware delivery attempt... the link in the email http ://188.120.230.100 /paypal/report.pdf- and note the – after the pdf... Of course it is -not- a PDF but delivers report.exe. I am being told that this is a version of LATENT BOT:
- https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html

188.120.230.100: https://www.virustotal.com/en/ip-address/188.120.230.100/information/
>> https://www.virustotal.com/en/url/c...49de52944ba797f580af38f2d2e7336110b/analysis/

Update: a -second- run of this email with the subject just saying: 'Suspicious activity on your PayPal Account' and contains a link to http ://188.120.225.210 /paypal/report.pdf-

188.120.225.210: https://www.virustotal.com/en/ip-address/188.120.225.210/information/
>> https://www.virustotal.com/en/url/f...03655dedb17ce8060a0ca6d656efd531348/analysis/

Screenshot: https://myonlinesecurity.co.uk/wp-c...-activity-on-your-PayPal-Account-1024x399.png

3 June 2016: report.exe - Current VirusTotal detections 9/56*
.. MALWR** ... Payload Security*** ... shows interesting connections where this malware posts files to a webserver and downloads various data and zip files. All the zip files I tried were not actually zip files but encrypted data... This is another one of the files that unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...340540bcbb3132f6f84ec7e4/analysis/1464928075/

** https://malwr.com/analysis/MTI5OGZjMDg3YzhkNGNlOGJmYWFkZGY1NzJhYjAyZDE/
Hosts
107.161.145.159

*** https://www.reverse.it/sample/03a47...bd6340540bcbb3132f6f84ec7e4?environmentId=100
Contacted Hosts
107.161.145.159: https://www.virustotal.com/en/ip-address/107.161.145.159/information/
>> https://www.virustotal.com/en/url/8...4aa5ec419fe46e6d8ef937d7ea7f8c24d15/analysis/
___

More Tech Support Scams
- https://www.ic3.gov/media/2016/160602.aspx
June 2, 2016 - "The Internet Crime Complaint Center (IC3) is receiving an increase in complaints related to technical support scams, where the subject claims to be an employee (or an affiliate) of a major computer software or security company offering technical support to the victim. Recent complaints indicate some subjects are claiming to be support for cable and Internet companies to offer assistance with digital cable boxes and connections, modems, and routers. The subject claims the company has received notifications of errors, viruses, or security issues from the victim's internet connection. Subjects are also claiming to work on behalf of government agencies to resolve computer viruses and threats from possible foreign countries or terrorist organizations. From January 1, 2016, through April 30, 2016, the IC3 received 3,668 complaints with adjusted losses of $2,268,982...
Technical Details ...
Variations and Trends ...
Additional Threats ...
Defense and Mitigation ..."
(More detail at the ic3 URL above.)
___

Apple - all services resume after outage
- http://www.reuters.com/article/us-apple-disruption-idUSKCN0YO2R3
Jun 3, 2016 - "Apple Inc said all its services, including the popular App Store, have resumed following an outage that started late afternoon on Thursday. Apple's U.S. web page showed* all applications had resumed as of 11:55 p.m. Eastern Daylight Time (0355 GMT)... services related to iCloud and the Photos application have also resumed..."
* https://www.apple.com/in/support/systemstatus/

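The "show known file extensions" note repeated in the posts above (the .scr "fax", the .js "scan", the report.pdf- link that delivers report.exe) comes down to one check a mail gateway or a cautious user can automate: look at what is actually inside the attachment rather than what its name suggests. The following is an added example of mine, not code from the quoted blogs or this thread. It opens a ZIP attachment, flags members with executable or script extensions, catches the "document.pdf.exe" double-extension trick, and compares the claimed extension with the file's leading bytes. The sample archive, its member names and its contents are constructed to mimic the attachments described, with dummy bytes in place of any real sample.

```python
"""Inspect an e-mail ZIP attachment for disguised executables and scripts.

Added example (not code from the quoted blogs or this thread). The sample
archive is constructed in memory so the check runs offline; the member names
mimic the naming style quoted in the posts (a .scr "fax", a .js "scan").
"""
import io
import os
import zipfile

# Extensions Windows runs directly or hands to a script host; an attachment
# arriving in a mailbox with one of these is almost never legitimate.
DANGEROUS_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
}
# Extensions a user expects to be harmless documents or images.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".jpg", ".jpeg", ".png", ".txt"}

# File signatures ("magic bytes") used to sanity-check the claimed type.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"


def classify_member(name: str, head: bytes) -> list:
    """Return a list of findings for one archive member (empty list = nothing odd)."""
    findings = []
    base = os.path.basename(name)
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    inner_ext = os.path.splitext(root)[1].lower()

    if ext in DANGEROUS_EXTENSIONS:
        findings.append(f"executable/script extension {ext}")
    # "report.pdf.exe" style: a document extension placed in front of the real one.
    if ext in DANGEROUS_EXTENSIONS and inner_ext in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension {inner_ext}{ext}")
    # A file calling itself a document but starting with a PE header.
    if ext in DOCUMENT_EXTENSIONS and head.startswith(PE_MAGIC):
        findings.append("claims to be a document but has a PE (MZ) header")
    if ext == ".pdf" and not head.startswith(PDF_MAGIC):
        findings.append("claims to be PDF but lacks %PDF signature")
    return findings


def inspect_zip(data: bytes) -> dict:
    """Map each member name in the ZIP to its list of findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the signature is needed, not the whole file
            report[info.filename] = classify_member(info.filename, head)
    return report


def is_suspicious(report: dict) -> bool:
    """True if any member produced at least one finding."""
    return any(report.values())


def build_sample_zip() -> bytes:
    """Constructed sample: members shaped like IncomeMessage.zip and
    changes_scan.910.zip from the posts, plus one benign PDF for contrast.
    Contents are dummy bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IncomeMessage127286.scr", b"MZ" + b"\x00" * 62)  # PE-style header
        zf.writestr("changes-4354-.js", b"var a = 'obfuscated';")
        zf.writestr("report.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%dummy")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in inspect_zip(build_sample_zip()).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{member}: {status}")
```

Reading only the first eight bytes of each member keeps the check cheap enough to run on every inbound attachment; the point is that the decision is made on the member's real extension and signature, which is exactly what the Explorer "hide known extensions" default hides from the person who eventually double-clicks it.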