Fake 'Transaction declined', 'New Fax', 'Your Invoice' SPAM, Win 0-day, Malvertising
FYI...
Fake 'Transaction declined' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/malspam-email-transaction-declined-delivers-locky/
1 Nov 2016 - "... Locky downloader... an email with the subject of 'Transaction declined' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with transaction-details_ containing a VBS file that pretends to be a PDF... One of the emails looks like:
From: Elena Cooper <Cooper52780@ centraldetraducao .com>
Date: Thu 01/09/2016 19:22
Subject: Transaction declined
Attachment: transaction-details_e78be58f7.zip
Dear [redacted],
This is to inform that the transaction you made yesterday is declined.
Please look through the attachment for the verification of the card details.
Best Regards,
Elena Cooper
Manual decoding of this slightly obfuscated vbs script shows Download locations are:
http ://17173wang .com/f6w0p
http ://cdxybg .com/iribzm
http ://51qudu .com/mqy2pj4
http ://sonsytaint .com/4mgxlrf
http ://koranjebus .net/4rwg5
1 November 2016: paytransaction-details_e78be58f7.zip: Extracts to: transaction_details_39B163E4_PDF.vbs
delivers [VirusTotal 8/55*].. f6w0p [VirusTotal 7/55**]. Neither MALWR nor Payload Security[3] seem able to actually get the download locations or any payload in these VBS files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...c99b1da567baaa3d6db6bbe1/analysis/1477997125/
** https://www.virustotal.com/en/file/...03d4fb59419ec9973ee12a66/analysis/1477997325/
3] https://www.hybrid-analysis.com/sam...93dc99b1da567baaa3d6db6bbe1?environmentId=100
17173wang .com: 120.27.107.115: https://www.virustotal.com/en/ip-address/120.27.107.115/information/
cdxybg .com: 125.88.190.31: https://www.virustotal.com/en/ip-address/125.88.190.31/information/
51qudu .com: 118.123.18.92: https://www.virustotal.com/en/ip-address/118.123.18.92/information/
sonsytaint .com: 67.171.65.64: https://www.virustotal.com/en/ip-address/67.171.65.64/information/
138.201.244.4: https://www.virustotal.com/en/ip-address/138.201.244.4/information/
koranjebus .net: 67.171.65.64: https://www.virustotal.com/en/ip-address/67.171.65.64/information/
138.201.244.4: https://www.virustotal.com/en/ip-address/138.201.244.4/information/
- http://blog.dynamoo.com/2016/11/malware-spam-this-is-to-inform-that.html
1 Nov 2016 - "This -fake- financial spam leads to Locky ransomware:
Subject: Transaction declined
From: Chandra Frye
Date: Tuesday, 1 November 2016, 10:48
Dear [redacted],
This is to inform that the transaction you made yesterday is declined.
Please look through the attachment for the verification of the card details.
Best Regards,
Chandra Frye
The name of the sender will vary. Attached is a ZIP file (e.g. transaction-details_4688d047f.zip) containing a malicious VBS script (e.g. transaction_details_63EC6F26_PDF.vbs)... communicates with the URLs below, but you can be sure that there are many more examples:
51qudu .com/mqy2pj4
bjzst .cn/qgq4dx
danapardaz .net/zrr8rtz
litchloper .com/66qpos7m
creaciones-alraune .es/dx8a5
adasia .my/f5qyi10
alecrim50 .pt/g28w495t
zizzhaida .com/a0s9b
silscrub .net/07ifycb
Hybrid Analysis is inconclusive*.
If I get hold of the C2s or other download locations then I will post them here."
* https://www.hybrid-analysis.com/sam...ba02a4233ccae7a0b4ac05b0b8e?environmentId=100
UPDATE: My usual reliable source tells me that these are all the download locations...
(Long list of domain-names at the dynamoo URL above.)
... These are the C2s:
91.234.32.202/linuxsucks .php (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
81.177.22.164/linuxsucks .php (NETPLACE, Russia)
Recommended blocklist:
91.234.32.202
81.177.22.164"
___
Fake 'New Fax' SPAM - leads to TrickBot
- http://blog.dynamoo.com/2016/11/malware-spam-new-fax-message.html
1 Nov 2016 - "This -fake- fax leads to TrickBot which appears to be similar to the Dyre banking trojan that we saw a lot of last year..
Screenshot: https://3.bp.blogspot.com/-DtzfLWMD...GQlp8rT8kGq23QCLcB/s1600/confidential-fax.png
Attached is a Word document (in this case Internal_Fax.doc) which has a pretty low detection rate at VirusTotal of 5/54*. Both the Malwr report** and Hybrid Analysis*** give some clues as to what is going on, but in fact the Malwr report comes out with a binary download location of:
www .tessaban .com/img/safafaasfasdddd.exe
This is a -hacked- legitimate website. Downloading that file manually and resubmitting it gives two rather more interesting reports; the Malwr[4] and Hybrid Analysis[5] reports give the following suspect traffic:
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen .com, Ukraine)
37.1.209.51 (3NT Solutions LLP, UK)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
23.23.107.79 (Amazon EC2, US)
... 3NT Solutions (aka Inferno Solutions/inferno .name) are very, very bad news and I would recommend blocking any IPs you can find for this outfit... If we excise the domestic IPs and blackhole the 3NT/Inferno/uadomen .com ranges we get a recommended blocklist of:
37.1.208.0/21
46.22.211.0/24
91.219.28.0/22
104.250.138.192/27
138.201.44.28
188.116.23.98
188.138.1.53
193.9.28.0/24
However, there's more to this... The original email message is actually signed by local-fax .com and it turns out that this domain was created just -today- with anonymous registration details. The sending IP was 104.130.246.8 (Rackspace, US) and it also turns out that this is widely blacklisted and is probably worth blocking. All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and all the recipients I have seen begin with the letter "a" curiously..."
* https://virustotal.com/en/file/8e36...92944fd0898eb3924df07c8b8aad4c38347/analysis/
** https://malwr.com/analysis/NjliZDdmZmZiNzc5NGNjM2IyMDBjNTdlMjk1NGEzZjQ/
*** https://www.hybrid-analysis.com/sam...898eb3924df07c8b8aad4c38347?environmentId=100
4] https://malwr.com/analysis/MWQxYWFiMjg1NzhkNGIxYjhmMWUwYTRjODQ1YjRjMzU/
5] https://www.hybrid-analysis.com/sam...8b67a98bf82548a951f468f629b?environmentId=100
Contacted Hosts
91.219.28.77
193.9.28.24
37.1.209.51
138.201.44.28
- https://myonlinesecurity.co.uk/malspam-email-gds-new-fax-message-delivers-malware/
1 Nov 2016 - "An email with the subject of 'GDS – New Fax Message' pretending to come from GDS Fax <service@ gov-fax. co .uk> with a malicious word doc containing macros which downloads what looks like Trickbot banking Trojan...
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/11/gds-new-fax-message-1024x555.png
1 November 2016: gvt_uk_01112016.doc - Current Virus total detections 3/54*
MALWR** shows a download from http ://www .tessaban .com/img/safafaasfasdddd.exe (VirusTotal 10/56***)
Payload Security [1] [2]. Dynamoo's blog[3] gives details of a slightly different email delivering the same word docs & malware payload... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustotal.com/en/file/...5848dec65a46ca53a2b04ba3/analysis/1477997908/
** https://malwr.com/analysis/ZTI2ZjM1OWM1NjA3NDExZDk0ZTBjOTg4YWQxYzM2Mzc/
*** https://www.virustotal.com/en/file/...7a98bf82548a951f468f629b/analysis/1478011826/
1] https://www.hybrid-analysis.com/sam...0485848dec65a46ca53a2b04ba3?environmentId=100
2] https://www.hybrid-analysis.com/sam...8b67a98bf82548a951f468f629b?environmentId=100
Contacted Hosts
91.219.28.77
193.9.28.24
37.1.209.51
138.201.44.28
3] http://blog.dynamoo.com/2016/11/malware-spam-new-fax-message.html
___
Fake 'Your Invoice' SPAM - delivers yet more Locky
- https://myonlinesecurity.co.uk/mals...639-delivers-yet-more-locky-ransomware-today/
1 Nov 2016 - "... Locky downloader... an email with the subject of 'Your Invoice: SIPUS16-953639' (random numbers) coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with SIPUS16 containing a wsf file... One of the emails looks like:
From: invoicing@ costruzionieimpianti .com
Date: Tue 01/11/2016 15:47
Subject: Your Invoice: SIPUS16-953639
Attachment: SIPUS16-953639.zip
Dear Sirs,
Please find your invoice enclosed. We kindly ask you to respect our payment terms.
For questions please contact our sales office.
Kind regards,
Dorema UK Ltd.
1 November 2016: SIPUS16-953639.zip: Extracts to: INV_NO_79980148.wsf - Current Virus total detections 11/55*
.. MALWR** shows a download of an encrypted file from
http ://bappeda .palangkaraya .go.id/87yfhc?xFqceIrSlI=MNKhDTrM
which is transformed by the script to GdxPTYAwwe1.dll (VirusTotal 12/56***). Same malware and delivery method as this earlier malspam run[4] using fake invoices... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...88c4189f25fedf6c2244e16a/analysis/1478009132/
** https://malwr.com/analysis/YzFkZTIzNTdmZDhhNGZhZDllMDZkMzJkNTE5YjEzNWU/
Hosts
180.250.3.118
185.82.217.88
51.255.107.20
*** https://www.virustotal.com/en/file/...2696ac259c0e72874aa2fed9/analysis/1477647176/
4] https://myonlinesecurity.co.uk/mals...come-from-infoyour-own-domain-delivers-locky/
___
Windows 0-day vuln - CVE-2016-7855
- https://www.helpnetsecurity.com/2016/11/01/google-warns-actively-exploited-windows-zero-day/
Nov 1, 2016 - "Google has disclosed to the public the existence of a Windows zero-day vulnerability (CVE-2016-7855*) that is being actively exploited in the wild... The same vulnerability has been shared with both Microsoft and Adobe on October 21st, as it also affected Flash Player. But while Adobe has already pushed out an update with the patch[1], Microsoft has not been so quick.
1] https://helpx.adobe.com/security/products/flash-player/apsb16-36.html
... They have advised users to update Flash and implement the Microsoft patch as soon as it is made available..."
>> https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7855
11/01/2016 - "... as exploited in the wild in October 2016..."
___
HookAds malvertising ...
- https://blog.malwarebytes.com/cybercrime/exploits/2016/11/the-hookads-malvertising-campaign/
Nov 1, 2016 - "... we wrote about a new piece of malware called 'Trick Bot' which we caught in a malvertising attack via a high trafficked adult website. In the meantime, we uncovered -another- malvertising campaign that started at least in mid August, and which leverages decoy adult portals to spread malware. Internally, we call it the 'HookAds campaign' based on a string found within the delivery URL... upstream traffic to those adult sites also shows a pattern of malvertising via the usual suspects... much of the traffic sent to HookAds comes from malvertising on top adult sites that generate millions of visits a month... We estimate that at least one million visitors to adult websites were exposed to this particular campaign. Adult traffic is funneled to one of several decoy adult websites where an -iframe- to adult banner is injected dynamically. The ad is served from a third-party server which performs -cloaking- in order to detect whether this is legitimate new traffic or not...
The fake ad server infrastructure grew during the past few months and our honeypots caught 3 sequential IP addresses that host over a hundred rogue ad domains. All of these domains have been registered with the intention of looking like advertising platforms. While some domains were used for long periods of time, most switched every day or so to let a new one in:
> https://blog.malwarebytes.com/wp-content/uploads/2016/10/206.png
185.51.244.206 / 185.51.244.207 / 185.51.244.208
... The Flash exploit RIG-v uses is protected by SWFLOCK, an online obfuscator/cryptor for Flash files (other EKs like Magnitude use DoSWF)...
Conclusion: The HookAds malvertising campaign is -still- running at the time of writing this post, with new rogue ad domains getting registered each day. We are blocking the malicious IP range to protect our customers and Malwarebytes Anti-Exploit users are also shielded against the RIG exploit kit..."
IOCs
IPs:
185.51.244.206
185.51.244.207
185.51.244.208 ..."
(More detail at the malwarebytes URL above.)
:fear::fear:
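Two defender-side checks drawn from the post above, added here as an example and not taken from any of the quoted blogs: an in-memory triage of a zip attachment that flags the script-inside-a-"PDF" naming seen in the Locky runs (transaction_details_..._PDF.vbs, INV_NO_....wsf), and a check of which sandbox-reported hosts from the TrickBot write-up fall inside dynamoo's recommended CIDR blocklist. The extension policy sets, the function names and the sample zip are constructed for this example; the IPs and CIDRs in the usage come from the post.

```python
import io
import ipaddress
import zipfile
from typing import Dict, List, Tuple

# Hypothetical gateway policy: extensions that Windows Script Host or the
# shell will execute on double-click. .vbs and .wsf are the ones the runs
# above used; the rest are common siblings.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".wsf", ".js", ".jse", ".hta",
                     ".ps1", ".cmd", ".bat", ".exe", ".scr"}
# Document-type tokens the lure names borrow to look harmless.
DECOY_TOKENS = {"pdf", "doc", "docx", "xls", "xlsx", "invoice", "jpg"}


def classify_member(name: str) -> List[str]:
    """Return why a zip member name looks like a malspam lure (empty if clean)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script-capable extension {ext}")
    # transaction_details_39B163E4_PDF.vbs: decoy token glued on with '_'
    stem = ".".join(parts[:-1]) if len(parts) > 1 else base
    last_token = stem.replace("-", "_").rsplit("_", 1)[-1]
    if last_token in DECOY_TOKENS and ext in SCRIPT_EXTENSIONS:
        reasons.append(f"decoy type token '{last_token}' before {ext}")
    # classic double extension such as invoice.pdf.js
    if len(parts) > 2 and parts[-2] in DECOY_TOKENS and ext in SCRIPT_EXTENSIONS:
        reasons.append(f"double extension .{parts[-2]}{ext}")
    return reasons


def triage_zip_attachment(data: bytes) -> Dict[str, List[str]]:
    """Inspect a zip attachment in memory; map each flagged member to its reasons."""
    flagged: Dict[str, List[str]] = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reasons = classify_member(info.filename)
                if reasons:
                    flagged[info.filename] = reasons
    except zipfile.BadZipFile:
        # A mangled archive is itself worth quarantining rather than passing.
        flagged["<archive>"] = ["not a valid zip file"]
    return flagged


def blocklist_coverage(hosts: List[str], blocklist: List[str]) -> Tuple[List[str], List[str]]:
    """Split observed hosts into those inside the CIDR blocklist and those outside it."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in blocklist]
    covered, uncovered = [], []
    for host in hosts:
        ip = ipaddress.ip_address(host)
        (covered if any(ip in net for net in nets) else uncovered).append(host)
    return covered, uncovered


def build_sample_zip() -> bytes:
    """Constructed sample zip named like the Locky lure; body is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("transaction_details_39B163E4_PDF.vbs", "' placeholder only\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip_attachment(build_sample_zip()))
    # Suspect traffic from the TrickBot sandbox runs vs dynamoo's blocklist:
    # the Amazon EC2 host is the one the blocklist deliberately leaves out.
    print(blocklist_coverage(
        ["91.219.28.77", "193.9.28.24", "37.1.209.51", "138.201.44.28", "23.23.107.79"],
        ["37.1.208.0/21", "46.22.211.0/24", "91.219.28.0/22", "104.250.138.192/27",
         "138.201.44.28", "188.116.23.98", "188.138.1.53", "193.9.28.0/24"]))
```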