SPAM frauds, fakes, and other MALWARE deliveries...

Fake 'Invoice', 'Receipt' SPAM

FYI...

Fake 'Invoice' SPAM - leads to malware/Trojan
- https://myonlinesecurity.co.uk/emot...sing-updated-word-docs-with-encoded-sections/
31 July 2017 - "Following on from THIS* -fake- invoice email is a -newer- version with a different word doc at the end of the link-in-the-email. Today’s email with the subject of 're: Invoice 622806' pretending to come from senders with a known connection to the recipient. The link-in-the-email leads to a malicious word doc that eventually delivers Emotet/Geodo banking Trojan...
* https://myonlinesecurity.co.uk/invoice-notification-with-id-number-40533-delivers-malware/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/invoice-622806.png

ZDFRRI208.doc - Current Virus total detections 1/58[1]. Payload Security[2] doesn’t show any download... Twitter contacts Malwarehunterteam[3] and Antelox[4] have found some of the associated download urls and payload...
Theses word docs are using various tricks that make it difficult for the online sandboxes to decode/analyse, find the download sites and download the eventual payload. The url so far found is
http ://macsys.ca/ZQRZCy/ but... there are others.
1] https://www.virustotal.com/en/file/...6e9e88bbc444e56c4f74dfc5/analysis/1501480309/
BNCKKK930.doc

2] https://www.hybrid-analysis.com/sam...00e6e9e88bbc444e56c4f74dfc5?environmentId=100

3] https://twitter.com/malwrhunterteam/status/891913205047590913

4] https://twitter.com/Antelox/status/891914028246638592

Update: another contact[5] has found the complete list[5a] (pastebin[6])
http ://macsys .ca/ZQRZCy/ > 216.177.130.19
http ://paulplusa .com/jUiYKJFIuj/ > 216.97.239.25
http ://josephconst .com/cByNSVwsK/ > 67.228.48.40
http ://cs-skiluj.sanfre .eu/PSArDr/ > 185.5.98.24
http ://itdoctor .ca/jgaeQ/ > 67.205.112.177

5] https://twitter.com/phage_nz/status/891922001647894528

5a] https://twitter.com/phage_nz/status/891918128627597315

6] https://pastebin.com/Cdvat2Bp

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
> https://www.hybrid-analysis.com/sam...891b8946fa7bb17c848a1e4c203?environmentId=100
Contacted Hosts
207.210.245.164
___

Fake 'Receipt' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/more...ment-receipt-emails-deliver-globe-ransomware/
31 July 2017 - "... malware downloaders pretending to be a 'payment receipt' -or- a 'receipt' is an email with the subject of 'Receipt 21426' coming or pretending to come from donotreply@ random email addresses with a zip attachment containing a .vbs file that delivers globe ransomware. The zip name corresponds with the subject line. There are a mass of subject lines today. Some of the patterns include:
Receipt#83396
Receipt 21426
Payment-421
Payment Receipt 222
Payment Receipt#97481
Payment Receipt_8812
Receipt-351
Payment Receipt_03950 ...
One of the emails looks like:
From: donotreply@ blueprintrecruitment .co.uk
Date: Mon 31/07/2017 11:15
Subject: Receipt 21426
Attachment: P21426.zip
[Body content:]
Attached is the copy of your payment receipt.

P21426.zip: Extracts to: 20172.2017-07-31_75.20.68.vbs - Current Virus total detections 7/58*. Payload Security** shows a download of a txt file from
http ://koewege .de/98wugf56? > 81.169.145.77
which is simply renamed by the script to a random named .exe file (VirusTotal 14/64[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...fff59b77d266b55dbcd711d6/analysis/1501499651/
20172.2017-07-31_75.20.68.vbs

** https://www.hybrid-analysis.com/sam...ad7fff59b77d266b55dbcd711d6?environmentId=100
Contacted Hosts
81.169.145.77

3] https://www.virustotal.com/en/file/...d3d0720851230ec93a81fa27/analysis/1501501469/

4] https://www.hybrid-analysis.com/sam...bcad3d0720851230ec93a81fa27?environmentId=100
Associated URLs: http ://okdomvrn .ru/98wugf56?
okdomvrn .ru: 92.53.96.9: https://www.virustotal.com/en/ip-address/92.53.96.9/information/
> https://www.virustotal.com/en/url/7...b9e526a104c503b9772e197cf40fcf380ed/analysis/

:fear::fear: :mad:
 
Last edited:
Fake 'secure message' 'Voicemail' SPAM

FYI...

Fake 'secure message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoo...ing-malspam-delivers-trickbot-banking-trojan/
1 Aug 2017 - "An email with the subject of 'You have a new secure message waiting' pretending to come from Santander but actually coming from a look-alike-domain Santander <pleasedonotreply@ -santandersecuremessage- .com> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-c...der-You-have-a-new-secure-message-waiting.png

SecureMessage.doc - Current Virus total detections 5/58* Payload Security** shows a download from
http ://lexpertpret .com/fr/nologo.png which of course is -not- an image file but a renamed .exe file that gets renamed to ywbltmn.exe and autorun (VirusTotal 16/63[3]) (Payload Security[4]). An alternative download location is
https ://hvsglobal .co.uk/image/nologo.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...51f2c9601671f35873688307/analysis/1501605462/
SecureMessage.doc

** https://www.hybrid-analysis.com/sam...25051f2c9601671f35873688307?environmentId=100
Contacted Hosts
216.138.226.110
146.255.36.1
69.247.60.183
46.105.250.84
91.206.4.216

3] https://www.virustotal.com/en/file/...c16161f49eac1accea1fc6ec/analysis/1501604882/
ywbltmn.exe

4] https://www.hybrid-analysis.com/sam...401c16161f49eac1accea1fc6ec?environmentId=100

lexpertpret .com: 216.138.226.110: https://www.virustotal.com/en/ip-address/216.138.226.110/information/
> https://www.virustotal.com/en/url/7...0aff7f3a396ace462e7eae8b574ce55c217/analysis/

hvsglobal .co.uk: 192.185.37.229: https://www.virustotal.com/en/ip-address/192.185.37.229/information/
> https://www.virustotal.com/en/url/9...e9e3bf72051a4dde83f7da0db4af4ceea4b/analysis/
___

Fake 'Voicemail' SPAM - delivers Trojan
- https://myonlinesecurity.co.uk/fake...935am-malspam-delivers-emotet-banking-trojan/
1 Aug 2017 - "... an email with the subject of 'Voicemail From 845-551-#### at 9:35AM' pretending to come from Microsoft Voice <MSVoice@ your own email domain> downloads Emotet banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Voicemail-From-845-551-8266-at-935AM.png

VM97358238_20170801.zip: Extracts to: VM9742814303_20170801.vbs Current Virus total detections 16/55*
Payload Security**. Manual analysis of the vbs file shows these download sites hardcoded in a base64 encoding with a bit of extra nonsense padding to try to hide them (there will be loads of other sites in other vbs files attached to a -different- version of this)
showyourdeal .com/JHghjHy6? > 143.95.99.159
89tg7gjkkhhprottity .com/af/JHghjHy6 > 91.214.114.154
mybutterhalf .com/JHghjHy6? > 208.91.198.170
dreamoneday .com/JHghjHy6? > 103.21.58.181
These are downloaded as txt files but are simply renamed .exe files (VirusTotal 16/55[3]) (Payload Security[4])...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...5bba634bb787321db9672cfa/analysis/1480616575/
-6dt874p53077.js

** https://www.hybrid-analysis.com/sam...a965bba634bb787321db9672cfa?environmentId=100
Contacted Hosts
82.211.96.24
91.201.41.145
31.41.47.50
46.8.29.155
52.34.245.108
54.240.162.137

3] https://www.virustotal.com/en/file/...5bba634bb787321db9672cfa/analysis/1480616575/
-6dt874p53077.js

4] https://www.hybrid-analysis.com/sam...a965bba634bb787321db9672cfa?environmentId=100
Contacted Hosts
82.211.96.24
91.201.41.145
31.41.47.50
46.8.29.155
52.34.245.108
54.240.162.137

Update: it appears that this is more likely to be Globeimposter ransomware* not Emotet. It looks like I was mislead by initial detections on VirusTotal and the delivery method.
* https://twitter.com/VK_Intel/status/892613372889399296
2nd Update 2 August 2017: This campaign has continued on and off all night (UK time) with a slight change to the zip file names. From exactly midnight UK time last night the last part of the zip name ( the date) changed from VM#######_20170801.zip to VM#######_20170802.zip. Looking through a few of the nearly 600 I received, it looks like the download sites are the -same- as many of the sites in yesterday’s (and earlier) Trickbot and globeimposter campaigns that I didn’t report on because of other real world commitments. A list of sites can be seen in VT comments**. Just change /98wugf56 to /JHghjHy6 (quite a few sites are live using the latest file name format).
** https://www.virustotal.com/en/file/...d66c630ebcad3d0720851230ec93a81fa27/analysis/

:fear::fear: :mad:
 
Last edited:
Fake 'Online Bill' SPAM

FYI...

Fake 'Online Bill' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoo...ill-is-ready-to-view-delivers-banking-trojan/
2 Aug 2017 - "... malspam campaign pretending to be a 'Vodafone bill'. These started earlier this morning with links-in-the-email to a compromised or fraudulently set up SharePoint business site that soon stopped delivering the malware payloads. They then quickly switched to a whole host of other compromised sites to host the word doc that is the first stage in the malware download process. This is definitely a dyre based banking Trojan and might be Dridex or might be Trickbot...

Screenshot: https://myonlinesecurity.co.uk/wp-c...-Manager-Your-Phone-Bill-is-ready-to-view.png

Bill_02082017.doc - Current Virus total detections 21/59*. Payload Security** downloads an encrypted txt file from one of these 3 sites (may be more in other macros so far not examined):
http ://ortaokuldayiz .com/82yyfh3 > 94.73.148.130
http ://trredfcjrottrdtwwq .net/af/82yyfh3 > 54.214.108.57
http ://eoliko .com/82yyfh3 > 5.100.152.26
which is converted by the script to sultan8.exe (VirusTotal 16/63[3]) (Payload Security[/4])...
Eset Ireland did mention this one earlier today:
> https://blog.eset.ie/2017/08/02/fake-vodafone-bill-spreads-trojan-malware/
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...1b4b6b1cdaf041c7629924cc35d0b159eb8/analysis/
Bill_02082017.doc

** https://www.hybrid-analysis.com/sam...daf041c7629924cc35d0b159eb8?environmentId=100
Contacted Hosts
94.73.148.130
37.120.182.208
191.7.30.30
194.87.102.119
172.97.69.140

3] https://www.virustotal.com/en/file/...28b45a83574809d982afc7586859b665b22/analysis/
82yyfh3.exe

4] https://www.hybrid-analysis.com/sam...574809d982afc7586859b665b22?environmentId=100
Filename: 82yyfh3

:fear::fear: :mad:
 
Last edited:
Fake 'Secure Email' SPAM, 'Payment copy' - Phish

FYI...

Fake 'Secure Email' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoo...age-malspam-delivers-trickbot-banking-trojan/
3 Aug 2017 - "An email with the subject of 'Nationwide Secure Email – Secured Message' pretending to come from Nationwide but actually coming from a look-a-like domain <secured@ nationwidesecure .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan... Today’s example of the spoofed domain is nationwidesecure .co.uk 184.168.221.37 ip-184-168-221-37 .ip.secureserver .net...

The word doc attachment looks like this and tells you to use the non existent passphrase to open it. The blue moving circle makes you think that you need to enable the content & macros to see the hidden secure content.
DO NOT enable the macros or content. You WILL be infected:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/nationwide-Secure_doc.png

Secure.doc - Current Virus total detections 7/58*. Payload Security** shows a download from
http ://catterydelacanaille .be/logo.png which of course is -not- an image file but a renamed .exe file
that gets renamed to tyltl.exe and autorun (VirusTotal 15/65[3]). An alternative download location is
http ://carriereiserphotography .com/logo.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...da19a501e5cf81553f7d0801/analysis/1501756792/
Secure.doc

** https://www.hybrid-analysis.com/sam...b5ada19a501e5cf81553f7d0801?environmentId=100
Contacted Hosts
89.255.9.40
37.120.182.208
185.30.144.205

3] https://www.virustotal.com/en/file/...dd79b51dc458862f6f2843e7/analysis/1501755791/
tyltl.exe

catterydelacanaille .be: 89.255.9.40: https://www.virustotal.com/en/ip-address/89.255.9.40/information/
> https://www.virustotal.com/en/url/3...f036484d04b9cc92ba15ec20688dba44ba2/analysis/

carriereiserphotography .com: 72.32.177.50: https://www.virustotal.com/en/ip-address/72.32.177.50/information/
> https://www.virustotal.com/en/url/1...91d17d0eb36ec4a4b73c24ea7b67ebb9dce/analysis/
___

'Payment copy' - Phish
- https://myonlinesecurity.co.uk/paym...leads-to-phishing-for-your-email-credentials/
3 Aug 2017 - "... phishing attempts for email credentials. This one is slightly different than many others and surprisingly creative from the phisher. It pretends to be a message saying to 'download a payment copy and please ship the goods' they have ordered...

Screenshot: https://myonlinesecurity.co.uk/wp-c...opy-please-ship-immediately-phishing-scam.png

If you follow the link inside the email you see a webpage looking like this:
http ://clcktoviewnow.a-acheter .org/ which contains an -Iframe- to
http ://www.pensiunea-ciobanelu .ro/view-ttcpy/
which actually displays the phishing attempt:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/email_settings_pensiunea.png

After you input your email address and password, you get told “Please wait download will start in a minute”. It never does, there is no download of anything, whether malware or a genuine “fake” invoice or payment receipt and this is simply a phishing -scam- to get your email account credentials:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/email_settings_pensiunea2.png

... these emails use Social engineering tricks to persuade you to open the attachments or follow links in emails..."

clcktoviewnow.a-acheter .org: 85.14.138.114: https://www.virustotal.com/en/ip-address/85.14.138.114/information/
> https://www.virustotal.com/en/url/1...73f38f853a3bd3e9174add43ba8a852319e/analysis/

pensiunea-ciobanelu .ro: 89.40.32.15: https://www.virustotal.com/en/ip-address/89.40.32.15/information/
> https://www.virustotal.com/en/url/e...c7ffe3bb2f4a6f30a95fb81692addc18c36/analysis/

:fear::fear: :mad:
 
Last edited:
Fake 'Beneficiary’s Details', 'Secure Email' SPAM

FYI...

Fake 'Beneficiary’s Details' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/fake-beneficiarys-details-delivers-java-adwind/
14 Aug 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... 'previously mentioned many of these HERE*. We have been seeing these sort of emails almost every day and there was nothing much to update. Today’s has a slightly different subject and email content to previous ones. Many Antiviruses on Virus Total detect these heuristically...
* https://myonlinesecurity.co.uk/?s=java+adwind

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/AU1427913065-PIN-12602119326.png

The link in the email body goes to
http ://karizma-co .com/wp-admin/user/Beneficiary%27s Details.R01 (VirusTotal 0/65[1]) (almost certainly a compromised WordPress website) where a zip file is downloaded.
Beneficiary’s Details.zip - Extracts to Beneficiary’s Details.jar (478kb) - Current Virus total detections 1/59[2]
Payload Security[3]... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
1] https://www.virustotal.com/en/url/1...a47fd8db46708ba03f478c85/analysis/1502700304/

2] https://www.virustotal.com/en/file/...32fba9a672399f11af206ec9/analysis/1502679993/
Xpressmoney Global network.jar

3] https://www.hybrid-analysis.com/sam...15c32fba9a672399f11af206ec9?environmentId=100
File Details:
Beneficiary's Details.jar

karizma-co .com: 5.189.185.178: https://www.virustotal.com/en/ip-address/5.189.185.178/information/
___

Fake 'Secure Email' SPAM - delivers trickbot
- https://myonlinesecurity.co.uk/fake-you-have-a-santander-secure-email-delivers-trickbot/
14 Aug 2017 - "An email with the subject of 'You have a Santander Secure Email' pretending to come from Santander Bank but actually coming from a look-a-like domain <message@ santanderdocs .co.uk> with an html attachment which downloads a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... Today’s example of the spoofed domain is
santanderdocs .co.uk: 160.153.162.141: https://www.virustotal.com/en/ip-address/160.153.162.141/information/
> https://www.virustotal.com/en/url/1...cb643ec42ea48b0421e2ad95128b3a1ffb3/analysis/

I don’t have an actual email. The information was forwarded to me and only has the basic details with -no- email body content. The email looks like:
From: Santander <message@santanderdocs .co.uk>
Date: 14 August 2017 20:12
Subject: You have a Santander Secure Email
Attachment: SecureDoc.html

Screenshot of word doc: Beware of the -login- in the word doc. It is only there to persuade the recipient to enable content which allows the macros-to-run and infect you. Do NOT follow those instructions:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/santander_SecureDoc.png

SecureDoc.doc - Current Virus total detections 3/58*. Payload Security**. This malware file downloads from
http ://cfigueras .com/armanistand.png which of course is -not- an image file but a renamed .exe file that gets renamed to Cqgcf.exe (VirusTotal 10/64[3]). An alternative download location is
http ://centromiosalud .es/armanistand.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...25b738375a8ee192e02fe602/analysis/1502715405/

** https://www.hybrid-analysis.com/sam...2b425b738375a8ee192e02fe602?environmentId=100
Contacted Hosts
178.255.225.215
158.69.26.138
46.160.165.31

3] https://www.virustotal.com/en/file/...35f6052533226d0444731688/analysis/1502713865/

cfigueras .com: 51.254.83.173: https://www.virustotal.com/en/ip-address/51.254.83.173/information/
> https://www.virustotal.com/en/url/c...625a2d1c0814d4af5e8ec6a773a31aff174/analysis/

centromiosalud .es: 178.255.225.215: https://www.virustotal.com/en/ip-address/178.255.225.215/information/
> https://www.virustotal.com/en/url/d...2ea97a5bd04f3779b06baac6074bb5fd183/analysis/

:fear::fear: :mad:
 
Last edited:
Fake 'eFax' SPAM, 'Locky' returns, Paypal phish

FYI...

Fake 'eFax' SPAM - delivers trickbot
- https://myonlinesecurity.co.uk/fake-efax-delivers-trickbot-banking-trojan/
15 Aug 2017 - "An email with the subject of 'eFax' pretending to come from eFax but actually coming from a look-a-like domain eFax <noreply@ faxdocuments120 .ml> with a malicious word doc attachment is today’s latest spoof of a well known company, messaging service, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/faxdocuments120.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/efax42542153_2425_doc.png

efax42542153_2425.doc - Current Virus total detections 5/58*. Payload Security**. This malware file downloads from
http ://cfigueras .com/nothing44.png which of course is -not- an image file but a renamed .exe file that gets renamed to Qhdizwg.exe and autorun (VirusTotal 14/64***). An alternative download location is
http ://cfai66 .fr/nothing44.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...470d3af7fe1bb317c5123593/analysis/1502883132/
efax42542153_2425.doc

** https://www.hybrid-analysis.com/sam...be0470d3af7fe1bb317c5123593?environmentId=100
Contacted Hosts
51.254.83.173
158.69.26.138
185.141.26.86
185.40.20.42

*** https://www.virustotal.com/en/file/...0b116ac7b4bed067948b315e/analysis/1502881050/
Qhdizwg.exe

cfigueras .com: 51.254.83.173: https://www.virustotal.com/en/ip-address/51.254.83.173/information/
> https://www.virustotal.com/en/url/d...73f3904d86e2a63faf4fb3d7924945c777e/analysis/

cfai66 .fr: 87.252.5.144: https://www.virustotal.com/en/ip-address/87.252.5.144/information/
> https://www.virustotal.com/en/url/7...ca8ea7ed1dc050726a14a379593bc957f20/analysis/
___

Locky ransomware returns - two new "flavors"
- https://blog.malwarebytes.com/cyber...are-returns-to-the-game-with-two-new-flavors/
Aug 16, 2017 - "We recently observed a fresh malicious spam campaign pushed through the Necurs botnet distributing so far, two new variants of Locky ransomware... From August 9th, Locky made another reappearance using a new file extension “.diablo6” to encrypt files with the rescue note: “diablo6-[random] .htm“. Today a new Locky malspam campaign is pushing a new Locky variant that adds the extension “.Lukitus” and the rescue note: “lukitus .html“... Locky, like numerous other ransomware variants, is usually distributed with the help of spam emails containing a malicious Microsoft Office file or a ZIP attachment containing a malicious script:
> https://blog.malwarebytes.com/wp-content/uploads/2017/08/Nercus_MalSpam.png
... The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should
-never- assume Locky is gone simply because it’s not active at a particular given time..."
(More detail at the first malwarebytes URL above.)
___

Paypal phish - fake verification
- https://isc.sans.edu/diary/22726
2017-08-16 - "They are plenty of phishing kits in the wild that try to lure victims to provide their credentials. Services like Paypal are nice targets and we can find new -fake- pages almost daily. Sometimes, the web server isn’t properly configured and the source code is publicly available... I presume that the kit is related to a spam campaign but I did not get the initial email. Based on the quality of the kit, I suspect the email to be properly written. As usual, it starts with the classic Paypal login page:
- https://isc.sans.edu/diaryimages/images/paypal-20170816-1.png
Then a fake verification page is displayed to warn the victim that a check of the account must be performed. Note that the values are hard coded:
- https://isc.sans.edu/diaryimages/images/paypal-20170816-2.png
The next steps ask the victim to enter his/her details, including banking details:
- https://isc.sans.edu/diaryimages/images/paypal-20170816-4.png
Graphically, the different pages are very clean and use components from the Paypal website to reproduce a look and feel very close to the official pages... There is also a second check of the IP address included in the PHP code. If a valid IP address or User-Agent is detected, an HTTP error 404 (page not found) is returned... When the verification screens are displayed to the victim, fields are prefilled with the extracted information from Paypal. This is really evil! All fields are also validated to prevent garbage and increase the change to capture real data. Depending on the card number that the victim provided, a next screen is presented to fill bank details. Based on the source code, three countries are targeted: US, CA and UK. Depending on the bank, specific forms are displayed to request valid connection details... At the end of the “verification process”, an email is sent to the attacker with all the victim's details. The destination is a gmail .com account... If most phishing kits remain simple and can be easily spotted by the victims, some of them are really well developed and harder-to-catch, especially if the URL used is nicely chosen and distributed via HTTPS. This kit was huge with more than 300 files in a 1.8MB ZIP file. Take care!"

:fear::fear: :mad:
 
Last edited:
Fake 'invoice', 'Outstanding invoices' SPAM

FYI...

Fake 'invoice' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/fake-xero-accounting-software-invoice-delivers-dridex-banking-trojan/
17 Aug 2017 - "... an email with the subject of 'Your Xero Invoice INV-0855485' coming from subscription.notifications@ xeronet .org which uses -compromised- sharepoint aka onedrive for business accounts to deliver Dridex banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Your-Xero-Invoice-INV-0855485.png

The -link- in the body of the email is to
https ://lakesambel-my.sharepoint .com/personal/contact_caravanparkbeechworth_com_au/_layouts/15/guestaccess.aspx?docid=03b4b6316d9ca4fa48971a9101a38b364&authkey=Afo8hRz5LV65-XWim02sZtg
where a zip file containing a .js file is downloaded.

Xero Invoice.zip: Extracts to: Xero Invoice.js - Current Virus total detections 20/57[1]. Payload Security[2]
This malware downloads from
https ://stakks-my.sharepoint .com/personal/accounts_stakks_com_au/_layouts/15/guestaccess.aspx?docid=0426cc21c900f4425bfd868cf0a9bc836&authkey=AdVBGQCO-SGtytiexhgUfw8
to deliver documents.xero which is -renamed- to Y739Ayh.exe (VirusTotal 34/65[3]) Payload Security[4]...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/...243aebecd2ab30933c0c89e2/analysis/1502950371/

2] https://www.hybrid-analysis.com/sam...024243aebecd2ab30933c0c89e2?environmentId=100
Contacted Hosts
13.107.6.151
185.174.100.16
117.121.243.232
74.208.64.187
104.236.218.169
31.31.77.229

3] https://www.virustotal.com/en/file/...054acbf7b6f4c304ea6c3728886fd2c0aea/analysis/

4] https://www.hybrid-analysis.com/sam...b6f4c304ea6c3728886fd2c0aea?environmentId=100
Contacted Hosts
185.174.100.16
117.121.243.232
74.208.64.187
104.236.218.169
31.31.77.229

lakesambel-my.sharepoint .com: 13.107.6.151: https://www.virustotal.com/en/ip-address/13.107.6.151/information/

stakks-my.sharepoint .com: 13.107.6.151
___

Fake 'Outstanding invoices' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/outstanding-invoices-email-1-of-2-malspam-delivers-locky-ransomware/
17 Aug 2017 - "An email with the subject of 'Outstanding invoices email 1 of 2' pretending to come from random names and email addresses with a malicious word doc attachment delivers Locky Ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Outstanding-invoices-email-1-of-2.png

056757.doc - Current Virus total detections 15/58*. Payload Security**.
This malware downloads from
http ://campingtossa .com/87wifhFsdf (VirusTotal 23/63***).
There will be dozens if not hundreds of other downloads sites in different versions of these word docs...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...bc5ab06767fdab23298c1e47/analysis/1502969190/

** https://www.hybrid-analysis.com/sam...21ebc5ab06767fdab23298c1e47?environmentId=100
Contacted Hosts
188.93.73.211
212.109.220.109

*** https://www.virustotal.com/en/file/...99d09a94c26035d6185803ea/analysis/1502969865/
87wifhFsdf.exe

campingtossa .com: 188.93.73.211: https://www.virustotal.com/en/ip-address/188.93.73.211/information/

:fear::fear: :mad:
 
Last edited:
Fake 'order' SPAM, Cloud: User Account Attacks

FYI...

Fake 'order' SPAM - links deliver malware
- https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/
18 Aug 2017 - "... an email with the subject of 'Your order no 8194788 (random numbers) has been processed' coming from random names @ creatingkindly .com which delivers some sort of malware... These pretend to be an order confirmation for cotton material from a -random- name shop with a -fake- address...

Screenshot: https://myonlinesecurity.co.uk/wp-c.../Your-order-no-8194788-has-been-processed.png

The email has a -link- in the body to
http ://michellesteve .com/victim_name/8194788.php?recipient-id=bzmqkpohrma&=282193283842&395981697844=760611824 which downloads document.zip: which Extracts to: document.lnk
- Current Virus total detections 6/55[1]. Payload Security[2].
An alternative email had the -link- to
http ://letsgetvisibility .com/victim_name/6290807.php?id-ee=ycttmymbp&=vdfq&jxkhgrs=vddrhdu
which currently gives me a 404 on the entire domain although it does have registration details from 2015.
This malware downloads from
http ://otp.forgetmenotbeading .com/valid.bin which is -renamed- by the script to combo.exe
(VirusTotal 8/61[3]) Payload Security[4]...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it... -Never- attempt to open a zip directly from your email, that is a guaranteed way to get infected... just delete the unexpected zip and not risk any infection..."
1] https://www.virustotal.com/en/file/...d884087e6fc4836107efb7f2/analysis/1503034822/
document.zip

2] https://www.hybrid-analysis.com/sam...746c1709056ad0103add0eaa81d?environmentId=100

3] https://www.virustotal.com/en/file/...631d6f6b7dc0768958f7107a/analysis/1503034808/
valid.bin

4] https://www.hybrid-analysis.com/sam...2d0631d6f6b7dc0768958f7107a?environmentId=100
Contacted Hosts
65.55.50.189
185.117.73.5

creatingkindly .com: 50.63.202.38: https://www.virustotal.com/en/ip-address/50.63.202.38/information/

michellesteve .com: 185.61.152.60: https://www.virustotal.com/en/ip-address/185.61.152.60/information/

letsgetvisibility .com: A temporary error occurred during the lookup...

[Corrected to:] otp.forgetmenotbeading .com: 185.183.97.141: https://www.virustotal.com/en/url/1...407b4371d3b3ca71ef9d16d44b22467607e/analysis/
___

Cloud: User Account Attacks jumped 300% since 2016
... Most of these Microsoft user account compromises can be attributed to weak, guessable passwords and poor password management...
- http://www.darkreading.com/cloud/mi...attacks-jumped-300--since-2016/d/d-id/1329666
8/17/2017 - "... 'One of the most critical things a user can do to protect themselves is to use a unique password for every site and never reuse passwords across multiple sites', the report* states... Attackers -frequently- compromise cloud services like Azure to enter a business and weaponize virtual machines so they can launch attacks like spam campaigns, brute force attacks, phishing, and port scanning..."
* http://download.microsoft.com/downl...33/Security_Intelligence_Report_Volume_22.pdf

:fear::fear: :mad:
 
Last edited:
Fake 'please print' 'images etc', 'O2 Bill' SPAM

FYI...

Fake 'please print' 'images etc' SPAM - delivers Cerber
- http://blog.dynamoo.com/2017/08/cerber-spam-please-print-images-etc.html
21 Aug 2017 - "I only have a couple of samples of this spam, but I suspect it comes in many different flavours..

Subject: images
From: "Sophia Passmore" [Sophia5555@ victimdomain .tld]
Date: Fri, May 12, 2017 7:18 pm

*Sophia Passmore*
--
Subject: please print
From: "Roberta Pethick" [Roberta5555@ victimdomain .tld]
Date: Fri, May 12, 2017 7:18 pm

*Roberta Pethick*

In these two samples there is an attached .7z archive (MD5 31c144629bfdc6c8011c492e06fe914d) with a VirusTotal detection rate of 18/58*. Both samples contained a malicious Javascript named 20170821_08914700.js ...
Automated analysis [1] [2] shows a download from the following locations:
gel-batterien-agm-batterien .de/65JKjbh??TqCRhOAQ=TqCRhOAQ [46.4.91.144 - Hetzner, Germany]
droohsdronfhystgfh .info/af/65JKjbh?TqCRhOAQ=TqCRhOAQ [119.28.100.249 - Tencent, China]
The Hybrid Analysis report[1] shows an executable being dropped which is Ceber Ransomware (MD5 c7d79f5d830b1b67c5eb11de40a721b4), with a VT detection of 22/64[3].
Recommended blocklist:
46.4.91.144
119.28.100.249 "
* https://virustotal.com/#/file/27b49...36998f771788712c6075e41541d82dee573/detection
??

1] https://www.hybrid-analysis.com/sam...b0aff2ee4452916699454bb0799?environmentId=100
Contacted Hosts
46.4.91.144
119.28.100.249
216.58.206.228

2] https://malwr.com/analysis/NjRlNDBiZDE2NDNmNDQ4MWI1NmFjNmVmMTJlNjg3Y2M/
Hosts
46.4.91.144
119.28.100.249

3] https://www.virustotal.com/en/file/...6122cacc373fc3b26cb572fdf77472a234c/analysis/
___

Fake 'O2 Bill' SPAM - delivers Emotet banking Trojan
- https://myonlinesecurity.co.uk/fake-o2-bill-delivers-emotet-banking-trojan/
21 Aug 2017 - "... an email with the subject of 'My O2 Business – Your O2 Bill is ready' – (recipient’s name) coming from random senders which delivers Emotet banking Trojan. There has also been several different -fake- 'invoice' versions spoofing or faking various companies, some known & some completely made up today. The word docs have been -identical- and the -sites- are used in -all- the campaigns...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/O2_bill.png

Update 22 August 2017: a new malspam run this morning with a slightly changed subject 'Your O2 bill is ready' – (recipient name) still coming from random senders but pretending to come from 'O2 bill'. There has also been several different -fake- 'invoice' versions spoofing or faking various companies, some known & some completely made up today. The word docs have been -identical- and the -sites- are used in all the campaigns...
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/O2_bill.png

The link in the email is to various sites where a word doc is downloaded. Some sites include:
http ://ekomer .es/HPRKFQZXAP5465294/ > 5.145.175.240
http ://eyelife .org/Rech-59081174958/ > 188.65.115.132
http ://cruisecapital .co.uk/gescanntes-Dokument-38085714326/ > 173.236.152.205
http ://theglobetrotters .org/Rechnung-55894642722/ > 69.195.116.213
http ://bryntel .com/JWYFPGLBMH8935758/ > 50.87.66.150
http ://itgrammatics .com/VMZJSGJXBS6464519/ > 178.159.253.100
http ://atitmedia .com/RIVTDJLDUW6513072/ > 109.104.86.127
http ://bytesoftware .com.br/FXXIGOFTER8590131/ > 216.172.172.168
http ://hapmag .com/VVHMVGTRCP7428957/ > 143.95.238.54
http ://marianamengote .com/RLDXAIYKZD2314573/ > 173.254.28.19
The word doc when opened [ and -if- you are unwise enough to enable macros ] will drop an encoded/obfuscated PowerShell script that has several obfuscated hard coded URLs inside it which download the actual Emotet banking Trojan. These do need quite a bit of decoding to get to the payload.
Some of today’s Urls are:
http ://ohleronline .com/qnhvqLeGds/ > Could not find an IP address for this domain name.
http ://wilsondesign .com.au/EmOYzciXN/ > 192.232.203.190
http ://effectiveit .com.au/zrMwJInVT/ > 175.107.174.7
http ://portseven .com.br/AEVHV/ > 67.23.238.138
http ://nubodyofdallas .com/FwJSgvPKF/ > 74.124.198.22
... The basic rule is NEVER open any attachment -or- link ln an email, unless you are expecting it...
Analysis reports: Note the binaries update at frequent intervals during the day (time of the malware campaign) so you will get -different- versions/file hashes from those mentioned here."
Word Doc: > https://www.virustotal.com/en/file/...737a8b8b3ff241fe2bf2f26d585d17ec54e/analysis/
Rech-03674886877.doc
O2 bill - 000952128372.doc

> https://www.hybrid-analysis.com/sam...6c7b77cf6272a6e11e99fcec9e6?environmentId=100

Dropped binary: > https://www.virustotal.com/en/file/...0c372e2c7096fab47a315275/analysis/1503320867/
nvidiamath.exe

> https://www.virustotal.com/en/file/...f10b37fc084974bad9474e71/analysis/1503333837/
vHsZK.exe

> https://www.hybrid-analysis.com/sam...5adf10b37fc084974bad9474e71?environmentId=100
Contacted Hosts
104.236.252.178
storagewmi.exe

> https://www.hybrid-analysis.com/sam...bb90c372e2c7096fab47a315275?environmentId=100
HTTP Traffic
104.236.252.178

:fear::fear: :mad:
 
Last edited:
Fake 'Voicemail Service', 'Payments request', 'Purchase Order' SPAM

FYI...

Fake 'Voicemail Service' SPAM - delivers ransomware
- http://blog.dynamoo.com/2017/08/malware-spam-from-voicemail-service.html
22 Aug 2017 - "This -fake- voicemail leads to malware:
Subject: [PBX]: New message 46 in mailbox 461 from "460GOFEDEX" <8476446077>
From: "Voicemail Service" [pbx@ local]
Date: Tue, August 22, 2017 10:37 am
To: "Evelyn Medina"
Priority: Normal
Dear user:
just wanted to let you know you were just left a 0:53 long message (number 46)
in mailbox 461 from "460GOFEDEX" <8476446077>, on Tue, 22 Aug 2017 17:37:58 +0800
so you might want to check it when you get a chance. Thanks!
--Voicemail Service

The numbers and details -vary- from message to message, however the format is always the same. Attached is a RAR file with a name similar to msg0631.rar which contains a malicious script named msg6355.js...
The script has a VirusTotal detection rate of 14/59*.
According to automated analysis [1] [2] the script reaches out to the following URLs:
5.196.99.239/imageload.cgi [5.196.99.239 - OVH, Ireland / Just Hosting, Russia. Hostname: noproblem.one]
garage-fiat.be/jbfr387??qycOuKnvn=qycOuKnvn [91.234.195.48 - Ligne Web Services, France]
A -ransomware- component is dropped (probably Locky) with a detection rate of 16/64[3]."
* https://virustotal.com/#/file/ac87d...1edc655134956b4522bca54ce4f500ae059/detection
??

1] https://malwr.com/analysis/NDI0ZWUyNDE1NmM3NGRmOTkzNzgwMWE0OWUxNGZkMTA/
msg6355.js
Hosts
91.234.195.48
5.196.99.239

2] https://www.hybrid-analysis.com/sam...34956b4522bca54ce4f500ae059?environmentId=100
Contacted Hosts
216.58.209.238
91.234.195.48
5.188.63.30

3] https://www.virustotal.com/en/file/...e6ce0dccfdcd05d7c9b81802369f9bcd38f/analysis/
jbfr387

> https://myonlinesecurity.co.uk/more...n-mailbox-101-from-100gofedex-delivers-locky/
22 Aug 2017 - "... an email with the subject of '[PBX]: New message 10 in mailbox 101 from 100GOFEDEX' <7820413853> pretending to come from 'Voicemail Service' <pbx@ local>... The new message number, mailbox number, gofedex number and telephone number are all random. All of these are being sent to Evelyn Medina <random_name@ recipient_domain .tld>...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/pbx-voicemail.png

msg0575.rar: Extracts to: msg0575.js - Current Virus total detections 16/55*. Payload Security** delivers
bURnweP2.exe VirusTotal 16/65***...
There are literally hundreds of sites listed in the different versions of js files - when one of the other researchers uploads a list of today’s sites, I will edit this post to link to it...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...5bba634bb787321db9672cfa/analysis/1480616575/
-6dt874p53077.js

** https://www.hybrid-analysis.com/sam...1e7164c05bf7f75653a45015b5d?environmentId=100
File Details
msg4975.js
Contacted Hosts
37.247.123.33
94.242.59.239
5.196.99.239

*** https://www.virustotal.com/en/file/...e6ce0dccfdcd05d7c9b81802369f9bcd38f/analysis/
jbfr387[1].3164.dr
___

Fake 'Payments request' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-spoofed-hsbc-payments-request-delivers-trickbot-banking-trojan/
22 Aug 2017 - "An email with the subject of 'Payments request' pretending to come from HSBC but actually coming from a look-a-like domain <message@ hsbc-mail .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... Today’s example of the spoofed domain is hsbc-mail .co.uk 89.233.106.146. As usual they are registered via Godaddy as registrar and the emails are being sent via sent 89.233.106.146 AS35017 Swiftway Sp. z o.o...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/spoofed-HSBC-Payments-request.png

Word doc looks like: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/hsbc-paymentsdocuments_doc.png

PaymentDocuments.doc - Current Virus total detections 3/59*. Payload Security**. This malware file downloads from
http ://pfsmoney .com/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to vgjqlt.exe and autorun (VirusTotal 13/65***).
An alternative download location is
http ://panda .biz/logo.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...0b347c89e3a353aee85f50d9b0450ca3167/analysis/

** https://www.hybrid-analysis.com/sam...e3a353aee85f50d9b0450ca3167?environmentId=100
Contacted Hosts
195.191.25.102
37.120.182.208
194.87.144.16
172.93.37.143

*** https://www.virustotal.com/en/file/...317be4cf86aad286950e1179/analysis/1503394753/

pfsmoney .com: 162.144.12.198: https://www.virustotal.com/en/ip-address/162.144.12.198/information/
> https://www.virustotal.com/en/url/5...f3b161d81f52aaac26533b07745d07901b0/analysis/

panda .biz: 192.64.147.215: https://www.virustotal.com/en/ip-address/192.64.147.215/information/
___

Fake 'Purchase Order' SPAM - delivers nanocore RAT
- https://myonlinesecurity.co.uk/ange...purchase-order-malspam-delivers-nanocore-rat/
22 Aug 2017 - "... an email with the subject of 'Purchase Order' coming from Angelika Rodriguez <zales@ municipiodepaute .gob.ec>[1] which delivers what is probably a nanocore RAT (it matches yara sigs for that malware)...
1] http://www.reputationauthority.org/lookup.php?ip=181.113.129.250&d=gob.ec

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Angelika-Rodriguez-purchase-order.png

Purchase_Order_List_Aug.zip: Extracts to: Purchase_Order_List_Aug.exe - Current Virus total detections 12/64*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...7e585520026a235265850406/analysis/1503426139/
Purchase_Order_List_Aug.exe

** https://www.hybrid-analysis.com/sam...3787e585520026a235265850406?environmentId=100
Contacted Hosts
174.127.99.135

:fear::fear: :mad:
 
Last edited:
Fake 'purchase order', 'Ref', 'Fax' SPAM

FYI...

Fake 'purchase order' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-purchase-order-delivering-malware/
23 Aug 2017 - "... an email with the subject of 'RFQ072017' coming from Stafford Shawn <staffordshawn1@ yahoo .com> (possibly random senders) but definitely coming via Yahoo email network with a zip attachment containing a file that pretends to be a pdf file but is an .exe file... All detections on VirusTotal are heuristic or generic detections but it is quite well detected.
Update: I am reliably informed it is nanocore RAT 1.2.2.0...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/RFQ072017.png

SCAN_PO#20170823.PDF.z: Extracts to: SCAN_PO#20170823.PDF.z.exe - Current Virus total detections 23/64*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...8fc6f9acc043aa60c73567c5/analysis/1503458477/

** https://www.hybrid-analysis.com/sam...f3f8fc6f9acc043aa60c73567c5?environmentId=100
Contacted Hosts
185.12.45.79
___

Fake 'Ref' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-barclays-bank-ref-72381821-delivers-trickbot-banking-trojan/
23 Aug 2017 - "An email with the subject of 'Ref: 72381821' pretending to come from Barclays Bank but actually coming from a look-a-like domain Barclays <message@ barclaysmail .co.uk> -or- Barclays <message@ barclays-mail .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan... spoofed domains are barclaysmail .co.uk 46.21.147.128 AS35017 Swiftway Sp. z o.o. and barclays-mail .co.uk 85.93.88.35 malta2333.startdedicated .net AS8972 Host Europe GmbH...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Ref-72381821-fake-Barclays-email.png

Ref72381821.doc - Current Virus total detections 4/58*. Payload Security**... This malware file downloads from
http ://eva-wagner .net/picture_library/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to hgfudf.exe and autorun (VirusTotal 18/63***). An alternative download location is
http ://eva-poldi .at/logo.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...d50178b169971e7302d847d7/analysis/1503484026/
attachment20170823-17020-5y3sht.doc

** https://www.hybrid-analysis.com/sam...1fed50178b169971e7302d847d7?environmentId=100
Contacted Hosts
62.138.14.149
37.120.182.208
51.254.164.249
188.165.62.11

*** https://www.virustotal.com/en/file/...597e33a1e8485ee1f0ed478cba45a21e212/analysis/
hgfudf.exe

eva-wagner .net: 148.251.26.133: https://www.virustotal.com/en/ip-address/148.251.26.133/information/
> https://www.virustotal.com/en/url/0...7240e8cf03d2318e9a0cd50b7316672b542/analysis/

eva-poldi .at: 62.138.14.149: https://www.virustotal.com/en/ip-address/62.138.14.149/information/
> https://www.virustotal.com/en/url/0...b939c56b33ddc28f367f0fec73bfc36d639/analysis/
___

Fake 'Fax' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-delivered-via-fake-free-fax-to-email-malspam/
22 Aug 2017 - "... series of Locky downloaders... an email with the subject of 'Fax from: (01242) 856225' [random numbers] pretending to come from Free Fax to Email <freefaxtoemail@ random email domain>...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Fax-from-01242-856225.png

Fax278044344f0dd0b.rar: Extracts to: Fax1423519vc18e7c3.js - Current Virus total detections 16/55*
Payload Security** - delivers /REjhb54 (VirusTotal ***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...5bba634bb787321db9672cfa/analysis/1480616575/
-6dt874p53077.js

** https://www.hybrid-analysis.com/sam...bdb0d1efe3ad428a23654014a0c?environmentId=100
Contacted Hosts
192.169.226.106
82.118.17.218
5.196.99.239

*** https://www.virustotal.com/#/file/6...a2a4a3cc3767f29b10b87dd8598bfda2471/detection
??

:fear::fear: :mad:
 
Last edited:
Fake 'Invoice' SPAM

FYI...

Fake 'Invoice' SPAM - leads to Locky
- http://blog.dynamoo.com/2017/08/malware-spam-customer-service-copy-of.html
23 Aug 2017 - "This fairly generic spam leads to Locky ransomware:
Subject: Copy of Invoice 3206
From: "Customer Service"
Date: Wed, August 23, 2017 9:12 pm
Please download file containing your order information.
If you have any further questions regarding your invoice, please call Customer Service.
Please do not reply directly to this automatically generated e-mail message.
Thank you.
Customer Service Department

A -link-in-the-email- downloads a malicious VBS script, and because it's quite late I'll just say that Hybrid Analysis* has seen it all before. The download EXE (VT 21/64**) script POSTS to 5.196.99.239 /imageload.cgi (Just Hosting, Russia) which is in a network block that also had a fair bit of Angler*** last year, so I would recommend blocking all traffic to 5.196.99.0/24."
* https://www.hybrid-analysis.com/sam...cc64e45e503d5ee98ec8d1067f6?environmentId=100
Contacted Hosts
212.89.16.143
46.183.165.45
62.109.16.214
5.196.99.239
216.58.204.132
216.58.204.142

** https://www.virustotal.com/en/file/...514d47d5496ab5c23f38cda1f0d57dd6cd1/analysis/

*** https://pastebin.com/D5pXvR1W

:fear::fear: :mad:
 
Fake 'Secure Message', 'BT bill' SPAM

FYI...

Fake 'Secure Message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake-bank-of-america-secure-message-delivers-trickbot-banking-trojan/
24 Aug 2017 - "An email with the subject of 'Secure email message' pretending to come from Bank of America but actually coming from a look-a-like domain Bank of America <message@ bofamsg .com> or Bank of America <message@ bofa-msg .com> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/bofa_securemessage_email.png

SecureMessage.doc - Current Virus total detections 7/58*. Payload Security**. This malware file downloads from
http ://esp .jp/serca.png which of course is -not- an image file but a renamed .exe file that gets renamed to Aoitas.exe (VirusTotal ***). An alternative download location is
http ://enyahoikuen .com/serca.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...f6d811b219ff1c4758cbf9f3ee9f2941ffa/analysis/
SecureMessage.doc

** https://www.hybrid-analysis.com/sam...19ff1c4758cbf9f3ee9f2941ffa?environmentId=100
Contacted Hosts
121.50.42.51
78.47.139.102
195.133.197.70
79.124.78.81

*** https://www.virustotal.com/en/file/...aa75b600f4e671373e678b6bd10f9b74c77/analysis/
serca.png

esp .jp: 121.50.42.51: https://www.virustotal.com/en/ip-address/121.50.42.51/information/
> https://www.virustotal.com/en/url/8...91f2bc03823d5ced01f2a79778a0a973f3a/analysis/

enyahoikuen .com: 202.231.207.151: https://www.virustotal.com/en/ip-address/202.231.207.151/information/
> https://www.virustotal.com/en/url/e...8233704a1cbe1d2c39294860a2f35fe4cd1/analysis/
___

Fake 'BT bill' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/locky-delivered-by-fake-bt-bill/
24 Aug 2017 - "... Locky downloader... an email with the subject of 'New BT Bill' pretending to come from BT Business <btbusiness@ bttconnect .com> with a-link-in-the-body- of the email to download a zip file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Locky_BT-bill.png

bill-201708.zip: Extracts to: bill-201708.exe - Current Virus total detections 19/65*. Payload Security**.
Currently all the copies I am seeing (hundreds of them) have -2- download links in the email body:
http ://kabbionionsesions .net/af/bill-201708.rar -and- http ://metoristrontgui .info/af/bill-201708.zip
-both- domains have been spreading Locky all day. The downloads are extremely slow but I eventually got the zip version. Also several emails with
http ://kabbionionsesions .net/af/download.php (currently 404) and
http ://kabbionionsesions .net/af/bill-201708.7z (also 404)...
The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...cc23d3a04b04f761684cc86e/analysis/1503597867/
bill-201708.exe

** https://www.hybrid-analysis.com/sam...12fcc23d3a04b04f761684cc86e?environmentId=100
Contacted Hosts
185.179.190.31
216.58.206.228
216.58.206.238

kabbionionsesions .net: 47.89.246.2: https://www.virustotal.com/en/ip-address/47.89.246.2/information/
> https://www.virustotal.com/en/url/2...86a99478da0f5c30e489274a5675a1c68bd/analysis/

:fear::fear: :mad:
 
Last edited:
Fake 'Secure Message', 'Sage invoice', 'Voicemail' SPAM

FYI...

Fake 'Secure Message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake...age-malspam-delivers-trickbot-banking-trojan/
25 Aug 2017 - "An email with the subject of 'You have a new secure Message' pretending to come from Lloyds Bank but actually coming from a look-a-like domain Lloyds Bank <message@ lloydsbankmsg .com> or Lloyds Bank <message@ lloydsbank-msg .com> with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan... spoofed domains are lloydsbankmsg .com 46.21.147.242 and lloydsbank-msg .com 109.235.52.44 ...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/fake-lloyds-bank-secure-message-email.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/lloyds-bank-EncryptedMessage_doc.png

EncryptedMessage.doc - Current Virus total detections 6/58*. Payload Security**. This malware file downloads from
http ://fabianpfau .de/logo.png which of course is -not- an image file but a renamed .exe file that gets renamed to lnmflgf.exe (VirusTotal 13/65***). An alternative download location is
http ://evakrause .nl/logo.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...06f24f91e0f56348c092c502/analysis/1503657342/
EncryptedMessage.doc

** https://www.hybrid-analysis.com/sam...f1806f24f91e0f56348c092c502?environmentId=100
Contacted Hosts
176.28.13.220
216.239.32.21
131.153.40.196

*** https://www.virustotal.com/en/file/...e740f6434d94f9c900f15094/analysis/1503658322/
lnmflgf.exe

fabianpfau .de: 176.28.13.220: https://www.virustotal.com/en/ip-address/176.28.13.220/information/
> https://www.virustotal.com/en/url/f...48f8e21838e5308b542d6d02fa0f60694d1/analysis/

evakrause .nl: 94.126.70.16: https://www.virustotal.com/en/ip-address/94.126.70.16/information/
> https://www.virustotal.com/en/url/3...51c8210e1a7b12e4b3d82eeb6a392534f8c/analysis/
___

Fake 'Sage invoice' SPAM - leads to Locky
- http://blog.dynamoo.com/2017/08/malware-spam-your-sage-subscription.html
25 Aug 2017 - "This -fake- Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much[1] by the bad guys is a bit of a mystery.
[1] http://blog.dynamoo.com/search?q=sage

Screenshot: https://1.bp.blogspot.com/-d685K3ap...8gOmwmE1PE_LHpJgUFUaIkQCLcBGAs/s1600/sage.png

The link-in-the-email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.
helpmatheogrow .com/SINV0709.rar
hendrikvankerkhove .be/SINV0709.rar
heinverwer .nl/SINV0709.rar
help .ads .gov.ba/SINV0709.rar
harvia .uz/SINV0709.rar
The RAR file itself contains a malicious VBS script... with a detection rate of 19/56*, which attempts to download another component from:
go-coo .jp/HygHGF
hausgerhard .com/HygHGF
hausgadum .de/HygHGF
bromesterionod .net/af/HygHGF
hartwig-mau .de/HygHGF
hecam .de/HygHGF
haboosh-law .com/HygHGF
hbwconsultants .nl/HygHGF
hansstock .de/HygHGF
heimatverein-menne .de/HygHGF
Automated analysis of the file [1] [2] shows a dropped binary with a 39/64** detection rate, POSTing to 46.183.165.45 /imageload.cgi (Reg.Ru, Russia)
Recommended blocklist:
46.183.165.45 "
* https://virustotal.com/en/file/aa75...d9d8ea99ca2db718e8bc6092dc07fda9b2c/analysis/
bill-201708.exe

1] https://malwr.com/analysis/ODY3NjZjZmYxNDk0NGU2ZTk4ZGM4MTQyMTEzNDU0MWY/
SINV0709.vbs
Hosts
203.183.65.225
46.183.165.45

2] https://www.hybrid-analysis.com/sam...ca2db718e8bc6092dc07fda9b2c?environmentId=100
Contacted Hosts
203.183.65.225
46.183.165.45

** https://www.virustotal.com/en/file/...f890a01212fcc23d3a04b04f761684cc86e/analysis/
bill-201708.exe

... Fake 'Sage invoice' variant - delivers Locky
> https://myonlinesecurity.co.uk/your-sage-subscription-invoice-is-ready-deliver-locky-ransomware/
24 Aug 2017

Screenshot: https://myonlinesecurity.co.uk/wp-c...p_Your-Sage-subscription-invoice-is-ready.png

> https://www.virustotal.com/en/file/...db718e8bc6092dc07fda9b2c/analysis/1503606828/
SINV0709.vbs
15/57

SINV0711.docm - Current Virus total detections *. Payload Security**...

* https://www.virustotal.com/en/file/...e6d7c8f67fd732fe3ff85001/analysis/1503602547/
SINV0711.docm
9/59

** https://www.hybrid-analysis.com/sam...436e6d7c8f67fd732fe3ff85001?environmentId=100
Contacted Hosts
83.169.35.187
185.179.190.31

help.ads .gov.ba: 80.65.162.70: https://www.virustotal.com/en/ip-address/80.65.162.70/information/
> https://www.virustotal.com/en/url/c...ef56587be3bbbcd1d4e0f68d9b6e2348ebb/analysis/

hausverwaltungfrankfurt .de: 83.169.35.187: https://www.virustotal.com/en/ip-address/83.169.35.187/information/
> https://www.virustotal.com/en/url/9...51044b04ed0b0cce32cc6217d776d04699b/analysis/
___

Fake 'Voicemail' SPAM - leads to Locky
- http://blog.dynamoo.com/2017/08/malware-spam-voicemail-service-new.html
25 Aug 2017 - "The jumble of numbers in this spam is a bit confusing. Attached is a malicious RAR file that leads to Locky ransomware.
Subject: New voice message 18538124076 in mailbox 185381240761 from "18538124076" <6641063681>
From: "Voicemail Service" [vmservice@ victimdomain .tdl]
Date: Fri, August 25, 2017 12:36 pm
Dear user:
just wanted to let you know you were just left a 0:13 long message (number 18538124076)
in mailbox 185381240761 from "18538124076" <6641063681>, on Fri, 25 Aug 2017
14:36:41 +0300
so you might want to check it when you get a chance. Thanks!
--Voicemail Service

Attached is a RAR file containing a malicious VBS script. The scripts are all slightly different, meaning that the RARs are too... The VBS script is similar to this* (variable names seem to change mostly) with a detection rate of about 15/59**. Hybrid Analysis*** shows it dropping a Locky executable with a 18/65[4] detection rate which phones home to 46.17.44.153 /imageload.cgi (Baxnet, Russia) which I recommend that you block."
* https://pastebin.com/UK2MYHct

** https://virustotal.com/en/file/2120...43fbe2e213f1c9970208612a7834b170b55/analysis/
20170825_ID904754594.vbs

*** https://www.hybrid-analysis.com/sam...13f1c9970208612a7834b170b55?environmentId=100
Contacted Hosts
216.58.208.206
92.51.164.62
185.179.190.31
46.17.44.153
216.58.213.132
216.58.206.238
95.141.44.61

4] https://www.virustotal.com/en/file/...4dea05149295773badc126a61961525c251/analysis/
UYGgfhRDSaa

:fear::fear: :mad:
 
Last edited:
Fake 'DHL', 'Purchase Contract' SPAM

FYI...

Fake 'DHL' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-dhl-global-freight-consignment-form-malspam-delivers-malware/
26 Aug 2017 - "... an email with the subject of 'DHL GLOBAL FREIGHT CONSIGNMENT FORM' coming from DHL GLOBAL WORLD WIDE AGENT <deddi@ karebet-group .com> with an .ace attachment delivers malware... returns are coming back from several antivirus companies describing this as .Win32.SpyEyes[1]...
1] https://www.microsoft.com/en-us/wds...clopedia-description?Name=Trojan:Win32/Spyeye

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/DHL-GLOBAL-FREIGHT-CONSIGNMENT-FORM.png

DHL GLOBAL Consignment form……………………………..ace: Extracts to: Purchase order.exe
Current Virus total detections 17/65*. Payload Security**. This drops a modified version of itself as win32.exe (VirusTotal 17/64***) it also contacts
http :// 98.142.221.58/~comsgautopart/.regedit/mail/home/gate.php ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...ddf94e8494ece49b03cfc47d/analysis/1503723385/
Purchase order.exe

** https://www.hybrid-analysis.com/sam...96bddf94e8494ece49b03cfc47d?environmentId=100

*** https://www.virustotal.com/en/file/...1e4818964358dc35abcb8dc1/analysis/1503723627/
win32.exe

98.142.221.58: https://www.virustotal.com/en/ip-address/98.142.221.58/information/
___

Fake 'Purchase Contract' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/purchase-contract-of-po30po31-delivers-java-adwind/
26 Aug 2017

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Purchase-Contract-of-PO30-PO31.png

Doc Purchase Contract of PO30PO31.jar (547kb) - Current Virus total detections *. Payload Security**...

The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...e6d7a0277a1bfbeecc2233cf/analysis/1503773842/
Doc Purchase Contract of PO30PO31.jar

** https://www.hybrid-analysis.com/sam...953e6d7a0277a1bfbeecc2233cf?environmentId=100
Contacted Hosts
5.178.43.16

:fear::fear: :mad:
 
Last edited:
Defray - New Ransomware ...

FYI...

Defray - New Ransomware targets Education and Healthcare
> https://www.helpnetsecurity.com/2017/08/28/custom-ransomware-delivered/
Aug 28, 2017

>> https://www.darkreading.com/applica...hits-healthcare-manufacturing-/d/d-id/1329725
8/25/2017

> https://www.proofpoint.com/us/threa...-targeting-education-and-healthcare-verticals
Aug 24, 2017 - "... distribution of Defray has several notable characteristics:
Defray is currently being spread via Microsoft Word document attachments in email
The campaigns are as small as several messages each
The lures are custom crafted to appeal to the intended set of potential victims
The recipients are individuals or distribution lists, e.g., group@ and websupport@
Geographic targeting is in the UK and US
Vertical targeting varies by campaign and is narrow and selective
On August 22, Proofpoint researchers detected an email campaign targeted primarily at Healthcare and Education involving messages with a Microsoft Word document containing an embedded executable... Defray may cause other general havoc on the system by -disabling- startup recovery and -deleting- volume shadow copies. On Windows 7 the ransomware monitors and kills running programs with a GUI, such as the task manager and browsers. We have not observed the same behavior on Windows XP..."
Indicators of Compromise (IOCs) [ ... more listed at the proofpoint URL above. ]
C&C IP
145.14.145.115: https://www.virustotal.com/en/ip-address/145.14.145.115/information/

:fear::fear: :mad:
 
Fake 'BT bill', 'scan' SPAM, Amazon phish

FYI...

Fake 'BT bill' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake...address-or-company-delivers-locky-ransomware/
29 Aug 2017 - "... Locky downloader... email has the subject of 'Overdue BT bill' pretending to come from random names at your-own-email-address...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/overdue-BT-bill.png

Scan_201708293861.zip: Extracts to: scan_201708292366.zip which eventually extracts to scan_201708292366.vbs - Current Virus total detections 11/59*. Payload Security**... first attachment I chose leads to a site giving a 404 so the results are very good. Another attachment gives better results
(VirusTotal 0/58***) where another researcher has filled in all then blanks in the comments[4]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...043e1a40a92abd3c73d85f46/analysis/1503998928/
scan_201708292366.vbs

** https://www.hybrid-analysis.com/sam...91b043e1a40a92abd3c73d85f46?environmentId=100
Contacted Hosts
81.2.195.144

*** https://www.virustotal.com/en/file/...1dece632daa0466e3eae807a/analysis/1503999225/

4] https://twitter.com/Racco42/status/902465569965973504

> https://www.virustotal.com/en/file/...77bb06ca1919ab9bda1585a7/analysis/1503999480/
9/65
___

Fake 'scan' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/you-...nagement-malspam-delivering-locky-ransomware/
29 Aug 2017 - "... Locky downloader... an email with the subject of 'You have received a scan from AT Management' pretending to come from Scan @ AT Management <scan_754@ atmanagement .co.uk> [random numbers after the scan_]. All these are being addressed to Accounts: <name@ victiomdomain .tld>...

Screenshot: https://myonlinesecurity.co.uk/wp-c...u-have-received-a-scan-from-AT-Management.png

... same sites, file names and payload as today’s earlier ^malspam run^ delivering Locky ransomware:
> https://myonlinesecurity.co.uk/fake...address-or-company-delivers-locky-ransomware/

... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Amazon phish...
- https://myonlinesecurity.co.uk/you-sold-an-item-spam-is-an-amazon-phishing-attempt/
29 Aug 2017 - "We see a lot of Amazon phishing attempts. This one is quite different to the usual ones we see. Although there are a lot of Amazon sellers, the chances of a mass malspam like this one actually being received by a seller is quite small compared with the more usual 'payment review' or 'your account was signed into from an unknown computer' or similar scams.
'You sold an item' pretending to come from Amazon <selleramazon@ reply.amazon .com> is one of the latest phish attempts to steal your Amazon Account and your Bank details. This one only wants your Amazon log in details and bank details. Many of them are also designed to specifically steal your email and other log in details as well...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Amazon_phishing_You_sold_an_item.png

The link-in-the-email goes to:
https ://www.google .co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&cad=rja&uact=8&ved=0ahUKEwiO9aOs-vvVAhXBZFAKHY3XCYgQFghJMAc&url=http%3A%2F%2Fwww.almatulum.com%2Fcontact-2%2F&usg=AFQjCNFdrv7025EsAfzW8QKj40lSrovIbA
which redirects to:
https ://directele .net/user_guide/documentation/amazon.co.uk/Amazon-Sign-In.htm?adenlankenadransakbnizwetmilrtuniietnnudbenwdiaateaaleeaallilaadmusmdzmnlelubbaalamzsnaittsndakaweiuidaawnamdlerendeuedimnailtrdtaknzeaanmleni4493782410

If you follow the link you see a webpage looking like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/amazon_phish_directele_net.png

When you fill in your user name and password you get a page looking like this, asking for your bank sort code and bank-account-number. I am not quite sure what they can do with this on its own without passwords or bank login details. However knowing that quite a high proportion of users do re-use login details and passwords on multiple sites, it is not beyond the realms of possibility that your Amazon account, email log in and bank log in all -share- a password:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/amazon_phish_directele_net_1.png

You then get -redirected- to the genuine Amazon suite for your country..."

directele .net: 166.62.73.164: https://www.virustotal.com/en/ip-address/166.62.73.164/information/
> https://www.virustotal.com/en/url/7...47343722f6de5b877c455612997d6db1909/analysis/

:fear::fear: :mad:
 
Last edited:
Fake 'Emailing Payment', 'E-invoice', 'Secure email message' SPAM - more...

FYI...

Fake 'Emailing Payment' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/more-locky-ransomware-delivered-by-emailing-payment_201708-malspam/
30 Aug 2017 - "... Locky downloader... an email with the subject of 'Emailing: Payment_201708-838 [the “Emailing: Payment_201708-” stays consistent but the final 3 to 5 digits are random] pretending to come from random names at your-own-email-address or company-domain-addresses to another random name at your-own-domain...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Emailing-Payment_201708-838.png

Payment_201708-838.7z: Extracts to: Payment_201708-2866.jse - Current Virus total detections 14/59*.
Payload Security**. Locky payload: (VirusTotal 31/65***).
Another researcher has posted already about this one with several links to download sites and C2 IP numbers:
> https://hazmalware.wordpress.com/20...ayment_201708-1234-leads-to-locky-ransomware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...d5618f63eaefeff2d75ba87c/analysis/1504067419/

** https://www.hybrid-analysis.com/sam...f07d5618f63eaefeff2d75ba87c?environmentId=100
Contacted Hosts
81.90.36.32
46.183.165.45
74.125.206.106
8.250.3.254
74.125.206.106

*** https://www.virustotal.com/en/file/...6b66162cfe8aaf68c2a6df075ebe0fe7886/analysis/
CuuDxa1.exe

146.120.110.46: https://www.virustotal.com/en/ip-address/146.120.110.46/information/
> https://www.virustotal.com/en/url/5...b0af14ea984815ffaa376402781044d3b58/analysis/

46.183.165.45: https://www.virustotal.com/en/ip-address/46.183.165.45/information/
> https://www.virustotal.com/en/url/7...96ae67332c3bb3c3c7cc74aa8403aa05f58/analysis/
___

Fake 'E-invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake-apple-e-invoice-malspam-delivers-locky-ransomware/
30 Aug 2017 - "... Locky downloader... an email with the subject of 'E-invoice for your order #6377810026' [random numbers] pretending to come from do_not_reply@ random Apple email addresses.... the addresses I have seen include:
do_not_reply@ eu.apple .com
do_not_reply@ asia .apple.com
do_not_reply@us .apple .com ...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/E-invoice-for-your-order-6377810026.png

9891613510.7z: Extracts to: 9891611187.vbs - Current Virus total detections 10/59*. Payload Security**.
Locky Binary (VirusTotal 17/65***). These droppers have gone back to the old way of downloading Locky from the remote server, by downloading an encrypted text file that needs to be decoded by the script... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...14e27a8da2641e53d943629c/analysis/1504086697/
9891611187.vbs

** https://www.hybrid-analysis.com/sam...fa714e27a8da2641e53d943629c?environmentId=100
Contacted Hosts
66.36.173.159
146.120.110.46

*** https://www.virustotal.com/en/file/...ee2977baa79e2bf3bb9eaa0e/analysis/1504087141/
hJBoTJ.exe
___

Fake 'Secure email message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/more-fake-natwest-emails-deliver-trickbot-banking-trojan/
30 Aug 2017 - "An email with the subject of 'Secure email message' pretending to come from NatWest bank but actually coming from a look-a-like domain noreply@ servicemessage### .ml with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The ### is any number between 501 and 599 - .ml domains are -free- domains administered by freenom .com... I am seeing domains ranging from servicemessage501 .ml to servicemessage599 .ml all being hosted on -different- IP numbers & ranges all appearing to be -compromised- ISP IP numbers from major ISPs in UK, Europe & USA...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/NatWest_servicemessage_ml.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/natwest1753465723087_352_doc.png

natwest1753465723087_352.doc - Current Virus total detections 6/58*. Payload Security**.
This malware file downloads from
http ://campuslinne .com/pages/kasaragarban.png which of course is -not- an image file but a renamed .exe file that gets renamed to Buqtjkk.exe (VirusTotal 12/64***). An alternative download location is
http ://campusassas .com/fonction/kasaragarban.png
This email attachment contains a genuine word doc with a macro script that when run will infect you...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...0387293dac96b7840f7823af9b651f18d51/analysis/
natwest1753465723087_352.doc

** https://www.hybrid-analysis.com/sam...ac96b7840f7823af9b651f18d51?environmentId=100
Contacted Hosts
193.227.248.241
158.69.26.138
178.156.202.206

*** https://www.virustotal.com/en/file/...fff26d0ea369f8ad95d5f2c1d05464102c5/analysis/
kasaragarban.png

campuslinne .com: 193.227.248.241: https://www.virustotal.com/en/ip-address/193.227.248.241/information/
> https://www.virustotal.com/en/url/7...3a6b98ee065e082cd43751bca507f12740d/analysis/

campusassas .com: 193.227.248.241
> https://www.virustotal.com/en/url/e...eb8771be7938c976d7fe5c99bf8734ee05c/analysis/
___

Fake 'BT OneBill' SPAM - leads to Dridex
- https://myonlinesecurity.co.uk/fake...e-now-malspam-leads-to-dridex-banking-trojan/
30 Aug 2017 - "An email with the subject of 'Your latest BT OneBill is available now' pretending to come from BT but actually coming from a different domain ebilling4business@ btdnet .com that can just about be mistaken for a genuine BT email address is today’s latest spoof of a well-known company, bank or public authority delivering Dridex banking Trojan... Today’s example of the spoofed domains are, as usual, registered via eranet .com as registrar. This was registered on 29 August 2017 by the criminals:
btdnet .com hosted on 54.36.30.168 OVH
This particular email was sent from IP 54.36.30.230 but a quick look up of the domain details show that these criminals have also set a-whole-range of IP addresses to be able to send these emails and pass authentication checks:
91.121.174.196
54.36.30.0/24
94.23.212.72
54.36.30.0/24
188.165.227.13
54.36.30.0/24
94.23.208.20
54.36.30.0/24
176.31.240.50
54.36.30.0/24
37.59.50.201 ...

Screenshot: https://myonlinesecurity.co.uk/wp-c...8/Your-latest-BT-OneBill-is-available-now.png

The -link-in-the-email goes to a compromised or fraudulently set up SharePoint AKA onedrive for business address:
https ://mccabelawyers-my.sharepoint .com/personal/g_macneill_swslawyers_com_au/_layouts/15/guestaccess.aspx?docid=0cc833a8ff3b4411a986bfb04282f2ffb&authkey=AVpD74OXseK7zr4gaxr_UBE
which downloads the zip file containing the .js file that eventually delivers Dridex.

BT OneBill.zip extracts to: BT OneBill.js - Current Virus total detections 7/58*. Payload Security**.
This downloads Dridex banking Trojan but I am unable to determine the actual download site
(VirusTotal 17/64[3])... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...c169c106c45ceb46616bd46c/analysis/1504105031/
BT_OneBill.js

** https://www.hybrid-analysis.com/sam...103c169c106c45ceb46616bd46c?environmentId=100
Contacted Hosts
13.107.6.151
185.203.118.198
31.31.77.229
178.62.199.166
144.76.62.10

3] https://www.virustotal.com/en/file/...9e6fb950ccecc8305acfef34223e4ee587c/analysis/
SdVoAfj.exe
___

Fake 'Sage' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-your-sage-subscription-invoice-is-due-delivers-malware/
30 Aug 2017 - "An email with the subject of 'Your Sage subscription invoice is Due' pretending to come from Sage but actually coming from a look-a-like domain SAGE UK <message@ sagemailsupport14 .top> with a malicious word doc attachment is another one of today’s spoofs of a well-known company, bank or public authority... I am being told is it a smokeloader[1] which downloads a variety of -other- malware...
1] https://twitter.com/James_inthe_box/status/902979668239761408
... Today’s example of the spoofed domains are:
sagemailsupport14 .top hosted on 82.202.233.14 AS49505 OOO Network of data-centers Selectel
I have discovered a-whole-range of -fake- sagemailsupport## .top domains on this network. So far I can find sagemailsupport10 .top -to- sagemailsupport110-.top hosted on the corresponding IP address -range- between 82.202.233.10 and 82.202.233.110 all having an rdns set properly and pass email authentication...
[ 82.202.233.* ]

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/Your-Sage-subscription-invoice-is-Due.png

INV0293083017.doc - Current Virus total detections 5/58*. Payload Security**. This malware file downloads from
http ://5.149.252.152 /r37.exe (VirusTotal 16/64[3]) (Payload Security[/4]). An alternative download location is
http ://200.7.98.51 /r37.exe
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/INV0293083017_doc.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...bc23f425b38e8d7176cdfba8/analysis/1504103297/
INV0293083017.doc

** https://www.hybrid-analysis.com/sam...4b6bc23f425b38e8d7176cdfba8?environmentId=100

3] https://www.virustotal.com/en/file/...45159fa5109a4fa45c5721e2/analysis/1504116823/

4] https://www.hybrid-analysis.com/sam...15445159fa5109a4fa45c5721e2?environmentId=100
Contacted Hosts
2.20.202.119
217.23.8.41

5.149.252.152: https://www.virustotal.com/en/ip-address/5.149.252.152/information/
> https://www.virustotal.com/en/url/8...351ba12d021542e3ef8fff1dc4e6a8ff56e/analysis/

200.7.98.51: https://www.virustotal.com/en/ip-address/200.7.98.51/information/
> https://www.virustotal.com/en/url/f...5b21fc99a00b3f99dba2d3c997517412409/analysis/

:fear::fear: :mad:
 
Last edited:
Fake 'Customer message', 'Important Documents' SPAM

FYI...

Fake 'Customer message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/tric...-be-delivered-by-spoof-natwest-bank-messages/
31 Aug 2017 - "... imitating NatWest Bank and using the same look-a-like domain as yesterday’s version[1]... using a slightly different email message. They have even re-used the same domains to deliver the actual payload, but with different file names.
[1] https://myonlinesecurity.co.uk/more-fake-natwest-emails-deliver-trickbot-banking-trojan/
An email with the subject of 'Customer message' pretending to come from NatWest bank but actually coming from a look-a-like domain noreply@ servicemessage### .ml with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The ### is any number between 1 and 599...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/NatWest_customer-message.png

natwest112543798124_21454.doc - Current Virus total detections 5/58*. Payload Security**.
This malware file downloads from
http ://campuslinne .com/maquette2/nataresonodor.png which of course is -not- an image file but a renamed .exe file that gets renamed to Ubqwyc.exe (VirusTotal 15/65***). An alternative download location is
http ://campusassas .com/imagesv1/nataresonodor.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks identical to yesterday’s but with a different document name:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/natwest1753465723087_352_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/...97373168e60763e61ec97ea8/analysis/1504181231/
natwest112543798124_21454.doc

** https://www.hybrid-analysis.com/sam...5fe97373168e60763e61ec97ea8?environmentId=100
Contacted Hosts
193.227.248.241
216.239.32.21
67.21.84.23
216.58.209.228
216.58.209.238
66.85.27.170

*** https://www.virustotal.com/en/file/...fa0e43f0cad40fd4f24e1250d909ebb6ddd/analysis/
Ubqwyc.exe

campuslinne .com: 193.227.248.241: https://www.virustotal.com/en/ip-address/193.227.248.241/information/
> https://www.virustotal.com/en/url/2...ff69f2d3d96bff4b953e55864cbca67bf64/analysis/

campusassas .com: 193.227.248.241
> https://www.virustotal.com/en/url/3...4ce2b6e26ea06f2e1cc3486297e9440dd87/analysis/
___

Fake 'Important Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake...t-documents-delivers-trickbot-banking-trojan/
31 Aug 2017 - "An email with the subject of 'Important – New Account Documents' pretending to come from Santander Bank but actually coming from a look-a-like domain Santander <account.documents@ santanderdoc .co.uk> or Santander <account.documents@ santandersec .co.uk> with a malicious word doc attachment is another spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-c...santander-Important-New-Account-Documents.png

Account_Documents_31082017.doc - Current Virus total detections 10/58*. Payload Security**.
This malware file downloads from
http ://evaluator-expert .ro/sergio.png which of course is -not- an image file but a renamed .exe file that gets renamed to bicprcv.exe (VirusTotal 17/64***).
An alternative download location is
http ://www.events4u .cz/sergio.png
This email attachment contains a genuine word doc with a macro script that when run will infect you.
The word doc looks like:
> https://myonlinesecurity.co.uk/wp-c...-santander-Account_Documents_31082017_doc.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustotal.com/en/file/...2bafa801b078f25517546bd348e2e93a505/analysis/
Account_Documents_31082017.doc

** https://www.hybrid-analysis.com/sam...b078f25517546bd348e2e93a505?environmentId=100
Contacted Hosts
93.114.64.118
146.255.36.1
194.87.238.42
66.85.27.170
216.58.209.228
216.58.209.238

*** https://www.virustotal.com/en/file/...5085f37edc9d13e962000f05720e9465987/analysis/
bicprcv.exe

evaluator-expert .ro: 93.114.64.118: https://www.virustotal.com/en/ip-address/93.114.64.118/information/
> https://www.virustotal.com/en/url/2...56eaad20a0b2a29d521b374ce166a1099bb/analysis/

events4u .cz: 93.185.102.11: https://www.virustotal.com/en/ip-address/93.185.102.11/information/
> https://www.virustotal.com/en/url/5...2ff1003a880d0c52696aaef43b2a7f6d3f8/analysis/

:fear::fear: :mad:
 
Last edited:
Fake 'Dropbox' SPAM, RIG exploit kit > ransomware

FYI...

Fake 'Dropbox' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/fake...your-email-address-delivers-locky-ransomware/
31 Aug 2017 10:03 pm - "We are seeing a run of a very different Locky delivery email tonight. This only seems to work properly in Google Chrome, Firefox gives a simple download file box and Internet Explorer gives error messages on clicking the “click here” link. This means that Internet Explorer users will be safe from this attack, but Google Chrome and Firefox users could be infected if they aren’t careful. The email pretends to be from -Dropbox- asking you to 'verify your email address to continue' the sign up...

Screenshot: https://myonlinesecurity.co.uk/wp-c...-Dropbox-Please-verify-your-email-address.png

Win.JSFontlib09.js - Current Virus total detections 22/58*. Payload Security** |
Locky Binary (VirusTotal 17/65***)
There appear to be -hundreds- of different links-in-these-emails that go to -compromised- sites pretending to be Dropbox. They all however have the -same- few links to actually download the .js malware file...
The link in this particular example went to
http ://jakuboweb .com/dropbox.html but each email I received (so far 300+) has a multitude of different links.
Following the link in the email leads to a page looking like this, which is -different- in each commonly used browser. Lets start with Internet Explorer which gives an error on pressing “click here”:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/verify_dropbox_IE.png
... Firefox which gives a file download prompt:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/verify_dropbox_FF.png
... Google Chrome which displays the lure... telling you that The “HoeflerText” font was not found. The web page you are trying to load is displayed incorrectly, as it uses the “HoeflerText” font. To fix the error and display the next, you have to update the “Chrome Font Pack”:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/08/verify_dropbox_chrome.png
The link from chrome went to
http ://gclubrace .info/json.php whereas the links from the other 2 versions went to
http ://dippydado .net/json.php all of which downloaded the -same- Win.JSFontlib09.js ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...cbd624ca10734e1984f15cb77fcd23c4a37/analysis/
Win.JSFontlib09.js

** https://www.hybrid-analysis.com/sam...10734e1984f15cb77fcd23c4a37?environmentId=100
Contacted Hosts
202.169.44.143
46.183.165.45
216.58.209.228
216.58.209.238

*** https://www.virustotal.com/en/file/...5274ad862ca4cbb5772c621a/analysis/1504207421/
pGDIWEKDHD2.exe

jakuboweb .com: 149.7.99.14: https://www.virustotal.com/en/ip-address/149.7.99.14/information/
> https://www.virustotal.com/en/url/f...5530a38ab7af897d0ff9940ff7da44ebb0a/analysis/

gclubrace .info: Could not find an IP address for this domain name...

dippydado .net: Could not find an IP address for this domain name...
___

RIG exploit kit > 'Princess' ransomware
- https://blog.malwarebytes.com/cybercrime/2017/08/rig-exploit-kit-distributes-princess-ransomware/
Aug 31, 2017 - "We have identified a new drive-by-download campaign that distributes the Princess-ransomware (AKA PrincessLocker), leveraging -compromised-websites-and the RIG-exploit-kit. This is somewhat of a change for those tracking malvertising campaigns and their payloads... We are not so accustomed to witnessing compromised websites pushing exploit kits... some campaigns have been replaced with tech support scams instead and overall most drive-by activity comes from -legitimate- publishers and -malvertising- ... we observed an -iframe-injection- which redirected from the -hacked- site to a temporary gate...
Indicators of compromise:
RIG EK gate: 185.198.164.152
RIG EK IP address: 188.225.84.28 ..."
(More detail at the malwarebytes URL above.)

:fear::fear: :mad:
 
Last edited:
You must log in or register to reply here.
Back
Top