SPAM frauds, fakes, and other MALWARE deliveries...

Fake 'Bank payment' SPAM

FYI...

Fake 'Bank payment' SPAM – PDF malware
- http://myonlinesecurity.co.uk/bank-payment-hairandhealth-co-uk-pdf-malware/
8 June 2015 - "'Bank payment' pretending to come from sarah@ hairandhealth .co.uk with a pdf attachment is another one from the current bot runs... This email contains a genuine PDF which has embedded scripts that will infect you. So far none of the automatic analysis tools can find any malicious content but it is trying to send multicast messages...
Update: An automatic analysis by Payload Security* gives the download location as hundeschulegoerg .de/15/10.exe ( VirusTotal**)... Adobe Reader in -recent- versions has Protected View automatically -enabled- and unless you press-the-button to 'enable all features', you should be safe from this attack... make sure you -uncheck- -any- additional offerings of security scans/Google Chrome or -toolbars- that it wants to include in the download:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/04/doc4-1024x423.png
The email (which has random amounts) looks like:
Dear client
Please find attached a bank payment for £3033.10 dated 10th June 2015
to pay invoice 1757. With thanks.
Kind regards
Sarah
Accounts


Today's Date: Bank payment 100615.pdf - Current Virus total detections: 2/57***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.hybrid-analysis.com/sam...51ffe385432ab816b64024697a06e?environmentId=2

** https://www.virustotal.com/en-gb/fi...41a5e840fcda804631c01f40/analysis/1433753588/
... Behavioural information
TCP connections
146.185.128.226: https://www.virustotal.com/en-gb/ip-address/146.185.128.226/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/

*** https://www.virustotal.com/en-gb/fi...385432ab816b64024697a06e/analysis/1433751824/

hundeschulegoerg .de: 212.40.179.111: https://www.virustotal.com/en-gb/ip-address/212.40.179.111/information/

- http://blog.dynamoo.com/2015/06/malware-spam-bank-payment.html
8 June 2015
"... Recommended blocklist:
146.185.128.226
31.186.99.250
176.99.6.10
203.151.94.120
185.12.95.40
"

:fear::fear: :mad:
 
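A defender-side check for the point made above about a "genuine PDF which has embedded scripts": before an attachment reaches a user, the raw PDF can be triaged for the name tokens that let a document run code or act when opened. The Python below is an added example written for this thread, not code from myonlinesecurity.co.uk or Payload Security; the function names and the two sample PDFs are constructed. It also decodes the #XX escapes a PDF name may carry, so "/J#61vaScript" is recognised as "/JavaScript". Objects hidden inside compressed object streams are not visible to this kind of scan, so the result reports how many such streams it saw.

```python
import re

# PDF name tokens that let a document run code, launch programs or act on open.
# Presence is a triage signal, not proof of malice: interactive forms use some of these.
SCRIPT_NAMES = {"/JavaScript", "/JS", "/Launch", "/RichMedia"}
TRIGGER_NAMES = {"/OpenAction", "/AA"}
PAYLOAD_NAMES = {"/EmbeddedFile"}
WATCHED_NAMES = SCRIPT_NAMES | TRIGGER_NAMES | PAYLOAD_NAMES

# A PDF name runs from '/' up to the next whitespace or delimiter character.
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_pdf_name(raw: bytes) -> str:
    """Undo #XX escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def pdf_active_content_markers(data: bytes) -> dict:
    """Count watched name tokens in raw PDF bytes (uncompressed objects only)."""
    hits = {}
    for m in NAME_TOKEN.finditer(data):
        name = decode_pdf_name(m.group(0))
        if name in WATCHED_NAMES:
            hits[name] = hits.get(name, 0) + 1
    return hits


def triage_pdf(data: bytes) -> dict:
    """Classify a PDF as 'suspicious', 'review' or 'no active content found'."""
    markers = pdf_active_content_markers(data)
    has_script = any(n in markers for n in SCRIPT_NAMES)
    has_trigger = any(n in markers for n in TRIGGER_NAMES)
    has_payload = any(n in markers for n in PAYLOAD_NAMES)
    if has_script and has_trigger:
        verdict = "suspicious"      # code wired to fire when the file opens
    elif has_script or has_payload:
        verdict = "review"          # active content present, no automatic trigger seen
    else:
        verdict = "no active content found"
    # Objects inside /ObjStm streams are compressed and invisible to this scan,
    # so a clean verdict is weaker when such streams exist.
    objstm_count = len(re.findall(rb"/Type\s*/ObjStm", data))
    return {"verdict": verdict, "markers": markers, "object_streams": objstm_count}


# Constructed minimal PDFs for demonstration; not real samples from the thread.
SAMPLE_PDF_WITH_SCRIPT = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"   # escaped name
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_PDF_CLEAN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("scripted", SAMPLE_PDF_WITH_SCRIPT), ("clean", SAMPLE_PDF_CLEAN)):
        print(label, triage_pdf(pdf))
```

A "suspicious" verdict means a script or launch action is wired to an automatic trigger (/OpenAction or /AA); "review" means active content exists but nothing fires by itself. The 'enable all features' prompt the quote mentions is exactly where Protected View stops this class of document, so a gateway check like this complements that setting rather than replacing it, and a production scanner still has to inflate FlateDecode streams before it can claim a file is clean.
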
Fake 'Invoice', 'Password Confirmation' SPAM, Emails Bearing Gifts

FYI...

Fake 'Invoice' SPAM - PDF malware
- http://myonlinesecurity.co.uk/re-invoice-fake-pdf-malware/
9 June 2015 - "'Re: Invoice' coming from random senders and random email addresses with a semi-random zip attachment (the zip is always called 'invoice(random number).zip') is another one from the current bot runs... other emails today pretending to come from RBC Express <ISVAdmin@ rbc .com> with a subject of 'invoices', along with a 'Lloyds Bank – Pendeford Securities – Please Read Action Required/PI Documents/ Region code East 2/ 4084583/'. These 2 have a different malware payload (VirusTotal*)... The email looks like:

Check Invoice number

9 June 2015: Invoice (42).zip: Extracts to: Invoice_store.exe - Current Virus total detections: 2/57**
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fi...79048e25fa3eb996a4e1b201/analysis/1433843143/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustotal.com/en-gb/ip-address/64.182.208.183/information/
188.120.194.101: https://www.virustotal.com/en-gb/ip-address/188.120.194.101/information/
216.254.231.11: https://www.virustotal.com/en-gb/ip-address/216.254.231.11/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/
188.120.194.101: https://www.virustotal.com/en-gb/ip-address/188.120.194.101/information/

** https://www.virustotal.com/en-gb/fi...1b5f475c212cdbeb4ecce49c/analysis/1433843556/
___

Fake 'Password Confirmation' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/passw...82-word-doc-or-excel-xls-spreadsheet-malware/
9 June 2015 - "'Password Confirmation [742263403307] T82' pretending to come from steve.tasker81@ thomashiggins .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email (which has random numbers in the subject) looks like:

Full document is attached

09 June 2015: 1913.doc - Current Virus total detections: 2/57*
... which connects to and downloads a Dridex banking malware from speakhighly .com/42/11.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...ebefaaea78e9f46c6592e9e3/analysis/1433841783/

** https://www.virustotal.com/en-gb/fi...ca9b907bbf8bb7fd8f9fdce1/analysis/1433842088/
... Behavioural information
TCP connections
173.230.130.172: https://www.virustotal.com/en-gb/ip-address/173.230.130.172/information/
5.178.43.48: https://www.virustotal.com/en-gb/ip-address/5.178.43.48/information/

speakhighly .com: 77.73.6.74: https://www.virustotal.com/en-gb/ip-address/77.73.6.74/information/

- http://blog.dynamoo.com/2015/06/malware-spam-password-confirmation.html
9 June 2015
"... Recommended blocklist:
173.230.130.172
94.23.53.23
31.186.99.250
"
___

Fake 'Unpaid invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/unpai...td-word-doc-or-excel-xls-spreadsheet-malware/
9 June 2015 - "'Unpaid invoice' pretending to come from Debbie Spencer <Debbie@ burgoynes-lyonshall .co .uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Hi
Could you let me know when the attached will be paid?
Many thanks
Debbie
Deborah Spencer
Company Accountant
Burgoynes (Lyonshall) Ltd
Lyonshall
Kington
Herefordshire HR5 3JR
01544 340283 ...


The malware in this email is exactly the -same- as described in today’s earlier malspam run with word docs 'Password Confirmation [742263403307] T82 – word doc or excel xls spreadsheet malware'*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecurity.co.uk/passw...82-word-doc-or-excel-xls-spreadsheet-malware/
___

The HTTPS-Only Standard
- https://https.cio.gov/
___

Beware of Emails Bearing Gifts
- http://www.darkreading.com/partner-perspectives/intel/beware-of-emails-bearing-gifts-/a/d-id/1320769
6/9/2015 - "Crime gangs are building very legitimate-looking emails as cover for phishing and ransomware, and they are having enough success that the attacks are escalating. In the first quarter of 2015, McAfee Labs registered a 165% increase in new ransomware driven largely by the new, hard-to-detect CTB-Locker ransomware family, new ransomware families such as Teslacrypt and TOX, and the emergence of new versions of CryptoWall, TorrentLocker, and BandarChor. Dell Secureworks* believes the ransomware business truly pays, with CryptoWall reaching at least 1 million victims and collecting about $1.8 million in ransom. The growth of ransomware is likely to continue to surge given the rise of new “business models,” the growing availability and ease of operation of newer ransomware kits, and the general increase in tactical sophistication. For instance, CTB-Locker possesses clever techniques for evading security software, higher-quality phishing emails, and an “affiliate” program that offers accomplices a percentage of ransom payments in return for flooding cyberspace with CTB-Locker phishing messages. In the case of TOX, ransomware is going the way of other malware, delivered in turnkey ransomware packages, simplifying the development, launch, and ongoing operation of ransomware campaigns. And where fewer technical skills are required, you have an increase of less-skilled perpetrators getting into a cybercrime business... Phishing and ransomware attacks are hardly new, but the rapid changes in malware code and the legitimate-looking emails are making it harder for both users and antivirus programs to detect the surprise waiting at the other end of the link. No single security solution provides an adequate defense. When malware can sneak through a network firewall, lie low to trick a sandbox, and evade endpoint antivirus, a thorough defense requires the combined resources of a security-connected framework."
* http://www.secureworks.com/cyber-threat-intelligence/threats/teslacrypt-ransomware-threat-analysis/
___

Flash malware jumps over 300 percent - Q1-2015
- http://www.theinquirer.net/inquirer...mps-over-300-percent-in-first-quarter-of-2015
Jun 09 2015 - "MALWARE ATTACKS on the Adobe Flash platform rose by a horrifying 317 percent in the first quarter of 2015. New figures in the McAfee Labs Threats Report May 2015 (PDF*) show that the number of recorded Flash malware instances was almost 200,000 in Q1 2015, compared with 47,000 in Q4 2014...
* http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2015.pdf
Spam continues ever onward with six trillion messages sent in Q1. A total of 1,118 spam domains were discovered in the UK alone, beating Russia (1,104) and Japan (1,035). Phishing domains hit 887 in the UK, compared with France (799) and the Netherlands (680). Overall, McAfee Labs observed 362 phishing attacks a minute, or six every second..."

:fear::fear: :mad:
 
Fake 'phone bill' SPAM

FYI...

Fake 'BTT telephone bill' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/your-...ey-word-doc-or-excel-xls-spreadsheet-malware/
10 Jun 2015 - "'Your monthly BTT telephone bill' pretending to come from Hayley Sweeney <admins@ bttcomms .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

Please find attached your telephone bill for last month. This message was sent automatically.
For any queries relating to this bill, please contact Customer Services on 01536 211100.


10 June 2015 : Invoice_68362.doc - Current Virus total detections: 5/57*
... which downloads a Dridex banking malware from www .jimaimracing .co.uk/64/11.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* https://www.virustotal.com/en/file/...941f2fa42015aea04f581168/analysis/1433931273/

** https://www.virustotal.com/en/file/...6936bfb02e010d19d008e3dc/analysis/1433932505/

jimaimracing .co.uk: 91.194.151.37: https://www.virustotal.com/en/ip-address/91.194.151.37/information/

- http://blog.dynamoo.com/2015/06/malware-spam-hayley-sweeney.html
10 June 2015
"... Recommended blocklist:
173.230.130.172
94.23.53.23
176.99.6.10
"

:fear::fear::mad:
 
Fake 'order reference' SPAM, 'New_Order' Phish ...

FYI...

Fake 'order reference' SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-order-reference-is-05806-fake-pdf-malware/
11 Jun 2015 - "'Your order reference is 05806' pretending to come from inform <john.wade@ precisionclubs .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear client,
Thank you for the order,
your credit card will be charged for 312 dollars.
For more information, please visit our web site ...
Best regards, ticket service.
Tel./Fax.: (828) 012 88 840


11 June 2015: payment_n09837462_pdf.zip:
Extracts to: payment_n09837462_pdf_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _.exe
Current Virus total detections: 5/57*. Note the series of _ after the pdf. That is designed to try to fool you into thinking that the .exe file is a pdf so you open it. Most Windows computers won’t show the .exe in Windows Explorer if enough spaces or _ are inserted. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fi...a6a4e4ae7f9c3518d33b9675/analysis/1434002812/
___

Fake 'New_Order' email / Phish...
- http://blog.dynamoo.com/2015/06/phish-neworder056253hfconstructions.html
11 Jun 2015 - "I've seen a few of these today, presumably they aren't quite spammy enough to get blocked by our mail filters... The attachment is New_Order_#056253_Hf_Constructions.pdf which looks like a purchase order, but there is a blurred out section:
Screenshot: https://4.bp.blogspot.com/-4adKeKIur7k/VXlOx3_HqAI/AAAAAAAAGrE/hCE8BPkBVUY/s640/hf-1.jpg

An examination of the underlying PDF file shows two URLs... In turn these redirect... The second URL listed 404s, but the first one is active. According to the URLquery report*, it looks harmless, just leading to a phishing page. But when I tried it in a test environment, the behaviour was somewhat different and it also attempted to load a page... This page 404s, but was previously hosted on a bad server at 92.222.42.183 [VT report**]. That server has been offline for a few days, but the URL is suggestive of an exploit kit of some sort. The "megatrading .hol.es" (hosted on 31.220.16.16 by Hostinger - VT report***) landing page looks like a straightforward phish:
Screenshot: https://4.bp.blogspot.com/-lsN0K-Cu2lU/VXlQkDH1haI/AAAAAAAAGrQ/TZdb5jkiODk/s640/hf-2.png

Entering the username and password always seems to return an error, even if you are absolutely certain the combination is correct:
> https://2.bp.blogspot.com/-R9BG4uiZ_eQ/VXlQ92ukk-I/AAAAAAAAGrY/sSh3U4RhHjg/s320/hf-3.png
I suspect that all this portion is doing is collecting email addresses and passwords for use later. Webmail accounts have some value to the bad guys, and of course many people re-use passwords all over the place, so it could be used as a way to get access to other services. Take care.
Recommended blocklist:
31.220.16.16
92.222.42.183
"

* http://urlquery.net/report.php?id=1434011774093

** https://www.virustotal.com/en/ip-address/92.222.42.183/information/

*** https://www.virustotal.com/en/ip-address/31.220.16.16/information/
___

Mystery continues to surround the nude celebrity iCloud hack
- http://www.hotforsecurity.com/blog/...und-the-nude-celebrity-icloud-hack-11990.html
June 11, 2015 - "Sure, companies and governments get hacked all the time. But for the mainstream media to *really* take an interest, you need to add a twist of celebrity (preferably nude and female). That’s what happened last year when the so-called 'Fappening' saw the intimate and private photographs of scores of female celebrities and actresses, many of them topless or nude, leak onto 4Chan and the seedier corners of Reddit. Famous names who had their privacy violated by the leak included Jennifer Lawrence, Kate Upton, Victoria Justice, Kirsten Dunst, Hope Solo, Krysten Ritter, Yvonne Strahovski, Teresa Palmer, Ariana Grande, and Mary Elizabeth Winstead, amongst many others... Gawker has revealed a search warrant and affidavit, revealing that the FBI has seized computers belonging to a Chicago man in connection with the hack. And it appears that the documents back Apple’s claim that their iCloud service did -not- suffer a breach as such, but instead was the victim of a targeted attack after celebrities’ passwords and security questions were determined. In the affidavit, FBI cybercrime special agent Josh Sadowsky says that an IP address assigned to one Emilio Herrera was “used to access approximately 572 unique iCloud accounts” between May 13 2013 and August 31 2014. According to the statement, a number of the accounts accessed belonged to celebrities who had photos leaked online. In all, iCloud accounts were accessed -3,263- times from the IP address. In addition, the IP address was used from a computer running Windows 7 to reset -1,987- unique iCloud account passwords. Unsurprisingly, law enforcement officers visited Herrera’s house in Chicago and walked away with computers, phones, SD cards, and other devices that no doubt they planned to submit to forensic scrutiny. In particular they would be interested in uncovering any evidence of activity which might suggest phishing, the usage of hacking tools or email forwarding.
But here’s where things get interesting. According to Gawker, Herrera has -not- been charged with any crime and is not even considered a suspect at this point. It would certainly be surprising if someone involved in such an industrial-scale account hijacking operation would not have taken elementary steps to hide their true IP address, so is it possible that Herrera’s computers were being used by the hackers of nude celebs’ iCloud accounts -without- Herrera’s knowledge or permission? If that is the case, then it’s yet another reason why all computer users need to learn the importance of proper computer security. Keeping your computer protected with a layered defence and patched against the latest vulnerabilities reduces the chance of a remote hacker gaining control of your PC. Because the very last thing you want is to be implicated in a crime that you didn’t commit, because hackers have been able to commandeer your computer for their own evil ends."
- Graham Cluley

:fear::fear::mad:
 
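The "spoofed icon file" warning repeated in these posts, and the padded "payment_n09837462_pdf_ _ _ ... .exe" name in the 'order reference' post above, describe one trick: an executable inside a zip whose name is built so Explorer shows what looks like a document. A mail gateway can check for exactly that before the user ever sees the attachment. The Python below is an added example written for this thread, not code from myonlinesecurity.co.uk; the extension lists, the padding threshold, the function names and the sample zip (built in memory around a fake 'MZ' header, not a real program) are all constructed.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click (constructed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".lnk"}
# Extensions the decoy part of the name pretends to be.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Padding of this length or more pushes the real extension out of a narrow file list.
PADDING_THRESHOLD = 5


def split_member_name(member):
    """Return (stem, extension) for an archive member path; extension lower-cased with dot."""
    base = member.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot:
        return base, ""
    return stem, "." + ext.lower()


def classify_member(name, head):
    """List why a member looks like a disguised executable; empty list means nothing seen."""
    findings = []
    stem, ext = split_member_name(name)
    if ext in EXECUTABLE_EXTS:
        findings.append("real extension %s is executable" % ext)
    # Decoy document extension written into the stem: invoice.pdf.exe, payment_pdf.exe
    words = [w for w in re.split(r"[._ \-]+", stem.lower()) if w]
    if words and "." + words[-1] in DOCUMENT_EXTS:
        findings.append("decoy '%s' appears before the real extension" % words[-1])
    padding = len(stem) - len(stem.rstrip("_ ."))
    if padding >= PADDING_THRESHOLD:
        findings.append("%d padding characters hide the extension" % padding)
    # Content check independent of the name: PE files start with 'MZ'.
    if head[:2] == b"MZ":
        findings.append("content starts with MZ (Windows executable)")
    return findings


def scan_zip_attachment(zip_bytes):
    """Map every file member of a zip attachment to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            report[info.filename] = classify_member(info.filename, head)
    return report


def should_quarantine(report):
    """Quarantine when any member is executable by extension or by content."""
    return any(any("executable" in f for f in findings) for findings in report.values())


# Constructed lookalikes of the attachment names quoted in this thread; member bodies
# are a fake 'MZ' header plus zero bytes, not real programs.
PADDED_NAME = "payment_n09837462_pdf_ _ _ _ _ _ _ _ _ _ _ _ _ _ _.exe"


def build_sample_zip():
    fake_pe = b"MZ" + b"\x00" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PADDED_NAME, fake_pe)
        zf.writestr("Invoice_store.exe", fake_pe)
        zf.writestr("statement.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_zip_attachment(build_sample_zip())
    for member, findings in result.items():
        print(repr(member), findings or "ok")
    print("quarantine:", should_quarantine(result))
```

The content check carries the most weight: a member that starts with 'MZ' is a Windows executable whatever its name says, so renaming does not help the sender. The padding and decoy checks work from the name alone, which matters when the archive is password-protected or truncated and the bytes cannot be read.
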
Fake 'Confirmation transfer' SPAM, Malvertising 'Pop-under ads' lead to CryptoWall

FYI...

Fake 'Confirmation transfer' SPAM - PDF malware
- http://myonlinesecurity.co.uk/hsbc-confirmation-of-the-transfer-fake-pdf-malware/
12 June 2015 - "'Confirmation of the transfer' pretending to come from HSBC (random name@random email address) with a zip attachment is another one from the current bot runs... The email looks like:
Transfer:
Number of Transfer: 359880-67692630-94464
To: [redacted]
Bank sender: HSBS
Country Poster: England
City Poster: London


12 June 2015: transfer-England-359880-67692630-94464.zip(random numbers):
Extracts to: New_docs.exe - Current Virus total detections: 4/57*
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fi...0fc70f10a161e1d176c919a0/analysis/1434111878/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustotal.com/en-gb/ip-address/64.182.208.183/information/
188.120.194.101: https://www.virustotal.com/en-gb/ip-address/188.120.194.101/information/
24.19.25.40: https://www.virustotal.com/en-gb/ip-address/24.19.25.40/information/
88.221.14.249: https://www.virustotal.com/en-gb/ip-address/88.221.14.249/information/
___

Malvertising 'Pop-under ads' lead to CryptoWall
- https://blog.malwarebytes.org/malvertising-2/2015/06/popcash-malvertising-leads-to-cryptowall-3-0/
June 11, 2015 - "... malvertising leverages the infrastructure provided by ad networks to distribute malicious content to end users while they browse the Internet... a prolific ad network (over 180M hits/month according to SimilarWeb) being used by online fraudsters to distribute malware and other nuisances. 'Popcash' is a pop-under ad network that offers services for both publishers and advertisers: https://blog.malwarebytes.org/wp-content/uploads/2015/06/popcashlogo.png
'Pop-under ads are similar to pop-up ads, but the ad window appears -hidden- behind the main browser window rather than superimposed in front of it... They usually remain -unnoticed- until the main browser window is closed or minimized, leaving the user’s attention free for the advertisement... users therefore react 'better' to pop-under advertising than to pop-up advertising because of this different, delayed 'impression'. — Wikipedia**
** https://en.wikipedia.org/wiki/Pop-up_ad#Pop-under_ads
... In this case, we received a URL used as a gate to an exploit kit:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/redirection.png
The Magnitude EK starts with a simplified landing page that contains the code to launch a Flash exploit and an iframe to perform an Internet Explorer exploit... The Flash exploit (VT)[3] is CVE-2015-3090 as reported on malware.dontneedcoffee[4]:
3] https://www.virustotal.com/en/file/...331d45077e63ff8b6d789e7f/analysis/1434044838/
4] http://malware.dontneedcoffee.com/2015/05/cve-2015-3090-flash-up-to-1700169-and.html
... The Internet Explorer exploit (CVE-2014-6332 or CVE-2013-2551 thanks @kafeine) is prepared via a heavily encoded piece of JavaScript... Several URLs are loaded but only a couple actually loaded the same binary (VT)[5] detected by Malwarebytes Anti-Malware as Trojan.Dropper.Necurs, which eventually loads CryptoWall 3.0... other slots are available and could be filled with different malware families by the exploit kit operator...
5] https://www.virustotal.com/en/file/...261638affcdfdbd0d931bf48/analysis/1434001814/
... CryptoWall 3.0: Magnitude EK, just like many other exploit kits recently, is pushing crypto ransomware, possibly one of the worst strains of malware because it uses genuine encryption to lock down a user’s personal files. Soon after the ransomware takes over the PC, it will prompt a message warning of what just happened and giving details on how to proceed:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/HELP_DECRYPT.png
In this case, one needs to pay $500 to get their files back within the deadline, otherwise that amount doubles:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/BT.png
Conclusions: Because malvertising involves multiple players in order to work (publishers, ad networks, visitors) each has its own role to play in combatting this problem. Publishers (should) be wise in choosing their third-party advertisers by choosing reputable ones (although it is not a 100% guarantee (nothing is) that incidents will not happen). Ad networks can and should also ensure that the traffic they serve is clean. We contacted Popca$h on two separate occasions through their official “report malware” page, but -never- received a response... The campaign is still -ongoing- and not only serving exploits but -also- tech support scams[6] customized for your browser, ISP, city, etc:
6] https://blog.malwarebytes.org/wp-content/uploads/2015/06/warning.png "
(More detail at the malwarebytes URL at the top of this post.)

- http://windowssecrets.com/patch-watch/no-summer-break-from-ms-office-updates/
June 11, 2015 - "... Flash Player 18.0.0.160 addresses 13 vulnerabilities, some of which have already been used in ransomware attacks..."

:fear::fear::fear: :mad:
 
Fake 'Payment Confirmation', 'Nyfast Payment', 'PI-ORDER', 'New Doc' SPAM, Bank PHISH

FYI...

Fake 'Payment Confirmation' SPAM - doc/xls malware
- http://blog.dynamoo.com/2015/06/malware-spam-payment-confirmation.html
15 Jun 2015 - "This fake financial spam does not come from Reed, but is instead a simple forgery with a malicious attachment:
From: reed .co.uk Credit Control [mailto:creditcontrol.rol@ reed .co.uk]
Sent: Monday, June 15, 2015 11:10 AM
Subject: Payment Confirmation 29172230
Dear Sirs,
Many thanks for your card payment. Please find payment confirmation attached below.
Should you have any queries, please do not hesitate to contact Credit Control Team on 0845 241 9293.
Kind Regards
Credit Control Team
T: 020 7067 4584
F: 020 7067 4628
Email: creditcontrol.rol@ reed .co.uk


The only sample I have seen so far has an attachment 29172230_15.06.15.doc [detection rate 3/57*] which contains this malicious macro... which downloads a component from the following location:
http ://www .freewebstuff .be/34/44.exe
This is saved as %TEMP%\ginkan86.exe and has a VirusTotal detection rate of 6/57**. There will probably be other download locations, but they should all lead to an identical binary. Automated analysis tools... show traffic to the following IPs:
136.243.14.142 (Hetzner, Germany)
71.14.1.139 (Charter Communications, US)
173.230.130.172 (Linode, US)
94.23.53.23 (OVH, France)
176.99.6.10 (Global Telecommunications Ltd, Russia)
According to this Malwr report[3], it also drops a Dridex DLL with a detection rate of 18/57[4].
Recommended blocklist:
136.243.14.142
71.14.1.139
173.230.130.172
94.23.53.23
176.99.6.10
"
* https://www.virustotal.com/en/file/...d43dc4b4ba68b0009de9df62/analysis/1434362701/

** https://www.virustotal.com/en/file/...ce7909a36d8c345d896fbfed/analysis/1434362861/

3] https://malwr.com/analysis/NDI1OGY0NTVjYTkxNGVjOWFiZjQ3MTA0YzFlMzk2MDA/

4] https://www.virustotal.com/en/file/...ce7909a36d8c345d896fbfed/analysis/1434362861/

freewebstuff .be: 46.21.172.135: https://www.virustotal.com/en-gb/ip-address/46.21.172.135/information/

- http://myonlinesecurity.co.uk/payme...ol-word-doc-or-excel-xls-spreadsheet-malware/
15 Jun 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/reed-payment-confirmation.png
> https://www.virustotal.com/en-gb/fi...d43dc4b4ba68b0009de9df62/analysis/1434364970/
___

Fake 'Nyfast Payment' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/nyfast-payment-accepted-word-doc-or-excel-xls-spreadsheet-malware/
15 Jun 2015 - "'[Nyfast] Payment accepted' pretending to come from Nyfast <sales@ nyfast .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/nyfast.png

15 June 2015: 101153.doc - Current Virus total detections: 3/57*
... which connects to and downloads Dridex banking malware from http ://webbouw .be/34/44.exe ( VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...79f53ab7611d11f743e699cf/analysis/1434364039/

** https://www.virustotal.com/en-gb/fi...ce7909a36d8c345d896fbfed/analysis/1434362861/

webbouw .be: 46.21.172.135: https://www.virustotal.com/en/ip-address/46.21.172.135/information/
___

Fake 'PI-ORDER' SPAM – PDF malware
- http://myonlinesecurity.co.uk/pi-order-suiming-group-fake-pdf-malware/
15 Jun 2015 - "'PI-ORDER' with a zip attachment pretending to come from suiming <suiminggroup@ cs .ename .net> is another one from the current bot runs... The email looks like:
Dear Sir/madam,
Find attached our purchase order. Kindly quote us best price and send us proforma invoice asap, so that we can proceed with the necessary payment.kindly confirm the PO and send PI asap.
kind Regards
suiming Group


15 June 2015: PI-ORDER.zip: Extracts to: PI-ORDER.exe - Current Virus total detections: 9/57*
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fi...2b3554ac5400ca6b2dbcd797/analysis/1434339886/
___

Fake 'New Doc' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/will-...oc-word-doc-or-excel-xls-spreadsheet-malware/
15 Jun 2015 - "'Will Kinghan henryhowardfinance .co .uk New Doc' pretending to come from Will Kinghan <WKinghan@hhf .uk .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/new-doc-will-kinghan.png

15 June 2015 : New doc.doc ... which is the -same- malware as described in today’s other word doc malspam runs Payment Confirmation reed .co .uk Credit Control* – word doc or excel xls spreadsheet malware and [Nyfast] Payment accepted** – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
* http://myonlinesecurity.co.uk/payme...ol-word-doc-or-excel-xls-spreadsheet-malware/

** http://myonlinesecurity.co.uk/nyfast-payment-accepted-word-doc-or-excel-xls-spreadsheet-malware/
___

'Let us help you make your online banking with HSBC more secure' - PHISH
- http://myonlinesecurity.co.uk/let-u...nline-banking-with-hsbc-more-secure-phishing/
15 Jun 2015 - "An email saying 'Let us help you make your online banking with HSBC more secure' is one of today’s -phishing- attempts. There are a few major common subjects in a phishing attempt. The majority are either PayPal or your Bank or Credit Card, with a message saying something like:
- There have been unauthorised or suspicious attempts to log in to your account, please verify
- Your account has exceeded its limit and needs to be verified
- Your account will be suspended !
- You have received a secure message from < your bank>
- We are unable to verify your account information
- Update Personal Information
- Urgent Account Review Notification
- We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
- Confirmation of Order


... It will NEVER be a genuine email from PayPal or Your Bank so don’t ever fill in the html (webpage) form that comes attached to the email. Some versions of this phish will have a link to a website that looks at first glance like the genuine bank website. That is also false... The link in the email directs you to a -fake- site; if you look at the fake website, you would be very hard-pressed to tell the difference between the fake one and the genuine site. The -only- way is to look at the address bar: on the genuine PayPal site, when using Internet Explorer the entire address bar is in green (in Chrome or Firefox, only the padlock symbol on the left of the browser is green):
>> http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/HSBC_phish_site.png
... luckily the phishing site has been deactivated by the webhosts, but be careful and remember that banks don’t send emails saying 'follow-the-link' to change anything..."
___

Fake 'Notice DHL' SPAM - PDF malware
- http://myonlinesecurity.co.uk/hsbc-notice-dhl-fake-pdf-malware/
15 Jun 2015 - "'Notice DHL' pretending to come from HSBC (random name @ random email address) with a zip attachment is another one from the current bot runs... The waybill number is random in each email but -matches- the attachment name. The email looks like:
Notice DHL
Courier our company was unable to deliver the goods.
CAUSE: was lost your number
Delivery Status: Active
Services: delivery in one day
Waybill number for your cargo: WL4OY-k5qvML-0136
Special sticker attached to the letter. Print sticker and show it in your post office.


15 June 2015: Sticker-WL4OY-k5qvML-0136.zip: Extracts to: New_docs.exe
Current Virus total detections: 1/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fi...d89addb9911f0a9632147279/analysis/1434373340/

:fear::fear::mad:
 
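The "Recommended blocklist" sections and download locations quoted through these posts only become a defence once somebody runs them against traffic. The Python below is an added example written for this thread, not code from dynamoo.com or myonlinesecurity.co.uk; it takes the 15 June indicators quoted above, refangs the spaced-out hostnames the page uses, and checks constructed proxy log lines for blocklist hits, plus a path heuristic distilled from the /NN/NN.exe download URLs that recur in the thread. The log format, its field names and every log line are constructed.

```python
import ipaddress
import re

# Indicators copied from the 15 June posts quoted above: the "Recommended blocklist"
# IPs and the two Dridex download hosts, which the page writes defanged with a space.
BLOCKLIST_IPS = {"136.243.14.142", "71.14.1.139", "173.230.130.172",
                 "94.23.53.23", "176.99.6.10"}
BLOCKLIST_HOSTS_DEFANGED = {"freewebstuff .be", "webbouw .be"}

# Every Dridex download path quoted in the thread (/15/10.exe, /42/11.exe, /64/11.exe,
# /34/44.exe, /90/72.exe) is a 1-2 digit directory and a 1-2 digit .exe name.
# On its own this is a heuristic and is reported as one.
DRIDEX_PATH = re.compile(r"^/\d{1,2}/\d{1,2}\.exe$", re.IGNORECASE)

# Constructed key=value proxy log format; real gateways differ, so adjust LINE_RE.
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+) path=(?P<path>\S+)")


def refang_host(defanged):
    """'freewebstuff .be' -> 'freewebstuff.be' so page IoCs can be compared to logs."""
    return re.sub(r"\s*\.\s*", ".", defanged.strip()).lower()


BLOCKLIST_HOSTS = {refang_host(h) for h in BLOCKLIST_HOSTS_DEFANGED}


def host_is_blocked(host):
    """Exact match or subdomain of a blocklisted host (www.freewebstuff.be counts)."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BLOCKLIST_HOSTS)


def check_line(line):
    """Return the reasons a log line matches; empty list means no indicator hit."""
    m = LINE_RE.search(line)
    if not m:
        return []                           # unparsed lines are skipped, not flagged
    reasons = []
    dst = m.group("dst")
    try:
        ipaddress.ip_address(dst)           # reject garbage before the set lookup
    except ValueError:
        return ["unparseable dst %r" % dst]
    if dst in BLOCKLIST_IPS:
        reasons.append("dst %s is on the recommended blocklist" % dst)
    host = m.group("host")
    if host != "-" and host_is_blocked(host):
        reasons.append("host %s matches a blocklisted download domain" % host)
    path = m.group("path")
    if path != "-" and DRIDEX_PATH.match(path):
        reasons.append("path %s matches the Dridex /NN/NN.exe download pattern (heuristic)" % path)
    return reasons


def scan_log(text):
    """Return [(line_number, reasons)] for every line with at least one hit."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        reasons = check_line(line)
        if reasons:
            hits.append((number, reasons))
    return hits


# Constructed log lines. 46.21.172.135 is the resolution the page gives for freewebstuff.be;
# the other addresses come from documentation/test ranges.
SAMPLE_LOG = """\
2015-06-15T11:12:41Z src=10.0.0.23 dst=192.0.2.10 host=intranet.example path=/index.html action=allow
2015-06-15T11:14:02Z src=10.0.0.23 dst=46.21.172.135 host=www.freewebstuff.be path=/34/44.exe action=allow
2015-06-15T11:14:09Z src=10.0.0.23 dst=136.243.14.142 host=- path=- action=allow
2015-06-15T11:20:55Z src=10.0.0.41 dst=203.0.113.9 host=cdn.example.net path=/12/34.exe action=allow
"""

if __name__ == "__main__":
    for number, reasons in scan_log(SAMPLE_LOG):
        print("line %d:" % number)
        for r in reasons:
            print("   ", r)
```

The path heuristic fires on the fourth line although neither its address nor its host is on any list; that is deliberate. It is a weaker, pattern-based signal to investigate, where the IP and host matches are direct hits. Day-by-day blocklists go stale quickly (compare the three lists quoted in this thread), so in practice the sets above should be fed from a maintained indicator source rather than edited by hand.
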
Fake 'Travel order', 'Invoice', 'Internet Invoice' SPAM, More Malvertising

FYI...

Magnitude Exploit Kit uses Newly Patched Adobe Vuln ...
- http://blog.trendmicro.com/trendlab...nerability-us-canada-and-uk-are-most-at-risk/
Jun 16, 2015 - "Adobe may have already patched a Flash Player vulnerability last week, but several users — especially those in the US, Canada, and the UK — are still currently exposed and are at risk of getting infected with CryptoWall 3.0. The Magnitude Exploit Kit included an exploit, detected as SWF_EXPLOIT.MJTE, for the said vulnerability, allowing attackers to spread crypto-ransomware into their target systems. We first saw signs of this activity yesterday, June 15... Adobe’s regular June Update for Adobe Flash Player... upgraded the software to version 18.0.0.160*. However, many users are still running the previous version (17.0.0.188), which means that a lot of users are still at risk... cybercriminals rapidly take advantage of recently-patched vulnerabilities through exploit kits. We saw a similar incident in March, where exploits for an Adobe Flash Player vulnerability were added to the Nuclear Exploit Kit just a week after the patch was released. We also noted earlier this month that Flash Player was being targeted more frequently by exploit kits, and that shows no sign of changing soon..."
* https://www.adobe.com/products/flashplayer/distribution3.html
___

Fake 'Travel order' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/the-c...59-word-doc-or-excel-xls-spreadsheet-malware/
16 Jun 2015 - "'Travel order confirmation 0300202959' pretending to come from overseastravel@ caravanclub .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear customer,
Thank you for your travel order.
Please find attached your booking confirmation which you should take with you on your trip. Please note we no longer send tickets for overseas travel bookings.
Your booking confirmation document is stored as a DOC file which requires the use of Microsoft Word software to view it.
Yours sincerely
The Caravan Club
This email is sent from the offices of The Caravan Club, a company limited by guarantee (Company Number: 00646027). The registered office is East Grinstead House, London Road, East Grinstead, West Sussex, RH19 1UA.
Regulation The Caravan Club Ltd is authorised and regulated by the Financial Conduct Authority. FCA registration number is 311890
This email is sent from the offices of The Caravan Club Limited...


16 June 2015: Travel Order Confirmation – 0300202959.doc
Current Virus total detections: 4/57* ... downloads Dridex banking malware from aspectaceindia .in/90/72.exe (VirusTotal**). Note: there are normally 5 or 6 other download locations but all will lead to same Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...6f3cc5b5dabae488356038e3/analysis/1434440780/

** https://www.virustotal.com/en-gb/fi...e7141bef30688fafcf92b938/analysis/1434441238/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustotal.com/en-gb/ip-address/37.143.11.165/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/

aspectaceindia .in: 203.124.96.148: https://www.virustotal.com/en-gb/ip-address/203.124.96.148/information/
___

Fake 'Invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/carol...ce-word-doc-or-excel-xls-spreadsheet-malware/
16 Jun 2015 - "'Invoice' pretending to come from Carol Young <carol@ baguette-express. co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Invoice Attached
Carol Young
Accounts Manager
Office:0845 070 4360
Email: carol@ baguette-express .co.uk
Web: www .baguette-express .co.uk
1 Cranston Crescent
Lauder
Borders
TD2 6UB


16 June 2015: A4 Inv_Crd Unit Price, With Discount.doc - Current Virus total detections: 4/57*
... downloads Dridex banking malware from dubrovnik-marryme .com/90/72.exe (VirusTotal**) This is the -same- malware payload as described in today’s other malspam word macro malware 'The caravan Club Travel order confirmation 0300202959'*** – word doc or excel xls spreadsheet malware..."
* https://www.virustotal.com/en-gb/fi...927c4add4839966eaa53516a/analysis/1434441322/

** https://www.virustotal.com/en-gb/fi...e7141bef30688fafcf92b938/analysis/1434441238/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustotal.com/en-gb/ip-address/37.143.11.165/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/

*** http://myonlinesecurity.co.uk/the-c...59-word-doc-or-excel-xls-spreadsheet-malware/

dubrovnik-marryme .com: 188.40.57.166: https://www.virustotal.com/en-gb/ip-address/188.40.57.166/information/
___

Fake 'Invoice copy' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/gary-...76-word-doc-or-excel-xls-spreadsheet-malware/
16 Jun 2015 - "'Invoice copy no. 252576' pretending to come from kathy@ almondscateringsupplies .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find attached DOC document with invoice copy no. 252576
Kind regards,
Gary Almond


16 June 2015 : DespatchNote_-_252576_160615_063107663.doc - Current Virus total detections: 4/57*
... downloads Dridex banking malware from aspectaceindia .in/90/72.exe (VirusTotal**)
Note: there are normally 5 or 6 other download locations but all will lead to same Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...6f3cc5b5dabae488356038e3/analysis/1434440780/

** https://www.virustotal.com/en-gb/fi...e7141bef30688fafcf92b938/analysis/1434441238/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustotal.com/en-gb/ip-address/37.143.11.165/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/

aspectaceindia .in: 203.124.96.148: https://www.virustotal.com/en-gb/ip-address/203.124.96.148/information/
___

Fake 'Internet Invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/eclip...ec-word-doc-or-excel-xls-spreadsheet-malware/
16 Jun 2015 - "'Eclipse Internet Invoice is available online – 36889843EC' pretending to come from customer@ eclipse .net.uk with a malicious word doc called EC_36889843_88113463.doc is another one from the current bot runs... The email looks like:
Dear Customer,
Thank you for choosing to receive your invoice by email. Please find this attached.
If you would like to change any of your billing options, please log in to My Eclipse using your registration email and password... Alternatively, you can contact our Customer Service Team, Monday to Friday 8am – 6pm, on the telephone number published...
Kind regards
Eclipse Internet


The number in the subject, which is random, -matches- the word attachment name, so everybody gets a different named email and attachment. The malicious macro and the downloaded Dridex banking malware are exactly the -same- as described in today’s earlier word macro malspam runs:

1]'Gary Almond almondscateringsupplies .co.uk Invoice copy no. 252576 – word doc or excel xls spreadsheet malware':
- http://myonlinesecurity.co.uk/gary-...76-word-doc-or-excel-xls-spreadsheet-malware/

2]'Carol Young baguette-express Invoice – word doc or excel xls spreadsheet malware':
- http://myonlinesecurity.co.uk/carol...ce-word-doc-or-excel-xls-spreadsheet-malware/

3]'The caravan Club Travel order confirmation 0300202959 – word doc or excel xls spreadsheet malware':
- http://myonlinesecurity.co.uk/the-c...59-word-doc-or-excel-xls-spreadsheet-malware/
The basic rule is NEVER open any attachment to an email, unless you are expecting it... Never just blindly click on the file in your email program..."
___

Trojan uses steganography to hide itself in image files
- http://net-security.org/malware_news.php?id=3058
16.06.2015 - "The Dell SecureWorks* CTU research team has recently analyzed a piece of malware that uses digital steganography to hide part of its malicious code. Stegoloader, as they dubbed it, is not technically new. Previous versions of the malware have been spotted in 2013 and 2014, bundled with tools used to crack or generate software keys... Stegoloader's main reason for being is to steal information from users, but it has a modular design, and the researchers themselves say that they might not have yet seen and analyzed all of its modules... Stegoloader is not the first malware to use steganography to hide malicious code or information such as the address of the malware's backup C&C, but the researchers note that it could represent an emerging trend in malware... as researcher Saumil Shah recently demonstrated at the Hack in the Box conference**, it's possible to insert both malicious code and exploit code that will trigger it into an image, and this type of delivery mechanism is still undetectable by current defensive solutions."
* http://www.secureworks.com/cyber-th...s/stegoloader-a-stealthy-information-stealer/

** http://www.net-security.org/secworld.php?id=18443
___

Dutch Users: victims of Large Malvertising Campaign
- https://blog.malwarebytes.org/malve...-users-victim-of-large-malvertising-campaign/
June 15, 2015 - "Security firm Fox-IT* has identified a large malvertising campaign that began affecting Dutch users on June 11:
* http://blog.fox-it.com/2015/06/15/large-malvertising-campaign-targeting-the-netherlands/
In their blog post, they say that several major news sites were loading the -bogus- advertisement that ultimately lead to the Angler exploit kit. Looking at our telemetry we also noticed this attack, and in particular on Dutch news site Telegraaf[.]nl via an advert from otsmarketing .com, which according to Fox-IT is -more- than a suspicious ad network:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/diagram.png
The ad silently loaded a Google shortened URL used to -redirect- to the exploit kit... This latest malvertising case illustrates the efficacy of leveraging ad networks to selectively infect end users while also demonstrating that there is a clear problem with identifying rogue advertisers. As stated by Fox-IT, the company responsible for the malvertising was not 'loaded via advertisements until Thursday last week, the first day we’ve seen this malvertising campaign in action'. This leaves some serious questions about the additional scrutiny in place for new advertisers and how it made it through security checks."

107.181.187.81: https://www.virustotal.com/en-gb/ip-address/107.181.187.81/information/

Fake 'PayPal Receipt' SPAM, Tax Refund PHISH

FYI...

Fake 'PayPal Receipt' SPAM - PDF malware
- http://myonlinesecurity.co.uk/paypal-receipt-for-your-payment-to-omer-salim-fake-pdf-malware/
17 June 2015 - "'Receipt for Your Payment to OMER SALIM' pretending to come from service@ intl .paypal .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/Receipt-for-Your-Payment-to-OMER-SALIM.png

17 June 2015: Receipt99704.zip: Extracts to: Receipt99704.PDF.exe
Current Virus total detections: 10/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fi...393707eac8fdfc5cd356aaac/analysis/1434488522/
___

Fake 'Refunds for overpaid taxes' – Phish ...
- http://myonlinesecurity.co.uk/hmrc-refunds-for-overpaid-property-taxes-phishing/
17 June 2015 - "'Refunds for overpaid property taxes' pretending to come from HM Revenue & Customs <ecustomer.support@ hmrc .gateway .gov.uk> is a phishing email... This one wants your personal details and your bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... This particular email has a zip attachment that when unzipped has an html webpage that asks you to fill in bank details. If you open the html attachment you see a webpage looking like this where they want your bank details, name and birth date:

Phish Screenshot: http://myonlinesecurity.co.uk/wp-co.../HMRC-Refunds-for-overpaid-property-taxes.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day. Or whether it is a straight forward attempt, like this one, to steal your personal, bank, credit card or email and social networking log in details..."
___

Fake 'Document Service' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/docum...cc-word-doc-or-excel-xls-spreadsheet-malware/
17 June 2015 - "'Document Service, Order Id: 14262781' pretending to come from ICC <orders@ icc .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/Document-Service-Order-Id.png

17 June 2015: 14262781_FMM_751061928.doc - Current Virus total detections: 4/57*
The malicious macro in this particular word doc downloads Dridex banking malware from http ://cheshiregunroom .com/23/07.exe. There are normally between 5 and 10 other download sites, all giving the same Dridex banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...030fa3cda7e56459da18f462/analysis/1434529913/

** https://www.virustotal.com/en-gb/fi...33422cb0f2d70eb4f04136d0/analysis/1434531876/
... Behavioural information
TCP connections
37.143.11.165: https://www.virustotal.com/en-gb/ip-address/37.143.11.165/information/
88.221.14.249: https://www.virustotal.com/en-gb/ip-address/88.221.14.249/information/

cheshiregunroom .com: 92.63.140.197: https://www.virustotal.com/en-gb/ip-address/92.63.140.197/information/
___

Fake 'Message from KMBT' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/message-from-kmbt_c280-word-doc-or-excel-xls-spreadsheet-malware/
17 Jun 2015 - "'Message from KMBT_C280' pretending to come from scanner@ your own email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email comes in with a completely -empty- body and just the subject line of Message from KMBT_C280.

17 June 2015 : SKMBT_C28015061614410.doc - Current Virus total detections: 4/57*
This particular malicious macro downloads Dridex banking malware from http ://businesssupportsoutheastlondon .co.uk/23/07.exe which is the -same- as described in today’s other malspam word doc campaign Document Service, Order Id: 14262781** - LE BISTROT PIERRE LIMITED – ICC – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...23820ef78149a26176fc5852/analysis/1434531806/

** http://myonlinesecurity.co.uk/docum...cc-word-doc-or-excel-xls-spreadsheet-malware/

businesssupportsoutheastlondon .co.uk: 88.208.248.144: https://www.virustotal.com/en-gb/ip-address/88.208.248.144/information/
___

Botnet-based malicious SPAM seen this week
- https://isc.sans.edu/diary.html?storyid=19807
2015-06-17 - "Botnets continually send out malicious spam (malspam). As mentioned in previous diaries, we see botnet-based malspam delivering Dridex and Dyre malware almost every day [1, 2]. Recently, someone sent us a malicious Word document from what appeared to be Dridex malspam on Tuesday 2015-06-16... Unfortunately, while investigating the malware, I could not generate the full range of infection traffic. Otherwise, the traffic follows the same general patterns we've previously seen with Dridex [1]... Dridex has been using Microsoft Word documents and Excel spreadsheets designed to infect a computer if macros are enabled, which matches the infection vector used by this malspam... Macros are -not- enabled in the default installation for Microsoft Office. To infect a computer, most people will have to -enable- macros after the document is opened, as shown below:
> https://isc.sans.edu/diaryimages/images/2015-06-16-ISC-diary-image-04.jpg
...
> https://isc.sans.edu/diaryimages/images/2015-06-16-ISC-diary-image-05.jpg ..."

1] https://isc.sans.edu/diary/Recent+Dridex+activity/19687

2] https://isc.sans.edu/diary/UpatreDyre+the+daily+grind+of+botnetbased+malspam/19657

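The ISC diary quoted above makes the practical point for the whole run of Dridex posts in this thread: the Word/Excel attachments are harmless until somebody clicks "Enable Content". A mail gateway can refuse or quarantine any attachment that carries a VBA project before that prompt is ever shown. The script below is an added example, not code from the ISC diary or any of the quoted blogs. It uses only the standard library and checks both container types the posts describe: the legacy OLE binary .doc/.xls (Word keeps its VBA under a "Macros" storage, Excel under "_VBA_PROJECT_CUR") and OOXML .docm/.xlsm (a ZIP containing word/vbaProject.bin or xl/vbaProject.bin). The samples it scans are constructed inside the script; the minimal OLE writer is there only so the demo runs offline.

```python
"""Detect embedded VBA projects in e-mail attachments (added example for this
thread, not code from the ISC diary or the quoted blogs). Legacy OLE files keep
VBA under a "Macros" (.doc) or "_VBA_PROJECT_CUR" (.xls) storage; OOXML files
carry a vbaProject.bin part. All sample files below are constructed."""
import io
import struct
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
# Storage names that only exist when a VBA project is embedded.
VBA_STORAGES = {"Macros", "_VBA_PROJECT_CUR", "VBA"}


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def ole_directory_names(data):
    """Return the names of all allocated storages/streams in an OLE compound
    file by walking its directory sector chain through the FAT."""
    if not data.startswith(OLE_MAGIC):
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir = _u32(data, 48)
    fat = []
    for i in range(109):                          # DIFAT entries held in the header
        sect = _u32(data, 76 + 4 * i)
        if sect == FREESECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, 512 + sect * sector_size))
    names, sect, seen = [], first_dir, set()
    while sect < len(fat) and sect not in seen:   # ENDOFCHAIN/FREESECT fall out of range; cycle guard
        seen.add(sect)
        start = 512 + sect * sector_size
        for off in range(start, start + sector_size, 128):   # 128-byte directory entries
            entry = data[off:off + 128]
            if len(entry) < 128:
                break
            name_len = struct.unpack_from("<H", entry, 64)[0]
            if entry[66] == 0 or name_len < 2:    # object type 0 = unused slot
                continue
            names.append(entry[:name_len - 2].decode("utf-16-le"))
        sect = fat[sect]
    return names


def has_vba_macros(data):
    """True when the attachment embeds a VBA project (either container type)."""
    if data.startswith(OLE_MAGIC):
        return bool(VBA_STORAGES & set(ole_directory_names(data)))
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.endswith("vbaProject.bin") for n in zf.namelist())
    return False                                  # PDF, text, anything else: no VBA container


def build_ole_sample(storage_names):
    """Constructed minimal OLE file (v3, 512-byte sectors): sector 0 is the FAT,
    sector 1 the directory (root + up to 3 storages). Demo input only."""
    assert len(storage_names) <= 3

    def entry(name, obj_type):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128)
        e[:len(raw)] = raw
        struct.pack_into("<HBB", e, 64, len(raw), obj_type, 1)          # name length, type, colour
        struct.pack_into("<III", e, 68, FREESECT, FREESECT, FREESECT)   # no sibling/child links
        return bytes(e)

    directory = b"".join([entry("Root Entry", 5)] + [entry(n, 1) for n in storage_names]).ljust(512, b"\x00")
    fat = struct.pack("<II", FATSECT, ENDOFCHAIN).ljust(512, b"\xff")
    header = bytearray(OLE_MAGIC.ljust(512, b"\xff"))                 # unused DIFAT slots = FREESECT
    header[8:76] = bytes(68)
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)      # version, byte order, sector shifts
    struct.pack_into("<IIIIIIII", header, 44, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<I", header, 76, 0)                              # DIFAT[0] -> FAT is sector 0
    return bytes(header) + fat + directory


def build_ooxml_sample(with_macro):
    """Constructed .docm-style ZIP; the vbaProject.bin content is a stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"stub")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro .doc", build_ole_sample(["WordDocument", "Macros"])),
                        ("clean .doc", build_ole_sample(["WordDocument", "1Table"])),
                        ("macro .docm", build_ooxml_sample(True))):
        print("%-12s VBA project: %s" % (label, has_vba_macros(blob)))
```

For a real attachment, `has_vba_macros(open(path, "rb").read())` is the whole check. The storage names tested are the ones Word and Excel actually use for VBA projects, so a document that has a `Macros` or `_VBA_PROJECT_CUR` storage is worth quarantining regardless of how few AV engines flag it at the time (the 4/57 figures above are typical on day one).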
Fake 'Bank query alert', 'CVD Insurance', 'Transfer', 'banking invoice' SPAM

FYI...

Fake email “Bank query alert” contains trojan
- http://blog.mxlab.eu/2015/06/18/fake-email-bank-query-alert-contains-trojan/
June 18, 2015 - "... intercepted a new trojan distribution campaign by email with the subject “Bank query alert”. This email is sent from spoofed email addresses and has the following body:
Good day!
Please note that we have received the bank query from Your bank regarding the current account.
You are asked to fill the appropriate bank form, which is enclosed below, until 20th day of
June in order to avoid the security hold of the account. Please also confirm the following
account No.: 9042 5736 6695 0412. After filling the document please send us the scan-copy
so that we could duly forward it to the bank manager. If you have any questions feel
free to contact us on: 677-77-90.
Thanks in advance.
Best regards, Michael Forester Managing Partner


The attached file Michael.zip contains the 46 kB large file Transfer_blocked.exe. The trojan is known as Trojan.Win32.Generic.pak!cobra, Gen:Variant.Graftor.198120, Trojan.Win32.YY.Gen.4, LooksLike.Win32.Upatre.g (v) or Downloader.Upatre!gen9. At the time of writing, 7 of the 57 AV engines did detect the trojan at Virus Total*..."
* https://www.virustotal.com/en/file/...8bd70d0ad990f0540f42bede07f945f11da/analysis/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustotal.com/en/ip-address/64.182.208.183/information/
93.93.194.202: https://www.virustotal.com/en/ip-address/93.93.194.202/information/
173.248.29.43: https://www.virustotal.com/en/ip-address/173.248.29.43/information/
88.221.15.80: https://www.virustotal.com/en/ip-address/88.221.15.80/information/
___

Fake 'CVD Insurance' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/cvd-i...uk-word-doc-or-excel-xls-spreadsheet-malware/
18 Jun 2015 - "'CVD Insurance – documents attached' pretending to come from Lowri Duffield <lowri.duffield@ brightsidegroup .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/CVD-Insurance-documents-attached.png

18 June 2015: 3098_001.doc - Current Virus total detections: 4/57*
... downloads Dridex banking malware from http ://evolutionfoundationcollege .co.uk/66/71.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...56aa00b435f5fdb3645c7736/analysis/1434619773/

** https://www.virustotal.com/en/file/...71278e498d0dadbb29182675/analysis/1434619280/

evolutionfoundationcollege .co.uk: 188.121.55.128: https://www.virustotal.com/en/ip-address/188.121.55.128/information/
___

Fake 'Transfer to your account blocked' SPAM – PDF malware
- http://myonlinesecurity.co.uk/transfer-to-your-account-blocked-fake-pdf-malware/
18 Jun 2015 - "'Transfer to your account blocked' coming from random names at random email addresses with a zip attachment is another one from the current bot runs... The email which has random ID numbers that -match- the attachment name looks like:

Transfer has been blocked, details in an attachment.
ID Transfer: 96907740967
Date of formation: Thu, 18 Jun 2015 13:35:45 +0100


18 June 2015: id96907740967_Transfer_details.zip: Extracts to: Transfer_blocked.exe
Current Virus total detections: 3/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...27ce2c2672a509b87d6f848f/analysis/1434629016/
___

Fake 'banking invoice' SPAM - leads to malware
- http://blog.dynamoo.com/2015/06/malware-spam-nota-fiscal-eletronica-cod.html
18 Jun 2015 - "This Portuguese-language spam pretends to be some sort of banking invoice, but instead leads to malware hosted on Google Drive. The target appears to be users in Brazil.

From: sac.contact4e74974737@ bol .com.br
To: mariomarinho@ uol .com.br
Date: 18 June 2015 at 08:46
Subject: NOTA FISCAL ELETRÔNICA COD. 6Uhrae.088693
Signed by: bol .com.br ...


The reference numbers and sender change slightly in each version. I've seen three samples before, each one with a different download location... which leads to a ZIP file named NFe_0185189710250029301785.zip which in turn contains a malicious executable NFe_0185189710250029301785.exe which has a VirusTotal detection rate of 8/57*. Comments in that report indicate that this may be the Spy.Banker trojan. The Malwr report indicates that it downloads components from the following locations:
http ://donwup2015 .com.br/arq/point.php
http ://tynly2015 .com.br/upt/ext.zlib
... These sites are hosted on:
108.167.188.249 (WebsiteWelcome, US)
187.17.111.104 (Universo Online, Brazil)
The VirusTotal report for both these IPs [1] [2] indicates a high level of badness, indicating that they should be -blocked-. Furthermore, Malwr shows that it drops a file with a detection rate of 2/57**...
Recommended blocklist:
108.167.188.249
187.17.111.104
..."
* https://www.virustotal.com/en/file/...5606498f46590e0b3241b046/analysis/1434618710/
... Behavioural information
TCP connections
1] 108.167.188.249: https://www.virustotal.com/en/ip-address/108.167.188.249/information/

2] 187.17.111.104: https://www.virustotal.com/en/ip-address/187.17.111.104/information/

** https://www.virustotal.com/en/file/...d847238ad2547589f7d5a32c/analysis/1434619879/

Fake 'New instructions' SPAM

FYI...

Fake 'New instructions' SPAM - malicious payload
- http://blog.dynamoo.com/2015/06/malware-spam-new-instructions.html
19 June 2015 - "This rather terse spam comes with a malicious payload:
From: tim [tim@ thramb .com]
Date: 19 June 2015 at 16:40
Subject: New instructions
New instructions payment of US banks, ask to read


Attached is an archive file with the somewhat unusual name of instructions.zip size=19811 which contains a malicious executable named instructions_document.exe. The VirusTotal analysis indicates that this is the Upatre downloader [detection rate 3/57*]. Automated analysis tools... show traffic to: 93.93.194.202 :13222/C21/UEQUILABOOMBOOM/0/51-SP3/0/MEBEFEBLGBEID ... which is an IP operated by Orion Telekom in Serbia, and also 66.196.63.33 :443 which is Hamilton Telecommunications in the US. A characteristic of this generation of Upatre is that it sends traffic to icanhazip.com which while not malicious in itself is quite a good indicator of infection. In all cases I have seen, Upatre drops the Dyre banking trojan, but I have been unable to obtain a sample.
Recommended blocklist:
93.93.194.202
66.196.63.33
"
* https://www.virustotal.com/en/file/...45f75a241fef4e194d5bde85/analysis/1434725207/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustotal.com/en/ip-address/104.238.141.75/information/
93.93.194.202: https://www.virustotal.com/en/ip-address/93.93.194.202/information/
66.196.63.33: https://www.virustotal.com/en/ip-address/66.196.63.33/information/
88.221.14.249: https://www.virustotal.com/en/ip-address/88.221.14.249/information/

Fake 'Shareholder alert', 'Tax inspection' SPAM, Password recovery SCAM

FYI...

Fake 'Shareholder alert' SPAM – PDF malware
- http://myonlinesecurity.co.uk/shareholder-alert-glen-mccoy-fake-pdf-malware/
22 Jun 2015 - "'Shareholder alert' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:

Hope this e-mail finds You well. Please note that in 2015 no dividends will be paid due to
resolution of the Board of Directors. Please see attached. Glen McCoy, Partner


22 June 2015: instructions.zip size=21120.zip: Extracts to: instructions_document.exe
Current Virus total detections: 1/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fi...4dcf5067286cca2b388d596e/analysis/1434971131/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustotal.com/en-gb/ip-address/64.182.208.183/information/
93.93.194.202: https://www.virustotal.com/en-gb/ip-address/93.93.194.202/information/
109.86.226.85: https://www.virustotal.com/en-gb/ip-address/109.86.226.85/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/

- http://blog.dynamoo.com/2015/06/malware-spam-shareholder-alert.html
22 June 2015
"... Recommended blocklist:
64.111.36.35
93.93.194.202
"
___

Fake 'Tax inspection notification' SPAM - malicious payload
- http://blog.dynamoo.com/2015/06/malware-spam-tax-inspection.html
22 June 2015 - "This -fake- tax notification comes with a malicious payload.
Date: 22 June 2015 at 19:10
Subject: Tax inspection notification
Good day!
Trust this e-mail finds You well.
Please be notified that next week the revenue service is going to organize tax inspections.
That is why we highly recommend You to file the attached form in order to be prepared.
Inspectors are to determine whether You as a taxpayer have settled the correct amount of taxes.
According to our records, the inspectors license No. is 090-96919-5886-935. Please check as it is an important procedure rule.
We may discuss all the related matters by phone: +1 998-497-85. Feel free to contact us.
Bruce Climt,
Tax Advisor


Attached is a file with a malformed ZIP filename of tax_663-20845-0479-435.zip size=18288.zipsize=18288 which contains a malicious executable info_bank_pdf.exe which has a VirusTotal detection rate of 4/57*... Malwr analysis indicates a traffic pattern consistent with the Upatre downloader:
http ://93.93.194.202 :13234/203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
http ://93.93.194.202 :13234/203/HOME/41/5/4/ELHBEDIBEHGBEHK
That IP address is the same as seen in this attack earlier today[1] and it belongs to Orion Telekom in Serbia. This VirusTotal report** also shows traffic to 178.214.221.89 (Optical Systems LLC, Ukraine), and this Hybrid Analysis report[2] also shows traffic to 37.57.144.177 (Triolan, Ukraine). Furthermore, this other Malwr report shows two dropped executables, karetfob.exe [VT 4/57***] and sveezback.exe [VT 15/57****]. The dropped payload will be the Dyre banking trojan.
Recommended blocklist:
93.93.194.202
178.214.221.89
37.57.144.177
"
* https://www.virustotal.com/en/file/...934a21cdcd952f82aff02e8692f67e92f40/analysis/

** https://www.virustotal.com/en/file/...934a21cdcd952f82aff02e8692f67e92f40/analysis/

*** https://www.virustotal.com/en/file/...e21f97931117c4b8b512c426/analysis/1434994679/

**** https://www.virustotal.com/en/file/...51fe459ca6927b540f957f43/analysis/1434994696/

1] http://blog.dynamoo.com/2015/06/malware-spam-shareholder-alert.html

2] https://www.hybrid-analysis.com/sam...cdcd952f82aff02e8692f67e92f40?environmentId=1
___

'Password recovery' SCAM hitting Gmail, Outlook and Yahoo Mail users
- http://net-security.org/secworld.php?id=18537
22 June 2015 - "A simple yet ingenious scam is being used by scammers to compromise accounts of Gmail, Outlook and Yahoo Mail users, Symantec researcher Slawomir Grzonkowski warns*. 'To pull off the attack, the bad guys need to know the target’s email address and mobile number; however, these can be obtained without much effort... The attackers make use of the password recovery feature offered by many email providers, which helps users who have forgotten their passwords gain access to their accounts by, among other options, having a verification code sent to their -mobile- phone.' Once the verification code is sent to the legitimate user's mobile phone, it's followed by a message by the scammer, saying something like: 'Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.' The victim sends the verification code to the scammers, and they use it to access the email account.
Occasionally, the code is sent too late and doesn't work anymore, so the scammers -reiterate- the need for the code to be sent in. When they finally get access to the email account, they don't shut the real owner out. Instead, they usually add an -alternate- email to the account and set it up so that copies of all messages are forwarded to it. Then they change the password, and send it to victim via SMS ('Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD]') in order to complete the illusion of legitimacy. 'The cybercriminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers. They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals. The way they operate is similar to the methods used by APT groups'... It's likely that they use those email accounts to gain access to other online accounts tied to them. Users are advised to be suspicious of SMS messages asking about verification codes, especially if they did -not- request one, and check their authenticity directly with their email provider."
* https://www.youtube.com/watch?v=_dj_90TnVbo&feature=youtu.be
Video 2:17

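The two Dynamoo posts above (the 'New instructions' sample on 19 June and this 'Tax inspection' one) give the actual Upatre check-in URLs (direct to 93.93.194.202 on a high port, path of the form /id/HOSTNAME/0/51-SP3/0/TOKEN), point out that a lookup of icanhazip.com is a good infection indicator even though the site itself is benign, and publish recommended blocklists. The script below is an added example, not the blogs' code: it runs exactly that logic over a few constructed proxy-log lines. The path regex is a heuristic I derived from the beacons quoted on this page, the blocklist set is the one the posts recommend, and the log line format (timestamp, source, destination, port, method, host, path) is an assumption for the demo.

```python
"""Flag Upatre-style check-in traffic in web proxy logs (added example for this
thread, not code from the quoted blogs). The beacon-path regex is a heuristic
derived from the URLs quoted on the page; log lines below are constructed."""
import re
from ipaddress import ip_address

# Recommended blocklist IPs quoted from the Dynamoo posts above.
BLOCKLIST = {"93.93.194.202", "66.196.63.33", "178.214.221.89", "37.57.144.177", "64.111.36.35"}
# Heuristic shape of the beacon path: /<id>/<hostname>/<n>/<os tag>/<n>/<UPPERCASE TOKEN>
UPATRE_PATH = re.compile(r"^/[A-Za-z0-9]+/[A-Za-z0-9_-]+/\d+/[A-Za-z0-9-]+/\d+/[A-Z]{8,}$")
# External-IP echo used by this Upatre generation; benign on its own, so a weak signal.
IP_ECHO_HOSTS = {"icanhazip.com"}
WEAK_REASON = "external IP lookup (icanhazip.com)"


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line):
    """Assumed log format: ts src dst dport method host path (space separated)."""
    ts, src, dst, dport, method, host, path = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "method": method, "host": host, "path": path}


def score_request(req):
    """Reasons one request looks like Upatre; an empty list means nothing matched."""
    reasons = []
    if req["dst"] in BLOCKLIST:
        reasons.append("dst on blocklist")
    if req["host"] in IP_ECHO_HOSTS:
        reasons.append(WEAK_REASON)
    # Beacons go straight to an IP (no hostname) on a non-standard port with the telltale path.
    if _is_ip(req["host"]) and req["dport"] not in (80, 443) and UPATRE_PATH.match(req["path"]):
        reasons.append("Upatre-style beacon path on non-standard port")
    return reasons


def find_infected_hosts(lines):
    """Map source IP -> {"reasons": [...], "verdict": "high"|"low"}. The icanhazip
    lookup alone only yields 'low'; it needs a beacon or blocklist hit for 'high'."""
    hits = {}
    for line in lines:
        if line.strip():
            req = parse_line(line)
            for reason in score_request(req):
                hits.setdefault(req["src"], set()).add(reason)
    result = {}
    for src, reasons in hits.items():
        strong = any(r != WEAK_REASON for r in reasons)
        result[src] = {"reasons": sorted(reasons), "verdict": "high" if strong else "low"}
    return result


# Constructed sample log: one infected client, one that only hit icanhazip, two clean ones.
SAMPLE_LOG = """\
2015-06-22T19:11:58Z 10.0.0.15 203.0.113.10 80 GET icanhazip.com /
2015-06-22T19:12:03Z 10.0.0.15 93.93.194.202 13234 GET 93.93.194.202 /203/HOME/0/51-SP3/0/ELHBEDIBEHGBEHK
2015-06-22T19:12:04Z 10.0.0.15 93.93.194.202 13234 GET 93.93.194.202 /203/HOME/41/5/4/ELHBEDIBEHGBEHK
2015-06-22T19:12:30Z 10.0.0.22 93.184.216.34 443 GET www.example.com /index.html
2015-06-22T19:13:10Z 10.0.0.31 198.51.100.7 8080 GET 198.51.100.7 /api/v1/items/0/1
2015-06-22T19:14:02Z 10.0.0.40 203.0.113.10 80 GET icanhazip.com /
""".splitlines()

if __name__ == "__main__":
    for src, verdict in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(src, verdict["verdict"], "; ".join(verdict["reasons"]))
```

The verdict split matters operationally: blocking the listed IPs stops the check-in, but the icanhazip lookup is the earliest signal and fires before any C2 contact, so a 'low' hit is the host you pull for a closer look rather than one you write off.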
Fake 'list of missing documents', 'Agreement' SPAM

FYI...

Fake 'list of missing documents' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/06/malware-spam-hope-this-e-mail-finds-you.html
23 June 2015 - "This spam comes with a malicious attachment:
Date: 23 June 2015 at 14:14
Subject: Hope this e-mail finds You well
Good day!
Hope this e-mail finds You well.
Please be informed that we received the documents regarding the agreement No. 7232-003 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 838-72-99. Feel free to give a call at any time.
Stacey Grimly,
Project Manager


Some of the details vary in each email, but the overall format is the same. So far I have seen two different mis-named attachments:
check.zip size=57747.zipsize=57747
check.zip size=57717.zipsize=57717
The file sizes actually -match- the one listed in the file's name. Because the attachment is not properly named, some ZIP file handlers may fail to deal with them. Equally, the technique may be designed to get the spam past mail filters. Each archive contains a file info_bank_pdf.exe with different checksums and a detection rate of 3/52* or 3/54**. Automated analysis tools... indicate traffic to the following locations:
93.93.194.202 (Orion Telekom, Serbia)
173.216.240.56 (Suddenlink Communications, US)
188.255.169.176 (Orion Telekom, Serbia)
68.190.246.142 (Charter Communications, US)
... Malwr reports... show dropped files named yaxkodila.exe (two versions, VT 5/54*** and 5/55****) plus a file jieduk.exe (VT 8/54)[5].... the VirusTotal analysis also throws up another IP address of: 104.174.123.66 (Time Warner Cable, US). The malware is a common combination of the Upatre downloader and Dyre banking trojan, targeting Windows systems.
Recommended blocklist:
93.93.194.202
173.216.240.56
188.255.169.176
68.190.246.142
104.174.123.66
"
* https://www.virustotal.com/en/file/...8254f461b48fcfeacf7628d9/analysis/1435063484/

** https://www.virustotal.com/en/file/...9242589cabd57b06a39ecb71/analysis/1435063502/

*** https://www.virustotal.com/en/file/...73b760f284a5f42cbcf5ed49/analysis/1435064473/

**** https://www.virustotal.com/en/file/...1a664472a0cb2e77ed424ccb/analysis/1435064478/

5] https://www.virustotal.com/en/file/...24c4afefa53f4d09175453d5/analysis/1435064476/

- http://myonlinesecurity.co.uk/hope-this-e-mail-finds-you-well-stacey-grimly-fake-pdf-malware/#
23 June 2015
- https://www.virustotal.com/en-gb/fi...5f4e821714dc0885ac4dd8cd/analysis/1435062320/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustotal.com/en-gb/ip-address/104.238.136.31/information/
93.93.194.202: https://www.virustotal.com/en-gb/ip-address/93.93.194.202/information/
72.230.82.80: https://www.virustotal.com/en-gb/ip-address/72.230.82.80/information/
___

Fake 'Agreement' SPAM – PDF malware
- http://myonlinesecurity.co.uk/agreement-fake-pdf-malware/
23 June 2015 - "'Agreement' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
Hello,
As per your question please find attached the application form.
Please fill out each detail and return it back to us via email soon as possible. With this information we will be able to help you resolve this issue.
Thank you.


23 June 2015: new_filling_form.zip: Extracts to: new_application_form.exe
Current Virus total detections: 10/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fi...9a424c7e83e4c37c84dbe83c/analysis/1435078814/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustotal.com/en-gb/ip-address/104.238.141.75/information/
93.93.194.202: https://www.virustotal.com/en-gb/ip-address/93.93.194.202/information/
216.254.231.11: https://www.virustotal.com/en-gb/ip-address/216.254.231.11/information/
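
As an added example (not code from the quoted blogs or from this thread), a Python check for the two attachment tricks described above: a ZIP hiding behind a name that does not end in .zip (the "check.zip size=57747.zipsize=57747" attachments) and an executable named like a document (info_bank_pdf.exe, new_application_form.exe) that a spoofed icon and hidden extensions make look like a PDF. The mail message, archives and file contents are constructed inline; the MZ and %PDF bytes are header stand-ins, not real samples.

```python
"""Attachment triage for the lure patterns above: judge by bytes, not by name."""
import io
import os
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows Explorer hides by default, so "info_bank_pdf.exe" shows as "info_bank_pdf".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Words the lures use to make an executable read like paperwork.
DOCUMENT_WORDS = re.compile(r"pdf|doc|xls|invoice|payslip|receipt|form|scan", re.IGNORECASE)
ZIP_MAGIC = b"PK\x03\x04"   # local file header that starts every ZIP archive
PE_MAGIC = b"MZ"            # DOS header that starts every Windows executable


def inspect_member(name, payload):
    """Findings for one file (an archive member or a bare attachment)."""
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    is_pe = payload[:2] == PE_MAGIC
    if not (is_pe or ext in EXECUTABLE_EXTS):
        return []
    findings = [f"{name!r}: executable content in a mail attachment"]
    if is_pe and ext not in EXECUTABLE_EXTS:
        findings.append(f"{name!r}: PE header behind extension {ext or '(none)'}")
    if DOCUMENT_WORDS.search(base):
        findings.append(f"{name!r}: executable named like a document")
    inner = os.path.splitext(base)[1].lower()
    if inner in DOCUMENT_EXTS:
        findings.append(f"{name!r}: double extension {inner}{ext}")
    return findings


def inspect_attachment(filename, data):
    """Findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    if data[:4] == ZIP_MAGIC:
        # The mis-named attachment is still a ZIP, so open it by its magic bytes
        # and look at every member rather than trusting the outer name.
        if ext != ".zip":
            findings.append(f"ZIP content behind misleading name {filename!r}")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    findings.extend(inspect_member(info.filename, archive.read(info)))
        except zipfile.BadZipFile:
            findings.append(f"{filename!r}: ZIP magic present but the archive does not parse")
    else:
        findings.extend(inspect_member(filename, data))
    return findings


def scan_message(raw):
    """Map each attachment filename in a raw RFC 5322 message to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results[name] = inspect_attachment(name, part.get_payload(decode=True) or b"")
    return results


# --- constructed samples (stand-ins, not real malware) -------------------------------

def build_sample_zip(member_name, member_bytes):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, member_bytes)
    return buf.getvalue()


def build_sample_message(attachment_name, attachment_bytes):
    msg = EmailMessage()
    msg["From"] = "Stacey Grimly <constructed@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Hope this e-mail finds you well"
    msg.set_content("We made the list of missing documents for Your ease (attached).")
    msg.add_attachment(attachment_bytes, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


FAKE_PE = PE_MAGIC + b"\x90" * 62          # only the bytes a PE file starts with
FAKE_PDF = b"%PDF-1.4 constructed sample"

if __name__ == "__main__":
    raw = build_sample_message("new_filling_form.zip",
                               build_sample_zip("new_application_form.exe", FAKE_PE))
    for name, findings in scan_message(raw).items():
        print(name, "->", findings or "clean")
```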

:fear: :mad:

Fake 'Hilton Hotels', 'Considerable law alternations' SPAM, Twitter BoA PHISH

FYI...

Fake 'Hilton Hotels' SPAM – PDF malware
- http://myonlinesecurity.co.uk/a-for-guest-warde-said-hilton-hotels-fake-pdf-malware/
24 June 2015 - "'A for guest WARDE SAID' pretending to come from CTAC_DT_Hotel@ Hilton .com with a zip attachment is another one from the current bot runs... The email looks like:
Thank you for choosing our hotel and we very much hope that you enjoyed your stay with us.
Enclosed is a copy of your receipt(FOLIODETE_9601395.pdf). Should you require any further assistance please do not hesitate to contact us directly.
We look forward to welcoming you back in the near future.
This is an automatically generated message. Please do not reply to this email address...


24 June 2015: FOLIODETE_9601395.zip: Extracts to: FOLIODETE_2015_0006_0024.exe
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en-gb/fi...332bc67df87a2c5fdc55b848/analysis/1435142883/
___

Fake 'Considerable law alternations' SPAM - malicious payload
- http://blog.dynamoo.com/2015/06/malware-spam-considerable-law.html
24 June 2015 - "This -fake- legal spam comes with a malicious payload:
Date: Wed, 24 Jun 2015 22:04:09 +0900
Subject: Considerable law alternations
Pursuant to alternations made to the Criminal Code securities have to be reestimated.
Described proceeding is to finish until April 2016.
However shown levy values to be settled last in this year.
Please see the documents above .
Pamela Adams
Chief accountant


In the sample I saw there was an attachment named excerptum_from_the_implemented_rule.zip containing a malicious executable excerptum_from_the_implemented_act.exe which has a VirusTotal detection rate of 2/55*. Automated analysis tools... show malicious traffic to the following IPs:
The Malwr report and Hybrid Analysis report indicate a couple of dropped files, gebadof.exe (VT 2/55**) and qppwkce.exe (VT 3/55***). This malware appears to be a combination of the Upatre downloader and Dyre banking trojan.
Recommended blocklist:
"
* https://www.virustotal.com/en/file/...95742cdbf8d63a8e91f490e6/analysis/1435151345/

** https://www.virustotal.com/en/file/...95742cdbf8d63a8e91f490e6/analysis/1435153236/

*** https://www.virustotal.com/en/file/...01dd2018dc7f94577b86c13f/analysis/1435153268/
___

Fake Bank of America Twitter Feed Leads to Phish ...
- https://blog.malwarebytes.org/fraud...-america-twitter-feed-leads-to-phishing-page/
June 24, 2015 - "Over the last day or so, a Twitter feed claiming to be a support channel for Bank of America has been sending links and messages to anybody having issues with their accounts. Here’s the dubious BoA Twitter account in question:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/boatwitfeed1.jpg
... In most cases, they direct people to a URL where they can supposedly fix their problems, which is
sclgchl1(dot)eu(dot)pn/index(dot)html
They’ve also been seen asking for credentials directly via DM (Direct Message). They appear to be using that classic Twitter -phishing- technique: look for people sending help messages to an official account, then inject themselves into the conversation:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/boatwitfeed2.jpg
Here’s a sample list of messages they’ve been sending to BoA customers:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/boatwitterstorm.jpg
Some things to note: the Twitter account is -not- verified, and the page collecting personal information is not HTTPS secured which is never a good sign where sending banking credentials to someone is concerned. If you land on their page with JavaScript disabled, you’ll be asked to switch it on again:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/boatwitfeed3.jpg
The site asks for the following information: Online ID, Passcode, Account Number, Complete SSN or Tax Identification Number and Passcode. Once all of this information is entered, the victim is redirected to the real Bank of America website... At time of writing, the site is being flagged by Chrome for phishing:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/boatwitfeed7.jpg
We’ve also spotted another page on the same domain which looks like a half-finished Wells Fargo “Security Sign On” page:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/boatwitfeed8.jpg
We advise customers of BoA to be very careful where they’re sending account credentials – note that the official BoA Twitter feed has a -Verified- icon, and that small but crucial detail could make all the difference where keeping your account secure is concerned."

sclgchl1(dot)eu(dot)pn: 83.125.22.211: https://www.virustotal.com/en-gb/ip-address/83.125.22.211/information/
___

Samsung laptops deliberately disable Windows Update with bloatware
- http://www.theinquirer.net/inquirer...erately-disable-windows-update-with-bloatware
Jun 24 2015 - "... Samsung, in common with a number of manufacturers, has an app for finding the latest drivers and updates to, well, frankly, bloatware. In Samsung's case the app is called SW Updater. Samsung describes it thus: 'Find easy ways to install and maintain the latest software, protect your computer, and back up your music, movies, photos and files'... a teardown from Microsoft MVP Patrick Barker* has revealed that Samsung laptops -include- an executable file called Disable_Windowsupdate.exe which kind of explains itself really. What's really disturbing about this, as if it wasn't enough already, is that if you turn Windows Update back on, SW Updater goes back and turns it back -off- again..."
* http://bsodanalysis.blogspot.in/2015/06/samsung-deliberately-disabling-windows.html

- http://www.neowin.net/news/samsung-cripples-windows-update-to-help-your-settings
Jun 24, 2015
___

Instapaper App vulnerable to Man-in-the-Middle Attacks
- http://labs.bitdefender.com/2015/06/android-instapaper-app-vulnerable-to-man-in-the-middle-attacks/
June 23, 2015 - "... analyzed popular Android app Instapaper and found it can be vulnerable to man-in-the-middle attacks that could expose users’ signup/login credentials when they try to log in to their accounts. The vulnerability may have serious consequences, especially if users have the same password for more than one account, leaving them potentially vulnerable to intrusions.
The Problem: Instapaper allows users to save and store articles for reading, particularly for when they’re offline, on the go, or simply don’t have access to the Internet. The application works by saving most web pages as text only and formatting their layout for tablets or phone screens. Everyone who wants to use the application is required to sign-up and create an account to check out notes, liked articles or access other options. However, the vulnerability lies not in the way the application fetches content, but in the way it implements (or in this case, doesn’t implement) certificate validation. Although the entire communication is handled via HTTPS, the app performs no certificate validation. If someone were to perform a man-in-the-middle attack, he could use a self-signed certificate and start “communicating” with the application...
The Attack: If a user were to sign into his account while connected to a Wi-Fi network that’s being monitored by an attacker, his authentication credentials (both username and password) could easily be intercepted using any fake certificate and a traffic-intercepting tool...
Implications: While the attacker might seem to only gain access to your Instapaper account, most people use the same password for multiple accounts. A cybercriminal could try and use your Instapaper password to access your social media or email accounts. Studies have shown that more than 50% of users reuse the same password, so the chances are -better- than even that more than one account could be vulnerable if your Instapaper credentials have been stolen. We have notified the development team behind the Android Instapaper app about the found vulnerability, but they have yet to confirm when a fix will become available..."
___

SEC hunts hacks who stole corp emails to trade stocks
- http://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623
Jun 23, 2015 - "U.S. securities regulators are investigating a group of hackers suspected of breaking into corporate email accounts to steal information to trade on, such as confidential details about mergers, according to people familiar with the matter. The Securities and Exchange Commission has asked at least eight listed companies to provide details of their data breaches, one of the people said. The unusual move by the agency reflects increasing concerns about cyber attacks on U.S. companies and government agencies. It is an "absolute first" for the SEC to approach companies about possible breaches in connection with an insider trading probe, said John Reed Stark, a former head of Internet enforcement at the SEC. "The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading," said Stark, now a private cybersecurity consultant. According to people familiar with the matter, the SEC's inquiry and a parallel probe by the U.S. Secret Service - which investigates cyber crimes and financial fraud - were spurred by a December report by security company FireEye Inc about a sophisticated hacking group that it dubbed 'FIN4'. Since mid-2013, FIN4 has tried to hack into email accounts at more than 100 companies, looking for confidential information on mergers and other market-moving events. The targets include more than 60 listed companies in biotechnology and other healthcare-related fields, such as medical instruments, hospital equipment and drugs, according to the FireEye report*..."
* https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html
Nov 30, 2014

- http://www.reuters.com/video/2015/0...ers?videoId=364704066&newsChannel=cyber-crime
Video 2:08

:fear::fear: :mad:

Dyre is main financial Trojan threat

FYI...

Dyre emerges as main financial Trojan threat
- http://www.theregister.co.uk/2015/06/25/dyre_banking_vxers_love_mondays_symantec_says/
25 Jun 2015 - "... the masterminds behind the Dyre banking malware are putting in full five-day working weeks to maintain some -285- command and control servers handling stolen banking credentials. The malware is one of the worst in circulation using its fleet of command and control servers to handle the reams of bank account data blackhats steal using phishing websites. Symantec says* the attacks are confined largely to Europe outside of Russia and Ukraine where most of the command and control servers are located..."
* http://www.symantec.com/connect/app#!/blogs/dyre-emerges-main-financial-trojan-threat
23 Jun 2015 - "... After a number of recent takedowns against major financial threats such as Gameover Zeus, Shylock, and Ramnit, the threat posed by these groups has receded but Dyre has taken their place as one of the main threats to ordinary consumers. Detected by Symantec as Infostealer.Dyre, Dyre targets Windows computers and can steal banking and other credentials by attacking all three major web browsers (Internet Explorer, Chrome, and Firefox). Dyre is a two-pronged threat. Aside from stealing credentials, it can also be used to infect victims with other types of malware, such as adding them to -spam- botnets... the number of Dyre infections began to surge a year ago and the attackers behind this malware have steadily improved its capabilities and continued to build out supporting infrastructure:
Dyre detections over time:
> http://www.symantec.com/connect/sites/default/files/users/user-2598031/Fig1_24.png
... Dyre is mainly spread using spam emails. In most cases the emails masquerade as businesses documents, voicemail, or fax messages. If the victim clicks-on-an-email’s-attachment, they are -redirected- to a malicious website which will install the Upatre downloader on their computer... In many cases, the victim is added to a -botnet- which is then used to power further spam campaigns and infect more victims..."

>> https://www.symantec.com/connect/sites/default/files/users/user-2598031/dyre-infographic_1.jpg
___

Web security subtleties and exploitation of combined vulnerabilities
- https://isc.sans.edu/diary.html?storyid=19837
2015-06-25 - "The goal of a penetration test is to report all identified vulnerabilities to the customer. Of course, every penetration tester puts most of his effort into finding critical security vulnerabilities: SQL injection, XSS and similar, which have the most impact for the tested web application... what we exploit with the XSS vulnerability in the first place: typically the attacker tries to steal cookies in order to gain access to the victim’s session. Since here sessions are irrelevant, the attacker will not use XSS to steal cookies but instead to change what the web page displays to the victim. This can be used for all sorts of -phishing- exploits and, depending on the URL and context of the attack, can be even more devastating than stealing the sessions."
(More detail at the isc URL above.)
___

Fraud Alert Issued on Business Email Compromise Scam
- https://www.us-cert.gov/ncas/curren...d-Alert-Issued-Business-Email-Compromise-Scam
June 24, 2015 - " The Financial Services Information Sharing and Analysis Center (FS-ISAC) and federal law enforcement agencies have released a joint alert warning companies of a sophisticated wire payment scam referred to as business email compromise (BEC). Scammers use fraudulent information to trick companies into directing financial transactions into accounts scammers control. Users and administrators are encouraged to review the BEC Joint Report (link is external*) for details and refer to the US-CERT Tip ST04-014** for information on social engineering and phishing attacks."
* https://www.fsisac.com/sites/default/files/news/BEC_Joint_Product_Final.pdf

** https://www.us-cert.gov/ncas/tips/ST04-014
"... Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information..."

- http://blogs.cisco.com/security/talos/hook-line-sinker#more-172509
June 24, 2015 - "... Attackers are constantly targeting user data and attempting to trick users into leaking sensitive information through phishing campaigns. These phishing attempts are targeting normal users who represent the customers of the various businesses being targeted. If the emails come through a work email, the user can take advantage of a layered approach to security that will usually indicate these attacks as spam or even malicious. Most home users, however, do not have the same layered security configuration on their home networks. Many of these phish also attempt to try to place time pressure on the user to get them to act quickly and without taking the time to think about what they are doing. Therefore, it is important for users to be constantly vigilant, and to remain -calm- when they receive that cleverly crafted phishing email. Users should always take time to think -before- revealing any sensitive information, whether it is on the phone, via email, or through the web..."

:fear::fear: :mad:

Fake 'Xerox Scan', 'Vehicle Tax', 'Order Confirmation', 'Transport' SPAM

FYI...

Fake 'Xerox Scan' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/scann...er-word-doc-or-excel-xls-spreadsheet-malware/
26 June 2015 - "'Scanned from a Xerox Multifunction Printer' pretending to come from Xerox (random number) @ your own email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please open the attached document. It was scanned and sent to you using a Xerox Multifunction Printer.
Attachment File Type: DOC, Multi-Page
Multifunction Printer Location:
Device Name: XRX9C934E5EEC46 ...


26 June 2015: Scanned from a Xerox Multifunction Printer.doc
Current Virus total detections: 4/56* ... downloads Dridex banking malware from http ://sudburyhive .org/708/346.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...50c0180fd881f75d1577fe66/analysis/1435301557/

** https://www.virustotal.com/en-gb/fi...3f9e3ec0af62f7e36e6f835d57e327a4b93/analysis/
... Behavioural information
TCP connections
68.169.49.213: https://www.virustotal.com/en-gb/ip-address/68.169.49.213/information/
88.221.15.80: https://www.virustotal.com/en-gb/ip-address/88.221.15.80/information/

sudburyhive .org: 104.27.172.61: https://www.virustotal.com/en-gb/ip-address/104.27.172.61/information/
104.27.173.61: https://www.virustotal.com/en-gb/ip-address/104.27.173.61/information/
___

Fake 'Vehicle Tax' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/notif...01-word-doc-or-excel-xls-spreadsheet-malware/
26 June 2016 - "'Notification of Vehicle Tax DD Payment Schedule (Ref: 000000-000005-274421-001)' pretending to come from directdebit@ taxdisc.service .gov .uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Important: Confirmation of your successful
Direct Debit instruction
Dear customer
Vehicle registration number: FG08OEE
Thank you for arranging to pay the vehicle tax by Direct Debit.
Please can you check that the details attached below, and your payment schedule are correct.
If any of the above financial details are incorrect please contact your bank as soon as possible.
However, if your details are correct you don’t need to do anything and your Direct Debit will be
processed as normal. You have the right to cancel your Direct Debit at any time. A copy of the
Direct Debit Guarantee is included with this letter.
For your information, the collection will be made using this reference, and this is how your
payment will be detailed on your bank statements:
DVLA Identifier: 295402
Reference: FG08OEE
Your vehicle tax will automatically renew unless you notify us of any changes. We will send a new
payment schedule at the time of renewal.
Yours sincerely
Rohan Gye
Vehicles Service Manager
Driver a& Vehicle Licencing Agency logo


26 June 2015: FG08OEE.doc - Current Virus total detections: 4/55*. This downloads the same Dridex banking malware in exactly the -same- way as today’s other malspam word macro downloader 'Scanned from a Xerox Multifunction Printer' – word doc or excel xls spreadsheet malware** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...4eedf50c77db2c299bf70f24/analysis/1435304855/

** http://myonlinesecurity.co.uk/scann...er-word-doc-or-excel-xls-spreadsheet-malware/

- http://blog.dynamoo.com/2015/06/malware-spam-notification-of-vehicle.html
26 June 2015
werktuigmachines .be: 46.30.212.5: https://www.virustotal.com/en-gb/ip-address/46.30.212.5/information/
___

Fake 'Order Confirmation' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/order...in-word-doc-or-excel-xls-spreadsheet-malware/
26 June 2015 - "'Order Confirmation RET-385236 250615' pretending to come from [1NAV PROD RCS] <donotreply@ royal-canin .fr> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

[Garbled text in body]... When it is repaired it then reads:

Please find attached your Sales Order Confirmation
Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.


This has an attachment as described below:
25 February 2015: Order Confirmation RET-385236 250615.doc - Current Virus total detections: 4/56*
... which is a macro downloader that downloads Dridex banking malware in exactly the -same- way and from the same series of locations as today’s other malspam runs 'Notification of Vehicle Tax DD Payment Schedule (Ref: 000000-000005-274421-001)' - word doc or excel xls spreadsheet malware -and- 'Scanned from a Xerox Multifunction Printer' – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...6ac10c36a04b9e3ff52f8b4d/analysis/1435313019/

- http://blog.dynamoo.com/2015/06/malware-spam-order-confirmation-ret.html
26 June 2015
"... Recommended blocklist:
68.169.49.213
87.236.215.151
2.185.181.155
"

colchester-institute .com: 213.171.218.136: https://www.virustotal.com/en-gb/ip-address/213.171.218.136/information/
___

Fake 'Transport' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/email...-word-doc-or-excel-xls-spreadsheet-malware-2/
26 June 2015 - "Email from 'Transport for London' pretending to come from noresponse@ cclondon .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear Customer,
Please open the attached file to view correspondence from Transport for
London.
If the attachment is in DOC format you may need Adobe Acrobat Reader to
read or download this attachment.
Thank you for contacting Transport for London.
Business Operations
Customer Service Representative
This email has been scanned by the Symantec Email Security.cloud service...


26 June 2015: AP0210932630.doc - Current Virus total detections: 5/54*
... which is yet another in today’s -malspam- series of macro malware downloaders that deliver Dridex banking malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...3c19d7569b82995b957616ec/analysis/1435315714/
___

Samsung's bundled SW Update tool actively -disables- Windows Update on reboot
- http://arstechnica.com/information-...y-disabling-windows-update-on-some-computers/
Updated, June 25... "... We have reached out to both Samsung and Microsoft for comment, but they hadn't replied at the time of publishing... SW Update is included on many Samsung PCs, but it's possible that Disable_Windowsupdate.exe is only being executed on a subset of devices that are "incompatible" with Windows Update. If you have a Samsung laptop, perhaps go and check if Windows Update is still enabled..."
> Unresolved.

- http://www.neowin.net/news/samsung-cripples-windows-update-to-help-your-settings
Jun 24, 2015
___

Critical flaw in ESET products...
- http://www.infoworld.com/article/29...ups-are-interested-in-antivirus-programs.html
Jun 24, 2015 - "Several antivirus products from security firm ESET had a critical vulnerability that was easy to exploit and could lead to a full system compromise. The discovery of the flaw, which has now been patched*, comes on the heels of a report that intelligence agencies from the U.K. and the U.S. are reverse engineering antivirus products in search for vulnerabilities and methods to bypass detection..."
* http://www.virusradar.com/en/update/info/11824
2015-06-22 - "A security vulnerability has been -fixed- in the scanning engine..."
___

Memo Spam
- http://threattrack.tumblr.com/post/122516583493/memo-spam
26 June 2015 - "Subjects Seen:
Memo dated 9th June
Memo dated 13th March


Screenshot: https://36.media.tumblr.com/f0a1d3289633d50e98c984669d0bef6f/tumblr_inline_nqkat2Drzx1r6pupn_500.png

Typical e-mail details:
Be acknowledged that on Monday the 6th of May a letter was forwarded to chief accountant The indicated act has important information considering the levy refund procedure
We ask you to verify the proper receiving of the facsimile .
For Your convenience this document had been attached.
Helen Smith
Tax Officer


Malicious File Name and MD5:
fragment_of_the_forwarded_prescript.exe (d8885ab98d6e60295a4354050827955e)


Tagged: Memo, Upatre
___

Stop Spamming Me Spam
- http://threattrack.tumblr.com/post/122423543503/stop-spamming-me-spam
25 June 2015 - Subjects Seen
stop spamming me

Screenshot: https://40.media.tumblr.com/754a6563af064dc0d95dbe704bbbaa77/tumblr_inline_nqi9o9eMIU1r6pupn_500.png

Typical e-mail details:
stop sending me offers from towcaps.com
i am not interested.
i have attached the email i received from jmcfarland@ towcaps .com.
please stop


Malicious File Name and MD5:
email_message.doc (26185bf0c06d8419c09c76a0959d2b85)


Tagged: Word Macro Exploit, Fareit, Stop Spamming
___

Signed CryptoWall 3.0 variant delivered via MediaFire
- http://research.zscaler.com/2015/06/signed-cryptowall-30-variant-delivered.html
June 4, 2015 - "... search led us to this e-mail campaign* where the attachment contains a Microsoft Compiled HTML help (CHM) file that leads to the download and execution of the latest CryptoWall 3.0 variant hosted on MediaFire..."
* https://techhelplist.com/index.php/...rypted-message-from-jpmorgan-chase-co-malware
>> https://malwr.com/analysis/MTBhNWQ5NjRiZGMzNDIyNGE3Y2VmMGIyOWZjM2I3YTU/
"... Hosts..."
[CryptoWall 3.0] / -Still- -all- pumping badness 6.26.2015 !!

:fear::fear: :mad:

Fake 'Hello', 'WhatsApp Chat' SPAM, 'Paypal' PHISH

FYI...

Multiple Exploit kits abuse CVE-2015-3113
- http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html
June 29, 2015 - "Patched... (2015-06-23) with Flash 18.0.0.194*, the CVE-2015-3113 has been spotted as a 0day by FireEye, exploited in limited targeted attacks. It's now making its path to Exploit Kits...
Magnitude: 2015-06-27 ... IE11 in Windows 7... 2015-06-27
Angler EK: 2015-06-29 ... IE11 in Windows 7... 2015-06-29
* https://helpx.adobe.com/security/products/flash-player/apsb15-14.html

> https://technet.microsoft.com/en-us/library/security/2755801
June 23, 2015
___

Fake 'Hello' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/hello-word-doc-or-excel-xls-spreadsheet-malware/
29 June 2015 - "'Hello' pretending to come from Willa <swaffs@ tiscali .co.uk> with a malicious word doc rtf attachment is another one from the current bot runs... The email looks like:
I reserved for myself and friends three double rooms with 30.06 to 14:06.
I wanted to change a reservation!
Because some friends canceled, I would like to change reservation to two double room!
Thanks!
Therese.


28 June 2015: document.rtf - Current Virus total detections: 8/56*
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...7fa8e9cf59a1db4f59bc9adf/analysis/1435533593/
___

Fake 'WhatsApp Chat' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/whats...on-word-doc-or-excel-xls-spreadsheet-malware/
29 June 2015 - "'WhatsApp Chat with Jay Stephenson' pretending to come from your own email address with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

Chat history is attached as “WhatsApp Chat: Jay Stephenson.txt” file to this email.

29 June 2015 : WhatsApp Chat_ Jay Stephenson.doc Current Virus total detections: 4/55*
... Which downloads Dridex banking malware from http ://dev.seasonsbounty .com/543/786.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...49ff5fdb3d538a79dccea157/analysis/1435562464/

** https://www.virustotal.com/en-gb/fi...9beabe08d79179ddd7d5209e/analysis/1435564213/
... Behavioural information
TCP connections
78.47.139.58: https://www.virustotal.com/en-gb/ip-address/78.47.139.58/information/
88.221.14.249: https://www.virustotal.com/en-gb/ip-address/88.221.14.249/information/

seasonsbounty .com: 104.28.28.38: https://www.virustotal.com/en-gb/ip-address/104.28.28.38/information/
104.28.29.38: https://www.virustotal.com/en-gb/ip-address/104.28.29.38/information/
___

Fake 'CEF Documents' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/cef-documents-dawn-sandel-word-doc-or-excel-xls-spreadsheet-malware/
29 June 2015 - "'CEF Documents' pretending to come from Dawn.Sandel@ cef .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find attached the following documents issued by City Electrical Factors:
Invoice – BLA/176035 – DUCHMAID
If you have any problems or questions about these documents then please do not hesitate to contact us.
Regards,
Dawn Sandel ...


29 June 2015 : BLA176035.doc - Current Virus total detections: 5/56*
... Downloads the same Dridex banking malware as described in today’s earlier malspam run of malicious word docs 'WhatsApp Chat with Jay Stephenson' – word doc or excel xls spreadsheet malware** ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...aaaef1674924602ead39b1ef/analysis/1435572586/

** http://myonlinesecurity.co.uk/whats...on-word-doc-or-excel-xls-spreadsheet-malware/

- http://blog.dynamoo.com/2015/06/malware-spam-cef-documents.html
29 June 2015
"... Recommended blocklist:
78.47.139.58
87.236.215.151
91.121.173.193
183.81.166.5
"
___

Fake 'Payslip' SPAM - malicious payload
- http://blog.dynamoo.com/2015/06/malware-spam-payslip-for-period-end.html
29 June 2015 - "This -fake- financial spam comes with a malicious payload:
From: noreply@ fermanagh .gov.uk [noreply@ fermanagh .gov.uk]
Date: 29 June 2015 at 11:46
Subject: Payslip for period end date 29/06/2015
Dear [redacted]
Please find attached your payslip for period end 29/06/2015
Payroll Section


Attached is a file payslip.zip which contains the malicious executable payslip.exe which has a VirusTotal detection rate of 8/55*. Automated analysis... shows a file being downloaded from:
http :// audileon .com.mx/css/proxy_v29.exe . That binary has a detection rate of just 2/55 [Malwr analysis**] Also, Hybrid Analysis... shows the following IPs are contacted for what looks to be malicious purposes:
69.73.179.87 (Landis Holdings Inc, US)
67.219.166.113 (Panhandle Telecommunications Systems Inc., US)
212.37.81.96 (ENERGOTEL a.s./ Skylan s.r.o, Slovakia)
209.193.83.218 (Visionary Communications Inc., US)
67.206.96.30 (Chickasaw Telephone, US)
208.123.129.153 (Secom Inc , US)
91.187.75.75 (Servei De Telecomunicacions D'Andorra, Andorra)
84.16.55.122 (ISP Slovanet (MNET) Brezno, Czech Republic)
178.219.10.23 (Orion Telekom, Serbia)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
83.168.164.18 (SWAN, a.s. TRIO network, Slovakia)
178.54.231.147 (PP Merezha, Ukraine)
75.98.158.55 (Safelink Internet, US)
67.206.97.238 (Chickasaw Telephone, US)
176.197.100.182 (E-Light-Telecom, Russia)
31.134.73.151 (Trk Efir Ltd., Ukraine)
188.255.241.22 (Orion Telekom, Serbia)
31.42.172.36 (FLP Pirozhok Elena Anatolevna, Ukraine)
67.207.228.144 (Southwest Oklahoma Internet, US)
176.120.201.9 (Subnet LLC, Russia)
109.87.63.98 (TRIOLAN / Content Delivery Network Ltd, Ukraine)
38.124.169.148 (PSINet, US)
80.87.219.35 (DSi DATA s.r.o., Slovakia)
195.34.206.204 (Private Enterprise Radionet, Ukraine)
93.119.102.70 (Moldtelecom LIR, Moldova)
184.164.97.242 (Visionary Communications Inc., US)

I am unable to determine exactly what the payload is..."
Recommended blocklist:
69.73.179.87
67.219.166.113
212.37.81.96
209.193.83.218
67.206.96.30
208.123.129.153
91.187.75.75
84.16.55.122
178.219.10.23
194.28.190.84
83.168.164.18
178.54.231.147
75.98.158.55
67.206.97.238
176.197.100.182
31.134.73.151
188.255.241.22
31.42.172.36
67.207.228.144
176.120.201.9
109.87.63.98
38.124.169.148
80.87.219.35
195.34.206.204
93.119.102.70
184.164.97.242
"
* https://www.virustotal.com/en/file/...f8ec202fbe1ce150c45c6f8d/analysis/1435584105/

** https://malwr.com/analysis/M2FkNDQyNGY0YjdkNDdiN2E3ZjQ3MWE1Y2RkYTg2Mzc/

audileon .com.mx: 69.73.179.87: https://www.virustotal.com/en/ip-address/69.73.179.87/information/
___

Fake 'Paypal' PHISH...
- http://myonlinesecurity.co.uk/receipt-for-your-paypal-payment-to-zynga-gamesfacebook-com-phishing/
28 June 2015 - "'Receipt for your PayPal payment to Zynga Games@ facebook .com' pretending to come from service@ paypal .com.au <payment.refunds@ netcabo .pt> is one of the latest -phish- attempts to steal your Paypal account and your Bank, credit card and personal details...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/paypal_save-the-whales-phish_email.png

The link in the email when you hover over it sends you to http ://guyit64d43tyw45uaer .saves-the-whales .com/ATERJT 8OYG8 JHG5R8 YRDTDY JYUGH DRYCJ/
If you follow the link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/AFRIKA_Paypal-login-1.png
After entering email and password, you get sent to a page saying your account has been -frozen- due to fraud, continue to resolution centre to sort it out.
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/06/paypal_save-the-whales-phish.png
Following that link gets you to the nitty-gritty of the phishing scam and you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format.
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/03/AFRIKA_Paypal-login-2.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

saves-the-whales .com: 204.13.248.119: https://www.virustotal.com/en-gb/ip-address/204.13.248.119/information/

afrikids .com.mx: 192.185.140.214: https://www.virustotal.com/en-gb/ip-address/192.185.140.214/information/

Twitter Phish, Fake 'Bank payment', 'Payment due' SPAM

FYI...

Fake Twitter Verification Profile leads to Phishing, Credit Card Theft
- https://blog.malwarebytes.org/fraud...-profile-leads-to-phishing-credit-card-theft/
June 30, 2015 - "... we’ve come across a -bogus- Twitter account harbouring a nasty surprise for anybody taken in by their fakery. Twitter Feed “Verified6379” claims to be an “Official Verification Page” with a link to a shortened Goo.gl URL. The site it directs visitors to is:
verifiedaccounts(dot)byethost9(dot)com/go(dot)html
Here’s the Twitter feed in question:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/faketwtverif0.jpg
... This week has seen 3,000+ click the link so far, with the majority of visitors coming from the US and UK. What do those with a thirst for verification see upon hitting the page? A rather nasty double whammy of phishing and payment information theft. First up, the -phish- which asks for Username, Password and Email along with questions about why the victim thinks they should be verified, if they’ve ever been suspended and how many followers they have. Note that once the accounts have been compromised, information such as follower count makes it easy for the phisher to work out which are the best ones to use to spread more malicious links:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/faketwtverif1.jpg
After this, the verification hunter will be presented with the below screen:
> https://blog.malwarebytes.org/wp-content/uploads/2015/06/faketwtverif2.jpg
The page reads as follows:
Congratulations! You are one step away from being verified, please understand we require each user to pay the $4.99 verification fee. Processing this fee allows us to verify your identity much faster.
Uh oh. They then go on to ask for card number, expiration date, CVV, name, address, phone number, state, country and zip code along with a confirmation email. There’s no way to know how many people completed all of the steps, but there’s potential here for the scammers to have made off with quite the haul of stolen accounts and pilfered payment credentials. Note that the so-called payment page doesn’t have a secured connection either, so if a third party happened to be snooping traffic and you were on an insecure connection there’d now be two people running around with your information instead of just one. We’ve seen a number of possibly related accounts pushing out similar links, all offline / suspended at time of writing. There’s sure to be others floating around, so please be careful with your logins... more information on Twitter Verification, you should read their FAQ page. From a related article:
'Twitter currently does -not- accept applications for verification. If we identify your account as being eligible, we will reach out to you to start the verification process'.
The only Twitter feed you should pay any attention to with regard to the little blue tick is the Official Verification account – anybody else should be treated with caution, especially if asking for logins via Direct Message or websites asking for -credentials- and / or -payment- information..."

verifiedaccounts(dot)byethost9(dot)com: 185.27.134.210: https://www.virustotal.com/en/ip-address/185.27.134.210/information/
___

Fake 'Bank payment' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/bank-...uk-word-doc-or-excel-xls-spreadsheet-malware/
30 June 2015 - "'Bank payment' pretending to come from sarah@ hairandhealth .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Please find attached a bank payment for 28th June 2015 for £288.00
to pay inv 1631 less cr 1129. With thanks.
Kind regards
Sarah
Accounts
SBP Beauty & Lifestyle


30 June 2015: Bank payment 281014.doc - Current Virus total detections: 3/56*
... Downloads Dridex banking malware from:
http ://www .medisinskyogaterapi .no/59/56.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...953ce48c387ecc1bdb13c270/analysis/1435652743/

** https://www.virustotal.com/en/file/...eb8983d695dc4b93a32f02d4/analysis/1435653462/
... Behavioural information
TCP connections
78.47.139.58: https://www.virustotal.com/en/ip-address/78.47.139.58/information/
88.221.14.249: https://www.virustotal.com/en/ip-address/88.221.14.249/information/
___

Fake 'Payment due' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/06/malware-spam-donna-vipond-donnavipondev.html
30 June 2015 - "This -fake- invoice does not come from Event Furniture Ltd but is instead a simple forgery with a malicious attachment:
From "Donna Vipond" [donna.vipond@ ev-ent .co.uk]
Date Tue, 30 Jun 2015 13:13:28 +0100
Subject Payment due - 75805
Please advise when we can expect to receive payment of the attached
invoice now due? I await to hear from you.
Kind Regards
Donna Vipond
Accounts
Event Furniture Ltd T/A Event Hire
Tel: 01922 628961 x 201


Attached is a file 75805.doc which comes in two (or more) different versions (Hybrid Analysis report). The samples I saw downloaded a file from either:
www .medisinskyogaterapi .no/59/56.exe
www .carpstory .de/59/56.exe
This is saved as %TEMP%\silvuple.exe and it has a VirusTotal detection rate of 6/55*. The various analyses including Malwr report and Hybrid Analysis indicate malicious traffic to 78.47.139.58 (Hetzner, Germany). The payload is probably the Dridex banking trojan.
Recommended blocklist:
78.47.139.58 "
* https://www.virustotal.com/en/file/...f5fe00fe0ffbb41ccaedeabc/analysis/1435667157/

medisinskyogaterapi .no: 178.164.11.101: https://www.virustotal.com/en/ip-address/178.164.11.101/information/

carpstory .de: 81.169.145.164: https://www.virustotal.com/en/ip-address/81.169.145.164/information/

- http://myonlinesecurity.co.uk/payme...re-word-doc-or-excel-xls-spreadsheet-malware/
30 June 2015 - "... -same- Dridex banking malware as today’s other malspam run of macro enabled word docs Bank payment SBP Beauty & Lifestyle hairandhealth .co.uk* – word doc or excel xls spreadsheet malware..."
> https://www.virustotal.com/en/file/...cb22f2e2cbd0276bd743a815/analysis/1435667097/

* http://myonlinesecurity.co.uk/bank-...uk-word-doc-or-excel-xls-spreadsheet-malware/
___

RFC 7568 Deprecates SSLv3 As Insecure
- http://tech.slashdot.org/story/15/06/30/1457204/rfc-7568-deprecates-sslv3-as-insecure
June 30, 2015 - "SSLv3 should -not- be used*, according to the IETF's RFC 7568. Despite being replaced by three versions of TLS, SSLv3 is still in use. Clients and servers are now recommended to reject requests to use SSLv3 for secure communication. "SSLv3 Is Comprehensively Broken" ** say the authors, and lay out its flaws in detail."
* http://tools.ietf.org/html/rfc7568

** http://tools.ietf.org/html/rfc7568#section-4
___

Malvertising targeting the Netherlands
- http://blog.fox-it.com/2015/06/15/large-malvertising-campaign-targeting-the-netherlands/
Update 16-06-2015: "After coordinating with the advertisers the malicious host was -blocked- and removed from their advertisement platforms. Indicators of Compromise:
The following IP and domain should be -blocked- in order to avoid the current campaign:
otsmarketing[.]com / 107[.]181[.]187[.]81
The Angler Exploit kit typically installs the Bedep Trojan, which installs -additional- malware. Bedep can typically be found by looking at consecutive POST requests to the following two websites:
earthtools .org/timezone/0/0
ecb.europa .eu/stats/eurofxref/eurofxref-hist-90d.xml
We have yet to identify the final payload."

107.181.187.81: https://www.virustotal.com/en/ip-address/107.181.187.81/information/

earthtools .org: Could not find an IP address for this domain name.

ecb.europa .eu: 208.113.226.171: https://www.virustotal.com/en/ip-address/208.113.226.171/information/

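The Fox-IT note above gives a concrete network indicator for Bedep: consecutive POST requests to earthtools .org/timezone/0/0 and ecb.europa .eu/stats/eurofxref/eurofxref-hist-90d.xml. The script below is an added example (not from Fox-IT or this thread) that runs that detection over proxy log lines. The log format it parses (ISO timestamp, client IP, method, URL) and the 60-second pairing window are assumptions; the sample lines are constructed, not real traffic.

```python
"""Flag hosts whose proxy log shows the Bedep check-in pattern described by
Fox-IT: a POST to earthtools.org/timezone/0/0 followed shortly by a POST to
ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml.

Added example.  The log format (ISO timestamp, client IP, method, URL) is an
assumption, not any real proxy's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicators from the Fox-IT write-up as (host, path) pairs, in the order the
# trojan contacts them.  Legitimate clients only ever GET the ECB rates file.
BEDEP_BEACONS = (
    ("earthtools.org", "/timezone/0/0"),
    ("ecb.europa.eu", "/stats/eurofxref/eurofxref-hist-90d.xml"),
)
MAX_GAP = timedelta(seconds=60)  # how close the two POSTs must be (assumption)


def parse_line(line):
    """Parse 'timestamp client method url' into a dict; None for junk lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, method, url = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return {"when": when, "client": client, "method": method.upper(),
            "host": host, "path": u.path}


def beacon_index(rec):
    """0 or 1 for the first/second Bedep beacon (POST only), else None."""
    if rec["method"] != "POST":
        return None
    for i, (host, path) in enumerate(BEDEP_BEACONS):
        if rec["host"] == host and rec["path"] == path:
            return i
    return None


def find_bedep_hosts(lines, max_gap=MAX_GAP):
    """Sorted client IPs that POSTed to beacon 0 and then beacon 1 within max_gap."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        idx = beacon_index(rec)
        if idx is not None:
            per_client[rec["client"]].append((rec["when"], idx))
    hits = set()
    for client, events in per_client.items():
        events.sort()
        for (t1, i1), (t2, i2) in zip(events, events[1:]):
            if i1 == 0 and i2 == 1 and t2 - t1 <= max_gap:
                hits.add(client)
                break
    return sorted(hits)


# Constructed sample log, not real traffic: one clean GET, one infected host,
# one host whose two POSTs are too far apart to count, and a junk line.
SAMPLE_LOG = """\
2015-06-16T10:00:01 10.0.0.5 GET http://www.ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml
2015-06-16T10:02:10 10.0.0.7 POST http://www.earthtools.org/timezone/0/0
2015-06-16T10:02:11 10.0.0.7 POST http://www.ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml
2015-06-16T10:05:00 10.0.0.9 POST http://www.earthtools.org/timezone/0/0
2015-06-16T11:30:00 10.0.0.9 POST http://www.ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml
garbage line
""".splitlines()

if __name__ == "__main__":
    print(find_bedep_hosts(SAMPLE_LOG))  # ['10.0.0.7']
```

The ECB exchange-rate file is a legitimate resource that finance software fetches routinely, so the method matters: GETs to it are normal, a POST to it is not, and the pairing with the earthtools timezone POST is what Fox-IT describes. Tune MAX_GAP to what you observe; the trojan's requests are back to back, so a tight window keeps false positives down.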
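RFC 7568, quoted above, says servers must refuse SSLv3. The quickest way to confirm that one of your own servers does is to offer it nothing but an SSLv3 ClientHello and look at what comes back. The probe below is an added example (not from the RFC, Slashdot or this thread); it builds the record by hand because current Python/OpenSSL builds no longer speak SSLv3 themselves. The cipher-suite list and the two constructed server responses are assumptions used to exercise the classifier offline.

```python
"""Check whether a TLS server still negotiates SSLv3 (deprecated by RFC 7568).

Added example.  It sends a minimal SSLv3 ClientHello (no extensions; SSLv3
has none) and classifies the first record the server returns.  Host and port
are the caller's choice; nothing here is taken from the page.
"""
import os
import socket
import struct

# Suites SSLv3-era servers commonly offered (values from the IANA cipher-suite
# registry): AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5.
SSLV3_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)
SSLV3 = b"\x03\x00"


def build_sslv3_client_hello(suites=SSLV3_SUITES):
    """Bytes of an SSLv3 ClientHello wrapped in a handshake record."""
    body = SSLV3 + os.urandom(32)                       # client_version, random
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", 2 * len(suites))          # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back to the SSLv3 ClientHello.

    'accepted' - a ServerHello carrying version 3.0: SSLv3 is still enabled.
    'rejected' - an alert (protocol_version, handshake_failure, ...) or a
                 ServerHello with any other version.
    'unknown'  - no parseable TLS record (connection closed, plaintext, ...).
    """
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == 0x15:                            # alert record
        return "rejected"
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        return "accepted" if payload[4:6] == SSLV3 else "rejected"
    return "unknown"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, send the ClientHello and classify the reply (uses the network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


# Constructed server responses for checking the classifier offline.
ALERT_PROTOCOL_VERSION = b"\x15\x03\x00\x00\x02\x02\x46"      # fatal, protocol_version (70)
SERVER_HELLO_SSLV3 = (b"\x16\x03\x00\x00\x2a"                  # handshake record, 42 bytes
                      + b"\x02\x00\x00\x26"                    # ServerHello, body 38 bytes
                      + b"\x03\x00" + b"\x00" * 32             # server_version 3.0, random
                      + b"\x00" + b"\x00\x2f" + b"\x00")       # no session id, AES128-SHA, null

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: sslv3_probe.py <host>")
    print(sys.argv[1], probe_sslv3(sys.argv[1]))
```

Read 'rejected' as "this ClientHello did not get an SSLv3 ServerHello", not as a full audit: some middleboxes drop the connection without an alert ('unknown'), and a server that still allows TLS 1.0 with export or RC4 suites has other problems the RFC does not cover. A server that returns 'accepted' is exposed to the POODLE-style attacks the RFC's section 4 lays out and should have SSLv3 disabled in its configuration.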
Fake 'swift bank transfers', 'taxes application' SPAM

FYI...

Fake 'swift bank transfers' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/a-ser...rs-word-doc-or-excel-xls-spreadsheet-malware/
1 July 2015 - "A series of emails on the theme of swift bank transfers pretending to come from random email addresses and random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Some subjects seen are:
Fw: Automated Clearing House VRD4OB
Fw: Notification 9XLM1B
Fwd Invoice A6MV0KAOT ... The email looks like these:
The RecentJ transfer, just initiated from your company’s online banking account, was rejected by the Electronic Payments Association2.
DeniedZ SWIFT transfer
Transaction4 Case ID 8L515KJY
Total Amount 3526.76 USD ...
Reason of abort See attached statement
Please click the file given with this email to get more information about this issue.

-Or-
The SWIFTD transfer, recently sent from your company’s online bank account, was aborted by the Electronic Payments AssociationV.
Denied2 transaction
TransferB Case ID CUV0RUF
Total Amount 1953.61 US Dollars ...
Reason of abort See attached word document
Please click the doc file attached below to get more info about this issue.


1 July 2015: EBRSONOU.doc | JIZES.doc | XWUDNJK.doc
Current Virus total detections: 4/56* | 4/56** | 4/56*** |
... All of which try to connect to these 2 sites and download a base64 encoded text file from the first location and a simple test text from the second location.
www .fresh-start-shopping .com/wp-content/uploads/2015/06/167362833333.txt
www .gode-film .dk/wp-content/uploads/2015/06/kaka.txt
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en-gb/fi...399ec9a8ceeb0bb195cec2bf/analysis/1435729795/

** https://www.virustotal.com/en-gb/fi...ef7044263063feb0ddd66a52/analysis/1435729826/

*** https://www.virustotal.com/en-gb/fi...d16f6efb13f30eafaefb2381/analysis/1435729851/

fresh-start-shopping .com: 192.186.246.136: https://www.virustotal.com/en/ip-address/192.186.246.136/information/

gode-film .dk: 81.19.232.168: https://www.virustotal.com/en/ip-address/81.19.232.168/information/
___

Fake 'HMRC taxes application' SPAM - leads to malware
- http://blog.dynamoo.com/2015/07/malware-spam-hmrc-taxes-application.html
1 July 2015 - "This -fake- tax spam leads to malware:
From "noreply@ taxreg.hmrc .gov.uk" [noreply@ taxreg .hmrc .gov.uk]
Date Wed, 1 Jul 2015 11:20:37 +0000
Subject HMRC taxes application with reference L4TI 2A0A UWSV WASP received
The application with reference number L4TI 2A0A UWSV WASP submitted by you or your
agent to register for HM Revenue & Customs (HMRC) taxes has been received and will
now be verified. HMRC will contact you if further information is needed.
Please download/view your HMRC documents here: http ://quadroft .com/secure_storage/get_document.html
The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate
Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded
for legal purposes.d


If you have the correct browser agent (e.g. Internet Explorer 8 on Windows) you will see a "Your document will download shortly.." notice. If you have something else, a fake -404- page will be generated:
> https://1.bp.blogspot.com/-8-KFWqr7bvc/VZPQVakQH7I/AAAAAAAAGvY/UPY9foHUjEw/s1600/document.png
The page then forwards to the real HMRC login page but attempts to dump a -malicious- ZIP from another source at the same time:
> https://2.bp.blogspot.com/-Nuz7HP-XSSs/VZPQwIyZjOI/AAAAAAAAGvg/aXHCFba_yMw/s400/fake-hmrc.png
In this case, the ZIP file was Document_HM901417.zip which contains a -malicious- executable Document_HM901417.exe. This has a VirusTotal detection rate of 3/55* (identified as the Upatre downloader). Automated analysis... shows attempted traffic to 93.185.4.90 (C2NET, Czech Republic) and a dropped executable with a random name and an MD5 of ba841ac5f7500b6ea59fcbbfd4d8da32 with a detection rate of 2/55**. The payload is almost definitely the Dyre banking trojan.
* https://www.virustotal.com/en/file/...b7db3dd5f95dafa1054b96c0/analysis/1435748839/

** https://www.virustotal.com/en/file/...8120d8022bbe9cd359b55146/analysis/1435750980/

93.185.4.90: https://www.virustotal.com/en/ip-address/93.185.4.90/information/
___

Fake 'Document Order' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/docum...ng-word-doc-or-excel-xls-spreadsheet-malware/
1 July 2015 - "'Document Order 555-073766-24707377/1' (random numbers) pretending to come from web-filing@ companies-house .gov.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Order: 555-073766-24707377 29/06/2015 09:35:46
Companies House WebFiling order 555-073766-24707377/1 is attached.
Thank you for using the Companies House WebFiling service.
Email: enquiries@ companies-house .gov.uk Telephone +44 (0)303 1234 500
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.


1 July 2015: compinfo_555-073766-24707377_1.doc - Current Virus total detections: 4/56*
... Downloads Dridex banking malware from:
http ://ferringvillage .co.uk/75/85.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...a8ae985acbab90f119d0407d/analysis/1435735503/

** https://www.virustotal.com/en/file/...4f44846a002af98cfc9d3e06/analysis/1435735797/

ferringvillage .co.uk: 217.72.186.4: https://www.virustotal.com/en/ip-address/217.72.186.4/information/
___

Fake 'Underreported Income' SPAM - links to malware
- http://blog.dynamoo.com/2015/07/malware-spam-notice-of-underreported.html
1 July 2015 - "The second HMRC spam run of the day...
From: HM Revenue and Customs [noreply@ hmrc .gov.uk]
Date: 1 July 2015 at 11:36
Subject: Notice of Underreported Income
Taxpayer ID: ufwsd-000004152670UK
Tax Type: Income Tax
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax income statement on HM Revenue and Customs ( HMRC ).Download your HMRC statement.
Please complete the form. You can download HMRC Form herc


In this case, the link goes to bahiasteel .com/secure_storage/get_document.html however, the payload is Upatre leading to the Dyre banking trojan, as seen in this other spam run* today."
* http://blog.dynamoo.com/2015/07/malware-spam-hmrc-taxes-application.html

bahiasteel .com: 213.186.33.16: https://www.virustotal.com/en/ip-address/213.186.33.16/information/
___

Fake 'Statement' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/state...om-word-doc-or-excel-xls-spreadsheet-malware/
1 July 2015 - "'Statement JUL-2015' pretending to come from Phil <phil@ twococksbrewery .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...ur-LogMeIn-Pro-payment-has-been-processed.png

25 February 2015: logmein_pro_receipt.xls - Current Virus total detections: 7/55*
... Which downloads the -same- Dridex banking malware as today’s earlier examples 'Document Order 555-073766-24707377/1- Companies House WebFiling** – word doc or excel xls spreadsheet malware and 'Document Order 555-073766-24707377/1- Companies House WebFiling*** – word doc or excel xls spreadsheet malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...0f1d936e5a6ec46360125f34/analysis/1435755731/

** http://myonlinesecurity.co.uk/docum...ng-word-doc-or-excel-xls-spreadsheet-malware/

*** http://myonlinesecurity.co.uk/docum...ng-word-doc-or-excel-xls-spreadsheet-malware/

Angler Exploit Kit pushing CryptoWall, 'Grey Side' of Ads ...

FYI...

Angler Exploit Kit pushing CryptoWall 3.0
- https://isc.sans.edu/diary.html?storyid=19863
2015-07-02 - "... Recently, this EK has been altering its URL patterns on a near-daily basis. The changes accumulate, and you might not recognize current traffic generated by Angler... Angler pushes different payloads, but we're still seeing a lot of CryptoWall 3.0 from this EK. We first noticed CryptoWall 3.0 from Angler near the end of May 2015:
> https://isc.sans.edu/diaryimages/images/2015-07-02-ISC-diary-image-01.jpg
Traffic from Tuesday, 2015-07-01 shows Angler EK from 148.251.167.57 and 148.251.167.107 at different times during the day..."
(More detail at the isc URL above.)

148.251.167.57: https://www.virustotal.com/en/ip-address/148.251.167.57/information/

148.251.167.107: https://www.virustotal.com/en/ip-address/148.251.167.107/information/
___

The 'Grey Side' of Mobile Advertising
- https://blog.malwarebytes.org/mobile-2/2015/07/the-grey-side-of-mobile-advertising/
July 2, 2015 - "... Mobile advertising is a headache because of its intrusiveness, the amount of bandwidth used, and other unexpected nefarious behaviors. I get it, there’s money to be made–the good guys are trying to sell us something, the bad guys are trying to steal something, and the grey guys are doing a little of both. Grey hats do their work in between the good and the malicious sides of computing and often push the limits of maliciousness when it comes to making a quick buck. Some advertisers have been pushing this grey line by using shady tactics in order to get app installs for some time now. These pay-per-install ad campaigns use the same scarevertising* messaging we see from malware authors like; “You are infected” or “System Alert.” Unlike -fake- alerts that lead to malware, these alerts often -redirect- to legitimate apps residing in Google’s Play Store, like battery saving and security type apps... Most of these ad campaigns use the same wording, images, and fake scans used by malware authors. Because of this, we wanted to spread the word to ignore these ads and hopefully take away some of their impact. Shutting them down and tracking their creators have been difficult. The ads don’t stick around long and Ad Networks have a difficult time preventing because of their small footprint compared to all the ‘good’ ad traffic–they get lost in the chaos.
Don’t fall for the bait. If you come across any of these -fake- messages you can back out of the page or close the tab to dismiss. If they persist it might be necessary to clear out browser history and cookies..."
* https://en.wikipedia.org/wiki/Scareware

Fake 'Statement', 'reference' SPAM, Nuclear EK, RIG EK...

FYI...

Fake 'Statement' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/07/malware-spam-statement-as-at-30062015.html
6 July 2015 - "This -fake- financial spam does not come from Hobs Reprographics plc but instead is a simple forgery with a malicious attachment...
From: Manchester Accounts [manchester.accounts@ hobsrepro .com]
Date: 6 July 2015 at 07:10
Subject: Statement as at 30/06/2015
Please find attached statement from HOBS REPROGRAPHICS PLC as at
30/06/2015.
Please note that our payment terms are 30 days.


So far I have only seen one sample, with an attachment named ELLE013006.doc [VT 4/54*] which contains this malicious macro... which downloads a malicious executable from:
ozelduzensurucukursu .com/253/632.exe
... There are usually several versions of the document... The executable is saved as %TEMP%\blogdynamoocom.exe (see what they did there?) and has a VirusTotal detection rate of 1/50**. Automated analysis tools... indicate that the malware phones home to:
62.210.214.106 (OVH, France)
93.89.224.97 (Isimtescil, Cyprus)
87.236.215.151 (OneGbits, Lithuania)
The payload to this is almost definitely the Dridex banking trojan.
Recommended blocklist:
62.210.214.106
93.89.224.97
87.236.215.151
"
* https://www.virustotal.com/en/file/...44ce1b638b9cd826434f6cd2/analysis/1436170412/

** https://www.virustotal.com/en/file/...80f1f30ee7b9ebf7f26b4af4/analysis/1436169984/

ozelduzensurucukursu .com: 93.89.224.97: https://www.virustotal.com/en/ip-address/93.89.224.97/information/

- http://myonlinesecurity.co.uk/state...lc-word-doc-or-excel-xls-spreadsheet-malware/
6 July 2015: ELLE013006.DOC - Current Virus total detections: 4/54*
... There are multiple different versions all of which will download a Dridex banking malware**"
* https://www.virustotal.com/en-gb/fi...b45255e955ce30b494c6562e/analysis/1436175110/

** https://www.virustotal.com/en-gb/fi...07ab23ed921f542d1a4a983a/analysis/1436173972/
___

Fake 'reference' SPAM - PDF malware
- http://myonlinesecurity.co.uk/with-...nior-consultant-tax-officer-fake-pdf-malware/
6 July 2015 - "'With reference to telephone conversation' coming from random names and email addresses with a zip attachment is another one from the current bot runs... Some subjects seen in this series of emails which have been coming in almost every day for the last week or so include:
With reference to telephone conversation
Further to telephone communication
With reference to Skype discussion
Further to Skype communication
In In the course of telephone conversation
In In the course of telephone consultation


The email looks like:
With reference to yesterday telephone conversation could You send us the kits of books for affixed 2013 original of which is enclosed below.
Please be notified that mail information must contain following tracking No. 159724 for our convenience.
Please also send us a fragment of passport.
If You have any issues regarding provision of mentioned details as soon as possible please contact our legal department colleagues.
Pamela Nelson
Tax authority

-Or-
Further to earlier telephone discussion please dispatch us the packages of financial statements form-sheets years 2015 transcript of which has been enclosed below.
Please be notified that mail details must contain following tracking Numbers 740524 for our ease.
Be so kind to additionally send us an extract of ID.
In case You have any issues with regard to provision of mentioned information at the earliest convenience kindly call our legal office colleagues.
Anna Nelson
Tax authority

-Or-
Further to Tuesday telephone communication please forward to our address the kits of returns for affixed 2013 fragment of which has been attached above.
Please note that mail information ought to include following tracking Numbers 160428 for our convenience.
Be so kind to additionally forward us an transcript of identification.
If You have any problems regarding sending of mentioned information as soon as possible please call our legal office colleagues.
Diane Nelson
Senior Consultant

-Or-
With reference to our Skype discussion please forward us the kits of financial reports form-sheets affixed 2014 fragment of which has been attached to this e-mail.
Please be notified that dispatch information ought to include following tracking No. 887803 for our ease.
Be so kind to additionally send us a copy of identification.
Provided that Your colleagues have several issues regarding dispatch of requested information as early as can please call our contract office staff.
Jane Adams
Tax Officer


And hundreds of other similar worded emails with different numbers, people and positions.
06 July 2015: pattern_of_the_returns.zip: Extracts to: scan-copy_of_the_books.exe
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...dc7f08e96c36e64580ef972f/analysis/1436180365/
___

BizCN gate actor changes from Fiesta to Nuclear exploit kit
- https://isc.sans.edu/diary.html?storyid=19875
Last Updated: 2015-07-06 - "An 'actor' using gates registered through BizCN recently switched from Fiesta to Nuclear exploit kit (EK)... domains used for the gate have all been registered through the Chinese registrar BizCN. We collected traffic and malware samples related to this actor from Friday 2015-07-03 through Sunday 2015-07-05. This traffic has the following characteristics:
• Compromised servers are usually (but not limited to) forum-style websites.
• Gate domains have all been registered through the Chinese registrar BizCN using privacy protection.
• The domains for Nuclear EK change every few hours and were registered through freenom .com.
Nuclear EK for this actor is on 107.191.63.163, which is an IP registered to Vultr, a hosting provider specializing in SSD cloud servers... The payload occasionally changes and includes malware identified as Yakes [1], Boaxxe [2], and Kovter. NOTE: For now, Kovter is relatively easy to spot, since it's the only malware I've noticed that updates the infected host's Flash player [3].
Chain of events: During a full infection chain, the traffic follows a specific chain of events. The compromised website has malicious javascript injected into the page that points to a URL hosted on a BizCN-registered gate domain. The gate domain redirects traffic to Nuclear EK on 107.191.63.163. If a Windows host running the web browser is vulnerable, Nuclear EK will infect it. Simply put, the chain of events is:
• Compromised website
• BizCN-registered gate domain
• Nuclear EK ..."
(More detail at the isc URL above.)
[1] https://www.virustotal.com/en/file/...63a6d635f968b4dc7b932482d7901691326/analysis/

[2] https://www.virustotal.com/en/file/...cd93d3b041589b0422f8519cb68a4efb995/analysis/

[3] http://malware.dontneedcoffee.com/2015/07/kovter-adfraud-is-updating-flash-for-you.html

107.191.63.163: https://www.virustotal.com/en/ip-address/107.191.63.163/information/

> http://malware-traffic-analysis.net/2015/07/05/index2.html
___

RIG exploit kit: Ransomware delivered through Google Drive...
- https://heimdalsecurity.com/blog/security-alert-ransonmware-google-drive-cryptowall-campaign/
July 2nd, 2015 - "... Heimdal Security has recently collected and analyzed a new drive-by campaign abusing vulnerabilities in various popular third-party products. In this campaign, the payload is delivered through the popular Google Drive platform. In the next stage, the payload downloads and runs CryptoWall from a long list of compromised webpages... On these compromised web pages, several malicious scripts force the user to a narrow selection of dedicated domains used in the campaign (more than 80 active domains). These domains make use of a commercial exploit kit known as RIG, which will try to abuse vulnerabilities in Java JRE, Adobe Reader, IE and Flash Player. If the victim’s system is not fully updated with the latest version of the software mentioned above, the RIG exploit kit will drop a file that contacts a series of predefined Google drive URLs..."
___

Hacking Team hacked, attackers claim 400GB in dumped data
- http://www.csoonline.com/article/29...ked-attackers-claim-400gb-in-dumped-data.html
Jul 5, 2015 - "... Specializing in surveillance technology, 'Hacking Team' is now learning how it feels to have their internal matters exposed to the world, and privacy advocates are enjoying a bit of schadenfreude at their expense. Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies... Reporters Without Borders has listed the company on its Enemies of the Internet index* due largely to Hacking Team's business practices and their primary surveillance tool Da Vinci... It isn't known who hacked Hacking Team; however, the attackers have published a Torrent file with 400GB of internal documents, source code, and email communications to the public at large. In addition, the attackers have taken to Twitter, defacing the Hacking Team account with a new logo, biography, and published messages with images of the compromised data..."
* https://surveillance.rsf.org/en/hacking-team/

- http://www.theinquirer.net/inquirer...d-as-attackers-expose-400gb-of-corporate-data
Jul 06 2015

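Several entries above describe the same trick: payslip.zip unpacking to payslip.exe, Document_HM901417.zip to Document_HM901417.exe, and pattern_of_the_returns.zip to scan-copy_of_the_books.exe, an executable whose icon mimics a PDF so that with known extensions hidden it passes for a document. A mail gateway should decide by content, not by the name or icon the sender chose. The script below is an added example (not from myonlinesecurity, dynamoo or this thread): it builds such archives in memory from constructed samples (a minimal MZ/PE stub, not the real malware) and flags members whose bytes are a PE image however they are named. The extension lists are assumptions.

```python
"""Inspect ZIP attachments by content rather than by filename.

Added example.  fake_pe() produces a buffer that merely looks like a PE image
to a header check; it is not a runnable program, and the sample archives are
constructed here, not taken from any real malspam run.
"""
import io
import struct
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def is_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def classify_member(name, data):
    """List of reasons an archive member is suspicious (empty means none found)."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if is_pe(data):
        reasons.append("PE executable")
        if ext in DOCUMENT_EXTS or ext == "":
            reasons.append("executable disguised with document/no extension")
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + ext)
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension ." + parts[-2] + "." + ext)
    return reasons


def scan_zip(blob):
    """Map each member name to its reasons."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # a real gateway caps this: zip bombs exist
            results[info.filename] = classify_member(info.filename, data)
    return results


def fake_pe():
    """Minimal buffer that passes is_pe(); NOT an executable."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples mirroring the attachment names quoted in the entries above.
SAMPLES = {
    "pattern_of_the_returns.zip": make_zip({"scan-copy_of_the_books.exe": fake_pe()}),
    "Document_HM901417.zip": make_zip({"Document_HM901417.exe": fake_pe()}),
    "invoice.zip": make_zip({"invoice.pdf.exe": fake_pe()}),
    "statement.zip": make_zip({"statement.pdf": b"%PDF-1.4\n%%EOF\n"}),
}

if __name__ == "__main__":
    for archive, blob in SAMPLES.items():
        for member, reasons in scan_zip(blob).items():
            print(archive, "->", member, reasons or "clean")
```

The icon is never consulted: an .exe with a PDF icon is still an .exe, and the MZ/PE check catches it even if the sender renames it to "scan-copy.pdf". The check does not cover the macro-bearing .doc/.xls attachments that dominate the entries above; those are genuine Office files and need a macro scan, not a header check.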
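Every indicator in this thread is defanged so it cannot be clicked: "hundeschulegoerg .de", "http ://dev.seasonsbounty .com/543/786.exe", "sarah@ hairandhealth .co.uk", "otsmarketing[.]com / 107[.]181[.]187[.]81", "verifiedaccounts(dot)byethost9(dot)com". Before any of the "Recommended blocklist" sections above (Payslip, CEF Documents, Payment due, Statement) can go into a firewall or proxy they have to be refanged and de-duplicated. The script below is an added example, not from dynamoo, myonlinesecurity or this thread; it reverses the conventions used on this page and extracts IPv4 addresses and hostnames. The file-extension list it uses to ignore filenames, and the sample text, are assumptions built from indicators quoted above.

```python
"""Refang defanged indicators and extract IPs and hostnames for a blocklist.

Added example.  Handles the conventions seen in the quoted write-ups:
'example .com', 'http ://', 'user@ example .com', 'example[.]com',
'1[.]2[.]3[.]4' and 'example(dot)com'.
"""
import re
from ipaddress import ip_address

# Each rule reverses one defanging convention.
_REFANG_RULES = (
    (re.compile(r"\[\.\]"), "."),                                # example[.]com, 1[.]2[.]3[.]4
    (re.compile(r"\(dot\)", re.I), "."),                         # example(dot)com
    (re.compile(r"\b(https?)\s*:\s*//", re.I), r"\1://"),        # http ://
    (re.compile(r"(?<=[\w-])\s+\.(?=[a-z])", re.I), "."),        # example .com, www .example
    (re.compile(r"@\s+(?=\w)"), "@"),                            # user@ example.com
)

# Last labels that mark a filename in this material rather than a hostname (assumption).
_NOT_TLDS = {"exe", "doc", "docx", "xls", "xlsx", "pdf", "zip", "txt", "xml",
             "html", "htm", "png", "jpg", "php"}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(text):
    """Undo every defanging convention in text."""
    for pattern, repl in _REFANG_RULES:
        text = pattern.sub(repl, text)
    return text


def extract_ipv4(text):
    """Valid IPv4 addresses in text, refanged, de-duplicated, in address order."""
    found = set()
    for candidate in _IPV4.findall(refang(text)):
        try:
            found.add(ip_address(candidate))
        except ValueError:      # e.g. 999.1.1.1 matches the regex but is not an address
            continue
    return [str(ip) for ip in sorted(found)]


def extract_hosts(text, strip_www=True):
    """Hostnames in text, refanged, lower-cased, de-duplicated and sorted."""
    found = set()
    for host in _HOST.findall(refang(text).lower()):
        if host.rsplit(".", 1)[-1] in _NOT_TLDS:
            continue
        if strip_www and host.startswith("www."):
            host = host[4:]
        found.add(host)
    return sorted(found)


# Constructed sample assembled from indicators quoted above (plus one bogus IP).
SAMPLE = """\
Downloads Dridex from http ://dev.seasonsbounty .com/543/786.exe
pretending to come from sarah@ hairandhealth .co.uk
www .medisinskyogaterapi .no/59/56.exe
otsmarketing[.]com / 107[.]181[.]187[.]81
verifiedaccounts(dot)byethost9(dot)com/go(dot)html
Recommended blocklist: 78.47.139.58 87.236.215.151 999.1.1.1
"""

if __name__ == "__main__":
    print("ips:", extract_ipv4(SAMPLE))
    print("hosts:", extract_hosts(SAMPLE))
```

Treat the output as a review list, not an automatic block rule. Prose with a missing space after a full stop ("attachment.The email") is indistinguishable from a hostname to this regex, and some of the addresses quoted above belong to shared infrastructure: the 104.28.x.x addresses listed for seasonsbounty .com sit in Cloudflare's 104.16.0.0/12 range, and blocking an edge IP blocks every site behind it. Block the download hosts and the dedicated C2 addresses the analysts flagged; resolve the rest before acting on them.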