SPAM frauds, fakes, and other MALWARE deliveries...

Fake 'Your order', 'MI Package', 'Resume' SPAM, Malicious Typo-Squatting

FYI...

Fake 'Your order' SPAM – doc malware
- http://myonlinesecurity.co.uk/your-order-10232-from-create-blinds-online-paid-word-doc-malware/
10 Aug 2015 - "'Your order 10232 from Create Blinds Online: Paid' pretending to come from orders@ createblindsonline .co.uk with a malicious word doc attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
... The email looks like:
We would like to thank you for your recent order. Order Status updated on: 10/08/2015 Your Customer ID: 1761 Your Order ID: 10232
Invoice Number: 10232
Delivery Note: We received your order and payment on Aug/102015 Your order details are attached:
Kind regards
Create Blinds Online Team ...


Screenshot: http://myonlinesecurity.co.uk/wp-co...our-order-10232-from-Create-Blinds-Online.png

10 August 2015: invoice-10232.doc Current Virus total detections: 5/55* Downloads Dridex banking malware from http ://mbmomti .com.br/435rg4/3245rd2.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...2c7832e36c8516292e5f1165/analysis/1439189964/

** https://www.virustotal.com/en/file/...301962f6f03484b26ddccdd8/analysis/1439190149/
... Behavioural information
TCP connections
78.47.119.85: https://www.virustotal.com/en/ip-address/78.47.119.85/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

mbmomti .com.br: 187.17.111.99: https://www.virustotal.com/en/ip-address/187.17.111.99/information/

- http://blog.dynamoo.com/2015/08/malware-spam-your-order-10232-from.html
10 Aug 2015 - "... attempts to download a -malicious- binary from one of the following locations:
mbmomti .com.br/435rg4/3245rd2.exe
j-choi .asia/435rg4/3245rd2.exe
... generates traffic to 78.47.119.85 (Hetzner, Germany). The payload is almost definitely the Dridex banking trojan."
j-choi .asia: 153.122.0.184: https://www.virustotal.com/en/ip-address/153.122.0.184/information/
___

Fake 'MI Package' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/premi...13-word-doc-or-excel-xls-spreadsheet-malware/
10 Aug 2015 - "'Premium Charging MI Package for Merchant 17143013' pretending to come from GEMS@ Worldpay .com with a malicious word doc attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... DO NOT follow the advice they give to enable macros or enable editing to see the content:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
... The email looks like:
*** Please do not reply to this Message *** Attached is the Management Information to support your Monthly Invoice. Should you have any queries, please refer to your usual helpdesk number.

10 August 2015: 17143013 01.docm - Current Virus total detections: 5/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...88117cdc3a05616bc5cb6f8d/analysis/1439196186/

- http://blog.dynamoo.com/2015/08/malware-spam-premium-charging-mi.html
10 Aug 2015 - "... one sample named 17143013 01.docm ... detection rate of 5/55* and it contains this malicious macro... which then downloads a component from:
gardinfo .net/435rg4/3245rd2.exe
This is exactly the -same- payload as seen in this spam run** also from this morning."
* https://www.virustotal.com/en/file/...be15459999af85493f31b349/analysis/1439198630/

** http://blog.dynamoo.com/2015/08/malware-spam-your-order-10232-from.html

gardinfo .net: 62.210.16.61: https://www.virustotal.com/en/ip-address/62.210.16.61/information/
___

Fake 'Resume' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/08/malware-spam-gabriel-daniel-resume.html
10 Aug 2015 - "This fake résumé comes with a malicious attachment:
From: alvertakarpinskykcc@ yahoo .com
Date: 10 August 2015 at 19:40
Subject: Resume
Signed by: yahoo .com
Hi my name is Gabriel Daniel doc is my resume
I would appreciate your immediate attention to this matter
Kind regards
Gabriel Daniel


Interestingly, the email does really appear to come via Yahoo!'s mail servers. Attached is a document Gabriel_Daniel_resume.doc which contains this malicious macro... which has a VirusTotal detection rate of 2/56*. As far as I can tell, it appears to download a disguised JPG file from 46.30.43.179/1.jpg (Eurobyte LLC, Russia) which appears to be an encrypted executable. I wasn't able to decode all of the macro, however this Hybrid Analysis report shows clearly what is going on:
> https://1.bp.blogspot.com/-pVLYG1iCchQ/VcjC9aEOGPI/AAAAAAAAG4I/WNCsjruC-UA/s1600/cryptowall.png
So, it is pretty clear that the payload here is -Cryptowall- (which encrypts all the victim's files). The same Hybrid Analysis report shows that it POSTS information to:
conopizzauruguay .com/wp-content/wp-content/themes/twentythirteen/cccc.php?v=c91jzn46yr
conopizzauruguay .com/wp-content/wp-content/themes/twentythirteen/cccc.php?b=86v97tziud5m
conopizzauruguay .com/wp-content/wp-content/themes/twentythirteen/cccc.php?o=ups5xom3u2sb01
It also directs the visitor to various personalised ransom pages hosted on 80.78.251.170 (Agava, Russia).
Recommended blocklist:
46.30.43.179
80.78.251.170
conopizzauruguay .com
"
*https://www.virustotal.com/en/file/...d854296b73c2dce99aff50d8/analysis/1439219044/

conopizzauruguay .com: 208.113.240.70: https://www.virustotal.com/en/ip-address/208.113.240.70/information/
___

.COM.COM Used For Malicious Typo Squatting
- https://isc.sans.edu/diary.html?storyid=20019
2015-08-10 - "... domains ending in ".com.com" are being -redirected- to what looks like malicious content. Back in 2013, a blog by Whitehat Security pointed out that the famous "com.com" domain name was sold by CNET to known typo squatter dsparking .com [1]. Apparently, dsparking .com paid $1.5 million for this particular domain. Currently, the whois information uses privacy protect, and DNS for the domain is hosted by Amazon's cloud. All .com.com hostnames appear to resolve to 54.201.82.69, also hosted by Amazon (amazon .com .com is also directed to the same IP, but right now results in more of a "Parked" page, not the -fake- anti-malware as other domains). The content you receive varies. For example, on my first hit from my Mac to facebook .com .com , I received the following page:
> https://isc.sans.edu/diaryimages/images/Screen Shot 2015-08-10 at 2_34_58 PM.png
And of course the -fake- scan it runs claims that I have a virus :) . As a "solution", I was offered the well known scam-app "Mackeeper". Probably best to -block- DNS lookups for any .com.com domains. The IP address is likely going to change soon, but I don't think there is any valid content at any ".com.com" host name. The Whitehat article does speak to the danger of e-mail going to these systems... Amazon EC2 abuse was notified."
[1] https://blog.whitehatsec.com/why-com-com-should-scare-you/

54.201.82.69: https://www.virustotal.com/en/ip-address/54.201.82.69/information/

:fear::fear: :mad:
 
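The ISC diary above recommends blocking DNS lookups for any ".com.com" name, and dynamoo's résumé write-up ends with a recommended blocklist. As an added example (not code from the ISC diary, dynamoo's post, or this thread), the block below turns that advice into a small DNS-log filter: it flags any query for a hostname under .com.com and any answer that resolves to one of the addresses quoted in this post. The dnsmasq-style log lines are constructed for the demo; the log format, the function names and the exact-match blocklist policy are assumptions, not anything the sources specify.

```python
"""Flag DNS activity matching the IoCs quoted in this post.

Added example, not from the ISC diary or dynamoo's blog.  Assumptions:
dnsmasq-style "query[...]"/"reply ..." log lines, exact-match host and IP
lists, and wholesale blocking of every name ending in ".com.com".
"""
import ipaddress
import re

# Exact host / IP matches, taken from the blocklist and IP values quoted above.
BLOCKED_HOSTS = {"conopizzauruguay.com"}
BLOCKED_IPS = {ipaddress.ip_address(a)
               for a in ("46.30.43.179", "80.78.251.170", "54.201.82.69")}

# The diary's advice: no ".com.com" hostname carries valid content, so block
# the bare name and every subdomain of it.
BLOCKED_SUFFIXES = ("com.com",)

# Constructed sample log (dnsmasq-like format is an assumption).
SAMPLE_LOG = """\
Aug 10 14:34:58 dnsmasq[1234]: query[A] facebook.com.com from 10.0.0.12
Aug 10 14:34:58 dnsmasq[1234]: reply facebook.com.com is 54.201.82.69
Aug 10 14:35:01 dnsmasq[1234]: query[A] www.example.org from 10.0.0.12
Aug 10 14:35:01 dnsmasq[1234]: reply www.example.org is 93.184.216.34
Aug 10 14:36:10 dnsmasq[1234]: query[A] conopizzauruguay.com from 10.0.0.20
Aug 10 14:36:10 dnsmasq[1234]: reply conopizzauruguay.com is 208.113.240.70
Aug 10 14:37:00 dnsmasq[1234]: query[A] cdn.somehost.net from 10.0.0.20
Aug 10 14:37:00 dnsmasq[1234]: reply cdn.somehost.net is 46.30.43.179
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<addr>\S+)")


def normalise(name):
    """Lower-case and strip the trailing dot of an FQDN so matches are stable."""
    return name.rstrip(".").lower()


def host_is_blocked(name):
    """True for an exact blocklist hit or any name under a blocked suffix."""
    name = normalise(name)
    if name in BLOCKED_HOSTS:
        return True
    return any(name == s or name.endswith("." + s) for s in BLOCKED_SUFFIXES)


def addr_is_blocked(addr):
    """True if a DNS answer resolves to a blocklisted IP (CNAMEs are ignored)."""
    try:
        return ipaddress.ip_address(addr) in BLOCKED_IPS
    except ValueError:
        return False


def scan_dns_log(text):
    """Return (line_no, reason, detail) for every line that should be blocked or alerted on."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = QUERY_RE.search(line)
        if m and host_is_blocked(m["name"]):
            hits.append((n, "blocked-host-query", f"{m['name']} from {m['client']}"))
            continue
        m = REPLY_RE.search(line)
        if m and addr_is_blocked(m["addr"]):
            # A clean-looking name answering with a known-bad IP is the case the
            # suffix rule alone would miss (the diary expects the IP to change).
            hits.append((n, "blocked-ip-answer", f"{m['name']} -> {m['addr']}"))
    return hits


if __name__ == "__main__":
    for line_no, reason, detail in scan_dns_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}: {detail}")
```

The suffix rule matches "facebook.com.com" and "amazon.com.com" without touching legitimate names that merely end in "com.com" as a substring (for example "dotcom.com"), which is why the check is anchored on a dot boundary rather than on a raw string suffix.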
Fake 'Website Invoice', 'Interparcel Documents', 'Win10 Invoice' SPAM

FYI...

Fake 'Website Invoice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/here-is-your-bt-website-invoice-pdf-malware/
11 Aug 2015 - "'Here is your BT Website Invoice' pretending to come from btd.billing.noreply@ bt .com with a PDF attachment is another one from the current bot runs... The email comes in corrupt... There is an HTML attachment which contains what the actual email should read:
***Please do not reply to this automated e-mail as responses are not read***
Hello
Here is your latest billing information from BT Directories – please check the details carefully.
If you need to contact us then you’ll find the numbers in the attachment.
Kind Regards
BT Directories Billing & Credit Management ...


And there is a PDF attachment which contains the malware:
11 August 2015: DirectDebit Invoice_5262307_011220140151449702826.pdf
Current Virus total detections: 4/56* which is a PDF containing a word doc with embedded macros in the same way as described in today’s earlier malspam run**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...8f8d7a8c98a43f087cb7a97a/analysis/1439286155/

** http://myonlinesecurity.co.uk/interparcel-documents-pdf-malware/
11 Aug 2015 - "'Interparcel Documents' pretending to come from Interparcel <bounce@ interparcel .com> with a PDF attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Interparcel-Documents.png

11 August 2015: Shipping Labels (938854744923).pdf - Current Virus total detections: 4/57*
... downloads Dridex from http ://sonicadmedia .com/334f3d/096uh5b.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...e0b8a8bdfbf11908840917e4/analysis/1439281100/

** https://www.virustotal.com/en/file/...6abafbc03d6f38105f7d5db1/analysis/1439284911/

sonicadmedia .com: 192.185.5.3: https://www.virustotal.com/en/ip-address/192.185.5.3/information/
___

Fake 'Congratulations on your purchase Windows' SPAM – fake PDF malware
- http://myonlinesecurity.co.uk/congratulations-on-your-purchase-windows-fake-pdf-malware/
11 Aug 2015 - "'Congratulations on your purchase Windows' with a zip attachment is another one from the current bot runs... The email looks like:
The invoice for the license windows 10.
Invoice id: 5661255582
License number: 211883074666
License serial number: XXXXXX-XXXXXX-XXXXXX-QF7303-DG7S86
Details of the attachment.
THANKS A LOT FOR BEING WITH US.


Today's Date: Invoice Windows10 1648726511-en.zip:
Extracts to: Invoice Windows10 7848342350-en.exe
Current Virus total detections: 6/57*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...f526de210c964084460fcabf/analysis/1439303996/
___

Asprox botnet... disappears
- http://www.infoworld.com/article/29...botnet-a-longrunning-nuisance-disappears.html
Aug 11, 2015 - "The Asprox botnet, whose malware-spamming activities have been followed for years by security researchers, appears to be gone... the botnet seemed to be shut down, wrote Ryan Olson, intelligence director for Palo Alto Networks, in a blog post:
> http://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/
Olson wrote that Palo Alto thought the botnet's operators may have changed their tactics, and Palo Alto missed the shift. But they verified that Asprox's command-and-control structure shut down - at least for now... Earlier this year, Brad Duncan, a security researcher at Rackspace, also noticed a change:
> https://isc.sans.edu/forums/diary/What+Happened+to+You+Asprox+Botnet/19435/
... Spam that appeared stylistically close to that sent by Asprox had -different- malware. Asprox has taken a hit before. In November 2008, it was one of several botnets affected by the shutdown of McColo, a notorious California-based ISP that was providing network connectivity for cybercriminals. The shutdown of McColo dramatically cut the amount of spam, but Asprox as well as other botnets came back. The most frequent malware now seen by Palo Alto is Upatre. That malware downloads other harmful programs to a computer, and Palo Alto has seen it involved in installing a banking trojan called Dyre and the Cryptowall ransomware..."
>> http://researchcenter.paloaltonetworks.com/wp-content/uploads/2015/08/kuluoz-2.png

:fear::fear: :mad:
 
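Several of the runs quoted in this thread rely on the same lure: an archive whose member carries an executable extension (.exe, .scr, .jar) behind a document-looking name, so that with "show known file extensions" off the file looks like a PDF. As an added example (not code from myonlinesecurity.co.uk or any of the blogs quoted here), the block below is a mail-gateway style check that opens such an archive and flags members by name (double extension or executable type) and by content (a PE "MZ" header under a non-executable name). The archive is constructed in memory from filenames seen in this thread; the extension lists and the function names are assumptions.

```python
"""Flag executables disguised as documents inside zip attachments.

Added example, not from the quoted blogs.  The sample archive is constructed
in memory; the extension sets are an assumption (extend them to taste).
"""
import io
import zipfile

# Extensions Windows runs (or hands to a runtime such as Java) on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "wsf", "hta", "jar"}
# Document extensions the lure wants the victim to believe they are opening.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "docm", "xls", "xlsx", "xlsm", "txt", "rtf"}


def name_reason(name):
    """Reason string if the member *name* is suspicious, else None."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "double extension .%s.%s" % (parts[-2], ext)
    return "executable attachment .%s" % ext


def content_reason(name, head):
    """Reason string if the member *content* is a PE file hiding under a non-executable name."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if head.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
        return "PE header under non-executable name"
    return None


def scan_archive(data):
    """Return [(member_name, [reasons...]), ...] for suspicious members of a zip blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)          # only the magic bytes are needed
            reasons = [r for r in (name_reason(info.filename),
                                   content_reason(info.filename, head)) if r]
            if reasons:
                findings.append((info.filename, reasons))
    return findings


# Constructed members: names modelled on the runs in this thread, bodies are
# dummy bytes with the right magic (MZ = PE, PK = zip/jar, %PDF = real PDF).
SAMPLE_MEMBERS = {
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "AccountDocuments.scr": b"MZ\x90\x00" + b"\x00" * 60,
    "Invoice.jar": b"PK\x03\x04" + b"\x00" * 60,
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,      # renamed PE, no tell-tale extension
    "Shipping Labels.pdf": b"%PDF-1.4\n%%EOF\n",       # benign control
}


def build_sample_zip(members=SAMPLE_MEMBERS):
    """Build the constructed archive in memory and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_archive(build_sample_zip()):
        print(name, "->", "; ".join(reasons))
```

Checking the magic bytes as well as the name is what catches the "report.pdf" case: a renamed PE has no executable extension for the name rule to see, but its content still starts with "MZ". Only the first few bytes of each member are read, so the check stays cheap even on large archives.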
Fake 'Invoices payable', 'list attached', 'HSBC transfers', 'Important BoA docs' SPAM

FYI...

Fake 'Invoices payable' SPAM – JAVA malware
- http://myonlinesecurity.co.uk/re-re-invoices-payable-java-malware/
12 Aug 2015 - "'RE: Re: Invoices payable' with a jar attachment pretending to come from info@ fulplanet .com is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Invoices-payable.png

12 August 2015: Invoice.jar - Current Virus total detections: 4/57*
Luckily, Outlook (as you can see from the screenshot above) and many other email clients automatically -block- java jar files from being accessed or opened in the email client. Webmail clients are more at risk as most allow any attachment. Java is a cross-browser and cross-OS program and that is why it is so dangerous. Malicious Java files can infect and compromise ANY computer whether it is Windows or Apple or Android or Linux. You will not be infected and cannot be harmed if you do -not- have Java installed on the computer.
This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like an unknown file instead of the Java executable file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...4b1c0843fda00771ac72272d/analysis/1439362101/
___

Fake 'list attached' SPAM – PDF drops word doc – malware
- http://myonlinesecurity.co.uk/list-...elle-cc-signs-ltd-pdf-drops-word-doc-malware/
12 Aug 2015 - "'list attached as requested' pretending to come from Danielle | CC Signs Ltd. <orders@ ccsigns .co.uk> with a malicious PDF attachment that drops a word doc is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
The email has a -blank- body with just this image inside it and looks like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/CC-Signs-Ltd.jpg

12 August 2015: smo.pdf - Current Virus total detections: 5/56*
... which drops/creates 4.docm (VirusTotal**) which contains a macro that connects to http ://konspektau.republika .pl/07jhnb4/0kn7b6gf.exe and downloads Dridex banking malware (VirusTotal***). Other download locations include http ://madrigalchor-schloss-benrath .de/07jhnb4/0kn7b6gf.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...f13ab917b6db3433dea28d7a/analysis/1439370949/

** https://www.virustotal.com/en/file/...11cd29ae6b1ca4544417dbb2/analysis/1439371138/

*** https://www.virustotal.com/en/file/...e7533383fd42e4cc6a1cdf70/analysis/1439372114/
... Behavioural information
TCP connections
74.119.194.18: https://www.virustotal.com/en/ip-address/74.119.194.18/information/
95.101.128.113: https://www.virustotal.com/en/ip-address/95.101.128.113/information/

konspektau.republika .pl: 213.180.150.17: https://www.virustotal.com/en/ip-address/213.180.150.17/information/

madrigalchor-schloss-benrath .de: 81.169.145.158: https://www.virustotal.com/en/ip-address/81.169.145.158/information/
___

Fake 'Invoice for 415 Litmus' SPAM – doc malware
- http://myonlinesecurity.co.uk/invoice-for-415-litmus-word-doc/
12 Aug 2015 - "'Invoice for 415 Litmus' pretending to come from angela_lrc088128@ btinternet .com (the lrc088128 is random and I am seeing -hundreds- of lrc******@ btinternet .com being -spoofed- as the from addresses) with a malicious word doc attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Invoice-for-415-Litmus.png

12 August 2015: 415 Litmus Cleaning invoice.docm - Current Virus total detections: 6/56*
The -malicious- macro inside this version of the word doc connects to and downloads Dridex banking malware from http ://madrigalchor-schloss-benrath .de/07jhnb4/0kn7b6gf.exe (Virus Total**) Which is the -same- malware as described in today’s other Malspam run[1] containing malicious PDF dropping word docs... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...7e3e52377ad2c9feb1ee1484/analysis/1439371782/

** https://www.virustotal.com/en/file/...e7533383fd42e4cc6a1cdf70/analysis/1439372114/
... Behavioural information
TCP connections
74.119.194.18: https://www.virustotal.com/en/ip-address/74.119.194.18/information/
95.101.128.113: https://www.virustotal.com/en/ip-address/95.101.128.113/information/

madrigalchor-schloss-benrath .de: 81.169.145.158: https://www.virustotal.com/en/ip-address/81.169.145.158/information/

[1] http://myonlinesecurity.co.uk/list-...elle-cc-signs-ltd-pdf-drops-word-doc-malware/
___

Fake 'transferred into Your account HSBC' SPAM – PDF malware
- http://myonlinesecurity.co.uk/this-...rred-into-your-account-hsbc-fake-pdf-malware/
12 Aug 2015 - "A series of emails on the theme of 'This is to confirm that amounts were transferred into Your account' with subjects like 'Payment affirmation' or 'Conducted transaction information' with an email -link- to entice you into downloading a zip attachment is another one from the current bot runs... Some of the subjects include:
Conducted transaction information
Deposited funds receipt
Fund transfer receipt
Deposited funds acknowledgment
Transaction statement
Transfer verification
Deposited funds affirmation
Deposited funds statement
Balance change receipt
The senders pretend to be bank employees from HSBC and include such titles as:
Forward Applications Strategist
Principal Assurance Developer
Corporate Web Architect™
Principal Factors Director
And hundreds of other similarly styled, important-sounding titles. The sender matches the job title in the body of the email although the names are totally random...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Payment-affirmation.png

12 August 2015: invoice.pdf.zip: Extracts to: invoice.pdf.exe*
Current Virus total detections: 3/56*. These -Upatre- downloaders normally download either Dridex or Dyreza banking malware. So far the automatic tools haven't managed to get any actual download. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...5f2c4b267442b07f876bc64c/analysis/1439376577/
___

Fake 'Important documents BoA' SPAM – PDF malware
- http://myonlinesecurity.co.uk/fw-important-documents-bankofamerica-com-fake-pdf-malware/
12 Aug 2015 - "'FW: Important documents' pretending to come from Guadalupe Aldridge <Guadalupe.Aldridge@ bankofamerica .com> or Mariano Cotton <Mariano.Cotton@ bankofamerica .com> (and probably loads of other random names @ bankofamerica .com) with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/B-of-A-Important-documents.png

12 August 2015: AccountDocuments.zip: Extracts to: AccountDocuments.scr
Current Virus total detections: 0/56*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...fc1777adcc75ea9fe5489f0a/analysis/1439398277/
___

Win10 Store, Mail client down for some
- http://www.zdnet.com/article/microsofts-windows-10-store-mail-client-down-for-some/
Updated Aug 10, 11 - "... having problems accessing the Windows 10 Store and a number of Store apps, including Microsoft's new Mail client, for more than a day:
> http://zdnet2.cbsistatic.com/hub/i/...7cee48206e18f434fbefba03f4/win10storedown.jpg "

:fear::fear: :mad:
 
Fake 'Invoice Bristan', 'Incident' RBS, 'Notice of payment' SPAM

FYI...

Fake 'Invoice Bristan' SPAM – PDF malware
- http://myonlinesecurity.co.uk/invoice-i623792760-bristan-fake-pdf-invoice-malware/
13 Aug 2015 - "'Invoice I623792760' (Random characters and numbers) pretending to come from Bristan Documents <Prism@ bristan .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Invoice-I623792760.png

13 August 2015: INVOICE_I623792760.zip: Extracts to: INVOICE_I9288320.exe
Current Virus total detections: 1/57*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...a62555871d8b8ed395517c79/analysis/1439455676/
___

Fake 'Incident' RBS SPAM – doc malware
- http://myonlinesecurity.co.uk/re-incident-im07298646-word-doc-malware/
13 Aug 2015 - "'RE: Incident IM07298646' (random numbers) pretending to come from RBS <secure.message@ rbs .co.uk> with a malicious word doc attachment is another one from the current bot runs... This particular version pretends to be signed with an RSA secure key and you need to enable editing and macros to see the content... DO NOT follow the advice they give to enable macros or enable editing to see the content:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/RSA-key-protected-view.png

13 August 2015: AccountDocuments.doc - Current Virus total detections: 5/56*
This goes through a convoluted download procedure linking to: http ://hutsul .biz/administrator/components/com_joomlaupdate/rara.txt which is just a simple instruction to download what looks like -Upatre- downloader which will eventually download Dridex banking malware from http ://klosetaffair .com/scripts/jquery-1.8.3.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...12bc9730596e69ee54807b57/analysis/1439461278/

** https://www.virustotal.com/en/file/...c5d6795723555ee7333ce7ca/analysis/1439461900/

hutsul .biz: 144.76.80.78: https://www.virustotal.com/en/ip-address/144.76.80.78/information/

klosetaffair .com: 192.185.48.205: https://www.virustotal.com/en/ip-address/192.185.48.205/information/

- http://threattrack.tumblr.com/post/126606969628/rbc-secure-webmail-spam
Aug 13, 2015 - Subjects Seen:
RBC Secure Webmail/Courriel secure
Typical e-mail details:
Hello
You have received a secure e-mail, which may contain personal/confidential information.
To read and/or reply to the secure e-mail, please follow the simple steps below:
· Double click on the attached Click2View.zip
IMPORTANT:
1.) You must be connected to the Internet to view the secure e-mail.
2.) Please ONLY reply from the above link. DO NOT reply by clicking the “reply” option as this will not be secured.


Malicious File Name and MD5:
Click2View.scr (51cabd5eb93920043db1b18cf163b108)


Tagged: RBC, Upatre
___

Fake 'Notice of payment' SPAM – PDF malware
- http://myonlinesecurity.co.uk/notice-of-payment-national-bank-of-canada-fake-pdf-malware/
13 Aug 2015 - "'Notice of payment' pretending to come from sac.sbi@ sibn .bnc.ca with a zip attachment is another one from the current bot runs... The email looks like:
You can view and print the notice of payment using the Netscape or Microsoft
Explorer browsers, versions 6.2 and 5.5. You can export and store the
notice of payment data in your spreadsheet by choosing the attached file in
pdf format “.pdf”.
If you have received this document by mistake, please advise us immediately
and return it to us at the following E-mail address: “sac.sbi@ sibn .bnc .ca“.
Thank you.
National Bank of Canada
600 de La Gauchetire West, 13th Floor
Montreal, Quebec H3B 4L2 ...


13 August 2015: PaymentNotice.zip: Extracts to: PaymentNotice.scr
Current Virus total detections: 1/57*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...27b98be120f1df46bf80f202/analysis/1439483960/
___

SSL Malvertising Campaign Continues
- https://blog.malwarebytes.org/malvertising-2/2015/08/ssl-malvertising-campaign-continues/
Aug 13, 2015 - "The actors behind the recent Yahoo! malvertising attack are still very much active and able to infect people who browse popular websites. We have been tracking this campaign and noticed that it has recently moved to a new ad network used by many top publishers:
- drudgereport .com 61.8M visits per month
- wunderground .com 49.9M visits per month
- findagrave .com 6M visits per month
- webmaila.juno .com 3.6M visits per month
- my.netzero .net 3.2M visits per month
- sltrib .com 1.8M visits per month
The malvertising is loaded via AdSpirit .de and includes a -redirection- to an Azure website. Note how both URLs are using HTTPS encryption, making it harder to detect the malicious traffic at the network layer:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/malvertising.png
Redirection chain
Publisher’s website
https ://pub.adspirit .de/adframe.php?pid=[redacted]
https ://pr2-35s.azurewebsites .net/?=pr2-35s-981ef52345
abcmenorca .net/?xvQtdNvLGcvSehsbLCdz
Angler Exploit Kit...
We informed the ad network and although they did not immediately get back to us, the rogue advert was taken down."

Update 08/14: The campaign has -moved- to another advertiser (AOL) and new Azure domain:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/ebayadvertisement.png

abcmenorca .net: 88.198.188.158:
- https://www.virustotal.com/en/ip-address/88.198.188.158/information/
Country: DE
Autonomous System: 24940 (Hetzner Online AG)
Diagnostic page for AS24940 (HETZNER-AS)
- https://www.google.com/safebrowsing/diagnostic?site=AS:24940
"... over the past 90 days, 2335 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2015-08-13, and the last time suspicious content was found was on 2015-08-13... this network has hosted sites that have distributed malicious software in the past 90 days. We found 224 site(s)... that infected 837 other site(s)..."

:fear: :mad:
 
Fake 'Invoice', 'Account management' SPAM

FYI...

Fake 'Invoice' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/invoi...co-word-doc-or-excel-xls-spreadsheet-malware/
14 Aug 2015 - "'Invoice Bristol Rope & Twine Co' pretending to come from Roger Luke <rogerluke@ bristolrope .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be -blank- or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
The email looks like:
Thank you for your order. Your Invoice – 14/0238 – from Bristol Rope &
Twine Co is attached.


14 August 2015: 140238.XLS - Current Virus total detections: 6/57*
... Downloads Dridex banking malware from http ://buero-kontierservice .de/7656/4563.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...be2332f8fcbcbb8588be41d7/analysis/1439545269/

** https://www.virustotal.com/en/file/...f8e11f5c5c37d41a433cf20b/analysis/1439545437/
... Behavioural information
TCP connections
62.152.36.25: https://www.virustotal.com/en/ip-address/62.152.36.25/information/
2.18.213.90: https://www.virustotal.com/en/ip-address/2.18.213.90/information/

buero-kontierservice .de: 81.169.145.157: https://www.virustotal.com/en/ip-address/81.169.145.157/information/
___

Fake 'Account management' SPAM – PDF malware
- http://myonlinesecurity.co.uk/account-management-was-limited-jpmorgan-chase-bank-fake-pdf-malware/
14 Aug 2015 - "'Account management was limited' pretending to be a message from JPMorgan Chase Bank with a zip attachment is another one from the current bot runs... Other subjects in this malware run include:
Personal account access has been minimized
Bank account control has been minimized
Personal account management had been restricted
Bank account access was blocked ...
The email looks like:
Dear Bank member,
Please consider this e-mail alert highly urgent. Kindly note that our
security department has detected the attempt to withdraw money from Your
account without confirmation.
As a security measure the bank had to restrict access to the account
until we get relevant request from the signatory. Please see attached
the document to be filled in order to get full access to the account.
Peter Malcolm,
Security Department Specialist
JPMorgan Chase Bank PLC


14 August 2015: Formsheet_to_be_filled in_.zip: Extracts to: Formsheet_to_be_executed_.exe
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...7353310eb30d959986565e31/analysis/1439572799/

:fear::fear: :mad:
 
Multi-language Tech Support Scams

FYI...

Multi-language Tech Support Scams
- https://blog.malwarebytes.org/fraud-scam/2015/08/the-multi-language-tech-support-scam-is-here/
Aug 17, 2015 - "The Microsoft tech support scam has been going on for -years- starting with cold calls originating from India. Over time fake websites and pop ups warning of infections for Windows, Mac, Android and even iOS users were created. The vast majority of victims are from the U.S., Canada, the U.K., Australia, South Africa and New Zealand; in essence countries where English is the primary language spoken. This is about to change though, as tech support scammers are tapping into brand new markets in Europe but also Japan... The latest iteration we uncovered is targeting -multiple- new countries and considerable efforts were spent to make the templates look professional and authentic.
New targets:
France (population 66 M)
Spain (population 46 M)
Germany (population: 81 M)
Japan (population: 126 M)
... fraudulent pages typically show up via -malvertising- campaigns or as part of a bundle within Potentially Unwanted Programs... Translation to English:
' Warning! A virus has been detected on your computer. Please call the number provided immediately to remove adware, spyware and viruses from your computer. Seeing this message means that all your personal information, pictures, passwords and credit card details are at risk and vulnerable to attacks. Do not use the Internet, do not connect to any website or make any purchase until you call the phone number provided.'
Actual native speakers: We called one of the numbers for the French campaign and talked with an agent that spoke fluent French. He turned out to be working from Québec, Canada...
Avoiding the scam: The best protection against these scams is awareness. Please pass the word around to family and friends, especially older ones or those not computer savvy. We also have a resource page* with plenty of information that is well worth a read. What we can say looking back at all these years since the tech support scams started is that crooks have been able to adapt the con, often times getting inspired by actual malware authors and their practices (i.e. Browlock, fake BSOD, etc…). This latest twist is without a doubt going to have a serious impact on countries that have never really experienced tech support scams before. Not only are people not prepared for it, but also the fraudster will appear genuine by speaking the local tongue..."
* https://blog.malwarebytes.org/tech-support-scams/

:fear::fear:
Fake 'SHIPMENT NOTICE', 'lawsuit' SPAM, I/E patch

FYI...

Fake 'SHIPMENT NOTICE' SPAM – PDF malware
- http://myonlinesecurity.co.uk/shipment-notice-safilo-com-fake-pdf-malware/
19 Aug 2015 - "'SHIPMENT NOTICE' pretending to come from serviceuk@ safilo .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/safilo-SHIPMENT-NOTICE.png

19 August 2015: ship20150817.zip: Extracts to: ship20150817.exe
Current Virus total detections: 2/54*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...46a5820d7955f55c1ef7d6d0/analysis/1439977857/

- http://blog.dynamoo.com/2015/08/malware-spam-shipment-notice.html
19 Aug 2015 - "... the malware attempts to phone home to:
megapolisss006 .su/go/gate.php
.SU (Soviet Union) domains are bad news in general, if you can I would recommend blocking traffic to -all- of them. This domain is hosted on the following IPs:
195.2.88.196 (Zenon N.S.P., Russia)
94.229.22.39 (Bashrtcomm LIR, Russia)
94.229.22.42 (Bashrtcomm LIR, Russia)
You might want to consider blocking:
195.2.88.0/24
94.229.16.0/21

This though is the recommended minimum blocklist:
195.2.88.196
94.229.22.39
94.229.22.42
..."
___

Fake 'lawsuit' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/wtf-is-thislawsuit-word-doc-or-excel-xls-spreadsheet-malware/
19 Aug 2015 - "'wtf is this?lawsuit?' coming from random names and random email addresses with a malicious word doc attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be -blank- or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
The email looks like:
why have you sued me? wtf is this?
i am attaching the subpoena


19 August 2015: subpoena.doc - Current Virus total detections: 5/54*
Connects to http ://bigdiscountsonline .info/css/_notes/rara.txt which is a simple text instruction to download Dridex banking malware from http ://allthatandmore .info/css/_notes/pa.exe (VirusTotal**). It also connects to http ://bigdiscountsonline .info/css/_notes/8179826378126.txt which is a VBS downloader (VirusTotal***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...fe8900543014177c9bf484b9/analysis/1439998392/

** https://www.virustotal.com/en/file/...1c27659cd60bee73ba36d6f9/analysis/1439996382/
... Behavioural information
TCP connections
148.251.34.82: https://www.virustotal.com/en/ip-address/148.251.34.82/information/
62.149.142.168: https://www.virustotal.com/en/ip-address/62.149.142.168/information/

*** https://www.virustotal.com/en/file/...2debd6c9e47758b1fff5e43e/analysis/1439995932/

bigdiscountsonline .info: 97.74.4.87: https://www.virustotal.com/en/ip-address/97.74.4.87/information/
allthatandmore .info: 97.74.4.87
___

Out of band I/E patch - all versions...
- http://myonlinesecurity.co.uk/out-o...-internet-explorer-on-windows-18-august-2015/
18 Aug 2015

>> https://forums.spybot.info/showthread.php?862-Microsoft-Alerts&p=465708#post465708

:fear::fear: :mad:
Fake 'Shared from Docs app', 'new ID and pwd', 'order' SPAM

FYI...

Fake 'Shared from Docs app' SPAM – xls Malware
- http://myonlinesecurity.co.uk/shared-from-docs-app-excel-xls-spreadsheet-malware/
20 Aug 2015 - "'Shared from Docs app' coming from Admin at random email addresses with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be -blank- or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
The Excel spreadsheet in this one looks like this... DO NOT follow their suggestion and enable editing or macros:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/LIST_141114_jpg-2.xls.png
The email is very plain and terse and simply says :

Sent from Mail for Windows 10

20 August 2015: LIST_141114_jpg (2).xls - Current Virus total detections: 4/56*
So far automatic analysis hasn’t retrieved any payload so we are waiting for a manual analysis to be performed. These normally download Dridex banking malware...
Update: we now have managed to get an automatic analysis[2] which gave us: ceece.exe that looks like Dridex but no download location for it (VirusTotal)[3]... We always have problems with automatic analysis when the Doc or XLS file is in Russian language and character set... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...fe306f6d333295a5cbac9467/analysis/1440065594/

[2] https://malwr.com/analysis/YzdlYjBjMDFmMTM1NGMwZGE4MjE2ZThlNGU0MTcwMzQ/

[3] https://www.virustotal.com/en/file/...523748370a2c000ce4897d4a/analysis/1440066467/
... Behavioural information
TCP connections
62.152.36.25: https://www.virustotal.com/en/ip-address/62.152.36.25/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/
___

Fake 'new ID and password' SPAM – PDF malware
- http://myonlinesecurity.co.uk/your-new-id-and-password-fake-pdf-malware/
20 Aug 2015 - "'Your new ID and password' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:

Your ID name and password has been changed according to your request dated August 19, 2015. Check attachment to view the renewed information.

20 August 2015: doc_ad78120.zip : Extracts to: doc_in30541.exe
Current Virus total detections 3/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...e63579ae40e2d0597692a427/analysis/1440069970/
___

Fake 'order not avaliable' SPAM – doc malware
- http://myonlinesecurity.co.uk/we-ar...d-is-not-avaliable-now-fake-word-doc-malware/
20 Aug 2015 - "An email saying 'We are sorry but the product you’ve ordered is not avaliable now' with a subject of Order #y0CD3mxQizcBk88ovaw [random characters] coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
Good afternoon,
We are sorry but the product you’ve ordered is not avaliable now.
Please fill up the attached form of refund and choose a gift as a token
of our apology for the inconvenience.
Order #fNcszeK2PW9J1rjN
Date sent: Thu, 20 Aug 2015 11:42:51 +0100
Mariam Olson Sr...

-Or-
Good afternoon,
We are sorry but the product you’ve ordered is not avaliable now.
Please fill up the attached form of refund and choose a gift as a token
of our apology for the inconvenience.
Order #4y3Rs24VDxJ8BBW8
Date sent: Thu, 20 Aug 2015 11:45:02 +0100
Carolyn Raynor...


20 August 2015: Order Beier-Swaniawski_fNcszeK2PW9J1rjN.zip: Extracts to: order id283694136_Angus Ferry.exe
Current Virus total detections 2/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper word document instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...f3b371f236c806d97328f4bf/analysis/1440070000/
___

Fake 'Transport for London' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/08/malware-spam-email-from-transport-for.html
20 Aug 2015 - "This -fake- TfL spam comes with a malicious attachment:
From "Transport for London" [noresponse@ cclondon .com]
Date Thu, 20 Aug 2015 17:04:26 +0530
Subject Email from Transport for London
Dear Customer
Please open the attached file(7887775.zip) to view correspondence from Transport
for London.
If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
this attachment. If you require Adobe Acrobat Reader this is available at no cost...
Thank you for contacting Transport for London.
Business Operations
Customer Service Representative...


The attachment name seems to vary, in the samples I have seen there is 7887775.zip, 0174458.zip and rather oddly [?var=partorderb].zip. From these I have recovered two malicious samples with a VirusTotal detection rate of 6/56* and 1/57**... Hybrid Analysis reports... show the malware connecting to various malicious and non-malicious IPs, but in particular we see a traffic pattern like this:
93.185.4.90 :12326/2008uk77/jI7tL6q34q/0/61-SP1/0/FDMBEFJBMKBEMM
93.185.4.90 :12326/2008uk77/jI7tL6q34q/41/5/42/FDMBEFJBMKBEMM
These GET requests are a characteristic of Upatre/Dyre. 93.185.4.90 is allocated to C2NET, Czech Republic and I strongly recommend that you -block- it."
* https://www.virustotal.com/en/file/...7f1a251cc6ad501df7e1acff/analysis/1440071767/

** https://www.virustotal.com/en/file/...8b7771bca52f05744af811f1/analysis/1440071784/
___

Fake 'ACH failed' SPAM – doc malware
- http://myonlinesecurity.co.uk/ach-f...tronic-payments-association-word-doc-malware/
20 Aug 2015 - "'ACH failed due to technical error' pretending to come from The Electronic Payments Association with a malicious word doc attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
This malicious word doc has what pretends to be a RSA encrypted security key and it wants you to enable editing to see the content. This is almost identical to this slightly older version with a different date. Once again DO NOT not enable editing or macros:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/RSA-key-protected-view.png
The email looks like:
ACH PAYMENT REJECTED
The ACH Payment (ID: 49583071624518), recently initiated from your savings account (by you or any other person), was REJECTED by other financial institution.
Rejection Reason: See details in the attached report.
Payment Report: report_49583071624518.doc (Microsoft Word)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2014 NACHA – The Electronic Payments Association


20 August 2015 : report_49583071624518.doc - Current Virus total detections 16/57*
... connects to http ://luckytravelshop .info/wp-content/uploads/2015/05/sasa.txt which tells it to download a Dridex banking malware from http: //tadarokab .com/temp/recent.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...a958aa38629503c6f51fca48/analysis/1440087068/

** https://www.virustotal.com/en/file/...6f9b8c4165d93a3307e0ff02/analysis/1440081269/

luckytravelshop .info: 23.229.232.199: https://www.virustotal.com/en/ip-address/23.229.232.199/information/

tadarokab .com: 38.110.76.140: https://www.virustotal.com/en/ip-address/38.110.76.140/information/
___

Fake 'ACH Payment' SPAM – PDF malware
- http://myonlinesecurity.co.uk/ach-payment-notification-logicease-solutions-inc-fake-pdf-malware/
20 Aug 2015 - "'ACH Payment Notification' pretending to come from ap_vendor_pay2@ bankofamerica .com with a zip attachment is another one from the current bot runs...
The email looks like:
LOGICEASE SOLUTIONS INC Vendor:10288253 Pay Dt: 20150820 Pay Ref Num: 2000542353
Your invoice has been processed for payment by Bank of America Corporate Accounts Payable. The following items are included in this payment:
The net amount deposited to account number ending XXXX8014 designated by you is $1843.73
IMPORTANT: AVAILABILITY OF FUNDS FOR WITHDRAWAL IS SUBJECT TO POSTING BY RECEIVING BANK (USUALLY WITHIN THREE BUSINESS DAYS)
Please do not respond to this e-mail. Should you have questions, please contact the Purchasing, Payment & Reimbursement helpline at 888.550.6174...


20 August 2015: Pay_Advice.zip: Extracts to: Pay_Advice.exe
Current Virus total detections 5/56*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...15d780e7f5cc9be6b964dc3d/analysis/1440085153/

:fear::fear: :mad:
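An egress-log triage script, added as an editor's example rather than anything from the quoted blogs, that applies the dynamoo recommendations in the posts above: alert on .su destinations and on the listed block ranges (the 'SHIPMENT NOTICE' post), and on the Upatre/Dyre GET pattern from the 'Transport for London' post. The log line format, the regular expression generalised from the two quoted requests, and every sample log line are assumptions constructed for this example.

```python
"""Triage outbound proxy/firewall log lines against the indicators quoted above."""
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges and hosts exactly as recommended in the quoted dynamoo posts.
BLOCK_NETWORKS = [ipaddress.ip_network(n) for n in (
    "195.2.88.0/24",    # Zenon N.S.P., Russia ('SHIPMENT NOTICE' post)
    "94.229.16.0/21",   # Bashrtcomm LIR, Russia ('SHIPMENT NOTICE' post)
    "93.185.4.90/32",   # C2NET, Czech Republic ('Transport for London' post)
)]
# TLDs the post recommends blocking wholesale.
BLOCK_TLDS = {"su"}

# Upatre/Dyre check-in path, generalised (editor's assumption) from the two
# quoted GETs: /<campaign>/<bot id>/<n>/<n or n-SPx>/<n>/<upper-case token>
UPATRE_PATH = re.compile(
    r"^/[A-Za-z0-9]+/[A-Za-z0-9]+/\d+/\d+(?:-SP\d)?/\d+/[A-Z]{10,}$")

# Assumed log format: "<timestamp> <client ip> <method> <url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def _as_ip(host: str):
    """Return an ip_address for a bare-IP host, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def classify_url(method: str, url: str) -> list:
    """Reasons to alert on one request; an empty list means nothing matched."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    tld = host.rsplit(".", 1)[-1]
    if tld in BLOCK_TLDS:
        reasons.append(f"blocked TLD .{tld}: {host}")
    addr = _as_ip(host)
    if addr is not None:
        for net in BLOCK_NETWORKS:
            if addr in net:
                reasons.append(f"destination {addr} in blocklisted {net}")
                break
        # Bare-IP destination, non-standard port, Upatre-shaped path.
        if (method == "GET" and parts.port not in (None, 80, 443)
                and UPATRE_PATH.match(parts.path)):
            reasons.append("Upatre/Dyre style check-in")
    return reasons


def triage_log(lines) -> list:
    """Return (client, url, reasons) for every line that raised at least one reason."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reasons = classify_url(m["method"], m["url"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


# Constructed sample log: the first four lines mirror hosts/paths quoted in the
# thread, the last two are benign controls (documentation addresses).
SAMPLE_LOG = """\
2015-08-19T10:02:11 10.0.0.17 POST http://megapolisss006.su/go/gate.php
2015-08-19T10:02:12 10.0.0.17 GET http://94.229.22.39/go/gate.php
2015-08-20T11:40:03 10.0.0.23 GET http://93.185.4.90:12326/2008uk77/jI7tL6q34q/0/61-SP1/0/FDMBEFJBMKBEMM
2015-08-20T11:40:04 10.0.0.23 GET http://93.185.4.90:12326/2008uk77/jI7tL6q34q/41/5/42/FDMBEFJBMKBEMM
2015-08-20T11:41:00 10.0.0.23 GET https://www.example.com/index.html
2015-08-20T11:41:30 10.0.0.23 GET http://198.51.100.7:8080/api/v1/status
"""

if __name__ == "__main__":
    for client, url, reasons in triage_log(SAMPLE_LOG.splitlines()):
        print(client, url, "->", "; ".join(reasons))
```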
Fake 'bank birthday bonus', 'invoice 2018' SPAM, 'translator job' SCAM, Fake MB...

FYI...

Fake 'bank birthday bonus' SPAM - PDF malware
- http://myonlinesecurity.co.uk/our-b...ost-valuable-client-of-ours-fake-pdf-malware/
21 Aug 2015 - "A series of emails saying 'Our bank have a birthday today so we would like to give you some bonuses as you’re the most valuable client of ours' with a subject of 'You are our most valued customer. Your ID 23428458 [random numbers]' coming from random names and email addresses with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...our-most-valued-customer-Your-ID-23428458.png

All these emails have random senders & companies, random phone numbers but the alleged sender matches the name in the body of the email and the name of the attachment.
21 August 2015: Bank-Reagan Bashirian DDS_(278) 789-4975_client-268119023428458.zip:
Extracts to: Bank Client992322638_West Jermainemouth.exe - Current Virus total detections: 2/57*.
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...d20ab8123a2369590ab58f06/analysis/1440154416/
___

Fake 'translator job' SCAMs
- http://myonlinesecurity.co.uk/real-translator-jobs-scam/
21 Aug 2015 - "We all see thousands of adverts and get loads of emails offering us jobs. This one caught my eye earlier:
'Earn Up To $315 A Day Translating Words'. Sent by Real Translator Jobs <realtranslatorjobs@ freonjob .org>
The email reads like a godsend for somebody who speaks an extra language and needs a few $$ or ££ but has all the hallmarks of a scam/multi level marketing/pyramid scheme.

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/translator-job-scam.png

... If you follow the links to the website you see http ://www.realtranslatorjobs .com/ and a referrer link at the end of the url. I have blanked out the referrer link so he/she doesn’t get any income from the scam by following links from here:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/translator-jobs-website.png
... The first thing that jumps out at you is:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/home-sidebar-checklist2.jpg
... The only people who get rich and make a lot of money are the originators for this scam and the “affiliates” who promote it and get a commission on every sign up or click through to the website... it will cost you $68 to sign up but there is a special offer for today only for $34 dollars (save 50%!)... don’t fall for it and don’t waste your money. You won’t earn a thing..."
___

Fake 'invoice 2018' SPAM – PDF malware
- http://myonlinesecurity.co.uk/invoice-2018-garry-white-whitechappell-co-uk-fake-pdf-malware/
21 Aug 2015 - "'invoice 2018' pretending to come from Garry White <garry@ whitechappell .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/invoice-2018.png

21 August 2015 : CRFC, Invoice 2018.pdf.zip: Extracts to: CRFC, Invoice 2018.pdf.exe
Current Virus total detections: 3/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...25c0d5205f382cb2ab57aa83/analysis/1440155507/
___

What is event.swupdateservice .net?
- http://blog.dynamoo.com/2015/08/what-hell-is-eventswupdateservicenet.html
21 Aug 2015 - "... I saw some mysterious outbound traffic to event.swupdateservice .net/event (138.91.189.124 / Microsoft, US). Googling around for the domain came up with some references to malware, but nothing very conclusive. The WHOIS details for the domain are -anonymised- (never a good sign), and the IP address is also used by event.ezwebservices .net which uses similarly -hidden- details. Team Cymru have an analysis* of what is being phoned home to this mystery server, and I found an existing Malwr analysis** referencing the alternate domain. I eventually found the mystery executable in C:\Users\[username]\AppData\Local\SoftUpdate\SoftUpdate.exe on the afflicted machine... The binary itself does not identify its creator. I found various references (such as in this report***) linking this software and the domains to Emaze .com (a "free" presentation tool)... Neither domain identifies itself through the WHOIS details, nor can I find any contact details on either site... I don't like sharing data with commercial operations who are not prepared to fully reveal their identity, and I personally recommend -blocking- traffic to:
visualbee .com: 168.62.20.37: https://www.virustotal.com/en/ip-address/168.62.20.37/information/
emaze .com: 54.83.51.169: https://www.virustotal.com/en/ip-address/54.83.51.169/information/
swupdateservice .net
ezwebservices .net "
* https://totalhash.cymru.com/analysis/?a10211e1a1549147630704aa6cfd89b27bc51970

** https://malwr.com/analysis/MWUzZmM5M2UyN2Q5NGU0M2E4M2U3NTE3MWUzNWNhZjE/

*** https://www.hybrid-analysis.com/sam...86f3101cd923128c764810604092f?environmentId=1

138.91.189.124: https://www.virustotal.com/en/ip-address/138.91.189.124/information/
___

Fake Malwarebytes?...
- https://blog.malwarebytes.org/online-security/2015/08/exploring-an-mbam-for-windows-10-website/
Aug 21, 2015 - "Here at Malwarebytes, we offer support for a wide variety of Windows Operating Systems – from XP right up to Windows 10. The latter OS is the starting point for this blog post, with a website located at: malwarebytes-windows10(dot)com which seemed to offer up a “Windows 10 ready” version of Malwarebytes Anti-Malware:

Screenshot: https://blog.malwarebytes.org/wp-content/uploads/2015/08/mbam101.jpg

This installer is -not- ours, so it’s clear that this is a download manager of some sort, and – one would hope – gave the downloader a copy of MBAM at the end of the process. However, the download kept breaking, so we couldn’t get any further than the initial installer splash...
Since we started looking into this, the site has also now apparently rolled down the shutters:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/mbam104.jpg
However, the EULA / Privacy Policy on the installer took us to a site located at
qpdownload(dot)com which also offered up a variety of programs including Adblock Plus and yet another MBAM:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/mbam105.jpg
... Users of Malwarebytes Anti-Malware will find we detect the “Download Manager” as PUP.Optional.InstallCore.A. Download sites can be cool, but it seems counter-intuitive to offer products designed to reduce advertisements / advertising software on your desktop alongside... adverts..."

malwarebytes-windows10(dot)com: 107.180.24.239: https://www.virustotal.com/en/ip-address/107.180.24.239/information/

qpdownload(dot)com: 96.43.136.163: https://www.virustotal.com/en/ip-address/96.43.136.163/information/
___

Malvertising on Telstra Media Homepage ...
- https://blog.malwarebytes.org/news/2015/08/telstra-medias-homepage-pushes-malvertising/
Aug 21, 2015 - "The media home page of Australia’s -largest- telecommunications company, Telstra, was pushing some malvertising similar to the attack we just documented*...
* https://blog.malwarebytes.org/malve...rtising-hits-online-dating-site-plentyoffish/
The infection chain goes like this:
media.telstra .com.au/home.html (Publisher)
frexw .co.uk/public/id-55048502/300×250.php (Malvertising)
gp-urti .info/bard-vb4735/vcyz-46820t.js (Malicious redirector)
goo .gl/s3LrVw (Abuse of Google URL shortener to load an exploit kit)
augpdoiof .info/document.shtml?AfWlx={redacted} (Nuclear Exploit Kit)
>> https://blog.malwarebytes.org/wp-content/uploads/2015/08/telstra_graph.png
While we did not collect the particular sample dropped in this campaign, it is quite likely to be the Tinba banking Trojan... The Google link has now been disabled:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/google.png
The malvertising attack lasted for a few days and was last seen on the 17th."

augpdoiof .info: 45.32.238.228: https://www.virustotal.com/en/ip-address/45.32.238.228/information/

gp-urti .info:
104.24.120.10: https://www.virustotal.com/en/ip-address/104.24.120.10/information/
104.24.121.10: https://www.virustotal.com/en/ip-address/104.24.121.10/information/

:fear::fear: :mad:
Neutrino Campaign leveraging WordPress, Flash for CryptoWall

FYI...

Neutrino Campaign leveraging WordPress, Flash for CryptoWall
- http://research.zscaler.com/2015/08/neutrino-campaign-leveraging-wordpress.html
Aug 20, 2015 - "Neutrino Exploit Kit... in the past few days we've seen a massive uptick in the use of the kit. The cause for this uptick appears due to widespread WordPress site compromises... the image below illustrates the components involved in this campaign:
> https://4.bp.blogspot.com/-f2_q0ogB...7NvxOgAHZs/s1600/WordPress_Neutrino_nexus.PNG
... there are multiple recent changes in the Neutrino code, some that are normally characteristics of Angler Exploit Kit, but others that remain unique to Neutrino... The goal of this campaign is to completely and fully compromise the site, which includes adding a webshell, harvesting credentials, and finally injecting an iframe that loads a Neutrino landing page... the primary IP for the observed Neutrino landing pages is '185.44.105.7' which is owned by VPS2DAY .com. Many of the domains pointing to that IP utilize 'xyz', 'ga', 'gq', and 'ml' TLDs. Taking a look at the whois data for some of these domains, a common attribute seems to be the name 'Max Vlapet' for .XYZ domains... This campaign also reconfirms that Neutrino Exploit Kit activity is on the rise and is still a major player in the exploit kit arena..."
- http://it.slashdot.org/story/15/08/22/030246/wordpress-hacks-behind-surging-neutrino-ek-traffic
Aug 22, 2015

185.44.105.7: https://www.virustotal.com/en/ip-address/185.44.105.7/information/

:fear::fear: :mad:
Fake 'Message from scanner' SPAM, dwdl .de -hacked- serving malware

FYI...

Fake 'Message from scanner' SPAM – PDF malware
- http://myonlinesecurity.co.uk/message-from-scanner-fake-pdf-malware/
24 Aug 2015 - "'Message from scanner' pretending to come from scanner.coventrycitycentre@ brianholt .co.uk with a zip attachment but a completely -empty/blank- body of the email is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Message-from-scanner.png

24 August 2015: Sscanner15081208190.zip: Extracts to: Sscanner15081208190.exe
Current Virus total detections: 3/57*. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...2bce81229fbc8b8930992e38/analysis/1440408248/

- http://blog.dynamoo.com/2015/08/malware-spam-message-from-scanner.html
24 Aug 2015 - "... malicious executable Sscanner15081208190.exe embedded into the attachment Sscanner15081208190.zip . This executable has a detection rate of just 5/54*. The Hybrid Analysis report** shows the malware POSTing to:
smboy .su/mu/tasks.php
.SU (Soviet Union) domains are almost always bad news. If you can block them on your web filter then I recommend that you do so. This particular site is hosted on 95.172.146.73 (RTComm-Sibir, Russia). The network range of 95.172.146.0/23 does seem to contain some legitimate Russian-language sites, but you might want to -block- the whole range to be on the safe side. The payload is unknown, but typically malware like this will drop either the Dyre banking trojan or some sort of ransomware."
* https://www.virustotal.com/en/file/...2bce81229fbc8b8930992e38/analysis/1440414098/

** https://www.hybrid-analysis.com/sam...00a862bce81229fbc8b8930992e38?environmentId=1

95.172.146.73: https://www.virustotal.com/en/ip-address/95.172.146.73/information/
___

German site dwdl .de -hacked- serving malware via 94.142.140.222
- http://blog.dynamoo.com/2015/08/popular-german-wesite-dwdlde-hacked.html
24 Aug 2015 - "... German media website dwdl .de has been -hacked- and is serving up malware, according to this URLquery report*. URLquery's IDS function detects what looks like the RIG Exploit kit:
> https://3.bp.blogspot.com/-pFLpyrW75e8/VdslyFeXKgI/AAAAAAAAG50/onTPoRZf0So/s1600/dwdl-de.png
The exploit is injected code pointing to a server at 94.142.140.222 (Marosnet Telecommunication Company, Russia) which in the example is using filter.michiganbeerhops .com which is a -hijacked- GoDaddy domain. The exploit only appears to work if the site is accessed via a search engine, which looks like a classic .htaccess hack. URLquery's script relationship chart shows this in action:
> https://3.bp.blogspot.com/-XrAJ6DxnJcM/VdsoSNqVIdI/AAAAAAAAG6A/meF5SsbUOeA/s640/domain_graph.php.gif
VirusTotal** gives an overview of other malicious domains on this server. It indicates that the following domains have been -hijacked- and malicious subdomains set up..."
(Long list at the dynamoo URL - top of this post.)
* http://urlquery.net/report.php?id=1440424952903

** 94.142.140.222: https://www.virustotal.com/en/ip-address/94.142.140.222/information/

:fear::fear: :mad:
Fake 'Visa Card', 'Dropbox', 'Invoice 26949' SPAM, Browser hijackers

FYI...

Fake 'Visa Card' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/08/malware-spam-visa-card-aug-2015.html
25 Aug 2015 - "This -fake- financial spam does not come from Ellesmere Engineering but is in fact a simple forgery with a malicious attachment:
From [david@ ellesmere .engineering]
To "'Sharon Howarth'" [sharon@ ellesmere .engineering]
Date Tue, 25 Aug 2015 09:52:47 +0200
Subject Visa Card Aug 2015
Visa Card payments this month
---
This email has been checked for viruses...


Attached is a document Visa Card Aug 2015.docm which I have seen in three different versions, containing one of -three- malicious macros... that then attempt to download a malicious binary from one of the following locations:
http ://e-projekt.ns1.internetdsl .pl/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
http ://landrevie.g.free .fr/45gf3/7uf3ref.exe
This executable has a detection rate of just 1/55* and the Malwr report** shows network traffic to:
91.239.232.9 (Hostpro Ltd, Ukraine)
I strongly recommend that you -block- that IP address. The payload to this is almost definitely the Dridex banking trojan."
* https://www.virustotal.com/en/file/...3dedf59926672b0207fc0f78/analysis/1440489790/
... Behavioural information
TCP connections
91.239.232.9: https://www.virustotal.com/en/ip-address/91.239.232.9/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

** https://malwr.com/analysis/YzFkMGQyNTdjYzdmNGFjNjk1NTc4ZjdjMjRjODg5NDY/

internetdsl .pl: 80.48.169.1: https://www.virustotal.com/en/ip-address/80.48.169.1/information/

free .fr: 212.27.48.10: https://www.virustotal.com/en/ip-address/212.27.48.10/information/

- http://myonlinesecurity.co.uk/visa-card-aug-2015-ellesmere-engineering-word-doc-macro-malware/
25 Aug 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/Visa-Card-Aug-2015.png
25 August 2015: Visa Card Aug 2015.docm - Current Virus total detections 7/55*
Downloads Dridex banking malware.
* https://www.virustotal.com/en/file/...7147ba60fa2775f4f6b22b80/analysis/1440499540/
___

Fake 'Dropbox' SPAM - leads to malware
- http://blog.dynamoo.com/2015/08/malware-spam-updatevacationsschedule092.html
25 Aug 2015 - "This -fake- Dropbox email leads to malware, hosted on the sharing service sugarsync .com.
From: June Abel via Dropbox [no-reply@ dropbox .com]
Date: 25 August 2015 at 12:59
Subject: June Abel shared "UPDATE_VACATIONS_SCHEDULE_09_2015.pdf" with you
June used Dropbox to share a file with you!
Click here to download.
© 2015 Dropbox


I have seen three different samples with different download locations:
https ://www.sugarsync .com/pf/D3941255_827_052066225?directDownload=true
https ://www.sugarsync .com/pf/D160756_82_6104120627?directDownload=true
https ://www.sugarsync .com/pf/D2694666_265_638165437?directDownload=true
In each case, the binary downloaded is identical and has a VirusTotal detection rate of 3/55*. Analysis is pending, but the payload appears to be the Dyre banking trojan.
UPDATE: The Hybrid Analysis report** shows traffic to 197.149.90.166 (Cobranet, Nigeria) which I recommend you block."
* https://www.virustotal.com/en/file/...c9d8a7e64366343d9e384a4f/analysis/1440506327/

** https://www.hybrid-analysis.com/sam...a8af5c9d8a7e64366343d9e384a4f?environmentId=1

sugarsync .com: 74.201.86.21: https://www.virustotal.com/en/ip-address/74.201.86.21/information/

197.149.90.166: https://www.virustotal.com/en/ip-address/197.149.90.166/information/
___

Fake 'Invoice 26949' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/08/malware-spam-invoice-26949-from-i-spi.html
25 Aug 2015 - "My spam traps did not collect the body text from this message, so all I have is headers. However, this -fake- financial email is not from i-Spi Ltd and is instead a simple forgery with a malicious attachment:
From [sales@ ispitrade .com]
Date Tue, 25 Aug 2015 20:37:09 +0800
Subject Invoice 26949 from I - SPI Ltd


Attached is a file Inv_26949_from_I__SPI_Ltd_7888.doc which actually comes in several different versions... which contains a malicious macro... that downloads an executable from one of the following locations:
http ://landrevie.g.free .fr/45gf3/7uf3ref.exe
http ://e-projekt.ns1.internetdsl .pl/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
http ://claudio.locatelli .free .fr/45gf3/7uf3ref.exe
http ://spitlame.free .fr/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
This Hybrid Analysis report* shows network traffic to:
91.239.232.9 (Hostpro Ltd, Ukraine)
This is the same bad IP as found in this earlier spam run**; I recommend that you block it. The payload here is almost definitely the Dridex banking trojan."
* https://www.hybrid-analysis.com/sam...39b7616f81744b656b7228a63a065?environmentId=1

** http://blog.dynamoo.com/2015/08/malware-spam-visa-card-aug-2015.html

- http://myonlinesecurity.co.uk/invoice-26949-from-i-spi-ltd-word-doc-macro-malware/
25 August 2015: Inv_26949_from_I__SPI_Ltd_7888.doc "... Downloads the -same- Dridex banking malware as described in today’s earlier malspam run of malicious word docs*..."
* http://myonlinesecurity.co.uk/visa-card-aug-2015-ellesmere-engineering-word-doc-macro-malware/
___

Browsefox variant High Stairs - browser hijackers
- https://blog.malwarebytes.org/security-threat/2015/08/browsefox-variant-high-stairs/
Aug 25, 2015 - "Browsefox aka Sambreel aka Yontoo is a family of browser hijackers. When advertised they promise to “customize and enhance your interaction with the websites you visit”, but in reality they are almost never a user's choice install. They come -bundled- with other software at many major download sites and at best you will see this screen when the installation starts:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/main1.png
High Stairs is one of the latest additions to this family. It is being offered as a browser extension -without- making clear what it does for the user. If you want to have a look at the EULA and Privacy Policy you will have to visit their website:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/EULA.png
... The EULA clearly states that it allows the “Software” to use -any- means imaginable to deliver advertisements and that it will collect your data. The Privacy Policy lets you know that they will use, share and sell those data to any and all parent, subsidiary or affiliate companies. Bottom line, as long as it brings in cash. Browser hijackers of this family are VM aware, meaning they will not do a full install if they detect they are run on a Virtual Machine. Sometimes the files are downloaded and put in place, but the extensions are not installed and enabled. The -hijackers- from this family do provide browser extensions for IE, Firefox, Chrome and Opera (and probably more)... invisible iframes can be used to deliver anything and everything to your computer, ranging from advertisements (which is very likely in this case) to (in theory) exploit kits. In theory in this case means that we haven’t seen any exploit kits being delivered through the advertisements these PUPs deliver, but if the PUP has a vulnerability or their network is compromised a third party could use this in the same manner as has been done with malvertisements on legitimate sites. This browser hijacker is relatively easy to remove. Other variants have been known to install services as well, making them a bit harder to tackle. Unfortunately “High Stairs” is not alone. We see a new Sambreel variant at least a few times every week. The installer and the installed files are all detected as 'PUP.Optional.HighStairs.A'. Logs, more screenshots and removal instructions for “High Stairs” can be found on our forums*..."
* https://forums.malwarebytes.org/index.php?/topic/171926-removal-instructions-for-high-stairs/

:fear::fear: :mad:
 
Last edited:
Fake 'Scanned image - MX-2600N', 'invoice A4545945', 'Invoices from UBM', 'Fax' SPAM

FYI...

Fake 'Scanned image - MX-2600N' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/scanned-image-from-mx-2600n-word-doc-macro-malware/
26 Aug 2015 - "'Scanned image from MX-2600N' pretending to come from noreply@ your email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
The email looks like:
Reply to: noreply@ securityandprivacy .co.uk <noreply@ securityandprivacy .co.uk>
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set
File Format: DOC MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned image in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated to view the document.


26 August 2015: noreply@ securityandprivacy.co.uk_20150826_181106.doc
Current Virus total detections 7/57*:
Downloads Dridex banking malware from one of these locations:
detocoffee.ojiji .net/45ygege/097uj.exe (virus Total**)
students.johnbryce .co.il/nagare/45ygege/097uj.exe
groupedanso .fr/45ygege/097uj.exe
asterixpr.republika .pl/45ygege/097uj.exe
fotolagi .com/45ygege/097uj.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...996f9fb91a6586108333c17d/analysis/1440582748/

** https://www.virustotal.com/en/file/...2d3eb20ed2e74d9fe8c7102a/analysis/1440583201/
... Behavioural information
TCP connections
91.239.232.9: https://www.virustotal.com/en/ip-address/91.239.232.9/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

- http://blog.dynamoo.com/2015/08/malware-spam-scanned-image-from-mx.html
26 Aug 2015 - "... The email appears to come from the victim's own domain, but it does not. The "From" address on email is extremely easy to forge. So far I have seen three different malicious attachments, each one in the format noreply@ victimdomain.com_20150826_181106.doc with detection rates of around 7/56 [1] [2] [3] containing one of three malicious macros... which attempt to download a malicious component from one of the following locations:
http ://fotolagi .com/45ygege/097uj.exe
http ://asterixpr.republika .pl/45ygege/097uj.exe
http ://detocoffee.ojiji .net/45ygege/097uj.exe
This malicious binary currently has a VirusTotal detection rate of just 2/54. Automated analysis... shows network traffic to 91.239.232.9 (Hostpro Ltd, Ukraine) which has been used in several attacks recently. The payload is almost definitely the Dridex banking trojan."
1] https://www.virustotal.com/en/file/...e8200b86a10bfbe81e193b9d/analysis/1440583485/

2] https://www.virustotal.com/en/file/...1a3e23a0359cd1f21ddce90e/analysis/1440583498/

3] https://www.virustotal.com/en/file/...9d62b9dfdf89bbffb0c237bc/analysis/1440583515/
___

Fake 'invoice A4545945' SPAM - PDF malware
- http://myonlinesecurity.co.uk/screw...-find-your-invoice-attached-fake-pdf-malware/
26 Aug 2015 - "'Copy of invoice A4545945. Please find your invoice attached' pretending to come from Screwfix Direct <online@ screwfix .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear Customer
Thank you for shopping at Screwfix.
As requested please find attached a copy of invoice: A4545945.
You will require a PDF file reader in order to view and print the invoice. Should your invoice not be attached please email invoice@ screwfix .com ensuring that you quote your order reference.
Please do not reply to this e-mail.
If you have any queries, please quote the Invoice Number: A4545945, when contacting us:
Phone: 0500 41 41 41 (03330 112 320 from a mobile) UK based Contact Centre
E-mail: online@ screwfix .com
Write to: Screwfix, Trade House, Mead Avenue, Yeovil, BA88 8RT ...


26 August 2015: Invoice_A3176864.zip: Extracts to: Invoice.scr
Current Virus total detections 2/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...08755528ecc7eeab13eee30a/analysis/1440580919/
___

Fake 'Invoices from UBM' SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-invoices-from-ubm-fake-pdf-malware-2/
26 Aug 2015 - "'Your Invoices from UBM' pretending to come from UBM (UK) Limited <ubm@ ubm .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear Customer,
Please find attached your invoice(s) from UBM. If you have any queries regarding the invoice, payment or service delivered please don’t hesitate to contact us on the details below.
Regards,
UBM Receivables Team.
Tel : +44 207 921 8506 (21627)
Email : bogumila.murzyn@ ubm .com
Fax :
****PLEASE DO NOT REPLY TO THE EMAIL ADDRESS ubm@ ubm .com AS IT IS NOT MONITORED**** ...


26 August 2015: 65550757_Invoices_26-AUG-2015.zip:
Extracts to: 65550757_Invoices_26-AUG-2015.scr ... which is the -same- Upatre malware that is described in today’s other malspam run with Zip attachments*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecurity.co.uk/screw...-find-your-invoice-attached-fake-pdf-malware/
___

Fake 'new fax delivery svc' – PDF malware
- http://myonlinesecurity.co.uk/we-are-a-new-fax-delivery-service-fake-pdf-malware/
26 Aug 2015 - "A series of emails saying 'We are a new fax delivery service' with the subject reading Fax #[ random characters] from [random name] with a zip attachment is another one from the current bot runs... The email looks like:
You have a fax.
Data sent: Wed, 26 Aug 2015 14:08:41 +0000
TO: [redacted]
*********************************
We are a new fax delivery service – Walker-Gerlach.
Our company develops rapidly and services remain fastest and open to everyone.
As our slogan goes: “Fast. Cheap. Best quality.”
*********************************

-Or-
You have a fax.
Data sent: Wed, 26 Aug 2015 14:06:21 +0000
TO: [REDACTED]
*********************************
We are a new fax delivery service – Hirthe-Bayer.
Our company develops rapidly and services remain fastest and open to everyone.
As our slogan goes: “Fast. Cheap. Best quality.”
*********************************


26 August 2015: fax_jxJ3O9_Walker-Gerlach_Colton Leffler.zip
Extracts to: Invoice East Marta.exe
Current Virus total detections 2/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...9609d290776773e9f8f0d62e/analysis/1440598735/

- http://blog.dynamoo.com/2015/08/fake-fax-spam-spoofs-multiple-senders.html
26 Aug 2015 - "... -fake- fax spam comes from random senders - company names and attachment names vary from spam to spam... Attached is a ZIP file combining various elements from the spam (for example, in this case it was fax_AhnxlQ8_Heaney, Vandervort and Hilll_Donny Kub.zip). This contains a malicious executable (e.g. Invoice Lake Janeview.exe) which currently has a 2/56* detection rate at VirusTotal. The Hybrid Analysis report** shows it phoning home to:
197.149.90.166 /260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM
197.149.90.166 /260822U/Yd1D3h1R87/41/5/42/FDMBEFJBMKBEMM
This pattern marks the malware out as being Upatre/Dyre. 197.149.90.166 is an IP address belonging to Cobranet in Nigeria which was also used in a similar attack yesterday.*** "
* https://www.virustotal.com/en/file/...180ec3c172f037342f00a4d1/analysis/1440599515/

** https://www.hybrid-analysis.com/sam...0f924180ec3c172f037342f00a4d1?environmentId=1

*** http://blog.dynamoo.com/2015/08/malware-spam-updatevacationsschedule092.html
___

Bank of America Invoice Spam
- http://threattrack.tumblr.com/post/127641667433/bank-of-america-invoice-spam
Aug 26, 2015 - "Subjects Seen
Invoice Annabell Yost
Typical e-mail details:
Dear Customer,
Invoice14768170 from Annabell Yost.
Sincerely,
Ellsworth Abbott
1-100-532-7314
Bank of America PLC.


Screenshot: https://40.media.tumblr.com/b3655d7b077d99d0da5d88c9fce8ba49/tumblr_inline_ntp5auEovG1r6pupn_500.png

Malicious File Name and MD5:
InvoiceFaker__Number.number(5)info_324986219861.exe (276646dc44bb3a2e4bf7ba21f207b5be)

Tagged: bank of america, Upatre

Malvertising on MSN .com, Fake 'resume', 'Attachement', 'Payslip' SPAM

FYI...

Angler Exploit Kit strikes MSN.com via Malvertising Campaign
- https://blog.malwarebytes.org/malve...strikes-on-msn-com-via-malvertising-campaign/
Aug 27, 2015 - "The same ad network – AdSpirit .de – which was recently abused in malicious advertising attacks against a slew of top media sites was caught serving malvertising on MSN .com. This is the work of the -same- threat actors that were behind the Yahoo! malvertising. The incident occurred when people who were simply browsing MSN’s news, lifestyle or other portals were served with a malicious advertisement that silently loaded the Angler exploit kit and attempted to infect their computers. The ad request came from AppNexus, which loaded the booby-trapped advert from AdSpirit and the subsequent malvertising chain.
Infection chain:
msn .com/en-us/news/politics/dozens-of-clinton-emails-were-classified-from-the-start-us-rules-suggest/ar-BBlXPkl?ocid=iehp (publisher)
lax1.ib.adnxs .com/{redacted} (AppNexus Ad network)
pub.adspirit .de/adframe.php?pid=7&ord=[timestamp]prdclick_0 (AdSpirit Ad network)
trkp-a1009.rhcloud .com/?tr28-0a22 (OpenShift redhat Redirection)
fox23tv .com/?cn67CuYcDcbvV (Same ad but with redirection to malicious URL)
abbezcqerrd.irica.wieshrealclimate .com (iframe to exploit kit)
hapme.viwahcvonline .com (Angler EK landing page)
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/redir_flow.png
This time, rogue actors are leveraging RedHat’s cloud platform, rhcloud .com to perform multiple -redirections- to the Angler exploit kit (in the previous attack they were using Microsoft’s Azure). While we did not collect the malware payload associated with this campaign, we believe it is either Ad fraud or ransomware, Angler’s trademark. Angler has been acting up strange lately, for instance last week it fell out of favour briefly for the Neutrino EK when compromised sites decided to redirect to the latter. Following our report, AppNexus -deactivated- the creative in question and said they were investigating this issue in greater depth..."

viwahcvonline .com: 141.8.224.93: https://www.virustotal.com/en/ip-address/141.8.224.93/information/

> https://www.virustotal.com/en/url/a...3092d8f4d9644eb20558e0baeb8257f2078/analysis/
___

Fake 'resume' SPAM leads to Cryptowall
- http://blog.dynamoo.com/2015/08/malware-spam-reresume-leads-to.html
26 Aug 2015 at 22:48 - "This -fake- resume spam has a malicious payload. I got part way through decrypting it to discover that @Techhelplistcom had done all the hard bits which saved me some effort. This particular spam delivers a version of the Cryptowall ransomware. In the only sample I saw, the spam looks like this:
From: emmetrutzmoser@ yahoo .com
To:
Date: 26 August 2015 at 23:29
Subject: RE:resume
Signed by: yahoo .com
Hi! my name is Janet Ronald it is my resume!Awaiting your prompt reply
Best regards
Janet Ronald


Attached was a file Janet_Ronald_resume.doc [VT 5/56*] which contains a malicious macro... The format of this message is very similar to this other fake resume spam seen recently[1], and a key feature here is that the message is really sent through Yahoo! and is not a forgery.
1] http://blog.dynamoo.com/2015/08/malware-spam-gabriel-daniel-resume.html
Deobfuscating the macro shows that a file is downloaded from http :// 46.30.46.60 /444.jpg which is then run through a decoding mechanism to create (I think) %APPDATA%\278721985.exe. The Hybrid Analysis report** shows some of this in action, but Techhelplist[2] did the hard work of decrypting it.
> https://4.bp.blogspot.com/-gMHNsx2OEeE/Vd4xLWvpCAI/AAAAAAAAG6U/R7cFcGN5BGE/s1600/cryptowall.png
...
2] https://twitter.com/Techhelplistcom/status/636633492441268224
To save a bit of time, a helpful soul left a note on the VT scan of the fake JPEG which leads to this VT report*** on the actual executable itself, and this then leads to this rather informative Hybrid Analysis report[3] which has some nice screenshots.
3] https://www.hybrid-analysis.com/sam...0e06cb0c393fc3d32d311accbcf3c?environmentId=2
Out of all the IPs and domains listed in those reports, I think these are probably the priorities to block:
46.30.46.60 (Eurobyte, Russia)
linecellardemo .net / 23.229.194.224 (GoDaddy, US)
You might want to block the entire 46.30.46.0/24 range because.. well, Russia really."
* https://www.virustotal.com/en/file/...707cd96011733b98ddf99402/analysis/1440622900/

** https://www.hybrid-analysis.com/sam...366d3707cd96011733b98ddf99402?environmentId=1

*** https://www.virustotal.com/en/file/...1af21c42f732b93/analysis/1440622920/#comments
___

Fake 'Attachement' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/attachement-word-doc-or-excel-xls-spreadsheet-malware/
27 Aug 2015 - "A -blank- email with the subject of 'Attachement' pretending to come from your own email address with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png
The email has a totally empty-blank body and just an XLS Excel spreadsheet attachment:

27 August 2015: 20131030164403.xls - Current Virus total detections 4/57*
Downloads Dridex banking malware from http ://pintart .pt/43t3f/45y4g.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...94d47aadc7e14514340bd78b/analysis/1440669673/

** https://www.virustotal.com/en/file/...fa0c685920d64c3c7297fb0e/analysis/1440670039/
... Behavioural information
TCP connections
91.239.232.145: https://www.virustotal.com/en/ip-address/91.239.232.145/information/
23.14.92.27: https://www.virustotal.com/en/ip-address/23.14.92.27/information/

pintart .pt: 80.172.241.24: https://www.virustotal.com/en/ip-address/80.172.241.24/information/
___

Fake 'Payslip' SPAM - PDF malware
- http://myonlinesecurity.co.uk/payslip-for-period-end-date-27082015-fake-pdf-malware/
27 Aug 2015 - "'Payslip for period end date 27/08/2015' pretending to come from noreply@ fermanagh. gov.uk with a zip attachment is another one from the current bot runs... The email looks like:
Dear administrator
Please find attached your payslip for period end 27/08/2015
Payroll Section ...


Some emails have arrived malformed-and-damaged and look like:
This is a multi-part message in MIME format.
——————=_Next_25232_7367279505.4684370133215
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Dear ae48852507a
Please find attached your payslip for period end 27/08/2015
Payroll Section ...


27 August 2015: payslip.zip: Extracts to: payslip.scr
Current Virus total detections 3/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...6c968b3bc36d5fd07d2557f517b79465298/analysis/

- http://blog.dynamoo.com/2015/08/malware-spam-payslip-for-period-end.html
27 Aug 2015 - "... Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly. This executable has a detection rate of 3/56* and the Hybrid Analysis report** indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking."
* https://www.virustotal.com/en/file/...d5fd07d2557f517b79465298/analysis/1440677452/

** https://www.hybrid-analysis.com/sam...3bc36d5fd07d2557f517b79465298?environmentId=1

197.149.90.166: https://www.virustotal.com/en/ip-address/197.149.90.166/information/
___

Fake 'Girls List' Spam ...
- https://blog.malwarebytes.org/online-security/2015/08/girls-list-spam-landing-in-mailboxes/
Aug 27, 2015 - "... spammers are changing up their dating site spam tactics a little bit in the wake of the continued Ashley Madison fallout, with the below curious missives landing in spamtraps over the last day or so:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/crowdspam1.jpg
... emails are identical, and read as follows:
> https://blog.malwarebytes.org/wp-content/uploads/2015/08/crowdspam2.jpg
... well, they -would- read as follows if they had any text in them to read. The emails are entirely -blank- instead offering up two attachments called “girls_list”. A “girl list” would seem to conjure up visions of swiped data and things you’re not supposed to have access to; as it turns out, opening up the .HTML attachment -redirects- you in a browser to a -porn- dating site which splashes... many nude photos around the screen... These emails are already caught by Gmail as spam, but other providers may -not- be flagging them yet. While I’m sure there are lots of fun things you can do with a list, allowing yourself to be redirected-to-porno-spam is probably not one of them and you should avoid these mails. With websites and services jumping on the AM data bandwagon*, it’s clear that anything involving dating and lists is going to be a hot topic for some time to come. Don’t fall for it."
* http://www.troyhunt.com/2015/08/ashley-madison-search-sites-like.html
24 Aug 2015 - "... harvesting email addresses and spamming searched victims..."
___

Malvertising campaigns increase 325%
- http://net-security.org/malware_news.php?id=3088
26.08.2015 - "Cyphort* investigated the practices used by cyber criminals to inject malicious advertisements into legitimate online advertising networks. Researchers found that malvertising campaigns carried out by hackers increased 325 percent in the past year... The problem of malvertising isn’t going away and cyber criminals will continue finding ways to monetize their attacks. According to the Association of National Advertisers, ad-fraud will cost global advertisers more than $6 billion in 2015..."
* http://www.cyphort.com/category/malvertising/

Fake 'Payment Receipt', 'Dropbox' SPAM

FYI...

Fake 'Payment Receipt' SPAM – xls malware
- http://myonlinesecurity.co.uk/dartford-crossing-payment-receipt-excel-xls-spreadsheet-malware/
28 Aug 2015 - "'Payment Receipt' pretending to come from donotreply@ dartford-crossing-charge.service .gov.uk with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21.png

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/daerford-crossing-Payment-Receipt.png

28 August 2015: PaymentReceipt.xls - Current Virus total detections 5/56*:
Downloads Dridex banking malware from http ://cheaplaptops.pixub .com/3453/5fg44.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...b7f45dc7f178841d4b41bf8c/analysis/1440757199/

** https://www.virustotal.com/en/file/...026faea98bfa1298c3d0b8fc/analysis/1440756592/
... Behavioural information
TCP connections
91.239.232.145: https://www.virustotal.com/en/ip-address/91.239.232.145/information/
23.14.92.35: https://www.virustotal.com/en/ip-address/23.14.92.35/information/
91.239.232.9: https://www.virustotal.com/en/ip-address/91.239.232.9/information/
31.131.251.33: https://www.virustotal.com/en/ip-address/31.131.251.33/information/

pixub .com: 93.188.160.103: https://www.virustotal.com/en/ip-address/93.188.160.103/information/
___

Dropbox Spam
- http://threattrack.tumblr.com/post/127784805983/dropbox-spam
Aug 28, 2015 - "Subjects Seen:
Brad Waters shared “TP Resignation Letter 2.pdf” with you
Reed Contreras shared “TP Resignation Letter 2.pdf” with you

Typical e-mail details:
Brad used Dropbox to share a file with you!
Click here to view.


Screenshot: https://40.media.tumblr.com/5e54ebbf60e08681eabf792e77c83982/tumblr_inline_ntslh2x8Os1r6pupn_500.png

Malicious URLs:
newyearpartyistanbul .com/securestorage/getdocument.html
Malicious File Name and MD5:
TP Resignation Letter 2.scr (90a60d95b2f0db6722755e535e854e82)


Tagged: Dropbox, Upatre

newyearpartyistanbul .com: 93.89.224.6: https://www.virustotal.com/en/ip-address/93.89.224.6/information/

Fake 'FedEx delivery problem' SPAM

FYI...

Fake 'FedEx delivery problem' SPAM – JS malware
- http://myonlinesecurity.co.uk/fedex-shipment-delivery-problem-0000639746-js-malware/
31 Aug 2015 - "An email with the subject of 'Shipment delivery problem #0000639746' pretending to come from FedEx... with a zip attachment that extracts to a JS file is another one from the current bot runs... The content of the email says:
Dear Customer,
Your parcel has arrived at August 28. Courier was unable to deliver the parcel to you.
Please, open email attachment to print shipment label.
Yours faithfully,
Jeffrey Kendall,
Operation Agent.


31 August 2015: FedEx_ID_0000639746.zip: Extracts to: FedEx_ID_0000639746.doc.js
Current Virus total detections 17/57*. I am not getting any payload via the automatic analysers so far although Wepawet indicates it connects to one of these sites:
selmaryachtmarket .com
riggst .com
harmacrebar .com ...

Update: managed to get the malware 92305548.exe (VirusTotal**) and ba892f004ed[1].gif (VirusTotal***)

The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...382038127ebf763610e7b5c5/analysis/1441042826/

selmaryachtmarket .com: 174.137.191.22: https://www.virustotal.com/en/ip-address/174.137.191.22/information/
riggst .com: 108.175.152.86: https://www.virustotal.com/en/ip-address/108.175.152.86/information/
harmacrebar .com: 96.31.35.62: https://www.virustotal.com/en/ip-address/96.31.35.62/information/

** https://www.virustotal.com/en/file/...284fa7cb923350e523c39f7e/analysis/1441044798/
0/57

*** https://www.virustotal.com/en/file/...d0f3e89b232b199a7f613fe0/analysis/1441029511/
1/56

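Defender-side triage of the archive attachments the posts above keep describing (the .scr icon spoof behind a "PDF", and the FedEx_ID_0000639746.doc.js double extension), as an added example that is not code from any of the quoted blogs. The archives are constructed in memory: member names follow the attachments reported on this page, the contents are harmless placeholder bytes, and `renamed.zip` is a constructed case not on the page.

```python
"""Flag e-mail attachment archives whose members disguise an executable.

Added example; the sample archives below are constructed, not real malware.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Extensions Windows executes on double-click, whatever icon the file shows.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta"}
# Extensions a recipient expects for a document or image (the disguise).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "gif", "txt"}


@dataclass
class Finding:
    member: str
    reason: str


def classify_name(name: str) -> Optional[str]:
    """Return why a member name is suspicious, or None if it is not."""
    base = name.rsplit("/", 1)[-1]            # ignore directories inside the zip
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None                           # no extension at all
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        # e.g. "FedEx_ID_0000639746.doc.js": Explorer hides ".js" by default
        return f"double extension .{parts[-2]}.{ext} hides an executable"
    return f"executable attachment (.{ext})"


def looks_like_pe(head: bytes) -> bool:
    """Windows PE files start with the 'MZ' DOS header, whatever their name."""
    return head[:2] == b"MZ"


def triage_zip(data: bytes) -> List[Finding]:
    """Inspect every member of a zip by name and by the first bytes of content."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                findings.append(Finding(info.filename, reason))
            with zf.open(info) as fh:
                head = fh.read(2)
            # A renamed .exe still carries its PE header; catch it by content.
            if reason is None and looks_like_pe(head):
                findings.append(Finding(info.filename,
                                        "PE (MZ) header under a non-executable name"))
    return findings


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Construct a small zip archive in memory from {member_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; names copy attachments quoted in the posts above,
# contents are placeholders. "renamed.zip" is a constructed extra case.
SAMPLES: Dict[str, bytes] = {
    "FedEx_ID_0000639746.zip": build_sample_zip(
        {"FedEx_ID_0000639746.doc.js": b"// placeholder script"}),
    "Invoice_A3176864.zip": build_sample_zip(
        {"Invoice.scr": b"MZ placeholder"}),
    "renamed.zip": build_sample_zip(
        {"statement.pdf": b"MZ placeholder"}),
    "benign.zip": build_sample_zip(
        {"report.pdf": b"%PDF-1.4 placeholder"}),
}


def triage_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, List[Finding]]:
    """Run the triage over every sample archive; empty list means nothing found."""
    return {name: triage_zip(data) for name, data in samples.items()}


if __name__ == "__main__":
    for archive, findings in triage_all().items():
        print(f"{archive}: {'BLOCK' if findings else 'ok'}")
        for f in findings:
            print(f"  {f.member}: {f.reason}")
```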
Fake 'Private message', 'Complaint notice', 'ACH rejection' SPAM

FYI...

Fake 'Private message' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/09/malware-spam-private-message.html
1 Sep 2015 - "This spam comes with a malicious attachment:
From: Adrien Abbott
Date: 1 September 2015 at 12:34
Subject: Private message notification 41447
You've received a private message. Please open the attached to view it.
Adrien Abbott
Chief Tactics Executive
home: 1-583-761-3793
work: 380.022.2492
twitter: @nicole
skype: nicole
messenger: nicole


I have only seen a single sample of this spam, and the attachment was not formatted properly, making it harmless; however, other -variants- could be more dangerous. If properly decoded, the attachment should have been named 89867740_Torphy and Sons_Adrien Abbott.zip containing a malicious executable jodie_okonofficia-quo.exe. This executable has a VirusTotal detection rate of just 2/56*; the Hybrid Analysis report** shows network activity consistent with this being Upatre dropping the Dyre banking trojan, with communications made to:
197.149.90.166 (Cobranet, Nigeria)
..which is an IP that has been used several times for this sort of attack recently and is worth blocking. The report details other IP addresses too, but this seems to be the key one to block or monitor."
* https://www.virustotal.com/en/file/...750e83ba944e0adfe7d51bc5/analysis/1441111004/

** https://www.hybrid-analysis.com/sam...f22fe750e83ba944e0adfe7d51bc5?environmentId=1

- http://myonlinesecurity.co.uk/private-message-notification-fake-pdf-malware/
1 Sep 2015 - "... random names and email addresses from with a zip attachment is another one from the current bot runs... -hundreds- of other names. All details in the body of the email are random. The alleged sender matches the name in the body of the email and the attachment contains those names as well...
1 September 2015: 27121259_Zemlak-Rodriguez_Hans Mohr.zip: Extracts to: velmasuscipit.incidunt.exe
Current Virus total detections 1/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...b45932d1dad77ebe6701a73b/analysis/1441109597/
___

Fake 'Complaint notice' SPAM – PDF malware
- http://myonlinesecurity.co.uk/complaint-notice-fake-pdf-malware/
1 Sep 2015 - "Following on from the earlier malspam run* we now have a series of emails with the subject of 'Complaint notice' [random numbers] also coming from random names and email addresses with a zip attachment is another one from the current bot runs...
* http://myonlinesecurity.co.uk/private-message-notification-fake-pdf-malware/
The content of the email says :
This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.
Martine McDermott
Lead Metrics Designer
T: (104) 644-7068
F: 174.118.9422

-Or-
This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.
Jordane Emard
Internal Intranet Designer
T: 576-698-2292
F: 1-167-549-0752


And -hundreds- of other names. All details in the body of the email are random. The alleged sender matches the name in the body of the email and the attachment contains those names as well...
1 September 2015: 8961683689_Bahringer-Jacobs_Martine McDermott.zip:
Extracts to: alekvoluptatibus-at.exe
Current Virus total detections 2/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...371607251923fe0f7c5b17e5/analysis/1441122287/

- http://blog.dynamoo.com/2015/09/malware-spam-complaint-of-your-internet.html
1 Sep 2015 - "This spam comes with a malicious attachment:
From: Margret Kuhic
Date: 1 September 2015 at 16:10
Subject: Complaint of your Internet activity
This is a complaint notification. Full details attached. Please notify us within 24 hours with taken actions.
Margret Kuhic
Dynamic Communications Agent
T: 1-679-732-5379
F: 100.173.9045


All the samples I have seen have a corrupt attachment which is Base 64 encoded, it is possible that other people might receive a -valid- attachment though. The attachment was meant to be 723296788_Marquardt-Bailey_Margret Kuhic.zip containing the malicious executable june_stiedemannmolestiae.et.exe which has a VirusTotal detection rate of 2/56*. This Hybrid Analysis report** shows it to be just another variant of Upatre/Dyre with the same characteristics as the malspam seen earlier today***, sending traffic to an IP that I suggest you -block- or monitor:
197.149.90.166 (Cobranet, Nigeria)
Some other subjects spotted include:
Complaint notification 50646
Infringement of your Internet activity
Infringement notification 51494 "
* https://www.virustotal.com/en/file/...d0e90d3242573f16e4e52e17/analysis/1441121661/

** https://www.hybrid-analysis.com/sam...b5bbad0e90d3242573f16e4e52e17?environmentId=1

*** http://blog.dynamoo.com/2015/09/malware-spam-private-message.html
___

Fake 'ACH rejection' SPAM – PDF malware
- http://myonlinesecurity.co.uk/ach-rejection-due-to-system-malfunctioning-fake-pdf-malware/
1 Sep 2015 - "An email with the subject of 'ACH rejection due to system malfunctioning' pretending to come from The ACH Network <Stevie.Espinoza@ nacha .org> with a link to download a zip attachment is another one from the current bot runs... The content of the email says :
ACH PAYMENT CANCELLED
The ACH Transaction (ID: 86440585067071), recently sent from your savings account (by you or any other person), was CANCELLED by other financial institution.
Rejection Reason: See details in the report below
Transaction Report: New Banking Details.pdf (Adobe Reader PDF)
13450 Sunrise Valley Drive, Suite 100
Herndon, VA 20171
2014 NACHA – The Electronic Payments Association


The link in the email sends you to http ://cheenichetty .com/securestorage/get_document.html where a zip file is downloaded automatically and you are -bounced- immediately to Dropbox and you think you were on Dropbox the whole time. These 'NACHA/ACH/The Electronic Payments Association payment cancelled' or 'payment rejected' emails are a persistent method of trying to deliver malware to your computer...
1 September 2015: New Banking Details.zip: Extracts to: New Banking Details.scr
Current Virus total detections 6/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...078ca2c9130e3a8d1926439f/analysis/1441127390/

cheenichetty .com: 160.153.50.129: https://www.virustotal.com/en/ip-address/160.153.50.129/information/
___

Your Worst Day In IT
- http://www.darkreading.com/partner-perspectives/tenable/your-worst-day-in-it/a/d-id/1321999
9/1/2015 - "At VMworld 2015 in San Francisco, I roamed the floor with a camera asking attendees, "What was your worst day in IT?" When we initially came up with this question, we thought everyone's worst day would have something to do with a security breach or malware. Turns out that hardware failures and human error are far more common. As much as we talk about threat protection, what we really need to watch out for is our equipment and ourselves."

:fear::fear: :mad:
 
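Nearly every report above ends with the same warning: the zip "extracts to" an .exe, .scr or .doc.js carrying a PDF or DOC icon, which Explorer shows as a document while known extensions are hidden. The following added example (my own code, not from myonlinesecurity.co.uk or any of the quoted blogs) triages a zip attachment for that trick by file name and by the PE "MZ" header; the archive and its member contents are constructed in memory.

```python
"""Triage a zip attachment for executables disguised as documents.

Added example, not code from the quoted blog posts. The archive is built in
memory; member names mimic the 'Extracts to:' patterns quoted above.
"""
import io
import zipfile

# Extensions Windows executes on double-click (assumption: a subset relevant to
# these campaigns, not an exhaustive list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "wsf", "bat", "cmd"}
# Document types the spoofed icons imitate.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def classify_name(name):
    """Reasons an archive member looks suspicious from its file name alone."""
    reasons = []
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
        # e.g. 'E-ZPass_00212297.doc.js': a document extension in front of the real one
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
    return reasons


def classify_member(zf, info):
    """Name-based reasons plus a check of the member's first bytes."""
    reasons = classify_name(info.filename)
    with zf.open(info) as fh:
        head = fh.read(len(MZ_MAGIC))
    if head == MZ_MAGIC:
        ext = info.filename.rsplit(".", 1)[-1].lower()
        if ext in DOCUMENT_EXTS:
            reasons.append("PE header (MZ) behind a document extension")
        elif not reasons:
            reasons.append("PE header (MZ) with a non-executable name")
    return reasons


def triage_zip(data):
    """Map each member name to its findings; an empty list means nothing found."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                findings[info.filename] = classify_member(zf, info)
    return findings


def build_sample_zip():
    """Constructed sample archive: fake contents, only names and headers matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("New Banking Details.scr", MZ_MAGIC + b"\x90\x00" * 30)
        zf.writestr("E-ZPass_00212297.doc.js", b"var a = 1;")
        zf.writestr("report.pdf", MZ_MAGIC + b"\x90\x00" * 30)  # PE renamed to .pdf
        zf.writestr("genuine.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()).items():
        print(f"{name}: {', '.join(reasons) or 'no findings'}")
```

The content check matters because the name check alone misses a renamed PE, while the name check catches a script (.js) that has no MZ header.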
Fake 'toll road invoice', 'order cancelled', 'Companies House' SPAM

FYI...

Fake 'toll road invoice' SPAM – JS malware
- http://myonlinesecurity.co.uk/pay-for-driving-on-toll-road-invoice-00212297-js-malware/
2 Sep 2015 - "An email with the subject of 'Pay for driving on toll road, invoice #00212297' [ random numbered] pretending to come from E-ZPass Agent with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...ng-on-toll-road-invoice-00212297-1024x476.png

2 September 2015: E-ZPass_00212297.zip: Extracts to: E-ZPass_00212297.doc.js
Current Virus total detections 2/57* which downloads 2 files 51053011.exe (virus total**) and 9360abf00281f3aa[1].gif (VirusTotal***) from a combination of these 3 sites
ihaveavoice2 .com
leikkihuone .com
etqy .com
... the 51053011.exe has a stolen digital signature from ESET Antivirus, which has been blocked and at least in Internet Explorer, Smart Filter warns about an invalid digital signature and blocks the file. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...7d7281a162181c8b430078d1/analysis/1441173827/

** https://www.virustotal.com/en/file/...ad008e51bc6a1770e693915b/analysis/1441160077/

*** https://www.virustotal.com/en/file/...7c808339a52ac2698dd608e7/analysis/1441173275/

ihaveavoice2 .com: 50.116.104.205: https://www.virustotal.com/en/ip-address/50.116.104.205/information/
leikkihuone .com: 23.91.123.160: https://www.virustotal.com/en/ip-address/23.91.123.160/information/
etqy .com: "... query for etqy .com failed"
___

Fake 'order cancelled' SPAM - PDF malware
- http://myonlinesecurity.co.uk/the-shipment-of-your-ordered-goods-is-impossible-fake-pdf-malware/
2 Sep 2015 - "An email with the subject of 'The shipment of your ordered goods is impossible' pretending to come from random companies with a zip attachment is another one from the current bot runs... The content of the email says :
Hello!
Unfortunately, the delivery of you order # 003313 was cancelled since
the specified address of the recipient was not correct. You’re recommended to
complete the attached form and send it back or print it and get this package
on your own at our office.
Alf Gottlieb, Corporate Intranet Director ...

-Or-
Hello!
Unfortunately, the delivery of you order # 4534481 was cancelled since
the specified address of the recipient was not correct. You’re recommended to
complete the attached form and send it back or print it and get this package
on your own at our office.
Arnoldo Strosin, Dynamic Markets Producer


And hundreds of other random names and job titles and companies. Some of the subjects in this series of emails include:
The shipment of your ordered goods is impossible
The delivery of your ordered goods isn’t finished
The shipment of your parcel is impossible
The shipping of your parcel is impossible to complete
The shipping of your items has failed
The shipping of your items isn’t finished
The delivery of your items was cancelled
The shipping of your goods is impossible
The delivery of your parcel has failed ...
2 September 2015: orderHayes Flat.zip: Extracts to: orderYost Dale.exe
Current Virus total detections 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...00fa29051e234e6e2a614831/analysis/1441191343/
___

Fake 'Companies House' SPAM – PDF malware
- http://myonlinesecurity.co.uk/companies-house-webfiling-service-fake-pdf-malware/
2 Sep 2015 - "Another perennial email that constantly does the rounds has a subject matter about 'Companies House WebFiling service' and pretends to be either a complaint or a filing acknowledgement. They come with a zip attachment which is another one from the current bot runs... The content of the email says :
This message has been generated in response to the company complaint submitted to Companies House WebFiling service.
(CC01) Company Complaint for the above company was accepted on 02/09/2015.
The submission number is 1GS31QZLMK1BCRG
Please quote this number in any communications with Companies House.
All WebFiled documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.
Not yet filing your accounts online? See how easy it is…
Note: reference to company may also include Limited Liability Partnership(s).
Thank you for using the Companies House WebFiling service.
Service Desk tel +44 (0)303 1234 500 or email...
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.


2 September 2015: Case_1GS31QZLMK1BCRG.zip: Extracts to: Case_081415.scr
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...e454a297b159655f3796de7b/analysis/1441193027/

:fear::fear: :mad:
 
Fake 'chat history', 'Invoice/credit note', 'Lloyds Bank', 'overdue balance' SPAM

FYI...

Malvertising found on Dating Site Match[dot]com
- https://blog.malwarebytes.org/malvertising-2/2015/09/malvertising-found-on-dating-site-matchdotcom/
Sep 3, 2015 - "In an attack similar to the one that happened last month on PlentyOfFish, the UK version of online dating site Match .com was caught serving malvertising. Both companies are actually related since the Match Group bought out POF.com last summer. This latest malvertising incident is the work of the same gang using Google shortened URLs leading to the Angler exploit kit.
Infection flow:
Initial URL: uk.match .com/search/advanced_search.php
Malvertising: tags.mathtag .com/notify/js?exch={redacted}&price=0.361
Malvertising: newimageschool .com/adframe/banners/serv.php?uid=215&bid=14&t=image&w=728&h=90
Malicious Redirector: goo .gl/QU2x0w
Exploit Kit (Angler): med.chiro582help .com/carry.shtm?{redacted}
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/math.png
The malvertising goes through a Goo.gl shortened URL (already blacklisted) that loads the Angler exploit kit:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/google.png
Angler EK is known to serve the Bedep ad fraud Trojan as well as CryptoWall ransomware. The cost per thousand impressions (CPM) for the booby trapped ad was only 36 cents, which is nothing compared to how much infected computers can bring in terms of revenues. For instance, CryptoWall demands $500 per victim. We alerted Match .com and the related advertisers but the malvertising campaign is still-ongoing via other routes."

chiro582help .com: 74.207.227.69: https://www.virustotal.com/en/ip-address/74.207.227.69/information/
___

Fake 'chat history' SPAM – PDF malware
- http://myonlinesecurity.co.uk/you-need-to-read-this-chat-history-fake-pdf-malware/
3 Sep 2015 - "An email with the subject of 'You need to read this chat history' coming from random senders and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
Good day!
You should know this. View the chat history that I’ve attached. Remember
it’s strongly confidential, so please don’t show it to anyone.
Mrs. Edmund Schultz | (859) 913-2400
Toys | Hackett-Kiehn


And hundreds of other random names, email addresses, phone numbers and companies. Other subjects in this series include:
You should view this correspondence
Please view this correspondence
You need to view it
Please see it
You need to review this information
You need to review this chat history
Please see this messages
You need to read this chat history
You should read this messages
You should view this correspondence
And hundreds of other similar variations on the theme of messages and chat history...
3 September 2015: history Ward LockUG.zip: Extracts to: history Chelsea VillagePY.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...675065ddff985d92ee8ace33/analysis/1441271691/
___

Fake 'Invoice / credit note' SPAM - PDF malware
- http://myonlinesecurity.co.uk/invoice-or-credit-note-from-random-companies-fake-pdf-malware/
3 Sep 2015 - "The latest set of -Upatre- downloader emails are 'Invoice' or 'credit note' from random companies. An email with the subject of 'Invoice INV-91659 from [random company]' for [Your web domain] (random numbers) or 'Credit Note CN-85402 from [random company]' for [Your web domain] (random numbers) pretending to come from Accounts with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...orp-for-thespykiller.co_.uk-0394-1024x493.png

3 September 2015: Invoice INV-91659.zip: Extracts to: Invoice.scr
Current Virus total detections 1/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...042a9f56dd79098ca334e5f8/analysis/1441279729/
___

Fake 'Lloyds Bank' SPAM – PDF malware
- http://myonlinesecurity.co.uk/custo...yds-bank-commercial-finance-fake-pdf-malware/
3 Sep 2015 - "An email with the subject of 'Customer Account Correspondence' pretending to come from Lloyds Bank Commercial Finance <customermail@ lloydsbankcommercialfinance .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co.../Customer-Account-Correspondence-1024x490.png

3 September 2015: Lloyds-Commercial_Documents.zip: Extracts to: Lloyds-Commercial_Documents.scr
Current Virus total detections 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...042a9f56dd79098ca334e5f8/analysis/1441281692/
___

Fake 'overdue balance' SPAM – PDF malware
- http://myonlinesecurity.co.uk/overdue-balance-from-random-companies-fake-pdf-malware/
3 Sep 2015 - "Following on from the earlier -Upatre- downloaders, the latest set of emails are about an overdue balance from random companies. An email with the subject of 'Urgent' e-mail letter of 'overdue balance' or 'Important reminder notice about outstanding balance' or very similar wording with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...er-about-outstanding-remittances-1024x314.png

Some of the subjects so far seen include:
Important reminder letter about outstanding remittances
Urgent e-mail letter of overdue balance
Important reminder letter about outstanding remittances
Urgent letter of past due balance
Urgent reminder about your delinquent balance
Important reminder notice of delinquent remittances
Urgent reminder about outstanding balance ...
3 September 2015: documents Heidenreich MillsDE.zip: Extracts to: documents Stark LodgeFR.exe
Current Virus total detections 2/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...26ee0f00aaf076896ffc23eb/analysis/1441291670/
___

Fake 'Canadian Bank' SPAM - PDF malware
- http://myonlinesecurity.co.uk/you-h...n-imperial-bank-of-commerce-fake-pdf-malware/
3 Sep 2015 - "An email with the subject of 'You have received a secure e-mail / Vous avez reçu un courriel protégé' pretending to come from Canadian Imperial Bank of Commerce <noreply@ cibc .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...ou-have-received-a-secure-e-mail-1024x580.png

3 September 2015: SecureMail.zip: Extracts to: SecureMail.scr
Current Virus total detections 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...3584d7faa6803b70ac47f4d9/analysis/1441298777/
___

Skype Spam...
- https://blog.malwarebytes.org/fraud-scam/2015/09/steer-clear-of-this-skype-spam/
Sep 3, 2015 - "Over the last few weeks, there’s been a spam campaign taking place on Skype which involves the following steps:
> Scammers use an automated technique to break old/weak Skype passwords (this has been contested by Skype users in that forum thread*).
* http://community.skype.com/t5/Secur...oofed-message-from-contact/m-p/4038620#M47813
> They then use these accounts to send spam messages to contacts.
> The spam frequently hides the “real” destination by providing (say) a Baidu search engine link instead – along with the Skype Username of the person who clicked the link in the URL.
> The websites the “masked” URLs lead to tend to use redirects – it’s possible they’ve been compromised – before dumping the end-user on a diet spam page.
Here’s an example of the spam currently going around:
>> https://blog.malwarebytes.org/wp-content/uploads/2015/09/skypespam0.jpg
“Hi [username] | baidu(dot)com/[URL string] advise”
Below you can see the initial landing page, the final destination and a screenshot of a Fiddler log:
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/skypespam3.jpg
...
> https://blog.malwarebytes.org/wp-content/uploads/2015/09/skypespam2.jpg?w=564
If your Skype password is in need of a spring clean... feel free to check out the list of hints and tips on the Skype Security page**."
** https://www.skype.com/en/security/

:fear::fear: :mad:
 
Fake 'RE:resume', 'reservation confirmed', 'Order' SPAM

FYI...

Fake 'RE:resume' SPAM / Cryptowall
- http://blog.dynamoo.com/2015/09/malware-spam-reresume-aka-what-happened.html
4 Sep 2015 - "This -fake- résumé spam leads to ransomware:
From: fredrickkroncke@ yahoo .com
Date: 5 September 2015 at 03:50
Subject: RE:resume
Signed by: yahoo.com
Hi my name is Teresa Alexander attach is my resume
Awaiting your prompt reply
Kind regards
Teresa Alexander


The attached document in this case is Teresa_Alexander_resume.doc, which upon opening asks you to enable active content:
> https://1.bp.blogspot.com/-f1xY7yod...AG88/qDKaCyJKegs/s1600/protected-document.png
Following these steps would be a Very-Bad-Idea as the malware would encrypt all your files on the disk. This malicious DOC file itself has a VirusTotal detection rate of 4/56*.
The Hybrid Analysis report** shows pretty clearly what is going on. An infection sequence begins, with the following domains and IPs contacted:
46.30.46.117 (Eurobyte LLC, Russia)
186.202.153.84 (gaiga .net)
192.186.235.39 (satisgoswamicollege .org)
52.88.9.255 (entriflex .com)
23.229.143.32 (eliasgreencondo .com)
-Blocking- those domains and IPs may be enough to stop the ransomware working. The malicious macro in the document drops a file carved_0.exe which has a detection rate of 4/56***.
Once the machine is infected, various "What happened to your files?" messages pop up, such as this one (from the Hybrid Analysis report):
> https://3.bp.blogspot.com/-KrTiQq4qfks/Ven8lPdB9_I/AAAAAAAAG9I/F61pWEz3pDM/s1600/cryptowall2.png
This further references another bunch of domains that you might want to -block- especially in a corporate environment:
namepospay .com
optiontosolutionbbs .com
optionpay2all .com
democraticash .com

This further Hybrid Analysis report**** on the dropped binary also identifies the following malicious site:
68.178.254.208 (erointernet .com)
... it is worth noting that the malware attempts to identify the IP address of the infected system by visiting ip-addr .es - although this is -not- a malicious site, you can consider it to be a potential indicator of compromise. The payload here is Cryptowall 3.0 and as is typical, removing the malware is easy... but decrypting the files without paying the ransom is fearsomely difficult.
Recommended blocklist:
"
* https://www.virustotal.com/en/file/...56385cda8a87a15d09f3897f/analysis/1441396906/

** https://www.hybrid-analysis.com/sam...cad527915b1a807c289e6ceb0c06c?environmentId=1

*** https://www.virustotal.com/en/file/...56385cda8a87a15d09f3897f/analysis/1441396906/

**** https://www.hybrid-analysis.com/sam...b62d156385cda8a87a15d09f3897f?environmentId=1
___

Fake 'reservation confirmed' SPAM - PDF malware
- http://myonlinesecurity.co.uk/your-reservation-is-now-confirmed-booking-com-fake-pdf-malware/
4 Sep 2015 - "An email with the subject of 'Your reservation is now confirmed!' pretending to come from Booking .com with a zip attachment is another one from the current bot runs... The content of the email says:
Thanks! Your reservation is now confirmed.
To view additional information about your reservation, please open the attachment.
Booking number: 376627092
PIN Code: 6524
Email: [Redacted]
Your reservation: 1 night, 1 room
Check in: Saturday, September 05, 2015
(2:00 pm – 00:00 am)
Check out: Sunday, September 06, 2015
(until 12:00 pm)
Superior Double Room £1,799.68
VAT (20%) included £449.92
Total Price £2,249.60
Please note: additional supplements (e.g. extra bed) are not added to this total.
The total price shown is the amount you will pay to the property. Booking.com does not charge any reservation, administration or other fees.
You can easily change or cancel this booking for free before September 05 – 2015, to cancel or modify your reservation please complete the attached form and fax it to:
+1 888 850 5250
Have a great trip!
– The Booking.com Team
Copyright 1996 – 2013 Booking .com. All rights reserved.
This email was sent by Booking .com, Herengracht 597, 1017 CE Amsterdam, Netherlands


4 September 2015: Booking number 376627092.zip: Extracts to: Booking.scr
Current Virus total detections 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...64a2eeb2575423f7c97b9e26/analysis/1441343056/
___

Fake 'account security' SPAM
- http://myonlinesecurity.co.uk/important-system-notification-about-account-security/
4 Sep 2015 - "An email with the subject of 'Important system notification about account security' coming from random companies and random email addresses with a zip attachment is another one from the current bot runs... However the attachment is defective and corrupt. If previous experience is anything to go by, the bad guys controlling the botnet will soon realise their mistake and send out a new batch of -working- emails and attachments. The content of the email says:
This is an automatically generated security system alert. It happens when something goes wrong with your account.
To view full details, please open the attached report.
Mrs. Myriam Dach
tel: 1-606-773-7379
Email : cyineosoy5964lqw@ allpromoprint .com


... other subjects include:
Notice concerning your account
Important system notification about your account protection ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake 'Order' SPAM - PDF malware
- http://myonlinesecurity.co.uk/order-is-finished-fake-pdf-malware/
4 Sep 2015 - "An email with the subject of 'Order is finished' coming from random companies and random email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
Hello!
Many thanks for purchasing! Please retain attached transaction summary for your records.
Please do not respond to this e-mail message. It’s automatically generated.
Terence Kilback
tel: 936.953.8037
Lehner LLC
Email: ...


Other subjects in this series of emails include:
Your purchase is finished
Your order is finished
Your purchase is confirmed ...
4 September 2015: Krystel StreetMT_report.zip: Extracts to: Tristin LandBL_report.exe
Current Virus total detections 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...fd9d7f2c3ada67ecaa48c50d/analysis/1441384453/

:fear::fear: :mad:
 
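The Cryptowall write-up above recommends blocking or monitoring a list of hosts written in the blog's defanged notation ('name .tld', 'http ://', a /24) and treats a visit to an IP-lookup site as a soft indicator of compromise. The added example below (my own code, not dynamoo's) refangs such a list and checks proxy log lines against it; every indicator and log line here is a constructed placeholder (RFC 5737 ranges, example domains), not one of the post's real values.

```python
"""Check proxy log lines against a blocklist written in defanged notation.

Added example, not code from the quoted blog post. Indicators and log lines
are constructed placeholders (RFC 5737 ranges, example domains) in the same
defanged style the post uses; they are not the post's real indicators.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed blocklist in the post's notation: 'name .tld', a /24, a bare IP.
BLOCKLIST = [
    "203.0.113.0/24",
    "ransom-example .com",
    "ip-lookup-example .net",  # stand-in for the IP-check site the post calls a soft IoC
    "198.51.100.7",
]

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
LOG_LINES = [
    "2015-09-04T10:01:02 10.0.0.5 GET http://ip-lookup-example.net/ 200",
    "2015-09-04T10:01:03 10.0.0.5 POST http://www.ransom-example.com/gate.php 200",
    "2015-09-04T10:01:04 10.0.0.7 GET http://203.0.113.44/x.html 200",
    "2015-09-04T10:02:10 10.0.0.9 GET https://www.example.org/ 200",
    "2015-09-04T10:02:11 10.0.0.9 GET http://198.51.100.70/ 200",
]

# Dot spellings to undo: the posts' 'host .tld' and '(dot)', plus the common '[.]'.
_DEFANGED_DOT = re.compile(r"\s*(?:\[\.\]|\[dot\]|\(dot\)|\.)\s*")


def refang(indicator):
    """Turn a defanged indicator back into its real form."""
    text = indicator.replace("http ://", "http://").replace("hxxp://", "http://")
    return _DEFANGED_DOT.sub(".", text).strip()


def parse_blocklist(entries):
    """Split refanged entries into IP networks (a bare IP becomes a /32) and domains."""
    networks, domains = [], set()
    for raw in entries:
        ind = refang(raw).lower()
        try:
            networks.append(ipaddress.ip_network(ind, strict=False))
        except ValueError:
            domains.add(ind)
    return networks, domains


def host_matches(host, networks, domains):
    """True if host is inside a blocked network or equals/is under a blocked domain."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return any(host == d or host.endswith("." + d) for d in domains)
    return any(addr in net for net in networks)


def find_hits(lines, entries=BLOCKLIST):
    """Return (client, host) pairs for lines whose URL host is on the blocklist."""
    networks, domains = parse_blocklist(entries)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        host = (urlsplit(fields[3]).hostname or "").lower()
        if host and host_matches(host, networks, domains):
            hits.append((fields[1], host))
    return hits


if __name__ == "__main__":
    for client, host in find_hits(LOG_LINES):
        print(f"{client} contacted blocked host {host}")
```

Subdomains of a listed domain count as hits, so a 'www.' host still matches the bare domain the post lists.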