SPAM frauds, fakes, and other MALWARE deliveries...

relode .com - SPAM ...

FYI...

relode .com - SPAM...
- http://blog.dynamoo.com/2015/11/spam-relodecom-and-matt-tant-part-ii.html
21 Nov 2015 - "Matt Tant and the moron spammers from relode .com are at it again.
From: Matt Tant [matthew@ relode .com]
To: "donotemail@ wearespammers .com" [donotemail@ wearespammers .com]
Date: 21 November 2015 at 22:40
Subject: Snagajob integration added
This just in! In addition to our Craigslist and Indeed integrations, we have just pushed an integration with Snagajob! Do you post only on Craigslist, or do you post on multiple job posting sites?...


I've covered these CAN-SPAM busting idiots before*..."
* http://blog.dynamoo.com/2015/11/spam-relodecom-and-matt-tant.html
17 Nov 2015
___

- http://centralops.net/co/DomainDossier.aspx
relode .com
aliases
addresses
198.185.159.144: https://www.virustotal.com/en/ip-address/198.185.159.144/information/
198.185.159.145: https://www.virustotal.com/en/ip-address/198.185.159.145/information/
198.49.23.144: https://www.virustotal.com/en/ip-address/198.49.23.144/information/
198.49.23.145: https://www.virustotal.com/en/ip-address/198.49.23.145/information/

:fear::fear: :mad:
 
Fake 'Employee Documents', 'UKMail tracking' SPAM, Cybercriminal Underground

FYI...

WordPress + Angler EK = compromise for some...
- https://blog.malwarebytes.org/hacking-2/2015/11/catching-up-with-the-eitest-compromise-a-year-later/
Nov 23, 2015 - "We are seeing -dozens- of WordPress sites compromised recently with the same malicious code -redirecting- to the Angler exploit kit. The attack involves conditionally embedded large snippets of code at the bottom of the sites’ source page. It is important to stress this is a conditional injection because webmasters trying to identify the issue may -not- see it unless they browse from a fresh IP address and a particular user-agent (Internet Explorer being the most likely to get hit)... The -rogue- code loads a Flash video file from a -suspicious- top-level domain name such as .ga, .tk or .ml which is used to -redirect- visitors to the Angler exploit kit. This is the same attack pattern we documented over a year ago (Exposing the Flash ‘EITest’ malware campaign*)... The latest WordPress version is 4.3.1. This particular ‘EITest campaign’ never actually stopped and saw an increase in the last few months which has been sustained up until now... Angler EK exploits Flash Player... If your WordPress site has been affected, keep in mind that the malicious injected code is just part of the symptoms from having your site hacked. It’s important to identify backdoors, .htaccess modifications as well as the original entry point, by looking at your access and error logs..."
* https://blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/

Latest Wordpress: https://wordpress.org/news/2015/09/wordpress-4-3-1/

Latest Flash: https://helpx.adobe.com/security/products/flash-player/apsb15-28.html
___

Fake 'Employee Documents' SPAM - xls malware
- http://myonlinesecurity.co.uk/emplo...n-email-domain-excel-xls-spreadsheet-malware/
23 Nov 2015 - "An email with the subject of 'Employee Documents Internal Use' pretending to come from HR at your own email domain or company with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents
DOCUMENT LINK: [Link removed]
This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.


23 November 2015: Employee Documents(1928).xls - Current Virus total detections 4/54*
... Connects to and downloads kunie .it/u654g/76j5h4g.exe. It is very likely that the downloaded malware will be Dridex banking malware, although some antiviruses are indicating a -cryptowall- ransomware (VirusTotal 6/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...94eaecf06a9b882f60967102/analysis/1448270398/

** https://www.virustotal.com/en/file/...34f62a0b2b44be4055686bfb/analysis/1448270247/
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-address/89.108.71.148/information/
90.84.59.51: https://www.virustotal.com/en/ip-address/90.84.59.51/information/

- http://blog.dynamoo.com/2015/11/malware-spam-employee-documents.html
23 Nov 2015 - "... Attached is a file Employee Documents(1928).xls ... sources tell me that there are -three- different versions downloading from the following locations:
kunie .it/u654g/76j5h4g.exe
oraveo .com/u654g/76j5h4g.exe
www .t-tosen .com/u654g/76j5h4g.exe
The downloaded binary has a detection rate of just 1/54*. That VirusTotal report and this Hybrid Analysis report** show network connections to the following IPs:
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
157.252.245.32 (Trinity College Hartford, US)
The payload is probably the Dridex banking trojan...
Recommended blocklist:
89.108.71.148
89.32.145.12
157.252.245.32
"
* https://www.virustotal.com/en/file/...4a63b895a0de1f5e61272560/analysis/1448276542/
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-address/89.108.71.148/information/
8.254.218.126: https://www.virustotal.com/en/ip-address/8.254.218.126/information/

** https://www.hybrid-analysis.com/sam...74b3b4a63b895a0de1f5e61272560?environmentId=1
___

Fake 'UKMail tracking' SPAM - doc malware
- http://myonlinesecurity.co.uk/ukmail-988271023-tracking-information-word-doc-malware/
23 Nov 2015 - "An email with the subject of 'UKMail 988271023 tracking information' pretending to come from no-reply@ ukmail .com with a malicious word doc attachment is another one from the current bot runs... The email looks like:
UKMail Info!
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.
Warranties
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service...


23 November 2015: 988271023-PRCL.doc - Current Virus total detections 4/54*
... Connects to & downloads an updated Dridex banking malware from
xsnoiseccs .bigpondhosting .com/u654g/76j5h4g.exe (VirusTotal 3/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...347211c6e43f52b5236a914e/analysis/1448280511/

** https://www.virustotal.com/en/file/...4eba0bcfcf7b458a740dc03c/analysis/1448282238/
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-address/89.108.71.148/information/
23.62.99.136: https://www.virustotal.com/en/ip-address/23.62.99.136/information/

- http://blog.dynamoo.com/2015/11/malware-spam-ukmail-988271023-tracking.html
23 Nov 2015 - "... The attachment is named 988271023-PRCL.doc ... This binary has a VirusTotal detection rate of 5/54*. That VirusTotal report plus this Hybrid Analysis report** and Malwr report*** indicate malicious traffic... The payload is likely to be the Dridex banking trojan...
Recommended blocklist:
157.252.245.32
89.32.145.12
89.108.71.148
91.212.89.239
89.189.174.19
122.151.73.216
37.128.132.96
195.187.111.11
37.99.146.27
77.221.140.99
195.251.145.79
"
* https://www.virustotal.com/en/file/...4eba0bcfcf7b458a740dc03c/analysis/1448285502/

** https://www.hybrid-analysis.com/sam...1d6f74eba0bcfcf7b458a740dc03c?environmentId=1

*** https://malwr.com/analysis/ODJhYmE3NGY1ZDI4NDg3NzlmZjQ1NjM0ZDM2NmFhM2I/
___

Dyreza trojan evolves for Win10
- http://www.itnews.com.au/news/dyreza-trojan-evolves-for-windows-10-412101
Nov 23 2015 - "Notorious banking trojan Dyreza has evolved to target the Windows 10 operating system, according to cyber-security firm Heimdal*. The new feature of this pernicious strain of malware includes support for Windows 10, so cyber-criminals can stay up to date with the developments of their prey, as well as the ability to latch on to Microsoft Edge, Windows 10's replacement for the much-maligned Internet Explorer. Heimdal also noted that this new version of Dyreza “kills a series of processes linked to endpoint security software, in order to make its infiltration in the system faster and more effective”. Nearly 100,000 machines have apparently been infected by Dyreza worldwide, and Dyreza strains have been developed for just about every kind of Windows operating system in recent memory, including Windows 7 through 10 as well as Winserver 2003 and Vista... Occasionally known as -Dyre-, this particular trojan digs itself right into a user's browser. From there, it directs users to modified versions of otherwise legitimate webpages. If Dyreza is installed on a computer, it might steal online banking details as a user logs into what they think is a normal online -banking- webpage. It commonly spreads itself in large swathes of phishing emails in a tactic known as 'spray and pray'. But once Dyreza does hit a target, it collects users' data and becomes part of a botnet, allowing the attacker to receive the critical information from many users... The research also notes that this new strain arrives just in time for the holidays, with Christmas, Thanksgiving and, more importantly, Black Friday, the US's post-Thanksgiving shopping event, just around the corner..."
* https://heimdalsecurity.com/blog/security-alert-new-dyreza-variant-supports-windows-10-edge/
___

Cybercriminal Underground - 2015
- https://www.trendmicro.com/vinfo/us...he-chinese-cybercriminal-underground-in-2015/
Nov 23, 2015 - "... Data leaked in the underground allows cybercriminals to commit various crimes like financial fraud, identity and intellectual property theft, espionage, and extortion. Chinese cybercriminals have managed to enhance the way they share data as seen in the case of SheYun, a search engine created specifically to make leaked data to users available. Over the last few years, we have been keeping track of the shift of prices of goods and services traded in the Chinese underground. Previously, we saw compromised hosts, DDoS attack tools services, and remote access Trojans (RATs) being sold. Today, social engineering tools have been added to the market.
Carding devices: Cash transactions are slowly becoming a thing of the past, as evidenced by the adoption of electronic and mobile payment means.
• PoS skimmers - Tampered PoS devices are sold to resellers who may or may not know that these devices are rigged. Some PoS skimmers come with an SMS-notification feature that allows the cybercriminal to access the stolen data remotely every time the device is used.
• ATM skimmers – Commonly sold on B2B websites, these fraud-enabling devices allowed fraudsters to carry out bank fraud and actual theft. The devices have keypad overlays that are used to steal victims’ PINs.
• Pocket skimmers – These small, unnoticeable magnetic card readers can store track data of up to 2,048 payment cards. They do not need to be physically connected to a computer or a power supply to work. All captured data can be downloaded onto a connected computer..."
___

21% of Brits have been hit by cyber gits
- http://www.theinquirer.net/inquirer/news/2436052/21-percent-of-brits-have-been-hit-by-cyber-gits
Nov 23 2015 - "ACCORDING TO A REPORT from Deloitte*, one in five British people has been the victim of a security breach... The report says that the ongoing explosion in business and consumer data presents an increasingly tempting target for those with evil intent. It warns companies that most consumers expect them to take responsibility for protecting their data. However, it adds that most consumers do not have a clue what that means... 'Our 2015 report found that 84 percent of consumers expect companies to be held responsible for ensuring the security of user data and personal information online'... Deloitte found that two-thirds of punters would pull their personal data out of firms if they could do so easily, while 52 percent are -not- happy with the way their data is used. Only about a third said that they are aware of the fact that their data is taken and used. Thirteen percent were completely clueless on collection. These people are reading the wrong websites..."
* http://www2.deloitte.com/uk/en/pages/consumer-business/articles/consumer-data-under-attack.html

:fear::fear: :mad:
 
Fake 'Billing', 'Scan', 'FED Wire', 'Abcam Despatch' SPAM

FYI...

Fake 'Billing' SPAM - Cryptowall
- http://blog.dynamoo.com/2015/11/malware-spam-serafinibillingstatement.html
24 Nov 2015 - "This -fake- financial spam leads to ransomware:
From: Scrimpsher [mumao82462308wd@ 163 .com]
Date: 24 November 2015 at 16:57
Subject: Serafini_Billing_Statement 2003
Signed by: 163 .com
Hi Please see attached a copy of your statement for the month of Nov 2015
Sincerely
Lynda Ang


As with many recent ransomware attacks, this appears to have been sent through webmail (it really is from 163 .com, it is -not- being spoofed). Attached is a file Statement.zip which contains a malicious javascript statement.js ... [vT 7/53*] which then downloads a component from:
46.30.45.73 /mert.exe
That IP belongs to Eurobyte LLC in Russia. I recommend that you -block- it. This is saved as %TEMP%\122487254.exe and it has a VirusTotal detection rate of 5/55**... The application's icon and metadata is designed to make it look like a copy of VNC, but instead the VirusTotal detection indicates that it is Cryptowall. This Hybrid Analysis report*** demonstrates the ransomware in action most clearly..."
> https://2.bp.blogspot.com/-JVJIL7NuZPE/VlS3xQHC9cI/AAAAAAAAHaY/zOys_bRHNDw/s640/cryptowall.png
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en/file/...5696815a2c2d02a18f1c5872/analysis/1448391057/

** https://www.virustotal.com/en/file/...6ab8e4e0ff883628d4c6b3ae/analysis/1448390921/

*** https://www.hybrid-analysis.com/sam...092f56ab8e4e0ff883628d4c6b3ae?environmentId=1

46.30.45.73: https://www.virustotal.com/en/ip-address/46.30.45.73/information/

- http://centralops.net/co/DomainDossier.aspx
163 .com
aliases
addresses
123.58.180.8: https://www.virustotal.com/en/ip-address/123.58.180.8/information/
123.58.180.7: https://www.virustotal.com/en/ip-address/123.58.180.7/information/
___

Fake 'Scan' SPAM - doc malware
- http://myonlinesecurity.co.uk/scan-...pecare-co-uk-melissa-oneill-word-doc-malware/
24 Nov 2015 - "An email with the subject of 'Scan as requested' pretending to come from Melissa O’Neill <adminoldbury@ newhopecare .co.uk> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Scan-as-requested-1024x718.png

24 November 2015: 20151009144829748.doc - Current Virus total detections 5/53*
... Downloads Dridex banking malware from
http ://afrodisias .com .tr/7745gd/4dgrgdg.exe (VirusTotal 4/55**)
Update: other download locations discovered include
www .costa-rica-hoteles-viajes .com/~web/7745gd/4dgrgdg.exe and janaduchanova .wz .cz/7745gd/4dgrgdg.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...bc09533707916b5c09c36df1/analysis/1448358595/

** https://www.virustotal.com/en/file/...05f134a32d21e5e62fc5f43a/analysis/1448359094/
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-address/89.108.71.148/information/
88.221.14.130: https://www.virustotal.com/en/ip-address/88.221.14.130/information/

- http://blog.dynamoo.com/2015/11/malware-spam-scan-as-requested-melissa.html
24 Nov 2015 - "... This has a VirusTotal detection rate of 4/55*. That VT analysis and this Malwr analysis** and these two Hybrid Analysis reports [1] [2] show network traffic to:
157.252.245.32 (Trinity College Hartford, US)
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
88.86.117.153 (SuperNetwork, Czech Republic) ...
Recommended blocklist:
157.252.245.32
89.108.71.148
89.32.145.12
88.86.117.153
"
* https://www.virustotal.com/en/file/...05f134a32d21e5e62fc5f43a/analysis/1448361171/
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-address/89.108.71.148/information/
88.221.14.130: https://www.virustotal.com/en/ip-address/88.221.14.130/information/

** https://malwr.com/analysis/ZDU2YWU5YWQxZDg4NDY0ZDkyYjQ0ODA5NGFiYzQzYTE/

1] https://www.hybrid-analysis.com/sam...6a526e968af940bbf2ace57a7bce3?environmentId=1

2] https://www.hybrid-analysis.com/sam...2669005f134a32d21e5e62fc5f43a?environmentId=1
___

Fake 'FED Wire' SPAM - xls malware
- http://myonlinesecurity.co.uk/impor...h-restrictions-excel-xls-spreadsheet-malware/
24 Nov 2015 - "The second batch of malspam today using malicious office docs with macros is an email with the subject of 'IMPORTANT. FDIC. FED Wire and ACH Restrictions' pretending to come from FDIC, Federal Reserve Bank <administration@ usfederalreservebank .com> with a malicious Excel XLS spreadsheet attachment. It is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/FED-Wire-and-ACH-Restrictions.png

24 November 2015: aes_E851174777E.xls - Current Virus total detections 3/56*
The MALWR analysis shows us that it downloads various files from a combination of http ://rmansys .ru/utils/inet_id_notify.php and http ://s01.yapfiles .ru/files/1323961/435323.jpg .
The only file I get that is malicious is test.exe that looks like it was -renamed- from the 435323.jpg on download by the macro inside this office doc. (VirusTotal 5/56**). I am unsure what malware this actually is, but it doesn’t look like it is Dridex... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...601f1c0dba94c1c1969a4462/analysis/1448364813/

** https://www.virustotal.com/en/file/...67761cfdad3f14f1d1f6cd54/analysis/1448365505/
TCP connections
89.108.101.61: https://www.virustotal.com/en/ip-address/89.108.101.61/information/
90.156.241.111: https://www.virustotal.com/en/ip-address/90.156.241.111/information/
217.197.126.52: https://www.virustotal.com/en/ip-address/217.197.126.52/information/

- http://blog.dynamoo.com/2015/11/malware-spam-federal-reserve-bank.html
24 Nov 2015 - "This spam does -not- come from the Federal Reserve Bank, but is instead a simple -forgery- with a malicious attachment... According to this Malwr report[1] it drops all sorts of files including _iscrypt.dll [VT 0/54*] and 2.exe [VT 2/54**] which is analysed in this Malwr report[2] and this Hybrid Analysis report[3]. It is unclear as to what it does (ransomware? remote access trojan?), but it appears that the installation may be password protected...
Recommended blocklist:
185.26.97.120
90.156.241.111
89.108.101.61
95.27.132.170
217.197.126.52
88.147.168.112
217.19.105.3

UPDATE: This Hybrid Analysis report[4] shows various web pages popping up from the Excel spreadsheet, including MSN and Lidl. The purpose of this is unknown."
* https://www.virustotal.com/en/file/...84f3d5658cda44950fa0f8fc/analysis/1448378403/

** https://www.virustotal.com/en/file/...edd31c733cd20e0400460d3d/analysis/1448378422/

1] https://malwr.com/analysis/NWMzNjQwMWQ3MDk5NGI3NmIyY2MyOWU5NmM1NTk3MzQ/

2] https://malwr.com/analysis/MGQ3NjdkYmMyMmI3NDVlNDljYWRhOTA2MWE0MTAwM2Y/

3] https://www.hybrid-analysis.com/sam...b6bbfedd31c733cd20e0400460d3d?environmentId=1

4] https://www.hybrid-analysis.com/sam...24858e63e98114bc39d3e6298cbe?environmentId=1
___

Fake 'Abcam Despatch' SPAM - xls malware
- http://myonlinesecurity.co.uk/abcam...rdersabcam-com-excel-xls-spreadsheet-malware/
24 Nov 2015 - "The 3rd set today of malspam emails using malicious office docs is an email with the subject of 'Abcam Despatch [CCE5303255]' pretending to come from orders@ abcam .com with a malicious Excel XLS spreadsheet attachment. It is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Abcam-Despatch-1024x550.png

24 November 2015: invoice_1366976_08-01-13.xls - Current Virus total detections 6/56*
... which is actually a zip file that when extracted gives you -several- docs or xls files [1] [2] [3] [4] [5] [6]. MALWR analysis of some of them show that they contact & download a Dridex banking malware from these locations amongst others:
http ://janaduchanova .wz.cz/7745gd/4dgrgdg.exe (VirusTotal 1/55**)
http ://afrodisias.com .tr/7745gd/4dgrgdg.exe
http ://www.costa-rica-hoteles-viajes .com/~web/7745gd/4dgrgdg.exe
http ://biennalecasablanca .ma/7745gd/4dgrgdg.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...fe507c95a031c6ee3ee58d81/analysis/1448365689/

1] https://www.virustotal.com/en/file/...d5d0bcbae0ba8e025cc38b24/analysis/1448365924/

2] https://www.virustotal.com/en/file/...dcbf2bec2de96fe9a9f2cc80/analysis/1448366059/

3] https://www.virustotal.com/en/file/...fe4ac5bda22e80929eba9192/analysis/1448366422/

4] https://www.virustotal.com/en/file/...954bfa0074d8da2d91d793af/analysis/1448366042/

5] https://www.virustotal.com/en/file/...954bfa0074d8da2d91d793af/analysis/1448366042/

6] https://www.virustotal.com/file/1e4...b3eed40f1368d48d1ebba7cf/analysis/1448361214/

** https://www.virustotal.com/en/file/...701cc06cfdd762feb3bafe01/analysis/1448365319/
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-address/89.108.71.148/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

- http://blog.dynamoo.com/2015/11/malware-spam-abcam-despatch-cce5303255.html
24 Nov 2015 - "... The attachment name is invoice_1366976_08-01-13.xls ... This binary has a detection rate of 2/55* and phones home to the following IPs (according to this**):
157.252.245.32 (Trinity College Hartford, US)
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)..
Recommended blocklist:
157.252.245.32
89.108.71.148
89.32.145.12
"
* https://www.virustotal.com/en/file/...701cc06cfdd762feb3bafe01/analysis/1448369154/
TCP connections
89.108.71.148: https://www.virustotal.com/en/ip-address/89.108.71.148/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

** https://www.hybrid-analysis.com/sam...31b74dcbf2bec2de96fe9a9f2cc80?environmentId=1

:fear::fear: :mad:
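The dynamoo excerpts above each close with a "Recommended blocklist", and the myonlinesecurity excerpts show the same download path (/u654g/76j5h4g.exe, /7745gd/4dgrgdg.exe) recurring across unrelated compromised hosts. The script below is an added example, not code from any of the quoted blogs: it parses those defanged IoC excerpts into IP, host and path sets and runs them over constructed Squid-style proxy log lines. The log lines and the TEST-NET addresses in them are made up for the example; only the IoC values come from the page.

```python
"""Consolidate the IoCs quoted above and match them against log lines.

Added example, not code from any of the quoted blogs.  QUOTED_IOCS holds
"Recommended blocklist" IPs and download locations exactly as the dynamoo and
myonlinesecurity excerpts above give them (defanged with spaces); SAMPLE_LOGS
are constructed proxy log lines for this example, not real traffic.
"""
import ipaddress
import re

QUOTED_IOCS = """
Recommended blocklist:
157.252.245.32
89.32.145.12
89.108.71.148
91.212.89.239
kunie .it/u654g/76j5h4g.exe
oraveo .com/u654g/76j5h4g.exe
xsnoiseccs .bigpondhosting .com/u654g/76j5h4g.exe
http ://afrodisias .com .tr/7745gd/4dgrgdg.exe
"""

# Constructed Squid-style access log lines (TEST-NET addresses for unrelated hosts).
SAMPLE_LOGS = [
    "1448276542.101 10.0.0.12 TCP_MISS/200 GET http://oraveo.com/u654g/76j5h4g.exe - DIRECT/203.0.113.5 application/octet-stream",
    "1448276550.404 10.0.0.12 TCP_TUNNEL/200 CONNECT 89.108.71.148:443 - DIRECT/89.108.71.148 -",
    "1448276561.019 10.0.0.33 TCP_MISS/200 GET http://news.example/index.html - DIRECT/203.0.113.20 text/html",
    "1448276570.777 10.0.0.45 TCP_MISS/200 GET http://other-host.example/7745gd/4dgrgdg.exe - DIRECT/203.0.113.9 application/octet-stream",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Defanged download location: optional "http ://", host with spaced dots, path ending in .exe
DEFANGED_URL_RE = re.compile(r"(?:https?\s*:\s*//)?((?:[\w-]+\s*\.\s*)+[\w-]+)(/\S+\.exe)")


def refang(token: str) -> str:
    """Collapse the 'example .com' spacing used in the quoted posts."""
    return re.sub(r"\s*\.\s*", ".", token)


def parse_iocs(text: str):
    """Return (ips, hosts, paths) sets from the quoted IoC excerpts."""
    ips, hosts, paths = set(), set(), set()
    for line in text.splitlines():
        line = line.strip()
        if IPV4_RE.fullmatch(line):
            ips.add(ipaddress.IPv4Address(line))
            continue
        m = DEFANGED_URL_RE.search(line)
        if m:
            hosts.add(refang(m.group(1)).lower())
            paths.add(m.group(2))  # the path recurs across hosts, so match it on its own
    return ips, hosts, paths


def scan_logs(lines, ips, hosts, paths):
    """Return [(line, [reasons])] for every line touching a known IoC."""
    hits = []
    for line in lines:
        reasons = []
        for ip_str in sorted(set(IPV4_RE.findall(line))):
            try:
                if ipaddress.IPv4Address(ip_str) in ips:
                    reasons.append(f"blocklisted ip {ip_str}")
            except ValueError:  # an octet above 255 is not an address
                pass
        lower = line.lower()
        reasons += [f"known download host {h}" for h in sorted(hosts) if h in lower]
        reasons += [f"known download path {p}" for p in sorted(paths) if p in line]
        if reasons:
            hits.append((line, reasons))
    return hits


def run_example():
    ips, hosts, paths = parse_iocs(QUOTED_IOCS)
    return scan_logs(SAMPLE_LOGS, ips, hosts, paths)


if __name__ == "__main__":
    for line, reasons in run_example():
        print(line.split()[1], "->", "; ".join(reasons))
```

The path match is the part worth keeping: the fourth constructed line goes to a host that appears in none of the excerpts, yet the shared /7745gd/4dgrgdg.exe path still flags it, which is how a new download location in the same bot run shows up before anyone publishes it.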
 
Fake 'Paypal', 'NatWest' PHISH, eDellRoot, 1.2B stolen Web credentials

FYI...

Fake Paypal PHISH
- http://myonlinesecurity.co.uk/paypal-urgent-your-card-has-been-stopped-phishing/
25 Nov 2015 - "There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card, with a message saying something like:
• Urgent: Your card has been stopped !
• There have been unauthorised or suspicious attempts to log in to your account, please verify
• Your account has exceeded its limit and needs to be verified
• Your account will be suspended !
• You have received a secure message from <your bank>
• We are unable to verify your account information
• Update Personal Information
• Urgent Account Review Notification
• We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
• Confirmation of Order
The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever follow the links or fill in the html (webpage) form that comes attached to the email.

Screenshot1: http://myonlinesecurity.co.uk/wp-co...rgent-Your-card-has-been-stopped-1024x675.png

Screenshot2: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/fake_paypal-site-1024x531.png

If you fill in the email address and password you get:
Screenshot3: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/fake_paypal-site_2-1024x519.png
... Which is a typical phishing page that looks very similar to a genuine PayPal update page, if you don’t look carefully at the URL in the browser address bar. This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."
___

Fake 'NatWest' phish
- http://myonlinesecurity.co.uk/service-status-natwest-phishing/
25 Nov 2015 - "An email with the subject of 'Service status – NatWest' pretending to come from NatWest <natwest@ bt .net> is one of the phishing scams I have seen today... it is worth mentioning because it combines 2 different approaches. 1st it has a link in the body of the email and 2nd it attaches a html page inviting you to open it... Any Natwest customer would or should know that emails would -never- come from natwest@ bt .net but hundreds of recipients will still click-on-the-link or open the html page because it is there & they ain’t thinking right and they -always- click on every email they get...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Service-status-NatWest-1024x631.png
The link in this case goes to http ://www .voyageitalie .com/N/n.html which -redirects- to: http ://www .paragonpakistan .pk/site/home/
The attached html file simply says <META HTTP-EQUIV="Refresh" CONTENT="0; url= http ://www .voyageitalie .com/N/n.html"> so sending you to the site which looks like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/fake-Nat-West-Site-1024x1014.png
... All of these emails use Social engineering tricks to persuade you to open-the-attachments that come with the email or click-the-link in the email..."
___

DRIDEX SPAM ...
- http://blog.trendmicro.com/trendlab...ridex-spam-runs-resurface-against-us-targets/
Nov 25, 2015
Distribution of victims, October 13 to November 23
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/11/dridex-chart-2.jpg
Spam used to spread DRIDEX - 1
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/11/DRIDEX_resurrects_06.jpg
Spam used to spread DRIDEX - 2
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/11/DRIDEX_resurrects_07.jpg
"... DRIDEX botnets that have been around as early as August 2014... development further validates previous findings that the DRIDEX botnet was -not- totally taken down..."
___

Security Bug in Dell PCs shipped since August 2015
- http://krebsonsecurity.com/2015/11/security-bug-in-dell-pcs-shipped-since-815/
Nov 24, 2015 - "All new Dell laptops and desktops shipped since August 2015 contain a serious security vulnerability that exposes users to online eavesdropping and malware attacks. Dell says it is prepping a fix for the issue... Dell says the eDellRoot certificate was installed on all new desktop and laptops shipped from August 2015 to the present day. According to the company, the certificate was intended to make it easier for Dell customer support to assist customers in troubleshooting technical issues with their computers..."

malware samples signed by eDellRoot
- http://myonlinesecurity.co.uk/malware-samples-signed-by-edellroot/
25 Nov 2015

Dell Windows Systems Pre-Installed TLS Root CA
- https://isc.sans.edu/diary.html?storyid=20411
Last Updated: 2015-11-24

Response - eDellroot Certificate / Dell Corporate blog
- http://en.community.dell.com/dell-b...e-to-concerns-regarding-edellroot-certificate
23 Nov 2015

Dell Computers Contain CA Root Certificate Vulnerability
- https://www.us-cert.gov/ncas/curren...ers-Contain-CA-Root-Certificate-Vulnerability
Nov 24, 2015

>> http://arstechnica.com/security/201...tps-certificate-fiasco-provides-removal-tool/
Nov 24, 2015
___

Ransomware safety tips - online retailers
- http://net-security.org/malware_news.php?id=3162
25.11.2015 - "Cybercriminals have developed a destructive new form of ransomware that targets online retailers. They scan websites for common vulnerabilities and use them to install malware that encrypts key files, images, pages and libraries, as well as their backups. The criminals behind these attacks then hold them hostage, and website operators must pay a ransom in anonymous cryptocurrency to unlock the files..."
(More at the URL above.)
___

FBI has lead in probe of 1.2 billion stolen Web credentials: documents
- http://www.reuters.com/article/2015/11/24/us-usa-cyberattack-russia-idUSKBN0TD2YN20151124
Nov 24, 2015 - "A hacker who once advertised having access to user account information for websites like Facebook (FB.O) and Twitter (TWTR.N) has been linked through a Russian email address to the theft of a record 1.2 billion Internet credentials, the FBI said in court documents. That hacker, known as "mr.grey," was identified based on data from a cybersecurity firm that announced in August 2014 that it had determined an alleged Russian crime ring was responsible for stealing information from more than 420,000 websites, the documents said. The papers, made public last week by a federal court in Milwaukee, Wisconsin, provide a window into the Federal Bureau of Investigation's probe of what would amount to the largest collection of stolen user names and passwords. The court papers were filed in support of a search warrant the FBI sought in December 2014 and that was executed a month later related to email records. The FBI investigation was prompted by last year's announcement by Milwaukee-based cybersecurity firm Hold Security that it obtained information that a Russian hacker group it dubbed -CyberVor- had stolen the 1.2 billion credentials and more than 500 million email addresses. The FBI subsequently found lists of domain names and utilities that investigators believe were used to send spam, the documents said. The FBI also discovered an email address registered in 2010 contained in the spam utilities for a "mistergrey," documents show. A search of Russian hacking forums by the FBI found posts by a "mr.grey," who in November 2011 wrote that if anyone wanted account information for users of Facebook, Twitter and Russian-based social network VK, he could locate the records. Alex Holden, Hold Security's chief information security officer, told Reuters this message indicated mr.grey likely operated or had access to a database that amassed stolen data from computers via malware and viruses.
Facebook and Twitter declined comment. The FBI declined to comment, and U.S. Justice Department had no immediate comment. The probe appears to be distinct from another investigation linked to Hold Security's reported discovery that 420,000 websites, including one for a JPMorgan Chase & Co (JPM.N) corporate event, were -targeted- by the Russian hackers. In a case spilling out of the discovery of the JPMorgan breach, U.S. prosecutors this month charged three men with engaging in a cyber-criminal enterprise that stole personal information from more than 100 million people. Prosecutors accused two Israelis, Gery Shalon and Ziv Orenstein, and one American, Joshua Samuel Aaron, of being involved in a variety of schemes fueled by hacking JPMorgan and 11 other companies. An indictment in Atlanta federal court against Shalon and Aaron names as a defendant an unidentified hacker believed to be in Russia."
> http://www.nytimes.com/2014/08/06/t...an-a-billion-stolen-internet-credentials.html

:fear::fear: :mad:
 
Fake 'Payment', 'Invoice' SPAM

FYI...

Fake 'Payment' SPAM - leads to Dridex
- http://blog.dynamoo.com/2015/11/random-payment-spam-leads-to-dridex.html
26 Nov 2015 - "I have only seen one version of this -spam- message so far:
From: Basia Slater [provequipmex@ provequip .com .mx]
Date: 26 November 2015 at 12:00
Subject: GVH Payment
I hope you had a good weekend.
Please check the payment confirmation attached to this email. The Transaction should appear on your bank in 2 days.
Basia Slater
Accountant
Comerica Incorporated


This sample had a document name of I654WWFR3C6.doc which has a VirusTotal detection rate of 6/55*, containing this malicious macro... The Malwr report** for this version indicates a download from:
harbourviewnl .ca/jo.jpg?6625
According to that Malwr report, it drops a file YSpq2bkGVIi5yaPcv6667.exe (MD5 6c14578c2b77b1917b3dee9da6efcd56) which has a detection rate of 1/53***. The Hybrid Analysis report[4] and Malwr report[5] for that indicate malicious traffic to:
94.73.155.10 (Telekomunikasyon Anonim Sirketi, Turkey)
199.175.55.116 (VPS Cheap INC, US)
Note that 94.73.155.12 is mentioned in this other Dridex report today[6], both IPs form part of a small subnet of 94.73.155.8/29 suballocated to one "Geray Timur Akkurt"... an additional download location of:
gofishretail .com/jo.jpg?[4-digit-random-number]
with an additional C2 location of:
113.30.152.170 (Net4india , India)
Recommended blocklist:
94.73.155.8/29
199.175.55.116
113.30.152.170
"
* https://www.virustotal.com/en/file/...a420cf533c1d12ab8397d054/analysis/1448541871/

** https://malwr.com/analysis/YjQ4ZDM3ODU0YmZlNGJhZWI1NDlkYjY2MzgyYjhhMWY/

*** https://www.virustotal.com/en/file/...82de1cd2b64bd414e84fe2ef/analysis/1448543018/

4] https://www.hybrid-analysis.com/sam...7a6a982de1cd2b64bd414e84fe2ef?environmentId=1

5] https://malwr.com/analysis/ZjU5NzYyYmE2NzZlNDA3MDk1YjdkNWY0YTQwZTJhYzM/

6] http://blog.dynamoo.com/2015/11/malware-spam-invoice-document-si528880.html
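The "Recommended blocklist" sections in this post and in the other dynamoo write-ups quoted further down mix single IPs, a /29 (94.73.155.8/29) and defanged download hosts ("harbourviewnl .ca"). The script below is an added example, not code from dynamoo or myonlinesecurity: it refangs a write-up, pulls out the IPs and hosts, collapses overlapping entries into one blocklist and checks proxy log lines against it. The report excerpt, the log lines and the REPORTING_HOSTS exclusion list are constructed for the example; the IP and host values are in the same style as the posts but the lines are not a verbatim copy of any of them.

```python
"""Pull defanged indicators out of a write-up like the ones quoted above,
collapse them into a blocklist, and check proxy log lines against it
(standard library only)."""
import ipaddress
import re

# Constructed excerpt in the defanged style of the quoted posts ("x .com",
# "http ://"); illustrative only, not a verbatim copy of any post.
SAMPLE_REPORT = """
The Malwr report indicates a download from:
harbourviewnl .ca/jo.jpg?6625
malicious traffic to:
94.73.155.10 (Telekomunikasyon Anonim Sirketi, Turkey)
199.175.55.116 (VPS Cheap INC, US)
an additional download location of:
http ://gofishretail .com/jo.jpg?1234
Recommended blocklist:
94.73.155.8/29
199.175.55.116
113.30.152.170
See https://www.virustotal.com/en/ip-address/94.73.155.12/information/
"""

# Constructed Squid-style proxy log lines; 203.0.113.5 and 93.184.216.34 are
# stand-ins for unrelated destinations.
SAMPLE_LOG = [
    "1448541871.004 10.0.0.7 TCP_MISS/200 GET http://harbourviewnl.ca/jo.jpg?6625 - DIRECT/203.0.113.5",
    "1448541880.211 10.0.0.7 TCP_TUNNEL/200 CONNECT 94.73.155.10:443 - DIRECT/94.73.155.10",
    "1448541890.500 10.0.0.9 TCP_MISS/200 GET http://www.example.org/index.html - DIRECT/93.184.216.34",
]

# Assumption: hosts that show up in write-ups as references, never as indicators.
REPORTING_HOSTS = {"www.virustotal.com", "malwr.com", "www.hybrid-analysis.com",
                   "blog.dynamoo.com", "myonlinesecurity.co.uk"}

_DEFANG_DOT = re.compile(r"(?<=[A-Za-z0-9]) \.(?=[A-Za-z0-9])")
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")
# A hostname must start its token (after whitespace, "(" or "://"), so path
# components such as "jo.jpg" and mailbox names before "@" are not taken as hosts.
_HOST_RE = re.compile(
    r"(?:(?<=://)|(?<![\w./@-]))((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/\s?:).]|$)", re.I)


def refang(text):
    """Undo the defanging used in the posts: "a .com" -> "a.com",
    "http ://" and "hxxp://" -> "http://", "user@ host" -> "user@host"."""
    text = _DEFANG_DOT.sub(".", text)
    text = re.sub(r"h(?:xx|tt)p(s?) ?://", r"http\1://", text)
    return text.replace("@ ", "@")


def extract_iocs(text):
    """Return (networks, hosts). Every IP becomes an ip_network (/32 unless a
    prefix is given) so single addresses and CIDR ranges can be merged later."""
    text = refang(text)
    networks = set()
    for tok in _IP_RE.findall(text):
        try:
            networks.add(ipaddress.ip_network(tok, strict=False))
        except ValueError:  # e.g. 300.1.1.1 fits the regex but is not an address
            continue
    hosts = {h.lower() for h in _HOST_RE.findall(text)} - REPORTING_HOSTS
    return networks, hosts


def build_blocklist(networks):
    """Collapse overlapping entries: 94.73.155.10/32 and 94.73.155.12/32 fold
    into the 94.73.155.8/29 that the write-up recommends anyway."""
    return list(ipaddress.collapse_addresses(sorted(networks)))


def match_log(blocklist, hosts, log_lines):
    """Return (line_number, indicator) pairs, one per distinct indicator per
    line, for log lines that contact a blocked network or host."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        found = set()
        for tok in _IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(tok.split("/")[0])
            except ValueError:
                continue
            found.update(str(net) for net in blocklist if addr in net)
        found.update(h.lower() for h in _HOST_RE.findall(line) if h.lower() in hosts)
        hits.extend((n, ind) for ind in sorted(found))
    return hits


if __name__ == "__main__":
    nets, hosts = extract_iocs(SAMPLE_REPORT)
    blocklist = build_blocklist(nets)
    print("blocklist:", [str(n) for n in blocklist], sorted(hosts))
    for line_no, indicator in match_log(blocklist, hosts, SAMPLE_LOG):
        print(f"line {line_no}: matched {indicator}")
```

Feeding the posts' own text through extract_iocs() is the quickest way to turn a day's worth of these write-ups into a firewall or proxy deny list; the CIDR collapse matters because dynamoo lists 94.73.155.10 and 94.73.155.12 separately while recommending the whole /29.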
___

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malware-spam-invoice-document-si528880.html
26 Nov 2015 - "This -fake- invoice does not come from Hider Food Imports Ltd but is instead a simple -forgery- with a malicious attachment.
From Lucie Newlove [lucie@ hiderfoods .co.uk]
Date Thu, 26 Nov 2015 16:03:04 +0500
Subject Invoice Document SI528880
Please see attached Invoice Document SI528880 from HIDER FOOD IMPORTS LTD.
ARE YOU AWARE THAT OUR NEW WEBSITE IS NOW AVAILABLE?
Please contact our Sales Department for details.
Hider Food Imports Ltd
REGISTERED HEAD OFFICE
Wiltshire Road,
Hull
East Yorkshire
HU4 6PA
Registered in England Number : 842813 ...


The attached file is SI528880.xls of which I have seen just one sample with a VirusTotal detection rate of 2/54*, and it contains this malicious macro... which according to this Hybrid Analysis report** downloads a malicious component from:
naceste2.czechian .net/76t89/32898u.exe
This executable has a detection rate of just 1/54*** and... shows network traffic to the following IPs:
94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
8.253.44.158 (Level 3, US)
37.128.132.96 (Memset, UK)
91.212.89.239 (Uzinfocom, Uzbekistan)
185.87.51.41 (Marosnet, Russia)
42.117.2.85 (FPT Telecom Company, Vietnam)
192.130.75.146 (Jyvaskylan Yliopisto, Finland)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
5.63.88.100 (Centr, Kazakhstan)
The payload is probably the Dridex banking trojan...
Recommended blocklist:
94.73.155.12
191.234.4.50
8.253.44.158
37.128.132.96
91.212.89.239
185.87.51.41
42.117.2.85
192.130.75.146
195.187.111.11
5.63.88.100
"
* https://www.virustotal.com/en/file/...2853dfb3b5dc38fa04d2cc57/analysis/1448535919/

** https://www.hybrid-analysis.com/sam...efb2e2853dfb3b5dc38fa04d2cc57?environmentId=1

*** https://www.virustotal.com/en/file/...799e1cad16013cd7c56edf94/analysis/1448537540/

:fear::fear: :mad:
 
Fake 'Tax Invoice', 'Invoice', 'Transfer' SPAM

FYI...

Fake 'Tax Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/aline...-sharpe-brucealinepumps-com-word-doc-malware/
27 Nov 2015 - "An email with the subject of 'Aline: Tax Invoice #40525' pretending to come from Bruce Sharpe <bruce@ alinepumps .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:

Good day, Please find attached Tax Invoice as requested. Many thanks for your call. Bruce Sharpe.

27 November 2015 : Tax Invoice_40525_1354763307792.doc - Current Virus total detections 0/55*
Malwr Analysis** show us it downloads Dridex banking malware from
http ://www .alpenblick-beyharting .de/76f6d5/54sdfg7h8j.exe (VirusTotal 1/55***). Other download sites so far discovered include
hostingunlimited .co.uk/76f6d5/54sdfg7h8j.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...be48a5e8cf89eddd5c030ff7/analysis/1448615839/

** https://malwr.com/analysis/NDhmMDBhNWQ0ZGM0NDg1Nzg5MWM1NTM1ZDU0NjRiYTk/

kidsmatter2us .org: 198.57.243.108: https://www.virustotal.com/en/ip-address/198.57.243.108/information/
> https://www.virustotal.com/en/url/f...5ec5b7179e6d5ed32ae12e1beda750e1683/analysis/

*** https://www.virustotal.com/en/file/...09cfa3de0321fa86bb8df4f8/analysis/1448615736/
TCP connections
94.73.155.12: https://www.virustotal.com/en/ip-address/94.73.155.12/information/
8.254.218.126: https://www.virustotal.com/en/ip-address/8.254.218.126/information/
___

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malware-spam-invoice-ivan-jarman.html
27 Nov 2015 - "This -fake- invoice does not come from Sportsafe UK Ltd but is instead a simple -forgery- with a malicious attachment.
From Ivan Jarman [IJarman@ sportsafeuk .com]
Date Fri, 27 Nov 2015 17:21:27 +0530
Subject Invoice
Sent 27 NOV 15 09:35
Sportsafe UK Ltd
Unit 2 Moorside
Eastgates
Colchester
Essex
CO1 2TJ
Telephone 01206 795265
Fax 01206 795284


I have received several copies of the spam with the same attachment named S-INV-BROOKSTRO1-476006.doc with a VirusTotal detection rate of 1/54* and which contains this malicious macro... This Malwr report** shows the macro downloads from:
kidsmatter2us .org/~parentsm/76f6d5/54sdfg7h8j.exe
The executable has a detection rate of 3/55**. The Hybrid Analysis report*** shows network traffic to:
198.57.243.108 (Unified Layer, US)
94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
77.221.140.99 (ZAO National Communications / Infobox.ru, Russia)
37.128.132.96 (Memset, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
217.160.110.232 (1&1, Germany)
202.137.31.219 (Linknet, Indonesia)
91.212.89.239 (Uzinfocom, Uzbekistan)
The payload is probably the Dridex banking trojan.
Recommended blocklist:
198.57.243.108
94.73.155.8/29
77.221.140.99
37.128.132.96
37.99.146.27
217.160.110.232
202.137.31.219
91.212.89.239
"

> https://malwr.com/analysis/ZDhkOTA1ZjA0ZTNkNDNkYWI1NTA2NzkwNmFkNzkxOGE/

- http://myonlinesecurity.co.uk/invoice-ivan-jarman-ijarmansportsafeuk-com-word-doc-malware/
27 Nov 2015
"... 27 November 2015: S-INV-BROOKSTRO1-476006.doc - Current Virus total detections *
... Downloads the 3rd different -Dridex- version that I have seen today from
http ://kidsmatter2us .org/~parentsm/76f6d5/54sdfg7h8j.exe (VirusTotal **)..."
* https://www.virustotal.com/en/file/...045b26f2c89ad5e5fa10626f/analysis/1448627008/

** https://www.virustotal.com/en/file/...a6ab375c3b96e17af562f5fc/analysis/1448627380/
___

Fake 'Transfer' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/spam-integrated-petroleum-services.html
27 Nov 2015 - "This malicious email sample was sent in by a contact (thank you), and contains a malicious attachment:
From: Integrated Petroleum Services
Sent: Friday, November 27, 2015 10:24 AM
Subject: Transfer
Hello,
Please find attached the transfer order sent on Friday 27.
Best Regards
Hugo


Attached is a file 20151126-291-transfer.xls (VT 1/53*) containing this malicious macro... which (according to this Malwr report**) downloads from:
pathenryiluminacion.i8 .com/76f6d5/54sdfg7h8j.exe
This binary has a VirusTotal detection rate of 3/55***. The payload is the same as found in this spam run[4]."
* https://www.virustotal.com/en/file/...bebcd4cd67dd18947b8bfec1/analysis/1448630394/

** https://malwr.com/analysis/ZDhkOTA1ZjA0ZTNkNDNkYWI1NTA2NzkwNmFkNzkxOGE/

*** https://www.virustotal.com/en/file/...a6ab375c3b96e17af562f5fc/analysis/1448630483/

4] http://blog.dynamoo.com/2015/11/malware-spam-invoice-ivan-jarman.html

64.136.20.56: https://www.virustotal.com/en/ip-address/64.136.20.56/information/
> https://www.virustotal.com/en/url/c...68c769087233206a35400aa132bdc5d47cc/analysis/
___

Older Dell devices affected by eDellRoot ...
- http://www.computerworld.com/articl...ected-by-dangerous-edellroot-certificate.html
Nov 26, 2015 - "... Tests performed inside a Windows 10 virtual machine revealed that the DSDTestProvider certificate gets left behind on the system when the Dell System Detect tool is uninstalled... users who want to remove it from their system must do so -manually- after they uninstall DSD. This can be done by pressing the Windows key + r, typing certlm.msc and hitting Run. After allowing the Microsoft Management Console to execute, users can browse to Trusted Root Certification Authorities > Certificates, locate the DSDTestProvider certificate in the list, right click on it and delete it..."

> http://www.dell.com/support/article/us/en/19/SLN300321

>> https://dellupdater.dell.com/Downloads/APP009/DellCertFix.exe
___

Holiday Phishing Scams and Malware Campaigns
- https://www.us-cert.gov/ncas/curren...-Holiday-Phishing-Scams-and-Malware-Campaigns
Nov 26, 2015 - "... Ecards from unknown senders may contain -malicious- links. Fake advertisements or shipping notifications may deliver -infected- attachments. Spoofed email messages and fraudulent posts on social networking sites may request support for phony causes..."
(More at the us-cert URL above.)

- http://research.zscaler.com/2015/11/black-friday-deals-on-malware-scams.html
Nov 27, 2015 - "... the trend in phishing activity tends to rise with the amount of online shopping traffic, which comes with the added risk of -scammers- taking advantage of a consumers better judgement..."

Beware the holiday scams coming to your email inbox
- http://www.infoworld.com/article/30...holiday-scams-coming-to-your-email-inbox.html
Nov 28, 2015

:fear::fear: :mad:
 
Fake 'Order Accepted', 'Message', 'QUICKBOOKS', 'Message' SPAM, 'Paypal' phish

FYI...

Fake 'Order Accepted' SPAM - doc malware
- http://myonlinesecurity.co.uk/order-pc299139pps-accepted-contractvehicles-co-uk-word-doc-malware/
30 Nov 2015 - "An email with the subject of 'Order PC299139PPS Accepted' pretending to come from CVLink <noreply@ contractvehicles .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/Order-PC299139PPS-Accepted-1024x561.png

30 November 2015: PC299139PPS.doc - Current Virus total detections 1/55*
MALWR analysis** shows us it downloads what looks like a Dridex banking malware from
http ://members.chello .at/~antitrack_legend/89u87/454sd.exe (VirusTotal 3/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...7d25366332200e97edda81c4/analysis/1448873990/

** https://malwr.com/analysis/NWE5YWEzNTdiNzEzNGNjZjgyNjlkYWQzMTc2ODExZmI/

*** https://www.virustotal.com/en/file/...a968700da1bcd1622a6caf2f/analysis/1448873756/
___

Fake 'Message' SPAM - malware attachment
- http://blog.dynamoo.com/2015/11/malware-spam-message-from.html
30 Nov 2015 - "I have only one sample of this rather terse email with -no- body text:
From: scan@ victimdomain
Reply-To: scan@ victimdomain
To: hiett@ victimdomain
Date: 30 November 2015 at 09:22
Subject: Message from mibser_00919013013


The spam appears to originate from within the victim's own domain, but it does not. In the sample I saw, the attachment was named Smibser_00915110211090.xls, had a VirusTotal detection rate of 3/54* and contained this malicious macro... According to this Hybrid Analysis report** and this Malwr report*** the macro downloads a malicious executable from:
velitolu .com/89u87/454sd.exe
This binary has a detection rate of 3/55****. Automated report tools [1] [2] show network traffic to:
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
42.117.2.85 (FPT Telecom Company, Russia)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
5.63.88.100 (Centr, Kazakhstan)
The payload is likely to be the Dridex banking trojan...
Recommended blocklist:
94.73.155.12
42.117.2.85
89.189.174.19
5.63.88.100
"
* https://www.virustotal.com/en/file/...431037149e5d5f68518206fe/analysis/1448880036/

** https://www.hybrid-analysis.com/sam...edcc8431037149e5d5f68518206fe?environmentId=2

*** https://malwr.com/analysis/YjgwNGJkYzc0ZTY4NGUxODg3MzliOWUzODBiODNhNTk/

**** https://www.virustotal.com/en/file/...659bcfbc034998e62688b8f9/analysis/1448880465/

1] https://malwr.com/analysis/ZTk4OWY0OWFjOGQ2NDZiMWEwOGFlNWY4ZDU5MDIzOTk/

2] https://www.hybrid-analysis.com/sam...f2095659bcfbc034998e62688b8f9?environmentId=1
___

Fake 'QUICKBOOKS' SPAM - leads to malware
- http://blog.dynamoo.com/2015/11/malware-spam-intuit-qb-quickbooks.html
Nov 30, 2015 - "This -fake- Intuit QuickBooks spam leads to malware:
From: QUICKBOOKS ONLINE [qbservices@ customersupport .intuit .com]
Date: 30 November 2015 at 10:42
Subject: INTUIT QB
As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!
InTuIT. | simplify the business of life
© 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice.


Screenshot: https://3.bp.blogspot.com/-jqzrc2_aW3Y/Vkyln1SIkyI/AAAAAAAAHYo/GOHMdVkAYWg/s400/intuit.png

The spam is almost identical to this one[1] which led to Nymaim ransomware:
> http://www.welivesecurity.com/2013/07/02/the-home-campaign-overstaying-its-welcome/
In this particular spam, the email went to a landing page at updates .intuitdataserver-1 .com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a -fake- Firefox update*. This executable has a VirusTotal detection rate of 3/55**... The Hybrid Analysis report*** shows the malware attempting to POST to mlewipzrm .in which is multihomed on:
89.163.249.75 (myLoc managed IT AG, Germany)
188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)
The nameservers for mlewipzrm .in are NS1 .REBELLECLUB .NET and NS2 .REBELLECLUB .NET which are hosted on the following IPs:
210.110.198.10 (KISTI, Korea)
52.61.88.21 (Amazon AWS, US) ...
As far as I can tell, these domains are hosted on the following IPs:
52.91.28.199 (Amazon AWS, US)
213.238.170.217 (Eksen Bilisim, Turkey)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)
I recommend that you -block- the following IPs and/or domains:
52.91.28.199
213.238.170.217
5.135.237.209
196.52.21.11
75.127.2.116
210.110.198.10
52.61.88.21
89.163.249.75
188.209.52.228
95.173.164.212
..."
(More listed at the dynamoo URL above.)
* https://urlquery.net/report.php?id=1448887234353

** https://www.virustotal.com/en/file/...78b5c6bd556fa37d7ca0a7b0/analysis/1448887362/
flashplayer19_ga_update.exe - 3/55

*** https://www.hybrid-analysis.com/sam...544fd78b5c6bd556fa37d7ca0a7b0?environmentId=1

1] http://blog.dynamoo.com/2015/11/mystery-intuit-quickbooks-spam-leads-to.html
___

Fake 'Message' SPAM - xls malware
- http://myonlinesecurity.co.uk/messa...n-email-domain-excel-xls-spreadsheet-malware/
30 Nov 2015 - "An email with the subject of 'Message from mibser_00919013013' pretending to come from scan@ your own email domain with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a totally -blank- body and just an XLS (Excel spreadsheet) attachment...

30 November 2015: Smibser_00915110211090.xls - Current Virus total detections 4/55*
... Downloads Dridex banking malware from
dalamantransferservicesrentacar .com/89u87/454sd.exe (VirusTotal 1/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...8de7b4cc9584bb5c65106603/analysis/1448888284/

** https://www.virustotal.com/en/file/...ef83c4af81e249ef67da91f4/analysis/1448889035/
TCP connections
94.73.155.12: https://www.virustotal.com/en/ip-address/94.73.155.12/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/
___

Fake 'Invoice Attached' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/invoi...td-word-doc-or-excel-xls-spreadsheet-malware/
30 Nov 2015 - "An email with the subject of 'Invoice Attached' pretending to come from random names, companies and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Good morning,
Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.
Thank you!
Mr. Susie Weber
Accounting Specialist| USBank, GH Industrial Co., Ltd


30 November 2015: invoice_details_68171045.xls - Current Virus total detections 1/55*
MALWR analysis** shows us that it downloads http ://gallinda28trudi .com/v12/free17ld.exe (VirusTotal 3/55***) which is Nymaim ransomware as described by Dynamoo****... The XLS macro drops/creates an UpdateWinrar.js that instructs the victim’s computer to download the file, rename it as %temp%\UpdOffice.exe and then automatically run it, making you think that it is an Office update if you see any alerts about the file running... DO NOT enable macros or editing, no matter how plausible the instructions appear to be:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/invoice_details_68171045_xls-1024x602.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...db7cef79352ff940e245b6d7/analysis/1448892567/

** https://malwr.com/analysis/YTkzYjYxZGJiOTRhNDZjYjg2NGQ4ZDhiOGIxZjAyZjI/
Hosts: 31.184.234.5: https://www.virustotal.com/en/ip-address/31.184.234.5/information/

*** https://www.virustotal.com/en/file/...78b5c6bd556fa37d7ca0a7b0/analysis/1448887816/
FlashPlayerUpdate.exe

**** http://blog.dynamoo.com/2015/11/malware-spam-intuit-qb-quickbooks.html
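The chain myonlinesecurity describes above (Excel macro writes UpdateWinrar.js, the script host fetches and runs %temp%\UpdOffice.exe) is the same Office -> script interpreter -> temp-directory executable pattern behind most of the doc/xls runs in this thread, and it is visible in process-creation telemetry even when the payload is still at 1/55 on VirusTotal. The detector below is an added example, not code from either blog: it walks a list of process events and flags every script host whose parent is an Office application, raising the severity when that script host in turn launched something out of a temp directory. The event dicts are constructed in the shape of Sysmon Event ID 1 fields (pid, ppid, image, cmdline); the process names, paths and PIDs are assumptions for the example.

```python
"""Detect the Office -> script host -> %TEMP% executable chain described in the
write-up from process-creation events. Event dicts are constructed in the shape
of Sysmon Event ID 1 fields; this is not code from the quoted posts."""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed events: one full infection chain (Excel -> wscript.exe running a
# .js from %TEMP% -> UpdOffice.exe from %TEMP%), one benign temp-dir launch
# straight from explorer, and one Office-spawned PowerShell with no payload yet.
EVENTS = [
    {"pid": 100,  "ppid": 1,    "image": r"C:\Windows\explorer.exe"},
    {"pid": 2000, "ppid": 100,  "image": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE"},
    {"pid": 2010, "ppid": 2000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\UpdateWinrar.js"},
    {"pid": 2020, "ppid": 2010, "image": r"C:\Users\alice\AppData\Local\Temp\UpdOffice.exe"},
    {"pid": 3000, "ppid": 100,  "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    {"pid": 4000, "ppid": 100,  "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"},
    {"pid": 4010, "ppid": 4000, "image": r"C:\Windows\System32\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
]


def _name(image):
    """Lower-cased file name of a Windows image path, portable via ntpath."""
    return ntpath.basename(image).lower()


def _in_temp(image):
    """True if the image lives under a user or system temp directory."""
    return any(marker in image.lower() for marker in TEMP_MARKERS)


def find_chains(events):
    """Return one finding per script host spawned by an Office application.
    Severity is "high" when that script host launched an executable from a temp
    directory (the dropped payload), otherwise "medium"."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        if _name(e["image"]) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _name(parent["image"]) not in OFFICE_APPS:
            continue
        dropped = [c for c in children.get(e["pid"], []) if _in_temp(c["image"])]
        findings.append({
            "severity": "high" if dropped else "medium",
            "chain": [parent["pid"], e["pid"]] + [c["pid"] for c in dropped[:1]],
            "script": e.get("cmdline", ""),
            "payload": dropped[0]["image"] if dropped else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_chains(EVENTS):
        print(f["severity"], "->".join(str(p) for p in f["chain"]), f["payload"] or f["script"])
```

The benign setup.exe launched from explorer is deliberately not flagged: running from %TEMP% on its own is noisy (installers do it constantly); the signal is the Office parent. In a real deployment the medium finding alone (Office spawning wscript/cscript/PowerShell) is already worth an alert, since Word and Excel have no business starting a script engine.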
___

Fake 'Sales Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/11/malware-spam-sales-invoice-opi599241.html
30 Nov 2015 - "This -fake- financial spam is not from James F Kidd, but is instead a simple -forgery- with a malicious attachment:
From: orders@ kidd-uk .com
Date: 30 November 2015 at 13:42
Subject: Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD
Please see enclosed Sales Invoice for your attention.
Regards from Accounts at James F Kidd
( email: accounts@ kidd-uk .com )


I have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55*. This Malwr report** indicates that in this case there may be an error in the malicious macro. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan...
UPDATE: I have received two more samples, one named invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54[3] and 4/55[4]. One of these two also produces an error when run. The working attachment (according to this Malwr report[5] and Hybrid Analysis report[6]) downloads a malicious binary from:
bjdennehy .ie/~upload/89u87/454sd.exe
This has a VirusTotal detection rate of 3/54[6]... Automated analysis tools... show malicious traffic to:
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
91.223.9.70 (Elive Ltd, Ireland)
41.136.36.148 (Mauritius Telecom, Mauritius)
185.92.222.13 (Choopa LLC, Netherlands)
42.117.2.85 (FPT Telecom Company, Vietnam)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
37.128.132.96 (Memset Ltd, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
41.38.18.230 (TE Data, Egypt)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
122.151.73.216 (M2 Telecommunications Group Ltd, Australia)
185.87.51.41 (Marosnet Telecommunication Company LLC, Russia)
217.197.159.37 (NWT a.s., Czech Republic)
41.56.123.235 (Wireless Business Solutions, South Africa)
91.212.89.239 (Uzinfocom, Uzbekistan)...
Recommended blocklist:
94.73.155.12
103.252.100.44
89.108.71.148
91.223.9.70
41.136.36.148
185.92.222.13
42.117.2.85
195.187.111.11
37.128.132.96
37.99.146.27
41.38.18.230
89.189.174.19
122.151.73.216
185.87.51.41
217.197.159.37
41.56.123.235
91.212.89.239
"
(More detail at the dynamoo URL above.)
* https://www.virustotal.com/en/file/...169125bee5f6a31ccdef2a15/analysis/1448893229/

** https://malwr.com/analysis/N2YwM2Q0YzU1OTk0NDRiN2FjNWVmNjUzNjQzYzc5ZTQ/

3] https://www.virustotal.com/en/file/...b16d787914b5eacd994c2831/analysis/1448894274/

4] https://www.virustotal.com/en/file/...f9d8104d3361c572dd85f541/analysis/1448894280/

5] https://malwr.com/analysis/ZjMwYTdmMzBiMTVlNDM0ODg2ZWI2NmRlMDg5NWUyMzE/

6] https://www.hybrid-analysis.com/sam...12409ef83c4af81e249ef67da91f4?environmentId=1
___

Fake 'Paypal' phish...
- http://myonlinesecurity.co.uk/your-access-is-limited-modainpelle-com-paypal-phishing/
30 Nov 2015 - "An email saying 'Your Access Is Limited' coming from PayPal Team <scanner@ modainpelle .com>
While at first glance this appears to be a typical PayPal phish, there are a few differences... There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card, with a message saying something like:
• Your Access Is Limited
• Urgent: Your card has been stopped !
• There have been unauthorised or suspicious attempts to log in to your account, please verify
• Your account has exceeded its limit and needs to be verified
• Your account will be suspended !
• You have received a secure message from < your bank>
• We are unable to verify your account information
• Update Personal Information
• Urgent Account Review Notification
• We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
• Confirmation of Order
The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever follow the links or fill in the html (webpage) form that comes attached to the email.
The link in this case goes to http ://www .hocine1990.ehost-services239 .com/index/ ... This particular phishing campaign starts with an email with a link...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/modain_pelle_payapal_phish-1024x740.png
The website looks similar to this typical example of a PayPal phishing site:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/fake_paypal-site-1024x531.png
If you fill in the email address and password you get an intermediate page apologising for any inconvenience looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/e_host_paypal_phish-1024x524.png
Then get sent on to a page looking like this one from an earlier PayPal Phish:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/11/fake_paypal-site_2-1024x519.png
Which is a typical phishing page that looks very similar to a genuine PayPal update page, if you don’t look carefully at the URL in the browser address bar. This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."
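The three tells in the phish above (a "PayPal Team" display name on an unrelated sender domain, one of the listed pressure subjects, and a link whose host is not PayPal's) can be checked mechanically at the mail gateway. The script below is an added example, not code from myonlinesecurity: it parses a raw message, matches the display name against a small brand table, compares the sender and link domains against the brand's real domains with a suffix match (so paypal.com.something.example does not pass) and tests the subject against the lure phrases from the list above. The brand table and both sample messages are constructed for the example; the sender and link hosts use reserved example/.test names rather than the real ones from the post.

```python
"""Score an inbound message for the lure pattern in the write-up: brand in the
From display name, sender domain not the brand's, a pressure subject, and a
link whose host is not the brand's either. Samples are constructed; this is
not code from the quoted post."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a minimal brand -> legitimate-domain table; a deployment would
# load a maintained list.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
}
# Subject phrases taken from the write-up's list of common lures, lower-cased.
LURE_PHRASES = (
    "your access is limited", "your card has been stopped", "unauthorised or suspicious",
    "exceeded its limit", "account will be suspended", "secure message from",
    "unable to verify your account", "update personal information",
    "account review notification", "foreign ip address", "confirmation of order",
)
_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def belongs_to(host, domains):
    """True only if host is one of the brand's domains or a subdomain of one.
    Suffix match, not substring: paypal.com.verify-login.example must fail."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def _text_parts(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for p in parts:
        if p.get_content_type() in ("text/plain", "text/html"):
            raw = p.get_payload(decode=True) or b""
            out.append(raw.decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def assess(raw_message):
    """Return the list of reasons the message looks like a brand phish; an
    empty list means none of the checks fired."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    brand = next((b for b in BRAND_DOMAINS if b in display_name.lower()), None)
    reasons = []
    if brand and not belongs_to(sender_domain, BRAND_DOMAINS[brand]):
        reasons.append(f"display name claims {brand} but sender is @{sender_domain}")
    subject = (msg.get("Subject") or "").lower()
    hit = next((p for p in LURE_PHRASES if p in subject), None)
    if hit:
        reasons.append(f"lure subject: {hit!r}")
    if brand:
        for url in _URL_RE.findall(_text_parts(msg)):
            host = urlparse(url).hostname
            if not belongs_to(host, BRAND_DOMAINS[brand]):
                reasons.append(f"link to non-{brand} host {host}")
    return reasons


# Constructed sample in the shape of the phish above: a "PayPal Team" display
# name on an unrelated sender domain, plus a lookalike link host.
SAMPLE_PHISH = """\
From: PayPal Team <scanner@supplier-mailer.example>
To: victim@example.net
Subject: Your Access Is Limited
Content-Type: text/plain; charset=utf-8

We noticed unusual activity on your account. Please confirm your details at
http://paypal.com.verify-login.example/index/ within 24 hours.
"""

# Constructed control message that should produce no findings.
SAMPLE_LEGIT = """\
From: PayPal <service@paypal.com>
To: victim@example.net
Subject: Receipt for your payment
Content-Type: text/plain; charset=utf-8

You sent a payment. View it at https://www.paypal.com/myaccount/transactions/
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, assess(raw) or ["no findings"])
```

The display-name check is the one that catches this particular campaign regardless of what the landing page looks like: the From header is under the sender's control, but a mail claiming to be from a brand while arriving from a compromised third-party mailbox is exactly what the post shows, and it needs no blocklist to spot.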

:fear::fear: :mad:
 
Fake 'Card Receipt', 'Request for payment', 'Invoice' SPAM

FYI...

Fake 'Card Receipt' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-card-receipt-tracey-smith.html
1 Dec 2015 - "This -fake- financial spam does not come from AquAid, but is instead a simple -forgery- with a malicious attachment. Poor AquAid were hit by the same thing several times earlier this year.
From "Tracey Smith" [tracey.smith@ aquaid .co.uk]
Date Tue, 01 Dec 2015 10:54:15 +0200
Subject Card Receipt
Hi
Please find attached receipt of payment made to us today
Regards
Tracey
Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone: 0121 525 4533
Fax: 0121 525 3502
Mobile: 07795328895
Email: tracey.smith@ aquaid .co.uk ...


Attached is a file CAR014 151238.doc which comes in at least two different versions with a VirusTotal detection rate of 3/55 for both [1] [2]. According to these Malwr reports [3] [4] the macro in the document downloads a file from one of the following locations:
rotulosvillarreal .com/~clientes/6543f/9o8jhdw.exe
data.axima .cz/~krejcir/6543f/9o8jhdw.exe
This binary has a detection rate of 3/54*. The Malwr report** for that file shows that it phones home to:
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
There are other bad IPs in the 94.73.155.8 - 94.73.155.15 range, so I strongly recommend that you -block- all traffic to 94.73.155.8/29. These two Hybrid Analysis reports [5] [6] also show malicious traffic to the following IPs:
89.248.99.231 (Interdominios S.A., Spain)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
221.132.35.56 (Post and Telecom Company, Vietnam)
78.24.14.20 (VSHosting s.r.o., Czech Republic)
The payload here is probably the Dridex banking trojan...
Recommended blocklist:
94.73.155.8/29
89.248.99.231
103.252.100.44
89.108.71.148
221.132.35.56
78.24.14.20
"
1] https://www.virustotal.com/en/file/...3e74d98993dca34d82a6579a/analysis/1448964063/

2] https://www.virustotal.com/en/file/...5b2d1c98265a4bef2e7ea334/analysis/1448964077/

3] https://malwr.com/analysis/YTY5ZmVkYzg4ZDgzNDhjNWFlOTcyZGUyOGQ0MWQ0ZWE/

4] https://malwr.com/analysis/MWRhNzE0N2NhN2RlNGE4NjllYTk2NGE5NzMxMWUxY2Y/

* https://www.virustotal.com/en/file/...fbbd4f8a6b37f1b211039c79/analysis/1448964517/

** https://malwr.com/analysis/ZWNkZTQ4NWQ1ODU0NGFlMzhmOGM4NTFiMDU3MDE3Zjk/

5] https://www.hybrid-analysis.com/sam...d7e523e74d98993dca34d82a6579a?environmentId=1

6] https://www.hybrid-analysis.com/sam...3c7835b2d1c98265a4bef2e7ea334?environmentId=1
___

Fake 'Request for payment' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/reque...es-word-doc-or-excel-xls-spreadsheet-malware/
1 Dec 2015 - "An email with the subject of 'Request for payment (PGS/73329)' pretending to come from PGS Services Limited <rebecca@ pgs-services .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/Request-for-payment-PGS73329-1024x541.png

1 December 2015: 3-6555-73329-1435806061-3.doc - Current Virus total detections 4/55*
MALWR** shows me that it downloads http ://cru3lblow.xf .cz/6543f/9o8jhdw.exe (VirusTotal 1/52***) which looks like a revised/updated Dridex binary... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...afa4d6107cb2b947f2e34d88/analysis/1448972343/

** https://malwr.com/analysis/YjRiNGYwOWM2OTY5NGE3OGEzYzdkMWQ1MjgxOGYyODk/
88.86.117.154: https://www.virustotal.com/en/ip-address/88.86.117.154/information/

*** https://www.virustotal.com/en/file/...e71164979d23d7254a446d1b/analysis/1448972854/
TCP connections
157.252.245.29: https://www.virustotal.com/en/ip-address/157.252.245.29/information/
23.14.92.19: https://www.virustotal.com/en/ip-address/23.14.92.19/information/
94.73.155.12: https://www.virustotal.com/en/ip-address/94.73.155.12/information/
> https://www.virustotal.com/en/url/1...0cc5419731eaaeeac7e51107e81c927d2fd/analysis/

- http://blog.dynamoo.com/2015/12/malware-spam-request-for-payment.html
1 Dec 2015 - "This spam email is confused. It's either about a watch repair or property maintenance. In any case, it has a malicious attachment...
From: PGS Services Limited [rebecca@ pgs-services .co.uk]
Date: 1 December 2015 at 12:06
Subject: Request for payment (PGS/73329)...
RST Support Services Limited
Rotary Watches Ltd...
Full details are attached to this email in DOC format...


Attached is a file 3-6555-73329-1435806061-3.doc which comes in at least three different versions... The payload is probably the Dridex banking trojan...
Recommended blocklist:
94.73.155.8/29
89.32.145.12
221.132.35.56
157.252.245.29
"
___

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/invoi...ne-lambert-superman-malware-word-doc-malware/
1 Dec 2015 - "An email with the subject of 'Invoice #96914158 – Fastco' coming from Antoine Lambert <LambertAntoine85@ tellas .gr> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
Here is the Fastco Corp. Invoice we talked about earlier today. Please cost code and get it back to me.
Thanks, Antoine Lambert


... coming from random compromised email accounts and have random invoice numbers...
1 December 2015: INVOICE_96914158.doc - Current Virus total detections 2/56*
This word doc contains a base64 encoded ole object which MALWR** shows us contacts
http ://31.210.119.169 /superman/kryptonite.php and downloads clarkent.exe (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...9652715e6acb6c2c88aa0227/analysis/1448981594/

** https://malwr.com/analysis/YTRjMzMyZjgxNjZkNGY5OTk3YTZlODA3MjQ4ODU0ZmI/

*** https://www.virustotal.com/en/file/...a6eeb891364407318e1684c1/analysis/1448982333/
TCP connections
157.252.245.27: https://www.virustotal.com/en/ip-address/157.252.245.27/information/
191.234.4.50: https://www.virustotal.com/en/ip-address/191.234.4.50/information/

:fear::fear: :mad:
 
Fake 'Purchase Order', 'Payment Request', 'November Invoice' SPAM, 'Paypal' phish

FYI...

Fake 'Purchase Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-purchase-order-124658-gina.html
2 Dec 2015 - "This -fake- financial spam is not from CliniMed Limited but is instead a simple -forgery- with a malicious attachment:
From Gina Harrowell [gina.harrowell@ clinimed .co.uk]
Date Wed, 02 Dec 2015 01:53:41 -0700
Subject Purchase Order 124658
Sent 2 DEC 15 09:18
CliniMed Ltd
Cavell House
Knaves Beech Way
Loudwater
High Wycombe
Bucks
HP10 9QY ...


Attached is a file P-ORD-C-10156-124658.xls which I have seen two versions of (VirusTotal results [1] [2]) which contain a malicious macro... which according to these automated analysis reports [3] [4] [5] [6] pulls down an evil binary from:
det-sad-89 .ru/4367yt/p0o6543f.exe
vanoha.webzdarma .cz/4367yt/p0o6543f.exe
There may be other versions of the Excel document with different download locations, but the payload will be the same. This has a VirusTotal detection rate of 1/55* and those previous reports plus this Malwr report** indicate malicious network traffic to the following IPs:
193.238.97.98 (PJSC Datagroup, Ukraine)
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
The payload is probably the Dridex banking trojan...
Recommended blocklist:
193.238.97.98
94.73.155.8/29
89.32.145.12
"
1] https://www.virustotal.com/en/file/...f76dac4e6ccf30ce2d3bc8ea/analysis/1449050700/

2] https://www.virustotal.com/en/file/...ae60104b82d5a2ec518fafb6/analysis/1449050710/

3] https://malwr.com/analysis/OGRiYjI0MGUxZDNmNDVlMDg3MGE5OGMzNTFmNThjMDk/

4] https://malwr.com/analysis/ZWYyZjQ5MTRjNGRkNDdkNjg0NDczM2RlODVmNTcxNjg/

5] https://www.hybrid-analysis.com/sam...d0ef5f76dac4e6ccf30ce2d3bc8ea?environmentId=1

6] https://www.hybrid-analysis.com/sam...6201fae60104b82d5a2ec518fafb6?environmentId=1

* https://www.virustotal.com/en/file/...fa9c9faa73b7277886f1e210/analysis/1449050819/
TCP connections
193.238.97.98: https://www.virustotal.com/en/ip-address/193.238.97.98/information/
90.84.59.27: https://www.virustotal.com/en/ip-address/90.84.59.27/information/

** https://malwr.com/analysis/OTBlMTJjZDYzNDYzNDFjZTlmMmY1NWQ0OTBkMDhlZjA/

- http://myonlinesecurity.co.uk/purch...ed-word-doc-or-excel-xls-spreadsheet-malware/
2 Dec 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/Purchase-Order-124658-1024x686.png

25 February 2015: P-ORD-C-10156-124658.xls - Current Virus total detections 5/55*
MALWR analysis** shows us that it downloads what looks like Dridex Banking malware from
http ://vanoha.webzdarma .cz/4367yt/p0o6543f.exe (VirusTotal 1/55***)...
* https://www.virustotal.com/en/file/...ae60104b82d5a2ec518fafb6/analysis/1449050502/

** https://malwr.com/analysis/OGRiYjI0MGUxZDNmNDVlMDg3MGE5OGMzNTFmNThjMDk/

*** https://www.virustotal.com/en/file/...fa9c9faa73b7277886f1e210/analysis/1449051414/
TCP connections
193.238.97.98: https://www.virustotal.com/en/ip-address/193.238.97.98/information/
90.84.59.27: https://www.virustotal.com/en/ip-address/90.84.59.27/information/
___

Fake 'Payment Request' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-aline-payment-request.html
2 Dec 2015 - "This -fake- financial spam is not from Aline Pumps but is instead a simple -forgery- with a malicious attachment. In any case, Aline are an Australian company; they would -not- be sending out invoices in UK pounds.
From: Bruce Sharpe [bruce@ alinepumps .com]
Date: 2 December 2015 at 09:44
Subject: Aline Payment Request
ATTENTION: ACCOUNTS PAYABLE
Dear Sir/Madam,
Overdue Alert
Our records show that your current balance with us is £2795.50 of which £2795.50 is still overdue.
Your urgent attention and earliest remittance of this amount would be appreciated.
We value your business and we would like to resolves any issues as quickly as possible. I am personally available on (02) 8508 4900 or bruce@ alinepumps .com
Sincerely,
Bruce Sharpe - Accounts Receivable ...


Attached is a file Statement_1973_1357257122414.doc which comes in at least three versions (although I have only seen two), with VirusTotal results of 4/55 [1] [2] and automated analysis [3] [4] shows download locations of:
pivarimb .wz.cz/4367yt/p0o6543f.exe
allfirdawhippet .com/4367yt/p0o6543f.exe
apparently there is another download location of
sebel .fr/4367yt/p0o6543f.exe
In any case, the downloaded binary is the same and has a detection rate of 3/55*. The Malwr analysis** and this Hybrid Analysis*** show it phoning home to:
193.238.97.98 (PJSC DATAGROUP, Ukraine)
I strongly recommend that you -block- traffic to that IP."
1] https://www.virustotal.com/en/file/...6e0684df57338390e87fc6d6/analysis/1449054590/

2] https://www.virustotal.com/en/file/...3492bb4f0769ced6a2cee66d/analysis/1449054600/

3] https://malwr.com/analysis/MDkzNDFlZjAyYTQ5NGUyYmJjNGZkODM4YWNmNDA1OWU/

4] https://malwr.com/analysis/Mjc5MjdkZDI5ODI2NDdmYmEwODU2YjFkMjI0NjViNjY/

* https://www.virustotal.com/en/file/...fbb5bba7419d5a26d6b03f0c/analysis/1449054750/

** https://malwr.com/analysis/NTE3Nzg2NjU1MmQ2NGVjZGEzZDgyZWZjYmViMGQwMjc/

*** https://www.hybrid-analysis.com/sam...a60b43492bb4f0769ced6a2cee66d?environmentId=1

- http://myonlinesecurity.co.uk/aline...pe-word-doc-or-excel-xls-spreadsheet-malware/
2 Dec 2015 - "Following on from last week’s Malspam run* pretending to come from Aline Pumps, today’s email with the subject of 'Aline Payment Request', pretending to come from Bruce Sharpe <bruce@ alinepumps .com> with a malicious word doc or Excel XLS spreadsheet attachment, is another one from the current bot runs...
* http://myonlinesecurity.co.uk/aline...-sharpe-brucealinepumps-com-word-doc-malware/

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/Aline-Payment-Request-1024x575.png

2 December 2015: Statement_1973_1357257122414.doc - Current Virus total detections 4/56*
MALWR analysis** shows us that it downloads Dridex Banking malware from
http ://pivarimb.wz .cz/4367yt/p0o6543f.exe (VirusTotal ***). This is an updated version from today’s earlier malspam run[1] of malicious office docs with macros..."
* https://www.virustotal.com/en/file/...3492bb4f0769ced6a2cee66d/analysis/1449053035/

** https://malwr.com/analysis/Mjc5MjdkZDI5ODI2NDdmYmEwODU2YjFkMjI0NjViNjY/
88.86.117.153
193.238.97.98
191.234.4.50


*** https://www.virustotal.com/en/file/...fbb5bba7419d5a26d6b03f0c/analysis/1449053672/
TCP connections
193.238.97.98
8.254.218.62


1] http://myonlinesecurity.co.uk/purch...ed-word-doc-or-excel-xls-spreadsheet-malware/
___

Fake 'November Invoice' SPAM - JS malware
- http://myonlinesecurity.co.uk/november-invoice-37330118-js-malware-teslacrypt/
2 Dec 2015 - "An email with the subject of 'November Invoice' #37330118 [random numbered] pretending to come from random names and senders with a zip attachment is another one from the current bot runs... The content of the email says:
Hello ,
Please review the attached copy of your Electronic document.
A paper copy of this document is being mailed, but this email is being sent in addition for your convenience.
Thank you for your business.


2 December 2015: invoice_37330118.zip: Extracts to: INVOICE_main_BD3847636213.js
Current Virus total detections 2/54* which downloads a Teslacrypt ransomware from
http ://74.117.183.84 /76 .exe (VirusTotal 3/55**) and tries to contact a combination of these sites
ccfinance .it | ecaequeeessa .com | schonemaas .nl | cic-la-banque .org and either download additional malware or upload stolen data from your computer (MALWR***). Our friends over at Techhelplist[1] have posted a fuller breakdown of this one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...adff38886d03277688e8cb66/analysis/1449062157/

** https://www.virustotal.com/en/file/...284d87e51ca09204dfe12bd7/analysis/1449062699/

*** https://malwr.com/analysis/ZmYzOTUzMjY1YWJmNDA2Njk3MmVmMDUwNmMxZmFhZTg/

74.117.183.84: https://www.virustotal.com/en/ip-address/74.117.183.84/information/
> https://www.virustotal.com/en/url/f...c019e4afcfff4f753fa550f48a1bf596395/analysis/

1] https://techhelplist.com/spam-list/987-november-invoice-malware

- http://blog.dynamoo.com/2015/12/malware-spam-november-invoice-60132748.html
2 Dec 2015 - "... Attached is a file invoice_60132748.zip which contains a malicious obfuscated script INVOICE_main_BD3847636213.js... and this downloads a malicious file from:
74.117.183.84 /76.exe?1
... The Malwr report* and Hybrid Analysis** indicates that this communicates with the following compromised domains:
ccfinance .it
ecaequeeessa .com
schonemaas .nl
cic-la-banque .org
Both those reports indicate that this is the Teslacrypt ransomware:
> http://1.bp.blogspot.com/-b_75tajtmR8/Vl8Clj-vY8I/AAAAAAAAHbk/PuYBCSWsYOI/s1600/teslacrypt.png
Furthermore, the Hybrid Analysis report** also shows other traffic to:
tsbfdsv.extr6mchf .com
alcov44uvcwkrend .onion .to
rbtc23drs.7hdg13udd .com ...
Recommended blocklist:
74.117.183.84
5.39.222.193
ccfinance .it
ecaequeeessa .com
schonemaas .nl
cic-la-banque .org
extr6mchf .com
alcov44uvcwkrend .onion .to
7hdg13udd .com
"
* https://malwr.com/analysis/OWM5NWIxYTQ4OTkyNGQ0ZmFjMGNhOGQ2MTYxOWQ5ZjI/

** https://www.hybrid-analysis.com/sam...6efc8284d87e51ca09204dfe12bd7?environmentId=1
___

Fake 'Adler Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-your-adler-invoice-no-uk.html
2 Dec 2015 - "This -fake- financial spam does not come from Adler Manufacturing Limited but is instead a simple forgery. It is meant to have a malicious attachment, but all of the samples I have seen are malformed.
From: service@ adlerglobal .com
Date: 2 December 2015 at 11:36
Subject: Your Adler Invoice No. UK 314433178 IN
Dear Customer,
Thank you very much for having placed your order with Adler.
Your goods have been shipped. Please see attached invoice for payment of
your order.
For your convenience, you will find several payment methods described on the
attached invoice (please be sure to include your Adler Order #).
If you have any questions, feel free to contact us.
Best Regards,
Your Adler Customer Service Team...


Supposedly attached is a document MD220EML.XLS but instead all the samples I see just have a Base64 encoded section. Shame. If you go to the effort of decoding them, they are two moderately detected malicious documents (VirusTotal results [1] [2]) which according to these Malwr reports [3] [4] download a binary from:
vanoha.webzdarma .cz/4367yt/p0o6543f.exe
det-sad-89 .ru/4367yt/p0o6543f.exe
These download locations were seen earlier, but the payload has -changed- to one with a detection rate of 4/55*. Those earlier Malwr reports indicate malicious traffic to:
193.238.97.98 (PJSC DATAGROUP, Ukraine)
I strongly recommend that you -block- traffic to that IP. The payload is likely to be the Dridex banking trojan."
1] https://www.virustotal.com/en/file/...275f30e449bf14aa9ecef527/analysis/1449064630/

2] https://www.virustotal.com/en/file/...2d97a30a35f9b975031d90e5/analysis/1449064641/

3] https://malwr.com/analysis/NzRmOGExNTNkYzg1NDA5NTljMzQ5M2NiYWVkYTZkNDY/

4] https://malwr.com/analysis/MTk0YWQ0ODRkM2ZhNGRmYTkxMGZiYWNlYTgwOTBjZWQ/

* https://www.virustotal.com/en/file/...dd22d2f78e43003a11ae496f/analysis/1449064895/
___

Fake 'Shell E-bill' SPAM - doc malware
- http://myonlinesecurity.co.uk/shell...or-account-b500101-31122014-word-doc-malware/
2 Dec 2015 - "The bad actors are either getting lazy or concentrating their efforts on old email templates that have attracted good returns previously. There seems to be a theme of reusing old email templates this week but this one from last year without even bothering to change the date is sheer idleness by the bad actor sending them. An email with the subject of 'Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014' pretending to come from Fuel Card Services <adminbur@ fuelcardgroup .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
Please note that this message was sent from an unmonitored mailbox which is unable to accept replies. If you reply to this e-mail your request will not be actioned. If you require copy invoices, copy statements, card ordering or card stopping please e-mail support@ fuelcardservices .com quoting your account number which can be found in the e-mail below...
E-billing
From: adminbur@ fuelcardservices .com
Sent: Wed, 02 Dec 2015 19:25:57 +0530
To: [REDACTED]
Subject: Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014
Account: B500101
Please find your e-bill 0765017 for 30/10/2015 attached.
To manage you account online please click xxxxx
If you would like to order more fuel cards please click xxxxx
If you have any queries, please do not hesitate to contact us.
Regards
Cards Admin.
Fuel Card Services Ltd
T 01282 410704
F 0844 870 9837 ...


2 December 2015: ebill0765017.doc - Current Virus total detections 6/55*
MALWR** The word docs are the same as described in today’s earlier malspam runs... however the Dridex malware downloaded from http ://sebel .fr/4367yt/p0o6543f.exe is an -updated- variant (VirusTotal 4/55***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...9a67da9a60fad4544092ee6c/analysis/1449064154/

** https://malwr.com/analysis/N2U3N2UzNzI1NTI2NDgzMjhmYjJhODAyOGRiYWI2NWU/

*** https://www.virustotal.com/en/file/...dd22d2f78e43003a11ae496f/analysis/1449064895/

sebel .fr: 213.186.33.19: https://www.virustotal.com/en/ip-address/213.186.33.19/information/
> https://www.virustotal.com/en/url/4...d95625aceb15bb7845159a008edf4767cdd/analysis/

- http://blog.dynamoo.com/2015/12/malware-spam-shell-fuel-card-e-bill.html
2 Dec 2015 - "... The attachment is named ebill0765017.doc and it comes in two different versions. The payload appears to be -identical- to this spam run* earlier today. The payload is the Dridex banking trojan."
* http://blog.dynamoo.com/2015/12/malware-spam-aline-payment-request.html
___

Fake 'Paypal' phish...
- http://myonlinesecurity.co.uk/dear-paypal-customer-paypal-phishing/
2 Dec 2015 - "The phishing bots have got a bit confused today and can’t decide if they are imitating PayPal or HMRC to steal your money and identity. An email saying 'Dear Paypal Customer' pretending to come from online-service @hmrc .gov .uk ...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/Dear-Paypal-Customer-1024x550.png
The link in this case goes to http ://blood4u .org/apple .com which has an -old- style PayPal log-in page:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/blood4u_paypal_phish-1024x519.png
The red warning in the URL bar shows that Internet Explorer smart filter knows about it & alerts to it being -fake- and dangerous, which is a typical phishing page that looks very similar to a genuine old style PayPal update page, if you don’t look carefully at the URL in the browser address bar. This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."

blood4u .org: 108.179.232.158: https://www.virustotal.com/en/ip-address/108.179.232.158/information/
> https://www.virustotal.com/en/url/b...d1505161981f1ffc0e8de670d778fd734e7/analysis/

:fear::fear: :mad:
 
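The posts quoted above hand out their indicators defanged ("sebel .fr", "http ://74.117.183.84 /76 .exe", "94.73.155.8/29") and note that the same payload path turns up on many different compromised hosts. As an added example (my code, not Dynamoo's, myonlinesecurity's or this thread's), the Python below normalises a selection of those indicators into a blocklist and checks proxy log lines against it three ways: by destination IP (CIDR-aware, so 94.73.155.8/29 covers 94.73.155.12), by domain suffix (tsbfdsv.extr6mchf.com matches extr6mchf.com) and by payload path alone, so a download of /4367yt/p0o6543f.exe from a host not yet on any list is still flagged. The indicators are transcribed from the posts; the log lines, their format and the 192.0.2.x / 198.51.100.x / 203.0.113.x destinations are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators transcribed from the quoted Dynamoo / myonlinesecurity posts,
# left in the defanged form those posts use ("sebel .fr", "http ://...").
RAW_INDICATORS = [
    "94.73.155.8/29",            # Dynamoo "Recommended blocklist" entries
    "89.32.145.12",
    "193.238.97.98",
    "74.117.183.84",
    "ccfinance .it",             # Teslacrypt check-in domains
    "ecaequeeessa .com",
    "extr6mchf .com",
    "http ://vanoha.webzdarma .cz/4367yt/p0o6543f.exe",   # Dridex download locations
    "http ://sebel .fr/4367yt/p0o6543f.exe",
    "www .lama .rs/87tr65/43wedf.exe",
    "facebookstls[DOT]com",      # Facebook phishing host
]


def refang(text):
    """Undo the defanging conventions used in the posts above."""
    text = text.strip()
    text = re.sub(r"\s*\[(?:dot|\.)\]\s*", ".", text, flags=re.IGNORECASE)  # a[DOT]b
    text = re.sub(r"h(?:xx|tt)p(s?)\s*:\s*//\s*", r"http\1://", text)        # "http ://"
    text = re.sub(r"\s+\.|\.\s+", ".", text)                                 # "sebel .fr"
    text = re.sub(r"\s*/\s*", "/", text)                                     # "84 /76"
    return text


class IndicatorSet:
    """Blocklist built from refanged indicators, matched by IP, host or URL."""

    def __init__(self, raw_indicators):
        self.networks = []   # ip_network objects (single IPs become /32)
        self.hosts = set()   # bare domains; subdomains match too
        self.urls = set()    # (host, path) pairs
        self.paths = set()   # payload paths, which reappear on many hosts
        for raw in raw_indicators:
            self._add(refang(raw))

    def _add(self, ind):
        try:
            self.networks.append(ipaddress.ip_network(ind, strict=False))
            return
        except ValueError:
            pass
        if "://" not in ind:
            if "/" not in ind:
                self.hosts.add(ind.lower())
                return
            ind = "http://" + ind          # scheme-less URL such as "www.lama.rs/..."
        parts = urlsplit(ind)
        self.urls.add((parts.hostname.lower(), parts.path))
        self.paths.add(parts.path)

    def ip_matches(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in self.networks)

    def host_matches(self, host):
        host = host.lower()
        return any(host == h or host.endswith("." + h) for h in self.hosts)

    def url_matches(self, url):
        parts = urlsplit(url)
        host = parts.hostname or ""
        if self.ip_matches(host) or self.host_matches(host):
            return True
        return (host.lower(), parts.path) in self.urls or parts.path in self.paths


# Constructed proxy log lines (not from the posts): time client dst_ip method url status.
# The 192.0.2.x / 198.51.100.x / 203.0.113.x destinations are documentation addresses.
SAMPLE_LOG = """\
2015-12-02T09:44:10Z 10.0.0.5 192.0.2.1 GET http://www.example.com/index.html 200
2015-12-02T09:45:02Z 10.0.0.5 192.0.2.10 GET http://vanoha.webzdarma.cz/4367yt/p0o6543f.exe 200
2015-12-02T09:45:30Z 10.0.0.5 94.73.155.12 POST http://94.73.155.12/ 200
2015-12-02T10:01:11Z 10.0.0.9 74.117.183.84 GET http://74.117.183.84/76.exe?1 200
2015-12-02T10:01:40Z 10.0.0.9 192.0.2.20 POST http://tsbfdsv.extr6mchf.com/ 200
2015-12-02T10:02:00Z 10.0.0.9 203.0.113.7 GET http://mirror.example.org/4367yt/p0o6543f.exe 200
2015-12-02T10:05:00Z 10.0.0.7 198.51.100.4 GET http://www.example.net/about 200
"""


def scan_log(lines, indicators):
    """Return (line_number, reason) for each line that touches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        dst_ip, url = fields[2], fields[4]
        if indicators.ip_matches(dst_ip):
            hits.append((n, "dst-ip " + dst_ip))
        elif indicators.url_matches(url):
            hits.append((n, "url " + url))
    return hits


if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG.splitlines(), IndicatorSet(RAW_INDICATORS)):
        print("line %d: %s" % (n, reason))
```

Run against the constructed log it flags lines 2 to 6 and leaves the two example.com/example.net lines alone. The path-only match is deliberately loose: the posts show the same /4367yt/p0o6543f.exe and /u5y432/h54f3.exe paths served from a dozen unrelated compromised sites within a day, so the path is a more stable pivot than any single hostname, at the cost of occasional review of matches on hosts not yet listed.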
Fake 'Scanned image', 'Invoice', 'ICM - Invoice' SPAM, Apple, Facebook Phish

FYI...

Fake 'Scanned image' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-scanned-image-from-mx-2600n.html
3 Dec 2015 - "This -fake- scanned image document appears to come from within the victim's own domain, but it is in fact just a simple -forgery- with a malicious attachment.
From: no-reply@ victimdomain .tld
Date: 3 December 2015 at 08:12
Subject: Scanned image from MX-2600N
Reply to: no-reply@ victimdomain .tld [no-reply@ victimdomain .tld]
Device Name: Not Set
Device Model: MX-2600N
Location: Not Set
File Format: DOC MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned image in DOC format.
Use Microsoft(R)Word(R) of Microsoft Systems Incorporated
to view the document.


Attached is a file named no-reply@victimdomain.tld_20151203_3248.doc which I have seen just a single sample of so far with a VirusTotal detection rate of 2/55*, and which contains this malicious macro... Automated analysis tools [1] [2] show that the macro downloads a component from the following location:
vinsdelcomtat .com/u5y432/h54f3.exe
There will probably be other versions of the document downloading from other locations, but for the moment the binary will be the same. This has a detection rate of 3/55** and this Malwr report*** shows that it communicates with a known bad IP of:
193.238.97.98 (PJSC DATAGROUP, Ukraine)
I strongly recommend that you -block- traffic to that IP. The payload is most likely to be the Dridex banking trojan."
* https://www.virustotal.com/en/file/...fb155f1e3fc601dacb9f7853/analysis/1449134658/

1] https://malwr.com/analysis/MDUzNDZiY2ExNDgyNGQyM2EzNjAzYTdmMzI4YmEzM2Y/

2] https://www.hybrid-analysis.com/sam...25852fb155f1e3fc601dacb9f7853?environmentId=1

** https://www.virustotal.com/en/file/...81e2d378dee1b08c04f624e6/analysis/1449135336/

*** https://malwr.com/analysis/NWVlYmQ2NzYwYjA4NDdiZGIzZjU4ZGI0NmFiODA1ZDI/
___

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-invoice-from-datanet.html
3 Dec 2015 - "This -fake- financial email does not come from Datanet but is instead a simple -forgery- with a malicious attachment:
From: Holly Humphreys [Holly.Humphreys@ datanet .co.uk]
Date: 3 December 2015 at 08:57
Subject: Invoice from DATANET the Private Cloud Solutions Company
Dear Accounts Dept :
Your invoice is attached, thank you for your business.
If you have any queries please do not hesitate to contact us.
Regards ...
Holly Humphreys
Operations
Datanet - Hosting & Connectivity...


I have seen only one sample of this spam with an attachment with a somewhat interesting name of C:\\Users\\HOLLY~1.HUM\\AppData\\Local\\Temp\\Inv_107666_from_DATANET.CO..xls which saves on my computer as C__Users_HOLLY~1.HUM_AppData_Local_Temp_Inv_107666_from_DATANET.CO..xls. This contains this malicious macro... and has a VirusTotal detection rate of 3/55*. According to this Malwr report** and this Hybrid Analysis*** the XLS file downloads a malicious binary from:
encre .ie/u5y432/h54f3.exe
There will probably be other versions of this document downloading from other locations too. This has a VirusTotal detection rate of just 1/55**** and that report plus this Malwr report[5] indicate malicious network traffic to:
162.208.8.198 (VPS Cheap, US / Sulaiman Alfaifi, Saudi Arabia)
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
78.47.66.169 (Hetzner, Germany)
The payload is almost definitely the Dridex banking trojan.
Recommended blocklist:
162.208.8.198
94.73.155.8/29
78.47.66.169

UPDATE: I have seen another version of the document... and a VirusTotal result of 3/54[6]. According to this Malwr report[7] it downloads from:
parentsmattertoo .org/u5y432/h54f3.exe "
* https://www.virustotal.com/en/file/...aea7e70e78bed0ccd4b8b4e7/analysis/1449136696/

** https://malwr.com/analysis/N2Q4MGIyMmY4YjU3NDVkY2JiZmVkMGRjNTVkYzA0ZTM/

*** https://www.hybrid-analysis.com/sam...77dacaea7e70e78bed0ccd4b8b4e7?environmentId=2

**** https://www.virustotal.com/en/file/...aea7e70e78bed0ccd4b8b4e7/analysis/1449136696/

5] https://www.hybrid-analysis.com/sam...77dacaea7e70e78bed0ccd4b8b4e7?environmentId=2

6] https://www.virustotal.com/en/file/...c6fd8e3b2622f2e1546c9bb7/analysis/1449137162/

7] https://malwr.com/analysis/MGE3YTQ1YThlM2M2NDFjNzgyZjVkOGI0ZDYxOWNjNzg/

- http://myonlinesecurity.co.uk/invoi...olly-humphreys-excel-xls-spreadsheet-malware/
3 Dec 2015
"... one from the current bot runs...:
3 December 2015: C___Users__HOLLY~1.HUM__AppData__Local__Temp__Inv_107666_from_DATANET.CO..xls
Current Virus total detections 3/55* - MALWR** tells us that it downloads http ://encre .ie/u5y432/h54f3.exe (VirusTotal 1/55***) which is likely to be Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...aea7e70e78bed0ccd4b8b4e7/analysis/1449138312/

** https://malwr.com/analysis/N2Q4MGIyMmY4YjU3NDVkY2JiZmVkMGRjNTVkYzA0ZTM/

*** https://www.virustotal.com/en/file/...c6fd8e3b2622f2e1546c9bb7/analysis/1449137162/
TCP connections
94.73.155.12: https://www.virustotal.com/en/ip-address/94.73.155.12/information/
8.254.218.14: https://www.virustotal.com/en/ip-address/8.254.218.14/information/
78.47.66.169: https://www.virustotal.com/en/ip-address/78.47.66.169/information/
___

Fake 'ICM - Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-icm-invoice-2393.html
3 Dec 2015 - "This -fake- financial spam does not come from Industrial Cleaning Materials but is instead a simple -forgery- with a malicious attachment:
From "Industrial Cleaning Materials (ICM)" [sales@ icmsupplies .co.uk]
Date Thu, 03 Dec 2015 18:22:34 +0700
Subject ICM - Invoice #2393
Dear Customer,
Please find invoice 2393 attached.
Kind Regards,
ICM
Industrial Cleaning Materials ...


I have seen two versions of the attachment order_2393.doc with VirusTotal results of 2/54 [1] [2] and the Malwr reports [3] [4] show that they download a component from:
www .ofenrohr-thermometer .de/u5y432/h54f3.exe
ante-prima .com/u5y432/h54f3.exe
This has a VirusTotal detection rate of 1/53*. The payload appears to be the -same- as the one in this spam run earlier today** and looks like the Dridex banking trojan."
1] https://www.virustotal.com/en/file/...ab6f070f157ec9c2d7f03a51/analysis/1449142268/

2] https://www.virustotal.com/en/file/...f67048bb0b932eca61357935/analysis/1449142290/

3] https://malwr.com/analysis/ZjY1YWQ3NmQ3MzI4NDFhY2EzYzU4OTAwNGViNjBmYjc/

4] https://malwr.com/analysis/NDIyYzY5YjZjZGYwNDdjNWI3NDBhMDJhYWU0MWU0NDY/

* https://www.virustotal.com/en/file/...c6fd8e3b2622f2e1546c9bb7/analysis/1449142424/
TCP connections
94.73.155.12: https://www.virustotal.com/en/ip-address/94.73.155.12/information/
8.254.218.14: https://www.virustotal.com/en/ip-address/8.254.218.14/information/
78.47.66.169: https://www.virustotal.com/en/ip-address/78.47.66.169/information/

** http://blog.dynamoo.com/2015/12/malware-spam-invoice-from-datanet.html

- http://myonlinesecurity.co.uk/icm-invoice-2393-industrial-cleaning-materials-word-doc-malware/
3 Dec 2015 - "... another one from the current bot runs...
3 December 2015 : order_2393.doc - Current Virus total detections 2/52*
MALWR** shows a download from http ://www.ofenrohr-thermometer .de/u5y432/h54f3.exe (VirusTotal 0/47**) which is the same Dridex banking Trojan from today’s other malspam runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...ab6f070f157ec9c2d7f03a51/analysis/1449141906/

** https://www.virustotal.com/en/file/...c6fd8e3b2622f2e1546c9bb7/analysis/1449142424/
TCP connections
94.73.155.12: https://www.virustotal.com/en/ip-address/94.73.155.12/information/
8.254.218.14: https://www.virustotal.com/en/ip-address/8.254.218.14/information/
78.47.66.169: https://www.virustotal.com/en/ip-address/78.47.66.169/information/
___

Apple Account Audit – Phish...
- http://myonlinesecurity.co.uk/apple-account-audit-phishing/
3 Dec 2015 - "An email saying 'Apple Account Audit' coming from Apple <secure@ icloudresources .co.uk> is a -phishing- email that is designed to steal your Apple/ITunes account details as well as your credit card & other bank details. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/Apple-Account-Audit-1024x722.png

The link in the email goes to http ://itunesconsumerhelp .com/myicloud/?email=victim@ victimdomain .com
-If- you -open- the attached html file you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/Applephish1-1024x579.png
... the phisher has set up the website so that unless you either click through from the email or insert an email address in the format they require, you get a -fake- domain ['Account'] suspended notice..."
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/apple_fake_suspended-1024x453.png
The emails come from real newly created domains that sound and look like genuine Apple domains. The emails all have proper SPF and DKIM headers to help them get-past-spam-filters... All of these emails use Social engineering tricks to persuade you to open-the-attachments that come with the email..."
___

Facebook Phish...
- https://blog.malwarebytes.org/fraud-scam/2015/12/facebook-phishers-lure-users-with-free-video-app/
Dec 3, 2015 - "... Recently, we’ve seen a campaign... -baiting- users with a -free- “Facebook video application”:
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/sp-original.png
... It asks for the user’s account credentials in order to access this so-called app. Once they are provided, the fake Facebook page saves the data onto a PHP page on its domain. We’ve seen a similar campaign hosted on another fake Facebook page, facebookstls[DOT]com:
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/stls.png
... Should you encounter the above pages, or something similar, steer clear. We also advise our readers who are unfamiliar with -phishing- campaigns on Facebook and what to do if they realized that their credentials have been -stolen- to refer to this page* on the Help Center section**..."
* https://www.facebook.com/help/217910864998172/

** https://www.facebook.com/help/

facebookstls[DOT]com: 185.86.210.113: https://www.virustotal.com/en/ip-address/185.86.210.113/information/

Close named site: http://trafficlight.bitdefender.com/info?url=http://facebooksk.info
"... Scammers can set up -fake- escrow websites and -fake- shipping companies. While promising to provide escrow services, once payment is made, the -fake- escrow website will take the money and disappear. These -scams- work hand in hand with fake shipping companies and target small businesses, such as restaurants, catering companies, etc. While purchasing large quantities of products, the scammers use stolen credit card numbers or counterfeit checks to complete the sale, and request that the items be shipped with a private third party shipping company, which only accepts payments through some wire transfer service..."

:fear::fear: :mad:
 
Fake 'receipt' SPAM

FYI...

Fake 'receipt' SPAM - xls malware
- http://myonlinesecurity.co.uk/pws-l...nt-word-doc-or-excel-xls-spreadsheet-malware/
4 Dec 2015 - "An email with the subject of 'receipt of payment' pretending to come from Perpetual Watchservices <perpetualwatchservices@ yahoo .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Hi ,
thank you for payment , please find attachment with receipt.
Best regards,
Irina
PWS LTD
41-A Great Underbank
Stockport
SK1 1NE
Opening Times: Monday- Friday 8:30-4:30
0161-480-90880161-480-9088


4 December 2015: Receipt-13764(1).doc - Current Virus total detections 4/54*
... hybrid analysis** shows us that it downloads what looks like a Dridex banking Trojan from
gwsadmin.globalwinestocks .com/325r3e32/845t43f.exe (VirusTotal 3/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...4491f2ef6f72c0ab8cc469b9/analysis/1449224485/

** https://www.hybrid-analysis.com/sam...88cdc4491f2ef6f72c0ab8cc469b9?environmentId=2

*** https://www.virustotal.com/en/file/...a80d62297a11e78fd6918b7f/analysis/1449224741/

:fear::fear: :mad:
 
Fake 'Shipping Doc', 'Apple receipt', 'Payment Advice' SPAM, Angler EK attacks

FYI...

Fake 'Shipping Doc' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/trans...11-word-doc-or-excel-xls-spreadsheet-malware/
7 Dec 2015 - "An email that appears to come from Transglobal Express with the subject of 'Transglobal Express – Shipping Documentation (TG-1569311)' pretending to come from sales@ transglobalexpress .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...hipping-Documentation-TG-1569311-1024x599.png

7 December 2015: 1569311-1Z2X12A50495162278.doc - Current Virus total detections 7/55*
MALWR** tells us it downloads http ://www.lama .rs/87tr65/43wedf.exe which is likely to be the Dridex banking Trojan (VirusTotal 1/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...4171570ff720d569f3b9532f/analysis/1449481851/

** https://malwr.com/analysis/Mzk2ZTkxMjUxZGM2NGQwZGIwZGYwOTIyOWQ5MDEzMjU/

*** https://www.virustotal.com/en/file/...371e1d6fa865199710881d8d/analysis/1449482026/
TCP connections
23.113.113.105: https://www.virustotal.com/en/ip-address/23.113.113.105/information/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/

- http://blog.dynamoo.com/2015/12/malware-spam-transglobal-express.html
7 Dec 2015 - "... -fake- shipping spam does not come from Transglobal Express but is instead a simple -forgery- with a malicious attachment...
Attached is a file 1569311-1Z2X12A50495162278.doc which in the samples I have seen has a detection rate of 7/55* and which contains this malicious macro... According to this Malwr report**, the macro downloads a binary from:
www .lama .rs/87tr65/43wedf.exe
This has a VirusTotal detection rate of just 1/54***. Those two reports plus this Hybrid Analysis[4] indicate network traffic to:
23.113.113.105 (AT&T Internet Services, US)
I strongly recommend that you -block- traffic to that IP. The payload here is almost definitely the Dridex banking trojan."
* https://www.virustotal.com/en/file/...4171570ff720d569f3b9532f/analysis/1449482367/

** https://malwr.com/analysis/Mzk2ZTkxMjUxZGM2NGQwZGIwZGYwOTIyOWQ5MDEzMjU/

*** https://www.virustotal.com/en/file/...371e1d6fa865199710881d8d/analysis/1449482582/
TCP connections
23.113.113.105: https://www.virustotal.com/en/ip-address/23.113.113.105/information/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/

4] https://www.hybrid-analysis.com/sam...36a71371e1d6fa865199710881d8d?environmentId=1
___

Fake 'Apple receipt' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-your-receipt-from-apple.html
7 Dec 2015 - "This -fake- receipt does not come from an Apple Store, but is instead a simple -forgery- with a malicious attachment:
From: manchesterarndale@ apple .com
Date: 7 December 2015 at 09:43
Subject: Your receipt from Apple Store, Manchester Arndale
Thank you for shopping at the Apple Store.
To tell us about your experience, click here.


Attached is a file emailreceipt_20150130R2155644709.xls which in the sample I analysed has a VirusTotal detection rate of 6/53*. According to this Malwr report**, the attachment downloads a malicious binary from:
steveyuhas .com/~steveyuhas/87tr65/43wedf.exe
This has a VirusTotal detection rate of precisely zero***. Those reports indicate network traffic to:
23.113.113.105 (AT&T Internet Services, US)
This is the -same- IP as seen in this earlier spam run[4], and I strongly recommend that you -block- it. The payload is likely to be the Dridex banking trojan."
* https://www.virustotal.com/en/file/...e4a67781878e61dace42351c/analysis/1449485846/

** https://malwr.com/analysis/ZmEzNTI1NmVlNDJkNDM0ODgyNzRlZDA1YzQyZDE2YjY/

*** https://www.virustotal.com/en/file/...96a791a0c0ac9869ca9c49d9/analysis/1449486079/
TCP connections
23.113.113.105: https://www.virustotal.com/en/ip-address/23.113.113.105/information/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/

4] http://blog.dynamoo.com/2015/12/malware-spam-transglobal-express.html

- http://myonlinesecurity.co.uk/your-...le-word-doc-or-excel-xls-spreadsheet-malware/
7 Dec 2015 - "An email with the subject of 'Your receipt from Apple Store, Manchester Arndale' pretending to come from manchesterarndale@ apple .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...m-Apple-Store-Manchester-Arndale-1024x381.png

7 December 2015: emailreceipt_20150130R2155644709.xls - Current Virus total detections 6/55*
MALWR shows us that it downloads from http ://steveyuhas .com/~steveyuhas/87tr65/43wedf.exe which looks to be an -updated- version of what is probably the Dridex banking Trojan (VirusTotal **)..."
* https://www.virustotal.com/en/file/...e4a67781878e61dace42351c/analysis/1449485130/

** https://www.virustotal.com/en/file/...96a791a0c0ac9869ca9c49d9/analysis/1449486079/
TCP connections
23.113.113.105: https://www.virustotal.com/en/ip-address/23.113.113.105/information/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/
___

Fake 'Payment Advice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/payme...nd-word-doc-or-excel-xls-spreadsheet-malware/
7 Dec 2015 - "An email with the subject of 'Payment Advice For Vendor0000113915' pretending to come from LBRichmondRemittance@ richmond .gov.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
The London Borough of Richmond upon Thames Accounts Payable team, are pleased to announce we can now e-mail your remittance advice.
Please find attached a remittance advice for a payment you will receive in the next 2 working days.
If this is not the preferred email address you wish to receive remittance advises, please could you
email accounts.payable@ richmond .gov.uk quoting your vendor number (found on remittance
attached) and details of your preferred email address so we can update our records.
Please Note
Remittances sent from LB Richmond Remittance will include payments made on behalf of:
Achieving for Children
LBRuT Local Authority
LBRuT Pension Fund
SW Middlesex Crematorium Board ...


7 December 2015: Payment Advice For Vendor0000113915.DOC London Borough of Richmond
Current Virus total detections 7/55* which is the -same- downloader (although renamed) which downloads the -same- Dridex banking Trojan from the -same- locations as previously described in this earlier post**..."
* https://www.virustotal.com/en/file/...4171570ff720d569f3b9532f/analysis/1449489721/
Latest: 1569311-1Z2X12A50495162278.doc

** http://myonlinesecurity.co.uk/trans...11-word-doc-or-excel-xls-spreadsheet-malware/
___

Reader’s Digest... other WP Sites Compromised, Push Angler EK
- https://blog.malwarebytes.org/onlin...r-wordpress-sites-compromised-push-angler-ek/
Nov 26, 2015 - "Update 12/01: Reader’s Digest contacted us and said they are working on the site’s security.
We’re seeing another uptick in WordPress compromises, using a slightly different modus operandi than the EITest campaign we recently blogged about, being responsible for a large number of infections via the Angler exploit kit. The attack consists of a -malicious- script injected within compromised WordPress sites that launches another URL whose final purpose is to load the Angler exploit kit. Site owners that have been affected should keep in mind that those -injected- scripts/URLs will vary over time, although they are all using the same pattern... The website of popular magazine Reader’s Digest is one of the victims of this campaign and people who have visited the portal recently should make sure they have not been infected. The payload we observed at the time of capture was Bedep which loaded Necurs a backdoor Trojan, but that of course can change from day to day...
> https://blog.malwarebytes.org/wp-content/uploads/2015/11/rd.png
... IOCs: Redirectors (non exhaustive list)..."
(More detail at the malwarebytes URL above.)

Also: http://arstechnica.com/security/201...ur-site-has-been-attacking-visitors-for-days/
Nov 30, 2015 - "... people can be exposed to drive-by malware attacks even when visiting sites they know and trust. It's always a good idea to install security updates as soon as they become available. Readers are also advised to consider uninstalling Flash, Java, and other browser extensions from their computers, or alternatively to use them only on a handful of important sites that require it. For the time being, people should assume Reader's Digest -isn't- safe to visit. This post will be updated if that status changes."

:fear::fear: :mad:
 
Fake 'Updated Statement', 'Invoice', 'JS ransomware' SPAM

FYI...

Fake 'Updated Statement' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-updated-statement-2323191.html
8 Dec 2015 - "This -fake- financial spam does not come from Buildbase but is instead a simple -forgery- with a malicious attachment.
From: David Lawale [David.Lawale@ buildbase .co.uk]
Date: 8 December 2015 at 10:58
Subject: Updated Statement - 2323191
Hi,
Please find attached copy updated statement as your account has 3 overdue incoices. Is there any reasons why they haven’t yet been paid?
Kind Regards
David
David Lawale | Credit Controller | Buildbase ...


Attached is a file 151124142451_0001.xls which I have seen come in -two- versions so far (VirusTotal results [1] [2]). Analysis of this malware is pending, but it most likely leads to the Dridex banking trojan."
1] https://www.virustotal.com/en/file/...9283e6570e6d2c470fb44113/analysis/1449572556/

2] https://www.virustotal.com/en/file/...f920245c7ba610787bbe0e33/analysis/1449572877/
UPDATE 2: According to the comments in this post and also some other sources, the macros download from:
gulteknoofis .com/76re459/98uy76t.exe
kinderdeszorns .de/76re459/98uy76t.exe
agencjareklamowalodz .com/76re459/98uy76t.exe
This has a detection rate of 4/55*... the malware phones home to:
216.189.52.147 (High Speed Web/Genesis 2 Networks, US)
23.113.113.105 (AT&T, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
78.47.66.169 (Hetzner, Germany)
Recommended blocklist:
216.189.52.147
23.113.113.105
221.132.35.56
78.47.66.169
"
* https://www.virustotal.com/en/file/...be4beb1d90e43438c7296030/analysis/1449578058/

- http://myonlinesecurity.co.uk/updat...uk-word-doc-or-excel-xls-spreadsheet-malware/
8 Dec 2015 - "An email with the subject of 'Updated Statement – 2323191' pretending to come from David Lawale <David.Lawale@ buildbase .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

8 December 2015 : 151124142451_0001.xls - Current Virus total detections 6/54* (VT2 - 6/54**)
Updated: This downloads http ://gulteknoofis .com/76re459/98uy76t.exe -or-
http ://agencjareklamowalodz .com/76re459/98uy76t.exe (VirusTotal 3/55***) which is almost certainly the Dridex banking Trojan..."
* https://www.virustotal.com/en/file/...eb2a06c9fe79283e6570e6d2c470fb44113/analysis/

** https://www.virustotal.com/en/file/...f920245c7ba610787bbe0e33/analysis/1449572877/

*** https://www.virustotal.com/en/file/...be4beb1d90e43438c7296030/analysis/1449575422/
TCP connections
216.189.52.147: https://www.virustotal.com/en/ip-address/216.189.52.147/information/
104.86.111.136: https://www.virustotal.com/en/ip-address/104.86.111.136/information/
___

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-exb-uk-ltd-invoice-sales.html
8 Dec 2015 - "This -fake- financial spam does not come from EXB (UK) Ltd but is instead a simple -forgery- with a malicious attachment.
From: Sales [sales@ exbuk .co.uk]
Date: 8 December 2015 at 12:03
Subject: EXB (UK) Ltd Invoice
Dear Sirs,
Please find attached our invoice, Thank you for your order
Best Wishes
EXB (UK) Ltd


Attached is a Word document named Invoice 1195288 from EXB (UK) Limited.doc which comes in at least -three- different versions (VirusTotal results [1] [2] [3]) and which contain a complex macro... that fails to run in automated analysis tools... The payload (if it works) is likely to be the Dridex banking trojan."
1] https://www.virustotal.com/en/file/...d1d51132a9a38ffc5b9f2318/analysis/1449576023/

2] https://www.virustotal.com/en/file/...bd66643f17c5e27198f14c3b/analysis/1449576032/

3] https://www.virustotal.com/en/file/...42c1da00edde82dfdb729c2e/analysis/1449576039/

- http://myonlinesecurity.co.uk/exb-uk-ltd-invoice-word-doc-or-excel-xls-spreadsheet-malware/
8 Dec 2015 - "An email with the subject of 'EXB (UK) Ltd Invoice' pretending to come from Sales <sales@ exbuk .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

8 December 2015: Invoice 1195288 from EXB (UK) Limited.doc - Current Virus total detections 6/55*
... It is highly likely that it will download the -same- Dridex banking malware from the same locations as today’s earlier malspam**..."
* https://www.virustotal.com/en/file/...d1d51132a9a38ffc5b9f2318/analysis/1449576427/

** http://myonlinesecurity.co.uk/updat...uk-word-doc-or-excel-xls-spreadsheet-malware/
___

Fake 'Invoice' SPAM – JS malware Teslacrypt
- http://myonlinesecurity.co.uk/invoice-from-cimquest-ingear-js-malware-teslacrypt/
8 Dec 2015 - "An email with the subject of 'Invoice from CimQuest INGEAR' coming from random senders and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
Dear Customer ,
Please review the attached copy of your Invoice (number: NI16157660) for an amount of $400.46.
Thank you for your business


2 September 2015: invoice_copy_16157660.zip: Extracts to: doc_H4QPKCVlWBE.js
Current Virus total detections 2/56* - MALWR** tells us it downloads 840135.exe teslacrypt malware (VirusTotal 3/55***) and the associated txt and html files telling you how to pay-the-ransom to recover your files.
This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...75b3325071750718c5c666d5/analysis/1449577730/

** https://malwr.com/analysis/ZTg0ZDM2NzU0OTJkNDBjZWI2YmM3MzY4Zjk1Yjg1OWI/
50.63.210.1: https://www.virustotal.com/en/ip-address/50.63.210.1/information/
78.47.139.102: https://www.virustotal.com/en/ip-address/78.47.139.102/information/
173.201.96.1: https://www.virustotal.com/en/ip-address/173.201.96.1/information/

*** https://www.virustotal.com/en/file/...a394076bf5016d467ada5d2b/analysis/1449576976/
___

Fake 'Courier Service invoice' SPAM - JS malware
- http://myonlinesecurity.co.uk/random-courier-service-invoice-leads-to-possible-malware-js-malware/
8 Dec 2015 - "An email with the subject of 'Invoice #CS-34169266' [random numbered] pretending to come from a random named Courier Service with a zip attachment is another one from the current bot runs... The content of the email says:
Dear Customer
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business – we appreciate it very much.
Sincerely,
Louie Gomez Courier Service


All the names of the alleged senders match the name in the body of the email although none are courier services. All the sender email addresses are random...
8 December 2015: invoice_copy_34169266.zip: Extracts to: invoice_SCAN_InT9b.js
Current Virus total detections 4/55*. MALWR analysis** shows it downloads what looks like a genuine Avira installation from one of these sites prestakitchen .com and acsbrokerage .com...
Update: Some -other- versions of these JavaScript downloaders attached to similar emails pretending to be courier invoices are downloading what looks like a teslacrypt malware. One location is 46.151.52.197 /85.exe [VirusTotal 3/55*** for js downloader] [MALWR[4]] [VirusTotal for 85.exe 2/55[5]]
[malwr[6] for 85.exe]... This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...ab50a9f1a06a9b94cd2a8b86/analysis/1449601718/

** https://malwr.com/analysis/YjkwYzIyMmQ4YzI5NGJiOWE5ZjI1Yjc0ZjlhYTM0NGU/
63.247.90.80
185.93.187.90
184.168.138.1
169.54.129.13
8.254.249.94
23.5.245.163
23.222.171.250
23.222.166.108


*** https://www.virustotal.com/en/file/...c94730ec88617b528a64f9b7/analysis/1449601551/

4] https://malwr.com/analysis/N2FhZjg5NzNiNjE2NDUyOWFjNmQ1MGNkYmM4NGVjZDg/
46.151.52.197
78.47.139.102
89.161.139.233
83.143.81.14
50.62.123.1
50.63.71.1
192.163.250.195


5] https://www.virustotal.com/en/file/...05a75ae9c09633300fea55de/analysis/1449605987/

6] https://malwr.com/analysis/MTdiMzUwNjc3MDY0NGU1NGE0NzZiYmYzZmU1ODhmODM/
78.47.139.102
89.161.139.233
83.143.81.14
50.62.123.1
50.63.71.1
192.163.250.195


:fear::fear: :mad:
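The "spoofed icon" lure described in the courier-invoice and CimQuest posts above works because Windows hides known extensions by default, so a member such as invoice_copy_XEmx4n.js is shown as invoice_copy_XEmx4n with a document-style icon. A mail gateway does not have that problem: it can open the ZIP and judge the member names directly, before a user ever sees the icon. The Python below is an added example written for this thread, not code from myonlinesecurity.co.uk or any other quoted blog; the archive contents, the extension lists and the function names are constructed, and it also flags the double-extension pattern (name.pdf.exe), which goes beyond the single-extension .js names quoted here.

```python
"""Gateway-side check for the ZIP-wrapped script lures described in these posts.

Added example for this thread; the archive, the extension lists and the
function names are constructed, not taken from any of the quoted blogs.
"""
import io
import os
import zipfile

# Extensions Windows runs directly on double-click (constructed policy list).
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                   ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1"}
# Document-style extensions used as the decoy half of a double extension.
DECOY_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg"}


def name_findings(member_name: str) -> list:
    """Reasons an archive member name looks like a script/executable lure."""
    base = os.path.basename(member_name.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
        inner = os.path.splitext(stem)[1].lower()
        if inner in DECOY_EXTS:
            findings.append(f"double extension {inner}{ext}")
    return findings


def inspect_zip(data: bytes) -> list:
    """Return [(member, [findings]), ...] for every suspicious member.

    Only names are examined, so this is cheap and works without unpacking
    the payload; an unreadable archive is reported rather than waved through.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return [("<archive>", ["not a valid ZIP archive"])]
    results = []
    for name in names:
        hits = name_findings(name)
        if hits:
            results.append((name, hits))
    return results


def should_quarantine(data: bytes) -> bool:
    """Fail closed: any finding, including an unreadable archive, holds the mail."""
    return bool(inspect_zip(data))


def build_sample_zip() -> bytes:
    """Constructed attachment in the style of the quoted 'copy_invoice_*.zip' lures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Member name mirrors the quoted lure; content is a harmless placeholder.
        zf.writestr("invoice_copy_XEmx4n.js", "// constructed placeholder\n")
        zf.writestr("statement.pdf.exe", "constructed placeholder, not a PE\n")
        zf.writestr("notes.txt", "benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, reasons in inspect_zip(sample):
        print(f"{member}: {', '.join(reasons)}")
    print("quarantine:", should_quarantine(sample))
```

This catches the JS/EXE-in-ZIP lures only; the macro-bearing .doc and .xls attachments from the Dridex runs in the same posts look like ordinary documents by name and need a separate control (VBA/OLE inspection at the gateway, and Protected View plus macros disabled on the endpoint, as the quoted posts recommend).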
 
Fake 'Invoice', 'order' SPAM - Teslacrypt ransomware

FYI...

Fake 'Invoice' SPAM - js malware teslacrypt
- http://myonlinesecurity.co.uk/your-...rtment-manager-fretter-js-malware-teslacrypt/
9 Dec 2015 - "An email with the subject of 'Your order #89518498 – Corresponding Invoice #42E64A46' [random numbered] pretending to come from a random named Sales Department Manager at Fretter Inc. with a zip attachment is another one from the current bot runs... The content of the email says:
Dear Valued Customer,
We are pleased to inform you that your order #89518498 has been processed and ready to be dispatched. However, according to our records, above mentioned invoice is still unpaid.
We would highly appreciate if you sent your payment promptly. For your information, don’t hesitate to check the invoice enclosed to this letter or contact us directly.
In case if you have already sent your payment, please disregards this letter and kindly allow us up to 3 business days to clear the incoming payment.
We look forward to your remittance and will the dispatch the goods.
Thank you for choosing our services we sincerely hope to continue doing business with you again.
Sincerely,
Evan Hampton
Sales Department Manager
Fretter Inc. ...


All the names of the alleged senders match the name in the body of the email although -none- are genuine sales department managers. All the sender email addresses are random...
9 December 2015: copy_invoice_89518498.zip: Extracts to: invoice_copy_XEmx4n.js
Current Virus total detections 2/53*. MALWR analysis** shows it downloads and automatically runs http ://softextrain64 .com/86.exe (virustotal 3/55***) a Teslacrypt ransomware Trojan that encrypts your files. If you look at the malwr analysis it shows the virtual machine being encrypted which shows how dangerous these ransomware Trojans are. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...3cbabffc9262c03f3cf48f2f/analysis/1449666881/

** https://malwr.com/analysis/YjgyNmU3ZmQ5NThmNDBmZmE3YmMzOWNhYTMxMjU1NWE/
192.227.158.229
78.47.139.102
83.143.81.14
50.62.123.1
50.63.71.1
192.163.250.195
173.201.96.1
89.161.139.233


*** https://www.virustotal.com/en/file/...aaebb7ff3b92a11e2ec3c7d5/analysis/1449666957/

softextrain64 .com: 194.135.83.55: https://www.virustotal.com/en/ip-address/194.135.83.55/information/
192.227.158.229: https://www.virustotal.com/en/ip-address/192.227.158.229/information/
>> https://www.virustotal.com/en/url/d...e816fbef2d3396bdf4a854b5c0df0eba301/analysis/

>> https://en.wikipedia.org/wiki/TeslaCrypt

>>> http://blogs.cisco.com/security/talos/teslacrypt
___

- http://myonlinesecurity.co.uk/invoice-62579723-from-datacorp-inc-js-malware-teslacrypt/
9 Dec 2015 - "An email with the subject of 'Invoice #62579723 from DataCorp Inc' [random numbered] pretending to come from a random named Junior accountant at DataCorp Inc with a zip attachment is another one from the current bot runs... The content of the email says:
Dear Customer,
Reference nr. 62579723-2801
Our internal records show that you have an outstanding balance dating on your account. Previous invoice was for $987.34 and have yet to receive your payment.
You can find the copy of the invoice enclosed to this letter.
In case if you have already transferred the payment you can disregards this payment notice. In all other case, please be so kind and forward us the amount stated in full until the end of the month.
As our agreement indicates, all outstanding balances after 30 days are subject to the 7% interest fee.
Thank you in advance for your cooperation.
Sincerely,
Leif Valentine
Junior Accountant
DataCorp Inc. ...


All the names of the alleged senders match the name in the body of the email although -none- are genuine junior accountants. All the sender email addresses are random...
9 December 2015: copy_invoice_62579723.zip: Extracts to: invoice_copy_KEoHWB.js
Current Virus total detections 5/54*. MALWR analysis** shows it downloads and automatically runs
http ://softextrain64 .com/86.exe (virustotal 3/55***) a Teslacrypt ransomware Trojan that encrypts your files. This 86.exe is -different- to today’s earlier version[4] although the -same- download locations. This is another one of the spoofed icon files..."
* https://www.virustotal.com/en/file/...7e2ec86ab6d4ac9f32a3ab47/analysis/1449691313/

** https://malwr.com/analysis/ZGM2MDNkYmUzOGU3NDQ0OGI2ZmE3ZGQzYjg5ZGI4MzY/
192.3.52.235
78.47.139.102
83.143.81.14


*** https://www.virustotal.com/en/file/...36d3529169340e4893c08c37/analysis/1449689393/

4] http://myonlinesecurity.co.uk/your-...rtment-manager-fretter-js-malware-teslacrypt/
___

Fake 'order' SPAM - leads to Teslacrypt ransomware
- http://blog.dynamoo.com/2015/12/fake-fretter-inc-leads-to-teslacrypt.html
9 Dec 2015 - "This email claims to be from the long-dead retailer Fretter Inc, but it is not. Instead it comes with a -malicious- attachment leading to Teslacrypt ransomware.
From: Tonia Graves [GravesTonia8279@ ikom .rs]
Date: 9 December 2015 at 14:50
Subject: Your order #11004118 - Corresponding Invoice #B478192D
Dear Valued Customer,
We are pleased to inform you that your order #11004118 has been processed and ready to be dispatched. However, according to our records, above mentioned invoice is still unpaid.
We would highly appreciate if you sent your payment promptly. For your information, don't hesitate to check the invoice enclosed to this letter or contact us directly.
In case if you have already sent your payment, please disregards this letter and kindly allow us up to 3 business days to clear the incoming payment.
We look forward to your remittance and will the dispatch the goods.
Thank you for choosing our services we sincerely hope to continue doing business with you again.
Sincerely,
Tonia Graves
Sales Department Manager
Fretter Inc. ...


The sender's name and the reference numbers change in each version. Attached is a file copy_invoice_11004118.zip which in turn contains a malicious script [VT 5/54*] which in the sample I investigated was named invoice_iU9A2Y.js... The Malwr report** for that script shows it downloading from:
softextrain64 .com/86.exe?1
The script itself shows an alternate location of:
46.151.52.197 /86.exe?1
This has a VirusTotal detection rate of 3/55***. A Malwr report[4] on just the executable plus this Hybrid Analysis report[5] shows it connecting to:
gjesdalbrass .no
It also tries to identify the IP address of the host by connecting to http ://myexternalip .com/raw which is a benign service that you might consider to be a good indicator of compromise. You can see in the screenshots of that Malwr report that this is ransomware - specifically Teslacrypt.
Recommended blocklist:
gjesdalbrass .no
softextrain64 .com
46.151.52.197
"
* https://www.virustotal.com/en/file/...cf39a1e6e6c45a6e7fdbbb69/analysis/1449689090/

** https://malwr.com/analysis/NzgyYmEyZmM2MjkxNDAyMzlhNWU5YjRiMGQyMzhhOTM/

*** https://www.virustotal.com/en/file/...36d3529169340e4893c08c37/analysis/1449689393/

4] https://malwr.com/analysis/NzgyYmEyZmM2MjkxNDAyMzlhNWU5YjRiMGQyMzhhOTM/

5] https://www.hybrid-analysis.com/sam...9d4f836d3529169340e4893c08c37?environmentId=1
___

News Site “The Independent” Hacked, Leads to TeslaCrypt Ransomware
- http://blog.trendmicro.com/trendlab...ndent-hacked-leads-to-teslacrypto-ransomware/
Dec 8, 2015 - "The blog page of one of the leading media sites in the United Kingdom, The Independent has been compromised, which may put its millions of readers at risk of getting infected with ransomware. We have already informed 'The Independent' about this security incident. However, the site is still currently compromised and users are -still- at risk. It should be noted that only the blog part of the website – which uses WordPress – is impacted; the rest of The Independent’s online presence seems unaffected. WordPress is a very popular blogging platform that has seen more than its fair share of attacks and compromises from threat actors and cybercriminals looking to infect users... Angler Exploit Kit is the most active exploit kit to date that integrated Adobe Flash zero-day vulnerabilities related to the Hacking Team leak... tracked the number of hits to the TDS between compromised sites leading to Angler EK (not just The Independent blog) and have seen as many as -4,000- hits a day. The real number could be bigger...
Number of users redirected from compromised sites leading to Angler EK
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2015/12/new_independent_graph.png
Updated on December 8, 2015, 7:15 PM PST (UTC -8): We have edited this entry to reflect the current status of communications with The Independent and the current threat. As of this writing, the site is -still- compromised and serving various malware threats to users."

:fear::fear: :mad:
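The quoted posts de-fang their indicators (a space before the TLD, "http ://", a space before the path) so that nothing is clickable, which means the "Recommended blocklist" entries in the Fretter/Teslacrypt post above, and the Dridex blocklist in the earlier 'Updated Statement' post, have to be reversed before they can be fed to a firewall or DNS sinkhole. The Python below is an added example written for this thread, not code from dynamoo.com or any of the quoted blogs; the sample text is constructed in the same notation, and the function names are mine.

```python
"""Refang the de-fanged indicators quoted in these posts and build a blocklist.

Added example for this thread; SAMPLE_TEXT is constructed in the same
notation as the quoted dynamoo.com / myonlinesecurity.co.uk posts.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample mimicking the quoted posts (deliberately de-fanged).
SAMPLE_TEXT = """\
The Malwr report shows it downloading from:
softextrain64 .com/86.exe?1
The script itself shows an alternate location of:
46.151.52.197 /86.exe?1
Recommended blocklist:
gjesdalbrass .no
softextrain64 .com
46.151.52.197
216.189.52.147 (High Speed Web/Genesis 2 Networks, US)
http ://www.lama .rs/87tr65/43wedf.exe
"""

_SPACED_SCHEME = re.compile(r"(https?)\s*:\s*//", re.I)   # "http ://" -> "http://"
_SPACED_DOT = re.compile(r"\s+\.(?=\S)")                  # "example .com" -> "example.com"
_SPACED_SLASH = re.compile(r"(?<=\S)\s+/")                # "1.2.3.4 /x.exe" -> "1.2.3.4/x.exe"
_HOSTPATH = re.compile(r"^([A-Za-z0-9.-]+)(/\S*)?$")
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def refang(line: str) -> str:
    """Undo the spacing-based de-fanging used in the quoted posts."""
    line = _SPACED_SCHEME.sub(lambda m: m.group(1).lower() + "://", line)
    line = _SPACED_DOT.sub(".", line)
    line = _SPACED_SLASH.sub("/", line)
    return line.strip()


def extract_indicators(text: str) -> dict:
    """Pull IPs, hostnames and download URLs out of de-fanged write-up text.

    Only the first token of each line is considered, so the trailing
    "(ASN, country)" annotations in the posts are ignored.
    """
    ips, domains, urls = set(), set(), set()
    for raw in text.splitlines():
        line = refang(raw)
        if not line:
            continue
        token = line.split()[0].rstrip(".,;")
        if token.lower().startswith(("http://", "https://")):
            host, has_path = urlparse(token).hostname or "", True
        else:
            m = _HOSTPATH.match(token)
            if not m:
                continue
            host, has_path = m.group(1), bool(m.group(2))
        host = host.lower()
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            if not _DOMAIN.match(host):
                continue  # a prose word such as "Recommended", not an indicator
            domains.add(host)
        if has_path:
            urls.add(token)
    return {"ips": sorted(ips), "domains": sorted(domains), "urls": sorted(urls)}


def to_blocklist(indicators: dict) -> list:
    """One entry per line, IPs first, ready for a firewall or DNS-sinkhole feed."""
    return indicators["ips"] + indicators["domains"]


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_TEXT)
    print("\n".join(to_blocklist(found)))
    print("download URLs seen:", *found["urls"], sep="\n  ")
```

Feed it the blocklist portion of a post rather than the whole write-up: the Fretter post above also names myexternalip .com, which the author calls a benign service, and a blind extraction over the full text would sweep that up too. Hostnames are kept exactly as given (www.lama .rs stays www.lama.rs), so widening to the registered domain is a separate decision.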
 
Fake 'Payment Notice', 'STMT', 'Order', 'Scanned doc', 'Last Payment' SPAM

FYI...

Fake 'Payment Notice' SPAM - leads to ransomware
- http://blog.dynamoo.com/2015/12/malware-spam-foreman-ltd-last-payment.html
10 Dec 2015 - "This -fake- financial spam does not come from the long-defunct Foreman & Clark, but instead it comes with a malicious attachment that leads to ransomware.
From: Harlan Gardner
Date: 10 December 2015 at 08:48
Subject: Reference Number #20419955, Last Payment Notice
Dear Client,
This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $8,151.
Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.
Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
In case you fail to respond to this e-mail we well be compelled to pursue all the necessary legal actions.
Thank you beforehand for your attention to this case.
Looking forward to hearing back from you.
Sincerely,
Harlan Gardner
Sales Manager
Foreman&Clark Ltd...


In the sample I saw, the attachment was named copy_invoice_20419955.zip which contained this malicious obfuscated script which has a VirusTotal detection rate of 2/55*. When deobfuscated it becomes a bit clearer as to what it does, with an attempted download from:
46.151.52.196 /86.exe?1
softextrain64 .com/86.exe?1
This pattern is the same as the spam run yesterday**. The downloaded binary has an MD5 of 42b27f4afd1cca0f5dd2130d3829a6bc, a detection rate of 5/55*** and the Malwr report[4] indicates that it pulls data from the following domains:
graysonacademy .com
grassitup .com
grupograndes .com
crown.essaudio .pl
garrityasphalt .com
gjesdalbrass .no
The characteristics of this malware indicate the Teslacrypt ransomware.
Recommended blocklist:
46.151.52.196
softextrain64 .com
gjesdalbrass .no
graysonacademy .com
grassitup .com
grupograndes .com
crown.essaudio .pl
garrityasphalt .com
"
* https://www.virustotal.com/en/file/...34fc4fbb1154923673020608/analysis/1449741728/

** http://blog.dynamoo.com/2015/12/fake-fretter-inc-leads-to-teslacrypt.html

*** https://www.virustotal.com/en/file/...b2fa85ac0264923ffd2f1ad1/analysis/1449742342/
TCP connections
78.47.139.102: https://www.virustotal.com/en/ip-address/78.47.139.102/information/
83.143.81.14: https://www.virustotal.com/en/ip-address/83.143.81.14/information/

4] https://malwr.com/analysis/YjA5OGFlZjJiZWZlNDk0MmJiMjAzYjVjYTI0YThhNjI/
___

Fake 'STMT' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-stmt-acwl-15dec12-120106.html
10 Dec 2015 - "This -fake- financial email does not come from MAM Software but is instead a simple forgery with a malicious attachment.
From: accounts@ mamsoft .co.uk [statements@ mamsoft .co.uk]
Date: 10 December 2015 at 11:35
Subject: STMT ACWL-15DEC12-120106
The following are attached to this email:
XACWL-15DEC12-120106.DOC


Attached is a file XACWL-15DEC12-120106.DOC which I have only seen one variant of so far, with a VirusTotal detection rate of 6/54*. According to the Malwr analysis**, it downloads a file from:
life.1pworks .com/76t7h/76gjk.exe
There will probably be other versions of the document with different download locations. This executable has a detection rate of 2/54*** and according to this Malwr report[4] it contacts:
136.145.86.27 (University Of Puerto Rico, Puerto Rico)
Other analysis is pending, in the meantime I recommend that you -block- traffic to that IP. The payload is probably the Dridex banking trojan."
* https://www.virustotal.com/en/file/...446fa6ad25ddf3cab252fec0/analysis/1449747380/

** https://malwr.com/analysis/ZWI1NjA3Y2U5OTU3NDMxOTlhZTA4M2I2ZTU5MzU3ZDI/

*** https://www.virustotal.com/en/file/...20b0aea4f6a8d855aa048dc8/analysis/1449747675/

4] https://malwr.com/analysis/N2U2ZjNhN2E1ZWIzNDI2YmEwYTEzZWQwNDIwN2RmYWQ/
136.145.86.27
13.107.4.50

___

Fake 'Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-order-311286-acknowledged.html
10 Dec 2015 - "This -fake- financial spam does not come from Touchstone Lighting but is instead a simple -forgery- with a malicious attachment.
From: sales@ touchstonelighting .co.uk
Date: 10 December 2015 at 12:02
Subject: Order 311286 Acknowledged


There is -no- body text. Attached is a malicious Word document 'Order Acknowledgement.doc' which appears to be exactly the -same- as the payload used for this spam run*."
* http://blog.dynamoo.com/2015/12/malware-spam-stmt-acwl-15dec12-120106.html
___

Fake 'Scanned doc' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/scann...in-word-doc-or-excel-xls-spreadsheet-malware/
10 Dec 2015 - "An email with the subject of 'Scanned document from MX-4100N' pretending to come from MX-4100N <mx-4100n@'your email domain> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Reply to: “MX-4100N” <mx-4100n@ victimcompany>
Device Name: Not Set
Device Model: MX-4100N
Location: Not Set
File Format: XLS MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned document in XLS format.


... these are -not- coming from your own company or email domain.
10 December 2015: mx-4100n@[redacted]_20151210_141946.xls - Current Virus total detections 3/55*
Downloads Dridex banking Trojan from jin.1pworks .com/76t7h/76gjk.exe (VirusTotal 6/55**). There appear to be -several- different subdomains of 1pworks .com delivering this malware... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...ac5b88e56447d18c6305264e/analysis/1449764254/

** https://www.virustotal.com/en/file/...65b49627e099dc126b661d8c/analysis/1449764179/

1pworks .com: 120.136.10.15: https://www.virustotal.com/en/ip-address/120.136.10.15/information/
___

Fake 'Last Payment' SPAM - teslacrypt ransomware
- http://myonlinesecurity.co.uk/refer...t-notice-foremanclark-ltd-teslacrypt-malware/
10 Dec 2015 - "An email with the subject of 'Reference Number #45285286, Last Payment Notice' [random numbered] pretending to come from a random named Junior accountant at Foreman&Clark Ltd. with a zip attachment is another one from the current bot runs... The content of the email says :
Dear Client,
This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $2,396.
Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.
Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
In case you fail to respond to this e-mail we well be compelled to pursue all the necessary legal actions.
Thank you beforehand for your attention to this case.
Looking forward to hearing back from you.
Sincerely,
Karen Wood
Sales Manager
Foreman&Clark Ltd...


10 December 2015: copy_invoice_45285286.zip: Extracts to: invoice_gnEDzT.js
Current Virus total detections 2/55*. MALWR analysis** shows it downloads and automatically runs http ://softextrain64 .com/80.exe (virustotal ***) a Teslacrypt ransomware Trojan that encrypts your files. This domain was involved in a similar attack yesterday but at time of posting appears to be down. Alternative download locations from yesterday are still -live- and issuing malware so some versions of the javascript file -will- download a working teslacrypt. So far I got 46.151.52.196 /86.exe (virustotal 5/55[4]) 80.exe (virustotal 4/54[5])... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...34fc4fbb1154923673020608/analysis/1449741728/

** https://malwr.com/analysis/MTQ3MTFlNGY3YjU0NDIzNWE4NTUyYWE5OTgxMDY5Nzc/
185.117.72.65
78.47.139.102
83.143.81.14


*** https://www.virustotal.com/en/file/...b2fa85ac0264923ffd2f1ad1/analysis/1449742342/

4] https://www.virustotal.com/en/file/...b2fa85ac0264923ffd2f1ad1/analysis/1449742342/

5] https://www.virustotal.com/en/file/...df81f4a354a591fb2dac3b5d/analysis/1449765933/
___

Fake 'Payment Request' SPAM - teslacrypt ransomware
- http://myonlinesecurity.co.uk/payme...partment-realty-solutions-teslacrypt-malware/
10 Dec 2015 - "An email with the subject of 'Payment Request, Ref. nr: 12826828/2015' [random numbered] pretending to come from William Perkins Customer Service Department at Realty Solutions with a zip attachment is another one from the current bot runs... The content of the email says :
Dear Valued Client,
The purpose of this e-mail is to follow up with you on a matter of your payment of invoice #3A5AB8AF with a Ref. nr: 12826828/2015.
As of today, your outstanding past due balance is -$9,458, as detailed on the statement and account report attached to this e-mail.
To keep your account active and avoid any additional charges for the late payment, please remit payment in full immediately.
In case you have already transferred the amount or feel that there can be any kind of error, don’t hesitate to let us know.
Thank you for your time and attention. We are looking forward to hearing back from you on this urgent matter.
Regards,
William Perkins
Customer Service Department
Realty Solutions ...


10 December 2015: SCAN_invoice_12826828.zip: Extracts to: invoice_FIrFhy.js
Current Virus total detections 6/54* MALWR analysis** shows it downloads and automatically runs http ://46.151.52.231 /87.exe (virustotal 7/55***) a Teslacrypt ransomware Trojan that encrypts your files. This domain was involved in a similar attack yesterday and earlier today. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...b33b34f6d89e575228abb090/analysis/1449768665/

** https://malwr.com/analysis/ODIzMzYxYzUzYzc2NDAwMTkwZWFjMjVkYTUwYTkzYTU/
46.151.52.231
78.47.139.102
213.185.88.133


*** https://www.virustotal.com/en/file/...49a997de68dcf112e9fb8945/analysis/1449769533/

:fear::fear: :mad:
 
Fake 'Payment' SPAM - ransomware, LLoyd’s Bank - Phish, Malvertising

FYI...

Fake 'Payment' SPAM - teslacrypt ransomware
- http://myonlinesecurity.co.uk/gener...-your-payment-leads-to-teslacrypt-ransomware/
11 Dec 2015 - "An email with the subject of 'Payment Nr: 63679716/E219EC3C' [random numbered] pretending to come from random names at random companies with a zip attachment is another one from the current bot runs... The content of the email says:
Dear Client,
Our finance department has processed your payment, unfortunately it has been declined.
Please, double check the information provided in the invoice down below and confirm your details.
Thank you for understanding.


All the sender email addresses are random...
11 December 2015: SCAN_invoice_06630453.zip: Extracts to: invoice_6bOnJR.js
Current Virus total detections 1/51*. MALWR analysis** shows it downloads and automatically runs http ://46.151.52.231 /87.exe (virustotal 7/53***) a Teslacrypt ransomware Trojan that encrypts your files. This domain was involved in a similar attack previously and earlier yesterday. This current series of teslacrypt droppers try to contact soft2webextrain .com for the malware...
Update: soft2webextrain .com is -live- again and currently downloading soft2webextrain .com/87.exe ... Be aware the bad actors controlling these domains regularly update this malware at random periods throughout the day and night to try to bypass antivirus detections. They are using varying 2 digit numbers between 80 and 89 and each different number delivers a different file#. The 3 sites delivering this series of Teslacrypt currently are:
soft2webextrain .com/87.exe
softextrain64 .com/86.exe
46.151.52.231 /87.exe
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...9b7b9bbb0925b0256f60c119/analysis/1449787904/

** https://malwr.com/analysis/Y2I1Y2E5YjY1MTg4NGU1NjkyNjVhNDdjNDMxMjQ3M2I/
46.151.52.231
78.47.139.102
213.185.88.133


*** https://www.virustotal.com/en/file/...eadd53538695b12f5f70c51c/analysis/1449814119/

- http://blog.dynamoo.com/2015/12/malware-spam-invoice-66626337ba2deb0f.html
11 Dec 2015 - "I have only seen one sample of this -fake- invoice spam, so it is possible that the invoice references and sender names are randomly generated.
From: Jarvis Miranda
Date: 11 December 2015 at 08:25
Subject: Invoice #66626337/BA2DEB0F
Dear Client,
Our finance department has processed your payment, unfortunately it has been declined.
Please, double check the information provided in the invoice down below and confirm your details.
Thank you for understanding.


In the sample I saw, the attached file was named SCAN_invoice_66626337.zip which contained a malicious javascript... with a VirusTotal detection rate of 5/54*... it is trying to download a binary from:
soft2webextrain .com/87.exe?1
46.151.52.231 /87.exe?1
This behaviour can be seen in these automated reports [1] [2]. The downloaded executable has a detection rate of 6/55**... This Malwr report[3] gives a clearer indication of what the binary is doing, attempting to pull information from:
kochstudiomaashof .de
The screenshots[3] indicate clearly that this is ransomware, specifically Teslacrypt.
Note that the soft2webextrain .com domain is on the -same- server as softextrain64 .com seen yesterday, so 185.118.64.183 (CloudSol LLC, Russia) can be considered to be malicious.
UPDATE: I didn't spot originally that the "soft2webextrain .com" website is -multihomed- with another IP address on 149.202.234.190 which is an OVH IP allocated to a customer "Dmitry Shestakov" and which forms a small block of 149.202.234.188/30 which is probably also worth blocking.
UPDATE 2: I made an error with one of the IP addresses and specified 185.118.64.183 and it should have been 185.118.64.182.
Recommended blocklist:
185.118.64.182
149.202.234.188/30
46.151.52.231
kochstudiomaashof .de
"
* https://www.virustotal.com/en/file/...40d1d2d2e593caecb2f4b048/analysis/1449828974/

1] https://malwr.com/analysis/ZGE3YmQxZjNiNDJmNGRkNWJmMjYyYzhhZGRkNTc1OTk/
46.151.52.231
78.47.139.102
213.185.88.133


2] https://www.hybrid-analysis.com/sam...f6c1840d1d2d2e593caecb2f4b048?environmentId=1

3] https://malwr.com/analysis/MGE5NWViZjU2MjM3NDg3NDhjMmQyMDE3ZmQxNzFjM2Y/
78.47.139.102
213.185.88.133


** https://www.virustotal.com/en/file/...bdb7cbdab6110997808c4061/analysis/1449829134/
___

Malvertising Attacks via Nuclear EK Pushes Ransomware
- https://blog.malwarebytes.org/malve...ing-attacks-via-nuclear-ek-pushes-ransomware/
Dec 11, 2015 - "We’ve been monitoring a malvertising campaign very closely as it really soared during the past week. The actors involved seem to be the same as the ones behind the self-sufficient Flash malverts/exploits we’ve documented before and reported by security researcher Kafeine* (Spartan EK).
* http://malware.dontneedcoffee.com/2015/10/cve-2015-7645.html
One single domain (easy-trading.biz) is relaying all traffic to other ‘ad networks’ and ultimately to the Nuclear exploit kit. That domain still hosts the malicious Flash file (CVE-2015-7645) that it previously used in standalone attacks. Now instead, it points its traffic directly to Nuclear EK, which also attempts to exploit CVE-2015-7645 as seen in the picture below:
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/MBAE1.png
This malvertising campaign receives traffic from multiple sources, including the AdCash ad network which we promptly informed. According to our telemetry, this attack is accounting for about -half- of -all- malvertising activity we are seeing now. Interestingly, most victims from this campaign are outside of the US and UK and mainly in certain parts of Europe and South America. The payload distributed by the exploit kit is a downloader which retrieves several other pieces of malware including ransomware..."
(More detail at the malwarebytes URL above.)

45.63.13.175: https://www.virustotal.com/en/ip-address/45.63.13.175/information/
>> https://www.virustotal.com/en/url/8...14de8f26ce17ace7e2aa0629b12f71e2475/analysis/

104.131.212.117: https://www.virustotal.com/en/ip-address/104.131.212.117/information/
___

LATENTBOT...
- https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
Dec 11, 2015 - "... recently uncovered LATENTBOT, a new, highly-obfuscated BOT that has been in-the-wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless. Through our Dynamic Threat Intelligence (DTI), we have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland – primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped – which we named LATENTBOT – caught our attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations..."
(More detail at the fireeye URL above.)
___

LLoyd’s Bank - Phish...
- https://blog.malwarebytes.org/fraud-scam/2015/12/avoid-this-lloyds-bank-phish-attempt/
Dec 11, 2015 - "... steer clear of the following phishing email, which plays on the “We noticed you’re logged in from different locations, and now you have to do something about it” trick to entice potential victims into logging in on a site they should avoid:
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/lloydphish1.jpg
... Clicking-the-link will take them to
mok-tr(dot)com/why/new/index(dot)html phishing page:
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/lloydphish2.jpg
Despite showing a copy of a LLoyd’s login page and displaying numerous clickable links, -none- of them work save for the part asking for credentials – what you’re looking at is essentially one large .png file with a login box jammed in the middle. The page asks for User ID, Password and Memorable Word before -redirecting- them to the real Lloyd’s website... they don’t go down the route of so many other similar phishes and ask for bank details or other personal information... One other potentially related thing to note: a common piece of advice to ensure you’re on the correct banking website is to look for the green padlock*, which will let you know if the connection to the site is encrypted (and often give additional information about site ownership). In this case, the Lloyd’s Banking Group website – lloydsbankinggroup(dot)com – has -no- HTTPs, because there’s nowhere on the site where you’d need to do any logging in / sending of personal information. It’s there to give general information about the financial services group, their brands and other relevant information...
* https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure
... the LLoyd’s Bank website (where you’d actually login and do bank related activities) located at lloydsbank(dot)com -does- ...
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/lloydcert2.jpg
... please ensure that you navigate to your banking portal of choice directly and -always- treat a supposed bank login page missing a HTTPs padlock with suspicion..."
___

Basic ASLR - not in 3 A-V's...
- http://it.slashdot.org/story/15/12/10/1853225/avg-mcafee-kaspersky-antiviruses-all-had-a-common-bug
Dec 10, 2015 - "Basic ASLR was -not- implemented in 3 major antivirus makers, allowing attackers to use the antivirus itself towards attacking Windows PCs. The bug, in layman terms, is: the antivirus would select the same memory address space every time it would run. If attackers found out the memory space's address, they could tell their malicious code to execute in the same space, at the same time, and have it execute with root privileges, which most antivirus have on Windows PCs. It's a basic requirement these days for software programmers to -use- ASLR (Address Space Layout Randomization) to -prevent- their code from executing in predictable locations. Affected products: AVG, McAfee, Kaspersky. All "quietly" issued fixes."
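An added check, not part of the Slashdot story or of any vendor's code, that reads the flag the story is about: whether a Windows PE image asks the loader for a randomised base (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE), and whether relocations are still present so the loader can actually honour it. The PE header it is tested against is constructed inline; point it at real files on the command line.

```python
"""Report the ASLR opt-in state of a PE image from its headers.

Added example. It reads DllCharacteristics from the optional header (the
field the Windows loader consults) and IMAGE_FILE_RELOCS_STRIPPED from the
file header: an image that requests a dynamic base but carries no
relocations cannot be moved and still loads at a fixed address.
The header built by build_sample_pe() is a constructed stub, not a real binary.
"""
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_flags(data: bytes) -> tuple:
    """Return (file_characteristics, dll_characteristics, is_64bit) for a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    file_header = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    characteristics = struct.unpack_from("<H", data, file_header + 18)[0]
    opt = file_header + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    return characteristics, dll_characteristics, magic == PE32PLUS_MAGIC


def aslr_report(data: bytes) -> dict:
    """Summarise the mitigation flags; 'aslr_effective' is the one that matters."""
    chars, dll_chars, is64 = parse_pe_flags(data)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "is_64bit": is64,
        "dynamic_base": dynamic_base,
        # HIGH_ENTROPY_VA only means something for 64-bit images.
        "high_entropy_va": is64 and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_sample_pe(dll_characteristics: int, relocs_stripped: bool = False,
                    pe32plus: bool = True) -> bytes:
    """Construct a minimal PE header (headers only, no code) for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # exactly 64 bytes
    opt_size = 240 if pe32plus else 224
    file_chars = 0x0002 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    file_header = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                              0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            report = aslr_report(fh.read())
        print(path, "ASLR effective" if report["aslr_effective"] else "NO ASLR", report)
```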
___

Spy Banker Trojan Telax abusing Google Cloud Servers
- http://research.zscaler.com/2015/12/new-spy-banker-trojan-telax-abusing.html
Dec 10, 2015 - "... malware authors are leveraging Google Cloud Servers to host the initial Spy Banker Downloader Trojan, which is responsible for downloading and installing Spy Banker Trojan Telax. The attackers are using social engineering tactics, such as offering coupon vouchers and free software applications like WhatsApp and Avast antivirus, to lure the end user into downloading and installing the malicious payload. Social networking sites Facebook and Twitter are primarily being used to spread a shortened URL (using bit.ly service) that points to a Google Cloud Server hosting the malicious payload with .COM or .EXE file extensions... The malware authors are actively pushing out new versions of Telax (latest version 4.7) binaries and are abusing Google Cloud Servers to host the payload for infection. There is no vulnerability exploit being used in this campaign and the attackers are solely relying on social engineering to infect the end users..."
(More detail at the URL above.)

:fear::fear: :mad:
 
Fake 'Scan', 'resume', 'Invoice' SPAM, cryptowall, MS PHISH

FYI...

Fake 'Scan' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-scan-from-samsung-mfp.html
14 Dec 2015 - "This -fake- scanned document does not come from Cardiff Galvanizers but is instead a simple -forgery- with a malicious attachment.
From: Gareth Evans [gareth@ cardiffgalvanizers .co.uk]
Date: 14 December 2015 at 10:43
Subject: FW: Scan from a Samsung MFP
Regards
Gareth
-----Original Message-----
Please open the attached document. It was scanned and sent to you using a
Samsung MFP. For more information on Samsung products and solutions, please
visit http ://www .samsungprinter .com.
This message has been scanned for malware...


I have seen just a single sample of this, named Untitled_14102015_154510.doc and with a VirusTotal detection rate of 7/54*. It contains a malicious macro... which according to this Malwr report** downloads a malicious binary from:
test1.darmo .biz/437g8/43s5d6f7g.exe
There will probably be other versions of the document downloading from the same location. The binary has a VirusTotal detection rate of 1/54***. Those two reports plus this Hybrid Analysis[4] indicate network traffic to the following malicious IPs:
199.7.136.84 (Megawire, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)
202.69.40.173 (Gerrys Information Technology (PVT) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)
The payload is likely to be the Dridex banking trojan...
Recommended blocklist:
199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169
"
* https://www.virustotal.com/en/file/...254a2ec5ec89196015f6380a/analysis/1450090998/

** https://malwr.com/analysis/MzIzODE0ZjBjYjhlNGE0Nzk5NzExOGNmMGMwYWQwZWM/

*** https://www.virustotal.com/en/file/...5b7b29033ffb45ace6e2c716/analysis/1450091531/

4] https://www.hybrid-analysis.com/sam...142d9254a2ec5ec89196015f6380a?environmentId=1

- http://myonlinesecurity.co.uk/fw-sc...uk-word-doc-or-excel-xls-spreadsheet-malware/
14 Dec 2015
14 December 2015: Untitled_14102015_154510.doc - Current Virus total detections 7/54*
"MALWR** tells us that it downloads what looks like Dridex banking Trojan from
test1 .darmo .biz/437g8/43s5d6f7g.exe (VirusTotal 1/53***)..."
* https://www.virustotal.com/en/file/...254a2ec5ec89196015f6380a/analysis/1450090998/

** https://malwr.com/analysis/MzIzODE0ZjBjYjhlNGE0Nzk5NzExOGNmMGMwYWQwZWM/

*** https://www.virustotal.com/en/file/...5b7b29033ffb45ace6e2c716/analysis/1450092293/
___

Fake 'resume' SPAM - JS malware cryptowall
- http://myonlinesecurity.co.uk/resume-js-malware/
14 Dec 2014 - "An email coming from random names and random email addresses pretending to be a resume with a zip attachment is another one from the current bot runs... The content of the email says :
Hi, my name is Kent Mckay
Please find my resume in the attachment
Thank you,
Kent Mckay


14 December 2015: Kent Mckay.zip: Extracts to: Kent Mckay.js
Current Virus total detections 0/54* which MALWR** shows us downloads -3- files from
http ://updatemicrosoft2015 .ru/exe/ 1.jpg (virus total 3/54***) and 2.jpg (VirusTotal 2/55[4]) 3.jpg (virustotal 4/55[5]) and posts to http ://updateserviceavast .ru/p/gate.php and http ://bademlik .com/4XQIPH.php?g=lzm39hr73u5jiah. The js downloader -renames- the downloaded jpg files to .exe and auto runs them.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...158c09a968abcb004ef41077/analysis/1450092597/

** https://malwr.com/analysis/ZmQ3NmUxY2QwNzllNDRiZmIyOTE5YmE3N2EwNjI3NDY/
89.252.41.9
213.238.171.181
91.209.96.118


*** https://www.virustotal.com/en/file/...2c555badd94796f4146a342d/analysis/1450083835/

4] https://www.virustotal.com/en/file/...5bac2a44f53b990e1d16ce73/analysis/1450083847/

5] https://www.virustotal.com/en/file/...3afb6f15e00cc99b0a988f82/analysis/1450083824/
___

Fake 'Invoice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/invoi...uk-word-doc-or-excel-xls-spreadsheet-malware/
14 Dec 2015 - "An email with the subject of 'Invoice 14 12 15' pretending to come from THUNDERBOLTS LIMITED <enquiries@ thunderbolts .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email which must be confused because the attachment is an XLS (Excel) spreadsheet simply says:

This message contains 2 pages in PDF format.

14 December 2015: fax00163721.xls - Current Virus total detections 5/54*
MALWR** shows us it downloads http ://exfabrica .org/437g8/43s5d6f7g.exe which is the -same- Dridex banking malware as described in today’s other malspam run*** involving malicious office docs with macros... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...98dd421ed72a5fd3110a5296/analysis/1450093861/

** https://malwr.com/analysis/MDliNWRhN2NkZTRhNDJkODkyMjUwNGEzYTRjNzAxM2Q/
46.165.204.143
199.7.136.84
184.28.188.186


*** http://myonlinesecurity.co.uk/fw-sc...uk-word-doc-or-excel-xls-spreadsheet-malware/

- http://blog.dynamoo.com/2015/12/malware-spam-invoice-14-12-15.html
14 Dec 2015 - "This terse fake financial spam is -not- from the awesomely-named Thunderbolts Limited but is instead a simple forgery with a malicious attachment:
From: THUNDERBOLTS LIMITED [enquiries@ thunderbolts .co.uk]
Date: 14 December 2015 at 11:15
Subject: Invoice 14 12 15
This message contains 2 pages in PDF format.


Curiously, the bad guys have gone as far as to include a -fake- header to make it look like a fax:
X-Mailer: ActiveFax 3.92
Attached is a file fax00163721.xls which is fairly obviously -not- a PDF document. So far I have seen two versions of this with a detection rate of 6/55 [1] [2] and which these Malwr reports [3] [4] indicate download a malicious binary from:
exfabrica .org/437g8/43s5d6f7g.exe
test-cms.reactive .by/437g8/43s5d6f7g.exe
This binary has a detection rate of 0/54*. That VirusTotal report and this Hybrid Analysis** both show traffic to:
199.7.136.84 (Megawire, Canada)
This malware is likely to be Dridex. Given that it is similar to the one found here***, I would recommend blocking network traffic to:
199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169
"
1] https://www.virustotal.com/en/file/...98dd421ed72a5fd3110a5296/analysis/1450099936/

2] https://www.virustotal.com/en/file/...1acb5c8eb7210a27f679751f/analysis/1450099949/

3] https://malwr.com/analysis/MDliNWRhN2NkZTRhNDJkODkyMjUwNGEzYTRjNzAxM2Q/

4] https://malwr.com/analysis/MjgzY2MxMjJlZTA4NDFlNGE4NjBhNjgzYzdhOGRlMDg/

* https://www.virustotal.com/en/file/...86de06052630a53a4f2f4ade/analysis/1450100026/

** https://www.hybrid-analysis.com/sam...34fe986de06052630a53a4f2f4ade?environmentId=1

*** http://blog.dynamoo.com/2015/12/malware-spam-scan-from-samsung-mfp.html
___

Fake 'Invoice 15069447' SPAM - macro malware
- http://myonlinesecurity.co.uk/invoice-15069447-from-cleansing-service-group-macro-malware/
14 Dec 2015 - "An email with the subject of 'Invoice 15069447' from Cleansing Service Group pretending to come from CSG <accounts@ csg .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/csg-1-1024x330.png

14 December 2015: 15069447.doc - Current Virus total detections 8/54*
MALWR is timing out so I am unable to fully determine the payload, but the VirusTotal report indicates that it is the -same- downloader that was spammed out earlier under different names, so it is a high probability that it is the -same- Dridex banking Trojan as described in today’s earlier malspam run**
Note: the Dridex malware -does- get regularly updated on the compromised delivery servers and it is very common to see 8 or 10 slightly different versions throughout the day... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...d74d1d1c4aee71288b341192/analysis/1450097979/

** http://myonlinesecurity.co.uk/fw-sc...uk-word-doc-or-excel-xls-spreadsheet-malware/
___

Fake 'invoice_scan' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-israel-burke-bcp.html
14 Dec 2015 - "This -fake- invoice comes with a malicious attachment:
From: Israel Burke [BurkeIsrael850@ business .telecomitalia .it]
Date: 14 December 2015 at 15:00
Subject: Israel Burke
Dear Customer:
Attached please find an invoice(s) for payment. Please let us know if you have any questions.
We greatly appreciate your business!
Israel Burke
BCP Transportation, Inc.


I have only seen one sample of this, it is possible that the company name and sender names are randomly generated. The attachment in this case was named invoice_scan_76926455.doc and has a detection rate of 3/55*. Despite the name, this is -not- a Word document but is an XML document... containing ActiveMIME data. The Malwr report** for this indicates network traffic to:
109.234.34.224 (McHost.Ru, Russia)
80.96.150.201 (SC-Nextra Telecom SRL, Romania)
That Malwr report shows a dropped binary named qqqew.exe which has a VirusTotal detection rate of 5/55***. I am not certain of the payload, but I suspect that this Word document is dropping -Upatre- leading to the Dyre banking trojan...
Recommended blocklist:
109.234.34.224
80.96.150.201
"
* https://www.virustotal.com/en/file/...061d40902393bd0684768c95/analysis/1450109838/

** https://malwr.com/analysis/MDRiYjI0OTlmNTFlNDhlNTk0MGQ5MTRlZWYyODNjMjQ/
109.234.34.224
80.96.150.201
184.28.188.192


*** https://www.virustotal.com/en/file/...d63f0b010f6dfe313e9f51cf/analysis/1450110752/
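An added triage script, not code from dynamoo.com or myonlinesecurity.co.uk, covering three mismatches the posts above point out: the Thunderbolts message whose body promises "2 pages in PDF format" under an ActiveFax X-Mailer while carrying an .xls, the BCP 'invoice_scan' .doc that is really XML, and the Teslacrypt zips that hold a .js. The messages, addresses and attachment bytes are constructed placeholders with nothing malicious in them.

```python
"""Attachment triage for the malspam runs described above.

Added example (constructed messages, no real malware). Three checks, each
mirroring a mismatch the posts point out:
  * body text or a fax-style X-Mailer promises a PDF/fax, attachment is not one
  * a .doc/.xls file name whose bytes are not an OLE2 container (e.g. XML)
  * a zip attachment holding a script or executable rather than a document
The icon spoof the posts mention lives inside the file, so names are never
trusted here; only the leading bytes are.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls
MAGICS = {
    "pdf": (b"%PDF",),
    "ole2": (OLE2_MAGIC,),
    "zip": (b"PK\x03\x04",),            # OOXML is also zip, but these runs carry .js
    "tiff": (b"II*\x00", b"MM\x00*"),
    "xml": (b"<?xml",),
}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe", ".scr", ".cmd", ".bat")


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for kind, magics in MAGICS.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return "unknown"


def triage(raw: bytes) -> list:
    """Return human-readable findings for one RFC 5322 message (empty = nothing odd)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    claims_pdf = re.search(r"\bPDF\b", text, re.IGNORECASE) is not None
    claims_fax = "fax" in msg.get("X-Mailer", "").lower()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        if claims_pdf and kind != "pdf":
            findings.append(f"{name}: body says PDF but content is {kind}")
        if claims_fax and kind not in ("pdf", "tiff"):
            findings.append(f"{name}: X-Mailer claims fax software but content is {kind}")
        if name.lower().endswith((".doc", ".xls")) and kind != "ole2":
            findings.append(f"{name}: Office extension but content is {kind}")
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(SCRIPT_EXTS):
                        findings.append(f"{name}: archive contains script/executable {member}")
    return findings


def build_sample(body: str, attachments: list, x_mailer: str = "") -> bytes:
    """Construct a test message; sender and recipient are placeholder addresses."""
    msg = EmailMessage()
    msg["From"] = "Accounts <accounts@sender.invalid>"
    msg["To"] = "user@recipient.invalid"
    msg["Subject"] = "Invoice 14 12 15"
    if x_mailer:
        msg["X-Mailer"] = x_mailer
    msg.set_content(body)
    for name, data, ctype in attachments:
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


def build_zip(member: str, payload: bytes) -> bytes:
    """Construct an in-memory zip with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def samples() -> dict:
    """Three constructed messages modelled on the runs above; attachments are inert."""
    xls = OLE2_MAGIC + b"\x00" * 504                       # OLE2 header, no real workbook
    fake_doc = b'<?xml version="1.0"?><pkg:package/>'     # XML behind a .doc name
    return {
        "fax": build_sample("This message contains 2 pages in PDF format.\n",
                            [("fax00163721.xls", xls, "application/vnd.ms-excel")],
                            x_mailer="ActiveFax 3.92"),
        "zip": build_sample("Our finance department has processed your payment.\n",
                            [("SCAN_invoice_06630453.zip",
                              build_zip("invoice_6bOnJR.js", b"// inert placeholder\n"),
                              "application/zip")]),
        "xml": build_sample("Attached please find an invoice(s) for payment.\n",
                            [("invoice_scan_76926455.doc", fake_doc, "application/msword")]),
    }


if __name__ == "__main__":
    for label, raw in samples().items():
        print(label, triage(raw) or ["no findings"])
```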
___

Fake 'Customer Invoice' SPAM - macro malware
- http://myonlinesecurity.co.uk/cargill-customer-invoice-04498752-macro-malware/
14 Dec 2015 - "An email with the subject of 'Cargill Customer Invoice 04498752' [random numbers] coming from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear Customer,
Attached is the invoice for the product(s) and/or service(s) you recently purchased.
We appreciate doing business with you!
Regards,
Cargill Animal Nutrition ...


14 December 2015: invoice_scan_04498752.doc - Current Virus total detections 3/53*
MALWR** shows us it connects to http ://193.111.63.142 /jamaica/kingston.php where it downloads juniorgong.exe (VirusTotal 5/55***). According to Dynamoo[4] (Who had similar docs with different email subjects) this binary seems to be -upatre- which will download and run Dyre/Dyreze banking Trojan. (MALWR[5]) Although MALWR doesn’t actually show any download. I am also seeing the same email mentioned by Dynamoo which pretends to be an invoice from BCP Transportation, Inc and is also coming from random senders with random invoice numbers in the attachment. My copies all had 'Invoice December 2015' as the subject and the bodies looked like:
Dear Customer:
Attached please find an invoice(s) for payment. Please let us know if you have any questions.
We greatly appreciate your business!
Lula Craft
BCP Transportation, Inc.


All of these had the name in the body matching the alleged sender and the attachment delivered the -same- Upatre/Dyreze payload as mentioned above... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...8f944a4a2665c45ebedacbd8/analysis/1450110683/

** https://malwr.com/analysis/ZWNiMmEwZGJhNTBmNGU5Njg0NThkYTc3MzY5NDg0Y2Y/
193.111.63.142
80.96.150.201
13.107.4.50


4] http://blog.dynamoo.com/2015/12/malware-spam-israel-burke-bcp.html

5] https://malwr.com/analysis/MTJjYWIxYzRjMmQ5NGFjNjg1NjUzZWQzOGZkYzE0OTQ/
80.96.150.201
184.28.188.192

___

Fake 'order #83472521' SPAM - JS malware Teslacrypt
- http://myonlinesecurity.co.uk/your-...ay-pittsburgh-pa-15226-js-malware-teslacrypt/
14 Dec 2015 - "An email with the subject of 'Your order #83472521' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs... The content of the email says:
Dear Valued Customer,
This letter was sent to you as a formal notice that you are obligated to repay our company the sum of 2,932$ which was advanced to you from our company on October 16, 2015.
Please, find the invoice enclosed down below.
This amount must be repaid until the date of maturity to payment obligation, December 28, 2015 and you have failed to repay our company the same despite repeated requests for this payment.
Thank you in advance for your prompt attention to this matter. We look forward to your remittance. If you have any questions, please do not hesitate to contact us.
Sincerely,
Emanuel Lyons
11 Money Way
Pittsburgh, PA 15226


14 December 2015: invoice_83472521_scan.zip: Extracts to: invoice_copy_KRe6PE.js
Current Virus total detections 2/54* which downloads Teslacrypt ransomware from
miracleworld1 .com/91.exe (VirusTotal 5/54**). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...88153a3e01571bbcddf97470/analysis/1450106174/

** https://www.virustotal.com/en/file/...3835f17d34017642f39b5f7015f6a926372/analysis/

miracleworld1 .com: 5.178.71.5: https://www.virustotal.com/en/ip-address/5.178.71.5/information/
> https://www.virustotal.com/en/url/5...f11b3ff1342b6f48e4dcb366bc813ef582a/analysis/
83.69.233.102: https://www.virustotal.com/en/ip-address/83.69.233.102/information/
___

Fake 'Last Payment Notice' SPAM - JS malware teslacrypt
- http://myonlinesecurity.co.uk/refer...ment-notice-sandor-inc-js-malware-teslacrypt/
14 Dec 2015 - "An email with the subject of 'Reference Number #63481002, Last Payment Notice' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
Dear Customer,
We regret to inform you that due to your unpaid debt amount of $745.47 to Sandor Inc., from November 31, 2015 we have passed your case to the court.
Your prompt attention is required to resolve this issue.
Attached you can find your invoice and case information to review.


14 December 2015: invoice_63481002_scan.zip: Extracts to: invoice_ss4vYy.js
Current Virus total detections 3/54* which downloads Teslacrypt ransomware from either firstwetakemanhat .com/91.exe or miracleworld1 .com/91.exe (VirusTotal 5/54**) Which is the -same- teslacrypt ransomware as described in this slightly earlier run today***. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...e692d470ad0c554a664a9add/analysis/1450113436/

** https://www.virustotal.com/en/file/...3835f17d34017642f39b5f7015f6a926372/analysis/

*** http://myonlinesecurity.co.uk/your-...ay-pittsburgh-pa-15226-js-malware-teslacrypt/

firstwetakemanhat .com: 84.200.69.60: https://www.virustotal.com/en/ip-address/84.200.69.60/information/
> https://www.virustotal.com/en/url/6...40717581fece3ee0fcd8d1858012d98b5df/analysis/
193.150.0.78: https://www.virustotal.com/en/ip-address/193.150.0.78/information/
> https://www.virustotal.com/en/url/e...9c67d5600e18d0c2c77fe7814fee2846cf6/analysis/
___

Fake 'invoice #92277208' SPAM - JS malware Teslacrypt
- http://myonlinesecurity.co.uk/agri-...golden-shore-suite-350-js-malware-teslacrypt/
14 Dec 2015 - "An email with the subject of 'Agri Basics invoice #92277208 and 92277209' [random numbered] coming from random email addresses and names with a zip attachment is another one from the current bot runs... The content of the email says :
Please find attached invoice #92277208.
Have a nice day
Matthew Daniels
Accounts Receivable
320 Golden Shore, Suite 350
Long Beach, CA 90802


The name of the Accounts receivable matches the alleged sender...
14 December 2015: invoice_92277208_scan.zip: Extracts to: invoice_SCAN_kHps3.js
Current Virus total detections 4/56* which downloads teslacrypt ransomware from either firstwetakemanhat .com/91.exe or miracleworld1 .com/91.exe (VirusTotal 1/56**). This is an -updated- teslacrypt from today’s earlier runs***. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...42223869dd17390f4dde9f93/analysis/1450119089/

** https://www.virustotal.com/en/file/...754d3da4260632fe2fe377b8/analysis/1450124215/
TCP connections
78.47.139.102: https://www.virustotal.com/en/ip-address/78.47.139.102/information/
69.175.2.106: https://www.virustotal.com/en/ip-address/69.175.2.106/information/

*** http://myonlinesecurity.co.uk/refer...ment-notice-sandor-inc-js-malware-teslacrypt/
___

'Outlook account has been disabled' - MS PHISH ...
- http://myonlinesecurity.co.uk/microsoft-outlook-account-has-been-disabled-phishing/
14 Dec 2015 - "We are seeing a lot of phishing attempts against Microsoft office and outlook accounts. This one starts with an email with the subject 'Microsoft outlook account has been disabled' pretending to come from Contact <admin@ 'microsoftexchangee'.com>. One of the major common subjects in this sort of phishing attempt is 'Your password will expire soon' or 'update your email' or something very similar. This one only wants your email / Microsoft account login details... The original email simply says:

Your Microsoft outlook account has been disabled
Please reactive it : Click here


The link behind the click here starts with a Google short URL link https ://goo .gl/hFbJ9K which sends you invisibly to http ://clameurs.dijon .fr/wp-content/plugins/wp-calameo/net.html which then automatically sends you without anybody realising you even went via a -hidden- link to http ://www.microsoft-outlook .link/network/login_/ which can very easily be mistaken for a genuine Microsoft site. The domain the emails come from also can be easily mistaken for a genuine Microsoft domain... you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/fake-microsoft365-log-in-1024x542.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it is a straight forward attempt, like this one, to -steal- your personal, bank, credit card or email and social networking login details..."

:fear::fear: :mad:
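The three Teslacrypt runs above all turn on the same trick: a .js (or .exe) inside a zip that looks like a document once Windows hides known extensions. Below is an added example of the triage a mail gateway or analyst can run on such an archive; it is not code from the quoted blogs or from the poster. The archive is constructed in memory to mirror invoice_63481002_scan.zip extracting to invoice_ss4vYy.js (member names and contents are made up), and each member is classified by the extension Windows will actually act on and by its leading bytes rather than by what Explorer shows. The double-extension and right-to-left-override checks generalise beyond what the posts describe.

```python
"""Attachment triage for the zip-wrapped script downloaders described above.

Added example: not code from the quoted blogs or the poster.  It builds a
constructed archive modelled on invoice_63481002_scan.zip -> invoice_ss4vYy.js
(the member names and contents here are made up) and classifies each member by
the extension Windows will actually act on and by its leading bytes, rather
than by the icon or the name a user sees with known extensions hidden.
"""
import io
import zipfile

# Extensions Windows runs on double-click (assumed, not exhaustive).
EXECUTABLE_EXT = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "exe", "scr",
                  "pif", "com", "bat", "cmd", "hta", "ps1", "jar"}
# What a double extension is trying to look like.
DOC_EXT = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "rtf"}
# Lure vocabulary seen across the runs quoted on this page.
DOCUMENT_WORDS = ("invoice", "scan", "receipt", "payment", "order", "statement")
RTLO = "\u202e"  # right-to-left override: makes "fdp.exe" render as "exe.pdf"


def true_extension(name):
    """Extension Windows dispatches on: after the last dot, ignoring trailing spaces/dots."""
    base = name.rsplit("/", 1)[-1].rstrip(" .")
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def classify(name, head):
    """Verdict for one archive member from its name and its first bytes."""
    reasons = []
    ext = true_extension(name)
    if ext in EXECUTABLE_EXT:
        reasons.append("executable:." + ext)
        shown = name.rsplit(".", 1)[0]  # what Explorer shows with extensions hidden
        if shown.rsplit(".", 1)[-1].strip().lower() in DOC_EXT:
            reasons.append("double-extension")
        if any(w in name.lower() for w in DOCUMENT_WORDS):
            reasons.append("document-themed-name")
    if head.startswith(b"MZ") and ext not in EXECUTABLE_EXT:
        reasons.append("pe-content-under-%s-name" % (ext or "no-ext"))
    if RTLO in name:
        reasons.append("rtlo-in-name")
    return ("block" if reasons else "allow"), reasons


def triage_zip(data):
    """Map each file in the archive (bytes) to (verdict, reasons)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            out[info.filename] = classify(info.filename, head)
    return out


def build_sample():
    """Constructed archive: a JS downloader, a double-extension JS, a PE hiding as .doc, a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_ss4vYy.js", "var sh = new ActiveXObject('WScript.Shell');")
        zf.writestr("invoice_scan.doc.js", "/* downloader stub */")
        zf.writestr("statement.doc", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", "plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, (verdict, why) in triage_zip(build_sample()).items():
        print("%-22s %-5s %s" % (name, verdict, ", ".join(why)))
```

The name check deliberately strips trailing spaces and dots before taking the extension, because Windows ignores that padding when choosing a handler; the content check catches the reverse case, a PE renamed to .doc, which no extension setting would reveal.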
 
Fake 'Unpaid Invoice', 'Order', 'Voucher' SPAM, vds24 .net on OVH

FYI...

Fake 'Unpaid Invoice' SPAM - leads to Teslacrypt
- http://blog.dynamoo.com/2015/12/malware-spam-reference-number-89044096.html
15 Dec 2015 - "This -fake- financial spam comes with a malicious attachment.
From: Carol Mcgowan
Date: 15 December 2015 at 09:09
Subject: Reference Number #89044096, Notice of Unpaid Invoice
Dear Valued Customer,
It seems that your account has a past due balance of $263,49. Previous attempts to collect the outstanding amount have failed.
Please remit $263,49 from invoice #89044096 within three days or your account will be closed, any outstanding orders will be cancelled and this matter will be referred to a collection agency.
The payment notice is enclosed to the letter down below.


Attached is a file invoice_89044096_scan.doc which has a VirusTotal detection rate of 2/54*, and which contains this malicious macro... which attempts to download a binary from the following location:
thewelltakeberlin .com/92.exe
This domain was registered only today, and at the moment is not resolving properly. The payload here is likely to be Teslacrypt... Nameservers are dns1.saymylandgoodbye .in and dns2.saymylandgoodbye .in hosted on 5.178.71.5 (Serverius, Netherlands) and 83.69.233.102 (Awax Telecom, Russia)...
Recommended minimum blocklist:
thewelltakeberlin .com
83.69.233.102
5.178.71.5

UPDATE: There is a good analysis of this malware at TechHelpList** including the C2 domains involved."
* https://www.virustotal.com/en/file/...45b7f6a287adf05fd75981ea/analysis/1450174494/

** https://techhelplist.com/spam-list/1007-reference-number-notice-of-unpaid-invoice-malware
___

Fake 'Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-order-ps007xx20000584.html
15 Dec 2015 - "This rather brief spam does -not- come from Petty Wood but is instead a simple -forgery- with a malicious attachment:
From: Nicola Hogg [NHogg@ pettywood .co.uk]
Date: 15 December 2015 at 10:14
Subject: Order PS007XX20000584


There is -no- body text, but instead there is an attachment PS007XX20000584 - Confirmation with Photos.DOC which has a VirusTotal detection rate of 5/55* and it contains a malicious macro... which (according to this Malwr report**) downloads a binary from:
kutschfahrten-friesenexpress .de/8iy45323f/i87645y3t23.exe
There are probably other versions of the document with different download locations. This malicious executable has a detection rate of 2/54*** and between them these three reports [1] [2] [3] indicate malicious traffic to:
199.7.136.84 (Megawire Inc, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)
The payload here is likely to be the Dridex banking trojan...
Recommended blocklist:
199.7.136.84
221.132.35.56
"
* https://www.virustotal.com/en/file/...046c049d3f90b0884d626e77/analysis/1450176653/

** https://malwr.com/analysis/OWUxMzViM2ExZGE0NDhhYmExODVkYmFkZGUwOWZjMTc/

*** https://www.virustotal.com/en/file/...f86f191489b730b8eb22e217/analysis/1450176769/

1] https://www.virustotal.com/en/file/...f86f191489b730b8eb22e217/analysis/1450176769/

2] https://malwr.com/analysis/ZmNkNjEzNTM0ZDQ1NDU2NTg0ZjA2ZDI2MjZjYzc3MTI/

3] https://www.hybrid-analysis.com/sam...fea9cf86f191489b730b8eb22e217?environmentId=1
___

Fake 'Voucher' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-invoice-for-voucher-ach-2.html
15 Dec 2015 - "This -fake- financial spam does not come from Affordable Car Hire but is instead a simple -forgery- with a malicious attachment.
From: Reservations [res@ affordablecarhire .com]
Date: 15 December 2015 at 11:50
Subject: Invoice for Voucher ACH-2-197701-35
Affordable Car Hire
Payment Link For BookingACH-2-197701-35
Please find attached your invoice for reservation number ACH-2-197701-35 ...


I have only seen a single sample, with an attachment ACH-2-197701-35-invoice.xls which has a VirusTotal detection rate of 3/54*. According to this Malwr report, it downloads a malicious binary from:
usahamanfaat .com/8iy45323f/i87645y3t23.exe
The payload here is the Dridex banking trojan, and it is identical to the one found in this spam run**."
* https://www.virustotal.com/en/file/...76f45f7599c9ab8b9f533af7/analysis/1450182473/

** http://blog.dynamoo.com/2015/12/malware-spam-order-ps007xx20000584.html
___

Fake 'Invoice Attached' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-invoice-attached.html
15 Dec 2015 - "This -fake- financial spam has a malicious attachment:
From: Ernestine Harvey
Date: 15 December 2015 at 11:34
Subject: Invoice Attached
Good morning,
Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.
Thank you!
Mr. Ernestine Harvey
Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp.


The sender name varies randomly, except in the email they are all signed "Mr." even if they have female names... The attachments are named in the format invoice_12345678_scan.doc - the filenames are randomly-generated and indeed every attachment seems to be unique. Typical VirusTotal detection rates are around 3/54*... attempted downloads from:
modern7technologiesx0 .tk/x1656/dfiubgh5.exe
forbiddentextmate58 .tk/x1656/ctruiovy.exe
temporary777winner777 .tk/x1656/fdgbh44b.exe
former12futuristik888 .tk/x1656/fdgjbhis75.exe
Note that these are all .TK domains.. and they are all hosted on exactly the same server of 31.184.234.5 (GTO Ltd, Montenegro). A look at VirusTotal's report for that IP* gives another malicious domain of:
servicexmonitoring899 .tk
I would suggest that the entire 31.184.234.0/24 range looks pretty questionable.
Anyway, the downloaded binary has a VirusTotal detection rate of 4/55** and the comments indicate that rather surprisingly this is the Nymaim ransomware [5]. The Hybrid Analysis*** indicates network traffic to xnkhfbc .in on 200.195.138.156 (Szabo & Buhnemann, Brazil). But in fact that domain seems to move around a lot and has recently been seen on the following IPs:
41.224.12.178 (Orange Tunisie Internet, Tunisia)
51.255.59.248 (OVH, France)
78.107.46.8 (Corbina Telecom, Russia)
95.173.163.211 (Netinternet, Turkey)
118.102.239.53 (Dishnet, India)
140.116.161.33 (TANET, Taiwan)
185.114.22.214 (Osbil Technology Ltd., Turkey)
192.200.220.42 (Global Frag Networks, US)
200.195.138.156 (Szabo & Buhnemann Ltda, Brazil)
210.150.126.225 (HOSTING-NET, Japan)
There are a bunch of bad domains associated with this malware but the only other one that seems to be active is oxrdmfdis.in.
Recommended blocklist:
31.184.234.5
41.224.12.178
51.255.59.248
78.107.46.8
95.173.163.211
118.102.239.53
140.116.161.33
185.114.22.214
192.200.220.42
200.195.138.156
210.150.126.225
xnkhfbc.in
oxrdmfdis.in

UPDATE: A source tells me (thank you) that servicexmonitoring899 .tk is now resolving to 78.129.252.19 (iomart, UK) that has also recently hosted these following domains:
google-apsm .in
specre .com
ganduxerdesign .com
www .ganduxerdesign .com
upmisterfliremsnk .net
tornishineynarkkek .org
tornishineynarkkek2 .org
Some of these domains are associated with Rovnix[4]."

* https://www.virustotal.com/en/ip-address/31.184.234.5/information/

** https://www.virustotal.com/en/file/...f570cc74e991d2d591d5e08f/analysis/1450185850/

*** https://www.hybrid-analysis.com/sam...9f739f570cc74e991d2d591d5e08f?environmentId=1

4] https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/

5] http://www.welivesecurity.com/2013/10/23/nymaim-browsing-for-trouble/
___

Tainted network: vds24 .net on OVH
- http://blog.dynamoo.com/2015/12/tainted-network-dmitry-shestakov.html
15 Dec 2015 - "vds24 .net (apparently belonging to "Dmitry Shestakov ") is a Russian reseller of OVH servers that has come up on my radar a few times in the past few days [1] [2] [3] in connection with domains supporting Teslacrypt malware and acting as landing pages for the Angler exploit kit. Curious as to what was hosted on vds24 .net, I set about trying to find out their IP address ranges. This proved to be somewhat difficult as they are spread in little chunks throughout OVH's IP space. I managed to identify:
5.135.58.216/29
5.135.254.224/29
51.254.10.128/29
51.254.162.80/30
51.255.131.64/30
149.202.234.116/30
149.202.234.144/30
149.202.234.188/30
149.202.237.68/30
176.31.24.28/30
178.32.95.152/29
178.33.200.128/26
Then using a reverse DNS function, I looked up all the domains associated with those ranges (there were a LOT) and then looked to see which were active plus their SURBL and Google ratings... There may well be legitimate domains in this range, but out of 1658 domains identified, 1287 (77.6%) are flagged by SURBL as being spammy. Only 11 (0.7%) are identified as malicious, but in reality I believe this to be much higher. In particular, the following IP ranges seem to be clearly bad from those ratings:
51.254.10.131
51.254.162.81
51.255.131.66
51.255.142.101
149.202.234.190
149.202.237.68
178.33.200.138

I can see -61- active IPs in the vds24 .net range, so perhaps it is only a small proportion. However, depending on your network stance, you may want to consider blocking -all- the IP ranges specified above just to be on the safe side."
1] http://blog.dynamoo.com/2015/12/malware-spam-your-order-12345678-11.html

2] http://blog.dynamoo.com/2015/12/malware-spam-invoice-66626337ba2deb0f.html

3] https://twitter.com/ConradLongmore/status/675310855559503872
___

Fake 'Remittance Advice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-rockspring-remittance.html
15 Dec 2015 - "This -fake- financial spam comes with a malicious attachment:
From: Kristina Salinas
Date: 15 December 2015 at 14:59
Subject: Rockspring Remittance Advice - WIRE
Dear Customer,
Please find attached your Remittance Details for the funds that will be deposited to your bank account on December 15th.
Rockspring Capital is now sending through the bank the addenda information including your remit information.
If you are not seeing your addenda information in your bank reporting you may have to contact your local bank representative.
Accounts Payable


Attached is a malicious document with a -random- name. I have only seen one sample so far with a VirusTotal detection rate of 3/55*. The Malwr report** indicates the -same- behaviour as this earlier spam run*** which is dropping Nymaim ransomware."
* https://www.virustotal.com/en/file/...bc70f5725b27f773770a607a/analysis/1450192082/

** https://malwr.com/analysis/MDQ1MWQzNjcwODU4NDVmMjgxZDY4Y2Y0ZTU5N2NhZjI/
31.184.234.5

*** http://blog.dynamoo.com/2015/12/malware-spam-invoice-attached.html

:fear::fear: :mad:
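The vds24 .net post ends with "consider blocking -all- the IP ranges specified above". Before doing that, a practitioner would want to know how many addresses that actually covers, whether the ranges aggregate, and whether each of the seven IPs the post singles out really falls inside the enumerated ranges. The following is an added example that does exactly that with the standard library; it is not code from the quoted post or from the poster. The CIDRs and IPs are copied from the text; nothing here resolves DNS or queries SURBL or Google.

```python
"""Sanity-checking the vds24 .net ranges before blocking them.

Added example, not from the quoted post or the poster.  The CIDRs and the
seven "clearly bad" IPs are copied from the quoted text; everything else
(totals, membership, the aggregated list) is computed locally with the standard
ipaddress module, with no DNS, SURBL or Google lookups.
"""
import ipaddress

VDS24_RANGES = [ipaddress.ip_network(c) for c in (
    "5.135.58.216/29", "5.135.254.224/29", "51.254.10.128/29", "51.254.162.80/30",
    "51.255.131.64/30", "149.202.234.116/30", "149.202.234.144/30",
    "149.202.234.188/30", "149.202.237.68/30", "176.31.24.28/30",
    "178.32.95.152/29", "178.33.200.128/26",
)]

# The IPs the post singles out from its ratings.
FLAGGED = ["51.254.10.131", "51.254.162.81", "51.255.131.66", "51.255.142.101",
           "149.202.234.190", "149.202.237.68", "178.33.200.138"]


def covering_range(ip, ranges=VDS24_RANGES):
    """The enumerated network that contains ip, or None if it lies outside all of them."""
    addr = ipaddress.ip_address(ip)
    for net in ranges:
        if addr in net:
            return net
    return None


def total_addresses(ranges=VDS24_RANGES):
    """How many addresses a blanket block of these ranges would cover."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(ranges))


def partition(ips, ranges=VDS24_RANGES):
    """Split candidate IPs into {ip: covering CIDR} and a list of IPs outside every range."""
    inside, outside = {}, []
    for ip in ips:
        net = covering_range(ip, ranges)
        if net is None:
            outside.append(ip)
        else:
            inside[ip] = str(net)
    return inside, outside


def blocklist(ranges=VDS24_RANGES, extra_ips=()):
    """Ranges plus single IPs, aggregated into the smallest equivalent CIDR set for a firewall."""
    nets = list(ranges) + [ipaddress.ip_network(ip + "/32") for ip in extra_ips]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print("addresses covered by the enumerated ranges:", total_addresses())
    inside, outside = partition(FLAGGED)
    for ip, net in inside.items():
        print("%-16s in %s" % (ip, net))
    print("outside every enumerated range:", outside)
    print("firewall list:", blocklist(extra_ips=outside))
```

Running it shows the twelve ranges cover 124 addresses (the post counts 61 active IPs among them), that six of the seven flagged IPs sit inside the ranges, and that 51.255.142.101 does not, so it needs a /32 of its own if you want it blocked. The 51.255.59.248 OVH address from the Nymaim list earlier in this post is likewise outside every enumerated range.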
 
Fake 'e-Invoice', 'Your Order', 'Unpaid Invoice' SPAM, 'You have been hacked' – Phish

FYI...

Fake 'e-Invoice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/your-...an-word-doc-or-excel-xls-spreadsheet-malware/
16 Dec 2015 - "An email with the subject of 'Your e-Invoice(s) from Barrett Steel Services Ltd' pretending to come from samantha.morgan@ barrettsteel .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear Customer,
Please find attached your latest Invoice(s).
Kind Regards,
Samantha Morgan,
Barrett Steel Services Ltd,
Phone: 01274654248
Email: samantha.morgan@ barrettsteel .com
PS
Have you considered paying by BACS ? Our details can be found on the attached invoice.
Please reply to this email if you have any queries.
You can use the link below to perform an Experian credit check...


16 December 2015: e-Invoice Barrett Steel Services Ltd.doc - Current Virus total detections 4/54*
MALWR** shows us this downloads what looks like Dridex banking Trojan from http ://wattplus .net/98g654d/4567gh98.exe (VirusTotal 4/53***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...783179c1158b6fe20af15ed2/analysis/1450263394/

** https://malwr.com/analysis/MzMxYjE0NGIyZDAyNGNjODkzOTBiYTljOWI0ODk3Mjg/
181.224.138.100
199.7.136.84


*** https://www.virustotal.com/en/file/...88a8ba124201820a617d7d25/analysis/1450263681/

- http://blog.dynamoo.com/2015/12/malware-spam-your-e-invoices-from.html
16 Dec 2015 - "This -fake- financial spam does not come from Barrett Steel Services Ltd but is instead a simple -forgery- with a malicious attachment:
From: samantha.morgan@ barrettsteel .com
Date: 16 December 2015 at 09:44
Subject: Your e-Invoice(s) from Barrett Steel Services Ltd
Dear Customer,
Please find attached your latest Invoice(s).
Kind Regards,
Samantha Morgan,
Barrett Steel Services Ltd,
Phone: 01274654248
Email: samantha.morgan@ barrettsteel .com
PS
Have you considered paying by BACS ? Our details can be found on the attached invoice.
Please reply to this email if you have any queries...


Attached is a file e-Invoice Barrett Steel Services Ltd.doc which I have seen just a single variant of, with a VirusTotal detection rate of 4/54* which according to this Malwr analysis** downloads a malicious binary from the following location:
wattplus .net/98g654d/4567gh98.exe
This downloaded binary has a detection rate of 4/53*** and according to this Malwr report[4] it attempts to contact:
199.7.136.84 (Megawire, Canada)
I strongly recommend that you -block- traffic to that IP. Other analysis is pending. The payload is almost definitely the Dridex banking trojan."
* https://www.virustotal.com/en/file/...783179c1158b6fe20af15ed2/analysis/1450263394/

** https://malwr.com/analysis/MjQ2NmE3NzZmNjJhNDBiOWFmZTdkYmZjMGI3MzhlMTc/
199.7.136.84

*** https://www.virustotal.com/en/file/...88a8ba124201820a617d7d25/analysis/1450263681/

4] https://malwr.com/analysis/MjQ2NmE3NzZmNjJhNDBiOWFmZTdkYmZjMGI3MzhlMTc/
199.7.136.84
___

Fake 'Your Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-documentation-your-order.html
16 Dec 2015 - "This -fake- financial spam is not from John S. Shackleton (Sheffield) Ltd but is instead a simple -forgery- with a malicious attachment. It is the second spam in a day pretending to be from a steel company.
From Jonathan Carroll [Jonathan@ john-s-shackleton .co.uk]
Date Wed, 16 Dec 2015 11:11:09 -0000
Subject Documentation: Your Order Ref: SGM249/013
Your Order: SGM249/013
Our Order: 345522
Advice Note: 355187
Despatch Date: 22/12/15
Attachments:
s547369.DOC Shackleton Invoice Number 355187
John S. Shackleton (Sheffield) Ltd
4 Downgate Drive
Sheffield
S4 8BU
Tel: 0114 244 4767
Fax: 0114 242 5965 ...


I have only seen a single sample of this spam, with an attachment s547369.DOC which has a VirusTotal detection rate of 4/55*. According to this Malwr Report** it downloads a malicious binary from:
bbbfilms .com/98g654d/4567gh98.exe
This binary has a detection rate of 4/53*** and is the -same- payload as found in this spam run[4], leading to the Dridex banking trojan."
* https://www.virustotal.com/en/file/...0551c48a3d52ffc4b161b85d/analysis/1450264586/

** https://malwr.com/analysis/ZTIyYWM4Y2ZlOTUwNDE4MjlhZjFiNzYxZThmOTI5NjE/
199.91.68.54
199.7.136.84


*** https://www.virustotal.com/en/file/...88a8ba124201820a617d7d25/analysis/1450264859/

4] http://blog.dynamoo.com/2015/12/malware-spam-your-e-invoices-from.html

- http://myonlinesecurity.co.uk/docum...hackleton-sheffield-ltd-office-macro-malware/
16 Dec 2015 - "An email with the subject of 'Documentation: Your Order Ref: SGM249/013' pretending to come from Jonathan Carroll <Jonathan@'john-s-shackleton'.co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Your Order: SGM249/013 Our Order: 345522 Advice Note: 355187 Despatch Date: 22/12/15 Attachments: s547369.DOC Shackleton Invoice Number 355187
John S. Shackleton (Sheffield) Ltd
4 Downgate Drive
Sheffield
S4 8BU
Tel: 0114 244 4767
Fax: 0114 242 5965 ...


16 December 2015: s547369.DOC - Current Virus total detections 4/56*
MALWR shows us this downloads what looks like Dridex banking Trojan from http ://bbbfilms .com/98g654d/4567gh98.exe which is the -same- malware as described in this slightly earlier malspam run** of malicious Office docs..."
* https://www.virustotal.com/en/file/...0551c48a3d52ffc4b161b85d/analysis/1450261722/

** http://myonlinesecurity.co.uk/your-...an-word-doc-or-excel-xls-spreadsheet-malware/
___

Fake 'Invoice No. 4515581' SPAM - macro malware
- http://myonlinesecurity.co.uk/invoi...ries-of-bristol-limited-office-macro-malware/
16 Dec 2015 - "An email with the subject of 'Invoice No. 4515581' [random numbers] pretending to come from Sharon Samuels <sharons775@ brunel-promotions .co.uk> (the numbers after 'sharons' are random, so almost everybody gets a -different- sharons sender number @ brunel-promotions .co.uk) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Good morning
Please find attached your latest invoice, for your attention.
Please be advised that your goods have been despatched for delivery.
Regards
Sharon
Calendars and Diaries of Bristol Limited...


16 December 2015: IN4515581.xls - Current Virus total detections 4/55*
MALWR** shows us that it downloads Dridex banking Trojan from http ://printempsroumain .org/98g654d/4567gh98.exe which appears to be a slightly different version from today’s earlier Malspam run. Dridex does update frequently throughout the day and changes file # regularly to try to avoid antivirus detections..."
* https://www.virustotal.com/en/file/...b5958dd091eeaddf3adf1635/analysis/1450270016/

** https://malwr.com/analysis/OTE2MzhhM2YxNzVkNGU4ZmJhMmI3Zjg1OTE0YjdiOTI/
194.24.228.5
199.7.136.84

___

Fake 'Unpaid Invoice' SPAM - leads to Teslacrypt
- http://blog.dynamoo.com/2015/12/malware-spam-unpaid-invoice-from.html
16 Dec 2015 - "This -fake- financial spam is -not- from Staples or Realty Solutions but is instead a simple -forgery- with a malicious attachment.
From: Virgilio Bradley
Date: 16 December 2015 at 14:37
Subject: Unpaid Invoice from Staples Inc., Ref. 09846839, Urgent Notice
Dear Valued Customer,
This letter is a formal notice to you taking in consideration the fact that you are obligated to repay our company the sum of $767,90 which was advanced to you from our company on November 21st, 2015.
You now have two options: forward your payment to our office by January 17, 2016 or become a party in a legal action. Please be advised that a judgment against you will also damage your credit record.
Please acknowledge the receipt of the invoice attached and the e-mail, no later than December 31, 2015.
Regards,
Virgilio Bradley
Customer Service Department
Realty Solutions
182 Shobe Lane
Denver, CO 80216


The names, amounts and reference numbers -change- from email to email. The attachment has the same name of the reference (e.g. invoice_09846839_copy.doc) but despite this I have only seen one version with a VirusTotal detection rate of just 1/55*. According to this Malwr report**, the macro in the document downloads a binary from:
iamthewinnerhere .com/97.exe
This appears to be Teslacrypt ransomware and it has a detection rate of 5/53***. Unlike some other malware, the domain iamthewinnerhere .com has been registered specifically to host this malware, and is located on:
185.69.152.145 (Hosting Ukraine Ltd, Ukraine)
84.200.69.60 (Ideal-Hosting UG, Germany) ...
Recommended minimum blocklist:
iamthewinnerhere .com
185.69.152.145
84.200.69.60
"
* https://www.virustotal.com/en/file/...18fc30f5534737993324cfd0/analysis/1450277884/

** https://malwr.com/analysis/OTE2YjVlNTUxMmRmNDJiZWE0MTQ1MzdlYmRjYjg5YmY/
185.69.152.145
78.47.139.102

*** https://www.virustotal.com/en/file/...2d4c8c28b73ddea43245bfb6/analysis/1450278299/
TCP connections
78.47.139.102: https://www.virustotal.com/en/ip-address/78.47.139.102/information/
192.254.189.98: https://www.virustotal.com/en/ip-address/192.254.189.98/information/

- http://myonlinesecurity.co.uk/unpai...cro-malware-delivering-teslacrypt-ransomware/
16 Dec 2015 - "An email with the subject of 'Unpaid Invoice from Staples Inc., Ref. 80053334, Urgent Notice' [random numbers] coming from random senders and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear Valued Customer,
This letter is a formal notice to you taking in consideration the fact that you are obligated to repay our company the sum of $155,74 which was advanced to you from our company on November 21st, 2015.
You now have two options: forward your payment to our office by January 17, 2016 or become a party in a legal action. Please be advised that a judgment against you will also damage your credit record.
Please acknowledge the receipt of the invoice attached and the e-mail, no later than December 31, 2015...


16 December 2015: invoice_80053334_copy.doc - Current Virus total detections 0/53*
MALWR** shows us that this downloads from iamthewinnerhere .com/97.exe (VirusTotal 6/54***) which appears to be Teslacrypt ransomware rather than the usual Dridex we have been seeing with these office macros. Unlike a lot of other currently spreading malware which is being delivered through compromised sites, the domain iamthewinnerhere .com has been registered specifically to host this malware..."
* https://www.virustotal.com/en/file/...18fc30f5534737993324cfd0/analysis/1450281302/

** https://malwr.com/analysis/OTE2YjVlNTUxMmRmNDJiZWE0MTQ1MzdlYmRjYjg5YmY/
185.69.152.145
78.47.139.102

*** https://www.virustotal.com/en/file/...2d4c8c28b73ddea43245bfb6/analysis/1450278299/
TCP connections
78.47.139.102: https://www.virustotal.com/en/ip-address/78.47.139.102/information/
192.254.189.98: https://www.virustotal.com/en/ip-address/192.254.189.98/information/
___

Fake 'account past due' SPAM - office macro / teslacrypt ransomware
- http://myonlinesecurity.co.uk/your-...cro-malware-delivering-teslacrypt-ransomware/
16 Dec 2015 - "An email with the subject of 'Your account has a debt and is past due' coming from random senders and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Dear Customer,
Our records show that your account has a debt of $612.{rand(10,99)}}. Previous attempts of collecting this sum have failed.
Down below you can find an attached file with the information on your case.


16 December 2015: invoice_10166218_copy.doc - Current Virus total detections 2/55*
MALWR** shows us that this downloads from iamthewinnerhere .com/80.exe (VirusTotal 11/54***) which appears to be Teslacrypt ransomware rather than the usual Dridex we have been seeing with these office macros. Unlike a lot of other currently spreading malware which is being delivered through compromised sites, the domain iamthewinnerhere .com has been registered specifically to host this malware... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...dcd02f24bee532145545fccf/analysis/1450282241/

** https://malwr.com/analysis/YWZlZmQ5YTRiYzFkNGQ0NjgxYjYyZGY0MzE1OTQxNTg/
185.69.152.145
78.47.139.102
192.254.189.98
192.185.21.121
162.144.12.170
72.167.1.1
192.254.250.243
78.110.50.123


*** https://www.virustotal.com/en/file/...56bb70b1c6d8d372b9ab5c212ecb9d428cd/analysis/
TCP connections
78.47.139.102: https://www.virustotal.com/en/ip-address/78.47.139.102/information/
192.254.189.98: https://www.virustotal.com/en/ip-address/192.254.189.98/information/
___

'You have been hacked' – Phish...
- http://myonlinesecurity.co.uk/only-apps-com-you-have-been-hacked-phishing-scam/only-apps_email/
16 Dec 2015 - "... this email message which is very weird and appears to be a phishing attempt that spectacularly fails:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/only-apps_email-1024x635.png

... The alleged registrant Michael Huber has also been spotted in at least 1 previous scam and phishing attempt [1] with -fake- details:
1] https://www.phishtank.com/phish_detail.php?phish_id=3440367&frame=details
Address lookup
canonical name only-apps .com
addresses
146.0.74.182: https://www.virustotal.com/en/ip-address/146.0.74.182/information/
89.35.134.132: https://www.virustotal.com/en/ip-address/89.35.134.132/information/
... The sending email address just tracks back to what looks like a scummy email marketing scam site:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/appseeking-1-1024x599.png
appseeking .com: 62.75.194.45: https://www.virustotal.com/en/ip-address/62.75.194.45/information/ "
___

'Your PayPal account has been limited' – Phish
- http://myonlinesecurity.co.uk/your-paypal-account-has-been-limited-phishing/
16 Dec 2015 - "Quite a big PayPal phishing spam run today saying 'Your PayPal account has been limited' pretending to come from PayPal <confirmagain@ ppservice .com>...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/paypal-account-limited-email-1024x757.png

The link in this case goes to http ://hiperkarma .hu/vsase/savdm/ligofren.htm which -redirects- you to http ://www .adventurehaliburton .com/message/newone/websrc.htm?cmd=-submit?IOF4U3OFTN9CT98GJV945MJVG945IIIRTHMJOGGVRTOVJ4G5OC589V459JERGTMOGVJKLDV48934C57654CERI54VGTR which has an old style PayPal log in page looking like this screenshot:
> http://myonlinesecurity.co.uk/wp-co...dventure_haliburton_paypal_phish-1024x662.png
... Which is a typical phishing page that looks very similar to a genuine old style PayPal update page, if you don’t look carefully at the URL in the browser address bar. This one wants your personal details, your Paypal account log in details and your credit card and bank details along with mother’s maiden name and other info to -steal- your identity. Many of them are also designed to specifically -steal- your email, facebook and other social network log in details..."

:fear::fear: :mad:
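Two of the phishes on this page hide the landing page behind a chain: the 'Outlook account has been disabled' one in an earlier post (goo .gl short link, then a page on a compromised WordPress install at clameurs.dijon .fr, then the lookalike microsoft-outlook .link) and the PayPal one above (hiperkarma .hu redirecting to adventurehaliburton .com). Below is an added example of following such a chain offline and judging the landing host; it is not code from myonlinesecurity or from the poster. The hostnames are the ones reported, the HTTP responses in CANNED are constructed stand-ins, the long token on the PayPal URL is left off, and the shortener and brand-domain lists are assumptions. No JavaScript is executed: a redirect is recognised only from a Location header, a <meta refresh>, or a literal location assignment in the body.

```python
"""Following a phishing link's redirect chain offline and judging the landing host.

Added example, not from the quoted posts.  It covers the 'Outlook account has
been disabled' chain in the earlier post (goo.gl -> compromised WordPress site
-> microsoft-outlook .link) and the PayPal chain above (hiperkarma .hu ->
adventurehaliburton .com).  The hosts are the ones reported; the HTTP responses
in CANNED are constructed stand-ins, and the long token on the PayPal URL is
left off.  No JavaScript is executed: redirects are recognised from the
Location header, <meta refresh> and a literal location assignment only.
"""
import re
from urllib.parse import urljoin, urlsplit

# url -> (status, Location header or None, body)   [constructed]
CANNED = {
    "https://goo.gl/hFbJ9K":
        (301, "http://clameurs.dijon.fr/wp-content/plugins/wp-calameo/net.html", ""),
    "http://clameurs.dijon.fr/wp-content/plugins/wp-calameo/net.html":
        (200, None, '<meta http-equiv="refresh" content="0;url=http://www.microsoft-outlook.link/network/login_/">'),
    "http://www.microsoft-outlook.link/network/login_/":
        (200, None, "<form>Sign in to your Microsoft account</form>"),
    "http://hiperkarma.hu/vsase/savdm/ligofren.htm":
        (200, None, '<script>window.location.href="http://www.adventurehaliburton.com/message/newone/websrc.htm?cmd=-submit";</script>'),
    "http://www.adventurehaliburton.com/message/newone/websrc.htm?cmd=-submit":
        (200, None, "<form>PayPal Log In</form>"),
}

META_REFRESH = re.compile(r'http-equiv=["\']refresh["\'][^>]*url=([^"\'> ]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com", "ow.ly"}   # assumed list
# brand -> registrable domains that legitimately host its sign-in pages (assumed list)
BRANDS = {
    "microsoft": {"microsoft.com", "live.com", "outlook.com", "office.com", "microsoftonline.com"},
    "paypal": {"paypal.com"},
}


def fetch(url):
    """Stand-in for an HTTP client: look the URL up in the constructed table."""
    return CANNED.get(url, (404, None, ""))


def next_hop(url, status, location, body):
    """Where this response sends a browser next, or None if it is the landing page."""
    if location and 300 <= status < 400:
        return urljoin(url, location)
    m = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return urljoin(url, m.group(1)) if m else None


def follow(url, max_hops=10):
    """Ordered list of URLs visited, starting with the link in the mail."""
    hops = [url]
    while len(hops) <= max_hops:
        nxt = next_hop(hops[-1], *fetch(hops[-1]))
        if nxt is None or nxt in hops:   # landing page reached, or a loop
            break
        hops.append(nxt)
    return hops


def registrable(host):
    """Crude eTLD+1 (last two labels): right for the .com/.fr/.hu/.link hosts here, wrong for co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def assess(hops, claimed_brand):
    """Triage flags: shortener first hop, long chain, landing host not the brand's, brand name in a lookalike."""
    first = urlsplit(hops[0]).hostname
    last = urlsplit(hops[-1]).hostname
    flags = []
    if first in SHORTENERS:
        flags.append("shortener-first-hop")
    if len(hops) > 2:
        flags.append("multi-hop:%d" % (len(hops) - 1))
    if registrable(last) not in BRANDS[claimed_brand]:
        flags.append("landing-host-not-" + claimed_brand)
        for brand, domains in BRANDS.items():
            if brand in last and registrable(last) not in domains:
                flags.append("lookalike:" + brand)
    return flags


if __name__ == "__main__":
    for start, brand in (("https://goo.gl/hFbJ9K", "microsoft"),
                         ("http://hiperkarma.hu/vsase/savdm/ligofren.htm", "paypal")):
        chain = follow(start)
        print(" -> ".join(chain))
        print("  flags:", assess(chain, brand))
```

The two chains produce different flag sets: the Microsoft one trips the shortener, multi-hop and lookalike checks because the landing host carries the brand name under a registrable domain that is not Microsoft's; the PayPal one trips only the brand/host mismatch, since the page claims PayPal but lives on an unrelated compromised site. In a real tool swap fetch() for an HTTP client with a timeout, a fixed user agent, and no cookie jar, and note that the two-label registrable() heuristic needs a public-suffix list before you trust it on co.uk and friends.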
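Across this post and the previous one the bloggers keep noting that one run's payload is "the -same-" or "identical to" another's: bbbfilms .com, wattplus .net and printempsroumain .org all serve /98g654d/4567gh98.exe, kutschfahrten-friesenexpress .de and usahamanfaat .com both serve /8iy45323f/i87645y3t23.exe, and four .tk hosts serve /x1656/<random>.exe. Grouping download URLs by a path signature is the pivot behind those observations. Below is an added example of that pivot; it is not code from dynamoo, myonlinesecurity or the poster. The URLs are the ones quoted in these posts with the defanging spaces removed, the Dridex/Teslacrypt/Nymaim labels are the bloggers' assessments, and the signature rule (keep the directory, generalise the filename) is this example's own choice.

```python
"""Linking malspam runs by their download paths.

Added example, not code from the quoted blogs.  The URLs below are the payload
locations reported in this and the previous post (the Dridex, Teslacrypt and
Nymaim labels are the bloggers' assessments); grouping them by a path
signature shows which runs share infrastructure and lets a new URL with a
known path be attributed on sight.
"""
from collections import defaultdict
from urllib.parse import urlsplit

OBSERVED = [  # (download URL, payload as reported)
    ("http://firstwetakemanhat.com/91.exe", "Teslacrypt"),
    ("http://miracleworld1.com/91.exe", "Teslacrypt"),
    ("http://thewelltakeberlin.com/92.exe", "Teslacrypt"),
    ("http://iamthewinnerhere.com/97.exe", "Teslacrypt"),
    ("http://iamthewinnerhere.com/80.exe", "Teslacrypt"),
    ("http://kutschfahrten-friesenexpress.de/8iy45323f/i87645y3t23.exe", "Dridex"),
    ("http://usahamanfaat.com/8iy45323f/i87645y3t23.exe", "Dridex"),
    ("http://wattplus.net/98g654d/4567gh98.exe", "Dridex"),
    ("http://bbbfilms.com/98g654d/4567gh98.exe", "Dridex"),
    ("http://printempsroumain.org/98g654d/4567gh98.exe", "Dridex"),
    ("http://modern7technologiesx0.tk/x1656/dfiubgh5.exe", "Nymaim"),
    ("http://forbiddentextmate58.tk/x1656/ctruiovy.exe", "Nymaim"),
    ("http://temporary777winner777.tk/x1656/fdgbh44b.exe", "Nymaim"),
    ("http://former12futuristik888.tk/x1656/fdgjbhis75.exe", "Nymaim"),
]


def path_signature(url):
    """Directory kept verbatim (the campaign-specific part); filename generalised.

    A purely numeric stem (91.exe, 92.exe ...) becomes <n>.<ext>, anything else
    becomes <rand>.<ext>, so runs that differ only in a build number or a
    random filename land in one bucket while the real filenames stay recorded.
    """
    path = urlsplit(url).path
    directory, _, filename = path.rpartition("/")
    stem, _, ext = filename.rpartition(".")
    token = "<n>" if stem.isdigit() else "<rand>"
    return "%s/%s.%s" % (directory, token, ext) if ext else "%s/%s" % (directory, token)


def cluster(observed=OBSERVED):
    """signature -> {'domains': [...], 'filenames': [...], 'families': [...]}, all sorted."""
    buckets = defaultdict(lambda: {"domains": set(), "filenames": set(), "families": set()})
    for url, family in observed:
        b = buckets[path_signature(url)]
        b["domains"].add(urlsplit(url).hostname)
        b["filenames"].add(urlsplit(url).path.rpartition("/")[2])
        b["families"].add(family)
    return {sig: {k: sorted(v) for k, v in b.items()} for sig, b in buckets.items()}


def attribute(url, clusters):
    """Families previously seen behind this URL's path signature ([] if the path is new)."""
    return clusters.get(path_signature(url), {}).get("families", [])


def domains_for(clusters, family):
    """Deduplicated download domains for one payload family: the blocklist for that campaign."""
    return sorted({d for b in clusters.values() if family in b["families"] for d in b["domains"]})


if __name__ == "__main__":
    c = cluster()
    for sig, b in sorted(c.items()):
        print(sig, b)
    print(attribute("http://example.invalid/98g654d/4567gh98.exe", c))
```

With the fourteen URLs above this yields four clusters: the bare-root numbered executables (four purpose-registered Teslacrypt domains, builds 80, 91, 92 and 97), the two Dridex paths on compromised sites, and the /x1656/ path on the four .tk domains. A URL seen tomorrow on a fresh domain under /98g654d/ is attributed to the Dridex run without waiting for a sandbox.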
 
Fake '12/16 A Invoice', 'Fuel Card Invoice', 'Required your attention' SPAM - telsacr

FYI...

Fake '12/16 A Invoice' SPAM - office malware
- http://myonlinesecurity.co.uk/1216-a-invoice-broadband-invoice-office-malware/
17 Dec 2015 - "An email pretending to be a broadband invoice with the subject of '12/16 A Invoice' coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
Hi,
Please find attached a recharge invoice for your broadband.
Many thanks,
Valeria Larson


The name of the alleged sender matches the name in the body of the email. All the attachment invoice numbers are random...
17 December 2015: invoice63548716.doc - Current Virus total detections 0/52*
... contains an embedded object in base64 encoded format which is most likely Upatre, which MALWR** shows us contacts http ://109.234.37.214 /chicken/bacon.php and downloads and automatically runs luxary.exe (VirusTotal 3/54***). The MALWR analysis[4] is somewhat inconclusive but might suggest Dridex or Dyre banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...e787105e721e6a1f1961e4c031d211a9b99/analysis/

** https://malwr.com/analysis/MDg5NmVjNWI4YTljNGU1Yzk4YjdiMzk2NWNiOTJjNDc/
5.9.99.35
109.234.37.214
80.96.150.201
184.25.56.93


*** https://www.virustotal.com/en/file/...1b7bb7bcb84c4a0d9169b57d/analysis/1450340515/

4] https://malwr.com/analysis/MmRjZWYyNjJlYmM1NGM3M2I5ZjM1ZjJiYzEwZmVmZjk/
80.96.150.201
184.25.56.100


- http://blog.dynamoo.com/2015/12/malware-spam-1216-invoice.html
17 Dec 2015 - "This -fake- financial spam leads to malware:
From: Kelley Small
Date: 17 December 2015 at 08:39
Subject: 12/16 A Invoice
Hi,
Please find attached a recharge invoice for your broadband.
Many thanks,
Kelley Small


The sender's name is randomly generated... There is an attachment in the format invoice36649009.doc where the number is randomly generated. This comes in at least -six- different versions but they do not appear to be uniquely generated (VirusTotal results [1] [2]...). Detection rates are close to zero. The Malwr reports for those documents are a mixed bag [3] [4]..., but overall they spot data being POSTed to:
179.60.144.18 /chicken/bacon.php
91.203.5.169 /chicken/bacon.php
Sources tell me there is another download location of:
195.191.25.145 /chicken/bacon.php
Those IPs are likely to be malicious and belong to:
179.60.144.18 (Veraton Projects Ltd, Netherlands)
91.203.5.169 (Denis Pavlovich Semenyuk / TutHost, Ukraine)
195.191.25.145 (Hostpro Ltd, Ukraine)
They also GET from:
savepic .su/6786586.png
A file karp.exe is dropped with an MD5 of 1fbf5be463ce094a6f7ad345612ec1e7 and a detection rate of 3/54[5]. According to this Malwr report[6] this communicates with:
80.96.150.201 (SC-Nextra Telecom SRL, Romania)
It's not clear what the payload is, but probably some sort of banking trojan such as Dridex.
Recommended blocklist:
80.96.150.201
179.60.144.18
91.203.5.169
195.191.25.145

savepic .su "
1] https://www.virustotal.com/en/file/...d801c055e8e196bfa43a2c2b/analysis/1450341961/

2] https://www.virustotal.com/en/file/...fe8dbbcd6712b287e1d25eb4/analysis/1450341971/

3] https://malwr.com/analysis/MmIxMWRlOTI2MzYxNDBmNmI3ZWQ1N2MxYjZhODdmZWM/

4] https://malwr.com/analysis/MDM0ZGE3MTlhM2VjNGVlOGE1ZmVmM2ZhODhkNmM3NmQ/

5] https://www.virustotal.com/en/file/...1b7bb7bcb84c4a0d9169b57d/analysis/1450342614/

6] https://malwr.com/analysis/MTM4M2NlMDFlYTRiNGMzZDk4YTE1MTk0MjY0Y2I3ODQ/
___

Fake 'Fuel Card Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-your-latest-right-fuel.html
17 Dec 2015 - "This -fake- financial email is not from Right Fuel Card Company but is instead a simple forgery with a malicious attachment.
From: Right Fuel Card Company [invoice@ rightfuelcard .co.uk]
Date: 17 December 2015 at 11:11
Subject: Your Latest Right Fuel Card Invoice is Attached
Please find attached your latest invoice.
PLEASE ALSO NOTE OUR NEW OPENING HOURS ARE:
Monday - Thursday 9am - 5pm
Friday 9am - 3pm...
Should you have any queries please do not hesitate to call us on 0845 625 0153 (Calls to this number cost 5 pence per minute plus your telephone company's access charge) or via email to info@rightfuelcard.co.uk.
Regards
Customer Services
The Right Fuelcard Company Limited


Attached is a file A01CardInv1318489.xls - at present I only have a single sample of this. VirusTotal is down at the moment so I cannot tell you the detection rate. The Malwr analysis* shows behaviour consistent with several Dridex runs going on this morning, with a download from:
infosystems-gmbh .de/65dfg77/kmn653.exe
The payload is the Dridex banking trojan, and is identical to the payload here[1], here[2] and here[3]."
* https://malwr.com/analysis/YWUxNzc3YmY2ZGMxNGEzOWFlMWJiOWRmNDI0MjcyN2Q/
217.69.162.183
151.80.142.33


1] http://blog.dynamoo.com/2015/12/malware-spam-email-from-transport-for.html

2] http://blog.dynamoo.com/2015/12/malware-spam-james-wheatley-sent-you.html

3] http://blog.dynamoo.com/2015/12/malware-spam-currys-pc-world.html

- http://myonlinesecurity.co.uk/your-...ed-word-doc-or-excel-xls-spreadsheet-malware/
17 Dec 2015 - "An email with the subject of 'Your Latest Right Fuel Card Invoice is Attached' pretending to come from Right Fuel Card Company <invoice@ rightfuelcard .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...ht-Fuel-Card-Invoice-is-Attached-1024x549.png

17 December 2015: A01CardInv1318489.xls - Current Virus total detections *
MALWR** shows it downloads http ://ghsoftware .de/65dfg77/kmn653.exe which is the -same- Dridex banking malware as today’s earlier malspam run***..."
*

** https://malwr.com/analysis/NjJiMDJlMWU0ZjMyNDJmNGJiMDk1ZjE5OTk4ZjU0ZTk/
82.165.100.180
151.80.142.33


*** http://myonlinesecurity.co.uk/james...pp-word-doc-or-excel-xls-spreadsheet-malware/
___

Fake 'Required your attention' SPAM - JS malware, TeslaCrypt
- http://myonlinesecurity.co.uk/required-your-attention-js-malware-leading-to-teslacrypt/
17 Dec 2015 - "An email with the subject of 'Required your attention' coming from random email addresses and names with a zip attachment is another one from the current bot runs... The content of the email says:
Dear Partner,
As per your request, we have made special prices for you, which leave us only a very small margin.
Kindly find attached the prices with your personal discount, and if you need anything else, dont hesitate to contact us.
Our best wishes, The sales team


17 December 2015: SCAN_PRICES_64904074.zip - Extracts to: invoice_copy_CYcpbM.js
Current Virus total detections 7/53* ... which downloads teslacrypt ransomware from either
whatdidyaysay .com/80.exe -or- iamthewinnerhere .com/80.exe (VirusTotal 1/53**). This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...0b7612b1b11536cc650c3ad9/analysis/1450348471/

** https://www.virustotal.com/en/file/...6fadf1de0290caf975d3bbd3a68b64662b1/analysis/

whatdidyaysay .com: A temporary error occurred during the lookup...

iamthewinnerhere .com: 5.178.71.10: https://www.virustotal.com/en/ip-address/5.178.71.10/information/

- http://blog.dynamoo.com/2015/12/malware-spam-required-your-attention.html
17 Dec 2015 - "This spam email has a malicious attachment:
From: Brittany Quinn
Date: 17 December 2015 at 10:52
Subject: Required your attention
Dear Partner,
As per your request, we have made special prices for you, which leave us only a very small margin.
Kindly find attached the prices with your personal discount, and if you need anything else, don’t hesitate to contact us.
Our best wishes, The sales team


The sender's name varies from email to email, as does the name of the attachment, but it is in a format similar to SCAN_PRICES_01106759.zip. Contained within is a malicious obfuscated Javascript with a detection rate of 6/54* which is a bit clearer when deobfuscated, and it downloads from:
whatdidyaysay .com/97.exe?1
iamthewinnerhere .com/97.exe?1
This has a detection rate of 3/53**. Automated analysis is inconclusive [1] [2] but this is Teslacrypt and is likely to be similar in characteristics to this spam run***."
* https://www.virustotal.com/en/file/...70a96cbb249e8c43e55384e9/analysis/1450353478/
invoice_752WwU.js

** https://www.virustotal.com/en/file/...855728ec2b50586c3ca65d24/analysis/1450353720/
97.exe

*** http://blog.dynamoo.com/2015/12/malware-spam-your-account-has-debt-and.html

1] https://www.hybrid-analysis.com/sam...b3fe3855728ec2b50586c3ca65d24?environmentId=1

2] https://malwr.com/analysis/NzBlYjI5NmIwNDA3NGY5NWE5NzU3OGY4MGM2Yzg1YzQ/
___

Fake 'PHS documents' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-your-new-phs-documents-are.html
17 Dec 2015 - "This convincing-looking -fake- financial email does -not- come from PHS, but is instead a simple forgery with a malicious attachment:
From: PHSOnline [documents@ phsonline .co.uk]
Date: 17 December 2015 at 11:48
Subject: Your new PHS documents are attached
Dear Customer
Due to a temporary issue with delivering your document(s) via your online account, please find the attached in DOC format for your convenience.
We apologize for you being unable to view your accounts and documents online in the usual manner. Please note that, in the interim, we will continue to deliver documents in this manner until the issue is fully resolved.
Regards
PHS Group


Effectively, this is a re-run of this spam from October*. I have only seen a single sample of this. There is a malicious Excel document attached, G-A0287580036267754265.xls with a VirusTotal detection rate of 4/54**. According to the Malwr report*** this attempts to download a binary from:
infosystems-gmbh .de/65dfg77/kmn653.exe
At present, this download location 404s but other versions of the document will probably have different download locations. The payload is the Dridex banking trojan, as seen several times today [1] [2]..."
* http://blog.dynamoo.com/2015/10/malware-spam-your-new-phs-documents-are.html

** https://www.virustotal.com/en/file/...509bea0abda9fc16e5c8866a/analysis/1450354676/

*** https://malwr.com/analysis/ZGZkZmQ4Y2JjNDllNDRiY2FiZDgxM2M0N2IxMTQzNjY/

1] http://blog.dynamoo.com/2015/12/malware-spam-email-from-transport-for.html

2] http://blog.dynamoo.com/2015/12/malware-spam-james-wheatley-sent-you.html

infosystems-gmbh .de: 217.69.162.183: https://www.virustotal.com/en/ip-address/217.69.162.183/information/
> https://www.virustotal.com/en/url/f...0f299fdf60d1bd656df98a7ece90cd96aa5/analysis/

- http://myonlinesecurity.co.uk/your-...ed-word-doc-or-excel-xls-spreadsheet-malware/
17 Dec 2015 - "An email with the subject of 'Your new PHS documents are attached' pretending to come from PHSOnline <documents@ phsonline .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...r-new-PHS-documents-are-attached-1024x561.png

17 December 2015: G-A0287580036267754265.xls - Current Virus total detections 4/54*
MALWR** shows us that it downloads Dridex banking malware from
http ://dirkjraab .de/65dfg77/kmn653.exe (VirusTotal 4/51***), which is the same as these 2 earlier spam runs [1] [2]..."
* https://www.virustotal.com/en/file/...379979de80dd93b119903fc3/analysis/1450353861/

** https://malwr.com/analysis/MmI4MWE2YmNkODYzNGQ0YzljYTFlN2EzNzY5YTkwMjc/
185.21.102.30
151.80.142.33


*** https://www.virustotal.com/en/file/...ea32067f9c6f68d963a52094/analysis/1450351607/
TCP connections
117.239.73.244: https://www.virustotal.com/en/ip-address/117.239.73.244/information/
8.253.82.158: https://www.virustotal.com/en/ip-address/8.253.82.158/information/

1] http://myonlinesecurity.co.uk/your-...ed-word-doc-or-excel-xls-spreadsheet-malware/

2] http://myonlinesecurity.co.uk/james...pp-word-doc-or-excel-xls-spreadsheet-malware/

:fear::fear: :mad:
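A triage script, added here as a worked example and not code from either of the quoted blogs: it takes the indicators the posts above list (the recommended blocklist IPs, the download hosts, the repeated /chicken/bacon.php and /65dfg77/kmn653.exe paths, the 80.exe / 97.exe TeslaCrypt downloaders) and runs them over a few constructed proxy-log lines, then applies the attachment-name checks the posts imply (zip-wrapped .js, double extensions, invoice-style lure names). The log layout, the sample lines and attachment names, the script-extension list and the generalisation of the numeric .exe path are assumptions made for the example.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Indicators copied from the quoted dynamoo / myonlinesecurity posts (17 Dec 2015).
BLOCKLIST_IPS = {
    "80.96.150.201",                                      # karp.exe / kmn653.exe call-back
    "179.60.144.18", "91.203.5.169", "195.191.25.145",    # /chicken/bacon.php POST targets
    "109.234.37.214",                                     # /chicken/bacon.php host in the MALWR report
}
BLOCKLIST_HOSTS = {
    "savepic.su",                                         # GET of 6786586.png
    "whatdidyaysay.com", "iamthewinnerhere.com",          # TeslaCrypt downloader hosts
    "infosystems-gmbh.de", "ghsoftware.de", "dirkjraab.de",  # kmn653.exe download hosts
}
# Hosts rotate between runs but the URL paths repeat, so match on the path as well.
PATH_RULES = [
    (re.compile(r"^/chicken/bacon\.php$"), "Upatre/Dridex C2 path"),
    (re.compile(r"^/65dfg77/kmn653\.exe$"), "Dridex payload path"),
    # Assumption: the 80.exe / 97.exe downloaders generalise to a short numeric name.
    (re.compile(r"^/\d{1,3}\.exe$"), "numeric .exe path (TeslaCrypt downloader pattern)"),
]
# Assumption: extensions to treat as script/executable attachments.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe", ".scr"}
OFFICE_EXTS = {".doc", ".docm", ".xls", ".xlsm"}


def url_indicators(url):
    """Return the reasons a URL matches the indicators above (empty list if none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if host in BLOCKLIST_IPS:
        reasons.append("blocklisted IP " + host)
    if host in BLOCKLIST_HOSTS:
        reasons.append("blocklisted host " + host)
    for pattern, label in PATH_RULES:
        if pattern.match(parts.path):
            reasons.append(label)
    return reasons


# Assumed proxy-log layout for the example: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines):
    """Return one hit per log line whose URL matches an indicator. 404s still count:
    a failed download (the PHS run's location 404s) still identifies an infected client."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = url_indicators(m["url"])
        if reasons:
            hits.append({"client": m["client"], "url": m["url"],
                         "status": m["status"], "reasons": reasons})
    return hits


def attachment_risk(filename, archive_members=()):
    """Flag attachment names shaped like the lures in the runs above: zip-wrapped
    scripts (SCAN_PRICES_*.zip -> invoice_copy_*.js), bare script/executable files,
    double extensions that hide the real type, and Office docs carrying a long
    random 'invoice number' (a weak signal on its own)."""
    suffixes = PurePosixPath(filename.lower()).suffixes
    ext = suffixes[-1] if suffixes else ""
    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append("script/executable attachment")
        if len(suffixes) > 1 and suffixes[-2] in OFFICE_EXTS | {".pdf"}:
            reasons.append("double extension hides real type")
    if ext == ".zip":
        for member in archive_members:
            if PurePosixPath(member.lower()).suffix in SCRIPT_EXTS:
                reasons.append("archive contains script: " + member)
    if ext in OFFICE_EXTS and re.search(r"\d{6,}", filename):
        reasons.append("weak: invoice-style name with long random number")
    return reasons


# Constructed sample data for the example; not captured traffic.
SAMPLE_LOG = [
    "2015-12-17T08:41:02 10.0.0.12 POST http://109.234.37.214/chicken/bacon.php 200",
    "2015-12-17T08:41:05 10.0.0.12 GET http://savepic.su/6786586.png 200",
    "2015-12-17T11:13:40 10.0.0.31 GET http://infosystems-gmbh.de/65dfg77/kmn653.exe 404",
    "2015-12-17T10:55:17 10.0.0.44 GET http://iamthewinnerhere.com/97.exe?1 200",
    "2015-12-17T10:56:00 10.0.0.44 GET http://www.example.com/index.html 200",
]
SAMPLE_ATTACHMENTS = [
    ("SCAN_PRICES_64904074.zip", ["invoice_copy_CYcpbM.js"]),
    ("invoice63548716.doc", []),
    ("A01CardInv1318489.xls", []),
    ("report.pdf", []),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["url"], "->", "; ".join(hit["reasons"]))
    for name, members in SAMPLE_ATTACHMENTS:
        print(name, "->", attachment_risk(name, members) or "no flags")
```

Matching on the path as well as the host is the point: the posts show the same /chicken/bacon.php and /65dfg77/kmn653.exe paths served from different hosts on the same day, so a host-only blocklist lags the campaign. The invoice-number check is deliberately reported as weak; real invoices have numbers too, so use it only to prioritise, not to block.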
 