SPAM frauds, fakes, and other MALWARE deliveries...

PUPs Masquerade as Installer for Antivirus and Anti-Adware

FYI...

PUPs Masquerade as Installer for Antivirus and Anti-Adware
- https://blog.malwarebytes.org/onlin...e-as-installer-for-antivirus-and-anti-adware/
Dec 18, 2015 - "... two pieces of programs claiming to be two different security software, being housed in a domain purporting to be a safe antivirus download hub. The destination in question, however, has been known to serve a -fake- Malwarebytes installer. The domain is antivirus-dld[DOT]com, and users must avoid visiting it or -block- it with their browsers. Below are screenshots of its subdomains where users can supposedly download the AVG and AdwCleaner programs:
1. https://blog.malwarebytes.org/wp-content/uploads/2015/12/avg.png
...
2. https://blog.malwarebytes.org/wp-content/uploads/2015/12/adwcleaner.png
... -both- installers show differences in file names and hashes, they exhibit more identical markings than what we see on the surface... AV engines detect these as variants of the SoftPulse family... As this “Thank you” GUI window is displayed, the supposed program, in this case AVG, is then downloaded and installed automatically. Users can’t see this happening at first because the installer’s GUI is overlaying the real program’s GUI:
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/avg05.png
Immediately after installation, the default browser opens to reveal an advertisement of an online dating site. We reckon that various ads are randomized:
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/avg06.png
Clicking -any- of these links directs users to magno2soft[DOT]com, a domain that the Google Chrome browser blocks, tagging it as malicious. Additionally, we did a quick look up of their “24/7 free support” phone number—(+1) 844 326 2917—to see if something comes up. It turns out that this number is also used by -other- domains... We have also noted that their contents are also identical to Magno2soft’s. Be advised to -not- visit these sites as some of them automatically download an executable file... Domains like antivirus-dld[DOT]com may only appear legitimate, but they’re just hubs distributing pieces of software you may not want lurking in your hard drive."

antivirus-dld[DOT]com: 23.229.195.163: https://www.virustotal.com/en/ip-address/23.229.195.163/information/

magno2soft[DOT]com: 178.33.154.37: https://www.virustotal.com/en/ip-address/178.33.154.37/information/
> https://www.virustotal.com/en/url/5...bc052f9c430600de13bebe419648c2d9b8c/analysis/

:fear::fear: :mad:
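The indicators in these posts are written defanged (antivirus-dld[DOT]com, hsbc-message(dot)com, "getmooresuccess .com", "http ://martenmini .com") so that a reader cannot click them by accident, but that notation has to be undone before the domains and addresses can go into a blocklist. The following Python helper is an added example, not code from Malwarebytes, Dynamoo or the poster: it refangs the common conventions, tokenises the text, and keeps only well-formed hostnames and publicly routable IPv4 addresses. The sample lines are constructed from indicators quoted in this thread, and the list of file extensions that must not be mistaken for a TLD is my own assumption.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample lines, written in the defanged styles used in these posts:
# "[DOT]", "(dot)", a space inserted before the TLD, and "http ://".
SAMPLE_LINES = [
    "antivirus-dld[DOT]com: 23.229.195.163",
    "magno2soft[DOT]com: 178.33.154.37",
    "hsbc-message(dot)com: 98.139.135.129",
    "getmooresuccess .com/jh45wf/98i76u6h.exe",
    "http ://martenmini .com/counter/?abc",
    "Recommended blocklist:",
    "199.7.136.88",
    "151.80.142.33",
    "Dropped file: 3009102.exe",  # a filename; must not be taken for a host
]

# Hostname (RFC 1123 labels, alphabetic TLD) and dotted-quad IPv4 patterns.
HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}", re.IGNORECASE)
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Assumed: a "TLD" that is really one of the file extensions seen in these posts is not a host.
FILE_EXTS = {"exe", "doc", "xls", "js", "zip", "php", "gif", "png", "jpg", "html", "pdf"}


def refang(text: str) -> str:
    """Undo the defanging conventions so indicators can be parsed normally."""
    text = re.sub(r"\[\.\]|\[dot\]|\(dot\)", ".", text, flags=re.IGNORECASE)  # [DOT], (dot), [.]
    text = re.sub(r"\bhxxp", "http", text, flags=re.IGNORECASE)               # hxxp:// -> http://
    text = re.sub(r"(https?)\s*:\s*//", r"\1://", text, flags=re.IGNORECASE)   # "http ://" -> "http://"
    text = re.sub(r"\s+\.(?=[a-z]{2,})", ".", text)                            # "example .com" -> "example.com"
    return text


def extract_iocs(lines):
    """Return (domains, ips) found in the lines, refanged, validated and de-duplicated."""
    domains, ips = set(), set()
    for raw in lines:
        for token in refang(raw).split():
            token = token.strip(",;:\"'()<>[]")
            if "://" in token:
                host = urlparse(token).hostname or ""   # full URL: take the netloc only
            else:
                host = token.split("/", 1)[0]           # "host/path/file.exe": take the host
            host = host.lower()
            if IPV4_RE.fullmatch(host):
                try:
                    addr = ip_address(host)
                except ValueError:                     # e.g. an octet above 255
                    continue
                if addr.is_global:                     # drop RFC 1918, loopback and other bogons
                    ips.add(str(addr))
            elif HOST_RE.fullmatch(host) and host.rsplit(".", 1)[1] not in FILE_EXTS:
                domains.add(host)
    return sorted(domains), sorted(ips, key=ip_address)


if __name__ == "__main__":
    found_domains, found_ips = extract_iocs(SAMPLE_LINES)
    print("domains:", *found_domains, sep="\n  ")
    print("ips:", *found_ips, sep="\n  ")
```

The `is_global` filter matters on this kind of page: analysis reports often list a sandbox's own private addresses next to the real command-and-control hosts, and blocking 192.168.x.x or 10.x.x.x on a perimeter device does nothing useful.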
 
Angler EK drops TeslaCrypt...

FYI...

Angler EK drops TeslaCrypt via recent Flash Exploit
- https://blog.malwarebytes.org/exploits-2/2015/12/angler-ek-drops-ransomware-newexploit/
Dec 19, 2015 - "On December 18, security company Fortinet blogged* about a possible new variant of the CryptoWall ransomware distributed via spam. Around the same time we discovered that the Angler exploit kit was also pushing this new ‘variant’. However it is not CryptoWall... but rather TeslaCrypt. Files are encrypted and appended with a .vvv extension. In order to recover those files, victims must pay $500USD or face the risk of seeing this amount double within less than a week...
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/newcryptowall.png
Angler EK uses a very recently patched flaw in Adobe Flash Player up to version 19.0.0.245** (CVE-2015-8446), making it the most lethal exploit kit at the moment..."
> https://www.virustotal.com/en/file/...489f62fc35c880f0a4127092/analysis/1450545960/
TCP connections
78.47.139.102: https://www.virustotal.com/en/ip-address/78.47.139.102/information/
107.180.50.210: https://www.virustotal.com/en/ip-address/107.180.50.210/information/
109.232.216.57: https://www.virustotal.com/en/ip-address/109.232.216.57/information/

* http://blog.fortinet.com/post/new-cryptowall-variant-in-the-wild

** http://malware.dontneedcoffee.com/2015/12/angler-ek-is-exploiting-flash-1900245.html

>> https://forums.spybot.info/showthre...tes-advisories&p=467614&viewfull=1#post467614

*** https://www.adobe.com/software/flash/about/

:fear::fear: :mad:
 
Fake 'INVOICE' SPAM, DHL - Phish, 'Juniper' -critical- patch

FYI...

Fake 'INVOICE' SPAM – doc/xls malware
- http://myonlinesecurity.co.uk/brend...ce-word-doc-or-excel-xls-spreadsheet-malware/
21 Dec 2015 - "... An email with the subject of 'Invoice' pretending to come from Brenda Howcroft <accounts@ swaledalefoods .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/swaledale_foods_invoice-1024x778.png

21 December 2015: Invoice 14702.doc - Current Virus total detections 1/53*
... waiting for analysis to complete on this but it is almost certain to be a downloader for Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...2ea09a9cb770a5942c22e5d8/analysis/1450699970/

- http://blog.dynamoo.com/2015/12/malware-spam-invoice-brenda-howcroft.html
21 Dec 2015 - "This -fake- financial spam does not come from Swaledale Foods but is instead a simple -forgery- with a malicious attachment.
From: Brenda Howcroft [accounts@ swaledalefoods .co.uk]
Date: 21 December 2015 at 10:46
Subject: INVOICE
Your report is attached in DOC format.
To load the report, you will need the free Microsoft® Word® reader, available to download...
Many thanks,
Brenda Howcroft
Office Manager
t 01756 793335 sales
t 01756 790160 accounts ...


Attached is a file Invoice 14702.doc which comes in at least -9- different versions... sources say that at least some versions download from the following locations:
110.164.184.28 /jh45wf/98i76u6h.exe
getmooresuccess .com/jh45wf/98i76u6h.exe
rahayu-homespa .com/jh45wf/98i76u6h.exe
This dropped file has a detection rate of 6/54*. The Hybrid Analysis report** plus some other sources indicate network traffic to:
199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)
The payload is the Dridex banking trojan...
Recommended blocklist:
199.7.136.88
151.80.142.33
202.69.40.173
78.47.66.169
"
* https://www.virustotal.com/en/file/...2dc610de228ced805f0991eb/analysis/1450707029/
TCP connections
199.7.136.88
13.107.4.5


** https://www.hybrid-analysis.com/sam...172be2dc610de228ced805f0991eb?environmentId=1
___

Backdoors in Juniper's firewalls ...
- http://net-security.org/secworld.php?id=19259
21 Dec 2015

>> https://isc.sans.edu/diary.html?storyid=20521
Last Updated: 2015-12-21 - "We decided to move to raise our "Infocon" to yellow over the backdoor in Juniper devices. We decided to do this for a number of reasons:
- Juniper devices are popular, and many organizations depend on them to defend their networks
- The "backdoor" password is now -known- and exploitation is trivial at this point. [2]
- With this week being a short week for many of us, addressing this issue -today- is critical.
Who is affected by this issue? Juniper devices running ScreenOS 6.3.0r17 through 6.3.0r20 are affected by the -fixed- backdoor password (CVE-2015-7755). [1]
Juniper devices running ScreenOS 6.2.0r15 through 6.2.0r18 and ScreenOS 6.3.0r12-6.3.0r20 are affected by the VPN decryption problem (CVE-2015-7756). [1] ... There are two distinct issues. First of all, affected devices can be accessed via telnet or ssh using a specific "backdoor" password. This password can not be removed or changed unless you apply Juniper's patch..."
(More detail at the isc URL above.)
1] https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&actp=search

2] https://community.rapid7.com/commun...7755-juniper-screenos-authentication-backdoor

Other references:
> https://www.imperialviolet.org/2015/12/19/juniper.html

>> https://gist.github.com/fox-srt/ca94b350f2a91bd8ed3f

- https://www.us-cert.gov/ncas/curren...-Releases-Out-band-Security-Advisory-ScreenOS
Dec 17, 2015

Exploit attempts - Juniper Backdoor...
- https://isc.sans.edu/diary.html?storyid=20525
Last Updated: 2015-12-22 00:19:29 UTC - "We are detecting numerous login attempts against our ssh honeypots using the ScreenOS backdoor password. Our honeypot doesn't emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be "manual" in that we do see the attacker trying different commands. We saw the first attempt at 17:43:43 UTC..."
___

DHL - Phish...
- http://myonlinesecurity.co.uk/shipping-document-inv-bl-dhl-phishing/
21 Dec 2015 - "An email with the subject of 'SHIPPING DOCUMENT & INV-BL' coming from Ionel Ghenade <ionel_ghenade@ yahoo .com> is a phishing attempt to gain log in details for your DHL account... I don’t suppose many recipients will actually have a DHL account, although some will. This email does come from Yahoo. I do not know whether the sender has had his account hacked or it is a yahoo account created just for this phishing attempt. If your DHL account does get compromised, they will use it to send illegal and -stolen- goods at your expense and you will be held responsible for that... The email has a mass of recipients in the to: box (about 100) so that is the first warning of a mass spam and something wrong. The content simply says:
Hello,
THE DHL DOCUMENT HAS BEEN SENT TO YOU AS AS DIRECTED.
Regards


... And has a html attachment to the email that at first glance appears to be a PDF attachment. If you are unwise enough to open the attachment, the first thing you see is a JavaScript pop up alerting you with this message:
Encripted DHL file, Your Email has been configured To view Document information, Sign in to continue!
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/dhl_js_popup.png
Press OK and you get:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/dhl_login-1024x917.png
Which of course looks like a DHL log in page, if you don’t look at the web address in the URL bar. In this case it is a local file on your computer, not a webpage. If you enter any email address and password, you are then sent to the genuine DHL site. This scam works because of the windows default behaviour to hide file extensions. In this case without the final extension HTML showing, you are misled into thinking that it is a PDF file... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .html file it really is, so making it much more likely for you to accidentally open it..."
___

Password checks... ??
- http://myonlinesecurity.co.uk/are-your-passwords-secure/
21 Dec 2015 - "We keep seeing sites that offer to check your passwords and make sure they are safe and secure. One that popped up on Twitter today is:
- http://www.sbrcentre.co.uk/pages/3031/1/Check_Your_Password.html
This aims to educate you and suggest how long it would take to crack your password. Entering -any- password on any of these sites is a total mistake. All these sites that tell you how long and secure your password is, are pure snake oil and a high rating means absolutely -nothing- in the real world. First look at the site. It uses standard HTTP -not- an encrypted HTTPS connection, so in the event you have any problems on your network, anything you send to that site can be easily intercepted. Secondly, even though they say that they do not retain any passwords, how do you know that is true. A misconfiguration can easily store every password in plain text for any hacker to obtain and potentially track back to you. I made up a password to test it:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/sbrc_1-1024x546.png
...
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/sbrc_2-1024x548.png
... Check it out with a -fake- password but don’t rely on being safe because of that fake password. Most breaches come because of errors or user interaction, not having a short password. Having a long, complicated password that would take 17 trillion years to crack does not mean you are safe. A high proportion of password hacks either come from the website that holds your password, and it doesn’t matter if it is 2 characters long or 20000 characters long if the site doesn’t encrypt stored passwords and keeps them in plain text for any hacker to get hold of via security holes in that site. The other primary password loss method is YOU, when you enter details on a -fake- website or respond to a -phishing- email and give away all your passwords or log-in information. In many cases a long complicated password is a detriment because you cannot remember it and write it down on a sticky note pinned to the monitor for everyone to see. Either use a password manager or use an easy to remember pass -phrase- or combination of words that mean something to you & no-one else, rather than a single word."

:fear::fear: :mad:
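The ISC diary quoted above gives the affected ScreenOS ranges as version strings of the form 6.3.0r17, and with a short week ahead the first job is to find out which firewalls in an inventory fall inside those ranges. The Python check below is an added example, not part of the ISC diary or Juniper's advisory: it parses that version format and maps each device onto the two CVEs using exactly the ranges quoted (6.3.0r17 to 6.3.0r20 for CVE-2015-7755; 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20 for CVE-2015-7756). The device inventory is constructed, the "major.minor.patch r build" format is assumed from the strings in the diary, and no fixed release is listed because the quoted text does not name one.

```python
import re

# Affected ScreenOS ranges exactly as the ISC diary quotes them from Juniper (JSA10713).
AFFECTED_RANGES = {
    "CVE-2015-7755": [("6.3.0r17", "6.3.0r20")],                            # fixed "backdoor" password
    "CVE-2015-7756": [("6.2.0r15", "6.2.0r18"), ("6.3.0r12", "6.3.0r20")],  # VPN decryption
}

# Assumed version format, taken from the strings in the diary: major.minor.patch r build
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_version(version: str):
    """'6.3.0r17' -> (6, 3, 0, 17); raises ValueError for anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {version!r}")
    return tuple(int(g) for g in m.groups())


def affected_cves(version: str):
    """List the advisory CVEs whose affected range contains this version (tuple comparison)."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def triage(inventory):
    """Map device name -> affected CVEs, most exposed devices first, then alphabetical."""
    report = {name: affected_cves(ver) for name, ver in inventory.items()}
    return dict(sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0])))


# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = {
    "fw-branch-01": "6.3.0r18",  # inside both quoted ranges
    "fw-branch-02": "6.3.0r14",  # VPN decryption range only
    "fw-dc-01": "6.2.0r16",      # VPN decryption range only
    "fw-lab-01": "6.3.0r11",     # outside both quoted ranges
}

if __name__ == "__main__":
    for name, cves in triage(INVENTORY).items():
        status = ", ".join(cves) or "not in the quoted ranges"
        print(f"{name:14} {INVENTORY[name]:10} {status}")
```

A device that comes out as "not in the quoted ranges" is only not listed by this advisory; it is not a clean bill of health, so the result should be read together with Juniper's own KB entry [1] rather than on its own.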
 
Fake 'fax', 'New Account', 'PAYMENT RECEIVED' SPAM - HSBC Phish

FYI...

Fake 'fax' SPAM - JS malware
- http://myonlinesecurity.co.uk/you-have-received-fax-document-00979545-interfax-online-js-malware/
22 Dec 2015 - "An email with the subject of 'You have received fax, document 00979545' [random numbered] pretending to come from Interfax Online <incoming@ interfax .net> with a zip attachment is another one from the current bot runs... The content of the email says :
A new fax document for you.
You can find your fax document in the attachment.
Scanned in: 50 seconds
File name: task-00979545.doc
Sender: Gerald Daniels
File size: 252 Kb
Pages sent: 3
Resolution: 200 DPI
Date of scan: Mon, 21 Dec 2015 19:39:17 +0300
Thank you for using Interfax!


2 September 2015: task-00979545.zip: Extracts to: task-00979545.doc.js
Current Virus total detections 10/54*. MALWR shows us it downloads -2- malware files 3009102.exe (virus total 4/53**) and 1af9fcbe48b1f[1].gif (VirusTotal 5/52***) and 1 innocent file from http ://martenmini .com/counter/? (long list of random characters). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...1f20b8bcb0043b4d969dedfc/analysis/1450770443/

** https://www.virustotal.com/en/file/...d92f3dee136a3ce58fdd2ed3/analysis/1450751819/

*** https://www.virustotal.com/en/file/...2acf3ceac6d656df0123a59a/analysis/1450771087/
___

Fake 'New Account' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-british-gas-ac-no.html
22 Dec 2015 - "This -fake- financial email is not from TopSource, Trinity Restaurants or British Gas (the email seems a bit confused), but is instead a simple -forgery- with a malicious attachment.
From: trinity [trinity@ topsource .co.uk]
Date: 22 December 2015 at 10:36
Subject: British Gas - A/c No. 602131633 - New Account
Hi ,
Please refer to the attached invoice from British Gas, the account number on it is different from all the account numbers that we currently have in the system. Can you confirm if this is a new account so that we will create this in system.
Thanks & Regards,
Pallavi Parvatkar ...


Attached is a file British Gas.doc with... a VirusTotal detection rate of 2/54*. Analysis of the document is pending, however it will most likely drop the Dridex banking trojan.
UPDATE: These automated analyses [1] [2] show that the malicious document downloads from:
weddingme .net/786h8yh/87t5fv.exe
This has a VirusTotal detection rate of 3/54**. All those reports indicate malicious traffic to:
199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)
The payload looks like Dridex...
Recommended blocklist:
199.7.136.88
151.80.142.33
"
* https://www.virustotal.com/en/file/...21552c591f88773b7ffc8e6b/analysis/1450781888/

1] https://www.hybrid-analysis.com/sam...072c421552c591f88773b7ffc8e6b?environmentId=2

2] https://malwr.com/analysis/Yjc4NzYyMDg0NzFlNDc5Y2FlNWYyNjRkZjk4OTJkNWQ/

** https://www.virustotal.com/en/file/...bc805c574bb9a38dbf159641/analysis/1450782995/
TCP connections
199.7.136.88
90.84.59.19


- http://myonlinesecurity.co.uk/briti...ty-word-doc-or-excel-xls-spreadsheet-malware/
22 Dec 2015
Screenshot: http://myonlinesecurity.co.uk/wp-co...-Gas-Ac-No-602131633-New-Account-1024x690.png

22 December 2015 : British Gas.doc - Current Virus total detections 2/54*
Reverse it** shows a download of what looks like Dridex banking Trojan from
weddingme .net/786h8yh/87t5fv.exe (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...21552c591f88773b7ffc8e6b/analysis/1450781888/

** https://www.reverse.it/sample/03b0c...072c421552c591f88773b7ffc8e6b?environmentId=1

*** https://www.virustotal.com/en/file/...bc805c574bb9a38dbf159641/analysis/1450781177/
TCP connections
199.7.136.88
90.84.59.19

___

Fake 'PAYMENT RECEIVED' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-cwih8974-payment-received.html
22 Dec 2015 - "This -fake- financial spam does not come from Les Caves de Pyrene but is instead a simple -forgery- with a malicious attachment.
From: Avril Sparrowhawk [Avril.Sparrowhawk@lescaves.co.uk]
Date: 22 December 2015 at 11:14
Subject: CWIH8974 PAYMENT RECEIVED
Good afternoon
Thanks very much for your payment we recently from you, however there was a missed invoice. Can you just confirm this will be included in the next payment run, or whether there were any queries with this particular invoice?
I have attached the invoice for your reference.
Kind regards
Avril
Avril Sparrowhawk
Credit Controller
Les Caves De Pyrene
Pew Corner
Old Portsmouth Road
Artington
Guildford
GU3 1LP
+44 (0)1483 554784
+44 (0)1483 455068 ...


Attached is a malicious document CWIH8974.doc of which I have seen just a single sample with a VirusTotal detection rate of 2/54*. There may be other variations of the document, but in this case it downloads a malicious binary from:
secure.novatronica .com/786h8yh/87t5fv.exe
This has a VirusTotal detection rate of 2/53** and is the -same- payload as found in this earlier spam run***, leading to the Dridex banking trojan."
* https://www.virustotal.com/en/file/...1d19004caa0a173419c90b9f/analysis/1450784063/

** https://www.virustotal.com/en/file/...bc805c574bb9a38dbf159641/analysis/1450784374/
TCP connections
199.7.136.88
90.84.59.19


*** http://blog.dynamoo.com/2015/12/malware-spam-british-gas-ac-no.html

- http://myonlinesecurity.co.uk/cwih8...owhawk-office-macro-malware-downloads-dridex/
22 Dec 2015
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/CWIH8974-PAYMENT-RECEIVED-1024x753.png

22 December 2015: CWIH8974.doc - Current Virus total detections *
Payload Security Hybrid analysis** shows it downloads a Dridex banking Trojan from
secure.novatronica .com/786h8yh/87t5fv.exe which is the -same- payload as today’s earlier malspam run***..."
* https://www.virustotal.com/en/file/...1d19004caa0a173419c90b9f/analysis/1450784063/

** https://www.hybrid-analysis.com/sam...7c15b1d19004caa0a173419c90b9f?environmentId=2

*** http://myonlinesecurity.co.uk/briti...ty-word-doc-or-excel-xls-spreadsheet-malware/
___

Fake 'new payment terms' SPAM - PDF malware
- http://myonlinesecurity.co.uk/att-new-payment-terms-and-payment-fake-pdf-malware/
22 Dec 2015 - "An email with various subjects based around the theme of invoices or payments coming from random email addresses and senders with a zip attachment is another one from the current bot runs... Some of the subjects seen include:
ATT: / new payment terms and payment
Invoice Updated: # 15/12/2015 from DXB International, Inc.
FW: Payment for Invoice

The contents of the emails vary with each email and it is totally -random- which combination of subject and email body you will get. The attachment name remains consistent. Some of the ones I have seen include:
We appreciate your business.
Kind Regards,
Marketing and Sales Manager
Jimmie McCoy

-Or-
Receipts attached. Thank you
Sales Manager
Peter Skinner

-Or-
I have two sets as samples ready to ship Invoice # 0311683, 1 box, 1 lbs, $46.28 Please let us know how you want us to ship these goods.
Thanks & Best Regards,
Payroll Supervisor
Frederick Castillo ...


22 December 2015: Invº-1089-12-2015_PDF.zip: Extracts to: Inv._Nº-1089-12-2015_PDF.exe
Current Virus total detections 2/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...29469dc868366e7e584516d9/analysis/1450791506/
___

Fake 'MUST READ' SPAM - doc malware
- http://myonlinesecurity.co.uk/must-...suspect-last-seen-in-camden-word-doc-malware/
22 Dec 2015 - "An email with the subject of 'MUST READ! Police hunt missing terror suspect last seen in Camden!' pretending to come from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...rror-suspect-last-seen-in-Camden-1024x712.png

22 December 2015: suspect details 44165680.doc - Current Virus total detections 4/54*
MALWR** shows a download from http ://31.41.44.224 /portal/portal.php which is named as govuk.exe
(VirusTotal 2/54***). I am not certain what the payload actually is yet and am awaiting full analysis.
Update: fast work from the host of 31.41.44.224 https ://www .cishost .ru/ who took down the malware very quickly... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...c9700dc444cf171d4114d097/analysis/1450796426/

** https://malwr.com/analysis/NTAxMjlkN2Q1ZDBiNDcyZmEwNWE2M2M4NTU0YjFmN2M/

*** https://www.virustotal.com/en/file/...ded0788b5f22310e41638af7/analysis/1450796555/
portal.exe

31.41.44.224: https://www.virustotal.com/en/ip-address/31.41.44.224/information/
___

HSBC - Phish...
- https://blog.malwarebytes.org/fraud-scam/2015/12/hsbc-phish-your-account-is-currently-locked/
Dec 22, 2015 - "Customers of HSBC should -avoid- the following URL, which is (most likely) part of an email based phishing campaign. While we don’t have an example of an email to hand, we can certainly shine some light on the website itself which is:
hsbc-message(dot)com
... in the hopes of helping you to avoid a nasty surprise this holiday season:
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/hsbclocked1.jpg
... They urge visitors to click next (because hey, that form expires today!) and continue with the process, which is little more than a straight lunge for payment information:
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/hsbclocked2.jpg
... To be specific: Card number, expiration date, card verification code, and finally the ATM PIN number. After this, the victim is shown a “We’ll get back to you in 24 hours” message before being forwarded on to a HSBC website:
> https://blog.malwarebytes.org/wp-content/uploads/2015/12/hsbclocked3.png
From a quick scan of various websites, it seems HSBC scams are all the rage right now [1], [2], [3], [4] so please be extra careful with your logins. Scammers are always looking for a way to grab some fast cash, and regardless of whether they approach you by email, SMS or phonecall..."
1] https://twitter.com/Nicv27/status/676108831940870144

2] https://www.instagram.com/p/_XvF5ypr4M/

3] https://www.instagram.com/p/_W6zn3nX-A/

4] http://www.scamcallfighters.com/sca...4053-Credit-Card--Bank-Acct--Fraud-35513.html

hsbc-message(dot)com: 98.139.135.129: https://www.virustotal.com/en/ip-address/98.139.135.129/information/

:fear::fear: :mad:
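Three of the samples in these posts rely on the same Windows default: the DHL phish is an .html file that looks like a PDF, the Interfax "fax" is task-00979545.doc.js, and the payment-terms run ships Inv._Nº-1089-12-2015_PDF.exe. With known extensions hidden, Explorer shows only what is left once the final extension is removed, so the user sees a document name. The Python classifier below is an added example, not code from myonlinesecurity.co.uk or the poster: it reproduces that hidden-extension view for an attachment name and flags the cases where an executable, script or HTML file would be displayed as a document. The extension sets and the DHL filename are constructed; the real .html attachment's name is not given in the post.

```python
import os
import re

# Constructed extension sets (a simplification of what Windows registers as "known" types).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".cmd", ".bat"}
HTML_EXTS = {".html", ".htm", ".hta"}
MACRO_DOC_EXTS = {".doc", ".docm", ".xls", ".xlsm"}
DOCUMENT_EXTS = MACRO_DOC_EXTS | {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}
DOCUMENT_WORDS = {"pdf", "doc", "docx", "xls", "xlsx"}  # "..._PDF.exe" style hints in the stem


def split_all_exts(name: str):
    """'task-00979545.doc.js' -> ['.doc', '.js']; stops at anything that is not a short extension."""
    exts = []
    base = name.lower()
    while True:
        base, ext = os.path.splitext(base)
        if not ext or len(ext) > 6:
            break
        exts.insert(0, ext)
    return exts


def hidden_extension_view(name: str) -> str:
    """What Explorer shows with 'hide extensions for known file types' on: the final extension is dropped."""
    exts = split_all_exts(name)
    return name[: -len(exts[-1])] if exts else name


def classify_attachment(name: str) -> str:
    """Return 'masquerade', 'executable', 'html', 'macro-document', 'no-extension' or 'ok'."""
    exts = split_all_exts(name)
    if not exts:
        return "no-extension"
    real = exts[-1]
    shown = hidden_extension_view(name)
    apparent = os.path.splitext(shown)[1].lower()                  # ".doc" in "x.doc.js"
    words = set(re.split(r"[^a-z0-9]+", shown.lower()))            # "pdf" in "Inv._Nº-..._PDF"
    looks_like_document = apparent in DOCUMENT_EXTS or bool(DOCUMENT_WORDS & words)
    if real in EXECUTABLE_EXTS or real in HTML_EXTS:
        if looks_like_document:
            return "masquerade"        # runs or renders, but is displayed as a document
        return "executable" if real in EXECUTABLE_EXTS else "html"
    if real in MACRO_DOC_EXTS:
        return "macro-document"        # keep Protected View; never enable macros on request
    return "ok"


# Constructed sample: attachment names quoted in these posts plus a made-up DHL one.
SAMPLES = [
    "task-00979545.doc.js",
    "Inv._Nº-1089-12-2015_PDF.exe",
    "DHL_SHIPPING_DOCUMENT_PDF.html",   # constructed; the DHL post does not give the filename
    "Invoice 14702.doc",
    "3009102.exe",
    "minutes.txt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:32} shown as {hidden_extension_view(sample):28} -> {classify_attachment(sample)}")
```

On a mail gateway the "masquerade" and "executable" verdicts are quarantine candidates outright; "macro-document" is the Dridex pattern from the other posts here and is better handled by keeping Protected View on and macros disabled than by blocking every .doc.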
 
Fake 'invoice', 'Fee Invoice', 'chasing payment' SPAM, Joomla 3.4.7

FYI...

Fake 'invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-christmas-industrial.html
23 Dec 2015 - "This -fake- invoice has a malicious attachment:
From: Rachael Murphy
Date: 23 December 2015 at 13:05
Subject: Christmas Industrial Decorating invoice-50473367)
Good afternoon,
Please find attached 1 invoice for processing.
Regards and Merry Christmas!
Rachael Murphy
Financial Manager ...
This email has been scanned by the Symantec Email Security.cloud service.


The sender's name and reference number varies, the attachment is in the format invoice45634499.doc and it comes in at least -three- different versions (VirusTotal results [1] [2] [3]). Analysis is pending, the payload is likely to be the Dridex banking trojan."
1] https://www.virustotal.com/en/file/...677fd3c98b506fea9dbebf67b1631e8920d/analysis/

2] https://www.virustotal.com/en/file/...ab6d1914bd3e4423999f0b0962da535a591/analysis/

3] https://www.virustotal.com/en/file/...62004ba944f065b89e8ee12987d4d95d665/analysis/

- http://myonlinesecurity.co.uk/chris...47-word-doc-or-excel-xls-spreadsheet-malware/
23 Dec 2015 - "An email with the subject of 'Christmas Industrial Decorating invoice-22306947)' pretending to come from random senders and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Tony Monroe <MonroeTony50@ bors-spic .ro>
Date: Wed 23/12/2015 12:56
Subject: Christmas Industrial Decorating invoice-22306947) (random numbers)
Good afternoon,
Please find attached 1 invoice for processing.
Regards and Merry Christmas!
Tony Monroe
Financial Manager ...


23 December 2015: invoice22306947.doc - Current Virus total detections 2/54*
... automatic analysis is inconclusive but it appears to have the same payload as described in THIS post** which is most likely to be Dridex banking Trojan..."
* https://www.virustotal.com/en/file/...06fea9dbebf67b1631e8920d/analysis/1450875552/

** http://myonlinesecurity.co.uk/fw-me...ce-word-doc-or-excel-xls-spreadsheet-malware/
___

Fake 'Fee Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-fw-meridian-acc-no.html
23 Dec 2015 - "This -fake- financial spam comes with a malicious attachment. The sender's name and reference number is randomly generated.
From: Josie Ruiz
Date: 23 December 2015 at 11:38
Subject: FW: Meridian (Acc. No. 51588088) - Professional Fee Invoice
Dear Sir/Madam,
Re: Meridian Professional Fees
Please find attached our fee note for services provided, which we trust meets with your approval.
Payment should be made to Meridian International VAT Consulting Ltd. within the agreed payment terms.
We look forward to your remittance in due course.
Yours sincerely
Josie Ruiz
Financial CEO ...


The attachment has the same reference number as the subject, and there are at least -five- different versions... likely to be the Dridex banking trojan.
UPDATE 1: Hybrid Analysis of some of the samples [1] [2] shows some download locations:
146.120.89.92 /volkswagen/bettle.php
109.234.34.164 /volkswagen/bettle.php
Those IPs belong to:
146.120.89.92 (Ukrainian Internet Names Center LTD, Ukraine)
109.234.34.164 (McHost.Ru Inc, Russia)
This is actually an executable with a detection rate of 4/53*. The purpose of this executable is unknown, but it is certainly malicious. Analysis is still pending.
UPDATE 2: This Threat Expert report** and this Hybrid Analysis*** both report traffic to a presumably hacked server at:
104.131.59.185 (Digital Ocean, US)
Recommended blocklist:
104.131.59.185
146.120.89.92
109.234.34.164
"
* https://www.virustotal.com/en/file/...62b7e40f5448aabf21620f6b/analysis/1450879468/

** http://www.threatexpert.com/report.aspx?md5=265f3b610aed3745ba19fd795a748e57

*** https://www.hybrid-analysis.com/sam...e124462b7e40f5448aabf21620f6b?environmentId=4

1] https://www.hybrid-analysis.com/sam...38c6fe199375b1d7558780869b504?environmentId=1

2] https://www.hybrid-analysis.com/sam...03f90a3a828e10bf53437ae6f182b?environmentId=4

- http://myonlinesecurity.co.uk/fw-me...ce-word-doc-or-excel-xls-spreadsheet-malware/
23 Dec 2015
Screenshot: http://myonlinesecurity.co.uk/wp-co...3835341-Professional-Fee-Invoice-1024x771.png

23 December 2015: invoice63835341.doc - Current Virus total detections 2/54*
... according to Dynamoo** this downloads from 109.234.34.164 /volkswagen/bettle.php which gave me a file called bettle.exe (VirusTotal ***)..."
* https://www.virustotal.com/en/file/...e670c7e38d627bcadf532ee3/analysis/1450873882/

** http://blog.dynamoo.com/2015/12/malware-spam-fw-meridian-acc-no.html

*** https://www.virustotal.com/en/file/...62b7e40f5448aabf21620f6b/analysis/1450879468/
___

Fake 'Invoice 70146427' SPAM - malicious attachment
- http://blog.dynamoo.com/2015/12/malware-spam-uksm-invoice-70146427.html
23 Dec 2015 - "This -fake- financial spam comes with a malicious attachment. It does -not- come from uksafetymanagement .co.uk but is instead a simple forgery.
From: Claire Carey
Date: 23 December 2015 at 12:01
Subject: UKSM Invoice 70146427
Good time of day,
Thank you for choosing UK Safety Management Ltd. to carry out your Portable Appliance Testing.
Please find enclosed your invoice.
Claire Carey...


The sender's name and reference number are randomly generated. Attached is a file in the format invoice29111658.doc which comes in at least -three- different versions... Analysis of the documents is pending. However, this is likely to be the Dridex banking trojan. The payload appears to be the -same- as the one found in this spam run*."
* http://blog.dynamoo.com/2015/12/malware-spam-fw-meridian-acc-no.html
___

Fake 'chasing payment' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/real-...ed-word-doc-or-excel-xls-spreadsheet-malware/
23 Dec 2015 - "An email with the subject of 'REAL Digital chasing payment 6910.47' pretending to come from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/REAL-Digital-chasing-payment-1024x589.png

23 December 2015: invoice21891491.doc - Current Virus total detections 2/53*
ReverseIt analysis** is inconclusive and doesn’t show any payload. However, it is likely to be the Dridex banking trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...fdefd2adb621ffcd5d56dc57/analysis/1450873320/

** https://www.reverse.it/sample/d6878...72b0700b7975f05f7cdd79af3db50?environmentId=4
___

Tis the season for shipping and phishing
- https://securelist.com/blog/phishing/73174/tis-the-season-for-shipping-and-phishing/
Dec 23, 2015 - "... delivery services send email notifications and provide shipment tracking systems. However, this type of communication also creates the ideal conditions for cybercriminals to send phishing messages in the name of major delivery services, and we end up with an increase in the number of these messages. The fraudsters have a clear aim: to trick unwitting users into downloading a malicious program or entering their confidential data on a phishing site. For example, one scam message detected by Kaspersky Lab asked the user to fill in and sign a delivery form in order to receive a shipment. The message had a DOC file attached to it containing the exploit Exploit.MSWord.Agent.gg, which allowed the cybercriminal to, among other things, gain remote access to the infected computer:
> https://securelist.com/files/2015/12/shipping_phishing_eng_1.png
In another -scam- message the fraudsters write that the shipment is already at a DHL office, but the courier cannot deliver it because the delivery address is unclear. The recipient is asked to follow a link within 48 hours and enter the shipment number on the tracking page; otherwise, the shipment will be returned to the sender:
> https://securelist.com/files/2015/12/shipping_phishing_eng_2.png
A closer inspection reveals that none of the links in the message lead to the DHL site; instead they all point to the same URL packed with the help of a URL shortening service. Another typical fraudster trick is also used in the email – the victim is warned there is a limited amount of time to react (in this case, 48 hours). If the user fails to follow the link in time, the shipment will be returned to the sender. The plan is simple – distract users with warnings about the urgency of doing something quickly rather than giving them time to think things through logically. If unwitting users follow the link, they are taken to a specially crafted site in the corporate style of DHL, and are prompted to type in their login credentials to enter the shipment tracking system:
> https://securelist.com/files/2015/12/shipping_phishing_eng_3.png
... A similar situation exists around FedEx, another large delivery service provider. Kaspersky Lab has detected multiple phishing messages sent in the name of this company:
> https://securelist.com/files/2015/12/shipping_phishing_eng_4.png
There’s nothing new about this scheme – the victim enters account credentials on a crafted site in order to view information about a shipment:
> https://securelist.com/files/2015/12/shipping_phishing_eng_5.png
The fact that this site is -fraudulent- and has nothing to do with FedEx is clear from the URL in the browser address bar. The conclusion that can be made from the examples given above is that you shouldn’t be too trusting or inattentive while you are online. Never follow links in email messages; it’s safer if you manually type the URL of the required site in your browser address bar. Whenever a page prompts you to enter confidential data, always check the URL in the address bar first. If anything looks suspicious in the URL or in the website design, think-twice before entering any personal data. Last but not least, always keep your security software up to date; it should also include an anti-phishing tool that will help you keep your data confidential, and your money safe. That way, you will be in a good mood for the holidays."
___

Joomla 3.4.7 released
- https://www.joomla.org/announcements/release-news/5643-joomla-3-4-7-released.html
21 Dec 2015 - "Joomla! 3.4.7 is now available. This is a -security- release for the 3.x series of Joomla which addresses a -critical- security vulnerability and one low-level security vulnerability. We strongly recommend that you update your sites immediately. This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.6 release..."

Installing Joomla
> https://docs.joomla.org/J3.x:Installing_Joomla

Upgrade Packages
> https://github.com/joomla/joomla-cms/releases/tag/3.4.7

- https://www.us-cert.gov/ncas/current-activity/2015/12/22/Joomla-Releases-Security-Update-CMS
Dec 22, 2015

Domain renewal SCAM , PayPal,Tesco bank phish

FYI...

Domain renewal SCAM
- http://myonlinesecurity.co.uk/domain-renewal-scam/
24 Dec 2015 - "Many (almost all of us) that have websites and .com domain names and haven’t chosen to use domain privacy will regularly get -scam- messages like this one, trying to fool us into thinking we have to pay these scammers to renew our domain name. They deliberately make it look & sound like a genuine domain renewal and hope that you won’t look carefully at the small print and see it is an SEO scam.
-Don’t- pay it and dump it in the bin:
Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/seo_domain_scam.png "
___

PayPal phish ...
- http://myonlinesecurity.co.uk/your-access-is-restricted-✔-paypal-phishing/
24 Dec 2015 - "A slightly different PayPal phishing spam run today saying 'Your Access Is restricted ✔' pretending to come from PayPal <jhon@ cilegonfab.co.id>. There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card, with a message saying something like:
Urgent: Your card has been stopped !
Your Access Is restricted ✔
Your PayPal account has been limited
You sent a payment of $xxxx USD/GBP/ Euro to some company or person
There have been unauthorised or suspicious attempts to log in to your account, please verify
Your account has exceeded its limit and needs to be verified
Your account will be suspended !
You have received a secure message from < your bank>
We are unable to verify your account information
Update Personal Information
Urgent Account Review Notification
We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
Confirmation of Order
...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/Your-Access-Is-restricted-1024x773.png

The link in this case goes to https ://updateinfo .fwd.wf/gb-uk/scr/?q=login&email=youremail@example .com
Note: the HTTPS Secure SSL login which is unusual for a phishing site and shows the effort that the phishers are starting to go to, in order to persuade you to give them your details:
> http://myonlinesecurity.co.uk/wp-co...cess-is-restricted_-paypal-phish-1024x575.png
Which is a typical phishing page that looks very similar to a genuine PayPal log in page, if you don’t look carefully at the URL in the browser address bar. One feature of note is the way the phishers try to block known anti-phishing or antivirus companies from getting to the page. I used the default email address they conveniently inserted and invented a random password and ended up with this 404 page... If I use a “genuine” email with a random password, I get this page (split into 2 screenshots for clarity):
> http://myonlinesecurity.co.uk/wp-co...ss-is-restricted_-paypal-phish_3-1024x541.png
...
> http://myonlinesecurity.co.uk/wp-co...ss-is-restricted_-paypal-phish_4-1024x568.png
... This one wants your personal details, your Paypal account log in details and your credit card and bank details along with mother’s maiden name and other info to steal your identity. Many of them are also designed to specifically steal your facebook and other social network log in details..."
___

Tesco bank phish ...
- http://myonlinesecurity.co.uk/your-recent-attempt-to-transfer-funds-tesco-bank-phishing/
24 Dec 2015 - "An email with the subject 'Your Recent Attempt to Transfer Funds' pretending to come from Tesco Bank is a currently spreading phishing attempt. There are a few major common subjects in a phishing attempt. Lots of them involve your Bank or Credit Card... This particular phishing campaign starts with an email with a link (all the social media icons in the email do go to genuine Tesco bank social media sites or to a company called Payoneer who say “Payoneer empowers global commerce by connecting businesses, professionals, countries and currencies with its innovative cross-border payments platform.”):

Screenshot: http://myonlinesecurity.co.uk/wp-co...Recent-Attempt-to-Transfer-Funds-1024x636.png
Sends you to:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/tesco_cefix_phish-1024x602.png
If you fill in a user name you get a page asking for password and security number:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/tesco_cefix_phish_1-1024x561.png
Fill in that and you get to a typical phishing page. This one wants your personal details, your account log in details and your credit card and bank details. Many of them are also designed to specifically -steal- your email, Facebook and other social network log in details:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/tesco_cefix_phish_2-1024x693.png
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."

Fake 'WhatsApp' SPAM

FYI...

Fake 'WhatsApp' SPAM - malware
- http://myonlinesecurity.co.uk/fake-whatsapp-a-sound-memo-has-been-received-aud-malware/
27 Dec 2015 - "An email appearing to be a WhatsApp notification with the subject of 'A sound memo has been received aud' pretending to come from WhatsApp <peter.kroell@ towncountry .at> (random email addresses) with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...sound-memo-has-been-received-aud-1024x585.png

27 December 2015: mabella12.zip: Extracts to: gully.exe - Current Virus total detections 19/54*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...9dbaab64770b531644aae953/analysis/1451228525/
TCP connections
50.63.202.44: https://www.virustotal.com/en/ip-address/50.63.202.44/information/
98.139.135.129: https://www.virustotal.com/en/ip-address/98.139.135.129/information/
108.166.170.106: https://www.virustotal.com/en/ip-address/108.166.170.106/information/
208.100.26.234: https://www.virustotal.com/en/ip-address/208.100.26.234/information/
141.8.225.124: https://www.virustotal.com/en/ip-address/141.8.225.124/information/
173.201.93.128: https://www.virustotal.com/en/ip-address/173.201.93.128/information/

AMEX, Straight2Bank - Phish

FYI...

AMEX - Phish...
- http://myonlinesecurity.co.uk/confirm-your-account-profile-american-express-phishing-attempt-fail/
28 Dec 2015 - "... An email with the subject of 'Confirm Your Account Profile! 12/28/2015' pretending to come from American Express Online <narobiprojectors@ inbox .com> (I have received several this afternoon/evening, all pretending to come from different names @ inbox .com)...

Screenshot: http://myonlinesecurity.co.uk/wp-co...-Your-Account-Profile-12-28-2015-1024x563.png

The -attached- HTML page which is complete with bad spelling mistakes and looks glaringly wrong would attempt to send your information (-if- you were unwise enough to fill in the page) to
http ://fantasticvacationhomes .com/verification3.php
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/bad-amex-phish-1024x693.png "

fantasticvacationhomes .com: 192.185.141.50: https://www.virustotal.com/en/ip-address/192.185.141.50/information/
___

Straight2Bank - Phish...
- http://myonlinesecurity.co.uk/straight2bank-website-changes-phishing/
28 Dec 2015 - "An email saying 'Straight2Bank Website changes' pretending to come from Straight2Bank <Milan.Colquhoun@ s2b.standardchartered .com> is one of today’s phishing attempts. I have received loads of these this morning and they are using several -different- phish sites... The link in the email directs you to a -fake site-, if you look at the fake website, you would be very hard-pressed to tell the difference from the fake one and the genuine site. The -only- way is to look at the address bar and in the -Genuine- bank site, when using Internet Explorer the entire address bar is in green. (in Chrome or Firefox, only the padlock symbol on the left of the browser is green):

Screenshot: http://myonlinesecurity.co.uk/wp-co...sible-Irregular-Account-Activity-1024x758.png

... previous versions of phish attempts against this bank they only asked for passwords, log in details and pin numbers and didn’t ask for any other personal information... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."

Most vulnerabilities in 2015

FYI...

Most vulnerabilities in 2015: Mac OS X, iOS, and Flash
- http://venturebeat.com/2015/12/31/s...lnerabilities-in-2015-mac-os-x-ios-and-flash/
Dec 31, 2015 - "Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apple’s Mac OS X, with 384 vulnerabilities. The runner-up? Apple’s iOS, with 375 vulnerabilities. Rounding out the top five are Adobe’s Flash Player, with 314 vulnerabilities; Adobe’s AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities.
For comparison, last year the top five (in order) were: Microsoft’s Internet Explorer, Apple’s Mac OS X, the Linux Kernel, Google’s Chrome, and Apple’s iOS. These results come from CVE Details*, which organizes data provided by the National Vulnerability Database (NVD). As its name implies, the Common Vulnerabilities and Exposures (CVE) system keeps track of publicly known information-security vulnerabilities and exposures... the 2015 list of the top 50 software products** in order of total distinct vulnerabilities..."
* http://www.cvedetails.com/top-50-vendors.php?year=2015

** http://1u88jj3r4db2x4txp44yqfj1.wpe...p-content/uploads/2015/12/cve_top_50_2015.png

Top 50 list of products categorized by company - Graphic:
> http://1u88jj3r4db2x4txp44yqfj1.wpe...t/uploads/2015/12/cve_top_50_company_2015.png

Evil network: 199.195.196.176/29, Javascript Ransomware

FYI...

Evil network: 199.195.196.176/29...
- http://blog.dynamoo.com/2016/01/evil-network-19919519617629-roman.html
4 Jan 2016 - "199.195.196.176/29 is a small bunch of IPs hosting browser-hijacker sites, belonging to Hosting Services, Inc. in Utah and suballocated to a customer. Several domains are flagged by Google as leading to PUAs or malware [1] [2] [3] [4] [5] [6], and almost all those domains also have anonymous registrations... Blocking 199.195.196.176/29 or monitoring traffic to it might detect infected hosts that appear to have a bunch of per-install crapware and other stuff installed."
(More detail at the dynamoo URL above.)
1] https://www.google.com/transparency...gnostic/index.html#url=yourfiledownloader.biz

2] https://www.google.com/transparencyreport/safebrowsing/diagnostic/index.html#url=smile-files.com

3] https://www.google.com/transparencyreport/safebrowsing/diagnostic/index.html#url=express-files.com

4] https://www.google.com/transparency...gnostic/index.html#url=yourfiledownloader.com

5] https://www.google.com/transparencyreport/safebrowsing/diagnostic/index.html#url=down4loading.net

6] https://www.google.com/transparency...nostic/index.html#url=yourfile-downloader.net

> http://centralops.net/co/DomainDossier.aspx
network:Network-Name:Dedicated Server
network:IP-Network:199.195.196.176/29
network:IP-Network-Block:199.195.196.176 - 199.195.196.183
network:Org-Name:Alyabiev, Roman
network:Street-Address:pr. Molodeznoi 7 kv. 101
network:City:Kemerovo
network:State:
network:Postal-Code:650044
network:Country-Code:RU ...
___

Ransom32: The first javascript ransomware
- https://isc.sans.edu/diary.html?storyid=20569
2016-01-04 - "... new variant and this one has been built using javascript. This malware -fakes- the NW.js framework. Once installed, it connects to its C&C server on TOR network port 85 to get the bitcoin address and the crypto key used for encryption. This trend is not new and we have seen how malware is being built to be more and more sophisticated to avoid being detected by any antimalware control at the endpoint. You have to integrate endpoint security with network security and correlate any possible alerts that might indicate an incident happening, like a computer being connected to TOR network."
More info at: http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/

Fake 'Invoice', 'Penalty Charge Notice', 'Payment notification' SPAM, Facebook Phish

FYI...

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malware-spam-invoice-205611-49934798.html
6 Jan 2016 - "This -fake- financial spam has a malicious attachment. The sender's names, reference numbers and attachment names vary. Here is one example:
From: Bertha Sherman
Date: 6 January 2016 at 09:29
Subject: Invoice-205611-49934798-CROSSHILL SF
Dear Customer,
Please find attached Invoice 02276770 for your attention.
Should you have any Invoice related queries please do not hesitate to
contact either your designated Credit Controller or the Main Credit Dept. on
01635 279370.
For Pricing or other general enquiries please contact your local Sales Team.
Yours Faithfully,
Credit Dept' ...


I have seen at least -four- different attachments with names in a format similar to invoice40201976.doc... Malwr reports... show that the malware contained within POSTs to:
37.46.130.53 /jasmin/authentication.php
179.60.144.21 /jasmin/authentication.php
195.191.25.138 /jasmin/authentication.php
Those reports also show communication to other suspect IPs, giving:
94.158.214.45 (Noviton Ltd , Russia)
78.47.119.93 (Hetzner, Germany)
2.61.168.116 (Sibirtelecom, Russia)
37.46.130.53 (JSC Server, Russia)
179.60.144.21 (Veraton Projects Ltd, Netherlands)
195.191.25.138 (Hostpro Ltd, Ukraine)
This Hybrid Analysis* also shows similar characteristics. The macro drops a file tsx3.exe with a detection rate of 7/55**. The Malwr report*** doesn't give any particular insight as to what this is, but it is likely to be a banking trojan or ransomware. There are two other similar spam campaigns at the same time [1] [2], one of which POSTs to a McHost .RU IP in Russia:
109.234.34.224 /jasmin/authentication.php ...
Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224
"
* https://www.hybrid-analysis.com/sam...297f192d2f57e34a8107f1aea5300?environmentId=2

** https://www.virustotal.com/en/file/...0c818dcfb77261e14d8de933/analysis/1452075219/

*** https://malwr.com/analysis/MmFjNGZjZjllOWVlNDFlNTlhYzcxNDlkMmRhMmZjZWY/

1] http://blog.dynamoo.com/2016/01/malware-spam-invoice-for-ia20114520.html

2] http://blog.dynamoo.com/2016/01/malware-spam-payment-notification-from.html

- http://myonlinesecurity.co.uk/invoi...sf-word-doc-or-excel-xls-spreadsheet-malware/
6 Jan 2016 - "An email with the subject of 'Invoice-205611-88038421-CROSSHILL SF' coming from random email addresses and senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

6 January 2016: invoice88038421.doc - Current Virus total detections 2/56*
MALWR** shows tsx3.exe downloaded from http :// 37.46.130.53/jasmin/authentication.php (VirusTotal 6/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...6673563c0ecff0b083e8b284/analysis/1452072516/

** https://malwr.com/analysis/YTI1YTcwNjdmZjExNDM5YTk0YzNkZDI1YzExMWZjNGY/

*** https://www.virustotal.com/en/file/...0c818dcfb77261e14d8de933/analysis/1452073223/
___

Fake 'Penalty Charge Notice' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malware-spam-invoice-for-ia20114520.html
6 Jan 2016 - "This -fake- financial spam comes with a malicious attachment. The sender's name, reference numbers and attachment names vary. It seems to be closely related to this spam run*.
From: Viola Carrillo
Date: 6 January 2016 at 09:53
Subject: Invoice for IA20114520
To Whom It May Concern,
Please find attached an invoice relating to Penalty Charge Notice Number IA20114520 along with a copy of the contravention.
In order to prevent this fine from escalating further we have paid this fine on your behalf. Should you have any queries concerning these charges please don’t hesitate to contact me.
Payment for this invoice will be taken by Direct Debit 9 working days from the date of this email.
Please refer to page 2, point 3.6 in your Terms and Conditions for information on Traffic Offences.


I have seen two variants of the attachment (VirusTotal results [1] [2]) and these two Malwr reports [3] [4] indicate identical characteristics to the payload in this spam run* which is also being sent out today."
* http://blog.dynamoo.com/2016/01/malware-spam-invoice-205611-49934798.html

1] https://www.virustotal.com/en/file/...078e38ffefe3e959d92edc70/analysis/1452076482/

2] https://www.virustotal.com/en/file/...df47a048ce8f1609d56e1174/analysis/1452076495/

3] https://malwr.com/analysis/NTIyNzhmYmUxOWQyNDY0MTlmZWNiZDFhMGY0OWUxNGQ/
195.191.25.138
78.47.119.93
13.107.4.50


4] https://malwr.com/analysis/YWZjODliMmRkYjVjNGFhZDkzM2FmOGNmMDYwMzNlNWQ/
195.191.25.138
78.47.119.93
13.107.4.50


- http://myonlinesecurity.co.uk/invoice-for-ia20122439-word-doc-or-excel-xls-spreadsheet-malware/
6 Jan 2016 - "The second of today’s Dridex downloaders... pretends to be a penalty-charge-notification is an email with the subject of 'Invoice for IA20122439' (random numbers) pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

6 January 2016 : invoice20122439.doc - Current Virus total detections 2/56*
MALWR** shows us a download of tsx3.exe from http :// 109.234.34.224/jasmin/authentication.php
... this is the -same- Dridex payload as described in today’s slightly earlier Malspam run***..."
* https://www.virustotal.com/en/file/...3a2605ab25f002343690ff27/analysis/1452076028/

** https://malwr.com/analysis/MWFhNTVjZGI2NTI0NDUwMWFjZjVkYzhmNjFkY2JjZjc/
109.234.34.224
78.47.119.93
13.107.4.50


*** http://myonlinesecurity.co.uk/invoi...sf-word-doc-or-excel-xls-spreadsheet-malware/
___

Fake 'Payment notification' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/payme...ed-word-doc-or-excel-xls-spreadsheet-malware/
6 Jan 2016 - "The Third of today’s Dridex downloaders... pretends to be an energy statement is an email with the subject of 'Payment notification from Third Energy Services Limited' coming from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Blair Maldonado <MaldonadoBlair76939@ ewb-mn .org>
Date: Wed 06/01/2016 10:29
Subject: Payment notification from Third Energy Services Limited
Body content:
Payment notification from Third Energy Services Limited
Third Energy Services Limited
Registered in England & Wales. Registered number: 50380220.
Registered office: 7th Floor. Portland House, Bressenden Place, London, UK, SW1E 5BH
Tel: 01944 759904 ot 0207 0420 800
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Third Energy. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone...


6 January 2016: remit50380220.doc - Current Virus total detections 2/55*
MALWR** once again shows a download of tsx3.exe from http :// 195.191.25.138/jasmin/authentication.php which is the -same- Dridex banking malware as described in today’s earlier malspam runs [1] [2]..."
* https://www.virustotal.com/en/file/...4f21972b81db63778a5f2c49/analysis/1452076128/

** https://malwr.com/analysis/ZmUwNWIzMjk5NDg0NDlkNDgzMGMyZWY0NWM2YmMxMjM/
195.191.25.138
94.158.214.45
78.47.119.93
13.107.4.50
2.61.168.116


1] http://myonlinesecurity.co.uk/invoice-for-ia20122439-word-doc-or-excel-xls-spreadsheet-malware/

2] http://myonlinesecurity.co.uk/invoi...sf-word-doc-or-excel-xls-spreadsheet-malware/

- http://blog.dynamoo.com/2016/01/malware-spam-payment-notification-from.html
6 Jan 2016 - "This -fake- financial email comes with a malicious attachment.
From: Addie Caldwell
Date: 6 January 2016 at 10:31
Subject: Payment notification from Third Energy Services Limited
Payment notification from Third Energy Services Limited...


... -three- different versions of the attachment (in the format remit85752524.doc or similar)... similar characteristics to this spam run* plus this additional URL:
109.234.34.224 /jasmin/authentication.php
This IP is allocated to McHost .RU in Russia and can be considered as malicious. The payload is unknown, but is possibly Dridex.
Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224
"
* http://blog.dynamoo.com/2016/01/malware-spam-invoice-205611-49934798.html
___

Fake 'BACS PAYMENT' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malware-spam-sta19778072-bacs-payment.html
6 Jan 2016 - "This -fake- financial spam comes with different sender names, reference details and attachment names. However, in all cases the attachment is malicious.
From: Forrest Cleveland
Date: 6 January 2016 at 11:23
Subject: STA19778072 - BACS PAYMENT
Importance: High
Hello,
Wasn’t sure who to email.
I don’t know if you have been asked but Statestrong Products Ltd are making one payment today for two cars. Could you let me know when it is in the account please as these are both collections tomorrow...


So far I have seen -three- different attachment variants... same general characteristics as this spam run*. However in this case the dropped file tsx3.exe has been updated and the -new- version has a detection rate of 6/54**. The Malwr report*** indicates very similar traffic to before.
Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224
"
* http://blog.dynamoo.com/2016/01/malware-spam-invoice-205611-49934798.html

** https://www.virustotal.com/en/file/...2dffa979018dbddb29356e9d/analysis/1452080581/

*** https://malwr.com/analysis/NjUyZjQ4YTUyMjc4NDkyNzkzY2E2N2I1NjIxYjcyNTc/
78.47.119.93
165.254.102.181


- http://myonlinesecurity.co.uk/sta37626091-bacs-payment-word-doc-or-excel-xls-spreadsheet-malware/
6 Jan 2016 - "The 4th of today’s Dridex malspam downloaders... email with the subject of 'STA37626091 – BACS PAYMENT' (random numbers) coming from random email addresses and senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2016/01/STA37626091-BACS-PAYMENT-1024x535.png

6 January 2016: remit37626091.doc - Current Virus total detections *
MALWR** shows us it once again downloads tsx3.exe which looks like Dridex banking malware from http :// 37.46.130.53/jasmin/authentication.php (VirusTotal ***). This looks like an updated version from earlier, but Dridex is known to update at frequent intervals throughout the day, often as frequently as -hourly- ..."
* https://www.virustotal.com/en/file/...e3ad43c0d9c62de20549f1b6/analysis/1452079135/

** https://malwr.com/analysis/MjEyZjhkOWI0YzlhNGZjNjg3YzgyMTY2NzAzODk3NTA/
37.46.130.53
78.47.119.93
13.107.4.50


*** https://www.virustotal.com/en/file/...2dffa979018dbddb29356e9d/analysis/1452078831/
___

Fake 'Unilet Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malware-spam-unilet-invoice-67940597.html
6 Jan 2016 - "This fake invoice seems to be a bit confused as to who is sending it. It has a malicious attachment.
From: Desiree Doyle
Date: 6 January 2016 at 12:29
Subject: Unilet Invoice 67940597
Hello,
Please find attached another invoice to pay please by BACS.
Thanks
Desiree Doyle
Accounts Department
-----Original Message-----
From: Desiree Doyle
Sent: 06 January 2016 12:30
To: Desiree Doyle
Subject: Scanned from a Xerox Multifunction Device
Please open the attached document. It was scanned and sent to you using a Xerox Multifunction Device.
Attachment File Type: pdf, Multi-Page
Multifunction Device Location: Melbury House-MG01
Device Name: 7225 ...


The attachment has a random name in the format remit41071396.doc and I have seen -three- different versions with quite low detection rates [1] [2] [3]. The Malwr reports for these [4] [5] [6] indicate that it has the -same- behaviour as the spam documented here*, dropping a file tsx.exe ..."
1] https://www.virustotal.com/en/file/...8907dc1fccb1fdc28fc1cef4/analysis/1452084584/

2] https://www.virustotal.com/en/file/...982ff604ff75bd3b97cbcb0b/analysis/1452084616/

3] https://www.virustotal.com/en/file/...2f453642a183792d09db299e/analysis/1452084631/

4] https://malwr.com/analysis/Yjk3ZWRhYTEyZjU3NDQ2ZmJhMmMwZWQ3NWI1ZDQ5MGQ/
37.46.130.53
2.61.168.116
78.47.119.93
13.107.4.50
94.158.214.45


5] https://malwr.com/analysis/NmZmMTM2MzE5NTQ2NGExNGEyN2U1ZTU4YTNhNzVmNjY/
179.60.144.21

6] https://malwr.com/analysis/YjE1NzljMWJhOWYzNGVlYTk4NzBmM2EwNGE4NzQxZDU/
37.46.130.53
78.47.119.93
13.107.4.50


* http://blog.dynamoo.com/2016/01/malware-spam-invoice-205611-49934798.html

- http://myonlinesecurity.co.uk/unile...vice-bournemouth-university-word-doc-malware/
6 Jan 2016 - "Yet another Dridex downloader coming in an email with the subject of 'Unilet Invoice 58520927' (random numbers) pretending to come from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2016/01/Unilet-Invoice-58520927-1024x518.png

6 January 2016: remit58520927.doc - Current Virus total detections 2/56*
MALWR** once again shows us tsx3.exe being downloaded from http :// 37.46.130.53/jasmin/authentication.php (VirusTotal 6/54***) -Same- Dridex Banking malware as THIS earlier malspam[4]..."
* https://www.virustotal.com/en/file/...733b2faa279eaddc4f576079/analysis/1452083864/

** https://malwr.com/analysis/NTM3Yzg2MmQzNDgwNDljZmI3OGE5M2JjYjk5ODBlNGI/
37.46.130.53
78.47.119.93
13.107.4.50


*** https://www.virustotal.com/en/file/...2dffa979018dbddb29356e9d/analysis/1452083988/

4] http://myonlinesecurity.co.uk/sta37626091-bacs-payment-word-doc-or-excel-xls-spreadsheet-malware/
___

Facebook “Page Disabled” Phish - wants your Card Details
- https://blog.malwarebytes.org/fraud...-page-disabled-phish-wants-your-card-details/
Jan 6, 2016 - "Fake Facebook Security pages are quite a common sight, and there’s a “Your page will be disabled unless…” -scam- in circulation at the moment on random Facebook comment sections which you should steer clear of. The scam begins with a message like this:
Warning!!!
Your page will be disabled.
Due to your page has been reported by other users.
Please re-confirm your page in order to avoid blocking. You violate our terms of service. If you are the original owner of this account, please re-confirm your account in order to avoid blocking.

If the multiple exclamation marks and generally terrible grammar didn’t give the game away, the following request certainly might:
To complete your pages account please confirm Http below:
https(dot)lnkd(dot)in/bNF9BUY?Facebook.Recovery.page
"Attention"
If you do not confirm, then our system will automatically block your account and you will not be able to use it again.
Thank you for the cooperation helping us improve our service.
The Facebook Team


... Google Safe Browsing flags the final destination as a dubious website: and fires up a “Deceptive site ahead” warning:
> https://blog.malwarebytes.org/wp-content/uploads/2016/01/fakefacebook1.jpg
... After harvesting your Facebook credentials, they then go after payment information:
> https://blog.malwarebytes.org/wp-content/uploads/2016/01/fakefacebook3.jpg
... Should the victim enter their information and hit the button, they’ll be forwarded on to the real Facebook Security Facebook page. There’s also a “Confirm Paypal” button which leads to a phish for -that- service, too:
> https://blog.malwarebytes.org/wp-content/uploads/2016/01/fakefacebook4.jpg
The above page is located at:
report-fanpage(dot)gzpot(dot)com/Next/paypal(dot)com(dot)htm
Make no mistake, this is one phishing scam that could cost you a lot more than your Facebook login. Should you be sent any attempts at panicking you into entering your logins on a so-called “Security Page”, you should give both destination URL and comment sender a very wide berth."

> https://www.virustotal.com/en/url/f...34952e4acde35a27d2d40547f795ba7d6a8/analysis/

report-fanpage.gzpot .com: 31.170.166.81: https://www.virustotal.com/en/ip-address/31.170.166.81/information/
> https://www.virustotal.com/en/url/a...0ffc025cef3e600002a2642ac79554796a9/analysis/

___
Malvertising - CryptoWall, Fake 'Angel Springs', 'Ibstock Group Invoice' SPAM

FYI...

Malvertising - Pop-under Ads sends CryptoWall4
- https://blog.malwarebytes.org/malve...ampaign-via-pop-under-ads-sends-cryptowall-4/
Jan 7, 2016 - "We have caught a new malvertising campaign on the PopAds network launching the Magnitude exploit kit via pop-under ads. A pop-under is an ad window that appears behind the main browser window and typically remains open until the user manually closes it. Unsuspecting victims running -outdated- versions of the Flash Player were immediately infected with the CryptoWall ransomware. This campaign started around January 1st with ads mostly placed on various adult and video streaming sites and lead to an increase in Magnitude EK activity. Infection flow overview:
serve.popads .net/servePopunder.php?cid={redacted}
{redacted}.name/
Magnitude EK domain ...
According to our data, this attack mainly targeted European users:
> https://blog.malwarebytes.org/wp-content/uploads/2016/01/graphic.png
CryptoWall 4 infection: Once a system is infected, personal files are encrypted and unusable as indicated in the dreaded CryptoWall ransom page:
> https://blog.malwarebytes.org/wp-content/uploads/2016/01/ransompage.png
To recover pictures, documents and other important files, users are asked to pay in order to receive a “decryption” key... Prevention: Ransomware is one particular type of malware where prevention and backups are more important than ever. Since this particular attack relies on web exploits to infect the machine, it is crucial to keep your browser and related plugins up-to-date. You may also want to consider disabling or removing the Flash Player altogether since it has suffered a high number of zero-day exploits in recent history (even the latest version was vulnerable)..."
popads .net: 184.154.76.140: https://www.virustotal.com/en/ip-address/184.154.76.140/information/

- http://www.csoonline.com/article/30...sed-a-free-certificate-from-lets-encrypt.html
Jan 7, 2016
___

Fake 'Angel Springs' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malware-spam-your-latest-documents-from.html
7 Jan 2016 - "This -fake- financial spam comes with a malicious attachment. The name of the sender varies, as does the reference number in the subject field that matches the attachment name.
From: Leonor Stevens
Date: 7 January 2016 at 10:13
Subject: Your Latest Documents from Angel Springs Ltd [1F101177]
Dear Customer,
Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we've invested in upgrading our billing systems to make things a little easier for you.
Here's a few ways we've made it easier for you:
Your new documents are now attached to your email. You don't have to follow a link now to get to your documents...


The three samples I have sent for analysis... show an initial communication with:
176.103.62.108 /ideal/jenny.php
91.223.88.205 /ideal/jenny.php
These IPs belong to:
176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
I note that 91.223.88.204 also hosts some bad things.. and the entire 176.103.48.0/20 block has a history of evil-ness... Note that there are probably other download locations. Check back later if you are interested.
These malicious documents drop a binary geroin.exe which has a detection rate of 3/54*. The Malwr report** for this shows it phoning home to:
78.47.119.93 (Hetzner, Germany)...
Recommended blocklist:
176.103.48.0/20
91.223.88.204/30
78.47.119.93
"
* https://www.virustotal.com/en/file/...1c1a58a3b76b522b0539403d/analysis/1452162035/

** https://malwr.com/analysis/NGY4M2MzMWQzYjE1NDczYjgzMjVkODdjZTdmZGM4NDQ/

- http://myonlinesecurity.co.uk/your-...f1-word-doc-or-excel-xls-spreadsheet-malware/
7 Jan 2016 - "... an email with the subject of 'Your Latest Documents from Angel Springs Ltd [090190F1]' (random characters) pretending to come from random names and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From:Shanna Bolton <BoltonShanna6995@ dsldevice .lan>
Date:Thu 07/01/2016 08:57
Subject: Your Latest Documents from Angel Springs Ltd [090190F1] ...
Dear Customer,
Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we’ve invested in upgrading our billing systems to make things a little easier for you.
Here’s a few ways we’ve made it easier for you:
Your new documents are now attached to your email. You don’t have to follow a link now to get to your documents...


7 January 2016: 090190F181854503.doc - Current Virus total detections 2/54*
... downloads geroin.exe which looks like Dridex banking malware from http ://91.223.88.205 /ideal/jenny.php (VirusTotal 3/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...d8d266edef9d054173356f25/analysis/1452161327/

** https://www.virustotal.com/en/file/...1c1a58a3b76b522b0539403d/analysis/1452162035/
___

Fake 'Ibstock Group Invoice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/ibsto...80-word-doc-or-excel-xls-spreadsheet-malware/
7 Jan 2016 - "... an email with the subject of 'Invoice 38178369 19/12 4024.80' pretending to come from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2016/01/Invoice-38178369-1912-402480-1024x746.png

7 January 2016: invoice38178369.doc - Current Virus total detections *
Downloads the -same Dridex banking malware from http ://193.201.227.12 /ideal/jenny.php as described in this slightly earlier post:
> http://myonlinesecurity.co.uk/your-...f1-word-doc-or-excel-xls-spreadsheet-malware/
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...2dada7dbd9f7b399831ef0ff/analysis/1452163655/

- http://blog.dynamoo.com/2016/01/malware-spam-invoice-01147665-1912.html
7 Jan 2016 - "This -fake- financial spam is not from the Ibstock Group but instead contains a malicious attachment. It is closely related to this spam* which was sent out earlier today.
From: Amber Smith
Date: 7 January 2016 at 10:38
Subject: Invoice 01147665 19/12 £4024.80 ...
Many thanks for the payment. There’s just one invoice that hasn’t been paid and doesn’t seem to have a query against it either.
Its invoice 01147665 19/12 £4024.80 P/O ETCPO 35094
Can you have a look at it for me please?
Thank-you !
Kind regards
Amber Smith
Credit Control
Finance Department
Ibstock Group ...


The sender's name varies, as does the reference number which matches the name of the attachment. I have seen three unique samples so far... show these documents communicating with:
193.201.227.12/ideal/jenny.php
91.223.88.205/ideal/jenny.php
176.103.62.108/ideal/jenny.php
IPs are allocated to:
176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
193.201.227.12 (PE Tetyana Mysyk, Ukraine)
As before, a binary geroin.exe is dropped which communicates with:
78.47.119.93 (Hetzner, Germany)
The payload is the Dridex banking trojan. The recommended blocklist and sample MD5s can be found in this post*."
* http://blog.dynamoo.com/2016/01/malware-spam-your-latest-documents-from.html
___

Fake 'Close Invoice Finance Limited' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malware-spam-close-invoice-finance.html
7 Jan 2016 - "This fake financial spam comes with a malicious attachment:
From: Carey Cross
Date: 7 January 2016 at 11:35
Subject: Close Invoice Finance Limited Statement 1/1
Dear Customer,
Please find attached your latest statement from Close Brothers Invoice Finance.
Your username is 05510/0420078
Your password should already be known to you...
Regards
Close Brothers Invoice Finance


The sender's name will vary, as will the attachment name. I have only seen a single sample at the moment with a detection rate of 2/54*. Functionally, the payload is identical to that found in this earlier spam run**, and it drops the Dridex banking trojan."
* https://www.virustotal.com/en/file/...885f4e0e717a0051e736bfa2/analysis/1452167385/

** http://blog.dynamoo.com/2016/01/malware-spam-your-latest-documents-from.html

- http://myonlinesecurity.co.uk/close...11-word-doc-or-excel-xls-spreadsheet-malware/
7 Jan 2016 - "... an email with the subject of 'Close Invoice Finance Limited Statement 1/1' pretending to come from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

7 January 2016: invEF362145.doc - Current Virus total detections 2/56*
Downloads the -same- Dridex banking malware from http :// 193.201.227.12/ideal/jenny.php as described in today’s earlier posts [1] [2]..."
* https://www.virustotal.com/en/file/...50cb74f40e07bd4c3f792971/analysis/1452168289/

1] http://myonlinesecurity.co.uk/ibsto...80-word-doc-or-excel-xls-spreadsheet-malware/

2] http://myonlinesecurity.co.uk/your-...f1-word-doc-or-excel-xls-spreadsheet-malware/

___
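The posts above (Unilet, Angel Springs, Ibstock Group, Close Invoice Finance) all boil down to the same pattern: a macro document fetches a stage-one URL on a small set of Ukrainian IPs (/ideal/jenny.php, /jasmin/authentication.php), drops a binary (geroin.exe, tsx.exe, tsx3.exe, hram.exe) and phones home to 78.47.119.93. The script below is an added example, not code from dynamoo or myonlinesecurity, that turns the recommended blocklists and URL paths quoted in this thread into a quick sweep over web-proxy logs. The indicator list is transcribed from the posts; the log format (timestamp, client IP, method, URL, status) and the sample log lines are constructed for the example and are not real traffic.

```python
"""Sweep proxy logs for the Dridex downloader / C2 indicators quoted in this thread.

Indicator values are transcribed from the dynamoo and myonlinesecurity posts
(Jan 2016).  The log layout and SAMPLE_LOG are constructed for this example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Recommended blocklists from the posts (hosts are given as /32 networks so
# single IPs and CIDR ranges can be matched the same way).
BLOCKLIST_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "176.103.48.0/20",    # Angel Springs / Ibstock downloader hosts (Ukraine)
        "91.223.88.204/30",
        "193.201.227.12/32",  # Ibstock / Close Invoice Finance downloader
        "37.46.130.53/32",    # Unilet tsx3.exe downloader
        "194.28.84.79/32",    # DSV hram.exe downloader (Hostpro, Ukraine)
        "78.47.119.93/32",    # second-stage phone-home (Hetzner, Germany)
        "114.215.108.157/32", # UKFast / E-Service phone-home (Aliyun, China)
        "5.189.216.10/32",    # Kaseya downloader hosts
        "77.246.159.154/32",
        "109.234.39.0/24",
    )
]

# Stage-one download paths seen in the Malwr reports.
DOWNLOAD_PATHS = (
    "/ideal/jenny.php",
    "/jasmin/authentication.php",
    "/softparade/spanish.php",
    "/montana/login.php",
)

# Names of the dropped binaries.
DROPPED_NAMES = ("geroin.exe", "tsx.exe", "tsx3.exe", "hram.exe", "trap.exe", "7tfr6kj.exe")

# Hypothetical proxy log layout: "<timestamp> <client_ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def ip_in_blocklist(host):
    """True if host is an IP literal inside any blocklisted network; names return False."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKLIST_NETWORKS)


def classify(url):
    """Return the list of indicator tags matched by one URL (empty when clean)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    hits = []
    if ip_in_blocklist(host):
        hits.append("blocklisted-ip")
    if path in DOWNLOAD_PATHS:
        hits.append("dridex-downloader-path")
    if path.rsplit("/", 1)[-1].lower() in DROPPED_NAMES:
        hits.append("dridex-payload-name")
    return hits


def scan_log(lines):
    """Parse log lines and return (line_no, url, tags) for each line that matches an indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than guess
        tags = classify(m.group("url"))
        if tags:
            findings.append((n, m.group("url"), tags))
    return findings


# Constructed sample log: one clean request, then the download-and-callback sequence
# from the Angel Springs run.
SAMPLE_LOG = [
    "2016-01-07T10:15:02Z 10.0.0.12 GET http://www.example.com/index.html 200",
    "2016-01-07T10:16:40Z 10.0.0.12 GET http://91.223.88.205/ideal/jenny.php 200",
    "2016-01-07T10:16:41Z 10.0.0.12 POST http://78.47.119.93/ 200",
    "2016-01-07T10:16:42Z 10.0.0.12 GET http://176.103.62.108/ideal/jenny.php 200",
]

if __name__ == "__main__":
    for n, url, tags in scan_log(SAMPLE_LOG):
        print(f"line {n}: {url} -> {', '.join(tags)}")
```

Matching on the URI path as well as the IP matters here: dynamoo notes that more download locations usually turn up later, so a request for /ideal/jenny.php on an IP that is not yet on the list is still worth an alert. Conversely, 78.47.119.93 is flagged on the bare IP alone, which is why both blogs single it out as the critical one to block.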
Fake 'Invoice' SPAM, Malvertisers...

FYI...

Fake 'Invoice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/invoi...gb-word-doc-or-excel-xls-spreadsheet-malware/
8 Jan 2016 - "An email with the subject of 'Invoice from DSV 7FF6AB68, ARIA (UK) LTD, 61694956, Customer ref: ALEX MUNRO, SE/GB' pretending to come from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Melba Schneider <SchneiderMelba36@ euro-net .pl>
Date: Fri 08/01/2016 10:47
Subject: Invoice from DSV 7FF6AB68 , ARIA (U K) LTD, 61694956, Customer ref: ALEX MUNRO, SE/GB
Invoice/Creditnote no.: 7FF6AB68
Total Amount: GBP 60,00
Due Date: 28.01.2016
If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
Please see attached document.
Best Regards
Melba Schneider
DSV Road Limited
Scandinavia House ...


8 January 2016: logmein_pro_receipt.xls - Current Virus total detections 1/54*
MALWR** shows us a download of hram.exe from http :// 194.28.84.79/softparade/spanish.php which looks like Dridex banking malware (VirusTotal 4/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...ac96ff51193d45d8ad02449b/analysis/1452250187/

** https://malwr.com/analysis/NWEyMzUwNWUxNzE0NGM0YjhjOTQzNDc2NDJjOThkYmI/
194.28.84.79
78.47.119.93


*** https://www.virustotal.com/en/file/...7f26d57835ddc0a9bd3b38b0/analysis/1452250858/

- http://blog.dynamoo.com/2016/01/malware-spam-invoice-from-dsv-723a36b7.html
8 Jan 2016 - "This -fake- financial spam is not from DSV Road Limited but is instead a simple forgery with a malicious attachment.
From: Hoyt Fowler
Date: 8 January 2016 at 10:49
Subject: Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB
Invoice/Creditnote no.: 723A36B7
Total Amount: GBP 60,00
Due Date: 28.01.2016
If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
Please see attached document.
Best Regards
Hoyt Fowler
DSV Road Limited
Scandinavia House ...


... In this case, the attachment was named INV-SE723A36B7.doc and had a VirusTotal detection rate of 1/55*. According to this Malwr report**, the sample attempts to download a further component:
194.28.84.79 /softparade/spanish.php
There will most likely be a couple of other download locations too (check back later for more). This IP address belongs to Hostpro in Ukraine. Those other locations are likely to be in Ukraine too. A file named hram.exe is dropped onto the target system with a detection rate of 4/54***. The Malwr report indicates that this communicates with:
78.47.119.93 (Hetzner, Germany)
This is a -critical- IP to block, as we also saw it in use yesterday. The payload is most likely the Dridex banking trojan...
Recommended blocklist:
78.47.119.93
194.28.84.79
"
* https://www.virustotal.com/en/file/...ac96ff51193d45d8ad02449b/analysis/1452252108/

** https://malwr.com/analysis/MjI0NDM4NWVlZGNmNGY0OGI0ZGRiZTFkYTFiY2RmODQ/
194.28.84.79
78.47.119.93


*** https://www.virustotal.com/en/file/...7f26d57835ddc0a9bd3b38b0/analysis/1452252679/
___

'Let’s Encrypt'... abused by Malvertisers
- http://blog.trendmicro.com/trendlab...ets-encrypt-now-being-abused-by-malvertisers/
Jan 6, 2016 - "... the potential for 'Let’s Encrypt' being -abused- has always been present. Because of this, we have kept an eye out for -malicious- sites that would use a Let’s Encrypt certificate. Starting on December 21, we saw activity going to a malvertising server, with traffic coming from users in Japan. This campaign led to sites hosting the Angler Exploit Kit, which would download a banking Trojan (BKDR_VAWTRAK.AAAFV) onto the affected machine:
Daily hits to malvertising server:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/01/Lets-Encrypt-2-01.png
... The malvertisers used a technique called “domain shadowing”. Attackers who have gained the ability to create subdomains under a legitimate domain do so, but the created subdomain leads to a server under the control of the attackers. In this particular case, the attackers created ad.{legitimate domain}.com under the legitimate site... Traffic to this created subdomain was protected with HTTPS and a Let’s Encrypt certificate... The domain hosted an ad which appeared to be related to the legitimate domain to disguise its traffic. Parts of its redirection script have also been moved from a JavaScript file into a .GIF file to make identifying the payload more difficult. Anti-AV code similar to what we found in the September attack is still present. In addition, it uses an open DoubleClick -redirect- ... users should also be aware that a “secure” site is -not- necessarily a safe site, and we also note that the best defense against exploit kits is still keeping software up-to-date to minimize the number of vulnerabilities that may be exploited..."

> http://news.netcraft.com/archives/2...deceptive-ssl-certificates-to-fraudsters.html

> http://news.netcraft.com/wp-content/uploads/2016/09/pie.png

Fraudulent Digital Certificates
- https://technet.microsoft.com/en-us/library/security/2607712.aspx

> https://www.fdic.gov/news/news/financial/2004/fil2704a.html

___
Russian ISP prevents Cisco from Shutting Down Cybercriminal Gang

FYI...

Russian ISP prevents Cisco from Shutting Down Cybercriminal Gang
- http://yro.slashdot.org/story/16/01...s-cisco-from-shutting-down-cybercriminal-gang
Jan 09, 2016 - "Cisco's Talos research team* has managed to identify and partially shut down a cyber-criminal group that is using the RIG exploit kit to infect users with spambots via a malvertising campaign**. Their investigation led them back to Russian ISP Eurobyte, who didn't bother answering critical emails and allowed the campaign to go on even today. In October 2015, Cisco's researchers also thwarted the activity of another group of cyber-criminals that made around $30 million from distributing ransomware."
* http://blog.talosintel.com/2016/01/rigging-compromise.html
Jan 7, 2016 - "... when a provider is notified of malicious activity it is their responsibility to at least acknowledge the abuse and work to validate and, if legitimate, take the system offline. Webzilla did just that in our experience, but Eurobyte has not. This lack of response led Talos to make the decision to blacklist large portions of the provider's network to ensure that our customers are protected since reporting the abuse alone is not enough."

** http://news.softpedia.com/news/unco...shutting-down-cybercriminal-gang-498667.shtml
___

Lloyds Bank - 'update to our mobile banking app' - Phish
- http://myonlinesecurity.co.uk/lloyds-bank-the-update-to-our-mobile-banking-app-phishing-scam/
9 Jan 2016 - "... Today’s example is an email received with a subject of 'UPDATE NOTIFICATION' pretending to come from Lloyds plc <info@ glc .com>. Mobile apps and mobile banking is the new big thing and banks are encouraging users to use mobile banking... This one wants your personal bank log-in details in order to steal all your money. Many of them are also designed to specifically steal your email, facebook and other social network log in details... The original email looks like this, It will NEVER be a genuine email from Your bank, or any other financial body so don’t ever follow the link or fill in the html (webpage) form that comes attached to the email... If you are unwise enough to follow the link which goes to http ://toxicwingsli .com/op.htm and then -redirects- you to http ://joelcomm .net/wp-content/l10yds/1e9644d8cb4d7dc77c5770ae1b84b3fa/ you see a webpage looking like the genuine Lloyds log in page, look carefully at the url in the top bar and you can see it isn’t Lloyds at all but a fake site:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2015/05/lloyds-bank-tax-refund-phish_webpage1.png

If you still haven’t realised that it is a phishing attempt and give them your username & password, you will be sent to the next page which asks for your memorable information. You then get bounced on to the genuine Lloyds Bank site..."

toxicwingsli .com: 166.62.118.179: https://www.virustotal.com/en/ip-address/166.62.118.179/information/

joelcomm .net: 23.235.226.77: https://www.virustotal.com/en/ip-address/23.235.226.77/information/

___
Fake 'latest invoice', 'E-Service', 'Kaseya Invoice' SPAM

FYI...

Fake 'latest invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malware-spam-your-latest-invoice-from.html
11 Jan 2016 - "This -fake- financial spam does not come from UKFast but is instead a simple -forgery- with a malicious attachment.
From UKFast Accounts [accounts@ ukfast .co.uk]
Date Mon, 11 Jan 2016 11:00:10 +0300
Subject Your latest invoice from UKFast No.1228407


I am unable to determine what the body text is at the moment. In this case, the attachment was named Invoice-1228407.doc and has a VirusTotal detection rate of 3/54*. The Malwr report** shows that the malicious macro... downloads an executable from:
www .vmodal .mx/5fgbn/7tfr6kj.exe
This binary has a detection rate of 2/54***... This Malwr report[4] for the dropped file indicates network traffic to:
114.215.108.157 (Aliyun Computing Co, China)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
* https://www.virustotal.com/en/file/...13cb10625b6c0a7c928aa11b/analysis/1452505104/

** https://malwr.com/analysis/MTliNWQ5Nzc2ZjE5NGUzZmI5MDAzMzgxNGVmYzQyZDU/
185.21.134.14
114.215.108.157
13.107.4.50


*** https://www.virustotal.com/en/file/...f993d912719ae8af8774cd0b/analysis/1452505941/
TCP connections
114.215.108.157: https://www.virustotal.com/en/ip-address/114.215.108.157/information/
8.253.82.158: https://www.virustotal.com/en/ip-address/8.253.82.158/information/
110.77.142.156: https://www.virustotal.com/en/ip-address/110.77.142.156/information/

4] https://malwr.com/analysis/NTYzMjk4ZjlmOGUzNDFlNjliMjYwNTE4ZWQ1NTA2Mzg/

- http://myonlinesecurity.co.uk/your-...07-word-doc-or-excel-xls-spreadsheet-malware/
11 Jan 2016 - "An email with the subject of 'Your latest invoice from UKFast No.1228407' pretending to come from UKFast Accounts <accounts@ ukfast .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: UKFast Accounts <accounts@ukfast.co.uk>
Date: Mon 11/01/2016 09:00
Subject: Your latest invoice from UKFast No.1228407
Hi,
Thank you for choosing UKFast. Please find attached your latest invoice. You can also download it.
As you have chosen to pay by Direct Debit there’s nothing more you need to do, payment will be taken on or after the date stated on your invoice.
Should you have any queries relating to this invoice please raise an invoice query from within MyUKFast. Alternatively you can contact us on 0845 458 3535.
Remember you can view all your invoices, set who should receive these alerts and much more all via MyUKFast.
Kind Regards ...


11 January 2016: Invoice-1228407.doc - Current Virus total detections 3/54*
downloads Dridex banking malware from http ://www .vmodal .mx/5fgbn/7tfr6kj.exe (VirusTotal 1/55**)
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...13cb10625b6c0a7c928aa11b/analysis/1452505104/

** https://www.virustotal.com/en/file/...f993d912719ae8af8774cd0b/analysis/1452507654/
TCP connections
114.215.108.157: https://www.virustotal.com/en/ip-address/114.215.108.157/information/
8.253.82.158: https://www.virustotal.com/en/ip-address/8.253.82.158/information/
110.77.142.156: https://www.virustotal.com/en/ip-address/110.77.142.156/information/
___

Fake 'E-Service' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malware-spam-e-service-europe-ltd.html
11 Jan 2016 - "This -fake- financial spam does not come from E-Service (Europe) Ltd but is instead a simple -forgery- with a malicious attachment:
From Andrew Williams [andrew.williams@ eurocoin .co.uk]
Date Mon, 11 Jan 2016 17:07:38 +0700
Subject E-Service (Europe) Ltd Invoice No: 10013405
Dear Customer,
Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
to make payment for all transactions on or before their due date.
Please contact E-Service (Europe) if you have any issues or queries preventing your
prompt payment ...


E-Service have been exceptionally quick about posting an update on their Twitter page*.
* https://twitter.com/EServiceUK/status/686496655831625728
However, they have -not- been hacked at all as it is trivially easy to forge an email message. The attachment is a malicious Excel spreadsheet which leads to the Dridex banking trojan. So far, I have seen -five- different versions of the attachment, all named Invoice 10013405.XLS ... The Malwr reports for the attachment... show that the macro in the spreadsheet downloads a file from the following locations:
arellano .biz/5fgbn/7tfr6kj.exe
pastorsschoolinternational .org/5fgbn/7tfr6kj.exe
www.c0-qadevtest .net/5fgbn/7tfr6kj.exe
This dropped file has a detection rate of 1/55**. It is the -same- binary as found in this earlier spam run*** which phones home to:
114.215.108.157 (Aliyun Computing Co, China)
This is an IP that I strongly recommend blocking..."
** https://www.virustotal.com/en/file/...f993d912719ae8af8774cd0b/analysis/1452509215/
TCP connections
114.215.108.157
8.253.82.158
110.77.142.156


*** http://blog.dynamoo.com/2016/01/malware-spam-your-latest-invoice-from.html

- http://myonlinesecurity.co.uk/e-ser...05-word-doc-or-excel-xls-spreadsheet-malware/
11 Jan 2016 - "An email with the subject of 'E-Service (Europe) Ltd Invoice No: 10013405' pretending to come from with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Andrew Williams <andrew.williams@ eurocoin .co.uk>
Date: Mon 11/01/2016 10:22
Subject: E-Service (Europe) Ltd Invoice No: 10013405
Dear Customer,
Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you to make payment for all transactions on or before their due date.
Please contact E-Service (Europe) if you have any issues or queries preventing your prompt payment...


11 January 2016: Invoice 10013405.XLS - Current Virus total detections 7/54*
Downloads from http ://arellano .biz/5fgbn/7tfr6kj.exe which is the -same- Dridex banking malware as described in this slightly earlier post**..."
* https://www.virustotal.com/en/file/...1a3c57777b58c934012bb5fd/analysis/1452509257/

** http://myonlinesecurity.co.uk/your-...07-word-doc-or-excel-xls-spreadsheet-malware/
___

Fake 'Kaseya Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malware-spam-kaseya-invoice-1ed0c068.html
11 Jan 2016 - "This -fake- financial email has a malicious attachment:
From: Terry Cherry
Date: 11 January 2016 at 10:48
Subject: Kaseya Invoice - 1ED0C068
Dear Accounts Payable,
Thank you for your purchase of Kaseya Licenses. Attached please find our invoice for your purchase under the K2 Software Catalog.
Our bank details for wire transfer are included on the attached invoice.
Should you wish to submit payment via credit card, please contact our customer service department (billing-cs@ kaseya .com) for assistance with adding card details through our portal.
Please do not hesitate to let us know if you have any questions.
Thanks again for your patronage.
Sincerely,
Terry Cherry
Kaseya Customer Invoicing ...


The sender's name, references and attachments may vary. This appears to be a spam from Dridex 120, and it is a characteristic that there is a very-large-number-of-variants of the attachments. In this case, I analysed three different attachments with detection rate of about 2/55 [1].. and which according to these Malwr reports [4].. downloads a binary from the following locations:
5.189.216.10 /montana/login.php
77.246.159.154 /montana/login.php
109.234.39.40 /montana/login.php
All of these IPs should be considered to be malicious:
5.189.216.10 (LLHost Inc, Netherlands)
77.246.159.154 (JSC Server, Russia)
109.234.39.40 (McHost.ru, Russia)
A binary named trap.exe ... a detection rate of 5/54[7] is downloaded. According to this Malwr report[8] the executable phones home to:
78.47.119.93 (Hetzner, Germany)
The payload is the Dridex banking trojan.
Recommended blocklist:
78.47.119.93
5.189.216.10
77.246.159.154
109.234.39.0/24
"
1] https://www.virustotal.com/en/file/...ba4b1c0dfdb98659a65e5f70/analysis/1452510008/

4] https://malwr.com/analysis/MjY3NDlmNmM0NzIyNGRhNmEzYWFlOTdkM2UwM2FjY2M/

7] https://www.virustotal.com/en/file/...df382e6a619cf40d3f8dbb20/analysis/1452510360/

8] https://malwr.com/analysis/NTA1YzViMzVhNTEwNGZhYjhkYzczMmNmNWU4ZjQyOWM/

- http://myonlinesecurity.co.uk/kaseya-invoice-dd5a9977-word-doc-or-excel-xls-spreadsheet-malware/
11 Jan 2016 - "An email with the subject of 'Kaseya Invoice – DD5A9977' pretending to come from random names, companies and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Alvin Fry <FryAlvin59518@ attrazioneviaggi .it>
Date: Mon 11/01/2016 11:00
Subject: Kaseya Invoice – DD5A9977
Dear Accounts Payable,
Thank you for your purchase of Kaseya Licenses. Attached please find our invoice for your purchase under the K2 Software Catalog.
Our bank details for wire transfer are included on the attached invoice.
Should you wish to submit payment via credit card, please contact our customer service department (billing-cs@ kaseya .com) for assistance with adding card details through our portal.
Please do not hesitate to let us know if you have any questions.
Thanks again for your patronage...


11 January 2016: Invoice-19071543.doc - Current Virus total detections 2/55*
downloads the -same- Dridex banking malware from the same locations as described in THIS post**..."
* https://www.virustotal.com/en/file/...8873385d879665436755b06c/analysis/1452515923/

** http://myonlinesecurity.co.uk/invoice-11jan15-61828018-gb-word-doc-or-excel-xls-spreadsheet-malware/
___

Fake 'Invoice-11JAN15' SPAM - leads to malware
- http://blog.dynamoo.com/2016/01/malware-spam-invoice-11jan15-53771728-gb.html
11 Jan 2016 - "This rather generic looking spam email leads to malware:
From: Raleigh Frazier [FrazierRaleigh8523@ amnet .net.au]
Date: 11 January 2016 at 11:20
Subject: Invoice-11JAN15-53771728-GB
Dear Customer,
Please find attached Invoice 53771728 for your attention.
Should you have any Invoice related queries please do not hesitate to
contact either your designated Credit Controller or the Main Credit Dept. on
02051 2651180.
For Pricing or other general enquiries please contact your local Sales Team.
Yours Faithfully,
Credit Dept'


The name of the sender, references and attachment name varies. There are at least -three- different variations of the attachment, probably more. Detection rates are approximately 2/55*... and these Malwr reports [4].. indicate that the behaviour is very similar to the one found in this spam run**."
* https://www.virustotal.com/en/file/...86827d5d4d1fd3fda8dc5665/analysis/1452511471/

[4] https://malwr.com/analysis/YjA0MjRlM2E4YzQ4NGYzZWExNGNmMjgyMmIxZDBiODc/

** http://blog.dynamoo.com/2016/01/malware-spam-kaseya-invoice-1ed0c068.html

Fake 'Lattitude Invoice', 'payment', 'Payment Advice', 'Sales Invoice' SPAM, Ransom32

FYI...

Fake 'Lattitude Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malware-spam-lattitude-global.html
12 Jan 2016 - "This -fake- financial spam comes from random senders and with different reference details. It does not come from Lattitude Global Volunteering but is instead a simple -forgery- with a malicious attachment.
From: Darius Green
Date: 12 January 2016 at 09:33
Subject: Lattitude Global Volunteering - Invoice - 3FAAB65
Dear customer,
Please find attached a copy of your final invoice for your placement in Canada.
This invoice needs to be paid by the 18th January 2016.
Due to recent increases on credit card charges, we prefer that you make a payment for your invoice on a bank transfer our bank details are.
You must provie your invoice number or account reference when you make the payment in order for us to allocate the payment to your account.
Account Name: Lattitude Global Volunteering
Bank: Barclays Bank
Sort Code: 20-71-03
Account No. 20047376
IBAN: GB13BARC20710320047376
SWIFBIC: BARCGB22
Kind regards
Luis Robayo
Accounts Department
Lattitude Global Volunteering ...


I have personally only seen two samples so far with detection rates of 2/55 [1] [2]. These two Malwr reports [3] [4] plus some private sources indicate that the attachments download from the following locations:
31.131.20.217/shifaki/indentification.php
185.125.32.39/shifaki/indentification.php
5.34.183.41/shifaki/indentification.php
5.149.254.84/shifaki/indentification.php
This is characteristic of spam sent by the Dridex 120 botnet. All the IPs can be considered to be -malicious- and should be blocked.
31.131.20.217 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
185.125.32.39 (Sembol Internet Hizmetleri ve Dis Ticaret Ltd, Turkey)
5.34.183.41 (ITL Company, Ukraine)
5.149.254.84 (Fortunix Networks, Netherlands)
A file kfc.exe is dropped onto the target system which has a detection rate of 6/52*... Those previous Malwr reports indicate that it phones home to a familiar IP of:
78.47.119.93 (Hetzner, Germany)
Recommended blocklist:
78.47.119.93
31.131.20.217
185.125.32.39
5.34.183.41
5.149.254.84
"
[1] https://www.virustotal.com/en/file/...ebdf2cfc2e4128dc9f8a5055/analysis/1452594409/

[2] https://www.virustotal.com/en/file/...913c7fbd69621262b924bf76/analysis/1452594427/

[3] https://malwr.com/analysis/YzM3NTc3MjFlMWQ0NDUyMzkyZDQ2YThhZmQyMDYxMjM/

[4] https://malwr.com/analysis/MzdjNGRjNmE0OTRiNGU1YTlmOGYwNTMxM2Q2NjM3ZjM/

* https://www.virustotal.com/en/file/...7ea088d792ac290d157cd9a8/analysis/1452595124/

- http://myonlinesecurity.co.uk/latti...yo-word-doc-or-excel-xls-spreadsheet-malware/
12 Jan 2016 - "An email with the subject of 'Lattitude Global Volunteering – Invoice – AF6643A' (random numbers) pretending to come from random names, companies and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

12 January 2016: Invoice – AF6643A.doc - Current Virus total detections 2/54*
MALWR analysis** shows it downloads Dridex banking malware from http :// 5.149.254.84/shifaki/indentification.php named as 120CR.exe, which looks suspiciously familiar from recent days (VirusTotal 6/54***)..."
* https://www.virustotal.com/en/file/...9dd601d20e6c5942da0925c0/analysis/1452591731/

** https://malwr.com/analysis/ZTFjNWI2ZjU1NDJmNGI3YThjYzdjYWE5MDRkZDE0MGU/
5.149.254.84
78.47.119.93


*** https://www.virustotal.com/en/file/...7ea088d792ac290d157cd9a8/analysis/1452592072/
___

Fake 'payment' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/mgu-t...er-word-doc-or-excel-xls-spreadsheet-malware/
12 Jan 2016 - "An email with the subject on the -theme- of payment, transaction, Transfer coming from random email addresses and random people with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... These malicious word docs appear to be based on the Black Energy dropper described HERE:
> https://isc.sans.edu/forums/diary/BlackEnergy+XLS+Dropper/20601/
The email looks like:
From: Random senders like Hermione Acevedo <info@ gistparrot .com> or Avye Brown <werbeteam@ gmx .de>
Date: Tue 12/01/2016 06:02
Subject: Random subjects like Fwd: MGU Transaction, AI Transaction, VL Payment, AJ Transfer
Good morning
Please find the receipt attached to this message. The Transaction will be posted on your account in two days.
Regards
Hermione Acevedo

-Or-
Good Day
Please check the invoice enclosed with this message. The Transaction will be posted on your bank within 1-2 days.
Best regards
Avye Brown


12 January 2016: 51U5P05W22P34.doc - Current Virus total detections 1/54*
ReverseIT analysis**. These are very -different- to previous macro word docs. This one contacts
crechemploi .be/wpl.jpg?ICpz8scC0AI=35 (VirusTotal 0/54***) and downloads an -image- file wpl.jpg which is extremely large (245kb) for a small image. It looks like it has embedded -malware- inside it, which in this example is named 3088239.exe (VirusTotal 2/55[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...10e605bdaf653d2a637b331d/analysis/1452581898/

** https://www.reverse.it/sample/fa7bc...63906747c76aff28648b9eef1aa69?environmentId=1
195.154.231.179: https://www.virustotal.com/en/ip-address/195.154.231.179/information/
104.224.128.163: https://www.virustotal.com/en/ip-address/104.224.128.163/information/

*** https://www.virustotal.com/en/file/...b8b816843242457a5b37b673/analysis/1452584610/

[4] https://www.virustotal.com/en/file/...ac298d636d34596ee5a294ca/analysis/1452585387/

crechemploi .be: 195.154.231.179: https://www.virustotal.com/en/ip-address/195.154.231.179/information/
___

Fake 'Payment Advice' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malware-spam-payment-advice-0002014343.html
12 Jan 2016 - "This -fake- financial spam is not from Wipro but is instead a simple -forgery- with a malicious attachment.
From: Bhavani Gullolla [bhavani.gullolla1@ wipro .com]
Date: 12 January 2016 at 09:51
Subject: Payment Advice - 0002014343
Dear Sir/Madam,
This is to inform you that we have initiated the electronic payment through our Bank.
Please find attached payment advice which includes invoice reference and TDS deductions if any.
Transaction Reference :
Vendor Code :9189171523
Company Code :WT01
Payer/Remitters Reference No :63104335
Beneficiary Details :43668548/090666
Paymet Method : Electronic Fund Transfer
Payment Amount :1032.00
Currency :GBP
Processing Date :11/01/2016 ...


The attachment is randomly-named in the format 9705977867.doc which I have seen in two different versions with detection rates of 5/54 [1] [2], and according to the Malwr reports [3] [4] they both download a -malicious- binary from:
hotpointrepair .info/u5y4g3/76u54g.exe
This download location is characteristic of the Dridex 220 botnet. The downloaded binary has a detection rate of 4/55* and this Malwr report** shows network traffic to:
199.231.189.9 (Interserver Inc, US)
I strongly recommend that you -block- this IP address..."
[1] https://www.virustotal.com/en/file/...f0f04f54d9945fa7b5125a7b/analysis/1452596943/

[2] https://www.virustotal.com/en/file/...ca21ac54946a7840cf79068d/analysis/1452596954/

[3] https://malwr.com/analysis/NWFkMjdkMDZhNmJjNDQ3NjhhZGNjMzA0NWIwOGJlZDg/
66.147.242.93
199.231.189.9
8.254.249.78


[4] https://malwr.com/analysis/MTRjMDQ4OGM2MWM3NGIxMTgxYzFkNmY2OGExYWVmZjk/
66.147.242.93
199.231.189.9
184.28.188.195


* https://www.virustotal.com/en/file/...38b97a996f068b076e04ea3b/analysis/1452597607/

** https://malwr.com/analysis/MjMyMzQ1MDA3ODQ2NDc0OGExNjFjNzNhOWM3MmZlMDU/
199.231.189.9
13.107.4.50


hotpointrepair .info: 66.147.242.93: https://www.virustotal.com/en/ip-address/66.147.242.93/information/
> https://www.virustotal.com/en/url/d...ccbd0ad7bccbb239984e787dd7493b611b3/analysis/
___

Fake 'Sales Invoice' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/sales...ng-word-doc-or-excel-xls-spreadsheet-malware/
12 Jan 2016 - "An email with the subject of 'Sales Invoice SIN040281 from Charbonnel et Walker Limited' pretending to come from Corinne Young <corinne.young@ charbonnel .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...rom-Charbonnel-et-Walker-Limited-1024x464.png

12 January 2016: SIN040281.DOC - Current Virus total detections 4/55*
Downloads Dridex banking malware from http ://hotpointrepair .info/u5y4g3/76u54g.exe (VirusTotal 1/55**)
-same- Dridex malware as other malspam runs. Note: Dridex updates frequently during the day, so you might get a different malware version... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/08/protected-view-macros_21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...6c28c17348ace8b49e4ad21f/analysis/1452601210/

** https://www.virustotal.com/en/file/...f54014eb4cf41c05db2d93c2/analysis/1452599104/
TCP connections
199.231.189.9: https://www.virustotal.com/en/ip-address/199.231.189.9/information/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/

hotpointrepair .info: 66.147.242.93: https://www.virustotal.com/en/ip-address/66.147.242.93/information/
> https://www.virustotal.com/en/url/d...ccbd0ad7bccbb239984e787dd7493b611b3/analysis/
___

'LloydsLink online website changes' - PHISH
- http://myonlinesecurity.co.uk/lloydslink-online-website-changes-phishing/
12 Jan 2016 - "... Today’s example is an email received with a subject of 'LloydsLink online website changes' pretending to come from LloydsLink online <Hugo.Batzold@ lloydslink.online .lloydsbank .com>.
We have been seeing these sort of emails for -numerous- banks recently... Note the 0 instead of the o in the second Lloyds. You see a webpage looking identical to the genuine Lloydslink log-in page; look carefully at the url in the top bar and you can see it isn’t Lloyds at all but a -fake- site:

Screenshot: http://myonlinesecurity.co.uk/wp-content/uploads/2016/01/lloydslink_phishing_scam-1024x365.png

If you still haven’t realised that it is a phishing attempt and give them your username & password, you will then get bounced on to the -genuine- Lloyds Bank site:
> https://lloydslink.online.lloydsbank.com/Logon/Logon.xhtml
... and think that you just didn’t enter details correctly or mistyped a digit and need to re-enter them and won’t even pay any attention, until you get the dreaded letter or phone call saying someone has emptied your bank account. All of these emails use Social engineering tricks to persuade you to follow the links or open the attachments that come with the email..."
___

Ransom32 – the malicious package
- https://blog.malwarebytes.org/intelligence/2016/01/ransom32-look-at-the-malicious-package/
Jan 11, 2016 - "Ransom32 is a new ransomware implemented in a very atypical style. Emsisoft provides a good description of its functionality here:
> http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/
... we will focus on some implementation details of the malicious package. Ransom32 is delivered as an executable that is in reality an autoextracting WinRAR archive. By default it is distributed as a file with .scr extension:
> https://blog.malwarebytes.org/wp-content/uploads/2016/01/ransom32_scr.png
The WinRAR script is used to drop files in the specified place and autorun the unpacked content... Installation directory created in %TEMP%... The unpacked content consists of the following files:
> https://blog.malwarebytes.org/wp-content/uploads/2016/01/ransom32_content.png
chrome.exe spoofs Google’s browser, but in reality it is an element responsible for preparing and running the Node JS application (that is the -main- part of the ransomware). After the chrome.exe is run from the %TEMP% folder, it installs the above files into %APPDATA%, in the folder Chrome Browser:
> https://blog.malwarebytes.org/wp-content/uploads/2016/01/installed.png
... After encrypting the files, the ransom nag-window is displayed. The GUI is generated by JavaScript, with the layout defined by the included CSS:
> https://blog.malwarebytes.org/wp-content/uploads/2016/01/ransom32_screen.png
The internet connection is operated via the included Tor client – renamed to rundll32.exe ...
Conclusion: In the past, malware authors cared mostly about the small size of their applications – that’s why early viruses were written in assembler. Nowadays, the technologies used and the goals have changed. The most important consideration is not the size, but the ability to imitate legitimate applications, for the purpose of avoiding detection. Authors of Ransom32 went really far in this direction. Their package is huge in comparison to typical samples. It consists of various elements, including legitimate applications – i.e. the Tor client (renamed to rundll32.exe). The technology that they have chosen for the core – Node JS – is a complete change of direction from the malware written in low-level languages. However, compiled JavaScript (although it works about 30 percent slower than not compiled) is not very popular and there is a lack of tools to analyze it – which makes it a good point for malware authors, who gain some level of code protection..."
(More detail at the malwarebytes URL at the top.)

MS account Phish, Fake 'Scanned Document', 'Order' SPAM

FYI...

MS account security info verification – Phish
- http://myonlinesecurity.co.uk/microsoft-account-security-info-verification-phishing/
13 Jan 2016 - "... phishing attempts against Microsoft office and outlook accounts. This one starts with an email with the subject 'Microsoft account security info verification' pretending to come from Microsoft <security-noreply@ account .microsoft .com>. One of the major common subjects in this sort of phishing attempt is 'Your password will expire soon' or 'update your email' or something very similar. This one only wants your email / Microsoft account log in details...

Screenshot: http://myonlinesecurity.co.uk/wp-co...count-security-info-verification-1024x550.png

The link behind the 'Upgrade Now' is http ://tenga .my/wp-content/outnew/index.php?email=victim@doamain.com. If you are unwise enough to follow the link you see a webpage looking like:
> http://myonlinesecurity.co.uk/wp-content/uploads/2015/12/fake-microsoft365-log-in-1024x542.png
... which is a very good imitation of a genuine Microsoft 365 log on page. If you do fill in the email and password, you immediately get sent to the genuine Office 365 log on page and you just think that you might have entered the email or password incorrectly and do it again. All of these emails use Social engineering tricks to persuade you to follow links or open the attachments that come with the email..."

tenga .my: 181.224.159.177: https://www.virustotal.com/en/ip-address/181.224.159.177/information/
> https://www.virustotal.com/en/domain/tenga.my/information/
___

Fake 'Scanned Document' SPAM - doc/xls malware
- http://myonlinesecurity.co.uk/scann...rs-word-doc-or-excel-xls-spreadsheet-malware/
13 Jan 2016 - "An email with the subject of 'Scanned Document MRH Solicitors' pretending to come from Color @ MRH Solicitors <color93@ yahoo .co.uk> (random color numbers) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Color @ MRH Solicitors <color93@ yahoo .co.uk>
Date: Wed 13/01/2016 08:26
Subject: Scanned Document
Find the attachment for the scanned Document


13 January 2016: ScannedDocs122151.xls - Current Virus total detections 7/54*
Downloads Dridex banking malware from http ://armandosofsalem .com/l9k7hg4/b4387kfd.exe (VirusTotal 3/56**)...
DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecurity.co.uk/?attachment_id=5895
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...c539253cc985c50955a8a9e0/analysis/1452675230/

** https://www.virustotal.com/en/file/...87380af7fa79ff8c1ecc34e8/analysis/1452675552/

armandosofsalem .com: 192.254.189.167: https://www.virustotal.com/en/ip-address/192.254.189.167/information/

- http://blog.dynamoo.com/2016/01/malware-spam-scanned-document-color-mrh.html
13 Jan 2016 - "... The Hybrid Analysis* of the dropped binary shows attempted network traffic to the following domains:
exotelyxal .com
akexadyzyt .com
ekozylazal .com
These are hosted on an IP worth blocking:
158.255.6.128 (Mir Telematiki Ltd, Russia)"
* https://www.hybrid-analysis.com/sam...8be9c87380af7fa79ff8c1ecc34e8?environmentId=4
b4387kfd.exe
___

Fake 'Order' SPAM - doc malware
- http://myonlinesecurity.co.uk/order...ch-john-russell-yesss-co-uk-word-doc-malware/
13 Jan 2016 - "An email with the subject of 'Order 0046/033777 [Ref. MARKETHILL CHURCH]' pretending to come from JOHN RUSSELL <John.Russell@ yesss .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecurity.co.uk/wp-co...0046033777-Ref-MARKETHILL-CHURCH-1024x966.png

13 January 2016: Order 0046_033777 [Ref. MARKETHILL CHURCH].doc - Current Virus total detections 6/55*
MALWR** shows a download from http ://amyzingbooks .com/l9k7hg4/b4387kfd.exe which will be Dridex banking malware (VirusTotal 2/55***). This site was used in earlier Dridex downloads today but -different- versions were offered... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...139c2f6e2286555a7caf3f0c/analysis/1452694400/

** https://malwr.com/submission/status/OWI1N2Y1NmRkMDk3NDlhZWI3MzliMmQ4YTdhOWY2NDA/

*** https://www.virustotal.com/en/file/...2c91f9fe4c410225dec2c10d/analysis/1452695776/
TCP connections
85.25.200.103: https://www.virustotal.com/en/ip-address/85.25.200.103/information/

- http://blog.dynamoo.com/2016/01/malware-spam-order-0046033777-ref.html
13 Jan 2016 - "... This binary has a detection rate of 4/53*. The Hybrid Analysis** shows the malware phoning home to:
85.25.200.103 (PlusServer AG, Germany)
I recommend that you -block- traffic to that IP."
* https://www.virustotal.com/en/file/...2c91f9fe4c410225dec2c10d/analysis/1452699929/

** https://www.hybrid-analysis.com/sam...d72322c91f9fe4c410225dec2c10d?environmentId=1

Fake 'scanner' SPAM, Evil network: 46.30.40.0/21

FYI...

Fake 'scanner' SPAM - doc malware
- http://myonlinesecurity.co.uk/messa...er-at-your-own-email-domain-word-doc-malware/
14 Jan 2016 - "An empty or blank email with the subject of 'Message from local network scanner' pretending to come from jpaoscanner at your own email domain with a malicious word doc attachment is another one from the current bot runs... The attachment to these are named Scann16011310150.docf . Note the F after the doc which effectively makes them useless because Windows doesn’t know what to do with them and asks you. They will open in Word, if you tell them to, and do contain a malicious macro that will infect you.
Update: a second batch a few minutes after the first run now has a proper word doc attachment, although the body is still -blank- . The email looks like:
From: jpaoscanner@ ....co.uk
Date:Thu 14/01/2016 10:52
Subject: Message from local network scanner


Body content: EMPTY

12 January 2016: Scann16011310150.docf - Current Virus total detections 2/53*
downloads Dridex banking malware from 199.59.58.162 :80 /~admin1/786h5g4/9787g4fr4.exe (VirusTotal 3/56**)
(reverseIT***)
12 January 2016: Scann16011310150.doc - Current Virus total detections 3/54[4]
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...180792de04bc227c9c30725d/analysis/1452768488/

** https://www.virustotal.com/en/file/...f83f06dfa8b670529eaa0bc6/analysis/1452770219/

*** https://www.reverse.it/sample/ecacd...815c4180792de04bc227c9c30725d?environmentId=1
Contacted Hosts:
199.59.58.162: https://www.virustotal.com/en/ip-address/199.59.58.162/information/
188.138.88.14: https://www.virustotal.com/en/ip-address/188.138.88.14/information/

[4] https://www.virustotal.com/en/file/...71ed9a93fc59859e48a9f832/analysis/1452769443/

- http://blog.dynamoo.com/2016/01/malware-spam-message-from-local-network.html
14 Jan 2016 - "This -fake- document scan comes with a malicious attachment.
From: jpaoscanner@ victimdomain .tld
Date: 14 January 2016 at 10:45
Subject: Message from local network scanner


There is no body text, and the email appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a file Scann16011310150.docf which comes in at least -five- different versions...
Hybrid Analysis shows one of the samples in action, downloading a binary from:
www .willsweb .talktalk .net/786h5g4/9787g4fr4.exe
This has a detection rate of 3/55*. That same analysis reports that it phones home to:
188.138.88.14 (PlusServer AG, France)... I strongly recommend that you -block- traffic to that IP..."
* https://www.virustotal.com/en/file/...f83f06dfa8b670529eaa0bc6/analysis/1452771350/
TCP connections
188.138.88.14: https://www.virustotal.com/en/ip-address/188.138.88.14/information/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/
___

800 risk experts from 40 countries identify the top global business risks
- http://net-security.org/secworld.php?id=19327
14 Jan 2016
> http://www.net-security.org/images/articles/agcs-012016-1.jpg

>> http://www.net-security.org/images/articles/agcs-012016-2.jpg
___

Evil network: 46.30.40.0/21...
- http://blog.dynamoo.com/2016/01/evil-network-463040021-eurobyte-llc-and.html
13 Jan 2016 23:23 - "... From looking around, it seemed that whoever Eurobyte rented servers to had an unhealthy interest in CryptoWall and the Angler EK. Eurobyte is a Russian hosting company, which in turn is a customer of Webzilla in the Netherlands... there are -thousands- of subdomains hosted in the 46.30.40.0/21 range, where the main domain (e.g. www) is hosted in a completely -different- location. The subdomains are then used to host malware such as the Angler Exploit Kit... What appears to be going on here is a domain shadowing attack on a massive scale[1], primarily leading victims to exploit kits. There do appear to be some genuine Russian-language sites hosted in this block. But if you don't tend to send visitors to Russian sites, I would very strongly recommend -blocking- 46.30.40.0/21 from your network... The attack is known sometimes as 'domain shadowing'... While researching this topic, I discovered that Talos had done some similar work* which also pointed a finger at Eurobyte and their very lax control over their network."
* http://blog.talosintel.com/2016/01/rigging-compromise.html
Jan 7, 2016 - "... when a provider is notified of -malicious- activity it is their responsibility to at least acknowledge the abuse and work to validate and, if legitimate, take the system offline. Webzilla did just that in our experience, but Eurobyte has not. This lack of response lead Talos to make the decision to blacklist large portions of the provider's network to ensure that our customers are protected since reporting the abuse alone is not enough."

[1] http://blogs.cisco.com/security/talos/angler-domain-shadowing#shadowing
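The pattern Dynamoo describes above (thousands of subdomains resolving into 46.30.40.0/21 while each apex host lives elsewhere) is something a defender can triage from DNS logs. The script below is an added example, not code from the Dynamoo or Talos posts: it flags that shadowed-subdomain pattern over a constructed set of DNS answers and also matches addresses against a blocklist mixing single IPs and CIDR ranges, like the recommended blocklists quoted in this thread. The hostnames and resolutions in `SAMPLE_RESOLUTIONS` are made up; the blocklist entries are copied from the quoted posts.

```python
"""Domain-shadowing triage and blocklist matching (added example, not from the quoted posts)."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Entries copied from the quoted posts: single IPs plus two CIDR ranges.
BLOCKLIST = [
    "46.30.40.0/21",      # Eurobyte block from the "Evil network" post
    "109.234.39.0/24",    # from the Kaseya invoice recommended blocklist
    "78.47.119.93",
    "5.189.216.10",
    "77.246.159.154",
]


def compile_blocklist(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Turn a mixed list of IPs and CIDRs into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blocked(ip: str, networks: List[ipaddress.IPv4Network]) -> bool:
    """True if ip falls inside any blocklist entry, single address or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def apex_of(hostname: str) -> str:
    """Naive apex: the last two labels. Fine for .com/.ru style names as used here;
    multi-label public suffixes such as .co.uk would need a public-suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_shadowed(resolutions: Dict[str, str], suspect_net: str) -> List[Tuple[str, str, str]]:
    """Return (subdomain, subdomain_ip, apex_ip) for every subdomain that resolves into
    suspect_net while its apex resolves somewhere else: the domain-shadowing pattern.
    A site whose apex is also inside the range is not reported (it may simply be hosted there)."""
    net = ipaddress.ip_network(suspect_net)
    hits = []
    for host, ip in resolutions.items():
        apex = apex_of(host)
        if host == apex or apex not in resolutions:
            continue  # apex itself, or no apex answer to compare against
        sub_in = ipaddress.ip_address(ip) in net
        apex_in = ipaddress.ip_address(resolutions[apex]) in net
        if sub_in and not apex_in:
            hits.append((host, ip, resolutions[apex]))
    return sorted(hits)


# Constructed sample DNS answers (hypothetical names, documentation/test addresses).
SAMPLE_RESOLUTIONS = {
    "example-shop.ru": "203.0.113.10",        # apex hosted outside the block
    "xk3j.example-shop.ru": "46.30.42.17",    # random-looking subdomain inside the block
    "promo.example-shop.ru": "46.30.47.250",  # another subdomain inside the block
    "example-news.ru": "46.30.41.5",          # whole site inside the block: not shadowing
    "www.example-news.ru": "46.30.41.5",
    "example-other.com": "198.51.100.7",      # neither apex nor subdomain in the block
    "blog.example-other.com": "198.51.100.7",
}


def main() -> None:
    nets = compile_blocklist(BLOCKLIST)
    for host, ip, apex_ip in find_shadowed(SAMPLE_RESOLUTIONS, "46.30.40.0/21"):
        print(f"shadowed subdomain: {host} -> {ip} (apex hosted at {apex_ip})")
    for ip in ("109.234.39.40", "78.47.119.93", "8.8.8.8"):
        print(ip, "blocked" if is_blocked(ip, nets) else "allowed")


if __name__ == "__main__":
    main()
```

Feeding real passive-DNS or resolver logs into `find_shadowed` in place of the constructed dictionary turns it into a first-pass filter for the hosting pattern the post describes.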

Fake 'order #7738326' SPAM

FYI...

Fake 'order #7738326' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/01/malware-spam-your-order-7738326-from.html
15 Jan 2016 - "This -fake- financial spam does not come from The Safety Supply Company but is instead a simple -forgery- with a malicious attachment:
From: Orders - TSSC [Orders@ thesafetysupplycompany .co.uk]
Date: 15 January 2016 at 09:06
Subject: Your order #7738326 From The Safety Supply Company
Dear Customerl
Thank you for your recent purchase.
Please find the details of your order through The Safety Supply Company attached to this email.
Regards,
The Sales Team


So far I have seen just a single sample, with an attachment Order.doc which has a VirusTotal detection rate of 4/55*... likely to be the Dridex banking trojan. This Hybrid Analysis** on the first sample shows it downloading from:
149.156.208.41 /~s159928/786585d/08g7g6r56r.exe
That download IP belongs to Academic Computer Centre CYFRONET AGH, Poland. This executable also seems to communicate with:
216.117.130.191 (Advanced Internet Technologies Inc., US)
41.38.18.230 (TE Data, Egypt)
5.9.37.137 (Hetzner, Germany)
I have now seen another version of the DOC file [VT 4/54***] which has similar characteristics[4]... This related spam run gives some additional download locations:
nasha-pasika .lviv .ua/786585d/08g7g6r56r.exe
arm .tv/786585d/08g7g6r56r.exe
Sources also tell me that there is one at:
204.197.242.166 /~topbun1/786585d/08g7g6r56r.exe
Recommended blocklist:
"
* https://www.virustotal.com/en/file/...189c2ac7115f5e377e854996/analysis/1452849120/

** https://www.hybrid-analysis.com/sam...ceaee189c2ac7115f5e377e854996?environmentId=1

*** https://www.virustotal.com/en/file/...3247532acc550f1fb9e73a5d/analysis/1452849706/

[4] https://www.hybrid-analysis.com/sam...dc5283247532acc550f1fb9e73a5d?environmentId=1

- http://myonlinesecurity.co.uk/your-...ny-word-doc-or-excel-xls-spreadsheet-malware/
15 Jan 2016 - "An email with the subject of 'Your order #7738326 From The Safety Supply Company' pretending to come from 'Orders – TSSC <Orders@ thesafetysupplycompany .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Orders – TSSC <Orders@ thesafetysupplycompany .co.uk>
Date: Fri 15/01/2016 09:20
Subject: Your order #7738326 From The Safety Supply Company
Dear Customerl
Thank you for your recent purchase.
Please find the details of your order through The Safety Supply Company attached to this email.
Regards,
The Sales Team


15 January 2016: Order.doc - Current Virus total detections 4/54*
downloads Dridex banking malware from 149.156.208.41 /~s159928/786585d/08g7g6r56r.exe (VirusTotal 2/53**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...e0a6c2df528a83848b1c9de0/analysis/1452851905/

** https://www.virustotal.com/en/file/...6fcc97f60c1a11ce8eef4988/analysis/1452851228/
___

SPAM with damaged or broken office doc or XLS attachments
- http://myonlinesecurity.co.uk/kelly...maged-or-broken-office-doc-or-xls-attachment/
15 Jan 2016 - "The Dridex bots are still not having a good day today. The -3rd- malformed/damaged/broken malspam is an email with the subject of 'Statement' pretending to come from Kelly Pollard <kelly.pollard@ carecorner .co.uk> with a -damaged- attachment that is supposed to be a malicious word doc or XLS spreadsheet attachment... Some malformed or misconfigured email servers might attempt to fix the broken email and actually deliver a working copy.
The damaged/broken attachment has a name something like Statement 012016.doc
Downloading this one from quarantine on my server gives what looks like a genuine word doc, unlike the earlier ones. VirusTotal Detections 7/55* which will attempt to download Dridex banking malware... (waiting for analysis) please check back later..."
* https://www.virustotal.com/en/file/...2b912c5122b03fd38b28199a/analysis/1452864034/
Statement 012016.doc

- http://blog.dynamoo.com/2016/01/malware-spam-fail-statement-kelly.html
15 Jan 2016 - "This fake financial spam is meant to have a malicious attachment, but it is corrupt:
From Kelly Pollard [kelly.pollard@ carecorner .co.uk]
Date Fri, 15 Jan 2016 13:56:01 +0200
Subject Statement
Your report is attached in DOC format.
Kelly Pollard
Marketing Manager ...


The attachment is named Statement 012016.doc but due to an error in the email it is corrupt, and is either zero length or will produce garbage. If it were to work, it would produce a payload similar to that found here* and here**, namely the Dridex banking trojan. This is the -third- corrupt Dridex run today..."
* http://blog.dynamoo.com/2016/01/malware-spam-scanned-image-from-mx.html
15 Jan 2015
** http://blog.dynamoo.com/2016/01/malware-spam-fail-reservation.html
15 Jan 2015
