Fake 'Invoice', 'Overdue Invoice' SPAM, Dyre Trojan - gone dark
FYI...
Fake 'Invoice' SPAM - doc malware
- http://myonlinesecurity.co.uk/invoice-we-070216-kelly-pegg-word-doc-malware/
15 Feb 2016 - "An email with the subject of 'Invoice (w/e 070216)' pretending to come from Kelly Pegg <kpegg@ responserecruitment .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Kelly Pegg <kpegg@ responserecruitment .co.uk>
Date: SKM_C3350160212101601 .docm
Subject: Invoice (w/e 070216)
Attachment: SKM_C3350160212101601 .docm
Good Afternoon
Please find attached invoice and timesheet.
Kind Regards
Kelly
15 February 2016: SKM_C3350160212101601.docm - Current Virus total detections 7/54*
MALWR** shows a download of Dridex banking Trojan from
http ://216.158.82.149 /09u8h76f/65fg67n (VirusTotal 4/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...7a346c51714109143fda07d8/analysis/1455537274/
** https://malwr.com/analysis/ZTViNjYyMWI1MzM2NDNjZDk3OTM1Nzk2OTlkYmIyMWU/
216.158.82.149: https://www.virustotal.com/en/ip-address/216.158.82.149/information/
>> https://www.virustotal.com/en/url/b...26f05b2b345d99b4b1889578596414aa391/analysis/
5.45.180.46
13.107.4.50
*** https://www.virustotal.com/en/file/...4c99df0f7a5cc9369c89433c/analysis/1455536293/
TCP connections
5.45.180.46
13.107.4.50
- http://blog.dynamoo.com/2016/02/malware-spam-invoice-we-070216-kelly.html
15 Feb 2016 - "... Attached is a file SKM_C3350160212101601.docm which comes in -several- different variants. The macro in the document attempts to download a malicious executable from:
216.158.82.149 /09u8h76f/65fg67n
sstv.go .ro/09u8h76f/65fg67n
www .profildigital .de/09u8h76f/65fg67n
This dropped a malicious executable with a detection rate of 6/54* which according to these automated analysis tools [1] [2] calls home to:
5.45.180.46 (B & K Verwaltungs GmbH, Germany)
I strongly recommend that you -block- traffic to that address. The payload is the Dridex banking trojan."
* https://www.virustotal.com/en/file/...214fd7fde854c99df0f7a5cc9369c89433c/analysis/
TCP connections
5.45.180.46: https://www.virustotal.com/en/ip-address/5.45.180.46/information/
>> https://www.virustotal.com/en/url/5...7652e1636bfffb0dfcff5166e4dedb385ee/analysis/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/
1] https://malwr.com/analysis/ZWEyODc4YTljYzgwNDgwZWFkZmM3ZTEyNDBjODRiNmI/
5.45.180.46
184.25.56.44
2] https://www.hybrid-analysis.com/sam...fde854c99df0f7a5cc9369c89433c?environmentId=4
___
Fake 'Overdue Invoice' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/02/malware-spam-overdue-invoice-012345.html
15 Feb 2016 - "This malicious spam appears to come from many different senders and companies. It has a malicious attachment:
From: Brandi Riley [BrandiRiley21849@ horrod .com]
Date: 15 February 2016 at 12:20
Subject: Overdue Invoice 089737 - COMS PLC
Dear Customer,
The payment is overdue. Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Brandi Riley
COMS PLC
Attached is a file in the format INVOICE-UK865916 2015 NOV.doc which comes in several different versions (VirusTotal results [1] [2] [3]). The Hybrid Analysis* shows an attempted download from:
node1.beckerdrapkin .com/fiscal/auditreport.php
This is hosted on an IP that you can assume to be malicious:
193.32.68.40 (Veraton Projects, BZ / DE)
The dropped executable (detection rate 4/54**) then phones home to:
194.58.92.2 (Reg.Ru Hosting, Russia)
202.158.123.130 (Cyberindo Aditama, Indonesia)
185.24.92.229 (System Projects LLC, Russia)
The payload is the Dridex banking trojan.
Recommended blocklist:
193.32.68.40
194.58.92.2
202.158.123.130
185.24.92.229 "
1] https://www.virustotal.com/en/file/...ef9a6e89b05fa196f567f74b/analysis/1455541445/
2] https://www.virustotal.com/en/file/...5a64b3c15fcb59dbd724febf/analysis/1455541455/
3] https://www.virustotal.com/en/file/...08c6a7c9ed7302b3da47c6c132999b8e6b1/analysis/
* https://www.hybrid-analysis.com/sam...c9ed7302b3da47c6c132999b8e6b1?environmentId=4
** https://www.virustotal.com/en/file/...66790eed0a1e199e4a6b3122/analysis/1455542606/
TCP connections
202.158.123.130: https://www.virustotal.com/en/ip-address/202.158.123.130/information/
81.52.160.146: https://www.virustotal.com/en/ip-address/81.52.160.146/information/
185.24.92.229: https://www.virustotal.com/en/ip-address/185.24.92.229/information/
>> https://www.virustotal.com/en/url/6...956d6f7b0f36f803b4dedd0e18344af02fa/analysis/
___
Dyre Trojan - gone dark...
- https://securityintelligence.com/dyre-straights-group-behind-the-dyre-trojan-busted-in-moscow/
Feb 9, 2016 - "... Reuters reports* that a police raid took place in November 2015 in a downtown Moscow high-rise. The operation reportedly took place inside the offices of a film distribution and production company called 25th Floor, which is, ironically, in the midst of producing a movie called 'Botnet', loosely based on a 2010 cybercrime case... IBM X-Force researchers indicate that Dyre, which has been a constantly evolving threat, fell silent in November 2015. According to IBM Trusteer, malware infection rates dropped sharply in mid-November, with new user infections appearing in the single digits per day at most. Beyond the drop in new infections, which signified the halt of spam/exploit kit campaigns, Dyre’s configuration-update-servers and its real-time-webinjection-server were -both- disconnected from the Internet as the malware ceased generating attempted fraudulent transactions. A week later, in late November, Dyre’s redirection attack servers also went dark:
> https://static.securityintelligence.com/uploads/2016/02/Fig1_Attacks_Flatten.png
It has been close to three months now since Dyre went silent. This in and of itself could have been a pause taken by its operators, an occurrence that happens from time to time; in September 2015, Dridex, too, went silent for almost a month. But cybercrime gangs like Dyre do not typically stay out of the game for three whole months unless they are in trouble. And trouble is apparently what befell the Dyre crew in Moscow last November. Dyre is considered one of the most advanced banking Trojans active in the wild today. Beyond the technical level of its attacks, Dyre is prolific in different parts of the globe and has made its mark as the most active Trojan family in 2015, according to IBM Trusteer data:
> https://static.securityintelligence.com/uploads/2016/02/Fig2_Top_Bankers.png
If the gang operating Dyre has indeed been apprehended in Russia, the event will go down as one of the most significant cybercrime busts in history. More than its magnitude in terms of the fraud losses that will be spared, it will be one of the most noteworthy operations carried out against cybercrime on Russian soil by Russian authorities... Dyre’s absence will also give a bigger market share to other malware like Dridex, for example, which, according to IBM X-Force researchers, has been enhancing its attack methods to match Dyre’s and focusing on high-value business and corporate accounts in the U.K. and the U.S., which closely resembles Dyre’s path through the year before the raid..."
* http://www.reuters.com/article/us-cybercrime-russia-dyre-exclusive-idUSKCN0VE2QS
:fear::fear:
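As an added example that is not part of the original post or of the quoted blogs: a small Python IOC matcher that re-fangs the indicators exactly as the two 'Invoice' sections above print them (with the spaces the posters inserted around dots and slashes), then runs them over a few constructed proxy-log lines. The log format, the client addresses and the host cdn.example.net are assumptions made for the example; the download URLs and the block-listed IPs are the ones quoted above. It goes one step beyond the posts by also flagging the campaign's download path when it appears on a host the posts did not list.

```python
"""IOC matcher for the 'Invoice' / 'Overdue Invoice' Dridex runs quoted above.

Added example, not code from the original post or from the quoted blogs.
Log format, client IPs and cdn.example.net are constructed for the example.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Download locations as written (de-fanged) in the quoted posts.
DOWNLOAD_URLS_AS_POSTED = [
    "http ://216.158.82.149 /09u8h76f/65fg67n",
    "sstv.go .ro/09u8h76f/65fg67n",
    "www .profildigital .de/09u8h76f/65fg67n",
    "node1.beckerdrapkin .com/fiscal/auditreport.php",
]
# Hosting / call-home IPs the posts explicitly recommend blocking.
BLOCK_IPS = {"5.45.180.46", "193.32.68.40", "194.58.92.2",
             "202.158.123.130", "185.24.92.229"}


def refang(ioc: str) -> str:
    """Undo the de-fanging used in the posts: 'go .ro', 'http ://', '[.]', hxxp."""
    s = ioc.strip()
    if s.lower().startswith("hxxp"):
        s = "htt" + s[3:]
    s = s.replace("http ://", "http://").replace("https ://", "https://")
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"\s+\.", ".", s)   # 'go .ro'            -> 'go.ro'
    s = re.sub(r"\.\s+", ".", s)   # 'www. example'      -> 'www.example'
    s = re.sub(r"\s+/", "/", s)    # '216.158.82.149 /x' -> '216.158.82.149/x'
    return s


def host_and_path(url: str) -> tuple[str, str]:
    """Split a URL (scheme optional) into lower-case host and path."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


KNOWN_DOWNLOADS = {host_and_path(refang(u)) for u in DOWNLOAD_URLS_AS_POSTED}
KNOWN_PATHS = {path for _, path in KNOWN_DOWNLOADS}

# Constructed proxy-log format: <timestamp> <client> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify(url: str) -> list[str]:
    """Return the reasons a requested URL matches the quoted indicators."""
    host, path = host_and_path(url)
    reasons = []
    if host in BLOCK_IPS:
        reasons.append("blocklisted IP " + host)
    if (host, path) in KNOWN_DOWNLOADS:
        reasons.append("known payload URL")
    elif path in KNOWN_PATHS:
        # Same macro, same path, previously unseen host: worth a look.
        reasons.append("campaign download path on new host " + host)
    return reasons


def scan(lines: list[str]) -> list[tuple[int, str, str, list[str]]]:
    """Return (line number, client, url, reasons) for every log line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real job would count these
        reasons = classify(m["url"])
        if reasons:
            hits.append((n, m["client"], m["url"], reasons))
    return hits


# Constructed sample log: one clean request, the two payload fetches from the
# posts, a call-home to a block-listed IP, the campaign path on an unlisted
# host, and 13.107.4.50, which the posts list only under 'TCP connections'.
SAMPLE_LOG = """\
2016-02-15T13:58:02 10.0.0.23 GET http://www.example.com/index.html 200
2016-02-15T14:02:11 10.0.0.23 GET http://216.158.82.149/09u8h76f/65fg67n 200
2016-02-15T14:02:40 10.0.0.23 POST http://5.45.180.46/ 200
2016-02-15T14:10:05 10.0.0.41 GET http://cdn.example.net/09u8h76f/65fg67n 200
2016-02-15T14:12:19 10.0.0.57 GET http://node1.beckerdrapkin.com/fiscal/auditreport.php 404
2016-02-15T14:12:20 10.0.0.57 GET http://13.107.4.50/ 200
""".splitlines()

if __name__ == "__main__":
    for n, client, url, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {client} -> {url}: {'; '.join(reasons)}")
```

Two points the sample is built to show: a 404 on the payload URL is still a client that ran the macro and should be triaged, and the addresses that appear only in the sandbox 'TCP connections' lists (13.107.4.50, 184.25.56.44, 81.52.160.146) are not in the posters' recommended blocklists, so the matcher does not flag them; sandbox connection lists routinely contain benign infrastructure, and blocking should follow the analyst's call, not the raw list.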