SPAM frauds, fakes, and other MALWARE deliveries...

Fake 'Amazon order', 'Scanned image', 'Payment' SPAM, 4 million malware spams

FYI...

Fake 'Amazon order' SPAM - JS malware leads to Locky Ransomware
- http://myonlinesecurity.co.uk/your-...-773659-js-malware-leads-to-locky-ransomware/
11 Mar 2016 - "An email with the subject of 'Your Amazon order #204-217966-773659' [random numbered] pretending to come from AMAZON.COM <no-reply@ Amazon .com> with a zip attachment is another one from the current bot runs which downloads Locky ransomware...

Screenshot: http://myonlinesecurity.co.uk/wp-co...r-Amazon-order-204-217966-773659-1024x656.png

11 March 2016: ORD204-217966-773659.zip: Extracts to: ZGQ8748487803.js - Current Virus total detections 6/57*
.. MALWR** shows a download of Locky ransomware from http ://onsancompany .com/system/logs/uy78hn654e.exe
(VirusTotal 5/57***). Other download locations so far discovered for Locky today include:
solucionesdubai .com.ve/system/logs/uy78hn654e.exe
ghayatv .com/system/logs/uy78hn654e.exe
dolcevita-ykt .ru/system/logs/uy78hn654e.exe
mercadohiper .com.br/system/logs/uy78hn654e.exe
chinhuanoithat .com/system/logs/uy78hn654e.exe
http ://nhinh .com/system/logs/uy78hn654e.exe
... This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...85d3be4e0209e978bf0e2117/analysis/1457692698/

** https://malwr.com/analysis/MGZhZjA4YjRkMWEzNDdhMThmZjExMzU3OWVlZTZjNDg/
Hosts
103.18.4.151
31.184.196.78
91.219.30.254


*** https://www.virustotal.com/en/file/...7d587cba8cd21064c9a6e526/analysis/1457691942/
TCP connections
31.184.196.75: https://www.virustotal.com/en/ip-address/31.184.196.75/information/


- http://blog.dynamoo.com/2016/03/malware-spam-your-amazon-order-137.html
11 Mar 2016 - "This fake Amazon spam comes with a malicious attachment:
From: AMAZON.COM [Mailer-daemon@ amazon .com]
Date: 11 March 2016 at 09:09
Subject: Your Amazon order #137-89653734-2688148
Hello,
Thank you for your order. We'll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order #137-89653734-2688148 Placed on March 11, 2016
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon.
Amazon .com


Reference numbers vary from email to email. Attached is a file with a name similar to ORD137-89653734-2688148.zip which contains a malicious script... Recommended blocklist:
31.184.196.75
91.219.30.254
78.40.108.39
31.184.196.78
91.234.32.192
"
___

Fake 'Scanned image' SPAM - leads to malware
- http://blog.dynamoo.com/2016/03/malware-spam-scanned-image-image-data.html
11 Mar 2016 - "This -fake- document scan leads to malware. It appears to come from within the victim's own domain, but this is a trivial forgery.
From: admin [lands375@ victimdomain .tld]
Date: 11 March 2016 at 09:02
Subject: Scanned image
Image data in PDF format has been attached to this email.


Attached is a document named in a similar format to 11-03-2016-6440705503.zip which contains a randomly-named malicious script. So far I have seen -three- versions of this script (VirusTotal results [1] [2] [3]) which according to the Malwr reports [4].. download a malicious binary from:
ghayatv .com/system/logs/uy78hn654e.exe
This is Locky ransomware, the -same- as dropped in this other spam run* - that post also contains a list of C2s to block."
* http://blog.dynamoo.com/2016/03/malware-spam-your-amazon-order-137.html

1] https://www.virustotal.com/en/file/...d4d76db6c6c0e135bcdb7f20/analysis/1457690743/

2] https://www.virustotal.com/en/file/...306b32b79c78201c41a9399b8566af5c931/analysis/

3] https://www.virustotal.com/en/file/...445e5427c3a657e6f2fa9651/analysis/1457691017/

4] https://malwr.com/analysis/YWVkNzRlZDRjZWRlNDJjNjk3MDM0ZWM3ZjcyYWUzM2E/
___

Fake 'Payment' SPAM - leads to Locky ransomware
- http://myonlinesecurity.co.uk/fw-pa...cuments-js-malware-leads-to-locky-ransomware/
11 Mar 2016 - "An email with the subject of 'Pay for driving on toll road, invoice #00212297' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky ransomware.. The email looks like:
From: Inez Harding <HardingInez04459@ jazztel .es>
Date: Fri 11/03/2016 08:15
Subject: FW: Payment 16-03-#280729
Attachment: payment_doc_280729.zip
Dear voicemail,
We have received this documents from your bank, please review attached documents.
Yours sincerely,
Inez Harding
Account Manager


5 March 2016: payment_doc_280729.zip: Extracts to 2 files:
Post_Tracking_Label_id00-371904814#.js [VT*] [VT**]. MALWR [1] [2] shows -both- download Locky Ransomware from http ://50.28.211.199 /hdd0/89o8i76u5y4 (VirusTotal 5/56***). I am informed[3] that there are several other download locations, all of which appear to be offering a slightly -different- Locky ransomware download... This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...8f4e01cb9c4a75116c3c1d30/analysis/1457687806/

** https://www.virustotal.com/en/file/...335269544feafcc960531032/analysis/1457687807/

1] https://malwr.com/analysis/YjkxNjNkNDNmM2E3NDNlZjk0MzZiMjcxZGYwZTM0YjE/
Hosts
50.28.211.199
31.184.196.78
91.234.32.192

2] https://malwr.com/analysis/MjgzYjZlZjEyZDg0NDc5OWJjZDM3MzQ4NTljYmRkZjE/
Hosts
50.28.211.199
91.234.33.149
31.184.196.78
31.184.196.75


*** https://www.virustotal.com/en/file/...cfdede6856fa507d684a1293/analysis/1457689671/
TCP connections
91.219.30.254: https://www.virustotal.com/en/ip-address/91.219.30.254/information/

3] http://blog.dynamoo.com/2016/03/malware-spam-fw-payment-16-03-507586-we.html
11 Mar 2016 - "These spam messages come from various senders with different references and attachment names.
From: Thanh Sears
Date: 11 March 2016 at 10:29
Subject: FW: Payment 16-03-#507586
Dear [redacted],
We have received this documents from your bank, please review attached documents.
Yours sincerely,
Thanh Sears
Financial Manager


Attached is a ZIP file named in the format payment_doc_507586.zip, containing a randomly named script... The dropped binaries are actually different [1] [2] and both look like Locky ransomware. The C2s to -block- are the same as found in this earlier Locky run*..."
1] https://www.virustotal.com/en/file/...a9cae4f09bac4b7877bb7836/analysis/1457693183/

2] https://www.virustotal.com/en/file/...c5f97db5c47c556ec2236585/analysis/1457693194/

* http://blog.dynamoo.com/2016/03/malware-spam-your-amazon-order-137.html
___

Massive Volume of Ransomware Downloaders being Spammed
- https://www.trustwave.com/Resources...lume-of-Ransomware-Downloaders-being-Spammed/
March 9, 2016 - "We are currently seeing extraordinarily huge volumes of JavaScript attachments being spammed out, which, if clicked on by users, lead to the download of a ransomware. Ransomware encrypts data on a hard drive, and then demands payment from the victim for the key to decrypt the data. Our Spam Research Database saw around 4 million malware spams in the last -seven- days, and the malware category as a whole accounted for 18% of total spam arriving at our spam traps... your last line of defense against ransomware infection is always having an up to date and good backup process."

Fake 'Urgent Notice' SPAM - Teslacrypt, Malvertising Magnitude

FYI...

Fake 'Urgent Notice' SPAM - JS malware leads to Teslacrypt
- http://myonlinesecurity.co.uk/urgent-notice-96954696-js-malware-leads-to-teslacrypt-ransomware/
Last revised 12 March 2016 - "An email with the subject of 'Urgent Notice # 96954696' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt or Locky ransomware...
Update 12 March 2016: Unusual for a Saturday.. they are going after the domestic/consumer market instead of office/Enterprise/companies. Another big malspam run of this email today with malicious js attachments (VirusTotal 12/57*). (MALWR**) with a connection to and download of http ://joecockerhereqq .com/80.exe?1 (VirusTotal 5/57***). This definitely looks like Teslacrypt...
WARNING: following the MALWR links will give a browser warning in ALL browsers. Their SSL certificate has -expired- yesterday 11 March 2016. In this case -ONLY- it is safe to ignore the warning and visit the site until they install the updated certificate.. The email looks like:
From: Lacy eaton <eatonLacy97994@ listenary .com>
Date: Fri 11/03/2016 20:42
Subject: Urgent Notice # 96954696
Attachment: statistic_96954696.zip
Dear Customer!
According to our data you owe our company a sum of $877,13. There are records saying that you have ordered goods in a total amount of $ 877,13 in the third quarter of 2015.
Invoice has been paid only partially. The unpaid invoice #96954696 is enclosed below for your revision.
We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.
Please check out the file and do not hesitate to pay off the debt.
Otherwise we will have to start a legal action against you.
Regards,
Lacy eaton ...


11 March 2016: statistic_96954696.zip: Extracts to: details_jEpMnR.js - Current Virus total detections [4] .. MALWR[5] shows a download of Teslacrypt or Locky from http ://joecockerhereqq .com/69.exe?1 or http ://joecockerhereff .com/69.exe?1 (VirusTotal [6]) Payload Security Hybrid analysis [7]... This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...c2cffea41ed12dee17422fe3/analysis/1457728759/

** https://malwr.com/analysis/ZWM4ZTU4NDZhOTY3NGE0ZWEyMmZiZDJhN2U0MTMzYTU/
Hosts
54.212.162.6
203.124.115.1
166.62.4.223


*** https://www.virustotal.com/en/file/...1d2240fdce5aebe87763e1d4/analysis/1457772426/
TCP connections
203.124.115.1: https://www.virustotal.com/en/ip-address/203.124.115.1/information/
166.62.4.223: https://www.virustotal.com/en/ip-address/166.62.4.223/information/

4] https://www.virustotal.com/en/file/...e179c769baf324709719f062/analysis/1457728932/

5] https://malwr.com/analysis/ZjFmNTYyYmYxZjZiNDkzZjk3ZjFiNmM0NGNmZWZlNWE/
Hosts
212.119.87.77
204.44.102.164


6] https://www.virustotal.com/en/file/...7ca04013704b8fd4014a4c3a/analysis/1457731360/
TCP connections
91.219.30.254: https://www.virustotal.com/en/ip-address/91.219.30.254/information/

7] https://www.hybrid-analysis.com/sam...8f2cb7ca04013704b8fd4014a4c3a?environmentId=1
91.234.32.192: https://www.virustotal.com/en/ip-address/91.234.32.192/information/
>> https://www.virustotal.com/en/url/7...24f5e032c1d8a6e242f9448f0e6c34fd9c6/analysis/

- http://blog.dynamoo.com/2016/03/malware-spam-urgent-notice-78815053.html
12 Mar 2016 - "This spam comes from random senders, and has random references, dollar amounts and attachment names:
From: Donnie emily
Date: 12 March 2016 at 14:01
Subject: Urgent Notice # 78815053
Dear Customer!
According to our data you owe our company a sum of $452,49. There are records saying that you have ordered goods in a total amount of $ 452,49 in the third quarter of 2015.
Invoice has been paid only partially. The unpaid invoice #78815053 is enclosed below for your revision.
We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.
Please check out the file and do not hesitate to pay off the debt.
Otherwise we will have to start a legal action against you.
Regards,
Donnie emily ...


Attached is a randomly-named ZIP file, in the sample I have seen... plus a random string of characters. I have seen -six- versions of this script... This is Teslacrypt ransomware, although it is possible that some variants of this message may drop Locky. Both these binaries are slightly different... malicious domains are also on the same servers... there are a vast number of malicious IPs and servers in this cluster...
Recommended blocklist:
"
___

Malvertising Magnitude ...
- https://labsblog.f-secure.com/2016/...d-by-pua-also-delivers-magnitude-exploit-kit/
Mar 7, 2016 - "... we noticed yet another malvertising campaign... pushing users towards Magnitude exploit kit:
> https://newsfromthelab.files.wordpress.com/2016/03/magnitude_graph_20160304.png?w=752&h=367
... we found with one of the ad platforms, click2.danarimedia .com, is that it is also being used by some distribution of Conduit Toolbars, which is considered 'potentially unwanted' as they usually come bundled with free software and -force- changes to browser settings... The -redirection- from our upstream from the -same- ad platform to Magnitude EK... we should not underestimate the power of Potentially Unwanted Applications (PUA). Because even if a program started as potentially unwanted, it doesn’t mean that attackers could not take advantage of it in delivering other threats to the user’s machine. It is very possible that users could get redirected to exploit kits and eventually end up with a malware infection, which, for this particular exploit kit, is CryptoWall ransomware:
> https://newsfromthelab.files.wordpress.com/2016/03/cryptowall.png?w=799&h=600 "
... -ongoing- today.

click2.danarimedia .com: 199.212.255.138: https://www.virustotal.com/en/ip-address/199.212.255.138/information/
199.212.255.137
199.212.255.136
199.212.255.140
199.212.255.139


Fake 'Blocked Transaction', 'Credit details', 'blank email', 'Debt#' SPAM, ApplePHISH

FYI...

Fake 'Blocked Transaction' SPAM - leads to Teslacrypt
- http://blog.dynamoo.com/2016/03/malware-spam-blocked-transaction-case.html
14 Mar 2016 - "This -fake- financial transaction has a malicious attachment:
From: Judy brittain
Date: 14 March 2016 at 08:12
Subject: Blocked Transaction. Case No 19706002
The Automated Clearing House transaction (ID: 19706002), recently initiated from your online banking account, was rejected by the other financial institution.
Canceled ACH transaction
ACH file Case ID: 09293
Transaction Amount: 607,89 USD
Sender e-mail: brittainJudy056@ panick .com.ar
Reason of Termination: See attached statement


The sender's name, references and dollar amounts vary from message to message. The attachment names are randomly-generated (the format seems the same as this*) containing either one-or-four malicious scripts. According to this analysis** the scripts download from:
ohelloguyzzqq .com/85.exe?1
Although the infection mechanism seems the same as this spam run*, the MD5 of the dropped executable is now 57759F7901EBA73040597D4BA57D511A with a detection rate of 2/55***. This is Teslacrypt ransomware, and I recommend that you block traffic to the IP addresses listed here*."
* http://blog.dynamoo.com/2016/03/malware-spam-debt-85533-customer-case.html

** https://www.hybrid-analysis.com/sam...a7fe7ccb9e52176d602dc5691b656?environmentId=1

*** https://www.virustotal.com/en/file/...a1a4dd6fea9bb7e349e3f5a1/analysis/1457945732/
___

Fake 'Credit details' SPAM - leads to Teslacrypt
- http://blog.dynamoo.com/2016/03/malware-spam-credit-details-id-87320357.html
14 Mar 2016 - "So many -Teslacrypt- campaigns, so little time...
From: Ladonna feather
Date: 14 March 2016 at 14:50
Subject: Credit details ID: 87320357
Your credit card has been billed for $785,97. For the details about this transaction, please see the ID: 87320357-87320357 transaction report attached.
NOTE: This is the automatically generated message. Please, do not reply.


... names, references and attachment names vary.. malicious scripts in the attachment...
This is Teslacrypt ransomware...
Recommended blocklist:

___

Fake 'IMG from Admin' SPAM - JS malware leads to locky or Dridex
- https://myonlinesecurity.co.uk/emai...l-domain-js-malware-leads-to-locky-or-dridex/
14 Mar 2016 - "An email with the subject of 'Emailing: IMG_18977' [random numbered] pretending to come from admin-at-your-own-email-domain with a zip attachment is another one from the current bot runs which downloads what looks like either Locky ransomware or Dridex banking Trojan... The email looks like:
From: admin admin@ victim domain .tld
Date: Mon 14/03/2016 12:14
Subject: Emailing: IMG_18977
Attachment: IMG_18977.zip
Your message is ready to be sent with the following file or link attachments:
IMG_18977
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.
Please consider the environment before printing this email.
E-mail messages may contain viruses, worms, or other malicious code. By reading the message and opening any attachments, the recipient accepts full responsibility for taking protective action against such code. Henry Schein is not liable for any loss or damage arising from this message...


14 March 2016: IMG_18977.zip: Extracts to: ICG8994683408.js - Current Virus total detections 4/56*
... unable to get any analysis from automatic analysers, both MALWR and Hybrid analysis are down at the moment... Manual analysis of the javascript file shows it connects to
http ://lampusorotmurah .com/system/logs/78tgh76.exe (VirusTotal 3/57**) which is inconclusive but is likely to be either Dridex banking Trojan or Locky ransomware... This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...8f9fef0a3abf84748386194b/analysis/1457961662/

** https://www.virustotal.com/en/file/...b67a03b953e87dfd2c116852/analysis/1457962014/

lampusorotmurah .com: 72.34.33.170: https://www.virustotal.com/en/ip-address/72.34.33.170/information/
>> https://www.virustotal.com/en/url/9...e90cf6ad9f964d34969138dca50348d52f8/analysis/
___

Fake 'blank email' SPAM - JS malware downloads kovter boaxxe and ransomware
- https://myonlinesecurity.co.uk/blan...lware-downloads-kovter-boaxxe-and-ransomware/
14 Mar 2016 - "An email addressed to 'abuse' at your-email-domain with -no- subject coming from Support <support@ hvp-online .com> with a zip attachment is another one from the current bot runs... The email looks like:
From: Support <support@ hvp-online .com>
Date: Mon 14/03/2016 08:51
Subject: blank
Attachment: 0000783426.zip


Body content: Totally empty

14 March 2016: 0000783426.zip: Extracts to: 0000783426.doc.js - Current Virus total detections 13/57*
.. ReverseIt** and Wepawet*** show a download of -3- files from a combination of these locations which will be Boaxxe, Kovter and some sort of ransomware:
nueva.alite .eu
arbasal .com
app.ulled .com
norbert.thecua.perso .sfr.fr
diarga.fall.perso.neuf .fr
... This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...b9f7aea5a2776fed5f35ef31/analysis/1457947548/

** https://www.reverse.it/sample/cfe18...70e7db9f7aea5a2776fed5f35ef31?environmentId=4
Host Address
91.142.215.21
87.106.240.27
217.111.217.243
86.65.123.70
173.201.146.128


*** https://wepawet.iseclab.org/view.php?hash=232cf82b5aa52ac7b003ea52918e9511&type=js
___

Fake 'Traffic Violation' SPAM - leads to Teslacrypt
- http://blog.dynamoo.com/2016/03/malware-spam-traffic-report-id-62699928.html
14 Mar 2016 - "This -fake- legal email has a malicious attachment:
From: Myrna baker
Date: 14 March 2016 at 15:58
Subject: Traffic report ID: 62699928
Dear Citizen,
We are contacting you on behalf of a local Traffic Violation Bureau.
Our cameras have detected that the driver of the vehicle associated with your personal number on March 10th, 2016 has committed a violation of the rules with a code: 49757
Unfortunately, we will have no other option rather than passing this case to the local police authorities.
Please, see the report with the documents proofs attached for more information on this case.


Details in the email vary from message to message. The payload is Teslacrypt ransomware, as seen in this earlier spam run*."
* http://blog.dynamoo.com/2016/03/malware-spam-credit-details-id-87320357.html

- https://myonlinesecurity.co.uk/traffic-report-id-02271147-js-malware-leads-to-ransomware/
14 March 2016: post_scan_02271147.zip: Extracts to: accent_nUIboL.js - Current Virus total detections 4/56* reverseIT** shows a download of what is probably Teslacrypt from
giveitallhereqq .com/69.exe?1 (VirusTotal 4/56***)
* https://www.virustotal.com/en/file/...7ea012b859628a64385dc68b/analysis/1457965942/

** https://www.hybrid-analysis.com/sam...4f2717ea012b859628a64385dc68b?environmentId=1
Host Address
54.212.162.6: https://www.virustotal.com/en/ip-address/54.212.162.6/information/
>> https://www.virustotal.com/en/url/7...dd23860c5f2ff954186b217ba479f85f869/analysis/

*** https://www.virustotal.com/en/file/...d4b5043a2b7a098ecef9d635/analysis/1457974614/
TCP connections
198.1.95.93: https://www.virustotal.com/en/ip-address/198.1.95.93/information/
___

Fake 'Debt#' SPAM - JS malware leads to Teslacrypt
- https://myonlinesecurity.co.uk/debt-80574-customer-case-nr-693-js-malware-leads-to-teslacrypt/
13 Mar 2016 - "An email with the subject of 'Debt #80574, Customer Case Nr.: 693' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads what looks like Teslacrypt... The email looks like:
From: Tanya best <bestTanya09673@ bezeqint .net>
Date: Sun 13/03/2016 16:14
Subject: Debt #80574 , Customer Case Nr.: 693
Attachment: money_44821787.zip
Body content:
Dear Customer,
Despite our constant reminders, we would like to note that the mentioned debt #80574 for $500,74 is still overdue for payment.
We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.
Unless the full payment is received by April 1st, 2016 this case will be transferred to the debt collection agency, will seriously damage your credit rating.
Please, find the attachment enclosed to the letter below.
We hope on your understanding.
Kind regards,
Finance Department
Tanya best ...


13 March 2016: money_44821787.zip: Extracts to: -4- different named but identical js files by #
Current Virus total detections 1/57*. SecureIT** shows a download of what appears to be Teslacrypt from
ohelloguyqq .com/70.exe (VirusTotal 4/57***)
JS files from zip I got were Post_Parcel_Label_id00-611695718#.js
Post_Shipment_Label_id00-436290447#.js
Post_Tracking_Label_id00-503290854#.js
Post_Tracking_Label_id00-993809340#.js
... This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...5ef487b4cad35d682cd23499/analysis/1457889197/

** https://www.reverse.it/sample/9caaf...c3e855ef487b4cad35d682cd23499?environmentId=4
78.135.108.94: https://www.virustotal.com/en/ip-address/78.135.108.94/information/

*** https://www.virustotal.com/en/file/...f53d640d61db7bc6bce39e20/analysis/1457890122/

- http://blog.dynamoo.com/2016/03/malware-spam-debt-85533-customer-case.html
13 Mar 2016 - "The details in these spam messages vary, with different reference numbers, sender names and dollar amounts. They all have malicious attachments...
From: Lamar drury
Date: 13 March 2016 at 18:43
Subject: Debt #85533 , Customer Case Nr.: 878
Dear Customer,
Despite our constant reminders, we would like to note that the mentioned debt #85533 for $826,87 is still overdue for payment.
We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.
Unless the full payment is received by April 1st, 2016 this case will be transferred to the debt collection agency, will seriously damage your credit rating.
Please, find the attachment enclosed to the letter below.
We hope on your understanding.
Kind regards,
Finance Department
Lamar drury ...


Attached is a ZIP file... plus a random number. Inside are one-to-four malicious .js scripts... There are at least -22- unique scripts... These appear [1] [2] to download a malicious binary from one of the following locations:
ohelloguyff .com/70.exe
ohelloguyzzqq .com/85.exe?1
Of these, only the 85.exe download is working for me at the moment which is Teslacrypt ransomware. This has a detection rate of just 1/56*... Recommended blocklist:
185.35.108.109
204.44.102.164
54.212.162.6
192.210.144.130
212.119.87.77
78.135.108.94
"

1] https://www.hybrid-analysis.com/sam...fc92960b27432ee22b655fcd86408?environmentId=4

2] https://www.hybrid-analysis.com/sam...d6ddd38afef18afc9e759d52105d9?environmentId=1

* https://www.virustotal.com/en/file/...c23dae989803573e22788938/analysis/1457899296/
___

Apple Store Support Ticket #35652467 – Apple PHISH
- https://myonlinesecurity.co.uk/apple-store-support-ticket-35652467-apple-phish-fail/
14 Mar 2016 - "An email pretending to come from 'App Store Billing #7221' <apple.id3627@ applemarketingpro .com> is one of the latest -phish- attempts to -steal- your Apple and bank/credit card details...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/Apple_store_refund_email-1024x625.png

The link in the email -if- you did copy & paste the link into a browser window -redirects- to another dyndns link where you would see a webpage looking like this where they want a lot of details and have gone to a lot of effort to validate the forms and stop obvious fake information being put in:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/Apple_store_refund-1024x557.png
The links behind the 'unsubscribe' and 'Click-here-to-view-our-privacy-policy' lead you to the Romanian Security Team forum. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

applemarketingpro .com: 174.35.126.195: https://www.virustotal.com/en/ip-address/174.35.126.195/information/

Malvertising, Fake 'Insufficient Funds', 'my photo', 'Doc Enclosed', 'Itinerary' SPAM

FYI...

Malvertising Campaign... Leads to Angler Exploit Kit/BEDEP
- http://blog.trendmicro.com/trendlab...paign-in-us-leads-to-angler-exploit-kitbedep/
Updated Mar 15, 2016 - "A malvertising campaign related to the Angler Exploit Kit is currently targeting users in the United States and may have affected tens of thousands of users in the last 24 hours alone. Based on our monitoring, the malicious ads were delivered by a compromised-ad-network in various highly-visited mainstream websites–including news, entertainment, and political commentary sites. As of this writing, while the more popular portals appear to be no longer carrying the bad ad, the malvertising campaign is still ongoing and thus continues to put users at risk of downloading malware into their systems... Users and organizations are advised to make sure that they keep their applications and systems up-to-date with the latest security patches; Angler Exploit Kit is known to exploit vulnerabilities in Adobe Flash and Microsoft Silverlight, among others..."
(More detail at the trendmicro URL above.)

- https://blog.malwarebytes.org/malve...er-malvertising-campaign-hits-top-publishers/
Mar 15, 2016 - "... on the weekend we witnessed a huge spike in malicious activity emanating out of two suspicious domains. Not only were there a lot of events, but they also included some very high profile publishers, which is something we haven’t seen in a while:
Publisher Traffic (monthly)[1]
msn .com 1.3B
nytimes .com 313.1M
bbc .com 290.6M
aol .com 218.6M
my.xfinity .com 102.8M
nfl .com 60.7M
realtor .com 51.1M
theweathernetwork .com 43M
thehill .com 31.4M
newsweek .com 9.9M
1] Numbers pulled from SimilarWeb .com
... Rogue domains:
Domain Name: TRACKMYTRAFFIC .BIZ: 104.28.18.116: https://www.virustotal.com/en/ip-address/104.28.18.116/information/
104.28.19.116: https://www.virustotal.com/en/ip-address/104.28.19.116/information/
>> https://www.virustotal.com/en/url/7...bd78970ee7b0b7c4a86239fc7e746035230/analysis/
Domain Name: TALK915 .PW: 104.27.191.84: https://www.virustotal.com/en/ip-address/104.27.191.84/information/
104.27.190.84: https://www.virustotal.com/en/ip-address/104.27.190.84/information/
>> https://www.virustotal.com/en/url/4...1c4aacfd200b1370a9545960f8f20030128/analysis/
... On Sunday, when the attack really expanded, the Angler exploit kit was then used... Angler EK has gone through several changes lately, in its URI patterns but also in the landing page itself. It is also the only one to use a recently patched Silverlight vulnerability*... the actual malware payload in each of these attacks, chances are quite high that it would be one of the several strains of ransomware currently out there..."
* http://malware.dontneedcoffee.com/2016/02/cve-2016-0034.html
(More detail at the malwarebytes URL above.)
___

Fake 'Insufficient Funds' SPAM - JS malware leads to Teslacrypt
- https://myonlinesecurity.co.uk/insu...on-id12719734-js-malware-leads-to-teslacrypt/
15 Mar 2016 -"... an email with the subject of 'Insufficient Funds Transaction ID:12719734' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt... The email looks like:
From: Random names & email addresses
Date: Tue 15/03/2016 06:29
Subject: Insufficient Funds Transaction ID:12719734
Attachment: money_12719734.zip
Dear Valued Customer,
Your transaction 12719734 dated on 13/03/2016 4:24 PM was declined due to insufficient funds on your account.
For more details please refer to the report enclosed.
Thank you!


15 March 2016: money_12719734.zip: Extracts to: details_sESWjv.js
and access_21202865.zip: Extracts to: details_AdbdeE.js - Current Virus total detections [1] [2]:
.. MALWR [3] [4] shows a download of what looks like Teslacrypt from
http ://giveitalltheresqq .com/80.exe?1 or http ://giveitalltheresqq .com/69.exe?1 VirusTotal [5] ...
... This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
1] https://www.virustotal.com/en/file/...0fa734494f962dfe60060ec4/analysis/1458027607/

2] https://www.virustotal.com/en/file/...0fa734494f962dfe60060ec4/analysis/1458027607/

3] https://malwr.com/analysis/NGRlNTQzZjFmZTU0NDVkMzhkZjNiZWMzNGEyNDA0YTQ/
Hosts
54.175.175.52: https://www.virustotal.com/en/ip-address/54.175.175.52/information/
>> https://www.virustotal.com/en/url/b...4b1373bda31bf0774691d7a3367d07b9ca7/analysis/
>> https://www.virustotal.com/en/url/5...1d91d35d795a821bd8a7f615a8450513f7e/analysis/
107.180.50.183: https://www.virustotal.com/en/ip-address/107.180.50.183/information/

4] https://www.virustotal.com/en/file/...57a15dd3937dabb58b915fda/analysis/1458027237/

5] https://www.virustotal.com/en/file/...57a15dd3937dabb58b915fda/analysis/1458027237/
___

Fake 'my photo' SPAM - fake jpg malware
- https://myonlinesecurity.co.uk/photomy-photoimagepic-sent-from-my-iphone-fake-jpg-malware/
15 Mar 2016 - "... An email with the subject of 'photo,my photo,image,pic' pretending to come from lyle.house@ hotmail .co.uk (probably random addresses) with a zip attachment is another one from the current bot runs... The email looks like:
From: lyle.house@ hotmail .co.uk
Date: Tue 15/03/2016 10:52
Subject: photo,my photo,image,pic
Attachment: IMG_0024415_02-2016 JPG.zip
photo Sent from my iPhone


The link behind photo goes to https ://www.dropbox .com/s/5eaj5qwy9yz3xmo/IMG_0024415_02-2016%20JPG.zip?dl=0 where a zip file is downloaded. I am unable to find an abuse report for dropbox to alert them...
15 March 2016: IMG_0024415_02-2016 JPG.zip: Extracts to: IMG_0024415_02-2016 JPG,jpeg.exe
Current Virus total detections 4/57* MALWR** - The detections are inconclusive...
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper jpg ( image) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...62a0c42c7b83e7460e0ed010/analysis/1458039815/
TCP connections
87.117.242.31: https://www.virustotal.com/en/ip-address/87.117.242.31/information/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/

** https://malwr.com/analysis/NTkyMzc3YTQzNGJiNGIwZWIzNmI5NTY5NTU0NTdiYmI/
Hosts
87.117.242.31
13.107.4.50

___

Fake 'Document Enclosed' SPAM - fake PDF malware
- https://myonlinesecurity.co.uk/document-enclosed-fake-pdf-malware/
15 Mar 2016 - "... An email with the subject of 'Document Enclosed' pretending to come from Ka2521@ hotmail .co.uk with a zip attachment is another one from the current bot runs...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/document_-enclosed-1024x426.png

15 March 2016: INV.P10119.03.2016.XML.zip: Extracts to: INV.P10119.03.2016.XML.PDF,.exe
Current Virus total detections 4/57* which is the -same- malware as described in this other Malspam run**.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...62a0c42c7b83e7460e0ed010/analysis/1458039815/
TCP connections
87.117.242.31
13.107.4.50


** https://myonlinesecurity.co.uk/photomy-photoimagepic-sent-from-my-iphone-fake-jpg-malware/
___

Fake 'Itinerary' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecurity.co.uk/itin...vel-com-js-malware-leads-to-locky-ransomware/
15 Mar 2016 - "An email with the subject of 'Itinerary #13B0B450E' [random numbered] pretending to come from no-reply@ clicktravel .com with a zip attachment is another one from the current bot runs which downloads Locky ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/Itinerary-13B0B450E-1024x382.png

15 March 2016: Hotel-Fax-V004X3R8_4983252052512314320.zip: Extracts to: USH3121122904.js
Current Virus total detections 5/57* - MALWR** shows a download of Locky ransomware from
http ://flaxxup .com/87yg756f5.exe (VirusTotal 3/56***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...e7609e09b86949b95a50e017/analysis/1458040913/

** https://malwr.com/analysis/YzcxMGYyMzRjNWYyNDE1OTg3MGE1ZDg4Y2I4ODcyMzA/
Hosts
98.131.204.1: https://www.virustotal.com/en/ip-address/98.131.204.1/information/
51.254.181.122: https://www.virustotal.com/en/ip-address/51.254.181.122/information/

*** https://www.virustotal.com/en/file/...b8588ea734530f74c2586087/analysis/1458039440/
TCP connections
37.139.27.52: https://www.virustotal.com/en/ip-address/37.139.27.52/information/
149.202.109.205: https://www.virustotal.com/en/ip-address/149.202.109.205/information/
___

Dropbox spreading malware via spoofed emails about orders – fake PDF malware
- https://myonlinesecurity.co.uk/drop...spoofed-emails-about-orders-fake-pdf-malware/
16 Mar 2016 - "... from these earlier malspam runs [1] [2] we now have a series of emails with the basic subject of 'orders' pretending to come from different companies with a -link- to Dropbox to download a zip attachment... another one from the current bot runs... The email looks like:
From: admin@ t-mobile .de
Date: Tue 15/03/2016 13:02
Subject: Fwd: INVOICE – Your Order from Sports
Attachment: 9937700846-001.PDF.zip
Order Details
Order Number: 31860 Date Ordered: Tuesday 15 March, 2016 Order In Progress If you have any questions or queries regarding your order please contact us


Some of the subjects and alleged senders seen so far include:
'Fwd: INVOICE – Your Order from Sports' pretending to come from admin@ t-mobile .de
'order 15/03/2016' pretending to come from benelle@ bt .com
'Fwd: INVOICE – Your Order' pretending to come from wdcabs1@ gmail .com
All -three- of these emails have the -same- body content and the -same- link-to-Dropbox to download the malware https ://www.dropbox .com/s/gckssj2hhyrfo2u/9937700846-001.PDF.zip?dl=0
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/dropbox-malware-1024x541.png
There are no abuse links or method of reporting malware, only to report DCMA and copyright infringements, by the tiny flag in bottom left corner...
15 March 2016: 9937700846-001.PDF.zip : Extracts to: 9937700846-001.PDF.exe
.. Current Virus total detections 5/56* which is exactly the -same- malware as described in the earlier malspam runs**... These are spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
1] https://myonlinesecurity.co.uk/document-enclosed-fake-pdf-malware/

2] https://myonlinesecurity.co.uk/photomy-photoimagepic-sent-from-my-iphone-fake-jpg-malware/

* https://www.virustotal.com/en/file/...62a0c42c7b83e7460e0ed010/analysis/1458046592/
TCP connections
87.117.242.31: https://www.virustotal.com/en/ip-address/87.117.242.31/information/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/

** https://myonlinesecurity.co.uk/photomy-photoimagepic-sent-from-my-iphone-fake-jpg-malware/
___

Documents with malicious macros deliver fileless malware to financial-transaction systems
- http://www.csoonline.com/article/30...malware-to-financial-transaction-systems.html
Mar 14, 2016 - "Spammed Word documents with malicious macros have become a popular method of infecting computers over the past few months. Attackers are now taking it one step further by using such documents to deliver fileless malware that gets loaded directly in the computer's memory. Security researchers from Palo Alto Networks analyzed a recent attack campaign that pushed spam emails with malicious Word documents to business email addresses from the U.S., Canada and Europe... 'Due to the target-specific details contained within the spam emails and the use of memory-resident malware, this particular campaign should be treated as a high threat', the Palo Alto researchers said in a blog post*..."
* http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-macro-based-attacks/
Mar 11, 2016 - "... users should ensure that macros are -not- enabled by default and should be wary of opening -any- macros in files received from untrusted sources..."

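Every sample in the posts above relies on the same two tricks: a script (.js) inside a zip, or an .exe whose name carries a fake document/image extension so that, with known extensions hidden, the icon is all the victim sees. The following is an added example (not code from any of the quoted posts) of a mail-gateway triage that opens a zip attachment in memory and flags script droppers, spoofed double extensions (including the comma and space variants seen above such as "JPG,jpeg.exe"), and any member whose bytes start with the PE "MZ" signature regardless of its name. The archive it inspects is constructed inline from placeholder bytes; only the member names are modelled on the ones reported in the thread.

```python
"""Triage a zip attachment for the lure patterns seen in this thread.

Added example, not code from the original posts. build_sample() constructs an
in-memory archive with placeholder contents (not malware); only the member
names mimic the ones reported above.
"""
import io
import zipfile

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".dll"}
# extensions the crooks borrow so the icon looks like a document or picture
LURE_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".xml", ".txt"}


def classify_name(name: str) -> list:
    """Reasons a file name looks like a lure, judged from the name alone."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    # "," or " " stand in for "." so the fake extension still reads naturally,
    # e.g. "IMG_0024 JPG,jpeg.exe" or "INV.XML.PDF,.exe"
    tokens = base.replace(",", ".").replace(" ", ".").split(".")
    ext = "." + tokens[-1] if len(tokens) > 1 else ""
    if ext in SCRIPT_EXT:
        reasons.append("script-dropper:" + ext)
    if ext in EXEC_EXT:
        reasons.append("executable:" + ext)
    # a document/image extension earlier in the name, hidden behind a non-document final one
    if ext not in LURE_EXT and any("." + t in LURE_EXT for t in tokens[:-1]):
        reasons.append("double-extension")
    return reasons


def triage_zip(archive_name: str, data: bytes) -> dict:
    """Map the archive name and each suspicious member to the reasons it was flagged."""
    findings = {}
    outer = classify_name(archive_name)
    if outer:
        findings[archive_name] = outer
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            # content check: a PE header is a PE header whatever the name says
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("pe-magic")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed archive: placeholder bytes, names modelled on the thread's samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details_sESWjv.js", "// constructed placeholder, not the real dropper\n")
        zf.writestr("IMG_0024415_02-2016 JPG,jpeg.exe", b"MZ" + b"\0" * 62)
        zf.writestr("9937700846-001.PDF.exe", b"MZ" + b"\0" * 62)
        zf.writestr("holiday.jpg", b"MZ" + b"\0" * 62)  # exe renamed to .jpg: only the magic catches it
        zf.writestr("readme.txt", "benign text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_zip("IMG_0024415_02-2016 JPG.zip", build_sample()).items():
        print(f"{member}: {', '.join(why)}")
```

The name check and the magic check are deliberately independent: the double-extension rule catches the archive itself ("... JPG.zip") before it is even opened, while the "MZ" check is what catches a binary that was simply renamed to .jpg. A real gateway would add the reverse case too (a .doc member that is actually an OLE file with a VBA stream), which the posts about Dridex macro documents make equally relevant.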
Fake 'Your order', 'Unpaid Invoice', 'Document1', 'Bestellung', 'Order status' SPAM

FYI...

Malvertising Attacks Targeting The UK
- https://blog.malwarebytes.org/malve...k-into-malvertising-attacks-targeting-the-uk/
Mar 16, 2016 - "We recently stumbled upon a -malvertising- incident on a large British newspaper site which we decided to investigate in greater detail. As with many attacks we have found lately, the line between legitimate advertisers and rogue ones is getting finer and finer. Indeed, in many cases ad networks simply cannot tell them apart without actual proof of malicious activity... Malvertising Flow:
dailymail .co.uk
adclick.g.doubleclick .net
track.bridge .systems (Russian RTB?)
cdn.exeterquads .com (Fake ad server)
geraeuschvollste.ciderstore .co.uk (Angler EK landing)
At first sight, exeterquads .com looks like a legitimate business (which it is) located in the UK. However, the subdomain (the ‘cdn‘ preceding the main domain) was registered via criminals who managed to steal the registrant’s credentials in order to create a rogue URL that points to their own server. This is called 'domain shadowing'*.
Legitimate domain:
Hostname: exeterquads .com
IP address: 5.196.39.216
Running on: Microsoft-IIS/8.5
Rogue (shadowed) sub-domain:
Hostname: cdn.exeterquads .com
IP address: 5.63.145.76: https://www.virustotal.com/en/ip-address/5.63.145.76/information/
Running on: nginx/1.0.15
The crooks also -stole- the graphics from this legitimate business to create an ad banner which looks rather convincing but is meant to be a -decoy- for the real motivation behind this attack. Indeed, alongside the banner, an innocuous 1×1 pixel image is served (supposedly for tracking purposes). This is where 'fingerprinting' happens. The -rogue- code hiding in the image can be decoded to reveal a nefarious intent to identify real victims and eliminate those running security tools, the latter being of no interest to the criminals:
> https://blog.malwarebytes.org/wp-content/uploads/2016/03/flow.png
The final part of this rogue code is to launch the exploit kit URL, which for all these campaigns has been Angler EK. Because this campaign was aimed at people living in the UK, we searched for additional rogue advertisers abusing other businesses. We found quite a handful of them that have been used in recent attacks... one way to determine whether an advertiser is legit is by checking the domain info and seeing if there are any discrepancies between the main domain and sub-domain. Also, many of those rogue-subdomains use free-SSL-certificates, while the core domain doesn’t... The UK malvertising campaign is of a rather large size, just after the US one. We have also spotted specific campaigns targeting Canadians, Australians and the French with a similar modus operandi. The amount of work spent -forging- legitimate brands and advertising under such disguise is really astonishing. We managed to get in touch with one company whose brand had been abused and they clearly were none the wiser when asked whether they were aware of this ad banner residing on a sub-domain. However, they managed to find out the source of the problem once they talked with their hosting provider... This kind of attack is a reminder of just how many different ways a website can-be-compromised or leveraged to fulfill certain goals. It also shows how difficult it can be for ad networks to -vet- new customers and weed out malicious ones."
* https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows
___

Cyber criminals snap up expired domains to serve malicious ads
- http://www.reuters.com/article/us-website-malware-idUSKCN0WI2DZ
Mar 16, 2016 - "Expired domain names are becoming the latest route for cyber criminals to find their way into the computers of unsuspecting users. Cyber criminals launched a malicious advertising campaign this week targeting visitors of popular news and entertainment websites after gaining ownership of an expired web domain of an advertising company. Users visiting the websites of the New York Times, Newsweek, BBC and AOL, among others, may have installed malware on their computers if they clicked on the malicious ads. Bresntsmedia .com, the website used by -hacks- to serve up malware, expired on Jan. 1 and was registered again on March 6 by a different buyer, security researchers at Trustwave SpiderLabs wrote in a blog*. Buying the domain of a small but legitimate ad company provided the criminals with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, the researchers said... The researchers also found two more expired "media"-related domains - envangmedia .com and markets.shangjiamedia .com - used by the same cyber criminals. The people behind the campaign may be keeping a watch for expired domains with the word "media" in them, they said."
* https://www.trustwave.com/Resources/SpiderLabs-Blog/Angler-Takes-Malvertising-to-New-Heights/

envangmedia .com: 136.243.149.196: https://www.virustotal.com/en/ip-address/136.243.149.196/information/
>> https://www.virustotal.com/en/url/5...2b5d88063f73021e40b308b5c89c87e221a/analysis/

markets.shangjiamedia .com: 136.243.149.201: https://www.virustotal.com/en/ip-address/136.243.149.201/information/
>> https://www.virustotal.com/en/url/b...203cd6fb8a031936cb514d3af73c375b055/analysis/
___

Fake 'Your order' SPAM - doc malware delivers Dridex
- https://myonlinesecurity.co.uk/your...al-order-number-93602-word-doc-macro-malware/
16 Mar 2016 - "An email saying 'Thank you for shopping with 365 Electrical' with the subject of 'Your order summary from 365 Electrical. Order number: 93602' (random numbers) coming from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: random names and email addresses
Date: Wed 16/03/2016 10:29
Subject: Your order summary from 365 Electrical. Order number: 93602
Attachment: Sales Order Document for Emailing_140603632941_1752380.doc
Dear customer,
Thank you for shopping with 365 Electrical. This is to acknowledge that we’ve received your order (see attached document). Please note that acceptance of your order takes place when the goods are loaded onto one of our vehicles for delivery to you.
Your order number is 93602.
Please read the following important information:
Damaged Goods: Must be reported within 48 hours of delivery date with photographic evidence. Do not install any damaged or unwanted items. This counts as acceptance of goods and the item is then non-returnable and non-refundable.
Delivery Timeslots: You must ensure that you can be available all day on your chosen day of delivery; if you find you cannot keep to the delivery date you must notify us before 12 noon one working day before...
Thank you,
365 Electrical


16 March 2016: Sales Order Document for Emailing_140603632941_1752380.doc - Current Virus total detections 1/57*
.. MALWR** shows a download from http ://api.holycrossservices .com/dri/donate.php which gave me
crypted120med.exe (VirusTotal 4/56***). This looks like Dridex banking Trojan.. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...db89df30ad47eac4fb93e807/analysis/1458123902/

** https://malwr.com/analysis/NDIwOGNmNzA3YWFlNDZmMzljZWEyODE2ZWQyMGY2YTM/
Hosts
176.103.56.36
188.93.239.28
184.27.46.153


*** https://www.virustotal.com/en/file/...f06c343048bc94c9e803d0e9/analysis/1458124624/
TCP connections
188.93.239.28: https://www.virustotal.com/en/ip-address/188.93.239.28/information/
88.221.14.11: https://www.virustotal.com/en/ip-address/88.221.14.11/information/
___

Fake 'Unpaid Invoice' SPAM - doc macro malware
- https://myonlinesecurity.co.uk/unpaid-invoice-word-doc-macro-malware/
16 Mar 2016 - "An email with the subject of 'Unpaid Invoice' pretending to come from Dave.Maule@ tiscali .co.uk ( probably random) with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Dave.Maule@ tiscali .co.uk
Date: Wed 16/03/2016 11:08
Subject: Unpaid Invoice
Attachment: original invoice feb2016.doc
I noticed that your invoice is overdue by 25 days and wanted to reach out to make sure that you received our original invoice and my reminder email on 02/16.
You can pay us by CC, direct deposit or with a check.
If you have any questions, please let us know and we’d be happy to respond.
Warm Regards,
A Cooper


16 March 2016: original invoice feb2016.doc - Current Virus total detections 23/57*
.. Waiting for analysis. This is highly likely to download either Dridex banking Trojan or Locky ransomware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...4a69935b4fef1091f9c79fb0/analysis/1458127451/
___

Fake 'Document1' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecurity.co.uk/docu...address-js-malware-leads-to-locky-ransomware/
16 Mar 2016 - "A -blank/empty- email with the subject of 'Document1' pretending to come from your own email address and sent to your own email address with a zip attachment is another one from the current bot runs which downloads Locky ransomware... The email looks like:
From: your own email address
Date: Wed 16/03/2016 11:58
Subject: Document1
Attachment: Document1.zip


Body content: totally -blank-

16 March 2016: Document1.zip: Extracts to: CDF6840557603.js - Current Virus total detections 5/57*
.. MALWR** shows a download of Locky ransomware from
http ://winjoytechnologies .com/v4v5g45hg.exe (VirusTotal 1/56***) which is a -different- Locky binary from this earlier malspam run[1]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...c36f71fc53e0d657750764a7/analysis/1458129749/

** https://malwr.com/analysis/NmRlMGE2ZTVhY2FiNDFiZDkzYzdhZjhiZGNmYzRjMTQ/
Hosts
192.185.37.228: https://www.virustotal.com/en/ip-address/192.185.37.228/information/
91.195.12.187: https://www.virustotal.com/en/ip-address/91.195.12.187/information/

*** https://www.virustotal.com/en/file/...cc4c72940b61a1e06ba01157/analysis/1458129716/
TCP connections
91.195.12.187

1] https://myonlinesecurity.co.uk/best...roup-com-js-malware-leads-to-dridex-or-locky/
___

Fake 'Bestellung' SPAM - JS malware leads to ransomware
- https://myonlinesecurity.co.uk/best...roup-com-js-malware-leads-to-dridex-or-locky/
16 Mar 2016 - "An email written partly in English -and- partly in German supposedly from Buhler group with the subject of 'Bestellung 69376' [random numbered] pretending to come from david.favella654@ buhlergroup .com (-random- numbers after david.favella) with a zip attachment is another one from the current bot runs... Update: I am reliably informed this is Locky ransomware not Dridex... The email looks like:
From: david.favella654@ buhlergroup .com
Date: Wed 16/03/2016 10:03
Subject: Bestellung 69376
Attachment: Bestellung Bestellung 69376.zip
Sehr geehrte Damen und Herren,
anbei erhalten Sie unsere Bestellung. Diese ist maschinell erstellt und ist daher ohne Unterschrift gültig.
Dear ladies and gentlemen,
enclosed you receive our order. This order has been created automatically and is valid without signature.
Mit freundlichen Grüßen / Best regards ...


16 March 2016: Bestellung Bestellung 69376.zip: Extracts to: BOY8641744807.js
Current Virus total detections 6/57*.. MALWR** shows a download of Locky ransomware from
http ://vital4age .eu/v4v5g45hg.exe (VirusTotal 0/57***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...ad4cf20eed98a6b8ce10e459/analysis/1458127067/

** https://malwr.com/analysis/ODQzZTFhN2RkMDRkNDA5NzkyYWZiYTY0ZTFiMjhjMGM/
Hosts
85.13.152.231: https://www.virustotal.com/en/ip-address/85.13.152.231/information/
>> https://www.virustotal.com/en/url/d...b91502ba209a4a045806596e6526785f427/analysis/

*** https://www.virustotal.com/en/file/...32811303a5c640022b6fd6cb/analysis/1458127276/
TCP connections
149.202.109.205: https://www.virustotal.com/en/ip-address/149.202.109.205/information/
91.195.12.187: https://www.virustotal.com/en/ip-address/91.195.12.187/information/
___

Fake 'Order status updated' SPAM - doc macro malware
- https://myonlinesecurity.co.uk/re-m...d-to-order-processing-word-doc-macro-malware/
16 Mar 2016 - "An email with the subject of 'RE: MINERAL & FINANCIAL INVESTMENTS LTD – Order Number 89785/682352/15 status updated to order processing' pretending to come from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... This mass malspam run has a subject that looks like 'RE: [random company name] – Order Number [random number] status updated to order processing'. The attachment names are based on the company name in the subject and include:
CML MICROSYSTEMS – Order NUM. 09725_866338_23.doc
MINERAL & FINANCIAL INVESTMENTS LTD – Order NUM. 57691_396874_45.doc
MXC CAPITAL PLC – Order NUM. 80048_534442_26.doc
ROSSETI JSC – Order NUM. 39475_569330_86.doc
Some subjects include:
RE: MINERAL & FINANCIAL INVESTMENTS LTD – Order Number 89785/682352/15 status updated to order processing
RE: CML MICROSYSTEMS – Order Number 09725/866338/23 status updated to order processing
RE: ROSSETI JSC – Order Number 39475/569330/86 status updated to order processing
RE: MXC CAPITAL PLC – Order Number 80048/534442/26 status updated to order processing
One example email looks like:
From: Horton.Elena9@ incrcc .org
Date: Wed 16/03/2016 13:34
Subject: RE: MINERAL & FINANCIAL INVESTMENTS LTD – Order Number 89785/682352/15 status updated to order processing
Attachment: MINERAL & FINANCIAL INVESTMENTS LTD – Order NUM. 57691_396874_45.doc
Dear customer,
First of all thank you for purchasing with us.
We want to let you know that your order 89785/682352/15 status has been updated to ORDER PROCESSING
If you have any questions about your order, send an email to sales@fromdomain qouting your order number 89785/682352/15 or simply reply to this message.
Your unique reference: Your order number listed above.
MINERAL & FINANCIAL INVESTMENTS LTD
You can download and view a copy of your invoice from the attached document...


16 March 2016: MINERAL & FINANCIAL INVESTMENTS LTD – Order NUM. 57691_396874_45.doc
.. Current Virus total detections 1/57*..
Update: a resubmission to MALWR** got a download from http ://api.kairoshealthcare .org/dri/donate.php
which gave freshmeat.exe (VirusTotal 4/56***) which appears to be an -updated- Dridex binary although also using the same download locations from this earlier Malspam run[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...2f56868a944b270ecccfd41f/analysis/1458134954/

** https://malwr.com/analysis/NDA2M2RhNzlkZjZhNDkzMzhkYjljNTJkN2ZmYzUzNGU/
Hosts
213.159.214.241: https://www.virustotal.com/en/ip-address/213.159.214.241/information/
188.93.239.28
13.107.4.50


*** https://www.virustotal.com/en/file/...961bc4c1e9c28d2580d3f753/analysis/1458137759/
TCP connections
188.93.239.28: https://www.virustotal.com/en/ip-address/188.93.239.28/information/
>> https://www.virustotal.com/en/url/c...1db4dd5a5d801f871ca4ccae216adcb5c4b/analysis/
13.107.4.50: https://www.virustotal.com/en/ip-address/13.107.4.50/information/

4] https://myonlinesecurity.co.uk/your...al-order-number-93602-word-doc-macro-malware/

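The posts above hand out their indicators defanged ("http ://vital4age .eu/v4v5g45hg.exe", "91.195.12.187") and note that the same payload name turns up on several compromised hosts and that the same dropper URLs (the /dri/donate.php ones) serve more than one campaign. The following is an added example (not code from any of the quoted posts) that refangs indicators written in exactly that style, builds an index of exact URLs, reusable payload paths and C2/blocklist IPs, and runs it over proxy log lines. The indicator strings are copied from the posts above; the log lines are constructed in a squid-like access format and are not real traffic, and the client addresses and the example.org/203.0.113.x hosts in them are placeholders.

```python
"""Refang the thread's defanged indicators and match them against proxy logs.

Added example, not code from the original posts. Indicators below are copied
from the posts above (defanged as written there); SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import urlsplit

# download URLs quoted in the posts, defanged exactly as the posts write them
DEFANGED_URLS = [
    "http ://api.holycrossservices .com/dri/donate.php",
    "http ://api.kairoshealthcare .org/dri/donate.php",
    "http ://winjoytechnologies .com/v4v5g45hg.exe",
    "http ://vital4age .eu/v4v5g45hg.exe",
]
# post-infection hosts the posts report as TCP connections for the dropped binaries
BLOCKLIST_IPS = {"188.93.239.28", "91.195.12.187", "149.202.109.205"}

# squid native format (constructed): ts elapsed client action/code size method url user hier/dst type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
    r"\s+\S+\s+\S+/(?P<dst>\S+)\s+"
)


def refang(indicator: str) -> str:
    """Undo the 'http ://', 'host .tld', hxxp and [.] styles of defanging."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    s = s.replace(" ://", "://").replace("[:]//", "://")
    s = s.replace(" .", ".").replace("[.]", ".").replace("(.)", ".")
    return s


def build_index(defanged_urls, ips) -> dict:
    """Exact host+path keys, bare payload paths (reused across hosts) and an IP set."""
    exact, paths = set(), set()
    for d in defanged_urls:
        u = urlsplit(refang(d))
        exact.add(u.netloc.lower() + u.path)
        paths.add(u.path)  # same file name served from many compromised sites
    return {"exact": exact, "paths": paths, "ips": set(ips)}


def match_line(line: str, index: dict):
    """Return the IOC hits for one log line, or None if it is clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlsplit(m["url"])
    key = u.netloc.lower() + u.path
    hits = []
    if key in index["exact"]:
        hits.append("ioc-url")
    elif u.path in index["paths"]:
        hits.append("ioc-path:" + u.path)
    if m["dst"] in index["ips"]:
        hits.append("ioc-ip:" + m["dst"])
    if not hits:
        return None
    return {"ts": m["ts"], "client": m["client"], "url": m["url"], "hits": hits}


def scan_log(log_text: str, index: dict) -> list:
    """All hits in a block of log text, in order."""
    out = []
    for line in log_text.splitlines():
        hit = match_line(line, index)
        if hit:
            out.append(hit)
    return out


# constructed sample traffic: one exact dropper URL, one payload name on a new host,
# one beacon to a listed IP, one benign request
SAMPLE_LOG = """\
1458123902.101    412 10.0.0.15 TCP_MISS/200 5120 GET http://api.holycrossservices.com/dri/donate.php - HIER_DIRECT/176.103.56.36 application/octet-stream
1458129749.220    388 10.0.0.22 TCP_MISS/200 212992 GET http://compromised-site.example/v4v5g45hg.exe - HIER_DIRECT/203.0.113.9 application/x-msdownload
1458129800.305     95 10.0.0.22 TCP_MISS/200 310 POST http://91.195.12.187/ - HIER_DIRECT/91.195.12.187 text/html
1458129900.010     40 10.0.0.31 TCP_HIT/200 8812 GET http://www.example.org/index.html - HIER_DIRECT/198.51.100.7 text/html
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, build_index(DEFANGED_URLS, BLOCKLIST_IPS)):
        print(hit["ts"], hit["client"], hit["url"], ", ".join(hit["hits"]))
```

Matching on the bare payload path is the useful part: the posts show v4v5g45hg.exe on two different hosts within the same day, so an exact-URL list alone would miss the next compromised site, while the IP set catches the post-infection beacon even when the URL carries nothing recognisable.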
Fake 'Interparcel Documents', 'Remittance Adivce', 'Documentxx', 'PDFPart2.pdf' SPAM

FYI...

Fake 'Interparcel Documents' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/03/malware-spam-interparcel-documents.html
17 Mar 2016 - "This spam email does not come from Interparcel but is instead a simple forgery with a malicious attachment:
From: Interparcel [bounce@ interparcel .com]
Date: 17 March 2016 at 08:51
Subject: Interparcel Documents
Your Interparcel collection has been booked and your documents are ready.
There is a document attached to this email called Shipping Labels (620486055838).doc.
Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.
Thank you for booking with Interparcel.


Attached is a randomly-named document that matches the reference in the email (e.g. Shipping Labels (620486055838).doc) of which I have seen two variants (VirusTotal results [1] [2]). These two Malwr reports [3] [4] show Dridex-like download locations at:
gooddrink .com.tr/wp-content/plugins/hello123/56h4g3b5yh.exe
ziguinchor.caravanedesdixmots .com/wp-content/plugins/hello123/56h4g3b5yh.exe
The detection rate for the binary is 5/57*. This DeepViz report** on the binary shows network connections to:
195.169.147.26 (Culturegrid.nl, Netherlands)
64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)
As mentioned before, these characteristics look like the Dridex banking trojan.
Recommended blocklist:
195.169.147.26
64.76.19.251
91.236.4.234
188.40.224.78
"
1] https://www.virustotal.com/en/file/...cf6096311077cde2074b5cfa/analysis/1458205307/

2] https://www.virustotal.com/en/file/...283f26ae4f7f3e48290f2c4a/analysis/1458205319/

3] https://malwr.com/analysis/Yjk4MWRiOWM0YzU1NGQyNGI4MzMzNDBhYTAzNDdlZTM/
Hosts
185.85.191.251

4] https://malwr.com/analysis/ZDljMjUwMTVmMTA2NGFmNTg4ZTE0NjllNjU1MzM1NzY/
Hosts
62.210.16.61

* https://www.virustotal.com/en/file/...a5f491b26195a8950629d748/analysis/1458206236/

** https://sandbox.deepviz.com/report/hash/912a16dfeb25668f0e6ee5d6ec6746d8/

- https://myonlinesecurity.co.uk/interparcel-documents-word-doc-macro-malware-leads-to-dridex/
17 Mar 2016 - "An email with the subject of 'Interparcel Documents' pretending to come from Interparcel <bounce@ interparcel .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Interparcel <bounce@ interparcel .com>
Date: none
Subject: Interparcel Documents
Attachment: Shipping Labels (642079569307).doc
Your Interparcel collection has been booked and your documents are ready.
There is a document attached to this email called Shipping Labels (642079569307).doc.
Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.
Thank you for booking with Interparcel.


17 March 2016: Shipping Labels (642079569307).doc - Current Virus total detections 8/57*
.. MALWR** shows a download from http ://www.corecircle .it/wp-content/plugins/hello123/56h4g3b5yh.exe (VirusTotal ***) This is likely to be the Dridex banking Trojan. Hybrid Analysis[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...42c636f0177481606c3bf0a0/analysis/1458204597/

** https://malwr.com/analysis/ZjBiOWMxZDQ4NzM4NDAzNDlkODc4YjVhNTYzNDg4NGE/
Hosts
62.149.142.224

*** https://www.virustotal.com/en/file/...a5f491b26195a8950629d748/analysis/1458205050/

4] https://www.hybrid-analysis.com/sam...77234a5f491b26195a8950629d748?environmentId=4
Host Addresses
195.169.147.26
64.76.19.251

___

Fake 'Remittance Adivce' SPAM - doc malware leads to Dridex
- https://myonlinesecurity.co.uk/remittance-adivce-word-doc-macro-malware-leads-to-dridex/
17 Mar 2016 - "An email with the subject of 'Remittance Adivce' pretending to come from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Note the -misspelling- in the subject 'Remittance Adivce' instead of 'Remittance Advice' which should be enough to raise warning flags. One of the emails looks like:
From: Gill.Wilmer07@ urbanmountainhomes .com
Date: Thu 17/03/2016 09:16
Subject: Remittance Adivce
Attachment: remitadv_ana.doc
Please find attached a remittance advice for payment made yo you today.
Please contact the accounts team on 020 7523 2565 or via reply email for any queries regarding this payment.
Kind Regards
Wilmer Gill


17 March 2016: remitadv_ana.doc - Current Virus total detections 1/57*
.. MALWR** shows a download from http ://bakery.woodwardcounseling .com/michigan/map.php which gave me crypted120med.exe (virustotal 3/56***) MALWR[4] which looks like Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...03547a60713b5f635bad9d91/analysis/1458206097/

** https://malwr.com/analysis/M2U5MDVjMzJmMzJkNDBjODkxY2E0MzA3NGM5YjUwY2M/
Hosts
217.12.199.94
188.93.239.28


*** https://www.virustotal.com/en/file/...6d9a4d7020108d16c6f2db06/analysis/1458204974/
TCP connections
38.64.199.33
104.86.111.136


4] https://malwr.com/analysis/Yjg0NDU3MzRhZjQyNDcwMjgyOGNlY2E1ZWQyMzJlMjA/
Hosts
188.93.239.28

- http://blog.dynamoo.com/2016/03/malware-spam-remittance-adivce-from.html
17 Mar 2016 - "This fake financial spam has a malicious attachment and poor spelling in the subject field.
From: Booth.Garth19@ idsbangladesh .net.bd
Date: 17 March 2016 at 09:17
Subject: Remittance Adivce
Please find attached a remittance advice for payment made yo you today.
Please contact the accounts team on 020 2286 7847 or via reply email for any queries regarding this payment.
Kind Regards
Garth Booth


... Recommended blocklist:
217.12.199.94
38.64.199.33
188.93.239.28
85.17.155.148
"
___

Fake 'Documentxx' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/03/malware-spam-documentxx-apparently.html
17 Mar 2016 - "This spam appears to come from-the-victim, but this is just a simple forgery (explained here*). Attached is a ZIP file beginning "Document" followed by a one or two digit random number, which matches the subject. There is -no- body text. Here is an example:
From: victim@ domain .tld
To: victim@ domain .tld
Date: 17 March 2016 at 10:37
Subject: Document32


* http://blog.dynamoo.com/2011/09/why-am-i-sending-myself-spam.html
Inside is a randomly-named script (samples VirusTotal reports [1] [2]..). These Malwr reports [8] [9].. indicate that the -script- attempts to download a binary from the following locations:
escortbayan.xelionphonesystem .com/wp-content/plugins/hello123/89h8btyfde445.exe
fmfgrzebel .pl/wp-content/plugins/hello123/89h8btyfde445.exe
superiorelectricmotors .com/wp-content/plugins/hello123/89h8btyfde445.exe
sabriduman .com/wp-content/plugins/hello123/89h8btyfde445.exe
bezerraeassociados .com.br/wp-content/plugins/hello123/89h8btyfde445.exe
The dropped binary has a detection rate of just 2/57**. Those reports and these other automated analyses [14] [15].. show network traffic to:
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
46.148.20.46 (Infium UAB, Ukraine)
188.127.231.116 (SmartApe, Russia)
195.64.154.114 (Ukrainian Internet Names Center, Ukraine)
This is Locky ransomware.
Recommended blocklist:
78.40.108.39
46.148.20.46
188.127.231.116
195.64.154.114
"
1] https://www.virustotal.com/en/file/...44fd582e3e8494a9c7a8a7ee/analysis/1458212406/

2] https://www.virustotal.com/en/file/...2cfcdbe128f25bc48510b965/analysis/1458212403/

8] https://malwr.com/analysis/YWE1ZTY1NGY2N2YyNGZmYWIxNjIzZTg3MTBkODYzNTE/

9] https://malwr.com/analysis/Zjg1NmY3YTBjY2QxNGQwZTlhNzAzMWE4YWQyMmQwNGU/

** https://www.virustotal.com/en/file/...71027a81fa3830a51937d544/analysis/1458213349/

14] https://malwr.com/analysis/OWVjNzBlNmNlMGQ4NDZjNWJkM2U0MTdiNTczMDNjZDE/

15] https://www.hybrid-analysis.com/sam...ed0d871027a81fa3830a51937d544?environmentId=4
___

Fake 'PDFPart2.pdf' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecurity.co.uk/pdfp...y-three-js-malware-leads-to-locky-ransomware/
17 Mar 2016 - "An email with the subject of 'PDFPart2.pdf' pretending to come from Administrator admin@ your-own-email domain with a zip attachment is another one from the current bot runs which downloads Locky ransomware... The -broken- email looks like:
From: Administrator admin@ your own email domain
Date: Thu 17/03/2016 12:34
Subject: PDFPart2.pdf
Attachment: PDFPart2.zip
--_com.android.email_2732400748040
Content-Type: multipart/alternative; boundary="--_com.android.email_2732400748040"
--_com.android.email_2732400748040 ...

.. When it is fixed...
From: Administrator admin@ your own email domain
Date: Thu 17/03/2016 12:34
Subject: PDFPart2.pdf
Attachment: PDFPart2.zip
Sent from my Samsung Galaxy Note 4 – powered by Three


17 March 2016: PDFPart2.zip: Extracts to: MNS2053291109.js - Current Virus total detections 6/57*
.. MALWR** shows a download of Locky ransomware from
http ://www.tuttiesauriti .org/wp-content/plugins/hello123/89h8btyfde445.exe (VirusTotal 5/56***) which although the same file name as today’s earlier locky malspam run is a -different- binary.. A second version CHR5185491610.js (VirusTotal [4]).. MALWR shows a download of the -same- Locky ransomware from
http ://cepteknik .org/wp-content/plugins/hello123/89h8btyfde445.exe ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...d9859bd6f0b76d6f914068da/analysis/1458220341/

** https://malwr.com/analysis/ODEwMTZiNGMwOTZkNDg1Mjk0OTc0NWYxYWVhNThhY2E/
Hosts
62.149.140.49: https://www.virustotal.com/en/ip-address/62.149.140.49/information/
78.40.108.39

*** https://www.virustotal.com/en/file/...290555d4bcb5d86d9080b13c/analysis/1458220984/
TCP connections
78.40.108.39: https://www.virustotal.com/en/ip-address/78.40.108.39/information/
>> https://www.virustotal.com/en/url/9...ff8b0803eb301ad38d16ebb4f8823f0a495/analysis/

4] https://www.virustotal.com/en/file/...f87643d110e21f2827f23330/analysis/1458221038/

- http://blog.dynamoo.com/2016/03/malware-spam-pdfpart2pdf-sent-from-my.html
17 Mar 2016 - "This spam run has a malicious attachment. It appears to come from within the user's own domain.
From: Administrator [admin@ victimdomain .tld]
Date: 17 March 2016 at 12:54
Subject: PDFPart2.pdf
Sent from my Samsung Galaxy Note 4 - powered by Three
Sent from my Samsung Galaxy Note 4 - powered by Three


All the attachments that I saw were corrupt, but it appears to be trying to download a -script- that installs Locky ransomware..."
___

Fake 'Invoice' SPAM - RTF malware leads to Dridex
- https://myonlinesecurity.co.uk/invo...op-delivery-word-rtf-malware-leads-to-dridex/
17 Mar 2016 - "An email with the subject of 'Invoice DOINV32142' from Tip Top Delivery (random characters) pretending to come from random email addresses with a malicious word doc RTF attachment is another one from the current bot runs...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/tiptop-delivery-invoice-1024x783.png

17 March 2016: Invoice_DOINV32142_from_tip_top_delivery.rtf - Current Virus total detections 3/57*
.. MALWR** shows a download of what looks like Dridex banking Trojan from
http ://parts.woodwardcounselinginc .com/michigan/map.php which gave me twitt_us.exe (VirusTotal 3/57***).
It looks like a continuation of this earlier Dridex malspam[1] with similar sites... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...dddfc03a2b9a5630702e59c0/analysis/1458235091/

** https://malwr.com/analysis/YjdhMzA5NjMzYzJlNDM1N2JmYzFjMWIyNWIwYTgzN2M/
Hosts
176.107.177.85
188.93.239.28
8.254.249.62


*** https://www.virustotal.com/en/file/...608e3dfca51057d64da7716c/analysis/1458235750/
TCP connections
188.93.239.28
104.86.111.136


1] https://myonlinesecurity.co.uk/remittance-adivce-word-doc-macro-malware-leads-to-dridex/

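The posts above end in "Recommended blocklist" IP lists (and the later "Evil networks to block" post gives CIDR ranges instead of single hosts). As an added example, not code from any of the quoted blogs, here is a small Python matcher that parses that list format, treats bare addresses as /32 networks so one check covers both forms, and runs a few constructed proxy log lines against it. The blocklist text is assembled from entries on this page; the log lines, the field layout (timestamp, client, destination IP, request) and the internal 10.0.0.x clients are constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the "Recommended blocklist" / "Evil networks" format used
# in the posts above: bare IPs, IPs with an (org, country) note, and CIDR ranges.
BLOCKLIST_TEXT = """\
Recommended blocklist:
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
46.148.20.46
188.127.231.116
195.64.154.114
185.30.98.0/23
217.12.210.128/25
"""

# Constructed proxy log lines (not from the page): timestamp, client, destination IP, request.
SAMPLE_LOG = """\
2016-03-18T10:31:02Z 10.0.0.21 78.40.108.39 GET /wp-content/plugins/hello123/89h8btyfde445.exe
2016-03-18T10:31:05Z 10.0.0.21 93.184.216.34 GET /index.html
2016-03-18T10:32:41Z 10.0.0.57 185.30.99.17 GET /gate.php
2016-03-18T10:33:00Z 10.0.0.57 217.12.210.5 GET /
"""

# First IPv4 address, optionally with a /prefix, on a line; trailing notes are ignored.
IP_OR_CIDR = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\b")


def parse_blocklist(text):
    """Return ip_network objects for every IPv4 address or CIDR in the text.
    Bare addresses become /32 networks so one matcher handles both forms."""
    nets = []
    for line in text.splitlines():
        m = IP_OR_CIDR.search(line)
        if not m:
            continue  # header lines such as "Recommended blocklist:"
        try:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
        except ValueError:
            continue  # malformed entry: skip it rather than abort the whole list
    return nets


def matching_network(ip, nets):
    """Return the first blocklisted network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def scan_log(log_text, nets):
    """Return (line_number, dest_ip, matched_network) for each log line whose
    destination address falls inside a blocklisted host or range."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        dest = fields[2]
        try:
            net = matching_network(dest, nets)
        except ValueError:
            continue  # destination field was not an IP address
        if net is not None:
            hits.append((n, dest, str(net)))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, parse_blocklist(BLOCKLIST_TEXT)):
        print("line %d: %s is in blocklisted %s" % hit)
```

Note that 217.12.210.5 does not match: the listed range is 217.12.210.128/25, which only covers .128 to .255, so a range entry must be honoured as written rather than widened to the whole /24.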
Fake 'Unpaid Issue', 'Proof of Delivery', 'Attached Image', 'FedEx' SPAM, Evil nets..

FYI...

Teslacrypt SPAM: 'Unpaid Issue…'
- https://blog.malwarebytes.org/intelligence/2016/03/teslacrypt-spam-campaign-unpaid-issue/
Mar 18, 2016 - "We have all seen the current upsurge in Ransomware attacks. It has been covered on an international scale, with new variants appearing at a very fast pace, some target Windows, some target Macs and some have cross platform capabilities... The email seen below is an example of how the orchestrated attack is carried out (thanks to Conrad Longmore* for the email example):
From: Jennie bowles
Date: 10 March 2016 at 12:27
Subject: GreenLand Consulting – Unpaid Issue No. 58833
Dear Client! For the third time we are reminding you about your unpaid debt. You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off. We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly. Otherwise we will have to start a legal action against you.
Respectfully,
Jennie bowles
Chief Accountant
707 Monroe St FL 58833 928-429-4994

The emails usually contain a ZIP file which contains a malicious script/downloader. Upon running this specific malicious script/downloader I was greeted by Teslacrypt ransomware (69.exe) from:
hellomississmithqq[.]com /
IP: 54.212.162.6: https://www.virustotal.com/en/ip-address/54.212.162.6/information/
>> https://www.virustotal.com/en/url/5...a34b921cd58c294b8f3b67fa0db41f2a41e/analysis/
... below are some of the associated domains / IPs identified from the above sample. This Teslacrypt ransomware campaign has recently morphed into a hybrid Teslacrypt/Locky ransomware campaign. The aforementioned domain hellomississmithqq[.]com was seen serving up both Teslacrypt and Locky Ransomware on 10 March 2016).
Identified command and control:
multibrandphone[.]com
vtechshop[.]net
sappmtraining[.]com
shirongfeng[.]cn
controlfreaknetworks[.]com
tele-channel[.]com
Associated IP addresses with hellomississmithqq[.]com:
46.108.108.182
54.212.162.6
78.135.108.94
134.19.180.8
202.120.42.190
216.150.77.21
142.25.97.48
202.120.42.190

... Ransomware is not going away, on the contrary it is becoming more and more prevalent with new variants coming out at a fast pace and targeting multiple platforms. It is recommended that users are using anti-malware protection, especially one that has a website protection option..."
* http://blog.dynamoo.com/
___

Evil networks to block 2016-03-18
- http://blog.dynamoo.com/2016/03/evil-networks-to-block-2016-03-18.html
18 Mar 2016 - "A follow-up to this list* posted a few days ago. These networks are primarily distributing Angler and in my opinion you should -block- their entire ranges to be on the safe side...
85.204.74.0/24
89.45.67.0/24
89.108.83.0/24
148.251.249.96/28
184.154.89.128/29
184.154.135.120/29
185.30.98.0/23
185.117.73.0/24
185.141.25.0/24
194.1.237.0/24
212.22.85.0/24
217.12.210.128/25
"
* http://blog.dynamoo.com/2016/03/evil-networks-to-block-2016-03-07.html
___

Fake 'Proof of Delivery' SPAM - doc macro malware leads to Dridex
- https://myonlinesecurity.co.uk/ukma...70316-word-doc-macro-malware-leads-to-dridex/
18 Mar 2016 - "An email with the subject of 'Proof of Delivery Report: 16/03/16-17/03/16' pretending to come from UKMail Customer Services <list_reportservices@ ukmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: https://myonlinesecurity.co.uk/wp-c...f-of-Delivery-Report160316-17031-1024x763.png

18 March 2016: poddel-pdf-2016031802464600.docm - Current Virus total detections 9/57*
.. MALWR** shows a download from http ://felipemachado .com/wp-content/plugins/hello123/r34t4g33.exe
(VirusTotal 9/57***) which looks like Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...d2627ea71e345552b6cf4c5f/analysis/1458295346/

** https://malwr.com/analysis/NWVkYjY1OGMxNDExNGM5ZWJmODQxYWQ4YzJjMWNiNzc/
Hosts
93.104.215.155
64.147.192.68
184.25.56.51


*** https://www.virustotal.com/en/file/...d2627ea71e345552b6cf4c5f/analysis/1458295346/

- http://blog.dynamoo.com/2016/03/malware-spam-proof-of-delivery-report.html
18 Mar 2016 - "This spam does not come from UKMail but is instead a simple -forgery- with a malicious attachment:
From: UKMail Customer Services [list_reportservices@ ukmail.com]
Date: 18 March 2016 at 02:46
Subject: Proof of Delivery Report: 16/03/16-17/03/16
Dear Customer,
Please find attached your requested Proof of Delivery (POD) Download Report
ATTACHED FILE: POD DOWNLOAD ...


At the time of writing I have seen just a single sample with an attachment named poddel-pdf-2016031802464600.docm ...
Recommended blocklist:
64.147.192.68
64.76.19.251
91.236.4.234
188.40.224.78
"
___

Fake 'Attached Image' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecurity.co.uk/blan...-domain-js-malware-leads-to-locky-ransomware/
18 Mar 2016 - "A -blank- email with the subject of 'Attached Image' pretending to come from a scanner, copier or multi-functional device at your-own-domain with a random numbered zip attachment is another one from the current bot runs which downloads Locky ransomware... The email looks like:
From: scanner or copier at your-own-email domain
Date: Fri 18/03/2016 10:24
Subject: Attached Image pretending to come from a scanner or copier at your own domain
Attachment: 9369_001.zip (all random numbers)


Body content: totally blank

5 March 2016: 9369_001.zip : Extracts to: AGK4044783108.js - Current Virus total detections 2/57*
.. MALWR** shows a download of Locky ransomware from
http ://naairah .com/wp-content/plugins/hello123/j7u7h54h5.exe (VirusTotal 2/55***)
.. MALWR[4] and from http ://robyrogers .com.au/wp-content/plugins/hello123/8888ytc6r.exe (VirusTotal 4/57[5])... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...72caacc55919146028a66c13/analysis/1458300821/

** https://www.virustotal.com/en/file/...72caacc55919146028a66c13/analysis/1458300821/
Hosts
149.202.201.228
46.148.20.46
27.131.66.9
195.154.126.159


*** https://www.virustotal.com/en/file/...ed8d43a5eef116d5ec176bf9/analysis/1458301083/
TCP connections
46.148.20.46

4] https://malwr.com/analysis/NGY4ZjQxYTFjMjI2NGM0YTk4OGU1ZmY0MWQ5NjkzMzg/
Hosts
185.82.216.143

5] https://www.virustotal.com/en/file/...5474f9b1296076efab0ee2ec/analysis/1458301375/
___

Fake 'FedEx' SPAM - JS malware leads to ransomware
- https://myonlinesecurity.co.uk/fede...-shawn-maddox-js-malware-leads-to-ransomware/
18 Mar 2016 - "An email with the subject of 'FedEx_00196222.zip' pretending to come from mogotoys@ server.robo-apps .com; on behalf of; FedEx 2Day <shawn.maddox@ mogotoys .com> with a zip attachment is another one from the current bot runs which downloads ransomware... The email looks like:
From: mogotoys@ server.robo-apps .com; on behalf of; FedEx 2Day <shawn.maddox@ mogotoys .com>
Date: Fri 18/03/2016 02:49
Subject: Problems with item delivery, n.00196222
Attachment: FedEx_00196222.zip
Dear Customer,
Your parcel has arrived at March 15. Courier was unable to deliver the parcel to you.
Shipment Label is attached to email.
Yours sincerely,
Shawn Maddox,
Sr. Station Agent.


18 March 2016: FedEx_00196222.zip: Extracts to: FedEx_00196222.doc.js - Current Virus total detections 12/57*
.. Wepawet** shows downloads from a combination of these -5- locations:
evakuator-lska .com.ua | rpexpress .qc.ca | omergoksel .com | web.benzol .net.pl | cspfc.immo .perso.sf
.. Hybrid analysis*** shows the download location to be
evakuator-lska .com.ua where it gave -2- files VirusTotal [1][2] which look like Kovter and Boaxxe...
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...bfe66755731bbff7b80f90d8/analysis/1458279168/

** https://wepawet.iseclab.org/view.php?hash=529964ebc9bf02f0f2138fd28eef4046&type=js

*** https://www.reverse.it/sample/f3a52...25fc5bfe66755731bbff7b80f90d8?environmentId=1
Contacted Hosts
78.109.16.100
28.59.23.77
47.206.106.113
145.24.135.107
178.33.69.66
87.118.110.192
189.60.150.37
28.29.231.118

DNS Requests
evakuator-lska .com.ua: 78.109.16.100: https://www.virustotal.com/en/ip-address/78.109.16.100/information/
>> https://www.virustotal.com/en/url/0...f24223e436f5309b855a70fc15df7364c5c/analysis/
find-dentalimplants .com: 173.201.146.128: https://www.virustotal.com/en/ip-address/173.201.146.128/information/
>> https://www.virustotal.com/en/url/9...06a6410bf5d5208871f49ccb3b65b976076/analysis/

1] https://www.virustotal.com/en/file/...ec9e50d8537d09384d0df341/analysis/1458249226/

2] https://www.virustotal.com/en/file/...8e623fb2dc1339299da4534c/analysis/1458282807/

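Several of the posts above make the same point: the ZIP attachment extracts to a script (AGK4044783108.js) or a double-extension file (FedEx_00196222.doc.js) that shows a document icon unless file extensions are displayed. As an added example, not code from the quoted blogs, here is a Python triage routine a mail gateway or analyst could run over an attachment in memory to flag such members before anyone double-clicks them. The extension sets, the constructed ZIP and the placeholder member contents are assumptions for the example; the member names mimic those reported above but the contents are harmless text.

```python
import io
import zipfile

# Extensions that run when double-clicked on Windows (Windows Script Host, Office macro
# documents, executables). The set is an assumption for this example, not an exhaustive list.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe", ".scr", ".docm", ".xlsm"}
# Extensions a lure uses as the "visible" part of a double extension such as .doc.js
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".tif", ".tiff", ".jpg", ".png"}


def classify_name(name):
    """Return a list of reasons a file name inside an attachment is suspicious."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons  # no extension at all
    ext = "." + parts[-1]
    if ext in SCRIPT_EXTS:
        reasons.append("executable/script extension " + ext)
    if len(parts) >= 3 and ("." + parts[-2]) in DOC_EXTS and ext in SCRIPT_EXTS:
        reasons.append("double extension ." + parts[-2] + ext + " hides the real type")
    return reasons


def triage_zip(data):
    """Inspect a ZIP attachment in memory without extracting it to disk.
    Returns {member_name: [reasons]} for every member worth flagging; zero-byte
    members (like the empty 'unknown' file noted in the Statement post) are reported too."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if info.file_size == 0:
                reasons.append("zero-byte member")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample attachment (not a real sample): member names mimic the posts
    above, but every member holds harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_00196222.doc.js", "// placeholder text, not the real script\n")
        zf.writestr("AGK4044783108.js", "// placeholder text\n")
        zf.writestr("README.txt", "plain text\n")
        zf.writestr("unknown", "")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```

Name-based triage is only the first filter: it costs nothing and catches the lures described above, but a member named like a document can still carry a macro, so the next step is to hand flagged and unflagged members alike to a sandbox such as the ones the posts cite.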
Fake 'Fax transmission', 'Your account ID' SPAM, Hospital serves Ransomware

FYI...

Fake 'Fax transmission' SPAM - malicious script attachment
- http://blog.dynamoo.com/2016/03/malware-spam-fx-service-fax.html
21 Mar 2016 - "This -fake- fax spam appears to come from within the victim's own domain, but it doesn't. Instead it is just a simple -forgery- with a malicious attachment.
From: FX Service [emailsend@ w.e191.victimdomain .tld]
Date: 21 March 2016 at 14:32
Subject: Fax transmission: -7172277033-1974602246-2016032111285-47417.tiff
Please find attached to this email a facsimile transmission we
have just received on your behalf
(Do not reply to this email as any reply will not be read by
a real person)


Details will vary from message to message. Attached is a ZIP file with a name that broadly matches the one referred to in the subject (e.g. F-7172277033-1974602246-2016032111285-47417.zip) which contains any one of a wide-number-of-malicious-scripts (some example VirusTotal results [1] [2]..). Malwr analysis of those samples [6] [7].. shows binary download locations at:
http ://modaeli .com/89h766b.exe
http ://spormixariza .com/89h766b.exe
http ://sebastiansanni .org/wp-content/plugins/hello123/89h766b.exe
http ://cideac .mx/wp-content/plugins/hello123/89h766b.exe
There are probably other download locations too. The dropped binary has a VirusTotal detection rate of just 2/56*. This Malwr report** of the payload indicates that it is Locky ransomware.
All of those sources plus this Deepviz report*** show network traffic to the following IPs:
195.64.154.126 (Ukrainian Internet Names Center, Ukraine)
92.63.87.106 (MWTV, Latvia)
84.19.170.244 (Keyweb AG, Germany / 300GB.ru, Russia)
217.12.199.90 (ITL Company, Ukraine) ...
Recommended blocklist:
195.64.154.126
92.63.87.106
84.19.170.244
217.12.199.90
"
1] https://www.virustotal.com/en/file/...e5c1b353bfa1c72bb44a88297d756d9f7a3/analysis/

2] https://www.virustotal.com/en/file/...a6986d7f38eedd1729c0966aded4c283fc1/analysis/

6] https://malwr.com/analysis/NDA4MTliNGJmMDE2NDQ1YmJlOGY0NWVkOTE4YjdiYWY/

7] https://malwr.com/analysis/MTRhYmQwYzY0NDFmNDI4YjlmNmE3NWFjYzNmYzg3NmU/

* https://www.virustotal.com/en/file/...bcf78a4e01458d3ae7e3d918/analysis/1458575289/

** https://malwr.com/analysis/MGU5NDIxNDQ1MzU5NGRlYmJjYTI2M2I5NTJiYjg4MGY/

*** https://sandbox.deepviz.com/report/hash/808a8eac400c6abf49d352ae1d944c2a/
___

Fake 'Your account ID... has been suspended' SPAM - JS malware leads to Teslacrypt
- https://myonlinesecurity.co.uk/your...een-suspended-js-malware-leads-to-teslacrypt/
21 Mar 2016 - "An email with the subject of 'Your account ID:98938 has been suspended' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads teslacrypt... The email looks like:
From: random email addresses
Date: Beatriz gepp <geppBeatriz957@ jjdior .com>
Subject: Your account ID:98938 has been suspended.
Attachment: warning_letter_34692556.zip
Your bank account associated with the ID:98938 has been suspended because of the unusual activity connected to this account and a failure of the account holder to pay the taxes on a due date.
Your debt: - 394,42 USD
For more details and the information on how to unlock your account please refer to the document attached.


21 March 2016: warning_letter_34692556.zip: Extracts to: letter_I22vNL.js - Current Virus total detections 15/56*
.. MALWR** shows a download of teslacrypt from http ://grandmahereqq .com/80.exe?1 (VirusTotal ***)
Note: this also tries to download http ://google .com/80.exe?1 which does-not-exist... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...47c84b93af8745ad7440c49f/analysis/1458579387/

** https://malwr.com/analysis/Njc2NGU2ZjI4ZTljNDUxMWFkZDE4MGJmYzlkZjVmNGQ/
Hosts
54.212.162.6
216.58.192.14


*** https://www.virustotal.com/en/file/...a6e18ccefd4d141aa4d5995b/analysis/1458581354/
___

Hacked Canadian Hospital Website serves Ransomware
- https://blog.malwarebytes.org/secur...ospital-serves-ransomware-via-hacked-website/
Mar 21, 2016 - "... Norfolk General Hospital, based in Ontario, became a teaching facility for McMaster University’s Faculty of Health Sciences in 2009. The web portal is powered by the Joomla CMS, running version 2.5.6 (latest version is 3.4.8) according to a manifest file present on their server. Several vulnerabilities exist for this outdated installation, which could explain why the site has been hacked. Our honeypots visited the hospital page and got infected with ransomware via the Angler exploit kit. A closer look at the packet capture revealed that malicious-code leading to the exploit kit was -injected- directly into the site’s source code itself. Like many site hacks, this injection is conditional and will appear only -once- for a particular IP address. For instance, the site administrator who often visits the page will only see a clean version of it, while first timers will get served the exploit and malware:
> https://blog.malwarebytes.org/wp-content/uploads/2016/03/Flow.png
The particular strain of ransomware dropped here is -TeslaCrypt- which demands $500 to recover your personal files it has encrypted. That payment doubles after a week... We contacted the Norfolk hospital and eventually were able to speak with their IT staff. We shared the information we had (screenshots, network packet capture) and told them about the ransomware payload we collected when we reproduced the attack in our lab. We were told that they were working on upgrading their version of Joomla with their hosting provider..."

Norfolk General Hospital - Ontario: ngh.on .ca: 205.150.58.124:
>> https://www.virustotal.com/en/url/e...cfd17c7c1a020edb87e68f4c4e44db43773/analysis/

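The hospital write-up above describes an injection into the site's own HTML that is served only once per visiting IP, so the administrator who checks the page from the office sees a clean copy. As an added example, not code from Malwarebytes or the hospital, here is a Python integrity check of the kind a site owner can run: it compares a trusted baseline copy of the page (from the deployed files, or a fetch from a fresh vantage point) with a current copy and reports external script/iframe/embed sources and inline scripts that were not in the baseline. The two HTML documents and the placeholder host ek.example.invalid are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser

# Constructed baseline copy of a page (not the hospital's real markup).
BASELINE_HTML = """<html><head><title>Hospital</title>
<script src="/media/system/js/core.js"></script>
<script>var siteReady = true;</script>
</head><body><p>Welcome</p></body></html>"""

# Constructed "current" copy: same page with one extra iframe and one extra inline script.
CURRENT_HTML = BASELINE_HTML.replace(
    "</body>",
    '<iframe src="http://ek.example.invalid/landing" width="1" height="1"></iframe>\n'
    '<script>var injected = "x";</script></body>',
)


class ResourceCollector(HTMLParser):
    """Collect (tag, src) for external script/iframe/embed elements and a short
    SHA-256 of each inline script body, so the two copies can be set-compared."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "embed") and a.get("src"):
            self.external.add((tag, a["src"]))
        if tag == "script" and not a.get("src"):
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            text = "".join(self._buf).strip()
            if text:
                self.inline.add(hashlib.sha256(text.encode()).hexdigest()[:16])


def collect(html):
    p = ResourceCollector()
    p.feed(html)
    p.close()
    return p.external, p.inline


def find_injected(baseline_html, current_html):
    """Return the external sources and the number of inline scripts present in the
    current copy but absent from the baseline."""
    base_ext, base_inl = collect(baseline_html)
    cur_ext, cur_inl = collect(current_html)
    return {
        "new_external": sorted(cur_ext - base_ext),
        "new_inline_scripts": len(cur_inl - base_inl),
    }


if __name__ == "__main__":
    print(find_injected(BASELINE_HTML, CURRENT_HTML))
```

Because the injection is conditional, the current copy has to come from an address the site has not served before (a fresh cloud instance, or a fetch through a different provider); a monitor that always polls from the same IP will keep seeing the clean version.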
Fake 'Credit Note', 'Blank', 'Statement', 'HP', 'bodily injury' SPAM - Facebook Phish

FYI...

Fake 'Credit Note' SPAM - JS malware leads to ransomware
- https://myonlinesecurity.co.uk/credit-note-from-random-companies-js-malware-leads-to-ransomware/
22 Mar 2016 - "An email with the subject of 'Credit Note CN-73290' from On Semiconductor Corp for [redacted] (0312) pretending to come from Accounts <message-service@ post.xero .com> with a zip attachment is another one from the current bot runs which downloads ransomware... These don’t look like either Locky or Teslacrypt ransomware so it appears that another gang of bad actors are using the same email templates as the 2 prolific malspammers to spread their version of ransomware. One example of the email looks like:
From: Accounts <message-service@ post.xero .com>
Date: Tue, 22 Mar 2016 04:38:32
Subject: Credit Note CN-73290 from On Semiconductor Corp for [victim company ] (0312)
Attachment: Credit Note CN-73290.zip
Hi Kris,
Attached is your credit note CN-73290 for 52611.30 AUD.
This has been allocated against invoice number
If you have any questions, please let us know.
Thanks,
McKesson Corporation ...


22 March 2016: Credit Note CN-73290.zip: Extracts to: Credit Note CN-64451.js
.. Current Virus total detections 2/56*. MALWR** shows a download of some sort of ransomware from
http ://www .frontlinecarloans .com.au/public/js/bin.exe (VirusTotal 6/56***) (Hybrid Analysis [1]) (MALWR [2])
... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...43120ce486f33587f692b14e/analysis/1458611843/

** https://malwr.com/analysis/NDVkNDQyYmM2YmYwNDEwOWI1NzIxNzhjNzI3OWEyY2E/
Hosts
103.4.18.250: https://www.virustotal.com/en/ip-address/103.4.18.250/information/
>> https://www.virustotal.com/en/url/f...8bac18528da87f0ae2e4a72d6989bf2af2b/analysis/
104.27.151.145
23.99.222.162


*** https://www.virustotal.com/en/file/...c86bc80d6cce1b915830c959/analysis/1458626108/
TCP connections
104.27.151.145

1] https://www.hybrid-analysis.com/sam...95418c86bc80d6cce1b915830c959?environmentId=4
Contacted Hosts
104.27.150.145

2] https://malwr.com/analysis/NTQ1ZmJkMzVmY2QzNDUzYTk3NzQ1OGUwMDBlMmMwYzk/
Hosts
104.27.150.145
23.101.187.68
104.27.151.145

___

Fake 'Blank 2' SPAM - word macro malware leads to Dridex
- https://myonlinesecurity.co.uk/blank-2-steve-gale-word-macro-malware-leads-to-dridex/
22 Mar 2016 - "An email with a completely blank / empty body with the subject of 'Blank 2' pretending to come from Steve Gale <steve1gales@ gmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Steve Gale <steve1gales@ gmail .com>
Date: Tue 22/03/2016 09:19
Subject: Blank 2
Attachment: Blank 2.docm


Body content: completely empty

22 March 2016: Blank 2.docm - Current Virus total detections 6/56*
.. MALWR** shows a download from http ://www .lightningstars .in/system/logs/87h76hghuhi.exe (VirusTotal 5/56***)
which is inconclusive but looks like Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...95570c266941fa83247adc64/analysis/1458638302/

** https://malwr.com/analysis/YWZlZDM3ZmExN2JlNDcwNzhhZDIyZTNmZjFmMmVjOTM/
Hosts
162.144.73.194: https://www.virustotal.com/en/ip-address/162.144.73.194/information/
>> https://www.virustotal.com/en/url/0...966251ab238a53543485987a1105e47f32f/analysis/

*** https://www.virustotal.com/en/file/...de5480a8049b4376927491d6/analysis/1458637560/
___

Fake 'Statement' SPAM - JS malware leads to Locky Ransomware
- https://myonlinesecurity.co.uk/rand...senders-js-malware-leads-to-locky-ransomware/
22 Mar 2016 - "An email with the subject of 'FW: Statement S#327763' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... One example of the emails looks like:
From: Luis Wagner <WagnerLuis4446@ newthoughtcenterofhawaii .com>
Date: Tue 22/03/2016 09:03
Subject: FW: Statement S#327763
Dear ans,
Please find attached the statement (S#327763) that matches back to your invoices.
Can you please sign and return.
Best regards,
Luis Wagner
Business Development Director


22 March 2016: statement_ans_327763.zip: Extracts to -3- .JS files - 2 are identical & 1 different
.. Current Virus total detections [1] [2]: MALWR* shows -both- download Locky Ransomware from
http ://alexsolenni .it/pol4dsf (VirusTotal 3/57**). This zip file contains -3- js files and an -unknown- file that when examined is actually empty... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
1] https://www.virustotal.com/en/file/...bce2fc3e7d748fda19fef605/analysis/1458641040/

2] https://www.virustotal.com/en/file/...96ebd907809669f831c14155/analysis/1458641075/

* https://malwr.com/analysis/NmUyYTBhMjAwM2EyNGRhZWE3MDM5OGJmNGIzODA0ODI/
Hosts
178.237.15.128: https://www.virustotal.com/en/ip-address/178.237.15.128/information/
92.63.87.106: https://www.virustotal.com/en/ip-address/92.63.87.106/information/

** https://www.virustotal.com/en/file/...0401d50dd3f354549d0fc0c0/analysis/1458641975/
TCP connections
92.63.87.106
___

Fake 'HP' SPAM - RTF macro malware leads to Dridex
- https://myonlinesecurity.co.uk/hewl...ument-word-rtf-macro-malware-leads-to-dridex/
22 Mar 2016 - "An email that appears to come from HP (Hewlett Packard Enterprises) with the subject of 'Urgent: F400572 HARGREAVES LANSDOWN PLC/ HPE' coming from random names and email addresses with a malicious word doc RTF attachment is another one from the current bot runs...

Screenshot: https://myonlinesecurity.co.uk/wp-c...0572-HARGREAVES-LANSDOWN-PLC-HPE-1024x906.png

5 March 2016: fillout_DAINV13955_derek.rtf - Current Virus total detections 1/57*
.. MALWR** shows a download from http ://connect.act-sat-bootcamp .com/dana/home.php
which gave me hpe.jpg (which is -renamed- .exe file and not any sort of image file) (VirusTotal 3/57***)
Detections are inconclusive but likely to be Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...17b5756ce9ee9e71da48a7fc/analysis/1458642936/

** https://malwr.com/analysis/MjNhNTQyNGUxMWRmNGZiYTg5N2JhMjNjMTI2MjdhM2U/
Hosts
91.240.86.234: https://www.virustotal.com/en/ip-address/91.240.86.234/information/
>> https://www.virustotal.com/en/url/d...edc7eb642194f2566c6249221496e5b1072/analysis/

*** https://www.virustotal.com/en/file/...4b530516e65b118292f48832/analysis/1458642865/
___

Fake 'bodily injury' SPAM - JS malware leads to ransomware
- https://myonlinesecurity.co.uk/you-...case-02172723-js-malware-leads-to-ransomware/
22 Mar 2016 - "An email with the subject of 'You are being accused with bodily injury (Case: 02172723)' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads what looks like Teslacrypt ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-c...with-bodily-injury-Case-02172723-1024x447.png

5 March 2016: post_scan_02172723.zip: Extracts to: post_pgfEUf.js - Current Virus total detections 5/57*
.. MALWR** shows a download of what looks like Teslacrypt but might just be Locky from
http ://isityouereqq .com/80.exe?1 (VirusTotal 5/57***) -Both- Locky and Teslacrypt have used the -same- servers and -same- file names over the last few weeks... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...61367716b37c132e1d9a1d50/analysis/1458652839/

** https://malwr.com/analysis/NmRjODg3ODhkOTMzNGFkZmE0YzYzNzU1OTgxZjQwOGM/
Hosts
185.118.142.154: https://www.virustotal.com/en/ip-address/185.118.142.154/information/

*** https://www.virustotal.com/en/file/...03505294b3a25f2254f67740/analysis/1458654208/
___

'Re-activate your Online Banking' – NatWest PHISH
- https://myonlinesecurity.co.uk/re-activate-your-online-banking-natwest-bank-phishing/
22 Mar 2016 - "There are a few major common subjects in a phishing-attempt. Lots of them are either PayPal or your Bank or Credit Card, with a message saying something like:
Urgent: Your card has been stopped !
There have been unauthorised or suspicious attempts to log in to your account, please verify
Your account has exceeded its limit and needs to be verified
Your account will be suspended !
You have received a secure message from < your bank>
We are unable to verify your account information
Update Personal Information
Urgent Account Review Notification
We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
Confirmation of Order
Re-activate your Online Banking


The original email looks like this:

Screenshot: https://myonlinesecurity.co.uk/wp-c.../Re-activate-your-Online-Banking-1024x554.png

... the site the link goes to http ://linkage .org.uk//new_website/online/personal-natwest/Log-in.php
where a pop up asks you to download what appears to be the genuine Trusteer rapport security software:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/nat_west_phishing_popup-1024x547.png
... if you close the pop up & then fill in the email address and password [DON'T] you get a typical phishing page that looks very similar to a genuine Nat west bank page, if you don’t look carefully at the URL in the browser address bar... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."

linkage .org.uk: 37.61.235.162: https://www.virustotal.com/en/ip-address/37.61.235.162/information/
>> https://www.virustotal.com/en/url/0...f6b7fc41866bed9395f1c930e8725e96afb/analysis/
___

“Copyright Violation” > Facebook Phish
- https://blog.malwarebytes.org/phishing/2016/03/copyright-violation-facebook-phish/
Mar 22, 2016 - "... we’ve spotted a phishing-scam using them as a launchpad for data theft. The name of the game is worrying the potential victim into clicking-on-the-supplied-link, with a curious mix of copyright violations and account verification. Here’s an example:
> https://blog.malwarebytes.org/wp-content/uploads/2016/03/fbcopyscam1.png
As you may have guessed, Facebook doesn’t issue copyright notices then direct you to apps pages. The 'Apps page' on offer here is a 'Get Verified' effort, complete with request for name, email/phone, password, profile link and 'comments':
> https://blog.malwarebytes.org/wp-content/uploads/2016/03/fbcopyscam2.jpg
We reported the page to Facebook, and it is now offline:
> https://blog.malwarebytes.org/wp-content/uploads/2016/03/fbcopyscam3.jpg
'Verify your account' -scams- are fairly old, but throwing tall tales of copyright issues into the mix for that extra sheen of panic isn’t quite as common. Always do your best to keep your logins safe and, if in doubt, go to the site owners directly..
–never- enter your credentials into a -link- sent your way in -random- Facebook messages."

Fake 'electronic invoice', 'Back Office' SPAM

FYI...

Fake 'electronic invoice' SPAM - rtf macro malware
- https://myonlinesecurity.co.uk/your...rom-d-e-web-works-word-doc-rtf-macro-malware/
23 Mar 2016 - "Following on from this malspam run yesterday* is today’s similar run with emails with the same subjects pretending to be 'your latest electronic invoice from D.E. Web Works' with a malicious word doc RTF attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking Trojans like Dridex or Dyreza and ransomware like Locky, cryptolocker or Teslacrypt...
* https://myonlinesecurity.co.uk/urge...ogies-word-doc-macro-malware-leads-to-dridex/
One of the emails looks like:
From: Brandie Everett <Everett.Brandie19@ business.telecomitalia .it> (random senders)
Date: Wed 23/03/2016 10:34
Subject: Urgent: F137648 MFI Group/ HPE
Attachment: inv_839922034.rtf
MFI Group
Invoice Due:03/31/2016 IJINV71859 Amount Due: $898.68
Dear Customer: Here is your latest electronic invoice from D.E. Web Works. If your invoice is not attached as a PDF, you can change your preference in the 'Invoice Summary' section at the bottom of this email. If you wish for your invoices to go to someone different in your organization, just reply to this email and let us know. For your convenience, mail your payment to the address listed on the invoice. Please note that if we have you set up for automatic billing to your credit card or ACH, you will still receive this email, but the balance due will reflect a zero balance. If it does not reflect a zero balance, please contact us immediately. If you have questions about the invoice you have received, please feel free to reply to this email or call us... Electronic invoicing is just one more way that D.E. Web Works is doing its part to give back to the environment. For more information about our environmental initiative, contact us. Thank you for helping us be Part of the Solution. We sincerely appreciate your business. MFI Group ...


23 March 2016: inv_839922034.rtf - Current Virus total detections 2/57*
.. MALWR** shows a download from http ://wrkstn09.peoriaseniorband .com/dana/home.php which gave me runwithme.exe. The analysis is inconclusive. (VirusTotal 4/56***) but is highly likely to be Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...a8527d6ba395a45466ad575b/analysis/1458736152/

** https://malwr.com/analysis/NzhmM2Q2NWZjYTZjNGEyZmEwMDRjYjA3NTg5MTE2NTI/
Hosts
109.237.108.25: https://www.virustotal.com/en/ip-address/109.237.108.25/information/
>> https://www.virustotal.com/en/url/2...57e71627470ff1a214e51dcd1663377ab77/analysis/

*** https://www.virustotal.com/en/file/...73b5d7f952bf6274a483a818/analysis/1458736404/
___

Fake 'Back Office: Invoice' SPAM - rtf macro malware
- https://myonlinesecurity.co.uk/the-back-office-invoice-mjinv78470-word-doc-rtf-macro-malware/
23 Mar 2016 - "An email with the subject of 'The Back Office : Invoice (MJINV78470)' pretending to come from random senders with a malicious word doc RTF attachment is another one from the current bot runs... The alleged sender’s name matches the name in the body of the email. The invoice number is random but matches the attachment name & number. One of the emails looks like:
From: Vincenzo Mann <Mann.Vincenzo42@ vyas .com>
Date: Wed 23/03/2016 12:22
Subject: The Back Office : Invoice ( MJINV78470 )
Attachment: backoffice_MJINV78470.rtf
03/23/2016
Please see the attached PDF File for account MJINV78470 in the amount of $
583.44. This Invoice MJINV78470 is due on 03/23/2016.
To view and/or print e-bills, you will need Microsoft Office Word installed on your computer.
If you have any questions or need further assistance, please send a reply.
Please include your name, address, and user name in your message.
Please do not reply to this message.
Thank you.
Vincenzo Mann
The Back Office


23 March 2016: backoffice_MJINV78470.rtf - Current Virus total detections 2/57*
.. MALWR** shows it downloads http ://wrkstn09.satbootcampaz .com/dana/home.php which delivered
runwithme.exe (VirusTotal 4/56***). This is the same downloaded malware as described HERE[1]... looks like a password stealer and Banking Trojan. It might be Dridex or might be Vawtrak[2]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...2d097a539453df6e15452767/analysis/1458739404/

** https://malwr.com/analysis/YjQwZDkyNDBmMjc4NGFjNDgzMjY2MjIwMWVjMmY1NTY/
Hosts
109.237.108.25: https://www.virustotal.com/en/ip-address/109.237.108.25/information/
>> https://www.virustotal.com/en/url/d...05fca05c281f9a2151af760d7f2c30e670d/analysis/

*** https://www.virustotal.com/en/url/d...05fca05c281f9a2151af760d7f2c30e670d/analysis/

1] https://myonlinesecurity.co.uk/your...rom-d-e-web-works-word-doc-rtf-macro-malware/

2] https://blogs.mcafee.com/mcafee-labs/w97m-downloader-serving-vawtrak/

Fake 'Your order', 'Payment Receipt', 'Attached docs', 'Sixt Invoice' SPAM

FYI...

Fake 'Your order' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/03/malware-spam-your-order-has-been.html
24 Mar 2016 - "This -fake- financial spam does -not- come from Axminster Tools & Machinery, but is instead a simple -forgery- with a malicious attachment:
From: customer.service@ axminster .co.uk
Date: 24 March 2016 at 10:11
Subject: Your order has been despatched
Dear Customer
The attached document provides details of items that have been packed and are ready for despatch.
Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.
Customer Services ...


Attached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive.. however a manual analysis of the macros contained within.. show download locations at:
skandastech .com/76f45e5drfg7.exe
ekakkshar .com/76f45e5drfg7.exe
This binary has a detection rate of 6/56* and the Deepviz Analysis** and Hybrid Analysis*** show network traffic to:
71.46.208.93 (Bright House Networks, US)
64.76.19.251 (Level 3 Communications US, 64.76.19.251 / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
64.147.192.68 (Dataconstructs, US)
41.38.18.230 (TE Data, Egypt)
93.104.211.103 (Contabo, Germany)
159.8.57.10 (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands)
82.144.200.154 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
5.9.43.177 (Hetzner, Germany)
212.126.59.41 (LetsHost, Ireland)
It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.
Recommended blocklist: ...
"
1] https://www.virustotal.com/en/file/...9d887e48d80b1621eb031ef8593f0bc0f8b/analysis/

2] https://www.virustotal.com/en/file/...c306d908a479f7005db1c35bc19eebc2cb3/analysis/

* https://www.virustotal.com/en/file/...7d51ddb03f7ae71c40079813/analysis/1458816089/

** https://sandbox.deepviz.com/report/hash/54bdf65b31b894f10395a3781bd5c2f1/

*** https://www.hybrid-analysis.com/sam...26e787d51ddb03f7ae71c40079813?environmentId=4

- https://myonlinesecurity.co.uk/axmi...order-has-been-despatched-word-macro-malware/
24 Mar 2016 - "An email with the subject of 'Your order has been despatched' pretending to come from customer.service@axminster .co.uk with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: customer.service@ axminster .co.uk
Date: Thu 24/03/2016 08:43
Subject: Your order has been despatched
Attachment: LN4244786.docm
Dear Customer
The attached document* provides details of items that have been packed and are ready for despatch.
Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.
Customer Services ...


24 March 2016: LN4244786.docm - Current Virus total detections 6/57*
.. Update: I have been reliably informed[1] that there are -several- versions of this macro word doc that will download Dridex from skandastech .com/76f45e5drfg7.exe -or- ekakkshar .com/76f45e5drfg7.exe
(VirusTotal 6/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...b1621eb031ef8593f0bc0f8b/analysis/1458808762/

** https://www.virustotal.com/en/file/...7d51ddb03f7ae71c40079813/analysis/1458814484/

1] https://twitter.com/ConradLongmore/status/712952076117155840
___

Fake 'Payment Receipt' SPAM - leads to Locky ransomware
- http://blog.dynamoo.com/2016/03/malware-spam-fw-payment-receipt-from.html
24 Mar 2016 - "This -fake- financial spam comes from random recipients, for example:
From: Marta Wood
Date: 24 March 2016 at 10:10
Subject: FW: Payment Receipt
Dear [redacted],
Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment.
You may be asked to provide your receipt details should you have an enquiry regarding this payment.
Regards,
Marta Wood
Technical Manager - General Insurance


Attached is a ZIP file that incorporates the recipient's name plus a word such as 'payment, details or receipt' plus a random number. This archive contains a randomly-named script (starting with "PM") and ending with .js.js plus what appear to be a set of hidden .BIN files which may well be junk. VirusTotal detection rates for the scripts are fairly low (examples [1] [2]..). Automated analysis [7] [8].. shows binary download locations at:
stie.pbsoedirman .com/msh4uys
projectpass .org/o3isua
natstoilet .com/l2ps0sa [404]
yourhappyjourney .com/asl2sd [404]
Two of the locations are 404ing, the two that work serve up a different binary each. There are probably many more download locations and more binaries... The VirusTotal results for the binaries [19] [20] indicate that this is ransomware, specifically it is Locky. Automated analyses [21] [22].. show it phoning home to:
195.123.209.123 (ITL, Latvia)
107.181.187.228 (Total Server Solutions, US)
217.12.218.158 (ITL, Netherlands)
46.8.44.39 (PE Dunaeivskyi Denys Leonidovich, Ukraine)
... Recommended blocklist:
195.123.209.123
107.181.187.228
217.12.218.158
46.8.44.39
"
1] https://www.virustotal.com/en/file/...440a6cd4c8ca8165b1cf5ce6f03aa7535ca/analysis/

2] https://www.virustotal.com/en/file/...9a00641ee8a1b7cdca55d183/analysis/1458819009/

7] https://malwr.com/analysis/ODg1YzdiMWM5ZmYzNDBhYTgzM2M1MDZhNTEzYmI0ZTE/

8] https://malwr.com/analysis/NDg0ODM1YmM0ZmFiNDg0OWI2NGE0YTgzZjc0NWFiYjk/

19] https://www.virustotal.com/en/file/...994835a603c10638b3c083d9/analysis/1458819857/

20] https://www.virustotal.com/en/file/...d04f6ef9f97b578e9424c336/analysis/1458819870/

21] https://sandbox.deepviz.com/report/hash/f5d668c551cecb12f6404214fb0c8251/

22] https://sandbox.deepviz.com/report/hash/ae5bffeb730c4488419067322c7906b0/
___

Fake 'Attached docs' SPAM - JS malware
- https://myonlinesecurity.co.uk/attached-documents-afifa-shohab-js-malware/
24 Mar 2016 - "An empty-blank-email with the subject of 'Attached document(s)' pretending to come from Afifa Shohab <afifashohab4650@ gmail .com> with a zip attachment is another one from the current bot runs... The email looks like:
From: Afifa Shohab <afifashohab4650@ gmail .com> [random numbers after the afifashohab]
Date: Thu 24/03/2016 12:58
Subject: Attached document(s)
Attachment: mygov_0239769.zip


Body content: empty

Some of these emails are coming in as working emails and displayed properly with a working attachment, others are misconfigured and corrupt... Screenshot:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/Attached-documents-1024x710.png

24 March 2016: mygov_0239769.zip: Extracts to: UQF2157341011.js - Current Virus total detections 3/56*
... from http ://tijuanametropolitana .com/3476grb4f434r.exe (VirusTotal 4/56**) which is the -same- malware as described HERE[3]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...77c559ab278e8f7435ee6809/analysis/1458826227/

** https://www.virustotal.com/en/file/...34e5ca5a882f521002ab6506/analysis/1458825187/
TCP connections
46.8.44.39: https://www.virustotal.com/en/ip-address/46.8.44.39/information/
>> https://www.virustotal.com/en/url/d...aca7aa8ac7c764c864b7ef584652109fc5d/analysis/

3] https://myonlinesecurity.co.uk/monica-schiavone-fattura-n-6284053f-del-23032016-js-malware/
24 March 2016: FT6284053.zip: Extracts to: XUY9156182001.js - Current Virus total detections 3/57*
.. download from http ://akalbatu .com/3476grb4f434r.exe (VirusTotal 3/57**) ... likely to be either Dridex or Locky ransomware..."
* https://www.virustotal.com/en/file/...782932c497b0b849f128105d/analysis/1458822000/

** https://www.virustotal.com/en/file/...34e5ca5a882f521002ab6506/analysis/1458822302/
TCP connections
46.8.44.39: https://www.virustotal.com/en/ip-address/46.8.44.39/information/
>> https://www.virustotal.com/en/url/d...aca7aa8ac7c764c864b7ef584652109fc5d/analysis/
___

Fake 'Sixt Invoice' SPAM - word macro malware
- https://myonlinesecurity.co.uk/sixt-invoice-0252056792-from-24-03-2016-word-macro-malware
24 Mar 2016 - "An email with the subject of 'Sixt Invoice: 0252056792' from 24.03.2016 (random numbers) pretending to come from random names, companies and email addresses with a malicious word doc attachment is another one from the current bot runs...

Screenshot: https://myonlinesecurity.co.uk/wp-c...Invoice-0252056792-from-24032016-1024x780.png

24 March 2016: Sixt_receipt_49200616.doc - Current Virus total detections 2/56*
.. downloads from http ://web-intra.fhc-inc .org/live/essentials.php which gave me
65a7fwgybid.xls (VirusTotal 5/56**) which is actually an .exe file -not- an XLS excel spreadsheet -despite- the file name & icon... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...1f9e9f4cac209725078d6dbd/analysis/1458833067/

** https://www.virustotal.com/en/file/...aff41ce726ba9067c67eb276/analysis/1458832875/

> https://www.hybrid-analysis.com/sam...a2a7633fa673fe80ef4b0ad483e7e?environmentId=4
Sixt_receipt_15768471.doc
Contacted Hosts
92.63.100.7: https://www.virustotal.com/en/ip-address/92.63.100.7/information/
>> https://www.virustotal.com/en/url/2...46b68f7fdd2c97e9b6d3718bcdf70eac558/analysis/
38.64.199.113: https://www.virustotal.com/en/ip-address/38.64.199.113/information/
>> https://www.virustotal.com/en/url/f...974dc2f27f9ca9be0e421db1cdfaaaf2a17/analysis/
79.124.67.226: https://www.virustotal.com/en/ip-address/79.124.67.226/information/
>> https://www.virustotal.com/en/url/c...137650fc37e5d1f5f7b9b40ca415dcc1e3c/analysis/
222.255.121.202: https://www.virustotal.com/en/ip-address/222.255.121.202/information/
>> https://www.virustotal.com/en/url/4...85aaf1bdaa09d653d89a7ed761b94377124/analysis/
47.88.191.14: https://www.virustotal.com/en/ip-address/47.88.191.14/information/
>> https://www.virustotal.com/en/url/f...8a2d21bbeaa843d0edf867e9fb8f26f7417/analysis/
197.96.139.253: https://www.virustotal.com/en/ip-address/197.96.139.253/information/
>> https://www.virustotal.com/en/url/7...3d73dcc78186d88dd5e18e42cc763867c24/analysis/

Fake 'Invoice Copy' SPAM

FYI...

Fake 'Invoice Copy' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecurity.co.uk/fw-i...address-js-malware-leads-to-locky-ransomware/
25 Mar 2016 - "Although it is Good Friday... the Locky ransomware campaign continues unabated with an email with the subject of 'FW: Invoice Copy' pretending to come from a random or unknown name at your own email address with a zip attachment is another one from the current bot runs which downloads Locky ransomware...One of the emails looks like:
From: Stacie Tucker <fax@ [redacted] .co.uk> [Your own email address]
Date: Fri 25/03/2016 09:03
Subject: FW: Invoice Copy
Attachment: copy-fax_323571.zip
Dear fax,
Please review the attached copy of your Invoice (number: IN323571) for an amount of $4031.15.
Thank you for your business.
Stacie Tucker
Director, Digital Communications


25 March 2016: copy-fax_323571.zip: Extracts to: PMTac2edf.js.js Current Virus total detections 1/58*
.. MALWR** shows a download of Locky ransomware from
http ://holidaysinkeralam .com/ke4uad (VirusTotal 6/58***). Other download locations so far discovered include:
http ://goldenlifewomen .com/o3isvs (VT[1])
http ://fssblangenlois .ac.at/k3idv (VT[2])
http ://warrendotwarren .url.ph/ldpeo3s (VT[3])
... more detailed breakdown, including the multitude of hosts and differing file #’s delivering today’s malware can be found HERE[4] courtesy of Techelplist. This zip file contains 2 js files and 3 dat files that when examined are actually -empty- ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...14340d34f3254d0304651fdc/analysis/1458900076/

** https://malwr.com/analysis/ZTJkMDAwZGM1MWU1NDdkMDhlZTEyYzk4NzgwNGM2MmQ/
Hosts
184.168.47.225
93.170.104.127


*** https://www.virustotal.com/en/file/...f43cea82c59985de3ef2959e/analysis/1458901000/
TCP connections
89.108.84.132

1] https://www.virustotal.com/en/file/...0802e10fb4bd2dd370e6b1b7/analysis/1458910253/
TCP connections
185.117.72.94

2] https://www.virustotal.com/en/file/...4ee8281449e70d73c441d61e/analysis/1458910585/
TCP connections
89.108.84.132

3] https://www.virustotal.com/en/file/...b79f5bba8e296c777901a0d6/analysis/1458911035/
TCP connections
185.117.72.94

4] https://otx.alienvault.com/pulse/56f53ab04637f23a0c0f414d/

Fake 'Overdue Incoices', 'FW: attached invoice', 'Document(1).pdf', 'invoice' SPAM

FYI...

Fake 'Overdue Incoices' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecurity.co.uk/fw-overdue-incoices-js-malware-leads-to-locky-ransomware/
28 Mar 2016 - "... misspelled subject of 'FW: Overdue Incoices' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: Boyce Day <DayBoyce99@ armadev .com>
Date: Mon 28/03/2016 09:09
Subject: FW: Overdue Incoices
Attachment: sexy123_copy_489051.zip
Dear sexy123,
Please find attached copy updated statement as your account has 3 overdue incoices.
Is there any reasons why they haven’t yet been paid?
Best Wishes,
Boyce Day
Vice President Finance


28 March 2016: sexy123_copy_489051.zip: Extracts to: SCN734815.txt.js - Current Virus total detections 2/58*
.. MALWR** and Hybrid Analysis[3] show a download of Locky ransomware from
http ://www.suansawanresort .com/n7eua (VirusTotal 6/58[4])
Other download locations so far discovered include
http ://bbwsa .com/m7rysa
http ://dukeplasticslab .com/j47akfa
http ://foothillsofhemet .com/k4sifs
http ://www.stopeugenicsnow .eu/m8dhs
http ://blackmountaintipis .com/mxn3aad
This zip file contains 3 js files and 3 unknown files that when examined are actually empty (full of 0 byte padding, actually a mix of 0 & 1)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...c9da6c99e7cd3dcc4f0c7ac7/analysis/1459152409/

** https://malwr.com/analysis/OTkxYzNjYjkzNTE2NDc3Nzk2MmYxNjcyZGJiYmJmOTY/
Hosts
192.254.235.178
84.19.170.249: https://www.virustotal.com/en/ip-address/84.19.170.249/information/
>> https://www.virustotal.com/en/url/0...f8e37a3f4b62ffb9737b4a86586430fcd59/analysis/

3] https://www.reverse.it/sample/4ede8...b5d54c9da6c99e7cd3dcc4f0c7ac7?environmentId=4
Contacted Hosts
192.254.235.178
92.63.87.134: https://www.virustotal.com/en/ip-address/92.63.87.134/information/
>> https://www.virustotal.com/en/url/a...8a97367453700246561d06932971020cae1/analysis/

4] https://www.virustotal.com/en/file/...77a24aaefb9fab696f15dc98/analysis/1459152904/
TCP connections
78.46.170.79
___

Fake 'FW:' attached invoice SPAM - JS leads to Locky Ransomware
- https://myonlinesecurity.co.uk/please-see-the-attached-invoice-and-remit-payment-js-malware
28 Mar 2016 - "... an email with the subject of 'FW:' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads... Locky Ransomware... The email looks like:
From: Random senders
Date: Mon 28/03/2016 09:47
Subject: FW:
Attachment: copy_ellie_734294.zip
Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.


5 March 2016: copy_ellie_734294.zip: Extracts to a folder named 'warning' which contains -2- files both appearing to have the -same- content although different file # ticket_613588769.js VT 0/57[1] and
125_ticket_942667766.lib VT 0/57[2]. MALWR[3] shows a download from
http ://twocircles .in/HwgIY9 .exe (VirusTotal 5/58[4]) which is inconclusive in detections but MALWR[5] shows contacts of innocent files from Microsoft Update. Hybrid analysis[6] definitely shows Locky Ransomware...
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
1] https://www.virustotal.com/en/file/...e03857064abd536ade8155c5/analysis/1459155351/

2] https://www.virustotal.com/en/file/...7af141b7be2f530d1718d4cf/analysis/1459155491/

3] https://malwr.com/analysis/OWMxMWZmNTMxZGU0NDM5MWJiZGM0ZjIxZWRiMWFhNDg/

4] https://www.virustotal.com/en/file/...29b991f7fcaeedfe9bf53f66/analysis/1459155069/

5] https://malwr.com/analysis/MDg4NmQ1M2ZlOTU4NDE2Zjk2MDUyYmEzMjMwY2ZjYjc/
Hosts
184.25.56.84

6] https://www.hybrid-analysis.com/sam...e481ee03857064abd536ade8155c5?environmentId=4
Contacted Hosts
66.160.196.39: https://www.virustotal.com/en/ip-address/66.160.196.39/information/
>> https://www.virustotal.com/en/url/6...8e83bcb6759f4807eadc04c89fa2beb153c/analysis/
83.217.8.127
___

Fake 'Document(1).pdf' SPAM - JS malware leads to ransomware
- https://myonlinesecurity.co.uk/docu...-email-domain-js-malware-leads-to-ransomware/
28 Mar 2016 - "An email that tries to make you think it is coming from your own email domain/company with the subject of 'Document(1).pdf' pretending to come from netadmin <nadiam1pa@ your email domain .tld> with a zip attachment is another one from the current bot runs which downloads some sort of ransomware... The email looks like:
From: netadmin <nadiam1pa@ your email domain .tld>
Date: Document (1).pdf
Subject: Document (1).pdf
Attachment: Document (1).zip
Document (1).pdf


28 March 2016: Document (1).zip: Extracts to: FDV4328982511.js - Current Virus total detections 7/57*
.. MALWR** shows a download of this ransomware file from
http ://store.brugomug .co.uk/765f46vb.exe (VirusTotal 3/58***) MALWR[4]...
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...c4b0e6ec6408dc68ab811252/analysis/1459173075/

** https://malwr.com/analysis/ODEzODQwZDhhNmZjNDUyMjgzOWE5ZDY4NzIxNjg0YzA/
Hosts
50.56.106.21
84.19.170.249: https://www.virustotal.com/en/ip-address/84.19.170.249/information/
>> https://www.virustotal.com/en/url/1...f85fb55d7fe060ad183840af230b27d2673/analysis/

*** https://www.virustotal.com/en/file/...8993313d15d5dc4914bfdb31/analysis/1459171814/
TCP connections
91.200.14.73

4] https://malwr.com/analysis/Y2FmMTY2NjhlMWJhNDQxMjg1YzFiZGI3YTJhNzk5NDE/
Hosts
91.200.14.73: https://www.virustotal.com/en/ip-address/91.200.14.73/information/
>> https://www.virustotal.com/en/url/2...b216385cb557e36ca8e05b78dd7b43adf21/analysis/

store.brugomug .co.uk: 50.56.106.21: https://www.virustotal.com/en/ip-address/50.56.106.21/information/
>> https://www.virustotal.com/en/url/4...c7473b1bad220640c9f97ca5b0d8df4778e/analysis/
___

Fake 'invoice' SPAM - doc macro malware
- https://myonlinesecurity.co.uk/random-company-invoice-word-doc-macro-malware/
28 Mar 2016 - "An email with the subject of [random company name] 'invoice' – [recipient domain] pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... One of the emails looks like:
From: Random senders
Date: Mon 28/03/2016 16:04
Subject: CERAMIC FUEL CELLS Invoice ...
Attachment: Invoice Number 1460847 – Issue Date 02166113.rtf
Sent from my iPad
Begin forwarded message:
Thank you for choosing CERAMIC FUEL CELLS! We hope you enjoy our new invoice format. In our effort to be more environmentally friendly, our new invoice saves paper yet provides all of the same information in a more condensed format. Please let us know if you have any questions or concerns.


28 March 2016: Invoice Number 1460847 – Issue Date 02166113.rtf - Current Virus total detections 4/57*
.. MALWR shows a download from
http ://store.clarksvillevw .com/smartphones/iphonese.php which gave me 122.wav which is -NOT- a wav file despite appearing to be able to be played in windows explorer - but is a renamed .exe file
(VirusTotal 3/58**). This will probably turn out to be either Dridex or Locky ransomware, but analysis is pending...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...7d44c5b258abb3e61dd373a8/analysis/1459177325/

** https://www.virustotal.com/en/file/...59c78a0b5e37b724a9c52554/analysis/1459177386/

store.clarksvillevw .com: 185.118.166.167: https://www.virustotal.com/en/ip-address/185.118.166.167/information/
>> https://www.virustotal.com/en/url/f...1559eb159ecf47f2945d3b721415600987c/analysis/
___

Fake 'TERREDOC' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/03/malware-spam-envoi-dun-message-9758w.html
28 Mar 2016 - "This French-language -spam- comes with a malicious attachment:
From: Christine Faure [c.faure@ technicoflor .fr]
Date: 28 March 2016 at 16:54
Subject: Envoi d’un message : 9758W-TERREDOC-RS62937-15000
Votre message est prêt à être envoyé avec les fichiers ou liens joints suivants :
9758W-TERREDOC-RS62937-15000
Message de sécurité


To save you putting it into 'Google Translate', the body text reads:
'Your message is ready to be sent with the following file or link attached'...
Attached is a file 9758W-TERREDOC-RS62937-15000.zip which comes in at least -eight- different versions each containing a -different- malicious-script (VirusTotal results [1] [2]... The Malwr reports for those samples [9] [10]... show a malicious binary downloaded from:
store.brugomug.co.uk/765f46vb.exe
ggbongs .com/765f46vb.exe
dragonex .com/765f46vb.exe
homedesire .co.uk/765f46vb.exe
scorpena .com/765f46vb.exe
pockettypewriter .co.uk/765f46vb.exe
enduro .si/pdf/765f46vb.exe
185.130.7.22 /files/qFBC5Y.exe
Note that the last file is not like the others. There may be other download locations. The "765f46vb" binary has a detection rate of 4/57* and according to all those previous reports... the malware phones home to:
83.217.8.127 (Park-web Ltd, Russia)
84.19.170.249 (300GB.ru, Russia / Keyweb, Germany)
185.117.72.94 (Host Sailor, Netherlands)
91.200.14.73 (SKS-Lugan, Ukraine)
92.63.87.134 (MWTV, Latvia)
176.31.47.100 (OVH, Germany / Unihost, SC)
All of those look like pretty shady neighbourhoods, although I haven't examined them closely at this point. The payload is the Locky ransomware. The other binary appears to be -another- version of Locky which appears to phone home to the -same- servers.
Recommended blocklist: ...
"
1] https://www.virustotal.com/en/file/...80277eef0d3f0002f77b90dc44882fa0b48/analysis/

2] https://www.virustotal.com/en/file/...5ffb66f45e00ca4e590d24c8/analysis/1459182332/

9] https://malwr.com/analysis/NjFiZGRjNzIyMmFiNDg0NGFmNTcyYjE2NjAxYjQ1NTY/
Hosts
77.234.131.73
109.235.139.64
185.130.7.22


10] https://malwr.com/analysis/YmE5ZmU2ZTZiZTgyNGY4YWFiNWVkYmM2ZmE1NmI1MjI/
Hosts
50.56.106.21
83.217.8.127


* https://www.virustotal.com/en/file/...f33d7ef840e8993313d15d5dc4914bfdb31/analysis/
TCP connections
91.200.14.73

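The posts above keep describing the same attachment tricks: a lure extension in front of a script (.txt.js, .js.js), an executable renamed to .xls or .wav so the icon looks harmless, and zero-padded decoy members shipped beside the real script. The triage script below is an added example, not code from any of the quoted blogs; the zip archive and every member's bytes are constructed in the block and only mimic the sample names quoted in the thread.

```python
"""Attachment triage for the malspam patterns quoted in this thread: double
extensions (SCN734815.txt.js), executables renamed to .xls/.wav/.jpg, and
empty or 0/1-padded decoy members. Added example; the archive and all member
bytes are constructed below and only mimic the thread's sample file names."""
import io
import re
import zipfile

# Leading bytes that identify the real content type regardless of the file name.
MAGIC = {
    b"MZ": "exe",                 # Windows PE executable (DOS stub header)
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpg",
    b"RIFF": "riff",              # WAV/AVI container
    b"\xd0\xcf\x11\xe0": "ole",   # legacy .doc/.xls
    b"PK\x03\x04": "zip",         # also .docm/.xlsm/.docx
}
SCRIPT_EXT = {"js", "jse", "vbs", "vbe", "wsf", "hta"}


def sniff(data: bytes) -> str:
    """Classify content by magic bytes; 'padding' for empty or 0x00/0x01-only decoys."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data[:512]
    if head.strip(b"\x00\x01") == b"":
        return "padding"
    if re.match(rb"\s*(var|function|eval|WScript|ActiveXObject|this\[)", head):
        return "script"
    return "unknown"


def triage_member(name: str, data: bytes) -> list:
    """Return human-readable findings for one archive member (empty list = nothing odd)."""
    base = name.rsplit("/", 1)[-1].lower()
    exts = base.split(".")[1:]            # 'scn734815.txt.js' -> ['txt', 'js']
    last = exts[-1] if exts else ""
    kind = sniff(data)
    findings = []
    if last in SCRIPT_EXT:
        if len(exts) >= 2:
            findings.append(f"double extension .{'.'.join(exts)}: lure extension in front of a script")
        else:
            findings.append("script file inside attachment")
    if kind == "exe" and last != "exe":
        findings.append(f"content is a PE executable but the name claims .{last or '(none)'}")
    if kind == "padding":
        findings.append("empty or 0/1-padded decoy file")
    return findings


def triage_zip(blob: bytes) -> dict:
    """Map each member name to its findings; the archive is read in memory."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Cap the read so a decompression bomb cannot exhaust memory during triage.
            with zf.open(info) as fh:
                data = fh.read(1024 * 1024)
            results[info.filename] = triage_member(info.filename, data)
    return results


def build_sample_zip() -> bytes:
    """Constructed archive mimicking member names from the thread; all bytes are fake."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SCN734815.txt.js", "var sh = new ActiveXObject('WScript.Shell');")
        zf.writestr("125_ticket_942667766.lib", b"\x00\x01" * 2048)  # 0/1 padding decoy
        zf.writestr("65a7fwgybid.xls", b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00")
        zf.writestr("122.wav", b"RIFF" + b"\x00" * 64)                # a genuine RIFF header
        zf.writestr("Document (1).pdf", b"%PDF-1.4\n%constructed\n")   # benign control
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        status = "; ".join(findings) if findings else "nothing unusual"
        print(f"{member:32s} {status}")
```

Pointing `triage_zip` at a quarantined attachment gives a quick first pass before the file ever reaches a sandbox; a clean result only means none of these three tricks was found, not that the file is safe.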
Fake 'Credit Card Declined', 'Payment', 'New Order' SPAM - 'Petya' ransomware

FYI...

Fake 'Credit Card Declined' SPAM - JS malware
- https://myonlinesecurity.co.uk/credit-card-has-been-declined-9764-js-malware/
29 Mar 2016 - "An email with the subject of 'Credit Card Has Been Declined *9764' [random numbered] pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads what looks like it is supposed to be Locky ransomware... The email looks like:
From: Shirley brackenbury <brackenburyShirley12280@ covertech .com.br>
Date: Tue 29/03/2016 10:03
Subject: Credit Card Has Been Declined *9764
Attachment: copy_ellie_631312.zip
Your credit card has been declined, cancellation notice is enclosed down below.


29 March 2016: copy_ellie_631312.zip: Extracts to: info_614949608.js and a copy named 290_info_571294222.lib
Current Virus total detections 0/58*. MALWR** shows an attempted download from
http ://teknosolar .com/CLVrSc.exe which is currently giving a 404 not found...
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...da1b87310cb3038f35e4a1b6/analysis/1459242165/

** https://malwr.com/analysis/MzM3M2FlMWRmN2M3NGU4Zjg2MzczYzRkZGZkYzgwNzM/
Hosts
185.18.196.201: https://www.virustotal.com/en/ip-address/185.18.196.201/information/
>> https://www.virustotal.com/en/url/7...c381781d46a714495e65a7a623910737dba/analysis/
___

Fake 'Payment' SPAM – doc macro malware
- https://myonlinesecurity.co.uk/emerson-sherman-payment-word-doc-macro-malware/
29 Mar 2016 - "An email with the subject of [random name] 'payment/invoice/report/message/Transaction' pretending to come from the same random name but a totally different email address with a random numbered malicious word doc attachment is another one from the current bot runs... One of the emails looks like:
From: Emerson Sherman <accounts@ rapicutcarbides .com>
Date: Tue 29/03/2016 05:10
Subject: Emerson Sherman. Payment
Attachment: 14385.doc
Good day
I hope you had a good weekend.
Please find the payment confirmation enclosed with this email. The Transfer should appear on your bank within 1 day.
Thanks
Emerson Sherman


29 March 2016: 14385.doc - Current Virus total detections 8/58[1] 7/57[2]
.. Payload Security* shows a download from http ://www .setabayloan .com/sg1.jpg?YSbs= which gave 585816.exe
(VirusTotal 9/57**) and is definitely Dridex banking Trojan. This Dridex affiliate uses jpg images on a website that the macro decodes and extracts the .exe file. That way a victim only sees the genuine image in their temp folders or briefly displayed...
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/setabayloan.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/...ea50477cbffda7d9f08f135f/analysis/1459229375/

2] https://www.virustotal.com/en/file/...c48f172fb032317a157fd1c5/analysis/1459226242/

* https://www.reverse.it/sample/ef3ce...e744dc48f172fb032317a157fd1c5?environmentId=4
Contacted Hosts
129.121.192.16: https://www.virustotal.com/en/ip-address/129.121.192.16/information/
>> https://www.virustotal.com/en/url/2...5fd30ca6ea230ae2d4c71f8a215ce8765d7/analysis/
87.117.242.13

** https://virustotal.com/en/file/07b6...17032c3d24a2a302365bfabf55f2db58d7e/analysis/
___

Fake 'New Order' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/03/malware-spam-re-new-order-p2016280375.html
29 Mar 2016 - "This -fake- financial spam comes with a malicious attachment:
From: Rose Lu [salesdeinnovative@ technologist .com]
Date: 29 March 2016 at 02:30
Subject: Re: New Order P2016280375
Good Day,
Please find enclosed our new order P2016280375 for your kind attention and prompt execution.
I look forward to receiving your order acknowledgement in due course.
Best regards
Rose Lu
Office Manager
Suzhou Eagle Electric Vehicle Manufacturing Co., Ltd.
Add: No.99, Yin Xin Road, Guo Xiang Town, Suzhou, China ...


Attached is a file New Order P201628037.docx which I have seen a single variant of, with a VirusTotal detection rate of 8/58*. The Malwr report** is inconclusive, but does appear to show an OLE embedded object within the Word document. There are some interesting strings near the beginning of the object..
Crypted.exe
C:\Users\user\Desktop\Crypted.exe
C:\Users\user\AppData\Local\Temp\Crypted.exe
So, this looks like ransomware. Some inexpert fiddling with the contents of the OLE file yields an executable, and automated reports [1] [2] [3] show network traffic to the domain marchborn .no-ip .biz hosted on: 105.112.39.114 (Airtel, Nigeria)
I strongly recommend that you -block- traffic to that IP. In fact, the entire very large 105.112.0.0/12 is very sparsely populated and contains a small handful of legitimate Nigerian domains plus a load of Dynamic DNS domains (I've recommended blocking those before***) so you might want to consider -blocking- those too."
* https://www.virustotal.com/en/file/...248a9c7c7eeaef1b8ac6b9b126cdb02ece1/analysis/

** https://malwr.com/analysis/ZjEwNzIzMmRlYjdmNDA0NmI5ZmRhNTYyMzE1MTYzZTk/

1] https://malwr.com/analysis/NTM5OTY3ZThmZDE0NDgyNzk5NTk2MDgzODViNmE5ZGY/
Hosts
105.112.39.114

2] https://www.hybrid-analysis.com/sam...f4c2186e8ac443271cffff9647749?environmentId=1
Contacted Hosts
105.112.39.114

3] https://sandbox.deepviz.com/report/hash/126a5f535909881c668ab956bb66e3c0/

*** http://blog.dynamoo.com/2013/11/dynamic-dns-sites-you-might-want-to.html
___

Fake 'Sent from my iPhone' SPAM - leads to Locky ransomware
- http://blog.dynamoo.com/2016/03/malware-spam-cce2903201600034-sent-from.html
29 Mar 2016 - "... These spam emails look like the victim is sending them to themselves (but they aren't*). Reference numbers vary a little between emails, but the basic pattern is:
From: victim
To: victim
Date: 29 March 2016 at 17:50
Subject: CCE29032016_00034
Sent from my iPhone


Attached is a RAR archive with a name that matches the subject (e.g. CCE29032016_00034.rar) and this contains a malicious .js file that leads to Locky ransomware. My contact tells me that the download locations in the scripts are:
3r .com .ua/ty43ff333.exe
canadattparts .com/ty43ff333.exe
chilloutplanet .com/ty43ff333.exe
gazoccaz .com/ty43ff333.exe
hindleys .com/ty43ff333.exe
jeweldiva .com/ty43ff333.exe
kandyprive .com/ty43ff333.exe
labonacarn .com/ty43ff333.exe
silvec .com/ty43ff333.exe
tbde .com .vn/ty43ff333.exe
zecapesca .com/ty43ff333.exe
This payload has a detection rate of 4/56**. The malware calls back to:
84.19.170.249 (Keyweb, Germany / 300GB.ru, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
109.234.35.128 (McHost, Russia)
McHost is almost purely a black-hat ISP in my opinion and should be blocked-on-sight.
Recommended blocklist:
84.19.170.249
5.135.76.18
109.234.35.0/24
"
* http://blog.dynamoo.com/2011/09/why-am-i-sending-myself-spam.html

** https://www.virustotal.com/en/file/...56087a57a4139fe714fd642cc0d17176760/analysis/
TCP connections
84.19.170.249: https://www.virustotal.com/en/ip-address/84.19.170.249/information/
>> https://www.virustotal.com/en/url/0...f8e37a3f4b62ffb9737b4a86586430fcd59/analysis/

5.135.76.18: https://www.virustotal.com/en/ip-address/5.135.76.18/information/
>> https://www.virustotal.com/en/url/a...6a682bb344e3bced0954b92a6efe41b5e43/analysis/

109.234.35.128: https://www.virustotal.com/en/ip-address/109.234.35.128/information/
>> https://www.virustotal.com/en/url/a...61231d67f6f929d2fcca09e18998f2fc893/analysis/
___

Locky ransomware downloads -hijacked- by vigilante - delivering Eicar test file...
- https://myonlinesecurity.co.uk/lock...lante-and-delivering-eicar-test-file-instead/
29 Mar 2016 - "Another set of -empty/blank- emails that pretend to come from your own email address. This particular bunch have multiple subjects but all starting with 'CCE29032016' and attachments that also start with 'CCE29032016'. Some of the subjects and attachments I have seen include:
CCE29032016_00095.jpg
CCE29032016_00065.docx
CCE29032016_00067.tiff
CCE29032016_00050.pdf
CCE29032016_00002.gif
These are obviously designed to make you think they are coming from a printer, scanner or Multi-functional device on your network. They are -not- image or word files despite the extensions and icons saying they are:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/fake-files.png
These attachments are -not- what they appear to be and are actually renamed zip files with the icons of the files they pretend to be, containing a js file. These files download what is -supposed- to be Locky ransomware from several locations. The ones I have discovered so far include:
http ://chilloutplanet .com/ty43ff333.exe
tbde. com .vn/ty43ff333.exe
canadattparts .com/ty43ff333.exe
... add to the twist all the files that I have seen are -not- Locky ransomware but instead all of these already compromised sites have been discovered by what we think is a “white hat” hacker vigilante who has replaced the locky files with a “safe” file that contains the words 'STUPID LOCKY' then a load of symbols that I won’t post here and EICAR-STANDARD-ANTIVIRUS-TEST-FILE. This would or should be flagged by EVERY antivirus in existence as the Eicar test file (and for that reason I will not post it even in plain text, because many antiviruses would immediately block access to this site). See screenshot:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/stupid-locky.png
It looks like most 'victims' will have been lucky this time, although I am sure there will be some sites in this malspam run that didn’t get discovered by the vigilante and -continue- to infect victims... -Never- attempt to open a zip directly from your email, that is a guaranteed way to get infected. The best way is to just -delete- the unexpected zip and not risk any infection."

chilloutplanet .com: 109.71.69.138: https://www.virustotal.com/en/ip-address/109.71.69.138/information/

tbde. com .vn: 162.243.4.79: https://www.virustotal.com/en/ip-address/162.243.4.79/information/

canadattparts .com: 104.131.133.51: https://www.virustotal.com/en/ip-address/104.131.133.51/information/
>> https://www.virustotal.com/en/url/5...5c7b3548272524e9f92074266a8b0b00c4d/analysis/
___

'Petya' ransomware encrypts files, disks, locks users out of computers
- https://www.helpnetsecurity.com/2016/03/29/petya-ransomware-locks-computers/
March 29, 2016 - "A -new- type of ransomware does not only encrypt the victims’ files, but also their disk’s Master File Table (MFT), and it replaces the boot drive’s existing Master Boot Record (MBR) with a malicious loader. It makes the entire computer -unusable- until the ransom is paid or until the victims decide to cut their losses, repair the MBR themselves, and reinstall Windows. The ransomware is called Petya, and is currently being delivered via spear-phishing campaigns aimed at German companies’ HR departments. The -fake- emails are made to look like they are coming from a legitimate job seeker, and instruct the recipient to download the sender’s CV from a Dropbox account. If the recipient falls for the trick, downloads the file, fails to notice that it’s an executable and runs it, the computer will crash because Petya overwrites the MBR of the entire hard drive. The computer will then show the infamous “Blue Screen of Death,” and reboot. The next thing the victim sees is a -fake- CHKDSK notice:
> https://www.helpnetsecurity.com/images/posts/fake-chkdsk.jpg
GData researchers have examples* of the spear-phishing emails, and a video of Petya in action. Trend Micro researchers confirmed** that the ransomware encrypts both part of the disk and victims’ files. They have also notified Dropbox of the fact that their service is being used to propagate the malware, and the company has removed the malicious file along with other links that stored the same file. The malware doesn’t allow the user to restart the computer in Safe Mode. According to Bleeping Computer’s Lawrence Abrams, there is currently no way to restore the files without paying the ransom, nor to decrypt the MFT. Users can repair the MBR and reinstall Windows, but all their files will be lost..."
* https://blog.gdatasoftware.com/2016/03/28213-ransomware-petya-encrypts-hard-drives

** http://blog.trendmicro.com/trendlab...nsomware-overwrites-mbr-lock-users-computers/

Video 0:51 > http://arstechnica.com/security/2016/03/new-ransomware-installs-in-boot-record-encrypts-hard-disk/

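The reports in the post above list download locations in defanged form ("http ://", "tbde. com .vn") and close with a recommended blocklist that mixes single IPs with a /24. The following Python helper is an added example, not code from the quoted blogs or from this thread: it refangs indicators written in that style, builds a normalized blocklist and checks whether a destination address falls inside it. The regexes, the function names and the sample report text are assumptions made for the demonstration (the sample reuses indicators already printed in the post).

```python
"""Refang defanged indicators from a malspam report and build a blocklist.

Added example; the regexes are written for the defanging style used in the
quoted reports ("http ://example .com", "tbde. com .vn") and are assumptions,
not anything from the original blogs.
"""
import ipaddress
import re

# Constructed sample report text in the style of the posts above.
SAMPLE_REPORT = """\
http ://chilloutplanet .com/ty43ff333.exe
tbde. com .vn/ty43ff333.exe
canadattparts .com/ty43ff333.exe
Recommended blocklist:
84.19.170.249
5.135.76.18
109.234.35.0/24
"""

# Hostname followed by an optional path; the path is consumed so that a
# file name such as ty43ff333.exe is not mistaken for a second hostname.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)
# Dotted-quad IPv4 address with an optional prefix length.
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b")


def refang(line):
    """Undo the space-before-dot and 'http ://' defanging on one line."""
    line = re.sub(r"(https?)\s*:\s*//", r"\1://", line, flags=re.I)
    line = re.sub(r"\s*\.\s*(?=[a-z0-9])", ".", line, flags=re.I)
    return line.strip()


def extract_indicators(report_text):
    """Return (sorted domains, sorted networks) found in defanged report text."""
    domains = set()
    networks = set()
    for raw in report_text.splitlines():
        line = refang(raw)
        if not line:
            continue
        ip_match = IP_RE.search(line)
        if ip_match:
            try:
                # A bare address becomes a /32; a CIDR is kept as given.
                networks.add(ipaddress.ip_network(ip_match.group(0), strict=False))
            except ValueError:  # e.g. an octet above 255: not an address
                pass
            continue
        host_match = HOST_RE.search(line)
        if host_match:
            domains.add(host_match.group(1).lower())
    return sorted(domains), sorted(networks)


def is_blocked(ip_str, networks):
    """True when ip_str falls inside any blocked network."""
    addr = ipaddress.ip_address(ip_str)
    return any(addr in net for net in networks)


def render_blocklist(domains, networks):
    """Plain-text blocklist: one domain or CIDR per line."""
    return list(domains) + [str(net) for net in networks]


if __name__ == "__main__":
    doms, nets = extract_indicators(SAMPLE_REPORT)
    print("\n".join(render_blocklist(doms, nets)))
    print("109.234.35.128 blocked:", is_blocked("109.234.35.128", nets))
```

The point of the `is_blocked` check is the /24 entry: a callback to 109.234.35.128 is caught by the 109.234.35.0/24 line even though that exact address never appears in the list, whereas the single IPs only match themselves. The refang step works line by line so that sentence-ending periods in surrounding prose are not joined to the next word.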
Fake 'Additional Info', 'scanner, prtr', 'scanned document' SPAM

FYI...

- https://atlas.arbor.net/briefs/index#-318909613
"... At the present, Locky developers are completely reliant upon some level of user interaction. Educating your workforce on potential threats and the overall threat vectors is still the best way to inhibit threats like Locky."

Fake 'Additional Info' SPAM - leads to ransomware
- http://blog.dynamoo.com/2016/03/malware-spam-additional-information.html
30 Mar 2016 - "This spam has a malicious attachment, leading to ransomware.
From: Joe holdman [holdmanJoe08@ seosomerset .co.uk]
Date: 30 March 2016 at 08:55
Subject: RE: Additional Information Needed #869420
We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.


The reference number varies in the subject. The attachment is a ZIP file containing elements of the recipient's email address and words like "copy" or "invoices" plus a random number. These unzip into a folder called "letter" to give a .js file beginning with "letter_" and a .wrn file which also appears to be a script but which won't run by default. An analysis of three scripts [1] [2] [3] shows binary downloads from:
cainabela .com/zFWvTM.exe
downloadroot .com/vU4VAZ.exe
folk.garnet-soft .com/jDFXfL.exe
This binary has a detection rate of 6/56*. Automated analysis [4] [5] shows network traffic to:
93.170.131.108 (Krek Ltd, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
82.146.37.200 (TheFirst-RU, Russia)
These characteristics are consistent with Locky ransomware.
Recommended blocklist:
93.170.131.108: https://www.virustotal.com/en/ip-address/93.170.131.108/information/
>> https://www.virustotal.com/en/url/c...5145fb16132bf914034cce9da36dfa9c486/analysis/
5.135.76.18: https://www.virustotal.com/en/ip-address/5.135.76.18/information/
>> https://www.virustotal.com/en/url/7...b0b9b8e049a8d1605f590871bba6b2227df/analysis/
82.146.37.200: https://www.virustotal.com/en/ip-address/82.146.37.200/information/
>> https://www.virustotal.com/en/url/6...d7a4d5b05dd3ca0f00d6f6c06acf91cbbd2/analysis/
"
1] https://www.virustotal.com/en/file/...0ebd09df373b96ed9ef12a62/analysis/1459325489/

2] https://www.virustotal.com/en/file/...6d00ac2e4a5087e19628a0d2/analysis/1459325501/

3] https://www.virustotal.com/en/file/...9e3b33a075149f823bb2ab85/analysis/1459325510/

* https://www.virustotal.com/en/file/...ac742396f4b570a2c7b48ca9/analysis/1459325587/

4] https://www.hybrid-analysis.com/sam...5a04cac742396f4b570a2c7b48ca9?environmentId=4

5] https://sandbox.deepviz.com/report/hash/df0198d5368df1cd600292fcc77cd45e/
___

Fake 'scanner, prtr' SPAM - leads to Locky ransomware
- https://myonlinesecurity.co.uk/more...-domain-js-malware-leads-to-locky-ransomware/
20 Mar 2016 - "... another series of emails that pretend to be coming from a scanner, printer or multifunctional device at your own email domain with a zip attachment is another one from the current bot runs... In exactly the same way as one of yesterday’s malspam runs* the subjects pretend to be emailing an image or document file:
* https://myonlinesecurity.co.uk/lock...lante-and-delivering-eicar-test-file-instead/
Some of the subjects seen today include:
Emailing: FILE-57146596.tiff
Emailing: docment-6419593.tiff
Emailing: sheet 462244150.JPEG
Emailing: DOC-109.JPEG
Emailing: file_29.TIFF
Emailing: list-51210168.docx ...
One of the emails looks like:
From: CANON <CANON@ your-own-email-domain >
Date: Wed 30/03/2016 12:41
Subject: Emailing: FILE-57146596.tiff
Attachment:FILE-57146596.tiff.zip
Your message is ready to be sent with the following file or link attachments:
FILE-57146596.tiff
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled...


30 March 2016: FILE-57146596.tiff.zip: Extracts to: 414-7888138-1994311.js - Current Virus total detections 5/56*
downloads Locky ransomware from
http ://tmecvn .com/45t3443r3 (VirusTotal 9/56**). Other download locations... include:
http ://bezuhova .ru/45t3443r3
http ://thespinneyuk .com/45t3443r3
http ://tishaclothing .co.za/45t3443r3
http ://formalizar .com.br/45t3443r3
http ://tde.tne .cl/45t3443r3
http ://journal.egostile .net/45t3443r3
http ://cheapairticketindia .net/45t3443r3
http ://creditfinancebank .ru/45t3443r3
and I am sure loads of others will appear during the day... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...e5c02ebea5df4f92c90fdbae/analysis/1459336685/

** https://www.virustotal.com/en/file/...a81395083509c0f78b6ae1de/analysis/1459341039/
TCP connections
5.135.76.18: https://www.virustotal.com/en/ip-address/5.135.76.18/information/
>> https://www.virustotal.com/en/url/7...b0b9b8e049a8d1605f590871bba6b2227df/analysis/
___

Fake -Multiple- Subjects/senders/content SPAM - download Locky ransomware
- https://myonlinesecurity.co.uk/multiple-email-subjects-delivering-locky-ransomware/
30 Mar 2016 - "... a whole series of -different- email -subjects- and body-content coming from random-senders downloading Locky ransomware from multiple-places...
Some of the subjects include:
FW:Expenses Report # 109681 – 03/2016
payment confirmation
Additional Costs
recent bill
RE: Additional Information Needed #075573


The bodies of these emails have -varied- content like these:
We kindly ask you to provide us additional information regarding your case.
Please find the form attached down below.

-Or-
Dear xerox.774,
Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email me.
Best regards
Cleo Morris
Chief Executive Officer


... These -all- download Locky ransomware from -various- sites, some of which include:
http ://drirenaeris .com.au/b7eir (VirusTotal 3/56*)
http ://fabiocaminero .com/2L5pGE.exe (VirusTotal 7/56**)
http ://cssrd.org.lb/VPNQ4Z.exe (VirusTotal 7/56***) ...
These are -more- of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...d572dbc2c0eb709e219264e9/analysis/1459341652/
TCP connections
51.254.240.45: https://www.virustotal.com/en/ip-address/51.254.240.45/information/
>> https://www.virustotal.com/en/url/e...97992060209f289cd6d4d1a8d9beb02e2bd/analysis/

** https://www.virustotal.com/en/file/...ac742396f4b570a2c7b48ca9/analysis/1459343160/

*** https://www.virustotal.com/en/file/...ac742396f4b570a2c7b48ca9/analysis/1459343160/

- http://blog.dynamoo.com/2016/03/malware-spam-additional-costs-leads-to.html
30 Mar 2016 - "... -another- malicious spam run... drops Locky ransomware. Again... phones home to the -same- IPs reported here[1]."
1] http://blog.dynamoo.com/2016/03/malware-spam-additional-information.html
___

Fake 'scanned document' SPAM - doc macro malware
- https://myonlinesecurity.co.uk/scan...sma-bathrooms-limited-word-doc-macro-malware/
29 Mar 2016 - "An email with the subject of 'scanned document' pretending to come from Tara Savill <tara@ charismabathrooms .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/Tara-Savill-Scanned-Document-1024x642.png

29 March 2016: CCF26062014_00002.docm - Current Virus total detections 7/57*
.. MALWR** shows a download of Dridex banking malware from
http ://1901.magflags .de/media/5478hj.exe
Other sites: some of which were also in THIS earlier run*** ... include:
http ://youngstownliquidation .com/5478hj.exe
http ://balikmalzemelerim .com/5478hj.exe
http ://me-shop .net/5478hj.exe
http ://stremyanki .kz/5478hj.exe
http ://mojomojito .com/5478hj.exe
http ://baldwinsun .com/media/5478hj.exe ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...ce7272da02ed686245136f3f/analysis/1459249209/

** https://malwr.com/analysis/OWI5NTZhYWU1YmVmNGE4MDlhZTRmMmUzZmEzZmIxMTQ/
Hosts
144.76.126.6: https://www.virustotal.com/en/ip-address/144.76.126.6/information/
>> https://www.virustotal.com/en/url/7...abedccf5390cf810ed651a6fb9ab9262087/analysis/

*** https://myonlinesecurity.co.uk/europower-invoices-word-doc-macro-malware/

Fake 'Print', 'FaxEmail', 'Photos' SPAM

FYI...

Fake 'Print' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecurity.co.uk/an-e...dresses-js-malware-leads-to-locky-ransomware/
31 Mar 2016 - "A series of emails with the basic subject of 'print' pretending to come from random names with a number at Gmail .com with a zip attachment is another one from the current bot runs which downloads Locky ransomware... Some of the subjects I have seen so far include:
print please
hi prnt
print
hello print

One of the emails looks like:
From: admin <andrew03@ gmail .com>
Date: Mon 04/01/2016 13:31
Subject: print please
Attachment: New Text Document (3).rar
--40719049546ef6119a6e83c9e005
Content-Type: text/plain; charset=UTF-8
--40719049546ef6119a6e83c9e005
Content-Type: text/html; charset=UTF-8
<div dir="ltr"><br></div>
--40719049546ef6119a6e83c9e005--
--bf5dda1905937f96d0871d6d3006
Content-Type: application/octet-stream; name="New Text Document (3).rar ...


31 March 2016: New Text Document(3).rar: Extracts to: New Text Document(95).js - Current Virus total detections 4/57*
.. MALWR** didn’t show any download but a manual analysis of the JS file gave me Locky Ransomware from
http ://bianca .com .tr/87h78rf33g (VirusTotal 4/57***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...665960c7ca8e1b493a71bd87/analysis/1459419468/

** https://malwr.com/analysis/MGFiN2I0OWZiYzcwNDM5ZGE4MWY1MjZjYTI5ZjJiY2M/

*** https://www.virustotal.com/en/file/...735c373fa4ccb08aa9856008/analysis/1459419544/
TCP connections
88.198.119.177: https://www.virustotal.com/en/ip-address/88.198.119.177/information/
___

Fake 'FaxEmail' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecurity.co.uk/faxemail-fax-from-random-number-js-malware-leads-to-locky-ransomware/
31 Mar 2016 - "An email with the subject of 'FaxEmail Fax from 0632136978' (random number) pretending to come from random number @ f2em .com with a zip attachment is another one from the current bot runs which downloads Locky ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/FaxEmail-Fax-from-0632136978-1024x585.png

31 March 2016: 783836325-7101s-452012.zip: Extracts to: 21255715-6613c-370201.js
Current Virus total detections 4/56*. MALWR** shows a download of Locky Ransomware from
http ://mentaldevelopment .ir/87h78rf33g (VirusTotal 3/57***)
Other download locations so far discovered include:
http ://meimeiwang .com.cn/87h78rf33g
remontobuvidoma .ru/87h78rf33g (giving a '404 not found')
anop .ir/87h78rf33g
... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...b7fe50de984f8446a52a9a77/analysis/1459428459/

** https://malwr.com/analysis/ODNmYTM1MDFhNjgxNGI4Mzg4MjBmZTJmZjNiZjkzODE/
Hosts
185.8.173.39
81.177.181.164


*** https://www.virustotal.com/en/file/...e1d03a64324b521a198433df/analysis/1459428606/
TCP connections
88.198.119.177
___

Fake 'Photos' SPAM - JS malware delivers Locky ransomware
- https://myonlinesecurity.co.uk/photos-nadia-maria-ochoa-js-malware-delivers-locky-ransomware/
31 Mar 2016 - "A blank/empty email with the subject of 'Photos' pretending to come from Nadia María Ochoa <nadia_m_ochoa018@ yahoo .es> (random numbers after nadia_m_ochoa) with a zip attachment is another one from the current bot runs... The email looks like:
From: Nadia María Ochoa <nadia_m_ochoa018@ yahoo .es>
Date: Thu 31/03/2016 14:32
Subject: Photos
Attachment: Photos.zip


Body content: Totally Blank

31 March 2016: Photos.zip: Extracts to: 84628561-8282f-490006.js - Current Virus total detections 4/57*
.. downloads Locky ransomware from
site.ipark .tur.br/87h78rf33g (VirusTotal 3/57**). Other sites discovered include
http ://mrsweeter .ru/87h78rf33g which is currently giving a '404' although was used earlier today for delivering Locky. It is almost certain that all the sites in THIS*** post which are delivering the same Locky ransomware file will also be used in a -differing- version of this email... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...55a9f417093070f22b9ce783/analysis/1459431093/

** https://www.virustotal.com/en/file/...e1d03a64324b521a198433df/analysis/1459428606/
TCP connections
88.198.119.177: https://www.virustotal.com/en/ip-address/88.198.119.177/information/
>> https://www.virustotal.com/en/url/7...eee4d334bad6e781a7ae6a3adbba5a21a7d/analysis/

*** https://myonlinesecurity.co.uk/faxemail-fax-from-random-number-js-malware-leads-to-locky-ransomware/

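The posts above keep returning to the same lure: an attachment whose name and icon say .jpg, .tiff or .docx but which is really a ZIP or RAR holding a .js file, a double extension such as FILE-57146596.tiff.zip, or an .exe wearing a PDF icon. The Python routine below is an added example, not code from the quoted blogs or from this thread: it classifies an attachment by its leading bytes instead of its extension, looks inside ZIP archives for script members and flags double extensions. The magic-byte table, the extension sets, the function names and the constructed sample attachments (whose archive members hold placeholder text, not malware) are assumptions made for the demonstration.

```python
"""Attachment triage by content, not by file name.

Added example (not code from the quoted blogs): the magic-byte table, the
extension sets and the constructed samples below are assumptions chosen for
the demonstration. The sample archives contain placeholder text, not malware.
"""
import io
import os
import zipfile

# Leading bytes of the containers the posts mention (ZIP, RAR) and of a
# Windows PE executable; the file extension is never trusted on its own.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"MZ": "exe",
}

# Extensions Windows hands to the script host or loader on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe", ".scr"}

# Extensions a lure borrows to look like a document or picture.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".tif", ".tiff",
                 ".jpg", ".jpeg", ".gif", ".png"}


def sniff(data):
    """Identify the container type from the first bytes only."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def last_ext(name):
    """The extension the name shows to the user, lower-cased ('' if none)."""
    return os.path.splitext(name)[1].lower()


def triage(name, data):
    """Return a list of findings for one attachment; an empty list is clean."""
    findings = []
    actual = sniff(data)
    ext = last_ext(name)

    # 1. Container or executable wearing a document/picture name.
    if actual in ("zip", "rar") and ext not in (".zip", ".rar"):
        findings.append(f"{name}: named {ext or '(no extension)'} but content is a {actual} archive")
    if actual == "exe" and ext != ".exe":
        findings.append(f"{name}: named {ext or '(no extension)'} but content is a Windows executable")

    # 2. Directly attached script or executable.
    if ext in SCRIPT_EXTS:
        findings.append(f"{name}: attachment is itself a script or executable ({ext})")

    # 3. Double extension such as FILE-57146596.tiff.zip.
    inner = last_ext(os.path.splitext(name)[0])
    if inner in DOCUMENT_EXTS:
        findings.append(f"{name}: double extension, inner name looks like {inner}")

    # 4. Script members inside a ZIP (the standard library has no RAR reader,
    #    so a RAR is judged by its signature and name only).
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.namelist():
                    if last_ext(member) in SCRIPT_EXTS:
                        findings.append(f"{name}: archive member {member} is a script or executable")
        except zipfile.BadZipFile:
            findings.append(f"{name}: ZIP signature but the archive is unreadable")
    return findings


def make_zip(member_name, text):
    """Build an in-memory ZIP holding one text member (constructed sample)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, text)
    return buffer.getvalue()


PLACEHOLDER = "// constructed placeholder text, not a malicious script\n"

# Constructed samples named after the lures in the posts above.
SAMPLES = {
    "CCE29032016_00095.jpg": make_zip("CCE29032016_00095.js", PLACEHOLDER),
    "Photos.zip": make_zip("IMG0000024405.js", PLACEHOLDER),
    "FILE-57146596.tiff.zip": make_zip("414-7888138-1994311.js", PLACEHOLDER),
    "Deposit Slip.exe": b"MZ" + b"\x00" * 62,
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16,  # genuine JPEG header
}


def triage_all(samples):
    """Triage every sample; returns {attachment name: findings}."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(name, "->", findings or "clean")
```

At a mail gateway the same `triage` call would run over each decoded MIME part. Checking the leading bytes is what catches the "CCE29032016_00095.jpg that is really a ZIP" case from the vigilante post: the extension and icon say picture, the signature says archive, and the member list then shows the .js inside. A RAR attachment is only recognised by its signature here, so a renamed RAR is still flagged, but its members are not listed.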
Fake 'REFUND DEPOSIT', 'photos' 'selfie', 'Votre demande' SPAM, 'Petya' analysis

FYI...

Fake 'REFUND DEPOSIT' SPAM - fake PDF malware
- https://myonlinesecurity.co.uk/your-refund-deposit-copy-lloyds-bank-fake-pdf-malware/
Updated: 1 Apr 2016 - "An email with the subject of 'YOUR REFUND DEPOSIT COPY' pretending to come from Lloyds Bank <refund@ lloydsbank .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/03/YOUR-REFUND-DEPOSIT-COPY.png

31 March 2016: Attach.zip: Extracts to: Deposit Slip.exe - Current Virus total detections 8/57*
.. MALWR** | Payload Security***
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...3db6d13229eda8511c996454/analysis/1459447576/

** https://malwr.com/analysis/YzJhMjI3MzY0MmI5NGRjZmJmMzJjNDFjYzg5ZWQ2NzI/

*** https://www.reverse.it/sample/87497...9d9de3db6d13229eda8511c996454?environmentId=4
Contacted Hosts
5.254.112.27
___

Fake 'photos' 'selfie' SPAM - JS malware
- https://myonlinesecurity.co.uk/imag...dom-names-and-numbers-at-yahoo-es-js-malware/
1 Apr 2016 - "... numerous emails with the subject of 'images', 'photos' or 'selfie' pretending to come from random names and numbers at yahoo .es with a zip attachment is another one from the current bot runs which downloads what looks like Locky ransomware... some of these with no extension for the attachment... One of the emails looks like:
From: Maite STEPHENS <GALEANA965@ yahoo .es>
Date: Fri, 01 Apr 2016 10:35:17 +0100
Subject: images
Attachment: Photos(80).zip


Body content: Empty/blank body

1 April 2016: Photos(80).zip: Extracts to: IMG0000024405.js - Current Virus total detections 3/56*
.. downloads what looks like Locky ransomware from
http ://rhcequestrian .com/89uyg65fyguy (VirusTotal 5/57**)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...22c77c2443a8cdeaaee129e7/analysis/1459503374/

** https://www.virustotal.com/en/file/...ae642ab4454ff12cb921d8e3/analysis/1459503652/
TCP connections
88.198.119.177: https://www.virustotal.com/en/ip-address/88.198.119.177/information/
>> https://www.virustotal.com/en/url/7...eee4d334bad6e781a7ae6a3adbba5a21a7d/analysis/
___

Fake 'Votre demande' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecurity.co.uk/votre-demande-4906548-js-malware-leads-to-locky-ransomware/
1 Apr 2016 - "... an email written in French with the subject of 'Votre demande – 4906548' [random numbered] pretending to come from Darlene Walden <Darlene.Walden@ gouv .fr> with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... The email looks like:
From: Darlene Walden <Darlene.Walden@ gouv .fr>
Date: Fri 01/04/2016 09:11
Subject: Votre demande – 4906548
Attachment: Cas_4906548.zip
Monsieur / Madame,
Nous avons bien recu votre mail nous demandant de ne pas donner suite a votre demande
d’assurance du 01/04/2016 referencee en marge.
De ce fait, nous procedons a l’annulation de cette derniere a sa date d’effet et vous
precisons que vous ne pourriez vous prevaloir d’aucune garantie.
Pour plus de details s’il vous plait verifier fichier joint (Cas_4906548)
Nous vous remercions de bien vouloir en prendre note...

Translates to:
Sir / Madam,
We have received your mail asking us not to follow your request
Insurance 04/01/2016 referenced margin.
Therefore, we proceed to the cancellation of the latter has its effective date and you
Note that you could avail you of any warranty.
For more details please check attachment (Cas_4906548)
Thank you kindly take note...


1 April 2016: Cas_4906548.zip: Extracts to: Cas_2466628.js - Current Virus total detections 3/57*
.. Payload Security** shows a download of Locky Ransomware from
tag2change .com/images/old/note.exe (VirusTotal 2/56***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...3fa364571252e552136594f9/analysis/1459501792/

** https://www.reverse.it/sample/ea0d4...822483fa364571252e552136594f9?environmentId=4
Contacted Hosts
108.175.14.122: https://www.virustotal.com/en/ip-address/108.175.14.122/information/
>> https://www.virustotal.com/en/url/d...d7c0888788af95a426568f459277859e550/analysis/

*** https://www.virustotal.com/en/file/...2d925c7e6e998fb9b49d9f80/analysis/1459502285/
___

Fake 'boss scams' meet AI robocallers - dangerous escalation of Fraud
- http://blog.dynamoo.com/2016/04/fake-boss-scams-meet-ai-robocallers-in.html
1 Apr 2016 - "Many of us will be familiar with the 'fake boss' scam. You're sitting at your desk when your CEO suddenly calls and asks you to transfer a large stack of currency to some shady-bank-account for a business transaction you are not allowed to talk about. This type of -fraud- is simple and can often pay out big bucks, but it is also labour intensive. Research has to be done on companies and -convincing- calls have to be made to unsuspecting-minions. Not only does this all take some time, but the more people involved in the scam then the more ways you have to split the booty.. and the greater the chance of getting caught.
Now, the notorious Russian gang dubbed 'Den Duraka' by researchers have been discovered using a cunning new technique which makes this type of attack even more dangerous. Instead of relying on human beings to make the phone calls, they have now enrolled an AI-powered robocalling system called which promises to be a game-changer. Sporting the clumsy Russian acronym 'LOZHNYY', this is deeply integrated into LinkedIn, Facebook, Twitter and other social networks, with feeds into business directories using -hacked- credentials. Once it has found a CEO to impersonate, it scours the web for video and audio clips to get an idea of accents and mannerisms, and then it starts to research company filings and financial data. All of this is then combined with a wide range of pre-prepared scripts and some basic question-and-answer scenarios to make a deadly weapon in the hands of the scammers. Some of the conversational AI features are rudimentary, and LOZHNYY sometimes resorts to buzzword-laden nonsense when out of its depth. Victims report that they were -not- suspicious as this seemed consistent with the behaviour of their CEOs. Cybersecurity experts are struggling with ways to counter this new threat. At the moment their best advice is to completely -ignore- any communications from your CEO and indeed any C-level executive..."
___

Petya Ransomware - Malwarebytes analysis
- https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/
April 1, 2016 - "Petya is different from the other popular ransomware these days. Instead of encrypting files one by one, it denies access to the full system by attacking low-level structures on the disk. This ransomware’s authors have not only created their own boot loader but also a tiny kernel, which is 32 sectors long. Petya’s dropper writes the malicious code at the beginning of the disk. The affected system’s master boot record (MBR) is overwritten by the custom boot loader that loads a tiny malicious kernel. Then, this kernel proceeds with further encryption. Petya’s ransom note states that it encrypts the full disk, but this is not true. Instead, it encrypts the master file table (MFT) so that the file system is -not- readable.
PREVENTION TIP: Petya is most dangerous in Stage 2 of the infection, which starts when the system is rebooted after the BSOD caused by the dropper. In order to prevent your computer from going automatically to this stage, turn off automatic restart after a system failure (see how to do it):
> https://support.microsoft.com/en-us/kb/307973
If you detect Petya in Stage 1, your data can still be recovered. You can find more information about it here:
> https://hshrzd.wordpress.com/2016/03/31/petya-key-decoder/
... Behavioral analysis: This ransomware is delivered via scam emails themed as a job application. The e-mail comes with a Dropbox link, where the malicious ZIP is hosted. This initial ZIP contains two elements:
- a -photo- of a young man, purporting to be an applicant (in fact it is a publicly-available-stock image)
- an -executable- pretending to be a CV in a self-extracting archive or in PDF (in fact it is a malicious dropper in the form of a 32bit PE file):
> https://blog.malwarebytes.org/wp-content/uploads/2016/03/petya_exe-1.png
In order to execute its -harmful- features, it needs to run with Administrator privileges. However, it doesn’t even try to deploy any user account control (UAC) bypass technique. It relies fully on social engineering. When we try to run it, UAC pops up this alert:
> https://blog.malwarebytes.org/wp-content/uploads/2016/03/uac_popup.png
After deploying the application, the system crashes. When it restarts, we see the following screen, which is an -imitation- of a CHKDSK scan:
> https://blog.malwarebytes.org/wp-content/uploads/2016/03/1.png
In -reality- the malicious kernel is already encrypting. When it finishes, the affected user encounters this blinking screen with an ASCII art:
> https://blog.malwarebytes.org/wp-content/uploads/2016/03/2.png
Pressing a key leads to the main screen with the ransom note and all information necessary to reach the Web panel and proceed with the payment:
> https://blog.malwarebytes.org/wp-content/uploads/2016/03/3.png
... We noted that the website for the victim is well prepared and very informative. The menu offers several language versions, but so far only English works:
> https://blog.malwarebytes.org/wp-content/uploads/2016/03/page_main-768x707.png
It also provides a step-by-step process on how affected users can recover their data:
> https://blog.malwarebytes.org/wp-content/uploads/2016/03/guide-768x707.png
... We expect that cybercriminals release as little information about themselves as possible. But in this case, the authors and/or distributors are very open, sharing the team name—”Janus Cybercrime Solutions”—and the project release date—12th December 2015...
Conclusion: In terms of architecture, Petya is very advanced and atypical. Good quality FUD, well obfuscated dropper – and the heart of the ransomware – a little kernel – depicts that the authors are highly skilled. However, the chosen low-level architecture enforced some limitations, i.e.: small size of code and inability to use API calls. It makes cryptography difficult. That’s why the key was generated by the higher layer – the windows executable. This solution works well, but introduces a weakness that allowed the key to be restored (if we manage to -catch- Petya at -Stage1- -before- the key is erased)..."
(More detail at the malwarebytes URL at the top of this post.)
___

Ransomware and Recent Variants
- https://www.us-cert.gov/ncas/alerts/TA16-091A
March 31, 2016
___

- https://www.virusbulletin.com/blog/2015/05/you-are-your-own-threat-model/
"... Preventing macro malware from infecting your machine is really simple: -don't- enable macros, no matter how much a document urges you to do so..."

:fear::fear: :mad:
 
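The Malwarebytes write-up above makes the point that Petya's dropper overwrites the MBR with its own boot loader, which then encrypts the MFT. As an added illustration for this thread (example code, not Malwarebytes' analysis code and not anything from Petya itself), a defender can baseline the 446-byte boot-code region of sector 0 and alert when that region changes while the partition table stays the same. The sample MBRs below are constructed in memory; the "tampered" boot code is an arbitrary stand-in byte string, not Petya's loader.

```python
"""Added example: baseline check of the MBR boot-code region (constructed data)."""
import hashlib
import struct

SECTOR_SIZE = 512          # classic MBR occupies the first sector of the disk
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot loader code
SIGNATURE = b"\x55\xaa"    # bytes 510..511, the boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot code, four partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        # status, (3 CHS bytes), type, (3 CHS bytes), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions,
            "signature_ok": sector[510:512] == SIGNATURE}


def boot_code_fingerprint(sector: bytes) -> str:
    """SHA-256 over the boot-code region only; the partition table is compared separately."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def make_baseline(sector: bytes) -> dict:
    """Record what a known-clean sector 0 looked like."""
    return {"boot_fingerprint": boot_code_fingerprint(sector),
            "partitions": parse_mbr(sector)["partitions"]}


def compare_with_baseline(sector: bytes, baseline: dict) -> list:
    """Return human-readable findings; an empty list means sector 0 matches the baseline."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if boot_code_fingerprint(sector) != baseline["boot_fingerprint"]:
        findings.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: the given boot code plus one active NTFS (type 0x07) partition."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1_000_000)
    return boot + entry + b"\x00" * 48 + SIGNATURE


# Constructed stand-ins: neither byte string is a real boot loader.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 16)
TAMPERED_MBR = build_sample_mbr(b"CONSTRUCTED-BOOT-CODE-STAND-IN")
BASELINE = make_baseline(CLEAN_MBR)

if __name__ == "__main__":
    print("clean   :", compare_with_baseline(CLEAN_MBR, BASELINE))
    print("tampered:", compare_with_baseline(TAMPERED_MBR, BASELINE))
```

On a live Windows host the 512 bytes would be read from the raw device (`\\.\PhysicalDrive0`, which needs administrator rights); the baseline should be captured from a known-clean state and stored off the host, because a boot-level encryptor takes any on-disk baseline with it. The check fingerprints only the boot code and compares the partition table field by field, so a legitimate repartition shows up as a different finding from a replaced loader.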
Fake 'VeriFone', 'Refund', 'photos', 'Your Booking', 'Your parcel' SPAM

FYI...

Fake 'VeriFone' SPAM - JS malware
- https://myonlinesecurity.co.uk/verifone-services-uk-and-ireland-ltd-invoice-js-malware/
4 Apr 2016 - "An email with the subject of 'VeriFone Services UK and Ireland Ltd' pretending to come from donotreply_invoices@ verifone .com with a zip attachment is another one from the current bot runs which downloads some sort of malware... The email looks like:
From: donotreply_invoices@ verifone .com
Date: Mon 04/04/2016 10:29
Subject: VeriFone Services UK and Ireland Ltd
Attachment: VeriFone_20160404095713.zip
Please see attached Invoice(s).
Thanks and Regards,
VeriFone Services UK and Ireland Ltd
Confidentiality Note: This email message contains information that is confidential. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this message is prohibited. If you have received this message or attachment in error, please notify us immediately by email and delete the original...


4 April 2016:VeriFone_20160404095713.zip: Extracts to: VeriFone_20160404092434.js
Current Virustotal detections 3/57*. MALWR** shows a download from
http ://tag2change .com/images/old/note.exe (VirusTotal 4/57***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...a0071bb9f846c5503d40e9aa/analysis/1459766150/

** https://malwr.com/analysis/YTliMjcxYTI5NTdjNDc3MjgxMDg1NDc3MTA5NTMyYjI/
Hosts
108.175.14.122: https://www.virustotal.com/en/ip-address/108.175.14.122/information/
>> https://www.virustotal.com/en/url/d...d7c0888788af95a426568f459277859e550/analysis/

*** https://www.virustotal.com/en/file/...defc75f6ac49cc3092592892/analysis/1459766714/
___

Fake 'Refund' SPAM - JS malware leads to Teslacrypt ransomware
- https://myonlinesecurity.co.uk/refu...nt-js-malware-leads-to-teslacrypt-ransomware/
4 Apr 2016 - "An email with the subject of 'Refund for #18613 – $2,179,44' [random number, random amount] pretending to come from random names, companies and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt ransomware... One of the emails looks like:
From: Pongky Morrill <MorrillPongky34@ bitsport .ru>
Date: Mon 04/04/2016 12:20
Subject: Refund for #18613 – $2,179,44
Attachment: copy_nz_930864.zip
Your refund request has been processed.
Please, find the confirmation attached to this e-mail.


4 April 2016: copy_nz_930864.zip: Extracts to: letter_EWxago.js - Current Virus total detections 6/57*
.. MALWR** shows a download of a -new- version of Teslacrypt ransomware from
http ://greetingseuropasqq .com/80.exe?1 (VirusTotal 7/57***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...b6dfaa3d3261b6e83d1ab784/analysis/1459768523/

** https://malwr.com/analysis/ZTdmNzIwNDdjYzJhNDE1NmEyMDM4ZGQ4ZTZmZjU1YTU/
Hosts
54.212.162.6
217.70.180.150
107.180.43.132
107.180.4.122
76.162.168.113
192.186.220.8
71.18.247.59


*** https://www.virustotal.com/en/file/...046df74fa0dfe7e33d9ec422/analysis/1459772578/
TCP connections
217.70.180.150
107.180.43.132

___

Fake 'photos' SPAM - from your own email address delivering Locky ransomware
- https://myonlinesecurity.co.uk/phot...ddress-supposed-to-be-malware-but-empty-zips/
4 Apr 2016 - "An email with the subject of 'Photos' [random number between 1 and 4] pretending to come from your own email address with a zip attachment is -supposed- to be another one from the current bot runs which downloads Dridex, Locky or some other malware but is malformed-and-misconfigured so the attached zip is -empty- ... They use email addresses and subjects that will entice a user to read the email and open the attachment...
Update: Some working copies now trickling through containing -nemucod- downloaders delivering Locky ransomware. The email looks like:
From: Your email address
Date: Mon 04/04/2016 10:48
Subject: Photos 3
Attachment: 20160404_074897_resized.zip
Envoyé de mon Galaxy S6 edge+ Orange


Update: Managed to get a 'working' copy...
4 April 2016: 20160404_409472_resized.zip: Extracts to: 20160401_833019_resized.js
Current Virus total detections 2/57*.. downloads what looks like Locky ransomware from
http ://taytantalya .com/54eftygub (VirusTotal 2/56**)
Some other locations seen include:
hatgiongrangdong .com/54eftygub and
amid-s .com.ua/54eftygub
http ://2ws .club/54eftygub
http ://asensor .com.sg/54eftygub
http ://freya58 .ru/54eftygub
http ://lindecoration .com/54eftygub
http ://lxtrading .com.sg/54eftygub
http ://sargentojoe .com.br/54eftygub
http ://stylekoko .com/54eftygub
http ://waxmod .com/54eftygub ...
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...b4de56c79ade0c7d87384911/analysis/1459764701/

** https://www.virustotal.com/en/file/...1fb5f925c1f44c6435a8319a/analysis/1459763558/
TCP connections
91.209.77.86: https://www.virustotal.com/en/ip-address/91.209.77.86/information/
>> https://www.virustotal.com/en/url/e...4ecb26dca3245ca3ad587134abaf3e7d291/analysis/
___

Fake 'Your Booking' SPAM - JS malware leads to Teslacrypt
- https://myonlinesecurity.co.uk/chan...81-js-malware-leads-to-teslacrypt-ransomware/
4 Apr 2016 - "An email with the subject of 'Changes in Your Booking (Booking Nr:46081)' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt... The email looks like:
From: Trudey Daniel <DanielTrudey588@ eskweb .net>
Date: Mon 04/04/2016 14:40
Subject: Changes in Your Booking (Booking Nr:46081)
Attachment: aqq_copy_830379.zip
There has been some important change in your booking (Booking Nr:46081). Please review the confirmation below.


4 April 2016: aqq_copy_830379.zip: Extracts to: doc_xXsKNB.js - Current Virus total detections 5/57*
.. Downloads Teslacrypt from the same locations as this earlier post**... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...83620b1430e34b179c9e44b2/analysis/1459777068/

** https://myonlinesecurity.co.uk/refu...nt-js-malware-leads-to-teslacrypt-ransomware/
___

Fake 'Your parcel' SPAM - JS malware
- https://myonlinesecurity.co.uk/your-parcel-898322-status-arrived-otis-ryan-js-malware/
4 Apr 2016 - "An email with the subject of 'Your parcel #898322, Status: Arrived Otis Ryan' [random numbered] pretending to come from Otis Ryan <cobranza@ moldecor .com> with a zip attachment is another one from the current bot runs which downloads some sort of malware... The email looks like:
From: Otis Ryan <cobranza@ moldecor .com>
Date:
Subject: Your parcel #898322, Status: Arrived Otis Ryan
Attachment: Otis Ryan.zip
Valued Customer, Otis Ryan
The check of 255.00$ for the parcel #617473 was received by our company and now has the Status: Paid.
Our people has already shipped the purchase.
Please, Be sure to write us back if you already received the order, as it should have been delivered on February 3, 2016.
If you have any questions, you can check the details order enclosed to this e-mail, or call our department and we will offer you the other options.


4 April 2016: Otis Ryan.zip: Extracts to: Otis Ryan.js - Current Virus total detections 3/57*
.. MALWR** doesn’t show any downloads but Payload security[1] shows a download of some malware from
yuilouters .com/img/sc.php?m=c2FuZHJhQG9uZWtuaWdodC5jby51aw%3D%3D&f=img.jpg (VirusTotal 4/56***). MALWR[2] - This isn’t a JPG (image file) but a -renamed- .exe file -despite- the icon showing it to be a jpg... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...fd0501e6c108dcab6a1c1d65/analysis/1459789450/

** https://malwr.com/analysis/OTUyMWQ0YTllZGU0NDRhNWIyMWE0Y2ZmYzhkZDZiNTc/

1] https://www.reverse.it/sample/3da03...2f333fd0501e6c108dcab6a1c1d65?environmentId=4
Host Address
130.255.129.102: https://www.virustotal.com/en/ip-address/130.255.129.102/information/

*** https://www.virustotal.com/en/file/...b9081d59e1b46480e9f7dbfc/analysis/1459790694/

2] https://malwr.com/analysis/ZjRjMjg3MjljNTdiNGMyMTg3NGM5ZDcwYjdlNGFjZGQ/

yuilouters .com: 193.33.197.174
176.105.171.196
46.98.193.150
176.124.235.127
176.103.235.5
178.217.162.239
5.1.14.100
79.113.106.239
86.126.0.128
176.36.70.114


:fear::fear: :mad:
 
Fake 'Receipt', 'Your Balance', 'Bank', 'Invoice - e-pay', 'Unpaid Bill' SPAM

FYI...

Fake 'Receipt' SPAM - xls macro malware
- https://myonlinesecurity.co.uk/receipt-xencourier-co-uk-excel-xls-spreadsheet-macro-malware/
5 Apr 2016 - "An email with the subject of 'Receipt' pretending to come from Mike <mike@ xencourier .co.uk> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Mike <mike@ xencourier .co.uk>
Date: Tue 05/04/2016 10:10
Subject: Receipt
Attachment: scan0001.xls
Hi
Here is your credit card receipt attached. VAT invoice to follw in due course.
Best regards
Mike ...


5 April 2016: scan0001.xls - Current Virus total detections 4/57*
.. REVERSEIT** and MALWR*** show a download from
http ://unifire .in/43tgw - MALWR[4] VirusTotal 3/56[5]. I am unsure whether this is Dridex or Locky ransomware, judging by the auto analysis, I am guessing on Dridex with an anti-analysis component... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...16d662ba9dc87a14e2286cb6/analysis/1459847342/

** https://www.reverse.it/sample/5e6ce...e02b716d662ba9dc87a14e2286cb6?environmentId=4
Contacted Hosts
184.154.132.107
195.169.147.78


*** https://malwr.com/analysis/YmFhZDA4ODcxY2YzNGY0ZGIwZTI0MzU5Y2IyNDVjZDY/
Hosts
184.154.132.107: https://www.virustotal.com/en/ip-address/184.154.132.107/information/
>> https://www.virustotal.com/en/url/2...249facbc9f02405e7986bf141979d3423d3/analysis/

4] https://malwr.com/analysis/MzE4MTc4YmJjYzYwNGE2YjgwMDFjYTIxNWYyYmIwZmY/

5] https://www.virustotal.com/en/file/...29fb8deea01b22cf21dcdd02/analysis/1459847771/
___

Fake 'Your Balance' SPAM - leads to Teslacrypt
- https://myonlinesecurity.co.uk/actu...66-js-malware-leads-to-teslacrypt-ransomware/
5 Apr 2016 - "An email with the subject of 'Actual Status on Your Balance 49166' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt ransomware... The email looks like:
From: Random senders
Date: Tue 05/04/2016 13:05
Subject: Actual Status on Your Balance 49166
Attachment: zi_invoices_764173.zip
Please find attached your actual statement for the period of 02/2016 to 03/2016.


5 April 2016: zi_invoices_764173.zip: Extracts to: check_WuKGkn.js - Current Virus total detections 23/56*
.. downloads Teslacrypt ransomware from
http ://marvellrulesqq .com/70.exe?1 (VirusTotal 5/56**)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...7d7281a162181c8b430078d1/analysis/1441173827/

** https://www.virustotal.com/en/file/...36edd76a193b5fd4c1af3ca5/analysis/1459859633/
TCP connections
23.229.239.227

marvellrulesqq .com: 185.118.142.154: https://www.virustotal.com/en/ip-address/185.118.142.154/information/
>> https://www.virustotal.com/en/url/8...9a23b17284ca97b5b28e8814b511b593956/analysis/
54.212.162.6: https://www.virustotal.com/en/ip-address/54.212.162.6/information/
>> https://www.virustotal.com/en/url/9...a0579e4d5cffe87cf109d5ffe3d041bd5de/analysis/
104.161.60.151: https://www.virustotal.com/en/ip-address/104.161.60.151/information/
___

Fake 'Bank' SPAM - doc malware
- https://myonlinesecurity.co.uk/pfi-05-04-16-union-national-bank-egypt-word-doc-malware/
5 Apr 2016 - "This email that appears to be from Union National Bank-Egypt with the subject of 'PFI -05.04.16' pretending to come from CEO Finexx Group <sales@ salesbabu .com> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/04/ghada-abdou-1024x597.png

5 April 2016 : Invvoice.docx - Current Virus total detections 8/56*
.. MALWR** - This -malicious- word doc has an -embedded- .exe file that gets extracted and decoded when you click-on-the-icon inside the word doc to deliver MICROSOFT.exe (VirusTotal 7/55***). This was passed on to me by another analyst... When I extracted the malware from the word doc I got THIS (VT 7/57[4]) differently detected malware... See screenshot (below):
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/04/Invvoice_docx-1024x532.png
These embedded OLE objects will extract from ANY office program that can read & display word docs, as far as I am aware this also includes open office, libre office and all the other non-Microsoft programs. If you do follow their advice and click-on-the-object... it is game-over and you-are-compromised... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...5d49c0fbe7eea9d8363986a6/analysis/1459854693/

** https://malwr.com/analysis/OGFiODhjNGE4Yzk3NGViMWE4YmRiNzljMGUxMWFhNzk/

*** https://www.virustotal.com/en/file/...05466c64aeca2aa0194f2f1c/analysis/1459854644/
TCP connections
93.184.220.29
104.86.111.136


4] https://www.virustotal.com/en/file/...f70887b8491b0735817978e1/analysis/1459861778/
___

Fake 'Invoice - e-pay' SPAM - JS malware leads to Dridex
- https://myonlinesecurity.co.uk/invoice-912409-uk-e-pay-email-server-js-malware-leads-to-dridex/
5 Apr 2015 - "An email with the subject of 'Invoice: 912409' pretending to come from UK e-pay Email Server (epay UK) <DO.NOT.REPLY.TO@ uk.epayworldwide .com> with a zip attachment is another one from the current bot runs which downloads Dridex banking Trojan... The email looks like:
From: UK e-pay Email Server (epay UK) <DO.NOT.REPLY.TO@ uk.epayworldwide .com>
Date: Tue 05/04/2016 12:24
Subject: Invoice: 912409
Attachment: PeriodSummarybyTerminal.zip
Account: 912409


5 April 2016: PeriodSummarybyTerminal.zip: Extracts to: KFVL-902246613812.js - Current Virus total detections 6/57*
.. Downloads Dridex banking Trojan from
http ://mekongtrails .com/4543t43 (VirusTotal 5/56**) Which appears to be the -same- version and also using the -same- file names and the -same- other download locations as THIS earlier malspam run***... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...56ef0d6c89f96650d2443ce9/analysis/1459859137/

** https://www.virustotal.com/en/file/...29fb8deea01b22cf21dcdd02/analysis/1459858301/

*** https://myonlinesecurity.co.uk/receipt-xencourier-co-uk-excel-xls-spreadsheet-macro-malware/

mekongtrails .com: 173.236.74.11: https://www.virustotal.com/en/ip-address/173.236.74.11/information/
>> https://www.virustotal.com/en/url/1...7771238bd92274d6f5d2ec45e5b7b2ab5f6/analysis/
___

Fake 'Unpaid Bill' SPAM - JS malware leads to Teslacrypt
- https://myonlinesecurity.co.uk/unpa...-service-7650-js-malware-leads-to-teslacrypt/
5 Apr 2016 - "An email with the subject of 'Unpaid Bill for Car Repair Service 7650' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads teslacrypt... The email looks like:
From: Random
Date: Tue 05/04/2016 16:33
Subject: Unpaid Bill for Car Repair Service 7650
Attachment: copy_xerox.device5_868199.zip
We kindly ask you to review our unpaid bill again and send us the payment in order to avoid additional costs.


5 April 2016: copy_xerox.device5_868199.zip: Extracts to: finance_NJTugN.js - Current Virus total detections 7/57*
.. MALWR** and payload security*** shows a download of Teslacrypt from
marvellrulesqq .com/70.exe?1 (VirusTotal 4/56[4]) or
http ://marvellrulesqq .com/80.exe?1 (VirusTotal 4/57[5]). Although both files are the same size they have different sha1# ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...7aa10c12d9385ee4b4d56e33/analysis/1459871414/

** https://malwr.com/analysis/YjNkMDg3MTRiZDBhNDQwNmFhZjdkZTZiYjFiMGYyNGY/
Hosts
104.161.60.151
23.229.239.227
194.228.3.204


*** https://www.hybrid-analysis.com/sam...2ee6c7aa10c12d9385ee4b4d56e33?environmentId=4
Contacted Hosts
54.212.162.6
23.229.239.227
194.228.3.204


4] https://www.virustotal.com/en/file/...7ef01dae2380e0e5ef06bdc4/analysis/1459872787/
TCP connections
23.229.239.227
194.228.3.204
107.180.26.75
192.185.151.39


5] https://www.virustotal.com/en/file/...8eb41cefe56174c44978d05f/analysis/1459873099/
TCP connections
23.229.239.227
194.228.3.204


marvellrulesqq .com: 185.118.142.154: https://www.virustotal.com/en/ip-address/185.118.142.154/information/
>> https://www.virustotal.com/en/url/f...4a292733ac2484c34976e21d176e1ce2817/analysis/
54.212.162.6: https://www.virustotal.com/en/ip-address/54.212.162.6/information/
>> https://www.virustotal.com/en/url/9...a0579e4d5cffe87cf109d5ffe3d041bd5de/analysis/
104.161.60.151: https://www.virustotal.com/en/ip-address/104.161.60.151/information/

:fear::fear: :mad:
 
Fake 'Voicemail', 'Invoicing', 'Document(1)', 'Remittance Details' SPAM

FYI...

Fake 'Voicemail' SPAM - JS malware
- https://myonlinesecurity.co.uk/soho66-new-voicemail-message-from-07792084437-js-malware/
4 Apr 2016 - "An email with the subject of 'New Voicemail Message From 07792084437' [random numbers] pretending to come from Soho66 <noreply@ soho66 .co.uk> with a zip attachment is another one from the current bot runs which downloads some sort of malware... The email looks like:
From: Soho66 <noreply@ soho66 .co.uk>
Date:
Subject: New Voicemail Message From 07792084437
Attachment: MSG0000060895.WAV.RAR
Hi,
You have been left a 0:19 long message (number 11) in mailbox 1006 from 07792060895, on Wed, 06 Apr 2016 06:13:47 -0400
The voicemail message has been attached to this email as a wave file – which you can play on most computers.
Our Regards
The Soho66 Customer Team
Please do not reply to this message. This is an automated message which comes from an unattended mailbox...


6 April 2016: MSG0000060895.WAV.RAR: Extracts to: MSG00004481919.WAV.js - Current Virus total detections 5/57*
.. MALWR** shows a download from http ://mapstor .org/1278u0 (VirusTotal 1/57***). MALWR[4]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...1b101dd62b2f5c0a64b8c438/analysis/1459938427/

** https://malwr.com/analysis/ZjM2YjA4OWQwM2NhNGM4ZTk5MmY1NzlhMDU4NTBmMDk/
Hosts
104.27.167.24: https://www.virustotal.com/en/ip-address/104.27.167.24/information/
>> https://www.virustotal.com/en/url/c...1b1b0226ec290e1bcf1d3adad1b180b40e7/analysis/

*** https://www.virustotal.com/en/file/...aae5d00031055d5a0d377a3e/analysis/1459939012/

4] https://malwr.com/analysis/NTU2YjIzYWY2ZWYxNDlhYTk2Yjc1ZmVkOWQ0YWJhZmI/
___

Fake 'Invoicing' SPAM - JS malware
- https://myonlinesecurity.co.uk/liberty-wines-invoicing-js-malware/
6 Apr 2016 - "An email with no subject pretending to come from Liberty Wines, Invoicing <invoicing@ libertywines .co.uk> with a zip attachment is another one from the current bot runs which downloads an unknown malware probably either Locky ransomware or Dridex banking Trojan... The email looks like:
From: , Invoicing <invoicing@ libertywines .co.uk>
Date: Wed 06/04/2016 11:50
Subject: [blank/empty]
Attachment: Sales-Invoice LWIN0136332.rar
Dear Customer,
Please find attached your invoice, number: LWIN0136332.
Kind regards,
Liberty Wines


6 April 2016: Sales-Invoice LWIN0136332.rar: Extracts to: MSG00008141521.WAV.js - Current Virus total detections 5/57*
.. MALWR** shows a download from http ://vnnsports .com/1278u0 which although a different # is the -same- malware as described in THIS earlier post***... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...4a3f9f6e33f2201480ffed41/analysis/1459939899/

** https://malwr.com/analysis/MTc4YTRhMWRlYTAxNGI2ZmE3ZDM3MDRiNTczNGIxMGY/
Hosts
184.154.132.107: https://www.virustotal.com/en/ip-address/184.154.132.107/information/
>> https://www.virustotal.com/en/url/e...d2ded58b47e1709b752bc842f1e08059b1b/analysis/

*** https://myonlinesecurity.co.uk/soho66-new-voicemail-message-from-07792084437-js-malware/
___

Fake 'Document(1)' SPAM - doc macro malware
- https://myonlinesecurity.co.uk/docu...our-own-email-address-word-doc-macro-malware/
6 Apr 2016 - "A blank/empty email with the subject of 'Document(1)' pretending to come from your own email address with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: your email address
Date: Wed 06/04/2016 14:15
Subject: Document(1)
Attachment: Document(1).doc


Body content: Totally empty/Blank

6 April 2016: Document(1).doc - Current Virus total detections 10/56*
.. MALWR shows a download of Dridex banking Trojan from
http ://jabez .jp/1278u0 (VirusTotal 12/57**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...85d655274936d506cedd21d8/analysis/1459948652/

** https://www.virustotal.com/en/file/...2586edba805406fa756544d9/analysis/1459961706/
TCP connections
109.235.139.64

jabez .jp: 120.136.14.15: https://www.virustotal.com/en/ip-address/120.136.14.15/information/
___

Fake 'Remittance Details' SPAM - rtf macro malware delivers Dridex
- https://myonlinesecurity.co.uk/remi...s-word-doc-rtf-macro-malware-delivers-dridex/
6 Apr 2016 - "An email with the subject of 'Remittance Details (USD 7956.88) – your-web-address' pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... One of the emails looks like:
From: random senders
Date: Wed 06/04/2016 16:04
Subject: Remittance Details (USD 7956.88) – securityandprivacy.co.uk
Attachment: Invoice Number 0297376 – Issue Date 02165639.rtf
Dear All
Please find attached your banking details and do note the difference from the one we have We are to proceed with the payment of USD 7956.88 so please do verify attached bank details to avoid making payment to the wrong person as it is our custom. Please reply if you have any questions. Thanks Beryl Frye NAMIBIAN RESOURCES...


6 April 2016: Invoice Number 0297376 – Issue Date 02165639.rtf - Current Virus total detections 4/56*
.. MALWR** shows a download of Dridex banking Trojan from
http ://shop.bleutree .biz/tablets/galaxytab3.php which gave me crypted122med.exe (VirusTotal 5/56***)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...46087de4435af479d5ffaa80/analysis/1459960107/

** https://malwr.com/analysis/Nzk4YWE5NTlmZDc4NDQzZGI5NjJhNjYzMWRmNDg5NmY/
Hosts
85.143.209.13: https://www.virustotal.com/en/ip-address/85.143.209.13/information/
>> https://www.virustotal.com/en/url/6...42e773b0316455cd9abde881bc4c81a9d13/analysis/

*** https://www.virustotal.com/en/file/...090edc8e33ad906a91e91d16/analysis/1459960596/

shop.bleutree .biz: 85.143.209.13
___

Fake 'Security Update' SPAM - BT phish
- https://myonlinesecurity.co.uk/attention-security-update-bt-phishing/
6 Apr 2016 - "'Attention! Security Update' pretending to come from BT is one of the latest -phish- attempts to steal your BT details and your Bank, credit card and personal details... This one wants your personal details, BT log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/04/BT_phishing-email-1024x781.png

... When (IF) you fill in your user name and password you are sent to a page where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

:fear::fear: :mad:
 
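The posts in this thread keep showing the same two attachment patterns: a zip or rar holding a .js downloader behind a document- or media-looking name (MSG0000060895.WAV.js, Otis Ryan.js, note.exe shown with a DOC icon), and an Office document carrying a macro or an embedded OLE object that the lure asks the reader to click. The following is an added example, not code from myonlinesecurity.co.uk or from any tool those posts mention, of a mail-gateway-style triage that flags both patterns before a user ever sees the attachment. The archives and documents it inspects are constructed in memory with inert placeholder contents; only the file names echo the posts.

```python
"""Added example: gateway-style triage of archive attachments (constructed samples)."""
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows runs as a program or script on double-click.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "vbe",
                  "wsf", "hta", "bat", "cmd"}
# Harmless-looking extensions that the lures put in front of the real one.
DECOY_EXT = {"doc", "docx", "pdf", "jpg", "jpeg", "png", "wav", "xls", "txt"}
# Office Open XML containers (zip files) whose internals can be inspected.
OOXML_EXT = {"docx", "docm", "dotm", "xlsx", "xlsm", "pptx", "pptm"}


@dataclass
class Finding:
    member: str                              # file name inside the attachment archive
    reasons: list = field(default_factory=list)


def classify_name(name: str) -> list:
    """Flag executable/script extensions and 'document.ext.js' style double extensions."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable/script extension .{ext}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXT:
            reasons.append(f"double extension .{parts[-2]}.{ext} hides the real type")
    return reasons


def inspect_ooxml(data: bytes) -> list:
    """Look inside an OOXML document for a VBA project or embedded OLE objects."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            names = doc.namelist()
    except zipfile.BadZipFile:
        return ["not a valid OOXML container"]
    reasons = []
    if any(n.endswith("vbaProject.bin") for n in names):
        reasons.append("contains VBA macro project (vbaProject.bin)")
    embedded = [n for n in names if "/embeddings/" in n]
    if embedded:
        reasons.append("contains embedded OLE object(s): " + ", ".join(embedded))
    return reasons


def triage_archive(archive_bytes: bytes) -> list:
    """Return one Finding per suspicious member of a zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if info.filename.lower().rsplit(".", 1)[-1] in OOXML_EXT:
                reasons += inspect_ooxml(zf.read(info))
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def _zip(members: dict) -> bytes:
    """Build a zip in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; contents are inert placeholders, only the names echo the posts.
SAMPLE_JS_ZIP = _zip({"MSG0000060895.WAV.js": "// placeholder, not a downloader"})
SAMPLE_OLE_DOCX_ZIP = _zip({"Invvoice.docx": _zip({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/embeddings/oleObject1.bin": b"\x00" * 8})})
SAMPLE_MACRO_XLSM_ZIP = _zip({"scan0001.xlsm": _zip({
    "xl/workbook.xml": "<workbook/>",
    "xl/vbaProject.bin": b"\x00" * 8})})
SAMPLE_CLEAN_ZIP = _zip({"report.pdf": "%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, sample in [("js", SAMPLE_JS_ZIP), ("docx", SAMPLE_OLE_DOCX_ZIP),
                          ("xlsm", SAMPLE_MACRO_XLSM_ZIP), ("clean", SAMPLE_CLEAN_ZIP)]:
        print(label, [(f.member, f.reasons) for f in triage_archive(sample)])
```

Only zip containers and Office Open XML documents are handled here: the .RAR attachments in the voicemail and invoicing posts need a separate library (rarfile, for instance), and the legacy binary .doc/.xls files in the receipt and bank posts are OLE2 compound files rather than zips, for which olevba from the oletools project is the usual macro check. The name-based rule is deliberately independent of the icon the file shows, which is the whole point of the "show known file extensions" advice repeated above.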