SPAM frauds, fakes, and other MALWARE deliveries...

Fake 'Scanned image' SPAM

FYI...

Fake 'Scanned image' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/scan...-from-your-own-email-domain-delivers-locky-2/
4 July 2016 - "An email with the subject of 'Scanned image' pretending to come from random names at your own email domain or company with a malicious word doc macro attachment delivers Locky Ransomware... The email looks like:
From: Random names at your own email domain
Date: Mon 04/07/2016 11:33
Subject: Scanned image
Attachment: 04-07-2016_rndnum(4,9)}}.docm
Image data has been attached to this email.


4 July 2016: 04-07-2016_rndnum(4,9)}}.docm - Current VirusTotal detections 6/54*
.. MALWR** shows a download from http ://clear-sky .tk/nb4vervge which is Locky Ransomware although not showing in the sandbox analysis. This means that once again the Locky gang have upped the stakes and changed their anti-analysis/ anti-sandbox protections to make it more difficult to detect and protect against (VirusTotal 3/53***).. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...114b5e39459b16027aa01eaf/analysis/1467628388/

** https://malwr.com/analysis/ZTJmMTIwODc4NTNlNDA3Y2IyNTAwZGI0NmRlNjAxOTY/
Hosts
213.239.227.58: https://www.virustotal.com/en/ip-address/213.239.227.58/information/
>> https://www.virustotal.com/en/url/2...716d56ceaddaf0ea532f7663cf825781d09/analysis/

*** https://www.virustotal.com/en/file/...82bab16893196e156ea8afad/analysis/1467627485/

Fake 'Rechnung', 'Scanned image' SPAM, Fake 'Quick cash' fraud SCAM/PHISH

FYI...

Fake 'Rechnung' SPAM - downloads Locky
- https://myonlinesecurity.co.uk/rechnung-2016-93910-mpsmobile-gmbh-malspam-delivers-locky-ransomware/
5 July 2016 - "An email partly in German and partly in English pretending to be a-mobile-phone-bill with the subject of 'Rechnung 2016-93910' [random numbered] pretending to come from mpsmobile GmbH <info@ mpsmobile .de> with a zip attachment which downloads Locky ransomware... One of the emails looks like:
From: mpsmobile GmbH <info@mpsmobile .de>
Date: Tue 05/07/2016 10:45
Subject: Rechnung 2016-93910
Attachment: 52751_Rechnung_2016-93910_20160705.zip
(German, translated:) Dear Sir or Madam, attached you will find the document 'Rechnung 2016-93910' in PDF format. To view and print it you need the PDF Reader, which you can install free of charge in its current version from the Internet. Kind regards, mpsmobile Team ...
(The email's own English version:) Dear Ladies and Gentlemen, please find attached document 'Rechnung 2016-93910' im PDF-Format. To view and print these forms, you need the PDF Reader, which can be downloaded on the Internet free of charge. Best regards mpsmobile GmbH ...


5 July 2016: 52751_Rechnung_2016-93910_20160705.zip: Extracts to: 63227_2016-53001_20160705.js
Current VirusTotal detections 23/56*. Payload Security** | MALWR*** was unable to find anything, but manual analysis shows a download from http ://brewinbooks .com/98uhnvcx4x (VirusTotal 3/53[4]) which looks like Locky Ransomware, but MALWR[5] doesn't show any activity, which is probably due to anti-sandbox protection in the file. Other download locations so far found include:
http ://brazilmart .com/98uhnvcx4x
http ://brewinbooks .com/98uhnvcx4x
http ://thecorporate .gift/98uhnvcx4x
http ://lojaeberlin .com/98uhnvcx4x
http ://topbag .com.au/98uhnvcx4x
http ://hangusaxachtay .com/98uhnvcx4x
http ://flyingcarts .com/98uhnvcx4x
http ://imbagscanta .com/98uhnvcx4x
http ://foxprint .ro/98uhnvcx4x
This is another one of the files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...7d7281a162181c8b430078d1/analysis/1441173827/

** https://www.hybrid-analysis.com/sam...74cf758dc5dde9a9c6f96dd831c?environmentId=100
Contacted Hosts
79.170.44.88
185.106.122.46
185.106.122.38
192.42.116.41
5.196.70.240


*** https://malwr.com/analysis/MTViYTEyZGNmMTBkNDVmOWFiM2E2ZjE3N2I4MTczNjQ/

4] https://www.virustotal.com/en/file/...bb82d73c250be250a2f994e6/analysis/1467711259/

5] https://malwr.com/analysis/MTczYmY2MjM0YTQ5NDA4N2E0MDBmZWMyZGZkNjkyYmI/
___

Fake 'Scanned image' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-scanned-image-leads-to.html
5 July 2016 - "This -fake- document scan appears to come from within the victim's own domain but has a malicious attachment.
From: administrator8991@ victimdomain .com
Date: 5 July 2016 at 12:47
Subject: Scanned image
Image data has been attached to this email.


Possibly due to an error in setting up the spam run, there is an attachment named 05-07-2016_rndnum(4,9)}}.docm which contains a malicious macro. We haven't seen much in the way of Word-based malware recently. The two samples I received have VirusTotal detection rates of 5/52* and 6/52**. The Malwr analysis for those samples [1] [2] shows the macro downloading a binary from:
leafyrushy .com/98uhnvcx4x
sgi-shipping .com/98uhnvcx4x
There will be a lot more locations too. This drops a binary with a detection rate of 5/55[3] which appears to be Locky ransomware. Hybrid Analysis[4] shows it phoning home to:
185.106.122.38 (Host Sailor, Romania / UAE)
185.106.122.46 (Host Sailor, Romania / UAE)
185.129.148.6 (MWTV, Latvia)
Host Sailor is a notoriously Black Hat web host, MWTV has its problems too. The payload appears to be Locky ransomware.
Recommended blocklist:
185.106.122.0/24
185.129.148.0/24
"
* https://virustotal.com/en/file/2620...6b5610277feed23501d8f5ee/analysis/1467721871/

** https://virustotal.com/en/file/34c9...61322121d57af1f39507c85c/analysis/1467721877/

1] https://malwr.com/analysis/ZTNkYzVmMGI4MDc2NDM2NWI4ZWIzZDNkZWYzZDliYTM/
Hosts
209.222.76.2

2] https://malwr.com/analysis/Y2RlMTJlYTIyNmNjNDRhOGIyMjc1MjlmMWMwZGJjYjk/
Hosts
160.153.74.199

3] https://virustotal.com/en/file/2a92...368d478fa1128916fd5bae6e194d13634f0/analysis/

4] https://www.hybrid-analysis.com/sam...a1128916fd5bae6e194d13634f0?environmentId=100
Contacted Hosts
185.106.122.38
185.106.122.46
185.129.148.6

___

Fake 'Quick cash' fraud SCAM/PHISH
- https://myonlinesecurity.co.uk/fake-invoices-quick-cash-systems-binary-options-fraud-scams/
5 July 2016 - "... Instead of the usual spam emails, we are seeing loads of -fake- invoices, all with links to various companies that pass through or redirect the user to
http ://www.quickcashsystem .biz/?offerID=1062&p=10274a38b6a0b47645075132d8d48c (They are probably affiliate references so the scummy scammers can pay the evil fraudsters who send victims to them). The reference number is different, depending on the “victim’s IP number”. I visited via different proxies and got a different reference number each visit... This all starts off with an email like one of these:
This first one pretends to be an Account Balance Warning from an unnamed bank. All the links go to
http ://beckham7 .com/lists/link.php?M=28914&N=33&L=18&F=H where you are -redirected- (eventually) to
http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e where a video immediately starts playing, showing you a big mansion, expensive cars and the chance to make $$$$$.

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/account_balance_beckham7-1024x733.png

This one pretends to be an electronics invoice and at a first quick glance, you could quite easily mistake it for an Ebay invoice and follow the links to see what on earth has happened, because you don’t remember ordering anything. This one leads to http ://a2cd .com/lists/link.php?M=29114&N=33&L=18&F=H which -redirects- to
http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e :
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/fake_invoice_a2cd-1-1024x608.png
This 3rd example is so generic that almost anyone receiving it would click through to see what or how this mistake could have been made. This goes to
http ://steps123 .com/lists/link.php?M=29215&N=41&L=20&F=H and -redirects- to
http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e :
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/fake_invoice_steps123-1024x580.png
You eventually end up on this page, whichever link you follow to start with:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/quick_cash-1024x644.png
If you look at the small print at the very bottom of the page, you just see in very light type a link to disclaimer and privacy:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/QC_disclaimer_link.png
Following the disclaimer link, you get a page that does warn you “The www .quickcashsystem .biz sales video is fictitious and was produced to portray the potential of the www .quickcashsystem .biz 3rd party signals software. Actors have been used to present this opportunity and it should be viewed for entertainment purposes. We do not guarantee income or success, and example results in the video and anywhere else on this website do not represent an indication of future success or earnings.”

quickcashsystem .biz: 5.189.129.65: https://www.virustotal.com/en/ip-address/5.189.129.65/information/
>> https://www.virustotal.com/en/url/6...f0b15e4d63a5637bdbd26b1db0699660189/analysis/

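Several items in this thread hinge on the same two tricks: a ZIP whose only member is a .js (the Rechnung zip above extracts to a .js), and script or macro files whose real extension is hidden unless "show known file extensions" is on. The script below is an added example (not code from any of the quoted blogs) of a mail-gateway style triage that flags macro-enabled Office attachments, script attachments, decoy double extensions, and archives carrying scripts. The attachment names are taken from the posts; the in-memory ZIP is constructed here, not a real sample.

```python
"""Triage e-mail attachment names: flag macro-enabled Office files, script
files, decoy double extensions, and ZIPs that contain scripts.

Added example, not code from the quoted blogs. File names mirror the posts;
the ZIP built by make_sample_zip() is constructed, not a real sample.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will execute directly or hand to a script engine.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta",
               ".exe", ".scr", ".cmd", ".bat", ".ps1"}
# Macro-enabled Office formats (the .docm/.dotm lures in this thread).
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
ARCHIVE_EXTS = {".zip"}


def suffixes(name):
    """All suffixes, lower-cased: 'invoice.pdf.js' -> ['.pdf', '.js']."""
    return [s.lower() for s in PurePosixPath(name).suffixes]


def classify_name(name):
    """Return a reason string if a bare file name is dangerous, else None."""
    sfx = suffixes(name)
    if not sfx:
        return None
    last = sfx[-1]
    if last in SCRIPT_EXTS:
        # 'report.pdf.js' is the hidden-extension trick the posts warn about.
        if len(sfx) > 1:
            return f"script with decoy extension ({''.join(sfx[:-1])} before {last})"
        return f"script file ({last})"
    if last in MACRO_EXTS:
        return f"macro-enabled Office file ({last})"
    return None


def triage_attachment(name, data=None):
    """Check one attachment; for a ZIP, also check every member name.

    Returns a list of (name, reason) findings; an empty list means nothing
    was flagged. A corrupt/disguised ZIP is itself reported as a finding.
    """
    findings = []
    reason = classify_name(name)
    if reason:
        findings.append((name, reason))
    sfx = suffixes(name)
    if sfx and sfx[-1] in ARCHIVE_EXTS and data is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = classify_name(member)
                    if inner:
                        findings.append((f"{name}:{member}", inner))
        except zipfile.BadZipFile:
            findings.append((name, "archive is not a valid ZIP (possibly disguised)"))
    return findings


def make_sample_zip(member_name, body=b"var x = 1;"):
    """Constructed sample: a ZIP with one script member, like the Rechnung zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, body)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("52751_Rechnung_2016-93910_20160705.zip",
         make_sample_zip("63227_2016-53001_20160705.js")),
        ("04-07-2016_rndnum(4,9)}}.docm", None),
        ("MF1H6N-Lacey Jefferson.dotm", None),
        ("invoice.pdf.js", None),        # constructed decoy double extension
        ("scan_0017.pdf", None),         # constructed benign name
    ]
    for name, data in samples:
        print(name, "->", triage_attachment(name, data) or "ok")
```

The name check is deliberately applied to ZIP members as well as the outer attachment, because the outer name ("..._Rechnung_..._20160705.zip") tells you nothing; the .js inside is what runs. A real gateway would add content sniffing (an .exe renamed .pdf still starts with MZ), but name-based triage already catches every lure quoted in this thread.
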
Fake 'random hex numbers' SPAM, CryptXXX ransomware updated

FYI...

Fake 'random hex numbers' SPAM - Locky ransomware
- http://blog.dynamoo.com/2016/07/malware-spam-with-random-hexadecimal.html
6 July 2016 - "I only have a couple of samples of this very minimalist spam, consisting of just a "Subject" with a random hex number (e.g. 90027696CCCC611D) and a matching .DOCM attachment (e.g. 90027696CCCC611D.docm).
My trusted analysis source (thank you) says that these DOCM files contain a macro (no surprises there) that downloads a binary from the following locations:
blingberry24 .com/90ujn3b8c3
danseduchat .com/90ujn3b8c3
harveyventuresltd .com/90ujn3b8c3
noveltybella .com/90ujn3b8c3
www .proxiassistant-ao .com/90ujn3b8c3
www .sacandolalengua .com/90ujn3b8c3
The payload is Locky ransomware with a detection rate of 3/52*. The same source says that C2 locations are:
89.108.84.42 (Agava JSC, Russia)
148.163.73.29 (GreencloudVPS JSC, Vietnam)
Agava in particular is a regular source of badness, and I would suggest that you consider blocking the entire 89.108.80.0/20 range, or at least this minimum recommended blocklist:
89.108.84.42
148.163.73.29
"
* https://www.virustotal.com/en/file/...e15434cf0c3d28ae15450c1e4910ea3a2b6/analysis/
___

CryptXXX ransomware updated
- https://isc.sans.edu/diary.html?storyid=21229
2016-07-06 - "When generating exploit kit (EK) traffic earlier today, I noticed a change in post-infection activity on a Windows host infected with CryptXXX ransomware. This happened after an infection caused by Neutrino EK triggered from the pseudoDarkleech campaign:
Flow chart for Neutrino EK/CryptXXX caused by pseudoDarkleech
> https://isc.sans.edu/diaryimages/images/2016-07-06-ISC-diary-image-01.jpg
This morning, the decryption instructions for CryptXXX ransomware looked different. A closer examination indicates CryptXXX has been updated. As I write this, I haven't found anything online yet describing these recent changes, so this diary takes a quick look at the traffic:
An infected Windows desktop from earlier today
> https://isc.sans.edu/diaryimages/images/2016-07-06-ISC-diary-image-02a.jpg
Details: Today's EK traffic was on 198.71.54.211 using the same domain shadowing technique we've seen before from various campaigns using Neutrino EK... Post-infection traffic was over 91.220.131.147 on TCP port 443 using custom encoding, a method CryptXXX has used since it first appeared earlier this year..."
(More detail at the isc URL above.)

198.71.54.211: https://www.virustotal.com/en/ip-address/198.71.54.211/information/
>> https://www.virustotal.com/en/url/f...acaccb5194eb9f0b6f8948dd1f5959dea55/analysis/

91.220.131.147: https://www.virustotal.com/en/ip-address/91.220.131.147/information/
>> https://www.virustotal.com/en/url/0...3f18bb1e470bf4d24ae22990ff0166a0571/analysis/

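The Dynamoo items above each end with a "Recommended blocklist" that mixes single IPs with CIDR ranges, and the hex-subject item suggests considering the whole 89.108.80.0/20. The script below is an added example (not code from the quoted blog) that compiles such a list and runs it over connection-log lines, reporting the most specific entry that matched so an analyst can tell a /32 C2 hit from a hit on a broad range. The blocklist entries are the ones quoted above; the log lines and the key=value log format are constructed for the example and are not any product's real format.

```python
"""Match connection-log destinations against a mixed IP/CIDR blocklist.

Added example, not code from the quoted blogs. Blocklist entries are the
ones quoted in the posts; SAMPLE_LOG and its key=value format are constructed.
"""
import ipaddress
import re


def compile_blocklist(entries):
    """Turn bare IPs and CIDR ranges into ip_network objects.

    Bare IPs become /32 networks so one membership test handles both.
    Sorted longest-prefix-first so a /32 hit is reported before an
    enclosing /20.
    """
    nets = []
    for raw in entries:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(raw, strict=False))
    return sorted(nets, key=lambda n: n.prefixlen, reverse=True)


def lookup(ip, nets):
    """Return the most specific blocklist entry containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


# Constructed log format: key=value pairs, destination address in dst=
_DST = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_log(lines, nets):
    """Return [(line_no, dst_ip, matched_entry)] for lines whose dst= is blocked."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _DST.search(line)
        if not m:
            continue
        try:
            hit = lookup(m.group(1), nets)
        except ValueError:
            continue  # malformed octet such as 999.1.1.1: skip, don't crash
        if hit is not None:
            hits.append((n, m.group(1), str(hit)))
    return hits


# Entries quoted in the posts above (Dynamoo's recommended blocklists)
BLOCKLIST = """
185.106.122.0/24
185.129.148.0/24
89.108.80.0/20
89.108.84.42
148.163.73.29
"""

# Constructed sample lines; 10.0.0.x are internal hosts, destinations are made up
SAMPLE_LOG = [
    "2016-07-06T12:01:02Z src=10.0.0.5 dst=89.108.84.42 dport=80 proto=tcp",
    "2016-07-06T12:01:03Z src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp",
    "2016-07-06T12:01:09Z src=10.0.0.7 dst=185.106.122.99 dport=443 proto=tcp",
    "2016-07-06T12:01:10Z src=10.0.0.9 dst=89.108.95.1 dport=80 proto=tcp",
    "2016-07-06T12:01:11Z src=10.0.0.9 dst=999.1.1.1 dport=80 proto=tcp",
]


def demo():
    """Run the quoted blocklist over the constructed log; returns the hits."""
    nets = compile_blocklist(BLOCKLIST.splitlines())
    return scan_log(SAMPLE_LOG, nets)


if __name__ == "__main__":
    for line_no, dst, entry in demo():
        print(f"line {line_no}: {dst} matched blocklist entry {entry}")
```

Reporting the matched entry matters when you act on a range like 89.108.80.0/20: a hit on the exact C2 address 89.108.84.42 is a strong signal, while a hit elsewhere in the /20 only says the destination shares a hoster with it and deserves a look before anyone blocks or escalates.
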
Fake 'AU Fedcourts' SPAM, Fake updates, Crimeware Shake-up, Cybercrime - UK

FYI...

Fake 'AU Fedcourts' SPAM - Malware
- https://isc.sans.edu/diary.html?storyid=21241
2016-07-08 - "Earlier today people have started reporting that they have received a subpoena email from the Australian Federal courts:
> https://isc.sans.edu/diaryimages/images/Capture.PNG
The email links through to various compromised sites which -redirect- the user to a federalcircuitcourt .net web server. Once on the web server you are expected to enter a number and the captcha shown before a case.js file is downloaded:
> https://isc.sans.edu/diaryimages/images/fedc-captcha.png
... feel free to -block- the domain federalcircuitcourt .net in your web proxies. This is -not- a legitimate domain. The federal circuit court has issued a media release:
> http://www.federalcircuitcourt.gov.au/wps/wcm/connect/fccweb/about/news/mr080716
'Media Release - Spam Warning...
If you receive one of these emails:
Do not click on any of the links as they may contain viruses or malware
Delete the item from your inbox and Deleted folder...'"

federalcircuitcourt .net: 192.3.21.105: https://www.virustotal.com/en/ip-address/192.3.21.105/information/
>> https://www.virustotal.com/en/url/4...ed35c98b653e9eaefeaea99b13046959082/analysis/
104.223.53.210: https://www.virustotal.com/en/ip-address/104.223.53.210/information/
>> https://www.virustotal.com/en/url/1...b89b6608c6c14a2d8ffb0dea9d95f6badf1/analysis/
___

Malware masquerades as Firefox update
- https://www.helpnetsecurity.com/2016/07/08/kovter-malware-masquerades-firefox/
July 8, 2016 - "Click-ad-fraud Kovter malware, packaged as a legitimate Firefox browser update, is being delivered to unsuspecting victims via drive-by-download attacks. Kovter, which also occasionally installs other malware, has been around for a few years now, and has gone through many changes that keep it a current threat:
> https://www.virustotal.com/en/file/...97f2513710c6b1247beee455699b44d827a/analysis/
'firefox-patch.exe
Detection ratio: 27/53 ...'
Users are advised always to be wary of random pop-ups telling them some software needs an update. Most software by now – and popular browsers especially – have in-software mechanisms for downloading and implementing updates. If, for whatever reason, they don’t want to use it, updates should be picked up directly from the vendors’ official websites or from well-reputed download sites..."
___

Crimeware Shake-up ...
- http://blog.talosintel.com/2016/07/lurk-crimeware-connections.html
July 7, 2016 - "For a couple of weeks in June the threat landscape was changed. Several high profile threats fell off the scene, causing a shake-up that hadn't been seen before. For a period of three weeks the internet was safer, if only for a short time. Still to date the Angler exploit kit has not returned and the threat outlook appears to be forever changed... Earlier this month a group of individuals were arrested in Russia. The arrest was linked to a Russian-specific piece of malware named Lurk, a banking trojan that was specifically targeting Russian banks. Due to the malware being restricted to Russia there wasn't a lot of public information regarding the threat itself... The Necurs botnet is back online and delivering both Locky & Dridex. It was down for approximately three weeks, but its resurgence shows that again these threats are making far too much money to -not- be resilient. In time it's likely all of the major threats that we've seen be hindered or disappear will return:
> https://3.bp.blogspot.com/-bEajbYmy...Jwttg_bXwCKgB/s400/CrimewareTimeline_blog.png
... There is no way to say for certain that all of these threats are connected, but there is one single registrant account that owned domains attached to all of them. If this one group was running all of these activities this will likely go down as one of the most significant arrests in the history of cybercrime with a criminal organization that was easily earning hundreds of millions of dollars. However, the celebration will be short lived as we've seen in the past, when a group this size is taken down a vacuum is created. All of these threats will come back, in some form or another, and will have learned from the mistakes of their predecessors. The best evidence of this was the author of Blackhole exploit kit being arrested, for a time there was an arms race between exploit kits to see who would take the top spot. That eventually gave rise to Angler, which took the sophistication of exploit kits and drive-by-downloads to a level not seen with Blackhole. We expect the same thing to occur now as Angler and possibly Nuclear leave the threat landscape. Other lesser known kits will likely try to fill the void, which we have already seen with Rig and Neutrino, as well as the new kits that are likely already under development... despite all the variety and different actors making use of these technologies there potentially was a much smaller group responsible for a far larger chunk of the crimeware space than previously estimated..."
___

Cybercrime surpasses traditional crime in UK
- http://www.darkreading.com/threat-i...passes-traditional-crime-in-uk/d/d-id/1326208
July 8, 2016 - "Cybercrime is currently outpacing traditional crime in the United Kingdom in terms of impact spurred on by the rapid pace of technology and criminal cyber-capability, according to the UK’s National Crime Agency. The trend suggests the need for a more collective response from government, law enforcement, and industry to reduce vulnerabilities and prevent crime, the NCA report says:
> http://www.nationalcrimeagency.gov.uk/publications/709-cyber-crime-assessment-2016/file
... The UK's Office of National Statistics included cybercrime for the first time in its 2015 annual Crime Survey of England and Wales. The survey estimated that there were 2.46 million cyber incidents and 2.11 million victims of cybercrime in the UK last year... The assessment shows that cybercrime activity is growing fast and evolving, with the threats from Distributed Denial of Service (DDoS) and ransomware attacks increasing significantly in 2015. The threats from DDoS and ransomware attacks have increased, driven by ready access to easy-to-use tools and by wider criminal understanding of its potential for profit through extortion. Ransomware attacks have also increased in frequency and complexity, and now include threats to publish victim data online, as well as the permanent encryption of valuable data, the assessment states. The most advanced and serious cybercrime threat to the UK is the direct or indirect result of a few hundred international cybercriminals who target UK businesses to commit highly profitable, malware-facilitated fraud... Under-reporting continues to obscure the full impact of cybercrime in the UK. This shortfall in reporting hampers the ability of law enforcement to understand the operating methods of cyber criminals and most effectively respond to the threat. As a result, the NCA is urging businesses to view cybercrime not only as a technical issue but as a board-level responsibility, and to make use of the reporting paths available to them, sharing intelligence with law enforcement and each other... most security tools have been reverse-engineered and bypassed by cybercriminal crews. So the emphasis should be on intrusion suppression, where security professionals decrease the dwell time the adversaries have to freely roam their organizations' networks..."

Fraud News:
- http://www.actionfraud.police.uk/news

Fake 'bill enclosed', 'excel file' SPAM, State cyberattacks, ProcessExplorer

FYI...

Fake 'bill enclosed' SPAM - malspam word doc
- https://myonlinesecurity.co.uk/plea...g-malspam-word-docs-delivers-unknown-malware/
12 July 2016 - "An email with the subject of 'Re: senders name' pretending to come from random senders with a malicious word doc attachment is another one from the current bot runs... There are a multitude of single line body content with this malspam run. Some of the ones I have seen so far include:
Please find the bill enclosed with this msg. The Payment will be posted in 1 hours.
Please check the IOU attached to this email. The Transfer should appear in 40 minutes.
Check the report enclosed with this msg. The Transaction will be posted in 15 minutes
Find the voucher enclosed with this msg. The Funds will be posted in 5 days
Find the voucher enclosed with this email. The Transfer should appear within 6 hours
Find the invoice attached to this message. The Funds will be posted in 4 days
Please check the report attached to this msg. The Funds will be posted in 5 days
Check the check attached to this email. The Transaction should appear in 3 days
Find the bill enclosed with this msg. The Payment will be posted in 5 days

One of the emails looks like:
From: Lacey Jefferson <kithuat4@ centec .vn>
Date: Tue 12/07/2016 06:34
Subject: Re:Lacey Jefferson
Attachment: MF1H6N-Lacey Jefferson.dotm
Please find the bill enclosed with this msg. The Payment will be posted in 1 hours.


12 July 2016: MF1H6N-Lacey Jefferson.dotm - Current VirusTotal detections 3/55*
.. MALWR** crashes every time. Hybrid Analysis*** also doesn't show or give any download or dropped files.
Manual attempts using LibreOffice also crash LibreOffice, so it is possible that either the macro is malformed and not running properly or a new anti-analysis protection or a 0-day is being used.
- Update: Manual analysis by one of the analysts on Twitter[4] (thanks) has discovered this download
bring-me .in/su.jpg which is a jpg containing Steganographically embedded malware. We are still waiting for fuller analysis to extract the malware from the jpg file. This is normally done by the macro inside the word doc.
- Further Update: to decode jpg & get the Dridex banking Trojan use offset 0x13CC XOR: 0x68
The jpg looks like this screenshot:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/bring_me_in_su.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...1849559e06bdd8d3d64e214a/analysis/1468303224/

** https://malwr.com/analysis/YTRhZWQ1YzM1NDc1NDQ0ODgyMGRjYzk3Yjk1ZWZmMTg/

*** https://www.hybrid-analysis.com/sam...4861849559e06bdd8d3d64e214a?environmentId=100

4] https://twitter.com/malwrhunterteam/status/752757247642566656

bring-me .in: 213.186.33.18: https://www.virustotal.com/en/ip-address/213.186.33.18/information/
>> https://www.virustotal.com/en/url/a...d50bea1a1684cac191705da166a3379fdaa/analysis/
___

Fake 'excel file' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-heres-that-excel-file.html
12 July 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Benita Clayton
Date: 12 July 2016 at 15:04
Subject: Fw:
hi [redacted],
Here's that excel file (latest invoices) that you wanted.
Best regards,
Benita Clayton
Vice President US Risk Management


Sender details vary from message to message. Attached is a ZIP file containing part of the recipient's email address plus some other elements, within which is a malicious .js script beginning with -SWIFT-. Trusted external analysis (thank you again) shows the scripts download an obfuscated binary... Locky then phones home to one of the following locations:
5.196.189.37 (Just Hosting, Russia / OVH, Ireland)
77.222.54.202 (SpaceWeb CJSC, Russia)
109.234.34.146 (McHost.Ru, Russia)
192.71.249.220 (EDIS, Sweden)
Recommended blocklist:
5.196.189.37
77.222.54.202
109.234.34.0/24
192.71.249.220
"
___

Google notifies users of 4,000 state-sponsored cyber attacks per month ...
- http://www.reuters.com/article/us-google-cyberattack-idUSKCN0ZR2IU
Jul 12, 2016 - "A senior executive of Alphabet Inc's Google unit said on Monday that the company was notifying customers of 4,000 state-sponsored cyber attacks per month... Google senior vice president and Alphabet board member Diane Greene mentioned the figure... The internet search leader, which develops the Android mobile system and also offers email and a range of other applications for consumers, has led the way in notifying users of government spying. Others, including Microsoft Corp, have since followed suit. Google had previously said that it had been issuing tens of thousands of warnings every few months and that customers often upgraded their security in response."
___

Using Process Explorer to detect malware
- https://isc.sans.edu/forums/diary/Process+Explorer+and+VirusTotal/19931
"Did you know you can have all EXEs of running processes scanned with VirusTotal?...
Enable VirusTotal checks... And accept the VirusTotal terms...
(... by default Process Explorer only submits hashes to VirusTotal, not files, unless you explicitly instruct it to submit a file)
... now you can see the VirusTotal scores..."
(More detail at the isc URL above.)
___

Akamai - Network Traffic Overview
> https://www.akamai.com/us/en/soluti.../visualizing-akamai/real-time-web-monitor.jsp
July 12, 2016 09:10:28 PM GMT - "44% above normal..."

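The 'bill enclosed' item above ends with the one concrete decoding hint in this thread: the Dridex binary inside bring-me .in/su.jpg sits at offset 0x13CC and is XORed with the single byte 0x68. The script below is an added example (not the macro's own code and not the tooling the quoted analysts used) that carves a payload with those known parameters and, going beyond the post, recovers an unknown offset and single-byte key by searching for the XORed DOS-stub string. The "stego JPEG" it builds is constructed here: a JPEG marker, zero padding, and a fake MZ/PE header, not real malware.

```python
"""Recover a single-byte-XOR'd Windows executable hidden inside a JPEG.

Added example, not code from the quoted posts. Offset 0x13CC and key 0x68
are the values the post gives for su.jpg; the blob built by build_sample()
is constructed (a fake PE head, not malware).
"""
import struct

DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data, key):
    """XOR every byte with one key byte."""
    return bytes(b ^ key for b in data)


def carve_at(blob, offset, key):
    """Decode blob[offset:] with a known key and insist on an MZ header."""
    out = xor_bytes(blob[offset:], key)
    if out[:2] != b"MZ":
        raise ValueError("decoded data has no MZ header; wrong offset or key?")
    return out


def find_xored_pe(blob, marker=DOS_STUB):
    """Brute-force all 256 keys: look for the XORed DOS-stub text, then walk
    back to the 'MZ' that precedes it. Returns (offset, key) or None.

    The stub string normally sits 0x4E bytes after MZ, but the window is
    widened since packers and stubs vary.
    """
    for key in range(256):
        needle = xor_bytes(marker, key)
        pos = blob.find(needle)
        while pos != -1:
            for back in range(0x40, 0x100):
                start = pos - back
                if start >= 0 and xor_bytes(blob[start:start + 2], key) == b"MZ":
                    return start, key
            pos = blob.find(needle, pos + 1)
    return None


def build_sample(offset=0x13CC, key=0x68):
    """Constructed stego JPEG: SOI/APP0 markers, zero padding to `offset`,
    then a fake PE head XORed with `key`. Returns (blob, plaintext_pe)."""
    pe = bytearray(b"MZ" + b"\x90" * 0x3A)          # DOS header up to e_lfanew
    pe += struct.pack("<I", 0x80)                    # e_lfanew -> PE header at 0x80
    pe += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"  # stub code
    pe += DOS_STUB + b".\r\r\n$"                     # stub text at 0x4E
    pe += b"\x00" * (0x80 - len(pe)) + b"PE\x00\x00"  # PE signature
    pe = bytes(pe)
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * (offset - 4)
    return jpeg + xor_bytes(pe, key), pe


if __name__ == "__main__":
    blob, expected = build_sample()
    carved = carve_at(blob, 0x13CC, 0x68)
    print("known params:", carved[:2], "e_lfanew =", hex(struct.unpack_from("<I", carved, 0x3C)[0]))
    print("brute force :", find_xored_pe(blob))
```

On the real sample the known-parameter path is just carve_at(open("su.jpg", "rb").read(), 0x13CC, 0x68); find_xored_pe is for the next run of this campaign, when the macro's offset and key change but the payload is still a plain PE under a one-byte XOR. If the stub string is not found under any key, the encoding is no longer single-byte XOR and the macro itself has to be read.
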
Fake ransomware SCAM

FYI...

Fake ransomware SCAM, malware just deletes victims’ files
Tagged as 'Ranscam', Powershell and script-based malware is a botched smash-and-grab
- http://arstechnica.com/security/201...e-windows-malware-just-deletes-victims-files/
Jul 12, 2016 - "... 'Ranscam' is a purely amateur attempt to cash in on the cryptoransomware trend that demands payment for 'encrypted' files that were actually just plain -deleted- by a batch command. 'Once it executes it, it pops up a ransom message looking like any other ransomware', Earl Carter, security research engineer at Cisco Talos, told Ars. 'But then what happens is it forces a reboot, and it just deletes-all-the-files. It doesn't try to encrypt anything — it just -deletes- them all'. Talos discovered* the file on the systems of a small number of customers. In every case, the malware presented exactly the same message, including the same Bitcoin wallet address..."
* http://blog.talosintel.com/2016/07/ranscam.html
July 11, 2016 - "... The unfortunate reality is, all of the user's files have already been deleted and are unrecoverable by the ransomware author as there is no capability built into Ranscam that actually provides recovery functionality. The author is simply relying on 'smoke and mirrors' in an attempt to convince victims that their files can be recovered in hopes that they will choose to pay the ransom..."

Kovter- click-fraud malware, Exploit kits

FYI...

Kovter’s persistence methods
- https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
July 14, 2016 - "Kovter is a click-fraud malware famous for the unconventional tricks used for persistence. It hides malicious modules in PowerShell scripts as well as in registry keys to make detection and analysis difficult... Authors of Kovter put a lot of effort into making their malware stealthy and hard to detect. During the initial assessment of some of the Kovter samples we could notice that it is signed by a valid Comodo certificate (it was stolen, got revoked later)... After the sample gets deployed, Kovter runs PowerShell and installs itself in the system... Observing it via Process Explorer we can find the command passed to PowerShell. Its purpose is to execute code stored in an environment variable (names are random, new on each run)... Conclusion: Thanks to the techniques employed by Kovter, no executable needs to be dropped on the disk – that's why it is known as "fileless". Even the file to which the initial link led does not contain any code to be executed. Instead, it is used just for the flow obfuscation. Running it, in reality, leads to running the code stored in the registry, which is sufficient to unpack and re-run the real payload. Persistence used by this malware is creatively designed and exceptional in comparison to most malware. Not only is it scattered into several layers, but it is also obfuscated at every stage and contains tricks that slow down the analysis process..."
(More detail at the malwarebytes URL above.)
___

Exploit kits - cyber-crime marketplace
- http://www.theregister.co.uk/2016/07/13/sundown_exploit_kit_updates/
13 Jul 2016 - "Cybercrooks behind the Sundown Exploit Kit are rapidly updating the hacking tool in a bid to exploit a gap in the market created by the demise of the Angler and Nuclear exploit kits. While RIG and Neutrino have been the primary protagonists in the void left by Angler and Nuclear, Sundown is also vying for an increased share in the exploit kit marketplace. Security researchers at Zscaler ThreatLabZ* reckon the miscreants behind Sundown have accelerated the evolution of what started out as a fairly rudimentary exploit kit since the beginning of 2016. The crooks behind Sundown used stolen code from the rival RIG exploit kit for a short time before subsequently knitting together their own code, security researchers at cloud security firm Zscaler ThreatLabZ report. Elements of the latest version of the cybercrime toolkit include an image referencing the self-styled Yugoslavian Business Network – likely a reference to the infamous Russian Business Network cybercrime group... Exploit kits in general are used to booby-trap websites in order to sling malware at visiting surfers through drive-by-download attacks. The tactic relies on exploiting security holes in typically Windows PCs, browser vulnerabilities and (increasingly) Flash flaws."
* https://www.zscaler.com/blogs/research/sundown-chronicles-observations-exploit-kits-evolution

Ransomware review, EK adopts IE flaw

FYI...

Ransomware - Threat Activity Review
- https://atlas.arbor.net/briefs/index#-811293044
July 14, 2016 - "... Analysis: Locky ransomware has seen unprecedented distribution attempts over the last week and coupled with the new ability to encrypt systems -without- an internet connection, will likely see successes not previously seen... While casting a wide distribution net and having a well-coded product make for a great potential return on investment, creating less expensive variants can be profitable too. Stampado*, with its low price, could lead to even more individuals attempting to make money with ransomware. While the overall quality of Stampado has yet to be determined, the price tag will potentially lead to substantial purchases and usage. Understanding these new threats in a timely fashion can allow researchers to create mitigations before these new variants see widespread distribution... Currently, there is no magic one stop fix for ransomware threats. However, companies and individuals can thwart ransomware operations by applying system updates in an expedient manner, avoiding macro-enabled documents, avoiding attachments containing JavaScript and by performing routine backups that are maintained offline."
Source: http://www.inforisktoday.com/researchers-unleash-ransomware-annihilation-a-9255

* https://heimdalsecurity.com/blog/security-alert-stampado-ransomware-on-sale/
___

Neutrino EK adopts IE flaw
- https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html
July 14, 2016 - "A security researcher recently published source code for a working exploit for CVE-2016-0189* and the Neutrino Exploit Kit (EK) quickly adopted it. CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in Microsoft’s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher’s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows. Microsoft patched CVE-2016-0189 in May on Patch Tuesday**. Applying this patch will protect a system from this exploit...."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0189
Last revised: 05/11/2016

MS16-051: Cumulative Security update for Internet Explorer: May 10, 2016
** https://support.microsoft.com/en-us/kb/3155533
Last Review: 05/10/2016 17:12:00 - Rev: 1.0

:fear::fear: :mad:
 
Fake 'bank account report', 'Scan**' SPAM, Compromised Joomla sites, 'Insider Threat'

FYI...

Fake 'bank account report' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-bank-account-report-leads.html
18 July 2016 - "This -fake- financial spam has a malicious attachment:
From "Boyd Dennis"
Date Mon, 18 Jul 2016 11:34:11 +0200
Subject bank account report
How is it going?
Thank you very much for responding my email in a very short time. Attached is the bank account report. Please look at it again and see if you have any disapproval.
--Yours faithfully,
Boyd Dennis
HSBC HLDGS
Phone: +1 (593) 085-57-81, Fax: +1 (593) 085-57-41


The sender name and details vary, although it all follows the same pattern. Attached is a ZIP file containing elements of the recipients email address and some random digits. Contained within is a .wsf script that downloads a file... I don't have a copy of the payload at present, but it does phone home to:
77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)
176.111.63.51 (United Networks Of Ukraine Ltd , Ukraine)
209.126.112.14 (MegaHosterNetwork, Ukraine)
The payload appears to be Locky ransomware.
Recommended blocklist:
77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14
"

- https://myonlinesecurity.co.uk/bank-account-report-malspam-leads-to-locky-ransomware/
18 July 2016 - "... an email with the subject of 'bank account report' pretending to come from random senders with a zip attachment containing a WSF file which downloads Locky Ransomware... One of the emails looks like:
From: Greta Lowe <Lowe.14640@ swimthebridge .com>
Date: Mon 18/07/2016 09:58
Subject: bank account report
Attachment: rob_22285.zip
Hi
Thank you very much for responding my email in a very short time. Attached is the bank account report. Please look at it again and see if you have any disapproval.

Yours truly,
Greta Lowe
BT GROUP
Phone: +1 (371) 956-22-56, Fax: +1 (371) 956-22-38


18 July 2016: rob_22285.zip: Extracts to: account_report 883.wsf - Current Virus total detections 3/55*
.. MALWR** as usual cannot decode or run these Js or WSF files without crashing due to the protections inside them. Payload Security*** shows a download of an encrypted file from my-result .ru/0j1nlpj8 which has to be decrypted by the WSF file to give ypnI2jnqVVbmiz.exe (VirusTotal 3/54[4])... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...40a62f7e2ee7c651ad6de0e2/analysis/1468832454/

** https://malwr.com/analysis/MzcwMTAyMTM4ZWYzNDZiOWJjYjMxYTQ2Nzc2Y2IwNjM/

*** https://www.hybrid-analysis.com/sam...54f2f30aa42179344fc217e5086?environmentId=100
Contacted Hosts
95.163.18.88

4] https://www.virustotal.com/en/file/...a4658c59c75158edb198a49f/analysis/1468832994/

my-result .ru: 95.163.18.88: https://www.virustotal.com/en/ip-address/95.163.18.88/information/
>> https://www.virustotal.com/en/url/0...c280ef34b7fc370f4c08d670b3817e1fa7b/analysis/
___

Fake 'Scan**' SPAM - word macro delivers Locky
- https://myonlinesecurity.co.uk/sent-from-my-samsung-device-malspam-word-macro-delivers-locky/
18 July 2016 - "... from THIS earlier Malspam[1] delivering Locky ransomware via WSF files inside a zip we are also seeing a concurrent malspam run using Word Docs with macros. They are very terse and simple emails with a subject of 'Scan******' (random numbers) pretending to come from random senders with a malicious word docm attachment where the attachment name -matches- the subject...
1] https://myonlinesecurity.co.uk/bank-account-report-malspam-leads-to-locky-ransomware/
The email looks like:
From: Lynnette <clearke0303@ vinyl-lps .com>
Date: Mon 18/07/2016 11:28
Subject: SCAN0000467
Attachment: SCAN0000467.docm
Sent from my Samsung device


18 July 2016: SCAN0000467.docm - Current Virus total detections 8/52* - Payload Security** shows a download from yifruit .com/54ghnnuo (VirusTotal 3/55***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...a06901481e25fba19bd2c7dc/analysis/1468837749/

** https://www.hybrid-analysis.com/sam...33ca06901481e25fba19bd2c7dc?environmentId=100
Contacted Hosts
211.149.194.192

*** https://www.virustotal.com/en/file/...228c454b65d15a2d8eecc5b3/analysis/1468836377/

yifruit .com: 211.149.194.192: https://www.virustotal.com/en/ip-address/211.149.194.192/information/
>> https://www.virustotal.com/en/url/8...bf6b1c771f2c21a455d06d21bba1b1ecaea/analysis/

- http://blog.dynamoo.com/2016/07/malware-spam-sent-from-my-samsung.html
18 July 2016 - "This rather terse spam has a malicious attachment:
From: Ila
Date: 18 July 2016 at 13:01
Subject: scan0000511
Sent from my Samsung device


The sender and subject vary, but the subject seems to be in a format similar to the following:
scan0000511
SCAN000044
COPY00002802

Attached is a .DOCM file with the -same- name as the subject. Analysis by another party (thank you!) shows the macros in the document downloading... The payload is Locky with a detection rate of 4/53*. It phones home to:
77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)
That's a subset of the IPs found here**, so I recommend you block the following IPs:
77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14
"
* https://www.virustotal.com/en/file/...c2b3a7beb3c228c454b65d15a2d8eecc5b3/analysis/

** http://blog.dynamoo.com/2016/07/malware-spam-bank-account-report-leads.html
___

Compromised Joomla sites are foisting ransomware on visitors
- https://www.helpnetsecurity.com/2016/07/18/compromised-joomla-sites-ransomware/
July 18, 2016 - "Administrators of WP and Joomla sites would do well to check for specific -fake- analytics code injected into their properties, as a ransomware delivery campaign taking advantage of vulnerable sites has been going strong for over a month now... Sucuri CTO Daniel Cid noted*: '... We recommend checking your logs for requests from 46 .183 .219 .91 – if you find requests similar to the ones in this post, consider your website compromised. At this point you should take steps to remove the malware immediately and prevent reinfection.'"
* https://blog.sucuri.net/2016/07/new-realstatistics-attack-vector-compromising-joomla-sites.html

46.183.219.91: https://www.virustotal.com/en/ip-address/46.183.219.91/information/

> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8562
Last revised: 06/28/2016 - "Joomla! 1.5.x, 2.x, and 3.x before 3.4.6... as exploited in the wild in December 2015."
___

'Delilah' – first 'Insider Threat' Trojan
- http://blogs.gartner.com/avivah-litan/2016/07/14/meet-delilah-the-first-insider-threat-trojan/
July 14, 2016 - "Criminal recruitment of insiders is becoming an industry now with the release of a new Trojan called “Delilah”. Delilah recruits targeted insiders via social engineering and/or extortion, sometimes using ransomware techniques... Diskin Advanced Technologies (DAT) reports that the bot is delivered to victims via downloads from multiple popular adult and gaming sites... instructions to victims usually involve usage of VPN services, TOR and comprehensive deletion of browser history (probably to remove audit trails). These -bots- still require a high level of human involvement to identify and prioritize individuals who can be -extorted- into operating as insiders at desirable target organizations. Criminals who want to use the bot can also acquire managed social engineering and fraudster services to help them out, in case they lack those specific skills... Organizations should also seek to prevent endpoints from getting infected in the first place by preventing employees from visiting high risk adult and gaming sites using organizational systems... Conclusion: Insider threats are continuing to increase with active recruitment of insiders from organized criminals operating on the dark web. With Trojans like Delilah, organizations should expect insider recruitment to escalate further and more rapidly. This will only add to the volume of insider threats caused by disgruntled employees selling their services on the Dark Web in order to harm their employers."

:fear::fear: :mad:
 
Fake 'business analysis', 'documents attached' SPAM, Magnitude EK malvertising

FYI...

Fake 'business analysis' SPAM - .wsf script / ransomware
- http://blog.dynamoo.com/2016/07/malware-spam-i-attached-detailed.html
19 July 2016 - "This spam has a malicious attachment. And also mismatched (brackets}.
From "Lynnette Slater"
Date Tue, 19 Jul 2016 10:47:09 +0200
Subject Business Analysis
Message text
I attached the detailed business analysis (updated}
King regards,
Lynnette Slater
Briglin Pottery ...


The message will appear to be "from" different individuals, varying from message to message. However, the main part of the body text is always the same. Attached is a ZIP file containing elements of the recipients email address and some random letters and numbers. I have been unable to obtain a copy of the attachment at the moment, but it is likely to be Locky ransomware and if I get further details I will post them here.
UPDATE: My usual trusted source for analysis (thank you) reports that these ZIP files contain a malicious .wsf script which downloads a component... I don't have a decrypted sample of the binary at present, although the C2 locations are reported as:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine, Ltd, Ukraine)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51
"
___

Fake 'documents attached' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/07/malware-spam-documents-natalie-pywell.html
19 July 2016 - "This spam does not come from Abbey Glass UK, but is instead a simple forgery with a malicious attachment:
From Natalie Pywell [Natalie.Pywell6@ abbeyglassuk .com]
Date Tue, 19 Jul 2016 15:27:20 +0530
Subject Documents
Dear Customer
Please find your documents attached.
If you have any questions please reply by email or contact me on 01443 238787.
Kind regards
Natalie Pywell
**This email has generated from an automated system**
This email has been sent via the Fusemail mail filtering service provided by Pro-Copy Limited


The sender's email address varies somewhat. Attached is a randomly named ZIP file which contains a malicious .js script. Analysis is pending, but it looks like Locky ransomware and is probably similar to the one found in this spam run*."
* http://blog.dynamoo.com/2016/07/malware-spam-i-attached-detailed.html
19 July 2016
___

Fake 'Documents from work' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-documents-from-work.html
19 July 2016 - "This rather terse spam appears to come from the victim themselves (but doesn't). It has a malicious attachment.
From: recipient@ victim .tld
To: recipient@victim.tld
Subject: Documents from work.
Date: 19 July 2016 at 12:20


There is -no- body text, however there is an attachment named Untitled(1).docm. Analysis by a trusted source (thank you) indicates that the various versions of this attachment download a component... The dropped payload has a detection rate of 3/54* and it phones home to the following locations:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)
That's a subset of the locations found here**. The payload is Locky ransomware.
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51
"
* https://www.virustotal.com/en/file/...50a6f74b397742ff58356db99832f17b0db/analysis/

** http://blog.dynamoo.com/2016/07/malware-spam-i-attached-detailed.html
19 July 2016

77.222.54.202: https://www.virustotal.com/en/ip-address/77.222.54.202/information/
>> https://www.virustotal.com/en/url/8...98cd0ba802b08464292391da4bd77ccfca9/analysis/
194.1.236.126: https://www.virustotal.com/en/ip-address/194.1.236.126/information/
>> https://www.virustotal.com/en/url/d...86db37cabaa19365db157a79cc7f915138c/analysis/
185.117.153.176: https://www.virustotal.com/en/ip-address/185.117.153.176/information/
>> https://www.virustotal.com/en/url/2...689e19b4f037673c5e3ef2166601a4d49bd/analysis/
176.111.63.51: https://www.virustotal.com/en/ip-address/176.111.63.51/information/
>> https://www.virustotal.com/en/url/c...be5fd9f384a065c5255f5b9055fd569b353/analysis/
___

Magnitude EK malvertising not affected by slowdown in EK activity
- https://blog.malwarebytes.com/cyber...aign-not-affected-by-slowdown-in-ek-activity/
July 19, 2016 - "We have been tracking a malvertising campaign distributing the Cerber ransomware linked to the actor behind the Magnitude exploit kit for months. It will pop on one ad network, then onto another and come back again... Despite a global slowdown in exploit kit activity, this particular distribution channel has remained active and strong... One of this attacker's favourite spots has been on torrent or streaming sites but also via monetized URL shorteners that use a pay-per-view/click model when people open up a shortened URL and have to wait for an advert to load before getting to their destination. It is no surprise that more ads – and low quality ones especially – mean chances of drive-by downloads are dramatically increased... For ad networks to stop this continuing onslaught for good would require no longer accepting risky customers and closing up their platform for arbitrage with unknown buyers. Playing whack-a-mole with crooks wearing many different hats is simply an ineffective solution where malicious ads always end up making it through..."
(Long list of IOC's at the malwarebytes URL above.)

:fear::fear: :mad:
 
Fake 'transaction' SPAM, CrypMIC ransomware, Business sites hijacked

FYI...

Fake 'transaction' SPAM - Java Adwind Trojan
- https://myonlinesecurity.co.uk/java-adwind-trojans-via-fake-transaction-malspam-emails/
20 July 2016 - "Overnight we received 2 separate sets of malspam emails both eventually leading to the same Java Adwind Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/Pending-Sendout-Transaction-1024x568.png

Update: I am also getting some of these 'Pending Sendout Transaction' emails coming through pretending to come from amirmuhammed @almuzaniexchange .ae "
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/Confirm-To-Release-email-1024x617.png

20 July 2016: Sendout-Copy.zip: Extracts to: Sendout_copy..js - Current Virus total detections 1/54*
.. Payload Security**. This is a JavaScript file that automatically downloads and runs http ://ebhar .net/css/new_file_jacob.jar, which is the -same- Java Adwind Trojan as the Java.jar file in the second email.

20 July 2016: Sendout-Report.rar: Extracts to: Sendout-Copy.jar - Current Virus total detections 18/55[3]
.. Payload Security [4].
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...69861fe4c83982cb77137624/analysis/1468989481/

** https://www.hybrid-analysis.com/sam...8fe69861fe4c83982cb77137624?environmentId=100
Contacted Hosts
216.194.169.160

3] https://www.virustotal.com/en/file/...9c413231277d4547ef386201/analysis/1468989622/

4] https://www.hybrid-analysis.com/sam...f519c413231277d4547ef386201?environmentId=100

ebhar .net: 216.194.169.160: https://www.virustotal.com/en/ip-address/216.194.169.160/information/
>> https://www.virustotal.com/en/url/5...3bb5a0d3f57fb088bb48df8d6f9a8459851/analysis/
___

CrypMIC ransomware follows CryptXXX ...
- http://blog.trendmicro.com/trendlab.../crypmic-ransomware-wants-to-follow-cryptxxx/
July 20, 2016 - "... a new ransomware family that mimics CryptXXX in terms of entry point, ransom notes and payment site UIs. CrypMIC’s perpetrators are possibly looking for a quick buck owing to the recent success of CryptXXX...
Comparison of CrypMIC (left) and CryptXXX (right) ransom notes and user interfaces of their payment sites
> https://blog.trendmicro.com/trendla...e/files/2016/07/20160718crypmiccryptxxx08.png
CrypMIC and CryptXXX share many similarities; both are spread by the Neutrino Exploit Kit and use the same format for sub-versionID/botID (U[6digits]/UXXXXXX]) and export function name (MS1, MS2). Both threats also employed a custom protocol via TCP Port 443 to communicate with their command-and-control (C&C) servers... The demise of the Angler exploit kit from crypto-ransomware activity has made CryptXXX migrate to the Neutrino exploit kit, which has been recently reported to be delivering -other- ransomware families such as CryptoWall, TeslaCrypt, CryptoLocker and Cerber. We have observed that CrypMIC and CryptXXX were distributed by Neutrino interchangeably over the course of a week. CrypMIC was first pushed by Neutrino on July 6th before switching back to delivering CryptXXX 4.001 on July 8th. It started redistributing CrypMIC on July 12th before reverting to CryptXXX the next day. In the same week, Neutrino also distributed Cerber via -malvertising- as well as -other- malware from other cybercriminal groups. By July 14th, Neutrino had started to distribute an apparently newer version of CryptXXX (5.001)... CryptXXX automatically scans the machine for network-drives then proceeds to encrypt files stored on them. CryptXXX 4.001 also downloads and executes an information-stealing module in its process memory — named fx100.dll ... the decryptor created by CrypMIC’s developers has been reported to be not functioning properly. Additionally, paying the ransom only makes businesses and users susceptible to more ransomware attacks. Besides regularly backing up files, keeping systems updated with the latest patches is another means of mitigating the risks of ransomware. A multilayered defense that can secure systems, servers and networks is also recommended..."

> https://www.proofpoint.com/us/threat-insight/post/spam-now-with-side-of-cryptxxx-ransomware
July 14, 2016 - "... detected an email campaign with document attachments containing malicious macros. If opened, these attachments download and install CryptXXX ransomware..."
___

Business sites hijacked to deliver ransomware ...
- http://arstechnica.com/information-...bsites-hijacked-to-deliver-crypto-ransomware/
7/19/2016, 5:56 PM - "If you've visited the do-it-yourself project site of Dunlop Adhesives, the official tourism site for Guatemala, or a number of other legitimate (or in some cases, marginally legitimate) websites, you may have gotten more than the information you were looking for*. These sites are -redirecting- visitors to a -malicious- website that attempts to install CryptXXX — a strain of cryptographic ransomware first discovered in April. The sites were most likely exploited by a botnet called SoakSoak* or a similar automated attack looking for vulnerable WordPress plugins and other unpatched content management tools, according to a report from researchers at the endpoint security software vendor Invincea**. SoakSoak, named for the Russian domain it originally launched from, has been around for some time and has exploited thousands of websites. In December of 2014, Google was forced to blacklist over 11,000 domains in a single day after the botnet compromised their associated websites by going after the WordPress RevSlider plugin. In this recent wave of compromises, SoakSoak planted code that -redirects- visitors to a website hosting the Neutrino Exploit Kit... Even as those organizations try to regain control of their websites, others are likely to be rapidly compromised because of the vast number of sites that are behind on patching site add-ons like WordPress plugins."
* https://storify.com/BelchSpeak/soaksoak-web-compromises-lead-to-cryptxxx-ransomwa

** https://www.invincea.com/2016/07/major-websites-getting-soaksoakd-delivering-cryptxxx-ransomware/

:fear::fear: :mad:
 
Twitter account - phish

FYI...

'Authorize your Twitter account' - phishing scam
- https://blog.malwarebytes.com/cyber...authorize-your-twitter-account-phishing-scam/
July 21, 2016 - "... a phish targeting people who desire Twitter verification. The fake site, located at
twitterverifiy(dot)verifiy(dot)ml
... poses as an app to be authorised, but is simply out to -steal- login credentials. Take note of the rather unique spelling of “verify” in the URL, too:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/wiki-twitter-phish.jpg
After hitting the “Authorize app” button, the victim is redirected off to the real Twitter website. At this point, the scammers are free to do what they like with the stolen account. One assumes the scammers behind this one aren’t really paying attention to who they send their messages to (and the screenshot cuts off the username of the spam account, so we can’t see what else they’re up to). Suffice to say, if you have your Direct Messages open to all then potentially you could receive a missive such as the one above. Verification has a specific process attached to it, and although it’s currently changing, you definitely won’t get a blue tick next to your Username by giving permission to phish pages posing as non-existent apps. No matter who you are, no matter how involved in issues of privacy and / or security you may be, there’s always the possibility you could get caught out by a clever scam. Keep your wits about you, and steer clear of “too good to be true” offers..."

:fear::fear: :mad:
 
Fake 'sorry', 'Fedex label', 'Invoice/Credit/Statement' SPAM, Upgrade Outlook - PHISH

FYI...

Fake 'sorry' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/07/malware-spam-i-am-truly-sorry-that-i.html
22 July 2016 - "This spam has a malicious attachment:
From: "Lizzie Carpenter"
Subject: sales report
Date: Fri, 22 Jul 2016 21:38:25 +0800
I am truly sorry that I was not available at the time you called me yesterday.
I attached the report with details on sales figures.
Best of luck,
Lizzie Carpenter
SCHRODER GLOBAL REAL ESTATE SEC LTD ...


The sender is randomly generated. Attached is a ZIP file combining elements of the recipients email address and a random number, which in turn contains a malicious .wsf script beginning with "sales report". In a change from recent malware runs, the script does -not- directly download a binary from a remote location but instead has the entire binary executable Base64 encoded in the script. This executable has a detection rate of 4/54* and trusted analysis says that it is Locky ransomware, phoning home to:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine Ltd, Ukraine)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51
"
* https://virustotal.com/en/file/c501...996930f435d1008dc26a388c/analysis/1469197692/
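A defender-side triage helper for the attachment patterns that recur in this thread: script members inside a ZIP, names that hide the real extension when Windows has "hide extensions for known file types" on (a decoy ".jpg" before the real ".exe", or a double dot as in "Sendout_copy..js"), and, as in the 'sales report' .wsf above, a whole executable carried Base64-encoded inside the script rather than downloaded. This is an added example, not code from any of the quoted blogs; the ZIP, its member names and the inert "MZ" blob are constructed here.

```python
"""Attachment triage for the malspam patterns described in this thread.

Added example, not code from the quoted blogs. It inspects a ZIP attachment
in memory and reports (1) members with script/macro/executable extensions,
(2) names built to hide the real extension (a decoy ".pdf"/".jpg" before the
real one, or a double dot as in "Sendout_copy..js"), and (3) script members
that carry a Base64-encoded PE image inline instead of downloading it, the
technique noted for the 'sales report' .wsf. All sample data is constructed.
"""
import base64
import binascii
import io
import re
import zipfile

# Extensions that execute code or run macros when double-clicked on Windows.
RISKY_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".hta", ".docm", ".exe", ".jar"}
SCRIPT_EXTENSIONS = (".wsf", ".js", ".jse", ".vbs", ".hta")
# Extensions a user would read as a harmless document or picture.
DECOY_EXTENSIONS = (".doc", ".pdf", ".jpg", ".png", ".txt", ".xls")
# A long unbroken run of Base64 alphabet characters with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{512,}={0,2}")


def classify_name(name):
    """Return the findings for one archive member name, in a fixed order."""
    findings = []
    lower = name.lower()
    stem, dot, real_ext = lower.rpartition(".")
    real_ext = dot + real_ext if dot else ""
    if real_ext in RISKY_EXTENSIONS:
        findings.append("risky-extension:" + real_ext)
    # With known extensions hidden, Windows shows "scan.jpg.exe" as "scan.jpg":
    # the decoy is the next-to-last extension.
    for decoy in DECOY_EXTENSIONS:
        if stem.endswith(decoy):
            findings.append("decoy-extension:" + decoy)
            break
    if ".." in lower:
        findings.append("double-dot-name")
    return findings


def find_embedded_pe(data):
    """(offset, decoded size) of the first Base64 run decoding to a PE ("MZ") image, else None."""
    for match in B64_RUN.finditer(data):
        run = match.group(0)
        run = run[: len(run) - len(run) % 4]  # drop a partial trailing quantum
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        if decoded.startswith(b"MZ"):
            return match.start(), len(decoded)
    return None


def triage_zip(zip_bytes):
    """Map each suspicious member of the archive to its list of findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            findings = classify_name(info.filename)
            if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                hit = find_embedded_pe(archive.read(info))
                if hit is not None:
                    findings.append("embedded-pe:%d-bytes" % hit[1])
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip():
    """Constructed stand-in for the attachments above; the 'PE' is an MZ magic plus zero filler."""
    inert_pe = b"MZ" + b"\x00" * 700
    wsf = (b'<job><script language="JScript">var blob="'
           + base64.b64encode(inert_pe) + b'";</script></job>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("sales report 4812.wsf", wsf)   # script with inline binary
        archive.writestr("Sendout_copy..js", b"var x = 1;")  # double-dot name
        archive.writestr("scan.jpg.exe", b"not a real program")  # decoy extension
        archive.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_zip()).items():
        print("%-24s %s" % (member, ", ".join(findings)))
```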
___

Fake 'Fedex label' SPAM - .docm leads to Locky
- https://myonlinesecurity.co.uk/plea...enzies-com-malspam-leads-to-locky-ransomware/
22 July 2016 - "An email with the subject of 'PO5' pretending to come from Mary Leons <mary.leons@ airmenzies .com> with a malicious word doc attachment which downloads Locky ransomware... The email looks like:
From: Mary Leons <mary.leons@ airmenzies .com>
Date: Fri 22/07/2016 10:04
Subject: PO5
Attachment: 906569711935.docm
Hi
Please see Fedex label as attached
Kindest Regards
Mary Leons
Customer Service Supervisor | Air Menzies International ...


22 July 2016: 906569711935.docm - Current Virus total detections 10/55*
.. MALWR** shows a download from http ://dillerator.chat .ru/09yhbvt4 (VirusTotal 6/53***).
Other download locations for today’s Locky version include [duplicates removed]:

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...cad51e071460ff83800bf9d3/analysis/1469178299/

** https://malwr.com/analysis/MjI2YWM0Y2FiZmYzNGYyMDkyZGQ4NDdjODViYmNiOGU/
Hosts
195.161.119.85

*** https://www.virustotal.com/en/file/...425c853e250b21e3d139e0f8/analysis/1469188310/

dillerator.chat .ru: 195.161.119.85: https://www.virustotal.com/en/ip-address/195.161.119.85/information/
>> https://www.virustotal.com/en/url/b...b6b85208fd6beb71c17e9aa5d878626bb6c/analysis/
___

Fake 'Invoice/Credit/Statement' SPAM - leads to Locky
- https://myonlinesecurity.co.uk/vp-invoicecreditstatement-h10040-malspam-leads-to-locky/
22 July 2016 - "... an email with the subject of 'VP Invoice/Credit/Statement – H10040' pretending to come from Prism Server Account <accounts@ vpplc .com> with a malicious word doc attachment which downloads Locky ransomware...
The email looks like:
From: Prism Server Account <accounts@ vpplc .com>
Date: Fri 22/07/2016 10:27
Subject: VP Invoice/Credit/Statement – H10040
Attachment: INVOICE.DOCM
Please find document(s) attached.
The attached file(s) are in Adobe PDF format. Use Adobe Acrobat Reader or equivalent to view the file(s)...


This attachment downloads the same Locky ransomware as described in this post* from the same locations... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://myonlinesecurity.co.uk/plea...enzies-com-malspam-leads-to-locky-ransomware/
___

HelpDesk Upgrade Outlook Web - PHISH
- https://myonlinesecurity.co.uk/ict-helpdesk-upgrade-outlook-web-app-phishing/
22 July 2016 - "... many small companies and even ISPs do outsource IT support and email to 3rd parties and an end user never really is sure who the email provider actually is... slightly more believable than many others and it is quite easy to fall for it...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/ICT-HelpDesk-Upgrade_email-1024x676.png

The -link- in the email goes to:
http ://xprs.imcreator .com/free/icthelpdesk/password
... which looks like this:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/07/icthelpdesk_site-1024x535.png "

imcreator .com: 97.74.141.1: https://www.virustotal.com/en/ip-address/97.74.141.1/information/

:fear::fear: :mad:
 
Fake 'Emailing: Photo - Document' SPAM

FYI...

Fake 'Emailing: Photo - Document' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/07/malware-spam-emailing-photo-25-07-2016.html
25 July 2016 - "This spam appears to come from various senders within the victim's own domain, but this is a simple forgery. It has a malicious attachment:
From: Rebeca [Rebeca3@ victimdomain .tld]
Date: 25 July 2016 at 10:16
Subject: Emailing: Photo 25-07-2016, 34 80 10
Your message is ready to be sent with the following file or link attachments:
Photo 25-07-2016, 34 80 10 ...


Attached is a .rar archive with a name matching the subject. Inside is a malicious .js script beginning with "Photo 25-07-2016".
An alternative -variant- comes with a malicious -Word- document:
From: Alan [Alan306@ victimdomain .tld]
Date: 25 July 2016 at 12:40
Subject: Emailing: Document 25-07-2016, 72 35 48
Your message is ready to be sent with the following file or link attachments:
Document 25-07-2016, 72 35 48 ...


The attachment in this case is a .DOCM file named in a similar way as before. This analysis is done by my usual trusted source (thank you). These scripts and macros download a component... The payload here is Locky ransomware, and it phones home to the following addresses:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
"

77.222.54.202: https://www.virustotal.com/en/ip-address/77.222.54.202/information/
>> https://www.virustotal.com/en/url/8...98cd0ba802b08464292391da4bd77ccfca9/analysis/
194.1.236.126: https://www.virustotal.com/en/ip-address/194.1.236.126/information/
>> https://www.virustotal.com/en/url/d...86db37cabaa19365db157a79cc7f915138c/analysis/
185.117.153.176: https://www.virustotal.com/en/ip-address/185.117.153.176/information/
>> https://www.virustotal.com/en/url/2...689e19b4f037673c5e3ef2166601a4d49bd/analysis/

:fear::fear: :mad:
 
Fake 'Attached Image', 'list of activities' SPAM, Ransomware 2.0

FYI...

Fake 'Attached Image' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-attached-image-leads-to.html
26 July 2016 - "This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.
From: victim@ victimdomain .tld
To: victim@ victimdomain .tld
Date: 26 July 2016 at 10:27
Subject: Attached Image ...


Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number... In this example* the script downloads a malicious binary from:
www .isleofwightcomputerrepairs .talktalk .net/okp987g7v
There will be -many- other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54**. The Hybrid Analysis*** for the dropped file shows it phoning home to:
31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
Recommended blocklist:
31.41.47.41
91.234.35.216
"
* https://malwr.com/analysis/MWYxYjBhOWQzM2U2NDZkMmJmY2JhNWY0ZmFhZjEzZWY/
Hosts
62.24.202.31

** https://virustotal.com/en/file/96bc...8b446de37eeb78cf6bf199bb961204daf25/analysis/

*** https://www.hybrid-analysis.com/sam...7eeb78cf6bf199bb961204daf25?environmentId=100
Contacted Hosts
91.234.35.216
31.41.47.41


- https://myonlinesecurity.co.uk/yet-...etending-to-come-from-your-own-email-address/
26 July 2016 - "An email with the subject of 'Attached Image' pretending to come from your own email address with a zip attachment which downloads Locky Ransomware... One of the emails looks like:
From: your own email address
Date: Tue 26/07/2016 10:22
Subject: Attached Image
Attachment: 0324923_02.zip ...


26 July 2016: 0324923_02.zip: Extracts to: 753707_02.js - Current Virus total detections 8/54*
.. MALWR** shows a download of xxxx from
http ://exploromania4x4club .ro/okp987g7v?tKLWyjuj=PrkWVPasbrS which gave me lnHLopubGiz.exe (VirusTotal 5/54***).
Hybrid Analysis[4]. This is another one of the files that, unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...51b9180d36c4fe287836d9af/analysis/1469524580/

** https://malwr.com/analysis/YjY2ZmQyMzhlNjBkNDY4MThjOTJiODdkMTNhNGY2OWM/
Hosts
89.42.216.118
*** https://www.virustotal.com/en/file/...b78cf6bf199bb961204daf25/analysis/1469524971/

4] https://www.hybrid-analysis.com/sam...8ba51b9180d36c4fe287836d9af?environmentId=100
Contacted Hosts
89.42.216.118: https://www.virustotal.com/en/ip-address/89.42.216.118/information/
>> https://www.virustotal.com/en/url/d...5411e7979059e28154964b5df790adac66e/analysis/
31.41.47.41: https://www.virustotal.com/en/ip-address/31.41.47.41/information/
91.234.35.216: https://www.virustotal.com/en/ip-address/91.234.35.216/information/
___

Fake 'list of activities' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-list-of-activities-leads.html
26 July 2016 - "This -fake- business spam has a malicious attachment:
From "Penelope Phelps"
Date Tue, 26 Jul 2016 23:02:43 +1100
Subject list of activities
Hello,
Attached is the list of activities to help you arrange for the coming presentation.
Please read it carefully and write to me if you have any concern.
Warm regards,
Penelope Phelps
ALLIED MINDS LTD
Security-ID ...


The sender's name, company and 'Security-ID' vary. Attached is a ZIP file with elements of the recipient's email address in, containing a malicious .wsf script... This Malwr report* and this Hybrid Analysis** show this particular sample downloading from:
akva-sarat.nichost .ru/bokkdolx
There will be -many- other download locations in addition to this. The downloaded file is Locky ransomware with a detection rate of 8/55***. Further analysis is pending, however it is quite likely that this sample uses the -same- C2 servers as seen earlier today[4]."
* https://malwr.com/analysis/ZTA1ZmZmOGViOWVkNDIwZDgyMzU2ZTdiYzRjMmY0NjQ/
Hosts
195.208.0.150

** https://www.hybrid-analysis.com/sam...f0a3d226e021097855658ea67a3?environmentId=100
Contacted Hosts
195.208.0.150: https://www.virustotal.com/en/ip-address/195.208.0.150/information/
>> https://www.virustotal.com/en/url/9...ae3816ea1a37c4aa20afce4d425bdf0300d/analysis/

*** https://virustotal.com/en/file/6cd6...1d7c2f07d58fcac3619b546749a71c429e2/analysis/

4] http://blog.dynamoo.com/2016/07/malware-spam-attached-image-leads-to.html
___

Ransomware 2.0 ...
- http://www.techrepublic.com/article...r-and-its-a-massive-threat-to-the-enterprise/
July 26, 2016 - "... profits from ransomware are making it one of the fastest-growing types of malware and new versions could negatively impact entire industries, according to a Cisco report...
"... Cisco used data from its customers to create the report, since there are more than 16 billion web requests that go through the Cisco system daily, with nearly 20 billion threats blocked -daily- and with more than 1.5 million unique malware samples daily, which works out to 17 new pieces of malware every second..."

:fear::fear: :mad:
 
Fake 'Sent from my Samsung', 'updated details' SPAM

FYI...

Fake 'Sent from my Samsung' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-sent-from-my-samsung_27.html
27 July 2016 - "This spam comes in a few different variations:
From: Lottie
Date: 27 July 2016 at 10:38
Subject: scan0000510
Sent from my Samsung device


The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component... The dropped file is Locky ransomware and it has a detection rate of 2/52*. It phones home to the following locations:
5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
(Thank you to my usual source for this data) There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.
Recommended blocklist:
5.9.253.160/27
178.62.232.244
"
* https://www.virustotal.com/en/file/...3b266e9682da8d6a0359895e3f86f47dfda/analysis/

5.9.253.173: https://www.virustotal.com/en/ip-address/5.9.253.173/information/
>> https://www.virustotal.com/en/url/5...d5117fa4f682e93b9c8fa939e1fa615d145/analysis/
178.62.232.244: https://www.virustotal.com/en/ip-address/178.62.232.244/information/
>> https://www.virustotal.com/en/url/2...bdaa0364dfef0a905f4d88bfab0360e9b6e/analysis/
___

Fake 'updated details' SPAM - malicious attachment
- http://blog.dynamoo.com/2016/07/malware-spam-attached-is-updated.html
27 July 2016 - "This spam has a malicious attachment:
Subject: updated details
From: Faith Davidson (Davidson.43198@ optimaestate .com)
Date: Wednesday, 27 July 2016, 11:13
Attached is the updated details about the company account you needed
King regards
Faith Davidson ...


The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample* shows the script downloading from:
beauty-jasmine .ru/6dc2y
There will be -many- more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55**. Analysis of this payload is pending, however the C2 servers may well be the same as found here***."
* https://www.hybrid-analysis.com/sam...97a29d73c6756d30c1ffb53b7da?environmentId=100
Contacted Hosts
195.208.1.120: https://www.virustotal.com/en/ip-address/195.208.1.120/information/
>> https://www.virustotal.com/en/url/4...caf7519c13f639f73fe3786690c7e50ed8c/analysis/

** https://virustotal.com/en/file/085d...4fb99767fbe1f1e1b5ec022c1121c8a5de3/analysis/

*** http://blog.dynamoo.com/2016/07/malware-spam-sent-from-my-samsung_27.html

:fear::fear: :mad:
 
Fake 'invoice', 'Self Billing Statement' SPAM

FYI...

Fake 'invoice' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-please-check-attached.html
28 July 2016 - "This -fake- financial spam leads to malware:
Subject: Invoice
From: Kendall Harrison (Harrison.59349@ chazsmedley .com)
Date: Thursday, 28 July 2016, 10:33
Hello,
Please check the attached invoice and confirm me if I sent the right data
Yours sincerely,
Kendall Harrison
320907cb16fbe856062a081d4f925b39cb3f007b8818d40dd3


The name of the sender and the hexadecimal number at the bottom varies. Attached is a randomly-named ZIP file which in the sample I analysed contains a malicious .wsf script beginning with the word "redacted". The Malwr analysis* for the partially deobfuscated script and this Hybrid Analysis** show this particular sample downloading from:
83.235.64.44/~typecent/xvsb58
This drops a malicious Locky ransomware binary with a detection rate of 7/55***. Analysis of this binary is pending.
UPDATE: Thank you to my usual source for this analysis... C2 locations:
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
193.124.180.6/upload/_dispatch.php (Marosnet, Russia)
139.59.147.0/upload/_dispatch.php (Digital Ocean, Germany)
Recommended blocklist:
178.62.232.244
193.124.180.6
139.59.147.0
"
* https://malwr.com/analysis/Nzg5YzJmZjNlYTk3NDU4M2I5YjgzNmM5Y2Q3NGQwNmM/
Hosts
83.235.64.44

** https://www.hybrid-analysis.com/sam...e20308a54380b1d5fd0f87f4229?environmentId=100
Contacted Hosts
83.235.64.44: https://www.virustotal.com/en/ip-address/83.235.64.44/information/
>> https://www.virustotal.com/en/url/7...9de9b4a6de1e65040b4627d593ff2dfe541/analysis/

*** https://virustotal.com/en/file/1da2...bc59c6337ca62370f095172768c07c23f9e/analysis/
___

Fake 'Self Billing Statement' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-self-billing-statement.html
28 July 2016 - "This -fake- financial spam comes with a malicious attachment:
From Kathryn Smith [kathryn@ powersolutions .com]
Date Thu, 28 Jul 2016 16:21:41 +0530
Subject Self Billing Statement


I do not know if there is any body text at present. Attached is a file with a name similar to 'Self Billing Statement_431.zip' which contains a similarly named malicious script (e.g. Self Billing Statement_4424.js).
Analysis by a trusted party shows that these scripts download a component...
This originally dropped this payload*, since updated to this payload**, both of which are Locky ransomware.
The C2 servers to -block- are exactly the -same- as found in this earlier spam run***."
* https://www.virustotal.com/en/file/...fa3b7c4282e097cc95b2fdc999e45a95000/analysis/

** https://www.virustotal.com/en/file/...d7b6719d0333db9e5bf5d716bec9531f36d/analysis/

*** http://blog.dynamoo.com/2016/07/malware-spam-please-check-attached.html

:fear::fear: :mad:
 
Fake 'Bank account record', 'Voicemail' SPAM, RIG Exploit Kit

FYI...

Fake 'Bank account record' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-bank-account-record-leads.html
29 July 2016 - "This -fake- financial spam leads to malware:
Subject: Bank account record
From: Stephen Ford (Ford.24850@ aworkofartcontracting .com)
Date: Friday, 29 July 2016, 10:56
Good morning,
Did you forget to finish the Bank account record?
Read the attachment and let me know if there is anything I didn't make clear.
Yours sincerely,
Stephen Ford
57ad5eceb5e68fe97525ff408e9da2ecda5a97be6743bbe0fe


The sender will vary from email to email, but the "From" name is always consistent with the one in the email. Attached is a ZIP file with a random hexadecimal number which in the sample I am looking at contains a malicious .wsf script starting with the words "account record"...
According to the Hybrid Analysis* on that script and Malwr report** on a partly deobfuscated version the script downloads a binary from:
oleanderhome .com/q59ldt5r
This dropped binary has a detection rate of 5/55*** and is presumably Locky ransomware, but automated analysis is inconclusive [1] [2]. There is also traffic to kassa.p0 .ru which is more of a puzzle and doesn't look particularly malicious****. I don't know if that is common to all scripts, but it might be worth looking out for in your traffic logs. If I get more information on this I will post it here."
* https://www.hybrid-analysis.com/sam...bb0482d2daea608d445434ff4bb?environmentId=100
Contacted Hosts
195.216.243.102
107.180.50.233


** https://malwr.com/analysis/OGYzZWU1YjVlNmU1NDE2M2I2M2IwMDY4MzFlMTJhNGE/
Hosts
195.216.243.102: https://www.virustotal.com/en/ip-address/195.216.243.102/information/
107.180.50.233: https://www.virustotal.com/en/ip-address/107.180.50.233/information/
>> https://www.virustotal.com/en/url/d...44f6f3b09e05f00e0515a5341e7cc9c0e6e/analysis/

*** https://virustotal.com/en/file/00f8...499d3cc840f6c05c6cbf54d1ded756b0c13/analysis/

**** https://urlquery.net/report.php?id=1469786112022

1] https://www.hybrid-analysis.com/sam...40f6c05c6cbf54d1ded756b0c13?environmentId=100

2] https://malwr.com/analysis/Njk0YmQ0ZjEyMWRiNGI5MmE2NTkwYzVmOTE5MjZjMzA/

UPDATE: My trusted source (thank you) gives the following... C2 servers are the same as found here*.
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain .in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4 .biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti .ru]
Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139
"
* http://blog.dynamoo.com/2016/07/malware-spam-voicemail-from-anonymous.html
29 July 2016
___

Fake 'Voicemail' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/07/malware-spam-voicemail-from-anonymous.html
29 July 2016 - "This -fake- voicemail spam has a malicious attachment:
From SureVoIP [voicemailandfax@ surevoip .co.uk]
Date Fri, 29 Jul 2016 17:47:41 +0700
Subject Voicemail from Anonymous <Anonymous> 00:02:15
Message From "Anonymous" Anonymous
Created: Fri, 29 Jul 2016 19:45:15 +0900
Duration: 00:02:37
Account: victimdomain .tld


The attachment is in the format msg_7b40ef3f-90a3-c2c7-2858-f9041f1023de.zip containing a malicious .wsf script with a name similar to account record =B5D=.wsf...
The downloaded binary is Locky ransomware, phoning home to:
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain .in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4 .biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti .ru]
Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139
"

178.62.232.244: https://www.virustotal.com/en/ip-address/178.62.232.244/information/
>> https://www.virustotal.com/en/url/2...bdaa0364dfef0a905f4d88bfab0360e9b6e/analysis/
91.195.12.143: https://www.virustotal.com/en/ip-address/91.195.12.143/information/
>> https://www.virustotal.com/en/url/f...b2e28b33199a8e3ef02a7bf51e742a257dd/analysis/
91.230.211.139: https://www.virustotal.com/en/ip-address/91.230.211.139/information/
>> https://www.virustotal.com/en/url/3...48b3f6ec32ea0e86b79d01150fd78dd29a4/analysis/
___

Recent Activity - RIG Exploit Kit
- https://atlas.arbor.net/briefs/index#233459834
July 28, 2016 - "... Analysis: In the wake of the disappearance of the previously successful Angler exploit kit and Nuclear Exploit Kit, cybercrime continues through other kits such as Neutrino, RIG, Sundown and others although campaign activity as recently as June has been lower volume compared to the time period when Angler and Nuclear were active... It is likely that this exploit kit traffic will increase over time, as prior users of other exploit kits migrate."
> https://blog.malwarebytes.com/threa...7/a-look-into-some-rig-exploit-kit-campaigns/

:fear::fear: :mad:
 
Fake 'Corrected report' SPAM, Google snippets abused

FYI...

Fake 'Corrected report' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-please-review-attached.html
1 Aug 2016 - "This spam comes with a malicious attachment:
Subject: Corrected report
From: Joey Cox (Cox.48@ sodetel .net.lb)
Date: Monday, 1 August 2016, 13:37
Dear webmaster,
Please review the attached corrected annual report.
Yours faithfully
Joey Cox


The name of the sender will vary. Attached is a ZIP file with a random name, containing a malicious .WSF script beginning with "annual report". This attempts to download Locky ransomware (MANY locations listed)...
The dropped binary then attempts to phone home to:
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname evradikfreeopti.ru]
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy.ru]
91.219.29.48/upload/_dispatch.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
The host for that last one comes up over and over again; it's time to -block- that /22.
Recommended blocklist:
91.230.211.139
37.139.30.95
91.219.28.0/22
"

91.230.211.139: https://www.virustotal.com/en/ip-address/91.230.211.139/information/
>> https://www.virustotal.com/en/url/3...48b3f6ec32ea0e86b79d01150fd78dd29a4/analysis/
37.139.30.95: https://www.virustotal.com/en/ip-address/37.139.30.95/information/
>> https://www.virustotal.com/en/url/1...a73d004bedad71f277118095988b32d5508/analysis/
91.219.29.48: https://www.virustotal.com/en/ip-address/91.219.29.48/information/
>> https://www.virustotal.com/en/url/e...d52eede7d87da38a3598e2f7c725d4c8257/analysis/
___

Google featured snippets abused by SEO scammers
- https://blog.malwarebytes.com/cyber...les-featured-snippets-abused-by-seo-scammers/
Aug 1, 2016 - "... online crooks are abusing Google’s featured snippets via compromised-websites that -redirect- to -bogus- online stores. A featured snippet is triggered when a user types in a question via a standard search. Google will display a block with a summary of the answer and a link to the site, on top of the regular search results. Because of this prominent placement, Blackhat SEO miscreants are extremely interested in featured snippets as they can capture a large amount of traffic and redirect it to any site of their choosing. In this particular case, a hacked Hungarian sports site (which has nothing to do with software or license keys) is used to game Google’s algorithm which programmatically determines that a page contains a likely answer to the user’s question. People who click-on-the-link will be -redirected- to cheapmicrosoftkey[.]com a site that offers various license keys for Microsoft products at ‘discounted’ prices. Buying from such dubious online shops is -never- a good idea as you might actually purchase stolen merchandise, or worse, get completely scammed:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/flow_snippet.png
... In an added twist, if you visited the Hungarian website directly, you would be -redirected- to the Neutrino exploit kit and get infected with the CrypMIC ransomware. This is a good example of the multiple ways criminals can monetize a -hacked- site. It is quite likely in this case that the site was hacked several different times in unrelated automated attacks, perhaps even via the same vulnerability... As an end user, beware of online deals that sound too good to be true. This example is particularly tricky as people would be inclined to trust their search engine for showing them the answer to their question. We have reported this particular abuse to the Google team."
IOC:
IP: 185.139.238.210: https://www.virustotal.com/en/ip-address/185.139.238.210/information/

cheapmicrosoftkey[.]com: 185.139.238.210

:fear::fear: :mad:
 
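An added example, not code from the quoted dynamoo.com posts or from this thread: it folds the "Recommended blocklist" entries quoted in this and the earlier Locky posts into one set of non-overlapping networks (so the /27 and /22 swallow the single hosts they cover) and flags the /upload/_dispatch.php check-in, which every quoted run shares, in web-proxy logs. The IP addresses and the check-in path are the ones quoted above; the squid-style access log lines are constructed for the example, and 203.0.113.5 is a documentation address standing in for a C2 that is not yet on the list.

```python
"""
Added example, not code from the quoted posts: consolidate the quoted Locky
"Recommended blocklist" entries and flag /upload/_dispatch.php check-ins in
constructed proxy log lines.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Single hosts and ranges as quoted in the posts above (July/August 2016).
RECOMMENDED_BLOCKLIST = [
    "77.222.54.202", "194.1.236.126", "185.117.153.176",   # 'Emailing: Photo'
    "31.41.47.41", "91.234.35.216",                        # 'Attached Image'
    "5.9.253.173", "5.9.253.160/27", "178.62.232.244",     # 'Sent from my Samsung'
    "193.124.180.6", "139.59.147.0",                       # 'Invoice'
    "91.195.12.143", "91.230.211.139",                     # 'Voicemail'
    "37.139.30.95", "91.219.29.48", "91.219.28.0/22",      # 'Corrected report'
    "93.170.128.249",                                      # 'Paid bills'
]

# Locky's check-in URL as quoted: any host, optional port, fixed path.
DISPATCH_RE = re.compile(
    r"https?://(?P<host>[^/:\s]+)(?::\d+)?/upload/_dispatch\.php", re.IGNORECASE
)

# Constructed squid-style access log lines (not real traffic).
SAMPLE_LOG = """\
1469524580.101 312 10.0.0.17 TCP_MISS/200 1420 POST http://31.41.47.41/upload/_dispatch.php - HIER_DIRECT/31.41.47.41 application/octet-stream
1469524581.250  88 10.0.0.17 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1469524582.377 305 10.0.0.23 TCP_MISS/200 1401 POST http://203.0.113.5/upload/_dispatch.php - HIER_DIRECT/203.0.113.5 application/octet-stream
""".splitlines()


def consolidate(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Collapse single IPs and CIDRs into the minimal non-overlapping set of networks.

    Hosts already inside a wider range (5.9.253.173 in 5.9.253.160/27,
    91.219.29.48 in 91.219.28.0/22) disappear into that range.
    """
    nets = [ipaddress.ip_network(e.strip(), strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def blocklist_lines(nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Render networks as firewall-ready strings; a /32 is written as a bare address."""
    return [str(n.network_address) if n.prefixlen == 32 else str(n) for n in nets]


def is_blocked(host: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if host is a literal IP inside one of the blocked networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # a hostname, not an address; cannot match a CIDR
        return False
    return any(addr in n for n in nets)


def find_locky_beacons(log_lines: Iterable[str], nets) -> List[Dict[str, object]]:
    """One record per log line that hits the check-in path.

    'blocked' says whether the egress filter already covers the host; a False
    here is a newly observed C2 that belongs on the blocklist.
    """
    hits = []
    for line in log_lines:
        m = DISPATCH_RE.search(line)
        if m:
            host = m.group("host")
            hits.append({"host": host, "blocked": is_blocked(host, nets),
                         "line": line.strip()})
    return hits


if __name__ == "__main__":
    nets = consolidate(RECOMMENDED_BLOCKLIST)
    print("\n".join(blocklist_lines(nets)))
    for hit in find_locky_beacons(SAMPLE_LOG, nets):
        print(("BLOCKED " if hit["blocked"] else "NEW C2  ") + hit["host"])
```

The split between the two functions reflects what the quoted runs show: the C2 addresses rotate from day to day, so the IP list is a containment measure that is always a little behind, while the check-in path stays constant across every run quoted here and is the more durable detection. Treat a hit whose `blocked` field is False as the prompt to extend the blocklist.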
Fake 'Paid bills', 'Unable to deliver' SPAM, Tech Support Scams

FYI...

Fake 'Paid bills' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/08/malware-spam-please-see-attached-last.html
2 Aug 2016 - "This -fake- financial spam has a malicious attachment:
From: Nathanial Lane
Date: 2 August 2016 at 12:05
Subject: Paid bills
Hello [redacted],
Please see the attached last month’s paid bills for the company
Best regards
Nathanial Lane


The name of the sender varies. It appears that these are being sent out in very-high-volumes. Attached to the email message is a randomly-named ZIP file which contains a malicious .js script beginning with "sales charts".
Thank you to my usual source for this analysis: the script downloads... (from MANY locations)...
The payload is Locky ransomware, phoning home to:
37.139.30.95/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname belyi.myeasy .ru]
93.170.128.249/upload/_dispatch.php (Krek Ltd, Russia)
Recommended blocklist:
37.139.30.95
93.170.128.249
"

37.139.30.95: https://www.virustotal.com/en/ip-address/37.139.30.95/information/
>> https://www.virustotal.com/en/url/1...a73d004bedad71f277118095988b32d5508/analysis/
93.170.128.249: https://www.virustotal.com/en/ip-address/93.170.128.249/information/
Country: RU
___

Fake 'Unable to deliver' SPAM - leads to ransomware
- http://blog.dynamoo.com/2016/08/malware-spam-unable-to-deliver-your.html
2 Aug 2016 - "This -fake- FedEx email has a malicious attachment.
From: FedEx International Ground [terry.mcnamara@ luxmap .com]
Date: 2 August 2016 at 18:53
Subject: [REDACTED], Unable to deliver your item, #000179376
Dear [Redacted],
This is to confirm that one or more of your parcels has been shipped.
Please, open email attachment to print shipment label.
Thanks and best regards,
Terry Mcnamara,
Support Manager.


Attached is a ZIP file FedEx_ID_000179376.zip which contains a malicious script FedEx_ID_000179376.doc.js which is highly obfuscated but which becomes clearer when deobfuscated. This Hybrid Analysis* on the sample shows that the script downloads -ransomware- from opros.mskobr .ru but a quick examination of the code reveals several download locations:
opros.mskobr .ru
alacahukuk .com
www .ortoservis .ru
aksoypansiyon .com
samurkasgrup .com
Three of those domains are on the same IP (77.245.148.51), so we can assume that the server is completely compromised. If we extend that principle to the other servers then you might want to block traffic to:
195.208.64.20 (ROSNIIROS, Russia)
77.245.148.51 (Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti., Turkey)
5.101.153.32 (Beget Ltd, Russia)
A couple of binaries are dropped onto the system, a.exe (detection rate 2/53)** [may not be malicious] and a2.exe (detection rate 7/53)***.
The payload seems to be Nemucod/Crypted or some related ransomware.
Recommended blocklist:
195.208.64.20
77.245.148.51
5.101.153.32
"
* https://www.hybrid-analysis.com/sam...5bccc9db6b3fafdbbdfa6a6a02e?environmentId=100
Contacted Hosts
195.208.64.20

** https://www.virustotal.com/en/file/...432dd6a0c2c3d79833ccac95/analysis/1470163333/

*** https://www.virustotal.com/en/file/...9c7b088bf432af15f1439dbf/analysis/1470163336/
___

Tech Support Scams - two for one ...
- https://blog.malwarebytes.com/cyber.../tech-support-scams-two-for-the-price-of-one/
Aug 2, 2016 - "... Running an executable file posing as an installer for “VMC Media Player”, we were greeted by these prompts telling us we were going to be logged off:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/warning1-1.png
..
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/warning3.png
— and this site opening in our default browser:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/warning2-1.png
Since yolasite .com offers users the option to track visitors to their sub-domain, we suspect this site to be built to keep track of the people that installed the “software”. We have reported this site to Yola and are awaiting a reply. This sequence of events is programmed in a simple batch file that opens the site and commands the computer to shut down in 5 minutes... Once the victims log back on, they will be confronted with this -fake- BSOD screen:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/main-2.png
The screen’s text rambles a lot about errors and Trojans and displays the phone-number they would like you to call. It also shows a seemingly unrelated prompt to “get the product key”, which we will discuss later on, and a button labeled “Microsoft Help” that opens the site www[dot]microsoft[dot]aios[dot]us:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/site.png
Here you can download remote administration tools to get ”support” for a great variety of products. We have seen complaints about the people running this site and its predecessors for at least two years. The site shows a prompt that is a bit unclear about your options:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/choices.png
The listed options are YES to “Start Support Session” or NO to “Browse Support Site”, but the buttons are labeled OK and Cancel. I tested for you, and Cancel gets rid of the pop-up. And if you allow more pop-ups and click OK a few times, you will eventually get the option to download the legitimate remote administration tool TeamViewer.
And the second Tech Support Scam? Ah yes, let’s circle back to the prompt that promised us a product key:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/getthenext.png
Click OK on that one, and you will see a download prompt for a file called license_key.exe:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/downloadfromrun.png
This file has been reported to Mediafire. If you run this file, you may get some déjà vu feelings as you will see the “Thank you” prompt to notify that you will be logged off and visit another Yola site, this time it’s thankyou1234[dot]yolasite[dot]com using the URL shortener lnk.direct. Statistics of the URL shortener showed it was created 06/29/2016 and had 1143 visitors over the past month... The relatively good news about this repetition is that it will get rid of the fake BSOD for you because it alters the Winlogon Shell registry value yet again, only to replace it with -another- Tech Support Scammers -lock-screen- however. This time one that looks a lot like some of the earlier ones. A phone number and a form requesting “a product key”:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/main-3.png
Only this time it looks like you are completely -stuck- without any option. The part of the form that you would expect to fill out and the “Cancel” button are both unresponsive, so most people will end up having to use Ctrl-Alt-Del to get out of this. The name of the running processes for both rounds is fatalerror(.exe). We have dubbed the second one “Product Key” as that is the name of the folder it creates in Program Files (x86). But for the benefit of the Tech Support Scammers there is an “Easter egg” hidden in this screen. If you click -anywhere- in the 5th line (the one starting with the words “PRODUCT KEY”) you will go to this screen:
> https://blog.malwarebytes.com/wp-content/uploads/2016/07/theretheyare.png
... Summary: In what must be an attempt to drive victims crazy enough to call one of their numbers, Tech Support Scammers replace one logon lock-screen with another... save yourself the hassle and get protected."

yolasite[dot]com: 2400:cb00:2048:1::6810:69f9
2400:cb00:2048:1::6810:68f9
2400:cb00:2048:1::6810:67f9
2400:cb00:2048:1::6810:6af9
2400:cb00:2048:1::6810:6bf9

104.16.105.249: https://www.virustotal.com/en/ip-address/104.16.105.249/information/
104.16.106.249: https://www.virustotal.com/en/ip-address/104.16.106.249/information/
104.16.103.249: https://www.virustotal.com/en/ip-address/104.16.103.249/information/
104.16.107.249: https://www.virustotal.com/en/ip-address/104.16.107.249/information/
104.16.104.249: https://www.virustotal.com/en/ip-address/104.16.104.249/information/

aios[dot]us: 107.180.21.20: https://www.virustotal.com/en/ip-address/107.180.21.20/information/
>> https://www.virustotal.com/en/url/7...abe5abd3614ab6d2ea1c79c91093f4a8b79/analysis/

:fear::fear: :mad:
 
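An added example, not code from the quoted posts or from any of the blogs cited in this thread: the attachment check a mail gateway or analyst would run against the ZIP lures described across these posts. It flags the Windows Script Host files (.js/.wsf, as in 'Self Billing Statement_4424.js'), the macro-enabled Office documents (.docm, as in the 'scan0000510' run), and the decoy double extension of FedEx_ID_000179376.doc.js, which the earlier 'Attached Image' post notes is only visible with "show known file extensions" enabled, and it descends into nested ZIPs. The archives are built in memory here for the example; the member names mirror the quoted campaigns and the contents are placeholders, not the real scripts.

```python
"""
Added example, not code from the quoted posts: inspect a ZIP attachment for the
script, macro and decoy-double-extension droppers described in the thread.
Sample archives are constructed in memory with placeholder contents.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List

# Runs under Windows Script Host or executes directly when double-clicked.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta", ".exe", ".scr", ".cmd", ".bat"}
# Office formats that may carry VBA macros.
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xlam", ".pptm"}
# Harmless-looking types used as the first half of a decoy double extension.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".txt", ".xls", ".xlsx"}
MAX_NESTING = 3   # stop unpacking zip-in-zip chains past this depth


@dataclass
class Finding:
    member: str   # path inside the archive; nested levels joined with " -> "
    reason: str


def _extensions(name: str) -> List[str]:
    """All dotted suffixes of the file name, lower-cased: 'a.doc.js' -> ['.doc', '.js']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify(name: str) -> List[str]:
    """Reasons the file name alone should make the attachment suspect (empty if none)."""
    exts = _extensions(name)
    if not exts:
        return []
    last = exts[-1]
    reasons = []
    if last in SCRIPT_EXTS:
        reasons.append(f"script/executable extension {last}")
    if last in MACRO_EXTS:
        reasons.append(f"macro-enabled Office document {last}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in SCRIPT_EXTS:
        # With "hide extensions for known file types" on, Explorer shows only 'x.doc'.
        reasons.append(f"decoy double extension {exts[-2]}{last}")
    return reasons


def inspect_zip(data: bytes, prefix: str = "", depth: int = 0) -> List[Finding]:
    """Walk a ZIP (and ZIPs inside it) and collect findings from member names."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}{info.filename}"
            for reason in classify(info.filename):
                findings.append(Finding(path, reason))
            if info.filename.lower().endswith(".zip"):
                if depth >= MAX_NESTING:
                    findings.append(Finding(path, "nesting limit reached; not unpacked"))
                    continue
                try:
                    findings.extend(inspect_zip(zf.read(info), path + " -> ", depth + 1))
                except zipfile.BadZipFile:
                    findings.append(Finding(path, "unreadable nested zip"))
    return findings


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Helper to construct the sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples named after the quoted campaigns; contents are placeholders.
FEDEX_ZIP = build_zip({"FedEx_ID_000179376.doc.js": b"// placeholder, not the real script"})
SELF_BILLING_ZIP = build_zip({"Self Billing Statement_4424.js": b"// placeholder"})
NESTED_ZIP = build_zip({"invoice.zip": build_zip({"invoice.wsf": b"<job/>"})})
BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 placeholder"})


if __name__ == "__main__":
    for label, blob in [("FedEx", FEDEX_ZIP), ("Self Billing", SELF_BILLING_ZIP),
                        ("nested", NESTED_ZIP), ("benign", BENIGN_ZIP)]:
        hits = inspect_zip(blob)
        print(label, "->", [(f.member, f.reason) for f in hits] or "clean")
```

Name-based checks like this catch every lure quoted in the thread without executing anything, which is why gateways quarantine script and macro attachments outright rather than relying on antivirus detection rates that the quoted analyses put at 2 to 8 engines out of 55 at delivery time. The .rar variant from the 'Emailing: Photo' post needs a RAR library, which the standard library lacks; the same `classify` rule applies to its member names once extracted.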