Fake 'Urgent bill', 'Attached Image' SPAM
FYI...
Fake 'Urgent bill' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/urgent-bill-has-invalid-account-number-malspam-delivers-locky/
30 Nov 2016 - "... Locky downloader... an email with the subject of 'Urgent' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of unpaid_recipient’s name.zip... One of the emails looks like:
From: Adolfo Alexander <Alexander.Adolfo@ escondidohistory .org>
Date: Wed 30/11/2016 09:06
Subject: Urgent
Attachment: unpaid_forum.zip
Dear forum, our accountant informed me that in the bill you processed, the invalid account number had been specified.
Please be guided by instructions in the attachment to fix it up.
30 November 2016: unpaid_forum.zip: Extracts to: -snk-284042943.js - Current Virus total detections 10/55*
MALWR** shows a download of an encrypted file from http ://revaitsolutions .com/ij1driqioc which is converted by the script to K3GepPJAfH.tdb (VirusTotal 5/57***). Payload Security[4]. The tdb file is actually a dll file that is run by rundll32 but given a different extension... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...3ecfc1caeda3a35c37e76c7d/analysis/1480496588/
** https://malwr.com/analysis/MmFiNzdjMTcyZjhlNGQ1ZmJkNWE4YmE3ODJmZGYyMWI/
Hosts
166.62.28.127
*** https://www.virustotal.com/en/file/...4b9f9933ddc3a3fd3942cc9b/analysis/1480498073/
4] https://www.hybrid-analysis.com/sam...11b3ecfc1caeda3a35c37e76c7d?environmentId=100
Contacted Hosts
166.62.28.127
185.75.46.138
91.201.41.145
91.142.90.46
52.42.26.69
54.240.162.193
52.35.54.251
___
Fake 'Attached Image' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/atta...m-canonyour-own-email-address-delivers-locky/
30 Nov 2016 - "A -blank- email with the subject of 'Attached Image' pretending to come from canon@ your-own-email-domain with a malicious word doc attachment delivers Locky... The email looks like:
From: canon@ thespykiller .co.uk
Date: Wed 30/11/2016 09:23
Subject: Attached Image
Attachment: 6479_005.docm
Body content: Totally blank/empty
30 November 2016: 6479_005.docm - Current Virus total detections 9/55*
Both MALWR** and Payload Security*** show a download from satherm .pt/873nf3g which is converted by the macro to ajufr51.dll (VirusTotal 5/57[4]). Manual analysis shows an attempt to download from
http ://travelinsider .com.au/021ygs7 which is currently giving me a 404. There are normally 5 or 6 download locations buried inside the macro or scrpt files with these Locky versions.
C2 http ://91.142.90.61 /information.cgi | 95.213.195.123 /information.cgi... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...1418bd2ba2800dc495cdd55b/analysis/1480498411/
** https://malwr.com/analysis/MjEwOGQ3YTJhYWU3NGMwZWJmYTg2Mjg0NmRjZWQzNTQ/
Hosts
80.172.235.175
91.142.90.61
*** https://www.hybrid-analysis.com/sam...4aa1418bd2ba2800dc495cdd55b?environmentId=100
Contacted Hosts
80.172.235.175
95.213.195.123
91.142.90.61
2.16.4.33
52.42.26.69
54.240.162.55
52.35.54.251
91.198.174.192
91.198.174.208
4] https://www.virustotal.com/en/file/...62dd9a613e7a86ebc5d447b1/analysis/1480499902/
___
Forced install - Chrome extension...
- https://blog.malwarebytes.com/cybercrime/2016/11/forced-into-installing-a-chrome-extension/
Nov 29, 2016 - "We have found a number of websites whose sole purpose is to try and force an extension on anyone visiting that site with Chrome. Most often, you can likely land on one of these sites after a -redirect- from a crack, keygen, or adult entertainment site... site runs a JavaScript producing this dialog box, telling you you’ll have to 'Add Extension to Leave':
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/prompt1.png
Clicking “Cancel” once changes it to add a tick box marked “Prevent this page from creating additional dialogs”:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/warning2w.png
Thinking that this is the ticket out of the page, you will tick that box and click “OK”. At this point, your tab will go into “Full Screen” mode, and you can see which extension they want you to install:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/warning3w.png
The app is called Veritasi and a big arrow pointing to the “Add extension” button is displayed on the site. Clicking the said button initiates the installation of the app:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/warning4.png
When I looked up Veritasi, we noticed it was added to the “Web Store” the same day we found it and it’s supposedly meant to improve your sound quality online:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/soundimprove.png
A similar extension was found and described by Botcrawl.com who classified it as adware. It has the permission “Read and change all your data on the websites you visit”, which is not unusual for a browser extension, but it’s all what -adware- needs to do its job:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/permissionsw.png
If your Windows machine gets stuck on a site like this, use the Ctrl-Alt-Del key combination to invoke the Task Manager. Use “End Process” on every active “chrome.exe” process until the browser shuts down. When you restart Chrome, it will ask if you want to “Restore” the open tabs. I would recommend -not- to, unless it’s really necessary. We have sent in an abuse report and blocked the sites involved to protect as many possible victims as we could..."
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/abuse.png
... A full removal guide can be found on our forums*..."
* https://forums.malwarebytes.org/topic/191194-removal-instructions-for-veritasi/
:fear::fear:
FYI...
Fake 'Urgent bill' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/urgent-bill-has-invalid-account-number-malspam-delivers-locky/
30 Nov 2016 - "... Locky downloader... an email with the subject of 'Urgent' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of unpaid_recipient’s name.zip... One of the emails looks like:
From: Adolfo Alexander <Alexander.Adolfo@ escondidohistory .org>
Date: Wed 30/11/2016 09:06
Subject: Urgent
Attachment: unpaid_forum.zip
Dear forum, our accountant informed me that in the bill you processed, the invalid account number had been specified.
Please be guided by instructions in the attachment to fix it up.
30 November 2016: unpaid_forum.zip: Extracts to: -snk-284042943.js - Current Virus total detections 10/55*
MALWR** shows a download of an encrypted file from http ://revaitsolutions .com/ij1driqioc which is converted by the script to K3GepPJAfH.tdb (VirusTotal 5/57***). Payload Security[4]. The tdb file is actually a dll file that is run by rundll32 but given a different extension... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...3ecfc1caeda3a35c37e76c7d/analysis/1480496588/
** https://malwr.com/analysis/MmFiNzdjMTcyZjhlNGQ1ZmJkNWE4YmE3ODJmZGYyMWI/
Hosts
166.62.28.127
*** https://www.virustotal.com/en/file/...4b9f9933ddc3a3fd3942cc9b/analysis/1480498073/
4] https://www.hybrid-analysis.com/sam...11b3ecfc1caeda3a35c37e76c7d?environmentId=100
Contacted Hosts
166.62.28.127
185.75.46.138
91.201.41.145
91.142.90.46
52.42.26.69
54.240.162.193
52.35.54.251
___
Fake 'Attached Image' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/atta...m-canonyour-own-email-address-delivers-locky/
30 Nov 2016 - "A -blank- email with the subject of 'Attached Image' pretending to come from canon@ your-own-email-domain with a malicious word doc attachment delivers Locky... The email looks like:
From: canon@ thespykiller .co.uk
Date: Wed 30/11/2016 09:23
Subject: Attached Image
Attachment: 6479_005.docm
Body content: Totally blank/empty
30 November 2016: 6479_005.docm - Current Virus total detections 9/55*
Both MALWR** and Payload Security*** show a download from satherm .pt/873nf3g which is converted by the macro to ajufr51.dll (VirusTotal 5/57[4]). Manual analysis shows an attempt to download from
http ://travelinsider .com.au/021ygs7 which is currently giving me a 404. There are normally 5 or 6 download locations buried inside the macro or scrpt files with these Locky versions.
C2 http ://91.142.90.61 /information.cgi | 95.213.195.123 /information.cgi... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...1418bd2ba2800dc495cdd55b/analysis/1480498411/
** https://malwr.com/analysis/MjEwOGQ3YTJhYWU3NGMwZWJmYTg2Mjg0NmRjZWQzNTQ/
Hosts
80.172.235.175
91.142.90.61
*** https://www.hybrid-analysis.com/sam...4aa1418bd2ba2800dc495cdd55b?environmentId=100
Contacted Hosts
80.172.235.175
95.213.195.123
91.142.90.61
2.16.4.33
52.42.26.69
54.240.162.55
52.35.54.251
91.198.174.192
91.198.174.208
4] https://www.virustotal.com/en/file/...62dd9a613e7a86ebc5d447b1/analysis/1480499902/
___
Forced install - Chrome extension...
- https://blog.malwarebytes.com/cybercrime/2016/11/forced-into-installing-a-chrome-extension/
Nov 29, 2016 - "We have found a number of websites whose sole purpose is to try and force an extension on anyone visiting that site with Chrome. Most often, you can likely land on one of these sites after a -redirect- from a crack, keygen, or adult entertainment site... site runs a JavaScript producing this dialog box, telling you you’ll have to 'Add Extension to Leave':
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/prompt1.png
Clicking “Cancel” once changes it to add a tick box marked “Prevent this page from creating additional dialogs”:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/warning2w.png
Thinking that this is the ticket out of the page, you will tick that box and click “OK”. At this point, your tab will go into “Full Screen” mode, and you can see which extension they want you to install:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/warning3w.png
The app is called Veritasi and a big arrow pointing to the “Add extension” button is displayed on the site. Clicking the said button initiates the installation of the app:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/warning4.png
When I looked up Veritasi, we noticed it was added to the “Web Store” the same day we found it and it’s supposedly meant to improve your sound quality online:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/soundimprove.png
A similar extension was found and described by Botcrawl.com who classified it as adware. It has the permission “Read and change all your data on the websites you visit”, which is not unusual for a browser extension, but it’s all what -adware- needs to do its job:
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/permissionsw.png
If your Windows machine gets stuck on a site like this, use the Ctrl-Alt-Del key combination to invoke the Task Manager. Use “End Process” on every active “chrome.exe” process until the browser shuts down. When you restart Chrome, it will ask if you want to “Restore” the open tabs. I would recommend -not- to, unless it’s really necessary. We have sent in an abuse report and blocked the sites involved to protect as many possible victims as we could..."
> https://blog.malwarebytes.com/wp-content/uploads/2016/11/abuse.png
... A full removal guide can be found on our forums*..."
* https://forums.malwarebytes.org/topic/191194-removal-instructions-for-veritasi/
:fear::fear:
Last edited: