SPAM frauds, fakes, and other MALWARE deliveries...

Fake 'payment receipt' SPAM

FYI...

Fake 'payment receipt' SPAM - delivers malware
- https://myonlinesecurity.co.uk/atta...our-payment-receipt-malspam-delivers-malware/
15 Mar 2017 - "... an email with the subject of 'Document:36365' coming from random companies, names and email addresses with a semi-random named zip attachment which delivers what looks like Dridex banking Trojan ... One of the emails looks like:
From: Susie <Susie@ novayaliniya .com>
Date: Wed 15/03/2017 09:35
Subject: Document:36365
Attachment: document_3332.zip
Attached is the copy of your payment receipt.
Susie


document_3332.zip: Extracts to: file_356.js - Current Virus total detections 0/56*
MALWR** shows a download of a txt file from http ://mercurytdsconnectedvessel .com/hjg6657 which is renamed by the script to hjg6657.exe (VirusTotal 8/61***) MALWR[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...b09abfad2fa04fd43c476e146f92ddc9b79/analysis/

** https://malwr.com/analysis/NDA3MGE5Yjk3M2I5NDUyYThmNzEzNDE1MjE0NWM0ZjQ/

*** https://www.virustotal.com/en/file/...464a1d91811e1dbc0bce3d80/analysis/1489573275/

4] https://malwr.com/analysis/OGM5NDVmMTkwNjczNGUzNmI0N2Y1MzNkNmZkZDRlODQ/

mercurytdsconnectedvessel .com: 66.135.46.202: https://www.virustotal.com/en/ip-address/66.135.46.202/information/
> https://www.virustotal.com/en/url/0...4515fd6edbf937296548ef72ab49e255bf7/analysis/

:fear::fear: :mad:
 
Fake 'Returned Sendout Transaction', 'new message' SPAM

FYI...

Fake 'Returned Sendout Transaction' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoo...ned-sendout-transaction-delivers-java-adwind/
16 Mar 2017 - "... This appears to be a newish Java Adwind version in this email, see below for details. The zip/Rar file contains -2- different sized and differently named java.jar files that both are slightly different Adwind versions...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/Returned-Sendout-Transaction.png

Benficiary details.jar (497kb) - Current Virus total detections 19/58*
Transaction Report.jar (267kb) - Current Virus total detections 18/59**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...6f02a25f851ab77a7ced2e50/analysis/1489657794/

** https://www.virustotal.com/en/file/...75b35b3e1f03781bb1e4e2be/analysis/1489657804/
___

Fake 'new message' SPAM - delivers sharik, smoke trojan
- https://myonlinesecurity.co.uk/youv...mailbox-malspam-delivers-sharik-smoke-trojan/
15 Mar 2017 - "An email with the subject of 'You’ve got a new message in your NEST mailbox' pretending to come from do_not_reply@ nestpensions .org.uk with a malicious word doc attachment delivers smoke, dofoil, sharik Trojan... Nest Pensions is the UK Government workplace pension service that helps employers to provide a pension for all employees. These emails are coming via a -lookalike- email address info@nestpensions_randomnumber .top. The contact who forwarded me the details received several, all from different nestpensions_nnn .top. The email looks like:
Subject: You’ve got a new message in your NEST mailbox
Attachment: 0239478234862465.doc
There’s a new message in your NEST mailbox.
We’re confirming that payment of 6822.95 will be taken by Direct Debit in accordance with your agreed terms.
Please see the details in attached file.
What do you need to do now?
Please log into www .nestpensions .org.uk. Some messages may have important documents attached for you to read.
Where to go for help
We provide online support and answers to frequently asked questions at www .nestpensions .org.uk/help
Regards
Richard Hardy NEST Employer Services Manager ...


0239478234862465.doc - Current Virus total detections 6/56*. Payload Security** shows a download from
http ://robertefuller .com/adobe1403.exe (VirusTotal 6/61***). Payload Security[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...58369b83d6826fe816a8cb96/analysis/1489594975/

** https://www.hybrid-analysis.com/sam...f9158369b83d6826fe816a8cb96?environmentId=100
Contacted Hosts
81.29.88.131
92.122.180.80
139.59.64.134


*** https://www.virustotal.com/en/file/...865dac788fa71c7589dafb36/analysis/1489591624/

4] https://www.hybrid-analysis.com/sam...74c865dac788fa71c7589dafb36?environmentId=100
Contacted Hosts
192.150.16.117
139.59.64.134


robertefuller .com: 81.29.88.131: https://www.virustotal.com/en/ip-address/81.29.88.131/information/
> https://www.virustotal.com/en/url/2...bbbea695a273fdb91896413c1a4dd3b6784/analysis/

:fear::fear: :mad:
 
Update to Fake 'FedEx, UPS and USPS' SPAM

FYI...

Update to Fake 'FedEx, UPS and USPS' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/why-you-should-k-i-s-s-keep-it-simple-stupid/
18 Mar 2017 - "A quick update to the never ending spoofed emails from 'FedEx, UPS and USPS cannot deliver your parcel' malspam that generally delivers Locky ransomware and Kovter with the occasional Nemucod ransomware or Cerber ransomware thrown into the mix... noticed a slight change today where it looks like the “apprentice” coding the javascript file in the email -attachment- has tried to be too clever and resulted in a spectacular fail. Instead of the usual “counter.js” or “counter.txt ” that gives the current download sites and what malware to download & run it just gives the php interpreter file that they bundle with the malware downloads...
Update 18 March 2017: Another mistake from this gang today. Once again an incorrect “var m” is hardcoded in the js file attachment. MALWR* | Payload Security**. If “var m” ends in a character (a-z, A-Z) you get the counter.txt telling you which sites to download from & what malware to download. If “var m” ends in a number 0-9 you either get an empty file or in the case of 1-5 various files associated with the malware kit. 1 is normally Locky, occasionally Cerber and very rarely has been Sage ransomware. 2 is always kovter. 3 and 4 are innocent php interpreter files that the malware uses to do its nefarious deeds. 5 (when it exists) is a php list of file types to encrypt. Some days or weeks 5 does not exist & the list of file types to encrypt is hard coded into one of the other files...
* https://malwr.com/analysis/ZGYzZTdhZWUzODY0NDY2ZmExMDUwZGY2NGQzNjNkMmU/
Hosts
184.168.58.126
50.62.253.1
50.62.238.1
184.168.177.1
173.201.141.128


** https://www.hybrid-analysis.com/sam...93f586da9ff94b03946486f0fa7?environmentId=100
Contacted Hosts
184.168.58.126
50.62.253.1
50.62.238.1
184.168.177.1
173.201.141.128


... all sites are downloading a 0 byte harmless empty file but if you do a little bit of simple editing of the javascript file and correct the apprentice’s mistake by removing the last digit to leave a character you get MALWR*** | Payload Security[4] -both- showing crypted files and nemucod ransomware at work.
Direct downloads of the malware 1.exe (Locky) VirusTotal 13/62[5] | 2.exe (kovter) VirusTotal 16/62[6]
Currently counter.txt is nemucod ransomware, which delivers a very heavily obfuscated javascript file...
*** https://malwr.com/analysis/YzY4YjU2OWFhOGE0NDFkNDg1MTQ1ZDBhMTQ3NTZhNmU/
Hosts
184.168.58.126
50.63.219.1


4] https://www.hybrid-analysis.com/sam...2878f8512b52561a1f82e0d8db9?environmentId=100
Contacted Hosts (423)

5] https://www.virustotal.com/en/file/...d462823a669ef478f9769fbb/analysis/1489825684/

6] https://www.virustotal.com/en/file/...f8c98ee67406da3661dbc5d6/analysis/1489825694/

... you end up with this txt file on your desktop (and normally the same as a html desktop background) the bitcoin address and the download decryptor links are individual to each javascript attachment. -Every- email attachment has a randomly hard coded address, which is embedded inside the Var “m” in the javascript..."
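The post above describes a triage rule for these javascript attachments: the hard-coded "var m" value decides what the script fetches, and the fix for the gang's mistake is to drop the trailing digit so the value ends in a letter again. The script below is an added example written for this thread, not code from myonlinesecurity.co.uk or from the attachment itself. It only models the single "var m" line; the surrounding obfuscated downloader is not reproduced, the two sample lines are constructed placeholders, and the mapping of final digits to kit files is taken verbatim from the post. The repair step is generalised to strip more than one trailing digit, which the post does not discuss.

```python
import re

# Constructed stand-ins for the one line of interest. The real attachments are
# heavily obfuscated downloaders; none of that code appears here.
SAMPLE_BROKEN = 'var m = "Z8KQ2VT1"; // constructed placeholder, rest of downloader elided'
SAMPLE_WORKING = 'var m = "Z8KQ2VTa";'

VAR_M = re.compile(r'var\s+m\s*=\s*(["\'])(.*?)\1')

# What the post says the kit serves for each final digit (0 and 6-9: empty file).
DIGIT_MEANING = {
    "1": "ransomware payload (Locky; sometimes Cerber, rarely Sage)",
    "2": "Kovter",
    "3": "php interpreter file (benign kit component)",
    "4": "php interpreter file (benign kit component)",
    "5": "php list of file extensions to encrypt (when present)",
}


def extract_var_m(js_text):
    """Return the hard-coded value assigned to `var m`, or None if absent."""
    m = VAR_M.search(js_text)
    return m.group(2) if m else None


def classify(value):
    """Apply the rule from the post to the final character of `var m`."""
    if not value:
        return "no var m found"
    last = value[-1]
    if last.isascii() and last.isalpha():
        return "counter.txt (download sites + payload selection)"
    if last.isdigit():
        return DIGIT_MEANING.get(last, "empty file")
    return "unrecognised trailing character"


def repair(value):
    """Mimic the manual fix: strip trailing digits so the value ends in a letter.
    Returns None when no letter would remain (nothing to recover)."""
    stripped = value.rstrip("0123456789")
    return stripped if stripped and stripped[-1].isalpha() else None


def repaired_script(js_text):
    """Return a copy of the script with `var m` corrected, ready to re-run in a
    sandbox, or None when there is nothing to repair."""
    value = extract_var_m(js_text)
    fixed = repair(value) if value else None
    if fixed is None:
        return None
    quote_fix = lambda m: "var m = %s%s%s" % (m.group(1), fixed, m.group(1))
    return VAR_M.sub(quote_fix, js_text, count=1)


if __name__ == "__main__":
    for sample in (SAMPLE_BROKEN, SAMPLE_WORKING):
        value = extract_var_m(sample)
        print(value, "->", classify(value))
    print("repaired:", repaired_script(SAMPLE_BROKEN))
```

Run the repaired copy only inside an isolated sandbox: by construction it turns a sample that fetches a kit component into one that fetches the live counter.txt and the payload it points at.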

:fear::fear: :mad:
 
Fake 'Western Union', 'Your order' SPAM, Twitter app spams

FYI...

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoo...d-via-fake-dropbox-site-delivers-java-adwind/
20 Mar 2017 - "... a slightly different subject and email content to previous ones. Many Antiviruses on Virus Total detect these heuristically... The link-in-the-email does not go to dropbox but to a compromised website being used to spread this malware https ://www.opelhugg .com/components/Sendout Report.zip... As usual with these, the zip contains -2- differently named and different size java.jar files...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/spoofed-WU-Sendout-Transaction-Report.png

beneficiary and mtcn details.jar (272kb) - Current Virus total detections 15/59* MALWR**
Sender’s copy of pending transaction..jar (501kb) - Current Virus total detections 20/58***. MALWR[4]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...fb3207ea7b4da6624bff3812/analysis/1489993883/

** https://malwr.com/analysis/MzdiYzJkNDdmMjY3NDNkMjg0MTEwMTZkN2JjYTBmNTY/

*** https://www.virustotal.com/en/file/...79dc4126ea490ec53139c3c8/analysis/1489993897/

4] https://malwr.com/analysis/ZTk2NTBkZjdiMTZiNGNhNzk1OTNiYjdhMTgyNzExMDM/

opelhugg .com: 208.83.210.25: https://www.virustotal.com/en/ip-address/208.83.210.25/information/
> https://www.virustotal.com/en/url/a...a74a299ca8e0ce0cb9d42b7287889c38ffe/analysis/
___

Fake 'Your order' SPAM - delivers Ramnit
- http://blog.dynamoo.com/2017/03/more-highly-personalised-malspam-using.html
20 Mar 2017 - "... comes in using a broadly similar technique of including the potential victim's real home address while using apparently hijacked infrastructure (although in this case the hijacking isn't so elaborate).
From: customerservice@ newshocks .com [mailto:customerservice@ newshocks .com]
Sent: 15 March 2017 18:23
Subject: [Redacted] Your order 003009 details
Hello [redacted],
We are delighted to confirm details of your recent order 003009. We will email you again as soon as the items you have chosen are on their way to you.
If you have an online account with us, you can log in here to see the current status of your order.
You will receive another e-mail from us when we have despatched your order.
Information on order 003009 status here
All prices include VAT at the current rate. A full VAT receipt will be included with your order.
Delivery Address:
[Name and address redacted]
If you have any questions, or something about your order isn't right, please contact us. Or you can simply reply to this e-mail.
Best regards and many thanks...


The newshocks .com domain used in the "From" field matches the sending server of rel209.newshocks .com (also mail.newshocks .com) on 185.141.164.209. This appears to be a legitimate but -unused- domain belonging to a distributor of car parts. The link-in-the-email goes to clipartwin .com/customers/customer-status-003009-verified which is currently 404ing so I can't tell what the payload is, although the previous payload appears to be Ramnit* or similar. This is using another -hijacked- but apparently legitimate web server. I don't know where the data has leaked from, but in this case the victim had lived at the address for the past four years.. so the leak cannot be ancient..."
* https://www.hybrid-analysis.com/sam...d1bba68c045974407e20df6f710?environmentId=100
Contacted Hosts
180.149.132.47
185.117.74.77
52.9.172.230


185.141.164.209: https://www.virustotal.com/en/ip-address/185.141.164.209/information/

newshocks .com: 143.95.232.95: https://www.virustotal.com/en/ip-address/143.95.232.95/information/

clipartwin .com: 198.54.115.198: https://www.virustotal.com/en/ip-address/198.54.115.198/information/
___

Twitter app spams... and Amazon surveys
- https://blog.malwarebytes.com/cybercrime/2017/03/twitter-app-spams-fappening-bait-amazon-surveys/
Mar 20, 2017 - "... dodgy download links and random Zipfiles claiming to contain stolen nude photos and video clips, but today we’re going to look at one specific -spam- campaign aimed at Twitter users. The daisy chain begins with multiple links claiming to display stolen images of Paige, a well known WWE wrestler, caught up in the latest dump of files. With regards to two specific messages, we saw close to -300- over a 24 hour period (and it’s possible there were others we didn’t see). These appear to have been the most common:
> https://blog.malwarebytes.com/wp-content/uploads/2017/03/app-spam.jpg
... The Bit(dot)ly link, so far clicked close to 7,000 times, resolves to the following:
twitter(dot)specialoffers(dot)pw/funnyvideos/redirect(dot)php
That smoothly segues into an offered Twitter App install tied to a site called Viralnews(dot)com:
> https://blog.malwarebytes.com/wp-content/uploads/2017/03/app-install.jpg
... there’s one final -redirect- URL (a bit(dot)do address) which leads to an Amazon themed survey gift card page. Suffice to say, filling this in hands your personal information to marketers – and there’s no guarantee you’ll get any pictures at the end of it (and given the images have been stolen without permission, one might say the people jumping through hoops receive their just desserts in the form of a large helping of “nothing at all”)... it’s time to return to the app and see what it’s been up to on the Twitter account we installed it on:
> https://blog.malwarebytes.com/wp-content/uploads/2017/03/twitter-spam-pile.jpg
Automated spam posts, complete with yet more pictures used as bait. As freshly leaked pictures and video of celebrities continue to be dropped online, so too will scammers try to make capital out of image-hungry clickers. Apart from the fact that these images have been taken without permission so you really shouldn’t be hunting for them, anyone going digging on less than reputable sites is pretty much declaring open season on their computers. Do yourself a favor and leave this leak alone..."

:fear::fear: :mad:
 
Canada/U.K. hit by Ramnit Trojan - malvertising, 'Important Notification' - phish

FYI...

Canada/U.K. hit by Ramnit Trojan - malvertising
- https://blog.malwarebytes.com/threa...-hit-ramnit-trojan-new-malvertising-campaign/
Mar 21, 2017 - "Over the last few days we have observed an increase in malvertising activity coming from adult websites that have significant traffic (several million monthly visits each). Malicious actors are using pop-under ads (adverts that load in a new browser window under the current active page) to surreptitiously -redirect- users to the RIG exploit kit. This particular campaign abuses the ExoClick ad network (ExoClick was informed and took action to stop the fraudulent advertiser based on our reports) and, according to our telemetry, primarily targets Canada and the U.K. The ultimate payloads we collected during this time period were all the Ramnit information stealer (banking, FTP credentials, etc.) which despite a takedown in 2015 has rebounded and is quite active again... The payloads we collected via our honeypot were all the Ramnit Trojan, which is interesting considering the traffic flow from the TDS (Canada, U.K. being the most hits recorded in our telemetry)...
IOCs...
RIG EK IPs:
188.225.38.209
188.225.38.186
188.225.38.164
188.225.38.131
5.200.52.240
"
(More detail at the malwarebytes URL above.)
___

'Important Notification' - phish
- https://myonlinesecurity.co.uk/your-email-address-has-been-transmitting-viruses-phishing-scam/
21 Mar 2017 - "... my webmail is being blocked for spreading viruses, or so this -phishing- scam wants me (and you) to believe...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/webmail-blocked.png

The link goes to http ://ostelloforyou.altervista .org/modules/007008.php where it -redirects- to a page looking like a typical webmail login page on a Cpanel server http ://transcapital .com.ge/language/hgfghj/webmail/index.php where after you insert an email address and password you are bounced on to a genuine Cpanel webmail login page on http ://jattours .com:2095/ which appears to be an innocent site picked at random and doesn’t give any indication of actually being hacked or compromised:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/webmail-login.png "

ostelloforyou.altervista .org: 104.28.14.157: https://www.virustotal.com/en/ip-address/104.28.14.157/information/
> https://www.virustotal.com/en/url/d...1837c77b54b88fc5d8d6975c9fd1b55395f/analysis/
104.28.15.157: https://www.virustotal.com/en/ip-address/104.28.15.157/information/
> https://www.virustotal.com/en/url/d...1837c77b54b88fc5d8d6975c9fd1b55395f/analysis/

transcapital .com.ge: 213.157.215.229: https://www.virustotal.com/en/ip-address/213.157.215.229/information/
> https://www.virustotal.com/en/url/4...b0292dfa3bbfdf100d8c54db3463d99300d/analysis/

jattours .com: 192.163.250.41: https://www.virustotal.com/en/ip-address/192.163.250.41/information/

:fear::fear: :mad:
 
Fake 'Energy bill' SPAM

FYI...

Fake 'Energy bill' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/spoo...4-is-attached-delivers-dridex-banking-trojan/
22 Mar 2017 - "A blank-empty-email with the subject of 'Your GB Energy Supply bill 00077334 is attached' pretending to come from szaoi <szaoi@ 21cn .com> with a malicious word doc attachment delivers Dridex banking Trojan... The email looks like:
From: szaoi <szaoi@ 21cn .com>
Date: Wed 22/03/2017 11:14
Subject: Your GB Energy Supply bill 00077334 is attached
Attachment: bill 000309573.docm


Body content: totally blank/Empty

bill 000309573.docm - Current Virus total detections 11/59*. Payload Security** | Malwr***

Manual analysis shows a download of an encrypted file from one of these locations:
palmcoastcondo .net/de3f3
shadowdalestorage .com/de3f3
lpntornbook .com/de3f3
precisioncut .com.au/de3f3
... which is converted by the macros to polivan2.exe (VirusTotal 12/62[4]) (Payload Security[5]) (MALWR[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...77c69175fcbbe2bb7e13d434/analysis/1490183915/

** https://www.hybrid-analysis.com/sam...41177c69175fcbbe2bb7e13d434?environmentId=100
Contacted Hosts
52.0.119.245
8.8.247.36
107.170.0.14
37.120.172.171
81.12.229.190


*** https://malwr.com/analysis/NGI1MzE5ODMwNDhjNGFiYWFlNmIzN2VkMjIzZjFkY2Q/
Hosts
52.0.119.245

4] https://www.virustotal.com/en/file/...6cb5c2dfdf06d7d5510db007/analysis/1490184702/

5] https://www.hybrid-analysis.com/sam...b4c6cb5c2dfdf06d7d5510db007?environmentId=100
Contacted Hosts
8.8.247.36
107.170.0.14
37.120.172.171
81.12.229.190


6] https://malwr.com/analysis/NWYwZGFlNjU0MGYzNDY4YTgwMGQyMDliZDRkZmRiMjM/
__

'Blank Slate' campaign pushing Cerber ransomware
- https://isc.sans.edu/forums/diary/Blank+Slate+malspam+still+pushing+Cerber+ransomware/22215/
2017-03-22 - "Cerber ransomware has been a constant presence since it was first discovered in February 2016. Since then, I've seen it consistently pushed by exploit kits (like Rig and Magnitude) from the pseudoDarkleech and other campaigns. I've also been tracking Cerber on a daily basis from malicious spam (malspam). Some malspam pushing Cerber is part of the 'Blank Slate' campaign. Why call it Blank Slate? Because the emails have -no- message text, and there's nothing to indicate what, exactly, the attachments are. Subject lines and attachment names are vague and usually consist of random numbers. An interesting aspect of this campaign is that the file attachments are double-zipped. There's a zip archive within the zip archive. Within that second zip archive, you'll find a malicious JavaScript (.js) file -or- a Microsoft Word document. These files are designed to infect a computer with ransomware...
> https://isc.sans.edu/diaryimages/images/2017-03-22-ISC-diary-image-09.jpg
... Potential victims must open an attachment from a -blank- email, go through -two- zip archives, then double-click the final file. If the final file is a Word document, the victim must also enable-macros..."
(More detail at the isc URL at the top.)
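Both the Blank Slate item above (zip inside zip, ending in a .js or a Word document that needs macros enabled) and the 'Energy bill' and 'new message' items earlier in this thread (a .docm / .doc whose macro downloads the payload) come down to the same gateway check: walk the attachment's archives without writing anything to disk and flag what is inside. The script below is an added example for this thread, not code from the ISC diary or myonlinesecurity.co.uk. It assumes the attachment is an ordinary zip and that macro-enabled documents are OOXML (a zip carrying a word/vbaProject.bin part); legacy OLE .doc/.dot files, like the victim.dot mentioned later in the thread, are not inspected and would need a tool such as oletools. The sample attachment it builds is constructed in memory and contains placeholder text, not a real downloader.

```python
import io
import zipfile

# Extensions a mail gateway should not let through inside an archive.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".jar", ".exe", ".scr"}
OFFICE_EXTS = {".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".xlsx"}
MAX_DEPTH = 4                   # guard against zip-in-zip-in-zip recursion bombs
MAX_MEMBER = 50 * 1024 * 1024   # declared size; skip anything larger


def _ext(name):
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def office_has_vba(blob):
    """OOXML documents are zips; a macro-enabled one carries a vbaProject.bin part.
    Legacy OLE (.doc/.dot/.xls) is not a zip and returns False here."""
    if not blob.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def inspect(blob, path="attachment.zip", depth=0, findings=None):
    """Recursively walk nested zip attachments in memory; return (path, reason) findings."""
    if findings is None:
        findings = []
    if depth > MAX_DEPTH:
        findings.append((path, "nesting deeper than %d, refusing" % MAX_DEPTH))
        return findings
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        findings.append((path, "not a zip archive"))
        return findings
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            inner = path + "/" + info.filename
            ext = _ext(info.filename)
            if info.file_size > MAX_MEMBER:
                findings.append((inner, "oversized member, skipped"))
                continue
            try:
                data = archive.read(info)
            except RuntimeError:          # password-protected member
                findings.append((inner, "encrypted member, cannot inspect"))
                continue
            if ext in SCRIPT_EXTS:
                findings.append((inner, "script or executable (%s)" % ext))
            elif ext in OFFICE_EXTS:
                if office_has_vba(data):
                    findings.append((inner, "Office document with VBA project (macros)"))
            elif ext == ".zip" or data.startswith(b"PK\x03\x04"):
                inspect(data, inner, depth + 1, findings)
    return findings


def build_sample():
    """Constructed stand-in for a Blank Slate attachment: zip -> zip -> .js plus a .docm.
    File names are invented; contents are placeholders, not malware."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"placeholder, not a real VBA project")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("8372619.js", "// constructed placeholder, not the real downloader\n")
        z.writestr("0239478234862465.docm", docm.getvalue())
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("0928374.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in inspect(build_sample()):
        print(path, "->", reason)
```

The depth and size limits matter as much as the extension list: an attachment that nests deeper than the cap or declares a huge member is reported and left alone rather than expanded, so the check itself cannot be used to exhaust the gateway.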

:fear::fear: :mad:
 
Word file targets -both- Windows and Mac OS X

FYI...

Word file targets -both- Windows and Mac OS X
- https://blog.fortinet.com/2017/03/2...ing-both-apple-mac-os-x-and-microsoft-windows
Mar 22, 2017 - "... new Word file that spreads malware by executing malicious VBA (Visual Basic for Applications) code. The sample targeted both Apple Mac OS X -and- Microsoft Windows systems...
When the Word file is opened, it notifies victims to enable the Macro security option, which allows the malicious VBA code to be executed...
IoCs: URL:
hxxps ://sushi.vvlxpress .com:443/HA1QE
hxxps ://pizza.vvlxpress .com:443/kH-G5
hxxps ://pizza.vvlxpress .com:443/5MTb8oL0ZTfWeNd6jrRhOA1uf-yhSGVG-wS4aJuLawN7dWsXayutfdgjFmFG9zbExdluaHaLvLjjeB02jkts1pq2bR/
hxxps ://sushi.vvlxpress .com:443/TtxCTzF1Q2gqND8gcvg-cwGEk5tPhorXkzS0gXv9-zFqsvVHxi-1804lm2zGUE31cs/ "
(More detail at the fortinet URL above.)

vvlxpress .com: 184.168.221.63: https://www.virustotal.com/en/ip-address/184.168.221.63/information/
> https://www.virustotal.com/en/url/d...6d0c14270c312ff2bc0dd32e7f8f775a0d7/analysis/

- https://www.helpnetsecurity.com/2017/03/23/malicious-word-windows-mac/
Mar 23, 2017 - "... The malicious Word file is currently flagged by nearly half of the malware engines used by VirusTotal*..."
* https://www.virustotal.com/en/file/...ef44fba578d0fdf325cadfa9b089cf48a74/analysis/

:fear::fear: :mad:
 
Fake 'Photos' SPAM

FYI...

Fake 'Photos' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/photos-from-georgia-delivers-dridex-banking-trojan/
24 Mar 2017 - "... still not seeing the full volume of malware we have been used to seeing, but it is coming in steadily. They have gone back to an old favorite with an email pretending to be from some girl with a simple message saying 'photos' and a simple body content saying 'last 2'. I have only seen 1 copy so far and mine said it came from Georgia. I am pretty sure that almost any girls name will be used, it was in previous runs of this nature... Manual analysis shows a download of an encrypted file from one of these locations:
golongboard .pl/b723dd?
taddboxers .com/b723dd?
dfl210 .ru/b723dd?
naturalcode-thailand .com/b723dd? which is converted by the script to tRIVqu.exe3 and autorun by the script
(VirusTotal 6/62*)...
* https://www.virustotal.com/en/file/...e391a7901374746e224bc178/analysis/1490356510/

One of the emails looks like:
From: Georgia
Date: Thu 01/09/2016 19:22
Subject: photos
Attachment: IMG_67727.zip

last 2


IMG_67727.zip: Extracts to: IMG_7339.vbs and a simple text file with loads of random characters.
Current Virus total detections 7/57**: Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustotal.com/en/file/...a55b6fce78a09d3b7b426883/analysis/1490355913/

*** https://www.hybrid-analysis.com/sam...8f6a55b6fce78a09d3b7b426883?environmentId=100
Contacted Hosts
185.23.21.169
8.8.247.36
192.99.108.183
107.170.0.14
37.120.172.171


golongboard .pl: 185.23.21.17: https://www.virustotal.com/en/ip-address/185.23.21.17/information/
185.23.21.169: https://www.virustotal.com/en/ip-address/185.23.21.169/information/
> https://www.virustotal.com/en/url/d...a1916a23d26986c73bc930b4fad8032c5be/analysis/
taddboxers .com: 107.180.55.17: https://www.virustotal.com/en/ip-address/107.180.55.17/information/
> https://www.virustotal.com/en/url/a...9b040ff758b941b2c6aed3da9d7c6ed425d/analysis/
dfl210 .ru: 194.63.140.43: https://www.virustotal.com/en/ip-address/194.63.140.43/information/
> https://www.virustotal.com/en/url/7...7ed21302ec2cd2869da668ae2fb7fc23923/analysis/

:fear::fear: :mad:
 
Fake 'Unusual sign-in' SPAM

FYI...

Fake 'Unusual sign-in' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/cerber-and-locky-ransomware-delivered-via-fake-chrome_update-exe
24 Mar 2017 - "... a change to one of the common Cerber -ransomware- delivery methods today... pretends to be from Adobe. The body content is all about an unusual sign in activity on your Microsoft account and the -link- goes to a spoofed/fake Chrome download site where the malware payload is a -fake- Google chrome installer...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/unusual-sign-in-activity.png

... Remember many email clients, especially on a mobile phone or tablet, only show the 'Name' in the 'From': and not the bit in <domain .com>. That is why these scams and phishes work so well...

chrome_update.exe - Current Virus total detections 19/61*. Payload Security**.. MALWR***...
The link in the email goes to http ://chromebewfk .top/site/chrome_update.html where you see this
-fake- Google Chrome download page... numerous other sites involved in this campaign, some delivering
Cerber and some Locky ransomware. One other site I have found is:
voperforseanx .top/site/chrome_update.html ...
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/spoofed-chrome-download-site.png
... They also display a -fake- Chrome 'terms & conditions' pop up when you press the 'download now':
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/fake-chrome-installer.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...fc521b7abcce905c7a1f3d2c/analysis/1490381016/

** https://www.hybrid-analysis.com/sam...40bfc521b7abcce905c7a1f3d2c?environmentId=100
Contacted Hosts (1088)

*** https://malwr.com/analysis/ZGM2YmQ1MmJiM2U2NDQyOWE5ZTdhMzRlYmI3MDkyZDk/

chromebewfk .top: 47.90.205.113: https://www.virustotal.com/en/ip-address/47.90.205.113/information/
> https://www.virustotal.com/en/url/2...5c3e7134609d9c4ef588ef5f20f95b973c5/analysis/
voperforseanx .top: 47.90.205.113:
> https://www.virustotal.com/en/url/e...cbf008a449c0fb9705cb66a4815c9dd8a75/analysis/

35.187.59.173: https://www.virustotal.com/en/ip-address/35.187.59.173/information/
> https://www.virustotal.com/en/url/2...5c3e7134609d9c4ef588ef5f20f95b973c5/analysis/
> https://www.virustotal.com/en/url/e...cbf008a449c0fb9705cb66a4815c9dd8a75/analysis/

:fear::fear: :mad:
 
Fake 'Xpress Money' SPAM

FYI...

Fake 'Xpress Money' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/xpress-money-un-respondedoutstanding-claims-delivers-java-adwind/
27 Mar 2017 - "... plagued daily by -fake- financial themed emails containing java adwind or Java Jacksbot attachments... This is more unusual than previous ones because the attachment is an -html- file rather than a zip file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/xpress_money_PDF.png

If you open the attached html file you get a page saying:
e UN-responded/outstanding claims as of march 24th, Pending At Your Branch 2089/234. Download Secured File Here
The -link- behind the download here goes to http ://www.ctraxa .net/wp-content/plugins/akismet/XPRESS%20MONEY.pdf .. where you get a genuine PDF with yet-another-link-embedded:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/xpress_money_PDF.png

... which downloads the zip from http ://www.ctraxa .net/wp-content/plugins/akismet/XPINZ%20&%20UN-respondedoutstanding%20claims%20as%20of%20march%2024th.zip .. which contains -2- identical although different named java.jar files...

Complain Refrence.jar and Sendout Reference.jar (480kb) - Current Virus total detections 39/59*
Payload Security** ...

I have also been informed about -other- sites involved in this massacre scam today including:
http ://locandinadellavalle.altervista .org/wp-content/themes/metro-style/ruhiut/outstanding%20claims%20as%20of%20March%2024,2017.zip... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...050e46d8370169e8302388c2/analysis/1490614148/

** https://www.hybrid-analysis.com/sam...31a050e46d8370169e8302388c2?environmentId=100

ctraxa .net: 212.193.234.99: https://www.virustotal.com/en/ip-address/212.193.234.99/information/
> https://www.virustotal.com/en/url/7...9ecfb995c7dd72e647bf90f798ce503afcc/analysis/

locandinadellavalle.altervista .org: 104.28.2.143: https://www.virustotal.com/en/ip-address/104.28.2.143/information/
> https://www.virustotal.com/en/url/3...22200844a515e4a6798f5f21eaf6c7ce27e/analysis/
104.28.3.143: https://www.virustotal.com/en/ip-address/104.28.3.143/information/
> https://www.virustotal.com/en/url/f...ab3d74b3238d3e61ffe9f5162271fb4a77f/analysis/

:fear::fear: :mad:
 
Fake 'Important matter' SPAM, 'Message from IT' - Phish

FYI...

Fake 'Important matter' SPAM - delivers unknown malware
- https://myonlinesecurity.co.uk/disturbing-important-matter-malspam-delivers-unknown-malware/
28 Mar 2017 - "This email was forwarded to me by a contact who works for a public service agency. I have redacted the actual recipients domain and any email address. There is a 'Charmaine' [redacted] living at the address listed according to google searches. I am sure that there will be a lot of other emails with other real details that will really scare the recipients into opening these emails and being infected. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain .com >. That is why these scams and phishes work so well... The email looks like:
From: Antony Gfroerer <antongfoufou@ wanadoo .fr>
Date: Tue, 28 Mar 2017 09:37:38 +0000
To: Charmaine [redacted] <c*********@ [redacted]>
Subject: Charmaine
Attachment: victim.dot (renamed from recipients name)
Hello, Charmaine!
I am disturbing you for a very important matter. Though we are not familiar, but I have considerable ammount of information concerning you. The matter is that, most probably mistakenly, the data of your account has been sent to me.
For example, your address is:
5 [redacted] Lane
Perth
Perthshire and Kinross
PH2 [redacted]
I am a lawful citizen, so I decided to personal details may have been hacked. I pinned the file – victim.dot that that was emailed to me, that you could find out what information has become accessible for fraudsters. File password is – 2131
I look forward to hearing from you,
Antony Gfroerer ...


victim.dot - Current Virus total detections 0/55*. Payload Security** is unable to analyse as an unsupported format. MALWR*** shows nothing... I am informed that they download:
galaxytown .net/store/read.gif -and- effeelle .eu/img/logo.gif which appear to be genuine gif files from the headers, although they refuse to display as any sort of image file and must contain some sort of embedded -malware- content... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...0a0b03020c4930221596bcdd/analysis/1490695414/

** https://www.hybrid-analysis.com/sam...29b0a0b03020c4930221596bcdd?environmentId=100
Contacted Hosts
62.149.140.45: https://www.virustotal.com/en/ip-address/62.149.140.45/information/
> https://www.virustotal.com/en/url/f...23c8e2a16ad065684e48cd9f65a3dca3c34/analysis/

*** https://malwr.com/analysis/NDQ3MDg1OGZhYzgxNGYxNzkxZDVmZjlhNWUyNDViYjQ/

galaxytown .net: 67.225.216.115: https://www.virustotal.com/en/ip-address/67.225.216.115/information/
> https://www.virustotal.com/en/url/7...95ae0b0d366e340cd445f706d2ccf198912/analysis/
___

'Message from IT' - Phish
- https://myonlinesecurity.co.uk/important-message-from-it-sector-office-365-phishing/
28 Mar 2017 - "... slightly different than many others and much more involved and complicated. It pretends to be a message from IT support to update webmail to use Office 365 / Outlook web access...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/Important-message-from-IT-Sector.png

This email has a genuine PDF attachment:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/O365_upgrade.png
If you follow the link inside the pdf you see a webpage looking like this:
[ http ://radioclassicafm .com.br/lr/barracuda/barracuda/index.html ]
>> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/baracuda_signin1.png
After you input your email address and password, you get told -incorrect- details and -forwarded- to an almost identical looking page where you can put it in again:
>> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/webmail_baracuda_login.png
Then you get sent to an imitation of the Google Verification page where they ask for either your phone number or alternative email address...
>> https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/spoofed_google_verify.png
Then you get a 'success' page... All of these emails use Social engineering tricks to persuade you to open the -attachments- that come with the email..."

radioclassicafm .com.br: 216.172.173.156: https://www.virustotal.com/en/ip-address/216.172.173.156/information/
> https://www.virustotal.com/en/url/2...7c57a3889af277ce93f08422453713bbdc8/analysis/

:fear::fear: :mad:
 
Fake 'Payment Receipt', 'Confirmation' SPAM

FYI...

Fake 'Payment Receipt' SPAM - delivers malware
- https://myonlinesecurity.co.uk/payment-receipt-79159-malspam-delivers-malware/
30 Mar 2017 - "... -blank- or -empty- body emails today with the subject of 'Payment Receipt 79159' (almost certainly random numbers) coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment that does -not- match the subject line, which delivers what some AV are calling nymaim Trojan, while others are just giving heuristic detections. This starts with a zip Receipt28765.zip which extracts to PaymentReceipt.zip which extracts to PaymentReceipt86654.exe which has an icon making it look like a PDF file... One of the emails looks like:
From: donotreply@ yuku .biz
Date: Thu 30/03/2017 06:15
Subject: Payment Receipt 79159
Attachment: ea00ba32a5.zip


Body content: Totally empty/blank

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/Payment-Receipt-79159.png

Receipt28765.zip: Extracts to: PaymentReceipt86654.exe - Current Virus total detections 18/61*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...30f3bee65ba8239ac3990089/analysis/1490851299/

** https://www.hybrid-analysis.com/sam...c1a30f3bee65ba8239ac3990089?environmentId=100
Contacted Hosts
84.200.69.80: https://www.virustotal.com/en/ip-address/84.200.69.80/information/
> https://www.virustotal.com/en/url/b...053954cc42599623de31429f4d8b673e11e/analysis/
___

Fake 'Confirmation' SPAM - delivers malware
- https://myonlinesecurity.co.uk/conf...ease-see-attachment-malspam-delivers-malware/
30 Mar 2017 - "... an email with the subject of 'uk_confirmation_ph489329718.pdf' (random numbers) coming or pretending to come from info@ random companies and email addresses with a semi-random named zip attachment...
Update: I am being reliably informed it is QuantLoader* which is dropping various malwares including Dridex banking Trojan [1] [2] [3]...
* https://blogs.forcepoint.com/securi...eleased-quant-loader-sold-russian-underground

1] https://www.virustotal.com/en/file/...33e34d13fbe375123c69abf3ac5fbf52fcd/analysis/

2] https://www.virustotal.com/en/file/...24dc295c8d3fcb668960c1ca5b954e871fe/analysis/

3] https://www.virustotal.com/en/file/...1a8f30a2df0828cab63cb764dcb5d111771/analysis/

One of the emails looks like:
From: info@criticare-anaesthesia .co.uk
Date: Thu 30/03/2017 12:15
Subject: uk_confirmation_ph489329718.pdf
Attachment: uk_confirmation_ph489329718.zip
Confirmation letter enclosed. Please see attachment.


uk_confirmation_ph489329718.pdf.zip: Extracts to: uk_confirmation_ph954869378.exe - Current Virus total detections 15/60**. Payload Security***. Nothing is definite on what these are but it looks vaguely like a zeus/Zbot variant.
Update: now getting a -second- run with same file names that Clam AV on the mailserver is detecting as Win.Trojan.Ag-3 and quarantining VirusTotal 10/62[4] | Payload Security[5]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustotal.com/en/file/...6592819d3a09dbee31cb5cc1/analysis/1490873262/

*** https://www.hybrid-analysis.com/sam...21f6592819d3a09dbee31cb5cc1?environmentId=100

4] https://www.virustotal.com/en/file/...498012f3ff13a5772ba9107e/analysis/1490874947/

5] https://www.hybrid-analysis.com/sam...4c8498012f3ff13a5772ba9107e?environmentId=100
Contacted Hosts
8.8.247.36
81.12.229.190
107.170.0.14
37.120.172.171


:fear::fear: :mad:
 
Fake 'Western Union', 'GameStop', 'Payment Request' SPAM

FYI...

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoofed-western-union-daily-cash-report-malspam-delivers-java-adwind/
31 Mar 2017 - "... plagued daily by -fake- financial themed emails containing java adwind or Java Jacksbot attachments...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/Daily-Cash-Report.png

Western Union Cash Report Reference.jar (478kb) - Current Virus total detections 15/59*: MALWR**
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...fa2986ace0a15f6925f48a23/analysis/1490914940/

** https://malwr.com/analysis/YmJlMjM2OGRmNGI3NGJhMWIwOWFlYTExMzRjZmM4ZmU/
___

> https://myonlinesecurity.co.uk/spoofed-western-union-refund-delivers-java-adwind/
30 Mar 2017
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/western-union-refund.png
"... links in the email go to http ://www.ctraxa .net/wp-content/plugins/akismet/views/Western Union Refund Transaction.zip ..."
ctraxa .net: 212.193.234.99: https://www.virustotal.com/en/ip-address/212.193.234.99/information/
> https://www.virustotal.com/en/url/d...e77a585ae5b8240613155e009f5c43a0df2/analysis/
2017-03-31
___

Fake 'GameStop' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoo...top-order-no-327609-malspam-delivers-malware/
31 Mar 2017 - "... an email with the subject of '[GameStop] Order No.327609' (random numbers) pretending to come from “GameStop .co.uk Help” with a semi-random named zip attachment which delivers malware. The attachment extracts to -2- files: First a long set of random characters and numbers .exe that has an icon of a PDF file and a genuine PDF with just a few numbers in it called info.pdf...
Update: First indications are that is a plain and simple Dridex banking Trojan, not the Quantloader intermediary...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/GameStop-Order-No.32760.png

066525-960519-20170331-105353-2f0134f7-23cd-f947-1b65-f1a530c28254.zip:
Extracts to: 156910-268936-20161128-151851-de121ee8-6954-4911-80aa-8255b6b023cb.exe
Current Virus total detections 11/62*. Payload Security** | MALWR***
... There are frequently dozens or even hundreds of different download locations, sometimes delivering the exactly same malware from all locations and sometimes slightly different malware versions from each one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...f486b79dc48a2d5c3648de02/analysis/1490951595/

** https://www.hybrid-analysis.com/sam...61ff486b79dc48a2d5c3648de02?environmentId=100

*** https://malwr.com/analysis/ODM1MzkzM2VjNTg3NDA4NThmMjgwYjdmM2IyMDhhZDI/
___

Fake 'Payment Request' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/payment-request-malspam-spoofing-hedley-ellis-ltd-delivers-dridex/
31 Mar 2017 - "... a 'Payment Request' email coming from random email addresses. The payload is the -same- as this slightly earlier campaign spoofing GameStop .co.uk*. The file -names- are different but the content is -identical- with -same- SHA-256 hash numbers. All the copies I have seen -spoof- Hedley & Ellis Ltd, Newark Road, Peterborough, PE1 5UA in the email body, but have totally random senders with the email address in the email body...
* https://myonlinesecurity.co.uk/spoo...top-order-no-327609-malspam-delivers-malware/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/03/payment-request.png

... There are frequently dozens or even hundreds of different download locations, sometimes delivering the exact same malware from all locations and sometimes slightly different malware versions from each one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

:fear::fear: :mad:
 
Fake 'Contract', 'DHL Delivery', 'Western Union' SPAM, 'Quota Exceeded' - Phish

FYI...

Fake 'Contract' SPAM - delivers trojan
- https://myonlinesecurity.co.uk/mals...sword-protected-word-docs-delivering-malware/
4 Apr 2017 - "... malspam emails with password protected word doc attachments. They come with various subjects and themes, but they all contain -genuine- information about the recipient. Some like this one, only have the recipient's full Name, Address and email address but some also contain genuine phone numbers, either landline or mobile numbers. An email with the subject of '[recipient's name] Contract EFKP030417GD' pretending to come from random senders with a malicious word doc attachment...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/Contract-EFKP030417GD.png

victim.EFKP030417GD.doc - eventually downloads Ursnif (virustotal 10/60*) see VT comments for full details...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://virustotal.com/en/file/2e01...98534e2fddfd3bc21120c689/analysis/1491230132/
03EF8.exe

Ursnif: http://researchcenter.paloaltonetwo...snif-global-distribution-networks-identified/
"... banking Trojan..."
___

Fake 'DHL Delivery' SPAM - delivers js malware
- https://myonlinesecurity.co.uk/more-spoofed-dhl-delivery-malspam-delivers-malware/
4 Apr 2017 - "... an email with the subject of 'DHL Delivery' coming or pretending to come from DHL Express UK. These do look very realistic and if you are expecting a delivery today (many recipients will be) you can be very easily fooled by it... from the various reports are connections to various well known websites and webmail services like Google, Facebook, Yahoo, Nirsoft .com and what looks like attempted logins. The javascript file is basically -obfuscated- by simply reversing the url strings embedded in the file, so for example these reverse encoded strings embedded in the js file...
/6863daolnwod/se.aicnelapnerarpmoc//:ptth
/7184daolnwod/moc.leuftnuocsidupe//:ptth
/4372daolnwod/moc.puorgcmc//:ptth
/4819daolnwod/ku.oc.nimdagcc.www//:ptth
/8522daolnwod/xm.moc.zenitramoderfla.www//:ptth
Transform to:
http ://www .alfredomartinez .com.mx/download2258/ : 162.144.80.161: https://www.virustotal.com/en/ip-address/162.144.80.161/information/
> https://www.virustotal.com/en/url/c...eaef89007d471c88445fc0320dbf2a67052/analysis/
http ://www .ccgadmin .co.uk/download9184/ : 193.238.80.70: https://www.virustotal.com/en/ip-address/193.238.80.70/information/
> https://www.virustotal.com/en/url/8...578ae461ce663889a3777ccb57252315435/analysis/
http ://cmcgroup .com/download2734/ : 216.218.207.100: https://www.virustotal.com/en/ip-address/216.218.207.100/information/
> https://www.virustotal.com/en/url/d...3f2fcaad40dace46365a7a4929e8490798c/analysis/
http ://epudiscountfuel .com/download4817/ : 69.175.87.139: https://www.virustotal.com/en/ip-address/69.175.87.139/information/
> https://www.virustotal.com/en/url/2...fc5330723030c92a7e1b6089ad1e7e38783/analysis/
http ://comprarenpalencia .es/download3686/ : 149.202.107.130: https://www.virustotal.com/en/ip-address/149.202.107.130/information/
> https://www.virustotal.com/en/url/d...c8ac768f375b23fbbbdb814f46cb32dd5f9/analysis/
...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/dhl-delivery-malspam-email.png

The link in the email goes to http ://atvicon .com/OXF31666g/ where you see an open directory. Selecting index.php gives you the download of the .js file (VirusTotal 12/56*). The Payload Security report** of this .js file shows lots of other urls associated with this malware & downloads, some of which give an immediate download of the .js file. The Payload Security report shows a download of a file named 2tlj63ijo.exe (VirusTotal 28/61***) (Payload Security[4]) ... my -manual- download gave me (VirusTotal 8/62[5]) Payload Security[6] ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...07cc17fc6e01b38374bbcce7/analysis/1491300071/
DHL__Report__5238760711__Di__April__04__2017.js

** https://www.hybrid-analysis.com/sam...7dcf5212f2dc6336ca19007cc17fc6e01b38374bbcce7
Contacted Hosts
216.218.207.100
87.106.105.76
67.205.128.122


*** https://www.virustotal.com/en/file/...51b2457b4a00463d6c3745682b98a276f92/analysis/
2tlj63ijo.exe

4] https://www.hybrid-analysis.com/sam...4a00463d6c3745682b98a276f92?environmentId=100
Contacted Hosts
87.106.105.76
67.205.128.122


5] https://www.virustotal.com/en/file/...392c964613d0004188e61c84/analysis/1491300282/
5960.exe

6] https://www.hybrid-analysis.com/sam...e01392c964613d0004188e61c84?environmentId=100
Contacted Hosts
87.106.105.76
67.205.128.122


atvicon .com: 67.222.136.31: https://www.virustotal.com/en/ip-address/67.222.136.31/information/
___

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoo...-verification-on-142017-delivers-java-adwind/
4 Apr 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments... Unlike today’s slightly earlier Java Adwind malspam spoofing Bank of Bahamas*, this one does have a new Java Adwind version at the end of the complicated delivery chain...
* https://myonlinesecurity.co.uk/spoo...ation-of-funds-transfer-delivers-java-adwind/

Screenshot: https://myonlinesecurity.co.uk/wp-c...78-MTCN-18-Funds-Verification-on-1_4_2017.png

These contain a genuine PDF that has a link to the site to download a zip file. First the pdf looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/mtcn_wu_pdf.png
The link today goes to:
http ://publikasi-fbio .ukdw .ac.id/css/WesternUnion_Fund_Verification_As_of_1st_April_2017.htm
where you see this page with instructions trying to make you think it is genuine with yet another download link:
http ://publikasi-fbio .ukdw .ac.id/css/WesternUnion_Fund_Verification_As_of_1st_April_2017.zip

> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/spoofedWU_downloadpage.png

AWD020025 MTCN 25 Funds Verification.jar (478kb) Current Virus total detections 11/58*: MALWR**
details.jar (119kb) Current Virus total detections 5/55***: Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...7a43df604dc68988e6397df6/analysis/1491283408/
AWD020025 MTCN 25 Funds Verification.jar

** https://malwr.com/analysis/N2JkYTE4ZmZhN2IyNGFmNWJjMGY4ZDQwYmE2NTFiOGU/

*** https://www.virustotal.com/en/file/...cf28f511c33086d008a419f7/analysis/1476250143/

4] https://www.hybrid-analysis.com/sam...776cf28f511c33086d008a419f7?environmentId=100

publikasi-fbio .ukdw .ac.id: 119.235.252.122: https://www.virustotal.com/en/ip-address/119.235.252.122/information/
> https://www.virustotal.com/en/url/c...38d1bda8c5be50a59f2048071e297f1f960/analysis/
___

'Quota Exceeded' - Phish
- https://myonlinesecurity.co.uk/spoo...n-com-quota-exceeded-please-add-now-phishing/
4 Apr 2017 - "... phishing attempts for email credentials...:

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/Quota-Exceeded-Please-Add-Now.png

If you follow the -link- inside-the-email you see a webpage looking like this:
http ://maharajasweet .com/flash/bestdomain/?email=victim@domain.com :
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/maharahjasweet_webmail_phish.png

... recognize familiar details like our email address or domain name... look at the -real- address in the URL bar at the top of the page:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/maharahjasweet_webmail_phish2.png
After you input your email address and password, you get a 'success' page:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/success.png

... whether it is a straight forward attempt, like this one, to -steal- your personal, bank, credit card or email and social networking log in details... the final IP address outside of your network in the Received: fields can be trusted as others can be -spoofed- ..."

maharajasweet .com: 209.200.238.28: https://www.virustotal.com/en/ip-address/209.200.238.28/information/
> https://www.virustotal.com/en/url/2...785f1271b369dc8163a78caa51861e05373/analysis/

:fear::fear: :mad:
 
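The 'DHL Delivery' item above shows a .js dropper hiding its download URLs as reversed strings and un-reversing them at run time. The following is an added example for triage, not code from the original post or from myonlinesecurity.co.uk: a small Python helper that pulls such literals out of a script, reverses them and defangs the result so it can go into a report or a blocklist without being clickable. The embedded JS fragment is constructed around the five reversed strings quoted in the post; `SAMPLE_JS`, `find_reversed_urls`, `defang`, `decode_reversed_urls` and `extract_hosts` are names chosen here.

```python
import re

# Constructed stand-in for the obfuscated .js dropper: the download URLs
# are stored reversed and un-reversed at run time. The five literals are
# the ones quoted in the post.
SAMPLE_JS = r'''
var u = ["/6863daolnwod/se.aicnelapnerarpmoc//:ptth",
         "/7184daolnwod/moc.leuftnuocsidupe//:ptth",
         "/4372daolnwod/moc.puorgcmc//:ptth",
         "/4819daolnwod/ku.oc.nimdagcc.www//:ptth",
         "/8522daolnwod/xm.moc.zenitramoderfla.www//:ptth"];
function r(s) { return s.split("").reverse().join(""); }
'''

# A reversed http:// or https:// URL ends in "//:ptth" or "//:sptth".
REVERSED_URL_RE = re.compile(r'["\']([^"\']*?//:s?ptth)["\']')


def find_reversed_urls(text):
    """Return the reversed URL literals found in a script, in file order."""
    return REVERSED_URL_RE.findall(text)


def defang(url):
    """Rewrite a URL so it cannot be clicked when pasted into a report."""
    scheme, _, rest = url.partition("://")
    return scheme.replace("http", "hxxp") + "://" + rest.replace(".", "[.]")


def decode_reversed_urls(text):
    """Map each reversed literal to its readable, defanged URL."""
    return {s: defang(s[::-1]) for s in find_reversed_urls(text)}


def extract_hosts(text):
    """Hostnames from the decoded URLs, for proxy-log searches and blocklists."""
    hosts = []
    for s in find_reversed_urls(text):
        url = s[::-1]
        hosts.append(url.split("://", 1)[1].split("/", 1)[0])
    return hosts


if __name__ == "__main__":
    for raw, url in decode_reversed_urls(SAMPLE_JS).items():
        print(f"{raw}  ->  {url}")
```

The regex keys on the reversed scheme rather than on any particular domain, so the same helper works on the next sample that uses this trick; anything more elaborate (string splitting, character-code arrays) needs a real JS deobfuscator or a sandbox run such as the Payload Security reports cited above.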
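The 'Quota Exceeded' item ends with the rule that only the final IP address outside your own network in the Received: fields can be trusted, because the sender can forge the rest. This added example, not from the original post, shows that rule as code: it walks the Received: chain from the newest header down, keeps only the hops written by your own mail servers, and returns the first connecting address that lies outside your networks; every header below that run was supplied by the sender. `RAW_MESSAGE`, `OUR_MAIL_HOSTS` and `OUR_NETWORKS` are constructed placeholders.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message. The two upper Received: lines were added by
# our own servers; the bottom one is what the sending server claims, and a
# sender can write anything there.
RAW_MESSAGE = """\
Received: from edge.example.internal (edge.example.internal [10.0.0.5])
\tby mailstore.example.internal with ESMTP id 1; Tue, 4 Apr 2017 10:00:02 +0000
Received: from mail.example.net (mail.example.net [203.0.113.77])
\tby edge.example.internal with ESMTP id 2; Tue, 4 Apr 2017 10:00:01 +0000
Received: from webmail.example.com (webmail.example.com [198.51.100.9])
\tby mail.example.net with ESMTP id 3; Tue, 4 Apr 2017 09:59:59 +0000
From: IT Support <it-support@example.com>
To: victim@example.com
Subject: Quota Exceeded - Please Add Now

Your mailbox quota has been exceeded.
"""

# Constructed placeholders: the hostnames and address ranges of our own MTAs.
OUR_MAIL_HOSTS = {"mailstore.example.internal", "edge.example.internal"}
OUR_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")


def received_hops(raw):
    """(connecting IP, receiving host) per Received: header, newest first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        ip = IP_RE.search(text)
        by = BY_RE.search(text)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops


def trusted_hops(raw):
    """Leading run of headers written by our own servers (newest first)."""
    trusted = []
    for hop in received_hops(raw):
        if hop[1] not in OUR_MAIL_HOSTS:
            break  # from here down, the sender wrote the headers
        trusted.append(hop)
    return trusted


def sender_supplied_hops(raw):
    """Received: lines below our own; none of them can be relied on."""
    return received_hops(raw)[len(trusted_hops(raw)):]


def is_ours(ip):
    return any(ipaddress.ip_address(ip) in net for net in OUR_NETWORKS)


def true_sender_ip(raw):
    """The last address we can vouch for: the peer that connected to our border MTA."""
    for from_ip, _by in trusted_hops(raw):
        if from_ip and not is_ours(from_ip):
            return from_ip
    return None


if __name__ == "__main__":
    print("origin as far as we can see:", true_sender_ip(RAW_MESSAGE))
    print("sender-supplied hops:", sender_supplied_hops(RAW_MESSAGE))
```

In the sample the answer is 203.0.113.77, the host that spoke to our border MTA; the bottom line claiming the mail came from webmail.example.com is exactly the part an attacker fills in, so a lookup on that address tells you nothing.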
Malvertising on iOS

FYI...

Malvertising on iOS - VPN app
- https://blog.malwarebytes.com/threa...tising-on-ios-pushes-eyebrow-raising-vpn-app/
April 6, 2017 - "... we discovered this -scareware- campaign that pushes a ‘free’ VPN app called 'My Mobile Secure' to iOS users via rogue ads on popular Torrent sites. The page plays an ear-piercing beeping sound and claims your device is 'infected with viruses':
> https://blog.malwarebytes.com/wp-content/uploads/2017/04/scareware_.png
... Apple has released an update to their mobile operating system (iOS 10.3.1*) to avoid so-called “browser lockers” via incessant JavaScript popups that prevented users from closing the offending page. Having said that, social engineering attacks such as the one above are still active and prey on the surprise effect or culpability someone may experience after browsing sites with pirated material:
* https://support.apple.com/HT207688
... According to their website, MobileXpression is a market research panel designed to 'understand the trends and behaviors of people using the mobile Internet'. This seems a bit peculiar when applied to a VPN product, whose goal is to precisely anonymize your online activity by encrypting your data from your ISP, government, bad guys, etc... Free does not mean Open Source or risk-free for that matter. But the fact of the matter is that people tend to gravitate towards free products, especially if those are pushed aggressively via hungry advertisers. For this reason, users should pay even more attention before installing a free app:
> https://blog.malwarebytes.com/wp-content/uploads/2017/04/privacy1.png
... data should never be collected in the first place because some very unfortunate things can happen once it is logged in a database. Haven’t there been enough data breaches lately to be seriously concerned with what kind of data a company may collect (inadvertently or not)? Choosing the right VPN application these days has become very challenging due to the renewed interest in online privacy (there are other reasons people buy VPNs as well, such as to bypass geo-restrictions from services like Netflix, the BBC, etc). It’s important to take the time to review the companies behind those products, their policies, and real reviews, not -fake- or sponsored ones. At the end of the day, you are placing your data and trust in someone else’s hands.
Kudos to CloudFlare for terminating the scareware domain in less than five minutes.
IOCs:
onclkds .com: 206.54.163.50
xml.admetix .com: 173.239.53.20
clk1005 .com: 173.192.117.80
inclk .com: 108.168.157.87
browserloading .com: 52.3.189.94
52.21.139.228
52.4.167.240

giveawaywins .com: 104.31.67.144
104.31.66.144

securecheckapp .com: 192.64.119.233

206.54.163.50: https://www.virustotal.com/en/ip-address/206.54.163.50/information/
> https://www.virustotal.com/en/url/6...fa9421793436dfe0d7b5c56b3d5a2ad21a9/analysis/
173.239.53.20: https://www.virustotal.com/en/ip-address/173.239.53.20/information/
> https://www.virustotal.com/en/url/6...4ad5625d80591ce70ce0321f13ac98d9603/analysis/
173.192.117.80: https://www.virustotal.com/en/ip-address/173.192.117.80/information/ <<<
108.168.157.87: https://www.virustotal.com/en/ip-address/108.168.157.87/information/
> https://www.virustotal.com/en/url/6...bef57329df0e6b16a1efd30f48f4a6f3683/analysis/
52.29.11.13: https://www.virustotal.com/en/ip-address/52.29.11.13/information/ <<<
104.31.67.144: https://www.virustotal.com/en/ip-address/104.31.67.144/information/ <<<
104.28.17.3: https://www.virustotal.com/en/ip-address/104.28.17.3/information/ <<<
192.64.119.233: https://www.virustotal.com/en/ip-address/192.64.119.233/information/ <<<
..."

:fear::fear: :mad:
 
Fake 'Customer Statement', '.JPG' SPAM

FYI...

Fake 'Customer Statement' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoo...ustomer-statement-malspam-deliverers-malware/
7 Apr 2017 - "An email with the subject of pretending to come from random companies with a zip file that extracts to another zip that eventually extracts to a malicious word doc attachment delivers malware probably Dridex banking Trojan. Currently Payload Security has a massive backlog so analysis is pending...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/customer-statement.png

Statement_SE8743.docm - Current Virus total detections 8/58* MALWR**...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...ad65c580f4c983277381b7d1/analysis/1491553437/

** https://malwr.com/analysis/Nzg2ZDExM2Q4ODU2NGM0ODkwNzRlMzc3MTg1MGM4NjQ/
Hosts
195.114.1.135
___

Fake '.JPG' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/emailing-pic9744891-jpg-malspam-delivers-dridex/
7 Apr 2017 - "... an email with a subject saying something like 'Emailing: PIC9744891.JPG' (random numbers and file extensions... Gif, JPG, Tiff, Png or any other image or doc file extension). They all come from random senders. The zip attachment extracts to another zip file that eventually extracts to the VBS dropper...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/dridex-malspam.png

PIC9390310.vbs - Current Virus total detections 5/56* - MALWR** shows a download of an encrypted file from
http ://staciedunlop .com/87hcwc? which is converted by the script to KhtLPsv.exe (VirusTotal 14/61***)
Each VBS file has 4-or-5 embedded urls that download the encrypted text file that gets converted to the Dridex payload... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...4a3163dec32c11d90b36f411/analysis/1491567450/

** https://malwr.com/analysis/YzY3OGY0MWU1ZGZkNDBkYTljYjQxYzRjNjhmYTJlOWQ/
Hosts
64.69.93.68

*** https://www.virustotal.com/en/file/...c103bc5a5bab208413b7539b/analysis/1491568169/

staciedunlop .com: 64.69.93.68: https://www.virustotal.com/en/ip-address/64.69.93.68/information/
> https://www.virustotal.com/en/url/8...d3a66ea2227285e66909ecf359393a3af59/analysis/

:fear::fear: :mad:
 
'Paypal Update acct info' – phish

FYI...

'Paypal Update acct info' – Phish
- https://myonlinesecurity.co.uk/paypal-update-account-information-phishing-with-a-difference/
8 Apr 2017 - "We see lots of phishing attempts for PayPal details. This one is slightly different than many others and much more involved and complicated. This one has an html -attachment- that contains the phishing acts... They ask you to give all the usual details... The whole HTML file is -encrypted- ...
Update: ... by numerous contacts on Twitter, eventually it has been discovered that
http ://www.accunetix .net/80f78664.php is the phishing drop site...

Screenshot: https://myonlinesecurity.co.uk/wp-c...spoofed-paypal-Update-account-information.png

The html form looks like this (reduced in size to fit on one screenshot):
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/paypal-phishing-html-atatchment.png

... Watch for -any- site that invites you to enter ANY personal or financial information..."

accunetix .net: 94.102.60.170: https://www.virustotal.com/en/ip-address/94.102.60.170/information/
> https://www.virustotal.com/en/url/a...7b5758a90a343619c219a27d563eed6c62d/analysis/

:fear::fear: :mad:
 
Fake 'Scanned image', 'scan data' SPAM

FYI...

Fake 'Scanned image' SPAM - delivers Cerber
- https://myonlinesecurity.co.uk/scan...own-email-address-delivers-cerber-ransomware/
10 Apr 2017 - "... An email with the subject of 'Scanned image from MX-2600N' pretending to come from noreply@ your own email address with a zip file attachment that extracts to another zip file then a malicious word doc delivers Cerber ransomware...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/Scanned-image-from-MX-2600N.png

20170410_294152.docm - Current Virus total detections 11/58*: Payload Security** shows a download of an encrypted txt file from http ://villa-kunterbunt-geseke .de/nkjv78v which is transformed by the macro script to redchip2.exe (VirusTotal 8/61***). Payload Security[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...dc4f81e0609f4252f803e889/analysis/1491816739/

** https://www.hybrid-analysis.com/sam...5b1dc4f81e0609f4252f803e889?environmentId=100
Contacted Hosts
85.114.146.10

*** https://www.virustotal.com/en/file/...a11765a09dece6458cf998d5/analysis/1491816149/

4] https://www.hybrid-analysis.com/sam...7a8a11765a09dece6458cf998d5?environmentId=100
Contacted Hosts
194.9.25.17

villa-kunterbunt-geseke .de: 85.114.146.10: https://www.virustotal.com/en/ip-address/85.114.146.10/information/
> https://www.virustotal.com/en/url/2...c1cd037e36031a783e9fdc68ecfa6c1ec24/analysis/
___

Fake 'scan data' SPAM - delivers Dridex
- https://myonlinesecurity.co.uk/scan...r-own-email-address-tries-to-deliver-malware/
10 Apr 2017 - "... an email with the subject of 'scan data' pretending to come from noreply@ your own email address...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/scan-data-malspam.png

... several antiviruses on VirusTotal 8/56* declare this as 'a malicious PDF file'. PDF examiner** declares this 'a suspicious.embedded doc file' and 'suspicious.warning: object contains JavaScript' | Payload Security***...
ScanData155328.docm (VirusTotal 10/57[4]) (Payload Security [5]) | MALWR[6]. This contacts:
super-marv .com/874hv... It looks like it should download an -encrypted- txt file that is converted to redchip2.exe... Update: this one is Dridex... An alternative pdf gave me Payload Security[7] which downloaded redchip2.exe from
hiddencreek .comcastbiz .net/874hv (Virustotal 10/61[8])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...8f58f8db42582e9f50c51151/analysis/1491827466/
[See 'File detail']

** https://www.malwaretracker.com/pdfsearch.php?hash=8009ae9232ae700f52bfa06d241b8f27

*** https://www.hybrid-analysis.com/sam...07f8f58f8db42582e9f50c51151?environmentId=100
Contacted Hosts
194.9.25.17
143.95.251.11


4] https://www.virustotal.com/en/file/...db7a8885636707dc0ba1de7c/analysis/1491829510/
ScanData155328.docm

5] https://www.hybrid-analysis.com/sam...823db7a8885636707dc0ba1de7c?environmentId=100
Contacted Hosts
194.9.25.17
143.95.251.11


6] https://malwr.com/submission/status/ODI4NWRmNGFlMWRjNDg0MzhjMjY0MjU3NWQxMmRhM2Q/
Hosts
143.95.251.11

7] https://www.hybrid-analysis.com/sam...73717ece82a0394e98ca079108e?environmentId=100
Contacted Hosts
194.9.25.17
216.87.186.165
185.44.105.92
64.79.205.100
185.25.184.214


8] https://www.virustotal.com/en/file/...558984052720aa85d311bca7/analysis/1491828872/
redchip2.exe

hiddencreek .comcastbiz .net: 216.87.186.165: https://www.virustotal.com/en/ip-address/216.87.186.165/information/

:fear::fear: :mad:
 
Fake 'RBS', 'scanned file' SPAM, Fake Google Maps listings

FYI...

Fake 'RBS' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spoofed-rbs-fw-important-bacs-documents-malspam-delivers-malware/
11 Apr 2017 - "An email with the subject of 'FW: Important BACs documents' pretending to come from RBS BACs <GRGBACspaymentsdelivery@ rbsdocuments .co.uk> with a malicious word doc spreadsheet attachment delivers malware... it appears to be Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/rbs_bacs.png

RBS_BACs_11042017.doc - Current Virus total detections 3/54*. Payload Security currently is not responding for me. MALWR** shows nothing relevant.
I am informed that it uses PowerShell to download http ://hitecmetal .com.my/images/NGVN4LNyaCV6amPf8jsgJeHVgLX.png which of course is -not- a png but a renamed .exe file (VirusTotal 11/60***) which even more suggests ursnif or Trickbot banking Trojans... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...02bc9a64bd9914a1cbe08b40/analysis/1491904361/

** https://malwr.com/analysis/ZGRhZGUwZDBmNzY1NDRiMjhkZDFiNDQ0MzZhMjVhNTQ/

*** https://www.virustotal.com/en/file/...b431cff894de13976fbea801/analysis/1491905198/
kxecz.exe

hitecmetal .com.my: 110.4.45.192: https://www.virustotal.com/en/ip-address/110.4.45.192/information/
___

Fake 'scanned file' SPAM - delivers malware
- https://myonlinesecurity.co.uk/scan...-drops-malicious-word-macro-delivers-malware/
11 Apr 2017 - "... an email that has a multitude of subjects all along the lines of 'scanned file/image document/image etc.' pretending to come from totally random senders with a pdf attachment. This PDF does have an embedded word doc inside... Payload Security Hybrid Analysis... is currently down. I assume this will turn out to be Dridex in the same way it did yesterday*...
* https://myonlinesecurity.co.uk/scan...r-own-email-address-tries-to-deliver-malware/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/image-data.png

20170411414556.pdf - Current Virus total detections 10/57*. MALWR**...
Update: ... the word macro content shows downloads of -encrypted- txt files from:
medjobsmatch .com/kjv783r
outoftheboxpc .org/kjv783r
jenya.kossoy .com/kjv783r
Which MALWR*** managed to decode as redchip2.exe (VirusTotal 8/61[4]) which although not being detected as Dridex is either likely to be Dridex or Kegotip... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...aa9347691ddf02e2ca89e8e8/analysis/1491908876/

** https://malwr.com/analysis/OGUxZGU5YzQyODMyNDQwYTk1NmFkNjJlMjg1NmQ4Yjg/

*** https://malwr.com/analysis/NjNkM2JiMGY2ZGNhNGRjMzgzMDUwMjk1ZmM5MGZmZmU/
Hosts
23.229.143.7

4] https://www.virustotal.com/en/file/...6f1e60664997a269784143f2/analysis/1491910444/

medjobsmatch .com: 23.229.143.7: https://www.virustotal.com/en/ip-address/23.229.143.7/information/

outoftheboxpc .org: 216.87.186.17: https://www.virustotal.com/en/ip-address/216.87.186.17/information/

jenya.kossoy .com: 64.111.126.118: https://www.virustotal.com/en/ip-address/64.111.126.118/information/
___

Fake Google Maps listings redirect Users to fraudulent sites
- https://www.bleepingcomputer.com/ne...edirect-users-to-fraudulent-sites-each-month/
Apr 10, 2017 - "... This is the result of a study carried out by Google and University of California, San Diego researchers, who analyzed over 100,000 businesses marked as 'abusive' and added to Google Maps between June 2014 and September 2015. Researchers say that 74% of these abusive listings were for local businesses in the US and India, mainly in pockets around certain local hotspots, especially in large metropolitan areas such as New York, Chicago, Houston, or Los Angeles. In most cases, the scheme was simple. A customer in need of a locksmith or electrician would search Google Maps for a local company. If he navigated to the website of a fake business or called its number, a call center operator posing as the business' representative would send over an unaccredited contractor that would charge much more than regular professionals. If a customer's situation were urgent, the contractor would often charge more than the initially agreed-upon price. Researchers said that 40.3% of all the listings for fake companies they found focused on on-call services, such as locksmiths, plumbers, and electricians, where customers were desperate to resolve issues... To list a business card on Google Maps, companies must go through a series of checks that involves Google mailing a postal card, or making a phone call to the business headquarters. After analyzing over 100,000 fake listings, researchers said miscreants registered post office boxes at UPS stores and used the same address to register tens to hundreds of listings per address. They did the same thing for their phone contact, by buying cheap VoIP numbers from providers such as Bandwidth .com, Level 3, Twilio, or Ring Central... The research team discovered that crooks managed to hijack 0.5% of Google Maps' outbound traffic for the studied period... Google also says it currently detects and disables around 85% of fake listings before they ever appear on Google Maps..."
> https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45976.pdf
[ 9 pages ]

:fear::fear: :mad:
 
Fake 'resume' SPAM, Ransomware variants

FYI...

Fake 'resume' SPAM - delivers malware
- https://myonlinesecurity.co.uk/spear-phishing-fake-resume-malspam-leads-to-malware/
12 Apr 2017 - "An email with the subject of 'Greetings' comes from a random name and email address, says it is a resume applying for employment, and has a malicious word doc attachment that delivers malware... Update: I am very reliably informed this is a Zyklon HTTP bot* which is being used in DDOS attacks against a wide variety of sites and is a password and other credential stealer, including all windows, office and many other software licencing keys, as well as email credentials, website passwords and any other password that you can think of...
* https://security.radware.com/ddos-t...advisories-attack-reports/zyklon-http-botnet/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/sarah-resume.png

Sarah-Resume.doc - Current Virus total detections 7/57**. Payload Security*** shows a download using PowerShell from
http ://185.165.29.36 /11.mov which is -renamed- by the macro to k4208.exe
(VirusTotal 7/61[4]) (Payload Security[5]) and autorun and in turn drops iTunes.exe and autorun
(VirusTotal 5/61[6]) (Payload Security[7])... The word doc has a slightly different instruction message than we usually see:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/content-locked.png
This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run -will- infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustotal.com/en/file/...e7f817442f7729b653e3e749/analysis/1491973686/

*** https://www.hybrid-analysis.com/sam...67de7f817442f7729b653e3e749?environmentId=100
Contacted Hosts

4] https://www.virustotal.com/en/file/...5a0f0b71e9d959b4fc3ed448/analysis/1491963473/

5] https://www.hybrid-analysis.com/sam...3845a0f0b71e9d959b4fc3ed448?environmentId=100
Contacted Hosts (20)

6] https://www.virustotal.com/en/file/...8dfbd26182ac4711f29c2826/analysis/1491963495/

7] https://www.hybrid-analysis.com/sam...bf48dfbd26182ac4711f29c2826?environmentId=100
Contacted Hosts (13)
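Both of the macro downloaders above (the '.png' from hitecmetal and the '.mov' from 185.165.29.36) serve a Windows executable under an image or video name and let the macro rename it. A defender-side check that catches that trick is to compare a downloaded file's magic bytes with the extension it was served under. This is an added example, not code from the quoted posts; the filenames are taken from the posts, the bytes are constructed.

```python
"""Flag downloads whose content does not match the extension they were served
with (a '.png' or '.mov' URL that really delivers a PE executable)."""
import struct
from typing import Optional

PE_MAGIC = b"MZ"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
EXEC_EXTS = ("exe", "dll", "scr")


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != PE_MAGIC:
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def extension_mismatch(name: str, data: bytes) -> Optional[str]:
    """Return a finding when the claimed extension hides an executable."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if looks_like_pe(data) and ext not in EXEC_EXTS:
        return f"{name}: PE executable disguised as .{ext}"
    if ext == "png" and not data.startswith(PNG_MAGIC):
        return f"{name}: no PNG signature"
    return None


def make_fake_pe() -> bytes:
    """Constructed sample: 64-byte DOS stub with e_lfanew=0x40, then 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[:2] = PE_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed inputs: two disguised executables named as in the posts, one real PNG.
SAMPLES = {
    "NGVN4LNyaCV6amPf8jsgJeHVgLX.png": make_fake_pe(),
    "11.mov": make_fake_pe(),
    "logo.png": PNG_MAGIC + b"\x00" * 16,
}


def scan(samples=SAMPLES) -> list:
    """Run the mismatch check over every sample and return the findings."""
    return [r for r in (extension_mismatch(n, d) for n, d in samples.items()) if r]


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```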
___

Ransomware variants - emails
- https://isc.sans.edu/diary.html?storyid=22290
2017-04-12 - "... malicious spam (malspam) on Tuesday morning 2017-04-11. At first, I thought it had limited distribution. Later I found several other examples, and they were distributing yet another ransomware variant... The ransomware is very aware of its environment, and I had to use a physical Windows host to see the infection activity...:
> https://isc.sans.edu/diaryimages/images/2017-04-12-ISC-diary-image-01.jpg
... I collected 14 samples of the malspam on Tuesday 2017-04-11. It started as early as 14:12 UTC and continued through at least 17:03 UTC. Each email had a -different- subject line, a -different- sender, -different- message text, and a -different- link to click:
> https://isc.sans.edu/diaryimages/images/2017-04-12-ISC-diary-image-02.jpg
... -All- are subdomains of ideliverys .com on 47.91.88.133 port 80. The domain ideliverys .com was registered the-day-before on Monday 2017-04-10...
As usual, humans are the weakest link in this type of infection chain. If people are determined to bypass all warnings, and their systems are configured to allow it, they will become infected. Unfortunately, that's too often the case. I don't believe the situation will improve any time soon, so we can expect these types of malspam campaigns to continue..."
(More detail at the first ISC URL at the top.)

ideliverys .com: 47.91.88.133: https://www.virustotal.com/en/ip-address/47.91.88.133/information/
> https://www.virustotal.com/en/url/1...b9644a94ac3ce41b069a74c2b4d26cf9d0f/analysis/

:fear::fear: :mad:
 