Fake 'USPS, UPS, DHL, FEDEX' SPAM, Kelihos Botnet takedown
FYI...
Fake 'USPS, UPS, DHL, FEDEX' SPAM - delivers mole ransomware
- https://myonlinesecurity.co.uk/more-usps-delivery-messages-delivering-mole-ransomware/
12 Apr 2017 - "... USPS, UPS, DHL, FEDEX and all the other delivery companies being spoofed and emails pretending to be from them delivering all sorts of malware, usually via zip attachments containing JavaScript files. I saw this post on Sans Security blog*... and expected that I would soon see them...they started to flood in today.
* https://isc.sans.edu/diary.html?storyid=22290
There are a multitude of different subjects. Some of then ones I received today are:
' Official notice regarding your order
IMPORTANT USPS MONEYBACK INFO IN REGARDS TO YOUR PARCEL
AUTOMATED notice in regards to your parcel’s status
WARNING: INFO ABOUT A LATEST REFUND '
These subjects today are different to the unusual subjects we see listed in the sans blog post.
Typical senders -imitating- USPS include:
USPS Delivery <huo4@ doverealty .net>
USPS Express Delivery <ooyyomq57575452@ avensonline .org>
USPS Priority Parcels <rejunwuj75324281@ vki-interiors .com>
USPS Ground Support <heyluogf13136286@ parcerianet .com.br> ...
... these -all- use various subdomains of ideliverys .com... you see what looks like a word online website and you are invited to download then latest 'plugin' version to read the documents online:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/spoofed-word-online-plugin.png
plugin.exe - Current Virus total detections 29/60**. Payload Security***.. I assume this is the same mole ransomware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustotal.com/en/file/...ba3db4c83f64c93f522e74e57e6fc547b11/analysis/
*** https://www.hybrid-analysis.com/sam...3f64c93f522e74e57e6fc547b11?environmentId=100
ideliverys .com: 47.91.88.133: https://www.virustotal.com/en/ip-address/47.91.88.133/information/
> https://www.virustotal.com/en/url/1...b9644a94ac3ce41b069a74c2b4d26cf9d0f/analysis/
- https://myonlinesecurity.co.uk/changes-to-fake-usps-delivery-messages-delivering-malware/
13 Apr 2017 - "... USPS, UPS, DHL, FEDEX SPAM... a -hybrid- campaign mixing elements of all the previous campaigns...
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/OFFICIAL-USPS-REFUND-INFO.png
... These all use various subdomains of maildeliverys .com to divert to
http ://tramplinonline .ru/counter/1.htm where you see what looks like a word online website and you are invited to download then -latest- 'plugin' version to read the documents online:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/fake_word_online_trampoline.png
... this is where the hybrid element comes into play. Once you press download, you get a zip file plugin.zip which extracts to plugin.js ... starts with the first site in the array (var ll) and then downloads these (if the first site cannot be contacted or the file is missing) it moves on to next site and so on, eventually giving -3- malware files.
/counter/exe1.exe (mole ransomware) VirusTotal 6/62[1]
/counter/exe2.exe delivers kovter/powerliks VirusTotal 7/62[2]
/counter/exe3.exe VirusTotal 0/61[3] | VirusTotal 3/62[4] (first one possibly corrupt)
Today’s sites are:
forum-turism .org.ro/images/layout
boorsemsport .be/templates/yoo_aurora/less/uikit
eurostandard .ro/pics/size1
alita .kz/tmp/installation/language/cs-CZ
sportbelijning .be/libraries/joomla/application/web
tramplinonline .ru
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/...de7646f48c595bd154f4b1e1/analysis/1492102514/
2] https://www.virustotal.com/en/file/...e3ea0648be71d17e2251bf84/analysis/1492110707/
3] https://www.virustotal.com/en/file/...76fe2abea099f985c129debf/analysis/1492110713/
4] https://www.virustotal.com/en/file/...931af4127e5d541dfa2c6850/analysis/1492109005/
maildeliverys .com: 47.91.88.133: https://www.virustotal.com/en/ip-address/47.91.88.133/information/
> https://www.virustotal.com/en/url/7...82bfe5144a4d150fcd5a0851f53d2e6b637/analysis/
tramplinonline .ru: 92.242.42.146: https://www.virustotal.com/en/ip-address/92.242.42.146/information/
> https://www.virustotal.com/en/url/a...b547d54253f09395298ad99564db2cf991e/analysis/
___
Kelihos.E Botnet – Takedown
- http://blog.shadowserver.org/2017/04/12/kelihos-e/
April 12, 2017 - "On Monday April 10th 2017, The US Department of Justice (DOJ) announced* a successful operation to take down the Kelihos Botnet and arrest the suspected botnet operator. The Kelihos botnet (and its predecessor Waledec) was one of the most active spamming botnets. Earlier versions of the malware were also involved in delivering trojan horses, stealing user credentials and crypto currency wallets, and in crypto currency mining. The Kelihos botnet was made up of a network of tens of thousands of infected Windows hosts worldwide. It used its own peer-to-peer (P2P) protocol, along with backup DNS domains, to provide resilient command and control (C2) facilities... The Kelihos.E botnet takedown occurred on Friday April 8th 2017, with 100% of the peer-to-peer network being successfully taken over by law enforcement and C2 traffic redirected to our sinkholes, C2 backend server infrastructure being seized/disrupted, as well as multiple fallback DNS domains being successfully sinkholed under US court order..."
* https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0
April 10, 2017 - "The Justice Department today announced an extensive effort to disrupt and dismantle the Kelihos botnet – a global network of tens of thousands of infected computers under the control of a cybercriminal that was used to facilitate malicious activities including harvesting login credentials, distributing hundreds of millions of spam e-mails, and installing ransomware and other malicious software..."
:fear::fear:
FYI...
Fake 'USPS, UPS, DHL, FEDEX' SPAM - delivers mole ransomware
- https://myonlinesecurity.co.uk/more-usps-delivery-messages-delivering-mole-ransomware/
12 Apr 2017 - "... USPS, UPS, DHL, FEDEX and all the other delivery companies being spoofed and emails pretending to be from them delivering all sorts of malware, usually via zip attachments containing JavaScript files. I saw this post on Sans Security blog*... and expected that I would soon see them...they started to flood in today.
* https://isc.sans.edu/diary.html?storyid=22290
There are a multitude of different subjects. Some of then ones I received today are:
' Official notice regarding your order
IMPORTANT USPS MONEYBACK INFO IN REGARDS TO YOUR PARCEL
AUTOMATED notice in regards to your parcel’s status
WARNING: INFO ABOUT A LATEST REFUND '
These subjects today are different to the unusual subjects we see listed in the sans blog post.
Typical senders -imitating- USPS include:
USPS Delivery <huo4@ doverealty .net>
USPS Express Delivery <ooyyomq57575452@ avensonline .org>
USPS Priority Parcels <rejunwuj75324281@ vki-interiors .com>
USPS Ground Support <heyluogf13136286@ parcerianet .com.br> ...
... these -all- use various subdomains of ideliverys .com... you see what looks like a word online website and you are invited to download then latest 'plugin' version to read the documents online:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/spoofed-word-online-plugin.png
plugin.exe - Current Virus total detections 29/60**. Payload Security***.. I assume this is the same mole ransomware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
** https://www.virustotal.com/en/file/...ba3db4c83f64c93f522e74e57e6fc547b11/analysis/
*** https://www.hybrid-analysis.com/sam...3f64c93f522e74e57e6fc547b11?environmentId=100
ideliverys .com: 47.91.88.133: https://www.virustotal.com/en/ip-address/47.91.88.133/information/
> https://www.virustotal.com/en/url/1...b9644a94ac3ce41b069a74c2b4d26cf9d0f/analysis/
- https://myonlinesecurity.co.uk/changes-to-fake-usps-delivery-messages-delivering-malware/
13 Apr 2017 - "... USPS, UPS, DHL, FEDEX SPAM... a -hybrid- campaign mixing elements of all the previous campaigns...
Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/OFFICIAL-USPS-REFUND-INFO.png
... These all use various subdomains of maildeliverys .com to divert to
http ://tramplinonline .ru/counter/1.htm where you see what looks like a word online website and you are invited to download then -latest- 'plugin' version to read the documents online:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/04/fake_word_online_trampoline.png
... this is where the hybrid element comes into play. Once you press download, you get a zip file plugin.zip which extracts to plugin.js ... starts with the first site in the array (var ll) and then downloads these (if the first site cannot be contacted or the file is missing) it moves on to next site and so on, eventually giving -3- malware files.
/counter/exe1.exe (mole ransomware) VirusTotal 6/62[1]
/counter/exe2.exe delivers kovter/powerliks VirusTotal 7/62[2]
/counter/exe3.exe VirusTotal 0/61[3] | VirusTotal 3/62[4] (first one possibly corrupt)
Today’s sites are:
forum-turism .org.ro/images/layout
boorsemsport .be/templates/yoo_aurora/less/uikit
eurostandard .ro/pics/size1
alita .kz/tmp/installation/language/cs-CZ
sportbelijning .be/libraries/joomla/application/web
tramplinonline .ru
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/...de7646f48c595bd154f4b1e1/analysis/1492102514/
2] https://www.virustotal.com/en/file/...e3ea0648be71d17e2251bf84/analysis/1492110707/
3] https://www.virustotal.com/en/file/...76fe2abea099f985c129debf/analysis/1492110713/
4] https://www.virustotal.com/en/file/...931af4127e5d541dfa2c6850/analysis/1492109005/
maildeliverys .com: 47.91.88.133: https://www.virustotal.com/en/ip-address/47.91.88.133/information/
> https://www.virustotal.com/en/url/7...82bfe5144a4d150fcd5a0851f53d2e6b637/analysis/
tramplinonline .ru: 92.242.42.146: https://www.virustotal.com/en/ip-address/92.242.42.146/information/
> https://www.virustotal.com/en/url/a...b547d54253f09395298ad99564db2cf991e/analysis/
___
Kelihos.E Botnet – Takedown
- http://blog.shadowserver.org/2017/04/12/kelihos-e/
April 12, 2017 - "On Monday April 10th 2017, The US Department of Justice (DOJ) announced* a successful operation to take down the Kelihos Botnet and arrest the suspected botnet operator. The Kelihos botnet (and its predecessor Waledec) was one of the most active spamming botnets. Earlier versions of the malware were also involved in delivering trojan horses, stealing user credentials and crypto currency wallets, and in crypto currency mining. The Kelihos botnet was made up of a network of tens of thousands of infected Windows hosts worldwide. It used its own peer-to-peer (P2P) protocol, along with backup DNS domains, to provide resilient command and control (C2) facilities... The Kelihos.E botnet takedown occurred on Friday April 8th 2017, with 100% of the peer-to-peer network being successfully taken over by law enforcement and C2 traffic redirected to our sinkholes, C2 backend server infrastructure being seized/disrupted, as well as multiple fallback DNS domains being successfully sinkholed under US court order..."
* https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0
April 10, 2017 - "The Justice Department today announced an extensive effort to disrupt and dismantle the Kelihos botnet – a global network of tens of thousands of infected computers under the control of a cybercriminal that was used to facilitate malicious activities including harvesting login credentials, distributing hundreds of millions of spam e-mails, and installing ransomware and other malicious software..."
:fear::fear:
Last edited: