SPAM frauds, fakes, and other MALWARE deliveries...

Fake Email account notice - Phish

FYI...

Fake Email account notice – Phish
... 'Your Mailbox Will Be Terminated'
- https://myonlinesecurity.co.uk/your-mailbox-will-be-terminated-phishing-for-email-credentials/
16 Jun 2017 - "We see lots of phishing attempts for email credentials. This one is slightly different...

Screenshot: https://myonlinesecurity.co.uk/wp-c...ll-Be-Terminated-ans@thespykiller.co_.uk-.png

If you follow the link you see a webpage looking like this:
https ://deadsocial .com//media/email_updatep1/login.php?userid=ans@ thespykiller .co.uk
(you can put any email address at the end of the link & get the same page with email already filled in).
The red countdown continues to decrease in time while the page is open:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/spoofed_email_update.png

... After you input your email address and password, you get told 'incorrect details' and forwarded to an almost identical looking page where you can put it in again and it does that on a continual loop:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/spoofed_email_update2.png

... Don’t assume that all attempts are obvious. Watch for any site that invites you to enter ANY personal or financial information..."

deadsocial .com: 184.154.216.243: https://www.virustotal.com/en/ip-address/184.154.216.243/information/
> https://www.virustotal.com/en/url/7...7eed4d1a9aa178e16a115833e2e7b9b24c7/analysis/

Fake DHL SPAM

FYI...

Fake DHL SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake-dhl-commercial-invoice-malspam-delivers-malware/
20 Jun 2017 - "An email with the subject of 'Commercial Invoice' pretending to come from export@ dhl-invoice .com with a malicious Excel XLS spreadsheet attachment delivers some sort of malware... I am being told that -other- subjects in this malspam run -spoofing- DHL include: 'DHL Commercial Invoice' and 'DHL poforma invoice'. There appear to be several different -spoofed- senders @dhl-invoice .com...

Screenshot: https://myonlinesecurity.co.uk/wp-c...fake-dhl-commercial-invoice-malspam-email.png

dhl_commercial_invoice_.xls - Current Virus total detections 5/55*. Payload Security** shows a download from
http ://travel-taxi .net/test/edf.exe (VirusTotal 51/62[3]), (Payload Security[4]).
Other download locations -embedded- in other versions of the macro include
http ://okinawa35 .net/m/iop.exe
The XLS file looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/dhl_commercial_invoice_xls.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...571e9736c69fef83a2701409/analysis/1497948303/

** https://www.hybrid-analysis.com/sam...fb7571e9736c69fef83a2701409?environmentId=100
Contacted Hosts
202.218.50.130

3] https://www.virustotal.com/en/file/...4b5cc1877acf0bef9aaad55ff73990fe217/analysis/

4] https://www.hybrid-analysis.com/sam...94b5f38de06a51f8ddde3301522?environmentId=100

travel-taxi .net: 203.183.93.149: https://www.virustotal.com/en/ip-address/203.183.93.149/information/
> https://www.virustotal.com/en/url/2...d3ddac39146c339bbbbf39fe736284fc1d5/analysis/

okinawa35 .net: 202.218.50.130: https://www.virustotal.com/en/ip-address/202.218.50.130/information/
> https://www.virustotal.com/en/url/8...31d748438b782edded483613d417c83fd1c/analysis/

Fake 'Invoice', 'Receipt to print' SPAM

FYI...

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecurity.co.uk/the-return-of-locky-with-fake-invoice-emails/
21 Jun 2017 - "... an email with the subject of 'Copy of Invoice 79898702' coming or pretending to come from noreply@ random email addresses with a semi-random named zip attachment in the format of 79898702.zip (random 8 digits). The zip matches the subject... Whether this is a permanent return to Locky or a one off, I don’t know... Locky has vanished for a while before & returned. It is also very unusual for Locky to come as an executable file inside a zip...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Copy-of-Invoice-79898702.png

79898702.zip: extracts to INV-09837592.zip which in turn Extracts to: INV-09837592.exe
Current Virus total detections 10/60*. Payload Security**. None of the sandboxes are showing any encrypting activity or the usual Locky signs, so it looks like a -new- version with protections against analysis. We only know it is Locky because one of the analysts[1] extracted the Locky payload from the memory while running this file (Virustotal 39/60***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...73c6d60da1750655ad66e219426b3cf9cd8/analysis/
INV-09837592.exe

** https://www.hybrid-analysis.com/sam...a1750655ad66e219426b3cf9cd8?environmentId=100

*** https://www.virustotal.com/en/file/...2d2ff162f7be556dd037a6a1/analysis/1498057764/
_005C0000.mem

1] https://twitter.com/mpvillafranca94/status/877544503720247296

- http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html
June 21, 2017 - "... The volume of Locky spam Necurs has sent since the start of this particular campaign is notable. In the first hour of this campaign, Talos observed that Locky spam accounted for up to 7.2% of email volume on one of our systems*. While the campaign has since decreased in the number of messages being sent per minute, Necurs is still actively sending messages containing Locky... we can expect a fixed version of Locky to appear in a future round of Necurs' ransomware spam... it's always risky clicking-on-links or opening -attachments- in strange email messages..."
> https://1.bp.blogspot.com/-O9IsDuPG...iK2tb_5ztyE62QP4DqvegCLcBGAs/s1600/image3.jpg
___

Fake 'Receipt to print' SPAM - delivers malware
- https://myonlinesecurity.co.uk/receipt-to-print-malspam-delivers-malware/
21 Jun 2017 - "... an email with the subject of 'Receipt to print' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers some malware... Earlier WSF files today delivered Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/receipt-to-print.png

Receipt_6706.zip: extracts to archive0124.zip which extracts to: 0923.wsf
Current Virus total detections 11/57*. Payload Security** shows a download of an encrypted file from
http ://tag27 .com/08345ug? which is converted by the script to IeEOifS6.exe (VirusTotal 11/57***).
Manual examination and basic decoding of the WSF file shows these download locations:
tag27 .com/08345ug? > 162.210.102.220
78tguyc876wwirglmltm .net/af/08345ug > 119.28.86.18
malamalamak9 .net/08345ug? > 74.122.121.8
randomessstioprottoy .net/af/08345ug > 119.28.86.18
shreveporttradingantiques .com/08345ug? > 74.220.215.225 ...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...1803c23706766a03e6852c71/analysis/1498051603/

** https://www.hybrid-analysis.com/sam...97c1803c23706766a03e6852c71?environmentId=100
Contacted Hosts
162.210.102.220
119.28.86.18
74.122.121.8


*** https://www.virustotal.com/en/file/...dc1f0817b33b9b70126ea45e/analysis/1480617465/

Fake 'INVOICE' SPAM

FYI...

Fake 'INVOICE' SPAM - delivers malware
- https://myonlinesecurity.co.uk/conf...cve-2017-0199-rtf-exploit-to-deliver-malware/
26 Jun 2017 - "An email with the subject of '*CONFIRM ORDER AND REVISE INVOICE*' pretending to come from admin@ random company with a malicious word doc attachment. This word doc is actually an RTF file that uses what looks like the CVE-2017-0199 exploit...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/CONFIRM-ORDER-AND-REVISE-INVOICE.png

Order Ref-22550.doc - Current Virus total detections 16/56*. Neither MALWR nor JoeSandbox could get any malicious content from it. Payload Security is still -down- this morning for maintenance that was hoped to be done over the weekend.
Update: after a bit of manual editing & investigating I was able to find the download location:
https ://dev.null .vg/OtoGQj9.hta (VirusTotal 13/56**) ( MALWR***) which should deliver
http ://allafrance .com/ziko.exe but is currently giving me a 404... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...fff5f5ffff0787fa17c9bd6d/analysis/1498451330/
Order Ref-22550.doc

** https://www.virustotal.com/en/file/...5a4696fdc20c5604d0f538b5/analysis/1498457573/
OtoGQj9.hta

*** https://malwr.com/analysis/ZDI4ZWFmYjRmZDg2NDNkODg2ODQ4NmYzMjAzNjBkNjY/

dev.null .vg: 104.27.187.29: https://www.virustotal.com/en/ip-address/104.27.187.29/information/
> https://www.virustotal.com/en/url/2...6ae40eaa45f52cdebb65f3da722aaa09263/analysis/
104.27.186.29: https://www.virustotal.com/en/ip-address/104.27.186.29/information/
> https://www.virustotal.com/en/url/2...6ae40eaa45f52cdebb65f3da722aaa09263/analysis/

allafrance .com: 85.14.171.25: https://www.virustotal.com/en/ip-address/85.14.171.25/information/
> https://www.virustotal.com/en/url/0...0fc20523df30c2f5c8dc9b2ddb692b7eb4e/analysis/
___

Fake 'invoice' SPAM - links to malware doc file
- https://myonlinesecurity.co.uk/more-invoice-malspam-with-links-to-download-word-doc-deliver-malware/
26 Jun 2017 - "... An email with the subject of 'Cust # 880767-00057' [redacted] pretending to come from Jackie Fill <vs1.kirchdorf@ eduhi .at> (probably random senders) with a -link- that downloads a malicious word doc. The subject and the link that appears in the body of the email have the recipient's name in them but the actual link doesn’t. The link in this case went to
http ://facyl .com.br/Invoices-payments-and-questions-JBQHL-933-907247/ where it downloaded a macro enabled word doc (the link is very slow & does time out)...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Cust-880767-00057.png

Invoice-NUVKHC-227-980463.doc - Current Virus total detections 9/56*... Joesandbox** shows connections to numerous sites where a malicious file is downloaded using PowerShell, including:
http ://carbeyondstore .com/cianrft/ > 72.52.246.64
http ://motorgirlstv .com/kdm/ > 202.191.62.208
http ://nonieuro .com/xauqt/ > 216.104.189.202
http ://pxpgraphics .com/espzyurt/ > 69.65.3.206
http ://studiogif .com.br/jedtvuziky/ > 192.185.216.153
Eventually giving an .exe file (VirusTotal 10/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...347bb06e622ac246d301ff78/analysis/1498480442/

** https://jbxcloud.joesecurity.org/analysis/297919/1/html

*** https://www.virustotal.com/en/file/...1ecfdb86f122bd7356622fe2/analysis/1498478920/

facyl .com.br: 187.45.187.130: https://www.virustotal.com/en/ip-address/187.45.187.130/information/
> https://www.virustotal.com/en/url/f...59e86f7672c20ace5681af4245b66cb44e5/analysis/

Fake 'Fattura' SPAM, Protect Your Cloud, Petya Ransomware Infections Reported

FYI...

Fake 'Fattura' SPAM - delivers xls attachment malware
- https://myonlinesecurity.co.uk/more-italian-fattura-malspam-delivering-banking-trojans/
27 Jun 2017 - "An email with the subject of 'Fattura n.9171 del 27/06/17' pretending to come from random Italian email addresses with an Excel XLS spreadsheet attachment...
Update: I am 100% assured* that this is Trickbot banking Trojan...
* https://twitter.com/_operations6_/status/879680802136707073

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Fattura_it_spam1.png

Attachment: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Fattura_it_spam2.png

The xls file looks like this, with the instructions to 'enable content' in Italian. They obviously hope that the victim will 'enable content & macros' to see the washed out invoice details in full detail:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/Italian-Fattura-fake-invoice-xls.png

FATTURA num. 6655 del 27-=.xls - Current Virus total detections 6/56[1]. Payload Security[2] shows a download from
https ://3eee22abda47 .faith/nvidia4.dvr (VirusTotal 11/61[3])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/...c30b06dbed92b15b312d9fdd914a9cc9395/analysis/
1_FATTURA num. 5999 del 27-06-2017.xls

2] https://www.hybrid-analysis.com/sam...ed92b15b312d9fdd914a9cc9395?environmentId=100
Contacted Hosts
46.173.218.138

3] https://www.virustotal.com/en/file/...bf056d9bacf55a4f957b2c237b83ef619f8/analysis/
nvidia4.dvr

3eee22abda47 .faith: 46.173.218.138: https://www.virustotal.com/en/ip-address/46.173.218.138/information/
> https://www.virustotal.com/en/url/a...f16df4eaccf0792aa90055ca1962dcfeca1/analysis/
___

Protect Your Cloud - from Ransomware
> http://www.darkreading.com/cloud/9-...ud-environment-from-ransomware/d/d-id/1329221
6/27/2017
___

Multiple Petya Ransomware Infections Reported
- https://www.us-cert.gov/ncas/curren...Multiple-Petya-Ransomware-Infections-Reported
June 27, 2017

- http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
June 27, 2017 - "... a new malware variant has surfaced..."

- https://www.helpnetsecurity.com/2017/06/27/petya-ransomware/
June 27, 2017

- http://www.reuters.com/article/us-cyber-attack-idUSKBN19I1TD
Jun 27, 2017 | 4:35pm EDT

- http://www.telegraph.co.uk/news/2017/06/27/ukraine-hit-massive-cyber-attack1/
27 June 2017 • 8:50pm GMT

Fake 'UPS cannot deliver' SPAM, 'Blank Slate' ransomware

FYI...

Fake 'UPS cannot deliver' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/retu...pdated-nemucod-ransomware-and-kovter-payload/
29 Jun 2017 - "The 'UPS failed to deliver' messages have come back... it looks like the Kovter gang have taken advantage of the Petya outbreak to add to the mix. They have updated the nemucod ransomware version to make it, on first look, impossible to decrypt at this time without paying the ransom. Thanks to Michael Gillespie* a well known anti-ransomware campaigner for his assistance and pointing me in the right direction about the new nemucod ransomware version...
* https://twitter.com/demonslay335
If you get infected by this or any other ransomware please check out the ID Ransomware service** which will help to identify what ransomware you have been affected by and offer suggestions for decryption...
** https://id-ransomware.malwarehunterteam.com/index.php

The emails are the same as usual (you only have to look through this blog and search for UPS[1] or FedEx[2] or USPS[3]... hundreds of different examples and subjects)...
1] https://myonlinesecurity.co.uk/?s=UPS

2] https://myonlinesecurity.co.uk/?s=fedex

3] https://myonlinesecurity.co.uk/?s=usps

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/ups_unable_to_deliver.png

... there is a difference in the .js files that are coming in the (attachment) zips... The initial js looks very similar to previous but has much longer vars (var zemk) that is used to download the other files...
Showing a high level of encryption that at this time appears unable to be decrypted without paying the ransom.
This ransom note (or something similar with different links) gets displayed on the victim’s desktop:
>> https://myonlinesecurity.co.uk/wp-content/uploads/2017/06/nemucod_ransomware_instructions.jpg

The original js downloads 3 files - 1 is Kovter as usual, the second is unknown and there is a massive 6.7mb php interpreter. The 2nd file won’t run without the php interpreter. It looks like it also belongs to PHP and both php files together are needed to run the downloaded php counter files to encrypt the computer...
4] https://www.hybrid-analysis.com/sam...0397cb0d907daf30dfdba5e100e?environmentId=100
Contacted Hosts (406)

5] https://jbxcloud.joesecurity.org/analysis/300085/1/html
UPS-Delivery-005156577.doc.js

6] https://www.virustotal.com/en/file/d167368409c3fa244e17cef06eb83174b03fc0397cb0d907daf30dfdba5e100e/analysis/1498629470/
UPS-Delivery-005156577.doc.js
Detection ratio: 9/55

... The Kovter download looks like it works separately to the ransomware but might actually be involved somewhere along the line:
7] https://www.virustotal.com/en/file/...5bc29cfeae402802e382cc92/analysis/1498630707/
da40c167cd75d.png
Detection ratio: 25/62

8] https://www.hybrid-analysis.com/sam...3f05bc29cfeae402802e382cc92?environmentId=100
Contacted Hosts (398)

... Sites involved in this campaign found so far this week:
resedaplumbing .com > 166.62.58.18
modx.mbalet .ru > 95.163.101.104
artdecorfashion .com > 107.180.0.125
eventbon .nl > 109.106.167.212
elita5 .md > 217.26.160.15
goldwingclub .ru > 62.109.17.210
www .gloszp .pl > 87.98.239.19
natiwa .com > 115.84.178.83
desinano .com.ar > 190.183.59.228
amis-spb .ru > 77.222.61.227
perdasbasalti .it > 94.23.64.3
120.109.32.72: https://www.virustotal.com/en/ip-address/120.109.32.72/information/
calendar-del .ru > 77.222.61.227
indexsa.com .ar > 190.183.59.228 ..."
___

'Blank Slate' - malspam campaign -ransomware-
- https://isc.sans.edu/forums/diary/C...+a+malspam+campaign+still+going+strong/22570/
Last Updated: 2017-06-29 - "'Blank Slate' is the nickname for a malicious spam (malspam) campaign pushing -ransomware- targeting Windows hosts... Today I collected 11 Blank Slate emails, so this diary examines recent developments from the Blank Slate campaign. Today's Blank Slate malspam was pushing Cerber and GlobeImposter ransomware... -fake- Chrome pages sent victims zip archives containing malicious .js files designed to infect Windows hosts with ransomware... potential -victims- must open the zip attachment, open the enclosed zip archive, then double-click the final .js file. That works on default Windows configurations..."
(More detail at the isc URL above.)
___

- https://www.bitdefender.com/news/ma...-3330.html?icid=overlay|c|all-pages|goldeneye
Update 6/28 08.00 GMT+3 - "There is mounting evidence that the #GoldenEye / #Petya ransomware campaign might not have targeted financial gains but rather data destruction..."

Fake 'Documents', 'Customer message', 'invoice' SPAM, 'AdGholas' malvertising

FYI...

Fake 'Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoo...nts-malspam-delivers-trickbot-banking-trojan/
5 Jul 2017 - "An email with the subject of 'Important Account Documents' pretending to come from Lloyds bank but actually coming from a look-a-like domain Lloyds Bank Documents <no-reply@ lloydsbankdocs .co.uk> with a malicious word doc attachment... So far we have only found 1 site sending these today:
lloydsbankdocs .co.uk
As usual they are registered via Godaddy as registrar and the emails are sent via IP 37.46.192.51 which doesn’t have any identifying details except AS47869 Netrouting in Netherlands...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/lloyds-Important-Account-Documents.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/lloyds-bank-account-docs.png

AccountDocs.doc - Current Virus total detections 7/57*. Payload Security** shows a download from
http ://pilotosvalencia .com/sergollinhols.png which of course is -not- an image file but a -renamed- .exe file that gets renamed to fsrtat.exe and autorun (VirusTotal 14/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...c0579567dd5e36b878c88379bef593a43f6/analysis/

** https://www.hybrid-analysis.com/sam...dd5e36b878c88379bef593a43f6?environmentId=100
Contacted Hosts
81.169.217.4
167.114.174.158
197.248.210.150


*** https://www.virustotal.com/en/file/...6f99fb280b776de0236a722d39871270a11/analysis/
___

Fake 'Customer message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoo...omer-message-malspam-delivers-banking-trojan/
5 July 2017 - "... delivering banking Trojans is an email with the subject of 'Customer message' pretending to come from 'Nat West Bank' but actually coming from a series of look alike domains - NatWest Bank Plc <alert@ natwest-serv478 .ml> with a malicious word doc attachment... criminals sending these have registered various domains that look-like-genuine bank domains. Normally there are 3 or 4 newly registered domains that imitate-the-bank or some message sending service... we have found 6 but it is highly likely there could be hundreds, because they are -free- domains that don’t need any checkable registration details:
natwest-serv478 .ml > 81.133.163.165
natwest-serv347 .ml > 185.100.68.185
natwest-serv305 .ml > 72.21.246.90
natwest-serv303 .ml > 47.42.101.137
natwest-serv505 .ml > 98.191.98.153
natwest-serv490 .ml > 128.95.65.99
These are registered via freenom .com as registrar and the emails are sent via a series of what are most likely compromised email accounts or mail servers:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/natwest_ip_spam_list.png

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/natwest-customer-message.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/message_payment283_doc.png

message_payment283.doc - Current Virus total detections 9/56*. Payload Security** shows a download from
http ://armor-conduite .com/34steamballons.png which of course is -not- an image file but a renamed .exe file that gets renamed to nabvwhy.exe and autorun (VirusTotal 16/62***) which is a slightly different -Trickbot- payload... An alternative download location is
http ://teracom .co.id/34steamballons.png ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...702392378cb20a0e26878242/analysis/1499266638/
message_payment283.doc

** https://www.hybrid-analysis.com/sam...530702392378cb20a0e26878242?environmentId=100
Contacted Hosts
202.169.44.149
94.42.91.27


*** https://www.virustotal.com/en/file/...87e61978f2d5449d79556e04342f508ff7f/analysis/
nabvwhy.exe

armor-conduite .com: 193.227.248.241: https://www.virustotal.com/en/ip-address/193.227.248.241/information/
> https://www.virustotal.com/en/url/9...6a754f5144e5f27dfcacfcd75e172d62e47/analysis/

teracom .co.id: 202.169.44.149: https://www.virustotal.com/en/ip-address/202.169.44.149/information/
> https://www.virustotal.com/en/url/9...35511be0f6f464d42d114c41d4ee16add04/analysis/
___

'AdGholas' malvertising ...
- https://blog.malwarebytes.com/cyber...rtising-thrives-shadows-ransomware-outbreaks/
July 5, 2017 - "... other threat actors have been quite active and perhaps even enjoyed this complimentary diversion. This is certainly true for the most prolific -malvertising- gang of the moment, dubbed 'AdGholas'... A master of disguise, AdGholas has been flying right under the nose of several top ad networks while benefiting from the ‘first to move’ effect. Indeed, the -malvertising- operators are able to quickly roll out and activate a -fake- advertising infrastructure for a few days before getting banned...
> https://blog.malwarebytes.com/wp-content/uploads/2017/06/certs.png
... We collected artifacts that show us the redirection between the AdGholas group and the Astrum exploit kit. This kind of -redirect- is highly conditional in order to evade the majority of ad scanners. While many malvertising actors do not care about cloaking, it is very important to others such as AdGholas because stealthiness is a strength that contributes to its longevity...
IOCs:
AdGholas:
expert-essays[.]com
jet-travels[.]com
5.34.180.73
162.255.119.165

Astrum Exploit Kit:
uniy[.]clamotten[.]com
comm[.]clamotten[.]com
comp[.]computer-tutor[.]info
lexy[.]computer-tutor[.]info
sior[.]ccnacertification[.]info
kvely[.]our-health[.]us
nuent[.]mughalplastic[.]com
mtive[.]linksaffpixel[.]com
cons[.]pathpixel[.]com
sumer[.]pathlinkaff[.]com
nsruc[.]ah7xb[.]com
ction[.]ah7xb[.]com
nstru[.]onlytechtalks[.]com
const[.]linksaffpixel[.]com
quely[.]onlytechtalks[.]com
coneq[.]modweave[.]com
94.156.174.11 ..."
(More detail at the malwarebytes URL above.)
___

Fake 'invoice' SPAM - delivers java adwind malware
- https://myonlinesecurity.co.uk/fake-invoices-spreading-java-adwind/
4 Jul 2017 - "... fake 'invoices' rather than their more usual method of fake 'MoneyGram' or 'Western Union money transfer' reports or updates...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/due-invoices.png

Payment Dunmore 27.26.170001.jar (566kb) - Current Virus total detections 12/58*. MALWR**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...4901d8fbf29590563a6d8004/analysis/1499145423/

** https://malwr.com/analysis/ZTI2MTE2MjIwYzBlNGNmNGIxMWMwZTBiNWE0NmNlNGE/

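The posts above publish their indicators in several defanged styles: "domain .tld > IP" (the nemucod/Kovter site list), "http ://host .tld/path" (download locations), and "name[.]domain[.]tld" (the AdGholas / Astrum IOC list). To turn those lists into a blocklist a defender has to refang and normalise them first. The script below is an added example for this thread, not code from the forum poster or from the blogs quoted; the sample lines are copied from the posts above, and the refanging rules it handles are exactly the conventions visible in this thread (space before the dot, space inside "http ://", bracketed dots, and hxxp) and nothing else.

```python
import re
from urllib.parse import urlsplit

# Indicator lines in the defanged styles used in this thread (copied from the posts above).
SAMPLE_LINES = [
    "resedaplumbing .com > 166.62.58.18",
    "modx.mbalet .ru> 95.163.101.104",
    "www .gloszp .pl > 87.98.239.19",
    "http ://tag27 .com/08345ug? > 162.210.102.220",
    "https ://3eee22abda47 .faith/nvidia4.dvr",
    "http ://185.117.73.105 /bofasup.exe",
    "expert-essays[.]com",
    "uniy[.]clamotten[.]com",
    "5.34.180.73",
    "dhl-invoice .com",
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Hostname: dot-separated labels, alphabetic top-level label of 2+ characters.
HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def refang(token: str) -> str:
    """Undo the defanging conventions seen in the thread: 'http ://', 'host .tld', '[.]', 'hxxp'."""
    t = token.strip()
    # "http ://" / "hxxps://" -> "http://" / "https://"
    t = re.sub(r"^(hxxps?|https?)\s*:\s*//",
               lambda m: m.group(1).lower().replace("xx", "tt") + "://", t, flags=re.I)
    t = t.replace("[.]", ".").replace("(.)", ".")   # "expert-essays[.]com"
    t = re.sub(r"\s+\.", ".", t)                    # "deadsocial .com"
    t = re.sub(r"\s+/", "/", t)                     # "185.117.73.105 /bofasup.exe"
    return t


def parse_line(line: str):
    """Parse one 'indicator [> ip]' line into {host, ip, url}; None if nothing recognisable."""
    left, _, right = line.partition(">")
    left = refang(left)
    right = right.strip()
    ip = right if IPV4_RE.match(right) else None
    url = None
    if re.match(r"^https?://", left, re.I):
        url = left
        host = urlsplit(left).hostname or ""
    else:
        host = left.lower()
    if IPV4_RE.match(host):          # a bare IP (or an IP-based URL) carries no hostname
        ip = ip or host
        host = None
    elif not HOST_RE.match(host):    # free text, headings, etc.
        return None
    return {"host": host.lower() if host else None, "ip": ip, "url": url}


def build_blocklist(lines):
    """Aggregate indicator lines into sorted host and IP lists plus a host -> IPs mapping."""
    hosts, ips, host_to_ip = set(), set(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"]:
            hosts.add(rec["host"])
        if rec["ip"]:
            ips.add(rec["ip"])
        if rec["host"] and rec["ip"]:
            host_to_ip.setdefault(rec["host"], set()).add(rec["ip"])
    return {"hosts": sorted(hosts), "ips": sorted(ips), "host_to_ip": host_to_ip}


def is_blocked(value: str, blocklist) -> bool:
    """True if value (hostname or IP, e.g. from proxy/DNS logs) matches an IP, a host or a parent domain."""
    v = refang(value).lower().rstrip(".")
    if v in blocklist["ips"]:
        return True
    hosts = set(blocklist["hosts"])
    parts = v.split(".")
    # Check the name and every parent domain, but never the bare TLD.
    return any(".".join(parts[i:]) in hosts for i in range(len(parts) - 1))


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_LINES)
    print("hosts:", bl["hosts"])
    print("ips:", bl["ips"])
    for h, addrs in sorted(bl["host_to_ip"].items()):
        print(f"{h} -> {', '.join(sorted(addrs))}")
    print("www.tag27.com blocked:", is_blocked("www.tag27.com", bl))
```

The host/IP pairs are kept separately from the bare host and IP sets because, as the posts note, several of these sites are compromised legitimate hosts on shared hosting: blocking the hostname is usually safe, blocking the IP may not be, and keeping the mapping lets you decide per entry.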
Fake 'wire request', 'eFax' SPAM

FYI...

Fake 'wire request' SPAM - delivers banking trojan
- https://myonlinesecurity.co.uk/fake...ful-malspam-delivers-chthonic-banking-trojan/
6 Jul 2017 - "An email with the subject of 'The wire request is unsuccessful!' pretending to come from Billing Support using random senders & email addresses with a malicious word doc attachment delivers Chthonic banking trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/billing-support.png

printed_ty_0717.doc - Current Virus total detections 12/58*. Payload Security** shows a download from
http ://185.117.73.105 /bofasup.exe (VirusTotal 13/57***)... alternative doc detections [1] [2]. Other download locations include: (there are 3 download locations hard coded in the macro):
http ://185.45.192.116 /bofasup.exe
http ://185.117.72.251 /bofasup.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...c4a1e0e2a707e274d7392e3e/analysis/1499318502/

** https://www.hybrid-analysis.com/sam...521c4a1e0e2a707e274d7392e3e?environmentId=100

*** https://www.virustotal.com/en/file/...c19ccc09646b38312b16e7f8cfa9a7ee397/analysis/
bofasup.exe

1] https://www.virustotal.com/en/file/...d747bf537fd1e2326823697c61a108a3968/analysis/
printed_copy_da_0717.doc
Detection ratio: 13/57

2] https://www.virustotal.com/en/file/...bda5cfd9046115dfc4945e63/analysis/1499319821/
copy_wt_0717.doc
Detection ratio: 11/57
___

Fake 'eFax' SPAM - malicious doc/xls attachment
- https://myonlinesecurity.co.uk/more-faked-e-fax-messages-spoofing-nest-pensions-delivers-malware/
6 Jul 2017 - "... spoofed eFax message from 1 month ago[1], the same gang are using a similar range of fake e-faxcorporatexxx.top domains to send these malspam emails. Today’s comes with the usual typical subject of 'eFax message from “0300 200 3822” – 2 page(s)' coming from eFax <message@ e-faxcorporate102 .top> with a malicious word doc attachment which delivers some sort of malware...
1] https://myonlinesecurity.co.uk/fake...am-delivers-smoke-sharik-dofoil-and-trickbot/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/efax_nest.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/securemessagedoc_nest.png

SecureMessage.doc - Current Virus total detections 6/57*... Joesandbox** shows a download from
http ://5.149.252.155 /parcelon13.exe (VirusTotal 15/63***)...
This email attachment contains what appears to be a genuine word doc -or- Excel XLS spreadsheet with either a macro script -or- an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...59f0bd2d211ae043f8a3b85c/analysis/1499264264/
SecureMessage.doc

** https://jbxcloud.joesecurity.org/analysis/304760/1/html

*** https://www.virustotal.com/en/file/...9b37b17d2263589cec6cc3c3/analysis/1499306577/

e-faxcorporate102 .top: 46.8.221.104: https://www.virustotal.com/en/ip-address/46.8.221.104/information/

Fake 'BACs documents' SPAM

FYI...

Fake 'BACs documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake...nts-malspam-delivers-trickbot-banking-trojan/
7 Jul 2017 - "An email with the subject of 'FW: Important BACs documents' pretending to come from Royal Bank of Scotland but actually coming from a look-a-like domain <Secure.Delivery@ rbsdocs .co.uk> with a -link- to a malicious zip attachment containing a .js file... delivering Trickbot banking Trojan... criminals sending these have registered various domains that look like genuine Bank domains. Normally there are 3 or 4 newly registered domains that -imitate- the bank or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far we have only found 1 domain today:
rbsdocs .co.uk > 160.153.162.130
As usual they are registered via Godaddy as registrar and hosted by Godaddy on ip 160.153.162.130 but the emails are being sent via host Europe 85.93.88.125...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/rbs_bacs_trickbot.png

Rbs_Account_BACs.js - Current Virus total detections 1/57*. Payload Security** shows a download from
http ://mutfakdolabisitesi .com/grandsergiostalls.png which of course is -not- an image file but a renamed .exe file that gets renamed to qkY5ijY.exe and autorun (VirusTotal 12/64***)... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...b0b3b4e3e716fc0bbb541e8d/analysis/1499423876/
Rbs_Account_BACs.js

** https://www.hybrid-analysis.com/sam...1ebb0b3b4e3e716fc0bbb541e8d?environmentId=100
Contacted Hosts
46.235.11.61
50.19.227.215
37.120.182.208
78.47.139.102


*** https://www.virustotal.com/en/file/...e3b7e928b554467a553ab36e/analysis/1499422646/

mutfakdolabisitesi .com: 46.235.11.61: https://www.virustotal.com/en/ip-address/46.235.11.61/information/
> https://www.virustotal.com/en/url/f...02fd779f4f31f312199fa533ac9233eb157/analysis/

rbsdocs .co.uk: 160.153.162.130: https://www.virustotal.com/en/ip-address/160.153.162.130/information/
> https://www.virustotal.com/en/url/8...2b9886695c375ce26c958d6a75646e8dfec/analysis/
___

'Facebook Lottery' - Scam
- https://myonlinesecurity.co.uk/facebook-lottery-scam/
7 Jul 2017 - "'Oh look I have won the Facebook Lottery', or might have done if there actually was such a thing. Unfortunately it is all a big scam. If you were unwise enough to reply, all you would get is a request for a sum of money for Post & packing and the transfer fee for the money. To make it more attractive than usual, apart from the just over $1m money they are giving you a Facebook cap, tee shirt and wallet, 'Wow! how exciting!'. To show how clueless or how they don’t filter or check email addresses they send to, this was sent to a spam-trap-email address...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/facebook-lottery.png

Email Headers:
124.153.79.193 - mailgw.notvday .in...
188.207.76.172 - static.kpn .net...

:fear::fear: :mad:
 
Fake 'Delivery Status', 'Secure Communication' SPAM

FYI...

Fake 'Delivery Status' SPAM - delivers ransomware
- https://myonlinesecurity.co.uk/new-...mails-pretending-to-be-email-bounce-messages/
10 July 2017 - "We were notified of a new ransomware version* last night. This new version comes as an email attachment which is a zip inside a zip before extracting to a .js file in a -fake- 'Delivery Status Notification, failed to deliver' email bounce message. The .js file in the email attachment is a PowerShell -script- and there are no other files involved. Nothing new is downloaded. When the files are encrypted they DO NOT change file name or extensions and appear “normal” to the victim until you try to open them. This is the same behaviour we have been seeing with the recent 'UPS failed to deliver'** nemucod ransomware versions...
* https://twitter.com/SecGuru_OTX/status/884136470910562304

** https://myonlinesecurity.co.uk/retu...pdated-nemucod-ransomware-and-kovter-payload/

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/powershell_ransomware_email-1.png

There is also a section in the script... causes a fake pop up message making the victim think that the file isn’t running properly:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/allocated_resource_not_found-1.png

After the file has run and encrypted your files, you get a message left called _README-Encrypted-Files .html:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/powershell_ransomware_note.jpg

As well as encrypting the usual image, music, video and document files this also encrypts databases files, email, and very unusually many executable file types. It also encrypts your bitcoin wallet and other similar financial files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustotal.com/en/file/...d952168f9e2d43f76881300c/analysis/1499666506/
Readable Msg-j8k5b798d4.js

2] https://www.reverse.it/sample/7a6d5...fafd952168f9e2d43f76881300c?environmentId=100
Readable Msg-j8k5b798d4.js

The sender domain is also the C2 http ://joelosteel .gdn/pi.php currently hosted by digitalocean .com on 165.227.1.206 ..."

joelosteel .gdn: 165.227.1.206: https://www.virustotal.com/en/ip-address/165.227.1.206/information/
> https://www.virustotal.com/en/url/6...2667c44c830a5b4753f336e8f0acb66e150/analysis/
___

Fake 'Secure Communication' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/yet-...n-malspam-delivering-trickbot-banking-trojan/
10 Jul 2017 - "An email with the subject of 'Secure Communication' pretending to come from HM Revenue & Customs but actually coming from a look-alike-domain < Secure.Communication@ hrmccommunication .co.uk > with a malicious word doc attachment... delivering Trickbot banking Trojan... a very important site involved in today’s campaign with images being hosted on www .libdemvoice .org/wp-content/uploads/2012/06/HMRC-logo-300×102.jpg... they have been hosting an HMRC logo since 2012...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/hmrc_10_july.png

HMRC3909308823743.doc - Current Virus total detections 6/57*. Payload Security** shows a download from one of these 2 locations:
http ://pilotosvalencia .com/grazlocksa34.png -or- http ://ridderbos .info/grazlocksa34.png
which of course is -not- an image file but a renamed .exe file that gets renamed to Sonqa.exe and
autorun (VirusTotal 10/63***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...712ef16a9f3f6d2e3d64e56c/analysis/1499682599/

** https://www.hybrid-analysis.com/sam...58c712ef16a9f3f6d2e3d64e56c?environmentId=100
Contacted Hosts
81.169.217.4
107.22.214.64
93.99.68.140
195.133.197.179


*** https://www.virustotal.com/en/file/...93feb5a1e0ebc92f0f03ef2d1014ff8c9cf/analysis/

pilotosvalencia .com: 81.169.217.4: https://www.virustotal.com/en/ip-address/81.169.217.4/information/
> https://www.virustotal.com/en/url/4...667882420bdcdf101e58decee449cb1a61a/analysis/

ridderbos .info: 84.38.226.82: https://www.virustotal.com/en/ip-address/84.38.226.82/information/
> https://www.virustotal.com/en/url/e...c1ab859cb2099ee59f2877f15677765e526/analysis/

libdemvoice .org: 104.28.31.9: https://www.virustotal.com/en/ip-address/104.28.31.9/information/
104.28.30.9: https://www.virustotal.com/en/ip-address/104.28.30.9/information/

:fear::fear: :mad:
 
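Two of the reports in the post above turn on the same point: a download served as "grazlocksa34.png" that is really a renamed .exe, and a ransomware that encrypts files in place without touching their names or extensions. Both are caught by judging a file by its header bytes rather than its name. The following is an added example, not code from the original post or from myonlinesecurity.co.uk; the signature table, the entropy threshold and all sample bytes are constructed assumptions.

```python
"""Judge a file by its header bytes rather than its name.

Added example (not code from the original post or from myonlinesecurity.co.uk).
It covers two patterns the post describes: a download such as grazlocksa34.png
that is really a renamed .exe, and a ransomware that encrypts files in place
while leaving their names and extensions untouched. All sample bytes are
constructed inline; the signature table and entropy threshold are assumptions.
"""
import math
import os
from collections import Counter

# (types, offset, signature): the first type name is the canonical label.
# Magic numbers for the formats the post mentions; constructed table.
SIGNATURES = [
    (("png",), 0, b"\x89PNG\r\n\x1a\n"),
    (("jpg", "jpeg"), 0, b"\xff\xd8\xff"),
    (("pdf",), 0, b"%PDF-"),
    (("exe", "dll"), 0, b"MZ"),                                 # PE / DOS stub
    (("doc", "xls"), 0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),    # OLE2 compound file
    (("docx", "xlsx", "zip", "jar"), 0, b"PK\x03\x04"),         # OOXML and JARs are zips
    (("ace",), 7, b"**ACE**"),                                   # ACE archive marker
]
KNOWN_EXTS = {ext for types, _, _ in SIGNATURES for ext in types}
ENTROPY_THRESHOLD = 7.5   # assumed: bits per byte; plain documents sit well below this


def header_types(data: bytes):
    """Return the tuple of type names whose magic bytes match, or () if none do."""
    for types, off, sig in SIGNATURES:
        if data[off:off + len(sig)] == sig:
            return types
    return ()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(name: str, data: bytes) -> str:
    """Classify one file by comparing its extension with what the bytes say.

    'ok'            header agrees with the extension
    'disguised:<t>' header belongs to type <t> but the name claims otherwise
                    (the renamed-exe-as-png case)
    'opaque'        extension promises a known header, none is present and the
                    bytes look random (the encrypted-in-place case)
    'unknown'       nothing to say (unrecognised extension or low entropy)
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    found = header_types(data)
    if ext in found:
        return "ok"
    if found:
        return "disguised:" + found[0]
    if ext in KNOWN_EXTS and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "opaque"
    return "unknown"


def sweep(samples: dict) -> dict:
    """Map name -> verdict for every sample whose verdict is not 'ok'."""
    verdicts = {name: assess(name, data) for name, data in samples.items()}
    return {name: v for name, v in verdicts.items() if v != "ok"}


def scan_directory(root: str, head: int = 4096) -> dict:
    """Run sweep() over the first `head` bytes of every file below `root`."""
    samples = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    samples[path] = fh.read(head)
            except OSError:
                continue
    return sweep(samples)


# Constructed samples: a real PNG header, a PE stub served as ".png", a .docx
# and an .exe overwritten with uniformly distributed bytes, a genuine ACE archive.
RANDOM_LIKE = bytes(range(256)) * 16        # entropy exactly 8.0 bits/byte
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 24,
    "grazlocksa34.png": b"MZ\x90\x00" + b"\x00" * 60,
    "report.docx": RANDOM_LIKE,
    "setup.exe": RANDOM_LIKE,
    "bank detailes copy.xls.ace": b"\x00" * 7 + b"**ACE**" + b"\x00" * 8,
    "notes.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, verdict in sweep(SAMPLES).items():
        print(f"{verdict:<14} {name}")
```

An "opaque" verdict on a .exe is exactly what the post warns about: this ransomware encrypts executables too, so a PE that no longer starts with MZ is a stronger signal than a changed extension would be.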
JAVA_ADWIND telemetry

FYI...

JAVA_ADWIND - Trend Micro telemetry
> http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat/
July 11, 2017 - "... our telemetry for JAVA_ADWIND... the malware has had a steady increase in detections since the start of the year. From a mere 5,286 in January 2017, it surged to 117,649 in June. It’s notable, too, that JAVA_ADWIND detections from May to June, 2017 increased by 107%, indicating that cybercriminals are actively pushing and distributing the malware...
JAVA_ADWIND detections from January to June, 2017:
> https://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/07/jrat-adwind-spam-1.jpg
... a Java EXE, dynamic-link library (DLL) and 7-Zip installer will be fetched from a domain that we uncovered to be a file-sharing platform abused by the spam operators:
hxxps ://nup[.]pw/DJojQE[.]7z
hxxp ://nup[.]pw/e2BXtK[.]exe
hxxps ://nup[.]pw/9aHiCq[.]dll ...
... it appears to have the capability to check for the infected system’s internet access. It can also perform reflection, a dynamic code generation in Java. The latter is a particularly useful feature in Java that enables developers/programmers to dynamically inspect, call, and instantiate attributes and classes at runtime. In cybercriminal hands, it can be -abused- to evade static analysis from traditional antivirus (AV) solutions...
Indicators of Compromise:
Files and URLs related to Adwind/jRAT:
hxxp ://ccb-ba[.]adv[.]br/wp-admin/network/ok/index[.]php
hxxp ://www[.]employersfinder[.]com/2017-MYBA-Charter[.]Agreement[.]pif
hxxps ://nup[.]pw/e2BXtK[.]exe
hxxps ://nup[.]pw/Qcaq5e[.]jar ..."

nup .pw: 149.210.145.237: https://www.virustotal.com/en/ip-address/149.210.145.237/information/
> https://www.virustotal.com/en/url/9...ff2aba3be888f6c06d6649a2d88bc5a6033/analysis/

employersfinder .com: 198.38.91.121: https://www.virustotal.com/en/ip-address/198.38.91.121/information/
> https://www.virustotal.com/en/url/f...c06403a6f02a20e17f79fcbfda358c59e9e/analysis/

ccb-ba .adv.br: 50.116.112.205: https://www.virustotal.com/en/ip-address/50.116.112.205/information/
> https://www.virustotal.com/en/url/7...74d1d117a6ace1fbec47cab9b5aafb30c44/analysis/

:fear::fear: :mad:
 
Fake 'Confidential Documents' SPAM

FYI...

Fake 'Confidential Documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoo...nts-malspam-delivers-trickbot-banking-trojan/
13 July 2017 - "An email with the subject of 'Confidential Documents' pretending to come from Lloyds Bank but actually coming from a look-a-like domain <noreply@ lloydsconfidential .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-c.../lloyds-bank-confidential-documents-email.png

... they are asking you to insert an authorisation code or password... (but) there is -no- option in this word doc to do that. The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/protected_doc.png

Protected.doc - Current Virus total detections 5/58*. Payload Security** shows a download from
http ://armor-conduite .com/geroi.png which of course is -not- an image file but a renamed .exe file that gets renamed to Tizpvu.exe and autorun (VirusTotal 9/63***). An alternative download location is
http ://kgshrestha .com.np/geroi.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...5a7823562fca85e87c740b84/analysis/1499942591/

** https://www.hybrid-analysis.com/sam...7f19f630acf9a02f9c48e7f40a7?environmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86


*** https://www.virustotal.com/en/file/...92bf3087f6152c45d7da9a70/analysis/1499942505/

armor-conduite .com: 193.227.248.241: https://www.virustotal.com/en/ip-address/193.227.248.241/information/
> https://www.virustotal.com/en/url/f...d4365552f83d00429b46b30760efc6ee1d6/analysis/

kgshrestha .com.np: 74.200.89.84: https://www.virustotal.com/en/ip-address/74.200.89.84/information/
> https://www.virustotal.com/en/url/2...8affeedcbca89e774b4fa8f6fa35b9ffcb1/analysis/

:fear::fear: :mad:
 
Fake 'Secure message' SPAM

FYI...

Fake 'Secure message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-sage-outdated-invoice-malspam-delivers-trickbot/
14 Jul 2017 - "An email with the subject of 'Secure email message' pretending to come from Sage Invoice but actually coming from a look-a-like domain <noreply@ sage-invoice .com> with a malicious word doc attachment... delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/sage-outdated-invoice.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/sageInvoice_doc.png

SageInvoice.doc - Current Virus total detections 4/57*. Payload Security** shows a download from
http ://ridderbos .info/sergiano.png which of course is -not- an image file but a renamed .exe file that gets renamed to Pmkzc.exe and autorun (VirusTotal 8/61***)... An alternative download location is
http ://kgshrestha .com.np/sergiano.png ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...1cfdb89f6892fcb81954b435/analysis/1500038647/

** https://www.hybrid-analysis.com/sam...7f19f630acf9a02f9c48e7f40a7?environmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86


*** https://www.virustotal.com/en/file/...486ce11319a9a8f6fa83945c/analysis/1493725297/

ridderbos .info: 84.38.226.82: https://www.virustotal.com/en/ip-address/84.38.226.82/information/
> https://www.virustotal.com/en/url/9...769eba4e15a1b1a601ba09e3407ba29cb3b/analysis/

kgshrestha .com.np: 74.200.89.84: https://www.virustotal.com/en/ip-address/74.200.89.84/information/
> https://www.virustotal.com/en/url/d...bf1bafa0e523750216652e29cbeee1b4263/analysis/

:fear::fear: :mad:
 
Fake 'payment slip' SPAM

FYI...

Fake 'payment slip' SPAM - delivers malware
- https://myonlinesecurity.co.uk/fake...ttachment-delivers-malware-and-a-jrat-trojan/
18 Jul 2017 - "... an email with the subject of 'payment slip' ... pretending to come from random companies, names and email addresses with an ACE attachment (ACE files are a sort of zip file that normally needs special software to extract. Windows and winzip do not natively extract them) which delivers some malware... it has some indications of fareit Trojan. This also has a jrat java.jar file attachment...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/payment-slip.png

> Attachments: bank detailes copy.xls.ace -and- TT COPY MBUNDU GISA 740,236 USD.jar

bank detailes copy.xls.ace: Extracts to: bank detailes copy.xls.exe - Current Virus total detections 6/63*
Payload Security**

TT COPY MBUNDU GISA 740,236 USD.jar - Current Virus total detections 2/59[3]. Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...6ab3531901da32daf869fd28/analysis/1500351301/

** https://www.hybrid-analysis.com/sam...e466ab3531901da32daf869fd28?environmentId=100
HTTP Traffic
104.69.49.57

3] https://www.virustotal.com/en/file/...6068412e3dcc70ffea95e1380b0a79e7698/analysis/

4] https://www.hybrid-analysis.com/sam...3dcc70ffea95e1380b0a79e7698?environmentId=100
Contacted Hosts
174.127.99.198

:fear::fear: :mad:
 
Fake blank-subject, 'Invoices', 'RFQ' SPAM, Bots - searching...

FYI...

Fake blank-subject SPAM - downloads Trickbot
- https://myonlinesecurity.co.uk/trickbot-downloaded-via-vbs-email-blank-subject-noreply/
18 July 2017 - "... Trickbot downloaders... from noreply@ random email addresses (all spoofed). Has a -blank- subject line and a zip attachment containing a VBS file...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/trickbot_vbs_email.png

doc00042714507507789135.zip extracts to: doc000799723147922720821.vbs - Current Virus total detections 9/57*.
Payload Security** shows a download of an encrypted text file from
http ://pluzcoll .com/56evcxv? which is converted to nbVXsSxirbe.exe (VirusTotal 31/63***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...bc6e33851b26e8c8a47fd6d8/analysis/1500373606/

** https://www.hybrid-analysis.com/sam...9b9bc6e33851b26e8c8a47fd6d8?environmentId=100
Contacted Hosts
210.1.58.190
107.20.242.236


*** https://www.virustotal.com/en/file/...4c719822dd17dd19feb31f3c620294f838c/analysis/

pluzcoll .com: 210.1.58.190: https://www.virustotal.com/en/ip-address/210.1.58.190/information/
> https://www.virustotal.com/en/url/b...35cb9dda67277760818da4e5b8761419e51/analysis/
___

Fake 'Invoices' SPAM - deliver Trickbot
- https://myonlinesecurity.co.uk/multiple-campaigns-delivering-trickbot-banking-trojan/
19 July 2017 - "... pdf attachments that drop a malicious macro enabled word doc that delivers Trickbot...
today we have seen 3 different campaigns and subjects all eventually leading to the same Trickbot payload..."
___

Fake 'RFQ' SPAM - delivers java adwind
- https://myonlinesecurity.co.uk/spoo...-heavy-machinery-co-ltd-delivers-java-adwind/
19 July 2017 - "... emails containing java adwind or Java Jacksbot attachments...
Screenshot: https://myonlinesecurity.co.uk/wp-c...uotation-from-Sino-Heavy-Machinery-Co-Ltd.png ..."
___

Bots - searching for Keys & Config Files
- https://isc.sans.edu/diary/22630
2017-07-19 - "... yesterday, I found a -bot- searching for... interesting files: configuration files from popular tools and website private keys. Indeed, file transfer tools are used by many webmasters to deploy files on web servers and they could theoretically leave juicy data amongst the HTML files... Each file was searched with a different combination of lower/upper case characters... This file could contain references to hidden applications (This is interesting to know for an attacker)..."
(More detail at the isc URL above.)

:fear::fear: :mad:
 
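The ISC item above describes a bot requesting deployment-tool config files and private keys from web roots, trying each name under several upper/lower-case spellings. The script below is an added example, not code from the ISC diary or the original post: it parses constructed access-log lines, matches requests against an assumed watch-list case-insensitively, singles out clients that vary the case of the same name, and separates the probes the server actually answered with 200 (those files are leaked, not merely probed).

```python
"""Spot a bot probing a web root for deployment-tool configs and private keys.

Added example (not code from the ISC diary or the original post). The log lines
are constructed, and the watch-list is an assumed starting set of file names of
the kind the diary describes (file-transfer/deployment configs, key material);
extend it with whatever your own tooling leaves behind.
"""
import re
from collections import defaultdict

# Assumed watch-list: compared case-insensitively against the request path.
WATCHLIST = {
    "sftp-config.json",      # editor SFTP/FTP deployment plugins
    ".ftpconfig",
    ".vscode/sftp.json",
    "deployment-config.json",
    "wp-config.php",
    ".env",
    ".git/config",
    "id_rsa",
    "id_dsa",
    "server.key",
    "privatekey.pem",
}

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def is_sensitive(path: str) -> bool:
    """True if the path names a watch-listed file, whatever its case spelling."""
    p = path.lower().lstrip("/")
    return any(p == w or p.endswith("/" + w) for w in WATCHLIST)


def analyse(lines):
    """Walk the log once and return three findings.

    hits          every request for a watch-listed name
    case_scanners IPs that asked for the same name under more than one
                  upper/lower-case spelling (the behaviour the diary describes)
    exposed       hits the server answered with 200, i.e. the file really was
                  reachable and must be treated as leaked
    """
    hits = []
    spellings = defaultdict(set)          # (ip, lowercase path) -> spellings seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sensitive(rec["path"]):
            continue
        hits.append(rec)
        spellings[(rec["ip"], rec["path"].lower())].add(rec["path"])
    case_scanners = sorted({ip for (ip, _), seen in spellings.items() if len(seen) > 1})
    exposed = [rec for rec in hits if rec["status"] == 200]
    return hits, case_scanners, exposed


# Constructed sample log (documentation-range IPs, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2017:08:01:12 +0000] "GET /sftp-config.json HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jul/2017:08:01:13 +0000] "GET /SFTP-CONFIG.JSON HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jul/2017:08:01:13 +0000] "GET /Sftp-Config.json HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jul/2017:08:01:14 +0000] "GET /.ftpconfig HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jul/2017:08:01:15 +0000] "GET /ID_RSA HTTP/1.1" 200 1675 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jul/2017:08:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jul/2017:08:02:01 +0000] "GET /images/logo.png?v=3 HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits, scanners, exposed = analyse(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} probes; case-varying scanners: {scanners}")
    for rec in exposed:
        print("EXPOSED:", rec["ip"], rec["path"])
```

On a case-insensitive filesystem (or a server configured to serve paths case-insensitively) every spelling the bot tries resolves to the same file, which is why the lowercase comparison rather than an exact-path match is the right test.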
Fake 'eFax', various subjects SPAM

FYI...

Fake 'eFax' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/efax...931-malspam-delivers-trickbot-banking-trojan/
20 July 2017 - "... Trickbot malspams... an email with the subject of 'eFax message from 8473365403' – 1 page(s), Caller-ID: 44-020-3136-4931 pretending to come from eFax but actually coming from a look-a-like domain <message@ efax-download .com> with a malicious word doc attachment... they are registered via Godaddy as registrar hosted on 160.153.16.19 and the emails are sent via AS8972 Host Europe GmbH 85.93.88.109. These are registered with what are obviously -fake- details...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/eFax-download_spam_email.png

... The -link- in the email body goes to
https ://efax-download .com/pdx_did13-1498223940-14407456340-60
where you see a page like this with-a-link to download the actual malware binary
https ://efax-download .com/14407456340-60.zip, extracting to 14407456340-60.exe
The page tries initially to automatically download 14407456340-60.pdf.exe (VirusTotal 3/64*).
Payload Security[2]...
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/efax-download.png

DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...127b619efad978b3bc7fc37a/analysis/1500552776/
14407456340-60.pdf.exe

** https://www.hybrid-analysis.com/sam...0d7127b619efad978b3bc7fc37a?environmentId=100

efax-download .com: 160.153.16.19: https://www.virustotal.com/en/ip-address/160.153.16.19/information/
> https://www.virustotal.com/en/url/7...db6231156d8f209eb850186d85bab7c7ed5/analysis/
___

Fake various subjects SPAM - deliver Trickbot, fake flashplayer
- https://myonlinesecurity.co.uk/tric...and-a-fake-flashplayer-from-pastebin-adverts/
20 July 2017 - "... Trickbot banking Trojan campaign comes in an email with varying subjects including:
paper
doc
scan
invoice
documents
Scanned Document
receipt
order
They are all coming from random girls names at random email addresses. There is a zip attachment containing a VBS file...
Download sites found so far are listed on:
- https://pastebin.com/MGAVB1uz // Thanks to Racco42*

* https://twitter.com/Racco42
> Beware - for some reason the pastebin link is giving me -diverts- to a scumware site trying to download a -fake-flashplayer-hta-file (VirusTotal 17/58[1]) (Payload Security [2])
https ://uubeilisthoopla .net/85123457821940/be74be7a58e47c2837f71295a31d1533/24c3df3c0fe3c937281c3d8d7427e1da.html
which downloads
https ://uubeilisthoopla .net/85123457821940/1500548202679984/FlashPlayer.jse
(VirusTotal 4/58[3]) (Payload Security [4])...
1] https://www.virustotal.com/en/file/...c07e4e9803284af24174f3c7/analysis/1500548514/
FlashPlayer.hta

2] https://www.hybrid-analysis.com/sam...f56c07e4e9803284af24174f3c7?environmentId=100
Contacted Hosts
209.126.113.203

3] https://www.virustotal.com/en/file/...00ab92f38731061da27604d0/analysis/1500549163/
FlashPlayer.jse

4] https://www.hybrid-analysis.com/sam...b4500ab92f38731061da27604d0?environmentId=100
Contacted Hosts
209.126.113.203
192.35.177.195


uubeilisthoopla .net: 209.126.113.203: https://www.virustotal.com/en/ip-address/209.126.113.203/information/
> https://www.virustotal.com/en/url/1...979111c83281a93900f9f59828d18720942/analysis/

:fear::fear: :mad:
 
Fake 'Voice Message' SPAM, Botnet - 500,000 infected machines

FYI...

Fake 'Voice Message' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoo...ble-malspam-delivers-trickbot-banking-trojan/
21 Jul 2017 - "... coming via the Necurs -botnet- is an email with the subject of 'Voice Message Attached from 01258895166' – name unavailable [random numbered] pretending to come from vm@ unlimitedhorizon .co.uk with a zip attachment...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/voice_message_unlimited-horizon.png

01258895166_6382218_592164.zip: Extracts to: 01258861149_20170411_185381.wsf
Current Virus total detections 2/58*. Payload Security** shows a download from
http ://avocats-france-maroc .com/sdfgdsg1? which gave a js file (VirusTotal 7/57[3]) (Payload Security[4]) which contacts a list-of-sites and should download an encrypted text file which is converted by the js file to the Trickbot binary. However, Payload Security[4] couldn’t get anything. The sites I can see in -this- js file are:
aprendersalsa .com/nhg67r? – artegraf .org/nhg67r? – asheardontheradiogreens .com/nhg67r?
asuntomaailma .com/nhg67r?... It will probably be similar to an earlier Trickbot version...
Thanks to Racco42[5] who has found the download sites and payload - PasteBin[6].
> Caution: we have been seeing fake flashplayer downloads & diverts via malicious ads on pastebin...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...ae5d5ca1852e5a7513ea80d3/analysis/1500641858/
01258861149_20170411_185381.wsf

** https://www.hybrid-analysis.com/sam...b21ae5d5ca1852e5a7513ea80d3?environmentId=100
Contacted Hosts
158.69.133.237

3] https://www.virustotal.com/en/file/...7b922112facd2a0383a02023/analysis/1500641867/
sdfgdsg1.js

4] https://www.hybrid-analysis.com/sam...af17b922112facd2a0383a02023?environmentId=100

5] https://twitter.com/Racco42/status/888392692761284608

6] Updated > https://t.co/eD7MtOxind

avocats-france-maroc .com: 158.69.133.237: https://www.virustotal.com/en/ip-address/158.69.133.237/information/
> https://www.virustotal.com/en/url/9...ec94b07c554611ba41dbed2e3bb2877d9e6/analysis/

aprendersalsa .com: 207.7.94.54: https://www.virustotal.com/en/ip-address/207.7.94.54/information/
> https://www.virustotal.com/en/url/2...a7eb2a769bb771fcdcab374779a4b05646f/analysis/

artegraf .org: 185.58.7.72: https://www.virustotal.com/en/ip-address/185.58.7.72/information/

asheardontheradiogreens .com: 199.30.241.139: https://www.virustotal.com/en/ip-address/199.30.241.139/information/
> https://www.virustotal.com/en/url/1...03439d126672c1929b83176efa9a8282dc5/analysis/

asuntomaailma .com: 185.55.85.4: https://www.virustotal.com/en/ip-address/185.55.85.4/information/
___

Malicious Chrome extensions / Facebook fraud - more
- https://www.helpnetsecurity.com/2017/07/21/stealthy-botnet/
July 21, 2017 - "ESET* researchers have unearthed a botnet of some 500,000 infected machines engaged mostly in ad-related fraud by using malicious Chrome extensions, but also Facebook fraud and brute-forcing Joomla and WordPress websites..."
* https://www.welivesecurity.com/2017...dware-campaign-operating-covertly-since-2012/
20 Jul 2017 - "... a huge botnet that they monetize mainly by installing malicious browser extensions** that perform ad injection and click fraud. However, they don’t stop there. The malicious Windows services they install enable them to execute anything on the infected host. We’ve seen them being used to send a fully featured backdoor, a bot performing massive searches on Google, and a tool performing brute-force attacks on Joomla and WordPress administrator panels in an attempt to compromise and potentially resell them.
Figure 1 shows the full Stantinko threat from the infection vector to the final persistent services and related plugins:
> https://www.welivesecurity.com/wp-content/uploads/2017/07/stantinko-infographics-blog-01.png
... Stantinko stands out in the way it circumvents antivirus detection and thwarts reverse engineering efforts to determine if it exhibits malicious behavior. To do so, its authors make sure multiple parts are needed to conduct a complete analysis. There are always -two- components involved: a loader and an encrypted component. The malicious code is -concealed- in the encrypted component that resides either on the disk or in-the-Windows-Registry. This code is loaded and decrypted by a benign-looking executable. The key to decrypt this code is generated on a per-infection basis. Some components use the bot identifier and others use the volume serial number from its victim PC’s hard drive. Making reliable detections based on the non-encrypted components is a very difficult task, since artifacts residing on the disk do not expose malicious behavior until they’re executed. Moreover, Stantinko has a powerful resilience mechanism. After a successful compromise, the victim’s machine has two malicious Windows services installed, which are launched at system startup. Each service has the ability to reinstall the other in case one of them is deleted from the system. Thus, to successfully uninstall this threat, both services must be deleted at the same time. Otherwise, the C&C server can send a new version of the deleted service that isn’t detected yet or that contains a new configuration..."
** https://www.helpnetsecurity.com/images/posts/stantinko-1.jpg
(More detail at the welivesecurity URL above.)

(IOC's): https://github.com/eset/malware-ioc/tree/master/stantinko

:fear::fear::fear: :mad:
 
Cloud 'Config Error', Petya decryptor released

FYI...

Weather .com, Fusion expose Data via Google Groups Config Error
> http://www.darkreading.com/vulnerab...a-google-groups-config-error--/d/d-id/1329449
7/24/2017 - "Major companies have publicly exposed messages containing sensitive information due to a user-controlled configuration error in Google Groups. Researchers at RedLock Cloud Security Intelligence (CSI) discovered Google Groups belonging to hundreds of companies inadvertently exposed personally identifiable information (PII) including customer names, passwords, email and home addresses, salary compensation details, and sales pipeline data. Internal messages also exposed business strategies, which could create competitive risk if in the wrong hands, explains RedLock*...
* https://blog.redlock.io/google-groups-misconfiguration
The Weather Company, the IBM-owned operator of weather .com and intellicast .com, is among the companies affected. Fusion Media Group, parent company of Gizmodo, The Onion, Jezebel, Lifehacker, and other properties made the same mistake... The companies that leaked data accidentally chose the sharing setting 'public on the Internet', which enabled -anyone- on the Web to access -all- information contained in their messages. RedLock advises all companies using Google Groups to ensure 'private' is the sharing setting** for 'Outside this domain-access to groups'. RedLock's CSI team routinely checks various cloud infrastructure tools for threat vectors, and monitors publicly available data to detect misconfigurations that could cause security incidents..."
** https://blog.redlock.io/hs-fs/hubfs/Blogs/GoogleGroupsSetting.png
___

Petya decryptor for old versions released
- https://blog.malwarebytes.com/malwa...ye-bye-petya-decryptor-old-versions-released/
Last updated: July 25, 2017 - "Following the outbreak of the Petya-based malware in Ukraine, the author of the original version, Janus, decided to release his master key, probably closing the project... Based on the released key, we prepared a decryptor that is capable of unlocking all the legitimate versions of Petya...
WARNING: During our tests we found that in some cases Petya may -hang- during decryption, or cause some other problems potentially -damaging- to your data. That’s why, before any decryption attempts, we recommend you to make an additional backup...
It -cannot- help the victims of pirated Petyas, like PetrWrap or EternalPetya (aka NotPetya)..."
(More detail at the malwarebytes URL above.)

Related:
- https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/

- https://blog.malwarebytes.com/cyber...tya-has-been-published-by-the-malware-author/

:fear::fear: :mad:
 
Fake 'No Subject', 'Account secure documents' SPAM, BEC attacks

FYI...

Fake 'No Subject' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/fake...kbot-banking-trojan-via-multi-stage-download/
26 Jul 2017 - "Another Trickbot campaign overnight... Pretends to be a bill coming from notifications@ in.telstra .com.au.... You get a wsf file in zip to start with. That has a hardcoded single site in the file. That downloads a .js file which has 4 or sometimes 5 hardcoded urls which download an encrypted txt file that is converted by the js file to a working Trickbot binary. The name & reference number in the email is random...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/spoofed_telstra_email.png

May-July2017.zip: Extracts to: QPX_ 18941124638_411385.wsf - Current Virus total detections 4/57*.
Payload Security** downloads from dodawanie .com/?1 (or one of the other stage 2 sites listed in this pastebin[3]
(VirusTotal 5/577[4]) (Payload Security[5]) which -cannot- examine the file because it is seen as txt. However, that downloads an encrypted file from one of the stage 3 sites listed in this pastebin report[6] which is converted by the script to an .exe file (VirusTotal 17/63[7]) (Payload Security[8])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...b35aaa1d0244a1d97535cbc6/analysis/1501020013/
QPX_ 18941124638_411385.wsf

** https://www.hybrid-analysis.com/sam...d8fb35aaa1d0244a1d97535cbc6?environmentId=100
Contacted Hosts
74.125.104.72
185.23.21.13


3] https://pastebin.com/RvHqTC7y

4] https://www.virustotal.com/en/file/...874583110fd792e5b1817fd3/analysis/1501026192/

5] https://www.hybrid-analysis.com/sam...b53874583110fd792e5b1817fd3?environmentId=100

6] https://pastebin.com/RvHqTC7y

7] https://www.virustotal.com/en/file/...4726874d4eeda24d4b9eff13/analysis/1501041870/
C.exe

8] https://www.reverse.it/sample/b7a7d...95d4726874d4eeda24d4b9eff13?environmentId=100
Contacted Hosts
216.58.198.196
216.58.198.206


dodawanie .com: 185.23.21.13: https://www.virustotal.com/en/ip-address/185.23.21.13/information/
> https://www.virustotal.com/en/url/6...e31af05651fbaeb4bf43b94ac3983c30a84/analysis/
___

Fake 'Account secure documents' SPAM - delivers Trickbot
- https://myonlinesecurity.co.uk/spoofed-hsbc-account-secure-documents-malspam-delivers-trickbot/
26 Jul 2017 - "An email with the subject of 'Account secure documents' pretending to come from HSBC but actually coming from a look-alike-domain <noreply@ hsbcdocs .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan ...

Screenshot: https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/HSBC_Account-Secure-Documents_email.png

The word doc looks like:
> https://myonlinesecurity.co.uk/wp-content/uploads/2017/07/hsbc_PaymentAdvice_doc.png

PaymentAdvice.doc - Current Virus total detections 4/57*. Payload Security** shows a download from
https ://kartautoeskola .com/test/images/logo.png which is -not- an image file but a renamed .exe file
that gets -renamed- to warrantyingresalesdioxide.exe and autorun (VirusTotal 1/63***) Payload Security[4]...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...541631589be49b3d9ac366af/analysis/1501070044/
PaymentAdvice.doc

** https://www.hybrid-analysis.com/sam...b1b0a2bfd4b586dd39a525b9361?environmentId=100

*** https://www.virustotal.com/en/file/...0a2bfd4b586dd39a525b9361/analysis/1501067853/
vaqqamsxhmfqdrakdrchnwhcd.exe

4] https://www.hybrid-analysis.com/sam...b1b0a2bfd4b586dd39a525b9361?environmentId=100

kartautoeskola .com: 69.160.38.3: https://www.virustotal.com/en/ip-address/69.160.38.3/information/
> https://www.virustotal.com/en/url/9...e61c5a004610e50520b8393f166b31cfe4b/analysis/
___

BEC attacks more costly than Ransomware...
- http://www.darkreading.com/vulnerab...n-ransomware-over-past-3-years/d/d-id/1329414
7/20/2017 - "... cybercriminals walked away with $5.3 billion from business email compromise (BEC) attacks compared with $1 billion for ransomware over a three-year stretch, according to Cisco's 2017 Midyear Cybersecurity Report released*...
* https://engage2demand.cisco.com/cisco_2017_midyear_cybersecurity_report
... Cisco's Martino says targeted cybersecurity -education- for employees can help prevent users from falling for BEC -and- ransomware attacks. The finance department could especially benefit from security training on phishing campaigns, so when the bogus-email comes across the transit of the CEO asking for a funds transfer it can be detected... Regular software patching also is crucial. When spam-laden-malware hits or ransomware attacks similar to WannaCry surfaces, the impact can be minimized... a balanced defensive and offensive posture, with not just firewalls and antivirus but -also- including measures to hunt down possible attacks through data collection and analysis..."

:fear::fear: :mad:
 
Fake 'Invoice notification' SPAM

FYI...

Fake 'Invoice notification' SPAM - delivers malware
- https://myonlinesecurity.co.uk/invoice-notification-with-id-number-40533-delivers-malware/
27 Jul 2017 - "An email with the subject of 'Invoice notification with id number: 40533' pretending to come from random senders with a link-in-the-email to a malicious word doc delivers... malware... possibly Emotet banking Trojan...

Screenshot: https://myonlinesecurity.co.uk/wp-c...Invoice-notification-with-id-number-40533.png

GOCNX8263762.doc - Current Virus total detections 7/57*. Payload Security** shows a download from one of the sites listed below where a random named .exe is delivered (VirusTotal 13/62[3]) (Payload Security[4]).
The delivery sites are all compromised sites:
http ://petruchio .org/zbmcicj/
http ://danjtec .it/ldcgtgkew/
http ://radiosmile .hu/q/
http ://ihealthcoach .net/paqdauulaq/
http ://btsound .com/erepr/
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustotal.com/en/file/...f5aac666e6aa1b4934b15d27/analysis/1501132650/
URQTN6370102.doc

** https://www.hybrid-analysis.com/sam...d4bf5aac666e6aa1b4934b15d27?environmentId=100

[3] https://www.virustotal.com/en/file/...79b586747e17734b0911e4df/analysis/1501134465/

[4] https://www.hybrid-analysis.com/sam...a6879b586747e17734b0911e4df?environmentId=100

petruchio .org: 64.90.44.242: https://www.virustotal.com/en/ip-address/64.90.44.242/information/
> https://www.virustotal.com/en/url/b...6836d14dc09853e0f7c39a846908938ad51/analysis/

danjtec .it: 5.135.157.47: https://www.virustotal.com/en/ip-address/5.135.157.47/information/
> https://www.virustotal.com/en/url/d...46a2b12c534dee9b19fd63f37518ab7e8d0/analysis/

radiosmile .hu: 92.61.114.191: https://www.virustotal.com/en/ip-address/92.61.114.191/information/
> https://www.virustotal.com/en/url/a...734c8a24185a08e1fffd53e7f642d260d5f/analysis/

ihealthcoach .net: 66.59.64.111: https://www.virustotal.com/en/ip-address/66.59.64.111/information/
> https://www.virustotal.com/en/url/8...55124f050b4a92bc4fdc37ef8d6ccada823/analysis/

btsound .com: 74.220.199.25: https://www.virustotal.com/en/ip-address/74.220.199.25/information/
> https://www.virustotal.com/en/url/2...ea33dc1698d419f8495be3da35a0591b72d/analysis/

:fear::fear: :mad:
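One way to turn the indicators in the post above (the subject pattern, the five compromised delivery sites, the Office attachment lure) into a mail-triage check, as an added example that is not part of the original post or the quoted article; the domain list is taken from the post, the sample messages are constructed, and the stdlib email parser is the only dependency:

```python
"""Triage raw RFC 822 messages against the indicators from the
'Invoice notification' malspam post. Added example; the domains are
from the post, the sample messages below are constructed."""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Delivery sites named in the post (defanging spaces removed).
DELIVERY_DOMAINS = {"petruchio.org", "danjtec.it", "radiosmile.hu",
                    "ihealthcoach.net", "btsound.com"}
SUBJECT_RE = re.compile(r"^invoice notification with id number:\s*\d+", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
OFFICE_EXTS = (".doc", ".docm", ".xls", ".xlsm")

def message_urls(msg: Message):
    """Yield every URL found in the text/plain and text/html parts."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            yield from URL_RE.findall(payload.decode("utf-8", "replace"))

def triage(raw: str) -> list:
    """Return the names of the indicators that fire on one raw message."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject-pattern")
    for url in message_urls(msg):
        host = (urlparse(url).hostname or "").lower()
        if host in DELIVERY_DOMAINS or any(host.endswith("." + d) for d in DELIVERY_DOMAINS):
            hits.append("known-delivery-site")
            break
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(OFFICE_EXTS):
            hits.append("office-attachment")  # macro lure, per the post
            break
    return hits

# Constructed sample mirroring the campaign shape (not a real message).
SAMPLE_MALSPAM = """From: accounts@example.invalid
To: user@example.invalid
Subject: Invoice notification with id number: 40533
Content-Type: text/plain

Please review your invoice: http://petruchio.org/zbmcicj/
"""
SAMPLE_BENIGN = "Subject: Lunch?\nContent-Type: text/plain\n\nSee http://example.com/menu\n"
```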
 