May 22 2013, 11:00 AM - Post #946
AplusWebMaster (Group: Authentic Member; Posts: 7,400; Joined: 30-December 03; From: USA; Member No.: 1,643; Operating System: XP/SP3, Win7/SP1)
Malicious ADP Spam
- http://threattrack.tumblr.com/post/5107169...dp-invoice-spam
22 May 2013 - "Subjects Seen: Invoice #[removed] - Remit file
Typical e-mail details: Attached is the invoice (ADP_Invoice_[removed].zip) received from your bank. Please print this label and fill in the requested information. Once you have filled out all the information on the form please send it to payroll.invoices @adp .com. For more details please see the attached file. Please do not reply to this e-mail, it is an unmonitored mailbox! Thank you, Automatic Data Processing, Inc...
Malicious URLs:
116.122.158.195 :8080/ponyb/gate.php
mail.yaklasim .com:8080/ponyb/gate.php
10healthynails .com/ponyb/gate.php
advprintgraphics .com/ponyb/gate.php
50.63.222.182 /GGBG2H.exe
Malicious File Name and MD5:
ADP_Invoice_[removed].zip (638d32dc80678f17609fe21dF73c6f6d)
ADP_Invoice_[removed].exe (a8aab9bcd389348823b77b090fb0afcc)
uszyly.vxe (707423e64a6ab41d694a9e1d8e823d292)
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data...yMJg1qz4rgp.png
___
- http://tools.cisco.com/security/center/threatOutbreak.x?i=77
Fake Purchase Order E-mail Messages - 2013 May 22
Fake Xerox Scan Attachment E-mail Messages - 2013 May 22
Fake Product Order Quote Request E-mail Messages - 2013 May 22
Fake Document Sharing E-mail Messages - 2013 May 22
Fake Facebook Voice Comment E-mail Message - 2013 May 22
Fake DHL Order Tracking Notification E-mail Messages - 2013 May 22
Fake Product Order Quote Request E-mail Messages - 2013 May 22
Fake Check Return Notification E-mail Messages - 2013 May 22
Fake Picture Link E-mail Messages - 2013 May 22
Fake Money Transfer Notification E-mail Messages - 2013 May 22
Fake Invoice Statement Attachment E-mail Messages - 2013 May 22
Fake Product Order E-mail Messages - 2013 May 22
Fake Holiday Photo Sharing Request E-mail Messages - 2013 May 22
Fake Scanned Document Attachment E-mail Messages - 2013 May 22
Fake Payment Request Notification E-mail Messages - 2013 May 22
(More detail and links at the cisco URL above.)

This post has been edited by AplusWebMaster: May 22 2013, 02:45 PM
Yesterday, 04:51 AM - Post #947
AplusWebMaster (Group: Authentic Member; Posts: 7,400; Joined: 30-December 03; From: USA; Member No.: 1,643; Operating System: XP/SP3, Win7/SP1)
FYI...

Spear-phish e-mails lead to APT
- https://atlas.arbor.net/briefs/index#-1950400672
Elevated Severity - May 22, 2013 - Yet another targeted attack is dissected. Password theft was one of the motivating factors in the campaign.
Analysis: Well-crafted spear-phish e-mails were sent to the victim organizations. These spear phish included exploit code for patched vulnerabilities in Microsoft Office and also delivered bait files of interest to the target. In some cases, the bait files contain exploit code and in other cases they merely serve as a distraction. This is a tried-and-true method in wide use by cybercriminals and nation-state espionage actors. Once the malware is installed, credential theft applications can be used. The document provided by Trend includes various Indicators of Compromise (IOCs) that organizations can use to help detect if they have been or are currently a victim. Additionally, domains used for malicious purposes are sometimes re-used at a later time, so keeping an eye on DNS logs and HTTP activity can help spot a new campaign re-using older infrastructure.
Source: http://www.trendmicro.com/cloud-content/us...eted-threat.pdf
- http://blog.trendmicro.com/trendlabs-secur...w-apt-campaign/
"... The distribution method of this campaign involves spear-phishing emails that contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158*)..."
* https://web.nvd.nist.gov/view/vuln/detail?v...d=CVE-2012-0158 - 9.3 (HIGH) - MS12-027
- https://www.net-security.org/malware_news.php?id=2500
May 20, 2013 - "... Dubbed "Safe," the campaign has first been spotted in October 2012 and has so far resulted in nearly 12,000 unique IP addresses spread over more than 100 countries to be connected to two sets of command-and-control (C&C) infrastructures..."
___
Fake ‘Export License/Payment Invoice’ emails lead to malware
- http://blog.webroot.com/2013/05/23/fake-ex...ead-to-malware/
May 23, 2013 - "... just intercepted yet another currently ongoing malicious spam campaign, enticing users into executing a fake Export License/Payment Invoice. Once gullible and socially engineered users do so, their PCs automatically join the botnet operated by the cybercriminals. More details: Detection rate for the malicious executable: MD5: 4e7dc191117a6f30dd429cc619041552 * ... Trojan.Win32.Inject.foiq; Trojan.Zbot. Once executed, the sample starts listening on port 28723... It then phones back to the following C&C servers: ... We’ve also seen the following C&C server IP (194.94.127.98) in previously profiled malicious campaigns... As well as 78.139.187.6 ... We’re aware of more MD5s that phoned back to the same IPs over the last couple of days..." (More detail at the webroot URL above.)
* https://www.virustotal.com/en/file/de224cd7...sis/1369151297/
File name: invoice copy.exe
Detection ratio: 33/47
Analysis date: 2013-05-21
___
Fake FBI Ransomware - spikes...
- http://blog.webroot.com/2013/05/23/recent-...king-worldwide/
May 23, 2013 - "Recently we have seen a spike of this ransomware in the wild as it appears as though its creators are not easily giving up. This infection takes your computer hostage and makes it look as though the authorities are after you, when in reality this is all just an elaborate attempt to make you -pay- to unblock your computer. Once infected, a warning similar to the one below* will take up your entire screen in such a way that you can’t get around it, thus effectively blocking you from accessing your files, programs or anything else on your computer. To further scare you into believing that you’ve been caught in illegal activity, your IP address, rough location, internet service provider, operating system and webcam image may be displayed.
* https://webrootblog.files.wordpress.com/201...erdiv.png?w=869
To ensure maximum profits, the malware writers made sure that everyone understood their warning and payment instructions by localizing the infection around the world... there are variants of this infection that will encrypt your files so even after the infection is removed, documents, pictures and many other files on the hard drive will be inaccessible. Once the files are encrypted it can be very difficult or impossible to restore the original unencrypted versions. To avoid data loss, we strongly suggest periodically backing up your data... The infection executable may be located in the AppData, Temp, or User Profile directories and typically loads by adding itself to the Run keys or by modifying the Winlogon Shell entry. In some cases it may load using only a shortcut that’s placed in the Startup folder..."

This post has been edited by AplusWebMaster: Yesterday, 11:15 AM
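The persistence points the Webroot excerpt names (Run keys, the Winlogon Shell value, Startup-folder shortcuts, executables under AppData/Temp/User Profile) can be audited with a read-only PowerShell pass. This is an added example, not code from the post or from Webroot; it changes nothing on the machine, and the heuristic of flagging any autorun whose command resolves into the current user's AppData, Temp or profile directory is an assumption drawn from the locations the excerpt lists, so legitimate per-user autoruns will also be flagged for review.

```powershell
# Added example (not from the forum post or Webroot): read-only audit of the
# persistence points the Webroot excerpt names. Flags autoruns whose command
# points into AppData, Temp or the user profile (heuristic assumed from the text;
# USERPROFILE is broad, so expect legitimate per-user entries to be flagged too).
$suspiciousDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } |                              # LOCALAPPDATA is absent on XP
    ForEach-Object { $_.TrimEnd('\').ToLower() }

function Test-SuspiciousPath {
    param([string]$Command)
    if (-not $Command) { return $false }
    $c = [Environment]::ExpandEnvironmentVariables($Command).ToLower()
    foreach ($d in $suspiciousDirs) { if ($c.Contains($d)) { return $true } }
    return $false
}

# 1. Run keys (per-user and machine-wide)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not autoruns
        $flag = if (Test-SuspiciousPath $p.Value) { 'SUSPICIOUS' } else { 'ok' }
        '{0,-10} {1}\{2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}

# 2. Winlogon Shell: the legitimate value is exactly "explorer.exe"
foreach ($hive in 'HKLM', 'HKCU') {
    $wl = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) { continue }                      # HKCU normally has no Shell value
    $flag = if ($shell.Trim().ToLower() -ne 'explorer.exe') { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1}\Shell = {2}' -f $flag, $wl, $shell
}

# 3. Startup folder: resolve each shortcut to the executable it launches
$startup = [Environment]::GetFolderPath('Startup')
$wsh = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $wsh.CreateShortcut($_.FullName).TargetPath
    $flag = if (Test-SuspiciousPath $target) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1} -> {2}' -f $flag, $_.Name, $target
}
```

Run it from an elevated prompt so the HKLM keys are readable, and treat a SUSPICIOUS line as a prompt to inspect the referenced file, not as a verdict.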
Time is now: 24th May 2013 - 01:34 AM