
SPAM frauds, fakes, and other MALWARE deliveries...


1527 replies to this topic

#1516 AplusWebMaster

  • Authentic Member
  • 9,030 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 11 August 2015 - 07:05 AM

FYI...

Fake 'Website Invoice' SPAM – PDF malware
- http://myonlinesecur...ce-pdf-malware/
11 Aug 2015 - "'Here is your BT Website Invoice' pretending to come from btd.billing.noreply@ bt .com with a PDF attachment is another one from the current bot runs... The email comes in corrupt... There is an HTML attachment which contains what the actual email should read:
***Please do not reply to this automated e-mail as responses are not read***
    Hello
    Here is your latest billing information from BT Directories – please check the details carefully.
    If you need to contact us then you’ll find the numbers in the attachment.
    Kind Regards
    BT Directories Billing & Credit Management ...


And there is a PDF attachment which contains the malware:
11 August 2015 : DirectDebit Invoice_5262307_011220140151449702826.pdf
Current Virus total detections: 4/56*  which is a PDF containing a word doc with embedded macros in the same way as described in today’s earlier malspam run**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439286155/

** http://myonlinesecur...ts-pdf-malware/
11 Aug 2015 - "'Interparcel Documents' pretending to come from Interparcel <bounce@ interparcel .com> with a PDF attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...l-Documents.png

11 August 2015: Shipping Labels (938854744923).pdf - Current Virus total detections: 4/57*
... downloads Dridex from http ://sonicadmedia .com/334f3d/096uh5b.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439281100/

** https://www.virustot...sis/1439284911/

sonicadmedia .com: 192.185.5.3: https://www.virustot....3/information/
___

Fake 'Congratulations on your purchase Windows' SPAM – fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
11 Aug 2015 - "'Congratulations on your purchase Windows' with a zip attachment is another one from the current bot runs... The email looks like:
    The invoice for the license windows 10.
    Invoice id: 5661255582
    License number: 211883074666
    License serial number: XXXXXX-XXXXXX-XXXXXX-QF7303-DG7S86
    Details of the attachment.
    THANKS A LOT FOR BEING WITH US.


Today's Date: Invoice Windows10 1648726511-en.zip:
Extracts to: Invoice Windows10 7848342350-en.exe
Current Virus total detections: 6/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439303996/
___

Asprox botnet... disappears
- http://www.infoworld...disappears.html
Aug 11, 2015 - "The Asprox botnet, whose malware-spamming activities have been followed for years by security researchers, appears to be gone... the botnet seemed to be shut down, wrote Ryan Olson, intelligence director for Palo Alto Networks, in a blog post:
> http://researchcente...e-after-kuluoz/
Olson wrote that Palo Alto thought the botnet's operators may have changed their tactics, and Palo Alto missed the shift. But they verified that Asprox's command-and-control structure shut down - at least for now... Earlier this year, Brad Duncan, a security researcher at Rackspace, also noticed a change:
> https://isc.sans.edu...x Botnet/19435/
... Spam that appeared stylistically close to that sent by Asprox had -different- malware. Asprox has taken a hit before. In November 2008, it was one of several botnets affected by the shutdown of McColo, a notorious California-based ISP that was providing network connectivity for cybercriminals. The shutdown of McColo dramatically cut the amount of spam, but Asprox as well as other botnets came back. The most frequent malware now seen by Palo Alto is Upatre. That malware downloads other harmful programs to a computer, and Palo Alto has seen it involved in installing a banking trojan called Dyre and the Cryptowall ransomware..."
>> http://researchcente...08/kuluoz-2.png


Edited by AplusWebMaster, 11 August 2015 - 10:06 AM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1517 AplusWebMaster

Posted 12 August 2015 - 07:09 AM

FYI...

Fake 'Invoices payable' SPAM – JAVA malware
- http://myonlinesecur...e-java-malware/
12 Aug 2015 - "'RE: Re: Invoices payable' with a jar attachment pretending to come from info@ fulplanet .com is another one from the current bot runs...

Screenshot: http://myonlinesecur...ces-payable.png

12 August 2015: Invoice.jar - Current Virus total detections: 4/57*
Luckily, Outlook (as you can see from the screenshot above) and many other email clients automatically -block- java jar files from being accessed or opened in the email client. Webmail clients are more at risk as most allow any attachment. Java is a cross-browser and cross-OS program and that is why it is so dangerous. Malicious Java files can infect and compromise ANY computer whether it is Windows or Apple or Android or Linux. You will not be infected and cannot be harmed if you do -not- have Java installed on the computer.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an unknown instead of the java executable file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439362101/
___

Fake 'list attached' SPAM – PDF drops word doc – malware
- http://myonlinesecur...rd-doc-malware/
12 Aug 2015 - "'list attached as requested' pretending to come from Danielle | CC Signs Ltd. <orders@ ccsigns .co.uk> with a malicious PDF attachment that drops a word doc is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
The email has a -blank- body with just this image inside it and looks like:
> http://myonlinesecur...C-Signs-Ltd.jpg

12 August 2015: smo.pdf - Current Virus total detections: 5/56*
... which drops/creates 4.docm (VirusTotal**) which contains a macro that connects to http ://konspektau.republika .pl/07jhnb4/0kn7b6gf.exe and downloads Dridex banking malware (VirusTotal***). Other download locations include http ://madrigalchor-schloss-benrath .de/07jhnb4/0kn7b6gf.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439370949/

** https://www.virustot...sis/1439371138/

*** https://www.virustot...sis/1439372114/
... Behavioural information
TCP connections
74.119.194.18: https://www.virustot...18/information/
95.101.128.113: https://www.virustot...13/information/

konspektau.republika .pl: 213.180.150.17: https://www.virustot...17/information/

madrigalchor-schloss-benrath .de: 81.169.145.158: https://www.virustot...58/information/
___

Fake 'Invoice for 415 Litmus' SPAM – doc malware
- http://myonlinesecur...itmus-word-doc/
12 Aug 2015 - "'Invoice for 415 Litmus' pretending to come from angela_lrc088128@ btinternet .com (the lrc088128 is random and I am seeing -hundreds- of lrc******@ btinternet .com being -spoofed- as the from addresses) with a malicious word doc attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png

Screenshot: http://myonlinesecur...-415-Litmus.png

12 August 2015: 415 Litmus Cleaning invoice.docm - Current Virus total detections: 6/56*
The -malicious- macro inside this version of the word doc connects to and downloads Dridex banking malware from http ://madrigalchor-schloss-benrath .de/07jhnb4/0kn7b6gf.exe (VirusTotal**), which is the -same- malware as described in today’s other Malspam run[1] containing malicious PDF dropping word docs... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439371782/

** https://www.virustot...sis/1439372114/
... Behavioural information
TCP connections
74.119.194.18: https://www.virustot...18/information/
95.101.128.113: https://www.virustot...13/information/

madrigalchor-schloss-benrath .de: 81.169.145.158: https://www.virustot...58/information/

1] http://myonlinesecur...rd-doc-malware/
___

Fake 'transferred into Your account HSBC' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
12 Aug 2015 - "A series of emails on the theme of 'This is to confirm that amounts were transferred into Your account' with subjects like 'Payment affirmation' or 'Conducted transaction information' with an email -link- to entice you into downloading a zip attachment is another one from the current bot runs... Some of the subjects include:
    Conducted transaction information
    Deposited funds receipt
    Fund transfer receipt
    Deposited funds acknowledgment
    Transaction statement
    Transfer verification
    Deposited funds affirmation
    Deposited funds statement
    Balance change receipt
The senders pretend to be bank employees from HSBC and include such titles as:
    Forward Applications Strategist
    Principal Assurance Developer
    Corporate Web Architect
    Principal Factors Director
And hundreds of other similar-style, seemingly important-sounding titles. The sender matches the job title in the body of the email although the names are totally random...

Screenshot: http://myonlinesecur...affirmation.png

12 August 2015: invoice.pdf.zip: Extracts to: invoice.pdf.exe*
Current Virus total detections: 3/56*. These -Upatre- downloaders normally download either Dridex or Dyreza banking malware. So far the automatic tools haven’t managed to get any actual download. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439376577/
___

Fake 'Important documents BoA' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
12 Aug 2015 - "'FW: Important documents' pretending to come from Guadalupe Aldridge <Guadalupe.Aldridge@ bankofamerica .com> or Mariano Cotton <Mariano.Cotton@ bankofamerica .com> (and probably loads of other random names @ bankofamerica .com) with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...t-documents.png

12 August 2015: AccountDocuments.zip: Extracts to: AccountDocuments.scr
Current Virus total detections: 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439398277/
___

Win10 Store, Mail client down for some
- http://www.zdnet.com...-down-for-some/
Updated Aug 10, 11 - "... having problems accessing the Windows 10 Store and a number of Store apps, including Microsoft's new Mail client, for more than a day:
> http://zdnet2.cbsist...10storedown.jpg "


Edited by AplusWebMaster, 12 August 2015 - 01:07 PM.


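The "spoofed icon" trick that runs through the posts above (invoice.pdf.zip extracting to invoice.pdf.exe, AccountDocuments.scr, Invoice.jar) works because Windows hides the last extension of known file types by default. As an added example that is not from the posts or the quoted blogs, this Python helper reproduces that display rule and flags executables whose displayed name looks like a document; the attachment names are taken from the posts, while the extension sets are assumptions.

```python
"""Attachment-name triage for the 'spoofed icon' trick (added example).

Windows Explorer hides the final extension of known file types by default, so
'invoice.pdf.exe' is displayed as 'invoice.pdf' and carries the Reader icon the
malware ships with.  The helpers below reproduce that display rule and flag
executables whose displayed name looks like a document or has no extension.
The extension sets are assumptions, not a complete list.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath

# File types Windows runs directly on double-click (assumed, non-exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "jar", "hta"}
# Document types whose icon the lures imitate.
DOCUMENT_EXTS = {"pdf", "doc", "xls", "rtf", "txt"}
# Office formats that by definition carry macros.
MACRO_EXTS = {"docm", "xlsm", "dotm"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS | MACRO_EXTS | ARCHIVE_EXTS


@dataclass(frozen=True)
class Verdict:
    name: str          # real file name
    shown_as: str      # what Explorer shows with 'Hide extensions for known file types' on
    kind: str          # executable | macro_document | archive | document | other
    disguised: bool    # executable whose displayed name looks like a document or has no extension


def suffixes(name: str) -> list[str]:
    """All dot-separated suffixes in lower case: 'a.pdf.exe' -> ['pdf', 'exe']."""
    return [s.lstrip(".").lower() for s in PurePosixPath(name).suffixes]


def displayed_name(name: str) -> str:
    """Apply Explorer's default rule: hide the last extension if it is a known type."""
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in KNOWN_EXTS:
        return stem
    return name


def classify(name: str) -> Verdict:
    exts = suffixes(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        kind = "executable"
    elif last in MACRO_EXTS:
        kind = "macro_document"
    elif last in ARCHIVE_EXTS:
        kind = "archive"
    elif last in DOCUMENT_EXTS:
        kind = "document"
    else:
        kind = "other"
    shown = displayed_name(name)
    shown_exts = suffixes(shown)
    # Disguised when the user sees a document extension ('invoice.pdf') or no
    # extension at all ('AccountDocuments', 'Invoice') while the real type runs.
    disguised = kind == "executable" and (not shown_exts or shown_exts[-1] in DOCUMENT_EXTS)
    return Verdict(name, shown, kind, disguised)


def triage_archive(members: list[str]) -> list[Verdict]:
    """Return the members of an extracted zip that are disguised executables or macro documents."""
    verdicts = [classify(m) for m in members]
    return [v for v in verdicts if v.disguised or v.kind == "macro_document"]


# Attachment names taken from the posts above.
SAMPLES = [
    "invoice.pdf.exe",
    "AccountDocuments.scr",
    "Invoice.jar",
    "415 Litmus Cleaning invoice.docm",
    "DirectDebit Invoice_5262307_011220140151449702826.pdf",
]

if __name__ == "__main__":
    for v in map(classify, SAMPLES):
        print(f"{v.name!r:58} shown as {v.shown_as!r:30} {v.kind:15} disguised={v.disguised}")
    print(triage_archive(["invoice.pdf.exe"]))
```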

#1518 AplusWebMaster

Posted 13 August 2015 - 06:54 AM

FYI...

Fake 'Invoice Bristan' SPAM – PDF malware
- http://myonlinesecur...nvoice-malware/
13 Aug 2015 - "'Invoice I623792760' (Random characters and numbers) pretending to come from Bristan Documents <Prism@ bristan .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-I623792760.png

13 August 2015: INVOICE_I623792760.zip: Extracts to: INVOICE_I9288320.exe
Current Virus total detections: 1/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439455676/
___

Fake 'Incident' RBS SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
13 Aug 2015 - "'RE: Incident IM07298646' (random numbers) pretending to come from RBS <secure.message@ rbs .co.uk> with a malicious word doc attachment is another one from the current bot runs... This particular version pretends to be signed with an RSA secure key and you need to enable editing and macros to see the content... DO NOT follow the advice they give to enable macros or enable editing to see the content:
> http://myonlinesecur...tected-view.png

13 August 2015: AccountDocuments.doc - Current Virus total detections: 5/56*
This goes through a convoluted download procedure linking to: http ://hutsul .biz/administrator/components/com_joomlaupdate/rara.txt which is just a simple instruction to download what looks like -Upatre- downloader which will eventually download Dridex banking malware from http ://klosetaffair .com/scripts/jquery-1.8.3.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439461278/

** https://www.virustot...sis/1439461900/

hutsul .biz: 144.76.80.78: https://www.virustot...78/information/

klosetaffair .com: 192.185.48.205: https://www.virustot...05/information/

- http://threattrack.t...re-webmail-spam
Aug 13, 2015 - Subjects Seen:
    RBC Secure Webmail/Courriel secure
Typical e-mail details:
    Hello  
    You have received a secure e-mail, which may contain personal/confidential information.
    To read and/or reply to the secure e-mail, please follow the simple steps below:
    ·  Double click on the attached Click2View.zip
    IMPORTANT:
    1.) You must be connected to the Internet to view the secure e-mail.
    2.) Please ONLY reply from the above link. DO NOT reply by clicking the “reply” option as this will not be secured.


Malicious File Name and MD5:
    Click2View.scr (51cabd5eb93920043db1b18cf163b108)


Tagged: RBC, Upatre
___

Fake 'Notice of payment' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 Aug 2015 - "'Notice of payment' pretending to come from sac.sbi@ sibn .bnc.ca with a zip attachment is another one from the current bot runs... The email looks like:
    You can view and print the notice of payment using the Netscape or Microsoft
    Explorer browsers, versions 6.2 and 5.5. You can export and store the
    notice of payment data in your spreadsheet by choosing the attached file in
    pdf format “.pdf”.
    If you have received this document by mistake, please advise us immediately
    and return it to us at the following E-mail address: “sac.sbi@ sibn .bnc .ca“.
    Thank you.
    National Bank of Canada
    600 de La Gauchetire West, 13th Floor
    Montreal, Quebec H3B 4L2 ...


13 August 2015: PaymentNotice.zip: Extracts to: PaymentNotice.scr
Current Virus total detections: 1/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439483960/
___

SSL Malvertising Campaign Continues
- https://blog.malware...aign-continues/
Aug 13, 2015 - "The actors behind the recent Yahoo! malvertising attack are still very much active and able to infect people who browse popular websites. We have been tracking this campaign and noticed that it has recently moved to a new ad network used by many top publishers:
- drudgereport .com 61.8M visits per month
- wunderground .com 49.9M visits per month
- findagrave .com 6M visits per month
- webmaila.juno .com 3.6M visits per month
- my.netzero .net 3.2M visits per month
- sltrib .com 1.8M visits per month
The malvertising is loaded via AdSpirit .de and includes a -redirection- to an Azure website. Note how both URLs are using HTTPS encryption, making it harder to detect the malicious traffic at the network layer:
> https://blog.malware...alvertising.png
Redirection chain
    Publisher’s website
    https ://pub.adspirit .de/adframe.php?pid=[redacted]
    https ://pr2-35s.azurewebsites .net/?=pr2-35s-981ef52345
    abcmenorca .net/?xvQtdNvLGcvSehsbLCdz
    Angler Exploit Kit...
We informed the ad network and although they did not immediately get back to us, the rogue advert was taken down."

Update 08/14: The campaign has -moved- to another advertiser (AOL) and new Azure domain:
> https://blog.malware...vertisement.png

abcmenorca .net: 88.198.188.158:
- https://www.virustot...58/information/
Country: DE
Autonomous System: 24940 (Hetzner Online AG)
Diagnostic page for AS24940 (HETZNER-AS)
- https://www.google.c...c?site=AS:24940
"... over the past 90 days, 2335 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2015-08-13, and the last time suspicious content was found was on 2015-08-13... this network has hosted sites that have distributed malicious software in the past 90 days. We found 224 site(s)... that infected 837 other site(s)..."


Edited by AplusWebMaster, 15 August 2015 - 03:55 PM.



#1519 AplusWebMaster

Posted 14 August 2015 - 08:55 AM

FYI...

Fake 'Invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
14 Aug 2015 - "'Invoice Bristol Rope & Twine Co' pretending to come from Roger Luke <rogerluke@ bristolrope .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be -blank- or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
The email looks like:
    Thank you for your order. Your Invoice – 14/0238 – from Bristol Rope &
    Twine Co is attached.


14 August 2015: 140238.XLS - Current Virus total detections: 6/57*
... Downloads Dridex banking malware from http ://buero-kontierservice .de/7656/4563.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439545269/

** https://www.virustot...sis/1439545437/
... Behavioural information
TCP connections
62.152.36.25: https://www.virustot...25/information/
2.18.213.90: https://www.virustot...90/information/

buero-kontierservice .de: 81.169.145.157: https://www.virustot...57/information/
___

Fake 'Account management' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Aug 2015 - "'Account management was limited' pretending to be a message from JPMorgan Chase Bank with a zip attachment is another one from the current bot runs... Other subjects in this malware run include:
    Personal account access has been minimized
    Bank account control has been minimized
    Personal account management had been restricted
    Bank account access was blocked ...
The email looks like:
     Dear Bank member,
    Please consider this e-mail alert highly urgent. Kindly note that our
    security department has detected the attempt to withdraw money from Your
    account without confirmation.
    As a security measure the bank had to restrict access to the account
    until we get relevant request from the signatory. Please see attached
    the document to be filled in order to get full access to the account.
    Peter Malcolm,
    Security Department Specialist
    JPMorgan Chase Bank PLC


14 August 2015: Formsheet_to_be_filled in_.zip: Extracts to: Formsheet_to_be_executed_.exe
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439572799/


Edited by AplusWebMaster, 14 August 2015 - 12:47 PM.



#1520 AplusWebMaster

Posted 19 August 2015 - 05:48 AM

FYI...

Fake 'SHIPMENT NOTICE' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
19 Aug 2015 - "'SHIPMENT NOTICE' pretending to come from serviceuk@ safilo .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...MENT-NOTICE.png

19 August 2015: ship20150817.zip: Extracts to: ship20150817.exe
Current Virus total detections: 2/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1439977857/

- http://blog.dynamoo....ent-notice.html
19 Aug 2015 - "... the malware attempts to phone home to:
megapolisss006 .su/go/gate.php
.SU (Soviet Union) domains are bad news in general, if you can I would recommend blocking traffic to -all- of them. This domain is hosted on the following IPs:
195.2.88.196 (Zenon N.S.P., Russia)
94.229.22.39 (Bashrtcomm LIR, Russia)
94.229.22.42 (Bashrtcomm LIR, Russia)
You might want to consider blocking:
195.2.88.0/24
94.229.16.0/21

This though is the recommended minimum blocklist:
195.2.88.196
94.229.22.39
94.229.22.42
..."
___

Fake 'lawsuit' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
19 Aug 2015 - "'wtf is this?lawsuit?' coming from random names and random email addresses with a malicious word doc attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be -blank- or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
The email looks like:
    why have you sued me? wtf is this?
    i am attaching the subpoena


19 August 2015: subpoena.doc - Current Virus total detections: 5/54*
Connects to http ://bigdiscountsonline .info/css/_notes/rara.txt which is a simple text instruction to download Dridex banking malware from http ://allthatandmore .info/css/_notes/pa.exe (VirusTotal**). It also connects to http ://bigdiscountsonline .info/css/_notes/8179826378126.txt which is a VBS downloader (VirusTotal***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439998392/

** https://www.virustot...sis/1439996382/
... Behavioural information
TCP connections
148.251.34.82: https://www.virustot...82/information/
62.149.142.168: https://www.virustot...68/information/

*** https://www.virustot...sis/1439995932/

bigdiscountsonline .info: 97.74.4.87: https://www.virustot...87/information/
allthatandmore .info: 97.74.4.87
___

Out of band I/E patch - all versions...
- http://myonlinesecur...18-august-2015/
18 Aug 2015

>> http://forums.whatth...915#entry870346


Edited by AplusWebMaster, 19 August 2015 - 11:40 AM.


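The Dynamoo excerpt in the post above gives three levels of blocking advice: a minimum list of three IPs, two wider ranges to consider, and a blanket rule for .SU domains. As an added example that is not from the post, this Python script applies all three to proxy log lines and reports why each destination matched; the IPs, ranges and TLD rule are the post's values, while the log line format and the sample lines are constructed.

```python
"""Apply the quoted blocking advice to proxy logs (added example).

The minimum blocklist, the two wider ranges and the '.su' rule are the values
from the post; the log line format and the sample lines are constructed.
"""
import ipaddress
import re
from typing import NamedTuple

# "This though is the recommended minimum blocklist"
MINIMUM_BLOCKLIST = {
    ipaddress.ip_address(a) for a in ("195.2.88.196", "94.229.22.39", "94.229.22.42")
}
# "You might want to consider blocking" these ranges
WIDER_RANGES = [ipaddress.ip_network(n) for n in ("195.2.88.0/24", "94.229.16.0/21")]
# ".SU domains are bad news in general ... blocking traffic to all of them"
BLOCKED_TLDS = {"su"}


class Hit(NamedTuple):
    line_no: int
    host: str
    dst_ip: str
    reasons: tuple[str, ...]


# Constructed log format (assumption): "<timestamp> <client> <method> <url> <destination ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$"
)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?P<host>[^/:?#]+)", re.I)


def host_of(url: str) -> str:
    """Extract the host part of a URL; empty string if there is none."""
    m = HOST_RE.match(url)
    return m["host"].lower() if m else ""


def block_reasons(host: str, dst_ip: str) -> tuple[str, ...]:
    """Reasons a destination matches the post's advice; an empty tuple means no match."""
    reasons = []
    tld = host.rstrip(".").rsplit(".", 1)[-1] if host else ""
    if tld in BLOCKED_TLDS:
        reasons.append(f"domain in blocked TLD .{tld}")
    try:
        ip = ipaddress.ip_address(dst_ip)
    except ValueError:          # unparseable destination: only the TLD rule can apply
        return tuple(reasons)
    if ip in MINIMUM_BLOCKLIST:
        reasons.append("ip on minimum blocklist")
    for net in WIDER_RANGES:    # catches hosts in the ranges even under a benign name
        if ip in net:
            reasons.append(f"ip in wider range {net}")
            break
    return tuple(reasons)


def scan(lines) -> list[Hit]:
    """Return one Hit per log line whose destination matches any rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host = host_of(m["url"])
        reasons = block_reasons(host, m["dst"])
        if reasons:
            hits.append(Hit(n, host, m["dst"], reasons))
    return hits


# Constructed sample lines: the C2 check-in from the post, a benign site, and a
# host with an innocent-looking name that resolves into one of the wider ranges.
SAMPLE_LOG = [
    "2015-08-19T10:01:02Z 10.0.0.5 POST http://megapolisss006.su/go/gate.php 195.2.88.196",
    "2015-08-19T10:01:03Z 10.0.0.5 GET http://www.example.com/index.html 93.184.216.34",
    "2015-08-19T10:01:09Z 10.0.0.7 GET http://cdn.example.net/update.bin 94.229.20.7",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.host} -> {hit.dst_ip}: {'; '.join(hit.reasons)}")
```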

#1521 AplusWebMaster

Posted 20 August 2015 - 04:49 AM

FYI...

Fake 'Shared from Docs app' SPAM – xls Malware
- http://myonlinesecur...dsheet-malware/
20 Aug 2015 - "'Shared from Docs app' coming from Admin at random email addresses with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be -blank- or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
The Excel spreadsheet in this one looks like this... DO NOT follow their suggestion and enable editing or macros:
> http://myonlinesecur...4_jpg-2.xls.png
The email is very plain and terse and simply says :

    Sent from Mail for Windows 10

20 August 2015: LIST_141114_jpg (2).xls - Current Virus total detections: 4/56*
So far automatic analysis hasn’t retrieved any payload so we are waiting for a manual analysis to be performed. These normally download Dridex banking malware..
Update: we now have managed to get an automatic analysis[2] which gave us: ceece.exe that looks like Dridex but no download location for it (VirusTotal)[3]... We always have problems with automatic analysis when the Doc or XLS file is in Russian language and character set... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1440065594/

2] https://malwr.com/an...ThlNGU0MTcwMzQ/

3] https://www.virustot...sis/1440066467/
... Behavioural information
TCP connections
62.152.36.25: https://www.virustot...25/information/
191.234.4.50: https://www.virustot...50/information/
___

Fake 'new ID and password' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 Aug 2015 - "'Your new ID and password' coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:

    Your ID name and password has been changed according to your request dated August 19, 2015. Check attachment to view the renewed information.

20 August 2015: doc_ad78120.zip : Extracts to: doc_in30541.exe
Current Virus total detections 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440069970/
___

Fake 'order not avaliable' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
20 Aug 2015 - "An email saying 'We are sorry but the product you’ve ordered is not avaliable now' with a subject of Order #y0CD3mxQizcBk88ovaw [random characters] coming from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    Good afternoon,
    We are sorry but the product you’ve ordered is not avaliable now.
    Please fill up the attached form of refund and choose a gift as a token
    of our apology for the inconvenience.
    Order #fNcszeK2PW9J1rjN
    Date sent: Thu, 20 Aug 2015 11:42:51 +0100
    Mariam Olson Sr...

-Or-
Good afternoon,
We are sorry but the product you’ve ordered is not avaliable now.
Please fill up the attached form of refund and choose a gift as a token
of our apology for the inconvenience.
Order #4y3Rs24VDxJ8BBW8
Date sent: Thu, 20 Aug 2015 11:45:02 +0100
Carolyn Raynor...


20 August 2015: Order Beier-Swaniawski_fNcszeK2PW9J1rjN.zip: Extracts to: order id283694136_Angus Ferry.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word document instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440070000/
___

Fake 'Transport for London' SPAM - malicious attachment
- http://blog.dynamoo....nsport-for.html
20 Aug 2015 - "This -fake- TfL spam comes with a malicious attachment:
    From     "Transport for London" [noresponse@ cclondon .com]
    Date     Thu, 20 Aug 2015 17:04:26 +0530
    Subject     Email from Transport for London
    Dear Customer
    Please open the attached file(7887775.zip) to view correspondence from Transport
    for London.
    If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download
    this attachment. If you require Adobe Acrobat Reader this is available at no cost...
    Thank you for contacting Transport for London.
    Business Operations
    Customer Service Representative...


The attachment name seems to vary, in the samples I have seen there is 7887775.zip, 0174458.zip and rather oddly [?var=partorderb].zip. From these I have recovered two malicious samples with a VirusTotal detection rate of 6/56* and 1/57**... Hybrid Analysis reports... show the malware connecting to various malicious and non-malicious IPs, but in particular we see a traffic pattern like this:
93.185.4.90 :12326/2008uk77/jI7tL6q34q/0/61-SP1/0/FDMBEFJBMKBEMM
93.185.4.90 :12326/2008uk77/jI7tL6q34q/41/5/42/FDMBEFJBMKBEMM
These GET requests are a characteristic of Upatre/Dyre. 93.185.4.90 is allocated to C2NET, Czech Republic and I strongly recommend that you -block- it."
* https://www.virustot...sis/1440071767/

** https://www.virustot...sis/1440071784/
___

Fake 'ACH failed' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
20 Aug 2015 - "'ACH failed due to technical error' pretending to come from The Electronic Payments Association with a malicious word doc attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
This malicious word doc has what pretends to be a RSA encrypted security key and it wants you to enable editing to see the content. This is almost identical to this slightly older version with a different date. Once again DO NOT enable editing or macros:
> http://myonlinesecur...tected-view.png
The email looks like:
    ACH PAYMENT REJECTED
    The ACH Payment (ID: 49583071624518), recently initiated from your savings account (by you or any other person), was REJECTED by other financial institution.
    Rejection Reason: See details in the attached report.
    Payment Report: report_49583071624518.doc (Microsoft Word)
    13450 Sunrise Valley Drive, Suite 100
    Herndon, VA 20171
    2014 NACHA – The Electronic Payments Association


20 August 2015 : report_49583071624518.doc - Current Virus total detections 16/57*
... connects to http ://luckytravelshop .info/wp-content/uploads/2015/05/sasa.txt which tells it to download a Dridex banking malware from http: //tadarokab .com/temp/recent.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1440087068/

** https://www.virustot...sis/1440081269/

luckytravelshop .info: 23.229.232.199: https://www.virustot...99/information/

tadarokab .com: 38.110.76.140: https://www.virustot...40/information/
___

Fake 'ACH Payment' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 Aug 2015 - "'ACH Payment Notification' pretending to come from ap_vendor_pay2@ bankofamerica .com with a zip attachment is another one from the current bot runs...
The email looks like:
    LOGICEASE SOLUTIONS INC       Vendor:10288253   Pay Dt: 20150820 Pay Ref Num: 2000542353
    Your invoice has been processed for payment by Bank of America Corporate Accounts Payable. The following items are included in this payment:
    The net amount deposited to account number ending   XXXX8014 designated by you is           $1843.73
    IMPORTANT: AVAILABILITY OF FUNDS FOR WITHDRAWAL IS SUBJECT TO POSTING BY RECEIVING BANK (USUALLY WITHIN THREE BUSINESS DAYS)
    Please do not respond to this e-mail. Should you have questions, please contact the Purchasing, Payment & Reimbursement helpline at 888.550.6174...


20 August 2015: Pay_Advice.zip: Extracts to: Pay_Advice.exe
Current Virus total detections 5/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440085153/
 



Edited by AplusWebMaster, 20 August 2015 - 11:51 AM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
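The "spoofed icon" trick described above (Pay_Advice.zip extracting to Pay_Advice.exe, and the .pdf.exe and .scr names that turn up later in this thread) only works because Explorer hides the real extension. Below is an added triage script, written for this page and not taken from any of the quoted posts or their authors, that opens a ZIP attachment without executing anything and flags members both by name (executable or double extension) and by magic bytes (an MZ header is a Windows executable whatever the name says; an OLE2 signature is a legacy Office file that may carry macros). The archive it scans is constructed inline with stub contents (a bare MZ header, an OLE signature, a fake PDF), the member names are borrowed from the thread, and the extension lists are my own choice, not something the posts specify.

```python
import io
import os
import zipfile

# Extensions Windows will run directly when double-clicked; the lures in this
# thread used .exe and .scr (screensavers are plain PE executables).
# This list is an assumption for the example, not taken from the posts.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Extensions the lure wants the victim to believe they are opening.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


def classify_member(name, head):
    """Return findings for one archive member, from its name and first 8 bytes.

    Name-based checks catch the display trick (hidden final extension); the
    magic-byte checks catch it even when the name looks harmless.
    """
    findings = []
    base = os.path.basename(name.replace("\\", "/")).lower()
    exts = ["." + p for p in base.split(".")[1:]]
    final_ext = exts[-1] if exts else ""
    if final_ext in EXECUTABLE_EXTS:
        findings.append("executable extension %s" % final_ext)
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and final_ext in EXECUTABLE_EXTS:
        findings.append("double extension %s%s" % (exts[-2], final_ext))
    if head.startswith(PE_MAGIC):
        findings.append("PE header (MZ) regardless of extension")
    elif head.startswith(OLE_MAGIC):
        findings.append("OLE2 container (legacy Office file; may carry VBA macros)")
    elif final_ext == ".pdf" and not head.startswith(b"%PDF"):
        findings.append("named .pdf but lacks %PDF magic")
    return findings


def triage_zip(data):
    """Scan an in-memory ZIP; return {member name: [findings]} for suspect members."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the magic is needed; nothing is extracted to disk
            findings = classify_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip():
    """Constructed archive mimicking the thread's attachment names (not real malware)."""
    fake_pe = PE_MAGIC + b"\x90\x00" + b"\x00" * 60  # only the DOS magic; not a runnable binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CRFC, Invoice 2018.pdf.exe", fake_pe)                  # double extension + PE
        zf.writestr("Invoice.scr", fake_pe)                                  # .scr is a PE in disguise
        zf.writestr("report_49583071624518.doc", OLE_MAGIC + b"\x00" * 16)  # macro-capable container
        zf.writestr("genuine.pdf", b"%PDF-1.4\n% harmless placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in triage_zip(build_sample_zip()).items():
        print("%s -> %s" % (name, "; ".join(findings)))
```

Feeding `triage_zip` the raw bytes of a quarantined attachment is enough to decide whether it deserves a sandbox run; the magic-byte check is what matters, since a renamed executable defeats every name-based rule.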


#1522 AplusWebMaster

Posted 21 August 2015 - 06:18 AM

FYI...

Fake 'bank birthday bonus' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 Aug 2015 - "A series of emails saying 'Our bank have a birthday today so we would like to give you some bonuses as you’re the most valuable client of ours' with a subject of 'You are our most valued customer. Your ID 23428458 [random numbers]' coming from random names and email addresses with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ID-23428458.png

All these emails have random senders & companies, random phone numbers but the alleged sender matches the name in the body of the email and the name of the attachment.
21 August 2015: Bank-Reagan Bashirian DDS_(278) 789-4975_client-268119023428458.zip:
Extracts to: Bank Client992322638_West Jermainemouth.exe - Current Virus total detections: 2/57*.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440154416/
___

Fake 'translator job' SCAMs
- http://myonlinesecur...ator-jobs-scam/
21 Aug 2015 - "We all see thousands of adverts and get loads of emails offering us jobs. This one caught my eye earlier:
'Earn Up To $315 A Day Translating Words'. Sent by Real Translator Jobs <realtranslatorjobs@ freonjob .org>
The email reads like a godsend for somebody who speaks an extra language and needs a few $$ or ££ but has all the hallmarks of a scam/multi level marketing/pyramid scheme.

Screenshot: http://myonlinesecur...or-job-scam.png

... If you follow the links to the website you see http ://www.realtranslatorjobs .com/ and a referrer link at the end of the url. I have blanked out the referrer link so he/she doesn’t get any income from the scam by following links from here:
> http://myonlinesecur...obs-website.png
... The first thing that jumps out at you is:
> http://myonlinesecur...-checklist2.jpg
... The only people who get rich and make a lot of money are the originators for this scam and the “affiliates” who promote it and get a commission on every sign up or click through to the website... it will cost you $68 to sign up but there is a special offer for today only for $34 dollars (save 50%!)... don’t fall for it and don’t waste your money. You won’t earn a thing..."
___

Fake 'invoice 2018' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 Aug 2015 - "'invoice 2018' pretending to come from Garry White <garry@ whitechappell .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...nvoice-2018.png

21 August 2015 : CRFC, Invoice 2018.pdf.zip: Extracts to: CRFC, Invoice 2018.pdf.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1440155507/
___

What is event.swupdateservice .net?
- http://blog.dynamoo....servicenet.html
21 Aug 2015 - "...  I saw some mysterious outbound traffic to event.swupdateservice .net/event (138.91.189.124 / Microsoft, US). Googling around for the domain came up with some references to malware, but nothing very conclusive. The WHOIS details for the domain are -anonymised- (never a good sign), and the IP address is also used by event.ezwebservices .net which uses similarly -hidden- details. Team Cymru have an analysis* of what is being phoned home to this mystery server, and I found an existing Malwr analysis** referencing the alternate domain. I eventually found the mystery executable in C:\Users\[username]\AppData\Local\SoftUpdate\SoftUpdate.exe on the afflicted machine... The binary itself does not identify its creator. I found various references (such as in this report***) linking this software and the domains to Emaze .com (a "free" presentation tool)... Neither domain identifies itself through the WHOIS details, nor can I find any contact details on either site... I don't like sharing data with commercial operations who are not prepared to fully reveal their identity, and I personally recommend -blocking- traffic to:
visualbee .com: 168.62.20.37: https://www.virustot...37/information/
emaze .com: 54.83.51.169: https://www.virustot...69/information/
swupdateservice .net
ezwebservices .net  "
* https://totalhash.cy...cfd89b27bc51970

** https://malwr.com/an...TE3MWUzNWNhZjE/

*** https://www.hybrid-a...environmentId=1

138.91.189.124: https://www.virustot...24/information/
___

Fake Malwarebytes?...
- https://blog.malware...ows-10-website/
Aug 21, 2015 - "Here at Malwarebytes, we offer support for a wide variety of Windows Operating Systems – from XP right up to Windows 10. The latter OS is the starting point for this blog post, with a website located at: malwarebytes-windows10(dot)com which seemed to offer up a “Windows 10 ready” version of Malwarebytes Anti-Malware:

Screenshot: https://blog.malware.../08/mbam101.jpg

This installer is -not- ours, so it’s clear that this is a download manager of some sort, and – one would hope – gave the downloader a copy of MBAM at the end of the process. However, the download kept breaking, so we couldn’t get any further than the initial installer splash...
Since we started looking into this, the site has also now apparently rolled down the shutters:
> https://blog.malware.../08/mbam104.jpg
However, the EULA / Privacy Policy on the installer took us to a site located at
qpdownload(dot)com which also offered up a variety of programs including Adblock Plus and yet another MBAM:
> https://blog.malware.../08/mbam105.jpg
... Users of Malwarebytes Anti-Malware will find we detect the “Download Manager” as PUP.Optional.InstallCore.A. Download sites can be cool, but it seems counter-intuitive to offer products designed to reduce advertisements / advertising software on your desktop alongside... adverts..."

malwarebytes-windows10(dot)com: 107.180.24.239: https://www.virustot...39/information/

qpdownload(dot)com: 96.43.136.163: https://www.virustot...63/information/
___

Malvertising on Telstra Media Homepage ...
- https://blog.malware...s-malvertising/
Aug 21, 2015 - "The media home page of Australia’s -largest- telecommunications company, Telstra, was pushing some malvertising similar to the attack we just documented*...
* https://blog.malware...e-plentyoffish/
The infection chain goes like this:
    media.telstra .com.au/home.html (Publisher)
    frexw .co.uk/public/id-55048502/300×250.php (Malvertising)
    gp-urti .info/bard-vb4735/vcyz-46820t.js (Malicious redirector)
    goo .gl/s3LrVw (Abuse of Google URL shortener to load an exploit kit)
    augpdoiof .info/document.shtml?AfWlx={redacted} (Nuclear Exploit Kit)
>> https://blog.malware...lstra_graph.png
While we did not collect the particular sample dropped in this campaign, it is quite likely to be the Tinba banking Trojan... The Google link has now been disabled:
> https://blog.malware...5/08/google.png
The malvertising attack lasted for a few days and was last seen on the 17th."

augpdoiof .info: 45.32.238.228: https://www.virustot...28/information/

gp-urti .info:
  104.24.120.10: https://www.virustot...10/information/
  104.24.121.10: https://www.virustot...10/information/



Edited by AplusWebMaster, 21 August 2015 - 12:07 PM.



#1523 AplusWebMaster

Posted 23 August 2015 - 05:30 PM

FYI...

Neutrino Campaign leveraging WordPress, Flash for CryptoWall
- http://research.zsca...-wordpress.html
Aug 20, 2015 - "Neutrino Exploit Kit... in the past few days we've seen a massive uptick in the use of the kit. The cause for this uptick appears due to widespread WordPress site compromises...  the image below illustrates the components involved in this campaign:
> https://4.bp.blogspo...trino_nexus.PNG
...  there are multiple recent changes in the Neutrino code, some that are normally characteristics of Angler Exploit Kit, but others that remain unique to Neutrino... The goal of this campaign is to completely and fully compromise the site, which includes adding a webshell, harvesting credentials, and finally injecting an iframe that loads a Neutrino landing page... the primary IP for the observed Neutrino landing pages is '185.44.105.7' which is owned by VPS2DAY .com. Many of the domains pointing to that IP utilize 'xyz', 'ga', 'gq', and 'ml' TLDs. Taking a look at the whois data for some of these domains, a common attribute seems to be the name 'Max Vlapet' for .XYZ domains... This campaign also reconfirms that Neutrino Exploit Kit activity is on the rise and is still a major player in the exploit kit arena..."
- http://it.slashdot.o...rino-ek-traffic
Aug 22, 2015

185.44.105.7: https://www.virustot....7/information/
 





#1524 AplusWebMaster

Posted 24 August 2015 - 06:14 AM

FYI...

Fake 'Message from scanner' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
24 Aug 2015 - "'Message from scanner' pretending to come from scanner.coventrycitycentre@ brianholt .co.uk with a zip attachment but a completely -empty/blank- body of the email is another one from the current bot runs...

Screenshot: http://myonlinesecur...rom-scanner.png

24 August 2015: Sscanner15081208190.zip: Extracts to:  Sscanner15081208190.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440408248/

- http://blog.dynamoo....om-scanner.html
24 Aug 2015 - "... malicious executable Sscanner15081208190.exe embedded into the attachment Sscanner15081208190.zip . This executable has a detection rate of just 5/54*. The Hybrid Analysis report** shows the malware POSTing to:
smboy .su/mu/tasks.php
.SU (Soviet Union) domains are almost always bad news. If you can block them on your web filter then I recommend that you do so. This particular site is hosted on 95.172.146.73 (RTComm-Sibir, Russia). The  network range of 95.172.146.0/23 does seem to contain some legitimate Russian-language sites, but you might want to -block- the whole range to be on the safe side. The payload is unknown, but typically malware like this will drop either the Dyre banking trojan or some sort of ransomware."
* https://www.virustot...sis/1440414098/

** https://www.hybrid-a...environmentId=1

95.172.146.73: https://www.virustot...73/information/
___

German site dwdl .de -hacked- serving malware via 94.142.140.222
- http://blog.dynamoo....lde-hacked.html
24 Aug 2015 - "... German media website dwdl .de has been -hacked- and is serving up malware, according to this URLquery report*. URLquery's IDS function detects what looks like the RIG Exploit kit:
> https://3.bp.blogspo...600/dwdl-de.png
The exploit is injected code pointing to a server at 94.142.140.222 (Marosnet Telecommunication Company, Russia) which in the example is using filter.michiganbeerhops .com which is a -hijacked-  GoDaddy domain. The exploit only appears to work if the site is accessed via a search engine, which looks like a classic .htaccess hack. URLquery's script relationship chart shows this in action:
> https://3.bp.blogspo...n_graph.php.gif
VirusTotal** gives an overview of other malicious domains on this server. It indicates that the following domains have been -hijacked- and malicious subdomains set up..."
(Long list at the dynamoo URL - top of this post.)
* http://urlquery.net/...d=1440424952903

** 94.142.140.222: https://www.virustot...22/information/
 



Edited by AplusWebMaster, 24 August 2015 - 08:40 AM.

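The dwdl .de write-up above notes that the injected redirect "only appears to work if the site is accessed via a search engine, which looks like a classic .htaccess hack": the attacker gates the RewriteRule on a Referer (or User-Agent) that names a search engine, so the owner visiting their own site never sees it. The scanner below is an added example for this page, not code from dynamoo or URLquery, that parses an .htaccess file and flags RewriteRules which send visitors off-site only under such a condition, or to a raw IP. The .htaccess it reads is constructed inline; attacker.example is a placeholder host, not one from the posts, and the search-engine list is my own.

```python
import re

# Engines the injected rules typically key on; the list is an assumption for the example.
SEARCH_ENGINES = re.compile(r"google|bing|yahoo|msn|aol|ask\.|yandex|baidu|duckduckgo", re.I)
EXTERNAL_TARGET = re.compile(r"^https?://(?P<host>[^/\s?#]+)", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse_htaccess(text):
    """Yield (line number, lower-cased directive, argument string) for each non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield n, parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def find_conditional_redirects(text, site_host):
    """Flag RewriteRules that redirect off-site when gated on a search-engine
    Referer/User-Agent, or that redirect to a bare IP address."""
    findings = []
    pending = []  # RewriteCond lines waiting for the RewriteRule they attach to
    for n, directive, args in parse_htaccess(text):
        if directive == "rewritecond":
            pending.append((n, args))
            continue
        if directive != "rewriterule":
            continue
        fields = args.split()
        target = fields[1] if len(fields) > 1 else ""
        m = EXTERNAL_TARGET.match(target)
        keyed = [
            (cn, ca) for cn, ca in pending
            if ("%{HTTP_REFERER}" in ca.upper() or "%{HTTP_USER_AGENT}" in ca.upper())
            and SEARCH_ENGINES.search(ca)
        ]
        pending = []  # RewriteCond lines apply only to the rule that follows them
        if not m or m["host"].lower() == site_host.lower():
            continue  # internal rewrite or same-site redirect: not the pattern hunted here
        reasons = ["redirect target outside %s" % site_host]
        if keyed:
            reasons.append("gated on search-engine Referer/User-Agent")
        if IPV4.match(m["host"]):
            reasons.append("raw IP target")
        if keyed or IPV4.match(m["host"]):
            findings.append({"line": n, "target_host": m["host"],
                             "conditions": keyed, "reasons": reasons})
    return findings


# Constructed .htaccess: an injected, referer-gated block followed by the site's own
# front-controller rule. attacker.example is a placeholder, not a host from the posts.
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|yahoo|bing|msn|aol)\. [NC,OR]
RewriteCond %{HTTP_REFERER} (yandex|baidu)\. [NC]
RewriteRule ^(.*)$ http://attacker.example/in.cgi?4 [R=302,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L]
"""


if __name__ == "__main__":
    for f in find_conditional_redirects(SAMPLE_HTACCESS, "dwdl.de"):
        print("line %d -> %s: %s" % (f["line"], f["target_host"], "; ".join(f["reasons"])))
```

Run it over every .htaccess under the document root (attackers often drop copies in subdirectories), and compare the result with a request made by hand carrying `Referer: https://www.google.com/` to confirm the redirect actually fires.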


#1525 AplusWebMaster

Posted 25 August 2015 - 05:00 AM

FYI...

Fake 'Visa Card' SPAM - malicious attachment
- http://blog.dynamoo....d-aug-2015.html
25 Aug 2015 - "This -fake- financial spam does not come from Ellesmere Engineering but is in fact a simple forgery with a malicious attachment:
    From     [david@ ellesmere .engineering]
    To     "'Sharon Howarth'" [sharon@ ellesmere .engineering]
    Date     Tue, 25 Aug 2015 09:52:47 +0200
    Subject     Visa Card Aug 2015
    Visa Card payments this month
    ---
    This email has been checked for viruses...


Attached is a document Visa Card Aug 2015.docm which I have seen in three different versions, containing one of -three- malicious macros... that then attempt to download a malicious binary from one of the following locations:
http ://e-projekt.ns1.internetdsl .pl/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
http ://landrevie.g.free .fr/45gf3/7uf3ref.exe
This executable has a detection rate of just 1/55* and the Malwr report** shows network traffic to:
91.239.232.9 (Hostpro Ltd, Ukraine)
I strongly recommend that you -block- that IP address. The payload to this is almost definitely the Dridex banking trojan."
* https://www.virustot...sis/1440489790/
... Behavioural information
TCP connections
91.239.232.9: https://www.virustot....9/information/
191.234.4.50: https://www.virustot...50/information/

** https://malwr.com/an...jdjMjRjODg5NDY/

internetdsl .pl: 80.48.169.1: https://www.virustot....1/information/

free .fr: 212.27.48.10: https://www.virustot...10/information/

- http://myonlinesecur...-macro-malware/
25 Aug 2015
Screenshot: http://myonlinesecur...rd-Aug-2015.png
25 August 2015: Visa Card Aug 2015.docm - Current Virus total detections 7/55*
Downloads Dridex banking malware.
* https://www.virustot...sis/1440499540/
___

Fake 'Dropbox' SPAM - leads to malware
- http://blog.dynamoo....chedule092.html
25 Aug 2015 - "This -fake- Dropbox email leads to malware, hosted on the sharing service sugarsync .com.
    From:    June Abel via Dropbox [no-reply@ dropbox .com]
    Date:    25 August 2015 at 12:59
    Subject:    June Abel shared "UPDATE_VACATIONS_SCHEDULE_09_2015.pdf" with you
        June used Dropbox to share a file with you!
    Click here to download.     
        © 2015 Dropbox


I have seen three different samples with different download locations:
https ://www.sugarsync .com/pf/D3941255_827_052066225?directDownload=true
https ://www.sugarsync .com/pf/D160756_82_6104120627?directDownload=true
https ://www.sugarsync .com/pf/D2694666_265_638165437?directDownload=true
In each case, the binary downloaded is identical and has a VirusTotal detection rate of 3/55*. Analysis is pending, but the payload appears to be the Dyre banking trojan.
UPDATE: The Hybrid Analysis report** shows traffic to 197.149.90.166 (Cobranet, Nigeria) which I recommend you block."
* https://www.virustot...sis/1440506327/

** https://www.hybrid-a...environmentId=1

sugarsync .com: 74.201.86.21: https://www.virustot...21/information/

197.149.90.166: https://www.virustot...66/information/
___

Fake 'Invoice 26949' SPAM - malicious attachment
- http://blog.dynamoo....from-i-spi.html
25 Aug 2015 - "My spam traps did not collect the body text from this message, so all I have is headers. However, this -fake- financial email is not from i-Spi Ltd and is instead a simple forgery with a malicious attachment:
    From     [sales@ ispitrade .com]
    Date     Tue, 25 Aug 2015 20:37:09 +0800
    Subject     Invoice 26949 from I - SPI Ltd


Attached is a file Inv_26949_from_I__SPI_Ltd_7888.doc which actually comes in several different versions... which contains a malicious macro... that downloads an executable from one of the following locations:
http ://landrevie.g.free .fr/45gf3/7uf3ref.exe
http ://e-projekt.ns1.internetdsl .pl/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
http ://claudio.locatelli.free .fr/45gf3/7uf3ref.exe
http ://spitlame.free .fr/45gf3/7uf3ref.exe
http ://nathalieetalain.free .fr/45gf3/7uf3ref.exe
This Hybrid Analysis report* shows network traffic to:
91.239.232.9 (Hostpro Ltd, Ukraine)
This is the same bad IP as found in this earlier spam run**, I recommend that you block it. The payload here is almost definitely the Dridex banking trojan."
* https://www.hybrid-a...environmentId=1

** http://blog.dynamoo....d-aug-2015.html

- http://myonlinesecur...-macro-malware/
25 August 2015: Inv_26949_from_I__SPI_Ltd_7888.doc "... Downloads the -same- Dridex banking malware as described in today’s earlier malspam run of malicious word docs*..."
* http://myonlinesecur...-macro-malware/
___

Browsefox variant High Stairs - browser hijackers
- https://blog.malware...nt-high-stairs/
Aug 25, 2015 - "Browsefox aka Sambreel aka Yontoo is a family of browser hijackers. When advertised they promise to “customize and enhance your interaction with the websites you visit”, but in reality they are almost never a user's choice install. They come -bundled- with other software at many major download sites and at best you will see this screen when the installation starts:
> https://blog.malware...15/08/main1.png
High Stairs is one of the latest additions to this family. It is being offered as a browser extension -without- making clear what it does for the user. If you want to have a look at the EULA and Privacy Policy you will have to visit their website:
> https://blog.malware...015/08/EULA.png
... The EULA clearly states that it allows the “Software” to use -any- means imaginable to deliver advertisements and that it will collect your data. The Privacy Policy lets you know that they will use, share and sell those data to any and all parent, subsidiary or affiliate companies. Bottom line, as long as it brings in cash. Browser hijackers of this family are VM aware, meaning they will not do a full install if they detect they are run on a Virtual Machine. Sometimes the files are downloaded and put in place, but the extensions are not installed and enabled. The -hijackers- from this family do provide browser extensions for IE, Firefox, Chrome and Opera (and probably more)... invisible iframes can be used to deliver anything and everything to your computer, ranging from advertisements (which is very likely in this case) to (in theory) exploit kits. In theory in this case means, that we haven’t seen any exploit kits being delivered through the advertisements these PUPs deliver, but if the PUP has a vulnerability or their network is compromised a third party could use this in the same manner as has been done with malvertisements on legitimate sites. This browser hijacker is relatively easy to remove. Other variants have been known to install services as well, making them a bit harder to tackle. Unfortunately “High Stairs” is not alone. We see a new Sambreel variant at least a few times every week. The installer and the installed files are all detected as 'PUP.Optional.HighStairs.A'. Logs, more screenshots and removal instructions for “High Stairs” can be found on our forums*..."
* https://forums.malwa...or-high-stairs/
 



Edited by AplusWebMaster, 25 August 2015 - 12:41 PM.



#1526 AplusWebMaster

Posted 26 August 2015 - 05:39 AM

FYI...

Fake 'Scanned image - MX-2600N' SPAM  – doc/xls malware
- http://myonlinesecur...-macro-malware/
26 Aug 2015 - "'Scanned image from MX-2600N' pretending to come from  noreply@ your email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
The email looks like:
    Reply to: noreply@ securityandprivacy .co.uk <noreply@ securityandprivacy .co.uk>
    Device Name: Not Set
    Device Model: MX-2600N
    Location: Not Set
    File Format: DOC MMR(G4)
    Resolution: 200dpi x 200dpi
     Attached file is scanned image in DOC format.
    Use Microsoft®Word® of Microsoft Systems Incorporated to view the document.


26 August 2015: noreply@securityandprivacy.co.uk_20150826_181106.doc
Current Virus total detections 7/57*:
Downloads Dridex banking malware from one of these locations:
detocoffee.ojiji .net/45ygege/097uj.exe  (virus Total**)
students.johnbryce .co.il/nagare/45ygege/097uj.exe
groupedanso .fr/45ygege/097uj.exe
asterixpr.republika .pl/45ygege/097uj.exe
fotolagi .com/45ygege/097uj.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1440582748/

** https://www.virustot...sis/1440583201/
... Behavioural information
TCP connections
91.239.232.9: https://www.virustot....9/information/
191.234.4.50: https://www.virustot...50/information/

- http://blog.dynamoo....ge-from-mx.html
26 Aug 2015 - "... The email appears to come from the victim's own domain, but it does not. The "From" address on email is extremely easy to forge. So far I have seen three different malicious attachments, each one in the format noreply@ victimdomain.com_20150826_181106.doc with detection rates of around 7/56 [1] [2] [3] containing one of three malicious macros... which attempt to download a malicious component from one of the following locations:
http ://fotolagi .com/45ygege/097uj.exe
http ://asterixpr.republika .pl/45ygege/097uj.exe
http ://detocoffee.ojiji .net/45ygege/097uj.exe
This malicious binary currently has a VirusTotal detection rate of just 2/54. Automated analysis... shows network traffic to 91.239.232.9 (Hostpro Ltd, Ukraine) which has been used in several attacks recently. The payload is almost definitely the Dridex banking trojan."
1] https://www.virustot...sis/1440583485/

2] https://www.virustot...sis/1440583498/

3] https://www.virustot...sis/1440583515/
___

Fake 'invoice A4545945' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Aug 2015 - "'Copy of invoice A4545945. Please find your invoice attached' pretending to come from Screwfix Direct <online@ screwfix .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Dear Customer
    Thank you for shopping at Screwfix.
    As requested please find attached a copy of invoice: A4545945.
    You will require a PDF file reader in order to view and print the invoice. Should your invoice not be attached please email invoice@ screwfix .com ensuring that you quote your order reference.
    Please do not reply to this e-mail.
    If you have any queries, please quote the Invoice Number: A4545945, when contacting us:
    Phone:       0500 41 41 41 (03330 112 320 from a mobile) UK based Contact Centre
    E-mail:     online@ screwfix .com
    Write to:   Screwfix, Trade House, Mead Avenue, Yeovil, BA88 8RT ...


26 August 2015: Invoice_A3176864.zip: Extracts to: Invoice.scr
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440580919/
___

Fake 'Invoices from UBM' SPAM - PDF malware
- http://myonlinesecur...-pdf-malware-2/
26 Aug 2015 - "'Your Invoices from UBM' pretending to come from UBM (UK) Limited <ubm@ ubm .com> with a zip attachment is another one from the current bot runs... The email looks like:
Dear Customer,
Please find attached your invoice(s) from UBM. If you have any queries regarding the invoice, payment or service delivered please don’t hesitate to contact us on the details below.
Regards,
UBM Receivables Team.
Tel     : +44 207 921 8506 (21627)
Email : bogumila.murzyn@ ubm .com
Fax   :
****PLEASE DO NOT REPLY TO THE EMAIL ADDRESS ubm@ ubm .com AS IT IS NOT MONITORED**** ...


26 August 2015: 65550757_Invoices_26-AUG-2015.zip:
Extracts to: 65550757_Invoices_26-AUG-2015.scr ... which is the -same- Upatre malware that is described in today’s other malspam run with Zip attachments*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* http://myonlinesecur...ke-pdf-malware/
___

Fake 'new fax delivery svc' – PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Aug 2015 - "A series of emails saying 'We are a new fax delivery service' with the subject reading Fax #[ random characters] from [random name] with a zip attachment is another one from the current bot runs... The email looks like:
    You have a fax.
    Data sent: Wed, 26 Aug 2015 14:08:41 +0000
    TO: [redacted]
    *********************************
    We are a new fax delivery service – Walker-Gerlach.
    Our company develops rapidly and services remain fastest and open to everyone.
    As our slogan goes: “Fast. Cheap. Best quality.”
    *********************************

-Or-
    You have a fax.
    Data sent: Wed, 26 Aug 2015 14:06:21 +0000
    TO: [REDACTED]
     *********************************
    We are a new fax delivery service – Hirthe-Bayer.
    Our company develops rapidly and services remain fastest and open to everyone.
    As our slogan goes: “Fast. Cheap. Best quality.”
    *********************************


26 August 2015: fax_jxJ3O9_Walker-Gerlach_Colton Leffler.zip
Extracts to: Invoice East Marta.exe
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1440598735/

- http://blog.dynamoo....le-senders.html
26 Aug 2015 - "... -fake- fax spam comes from random senders - company names and attachment names vary from spam to spam... Attached is a ZIP file combining various elements from the spam (for example, in this case it was fax_AhnxlQ8_Heaney, Vandervort and Hilll_Donny Kub.zip). This contains a malicious executable (e.g. Invoice Lake Janeview.exe) which currently has a 2/56* detection rate at VirusTotal. The Hybrid Analysis report** shows it phoning home to:
197.149.90.166 /260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM
197.149.90.166 /260822U/Yd1D3h1R87/41/5/42/FDMBEFJBMKBEMM
This pattern marks the malware out as being Upatre/Dyre. 197.149.90.166 is an IP address belonging to Cobranet in Nigeria which was also used in a similar attack yesterday.*** "
* https://www.virustot...sis/1440599515/

** https://www.hybrid-a...environmentId=1

*** http://blog.dynamoo....chedule092.html
___

Bank of America Invoice Spam
- http://threattrack.t...ca-invoice-spam
Aug 26, 2015 - "Subjects Seen
    Invoice Annabell Yost
Typical e-mail details:
    Dear Customer,
    Invoice14768170 from Annabell Yost.
    Sincerely,
    Ellsworth Abbott
    1-100-532-7314
    Bank of America PLC.


Screenshot: https://40.media.tum...1r6pupn_500.png

Malicious File Name and MD5:
    InvoiceFaker__Number.number(5)info_324986219861.exe (276646dc44bb3a2e4bf7ba21f207b5be)


Tagged: bank of america, Upatre
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 26 August 2015 - 12:16 PM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
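The two fax/invoice write-ups above rely on the same trick: a ZIP holding a .exe or .scr that carries a PDF icon, which Explorer shows without its extension. Added example for this thread (not code from the post or the quoted blogs): a mail-gateway style check that judges each archive member by its name and its first bytes, never by icon. The function names (inspect_zip, build_sample_archive, is_suspicious) and the sample archive are assumptions; the "PE" members in the sample are inert placeholder bytes, not programs.

```python
"""Inspect an e-mail ZIP attachment for executables posing as documents.

Added example for this thread (not code from the forum post or the quoted
blogs). The spam above ships a ZIP whose member is a .exe/.scr with a PDF icon;
Explorer hides the extension by default, so the check below goes by file name
and by the first bytes of each member, never by icon.
"""
import io
import os
import zipfile

# Extensions Windows runs on double-click (well-known set, not from the page).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Document extensions used to spot "invoice.pdf.exe"-style double extensions.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def inspect_zip(data: bytes) -> list:
    """Return (member_name, reason) pairs for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            with zf.open(info) as fh:
                head = fh.read(2)
            # 1. the name itself ends in something Windows will execute
            if ext in EXECUTABLE_EXTS:
                findings.append((name, "executable extension " + ext))
            # 2. the bytes are a PE file even though the name says otherwise
            if head == PE_MAGIC and ext not in EXECUTABLE_EXTS:
                findings.append((name, "PE header under a non-executable name"))
            # 3. "something.pdf.scr": a document extension hiding before the real one
            parts = lower.split(".")
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
                findings.append((name, "double extension"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample ZIP mimicking the fax spam (hypothetical content);
    the 'PE' stubs are inert placeholder bytes, not programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice East Marta.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("Invoice.pdf.scr", PE_MAGIC + b"\x00" * 30)
        zf.writestr("report.pdf", PE_MAGIC + b"\x00" * 30)
        zf.writestr("readme.txt", b"plain text, nothing to see here")
    return buf.getvalue()


def is_suspicious(data: bytes) -> bool:
    """True when any member of the archive trips a check."""
    return bool(inspect_zip(data))


if __name__ == "__main__":
    for member, why in inspect_zip(build_sample_archive()):
        print("%-24s %s" % (member, why))
```

The content check matters more than the name check: an attacker controls the file name, but a Windows executable always starts with the MZ bytes, so a member named report.pdf that begins with MZ is flagged even when the extension looks harmless.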


#1527 AplusWebMaster

Posted Yesterday, 05:10 AM

FYI...

Angler Exploit Kit strikes MSN.com via Malvertising Campaign
- https://blog.malware...ising-campaign/
Aug 27, 2015 - "The same ad network – AdSpirit .de – which was recently abused in malicious advertising attacks against a slew of top media sites was caught serving malvertising on MSN .com. This is the work of the -same- threat actors that were behind the Yahoo! malvertising. The incident occurred when people who were simply browsing MSN’s news, lifestyle or other portals were served with a malicious advertisement that silently loaded the Angler exploit kit and attempted to infect their computers. The ad request came from AppNexus, which loaded the booby-trapped advert from AdSpirit and the subsequent malvertising chain.
Infection chain:
    msn .com/en-us/news/politics/dozens-of-clinton-emails-were-classified-from-the-start-us-rules-suggest/ar-BBlXPkl?ocid=iehp (publisher)
    lax1.ib.adnxs .com/{redacted} (AppNexus Ad network)
    pub.adspirit .de/adframe.php?pid=7&ord=[timestamp]prdclick_0 (AdSpirit Ad network)
    trkp-a1009.rhcloud .com/?tr28-0a22 (OpenShift redhat Redirection)
    fox23tv .com/?cn67CuYcDcbvV (Same ad but with redirection to malicious URL)
    abbezcqerrd.irica.wieshrealclimate .com (iframe to exploit kit)
    hapme.viwahcvonline .com (Angler EK landing page)
> https://blog.malware.../redir_flow.png
This time, rogue actors are leveraging RedHat’s cloud platform, rhcloud .com to perform multiple -redirections- to the Angler exploit kit (in the previous attack they were using Microsoft’s Azure). While we did not collect the malware payload associated with this campaign, we believe it is either Ad fraud or ransomware, Angler’s trademark. Angler has been acting up strange lately, for instance last week it fell out of favour briefly for the Neutrino EK when compromised sites decided to redirect to the latter. Following our report, AppNexus -deactivated- the creative in question and said they were investigating this issue in greater depth..."

viwahcvonline .com: 141.8.224.93: https://www.virustot...93/information/

> https://www.virustot...f2078/analysis/
___

Fake 'resume' SPAM leads to Cryptowall
- http://blog.dynamoo....e-leads-to.html
26 Aug 2015 at 22:48 - "This -fake- resume spam has a malicious payload. I got part way through decrypting it to discover that @Techhelplistcom had done all the hard bits which saved me some effort. This particular spam delivers a version of the Cryptowall ransomware. In the only sample I saw, the spam looks like this:
    From:    emmetrutzmoser@ yahoo .com
    To:   
    Date:    26 August 2015 at 23:29
    Subject:    RE:resume
    Signed by:    yahoo .com
    Hi! my name is Janet Ronald it is my resume!Awaiting your prompt reply
    Best regards
    Janet Ronald


Attached was a file Janet_Ronald_resume.doc [VT 5/56*] which contains a malicious macro... The format of this message is very similar to this other fake resume spam seen recently[1], and a key feature here is that the message is really sent through Yahoo! and is not a forgery.
1] http://blog.dynamoo....iel-resume.html
Deobfuscating the macro shows that a file is downloaded from http :// 46.30.46.60 /444.jpg which is then run through a decoding mechanism to create (I think) %APPDATA%\278721985.exe. The Hybrid Analysis report** shows some of this in action, but Techhelplist[2] did the hard work of decrypting it..
> https://4.bp.blogspo.../cryptowall.png
...
2] https://twitter.com/...633492441268224
To save a bit of time, a helpful soul left a note on the VT scan of the fake JPEG which leads to this VT report*** on the actual executable itself, and this then leads to this rather informative Hybrid Analysis report[3] which has some nice screenshots.
3] https://www.hybrid-a...environmentId=2
Out of all the IPs and domains listed in those reports, I think these are probably the priorities to block:
46.30.46.60 (Eurobyte, Russia)
linecellardemo .net / 23.229.194.224 (GoDaddy, US)
You might want to block the entire 46.30.46.0/24 range because.. well, Russia really."
* https://www.virustot...sis/1440622900/

** https://www.hybrid-a...environmentId=1

*** https://www.virustot...22920/#comments
___

Fake 'Attachement' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 Aug 2015 - "A -blank- email with the subject of 'Attachement' pretending to come from your own email address with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
The email has a totally empty-blank body and just an XLS Excel spreadsheet attachment:

27 August 2015 : 20131030164403.xls - Current Virus total detections 4/57*
Downloads Dridex banking malware from http ://pintart .pt/43t3f/45y4g.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1440669673/

** https://www.virustot...sis/1440670039/
... Behavioural information
TCP connections
91.239.232.145: https://www.virustot...45/information/
23.14.92.27: https://www.virustot...27/information/

pintart .pt: 80.172.241.24: https://www.virustot...24/information/
___

Fake 'Payslip' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Aug 2015 - "'Payslip for period end date 27/08/2015' pretending to come from noreply@ fermanagh. gov.uk with a zip attachment is another one from the current bot runs... The email looks like:
    Dear administrator
    Please find attached your payslip for period end 27/08/2015
    Payroll Section ...


Some emails have arrived malformed-and-damaged and look like:
    This is a multi-part message in MIME format.
    ——————=_Next_25232_7367279505.4684370133215
    Content-Type: text/plain; charset=ISO-8859-1; format=flowed
    Content-Transfer-Encoding: 7bit
    Dear ae48852507a
    Please find attached your payslip for period end 27/08/2015
    Payroll Section ...


27 August 2015: payslip.zip: Extracts to: payslip.scr
Current Virus total detections 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...65298/analysis/

- http://blog.dynamoo....period-end.html
27 Aug 2015 - "... Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly. This executable has a detection rate of 3/56* and the Hybrid Analysis report** indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking."
* https://www.virustot...sis/1440677452/

** https://www.hybrid-a...environmentId=1

197.149.90.166: https://www.virustot...66/information/
___

Fake 'Girls List' Spam ...
- https://blog.malware...g-in-mailboxes/
Aug 27, 2015 - "... spammers are changing up their dating site spam tactics a little bit in the wake of the continued Ashley Madison fallout, with the below curious missives landing in spamtraps over the last day or so:
> https://blog.malware.../crowdspam1.jpg
... emails are identical, and read as follows:
> https://blog.malware.../crowdspam2.jpg
... well, they -would- read as follows if they had any text in them to read. The emails are entirely -blank- instead offering up two attachments called “girls_list”. A “girl list” would seem to conjure up visions of swiped data and things you’re not supposed to have access to; as it turns out, opening up the .HTML attachment -redirects- you in a browser to a -porn- dating site which splashes... many nude photos around the screen... These emails are already caught by Gmail as spam, but other providers may -not- be flagging them yet. While I’m sure there are lots of fun things you can do with a list, allowing yourself to be redirected-to-porno-spam is probably not one of them and you should avoid these mails. With websites and services jumping on the AM data bandwagon*, it’s clear that anything involving dating and lists is going to be a hot topic for some time to come. Don’t fall for it."
* http://www.troyhunt....sites-like.html
24 Aug 2015 - "... harvesting email addresses and spamming searched victims..."
___

Malvertising campaigns increase 325%
- http://net-security....ews.php?id=3088
26.08.2015 - "Cyphort* investigated the practices used by cyber criminals to inject malicious advertisements into legitimate online advertising networks. Researchers found that malvertising campaigns carried out by hackers increased 325 percent in the past year... The problem of malvertising isn’t going away and cyber criminals will continue finding ways to monetize their attacks. According to the Association of National Advertisers, ad-fraud will cost global advertisers more than $6 billion in 2015..."
* http://www.cyphort.c...y/malvertising/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, Yesterday, 11:50 AM.



#1528 AplusWebMaster

Posted Today, 05:18 AM

FYI...

Fake 'Payment Receipt' SPAM – xls malware
- http://myonlinesecur...dsheet-malware/
28 Aug 2015 - "'Payment Receipt' pretending to come from donotreply@ dartford-crossing-charge.service .gov.uk with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png

Screenshot: http://myonlinesecur...ent-Receipt.png

28 August 2015: PaymentReceipt.xls - Current Virus total detections 5/56*:
Downloads Dridex banking malware from http ://cheaplaptops.pixub .com/3453/5fg44.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1440757199/

** https://www.virustot...sis/1440756592/
... Behavioural information
TCP connections
91.239.232.145: https://www.virustot...45/information/
23.14.92.35: https://www.virustot...35/information/
91.239.232.9: https://www.virustot....9/information/
31.131.251.33: https://www.virustot...33/information/

pixub .com: 93.188.160.103: https://www.virustot...03/information/
___

Dropbox Spam
- http://threattrack.t...83/dropbox-spam
Aug 28, 2015 - "Subjects Seen:
    Brad Waters shared “TP Resignation Letter 2.pdf” with you
    Reed Contreras shared “TP Resignation Letter 2.pdf” with you

Typical e-mail details:
    Brad used Dropbox to share a file with you!
    Click here to view.


Screenshot: https://40.media.tum...1r6pupn_500.png

Malicious URLs:
    newyearpartyistanbul .com/securestorage/getdocument.html
Malicious File Name and MD5:
     TP Resignation Letter 2.scr (90a60d95b2f0db6722755e535e854e82)


Tagged: Dropbox, Upatre

newyearpartyistanbul .com: 93.89.224.6: https://www.virustot....6/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, Today, 07:00 AM.

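The dynamoo, myonlinesecurity and ThreatTrack write-ups quoted in the last two posts each end with IPs, domains or a whole /24 that are "worth blocking". Added example for this thread (not code from the posts or the quoted blogs): a small proxy-log hunt that turns those published indicators into per-client hits, matching on destination domain, on exact IP and on CIDR range. The indicator values are the ones the posts quote; the log layout, the function names (match_reasons, hunt) and the log lines themselves are constructed for the demo.

```python
"""Hunt proxy logs for the indicators quoted in this thread.

Added example (not from the forum posts or the quoted blogs). The indicators
below are the IPs, domains and the 46.30.46.0/24 range that the quoted
write-ups name; the log format and the sample lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Exact IPs quoted in the posts (Cobranet, Eurobyte, GoDaddy, hosting of the EK/Dridex/Upatre domains)
BLOCK_IPS = {"197.149.90.166", "46.30.46.60", "23.229.194.224",
             "141.8.224.93", "93.188.160.103", "93.89.224.6"}
# The range the Cryptowall write-up suggests blocking outright
BLOCK_NETS = [ipaddress.ip_network("46.30.46.0/24")]
# Domains quoted in the posts (re-fanged)
BLOCK_DOMAINS = {"linecellardemo.net", "viwahcvonline.com", "pintart.pt",
                 "cheaplaptops.pixub.com", "newyearpartyistanbul.com"}

# Assumed log layout: "<ISO timestamp> <client ip> <method> <url> <server ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                    r"(?P<url>\S+) (?P<server>\S+)$")

# Constructed sample traffic; 10.0.0.x clients and 203.0.113.10 are placeholders.
SAMPLE_LOG = """\
2015-08-27T10:01:02Z 10.0.0.5 GET http://46.30.46.60/444.jpg 46.30.46.60
2015-08-27T10:01:05Z 10.0.0.5 GET http://linecellardemo.net/ 23.229.194.224
2015-08-27T10:02:00Z 10.0.0.9 GET http://197.149.90.166/260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM 197.149.90.166
2015-08-27T10:03:00Z 10.0.0.12 GET http://www.example.com/index.html 203.0.113.10
2015-08-27T10:04:00Z 10.0.0.5 GET http://46.30.46.77/x 46.30.46.77
"""


def match_reasons(url: str, server: str) -> list:
    """Why one request is suspicious; empty list when it is not."""
    reasons = []
    host = (urlsplit(url).hostname or "").lower()
    if host in BLOCK_DOMAINS:
        reasons.append("domain:" + host)
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return reasons  # server field was not an address; domain check already done
    if str(ip) in BLOCK_IPS:
        reasons.append("ip:" + str(ip))
    for net in BLOCK_NETS:
        if ip in net:
            reasons.append("net:" + str(net))
    return reasons


def hunt(log_text: str) -> dict:
    """Map each client IP to (timestamp, url, reasons) for its suspicious requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        reasons = match_reasons(m.group("url"), m.group("server"))
        if reasons:
            hits[m.group("client")].append((m.group("ts"), m.group("url"), reasons))
    return dict(hits)


if __name__ == "__main__":
    for client, requests in hunt(SAMPLE_LOG).items():
        print(client)
        for ts, url, reasons in requests:
            print("  %s %s  <- %s" % (ts, url, ", ".join(reasons)))
```

Matching on the resolved server address as well as the host name catches the case where the same /24 is reused under a fresh domain, which is the point of blocking the whole range rather than the single IP seen in the sample.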


