More than 100,000 'WordPress sites infected with Malware'
Dec 15, 2014 - "More than 100,000 websites running on WordPress content management system have been found to be infected with malware that attacks the devices of site visitors. Google has blacklisted more than 11,000 domains. Reports suggest that the attackers exploited a vulnerability in the Slider Revolution Premium plug-in*, which the company has known about since September 2014..."
Dec 15, 2014
(More links at the sans URL above.)
Dec 14, 2014
Fake 'AquAid Card' SPAM – doc malware
18 Dec 2014 - "'AquAid Card Receipt' pretending to come from Tracey Smith <email@example.com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in windows explorer or your email client might well be enough to infect you. Definitely DO -NOT- follow the advice they give to enable macros to see the content... The email looks like:
Please find attached receipt of payment made to us today
Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP ...
The macros in this malicious word doc try to connect to http ://sardiniarealestate .info/js/bin.exe ..which is saved as %TEMP%\YEWZMJFAHIB.exe – this has a marginally better detection rate of 3/53*. As we have seen in so many recent attacks like this one, there are 2 versions of the malware:
18 December 2014 : CAR014 151239.doc ( 124kb) | Current Virus total detections: 2/56**
CAR014 151239.doc (130 kb) | Current Virus total detections: 2/55***
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them..."
18 Dec 2014
... Recommended blocklist:
Fake 'Internet Fax' SPAM - trojan Upatre.FH
Dec 18, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Internet Fax Job”, the email is sent from the spoofed address “MyFax <no-replay@ my-fax.com>” and has the following body:
Fax image data
hxxp ://bursalianneler .com/documents/fax.html
The downloaded file fax8642174_pdf contains the 21 kB large file fax8642174_pdf.exe. The trojan is known as Upatre.FH. The trojan will installs itself by creating the service ioiju.exe and makes sure that it boots when Windows starts, modifies several Windows registries... At the time of writing, 1 of the 55 AV engines did detect the trojan at Virus Total*..."
... Behavioural information
Fake 'JPMorgan Chase' SPAM - fake PDF malware
17 Dec 2014 - "'JPMorgan Chase & Co You have received a new secure message' pretending to come from random names @jpmorgan .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
This is a secure, encrypted message.
Open the attachment (message_zdm.html) and follow the instructions.
Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.
Your personalized image for: <redacted>
This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE
Copyright 2013 JPMorgan Chase & Co. All rights reserved
17 December 2014: message_zdm.zip: Extracts to: message_zdm.exe
Current Virus total detections: 11/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
... Behavioural information
Dec 18, 2014
Tagged: JPMorgan, Upatre
ICANN e-mail accounts, zone database breached in spearphishing attack
Password data, other personal information of account holders exposed.
Dec 17 2014 - "Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet's address system, said in a release published Tuesday* that the breach also gave attackers administrative access to all files stored in its centralized zone data system**, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs... As the group controlling the Internet's domain name system, ICANN is a prime target for all kinds of attacks from hackers eager to obtain data that can be used to breach other targets..."
Worm exploits nasty Shellshock bug to commandeer network storage systems
Dec 15 2014 - "Criminal hackers are actively exploiting the critical shellshock vulnerability* to install a self-replicating backdoor on a popular line of storage systems, researchers have warned. The malicious worm targets network-attached storage systems made by Taiwan-based QNAP, according to a blog post published Sunday** by the Sans Institute. The underlying shellshock attack code exploits a bug in GNU Bash that gives attackers the ability to run commands and code of their choice on vulnerable systems. QNAP engineers released an update in October that patches systems against the vulnerability, but the discovery of the worm in the wild suggests a statistically significant portion of users have yet to apply it. Infected systems are equipped with a secure shell (SSH) server and a new administrative user, giving the attackers a persistent backdoor to sneak back into the device at any time in the future..."
** https://isc.sans.edu...e Devices/19061
Edited by AplusWebMaster, Yesterday, 05:33 AM.