Jump to content

Build Theme!
  •  
  • Infected?

Welcome to What the Tech - Register now for FREE

A community of volunteers who share their knowledge, and answer your tech questions. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message, and all ads will be removed once you have signed in.

Create an Account Login to Account


Photo

SPAM frauds, fakes, and other MALWARE deliveries...


  • Please log in to reply
1353 replies to this topic

#1351 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,570 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 18 December 2014 - 07:03 AM

FYI...

More than 100,000 'WordPress sites infected with Malware'
- https://www.sans.org...ites/xvi/99#301
Dec 15, 2014 - "More than 100,000 websites running on WordPress content management system have been found to be infected with malware that attacks the devices of site visitors. Google has blacklisted more than 11,000 domains. Reports suggest that the attackers exploited a vulnerability in the Slider Revolution Premium plug-in*, which the company has known about since September 2014..."
> http://arstechnica.c...erious-malware/
Dec 15, 2014
(More links at the sans URL above.)

* http://blog.sucuri.n...s-websites.html
Dec 14, 2014
___

 

Fake 'AquAid Card' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
18 Dec 2014 - "'AquAid Card Receipt' pretending to come from Tracey Smith <tracey.smith@aquaid.co.uk> with a malicious word doc attachment  is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus. Modern versions of Microsoft office, that is Office 2010 and 2013 and Office 365 have Macros disabled by default, UNLESS you or your company have enabled them.  If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in  windows explorer or your email client might well be enough to infect you. Definitely DO -NOT- follow the advice they give to enable macros to see the content... The email looks like:
    Hi
    Please find attached receipt of payment made to us today
    Tracey
    Tracey Smith| Branch Administrator
    AquAid | Birmingham & Midlands Central
    Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP ...


Screenshot: http://myonlinesecur...cious-email.jpg

The macros in this malicious word doc try to connect to http ://sardiniarealestate .info/js/bin.exe  ..which is saved as %TEMP%\YEWZMJFAHIB.exe – this has a marginally better detection rate of 3/53*. As we have seen in so many recent attacks like this one, there are 2 versions of the malware:
18 December 2014 : CAR014 151239.doc ( 124kb) | Current Virus total detections: 2/56**
CAR014 151239.doc (130 kb) | Current Virus total detections: 2/55***
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them..."
* https://www.virustot...sis/1418893740/

** https://www.virustot...sis/1418891360/

***  https://www.virustot...sis/1418891888/


> http://blog.dynamoo....rd-receipt.html
18 Dec 2014
- https://www.virustot...sis/1418893415/
... Recommended blocklist:
74.208.11.204
81.169.156.5
"
___

Fake 'Internet Fax' SPAM - trojan Upatre.FH
- http://blog.mxlab.eu...ojan-upatre-fh/
Dec 18, 2014 - "... intercepted a new trojan distribution campaign by email with the subject “Internet Fax Job”, the email is sent from the spoofed address “MyFax <no-replay@ my-fax.com>” and has the following body:
    Fax image data
    hxxp ://bursalianneler .com/documents/fax.html


The downloaded file fax8642174_pdf contains the 21 kB large file fax8642174_pdf.exe. The trojan is known as Upatre.FH. The trojan will installs itself by creating the service ioiju.exe and makes sure that it boots when Windows starts, modifies several Windows registries... At the time of writing, 1 of the 55 AV engines did detect the trojan at Virus Total*..."
* https://www.virustot...7f048/analysis/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustot...33/information/
192.185.52.226: https://www.virustot...26/information/
78.46.73.197: https://www.virustot...97/information/
UDP communications
203.183.172.196: https://www.virustot...96/information/
203.183.172.212: https://www.virustot...12/information/
___

Fake 'JPMorgan Chase' SPAM - fake PDF malware
- http://myonlinesecur...ke-pdf-malware/
17 Dec 2014 - "'JPMorgan Chase & Co You have received a new secure message' pretending to come from random names @jpmorgan .com with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    This is a secure, encrypted message.
    Desktop Users:
    Open the attachment (message_zdm.html) and follow the instructions.
    Mobile Users:
    Voltage secure mail is not currently supported on mobile devices. If you experience issues, please access your secure message from a fully functional browser.
    Need Help?
    Your personalized image for: <redacted>
This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE
Copyright 2013 JPMorgan Chase & Co. All rights reserved


Screenshot: http://myonlinesecur...ure-message.jpg

17 December 2014: message_zdm.zip: Extracts to:  message_zdm.exe
Current Virus total detections: 11/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1418844158/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustot...33/information/
217.199.168.166: https://www.virustot...66/information/
UDP communications
217.10.68.152: https://www.virustot...52/information/
217.10.68.178: https://www.virustot...78/information/

- http://threattrack.t...re-message-spam
Dec 18, 2014
Screenshot: https://gs1.wac.edge...JHwm1r6pupn.png
Tagged: JPMorgan, Upatre
___

ICANN e-mail accounts, zone database breached in spearphishing attack
Password data, other personal information of account holders exposed.
- http://arstechnica.c...hishing-attack/
Dec 17 2014 - "Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet's address system, said in a release published Tuesday* that the breach also gave attackers administrative access to all files stored in its centralized zone data system**, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system. Domain registries use the database to help manage the current allocation of hundreds of new generic top level domains (gTLDs) currently underway. Attackers also gained unauthorized access to the content management systems of several ICANN blogs... As the group controlling the Internet's domain name system, ICANN is a prime target for all kinds of attacks from hackers eager to obtain data that can be used to breach other targets..."
* https://www.icann.or...2-2014-12-16-en

* https://czds.icann.org/en
___

Worm exploits nasty Shellshock bug to commandeer network storage systems
- http://arstechnica.c...torage-systems/
Dec 15 2014 - "Criminal hackers are actively exploiting the critical shellshock vulnerability* to install a self-replicating backdoor on a popular line of storage systems, researchers have warned. The malicious worm targets network-attached storage systems made by Taiwan-based QNAP, according to a blog post published Sunday** by the Sans Institute. The underlying shellshock attack code exploits a bug in GNU Bash that gives attackers the ability to run commands and code of their choice on vulnerable systems. QNAP engineers released an update in October that patches systems against the vulnerability, but the discovery of the worm in the wild suggests a statistically significant portion of users have yet to apply it. Infected systems are equipped with a secure shell (SSH) server and a new administrative user, giving the attackers a persistent backdoor to sneak back into the device at any time in the future..."
* http://arstechnica.c...with-nix-in-it/

** https://isc.sans.edu...e Devices/19061
 

:ph34r:  <_<


Edited by AplusWebMaster, 19 December 2014 - 05:33 AM.


#1352 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,570 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 19 December 2014 - 05:50 AM

FYI...

Fake 'BACS payment' SPAM - XLS malware
- http://myonlinesecur...el-xls-malware/
19 Dec 2014 - "'BACS payment Ref:9408YC' coming from random email addresses with a malicious Excel XLS attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

Please see below our payment confirmation for funds into your account on Tuesday re invoice 9408YC
Accounts Assistant
Tel:  01874 430 632
Fax: 01874 254 622


19 December 2014: 9408YC.xls - Current Virus total detections: 0/53* 0/55** 0/53***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1418987287/

** https://www.virustot...sis/1418987903/

*** https://www.virustot...sis/1418987497/

- http://blog.dynamoo....ef901109rw.html
19 Dec 2014
> https://www.virustot...sis/1418994768/
"... UPDATE: A further version of this is doing the rounds with an attachment which also has zero detections at VirusTotal*..."
* https://www.virustot...sis/1418994768/
... Behavioural information
TCP connections
194.146.136.1: https://www.virustot....1/information/
___

Fake ACH SPAM
- http://blog.dynamoo....ction-case.html
19 Dec 2014 - "This -fake- ACH spam leads to malware:
    Date:    19 December 2014 at 16:06
    Subject:    Blocked Transaction. Case No 970332
    The Automated Clearing House transaction (ID: 732021371), recently initiated from your online banking account, was rejected by the other financial institution.
    Canceled ACH transaction
    ACH file Case ID     083520
    Transaction Amount     1458.42 USD
    Sender e-mail     info@victimdomain
    Reason of Termination     See attached statement
  Please open the word file enclosed with this email to get more info about this issue.


In the sample I have seen, the attachment is ACH transfer 1336.doc which despite the name is actually a .DOCX file, which has a VirusTotal dectection rate of 4/54*. Inside are a series of images detailing how to turn off macro security.. which is a very -bad- idea.
1] https://1.bp.blogspo...1600/image3.png

2] https://2.bp.blogspo...1600/image4.png

3] https://1.bp.blogspo...1600/image5.png

4] https://4.bp.blogspo...1600/image6.png

If you enable macros, then this macro... will run which will download a malicious binary from http ://nikolesy .com/tmp/ten.exe, this has a VirusTotal detection rate of 8/51** as is identified as the Dridex banking trojan."
* https://www.virustot...sis/1419014981/

** https://www.virustot...sis/1419015141/
___

Fake 'my-fax' SPAM
- http://blog.dynamoo....ymy-faxcom.html
19 Dec 2014 - "This -fake- fax spam leads to malware:
    From:    Fax [no-replay@ my-fax .com]
    Date:    19 December 2014 at 15:37
    Subject:    Employee Documents - Internal Use
    DOCUMENT NOTIFICATION, Powered by NetDocuments
    DOCUMENT NAME: Fax Documents
    DOCUMENT LINK: http ://crematori .org/myfax/company.html
    Documents are encrypted in transit and store in a secure repository...


... Clicking the link downloads a file fax8127480_924_pdf.zip which in turn contains a malicious executable fax8127480_924.exe which has a VirusTotal detection rate of 3/55*. Most automated analysis tools are inconclusive... but the VT report shows network connections to the following locations:
http ://202.153.35.133:40542/1912uk22//0/51-SP3/0/
http ://202.153.35.133:40542/1912uk22//1/0/0/
http ://natural-anxiety-remedies .com/wp-includes/images/wlw/pack22.pne
Recommended blocklist:
202.153.35.133
natural-anxiety-remedies .com
"
* https://www.virustot...sis/1419003908/

202.153.35.133: https://www.virustot...33/information/
___

Fake 'Target Order Confirmation' - malware SPAM
- http://www.hoax-slay...n-malware.shtml
Dec 19, 2014 - "Order confirmation email purporting to be from Target claims that the company's online store has an order addressed to you... The email is -not- from Target. The link in the message opens a compromised website that contains malware. The Target version is just one in a series of similar malware messages that have falsely claimed to be from well-known stores, including Walmart, Costco and Wallgreens...
> http://www.hoax-slay...n-malware-1.jpg
If you use a non-Windows operating system, you may see a message claiming that the download is not compatible with your computer. If you are using one of the targeted operating systems, the malicious file may start downloading automatically. Alternatively, a message on the website may instruct you to click a link to download the file. Typically, the download will be a .zip file that hides a .exe file inside. Opening the .exe file will install the malware. The malware payload used in these campaigns can vary. But, typically, the malware can steal personal information from your computer and relay it to online scammers. The malware in this version is designed to add your computer to the infamous Asprox Botnet... This email is just one in a continuing series of malware messages that claim to be from various high profile stores, including Costco, Walmart and Wallgreens. Other versions list order or transaction details, but do not name any particular store. Again, links in the messages lead to malware websites. In some cases, the malware is contained in an attached file. If you receive one of these -bogus- emails, do -not- click any links or open any attachments..."
___

Walgreens Order Spam
- http://threattrack.t...eens-order-spam
Dec 19, 2014 - "Subjects Seen:
    Order Status
Typical e-mail details:
    E-shop Walgreens has received an order addressed to you which has to be confirmed by the recipient within 4 days. Upon confirmation you may pick it in any nearest store of Walgreens.
    Detailed order information is provided here.
    Walgreens


Malicious URLs:
    rugby-game .com/search.php?w=ZT5EpruzameN92MeSlvI09DbnfrIhx1yqu3wrootEpM=
Malicious File Name and MD5:
    Walgreens_OrderID-543759.exe (39CEBF3F19AF4C4F17CA5D8EFB940CB6)


Screenshot: https://gs1.wac.edge...U7f51r6pupn.png

Tagged: Walgreens, Kuluoz
___

Ars was briefly hacked yesterday; here’s what we know
If you have an account on Ars Technica, please change your password today..
- http://arstechnica.c...s-what-we-know/
Dec 16 2014 - "At 20:00 CT on December 14, an Internet intruder gained access to one of the Ars Web servers and spent the next hour attempting to get from the Web server to a more central machine. At 20:52, the attempt was successful thanks to information gleaned from a poorly located backup file. The next day, at 14:13, the hacker returned to the central server and replaced the main Ars webpage with a defacement page that streamed a song from the band Dual Core... "All the Things"... by 14:29, our technical team had removed the defaced page and restored normal Ars operations. We spent the afternoon changing all internal passwords and certificates and hardening server security even further. Log files show the hacker's movements through our servers and suggest that he or she had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and passwords. Those passwords, however, are stored in hashed form (using 2,048 iterations of the MD5 algorithm and salted with a random series of characters). Out of an excess of caution, we strongly encourage all Ars readers - especially any who have reused their Ars passwords on other, more sensitive sites - to change their passwords today. We are continuing with a full autopsy of the hack and will provide updates if anything new comes to light..."
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 19 December 2014 - 04:32 PM.


#1353 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,570 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted Yesterday, 07:01 AM

FYI...

Targeted Destructive Malware - Alert (TA14-353A)
- https://www.us-cert....lerts/TA14-353A
Last revised: Dec 20, 2014 - "Systems Affected: Microsoft Windows
Overview: US-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company. This SMB Worm Tool is equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.
SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2*. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host...
Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will over-write portions of up-to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data (There is a caveat for machines installed with the windows 7 operating system: windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, in which the infected MBR then wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.
Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.
... *summary of the C2 IP addresses:
203.131.222.102 Thailand...
217.96.33.164 Poland...
88.53.215.64 Italy...
200.87.126.116 Bolivia...
58.185.154.99 Singapore...
212.31.102.100 Cypress...
208.105.226.235 United States..."
(More detail at the us-cert URL above.)

203.131.222.102: https://www.virustot...02/information/
217.96.33.164: https://www.virustot...64/information/
88.53.215.64: https://www.virustot...64/information/
200.87.126.116: https://www.virustot...16/information/
58.185.154.99: https://www.virustot...99/information/
212.31.102.100: https://www.virustot...00/information/
208.105.226.235: https://www.virustot...35/information/
___

Fake FedEx SPAM – malware
- http://myonlinesecur...ervice-malware/
20 Dec 2014 - "'Postal Notification Service' pretending to come from FedEx with  a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various  Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment...

Screenshot: http://myonlinesecur...ion-Service.jpg

20 December 2014 : notification.zip: Extracts to:  notification_48957348759483759834759834758934798537498.exe
Current Virus total detections: 1/54* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an unknown file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1419076775/

"Package Delivery" Themed Scam Alert
- https://www.us-cert....emed-Scam-Alert
Dec 19, 2014
> http://www.consumer....ered-your-inbox
 

:ph34r:  <_<


Edited by AplusWebMaster, Today, 08:31 AM.


#1354 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,570 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted Today, 11:39 AM

FYI...

Angler EK on 193.109.69.59
- http://blog.dynamoo....1931096959.html
22 Dec 2014 - "193.109.69.59 (Mir Telematiki Ltd, Russia) is hosting what appears to be the Angler Exploit Kit... infection chain... The last step is where the badness happens, hosted on 193.109.69.59 (Mir Telematiki Ltd, Russia) which is also being used to host the following malicious domains:
qwe.holidayspeedsix .biz
qwe.holidayspeedfive .biz
qwe.holidayspeedseven .biz
A quick look at the contents of 193.109.68.0/23 shows some other questionable sites. A look at the sites hosted* in this /23 indicates that most of them appear to be selling counterfeit goods, so -blocking- the entire /23 will probably be no great loss.
Recommended -minimum- blocklist:
193.109.69.59
holidayspeedsix .biz
holidayspeedfive .biz
holidayspeedseven .biz
"
* http://www.dynamoo.c...s/mmuskatov.csv

193.109.69.59: https://www.virustot...59/information/
___

Fake 'Tiket alert' SPAM
- http://blog.dynamoo....ket-really.html
22 Dec 2014 - "Sometimes the spammers don't really try very hard. Like they have to make a quota or something. A "Tiket alert" from the FBI.. or is it FBR? Really?

    From:    FBR service [jon.wo@ fbi .com]
    Date:    22 December 2014 at 18:29
    Subject:    Tiket alert
    Look at the link file for more information.
    http <redacted>
    Assistant Vice President, FBR service
    Management Corporation


I have seen another version of this where the download location is negociomega .com/ticket/fsb.html. Clicking on the link downloads a file ticket8724_pdf.zip which in turn contains a malicious executable ticket8724_pdf.exe. This has a VirusTotal detection rate of 2/54*. Between that VirusTotal analysis and the Anubis analysis we can see that the malware attempts to phone home to:
http ://202.153.35.133 :42463/2212us12//0/51-SP3/0/
http ://202.153.35.133 :42463/2212us12//1/0/0/
http ://moorfuse .com/images/unk12.pne
202.153.35.133 is Excell Media Pvt Ltd, India.
Recommended blocklist:
202.153.35.133
moorfuse .com
mitsuba-kenya .com
negociomega .com
"
* https://www.virustot...sis/1419277515/
... Behavioural information
TCP connections
202.153.35.133: https://www.virustot...33/information/
188.132.231.115: https://www.virustot...15/information/
___

Fake 'Employee Documents' Fax SPAM
- http://blog.mxlab.eu...cious-zip-file/
Dec 19, 2014 - "... intercepted quite a large distribution campaign by email with the subject “Employee Documents – Internal Use”, this email is sent from the spoofed address “Fax <no-replay@ my-fax .com>” and has the following body:
    DOCUMENT NOTIFICATION, Powered by NetDocuments
    DOCUMENT NAME: Fax Documents
    DOCUMENT LINK: ... <redacted>
    Documents are encrypted in transit and store in a secure repository ...


The downloaded file fax8127480_924_pdf.zip contains the 26 kB large file fax8127480_924.exe. The trojan is known as W32/Trojan.HZAT-8029, W32/Trojan3.MYF, Downloader-FSH!FFA9EE754457, Upatre.FH or a variant of Win32/Kryptik.CTMJ... Virus Total*..."
https://www.virustot...a5dcb/analysis/
File name: fax8127480_924.exe
Detection ratio: 26/53
Analysis date: 2014-12-22
... Behavioural information
TCP connections
202.153.35.133: https://www.virustot...33/information/
174.127.104.112: https://www.virustot...12/information/
83.166.234.251: https://www.virustot...51/information/
23.10.252.26: https://www.virustot...26/information/
50.7.247.42: https://www.virustot...42/information/
217.172.180.178: https://www.virustot...78/information/
UDP communications
173.194.71.127: https://www.virustot...27/information/
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, Today, 04:03 PM.



2 user(s) are reading this topic

0 members, 2 guests, 0 anonymous users