Fake 'invoice' SPAM - doc malware
28 Jan 2015 - "'Windsor Flowers Invoice 1385' pretending to come from Windsor Flowers Accounts <windsorflowersaccounts@ hotmail .com> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... This email has what appears to be a genuine word doc attached which is malformed and contains a macro script virus... The email looks like:
Dear Accounts payable
Please see attached invoice 1385 for flowers within January 15.
Our bank details can be found at the bottom of the invoice.
If paying via transfer please reference our invoice number.
If you have any queries, please do not hesitate to contact me.
Many thanks in advance
74 Leadenhall Market
Tel: 020 7606 4277...
28 January 23015: Windsor Flowers Invoice 1385 Sheet1.doc (2 different versions)
Current Virus total detections: (76kb) 3/57* | (84 kb) 3/57** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
Fake 'RBS' SPAM - pdf-malware
28 Jan 2015 - "'RBS Morning commentary' pretending to come from RBS .COM <no-replay@ rbs .com> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
Please refer to the details below if you are having problems reading the attached file.
Please do not contact your Treasury Centre for technical issues – these should be routed to RBS FM support.The attached file is in zip format; first you have to unzip it (self-extracting archive, Adobe PDF) and then it can be viewed in Adobe Acrobat Reader 3.0 or above. If you do not have a copy of the software please contact your technical support department...
All the attachment numbers are random but all extract to same -malware- payload.
28 January 2015: attachment3532715.zip: Extracts to: attachment.exe
Current Virus total detections: 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
... Behavioural information
Jan 28, 2015
xHamster involved in large Malvertising campaign ...
Jan 27, 2015 - "... a particular large malvertising campaign in progress from popular adult site xhamster[.]com, a site that boasts half a billion visits a month. In the past two days we have noted a 1500% increase in infections starting from xHamster. Contrary to the majority of drive-by download attacks which use an exploit kit, this one is very simple and yet effective by embedding landing page and exploit within a rogue ad network... The URL linked to is a simplified landing page hosted by what looks like a rogue ad network. The landing simply consists of preparing for a Flash Player exploit... the Flash exploit itself (0 detection on VT*), again hosted on the same ad network. Depending on your version of Flash you may get the recent 0-day:
Upon successful exploitation, a malicious payload (Bedep) VT 2/57**, is downloaded from:
hxxp ://nertafopadertam .com/2/showthread.php
What we see post exploitation is ad fraud as described here***... While malvertising on xHamster is nothing new, this particular campaign is extremely active. Given that this adult site generates a lot of traffic, the number of infections is going to be huge."
Edited by AplusWebMaster, 28 January 2015 - 09:30 AM.