
SPAM frauds, fakes, and other MALWARE deliveries...


1429 replies to this topic

#1426 AplusWebMaster

  • Authentic Member
  • 8,765 posts
  • Interests: ... The never-ending battle for Truth, Justice, and the American way.

Posted 26 March 2015 - 08:14 AM

FYI...

Fake 'scanned' results SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Mar 2015 - "'Lou Ann Davis Indus Precision Mfg scanned' pretending to come from user <louann@ indusmfg .com> with a zip attachment is another one from the current bot runs... The email looks like:
    –
     Thank you,
    Lou Ann Davis
    Office Administrator
    Indus Precision Mfg., Inc.
    www .indusmfg .com
    Main: (845)268-0782
    Fax: (845)268-2106


26 March 2015 : Random zip name : Extracts to: scan.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427372574/
___

Fake 'Invoice' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Mar 2015 - "'Yarde Metals Invoice' pretending to come from email.invoice <email.invoice@ yarde .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Thank you for your order.
    Attached is your original invoice. If you would
    like to pay for
    your order with a wire transfer please contact Angela Palmer
    at 860-406-6311 for bank details.
    Friendly reminder:
    Yarde Metals terms
    are 1/2% 10, Net 30. We appreciate your prompt payment.


26 March 2015: random zip name: Extracts to: 221324.exe
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427380401/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
46.160.125.167: https://www.virustot...67/information/
91.194.239.126: https://www.virustot...26/information/
93.123.40.17: https://www.virustot...17/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/
___

BoA 'Over Limit' Spam
- http://threattrack.t...over-limit-spam
Mar 26, 2015 - "Subjects Seen
    Activity Alert: A Check Exceeded Your Requested Alert Limit
Typical e-mail details:
    A check exceeded your requested alert limit
    We’re letting you know a check written from your account went over the limit you set for this alert.
    For more details please check attached file


Malicious File Name and MD5:
    report_77076291400.scr (6B6E3D3FDE233FE75F64B517F2351D97)


___

Steam Codes and Countdowns - 'something for nothing'
- https://blog.malware...and-countdowns/
March 26, 2015 - "... 'something for nothing' makes a reappearance in the land of -gaming- with a twist designed to get would-be winners sending messages to their online friends as fast as they possibly can. The site we’re going to examine is located at: steamcode(dot)org
... which claims they have $20 Steam Codes to give away, as the “We’re the people who give away free $20 Steam Codes!” makes clear on the frontpage. We could have an interesting philosophical debate about when free means free, but we could also just chalk it up as “free, as long as you send some links and fill in a bunch of stuff”. Here’s the nicely designed frontpage:
> https://blog.malware...5/03/stmcd1.jpg
Clicking the button reveals two things – a tantalizing glimpse of half a code, and the reveal that you must share a link with 15 people in 45 minutes or else the code will expire. If you don’t have Under Pressure on your playlist, you might want to go dig it out now:
> https://blog.malware...5/03/stmcd2.jpg
Sites don’t normally place a timer on link sending, because not many people immediately whip out a list of likely candidates to start spamming when confronted with a rapidly diminishing timer. Indeed, start quickfiring identikit messages to all and sundry and you may find more than a few of them either think you’ve been hacked or turned into a spambot for the day. Should the required amount of referrals be reached, the end result is a selection of survey pages for the would-be $20 code recipient... There’s -no- guarantee the full code will be released even with a completed survey – the only person who has anything to lose in this situation is the individual filling in whatever forms are presented, working on the basis that they’re simply hoping the website will hand over a code at the end of the process. Freebie sites offering up items such as vouchers, gift cards and game codes typically resort to surveys at some point in the chain – it’s just how they roll. Displaying a portion of the code and adding in a time sensitive instruction to send URLs to all and sundry focuses on the “So near, yet so far” pressure point, and is a great way to ensure people desperate for free game codes start yelling “How high?” before jumping."


Edited by AplusWebMaster, 26 March 2015 - 10:42 AM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
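Several of the runs quoted above (scan.exe, 221324.exe, report_77076291400.scr, and later in the thread "Payment Confirmation pdf.exe" and 83JHE76328475243920_1a.doc.vbs) rely on the same trick: an executable inside a zip, given a document-style name and icon, that Windows Explorer shows without its real extension when "hide extensions for known file types" is on. The following is an added example, not code from the thread or from the quoted blogs, that screens zip members by name without extracting them and shows what a user with hidden extensions would see. The sample zip and its member names are constructed here; the filenames are taken from the posts, but the files are empty placeholders.

```python
"""Screen e-mail attachments for the disguises described in the posts above:
executables (.exe/.scr/.vbs) inside a zip, named to look like documents,
and double extensions such as "x.doc.vbs". Constructed sample data only."""
import io
import os
import zipfile

# Extensions Windows runs directly on double-click (not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".jse", ".wsf"}
# Document extensions the lures imitate; .doc/.xls may carry macros.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
MACRO_CAPABLE_EXTS = {".doc", ".xls", ".docm", ".xlsm"}


def explorer_display_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped, so 'Payment Confirmation pdf.exe'
    is displayed as 'Payment Confirmation pdf'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename: str) -> dict:
    """Return a verdict (block / review / allow) and reasons for one name."""
    stem, ext = os.path.splitext(filename.lower())
    reasons = []
    if ext in EXECUTABLE_EXTS:
        verdict = "block"
        reasons.append(f"executable type {ext}")
        inner_ext = os.path.splitext(stem)[1]
        if inner_ext in DOCUMENT_EXTS:
            reasons.append(f"double extension masquerading as {inner_ext}")
    elif ext in MACRO_CAPABLE_EXTS:
        # The doc/xls runs in the thread use macros to download the payload.
        verdict = "review"
        reasons.append("macro-capable Office format")
    else:
        verdict = "allow"
    return {"file": filename, "shown_as": explorer_display_name(filename),
            "verdict": verdict, "reasons": reasons}


def screen_zip(zip_bytes: bytes) -> list:
    """List and classify zip members in memory; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [classify_attachment(info.filename)
                for info in zf.infolist() if not info.is_dir()]


def build_sample_zip(names) -> bytes:
    """Constructed sample: a zip of empty files with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf.getvalue()


# Names from the thread (the real attachments are NOT reproduced here).
SAMPLE_NAMES = [
    "scan.exe",
    "Payment Confirmation pdf.exe",
    "83JHE76328475243920_1a.doc.vbs",
    "invoice_285699291.scr",
    "22328_201512.doc",
    "agenda.pdf",  # constructed benign control
]

if __name__ == "__main__":
    for r in screen_zip(build_sample_zip(SAMPLE_NAMES)):
        print(f"{r['verdict']:6} {r['file']!r:36} shown as {r['shown_as']!r}"
              f"  {'; '.join(r['reasons'])}")
```

The point of `explorer_display_name` is to make the user-facing deception visible in the mail gateway report: "83JHE76328475243920_1a.doc.vbs" is presented to the recipient as a .doc, and "Payment Confirmation pdf.exe" as a file with no extension at all. Blocking on the real extension of each zip member, before anything is extracted, removes the dependence on the recipient having changed the Explorer default.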


#1427 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,765 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 27 March 2015 - 04:55 AM

FYI...

Fake ebill Invoice SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 Mar 2015 - "'UK Fuels ebill for ISO Week 201512' pretending to come from invoices@ ebillinvoice .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...Week-201512.png

27 March 2015 : 22328_201512.doc
Current Virus total detections: 3/57* | 2/56** | 2/57*** | 3/57****
... So far I have seen 4 versions of this malware, but previous campaigns over the last few weeks have delivered 2, 3 or even up to 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427446840/

** https://www.virustot...sis/1427447362/

*** https://www.virustot...sis/1427447494/

**** https://www.virustot...sis/1427447285/
___

Fake 'NASA MSBA' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Mar 2015 - "'NASA MSBA 27th, 2015' pretending to come from MSBA <NVDB@ nasa .gov> with a zip attachment is another one from the current bot runs... The email looks like:
    Good Afternoon.
    MSFC has posted the upcoming MSBA 27th event on NAIS and
    Fed Biz Ops (Solicitation No.: SB-85515).
    NAIS Posting:
    Please click on
    Mod. 1 Posting.
    Attached is the MSBA Agenda.
    Please join us for this event!


27 March 2015: Random zip name: Extracts to: MSFC.exe
Current Virus total detections: 4/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427455905/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
UDP communications
23.99.222.162: https://www.virustot...62/information/
___

Fake 'ADP Payroll Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Mar 2015 - "'ADP Payroll Invoice for week ending 03/27/2015' pretending to come from user <run.payroll.invoice@ adp .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Your ADP Payroll invoice for last week is attached for your review. If
    you have any questions regarding this invoice, please contact your ADP
    service team at the number provided on the invoice for assistance.
     Thank you for choosing ADP Payroll.
     Important: Please do not respond to this message. It comes from an
    unattended mailbox.


27 March 2015: random attachment zip name: Extracts to: ADP.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427467488/
___

Fake 'Information Request' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Mar 2015 - "'Information Request' pretending to come from Nicksen Stone <sale20@ thrivigor .com> with a zip attachment is another one from the current bot runs...
     Hello,
     We specialize in designing and manufacturing high quality metal and
    plastic parts suitable for electronic,industrial,agricultural and
    various applications.
    If you need any parts please feel free to send us drawing or sample for
    free quotes. Thank you.
     With Kind Regards,
    Nicksen Stone, Director
     Ningbo Efforteam Machinery Co.,Ltd
    Phone: +86-13777 101 355


27 March 2015: Random attachment zip name: Extracts to: Information.exe
Current Virus total detections: 3/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427472615/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
46.249.3.66: https://www.virustot...66/information/
66.147.244.169: https://www.virustot...69/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/


Edited by AplusWebMaster, 27 March 2015 - 11:06 AM.



#1428 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,765 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 30 March 2015 - 06:36 AM

FYI...

Fake 'Vistaprint Invoice' SPAM - pdf malware
- http://myonlinesecur...ke-pdf-malware/
30 Mar 2015 - "'Vistaprint VAT Invoice' (random number) pretending to come from Vistaprint <VistaPrint-cc@ vistaprint .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...VAT-Invoice.png

30 March 2015: Random Attachment zip name: Extracts to: Invoice_1.exe
Current Virus total detections: 1/56* ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427714331/
___

Fake 'ADP invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Mar 2015 - "'ADP invoice for week ending 30/03/2015' pretending to come from Wilbert.Downs@ adp .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...week-ending.png

30 March 2015: invoice_285699291.zip: Extracts to: invoice_285699291.scr
Current Virus total detections: 5/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427728309/
___

Fake 'PDF SWIFT TT COPY' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Mar 2015 - "'PDF SWIFT TT COPY' pretending to come from soumiya@ ulckuwait .com with a zip attachment is another one from the current bot runs... The email looks like:
    Hello,
    Regarding payments for the outstanding, our accounting department have
    approved immediate payment to your accounts.
    Please attached is the Payment confirmation slip ,Kindly help reply
    urgently to  confirm to us
    Best Regards,
    Kosta Curic
    EVRO – TURS DOO
    Požeška 80, Beograd, Srbija
    Jenneth Setu
    Purchase Manager


30 March 2015: Payment Confirmation pdf.zip: Extracts to: Payment Confirmation pdf.exe
Current Virus total detections: 8/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427732925/
___

Fake 'Quotation' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 Mar 2015 - "'Quotation qzVNVm: (random characters)' pretending to come from Mark Kemsley <mark.kemsley@ energy-solutions .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...3/quotation.png

30 March 2015 : random Attachment zip name: Extracts to: Quotation.exe
Current Virus total detections: 5/50* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427738877/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
141.105.141.87: https://www.virustot...87/information/
79.133.196.204: https://www.virustot...04/information/
UDP communications
23.101.187.68: https://www.virustot...68/information/


Edited by AplusWebMaster, 30 March 2015 - 02:19 PM.



#1429 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,765 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted Yesterday, 06:19 AM

FYI...

Fake 'PO' SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
31 Mar 2015 - "'Your PO: SP14619' pretending to come from Sam S. <sales@ alicorp .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-PO-SP14619.png

31 March 2015 : APIPO1.doc - Current Virus total detections: 3/52* | 5/57**
... at least one of the macros downloads http ://probagep.sandbox.proserver .hu/54/78.exe (Virus Total***)... previous campaigns over the last few weeks have delivered 2 or 3 or even up to 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427789087/

** https://www.virustot...sis/1427789118/

*** https://www.virustot...sis/1427788227/

- http://blog.dynamoo....4619-sam-s.html
31 Mar 2015
... Recommended blocklist:
91.230.60.0/24
185.91.175.0/24
46.101.38.178
87.236.215.103
66.110.179.66
176.108.1.17
202.44.54.5
128.199.203.165
95.163.121.178
"
___

Fake 'Latest Docs' SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
31 Mar 2015 - "'Your Latest Documents from RS Components' coming from random names at random companies from  with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-Components.png

31 March 2015: G-A7835690138927462557376-1.doc - Current Virus total detections: 0/56*
... only seeing 1 version of this malware, but previous campaigns over the last few weeks have delivered 2 or 3 or even 10 or 12 different versions, some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427798514/

- http://blog.dynamoo....our-latest.html
31 Mar 2015
... Recommended blocklist:
188.120.225.17
1.164.114.195
2.194.41.9
46.19.143.151
199.201.121.169
"
___

Fake 'Passport Copy' SPAM - doc or xls malware
- http://myonlinesecur...dsheet-malware/
31 Mar 2015 - "FW: Passport copy pretending to come from salim@ humdsolicitors .co.uk with what is supposed to be a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ssport-copy.png

31 March 2015 : passport.doc ...

- http://blog.dynamoo....sport-copy.html
31 Mar 2015 - "This fake legal spam comes with a malicious attachment. It appears to be a forwarded message from a solicitors office, but it is just a simple forgery... The attachment is named passport.doc. It is exactly the -same- malicious payload as the one used in this spam run earlier today*, and it drops the Dridex banking trojan on the victim's PC."
* http://blog.dynamoo....4619-sam-s.html
___

Fake 'Debit Note' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
31 Mar 2015 - "'Debit Note [random numbers]' information attached to this email coming from random name and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a completely -blank- body...

31 March 2015 : random name .doc - Current Virus total detections: 0/56* | 0/56** | 0/56*** ..."
* https://www.virustot...sis/1427808913/

** https://www.virustot...sis/1427807988/

*** https://www.virustot...sis/1427808948/

- http://blog.dynamoo....note-12345.html
31 Mar 2015 - "This fake financial spam comes with a malicious attachment. There is -no- body text... The executable downloaded is identical to the one used in this spam run* also taking place today. The payload is the Dridex banking trojan."
* http://blog.dynamoo....our-latest.html
___

Fake 'Your returns label' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
31 Mar 2015 - "'CollectPlus :: Your returns label' pretending to come from info <info@ collectplus .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...turns-label.png

31 March 2015 : Random Attachment zip name: Extracts to: Reference.exe
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427800182/
___

World Back Up Day ...
- https://blog.malware...e-safety-first/
Mar 31, 2015 - "If your response to the question “When did you last back up?” is something to do with parking your car, then you should really take note of World Back Up Day*...
* http://www.worldbackupday.com/en/
According to the World Back Up Day statistics:
• 30% of people have never backed up their data.
• 113 phones are stolen / lost every minute (Ouch. You may want to invest in some remote wipe technology too).
• 29% of data deletion disasters are caused by accident..."


Edited by AplusWebMaster, Yesterday, 03:37 PM.



#1430 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,765 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted Today, 04:43 AM

FYI...

Fake 'Tax Refund' SPAM - malware
- http://blog.dynamoo....ion-office.html
1 Apr 2015 - "This fake tax notification spam leads to malware hosted on Cubby.
    From:    Australian Taxation Office [noreply@ ato .gov .au]
    Date:    1 April 2015 at 00:51
    Subject:    Australian Taxation Office - Refund Notification
    IMPORTANT NOTIFICATION
    Australian Taxation Office - 31/03/2015
    After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2307.15 AUD.
    To view/download your tax notification please click here or follow the link below :
    https ://www .ato .gov .au/AZItems.aspx?id=3673&category=Tax+legislation+and+regulations&sorttype=azindexdisplay&Disp=True?NotificationCode=notification_0354003
    Laurence Thayer, Tax Refund Department Australian Taxation Office


The names and the numbers -change- from email to email. Despite the displayed URL in the message, the link actually goes to cubbyusercontent .com (e.g. https ://www .cubbyusercontent .com/pl/RYR5601763.zip/_33cdead4ebfe45179a32ee175b49c399) but these download locations don't last very long as there is a quota on each download. In this case, the downloaded file is RYR5601763.zip which contains a malicious executable RYR5601763.scr which has a VirusTotal detection rate of 20/57*. Automated analysis tools... show that it downloads components from:
ebuyswap .co.uk/mandoc/muz3.rtf
eastmountinc .com/mandoc/muz3.rtf
It then attempts to phone home to:
141.105.141.87:13819/3103us13/HOME/41/7/4/
That IP is allocated to Makiyivka Online Technologies Ltd in Ukraine. In addition, it looks up the IP address of the computer at checkip .dyndns .org. Although this is benign, monitoring for it can be a good indicator of infection. These URL requests are typical of the Upatre downloader. According to the Malwr report it drops another binary jydemnr66.exe with a detection rate of 11/55** plus a benign PDF file entitled "War by remote control" which acts as some sort of cover for the infection process.
Recommended blocklist:
141.105.140.0/22
ebuyswap .co.uk
eastmountinc .com
"
* https://www.virustot...sis/1427874847/

** https://www.virustot...sis/1427876163/
___

Fake 'Delivery Note' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 Apr 2015 - "'CIH Delivery Note 0051037484' pretending to come from Batchuser BATCHUSER <ecommsupport@ cihgroup .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

This email and the information it contains are private, may be confidential and are for the intended recipient only. If you received this email in error please notify the sender immediately, confirm that it has been deleted from your system and that all copies have been destroyed. You should not copy it for any purpose or disclose its contents to any other person.
Internet communications are not secure and therefore CIH does not accept legal responsibility for the contents of this message.
We use reasonable endeavours to virus scan all outgoing emails but no warranty is given that this email and any attachments are virus free. You should undertake your own virus checking. We reserve the right to monitor email communications through our networks.
Combined Independents (Holdings) Ltd is registered in England No 767658 and has its registered offices at
Euro House, Joule Road, Andover, SP10 3GD


1 April 2015 : CIH Delivery Note 0051037484.doc
Current Virus total detections: 0/56* | 0/56** | 0/56*** | 0/56****
So far I have seen 4 versions of this malware... some with word doc attachments and some with Excel xls attachments... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1427875359/

** https://www.virustot...sis/1427875359/

*** https://www.virustot...sis/1427875320/

**** https://www.virustot...sis/1427875511/

- http://blog.dynamoo....-batchuser.html
1 Apr 2015 - "The CIH Group is the name behind the Euronics brand. They are not sending out this spam, instead it is a simple forgery with a malicious attachment...
Recommended blocklist:
91.242.163.70
37.139.47.81
72.167.62.27
212.227.89.182
46.228.193.201
46.101.49.125
198.245.70.182
95.211.184.249
"
___

Fake 'Sales_Order' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 Apr 2015 - "'Sales_Order_6100152' pretending to come from Hazel Gough <hazel.gough@ kosnic .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...der_6100152.png

1 April 2015 : Sales_Order_6100152.doc ... same malware although renamed as today’s CIH Delivery Note 0051037484 – word doc or excel xls spreadsheet malware*... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://myonlinesecur...dsheet-malware/
___

Fake 'Unpaid Invoice' SPAM - vbs malware
- http://myonlinesecur...rs-vbs-malware/
1 Apr 2015 - "'Unpaid Invoice [ID:99846] or This is your Remittance Advice [ID:98943]' (all random ID numbers) coming from -random- email addresses, persons and companies with a zip attachment is another one from the current bot runs... The attachments on these are so tiny at less than 1kb in size, that users will be easily fooled into thinking that they are harmless. The zips contain an encoded vbs script... The email body is totally -blank- ...

1 April 2015: Random Attachment zip name: Extracts to: 83JHE76328475243920_1a.doc.vbs
Current Virus total detections: 0/58* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1427886418/

- http://blog.dynamoo....oice-09876.html
1 Apr 2015 - "... has -no- body text and comes from random senders... It has a ZIP attachment which contains... a malicious VBS script... very similar to the VBA macro used in this spam run yesterday:
> http://blog.dynamoo....our-latest.html
This binary has a detection rate of 4/55*..."
* https://www.virustot...sis/1427886150/
... Behavioural information
TCP connections
188.120.225.17: https://www.virustot...17/information/
UDP communications
191.233.81.105: https://www.virustot...05/information/
___

Xtube Exploit leads to Cryptowall Malware
- https://blog.malware...towall-malware/
31 Mar 2015 - "We wrote about the adult site xtube .com being compromised -redirecting- visitors to a landing page for the Neutrino Exploit kit last week*... The malware that dropped from the exploit was found here** and was called xtube.exe... All user files are encrypted using “RSA-2048″ encryption. In order to pay the -ransom- victims are instructed to visit paytoc4gtpn5cz12.torconnectpay .com. A separate address is also provided over the tor network:
> https://blog.malware...ELP_DECRYPT.png
... 'always good to remember that highly ranked websites (including adult content) are a prime target for hackers due to the traffic they get..."
* https://blog.malware...ia-neutrino-ek/

** https://www.virustot...e1357/analysis/
... Behavioural information
TCP connections
188.165.164.184: https://www.virustot...84/information/
93.185.106.78: https://www.virustot...78/information/

- http://blog.trendmic...ds-for-1q-2015/
April 1, 2015 - "Since the start of 2015, we have spotted several variants of crypto-ransomware plague the threat landscape. In January, the Australia-New Zealand region was beset by variants of TorrentLocker. But we soon discovered that TorrentLocker infections were -not- limited to that region; Turkey, Italy, and France were also affected by this malware. We soon came across an “improved” version of CTB-Locker Ransomware, which now offered a “free decryption” service, an extended deadline to decrypt the files, and an option to change the language of the ransom message. We also saw attacks that combined crypto-ransomware with information-stealing malware. These latest crypto-ransomware variants bring their own tactic to ensure their victims pay the price..."
(More detail at the trendmicro URL above.)


Edited by AplusWebMaster, 34 minutes ago.

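Posts #1429 and #1430 above quote several "Recommended blocklist" entries (single IPs, CIDR ranges such as 141.105.140.0/22, and defanged domains such as "ebuyswap .co.uk"), plus the note that a lookup of checkip .dyndns .org, while benign, is a useful infection indicator for the Upatre downloader. The following is an added example, not code from the thread or from the dynamoo or myonlinesecurity blogs, that turns those quoted entries into a matcher and runs it over constructed connection log lines. The indicators are copied from the posts as written (including their defanging); the key=value log format and the log lines themselves are an assumption constructed for the example.

```python
"""Match connection log lines against the 'Recommended blocklist' entries
quoted in the thread. IoCs are copied from the posts (defanged as written);
the log format and the log lines are constructed for this example."""
import ipaddress
import re

# From posts #1429 / #1430 ('Your PO: SP14619', 'Latest Docs', 'Tax Refund').
BLOCKLIST_RAW = [
    "91.230.60.0/24", "185.91.175.0/24", "46.101.38.178",
    "188.120.225.17", "1.164.114.195",
    "141.105.140.0/22",
    "ebuyswap .co.uk", "eastmountinc .com",
]
# Benign lookup the Upatre write-up calls a good infection indicator.
WATCHLIST_RAW = ["checkip .dyndns .org"]

LOG_RE = re.compile(r"(\w+)=(\S+)")  # assumed key=value log format


def refang(ioc: str) -> str:
    """Undo the 'example .com' spacing used in the posts."""
    return re.sub(r"\s+\.\s*", ".", ioc).strip()


def compile_iocs(raw):
    """Split refanged entries into IP networks (a bare IP becomes a /32)
    and hostnames."""
    nets, hosts = [], set()
    for entry in map(refang, raw):
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.add(entry.lower())
    return nets, hosts


def parse_line(line: str) -> dict:
    return dict(LOG_RE.findall(line))


def match_line(line: str, nets, hosts, watch_hosts) -> list:
    """Return a list of human-readable hits for one log line."""
    rec = parse_line(line)
    hits = []
    dst = rec.get("dst")
    if dst:
        try:
            addr = ipaddress.ip_address(dst)
            hits += [f"dst {dst} in blocklist {net}" for net in nets if addr in net]
        except ValueError:
            pass  # dst field was not an IP address
    host = rec.get("host", "").lower()
    if host in hosts:
        hits.append(f"host {host} in blocklist")
    elif host in watch_hosts:
        hits.append(f"host {host} on watchlist (IP lookup typical of Upatre)")
    return hits


def scan_logs(lines) -> dict:
    """Map 1-based line number -> hits, for lines that matched anything."""
    nets, hosts = compile_iocs(BLOCKLIST_RAW)
    _, watch = compile_iocs(WATCHLIST_RAW)
    return {i: hits for i, line in enumerate(lines, 1)
            if (hits := match_line(line, nets, hosts, watch))}


# Constructed sample log lines (RFC 5737 documentation addresses where the
# destination is not itself an indicator).
SAMPLE_LOGS = [
    "ts=2015-04-01T09:12:03 src=10.0.0.15 dst=141.105.141.87 dport=13819 proto=tcp",
    "ts=2015-04-01T09:12:05 src=10.0.0.15 dst=203.0.113.10 dport=80 host=ebuyswap.co.uk",
    "ts=2015-04-01T09:12:09 src=10.0.0.22 dst=198.51.100.7 dport=80 host=checkip.dyndns.org",
    "ts=2015-04-01T09:13:41 src=10.0.0.22 dst=91.230.60.200 dport=8080 proto=tcp",
    "ts=2015-04-01T09:14:02 src=10.0.0.9 dst=8.8.8.8 dport=53 proto=udp",
]

if __name__ == "__main__":
    for lineno, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {lineno}: " + "; ".join(hits))
```

Using `ipaddress.ip_network` for every entry, with bare addresses becoming /32 networks, means CIDR ranges like 141.105.140.0/22 and single hosts are matched by the same containment test; the phone-home address 141.105.141.87 quoted in the Upatre write-up falls inside that /22 even though it is not listed individually. Keeping the checkip lookup on a separate watchlist rather than the blocklist reflects the post's caveat that the lookup itself is benign and should raise an alert, not be blocked.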
