SPAM frauds, fakes, and other MALWARE deliveries...

1448 replies to this topic

#1441 AplusWebMaster


Posted 15 April 2015 - 07:03 AM

FYI...

Fake 'Invoice' SPAM - doc/xls malware
- http://blog.dynamoo....ving-water.html
15 Apr 2015 - "This -fake- invoice does not come from Living Water, but instead is a simple forgery with a malicious attachment.

    From: Natalie [mailto:accounts@living-water.co.uk]
    Sent: Wednesday, April 15, 2015 9:43 AM
    Subject: Invoice from Living Water
    Dear Customer  :
    Your invoice is attached.  Please remit payment at your earliest convenience.
    Thank you for your business - we appreciate it very much.
    Sincerely,
    Living Water
    0203 139 9051


In the sample that I received, the attachment was named Inv_300846161_from_Living_W.doc which has a VirusTotal detection rate of 1/55*. This contains a malicious macro... which downloads a file from the following location:
http ://adlitipcenaze .com/353/654.exe
There are probably other download locations, but they will all have the same payload. This is saved as %TEMP%\rizob1.0.exe and currently has a detection rate of 6/57**. Automated analysis tools... show attempted connections to the following IPs:
89.28.83.228 (StarNet, Moldova)
78.24.218.186 (TheFirst-RU, Russia)
37.140.199.100 (Reg.Ru Hosting, Russia)
According to this Malwr report it drops a Dridex DLL with a detection rate of 4/57***.
Recommended blocklist:
89.28.83.228
78.24.218.186
37.140.199.100

MD5s:
2ecf5e35d681521997e293513144fd80
9932c4a05ca0233f27b0f8404a8dc5bd
68e1e7251314944a4b4815adced70328
* https://www.virustot...sis/1429086775/

** https://www.virustot...sis/1429086792/

*** https://www.virustot...sis/1429088210/


- http://myonlinesecur...dsheet-malware/
15 Apr 2015
> https://www.virustot...sis/1429086260/
___

Fake 'info' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
15 Apr 2015 - "'RE: info' pretending to come from user <michael@ mwrk .co .za> with a zip attachment is another one from the current bot runs...The email looks like:

    Always choose a reliable partner.
    We are those who can offer the best financial proposal to you.
    We can find the best solution to solve your specific problem.
    Details see the attachment.


15 April 2015: New doc(43).zip : Extracts to: partner.exe
Current Virus total detections: 2/57* . This 'RE: info' is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429093267/
... Behavioural information
TCP connections
83.219.139.124: https://www.virustot...24/information/
88.221.15.80: https://www.virustot...80/information/
5.141.22.43: https://www.virustot...43/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/


Edited by AplusWebMaster, 15 April 2015 - 10:02 AM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
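Added example (not from the post above or the blogs it quotes): a Python check for the "spoofed icon" trick described in the 'RE: info' item. It opens a zip attachment and flags members whose name ends in an executable extension, whose name hides an executable behind a decoy extension such as .pdf.exe or .wav.exe, or whose first bytes are a Windows PE header although the extension claims a document. The zip it inspects is built in memory from constructed stand-in contents (a few bytes of 'MZ' header, no real malware); the file names are borrowed from the lures quoted in this thread.

```python
"""Inspect a zipped e-mail attachment for executables posing as documents.

Added example for this thread; the zip contents are constructed stand-ins.
"""
import io
import zipfile

# Extensions Windows will execute when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "cpl", "msi", "jar"}
# Extensions the lures in this thread pretend to be.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "txt", "jpg", "png", "html"}

# Leading bytes of a few well-known formats.
MAGIC = {
    b"MZ": "pe-executable",            # Windows EXE / SCR / PIF / DLL
    b"%PDF": "pdf",
    b"RIFF": "riff (wav/avi)",
    b"\xd0\xcf\x11\xe0": "ole2 (legacy .doc/.xls)",
    b"PK\x03\x04": "zip/ooxml",
}


def sniff(data):
    """Identify a file by its leading bytes, ignoring its name."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def inspect_member(name, data):
    """Return the reasons why this zip member looks like a disguised executable."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = base.split(".")[1:]
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS:
        # With "hide extensions for known file types" on, Explorer shows only ".wav" / ".pdf".
        reasons.append(f"double extension .{exts[-2]}.{last} hides the executable")
    if sniff(data) == "pe-executable" and last not in EXECUTABLE_EXTS:
        reasons.append(f"PE header but extension .{last or '(none)'}")
    return reasons


def inspect_zip(zip_bytes):
    """Map every suspicious member name in the zip to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.read(info.filename)[:16]   # the header is enough to sniff
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample mirroring the lures in this thread (stub bytes, not real malware)."""
    buf = io.BytesIO()
    stub_pe = b"MZ\x90\x00" + b"\x00" * 60
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WAV0004291.wav.exe", stub_pe)      # double extension
        zf.writestr("partner.exe", stub_pe)             # plain executable
        zf.writestr("statement.pdf", stub_pe)           # PE bytes under a .pdf name
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%...")   # genuine-looking PDF
        zf.writestr("E-Ticket 7694892.js", b"var x = 1;")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_zip()).items():
        print(f"{member}: {'; '.join(reasons)}")
```

The name check alone would miss the statement.pdf case, and the magic-byte check alone would miss the .js case, which is why the function applies both.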


#1442 AplusWebMaster


Posted 16 April 2015 - 06:02 AM

FYI...

Fake 'Receipt' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Apr 2015 - "'RECEIPT' pretending to come from Carmen Rodriguez <crodriguez@ hswcorp .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Thank you for your business.
     Carmen Rodriguez
    Administrative Assistant


16 April 2015 : 58173841.doc | Current Virus total detections: 3/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustot...sis/1429173650/
___

Fake ACH SPAM - Malware
- http://blog.dynamoo....tification.html
16 Apr 2015 - "This -fake- ACH spam leads to malware:
    From:    aileen.alberts@ [redacted]
    Date:    16 April 2015 at 15:55
    Subject:    Decisive notification about your Automated Clearing House payment
    The Automated Clearing House transaction transfer, recently initiated from your company's online bank account, has been rejected by the EPA.
    Rejected ACH payment
    Automated Clearing House transfer Case #     L669461617
    Transaction Total     27504.02 US Dollars
    Email     [redacted]
    Reason of Termination     Download full details
    Please visit the link provided at the top to see more information about this problem.


The link in the email goes to a download location at dropbox .com which downloads a malicious Word document Automated_Clearing_House transaction9090.doc which contains this macro... it is rather different from other offerings. From what I can tell, it downloads an encrypted file... from:
sundsvallsrk .nu/tmp/1623782.txt -or-
hpg .se/tmp/1623782.txt
And some sort of executable from Dropbox with a detection rate of 3/57*. Automated analysis tools are inconclusive at the moment... although the Payload Security report[1] does show several dropped files including two malicious scripts... Of note is that one of the scripts downloads what looks like a PNG from:
savepic .su/5540444.png
For now, I would recommend blocking traffic to
sundsvallsrk .nu
hpg .se
savepic .su
"

[1] https://www.hybrid-a...environmentId=2

* https://www.virustot...sis/1429197445/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Fake 'IRS tax refund' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Apr 2015 - "'Payment confirmation for tax refund request # 3098-2344342' pretending to come from Internal Revenue Service <office@ irs .gov> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...und-request.png
"... Payment method : Wire transfer..."

16 April 2015 : confimation_3098-2344342.doc - Current Virus total detections: 0/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429207628/

- http://www.irs.gov/t...pics/tc152.html
"There are -three- options for receiving your federal individual income tax refund:
- The fastest way is by direct deposit (electronic funds transfer) into your checking or savings account, including an individual retirement arrangement (IRA);
- By purchase of U.S. Series I Savings Bonds; or
- By paper check sent to the address listed on your return..."
... 'Wire Transfer' is -not- an option.
___

SCAM lures Facebook Users with “Hot Video”, Drops Trojan
- https://blog.malware...o-drops-trojan/
Apr 16, 2015 - "... as more and more users are creating, sharing, and viewing videos on Facebook now more than ever, we can also expect online criminals to jump in on the bandwagon and attempt to get some of the attention, too... if you see an interesting post on your feed carrying a link to a supposed video that, once visited looks similar to the screenshot below, know that you’re no longer on Facebook but on an imitation page located at http ://storage [dot]googleapis[dot]com/yvideos/video2[dot]html:
> https://blog.malware.../fake-fb-yt.png
The individual or group behind this scam has abused Google’s free online file storage service to house the HTML page that has mimicked Facebook’s interface. This method has been a long-time practice of phishers who use free such services like Dropbox and Google Drive in their campaigns. Once you hit the Play button, an error message appears on top, saying that Flash Player is required to view the video. A file named youtube.scr is downloaded instead:
> https://blog.malware...ke-fb-yt-dl.png
... This file lacks the sophistication to detect virtual environments, so one can easily test it against any free, online sandbox—in this case, I used this one from Payload Security — to see how badly it behaves on a system once executed. Malwarebytes Anti-Malware (MBAM) detects* youtube.scr as Trojan.Ransom.AHK."
* https://www.virustot...sis/1429127928/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Business Support Giveaway - 419 Scam
- https://blog.malware...eaway-419-scam/
Apr 15 - "... we can’t get too excited, because it’s just a fresh run of a 419 scam which has been in circulation in similar forms for about a year or two:
> https://blog.malware...04/unfound1.jpg
... Not the most watertight of scams when your gameplan is effectively “We’re all about solving global problems and saving the world in times of disaster...” Of course, most recipients probably don’t own a bank or a gold-plated yacht and may well throw reason out the window in favour of hitting the -reply- button. As with all mails of this type, the only thing you’re going to get is some identity fraud, financial loss and the possibility of turning yourself into a money mule. It certainly isn’t worth responding to the senders, so feel free to -delete- it and advise any recipients you know to do the same thing. This is one piece of business support you can definitely do without."
 



Edited by AplusWebMaster, 16 April 2015 - 02:39 PM.

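Added example (not from the post above or the blogs it quotes): the Dynamoo items in this thread publish download locations and "recommended blocklist" entries in defanged form ("http ://adlitipcenaze .com/353/654.exe", "savepic .su", "storage [dot]googleapis[dot]com"). The Python below refangs those strings, sorts them into IPs, domains and full URLs, and runs the result over proxy log lines. It deliberately treats an indicator that carries a path (the googleapis page in the Facebook video item) as a URL match only, so that the shared hosting domain is not blocked wholesale. Assumptions: the log lines are constructed here in a squid-style native format and the destination IPs in them are documentation ranges, not observations from the posts.

```python
"""Refang defanged indicators and match them against proxy logs.

Added example for this thread; indicators copied from the posts above,
log lines constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as the posts print them (still defanged).
SAMPLE_INDICATORS = [
    "http ://adlitipcenaze .com/353/654.exe",
    "sundsvallsrk .nu",
    "hpg .se",
    "savepic .su",
    "http ://storage [dot]googleapis[dot]com/yvideos/video2[dot]html",
    "89.28.83.228",
    "78.24.218.186",
    "37.140.199.100",
]

# Constructed squid-style lines; client and destination addresses are made up.
SAMPLE_LOG = """\
1429086775.101    245 10.0.0.15 TCP_MISS/200 1532 GET http://adlitipcenaze.com/353/654.exe - DIRECT/198.51.100.5 application/octet-stream
1429086790.412   1020 10.0.0.15 TCP_MISS/200 412 POST http://89.28.83.228/ - DIRECT/89.28.83.228 text/html
1429086801.003     88 10.0.0.22 TCP_MISS/200 9012 GET http://storage.googleapis.com/yvideos/video2.html - DIRECT/198.51.100.20 text/html
1429086802.555     90 10.0.0.22 TCP_MISS/200 7731 GET http://storage.googleapis.com/other/legit.html - DIRECT/198.51.100.20 text/html
1429086810.771    300 10.0.0.31 TCP_MISS/200 2048 GET http://www.sundsvallsrk.nu/tmp/1623782.txt - DIRECT/203.0.113.7 text/plain
1429086820.000     50 10.0.0.40 TCP_MISS/200 4100 GET http://www.example.com/ - DIRECT/203.0.113.9 text/html
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+\S+/(?P<dst>\S+)"
)


def refang(indicator):
    """Undo the defanging styles used in the quoted posts."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    s = re.sub(r"^(https?)\s*:\s*/\s*/\s*", r"\1://", s, flags=re.I)  # "http ://host"
    s = re.sub(r"\s*\[(?:dot|\.)\]\s*", ".", s, flags=re.I)          # "host[dot]com"
    s = re.sub(r"\s+\.", ".", s)                                      # "host .co .uk"
    s = re.sub(r"\.\s+(?=\S)", ".", s)                                # "ups. com"
    s = re.sub(r"/\s+", "/", s)                                       # "183/ sas/x.exe"
    return s


def build_blocklist(indicators):
    """Split indicators into (ips, domains, urls); a URL with a path never blocks its host."""
    ips, domains, urls = set(), set(), set()
    for raw in indicators:
        s = refang(raw)
        if "://" in s:
            parts = urlsplit(s)
            host = (parts.hostname or "").lower()
            if parts.path not in ("", "/"):
                urls.add(f"{parts.scheme.lower()}://{host}{parts.path}")
                continue
            s = host
        s = s.lower().rstrip("/")
        try:
            ips.add(str(ipaddress.ip_address(s)))
        except ValueError:
            domains.add(s)
    return ips, domains, urls


def host_matches(host, domains):
    """Exact or subdomain match against the domain blocklist."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(lines, blocklist):
    """Return (client, url, reason) for every log line touching a blocklisted indicator."""
    ips, domains, urls = blocklist
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
        dst = m.group("dst")
        if dst in ips or host in ips:
            reason = "blocklisted ip " + (dst if dst in ips else host)
        elif host_matches(host, domains):
            reason = "blocklisted domain " + host
        elif any(url.lower().startswith(u) for u in urls):
            reason = "blocklisted url " + url
        else:
            continue
        hits.append((m.group("client"), url, reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG, build_blocklist(SAMPLE_INDICATORS)):
        print(f"{client} -> {url}: {reason}")
```

Matching on the destination IP as well as the URL host catches the direct-to-IP C2 check-ins the posts describe, which carry no domain at all.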


#1443 AplusWebMaster


Posted 17 April 2015 - 05:42 AM

FYI...

Fake 'Credit Card Statement' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
17 Apr 2015 - "'Credit Card Statement' pretending to come from Julie Mckenzie <julie38@ swift-cut .co .uk> (random numbers after Julie) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...d-Statement.png

17 April 2015 : C Swift Credit Card.doc - Current Virus total detections: 0/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429265218/

- http://blog.dynamoo....e-mckenzie.html
17 Apr 2015
"... Attached is a file C Swift Credit Card.doc which comes in at least -four- different versions, all of which are malicious and all of which have a macro... These macros download a file from one of the following locations:
http ://oolagives .com/24/733.exe
http ://derekthedp .com/24/733.exe
http ://sempersleep .com/24/733.exe
This is saved as %TEMP%\grant8i.exe and has a VirusTotal detection rate of 11/54* (identified clearly as a Dridex component). Automated analysis... shows that it attempts to communicate with:
46.36.219.32 (FastVPS, Estonia)
I recommend that you -block- traffic to that IP address. Furthermore, the Malwr report shows it dropping a malicious DLL with a detection rate of 6/53**."
* https://www.virustot...sis/1429294915/
... Behavioural information
TCP connections
46.36.219.32: https://www.virustot...32/information/
88.221.15.80: https://www.virustot...80/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/

** https://www.virustot...sis/1429295949/
___

Fake 'Conference' SCAM
- http://blog.dynamoo....ays-summit.html
17 Apr 2015 - "This spam email forms part of a Conference Scam*:
* http://www.theatlant...r-visas/280445/

    From:    United Nations Summit [no_replytoold@ live .com]
    Reply-To:    unitednation .unt@gmail .com
    Date:    16 April 2015 at 17:59
    Subject:    Your Invited For A Five Days Summit 5th -9th May, 2015 in London (UK),
    Dear Invitee, Nonprofit/NGO Colleague,
    UN General Assembly invites companies and organizations to participate in this important meeting. UN convening a Four-day Global Summit of Economists, Educationists, Administrators, Manufacturers, International Finance, Corporate Finance, Researchers, Non-Governmental Organizations, Religious Leaders, Community Organizations,lawyer and law firm,individuals from the public and Private Sector from 5th-9th May, 2015 in London (UK) to assess the worst global economic down turn since the Great Depression. The aim is to identify emergency and long-term responses to mitigate the impact of the crisis, especially on vulnerable populations, and initiate a needed dialogue on the transformation of the international financial architecture, taking into account the needs and concerns of all countries of the world. You are invited to take part in the International Conference.
    Registration to this Summit is absolutely "free" and strictly for invited individuals and organizations only. As an invitee, you have received a registration code UN/CODE/66987/2015-UK with the invitation letter, which grants you access to the registration form.
    The United Nations General Assembly will sponsor free travel costs and all-round flight tickets for all participant. Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel...


... Notice that "Invited participants will only be responsible for their hotel accommodation and feeding cost at the Royal Queens Hotel." There is -no- hotel in London with the name "Royal Queens Hotel", but the scammers will magic one up for you to take pre-payment for your hotel... and will then -vanish- with your money. There are some similarly-named hotels in London, for example the Hotel Royal @ Queens, but this is not the same hotel. Be warned though that sometimes scammers do go to the effort of setting up a -fake- hotel website to make the scam more credible.
Avoid."
___

Flash EK strikes again via Google’s DoubleClick
- https://blog.malware...es-doubleclick/
Apr 16, 2015 - "A few days ago, we blogged about a -malvertising- attack on the HuffingtonPost website* via a major ad network which took advantage of a vulnerability in Flash Player... another major attack was also being carried on around the same time, most likely by the same gang. Working with ClarityAd, we quickly confirmed the malicious activity around 04/11 which showed a well-known ad network (merchenta) with direct ties to Google’s DoubleClick being caught in a large malvertising incident. The latest malvertising attack was carried through merchenta, a company that provides a platform for ad exchange and direct integrations with top publishers. They boast 28 -billion- monthly impressions for the US alone and work directly with top tier ad networks such as Google’s DoubleClick. The criminals posed as an advertiser, infiltrated the platform via a third party and managed to house a malicious advert directly on merchenta’s ad platform which was fed into Google’s DoubleClick channels. Within minutes, the booby trapped ad had a 95% reach in USA, Europe & UK exposing a huge number of people worldwide:
> https://blog.malware...4/merchenta.png
Although DoubleClick is 'not directly responsible' for loading the malicious ad, it starts the chain of trust with the publisher, which unfortunately has little control over the subsequent transactions taking place:
> https://blog.malware.../04/newflow.png
... this malicious SWF had -zero- detection on VirusTotal** when it was first submitted... All ad networks have been informed, but the attack did last for a few days most likely infecting a significant number of people. This latest example is yet another reminder of one of the big weaknesses with online advertising. Ad networks rely on third parties and the chain of trust can easily be broken when -one- rogue actor joins in... These crooks essentially pose as working for a fortune 500 company and submit a clean advert. The ad network is very interested because that will be a big customer and so they make sure to accommodate the client as much as they can. The advert still goes through quality assurance and security tests before finally getting ready for prime time. Right before that happens, the rogue advertiser sends a new version of the ad (with only a minor change they claim) and the ad network, not wanting to lose a client, skips the checks that were already done. It turns out that the new version of the ad is malicious and yet has -full- clearance to be displayed via major networks. This is just one of the many tricks rogue advertisers will use to insert themselves in the chain..."
* https://blog.malware...all-ransomware/
Apr 13, 2015

** https://www.virustot...sis/1429069586/
File name: merchenta-flash-malware.swf
Detection ratio: 0/57


Edited by AplusWebMaster, 17 April 2015 - 09:08 PM.



#1444 AplusWebMaster


Posted 20 April 2015 - 05:30 AM

FYI...

Fake 'Pending payment' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
20 Apr 2015 - "'Pending payment' pretending to come from Hector Malvido <handyman1181@ hotmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ing-payment.png

20 April 2015 : filename-1.doc - Current Virus total detections: 2/57* | 3/50**
... So far I have seen 2 versions of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429523984/

** https://www.virustot...sis/1429523284/

- http://blog.dynamoo....or-malvido.html
20 Apr 2015
"...  filename-1.doc (3/57* detection by AV vendors)...
...  %TEMP%\grant8i.exe - VirusTotal detection rate of 5/57**
... Dridex DLL with a 3/57*** detection rate...
Recommended blocklist:
89.28.83.228
MD5s:
673626be5ea81360f526a378355e3431
7ca6884ad8900797c7f0efaaabe0c0da
8c0661aefa9aa25d8fddf2a95297e04e "
* https://www.virustot...sis/1429525562/

** https://www.virustot...sis/1429525576/

*** https://www.virustot...sis/1429526728/
___

Fake 'HSBC credit card' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 Apr 2015 - "'HSBC credit card balance – new credit terms' coming from random names and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:

    Dear client,
    We are pleased to inform you that our bank is ready to offer you a bank
    loan. We would like to ask you to open the Attachment to this letter and
    read the terms.
     HSBC ...


These all have random attachment names. The name of the pretend sender matches the attachment zip name. Some I have seen are:
    mark.zip
    info.zip
    john.shank.zip
These extract to names like monkey.exe, had.exe, blya.exe, fable.exe
20 April 2015: random zip name : Extracts to: random file name
Current Virus total detections: 3/55* | 3/55** | 3/55*** . This 'HSBC credit card balance – new credit terms' is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429531817/

** https://www.virustot...sis/1429531906/

*** https://www.virustot...sis/1429531906/
___

UPS Spam
- http://threattrack.t...231653/ups-spam
Apr 20, 2015 - "Subjects Seen
    Status update for tracking# 25768265
Typical e-mail details:
    Dear customer,
    Unfortunately we were not able to deliver the package sent to you on 29 Nov 2014 because your delivery address does not exist.
    Please download and print out the following shipping invoice and collect your package at the nearest UPS office :
    wwwapps .ups. com/WebTracking/track.aspx?trk=25768265&action=download_pdf_invoice
    Thank you for choosing UPS 


Malicious URLs
    baloomedia .com/wp-content/plugins/cached_data/label_0420.zip
Malicious File Name and MD5:
    label_420.pif (ed9b821c16763450cc8e807528030bc4)


Tagged: UPS, Dyreza

176.126.200.42: https://www.virustot...42/information/
___

Fiesta EK spreads Crypto-Ransomware ...
- http://blog.trendmic...ho-is-affected/
Apr 20 2015 - "... no great surprise to see the Fiesta exploit kit being used to deliver crypto-ransomware. The choice of exploits delivered is broadly in line with other exploit kits. Flash, Internet Explorer, Adobe Reader/Acrobat, and Silverlight are all targeted:
Exploits used by Fiesta:
> https://blog.trendmi...sta-crypto9.png
... after March 19, we noticed a -change- in the malware payloads delivered to victims. Before that date, crypto-ransomware was being delivered to end users. Aside from encrypting the user’s files, this particular variant terminates some running processes (Process Explorer, Task Manager, the Command Prompt, Regedit, and Msconfig) so that it cannot be terminated by the user easily:
Screenshot of crypto-ransomware:
> https://blog.trendmi...sta-crypto2.png
After March 19, Fiesta served up a threat best known from previous years: fake antivirus. Again, it disables some common system tools such as Task Manager, Process Explorer, and Internet Explorer, so that this -fake- antivirus cannot be easily shut down. It’s not clear why the attackers chose to return to this older kind of threat:
Screenshot of fake antivirus:
> https://blog.trendmi...sta-crypto3.png
... Best practices: The first step to -defend- against these attacks is: keep software up-to-date. By removing the vulnerabilities that an exploit kit targets, users can prevent themselves from becoming the next victims of these attacks..."
 



Edited by AplusWebMaster, 20 April 2015 - 12:36 PM.



#1445 AplusWebMaster


Posted 21 April 2015 - 04:51 AM

FYI...

Fake 'E-Ticket' SPAM – javascript malware
- http://myonlinesecur...script-malware/
21 Apr 2015 - "'E-Ticket 7694892' pretending to come from E-Ticket <online@ ticket .com> with a link to a zip attachment is another one from the current bot runs... The email looks like:

    This is your e-ticket receipt.
    SEAT / 30A/ZONE 3
    DATE / TIME 7 MAY, 2014, 09:19 AM
    ARRIVING / Tulsa
    ST / OK
    REF / KE.7818 BAG / 4PC
    TOTAL PRICE / 438.16 USD
    FORM OF PAYMENT / CC
    Download E-Ticket 7694892
    Yours sincerely,
    American Airlines E-Ticket services.


21 April 2015: E-Ticket 7694892.zip: Extracts to: E-Ticket 7694892.js
Current Virus total detections: 9/57* ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429584330/
___

Fake 'invoice' SPAM - malicious doc attachment
- http://blog.dynamoo....ce-i413136.html
21 Apr 2015 - "This spam email does not come from LA Grinding but is instead a simple forgery with a malicious attachment.
    From: Lichelle Ebner [mailto:Lichelle5938@ lagrinding .co .uk]
    Sent: Tuesday, April 21, 2015 9:55 AM
    Subject: LAG invoice I413136
    Dear Accounts Payable,
    Attached is a copy of invoice  I413136 .The items were shipped.  Please feel free to contact me if you have any questions or cannot read the attachment.
   Thank you for your business.
    Sincerely,
    Lichelle Ebner
    L. A. Grinding Company
    Ph. (818) 846-9134
    FAX (818)846-1786


So far I have seen just a single sample with an attachment I413136.doc which has a VirusTotal detection rate of 2/57* and which contains this malicious macro... in turn this downloads a component from:
http ://eternitymobiles .com/25/144.exe
..although there are probably different versions of the macro with different download locations, the binary itself should be the same in all cases. This is saved as %TEMP%\pierre6.exe and it has a detection rate of 5/56**. Automated analysis tools... show that it attempts to communicate with a familiar IP:
89.28.83.228 (StarNet SLR, Moldova)
According to this Malwr report it also drops a malicious Dridex DLL with a detection rate of 3/56***.
Recommended blocklist:
89.28.83.228 ..."
* https://www.virustot...sis/1429609465/

** https://www.virustot...sis/1429609471/

*** https://www.virustot...sis/1429610872/
___

Fake 'Admin Exchange' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 Apr 2015 - "'Administrator – Exchange Email id3405629' pretending to come from Administrator@ no-reply <Administrator@ your domain > with a zip attachment is another one from the current bot runs... The email looks like:

    no-reply,
    This attachment provides you with managing facilities for your mailboxes, public folders, distribution lists, contact and mail service general settings. Please save the attached file to your hard drive before deleting this message.  
    To open the attachment (Exchange_id3405629.zip) please use the following password: Ujh6JZ2mHN
    Thank you,
    Administrator


Note: the address it pretends to come from will be your own email domain and the link in the email will appear to be your own web site or domain.
21 April 2015: Exchange_id3405629.zip: Extracts to: Exchange.exe
Current Virus total detections: 1/54* NOTE: we are also seeing the same malware payload coming in as a -fake- fax, and with the subject of Internal ONLY . This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429610427/
... Behavioural information
UDP communications
23.102.23.44: https://www.virustot...44/information/

- http://threattrack.t...inistrator-spam
Apr 21, 2015
Tagged: Exchange, Dyreza
___

Fake 'new my info' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 Apr 2015 - "'new my info' pretending to come from random names and email addresses with a zip attachment that is named after the alleged sender is another one from the current bot runs... The email looks like:

    Hello! I have found some interesting information that you might need!
    Check out the attached file!
     Bicicletes Nadal Oliver, S.L.
    Passeig Ferrocarril, 61
    07500 Manacor (Mallorca)
    Illes Balears
    Tel.971-843358 ...


21 April 2015: warehouseop02.zip: Extracts to:  Alla.exe
Current Virus total detections: 3/56* . This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429618876/
___

Dridex re-directing to Malicious Dropbox hosted file via Google
- https://isc.sans.edu...l?storyid=19609
2015-04-21 - "... this malware may use Google Analytics to count how many people opened the file, but I haven't confirmed that. Google -redirects- are however used to obscure the destination... Google will show a note that the user was redirected, but the file will download right away. It will not open, and the user will have to open it to enable the Macro to execute (DON'T)... Word document... example I received:
> https://isc.sans.edu... 8_26_43 AM.png
... Virustotal only shows 4 "hits" out of 57* AV tools tested for this binary:
(More detail at the ISC URL above.)
https://www.virustot...sis/1429631351/
File name: ACH transaction0336.doc


Edited by AplusWebMaster, 21 April 2015 - 03:22 PM.

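Added example (not from the post above or the blogs it quotes): the doc/xls items in this thread all hinge on a macro inside the attachment that fetches the real payload, and the AV detection rates quoted are routinely 0-3 out of 57. A cheap mail-gateway check that does not depend on signatures is simply "does this attachment carry a VBA project?". The Python below does that for the two container formats involved: for OOXML (.docm/.docx/.xlsm, a zip) it looks for a vbaProject.bin part, and for legacy OLE2 (.doc/.xls) it does a heuristic scan for the UTF-16LE stream names "Macros" and "_VBA_PROJECT" rather than a full OLE parse (a real triage pipeline would hand the file to a proper OLE/VBA parser). It also flags a file whose name says .doc but whose contents are OOXML with a macro project, since Word opens by content, not by extension. All samples are constructed stand-ins built in memory; the OLE2 blob is only a header plus directory names, not a valid document, and the file names are borrowed from the lures quoted in this thread.

```python
"""Flag e-mailed Office attachments that carry a VBA macro project.

Added example for this thread; all sample files are constructed stand-ins.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# OLE directory entries store stream names as UTF-16LE; a VBA project carries these.
OLE_VBA_MARKERS = [name.encode("utf-16-le")
                   for name in ("Macros", "_VBA_PROJECT", "_VBA_PROJECT_CUR")]
MACRO_FREE_EXTS = {"doc", "xls", "docx", "xlsx"}


def classify(name, data):
    """Return (container, has_macro, notes) for one attachment."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    notes = []
    if data.startswith(ZIP_MAGIC):
        container = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            return "zip-damaged", False, ["zip container would not open"]
        has_macro = any(m.endswith("vbaproject.bin") for m in members)
        if has_macro and ext in MACRO_FREE_EXTS:
            # Word/Excel open by content, so a .doc name does not mean "no macros".
            notes.append(f"macro project inside a file named .{ext} (expected .docm/.xlsm)")
    elif data.startswith(OLE2_MAGIC):
        container = "ole2"
        # Heuristic string scan, not a full OLE parse: good enough to triage, not to prove absence.
        has_macro = any(marker in data for marker in OLE_VBA_MARKERS)
    else:
        container = "other"
        has_macro = False
    if has_macro:
        notes.append("VBA project present in an e-mailed document")
    return container, has_macro, notes


def scan_attachments(attachments):
    """Classify every attachment in a {name: bytes} mapping."""
    return {name: classify(name, data) for name, data in attachments.items()}


def build_samples():
    """Constructed stand-ins (not real malware, not valid Office documents)."""
    def ooxml(parts):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for part, body in parts.items():
                zf.writestr(part, body)
        return buf.getvalue()

    clean = ooxml({"[Content_Types].xml": b"<Types/>",
                   "word/document.xml": b"<w:document/>"})
    with_macro = ooxml({"[Content_Types].xml": b"<Types/>",
                        "word/document.xml": b"<w:document/>",
                        "word/vbaProject.bin": OLE2_MAGIC + b"\x00" * 32})
    # OLE2 header followed by padding and two directory-entry names, nothing else.
    fake_ole = (OLE2_MAGIC + b"\x00" * 504
                + "Macros".encode("utf-16-le") + b"\x00" * 56
                + "_VBA_PROJECT".encode("utf-16-le"))
    plain_ole = OLE2_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
    return {
        "SI19779D.docm": with_macro,     # honest .docm with a macro project
        "58173841.doc": fake_ole,        # legacy .doc carrying VBA streams
        "filename-1.doc": with_macro,    # OOXML + macros behind a .doc name
        "invoice.docx": clean,           # no macro project
        "letter.doc": plain_ole,         # OLE2 without VBA streams
    }


if __name__ == "__main__":
    for fname, (container, has_macro, notes) in scan_attachments(build_samples()).items():
        flag = "MACRO" if has_macro else "ok   "
        print(f"{flag} {fname:16} {container:8} {'; '.join(notes)}")
```

Detection of a macro project is not proof of malice, but in the campaigns quoted here a quarantine-and-review rule on "macro-bearing document from an external sender" would have held every sample regardless of its VirusTotal score.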


#1446 AplusWebMaster


Posted 22 April 2015 - 05:06 AM

FYI...

Fake 'voice message' SPAM – fake wav malware
- http://myonlinesecur...ke-wav-malware/
22 Apr 2015 - "'New voice message in mailbox' pretending to come from Voipfone Voicemail <voicemail@ voipfone .co .uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-in-mailbox.png

22 April 2015: WAV0004291.wav.zip: Extracts to: WAV0004291.wav.exe
Current Virus total detections: 3/52* . This 'New voice message in mailbox' is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper wav (sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429691927/
... Behavioural information
UDP communications
23.101.187.68: https://www.virustot...68/information/
___

Fake 'Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
22 Apr 2015 - "'New Invoice ID:SI19779D' from [random company] pretending to come from [random name] using random names at random email addresses with a link to a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...nwave_email.png

Note: I received this as a bounced return to thespykiller. I can categorically state that it was never sent from thespykiller domain. The bad guys -spoof- email addresses to pretend to send from all the time. 99.9% of the time the alleged sending domain has -never- been hacked and they just pretend to send from that domain. I have since received several different versions from loads of random companies. The invoice number is also random in all cases.
22 April 2015 : SI19779D.docm - Current Virus total detections: 0/55*
So far I am only seeing 1 version of this malware... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429707780/
___

HSBC Payment Advice Spam
- http://threattrack.t...ent-advice-spam
Apr 22, 2015 - "Subjects Seen:
    Payment Advice - Advice Ref:[GB007112] / CHAPS credits
Typical e-mail details:
    Sir/Madam,
    Please download document from server, payment advice is issued at the request of our customer. The advice is for your reference only.
    Download link:
    bilbaopisos .es/HSBC_BANK-DATA/new_secure.html
    Yours faithfully,
    Global Payments and Cash Management
    HSBC


Malicious URLs
    bilbaopisos .es/HSBC_BANK-DATA/new_secure.html
Malicious File Name and MD5:
    new_secure_payment.exe (c290126e419ff58678c3e490d89d7343)


Screenshot: https://41.media.tum...1r6pupn_500.png

Tagged: HSBC, Upatre

bilbaopisos .es: 216.119.143.194: https://www.virustot...94/information/

- http://blog.mxlab.eu...ous-javascript/
Apr 23, 2015
wadv.com .br: 54.191.242.215: https://www.virustot...15/information/

> https://www.virustot...9ac0b/analysis/
___

Fake 'New document' SPAM - malware
- http://blog.dynamoo....ument-with.html
22 Apr 2015 - "I have only seen one sample of this -spam- so far, it is likely that other variants use different company names:
    From:    Tamika Cortez
    Date:    22 April 2015 at 14:33
    Subject:    New document with ID:G27427P from RESTAURANT GROUP PLC was generated
    New report with ID:G27427P was generated by our system. Please follow the link below to get your report.
    Download report ID:G27427P
    Best regards ,Tamika Cortez
    RESTAURANT GROUP PLC


In this case, the link in the email goes to: http ://igruv.tourstogo .us/oalroshimt/fokreeshoo/thovoaksij?arg1=victim@victimdomain.com&arg2=G27427P.vbs&arg3=RESTAURANT%20GROUP%20PLC
..which includes the -victim's- email address in the URL. In turn, this -redirects- to:
http ://igruv.tourstogo .us/oalroshimt/fokreeshoo/thovoaksij/files/G27427P.vbs  
As the name suggests, this is a VBScript (VT 1/56*), in this case it is lightly obfuscated... and it initiates a download from:
http ://185.91.175.183/ sas/evzxce.exe
..which is saved as %TEMP%\jhvwrvcf.exe. The download location is 176.31.28.226 (OVH, France). This file has a VirusTotal detection rate of 6/57**. Automated analysis tools... show network connections to the following IPs:
144.76.73.3 (Hetzner, Germany)
5.44.216.44 (Camelhost SIA, Latvia)
62.210.214.249 (Iliad Entreprises / Poney Telecom, France)
89.184.66.18 (Invest Ltd, Ukraine)
...  it drops a Dridex DLL with a detection rate of 3/57***.
Recommended blocklist:
176.31.28.226
144.76.73.3
5.44.216.44
62.210.214.249
89.184.66.18
..."
* https://www.virustot...sis/1429710473/

** https://www.virustot...sis/1429710529/

*** https://www.virustot...sis/1429711770/
___

IRS Spam
- http://threattrack.t...679123/irs-spam
Apr 21, 2015 - "Subjects Seen
    Your FED TAX payment (ID:X3ZIRS507273813) was Rejected
Typical e-mail details:
    *** PLEASE DO NOT RESPOND TO THIS EMAIL ***
    Your federal Tax payment (ID: X3ZIRS507273813), recently sent from your  checking account was returned by the your financial institution.
    For more information, please download attached notification. (Security Adobe PDF file)
    Transaction Number: X3ZIRS507273813}
    Payment Amount: $ 5478.41
    Transaction status: Rejected                                                  
    ACH Trace Number: 8888888888                
    Transaction Type: ACH Debit Payment-DDA       
    Internal Revenue Service
    Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.


Malicious File Name and MD5:
    FEDERAL_tax_notify.exe (344afdc58ad6d110f1b3f8dbdbb86576)


Screenshot: https://40.media.tum...1r6pupn_500.png

Tagged: IRS, Ruckgov
 



Edited by AplusWebMaster, 23 April 2015 - 05:01 AM.

This machine has no brain.
......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1447 AplusWebMaster
Posted 23 April 2015 - 04:21 AM

FYI...

Fake 'Refund on Order' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
23 Apr 2015 - "'Refund on order 204-2374256-3787503' pretending to come from Amazon .co.uk <payments-messages@ amazon .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment  is another one from the current bot runs...

Screenshot: http://myonlinesecur...256-3787503.png

23 April 2015 : 204-2374256-3787503-credit-note.doc - Current Virus total detections: 4/54*
... the malicious macro inside this example downloads myshland .com/42/335.exe which is saved and run as %Temp%\pierre5.exe (Virus Total**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429773545/

** https://www.virustot...sis/1429775442/

- http://blog.dynamoo....-order-204.html
23 Apr 2015
... Recommended blocklist:
185.12.95.191
87.236.215.151
94.23.171.198
185.35.77.250
149.154.64.70
..."
___

Fake 'Annual report' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 Apr 2015 - "'Annual report' pretending to come from olivia <olivia@ cdc .co.uk> with a zip attachment is another one from the current bot runs...The email looks like:
    Hi,
    Annual report sent to you, maybe yours.
    CDC Consulting
    Algyr le parc
    119 BL de la Bataille de Stalingrad
    69100 Villeurbanne


23 April 2015: Annual report.zip: Extracts to: Luk22.exe
Current Virus total detections: 4/56*. This Annual report is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429792521/
... Behavioural information
TCP connections
23.253.254.67: https://www.virustot...67/information/
81.7.109.65: https://www.virustot...65/information/
95.80.123.41: https://www.virustot...41/information/
88.221.15.80: https://www.virustot...80/information/
UDP communications
23.102.23.44: https://www.virustot...44/information/

- http://threattrack.t...ual-report-spam
Apr 23, 2015
Tagged: Annual Report, Upatre, Dyreza
___

eFax Spam
- http://threattrack.t...79183/efax-spam
Apr 23, 2015 - "Subjects Seen:
    You have a new eFax from 977-374-7446 - 4 pages
Typical e-mail details:
    eFax Message [Caller-ID: 977-374-7446]
    You have received a 3 pages fax on Thu, 23 Apr 2015 08:20:40 -0600 .
    You can view your eFax online, in PDF format, by visiting :
    efax .com/documents/view_fax.aspx?utm_source=eFax&fax_type=doc&caller_id=977-374-7446
    * This fax’s reference # is 50184025


Malicious URLs
    91.194.254.239/fax_33663232.pdf.zip
Malicious File Name and MD5:
    pdf_fax_33663232.pif (fe6e9444534f34f735fa94eb7c526207)


Screenshot: https://36.media.tum...1r6pupn_500.png

91.194.254.239: https://www.virustot...39/information/

Tagged: eFax, Dyreza
 



Edited by AplusWebMaster, 23 April 2015 - 12:50 PM.



#1448 AplusWebMaster
Posted 24 April 2015 - 04:40 AM

FYI...

Fake 'Invoice' SPAM - malicious PDF attachment
- http://myonlinesecur...ox-pdf-malware/
24 Apr 2015 - "'Invoice 519658' pretending to come from Colin Fox <colin@nofss .co .uk> with a PDF attachment is another one from the current bot runs... This email contains a genuine PDF which has embedded -scripts- that will infect you. So far none of the automatic analysis tools can find any malicious content but it is trying to send multicast messages... This evil PDF, when opened in Adobe Reader, drops a Word document containing macros, so DO NOT SAVE OR OPEN THIS PDF FILE: Just -delete- the email and any attachment as soon as it appears in your inbox. There appear to be several different versions of the PDF malware dropper, although all are named the same and every copy that I have seen is the same file size (23kb). The malicious macro inside the dropped Word document (VirusTotal*) from one of the malicious PDFs downloads and executes -> http ://bepminhchi .com/83/61.exe (VirusTotal**)... Adobe Reader in recent versions has 'Protected view' automatically -enabled- and unless you press the button to enable all features, you will be safe from this attack...
> http://myonlinesecur...tected-view.png
If you do enable all features, then you have a second chance to protect yourself, by pressing either cancel or never allow opening files of this type on the pop up warning. Pressing allow WILL almost certainly automatically open the Word doc and run the malicious macro, so infecting you. Make sure Adobe Reader (or any other PDF reader software) is updated to the -latest- version to protect you. Older versions are vulnerable to these attacks. If using Adobe make sure you -uncheck- any additional offerings of security scans/Google Chrome or toolbars that it wants to include in the download:
> http://myonlinesecur...015/04/doc4.png

Screenshot: http://myonlinesecur...oice-519658.png

24 April 2015: Sales Invoice 519658.pdf - Current Virus total detections: 2/57***
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429860267/

** https://www.virustot...sis/1429860321/
... Behavioural information
TCP connections
185.12.95.191: https://www.virustot...91/information/
88.221.14.249: https://www.virustot...49/information/
UDP communications
104.41.150.68: https://www.virustot...68/information/

*** https://www.virustot...sis/1429858901/

bepminhchi .com: 115.146.126.39: https://www.virustot...39/information/

- http://blog.dynamoo....nnofsscouk.html
24 Apr 2015
... Recommended blocklist:
185.12.95.191
149.154.64.70
78.24.218.186
89.28.83.228
"
___

Fake 'Western Order' SPAM - malicious attachment
- http://blog.dynamoo....well-nigel.html
24 Apr 2015 - "The spam email is not from SSE Contracting, but is instead a simple forgery with a malicious attachment:

Screenshot: https://4.bp.blogspo...-enterprise.png

So far I have only seen one sample Western Order.doc [VT 4/57*] which contains a malicious macro... which is functionally identical to the one used in this spam run** which was also happening this morning."
* https://www.virustot...sis/1429871852/

** http://blog.dynamoo....nnofsscouk.html

- http://myonlinesecur...dsheet-malware/
24 Apr 2015
Screenshot: http://myonlinesecur...stern-Order.png
"... same dridex malware that was dropped by today’s earlier malware run 'Invoice 519658 Colin Fox' – PDF malware*..."
* http://myonlinesecur...ox-pdf-malware/
___

Fake 'invoice for car repairs' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
24 Apr 2015 - "'invoice for car #' random numbers coming from random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
    hi,
    The invoice for car repairs.
     Gruss, Claus
     Claus Leykauf
    Galgengasse 14
    91257 Pegnitz
    Germany
    tel.: +49 (0) 9241 724785
    fax: +49 (0) 9241 724786
    mobile: +49 (0) 172 8801123 ...


24 April 2015: ed0j5av43xs04bk #19641661.zip: Extracts to: car-repairs.exe
Current Virus total detections: 0/58*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1429872340/
___

Fake 'You win green card' – malware attachment
- http://myonlinesecur...n-card-malware/
24 Apr 2015 - "'You win green card' pretending to come from USA Green > <random email addresses> with a zip attachment is another one from the current bot runs... The email looks like:

    Your requested report is attached here. USA.

24 April 2015: green_card_usa_483273289748923749823798.zip: Extracts to:   green_card_usa_483273289748923749823798.exe
Current Virus total detections: 5/56* ... This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1429873777/
___

Fileless Malware ...
- http://blog.trendmic...ed-in-the-wild/
Updated April 22, 2015 - "... It’s no longer enough for malware to rely on dropping copies of themselves to a location specified in the malware code and using persistence tactics like setting up an autostart feature to ensure that they continue to run. Security file scanners can easily block and detect these threats. A tactic we have spotted would be using fileless malware. Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed on the target computer’s hard drive. POWELIKS* is an example of fileless malware that is able to hide its malicious code in the Windows Registry. These use a conventional malware file to add the entries with its malicious code in the registry... Another example of fileless malware is “Phasebot,” which we found being peddled in websites that sell malware and other malicious online tools by the supposed malware creator. We detect Phasebot as TROJ_PHASE.A. Phasebot contains -both- rootkit and fileless execution capabilities. We noticed that this malware had the same features as Solarbot**, an old bot that was first seen in the wild around late 2013. This is made more evident when we compared the sites that sold the two malware(s)... Compared to Solarbot, Phasebot places a distinct emphasis on stealth and evasion mechanisms. It -encrypts- its communications to its C&C server by using random passwords each time it connects to the server. The malware was designed to check if the following programs are installed in the affected system:
.NET Framework Version 3.5
Windows PowerShell
... Both of these programs are integrated into current versions of Windows. After verifying that the affected system has these programs, Phasebot creates the following registry key where the encrypted shell code will be written:
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{Bot GUID}
... Using Windows PowerShell can also be seen as strategic because this tool is included in the initial installation packages of Windows OS versions 7 and higher. And since more users have computers that run on Windows 7 and higher, cybercriminals have a bigger net of potential victims. (And not coincidentally, the targeted .NET framework version 3.5 is also found in Windows 7 and higher)... It’s highly possible that they will not limit themselves to simply using the Windows registry to hide their malware... The emergence of fileless malware can be a serious threat to users who are not familiar with this type of infection. Users are often advised to look for suspicious files or folders, but -not- in places like the Windows registry, which is used for fileless infection... Because fileless malware are hard to detect, they’re also difficult to remove. Much like rootkits, the location of the malware makes detection and deletion more difficult than the typical malware infection..."
* https://www.trendmic...TROJ_POWELIKS.A

** http://www.infosecur...jans-share-dna/
 



Edited by AplusWebMaster, 24 April 2015 - 01:44 PM.

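A defender-side check for the registry location the Trend Micro excerpt above names, added here as an example and not code from the forum post or from Trend Micro's write-up: it parses a `reg export` text dump of HKCU\Software\Microsoft\Active Setup\Installed Components and flags subkeys that hold a binary blob or an encoded/hidden PowerShell launch, the two storage patterns the passage describes. The sample dump, its GUID and every value in it are constructed placeholders, and the two heuristics (a normal per-user Active Setup entry holds only a Version string) are this example's own assumptions.

```python
"""Scan a `reg export` text dump for Active Setup entries that look like
registry-resident payload storage (the Phasebot pattern described above).

Added example, not code from the forum post or from Trend Micro: the .reg
text, the GUID and every value in it are constructed placeholders, and the
heuristics are this example's own assumptions about what a normal per-user
Active Setup entry contains (a Version string, not blobs or launches)."""
import re

ACTIVE_SETUP = r"software\microsoft\active setup\installed components"

# Constructed sample export: one ordinary per-user entry, one entry shaped
# like registry-resident storage (encoded PowerShell launch + binary blob).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"Version"="31,0,0,0"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{CONSTRUCTED-BOT-GUID-0000}]
"Version"="1,0,0,0"
"StubPath"="powershell.exe -NoP -W Hidden -Enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="
"Payload"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,\
  00,00,00,00,40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"""

# PowerShell launched with an encoded command or a hidden window.
ENCODED_PS = re.compile(
    r"powershell(\.exe)?\b.*?(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE)


def parse_reg_export(text):
    """Parse the .reg subset needed here: [key] headers, "name"=value lines,
    and values continued over several lines with a trailing backslash.
    Returns {key_path: {value_name: raw_value_text}}."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if not buf and line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        buf += line
        if buf.endswith("\\"):          # value continues on the next line
            buf = buf[:-1]
            continue
        name, _, value = buf.partition("=")
        if current is not None:
            keys[current][name.strip('"')] = value
        buf = ""
    return keys


def assess_active_setup(keys):
    """Return (key, value_name, reason) findings for Active Setup entries
    that hold a binary blob or an encoded/hidden PowerShell launch."""
    findings = []
    for key, values in keys.items():
        if ACTIVE_SETUP not in key.lower():
            continue
        for name, value in values.items():
            if value.lower().startswith("hex"):     # hex: / hex(2): etc.
                size = len(value.partition(":")[2].split(","))
                findings.append((key, name, f"binary blob of {size} bytes"))
            elif ENCODED_PS.search(value):
                findings.append((key, name, "encoded/hidden PowerShell launch"))
    return findings


if __name__ == "__main__":
    for key, name, reason in assess_active_setup(parse_reg_export(SAMPLE_REG)):
        print(f"{reason}: {key}\\{name}")
```

On a live host the same functions run over the output of `reg export "HKCU\Software\Microsoft\Active Setup\Installed Components" dump.reg`; the ordinary entry is not reported, only the constructed bot GUID's StubPath and Payload values.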


#1449 AplusWebMaster
Posted Today, 05:00 AM

FYI...

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo....om-invoice.html
27 Apr 2015 - "This fake invoice email does -not- come from Booking .com but is a simple forgery with a malicious attachment.
    From:    invoice@ booking .com
    Date:    27 April 2015 at 08:55
    Subject:    [1138593] Booking.com Invoice 01/03/2015 - 31/03/2015
    Dear customer,
    Herewith you receive the electronic invoice regarding the commissions for the period from 01/03/2015 to 31/03/2015.
    If you have any questions, please contact our Credit Control Department at telephone number
    +44 (0)208 612 8210 (e-mail:  ).
    Thank you for working with Booking .com.


The only sample I have seen of this is badly mangled and required some work to extract and decode the attachment invoice-1501383360.doc which has a VirusTotal detection rate of 3/57*. This contains a malicious macro... which downloads a component from the following location:
http ://voipconcerns .com/62/927.exe
There are probably other slightly different versions of the Word document that download from different locations, however the binary will be the same. This malicious executable is saved as %TEMP%\zigma2.5.exe and has a VirusTotal detection rate of 2/57**. Automated analysis tools... show an attempted network connection to:
185.12.95.191 (RuWeb CJSC, Russia)
According to the Malwr report it also drops a malicious Dridex DLL with a detection rate of 4/57***..."
* https://www.virustot...sis/1430122282/

** https://www.virustot...sis/1430122455/

*** https://www.virustot...sis/1430123480/

185.12.95.191: https://www.virustot...91/information/

voipconcerns .com: 174.37.237.228: https://www.virustot...28/information/

- http://myonlinesecur...dsheet-malware/
27 April 2015 - "invoice-1501383360.doc - Current Virus total detections: 3/56*
... which connects to and downloads tom-lebaric .com/62/927.exe which is saved as %Temp%\zigma2.4.exe and automatically run (VirusTotal*)..."
* https://www.virustot...sis/1430121196/

tom-lebaric .com: 176.223.208.22: https://www.virustot...22/information/
___

Fake 'Hello' SPAM - malware attached
- http://myonlinesecur...ke-pdf-malware/
27 Apr 2015 - "An email saying 'Hello! Can you please check the Attachment that I have sent? I need your help' with the subject of 'HI your name@ your domain' coming from random email addresses with a zip attachment is another one from the current bot runs...The email looks like:

    Hello! Can you please check the Attachment that I have sent? I need your help.
    Thanks
    Rob Robichaud
    Hub City Auto Paints and Supplies Ltd.
    A Division of Autochoice Parts & Paints
    CSR
    153 Loftus St
    Moncton, NB ...


Each email has a randomly named attachment that is named after your email address. All extract to differently named files with different #
27 April 2015: derek- #52256657.zip: Extracts to: LOG.exe
Current Virus total detections: 2/57*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430135783/
... Behavioural information
TCP connections
176.106.122.31: https://www.virustot...31/information/
88.221.15.80: https://www.virustot...80/information/
UDP communications
191.233.81.105: https://www.virustot...05/information/
___

Fake 'Your account #513457796162 has been blocked' SPAM – malware attachment
- http://myonlinesecur...locked-malware/
27 April 2015 - "'Your account #513457796162 has been blocked' pretending to come from Pauletta Stile with a zip attachment is another one from the current bot runs... The email looks like:

    Your account #513457796162 was blocked for violation of our TOS.
    Please see attached.
    Pauletta Stile
    Langenbacherstr. 25 57586 Weitefeld
    GERMANY
    +49 2743 80 70
    Weitefeld
    +49 2743 00 03 56


I have only received 1 copy of this malware so far. The last time a similar one was spammed out, we saw them coming from random email addresses with random subject numbers and attachment numbers.
27 April 2015: 513457796162.zip: Extracts to: 513457796162.scr
Current Virus total detections: 1/31*. This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like an Excel spreadsheet instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1430140877/
... Behavioural information
UDP communications
23.102.23.44: https://www.virustot...44/information/
___

Fake 'Invoice 215042210' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 Apr 2015 - "'Invoice 215042210 from FRONT RANGE WHOLESALE RESTAURANT SUPPLIES INC.' pretending to come from “FRONT RANGE WHOLESALE RESTAURANT SUPPLIES INC.” <replyTo@ quickbooks .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:

    Dear Customer :
    Your invoice is attached. Please remit payment at your earliest
    convenience.
    Thank you for your business – we appreciate it very much.
    Sincerely,
    FRONT RANGE WHOLESALE RESTAURANT SUPPLIES INC.


27 April 2015 : Inv_215042210_from_FRONT_RANGE_WHOLESALE_RESTAURANT_SUPPLIES_INC._5316.doc
Current Virus total detections: 2/57* which connects to and downloads 91.194.254.240 /us274/file.exe which in turn is saved as %Temp%\rramcgaq.exe and automatically runs... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1430143720/

91.194.254.240: https://www.virustot...40/information/
 



Edited by AplusWebMaster, 52 minutes ago.



