Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93098 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

SPAM frauds, fakes, and other MALWARE deliveries...


  • Please log in to reply
2072 replies to this topic

#1501 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 14 July 2015 - 02:50 PM

FYI...

IE 0-day added to mix...
- http://blog.trendmic...y-added-to-mix/
July 14, 2015 - "... -another- vulnerability that could take over user systems has been found. Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065*. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability..."
* https://technet.micr...curity/MS15-065
July 14, 2015

> https://support.micr...n-us/kb/3065822
Last Review: 07/14/2015 - Rev: 1.0
Applies to:
    Internet Explorer 11
    Internet Explorer 10
    Windows Internet Explorer 9
    Windows Internet Explorer 8
    Windows Internet Explorer 7
    Microsoft Internet Explorer 6.0

> https://web.nvd.nist...d=CVE-2015-2425
Last revised: 07/14/2015
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 15 July 2015 - 05:49 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

    Advertisements

Register to Remove


#1502 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 16 July 2015 - 07:58 AM

FYI...

Fake 'Perfect job' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 July 2015 - "An email with subjects like 'Perfect achievement !  / Perfect job !  / Great work !' coming from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Congratulations ! You will take a 30% rake-off for the latest selling. Please overlook the attached documents to know the entire sum you’ve received.
    Every day you demonstrate that you are the superior strength of our crew in the market. I am elate and appreciative to get such a capable and experienced subordinate. Keep up the good achievements.
    With the best regards.
    Michelle Silva General manager

-Or-
    Congratulations ! You will receive a 30% commission for the previous disposition. Please check out the enclosed documents to find out the whole amount you’ve won.
    Everyday you prove that you are the major force of our crew in the trading. I am sublime and appreciative to get such a capable and skilled workman. Continue the great job.
    All the best.
    Kathryn Brooks Company management

-Or-
    Congratulations ! You will win a 40% commission for the latest realization. Please overlook the next documentation to get to know the whole amount you’ve won.
    Everyday you demonstrate that you are the major strength of our team in the world of trade. I am sublime and appreciative to have such a capable and proficient subordinate. Proceed the good achievements.
    All the best.
    Sharon Silva General manager

-Or-
    Congratulations ! You will gain a 45% rake-off for the last disposal. Please overlook the following documentation to know the whole amount you’ve won.
    Everyday you convince that you are the best power of our team in the market. I am sublime and beholden to have such a clever and able sub. Continue the perfect job.
    With best wishes.
    Kathryn Pearson General manager


And others with similar wording... If you are unwise enough to try to open the word doc, you will see this message:
> http://myonlinesecur...osition_doc.png
Do -not- follow their suggestions to enable editing  or content, otherwise you will be infected...

25 February 2015: total_sum_from_latest_disposition.doc - Current Virus total detections: 4/55*
... This tries to connect to 2 web sites:
thereis.staging.nodeproduction .com/wp-content/uploads/78672738612836.txt
... which downloads an encrypted text file... and to
www.buildingwalls .co.za/wp-content/themes/corporate-10/papa.txt which gives the web address of http ://midwestlabradoodles .com/wp-content/themes/twentyeleven/qwop.exe. This file is an Upatre downloader for the typical Dyre banking malware (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1437049226/

** https://www.virustot...sis/1437046046/
... Behavioural information
TCP connections
64.182.208.183: https://www.virustot...83/information/
93.185.4.90: https://www.virustot...90/information/
176.36.251.208: https://www.virustot...08/information/
88.221.14.249: https://www.virustot...49/information/

nodeproduction .com: 72.10.52.104: https://www.virustot...04/information/

buildingwalls .co.za: 196.220.41.72: https://www.virustot...72/information/

midwestlabradoodles .com: 72.167.131.160: https://www.virustot...60/information/

- http://blog.dynamoo....t-job-good.html
16 July 2015
"... Recommended blocklist:
93.185.4.90
thereis.staging.nodeproduction .com
www.buildingwalls .co.za
midwestlabradoodles .com
"
___

Fake 'About your suggestions' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
16 July 2016 - "'About your suggestions' pretending to come from emaillambflan <emaillambflan@ totalnetwork .it> with a zip attachment is another one from the current bot runs... The email looks like:
    We chatted few hours ago. We have thought about your programs how to perfect our work and financial profit. Your suggestions seem extremely inspiring and we undoubtedly want such a genius like you. We consider your plans are feasible and would like to implement them. Attached are our progression charts and processes directory. Please look through them and if you will have some questions ask about it. Also make a succinct plan thus we will confer about the elements of every step./r/n We are waiting for your reply soon !

16 July 2015: figures_and_guide.zip: Extracts to: figures_and_directory.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1437056410/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
93.185.4.90: https://www.virustot...90/information/
109.86.226.85: https://www.virustot...85/information/
23.14.92.65: https://www.virustot...65/information/
___

Sales Commission Spam
- http://threattrack.t...commission-spam
July 16, 2015 - "Subjects Seen
    Good achievement !
Typical e-mail details:
    Congratulations ! You will win a 43% commission for the last sale. Please see the next documents to get to know the whole sum you’ve obtained.
    Daily you prove that you are the best power of our team in the world of commerce. I am proud and grateful to get such a gifted and experienced worker. Go on the excelent job.
    With best wishes.
    Kathryn Brooks Director


Screenshot: https://41.media.tum...1r6pupn_500.png

Malicious File Name and MD5:
    amount_from_last_realization.scr (1e314705c1f154d7b848fcc20bfcd5e8)


Tagged: Sales Commission, Upatre
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 16 July 2015 - 12:39 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1503 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 17 July 2015 - 07:23 AM

FYI...

Fake 'eFax' SPAM - leads to malware
- http://blog.dynamoo....om-unknown.html
17 July 2015 - "This -fake- fax spam leads to malware:

Screenshot: https://2.bp.blogspo...00/fake-fax.png

Although the numbers and some other details change in the spam messages, in all cases the download location has been from a legitimate but -hacked- site at:
breedandco .com/fileshare/FAX-1400166434-707348006719-154.zip
The ZIP file has a detection rate of 6/55* and it contains a malicious exeuctable named FAX-1400166434-707348006719-154.scr which has a detection rate of 4/55**. Automated analysis... shows a characterstic callback pattern that indicates Upatre (which always leads to the Dyre banking trojan):
93.185.4.90 :12325/ETK7//0/51-SP3/0/GKBIMBFDBEEE
93.185.4.90 :12325/ETK7//41/5/1/GKBIMBFDBEEE
This IP is allocated to C2NET in the Czech Republic. The malware also attempts to enumerate the IP address of the target by accessing checkip .dyndns .org which is a legitimate service. It is worth looking for traffic to that domain because it is a good indicator of compromise.
The malware reaches out to some other malicious IPs (mostly parts of a botnet):
93.185.4.90 (C2NET, Czech Republic)
62.204.250.26 (TTNET, Czech Republic)
76.84.81.120 (Time Warner Cable, US)
159.224.194.188 (Content Delivery Network Ltd, Ukraine)
178.222.250.35 (Telekom Srbija, Serbia)
181.189.152.131 (Navega.com, Guatemala)
194.28.190.84 (AgaNet Agata Goleniewska, Poland)
194.28.191.213 (AgaNet Agata Goleniewska, Poland)
199.255.132.202 (Computer Sales & Services Inc., US)
208.123.135.106 (Secom Inc, US)
Among other things, the malware drops a file XGwdKLWhYBDqWBb.exe [VT 10/55***] and vastuvut.exe [VT 6/55****].
Recommended blocklist:
93.185.4.90
62.204.250.26
76.84.81.120
159.224.194.188
178.222.250.35
181.189.152.131
194.28.190.84
194.28.191.213
199.255.132.202
208.123.135.106
"
* https://www.virustot...sis/1437133169/

** https://www.virustot...sis/1437133178/

*** https://www.virustot...sis/1437135014/

**** https://www.virustot...sis/1437135026/
___

Fake 'You've earned it' SPAM - malware
- http://blog.dynamoo....d-it-youve.html
17 July 2015 - "This is another randomly-generated round of malware spam, following on from this one[1].
1] http://blog.dynamoo....t-job-good.html

     Date:    16 July 2015 at 12:53
    Subject:    Excelent job !
    Congratulations ! You will obtain a 25% commission for the latest sale. Please overlook the next papers to know the whole sum you've gained.
    Daily you prove that you are the main force of our branch in the sales. I am elate and beholden to have such a gifted and able employee. Proceed the good achievements.
    All the best.
    Michelle Curtis Company management
    ---------------------
    Date:    16 July 2015 at 11:53
    Subject:    Good achievement !
    Congratulations ! You will win a 40% rake-off for the latest sale. Please see the these documents to find out the entire sum you've won.
    Everyday you assure that you are the head power of our group in the sales. I am sublime and beholden to get such a talented and skillful workman. Continue the good achievements.
    With the best regards.
    Sharon Silva Company management
...

Attached is a malicious Word document which in the two samples I saw was called
total_sum_from_last_sale.doc
total_sum_from_latest_disposition.doc
Both these documents were identical apart from the filename, and have a VirusTotal detection rate of 4/55*. Inside the document is this malicious macro... which according to Hybrid Analysis downloads several components (scripts and batch files) from:
thereis.staging .nodeproduction .com/wp-content/uploads/78672738612836.txt
www .buildingwalls .co.za/wp-content/themes/corporate-10/78672738612836.txt
www .buildingwalls .co.za/wp-content/themes/corporate-10/papa.txt
These are executed, then a malicious executable is downloaded from:
midwestlabradoodles .com/wp-content/themes/twentyeleven/qwop.exe
This has a VirusTotal detection rate of 8/55** and that report plus other automated analysis tools... phones home to the following malicious URLs:
93.185.4.90 :12317/LE2/<MACHINE_NAME>/0/51-SP3/0/MEBEFEBFEBEFJ
93.185.4.90 :12319/LE2/<MACHINE_NAME>/41/7/4/
That IP belongs to C2NET in the Czech Republic. It also sends non-malicious traffic to icanhazip.com (a legitimate site that returns the IP address) which is a good indicator of compromise.
This malware drops the Dyre banking trojan.
Recommended blocklist:
93.185.4.90
thereis .staging.nodeproduction .com
www .buildingwalls .co.za
midwestlabradoodles .com

* https://www.virustot...sis/1437053265/

** https://www.virustot...sis/1437054039/
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 17 July 2015 - 10:33 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1504 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 27 July 2015 - 05:57 AM

FYI...

Fake 'copy' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 July 2015 - "An email with a subject simply saying 'copy' pretending to come from belinda.taylor@ bssgroup .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email body simply says: copy

27 July 2015 : 13409079779.docm - Current Virus total detections: 4/56*
Downloads Dridex banking malware from:
 terrasses-de-santeny .com/yffd/yfj.exe . Other versions of this downloader will download the -same- Dridex banking malware from alternative locations. So far we have seen
http ://www.madagascar-gambas .com/yffd/yfj.exe
http ://technibaie .net/yffd/yfj.exe
http ://terrasses-de-santeny .com/yffd/yfj.exe  
http ://blog.storesplaisance .com/yffd/yfj.exe
http ://telechargement.storesplaisance .com/yffd/yfj.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1437987707/

terrasses-de-santeny .com: 94.23.55.169: https://www.virustot...69/information/

madagascar-gambas .com: 'Could not find an IP address for this domain name' (May have been taken-down)

technibaie .net: 94.23.1.145: https://www.virustot...45/information/

storesplaisance .com: 94.23.1.145: FR / 16276 (OVH SAS)
___

Fake 'Order Confirmation' SPAM - malicious attachment
- http://blog.dynamoo....mation-ret.html
27 July 2015 - "This spam does not come from Royal Canin, but is instead a simple -forgery- with a malicious attachment:
    From     "[1NAV PROD RCS] " [donotreply@ royal-canin .fr]
    Date     Mon, 27 Jul 2015 18:49:16 +0700
    Subject     Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715
    Please find attached your Sales Order Confirmation
    Note: This e-mail was sent from a notification only e-mail address that
    cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.


Attached to the message is a file Order Confirmation RET-396716 230715.xml (it wasn't attached properly in the samples I saw) with a VirusTotal detection rate of 1/55*, which in turn contains a malicious macro... which downloads an executable from one of the following locations (there are probably more):
http ://www.madagascar-gambas .com/yffd/yfj.exe
http ://technibaie .net/yffd/yfj.exe
http ://blog.storesplaisance .com/yffd/yfj.exe
This is saved as %TEMP%\ihhadnic.exe, and has a detection rate of 2/55**. Automated analysis tools... show that it attempts to phone home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)..."

* https://www.virustot...sis/1437999231/

** https://www.virustot...sis/1437999249/

> http://myonlinesecur...dsheet-malware/
27 July 2015: Order Confirmation RET-396716 230715.xml - Current Virus total detections: 1/56*
... Which downloads an updated version of Dridex banking malware..."
* https://www.virustot...sis/1437997926/
___

Fake 'Loan service' – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 July 2015 - "'New Loan service nearby' with a zip attachment is another one from the current bot runs... Alternative subjects for this malspam run include: 'New Credit service near you'. The email looks like:
    We are happy to inform you that we are founding a affiliate in your vicinity next week. We are credit services firm with more than 15 years practice , and several branches in the region. We give help to individuals and corporations in profiting money for the objective. We provide all the acts , consisting of bringing the money source that sets the lowest percentage and the best conditions of pays , all the paperwork , and etc.
    We are enclosing the invite ticket for the opening celebration and service’s accommodation schedule. Wish to see you on our opening.
    Give us a chance to maintain you!
    Thanks,
    Truly yours,
    Mike Ward General management Info

-Or-
    We are happy to announce you that we are opening a branch in your area soon. We are loan accommodations firm with more than 25 years workmanship, and several offices in the region.
    We provide help to ordinary people and corporations in availing money for the objective.
    We ensure all the actions, consisting of bringing the fiscal source that offers the lowest commissions and the best terms of payment, all the papers, and so on.
    We are applying the engagement card for the opening and organization’s accommodation schedule. Hope to see you on that day.
    Give us a chance to serve you!
    Thanking you,
    Yours truly,
    Mike Ward General management Superior


And the usual other variety of computer bot generated wording that doesn’t quite read as proper English.
27 July 2015: invitation_and_accommodations.zip: Extracts to: call_and_accommodations.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438000007/
... Behavioural information
TCP connections
91.198.22.70: https://www.virustot...70/information/
93.185.4.90: https://www.virustot...90/information/
173.248.31.6: https://www.virustot....6/information/
2.18.213.48: https://www.virustot...48/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 27 July 2015 - 10:11 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1505 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 28 July 2015 - 05:55 AM

FYI...

Fake 'suspicious account activity' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2015 - "'Important Notice: Detecting suspicious account activity' pretending to come from 'Service Center' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Subject: Important Notice: Detecting suspicious account activity
    Date:   Mon, 27 Jul 2015 22:51:16 +0000 (GMT)
    From:   Service Center <redacted >
    Detecting suspicious account activity
    <https ://dl.dropboxusercontent .com/s/dr20sz06iuluwtv/Email%20activity.doc?dl=0>
    The attachment contain steps to secured your account. If you are viewing
    this email on a mobile phone or tablets, please save the document first
    and then open it on your PC.
    Click Here to download attachment.
    <https ://dl.dropboxusercontent .com/s/dr20sz06iuluwtv/Email%20activity.doc?dl=0>
    Thanks,
    Account Service


If you are unwise enough to follow the links then you will end up with a word doc looking like:
> http://myonlinesecur...ctivity_doc.png
DO -NOT- follow their advice/instructions or suggestions to enable content, that will activate the malicious macro inside the document and download and automatically run a file named Account Details.exe which has an icon of an Excel spreadsheet to fool you into thinking it is innocent and infect you.
28 July 2015 : Email activity.doc Current Virus total detections: 21/55*
... Downloads https ://onedrive.live .com/download?resid=9AC15691E4E70C4D!123&authkey=!AL1jJDlqNUg-vAM&ithint=file%2cexe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438037595/

** https://www.virustot...sis/1438062482/
___

Fake 'Please Find Attached' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2015 - "'Please Find Attached – Report form London Heart Centre' pretending to come from lhc.reception@ heart. org.uk with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...eart-Centre.png

28 July 2015: calaidzis, hermione.docm - Current Virus total detections: 9/55*
... Downloads what looks like Dridex banking malware from http ://chloedesign .fr/345/wrw.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438067899/

** https://www.virustot...sis/1438068193/
... Behavioural information
TCP connections
93.171.132.5: https://www.virustot....5/information/
2.18.213.25: https://www.virustot...25/information/

chloedesign .fr: 85.236.156.24: https://www.virustot...24/information/
___

Fake 'Air France' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
28 June 2015 - "'Your Air France boarding documents on 10Jul. pretending to come from Air France <cartedembarquement@ airfrance .fr> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ts-on-10Jul.png

28 July 2015: Boarding-documents.docm - Current Virus total detections: 9/55*
... which downloads Dridex banking malware from http ://laperleblanche .fr/345/wrw.exe which is the -same- malware as in today’s earlier malspam run using malicious word docs with macros**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438071620/

** http://myonlinesecur...rd-doc-malware/

laperleblanche .fr: 94.23.1.145: https://www.virustot...45/information/

- http://blog.dynamoo....e-boarding.html
28 June 2015 - "... -same- exact payload as this earlier attack* today..."
* http://blog.dynamoo....d-attached.html
"... phones home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)
I recommend that you -block- that IP. The malware is the Dridex banking trojan..."
___

Fake 'Invoice notice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
28 July 2015 - "A series of emails with subjects of: 'Invoice delivery / Invoice notice / Receipt alert / DHL notice / UPS notification / Invoice information' and numerous -other- similar subjects with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    You had got the bill !
    Delivered at: Tue, 28 Jul 2015 16:15:36 +0500.
    Number of sheets: 0.
    Mailer ID: 3.
    Delivery number: 843.
    Kindly be advised that attached is photo-copy of the 1st page alone.
    We are going to mail the originals to You at the address indicated already.

-Or-
    You have received the bill !
    Received at: Tue, 28 Jul 2015 11:43:15 +0000.
    Amount of sheets: 9.
    Addresser ID: 79187913.
    Delivery order: 6199843296.
    Kindly be advised that attached is scan-copy of the 1st page alone.
    We are going to dispatch the originals to You at the location mentioned earlier.


And multiple similar content. If you are unwise enough to open the attachment then you will end up with a word doc looking like this:
> http://myonlinesecur..._6199843296.png
DO -NOT- follow their advice/instructions or suggestions to enable content, that will activate the malicious macro inside the document and download and automatically run a file named word.exe which has an icon designed to fool you into thinking it is innocent and infect you. These emails have attachments with names like Invoice_number_6199843296.doc / Order_No._843.doc / Bill_No._95.doc and -multiple- variations of the names and numbers.
28 July 2015 : Invoice_number_6199843296.doc - Current Virus total detections:7/56*
... goes through a convoluted download procedure giving you http ://bvautumncolorrun .com/wp-content/themes/minamaze/lib/extentions/prettyPhoto/images/78672738612836.txt which is a base 64 encoded file that transforms into a password stealer. It also goes to http ://iberianfurniturerental .com/wp-content/plugins/nextgen-gallery/admin/js/Jcrop/css/fafa.txt which automatically downloads http ://umontreal-ca .com/word/word.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438080189/

** https://www.virustot...sis/1438081346/

bvautumncolorrun .com: 184.168.166.1: https://www.virustot....1/information/

iberianfurniturerental .com: 173.201.169.1: https://www.virustot....1/information/

umontreal-ca .com: 89.144.10.200: https://www.virustot...00/information/
___

Fake 'Voice Message' SPAM – wav malware
- http://myonlinesecur...ke-wav-malware/
28 July 2015 - "'Voice Message Attached from 08439801260' pretending to come from voicemessage@ yourvm .co.uk with a wav (sound file) attachment is another one from the current bot runs... The email looks like:

    Time: Jul 28, 2015 3:08:34 PM
    Click attachment to listen to Voice Message


28 July 2015: 08439801260_20150725_150834.wav - Current Virus total detections: 2/55*
... Which downloads Dridex banking malware from laurance-primeurs .fr/345/wrw.exe
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438082138/

laurance-primeurs .fr: 94.23.1.145: https://www.virustot...45/information/
___

Fake 'Incoming Fax' SPAM - malware
- http://blog.dynamoo....ernal-only.html
28 July 2015 - "This -fake- fax message leads to malware:
    From:    Incoming Fax [Incoming.Fax@ victimdomain]
    Date:    18 September 2014 at 08:39
    Subject:    Internal ONLY
    **********Important - Internal ONLY**********
    File Validity: 28/07/2015
    Company : http ://victimdomain
    File Format: Microsoft word
    Legal Copyright: Microsoft
    Original Filename: (#2023171)Renewal Invite Letter sp.doc
    ********** Confidentiality Notice ********** ...
    (#2023171)Renewal Invite Letter sp.exe


Attached is a Word document with a malicious macro. The Hybrid Analysis report shows it downloading components from several locations, but doesn't quite catch the malicious binary being downloaded from:
http ://umontreal-ca .com/word/word.exe ... This has a VirusTotal detection rate of 2/55*.
umontreal-ca .com (89.144.10.200 / ISP4P, Germany) is a -known- bad domain. Other analysis is pending, however the payload is likely to be the Dyre banking trojan.
UPDATE: This Hybrid Analysis report shows traffic to the following IPs:
67.222.202.183 (Huntel.net, US)
195.154.163.4 (Online SAS, France)
192.99.35.126 (OVH, Canada)
95.211.189.208 (Leaseweb, Netherlands)
Recommended blocklist:
89.144.10.200
67.222.202.183
195.154.163.4
192.99.35.126
95.211.189.208
"
* https://www.virustot...sis/1438087963/
___

Fake 'cash prizes for shopping' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
28 July 2015 - "Another set of emails with subjects including 'Get cash prizes for shopping' and 'Get cash payments for purchasing' with a zip attachment is another one from the current bot runs... The email looks like:
    Love purchasing? We have something special for you!
    Do you want to get cash compensations on buys you make in your favorite stores? Just get our debit card to make your purchases, and then you will commence enhancing the rewards. Bear in mind only one rule – the more you use it – the more you receive. So kindly check out the applied info to learn how this offer proceeds and how to open your bank account.
    It was never so pure, fast and so close to your dreams. Don’t lose your time. Join us, keep to us and shopping will give!

-Or-
    Being fond of shopping? We propose something special for you!
    Do you want to get cash rewards on purchases you make in your favorite shops? Just use our debit card to make your purchases, and then you will start increasing the  remunerations. Bear in mind one rule – the more you use it – the more you get. So please read the enclosed documentations to see how it operates and how to open your account.
    It was never so elementary, fast and so close to your dreams. Don’t lose your chance. Join us, stick to us and shopping will pay!


And numerous other similar computer generated text...
28 July 2015: bank_offering_and_card_information.zip: Extracts to: special_offering_and_card_details.scr
Current Virus total detections: 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438090452/
... Behavioural information
TCP connections
216.146.43.70: https://www.virustot...70/information/
93.185.4.90: https://www.virustot...90/information/
24.33.131.116: https://www.virustot...16/information/
95.100.255.176: https://www.virustot...76/information/
___

Russian Underground - Revamped
- http://blog.trendmic...round-revamped/
July 28, 2015 - "When big breaches happen and hundreds of millions of credit card numbers and SSNs get stolen, they resurface in other places. The underground now offers a vast landscape of shops, where criminals can buy credit cards and other things at irresistible prices. News and media coverage on significant breaches are increasingly shaping up to becoming an everyday occurrence. 2014 became the “year of the POS breach” for the retailers like Neiman Marcus, Staples, Kmart, and Home Depot. The first part of 2015 has also seen some major breaches within the consumer industry (Chick-fil-A, RyanAir) but also with health insurers (Anthem, Premera). A simple shopping trip to the grocery store (Albertsons or Supervalu) or to Home Depot can prove fatal—paying with debit/credit card has its inherent risks. But what happens with the compromised data and personal information?... right after a significant data breach, the underground experiences an influx of new cards. These stolen credentials surface in places, where they get categorized within databases and sold in a very orderly fashion in underground “marketplaces.” Marketplaces in many ways are what forums used to be: a place of trade, but marketplaces now allow for standardized sales of products and services at a set price that can be bought with a few easy clicks similar to online-shopping. These places often have a professional-looking, user-friendly graphical interface, where the buyer can easily filter the available cards by very specific criteria such as ZIPcode, city, address of the card owner, type of card, etc... several credit cards that can be linked to big, well-known corporations by looking at the (valid) information offered about the card owner, his (corporate) address, zip code, and card number and validity date. What this tells us is that the clever cybercriminal, wanting to operate in a time-efficient manner and maximize his earnings, will make the best use of these new search/filter options offered by marketplaces. He will narrow his search to the big corporations, keep a database with addresses and locations and regularly filter the best marketplaces for the most recent outpour of -fresh- credit card leaks... Many corporations allow their employees to use credit cards for business travels but in the event of a card being stolen, the corporation is affected directly. The benefit these cards render for criminal purposes is obvious: if a corporate card has a transaction limit of, say, US$ 2,000, it can be a gold mine for cybercriminals. Due to hundreds of transactions that are processed, it’s difficult for the corporate card owner to detect and trace back any suspicious movement..."
> https://www.trendmic...isticated-tools
July 28, 2015
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 28 July 2015 - 10:14 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1506 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 29 July 2015 - 06:08 AM

FYI...

Fake 'New mobile banking app' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 July 2015 - "Today’s set of Upatre downloaders come with an email subject of 'New mobile banking application / The latest mobile banking application / Renewed mobile banking app' with a zip attachment is another one from the current bot runs... The email looks like:
    Dear patron!
    We would like to introduce you new mobile banking app for our bank patrons. Our mobile banking options help you to enter your bank account safely anywhere you want. A quick and easy registration is all you need to start using mobile banking options. With mobile banking, you can realize most of all financial operations. Our application is simple to use and highly safe.
    To learn more about application features and work, please view the enclosed info. Download link is also included.

-Or-
    Dear client!
    We would like to introduce you new mobile banking app for our bank customers. Our mobile banking services help you to access your bank account securely anywhere you want. A quick and easy registration is all you need to start using mobile banking options. With mobile banking, you can realize most of all financial procedures. Our application is toiless to use and extremely safe.
    To know more about application details and work, please see the attached information. Download link is also inside.

-Or-
    Dear patron!
    We are glad to present you new mobile banking app for our bank patrons. Our mobile banking accommodations help you to enter your bank account safely any place you want. A quick and simple registration is all you need to begin using mobile banking options. With mobile banking, you can realize most of all bank operations. Our app is toiless to use and very safe.
    To know more about application details and functioning, kindly view the affixed document. Download link is also inside.


 And numerous very similar computer generated versions of the above.
29 July 2015: id697062389app_features.doc.zip: Extracts to:  app_brochure.exe
Current Virus total detections: 0/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438168067/
... Behavioural information
TCP connections
216.146.38.70: https://www.virustot...70/information/
93.185.4.90: https://www.virustot...90/information/
176.36.251.208: https://www.virustot...08/information/
95.101.72.123: https://www.virustot...23/information/
___

Fake 'Get our deposit card' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 July 2015 - "The latest upatre downloader to hit the presses is an email with a subject of 'Get our deposit card and receive 067' (varying amounts) pretending to come from jesse_rice with a zip attachment is another one from the current bot runs... The email looks like:
    Deposit card containing many profitable features is new extraordinary proposal of ours.
    One of the great items that will actually intrigue you is the 98 money back pize. When you outlay 300 USD or more within 3,2,5,4,6 months buying by this card, you will earn a 23 award. There is also 5% cash back award function that give you opportunity to take 5% cash back on up to 1500 USD during each three month quarter. It’s not a disposable prize. You will turn on your feature every 3 month quarter without any extra fees! There are a lot of other bonuses that you will have. You can browse them in the applied to learn more about it and find all details. Feel free to to ask if you have any questions.
    We sincerely look forward to your response


29 July 2015: 220317964deposit_card_features_details.zip: Extracts to: card_features_details.exe
Current Virus total detections: 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438176115/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
93.185.4.90: https://www.virustot...90/information/
69.144.171.44: https://www.virustot...44/information/
2.20.143.37: https://www.virustot...37/information/
___

USA TODAY Fantasy Sports... serves Malware
- https://blog.malware...serves-malware/
July 28, 2015 - "... We routinely detect infections coming from forums during our daily crawl of potentially malicious URLs. One of the reasons for this comes from the underlying infrastructure that powers those sites. Indeed, server side pieces of software such as Apache or vBulletin are often abused by cyber criminals who can easily exploit security holes especially if these applications are not kept up to date. Case in point, the Fantasy Sports discussion forum part of USA TODAY Sports Digital Properties was recently redirecting members towards scam sites and even an exploit kit that served malware. The forum statistics show a total of 117,470 threads, 3,348,218 posts and 18,447 members.
> https://blog.malware...15/07/graph.png
...  domain is involved in multiple nefarious activities via -malvertising- such as -fake- Flash Player applications, tech support scams or exploit kits. In some cases, all of the above combined...
> https://blog.malware...07/scampage.png
Nuclear exploit kit: Probably the worst case scenario is to be -redirected- to an exploit kit page and have your computer infected.
> https://blog.malware...7/Fiddler21.png
In this particular instance, we were served the Nuclear EK, although given the URL pattern it would have been very easy to call this one Angler EK. This change was noted by security researcher @kafeine* about a week ago...
* https://twitter.com/...564043345858562
Had the exploit been successful, a piece of malware known as Glupteba (VT link**) would have been dropped and executed. Compromised machines are enrolled into a large botnet that can perform many different malicious tasks... We have notified USA Today about this security incident..."
** https://www.virustot...sis/1437954473/
... Behavioural information
TCP connections
195.22.103.43: https://www.virustot...43/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 29 July 2015 - 08:10 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1507 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 30 July 2015 - 05:39 AM

FYI...

Fake 'settlement failure' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2015 - "Today’s first set of Upatre downloaders come with email subjects that include 'Calculated response settlement failure / Estimated response settlement failure / Estimated response payment default / Calculated invoice payment default' with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ent-failure.png

30 July 2015: official_document_copies_id942603754.pdf.zip: Extracts to: public_order_copies.exe
Current Virus total detections: 0/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438249041/
___

Fake 'ADP Payroll' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2015 - "'Invoice #[random numbers]' pretending to come from ADP – Payroll Services <payroll.invoices@ adp .com> with a zip attachment is another one from the current bot runs... The email looks like:
     Attached are the latest statements received from your bank.
    Please print this label and fill in the requested information. Once you have filled out
    all the information on the form please send it to payroll.invoices@adp.com.
     For more details please see the attached file.
    Please do not reply to this e-mail, it is an unmonitored mailbox!
     Thank you ,
    Automatic Data Processing, Inc.
    1 ADP Boulevard
    Roseland
    NJ 07068
    © Automatic Data Processing, Inc. (ADP®) . All rights reserved...


30 July 2015: ADP_Invoice _0700613.zip : Extracts to: ADP_Invoice.scr
Current Virus total detections: 2/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438267744/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
93.185.4.90: https://www.virustot...90/information/
178.222.250.35: https://www.virustot...35/information/
2.18.213.56: https://www.virustot...56/information/
___

Fake 'check returned' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
30 July 2015 - "'Your cheque has been returned' pretending to come from jobs-asia with a zip attachment is another one from the current bot runs... The email looks like:
    I enclose a check that has been returned unpaid for occasions shown there.
    We have written off you with the sum.
    If you have any questions, kindly write to us. We’ll endeavor to help you.
    Faithfully,
    Lloyd Bailey
    Service department


30 July 2015: cheque_and_description_i4Aev0CF.zip: Extracts to: cheque_and_explanation.exe
Current Virus total detections: 0/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438267061/
... Behavioural information
TCP connections
104.238.141.75: https://www.virustot...75/information/
93.185.4.90: https://www.virustot...90/information/
67.221.195.6: https://www.virustot....6/information/
2.18.213.24: https://www.virustot...24/information/
___

Fake 'Income tax settlement failure' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
29 July 2015 - "'Income tax settlement failure sent id: [number]' with a zip attachment is another one from the current bot runs... The email looks like:
    In accordance with taxing authority information You have defaulted a term to settle the estimated tax sums.
    Kindly see attached the official order from the revenue service.
    Furthermore please be noted of the fact that additory penalties would be applied unless the debt amounts are not remitted within four working days.
    Regard this reminder as highly important.
    Rebecca Crouch Tax Department


29 July 2015: public_order_scan713432229.zip: Extracts to: official_order_copies.exe
Current Virus total detections: 3/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438208026/
... Behavioural information
TCP connections
104.238.136.31: https://www.virustot...31/information/
93.185.4.90: https://www.virustot...90/information/
87.249.142.189: https://www.virustot...89/information/
88.221.14.145: https://www.virustot...45/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 30 July 2015 - 10:44 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1508 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 31 July 2015 - 06:08 AM

FYI..

Fake 'Chess Bill' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
31 July 2015 - "'Your latest Chess Bill Is Ready' pretending to come from  CustomerServices@ chesstelecom .com with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    Your bill summary
    Account number: 24583
    Invoice Number: 2398485
    Bill date: July 2015
    Amount: £17.50
    How can I view my bills?
    Your Chess bill is ready and waiting for you online. To check out your detailed bill, previous bills and any charges you’ve incurred since your last bill, just sign into My Account www .chesstelecom .com/myaccount ...


31 July 2015 : 2015-07-Bill.docm - Current Virus total detections: 5/56*
Downloads Dridex banking malware from:
http ://laboaudio .com/4tf33w/w4t453.exe
http ://chateau-des-iles .com/4tf33w/w4t453.exe
http ://immobilier-ctoovu .com/4tf33w/w4t453.exe
http ://delthom .eu.com/4tf33w/w4t453.exe
http ://ctoovu .com/4tf33w/w4t453.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438334839/

laboaudio .com: 94.23.55.169: https://www.virustot...69/information/
chateau-des-iles .com: 94.23.1.145: https://www.virustot...45/information/
immobilier-ctoovu .com: 94.23.55.169
delthom .eu.com: 94.23.1.145
ctoovu .com: 94.23.55.169
___

Apple Care – phish
- http://myonlinesecur...-care-phishing/
31 July 2015 - "'Apple Care' pretending to come from Apple <secure@ appletechnicalteam .com> is one of the latest phish attempts to steal your Apple Account and your Bank, credit card and personal details...

Screenshot: http://myonlinesecur.../Apple-Care.png

... The actual site this sends you to is http ://applesurveillance .com/account/?email=a@a.a which can very easily be mistaken for a genuine Apple site. To make it even worse, the phishers have gone to the effort of setting up the domain properly and are using an email address to send from “Apple <secure@ appletechnicalteam .com> ” which has the correct domainkeys and SPF records so it doesn’t look like spam and will be allowed past most spam filters. They have also set up the applesurveillance .com site so that it appears to a security researcher or investigator that the account has been suspended by the hosting provider, when it actually is -live- when you put any email address into the url:
> http://myonlinesecur...fy_apple_ID.png
When you fill in your user name and password you get a page looking very similar to this one ( split into sections), where the phishers try to validate your details to make sure that you are entering “genuine ” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format:
> http://myonlinesecur..._apple_ID_2.png
...
> http://myonlinesecur..._apple_ID_3.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 31 July 2015 - 06:27 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1509 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 01 August 2015 - 12:29 PM

FYI...

Countrywide Money Ltd SPAM
- http://blog.dynamoo....-money-ltd.html
1 Aug 2015 - "You know things must be desperate when a business turns to spam. Here's a dubious-looking spam that seems to be presenting itself in a way that looks like a get-rich-quick scheme:
From:    Countrywide Money [info@ countrywidemoney .co.uk]
Reply-To:    Info@ countrywidemoney .co.uk
Date:    1 August 2015 at 05:11
Subject:    Extra Income FOR YOU!...
... to Unsubscribe Click Here!

Screenshot: https://1.bp.blogspo...countrywide.jpg

... the Unsubscibe link doesn't work. Tsk tsk. Now, I'm sure this is a legitimate business offer and not some sort of scam. But all those banknotes and the general pitch seems to suit an operation in Lagos rather than one in the UK... A non-trading individual? Let's look at that web site for a moment:
> https://1.bp.blogspo...ountrywide2.jpg

Well, it doesn't look like a personal homepage to me... It turns out that the sole director is one "Tony Edwards"... A little bit more digging at DueDil* shows some equally disappointing looking financials...  I'm not sure why this person feels that promoting their business through -spam- is appropriate. I certainly won't be signing up to this scheme."
* https://www.duedil.c...e-money-limited
___

Your Files Are Encrypted with a 'Windows 10 Upgrade'
- http://blogs.cisco.c...tb-locker-win10
July 31, 2015 - 'Update 8/1: To see a video of this -threat- in action click here:
> http://cs.co/ctb-locker-video
Adversaries are always trying to take advantage of current events to lure users into executing their malicious payload. These campaigns are usually focussed around social events and are seen on a constant basis. Today, Talos discovered a -spam- campaign that was taking advantage of a different type of current event. Microsoft released Windows 10 earlier this week (July 29) and it will be available as a free upgrade to users who are currently using Windows 7 or Windows 8. This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain. The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign:
> https://blogs.cisco....blacked_out.png
Email Message: The email message above is a sample of the type of messages that users are being presented with. There are a couple of key indicators in the message worth calling out.
First, the from address, the adversaries are spoofing the email to look like it is coming directly from Microsoft (update<at>microsoft.com). This is a simple step that tries to get users to read further:
> https://blogs.cisco....in10_header.png
However, a quick look at the email header reveals that the message actually originated from IP address space allocated to Thailand. Second, the attackers are using a similar color scheme to the one used by Microsoft. Third, there are a couple of red flags associated with the text of the email. As you can see below, there are several characters that don’t parse properly. This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email:
> https://blogs.cisco....cter_errors.png
... Payload: Once a user moves past the email, downloads the zip file, extracts it, and runs the executable, they are greeted with a message similar to the following:
>> https://blogs.cisco..../CTB-Locker.png
The payload is CTB-Locker, a ransomware variant. Currently, Talos is detecting the ransomware being delivered to users at a high rate. Whether it is via spam messages or exploit kits, adversaries are dropping a huge amount of different variants of ransomware. The functionality is standard however, using asymmetric encryption that allows the adversaries to encrypt the user’s files without having the decryption key reside on the infected system. Also, by utilizing Tor and Bitcoin they are able to remain anonymous and quickly profit from their malware campaigns with minimal risk...
Conclusion: The threat of ransomware will continue to grow until adversaries find a more effective method of monetizing the machines they compromise. As a defense, users are encouraged to backup their data in accordance with best practices. These backups should be stored offline to prevent them from being targeted by attackers.  Adversaries are always looking to leverage current events to get users to install their malicious payloads. This is another example, which highlights the fact that technology upgrades can also be used for malicious purposes..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 01 August 2015 - 02:00 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1510 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 03 August 2015 - 04:50 AM

FYI...

Bogus Win10 'activators'
- http://net-security....ews.php?id=3082
03.08.2015 - "... bogus Windows 10 "activators".
* http://www.net-secur...ld.php?id=17960

> https://blog.malware...ps-and-surveys/
___

Fake 'E-bill' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
3 Aug 2015 - "'E-bill : 6200228913 – 31.07.2015 – 0018' pretending to come from  noreply.UK.ebiller@ lyrecobusinessmail .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear customer,
    Please find enclosed your new Lyreco invoicing document nA^ 6200228913 for a total amount of 43.20 GBP, and  due on 31.08.2015
    We would like to remind you that all of your invoices are archived electronically free of charge and can be reviewed by  you at any time.
    For any questions or queries regarding your invoices, please contact Customer Service on Tel : 0845 7676999*.
    Your Lyreco Customer Service
    *** Please do not reply to the sender of this email...


3 August 2015: 0018_6200228913.docm - Current Virus total detections: 5/55*
Downloads Dridex banking malware from http ://immobilier-roissyenbrie .com/w45r3/8l6mk.exe or http ://scootpassion .com/w45r3/8l6mk.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438596426/

** https://www.virustot...sis/1438596617/

immobilier-roissyenbrie .com: 94.23.55.169: https://www.virustot...69/information/

scootpassion .com: 37.0.72.24: https://www.virustot...24/information/

- http://blog.dynamoo....3-31072015.html
3 Aug 2015
"... Recommended blocklist:
46.36.219.141
94.23.55.169
"
___

DHL DELIVERY - phish ...
- http://myonlinesecur...ils-_-phishing/
3 Aug 2015 - "'DHL DELIVERY DETAILS' pretending to come from noreply@ dhl .com is one of the latest attempts to steal your email account details...

Screenshot: http://myonlinesecur...phish_email.png

... click-the-link (DON'T) in the email you will be sent to http ://cherysweete1843 .org/DHL%20_%20Tracking/DHL%20_%20Tracking.htm (or whichever other site the phishers have set up to steal your information). The site looks like:
> http://myonlinesecur...8/dhl_phish.png
... entering an email address and password, just gives you a download of the image that was originally in the email. It just looks like the phishers are trying to get email account details and hoping that an unwary user will be unwise enough to give them the password for their email account so it can be used for sending more spam. Of course there will be a few users who genuinely have DHL accounts and the log in details might be enough to compromise the account and use the account to send stolen or illegal items through the DHL network with minimum risk to the criminals. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

cherysweete1843 .org: 178.217.186.27: https://www.virustot...27/information/
___

First Firmware Worm That Attacks Macs
- http://www.wired.com...m-attacks-macs/
8.03.15 - "... when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren’t. It turns out this isn’t true. Two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of MACs. What’s more, the researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked... The only way to eliminate malware embedded in a computer’s main firmware would be to re-flash the chip that contains the firmware... findings on August 6 at the Black Hat security conference in Las Vegas. A computer’s core firmware — also referred to at times as the BIOS, UEFI or EFI—is the software that boots a computer and launches its operating system. It can be infected with malware because most hardware makers don’t cryptographically sign the firmware embedded in their systems, or their firmware updates, and don’t include any authentication functions that would prevent any but legitimate signed firmware from being installed... it operates at a level below the level where antivirus and other security products operate and therefore does not generally get scanned by these products, leaving malware that infects the firmware unmolested. There’s also no easy way for users to manually examine the firmware themselves to determine if it’s been altered... malware infecting the firmware can maintain a persistent hold on a system throughout attempts to disinfect the computer. If a victim, thinking his or her computer is infected, wipes the computer’s operating system and reinstalls it to eliminate malicious code, the malicious firmware code will remain intact..."
___

Fake Android Virus Alert(s)...
- https://blog.malware...hinese-hackers/
Aug 3, 2015 - "... messages of impending doom on a mobile device are always more worrying than on a desktop, because many device owners may not be locking down their phones the way they do their PCs. It’s even worse if on a mobile data package, because nobody wants to end up on premium rate services or websites and contend with spurious charges. Once the popups and redirects take hold, it’s sometimes hard to keep your composure and get a handle on multiple tiny screens doing weird things. In the above case, there’s no infection to worry about so no need to panic. Advert redirects to unwanted locations are always a pain – especially if younger members of your family happen to be on the phone at the time the -redirects- happen – but you’ve generally got to work at it to infect a mobile device with something bad. Keeping the “Allow installs from unknown sources” checkbox -unticked- and the “Very Apps” checkbox -ticked- won’t make your phone bulletproof, but it will go a long way towards keeping you secure."
___

Fake 'pictures' SPAM - JS malware
- http://myonlinesecur...ion-js-malware/
2 Aug 2015 - "'my relaxation' pretending to come from Facebook <update+pw_k1-d2r1@ facebookmail .com> with a zip attachment is another one from the current bot runs... The email looks like:

    Here are some pictures!!
    See you later! I love you.


2 August 2015: File_7866.zip: Extracts to: File_7866.js - Current Virus total detections: 10/56*
Downloads Adobe_update-86R8IJHUY0CCI.exe from http ://kheybarco .com and also downloads a genuine PDF file which is a German language hotel invoice from HRS group (this is an updated version of this Malspam run** from last week)...
** http://myonlinesecur...oup-js-malware/
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438493868/

kheybarco .com: 176.9.8.205: https://www.virustot...05/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 03 August 2015 - 12:21 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

    Advertisements

Register to Remove


#1511 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 04 August 2015 - 05:34 AM

FYI...

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
4 Aug 2015 - "'INVOICE HH / 114954' pretending to come from haywardsheath@ hpsmerchant .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Please find attached INVOICE HH / 114954
    Automated mail message produced by DbMail.
    Registered to Heating & Plumbing Supplies, License MBS2009358.


4 August 2015: R-20787.doc - Current Virus total detections: 5/56*
... downloads Dridex banking malware from http ://ilcasalepica .it/45g33/34t2d3.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438684390/

** https://www.virustot...sis/1438684442/
... Behavioural information
TCP connections
194.58.111.157: https://www.virustot...57/information/
8.254.218.142: https://www.virustot...42/information/

ilcasalepica .it: 195.234.171.179: https://www.virustot...79/information/

- http://blog.dynamoo....-hh-114954.html
4 Aug 2015 - "... The payload is the Dridex banking trojan.
Recommended blocklist:
194.58.111.157
62.210.214.106
31.131.251.33
"
___

Malware spam: "Need your attention"
- http://blog.dynamoo....-attention.html
4 Aug 2015 - "A variety of malicious spam messages are in circulation, each with "Need your attention" in the subject. Each message has a different sender, attachment name and reference number in the subject along with some other variations. Here is an example:
     From:    Hilda Buckner
    Date:    4 August 2015 at 13:29
    Subject:    Need your attention: OO-6212/863282
    Greetings
    Hope you are well
    Please find attached the statement that matches back to your invoices.
    Can you please sign and return.


In that case, the attachment is victimname_JM_1646.doc (other messages have differently-named attachments, but all with the victim's name in them) which in this case contains this malicious macro... What that macro does (other ones may be slightly different) is download a VBS script from pastebin .com/download.php?i=0rYd5TK3... which is then saved as %TEMP%\nnjBHccs.vbs. That VBS then downloads a file from 5.196.241.204 /bt/bt/ched.php which is then saved as %TEMP%\JHVHsd.exe which currently has a detection rate of zero* (MD5 = 00dca835bb93708797a053a3b540db16). The Malwr report indicates that this phones home to 80.247.233.18 (NFrance Conseil, France). The payload is probably the Dridex banking trojan. Note that the malware also sends apparantly non-malicious traffic to itmages .ru , for example:
itmages .ru/image/view/2815551/2b6f1599
itmages .ru/image/view/2815537/2b6f1599
Therefore I would suggest that monitoring for traffic to itmages .ru is a fairly good indicator of compromise."
* https://www.virustot...sis/1438693059/
... Behavioural information
TCP connections
23.14.92.97: https://www.virustot...97/information/
178.255.83.2: https://www.virustot....2/information/
80.247.233.18: https://www.virustot...18/information/

5.196.241.204: https://www.virustot...04/information/

itmages .ru: 176.9.0.165: https://www.virustot...65/information/

comment: Derek Knight said...
"It is -ransomware- not Dridex this time and the most evil thing about it, is it uses a legitimate digital signature so it will blow past antiviruses and operating system protections. Correctly digitally signed files are treated as good."
4 Aug 2015
___

Fake 'AMEX Alert' SPAM - Phish... malware
- http://myonlinesecur...ssible-malware/
4 Aug 2015 - "'Account Alert: IMPORTANT CardMembership Notification' pretending to come from American Express <AmericanExpress@ aecom .com> with an html webpage attachment... seems to be a malware downloader...

Screenshot: http://myonlinesecur...otification.png

The attached webpage looks like:
> http://myonlinesecur...ification_1.png
4 August 2015: AYNEUS018829.html - Current Virus total detections: 4/55*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
https://www.virustot...sis/1438622967/
___

Malvertising Campaign Takes on Yahoo!
- https://blog.malware...takes-on-yahoo/
Aug 3, 2015 - "June and July have set new records for malvertising attacks. We have just uncovered a large scale attack abusing Yahoo!’s own ad network. As soon as we detected the malicious activity, we notified Yahoo! and we are pleased to report that they took immediate action to stop the issue. The campaign is no longer active at the time of publishing this blog.
This latest campaign started on July 28th, as seen from our own telemetry. According to data from SimilarWeb, Yahoo!’s website has an estimated 6.9 Billion visits per month making this one of the largest malvertising attacks we have seen recently... As with the previous reported cases this one also leverages Microsoft Azure websites... We did not collect the payload in this particular campaign although we know that Angler has been dropping a mix of ad fraud (Bedep) and ransomware (CryptoWall)... Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain. The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it. It is one of the reasons why we need to work very closely with different industry partners to detect suspicious patterns and react very quickly to halt rogue campaigns."
> http://bits.blogs.ny...y-in-yahoo-ads/

- http://net-security....ews.php?id=3083
04.08.2015 - "... In the first half of this year the number of malvertisements has jumped 260 percent compared to the same period in 2014. The sheer number of unique malvertisements has climbed 60 percent year over year... fake Flash updates have replaced fake antivirus and fake Java updates as the most commonly method used to lure victims into installing various forms of malware including ransomware, spyware and adware..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 04 August 2015 - 09:31 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1512 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 05 August 2015 - 06:21 AM

FYI...

Fake 'Ofcom Spectrum' SPAM - doc/xls malware
- http://myonlinesecur...rd-doc-malware/
5 Aug 2015 - "'IMPORTANT – Document From Ofcom Spectrum Licensing' pretending to come from Spectrum.licensing@ ofcom. org.uk with a malicious word doc/xls attachment is another one from the current bot runs... The email looks like:
    Dear Sir/Madam,
    Please find attached an electronic version of important documents relating to your Wireless Telegraphy licence or application.
    Please read the document carefully and keep it for future reference.
    If any details within this letter are incorrect, please notify Ofcom Spectrum Licensing as soon as possible. It is the Licensee’s responsibility to ensure all information we hold is correct and current.
    If you have any enquiries relating to this document, please email
    spectrum.licensing@ ofcom .org.uk
    Yours faithfully,
    Ofcom Spectrum Licensing ...


5 August 2015: logmein_pro_receipt.xls - Current Virus total detections: 6/55*
Downloads Dridex banking malware from http ://naturallyconvenient .co.za/75yh4/8g4gffr.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438771928/

** https://www.virustot...sis/1438771421/
... Behavioural information
TCP connections
194.58.111.157: https://www.virustot...57/information/
2.18.213.40: https://www.virustot...40/information/

naturallyconvenient .co.za: 197.221.14.220: https://www.virustot...20/information/

- http://blog.dynamoo....ument-from.html
5 Aug 2015
"... downloads a malware executable from:
naturallyconvenient .co.za/75yh4/8g4gffr.exe
... phoning home to:
194.58.111.157 (Reg.RU, Russia)
That IP has been used for badness a few times recently and I definitely recommend that you block traffic to it..."
___

Fake 'Booking Confirmation' SPAM – doc malware
- http://myonlinesecur...dsheet-malware/
5 Aug 2015 - "'Booking Confirmation – Accumentia (16/9/15)' pretending to come from <david.nyaruwa @soci .org> with a malicious word doc is another one from the current bot runs... The email looks like:
    Please find attached a proforma invoice for Accumentia’s booking of the council room on 16/09/15. The deposit to confirm the booking is 25% (ie £205.50) with the balance due by the date of the meeting.
    Regards,
    David Nyaruwa
    Project Accountant ...


5 August 2015: Accumentia Booking (16-9-15).doc - Current Virus total detections: 7/55*
Downloads -same- Dridex banking malware as today’s other 2 malspam runs [1] [2]
1] http://myonlinesecur...rd-doc-malware/
...
2] http://myonlinesecur...rd-doc-malware/
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1438773636/

- http://blog.dynamoo....nfirmation.html
5 Aug 2015 - "... Accumentia Booking (16-9-15).doc which comes in at least two different versions [VirusTotal results 6/56* and 7/56**]...  download -malware- from the following locations:
hunde-detektive .de/75yh4/8g4gffr.exe
naturallyconvenient .co.za/75yh4/8g4gffr.exe
This file has a detection rate of 4/55*** and the Malwr report shows that it phones home to the familiar IP of:
194.58.111.157 (Reg.RU, Russia)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan..."
* https://www.virustot...005eb/analysis/

** https://www.virustot...5bff2/analysis/

*** https://www.virustot...sis/1438773952/
... Behavioural information
TCP connections
194.58.111.157: https://www.virustot...57/information/
2.18.213.40: https://www.virustot...40/information/

hunde-detektive .de: 81.169.145.89: https://www.virustot...89/information/
___

Fake 'passport' SPAM – JS malware cryptowall/fareit
- http://myonlinesecur...uez-js-malware/
5 Aug 2015 - "'My passport – Reginald Vazquez' pretending to come from Reginald Vazquez <Reginald.Vazquez@ iconbrandingsolutions .com> with a zip attachment is another one from the current bot runs... The email looks like:
    Please find attached copy of the passport for my wife and daughter as requested. please note we need to complete on the purchase in 4 weeks from the agreed date.
    Kind regards,
    Reginald Vazquez


5 August 2015: Reginald Vazquez.zip - Extracts to: Reginald Vazquez.js
Current Virus total detections: 0/55*. Downloads 2 files from 31072015a .com 1 is -cryptowall-, the second is -fareit- VirusTotal [1] [2]. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
1] https://www.virustot...sis/1438775249/
... Behavioural information
TCP connections
188.165.164.184: https://www.virustot...84/information/
5.196.199.72: https://www.virustot...72/information/
45.56.87.253: https://www.virustot...53/information/
103.28.39.102: https://www.virustot...02/information/
81.218.71.215: https://www.virustot...15/information/
212.90.148.43: https://www.virustot...43/information/
184.168.47.225: https://www.virustot...25/information/
198.211.120.49: https://www.virustot...49/information/
98.130.136.200: https://www.virustot...00/information/

2] https://www.virustot...sis/1438775261/
... Behavioural information
TCP connections
192.186.240.131: https://www.virustot...31/information/
82.208.47.134: https://www.virustot...34/information/
160.153.34.130: https://www.virustot...30/information/
50.62.121.1: https://www.virustot....1/information/
192.254.185.141: https://www.virustot...41/information/
50.63.93.1: https://www.virustot....1/information/

31072015a .com:
> http://centralops.ne...ainDossier.aspx
Registrant Country: RU
Admin Country: RU
Tech State/Province: RU ...
route:          178.151.105.0/24
descr:          Kiev,  Troyeshchyna
origin:         AS13188
AS13188: https://www.google.c...c?site=AS:13188
...
89.185.15.235: https://www.virustot...35/information/
94.45.73.242: https://www.virustot...42/information/
46.119.54.121: https://www.virustot...21/information/
31.43.132.156: https://www.virustot...56/information/
217.73.85.49: https://www.virustot...49/information/
62.244.60.154: https://www.virustot...54/information/
194.242.102.188: https://www.virustot...88/information/
176.111.43.241: https://www.virustot...41/information/
95.47.4.154: https://www.virustot...54/information/
194.44.37.3: https://www.virustot....3/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 05 August 2015 - 07:48 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1513 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 06 August 2015 - 06:58 AM

FYI...

Fake 'Voice message' SPAM – malware
- http://myonlinesecur...ke-wav-malware/
6 Aug 2015 - "'RE: Voice message from 07773403290 pretending to come from tel: 07773403290 <non-mail-user@ voiplicity .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...07773403290.png

6 August 2015: message_01983527496.wav.zip: Extracts to: message_01983527496.exe
Current Virus total detections: 0/58* . Downloads other files from mastiksoul .org or wedspa .su which appear to be Dridex/Cridex banking malware and posts stolen information to wedspa .su  (VirusTotal**). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper wav ( sound) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438846882/

** https://www.virustot...sis/1438847706/
... Behavioural information
TCP connections
212.47.196.149: https://www.virustot...49/information/
8.254.218.94: https://www.virustot...94/information/

mastiksoul .org: 74.220.207.107: https://www.virustot...07/information/

wedspa .su:
94.229.22.39: https://www.virustot...39/information/
94.242.58.226: https://www.virustot...26/information/
185.26.113.229: https://www.virustot...29/information/

- http://blog.dynamoo....ssage-from.html
6 Aug 2015 - "... Recommended blocklist:
185.26.113.229
212.47.196.149
"
___

Chinese Actors Copy/Paste HackingTeam 0-Days in Site Hack
- https://blog.malware...s-in-site-hack/
Aug 6, 2015 - "... The HackingTeam archive provided very easy to reuse zero-days that even contained instructions. Exploit kit authors still repackaged the exploits to their liking from the original copies, simply reusing the same vulnerability. Not all threat actors did that though. We found a particular attack on a Chinese website where the perpetrators literally copied and pasted the exploit code from HackingTeam, and simply replaced the default ‘calc.exe’ payload with theirs:
> https://blog.malware...8/copypaste.png
... The only thing that really differs is the payload... malicious binaries.
Files used:
mogujie.exe: https://www.virustot...sis/1438875540/
desktop.exe: https://www.virustot...sis/1438875538/
SWF(1): https://www.virustot...sis/1438459365/
SWF(2): https://www.virustot...sis/1438534343/..."

210.56.51.74: https://www.virustot...74/information/
___

Malware-injecting 'man-in-the-cloud' attacks
- http://www.theinquir...e-cloud-attacks
Aug 06 2015 - "... Imperva has revealed a new type of attack called 'man-in-the-cloud' (MITC) that allows hackers to access cloud storage services without the need for a password. The research was unveiled at the Black Hat security conference in Las Vegas, and shows how the attack enables hackers to hijack users of cloud-based storage services, such as Box, Dropbox, Google Drive and Microsoft OneDrive, without their knowledge. Imperva said that the hacker gains authentication to the cloud service by stealing a token that is generated the first time a cloud syncing service is used on a PC, without compromising the user's cloud account username or password. From here, an attacker can access and steal a user's files, and even add malware or ransomware to the victim's cloud folder. Imperva said in some cases "recovery of the account from this type of compromise is not always feasible"..."

- http://www.darkreadi.../d/d-id/1321501
8/5/2015
___

Threat Group-3390 Targets Organizations for Cyberespionage
- http://www.securewor...cyberespionage/
5 Aug 2015 - "... TG-3390 is known for compromising organizations via SWCs and moving quickly to install backdoors on Exchange servers. Despite the group's proficiency, there are still many opportunities to detect and disrupt its operation by studying its modus operandi. The threat actors work to overcome existing security controls, or those put in place during an engagement, to complete their mission of exfiltrating intellectual property. Due to TG-3390's determination, organizations should formulate a solid -eviction- plan before engaging with the threat actors to prevent them from reentering the network..."
(More detail at the URL above.)
* http://www.securewor...respionage/#r01
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 06 August 2015 - 01:40 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1514 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 07 August 2015 - 07:38 AM

FYI...

Fake ad 'Sleek Granite Computer' SPAM - malicious attachment
- http://blog.dynamoo....e-computer.html
7 Aug 2015 - "What the heck is a Sleek Granite Computer? As clickbait it is kind of weird.. but perhaps interesting enough to get people to click on the malicious attachment it comes with:
     From:    mafecoandohob [mafecoandohob@ bawhhorur .com]
    To:    Karley Pollich
    Date:    7 August 2015 at 13:17
    Subject:    Sleek Granite Computer
    Good day!
    If you remember earlier this week we discussed with You our new project which we intend to start next month.
    For Your kind review we enclose here the business plan and all the related documents.
    Please send us an e-mail in case You have any comments or proposed changes.
    According to our calculations the project will start bringing profit in 6 months.
    Thanks in advance.
    Karley Pollich
    Dynamic Response Strategist
    Pagac and Sons
    Toys, Games & Jewelery
    422-091-2468


The only sample of this I had was -malformed- and the attachment wasn't attached properly. However, if properly formatted it would have been named saepe 422-091-2468.zip and it contains a malicious executable named nulla.exe. This has a VirusTotal detection rate of 4/55* with Sophos identifying it as a variant of Upatre. The Hybrid Analysis report shows a typical Upatre/Dyre traffic pattern to:
195.154.241.208 :12800/0608us12/6FsvE66Gy1/0/61-SP1/0/FDMBEFJBMKBEMM
195.154.241.208 :12800/0608us12/6FsvE66Gy1/41/2/18/FDMBEFJBMKBEMM
This IP address belongs to Online SAS in France who seem to have hosted quite a bit of this stuff recently, the hostname identifies it as belonging to poneytelecom .eu. Traffic is also spotted to:
37.57.144.177 (Triolan / Content Delivery Network, Ukraine)
95.143.141.50 (LTnet, Czech Republic)
There is also non-malicious traffic to icanhazip.com to identify the IP address of the infected machine. This is worth monitoring though as it is a potential indicator of compromise. The payload is almost definitely the Dyre banking trojan.
Recommended blocklist:
195.154.241.208
37.57.144.177
95.143.141.50
"
* https://www.virustot...sis/1438950940/
___

Fake 'Tax Refund' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
7 Aug 2015 - "Amongst all of today’s usual bunch of spoofed HMRC tax refund phishing attempts, we are seeing an email tonight saying 'Tax Refund New Message Alert!' pretending to come from HM Revenue & Customs <security.custcon@ hmrc .gsi .gov .uk> with a zip attachment is another one from the current bot runs... The email looks like:
    Dear Customer,
    After the last anual calculations of your fiscal activity we have discovered
    that you are eligible to receive a tax refund of GBP 1048.55.
    Kindly complete the tax refund request and allow 1-15 working days to process it.
    Please download the document attached to this email and confirm your tax refund.
    A refund can be delayed for a variety of reasons.
    For example: Submitting invalid records or applying after the deadline.
    Yours sincerely, Edward Troup
    Tax Assurance Commissioner.
    Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.


7 August 2015: TaxRefund0036192.zip - Extracts to: TaxRefund0036192.pdf.exe
Current Virus total detections: 4/56* which looks to be this rather nasty ransom ware Trojan**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1438968024/

** https://usa.kaspersk...at#.VcURnHnbK70
"... via the Andromeda botnet"
___

Updates in... Ransomware
- http://blog.trendmic...-of-ransomware/
Aug 7, 2015 - "...  ransomware variants have evolved to do more than just encrypt valuable system files. CryptoFortress targeted files in shared network drives while TeslaCrypt targeted gamers and mod users. Now we are seeing another feature rapidly gaining ground in the world of ransomware: the ability to increase the ransom price on a deadline... A recent attack on an Australian company revealed a new TorrentLocker variant that can double the price of decryption after a deadline of five days. The cyber attack started with a business email. We noted a TorrentLocker spam run targeting Australia that probably delivered the infected email. TorrentLocker is a persistent threat in the region... After clicking on one of these infected emails, a manager’s system ended up with the crypto-ransomware TROJ_CRYPLOCK.XW. Nothing happened at first. The manager deleted the email and thought nothing of it until hours later. By then, it was too late. The malware had already encrypted 226 thousand files before it popped the warning and all IT admins can do is stare at a screen asking them for AU $640 in five days, after which the price will double to AU $1280:
> https://blog.trendmi..._updates_01.png
...  Continuing upgrades in crypto-ransomware show that users need to be vigilant with attack vectors that may be used to get the malware in their machines. While installing security software to protect all endpoints is paramount to security, it is equally important to use a multi-layered approach.
- Always have a -backup- strategy, most efficiently by following the 3-2-1 rule*...
- Trust products proven to detect ransomware before it reaches your system—either as a bad URL, a malicious email, or via unpatched exploits.
- Noting the way that the Australian company was hacked, it pays to also educate employees about safe email and Web browsing procedures..."
* http://blog.trendmic...the-3-2-1-rule/
"... backup best practices is the three-two-one rule. It can be summarized as: if you’re backing something up, you should have:
    At least three copies,
    In two different formats,
    with one of those copies off-site..."
___

RIG Exploit Kit 3.0 - 1 Million Strong and Growing
- https://atlas.arbor....ndex#1344414045
Elevated Severity
Aug 6, 2015 - "The RIG exploit kit, used to deliver various forms of -malware- onto compromised systems, has seen a recent surge in victims. The surge, impacting more than 1.25 million systems globally, is spreading via a large -malvertising- campaign at an average rate of 27,000 new victims a day*..."
* https://www.trustwav...puters-Per-Day/
___

Google, Samsung to issue monthly Android security fixes
- http://www.reuters.c...N0QC00320150807
Aug 6, 2015 8:03pm EDT - "... As with Apple's iPhones, the biggest security risk comes with apps that are not downloaded from the official online stores of the two companies... a key avenue was to convince targets to download legitimate-seeming Android and iPhone apps from imposter websites."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 08 August 2015 - 04:59 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1515 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 10 August 2015 - 06:34 AM

FYI...

Fake 'Your order' SPAM – doc malware
- http://myonlinesecur...rd-doc-malware/
10 Aug 2015 - "'Your order 10232 from Create Blinds Online: Paid' pretending to come from orders@ createblindsonline .co.uk with a malicious word doc attachment  is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
... The email looks like:
    We would like to thank you for your recent order. Order Status updated on: 10/08/2015 Your Customer ID: 1761 Your Order ID: 10232
    Invoice Number: 10232
    Delivery Note:   We received your order and payment on Aug/102015 Your order details are attached:
    Kind regards
    Create Blinds Online Team ...


Screenshot: http://myonlinesecur...inds-Online.png

10 August 2015: invoice-10232.doc  Current Virus total detections: 5/55*  Downloads Dridex banking malware from http ://mbmomti .com.br/435rg4/3245rd2.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439189964/

** https://www.virustot...sis/1439190149/
... Behavioural information
TCP connections
78.47.119.85: https://www.virustot...85/information/
191.234.4.50: https://www.virustot...50/information/

mbmomti .com.br: 187.17.111.99: https://www.virustot...99/information/

- http://blog.dynamoo....10232-from.html
10 Aug 2015 - "... attempts to download a -malicious- binary from one of the following locations:
mbmomti .com.br/435rg4/3245rd2.exe
j-choi .asia/435rg4/3245rd2.exe
... generates traffic to 78.47.119.85 (Hetzner, Germany). The payload is almost definitely the Dridex banking trojan."
j-choi .asia: 153.122.0.184: https://www.virustot...84/information/
___

Fake 'MI Package' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
10 Aug 2015 - "'Premium Charging MI Package for Merchant 17143013' pretending to come from GEMS@ Worldpay .com with a malicious word doc attachment is another one from the current bot runs... This email has what appears to be a genuine word doc or Excel XLS spreadsheet attached which is malformed and contains a macro script virus... DO NOT follow the advice they give to enable macros or enable editing to see the content:
> http://myonlinesecur...w-macros_21.png
... The email looks like:
    *** Please do not reply to this Message *** Attached is the Management Information to support your Monthly Invoice. Should you have any queries, please refer to your usual helpdesk number.

10 August 2015: 17143013 01.docm - Current Virus total detections: 5/56*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1439196186/

- http://blog.dynamoo....harging-mi.html
10 Aug 2015 - "... one sample with named 17143013 01.docm ...  detection rate of 5/55* and it contains this malicious macro... which then downloads a component from:
gardinfo .net/435rg4/3245rd2.exe
This is exactly the -same- payload as seen in this spam run** also from this morning."
* https://www.virustot...sis/1439198630/

** http://blog.dynamoo....10232-from.html

gardinfo .net: 62.210.16.61: https://www.virustot...61/information/
___

Fake 'Resume' SPAM - malicious attachment
- http://blog.dynamoo....iel-resume.html
10 Aug 2015 "This fake résumé comes with a malicious attachment:
    From:    alvertakarpinskykcc@ yahoo .com
    Date:    10 August 2015 at 19:40
    Subject:    Resume
    Signed by:    yahoo .com
    Hi my name is Gabriel Daniel doc is my resume
    I would appreciate your immediate attention to this matter
    Kind regards
    Gabriel Daniel


Interestingly, the email does really appear to come via Yahoo!'s mail servers. Attached is a document Gabriel_Daniel_resume.doc which contains this malicious macro... which has a VirusTotal detection rate of 2/56*. As far as I can tell, it appears to download a disguised JPG file from 46.30.43.179/1.jpg (Eurobyte LLC, Russia) which appears to be an encrypted executable. I wasn't able to decode all of the macro, however this Hybrid Analysis report shows clearly what is going on:
> https://1.bp.blogspo.../cryptowall.png
So, it is pretty clear that the payload here is -Cryptowall- (which encrypts all the victim's files). The same Hybrid Analysis report shows that it POSTS information to:
conopizzauruguay .com/wp-content/wp-content/themes/twentythirteen/cccc.php?v=c91jzn46yr
conopizzauruguay .com/wp-content/wp-content/themes/twentythirteen/cccc.php?b=86v97tziud5m
conopizzauruguay .com/wp-content/wp-content/themes/twentythirteen/cccc.php?o=ups5xom3u2sb01
It also directs the visitor to various personalised ransom pages hosted on 80.78.251.170 (Agava, Russia).
Recommended blocklist:
46.30.43.179
80.78.251.170
conopizzauruguay .com
"
*https://www.virustot...sis/1439219044/

conopizzauruguay .com: 208.113.240.70: https://www.virustot...70/information/
___

.COM.COM Used For Malicious Typo Squatting
- https://isc.sans.edu...l?storyid=20019
2015-08-10 - "... domains ending in ".com.com" are being -redirected- to what looks like malicious content. Back in 2013, A blog by Whitehat Security pointed out that the famous "com.com" domain name was sold by CNET to known typo squatter dsparking .com [1]. Apparently, dsparking .com paid $1.5 million for this particular domain. Currently, the whois information uses privacy protect, and DNS for the domain is hosted by Amazon's cloud. All .com.com hostnames appear to resolve to 54.201.82.69, also hosted by Amazon (amazon .com .com is also directed to the same IP, but right now results in more of a "Parked" page, not the -fake- anti-malware as other domains). The content you receive varies. For example, on my first hit from my Mac to facebook .com .com , I received the following page:
> https://isc.sans.edu... 2_34_58 PM.png
And of course the -fake- scan it runs claims that I have a virus :) . As a "solution", I was offered the well known scam-app "Mackeeper". Probably best to -block- DNS lookups for any .com.com domains. The IP address is likely going to change soon, but I don't think there is any valid content at any ".com.com" host name. The Whitehat article does speak to the danger of e-mail going to these systems... Amazon EC2 abuse was notified."
1] https://blog.whiteha...ould-scare-you/

54.201.82.69: https://www.virustot...69/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 10 August 2015 - 02:40 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

Related Topics



3 user(s) are reading this topic

0 members, 3 guests, 0 anonymous users