FYI...
Angler Exploit Kit strikes MSN.com via Malvertising Campaign
- https://blog.malware...ising-campaign/
Aug 27, 2015 - "The same ad network – AdSpirit .de – which was recently abused in malicious advertising attacks against a slew of top media sites was caught serving malvertising on MSN .com. This is the work of the -same- threat actors that were behind the Yahoo! malvertising. The incident occurred when people who where simply browsing MSN’s news, lifestyle or other portals were served with a malicious advertisement that silently loaded the Angler exploit kit and attempted to infect their computers. The ad request came from AppNexus, which loaded the booby-trapped advert from AdSpirit and the subsequent malvertising chain.
Infection chain:
msn .com/en-us/news/politics/dozens-of-clinton-emails-were-classified-from-the-start-us-rules-suggest/ar-BBlXPkl?ocid=iehp (publisher)
lax1.ib.adnxs .com/{redacted} (AppNexus Ad network)
pub.adspirit .de/adframe.php?pid=7&ord=[timestamp]prdclick_0 (AdSpirit Ad network)
trkp-a1009.rhcloud .com/?tr28-0a22 (OpenShift redhat Redirection)
fox23tv .com/?cn67CuYcDcbvV (Same ad but with redirection to malicious URL)
abbezcqerrd.irica.wieshrealclimate .com (iframe to exploit kit)
hapme.viwahcvonline .com (Angler EK landing page)
> https://blog.malware.../redir_flow.png
This time, rogue actors are leveraging RedHat’s cloud platform, rhcloud .com to perform multiple -redirections- to the Angler exploit kit (in the previous attack they were using Microsoft’s Azure). While we did not collect the malware payload associated with this campaign, we believe it is either Ad fraud or ransomware, Angler’s trademark. Angler has been acting up strange lately, for instance last week it fell out of favour briefly for the Neutrino EK when compromised sites decided to redirect to the latter. Following our report, AppNexus -deactivated- the creative in question and said they were investigating this issue in greater depth..."
viwahcvonline .com: 141.8.224.93: https://www.virustot...93/information/
> https://www.virustot...f2078/analysis/
___
Fake 'resume' SPAM leads to Cryptowall
- http://blog.dynamoo....e-leads-to.html
26 Aug 2015 at 22:48 - "This -fake- resume spam has a malicious payload. I got part way through decrypting it to discover that @Techhelplistcom had done all the hard bits which saved me some effort. This particular spam delivers a version of the Cryptowall ransomware. In the only sample I saw, the spam looks like this:
From: emmetrutzmoser@ yahoo .com
To:
Date: 26 August 2015 at 23:29
Subject: RE:resume
Signed by: yahoo .com
Hi! my name is Janet Ronald it is my resume!Awaiting your prompt reply
Best regards
Janet Ronald
Attached was a file Janet_Ronald_resume.doc [VT 5/56*] which contains a malicious macro... The format of this message is very similar to this other fake resume spam seen recently[1], and a key feature here is that the message is really sent through Yahoo! and is not a forgery.
1] http://blog.dynamoo....iel-resume.html
Deobfuscating the macro shows that a file is downloaded from http :// 46.30.46.60 /444.jpg which is then run through a decoding mechanism to create (I think) %APPDATA%\278721985.exe. The Hybrid Analysis report** shows some of this in action, but Techhelplist[2] did the hard work of decrypting it..
> https://4.bp.blogspo.../cryptowall.png
...
2] https://twitter.com/...633492441268224
To save a bit of time, a helpful soul left a note on the VT scan of the fake JPEG which leads to this VT report*** on the actual executable itself, and this then leads to this rather informative Hybrid Analysis report[3] which has some nice screenshots.
3] https://www.hybrid-a...environmentId=2
Out of all the IPs and domains listed in those reports, I think these are probably the priorities to block:
46.30.46.60 (Eurobyte, Russia)
linecellardemo .net / 23.229.194.224 (GoDaddy, US)
You might want to block the entire 46.30.46.0/24 range because.. well, Russia really."
* https://www.virustot...sis/1440622900/
** https://www.hybrid-a...environmentId=1
*** https://www.virustot...22920/#comments
___
Fake 'Attachement' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
27 Aug 2015 - "A -blank- email with the subject of 'Attachement' pretending to come from your own email address with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Almost all of these malicious word documents appear to be blank or look something like this image when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
The email has a totally empty-blank body and just an XLS Excel spreadsheet attachment:
27 August 2015 : 20131030164403.xls - Current Virus total detections 4/57*
Downloads Dridex banking malware from http ://pintart .pt/43t3f/45y4g.exe (VirusTotal**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1440669673/
** https://www.virustot...sis/1440670039/
... Behavioural information
TCP connections
91.239.232.145: https://www.virustot...45/information/
23.14.92.27: https://www.virustot...27/information/
pintart .pt: 80.172.241.24: https://www.virustot...24/information/
___
Fake 'Payslip' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Aug 2015 - "'Payslip for period end date 27/08/2015' pretending to come from noreply@ fermanagh. gov.uk with a zip attachment is another one from the current bot runs... The email looks like:
Dear administrator
Please find attached your payslip for period end 27/08/2015
Payroll Section ...
Some emails have arrived malformed-and-damaged and look like:
This is a multi-part message in MIME format.
——————=_Next_25232_7367279505.4684370133215
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Dear ae48852507a
Please find attached your payslip for period end 27/08/2015
Payroll Section ...
27 August 2015: payslip.zip: Extracts to: payslip.scr
Current Virus total detections 3/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...65298/analysis/
- http://blog.dynamoo....period-end.html
27 Aug 2015 - "... Attached is a file payroll.zip which contains a malicious executable payroll.scr - or it would have done, but in my case the email was malformed and the archive was not attached properly. This executable has a detection rate of 3/56* and the Hybrid Analysis report** indicates that it sends traffic to a server at 197.149.90.166 (Cobranet, Nigeria) which has been used in a few recent attacks and is definitely worth blocking."
* https://www.virustot...sis/1440677452/
** https://www.hybrid-a...environmentId=1
197.149.90.166: https://www.virustot...66/information/
___
Fake 'Girls List' Spam ...
- https://blog.malware...g-in-mailboxes/
Aug 27, 2015 - "... spammers are changing up their dating site spam tactics a little bit in the wake of the continued Ashley Madison fallout, with the below curious missives landing in spamtraps over the last day or so:
> https://blog.malware.../crowdspam1.jpg
... emails are identical, and read as follows:
> https://blog.malware.../crowdspam2.jpg
... well, they -would- read as follows if they had any text in them to read. The emails are entirely -blank- instead offering up two attachments called “girls_list”. A “girl list” would seem to conjure up visions of swiped data and things you’re not supposed to have access to; as it turns out, opening up the .HTML attachment -redirects- you in a browser to a -porn- dating site which splashes... many nude photos around the screen... These emails are already caught by Gmail as spam, but other providers may -not- be flagging them yet. While I’m sure there are lots of fun things you can do with a list, allowing yourself to be redirected-to-porno-spam is probably not one of them and you should avoid these mails. With websites and services jumping on the AM data bandwagon*, it’s clear that anything involving dating and lists is going to be a hot topic for some time to come. Don’t fall for it."
* http://www.troyhunt....sites-like.html
24 Aug 2015 - "... harvesting email addresses and spamming searched victims..."
___
Malvertising campaigns increase 325%
- http://net-security....ews.php?id=3088
26.08.2015 - "Cyphort* investigated the practices used by cyber criminals to inject malicious advertisements into legitimate online advertising networks. Researchers found that malvertising campaigns carried out by hackers increased 325 percent in the past year... The problem of malvertising isn’t going away and cyber criminals will continue finding ways to monetize their attacks. According to the Association of National Advertisers, ad-fraud will cost global advertisers more than $6 billion in 2015..."
* http://www.cyphort.c...y/malvertising/
Edited by AplusWebMaster, 27 August 2015 - 11:50 AM.
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 
