SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1561 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 08 October 2015 - 05:38 AM

FYI...

Fake 'Norfolk Dance' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
8 Oct 2015 - "An email with the subject of 'Receipt from Norfolk Dance' pretending to come from  <info@ norfolkdance .co.uk> with a malicious word doc attachment is another one from the current bot runs... Please find receipt for payment attached.
Many Thanks
Norfolk Dance
14 Chapel Field North
Norwich
Norfolk
NR2 1NY
Telephone: 01603 283399
E mail...


... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
...
8 October 2015: Receipt.doc - Current Virus total detections 2/56*  
Downloads the same Dridex Banking malware from the same locations as described in today’s earlier malspam run of malicious macro enabled word docs**...
** http://myonlinesecur...dsheet-malware/
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1444298476/

- http://blog.dynamoo....folk-dance.html
8 Oct 2015 - "This -fake- financial email is not from Norfolk Dance but is instead a simple -forgery- with a malicious attachment:
    From     "info" [info@ norfolkdance .co.uk]
    Date     Thu, 08 Oct 2015 12:39:28 +0300
    Subject     Receipt from Norfolk Dance
    Please find receipt for payment attached.
    Many Thanks
    Norfolk Dance
    14 Chapel Field North
    Norwich
    Norfolk
    NR2 1NY
    Telephone: 01603 283399
    E mail...


Attached is a file Receipt.doc which I have seen in two different versions (VT detection rate 4/56* and 3/56**) each containing a different malicious macro... which download a malicious binary from one of the following locations:
katastimataone .com/bvcb34d/983bv3.exe
archives.wnpvam .com/bvcb34d/983bv3.exe
This is saved as %TEMP%\fDe12.exe and currently has a VirusTotal detection rate of 4/55***. The VirusTotal report indicates traffic to the following IP:
198.61.187.234 (Rackspace, US). I recommend that you block traffic to this IP. Automated analysis is pending (check back later) but the payload is almost definitely the Dridex banking trojan..."
* https://www.virustot...sis/1444298450/

** https://www.virustot...sis/1444298460/

*** https://www.virustot...sis/1444298587/

katastimataone .com: 209.139.209.187: https://www.virustot...87/information/

wnpvam .com: 38.96.175.221: https://www.virustot...21/information/

198.61.187.234: https://www.virustot...34/information/
___

Fake 'SwagBags Order' SPAM - doc malware
- http://myonlinesecur...dsheet-malware/
8 Oct 2015 - "An email with the subject of 'New Order Confirmation: 3535' pretending to come from SwagBags .biz <customerservices@ swagbags .biz> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...gs-1024x558.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content...
8 October 2015 : Invoice_3535.doc - Current Virus total detections 2/54*.
Both MALWR** and Payload Security*** show the download to be what looks like Dridex banking malware from http ://vsehochuti.unas .cz/bvcb34d/983bv3.exe (VirusTotal 1/56 [4])
Other download locations that I have been informed about are:
katastimataone .com/bvcb34d/983bv3.exe
swaineallen .uk/bvcb34d/983bv3.exe
archives.wnpvam .com/bvcb34d/983bv3.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1444293293/

** https://malwr.com/an...zI3NThhOTlhOTY/

*** https://www.hybrid-a...environmentId=1

4] https://www.virustot...sis/1444293943/

unas .cz: 88.86.117.145: https://www.virustot...45/information/

katastimataone .com: 209.139.209.187: https://www.virustot...87/information/

swaineallen .uk: 94.136.40.15: https://www.virustot...15/information/

wnpvam .com: 38.96.175.221: https://www.virustot...21/information/
___

Fake 'Deposit' SPAM - malicious attachment
- http://blog.dynamoo....-frederico.html
8 Oct 2015 - "This -fake- financial email does not come from Frederico Kessler but is instead a simple -forgery- with a malicious attachment:
    From     Frederico Kessler [Frederico.Kessler@ Gamesys .co.uk]
    Date     Thu, 08 Oct 2015 04:14:23 -0700
    Subject     Deposit Payment
    Hi,
    Attached is receipt of transfer regarding the deposit increase for our new contract
    to the Cherry Tree Cottage.
    Let me know if its all sorted.
    Frederico Kessler
    Product Owner | Games Platform
    [cid:9DCD81C9-9267-4802-AAE1-B3AF9887E131]
    [gamesysign]
    4th Floor, 10 Piccadilly
    London, W1J 0DD
    Email...


Attached is a malicious Excel document named Payments Deposit.xls which comes in -five- different versions...  each containing a slightly modified macro... which downloads a malicious executable from the following locations:
archives.wnpvam .com/bvcb34d/983bv3.exe
swaineallen .uk/bvcb34d/983bv3.exe
katastimataone .com/bvcb34d/983bv3.exe
vsehochuti.unas .cz/bvcb34d/983bv3.exe
dmedei.3x .ro/bvcb34d/983bv3.exe
These download locations have been in use for a couple of other spam runs... [2] but now the payload has been altered and has a VirusTotal detection rate of 3/56*. That VirusTotal report and this Hybrid Analysis report** show traffic to:
198.61.187.234 (Rackspace, US). I recommend that you block traffic to that IP."
* https://www.virustot...sis/1444305640/
... Behavioural information
TCP connections
198.61.187.234: https://www.virustot...34/information/
191.234.4.50: https://www.virustot...50/information/

** https://www.hybrid-a...environmentId=6

2] http://blog.dynamoo....folk-dance.html

wnpvam .com: 38.96.175.221: https://www.virustot...21/information/

swaineallen .uk: 94.136.40.15: https://www.virustot...15/information/

katastimataone .com: 209.139.209.187: https://www.virustot...87/information/

unas .cz: 88.86.117.145: https://www.virustot...45/information/

3x .ro: 89.42.39.160: https://www.virustot...60/information/
___

Fake 'eBay Invoice' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Oct 2015 - "An email with the subject of 'Your eBay Invoice is Ready' pretending to come from eBay <ebay@ ebay .com> with a zip attachment is another one from the current bot runs... The content of the email, which shouldn’t fool anybody because it has -no- eBay logos or links and is totally in plain text, which eBay -never- sends because they want to grab you and get you on the eBay site spending money, says:
    PLEASE DO NOT RESPOND – Emails to this address are not monitored or responded to.
    Dear Customer,
    Please open the attached file to view invoice.
    If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download this attachment...
    This email has been scanned by the Symantec Email Security.cloud service.
    This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient...
Blah, blah, blah.

8 October 2015: ebay_4175127742232_081015.zip: Extracts to: ebay_4175127742232_081015.exe            

Current Virus total detections 4/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1444304267/
___

Fake 'HMRC Online Service Complaints' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
8 Oct 2015 - "An email with the subject of 'Online Service Complaints – Submission received by HM Revenue and Customs' pretending to come from HMRC Complaints <helpdesk@ ir-efile .gov.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ms-1024x556.png

8 October 2015: HMRC.Complaint.zip: Extracts to:  HMRC.Complaint.scr
Current Virus total detections 2/57* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1444302682/
___

Fake 'eFax' .doc attachment - malware
- https://isc.sans.edu...l?storyid=20225
Last Updated: 2015-10-08 - "... Below is a screenshot from the malspam example Wayne sent us. Links in the email -all- went to the appropriate eFax URLs. The attached Word document is the -only- malicious part of the message:
> https://isc.sans.edu...y-image-01a.jpg
... Looking at the email headers, you'll find the recipient's email server received the message from a Unified Layer IP address at 67.222.39.168... The Word document has macros. If macros are enabled, the document will try to drop malware and infect the Windows host:
> https://isc.sans.edu...ry-image-03.jpg
Below are indicators of compromise (IOCs) for the malware associated with this malspam:
185.42.15.7 - babsuptono .ru - POST /gate.php
151.236.10.194 - toftereventhi .ru - POST /gate.php
93.171.158.226 - buteventheckand .ru - POST /gate.php
136.243.24.4 - germantest.redsnapper .net - GET /m.exe
... Attachment name: fax_message_326-816-3257.doc
First submission:  2015-10-06 14:28:27 UTC
Virus Total link* - Hybrid-Analysis link** ..."
* https://www.virustot...aa8a5/analysis/

** https://www.hybrid-a...environmentId=2

185.42.15.7: https://www.virustot....7/information/
151.236.10.194: https://www.virustot...94/information/
93.171.158.226: https://www.virustot...26/information/
136.243.24.4: https://www.virustot....4/information/

"... same signature": https://www.hybrid-a...ureid:network-1
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 08 October 2015 - 10:39 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1562 AplusWebMaster

Posted 09 October 2015 - 02:58 AM

FYI...

Fake 'contract' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
8 Oct 2015 - "An email with the subject of 'contract' pretending to come from random companies and email addresses with a zip file containing a malicious word doc attachment is another one from the current bot runs... The email looks like:
    Dear customer,  
    I’m sending you a new contract of the project (Double ordinary certificate)

-Or-
    Dear customer,  
    I’m sending you a new contract of the project (Information about updated summary)


The name in brackets in the body of the email matches the name of the zip attachment that contains the word doc which also has random names... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
...
> http://myonlinesecur...tected-mode.png

8 October 2015: Double ordinary certificate.zip - Extracts to: Collect corporate  business inventories.doc
Current Virus total detections 3/56* ... which doesn’t connect to a webserver but has the Upatre binary embedded inside the word doc inside a rtf file that gets extracted and run from %temp%\w13.exe (VirusTotal 3/57**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1444322597/

** https://www.virustot...sis/1444323758/
___

Fake 'GTA V for Mobile' sites lead to 'Surveys'
- https://blog.malware...ead-to-surveys/
Oct 8, 2015 - "... GTA V used as -bait- in many cases... here's one which focuses on the allure of portability to reel in unsuspecting fans of the title. A number of sites are claiming to offer up mobile versions of the game, despite it requiring an Xbox 360 / Xbox One / PS3 / PS4 / decent gaming PC to run – not to mention the disk space taken up, which is a fair amount to say the least (you aren’t going to find many phones with -50GB- available just to be able to install a game). The sites in question are:
gta5forpsp(dot)com
androidgta5(dot)com
iosgta5(dot)com
Despite this, mobile gamers are being told they can run it on Android, iOS and PSP. The three sites we looked at all share similar designs, displaying what they claim to be GTA V running on the aforementioned devices and a download link:
> https://blog.malware...ahandheld11.jpg
... they also use the well worn technique of saying “As seen on…” and listing numerous well known online publications (none of which appear to mention their mysterious version of GTA V)... the creators of the Grand Theft Auto titles, Rockstar Games, don’t mention a handheld version of GTA V anywhere either. It’s almost like it doesn’t exist. This is probably a good time to make a callback to that -50GB- game size, and then see how big one of the mobile downloads is:
> https://blog.malware...tahandheld4.jpg
... If in doubt, check the official website of a game developer and discover straight from the source which platform your desired evening’s entertainment runs on. In the above case, there is -no- official version of GTA V for handhelds whatsoever..."

gta5forpsp(dot)com: 91.121.223.39: https://www.virustot...39/information/
androidgta5(dot)com: https://www.virustot...653e1/analysis/
iosgta5(dot)com: https://www.virustot...23744/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 09 October 2015 - 03:24 AM.



#1563 AplusWebMaster

Posted 09 October 2015 - 04:09 AM

FYI...

Fake 'DHL invoice' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
9 Oct 2015 - "An email that appears to come from DHL with the subject of 'Your latest DHL invoice : MSE7396821' pretending to come from e-billing.uk1@ dhl .com with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...21-1024x549.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...w-macros_21.png
...
9 October 2015 : MSE7396821.doc - Current Virus total detections 5/56*
Downloads a Dridex banking malware http ://roadmark .co.uk/fsf4fd32/8ik6sc.exe which is saved as  %temp%\vtsabd.exe (VirusTotal 2/56**)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1444382592/

** https://www.virustot...sis/1444382939/
... Behavioural information
TCP connections
86.105.33.102: https://www.virustot...02/information/
191.234.4.50: https://www.virustot...50/information/

roadmark .co.uk: 88.208.252.196: https://www.virustot...96/information/

- http://blog.dynamoo....hl-invoice.html
9 Oct 2015 - "... In the only sample I have seen, the attached file is named MSE7396821.doc and has a VirusTotal detection rate of 5/55*. This contains a malicious macro... which downloads a file from the following location:
flexicall .co.uk/fsf4fd32/8ik6sc.exe
There will undoubtedly be different versions of the document with different download locations. This binary is saved as %TEMP%\vtsAbd.exe and has a VirusTotal detection rate of 2/54**. That VirusTotal report, this Malwr report[3] and this Hybrid Analysis report[4] show network traffic to:
86.105.33.102 (Data Net SRL, Romania)
I recommend that you block traffic to and from that IP address. The payload appears to be the Dridex banking trojan."
* https://www.virustot...sis/1444381402/

** https://www.virustot...sis/1444381818/
... Behavioural information
TCP connections
86.105.33.102: https://www.virustot...02/information/
191.234.4.50: https://www.virustot...50/information/

3] https://malwr.com/an...zViOGNmYzIzOWU/

4] https://www.hybrid-a...environmentId=3

flexicall .co.uk: 109.228.12.96: https://www.virustot...96/information/

"... same signature": https://www.hybrid-a...environmentId=3
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 09 October 2015 - 05:21 AM.



#1564 AplusWebMaster

Posted 12 October 2015 - 06:34 AM

FYI...

Fake 'Insurance' SPAM - malicious attachment
- http://blog.dynamoo....-insurance.html
12 Oct 2015 - "This spam does not come from No Letting Go but is instead a simple forgery with a malicious attachment.
    From     [accounts@ nolettinggo .co.uk]
    Date     Mon, 12 Oct 2015 11:43:16 +0330
    Subject     Insurance
    Dear all
    Please find attached insurance paperwork including EL certificate.  Invoices
    will follow at the beginning of November.
    Regards
    Karen


In the only sample I have seen so far, the attachment name is SKMBT_C36014102815580.doc which has a VirusTotal detection rate of 8/56*. This particular document contains this malicious macro... which downloads a malware component from the following location:
ukenterprisetours .com/877453tr/rebrb45t.exe
The usual pattern is that there are several different versions of the document downloading from different locations, but the payload is the same in all cases. This binary is saved as %TEMP%\gicage.exe and has a detection rate of 2/56**. That VirusTotal report and this Hybrid Analysis report[3] show network traffic to:
149.210.180.13 (TransIP BV, Netherlands)
I strongly recommend that you block or monitor traffic to this IP. The payload is the Dridex banking trojan..."
* https://www.virustot...sis/1444637908/

** https://www.virustot...sis/1444638547/
... Behavioural information
TCP connections
149.210.180.13: https://www.virustot...13/information/
92.123.225.120: https://www.virustot...20/information/

3] https://www.hybrid-a...environmentId=3

ukenterprisetours .com: 46.20.120.64: https://www.virustot...64/information/

- http://myonlinesecur...rd-doc-malware/
12 Oct 2015 - "An email that appears to come from nolettinggo .co.uk with the subject of 'Insurance' pretending to come from accounts@ nolettinggo .co.uk with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...go-1024x497.png

... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
...
12 October 2015 : SKMBT_C36014102815580.doc - Current Virus total detections 7/55*  
.. Downloads Dridex banking malware from http ://capricorn-cleaning .co.uk/877453tr/rebrb45t.exe
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1444635759/

capricorn-cleaning .co.uk: 109.108.129.21: https://www.virustot...21/information/
___

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo....es-invoice.html
12 Oct 2015 - "This -fake- financial email is not from United Utilities but is instead a simple forgery with a malicious attachment:
    From     "UUSCOTLAND" <UUSCOTLAND@ uuplc .co.uk>
    Date     Mon, 12 Oct 2015 17:12:12 +0530
    Subject     Water Services Invoice
    Good Morning,
    I hope you are well.
    Please find attached the water services invoice summary for the billing period of
    12 September 2015 to 12 October 2015.
    If you would like any more help, or information, please contact me...
    Kind regards
    Melissa
    Melissa Lears
    Billing Specialist
    Business Retail
    United Utilities Scotland
    T: 0345 0726077 (26816)...
    The information contained in this e-mail is intended only for the individual to whom it is addressed. It may contain legally privileged or confidential information or otherwise be exempt from disclosure. If you have received this Message in error or there are any problems, please notify the sender immediately and delete the message from your computer. You must not use, disclose, copy or alter this message for any unauthorised purpose...


Attached to the email is a file 12 October 2015 Invoice Summary.doc which comes in at least -four- different versions (VirusTotal results: [1] [2] [3] [4]) which contain a macro... Download locations spotted so far are:
ukenterprisetours .com/877453tr/rebrb45t.exe
eventmobilecatering .co.uk/877453tr/rebrb45t.exe
thewimbledondentist .co.uk/877453tr/rebrb45t.exe
cardiffhairandbeauty .co.uk/877453tr/rebrb45t.exe
All those download locations are on UK sites, but there are three apparently unrelated IP addresses in use:
46.20.120.64: https://www.virustot...64/information/
109.108.129.21: https://www.virustot...21/information/
213.171.218.221: https://www.virustot...21/information/
This is saved as %TEMP%\gicage.exe and has a VirusTotal detection rate of just 1/56[5]...
149.210.180.13 (TransIP BV, Netherlands)
86.105.33.102 (Data Net SRL, Romania)
I would recommend blocking traffic to both those IPs. The payload is the Dridex banking trojan.
Recommended blocklist:
149.210.180.13: https://www.virustot...13/information/
86.105.33.102: https://www.virustot...02/information/
.
1] https://www.virustot...sis/1444652575/

2] https://www.virustot...sis/1444652586/

3] https://www.virustot...sis/1444652597/

4] https://www.virustot...sis/1444652607/

5] https://www.virustot...sis/1444652695/

- http://myonlinesecur...rd-doc-malware/
12 Oct 2015 - "An email that appears to come from United Utilities Scotland with the subject of 'Water Services Invoice' pretending to come from UUSCOTLAND <UUSCOTLAND@ uuplc .co.uk> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ce-1024x690.png

.. DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
...
12 October 2015: 12 October 2015 Invoice Summary.doc - Current Virus total detections 8/55*
... Downloads from the same locations as described in today’s earlier malspam run** of malicious word docs, but delivers an updated Dridex version (VirusTotal 1/56 ***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1444654116/

** http://myonlinesecur...rd-doc-malware/

*** https://www.virustot...sis/1444652695/
... Behavioural information
TCP connections
86.105.33.102: https://www.virustot...02/information/
191.234.4.50: https://www.virustot...50/information/
___

Fake 'Invoice 1377' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
12 Oct 2015 - "An email with the subject of 'Invoice 1377' pretending to come from info@ peachsoftware .co.uk with a zip attachment is another one from the current bot runs... The content of the email says:

    Please see invoice attached

12 October 2015: invoice-1377.zip: Extracts to: invoice-1377.exe
Current Virus total detections 4/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1444648227/
___

Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles
- http://www.securewor...kedin-profiles/
7 Oct 2015 - "Summary: While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.
Fake LinkedIn accounts: The 25 fake LinkedIn accounts identified by CTU researchers fall into two categories: fully developed personas (Leader) and supporting personas (Supporter). The table in the Appendix lists details associated with the accounts. The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas. The photos used in the fake accounts are likely of innocent individuals who have no connection to TG-2889 activity...
Legitimate endorsers of -fake- TG-2889 LinkedIn accounts by country:
> http://www.securewor...ge007_500px.png
... Ongoing threat: Updates to profile content such as employment history suggest that TG-2889 regularly maintains these fake profiles. The persona changes and job alterations could suggest preparations for a new campaign, and the decision to reference Northrup Grumman and Airbus Group may indicate that the threat actors plan to target the aerospace vertical. It is likely that TG-2889 maintains personas that have not yet been identified, and that other threat groups also use this tactic. CTU researchers advise organizations to educate their users of the specific and general risks:
- Avoid contact with known fake personas.
- Only connect to personas belonging to individuals they know and trust.
- Adopt a position of sensible caution when engaging with members of colleagues' or friends' networks that they have not -verified- outside of LinkedIn.
When evaluating employment offers originating from LinkedIn, seek confirmation that the individual is legitimate by directly contacting the individual's purported employer. Organizations may want to consider policing abuse of their brand on LinkedIn and other social media sites..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 12 October 2015 - 05:24 PM.

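The posts above end in the same kind of block list each time: download hosts, the file name the binary is dropped under, and the IP the analysts recommend blocking, all written defanged ("example .com", "(dot)com", "http ://", "user@ domain"). The script below is an added example, not code from this thread or from the blogs it quotes, showing how a defender can turn a write-up in that style into block-list entries. SAMPLE_POST and every host, IP and path in it are constructed placeholders (RFC 5737 documentation addresses), and the helper names and heuristics (refang, extract_iocs, skipping sender domains after "@", scanner links and product version strings) are this example's own assumptions.

```python
"""Turn a defanged malspam write-up into block-list entries.

Added example, not code from this thread or from the blogs it quotes.
Assumes the defanging conventions seen in the posts above: a space before
the TLD ("example .com"), "(dot)" for ".", "http ://", and "user@ domain".
"""
import re
from typing import Dict, List

# Constructed sample in the thread's style. Every host, IP and path here is a
# placeholder (RFC 5737 documentation addresses), not an indicator from the thread.
SAMPLE_POST = """\
Attached is a file Receipt.doc which contains a malicious macro that downloads
a binary from one of the following locations:
first-example .com/abc123/payload.exe
archives.second-example .net/abc123/payload.exe
This is saved as %TEMP%\\fDe12.exe and shows traffic to the following IP:
198.51.100.23 (Example Hosting, US). I recommend that you block traffic to this IP.
* https://www.virustot...sis/1444298450/
first-example .com: 203.0.113.87: https://www.virustot...87/information/
Downloads from http ://third-example .co.uk/fsf4fd32/stage2.exe saved as %temp%\\vtsabd.exe
Fake sites: gta5example(dot)com
pretending to come from info@ spoofed-sender .co.uk
The exploit affects Adobe Flash Player versions 19.0.0.185 and 19.0.0.207
"""

# Extensions that mark a file name rather than a host ("Receipt.doc", "gate.php").
FILE_EXTS = {"doc", "docx", "xls", "xlsx", "rtf", "exe", "scr", "zip", "pdf",
             "png", "jpg", "jpeg", "php", "html"}
# Sandbox/scanner links are references, not indicators.
ANALYSIS_HOSTS = ("virustot", "hybrid-a", "malwr")

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# A host must start at a boundary that is not '@' (the From domain is a forged
# victim, not attacker infrastructure) and not a backslash (%TEMP%\name.exe).
HOST_OR_URL = re.compile(
    r"(?<![-@A-Za-z0-9.\\])(?:(https?)://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(/[^\s<>)]*)?"
)
DROPPED = re.compile(r"%temp%\\([^\s(),]+)", re.I)


def refang(text: str) -> str:
    """Undo the defanging so ordinary host/URL patterns apply."""
    text = re.sub(r"\(dot\)", ".", text, flags=re.I)
    text = re.sub(r"\b(https?)\s+://", r"\1://", text, flags=re.I)
    text = re.sub(r"@\s+(?=[A-Za-z0-9])", "@", text)
    return re.sub(r"(?<=[A-Za-z0-9])\s+\.(?=[A-Za-z]{2,})", ".", text)


def _valid_host(host: str) -> bool:
    labels = host.lower().split(".")
    if labels[-1] in FILE_EXTS or any(a in host.lower() for a in ANALYSIS_HOSTS):
        return False
    # Truncated links such as "www.virustot...sis" produce empty labels.
    return all(re.fullmatch(r"[a-z0-9-]+", lab) for lab in labels)


def _valid_ip(ip: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def extract_iocs(post: str) -> Dict[str, List[str]]:
    """Return sorted block-list candidates found in one write-up."""
    text = refang(post)
    ips, hosts, urls = set(), set(), set()
    for m in IPV4.finditer(text):
        line_prefix = text[text.rfind("\n", 0, m.start()) + 1:m.start()]
        # Product versions such as "Flash Player versions 19.0.0.185" look like IPv4.
        if "version" in line_prefix.lower() or not _valid_ip(m.group(1)):
            continue
        ips.add(m.group(1))
    for m in HOST_OR_URL.finditer(text):
        scheme, host, path = m.groups()
        if not _valid_host(host):
            continue
        hosts.add(host.lower())
        if path:  # the write-ups drop the scheme; default to http for the block list
            urls.add(f"{scheme or 'http'}://{host.lower()}{path}")
    dropped = {m.group(1).lower() for m in DROPPED.finditer(text)}
    return {"ips": sorted(ips), "hosts": sorted(hosts),
            "urls": sorted(urls), "dropped_files": sorted(dropped)}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_POST).items():
        print(kind, *values, sep="\n  ")
```

Two of the heuristics follow directly from what the analysts say in the posts: the From domain is deliberately left out because every one of these runs forges a real business's address, so blocking it would only hurt the victim; and the VirusTotal / Hybrid Analysis / Malwr links are skipped because they are evidence, not infrastructure. The dropped file names (%TEMP%\...) are kept separately, since they are useful for endpoint hunting rather than for a network block list.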


#1565 AplusWebMaster

Posted 13 October 2015 - 06:28 AM

FYI...

Fake 'Customer Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
13 Oct 2015 - "An email appearing to come from 'QuickHostUK' with the subject of 'Customer Invoice' pretending to come from QuickHostUK <info@ quickhostuk .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear customer,
    This is a notice that an invoice has been generated on 11/10/2015.
    Your payment method is: Credit/Debit Card
    Invoice #302673
    Amount Due: £40.00GBP
    Due Date: 18/10/2015
    Invoice Items
    Fully Managed Hosting – Starter (18/10/2015 – 17/11/2015) £40.00GBP
    Sub Total: £40.00GBP
    Credit: £0.00GBP
    Total: £40.00GBP
    Payment will be taken automatically on 18/10/2015 from your credit card on record with us. To update or change the credit card details we hold for your account please login...


13 October 2015: Invoice-302673.doc - Current Virus total detections 5/56*
... Which downloads Dridex banking malware from http ://thelureofnoma .com/~web/34fc34t45t/8ijfew.exe (VirusTotal 1/53**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1444732952/

** https://www.virustot...sis/1444733145/

thelureofnoma .com: 69.72.240.66: https://www.virustot...66/information/
___

Fake 'Bank - Third Party Payment' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
13 Oct 2015 - "An email appearing to come from 'Commonwealth Bank of Australia' with the subject of 'First NetBank Third Party Payment' pretending to come from NetBankNotification@ cba .com.au with a zip attachment is another one from the current bot runs... The content of the email says:
    First NetBank Third Party Payment
    Your first transfer to the following third party account(s) has been successfully processed:
    From Account:     **** **** **** 6439 MasterCard
    To Account(s):   Bonnie Sharpe 511-187 ***7654 AMEX $6,990.72 Assistance to Refugees
    Date:            13/10/2015
    Please check attached file for more information about this transaction.
    Yours sincerely,
    Commonwealth Bank of Australia
    Please do not reply. To confirm this is a genuine email sent by the Bank, please check your inbox on the NetBank home page.
    Message: 932750168


13 October 2015: CBA Third Party Payment 932750168.zip: Extracts to: CBA Third Party Payment 949078743.scr
Current Virus total detections 10/57*... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."  
* https://www.virustot...sis/1444709718/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 13 October 2015 - 06:41 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
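The "spoofed icon" attachments reported in this post and in the ones that follow all depend on Windows Explorer hiding the last extension, so a .scr or .exe named like a document passes for a PDF. As an added example (not code from the forum post or from the blogs it quotes), here is a small Python check that a mail-gateway or helpdesk script could apply to attachment names before a user ever sees the icon. The file names in the sample are the ones the thread reports; the extension sets and the verdict format are this example's own assumptions.

```python
"""Flag e-mail attachments that use the 'spoofed icon' trick the thread keeps
reporting: a .scr/.exe inside a zip, named so that it looks like a PDF once
Windows Explorer hides the known extension.

Added example, not code from the forum post or the quoted blogs. The sample
file names are the ones the thread reports; the verdicts are what this code
computes for them.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Extensions Windows runs directly. A .scr (screen saver) is a normal PE
# executable, which is why these campaigns favour it over .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

# What the lure claims the file is.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".zip"}


@dataclass(frozen=True)
class Verdict:
    real_ext: str       # extension Windows actually acts on
    shown_as: str       # name Explorer displays with "hide known extensions" on
    executable: bool    # double-click runs code
    double_ext: bool    # document extension stacked in front of an executable one


def assess(filename: str) -> Verdict:
    """Work out what a file really is versus what the victim is shown."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    # Explorer hides only the final extension, and only for registered types;
    # assumption: every extension in the two sets above is registered.
    shown = stem if ext in EXECUTABLE_EXTS | DOCUMENT_EXTS else filename
    inner = os.path.splitext(shown)[1].lower()
    return Verdict(
        real_ext=ext,
        shown_as=shown,
        executable=ext in EXECUTABLE_EXTS,
        double_ext=ext in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS,
    )


def assess_archive(zip_name: str, members: list[str]) -> list[str]:
    """Findings for one attachment zip and the names of the files inside it."""
    findings = []
    for member in members:
        v = assess(member)
        if v.executable:
            findings.append(f"{zip_name}: '{member}' is a {v.real_ext} executable "
                            f"that Explorer shows as '{v.shown_as}'")
        if v.double_ext:
            findings.append(f"{zip_name}: '{member}' hides {v.real_ext} behind "
                            f"a document extension")
    return findings


# Constructed sample: zip name / extracted name pairs as reported in the thread,
# plus one benign control.
SAMPLES = [
    ("CBA Third Party Payment 932750168.zip", ["CBA Third Party Payment 949078743.scr"]),
    ("Statement_7208_10212015.zip", ["Statement_3374_10212015.zip.scr"]),
    ("FL-AVD524417.zip", ["FL-AVD084542.exe"]),
    ("invoice.zip", ["invoice.pdf"]),
]

if __name__ == "__main__":
    for zip_name, members in SAMPLES:
        for line in assess_archive(zip_name, members) or [f"{zip_name}: no executable content"]:
            print(line)
```

The check is deliberately name-based: it is the cheap first gate, and the thread's own VirusTotal counts (2/56, 4/56) show why waiting for signature detection of the binary is not enough. The `.zip.scr` case is worth the separate flag because Explorer strips only the final extension, leaving a name that still ends in `.zip` and looks doubly legitimate.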


#1566 AplusWebMaster

Posted 14 October 2015 - 05:55 AM

FYI...

Flash 0-Day used in Pawn Storm...
>> http://blog.trendmic...storm-campaign/
Oct 14, 2015 - "... the attackers behind Pawn Storm are using a new Adobe Flash zero-day exploit in their latest campaign. Pawn Storm is a long-running cyber-espionage campaign known for its high-profile targets and usage of the first Java zero-day we’ve seen in the last couple of years... Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions 19.0.0.185 and 19.0.0.207... We have notified Adobe about our discovery and are working with them to address this security concern. Updates to this entry will be made once more information is available."

Just released 10.13.2015. Suggest Flash be -disabled- immediately until a new fix/release from Adobe is available...

* Suggest Java be disabled, too. Next scheduled release of Java update due 10.20.2015.
- https://community.qu...ay-october-2015
Oct 13, 2015 - "... Oracle will have their CPU later this month, on the 20th..."
___

Fake 'DocuSign' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Oct 2015 - "An email with the subject of 'Completed: Optus agreement no JTJW-650508' pretending to come from thiaminenz570@ cintas .com; on behalf of; 'DocuSign via DocuSign <dse_eu1@ docusign .net>' with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...gn-1024x780.png

14 October 2015: Optus agreement no JTJW-650508.zip: Extracts to: Optus agreement no LPRH-300726.scr
Current Virus total detections 6/56*... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1444797213/
___

Fake 'SMSF Gateway Svc Msg' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
14 Oct 2015 - "An email with the subject of 'Australia Post SMSF Gateway Service Message' pretending to come from SMSF Gateway Team <SMSFGateway-NO-REPLY@ smsfmsg .auspost .com.au> with a zip attachment is another one from the current bot runs... The content of the email says:
    We’re pleased to advise you that the Australia Post SMSF Gateway Service has received a superannuation contribution message.
    The details of this message are in the attached PDF.
    The contribution payment should appear in your nominated bank account with a payment reference number listed in the PDF to allow for easy reconciliation.  
    Kind Regards
    The SMSF Gateway Team ...


14 October 2015: Contribution448772241.zip: Extracts to: Contribution308911799.scr
Current Virus total detections 4/56*... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1444789129/
___

FBI, Security Vendors Partner for DRIDEX Takedown
- http://blog.trendmic...-dridex-botnet/
Oct 13, 2015 - "Multiple command-and-control (C&C) servers used by the DRIDEX botnet have been taken down by the Federal Bureau of Investigation (FBI), following the action taken by the National Crime Agency (NCA) in the UK. US law enforcement officials obtained court orders that resulted in the seizure of multiple servers used by DRIDEX. This crippled the malware’s C&C network, which is used by the malware to send the stolen information to the cybercriminals and to download configuration files that include the list of targeted banks. Furthermore, charges have been made against Andrey Ghinkul, aka Andrei Ghincul and Smilex, the Moldovan administrator of the botnet. Taking down cybercriminals is no small feat. Tracking down and shutting down cybercrime operations requires the constant collaboration of researchers and law enforcement agencies, each providing their own expertise. The takedown of the command-and-control (C&C) network used by the banking malware DRIDEX is the latest example of that partnership’s success... DRIDEX has slowly been making a name for itself this past year and has been viewed as the successor to the Gameover Zeus (GoZ) malware. Its prevalence in the threat landscape can be attributed to its business model, P2P (peer-to-peer) architecture, and unique routines. Unlike other malware, DRIDEX operates using the BaaS (Botnet-as-a Service) business model. It runs several bot networks, each identified by a number and each containing a specific set of target banks.  Our investigation revealed that its target banks mostly come from the US and Europe (particularly Romania, France, and the UK)... users in the US and the UK accounted for more than 35% of DRIDEX infections:
> https://blog.trendmi...5/10/dridex.jpg
The P2P architecture of DRIDEX was built as an improved version of GoZ’s architecture. Learning from the GoZ takedown, creators of DRIDEX added another layer in its architecture before the command-and-control (C&C) server. Apart from these, DRIDEX is also equipped to remove or hide tracks in the system. Similar to the Chthonic variant of ZBOT, it uses an invisible persistence technique which involves writing an autostart reg key upon system shutdown and deleting the autostart reg key upon system startup. However, only DRIDEX cleans up the stored configuration in the registry and changes the malware copy location. DRIDEX is easily spread using malicious email attachments, usually Microsoft Office documents that contain macros. The use of macros could be seen as one way of ensuring a higher chance of successful attacks. Macros are commonly used in automated and interactive documents. The feature is usually deactivated by default, but if it was already enabled prior to the attack, the attack commences without any additional requirements. Otherwise, the attack must use a strong social engineering lure in order to convince the user to enable the feature. Furthermore, we found that the macro code contains garbage and useless code... While the takedown of the C&C servers now prevents DRIDEX from executing malicious activities, total cleanup still requires users to ensure that DRIDEX has been removed from their systems..."

>>> http://www.justice.g...alware-disabled
Oct 13, 2015 - "... Victims of Bugat/Dridex may use the following webpage created by US-CERT for assistance in removing the malware:
> https://www.us-cert.gov/dridex..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 14 October 2015 - 06:41 PM.



#1567 AplusWebMaster

Posted 15 October 2015 - 06:09 AM

FYI...

Fake 'Scan' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
15 Oct 2015 - "An email with the subject of '[Scan] 2015-10-14 5:29:54 p.m.' pretending to come from 'Ray White <rw@raylian .co.uk>' with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...pm-1024x357.png

15 October 2015: 2015-10-14 5-29-54 p.m..doc . Current Virus total detections 4/54*
... Which downloads Dridex banking malware from http ://23.229.157.230/~gwhill2377/86575765/6757645.exe (VirusTotal 0/53**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1444898925/

** https://www.virustot...sis/1444899628/
... Behavioural information
TCP connections
89.32.145.12: https://www.virustot...12/information/
88.221.14.138: https://www.virustot...38/information/

23.229.157.230: https://www.virustot...30/information/
> https://www.virustot...fd790/analysis/

- http://blog.dynamoo....4-52954-pm.html
15 Oct 2015 - "This rather terse spam email has a malicious attachment. It does not come from Raylian but is instead a simple forgery:
     From     Ray White [rw@ raylian .co.uk]
    Date     Thu, 15 Oct 2015 10:56:35 +0200
    Subject     [Scan] 2015-10-14 5:29:54 p.m.
    Amanda's attached.


In the only sample I saw, the attachment was named 2015-10-14 5-29-54 p.m..doc which has a VirusTotal detection rate of 4/56 and which contains this malicious macro... The Hybrid Analysis report* shows this particular version (there will be others) downloading a binary from:
sdhstribrnalhota .xf .cz/86575765/6757645.exe
Despite the apparently random name, this is a real business website (SDH Stříbrná Lhota) that has been compromised. This binary has a detection rate of just 2/56** and is saved as %TEMP%\CrowSoft1.exe. The Hybrid Analysis report*** for this indicates connections to:
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
The payload appears to be the Dridex banking trojan, still going strong despite reports of arrests in the crime gang responsible.
Recommended blocklist:
89.32.145.12
195.154.251.123

* https://www.hybrid-a...environmentId=1

** https://www.virustot...sis/1444903993/
... Behavioural information
TCP connections
89.32.145.12: https://www.virustot...12/information/
88.221.14.138: https://www.virustot...38/information/

*** https://www.hybrid-a...environmentId=1
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 15 October 2015 - 09:14 AM.



#1568 AplusWebMaster

Posted 16 October 2015 - 04:03 AM

FYI...

Fake 'DHL' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
16 Oct 2015 - "An email that appears to come from 'DHL Australia' with the subject of 'Return consignment AVD524417' pretending to come from DSC.AU.Returns@ dhl .com with a zip attachment is another one from the current bot runs... The content of the email says :
    BOOKING OF YOUR CONTROLLED RETURN
        Print off labels (on a LASER printer as this will ensure driver can scan barcode) and affix to carton.
        Please ensure all other labels are removed from carton.
        You can book your own freight by calling our Carrier Partner Startrack Express on 12 18 58 quoting Reference No. 524417
        Alternatively, DHL will call within 3 business days after labels are sent to assist in booking in your freight for collection.
        Quote the consignment Number that is on your labels (attached to your email with prefix AVD)
        Startrack Express will provide you with a booking number, please retain this number.
        Below is a mandatory TRANSFER SUMMARY. This must be completed prior to the arrival of driver; if not complete, this may result in a futile pick up.
        Goods are required back into warehouse no later than 7 working days. Please ensure good are ready for collection.
    STARTRACK EXPRESS TRANSFER SUMMARY REPORT ...


16 October 2015: FL-AVD524417.zip: Extracts to: FL-AVD084542.exe
Current Virus total detections 5/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1444969428/
___

Backdoor Zegost delivered via Hacking Team exploit
- http://research.zsca...ivered-via.html
Oct 16, 2015 - "...  In past two months, we've spotted multiple instances of Zegost Backdoor Trojan installation attempts leveraging Hacking Team's Adobe Flash exploit (CVE-2015-5119) payload. These attacks do not appear to be targeted, but the payload involved in the infection cycle has some resemblance to recent APT payloads from HttpBrowser & the PlugX RAT family. Attack Chain: The infection cycle starts with a legitimate Chinese real estate and shopping site www[.]kongquechang[.]com, which appears to have been compromised by the attackers and contains an injected script. The injected script will cause a series of -redirects- leading to Hacking Team's exploit payload... Attackers are abusing the Chinese URL shortening service t .cn to -redirect- victims to the attack server and also Baidu's URL shortening service dwz .cn to deliver the Adobe Flash exploit payload... Below is the complete list of C&Cs it tries to connect.
80.247.233.18: https://www.virustot...18/information/
91.121.82.113: https://www.virustot...13/information/
69.164.213.85: https://www.virustot...85/information/
79.143.191.147: https://www.virustot...47/information/
199.241.30.233: https://www.virustot...33/information/
162.243.12.14: https://www.virustot...14/information/
188.93.73.90: https://www.virustot...90/information/
195.154.184.240: https://www.virustot...40/information/
Conclusion: The use of a legitimate certificate in signing malware executables to evade security detection is not new but is still very effective. The malware author aims to exploit the Code-Signing Certificate based whitelisting approach by signing their samples..."
(More detail at the zscaler URL at the top.)

kongquechang[.]com: Could not find an IP address for this domain name.
 

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 16 October 2015 - 01:49 PM.



#1569 AplusWebMaster

Posted 19 October 2015 - 04:51 AM

FYI...

Fake 'Invoice / PO' SPAM - malicious attachment
- http://blog.dynamoo....-stephanie.html
19 Oct 2015 - "This -fake- financial spam does not come from Bombardier Transportation but is instead a simple -forgery- with a malicious attachment:
    From     "Stephanie Greaves" [sgreaves@ btros .co.uk]
    Date     Mon, 19 Oct 2015 12:06:42 +0430
    Subject     COS007202
    Good morning,
    Please see attached purchase order.
    Kind regards,
    Stephanie Greaves
    Administration Apprentice
    Bombardier Transportation (Rolling Stock) UK Ltd
    Electronics, Cabling, & Interior Division
    Litchurch Lane, Derby, DE24 8AD


Attached is a file COS007202.doc which comes in at least three different versions (VT results [1] [2] [3]) each containing a slightly different malicious macro... Analysis of the documents is pending, but they will almost definitely drop the Dridex banking trojan...
UPDATE: According to these Hybrid Analysis reports [4] [5] [6] , those macros download from the following locations:
euroagroec .com/35436/5324676645.exe
demo9.iphonebackstage .com/35436/5324676645.exe
webmatique .info/35436/5324676645.exe
The binary they download has a VirusTotal detection rate of 3/56[7] and is saved as %TEMP%\CrowSoft1.exe. Both the VirusTotal and Hybrid Analysis reports show what looks like malicious traffic going to:
157.252.245.49 (Trinity College Hartford, US)
I recommend that you -block- traffic to that IP..."
1] https://www.virustot...sis/1445246850/

2] https://www.virustot...sis/1445246860/

3] https://www.virustot...sis/1445246874/

4] https://www.hybrid-a...environmentId=3

5] https://www.hybrid-a...environmentId=3

6] https://www.hybrid-a...environmentId=1

7] https://www.virustot...sis/1445249638/
___

Fake 'Online banking app form' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
19 Oct 2015 - "An email appearing to come from Nat West Leicester Business Banking Customer Support with the subject of 'Online banking application form********* CRM:013545192' (random numbers) pretending to come from 'NW – Leicester CRT <Leicester.CMT@ NatWest .com> with a zip attachment is another one from the current bot runs... The content of the email says:
    Please find enclosed the requested online application form which
    you will need to complete and return to myself via the post.
    Kind Regards
    Janine Lyles
    Relationship Manager’s Assistant
    Leicester Business Banking Customer Support
    1st Floor
    1 Granby Street
    Leicester
    LE1 6EJ
    Tel: 0116 2752435
    Fax: 0116 2575469
    E Mail ...


19 October 2015: Online banking upd appl form.zip: Extracts to: Online banking upd appl form.scr
Current Virus total detections 3/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1445250902/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 19 October 2015 - 06:21 AM.



#1570 AplusWebMaster

Posted 20 October 2015 - 04:21 AM

FYI...

Fake 'P.O.' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
20 Oct 2015 - "An email appearing to come from Xstrata with the subject of 'PurchaseOrder DR67CV_30HJ' from 'Xstrata' by 'Emerson, Vicky (PROD)' pretending to come from XstrataQLD@ axis.ventyx .com with a zip attachment is another one from the current bot runs... The content of the email says :
    Please find attached a PurchaserOder from Xstarta for your action. It has been sent via Mincom Axis.
    This PurhcaseOrder is in PDF format and can be viewed with Adobe Acrobat Reader. You may ACCEPT or REJECT this PurchaseOrdre from this email by following the isntructions below. In either case, an email will be generated for you to send to the Buyer via Mincom Axis. Type in any notes or comments you wish to convey to the buyer in the email Body and send the email but do not modify any part of the email Subject.
    To ACCEPT the whole PucrhaseOrder, click the following link and complete your details ...


20 October 2015: PurchaseOrder_9EP31W_52M1_707850624.zip: Extracts to: PurchaseOrder_816785634_036545298.exe
Current Virus total detections 6/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1445314610/
___

Fake 'P.O.' SPAM - doc malware
- http://blog.dynamoo....r-no-48847.html
20 Oct 2015 - "This -fake- financial spam comes with a malicious payload:
    From     Harminder Saund [MinSaund77@ secureone .co.uk]
    Date     Tue, 20 Oct 2015 16:08:53 +0700
    Subject     Purchase Order No: 48847
    Attached is a copy of our Purchase Order number 48847
    Harminder Saund
    Secure One


The sender's email address varies slightly, for example:
MinSaund77@ secureone .co.uk
MinSaund92@ secureone .co.uk
MinSaund94@ secureone .co.uk
MinSaund013@ secureone .co.uk
Attached is a file PO_48847.DOC which I have seen two different versions of so far (VirusTotal [1] [2]) each containing a slightly different malicious macro... There are probably different versions of the document with different macros. Automated analysis is pending, however the payload is most likely the Dridex Shifu banking trojan. Please check back for updates..."
1] https://www.virustot...sis/1445335728/

2] https://www.virustot...sis/1445335747/
UPDATE: So far, three download locations have been identified..
ladiesfirst-privileges .com/656465/d5678h9.exe
papousek.kvalitne .cz/656465/d5678h9.exe
pmspotter. wz.cz/656465/d5678h9.exe
This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56*... The Hybrid Analysis reports [1] [2] indicate that it calls home to:
fat.uk-fags .top / 188.166.250.20 (Digital Ocean, Singapore)
I recommend that you -block- traffic to that IP."
* https://www.virustot...sis/1445341067/

1] https://www.hybrid-a...environmentId=3

2] https://www.hybrid-a...environmentId=3
___

Fake 'NOTIFICATION' SPAM - xls malware
- http://blog.dynamoo....tmailbella.html
20 Oct 2015 - "This spam comes with a malicious attachment:
    From     "GOMEZ SANCHEZ"[postmail@ bellair .net]
    To    
    Date     Tue, 20 Oct 2015 13:14:56 +0430
    Subject     victim@ victimdomain .tld
    Congratulations
    Print out the attachment file fill it and return it back by fax or email
    Yours Sincerely
    GOMEZ SANCHEZ


The "Subject" is the victim's own email address. Attached is a file FINAL NOTIFICATION.xls which comes (so far) in three different variants (VirusTotal [1] [2] [3]), each containing one of -three- malicious macros... Analysis of the payload is pending, but is likely to be the Dridex Shifu banking trojan. Please check back later..."
1] https://www.virustot...sis/1445335252/
FINAL NOTIFICATION .xls - 4/56
2] https://www.virustot...sis/1445335267/
FINAL NOTIFICATION-2 .xls - 4/54
3] https://www.virustot...sis/1445335281/
FINAL NOTIFICATION-3 .xls - 4/56
UPDATE: So far, three download locations have been identified..
ladiesfirst-privileges .com/656465/d5678h9.exe
papousek.kvalitne .cz/656465/d5678h9.exe
pmspotter.wz. cz/656465/d5678h9.exe
This file is downloaded as %TEMP%\shhg32c.exe and it has a VirusTotal detection rate of 4/56*... The Hybrid Analysis reports [1] [2] indicate that it calls home to:
fat.uk-fags .top / 188.166.250.20 (Digital Ocean, Singapore)
I recommend that you block traffic to that IP."
* https://www.virustot...sis/1445341067/

1] https://www.hybrid-a...environmentId=3

2] https://www.hybrid-a...environmentId=3

ladiesfirst-privileges .com: 159.253.148.199: https://www.virustot...99/information/

papousek.kvalitne .cz: 88.86.117.145: https://www.virustot...45/information/

pmspotter.wz. cz: 88.86.117.153: https://www.virustot...53/information/

Shifu banking trojan: http://news.softpedi...ay-490580.shtml
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 20 October 2015 - 09:27 AM.




#1571 AplusWebMaster

Posted 21 October 2015 - 04:59 AM

FYI...

Fake 'E-Toll' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 Oct 2015 - "An email with the subject of 'Your E-Toll account statement' pretending to come from RMSETollDontReply@ rms.nsw. gov.au with a zip attachment is another one from the current bot runs... The content of the email says:
    Dear Valued Customer,
    Please find attached your E-Toll account statement.
    If you would like to claim Cashback please:
        Simply login to your account and click on the ‘Claim Cashback’ link on the Account Overview screen. Follow the easy steps and submit your claim online. Please note: Online claims can only be completed on E-Toll accounts with online access.
        Mail the E-Toll transaction statements that list your toll usage for eligible trips and a completed Cashback rebate form to the following address: Roads and Maritime Services M5 Cashback Locked Bag 3 Dubbo NSW 2830
    Rebates must be claimed within 12 calendar months of the end of the Cashback quarter.
    Thank you for choosing E-Toll
    Regards
    The E-Toll Team Roads and Maritime Services
    To view documents in PDF format, you must have Adobe Acrobat PDF reader software version 5 or above installed on your computer.
    This email was sent to you by Roads and Maritime Services. This is an unmonitored email address so please do not reply to this email...


21 October 2015: Oct 2015ST.zip: Extracts to: Oct 2015ST.exe
Current Virus total detections 3/55*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1445398880/
___

Fake 'Delayed tax return' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 Oct 2015 - "An email that appears to come from Australian Taxation Office with the subject of 'Delayed tax returns over 30 days' pretending to come from DelayedReturn <DelayedReturn@ ato. gov.au> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ys-1024x769.png

21 October 2015: TaxAgentReport516177320151020230248.zip: Extracts to: TaxAgentReport061836020151020223957.exe
Current Virus total detections 5/56*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1445398912/
___

Fake 'INVOICE' SPAM - malicious attachment
- http://blog.dynamoo....payment_21.html
21 Oct 2015 - "This -fake- financial spam is not from Lancashire Police but is a simple -forgery- with what appears to be a malicious attachment.
    From:    Whitehead, Lyn [Lyn.Whitehead@ lancashire.pnn.police .uk]
    Date:    21 October 2015 at 10:15
    Subject:    INVOICE FOR PAYMENT - 7500005791
    Hello
    Please find attached an invoice that is now due for payment.
    Regards
    Lyn
    Lyn Whitehead (10688)
    Business Support Department - Headquarters
    Email: Lyn.Whitehead@ lancashire.pnn.police .uk ...


The attachment appears to contain some sort of malicious OLE object rather than a macro, but so far I have not been able to analyse it. Furthermore, this document does not seem to open properly in other applications, so I suspect that it contains an unknown exploit. Analysis is still pending. The VirusTotal report shows a detection rate of zero. The Malwr report is inconclusive. Other analysis is pending, please check back.
UPDATE 1: Another version of this is in circulation, also with zero detections at VirusTotal... The Hybrid Analysis for both samples is inconclusive...
UPDATE 2: An analysis of the documents shows an HTTP request to:
ip1.dynupdate.no-ip .com:8245
All this returns is the IP address of the computer opening the document. Although not malicious in itself, you might want to look out for it as an indicator of compromise...
UPDATE 4: The Hybrid Analysis reports for the documents, which can be found here [1] [2] [3], show that the macros... in the document download a binary from the following locations:
www .sfagan.co .uk/56475865/ih76dfr.exe
www .cnukprint .com/56475865/ih76dfr.exe
www .tokushu. co.uk/56475865/ih76dfr.exe
www .gkc-erp .com/56475865/ih76dfr.exe
At present this has a zero detection rate at VirusTotal*... Those reports in addition to this Malwr report[4] indicate malicious traffic to the following IPs:
89.32.145.12 (Elvsoft SRL, Romania / Coreix Ltd, UK)
119.47.112.227 (Web Drive Ltd, New Zealand)
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
157.252.245.49 (Trinity College Hartford, US)
The payload is probably the Shifu banking trojan.
Recommended blocklist:
89.32.145.12
119.47.112.227
195.154.251.123
157.252.245.49"
1] https://www.hybrid-a...environmentId=1

2] https://www.hybrid-a...environmentId=1

3] https://www.hybrid-a...environmentId=1

4] https://malwr.com/an...TRkZDE2ZTk1ZDM/

* https://www.virustot...sis/1445428911/
... Behavioural information
TCP connections
119.47.112.227: https://www.virustot...27/information/
8.254.218.14: https://www.virustot...14/information/
195.154.251.123: https://www.virustot...23/information/
___

Fake 'PNC' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
21 Oct 2015 - "An email with the subject of 'Your PNC Bank Online Statement is ready to be viewed'  pretending to come from PNCBank_Statements@ pnc .com with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ed-1024x550.png

21 October 2015: Statement_7208_10212015.zip: Extracts to: Statement_3374_10212015.zip.scr
Current Virus total detections 5/57*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1445449142/
___

Chrome -clone- 'eFast' serves ads, collects info
- http://net-security....ews.php?id=3129
21.10.2015 - "A Google Chrome lookalike browser dubbed 'eFast' is being actively pushed onto users. The software is at best annoying and unwanted, and at worst can lead users to malware. Posing as a legitimate application that will benefit users, eFast is actually only helpful to its creators - it sidelines other browsers, generates intrusive online ads (the creators are paid for each click), redirects users to potentially malicious pages, and monitors their Internet browsing activity, which is then sold to third party companies. "eFast Browser is mostly proliferated as a 'bundle' with other (mostly free) software," PC Risk's Tomas Meskauskas warns*. "Users do not expect bundled applications to be concealed, and thus, developers intentionally hide them within the 'Custom' or 'Advanced' settings. Users who rush the download/installation processes and skip this section often inadvertently install potentially unwanted programs. In doing so, they expose their systems to risk of infection and compromise their privacy"... During installation, eFast will attempt to -replace- Chrome if that is already installed, by deleting all the shortcuts to it on your taskbar and desktop. "To make sure that you will use your new browser, eFast makes itself the default browser and takes over some file-associations. File-associations are settings that determine which program will run when files with a certain extension are opened," Malwarebytes' Pieter Arntz explains**..."
* https://www.pcrisk.c...y-efast-browser
eFast Browser removal instructions

** https://blog.malware...e-associations/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 21 October 2015 - 01:39 PM.

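The Dynamoo items in this post and in the earlier ones (#1567, #1569, #1570) end with download locations and a "Recommended blocklist", all written defanged: a space beside the dot ("thelureofnoma .com"), "[.]" ("kongquechang[.]com") or "http ://". Turning those into something a firewall or DNS policy can consume is routine work, so here is an added Python example (not from the forum post or the blogs it quotes) that undoes exactly those three conventions and nothing else. The sample text is constructed from indicator lines that appear in this thread; the TLD list, output format and function names are this example's own assumptions.

```python
"""Turn the defanged indicator lists in this thread into a normalised
blocklist. Added example, not from the forum post or the quoted blogs.

The thread defangs with a space next to a dot ("papousek.kvalitne .cz"),
with "[.]" ("kongquechang[.]com") and with "http ://". The extractor below
reverses only those conventions, and only inside a matched token, so it
does not glue ordinary sentences together ("compromised. This" stays prose).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Suffixes seen in the thread's indicator lists (assumption: extend as needed).
# Requiring one of these is what keeps "compromised. This" from being a hostname.
TLDS = r"(?:com|net|info|top|cz|uk|au)"
SCHEME = r"(?:(https?)\s?:\s?//\s?)?"      # 'http ://' -> scheme 'http'
PATH = r"(/[^\s()]*)?"                      # optional path; stops at space or paren

IP_RE = re.compile(SCHEME + r"\b((?:\d{1,3}\.){3}\d{1,3})\b" + PATH)
HOST_RE = re.compile(SCHEME + r"\b((?:[a-z0-9-]+ ?(?:\.|\[\.\]) ?)+" + TLDS + r")\b" + PATH)


@dataclass
class Indicators:
    ips: set[str] = field(default_factory=set)
    hosts: set[str] = field(default_factory=set)
    urls: set[str] = field(default_factory=set)


def refang(token: str) -> str:
    """Collapse the thread's defanging inside one already-matched token."""
    return re.sub(r"\s+", "", token).replace("[.]", ".")


def _valid_ip(ip: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def extract(text: str) -> Indicators:
    """Collect IPs, hostnames and download URLs from a defanged indicator block."""
    found = Indicators()
    for scheme, ip, path in IP_RE.findall(text):
        if not _valid_ip(ip):
            continue
        found.ips.add(ip)
        if path:
            found.urls.add(f"{scheme or 'http'}://{ip}{path}")
    for scheme, host, path in HOST_RE.findall(text):
        host = refang(host)
        found.hosts.add(host)
        if path:
            found.urls.add(f"{scheme or 'http'}://{host}{path}")
    return found


def blocklist(found: Indicators) -> list[str]:
    """One line per indicator, IPs in numeric order, for a firewall/RPZ script."""
    by_octet = lambda s: tuple(int(o) for o in s.split("."))
    lines = [f"ip {ip}" for ip in sorted(found.ips, key=by_octet)]
    lines += [f"domain {h}" for h in sorted(found.hosts)]
    return lines


# Constructed sample, assembled from indicator lines that appear in the thread.
SAMPLE = """\
Recommended blocklist:
89.32.145.12
195.154.251.123
downloading a binary from:
sdhstribrnalhota .xf .cz/86575765/6757645.exe
euroagroec .com/35436/5324676645.exe
pmspotter. wz.cz/656465/d5678h9.exe
www .tokushu. co.uk/56475865/ih76dfr.exe
Which downloads from http ://23.229.157.230/~gwhill2377/86575765/6757645.exe (VirusTotal 0/53**)
fat.uk-fags .top / 188.166.250.20 (Digital Ocean, Singapore)
kongquechang[.]com: Could not find an IP address for this domain name.
"""

if __name__ == "__main__":
    print("\n".join(blocklist(extract(SAMPLE))))
```

Run it only over the download-location and blocklist sections. The "pretending to come from" addresses in these posts are forged, and the real organisations' domains behind them (the bank, the courier, the tax office) must never land on a blocklist, which is also why the extractor takes a text block you choose rather than the whole post. The IPv4 pattern will also match dotted version strings such as the Flash build numbers quoted in #1566, another reason to feed it indicator lists, not free prose.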


#1572 AplusWebMaster

Posted 22 October 2015 - 04:56 AM

FYI...

Fake 'Invoice Summary.doc' SPAM - malicious attachment
- http://blog.dynamoo....invoice_22.html
22 Oct 2015 - "This -fake- invoice does not come from United Utilities Scotland, but is instead a simple forgery with a malicious attachment...
From     "UUSCOTLAND" [UUSCOTLAND@ uuplc. co.uk]
Date     Thu, 22 Oct 2015 19:30:13 +0700
Subject     Water Services Invoice
Good Morning,
I hope you are well.
Please find attached the water services invoice summary for the billing period of
22 September 2015 to 22 October 2015.
If you would like any more help, or information, please contact me on 0345 0726077.
Our office is open between 9.00am and 5.00pm Monday to Friday. I will be happy to
help you. Alternatively you can email me at uuscotland@uuplc.co.uk.
Kind regards
Melissa
Melissa Lears
Billing Specialist
Business Retail
United Utilities Scotland ...


So far I have seen -three different- versions of the attachment, all named 22 October 2015 Invoice Summary.doc with detection rates of between 4/55 and 7/55 at VirusTotal [1] [2] [3] containing... malicious macros... Analysis of the documents is pending, but one key indicator is that the file appears to be saved as %TEMP%\bluezone3.exe. Check back later for updates."
1] https://www.virustot...sis/1445520172/

2] https://www.virustot...sis/1445520186/

3] https://www.virustot...sis/1445520199/

 

UPDATE 1: This VirusTotal report* also identifies the following download locations:
beauty.maplewindows .co.uk/t67t868/nibrd65.exe
dtmscomputers .co.uk/t67t868/nibrd65.exe
namastetravel .co.uk/t67t868/nibrd65.exe
This file has a VirusTotal detection rate of 2/54** and that report indicates network traffic to: 198.74.58.153 (Linode, US)
Further analysis is pending, in the meantime I suggest that you -block- traffic to the above IP."
* https://www.virustot...sis/1445520186/

** https://www.virustot...sis/1445521267/

198.74.58.153: https://www.virustot...53/information/
___

Fake Java "pop-ups for Download"
- https://blog.malware...java-i-ordered/
Oct 22, 2015 - "... The downloaded file is called setup.exe and is recognized by a few scanners* that detect this file as potentially unwanted adware. (PUP.Optional.Media)... It installs a program called Media Downloader version 1.5:
> https://blog.malware...0/warning4w.png
The other one I want to show you is not actually a pop-up, but a background image that was made to look like one:
> https://blog.malware...5/10/site1w.png
Clicking this “Install” button downloads and prompts you to install a bundler that does install Java version 1.8.25 but not until they have offered the other components of the bundle. In this case I had to “Decline” Norton360, Weatherbug, PC Mechanic and Stormfall Age of War. Note that the latest version for my system is Version 8 Update 65. Version 8u25 is over a year old. Paying attention to the UAC prompt could have saved us some work here. Super IS (Fried Cookie Ltd.) somehow doesn’t have that official ring to it to convince me that this is the Java installer I was promised:
> https://blog.malware.../UACpromptw.png
Probably triggered by the critical patch update that was released by Oracle there are some sites that use this opportunity to lure users into using Java prompt -lookalikes- or bundled installers (for outdated versions). As always, get your software from trusted sources..."
* https://www.virustot...b02a9/analysis/
___

Email account credentials - PHISH
- http://myonlinesecur...tials-phishing/
22 Oct 2015 - "I came across this slightly different email -phishing- attempt this morning... The original email is quite bland, but just enticing enough to persuade a user to click and fill in the forms...

Screenshot: http://myonlinesecur...il-1024x338.png

If you did follow the link, you would see a webpage looking like this:
> http://myonlinesecur...ee-1024x565.png
This site is hosted on a free hosting company weebly .com. Unfortunately these free hosts have minimal checks and it is easy to put up almost anything that can infect a user or act as a phishing site. Weebly does eventually respond to abuse reports but in my experience they are quite slow and take a long time to think about whether the site contravenes their T&Cs. Do -not- fill in the forms otherwise your email account will be compromised. You -never- need to give your email account password to anybody."
___

Apple Invoice - Phish
- https://blog.malware...-invoice-phish/
Oct 22, 2015 - "... a blatant attempt to swipe your payment information. Couched in the well-worn guise of a supposed Apple Store refund, the mail wants potential victims to hand over their Apple ID / password and then a chunk of personal / payment details:
> https://blog.malware...applephis01.jpg
... Of course, you probably did not authorise any sort of purchase for a “CoPilot Premium HD” which is exactly the “Oh no my money, I must retrieve it” reaction they’re banking on (unless you actually did buy one of these, in which case things might get a little confusing). Nothing will have people rushing to click buttons and hand over information faster than the possibility of someone making unauthorised payments – clicking the refund links will take them to a -fake- login, via a -redirect- on a potentially compromised t-shirt website. The phish pages themselves are located at
aut0carhire(dot)com/index/user12-appleid/index(dot)html
> https://blog.malware...applephish1.jpg
After handing over Apple ID credentials, the victim is taken to the next step which involves them giving name, address, DOB and full payment information:
> https://blog.malware...applephish2.jpg
... Unfortunately, hitting the “Cancel Transaction” button here would be pretty much the exact opposite of cancelling a transaction and victims could expect to see many more actual payments suddenly leaving their bank account. If you have this sitting in your mailbox, delete it. If you’ve already sent the scammers your details, notify your bank and cancel the card – while keeping an eye out for any dubious payments. Apple themed phish scams are a popular choice for criminals, and whether faced with iTunes logins, “Find my phone” fakeouts, iCloud shenanigans or payment receipts such as the one above, recipients should be wary and – if in doubt – head to -official- Apple pages* to find out if a payment really is being processed."
* http://www.apple.com/shop/account/home

 

aut0carhire(dot)com: 97.74.181.128: https://www.virustot...28/information/
>> https://www.virustot...0f05e/analysis/
 



Edited by AplusWebMaster, 22 October 2015 - 02:50 PM.



#1573 AplusWebMaster


Posted 23 October 2015 - 05:55 AM

FYI...

Fake 'cleaning invoice' SPAM - malicious attachment
- http://blog.dynamoo....ce-deborah.html
23 Oct 2015 - "This -fake- financial spam comes with a malicious attachment:
    From     "deborah Sherer" [thesherers@ westnet .co.uk]
    Date     Fri, 23 Oct 2015 17:03:19 +0700
    Subject     cleaning invoice
    Hello
    attached is invoice for payment
    thanks
    Deborah Sherer
    ---
    This email has been checked for viruses ...


Attached is a file Cleaning022958.doc which comes in three different versions (VirusTotal results [1] [2] [3]) containing a macro... and downloads a malicious binary from one of the following locations:
www .bhtfriends .org/tydfyyur54/43e67tko.exe
zomb.webzdarma .cz/tydfyyur54/43e67tko.exe
nisanyapi .com/tydfyyur54/43e67tko.exe
This is saved as %TEMP%\lenderb2.exe and has a VirusTotal detection rate of just 1/55* (that's just a generic detection by Kaspersky). That VirusTotal report plus this Hybrid Analysis report** show network traffic to:
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
Private sources also identify these following IPs as part of the C2 infrastructure:
157.252.245.49 (Trinity College Hartford, US)
198.74.58.153 (Linode, US)
68.168.100.232 (Codero, US)
The payload appears to be the Dridex banking trojan.
Recommended blocklist:
195.154.251.123
157.252.245.49
198.74.58.153
68.168.100.232
"
1] https://www.virustot...sis/1445595890/

2] https://www.virustot...sis/1445595902/

3] https://www.virustot...sis/1445595912/

* https://www.virustot...sis/1445595923/

** https://www.hybrid-a...environmentId=1
___

Fake 'Credit Note' SPAM - malicious attachment
- http://blog.dynamoo....06536-from.html
23 Oct 2015 - "This -fake- financial spam has a malicious attachment:
    From:    Accounts [message-service@ post.xero .com]
    Date:    23 October 2015 at 15:08
    Subject:    Credit Note CN-06536 from Trump Hotels & Casino Resorts Inc. for [redacted] (2752)
    Hi Mattie,
    Attached is your credit note CN-06536 for 8954.41 GBP.
    This has been allocated against invoice number
    If you have any questions, please let us know.
    Thanks,
    Avnet, Inc.


The message is neither from Avnet, Xero nor Trump Hotels, but is a simple forgery. Attached is a file Credit Note CN-06536.doc .. but it's actually a -ZIP- file rather than a DOC file. Whoops. Renaming the .DOC to .ZIP creates a valid archive, and the executable inside is named Credit Note CN-83607.exe and has a VirusTotal detection rate of 4/55*. VT identifies this as Upatre which implies that the payload is the Dyre banking trojan... the current version of Upatre/Dyre phones home to 197.149.90.166 (Cobranet, Nigeria) which I strongly recommend you block.
UPDATE: The Hybrid Analysis report is here**, reporting the Nigerian IP and also showing that the malware saves itself as:
%TEMP%\homebast.exe
C:\Windows\mLunoMqU.exe "
* https://www.virustot...sis/1445609013/

** https://www.hybrid-a...environmentId=1

197.149.90.166: https://www.virustot...66/information/
___

Fake 'Scan Data' SPAM - malicious attachment
- http://blog.dynamoo....75-t2-scan.html
23 Oct 2015 - "This -fake- document scan appears to originate from within the victim's own organisation, but doesn't. Instead it comes with a malicious attachment.
    From:    DocuCentre-V C6675 T2 [reception@ victimdomain .com]
    Reply-to:    reception@ victimdomain .com
    Date:    23 October 2015 at 09:23
    Subject:    Scan Data from FX-D6DBE1
    Number of Images: 1
    Attachment File Type: DOC
    Device Name: DocuCentre-V C6675 T2
    Device Location:


Attached is a file 22102015160213-0001.doc which comes in a few different versions. The payload is Dridex and all the files and downloaded binaries are the same as used in this spam run*."
* http://blog.dynamoo....ce-deborah.html
___

Fake 'Receipt for Payment' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
23 Oct 2015 - "An email saying 'Thank you for filing your taxes with FreeTaxUSA' with the subject of  'Receipt for Payment' pretending to come from random companies and email addresses with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...nt-1024x939.png

23 October 2015: unjammed black fly.zip: Extracts to: 9842548_2377731824.exe
Current Virus total detections 2/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1445596923/
___

Western Union Business Solutions Spam
- http://threattrack.t...-solutions-spam
Oct 23, 2015 - "Subjects Seen:
    Order 49746970 Booked - Western Union Business Solutions Online FX for Corporate
Typical e-mail details:
    Please be advised that Order 49746970 totaling 70,494.00 USD has been booked on Oct 23 2015.
    Click on the attached file to view details of the order or to print a receipt.
    This email was sent by Western Union Business Solutions. We respect your right to privacy.
    Thank you for using Western Union Business Solutions.
    Sincerely,
    Western Union Business Solutions


Malicious File Name and MD5:
    westernunion_order_receipt.exe (E4510056BB38A37EE7AE485AA6C4B36A)


Screenshot: https://40.media.tum...1r6pupn_500.png

Tagged: Western Union, Upatre
___

Paypal - PHISH... again.
- http://myonlinesecur...mited-phishing/
23 Oct 2015 - "... There are a few major common subjects in a phishing attempt involving either PayPal or your Bank or Credit Card, with a message saying some thing like:
    There have been unauthorised or suspicious attempts to log in to your account, please verify
    Your Account Access Is Limited
    Your account has exceeded its limit and needs to be verified
    Your account will be suspended !
    You have received a secure message from < your bank>
    We are unable to verify your account information
    Update Personal Information
    Urgent Account Review Notification
    We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    Confirmation of Order


Screenshot: http://myonlinesecur...ed-1024x780.png

... the links to the -phishing- website are behind the 'update your info' button or the 'update now' link... The eventual site is the highlighted part of the very long url which goes via googleadservices. Now many phishers have been using google search links to persuade a recipient to click-a-link. Hovering over the link in an email will show google which most people would think was safe... The only way is to look at the address bar and in the -Genuine- PayPal site, when using Internet Explorer the entire address bar is in green. (in Chrome or Firefox, only the padlock symbol on the left of the browser is green)...
> http://myonlinesecur...aypal_phish.png
This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."
___

Fake 'Notice to Appear' SPAM - malicious attachment
- http://blog.dynamoo....-to-appear.html
22 Oct 2015 - "This -fake- legal spam comes with a malicious attachment:
    From:    District Court
    Date:    22 October 2015 at 19:03
    Subject:    Notice to Appear
    Notice to Appear,
    This is to inform you to appear in the Court on the October 27 for your case hearing.
    Please, prepare all the documents relating to the case and bring them to Court on the specified date.
    Note: The case may be heard by the judge in your absence if you do not come.
    You can review complete details of the Court Notice in the attachment.
    Sincerely,
    Michael Newell,
    District Clerk


Attached is a file Notice_to_Appear_00800614.zip which in turn contains a malicious script Notice_to_Appear_00800614.doc.js... This obfuscated script translates into something a bit more understandable which clearly references the following domains:
www .flowarrior .com
www .abama .org
littlefacesofpanama-association .com
The Hybrid Analysis report* shows that it downloads a file as %TEMP%\5883173.exe which has a VirusTotal detection rate of 5/55** (possibly Cridex). It references the following IPs as being highly suspect:
91.121.108.77 (OVH, France)
78.24.220.229 (TheFirst-RU, Russia)
A -large- number of IPs are queried... I have not had the chance to check those individual IP addresses, but I recommend that you -block- the following two at least:
91.121.108.77
78.24.220.229
"
* https://www.hybrid-a...environmentId=1

** https://www.virustot...sis/1445547994/

> https://www.virustot...51464/analysis/
___

G DATA Malware Report H1 2015
- https://www.gdata-so...st-half-of-2015
Oct 22, 2015 - "... G DATA, is releasing their H1 2015 Malware Report, which looks at malware over the first half of 2015. Among the findings, researchers discovered a 64.8 percent spike of new malware strains as compared to the first half of 2014. This averages out to 12 new strains per minute. In all, the total number of malware strains this year is expected to be well above the level of 2014, with the U.S., China and France hosting the most malicious and fraudulent websites. In looking more closely at the banking industry, researchers found that Wells Fargo was the most frequently targeted financial services company by banking Trojans, and the Swatbanker family was the most frequently seen banking Trojan in the 6 month period, followed by the ZeuS family... websites related to the healthcare industry were most frequently classified as malicious (26.6 percent), with technology and telecom a distant second. The most commonly seen malware campaign was “Money Rain,” promising various ways to easily acquire money. While this campaign was seen on websites for all of the categories researched, 37 percent of the websites that were clearly connected to Money Rain were in the healthcare industry. Also of note, a new category, personal ads and dating, was revealed to be in the top 10 list of most prevalent malicious and fraudulent websites.
> https://static.gdata...s_48890w417.jpg
Additional Key Findings Include:
• The "Top 10" list of prevented malware attacks is dominated by adware and Potentially Unwanted Programs (PUP). Dealply and Graftor are the most prevalent families in this field.
• Ukraine is new to the Top 10 list of countries most frequently found to be hosting malicious websites with 5% of the activity, putting the country in fourth place. This could potentially be due to the political havoc occurring in this region.
• Exploits for vulnerabilities are now being integrated into exploit kits after just a few days. Users who do not keep their systems up-to-date will easily fall victim to cyber criminals.           
• The vulnerabilities in Adobe Flash were most frequently abused to silently and automatically attack and compromise PCs (Exploit)..."
PDF - Full report: https://public.gdata..._H1_2015_EN.pdf

> https://static.gdata...s_48866w800.jpg
 



Edited by AplusWebMaster, 23 October 2015 - 10:57 AM.



#1574 AplusWebMaster


Posted 26 October 2015 - 06:50 AM

FYI...

Fake 'Tax Invoice' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
26 Oct 2015 - "An email with the subject of 'MBIE Companies Office Tax Invoice' pretending to come from revenue@ med.govt .nz with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ce-1024x557.png

26 October 2015: Notification20151026_MCX79GF[_var=nSYMBOL]-54.zip: Extracts to: Notification20151026-AUNK7401f-26.exe
Current Virus total detections 0/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1445819602/
___

Fake 'Sales Invoice' SPAM - malicious attachment
- http://blog.dynamoo....ur-norwich.html
26 Oct 2015 - "This -fake- financial spam does not come from Norwich Camping but is instead a simple -forgery- with a malicious attachment:
    From     "Norwich Camping" [sales@ norwichcamping .co.uk]
    Date     Mon, 26 Oct 2015 13:43:14 +0430
    Subject     #NC-242455-Zmj Your Norwich Camping Order has shipped!
    You Norwich Camping & Leisure order "#NC-242455-Zmj" has now been shipped. Your chosen
    payment method has now been charged.
    Kind regards,
    The Norwich Camping & Leisure


Attached is a file invoice-2425.doc of which I have only seen a single sample so far with a VirusTotal detection rate of 5/55*. The document contains this malicious macro... which apparently downloads a malicious binary to %TEMP%\ZipCock32.exe ... it is most likely that it downloads the Dridex banking trojan.
UPDATE: According to this Hybrid Analysis report** this version of the malicious document downloads an executable from:
img1.buyersbestfriend. com/76r56e87y8/65df78.exe
This has a VirusTotal detection rate of 5/55***. That report indicates malicious traffic to:
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
I recommend that you block traffic to that IP."
* https://www.virustot...sis/1445854612/

** https://www.hybrid-a...environmentId=2

*** https://www.virustot...sis/1445857776/
... Behavioural information
TCP connections
195.154.251.123: https://www.virustot...23/information/
88.221.14.130: https://www.virustot...30/information/
___

Fake 'PHS docs' SPAM - malicious attachment
- http://blog.dynamoo....uments-are.html
26 Oct 2015 - "This spam does not come from PHSOnline, but is instead a simple -forgery- with a malicious attachment.
    From     "PHSOnline" [documents@ phsonline .co.uk]
    Date     Mon, 26 Oct 2015 20:28:50 +0700
    Subject     Your new PHS documents are attached


I don't have a copy of the body text for these messages, but the attachment is named G-A0287580036267754265.doc which comes in -three- different versions... containing a macro... which downloads a malicious binary from one of the following locations:
tranquilosurf .com/~info/76r56e87y8/65df78.exe
masaze-rumburk .cz/76r56e87y8/65df78.exe
img1.buyersbestfriend .com/76r56e87y8/65df78.exe
The Hybrid Analysis reports for those documents are here: [1] [2] [3]. The file is saved as %TEMP%\ZipCock32.exe and this has a VirusTotal detection rate of just 1/55[4]. The Hybrid Analysis report for this binary[5] shows it downloading from the following location:
195.154.251.123 (Online SAS / Iliad Entreprises / Poney Telecom, France)
This is almost definitely the Dridex banking trojan. Note that the documents and download locations appear to be the -same- as the ones used in this earlier attack*, but the payload has now changed."
* http://blog.dynamoo....ur-norwich.html

1] https://www.hybrid-a...environmentId=1

2] https://www.hybrid-a...environmentId=2

3] https://www.hybrid-a...environmentId=2

4] https://www.virustot...sis/1445868517/

5] https://www.hybrid-a...environmentId=1
___

Despite takedown, the Dridex botnet is running again
- http://www.computerw...ning-again.html
Oct 26, 2015 - "Spam emails containing the Dridex malware are being seen almost daily despite the arrest of one of its key operators in August. The finding confirms that while law enforcement can claim temporary victories in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations... Dridex, also referred to as Cridex or Bugat, is advanced malware that collects financial login details and other personal information that can be used to drain bank accounts. The U.S. and U.K. said the Dridex botnet - or the collection of computers infected with the malware - had been disrupted following their operations. Two weeks before the DOJ's announcement, Palo Alto Networks wrote* that it noticed a drop in Dridex activity but that it resumed again around the start of October. Much of that activity has now resumed, wrote Brad Duncan, a security researcher with Rackspace, on the Internet Storm Center blog**... there appear to be more files labeled as Dridex on VirusTotal... Although some of the samples could be mislabeled, it backs up what Palo Alto noticed..."

* http://researchcente...rgeting-the-uk/
Oct 1, 2015

** https://isc.sans.edu...ll active/20295
Last Updated: 2015-10-24

- http://www.securewor...over-operation/
13 Oct 2015 - "... The malware... steals credentials, certificates, cookies, and other sensitive information from a compromised system, primarily to commit Automated Clearing House (ACH) and wire fraud. As of this publication, authorities have linked the botnet to an estimated £20 million (approximately $30.5 million) in losses in the UK, and at least $10 million in losses in the United States. Dridex was created from the source code of the Bugat banking trojan (also known as Cridex) but is distinct from previous Bugat variants, particularly with respect to its modular architecture and its use of a hybrid peer-to-peer (P2P) network to mask its backend infrastructure and complicate takedown attempts..."
 



Edited by AplusWebMaster, 26 October 2015 - 08:46 AM.



#1575 AplusWebMaster


Posted 27 October 2015 - 05:43 AM

FYI...

Fake 'Payslip' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Oct 2015 - "An email with the subject of 'Payslip for period ending 27/Oct/2015' pretending to come from Datacom Pay Systems <powerpay@ datacom .co.nz> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ng-1024x677.png

27 October 2015: Payslip 27Oct2015.zip: Extracts to: Payslip 27Oct2015.scr
Current Virus total detections 12/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1445921468/

- http://threattrack.t...om-payslip-spam
27 Oct 2015 - "Subjects Seen
    Payslip for period ending 27/Oct/2015
Typical e-mail details:
    Dear Customer,
    Attached is your payslip for period ending 27/Oct/2015.
    Please note the attached payslip is password protected - the password is the same as your employee self service login password. The content of this email and its attachments are confidential. If you are not the intended recipient of this message please contact Datacom on 0800 856 856 or +64 9 366 1150. This email message has been sent from an unmanned account. Please do not reply to this address...


Screenshot: https://41.media.tum...1r6pupn_500.png

Malicious File Name and MD5:
    payslip (1CE90078C006CFEE77248E8EDFD68BD2)


Tagged: Datacom, Upatre
___

Fake 'BACS Remittance' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Oct 2015 - "An email with the subject of 'Cyngor Sir Ddinbych – Taliad BACS / Denbighshire CC – BACS Remittance' pretending to come from credbills@ denbighshire .gov.uk with a zip attachment is another one from the current bot runs... The content of the email says :
    Gweler manylion taliad BACS yn atodedig
    Please see attached Bacs Remittance ...
The information contained in this e-mail message and any files transmitted with it is intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender immediately. The contents of this e-mail represents the views of the individual(s) named above and do not necessarily represent the views of Denbighshire County Council. However, as a Public Body, Denbighshire County Council may be required to disclose this e-mail [or any response to it] under legislative provisions...


27 October 2015: DenbighshireCC.zip: Extracts to: DenbighshireCC.scr
Current Virus total detections 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1445942099/

- http://blog.dynamoo....ych-taliad.html
27 Oct 2015 - "I've never had malware spam in Welsh before.. this is not from Denbighshire County Council, but is instead a simple -forgery- with a malicious attachment:
    From     "credbills@ denbighshire .gov.uk" [credbills@ denbighshire .gov.uk]
    Date     Tue, 27 Oct 2015 17:46:01 +0530
    Subject     Cyngor Sir Ddinbych - Taliad BACS / Denbighshire CC - BACS Remittance
    Gweler manylion taliad BACS yn atodedig
    Please see attached Bacs Remittance ...
        Mae'r wybodaeth a gynhwysir yn yr e-bost hwn ac unrhyw ffeiliau a drosglwyddir gydag
    o wedi eu bwriadu yn unig ar gyfer pwy bynnag y cyfeirir ef ato neu atynt. Os ydych
    wedi derbyn yr e-bost hwn drwy gamgymeriad, hysbyswch yr anfonwr ar unwaith os gwelwch
    yn dda...
    [Welsh: The information contained in this e-mail and any files transmitted with it are intended solely for whoever it is addressed to. If you have received this e-mail by mistake, please notify the sender immediately...]


Attached is a file DenbighshireCC.zip which contains a malicious executable DenbighshireCC.scr. This has a VirusTotal detection rate of 5/55*. The Hybrid Analysis report** shows characteristics common to the Upatre/Dyre banking trojan. In particular it identifies traffic to a known bad IP:
197.149.90.166 (Cobranet, Nigeria)
I strongly recommend that you -block- traffic to that IP."
* https://www.virustot...sis/1445953248/

** https://www.hybrid-a...environmentId=2
___

Fake 'VeriFone' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Oct 2015 - "An email with the subject of 'VeriFone Services UK and Ireland Ltd' pretending to come from donotreply_invoices@ verifone .com with a zip attachment is another one from the current bot runs... The content of the email says :
    Please see attached Invoice(s).
    Thanks and Regards,
    VeriFone Services UK and Ireland Ltd
    Confidentiality Note: This email message contains information that is confidential. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this message is prohibited. If you have received this message or attachment in error, please notify us immediately by email and delete the original. Thank you.
    While we use standard virus checking software, we accept no responsibility for viruses or anything similar in this email or any attachments. We also do not accept any responsibility for any changes to, or interception of, this email or any attachment after it leaves our information system. This electronic message, including attachments, is intended only for the use of the individual or company named above or to which it is addressed. The information contained in this message shall be considered confidential and proprietary...


27 October 2015: 20151027104526.zip: Extracts to: 20151027104526.scr
Current Virus total detections 0/56* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1445943801/
___

Fake 'RBS' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
27 Oct 2015 - "An email appearing to come from Sunderland City Council with the subject of 'RBS Cardholder Application Form' pretending to come from Hester Knapp <Hester.Knapp@ sunderland .gov.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...il-1024x540.png

27 October 2015: New_Cardholder_Application_Hester_Knapp.zip: Extracts to: New_Cardholder_Application_Hester_Knapp.scr
Current Virus total detections 0/55* . This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1445943801/

- http://blog.dynamoo....pplication.html
27 Oct 2015 - "This -fake- financial spam does not come from Sunderland City Council, but is instead a simple -forgery- with a malicious attachment:
    From     "Wm Palmer" [Wm.Palmer@ sunderland .gov.uk]
    Date     Tue, 27 Oct 2015 18:39:34 +0700
    Subject     RBS Cardholder Application Form
    Dear Customer,
    We now have the go ahead from Corporate Procurement to apply to RBS for your Corporate
    Purchase Card. Please find attached the RBS application form which requires your
    signature as cardholder on page 2. Also please add the date. Once done can you scan
    the document and email it back to me or alternatively post it back to me c/o Purchase
    Card Administration Team, Transactional Finance, Room 1.34, Civic Centre, Sunderland
    SR2 7DN.
    Kind regards,
    Wm.
    Wm Palmer
    Purchase Ordering Officer ...


Attached is a file New_Cardholder_Application_Wm_Palmer.zip containing a malicious executable New_Cardholder_Application.scr - which is exactly the -same- malware as used in this other fake council spam run today*."
* http://blog.dynamoo....ych-taliad.html
 



Edited by AplusWebMaster, 27 October 2015 - 09:36 AM.

