SPAM frauds, fakes, and other MALWARE deliveries...



#1591 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 18 November 2015 - 07:10 AM

FYI...

Fake 'Statement' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
18 Nov 2015 - "An email with the subject of 'Copy Statement' pretending to come from Barnett, Paul <Paul.Barnett@ bausch .com> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...tt-1024x509.png

18 November 2015 : Statement client 0091293(1).xls - Current Virus total detections 4/54*
... Downloads Dridex banking malware from one of these locations http ://www.samsoncontrols .co.uk/h64gf3/89j6cx.exe -or-
http ://iraqiairways .co.uk/h64gf3/89j6cx.exe (VirusTotal 2/39**)
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1447836428/

** https://www.virustot...sis/1447837417/
TCP connections
182.93.220.146: https://www.virustot...46/information/
191.234.4.50: https://www.virustot...50/information/
___

Fake 'Invoices' SPAM – PDF malware
- http://myonlinesecur...ke-pdf-malware/
18 Nov 2015 - "An email about CIC Group Invoices with the subject of 'Invoices' pretending to come from CIC Group <admin@ cic .fr> with a zip attachment is another one from the current bot runs... The content of the email says:
... Please review the attached invoices and pay them at your earliest convenience. Feel free to contact us if you have any questions.
    Thank you.


18 November 2015: facture_37854634_181115.zip: Extracts to: facture_37854634_181115.exe
Current Virus total detections 3/54*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1447850791/
___

Fake 'invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
18 Nov 2015 - "An email with random subjects that are 2 or 3 letters and then the word invoice or payment, like 'ZV Payment' or 'MU Invoice' or 'SBN Payment' pretending to come from random names, companies and email addresses with a random named malicious word doc attachment is another one from the current bot runs... The email looks like:
    Processing Number: M19Q0R5VG842B
    A new Status: Error
    Total Amount: 20741.84 Great Britain Pounds
    Please click the document attached with this email to see more info.

-Or-
    Payment: L6174S1E
    Status: Authorised
    Transaction Total: 23018.32 GBP
    Please click the document attached with this email to get more information.

-Or-
    Transaction: S1970110
    A new State: Voided
    Total Amount: 35079.44 Great Britain Pounds
    Please check the file attached with this email to have more info.


18 November 2015: VTJ0W7M7VX5.doc - Current Virus total detections 4/55*
MALWR analysis** shows a connection to http ://classic-eng .com/ge.jpg?7538 and a download AhkD7UHKJjGS08990.exe (VirusTotal 4/55**). Full analysis of this download is pending but is very likely to be Dridex banking malware... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1447830052/

** https://malwr.com/an...TQxMmU1NWUzMjQ/

*** https://www.virustot...sis/1447831128/
TCP connections
78.129.133.249: https://www.virustot...49/information/
191.234.4.50: https://www.virustot...50/information/
___

Fake 'Receipt' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
18 Nov 2015 - "An email saying 'Here is your credit card receipt attached' with the subject of 'Receipt' pretending to come from Mike <mike@xencourier .co .uk> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Hi
    Here is your credit card receipt attached. VAT invoice to follw in due course.
    Best regards
    Mike
    This email is free from viruses and malware ...


18 November 2015: scan0001.xls - Current Virus total detections 6/55*
MALWR analysis** shows me that this is the -same- malware dropper attempting to download an updated version of the Dridex banking malware as described in today’s earlier malspam run***
 http ://www .samsoncontrols .co .uk/h64gf3/89j6cx.exe (the company has removed the malware and hopefully cleaned and fixed the vulnerabilities that allowed them to be used as a conduit for malware distribution). Warning: there were other locations mentioned earlier that might still be live. The http ://iraqiairways .co.uk/h64gf3/89j6cx.exe is still -live- and giving an updated version (virustotal[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1447851533/

** https://malwr.com/an...TcwZjE3Zjg4MTM/

*** http://myonlinesecur...dsheet-malware/

4] https://www.virustot...sis/1447851743/
TCP connections
203.172.180.195: https://www.virustot...95/information/
8.253.82.62: https://www.virustot...62/information/

- http://blog.dynamoo....ceipt-mike.html
18 Nov 2015 - "... it has a malicious attachment scan0001.xls which appears to come in at least -three- different versions... These contain a malicious macro... they attempt to download a malicious binary from the following locations:
www .eurocontainers .it/h64gf3/89j6cx.exe
www .asnp .it/h64gf3/89j6cx.exe
www .samsoncontrols .co.uk/h64gf3/89j6cx.exe [file not found]
This binary has a detection rate of 7/54* and that VirusTotal report and this Malwr report** both indicate malicious network traffic to:
203.172.180.195 (Ministry Of Education, Thailand)..."
* https://www.virustot...sis/1447858997/
TCP connections
203.172.180.195: https://www.virustot...95/information/
8.253.82.62: https://www.virustot...62/information/

** https://malwr.com/an...TNlOTYyMzljZDY/
___

Fake 'InTuIT' SPAM - malware
- http://myonlinesecur...cation-malware/
Nov 18, 2015 - "An email saying you need to update your InTuIT QuickBooks with the subject of 'INTUIT Important Notification' pretending to come from INTUIT QB <qbsupport@ services .intuit .com> with a zip attachment is another one from the current bot runs... Other subjects in this malspam series include:
• INTUIT QB
• INTUIT Please Notify!
• INTUIT QB
• INTUIT QuickBooks
• INTUIT QB Security Warning
• INTUIT Attention
• Intuit QuickBooks Online: Browser Update
• Intuit QuickBooks Online: Supported Browsers
• INTUIT Supported Browsers Update
• INTUIT Security Warning
Other alleged senders include:
• INTUIT QB <services@ quickbooks .intuit .com>
• quickbooks <qbsecuritycenter@ intuit .com>
• INTUIT QB <services@ quickbooks .intuit .com>
• QuickBooks Online <security@ services .qb .intuit .com> ...

Screenshot: http://myonlinesecur...on-1024x662.png

18 November 2015: INTUIT-Browser-up1247.zip: Extracts to: up1247.exe
Current Virus total detections 2/55*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an icon of an excel file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1447857402/
TCP connections
89.163.249.75: https://www.virustot...75/information/
188.247.102.215: https://www.virustot...15/information/
UDP communications
8.8.8.8: https://www.virustot....8/information/

- http://blog.dynamoo....m-leads-to.html
18 Nov 2015 - "... Screenshot:
> https://1.bp.blogspo...s400/intuit.png
The -link- in the email goes to:
kompuser .com/system/logs/update/doc.php?r=download&id=INTUIT-Browser-up1247.zip
This downloads a file INTUIT-Browser-up1247.zip which in turn contains a malicious executable up1247.exe ... which has a VirusTotal detection rate of 2/54*. That VirusTotal report and this Hybrid Analysis report** show that the malware POSTs data to:
onbrk .in/p7yqpgzemv/index.php
The payload is unknown... the same nameservers and have also been used for malicious activity going back to August... Recommended blocklist:
31.210.116.68
188.247.102.215
89.163.249.75
95.173.164.212
kompuser .com
onbrk .in
..."
(More at the dynamoo URL above.)
* https://www.virustot...sis/1447863072/
TCP connections
89.163.249.75: https://www.virustot...75/information/
188.247.102.215: https://www.virustot...15/information/
UDP communications
8.8.8.8: https://www.virustot....8/information/

** https://www.hybrid-a...environmentId=1

- https://security.int...alert.php?a=271
11/18/15
- https://security.int...alert.php?a=270
11/18/15
___

Infoblox - DNS Threat report
- http://net-security....ews.php?id=3155
18.11.2015 - "The creation of DNS infrastructure by cybercriminals to unleash exploit kits increased 75 percent in the third quarter of 2015 from the same period in 2014, according to Infoblox:
> http://www.net-secur...blox-112015.jpg
...  Highly skilled attackers can create exploit kits, which are packages for delivering a malware payload, and then sell or rent these toolkits to those with little technical experience - vastly increasing the ranks of malicious attackers capable of going after individuals, businesses, schools, and government agencies. -Four- exploit kits - Angler, Magnitude, Neutrino, and Nuclear - accounted for -96- percent of total activity in the category for the third quarter. Most exploit kit attacks are distributed through spam emails or compromised web sites, or are embedded in online ads. When users click a link in the emails or ads, the exploit kit takes advantage of vulnerabilities in popular software to deliver a malware payload that can perform actions such as planting ransomware, capturing passwords for bank accounts, or stealing an organization’s data. Cybercriminals need the DNS to register domains for building the “drive-by” locations where exploit kits lie in wait for users, and for communicating with command-and-control servers that send instructions to infected devices and extract information..."

> https://www.infoblox...ns-threat-index
Video: 2:49
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 19 November 2015 - 08:38 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

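Added example (mine, not code from the quoted sites or from this thread): a stdlib-only Python triage of the two attachment tricks the posts above keep repeating, the .exe inside a zip wearing a PDF or Excel icon, and the .doc/.xls that asks you to enable macros. It inspects file bytes instead of names or icons, which is what "show known file extensions" is trying to compensate for. All sample bytes are constructed stand-ins (a fake MZ header, a fake OLE header containing a `_VBA_PROJECT` entry, small in-memory zips), not the real samples on VirusTotal. The one assumption is that a macro-bearing legacy Office file always has a `_VBA_PROJECT` stream name in its OLE directory, which holds for Word and Excel VBA projects.

```python
"""Attachment triage for the two lure types in the posts above: an archive whose
member is a PE executable wearing a document name/icon, and an Office file
carrying a VBA macro project. Standard library only. All sample bytes below
are constructed stand-ins, not real malware."""
import io
import zipfile

PE_MAGIC = b"MZ"                                   # DOS stub header of every Windows PE
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE2 compound file (.doc/.xls/.ppt)
OOXML_MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png")


def classify_bytes(name, data, _depth=0):
    """Return a list of findings for one file given its name and raw bytes."""
    findings = []
    lower = name.lower()
    if data[:2] == PE_MAGIC:
        # Windows runs a file by extension, not by icon, so a PE is the thing
        # to flag regardless of what the name or icon suggests.
        findings.append("PE executable")
        if not lower.endswith(".exe"):
            findings.append("executable with non-.exe name")
        if any(ext in lower[:-4] for ext in DOC_EXTS):     # e.g. invoice.pdf.exe
            findings.append("double extension")
        return findings
    if data[:8] == OLE_MAGIC:
        # Legacy .doc/.xls: directory entry names are stored as UTF-16LE, and a
        # VBA project always has a "_VBA_PROJECT" stream (assumption, see lead-in).
        findings.append("OLE2 document")
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            findings.append("VBA macro project present")
        return findings
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                if any(n in names for n in OOXML_MACRO_MEMBERS):
                    findings.append("OOXML with vbaProject.bin")   # .docm/.xlsm, maybe renamed
                if _depth < 2:                                      # recurse into zip members
                    for n in names:
                        if n in OOXML_MACRO_MEMBERS:
                            continue
                        for f in classify_bytes(n, z.read(n), _depth + 1):
                            findings.append(f"{n}: {f}")
        except zipfile.BadZipFile:
            findings.append("corrupt zip")
    return findings


BLOCK_KEYS = ("PE executable", "VBA macro", "vbaProject", "corrupt zip")


def verdict(name, data):
    """'block' if anything executable or macro-bearing was found, else 'allow'."""
    findings = classify_bytes(name, data)
    return "block" if any(k in f for f in findings for k in BLOCK_KEYS) else "allow"


def _zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, b in members.items():
            z.writestr(n, b)
    return buf.getvalue()


# Constructed samples: headers only, nothing here executes.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 64
FAKE_OLE_MACRO = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le")
FAKE_OLE_CLEAN = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
CLEAN_DOCX = _zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
MACRO_DOCX = _zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>",
                   "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 64})
ZIP_WITH_EXE = _zip({"facture_37854634_181115.exe": FAKE_PE})   # the "PDF icon" lure

if __name__ == "__main__":
    for name, data in [("invoice.pdf.exe", FAKE_PE), ("scan0001.xls", FAKE_OLE_MACRO),
                       ("report.xls", FAKE_OLE_CLEAN), ("clean.docx", CLEAN_DOCX),
                       ("macro.docx", MACRO_DOCX), ("facture_37854634_181115.zip", ZIP_WITH_EXE)]:
        print(f"{name:32} {verdict(name, data):6} {classify_bytes(name, data)}")
```

On a mail gateway you would feed `verdict()` each decoded MIME part; the byte checks are cheap enough to run on everything, and the zip recursion catches the "facture_....zip extracts to facture_....exe" case without relying on the sender's file name.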


#1592 AplusWebMaster


Posted 19 November 2015 - 06:26 AM

FYI...

Fake 'Shipping notification' SPAM - malicious attachment
- http://blog.dynamoo....tification.html
19 Nov 2015 - "This rather terse spam does -not- come from Ceva Logistics but is instead a simple -forgery- with a malicious attachment.
    From:    noreply@ cevalogistics .com
    Date:    19 November 2015 at 10:27
    Subject:    [Shipping notification] N3043597 (PB UK)


There is -no- body text and the "N" number is randomly generated. All samples I have seen contain a file called shipping-notification.xls which is in the same in all cases, containing this malicious macro... it has a VirusTotal detection rate of 2/54*. The comments on that VirusTotal report plus this Hybrid Analysis report** indicate a malicious binary is downloaded from:
iwcleaner .co.uk/8i65h4g53/o97i76u54.exe
This has an MD5 of e0d24cac5fb16c737f5f016e54292388 and a detection rate of 2/54*** and this Hybrid Analysis report[4] shows malicious traffic to the following IP (which I recommend you block):
182.93.220.146 (Ministry of Education, Thailand)
The payload is almost definitely the Dridex banking trojan."
* https://www.virustot...sis/1447929870/

** https://www.hybrid-a...environmentId=1

*** https://www.virustot...sis/1447930055/
TCP connections
182.93.220.146: https://www.virustot...46/information/
191.234.4.50: https://www.virustot...50/information/

4] https://www.hybrid-a...environmentId=2
___

Fake 'Google invoice' SPAM - malicious attachment
- http://blog.dynamoo....invoice-is.html
19 Nov 2015 - "This -fake- invoice does not come from Google, but is instead a simple -forgery- with a malicious attachment:
    From:    billing-noreply@ google .com
    Date:    19 November 2015 at 12:40
    Subject:    Your Google invoice is ready
    Attached to this email, please find the following invoice:
    Invoice number: 1630884720
    Due date: 19-Nov-2015
    Billing ID: 34979743806
    Please follow instructions on the invoice for remitting payment. If you have questions, please contact collections-uk@ google .com.
    Yours Sincerely,
    The Google Billing Team
    Billing ID: 0349-7974-3806


The attachment is named 1630884720.doc which comes in at least two versions (VirusTotal analysis [1] [2]) and which contains a malicious macro... Analysis of the documents is still pending (please check back), although the payload is almost definitely the Dridex banking trojan."
1] https://www.virustot...sis/1447936837/

2] https://www.virustot...sis/1447937222/

- http://myonlinesecur...rd-doc-malware/
19 Nov 2015
"19 November 2015: 1630884720.doc - Current Virus total detections 3/54*
... Downloads Dridex banking malware from bhoomiconsultants .com/8i65h4g53/o97i76u54.exe (VirusTotal 1/54**)..."
* https://www.virustot...sis/1447942173/

** https://www.virustot...sis/1447944295/
TCP connections
182.93.220.146: https://www.virustot...46/information/
8.254.218.142: https://www.virustot...42/information/
___

Fake 'Invoice and VAT Receipt' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
19 Nov 2015 - "An email with the subject of 'Invoice and VAT Receipt EDMUN11118_181859 [Account:EDMUN11118]' pretending to come from support@ postcodeanywhere .com with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...18-1024x559.png

19 November 2015: EDMUN11118_181859.xls - Current Virus total detections 5/54*
... tries to download Dridex banking malware from http ://lapelsbadges .com/8i65h4g53/o97i76u54.exe which at the present time is not resolving for me. Usually there are several download locations all delivering the same dridex malware... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1447943292/

- http://blog.dynamoo....at-receipt.html
19 Nov 2015 - "... The attachment is EDMUN11118_181859.xls... download(s) a file... has a VirusTotal detection rate of 1/54* and that VirusTotal report indicates it phoning home to:
182.93.220.146 (Ministry Of Education, Thailand)
I strongly recommend that you -block- that IP address. The payload is the Dridex banking trojan..."
* https://www.virustot...sis/1447949778/
TCP connections
182.93.220.146: https://www.virustot...46/information/
8.254.218.142: https://www.virustot...42/information/
___

Exploit kits... change tactics
- https://isc.sans.edu...l?storyid=20391
Last Updated: 2015-11-19 - "... computers directed to an EK? It often happens through compromised websites. Threat actors compromise legitimate websites, and pages from these compromised servers have injected script that connects the user's computer to an EK server. This happens behind the scenes, and the user is unaware... Threat actors often use another server as a gate between the compromised website and the EK server. I often call it a "redirect" because it redirects traffic from a compromised website to the EK... The gate is most often another compromised website. Less often, the gate is a dedicated server established by the threat actor. At times, threat actors have used Pastebin or a URL shortener like goo.gl as the gate. In some cases, you might find a second or -third- gate before you get to the EK... All of this is transparent to the unsuspecting user. Fortunately, many security professionals study EK traffic. Specific trends are quickly identified, security professionals share the data, and automated detection is usually available within a day or two. Threat actors know this. Criminals occasionally change tactics in how they direct traffic from compromised websites to their EK servers. For example, earlier this week I noticed a change by an actor using Rig EK. On Monday 2015-11-16, this threat actor was using a distinct gate path. By Wednesday 2015-11-18, the gate patterns had distinctly changed... On Monday 2015-11-16, this actor was using two gates between the compromised website and Rig EK...
> https://isc.sans.edu...ry-image-01.jpg
On Wednesday 2015-11-18, the same actor had switched to a single gate. These single gates appeared to be hosted on -other- compromised websites...
> https://isc.sans.edu...ry-image-02.jpg
... The first group of Rig EK intercept came from Monday 2015-11-16. The second group came from Wednesday 2015-11-18. Although I could not identify this actor, the traffic represents the -same- criminal group. I'm basing my assessment on the malware payload. Each payload exhibited the -same- behavior on both occasions... I saw Rig EK and the same post-infection traffic after viewing -more- compromised websites on Wednesday 2015-11-18. You'll find the compromised legitimate website, followed by a single gate. Rig EK was on 46.40.46.146 using the domains ftg .askgreatquestions .com, ghf .askmoregetmore .com -or- erf .closelikeapro .com. Post-infection traffic was seen on 62.76.42.21 using the domain alohajotracks .com, just like we saw before on Monday... I've seen a wide variety of paths from compromised websites to an EK server, so this isn't a comprehensive review on the topic.  This is just one example. Don't get me started on -malvertizing- which is a much more complicated chain of events..."
(More detail at the isc URL at the top.)

46.40.46.146: https://www.virustot...46/information/

62.76.42.21: https://www.virustot...21/information/
 



Edited by AplusWebMaster, 19 November 2015 - 11:22 AM.

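Added example, not from the ISC diary or from this thread: the Referer-chain walk a responder would run over proxy logs to get from a Rig EK hit back to the gate and to the compromised legitimate site, which is the chain the diary describes. The log lines are constructed for the example (fields: timestamp, client, method, URL, Referer); the EK host names and the post-infection host are the ones the diary quotes, while `www.example-compromised.com` and `gate-site.example.net` are invented placeholders for the compromised site and the gate.

```python
"""Reconstruct compromised site -> gate(s) -> exploit kit chains from HTTP
proxy logs by walking Referer headers backwards, as the ISC diary above
describes for Rig EK. Log lines are constructed for this example; the EK and
post-infection host names are the ones the diary quotes."""
from urllib.parse import urlsplit

EK_HOSTS = {"ftg.askgreatquestions.com", "ghf.askmoregetmore.com", "erf.closelikeapro.com"}
POST_INFECTION_HOSTS = {"alohajotracks.com"}

# Constructed log: timestamp client method url referer ("-" = none).
LOG = """\
2015-11-18T10:01:02 10.0.0.5 GET http://www.example-compromised.com/news/article.html -
2015-11-18T10:01:02 10.0.0.5 GET http://www.example-compromised.com/js/jquery.js http://www.example-compromised.com/news/article.html
2015-11-18T10:01:03 10.0.0.5 GET http://gate-site.example.net/wp-content/uploads/g.js http://www.example-compromised.com/news/article.html
2015-11-18T10:01:04 10.0.0.5 GET http://ftg.askgreatquestions.com/?q=Bg6tNjkaysmB http://gate-site.example.net/wp-content/uploads/g.js
2015-11-18T10:01:07 10.0.0.5 GET http://ftg.askgreatquestions.com/index.php?k=9f3a http://ftg.askgreatquestions.com/?q=Bg6tNjkaysmB
2015-11-18T10:01:20 10.0.0.5 POST http://alohajotracks.com/g.php -
2015-11-18T10:02:00 10.0.0.9 GET http://www.example-compromised.com/news/article.html -
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer = line.split()
        rows.append({"ts": ts, "client": client, "method": method,
                     "url": url, "referer": None if referer == "-" else referer})
    return rows


def host(url):
    return (urlsplit(url).hostname or "").lower()


def referer_chain(index, client, url, max_hops=10):
    """Walk url -> referer -> referer ... for one client; returns root-first URLs."""
    chain, seen, cur = [url], {url}, url
    for _ in range(max_hops):
        ref = index.get((client, cur))
        if ref is None or ref in seen:      # top of chain, or a referer loop
            break
        chain.append(ref)
        seen.add(ref)
        cur = ref
    return chain[::-1]


def ek_chains(rows):
    """One chain per client that reached an EK host: compromised site, gates, EK."""
    index = {(r["client"], r["url"]): r["referer"] for r in rows}
    results, done = [], set()
    for r in rows:
        if host(r["url"]) not in EK_HOSTS or r["client"] in done:
            continue
        done.add(r["client"])
        hosts = []
        for u in referer_chain(index, r["client"], r["url"]):
            if not hosts or hosts[-1] != host(u):   # collapse same-host hops
                hosts.append(host(u))
        results.append({"client": r["client"], "compromised_site": hosts[0],
                        "gates": hosts[1:-1], "ek": hosts[-1]})
    return results


def infected_clients(rows):
    """Clients whose EK contact was followed by traffic to a post-infection host."""
    ek_seen, infected = set(), set()
    for r in rows:
        h = host(r["url"])
        if h in EK_HOSTS:
            ek_seen.add(r["client"])
        elif h in POST_INFECTION_HOSTS and r["client"] in ek_seen:
            infected.add(r["client"])
    return infected


if __name__ == "__main__":
    rows = parse_log(LOG)
    for c in ek_chains(rows):
        print(f"{c['client']}: {c['compromised_site']} -> {' -> '.join(c['gates'])} -> {c['ek']}")
    print("post-infection traffic from:", sorted(infected_clients(rows)))
```

The walk stops at the first request with no Referer, which is the page the user actually visited; everything between that and the EK host is a gate, and a second or third gate shows up as extra hosts in the middle of the list. Client 10.0.0.9 hit the same compromised page but never reached the EK, which is the "conditional" behaviour responders should expect when they try to reproduce a chain.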


#1593 AplusWebMaster


Posted 20 November 2015 - 05:59 AM

FYI...

Fake 'transfer' SPAM - malicious attachment
- http://blog.dynamoo....rre-kibung.html
20 Nov 2015 - "This spam looks like an advance fee fraud, but instead it comes with a malicious attachment. The email appears to originate from within the victim's own domain, but this is a simple -forgery- and does -not- mean that you have been hacked.
    From:    Jean Pierre Kibungu [jpie.kibungu@ victimdomain]
    Date:    20 November 2015 at 09:56
    Subject:    0150363108788101_02416060_1.xls
    Please find attached the swift of the transfer of $30000.
    Kind regards
    Jean Pierre Kibungu
    INCAT
    JEAN PIERRE KIBUNGU AVAR-DA-VISI
    GENERAL MANAGER
    INCAT OILFIELD LOGISTICS (DRC) LTD
    Site:
    Mob: + 243 998 01 95 01
    Headoffice:
    Tel.  +44(0) 1534 758859
    Fax: +44(0) 1534 758834


The telephone number does match that of a genuine company in Jersey, but they are -not- sending this spam. The attachment is named 0150363108788101_02416060_1.xls and so far I have seen just one version of this with a VirusTotal detection rate of 4/53*. It contains this malicious macro...
UPDATE: Sources tell me there are at least two variants with download locations of:
betterimpressions .com/~impressions/65y3fd23d/87i4g3d2d2.exe
192.186.227.64 /~irma1026/65y3fd23d/87i4g3d2d2.exe
This has an MD5 of d410a45dc4710ea0d383dee81fbbcb6f and a VirusTotal detection rate of 4/52**. According to that VirusTotal report and this Malwr report***, it makes a network connection to:
157.252.245.32 (Trinity College, US)
I strongly recommend that you -block- traffic to that IP."
* https://www.virustot...sis/1448014325/

** https://www.virustot...sis/1448014994/
TCP connections
157.252.245.32: https://www.virustot...32/information/
88.221.14.145: https://www.virustot...45/information/

*** https://malwr.com/an...DQ2ODJjZDY2MGM/

- http://myonlinesecur...dsheet-malware/
20 Nov 2015 - "... The email looks like:
    Please find attached the swift of the transfer of $30000.
    Kind regards
    Jean Pierre Kibungu ...


20 November 2015 : 0150363108788101_02416060_1.xls - Current Virus total detections 4/53*
... Analysis of this is pending but is almost certain to be a Dridex banking malware downloader... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1448011659/
___

Fake 'Reprint Document' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
20 Nov 2015 - "A concurrent malspam run involving malicious word docs is an email with the subject of 'Reprint Document archive' pretending to come from tracey.beedles@ eurocarparts .com with a malicious word doc attachment is another one from the current bot runs... The email simply says:
    Attached is a Print Manager form.
    Format = Word Document Format File (DOC)


20 November 2015 : pmB3A6.doc - Current Virus total detections 4/53*
This also downloads the same Dridex malware from a -different- location  irisbordados .com/65y3fd23d/87i4g3d2d2.exe than I saw in the other malspam run**... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1448020152/

** http://myonlinesecur...dsheet-malware/

- http://blog.dynamoo....nt-archive.html
20 Nov 2015 - "... if you look at the Hybrid Analysis report* and others, the executable masquerades as mbar.exe / Malwarebytes Anti-Rootkit. The payload is most likely to be the Dridex banking trojan.
Screenshot: https://4.bp.blogspo...0/fake-mbar.png
... Recommended blocklist:
157.252.245.32
89.32.145.12
"
* https://www.hybrid-a...environmentId=1
 



Edited by AplusWebMaster, 20 November 2015 - 09:01 AM.

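Added example, not the bloggers' own tooling: the indicators in this post and the earlier ones are defanged with spaces ("http ://", "irisbordados .com", "192.186.227.64 /~irma1026/..."), so here is a refang-and-match script in Python that turns the download URLs and blocklist IPs into normalized indicators and scans proxy log lines for them. The IOC lines are copied from the posts above; the proxy log lines are constructed for the example, and the log format (timestamp, client, destination IP, host, method, URL, status) is an assumption you would adapt to your own proxy.

```python
"""Refang the defanged indicators quoted in the posts above ("http ://",
"www .x .com", "1.2.3.4 /path") and match them against proxy logs.
Indicator lines are copied from the posts; the log lines are constructed."""
import re
from urllib.parse import urlsplit

IOC_TEXT = """
betterimpressions .com/~impressions/65y3fd23d/87i4g3d2d2.exe
192.186.227.64 /~irma1026/65y3fd23d/87i4g3d2d2.exe
irisbordados .com/65y3fd23d/87i4g3d2d2.exe
http ://iraqiairways .co.uk/h64gf3/89j6cx.exe
157.252.245.32
89.32.145.12
kompuser .com
"""

# Constructed proxy log: ts client dst_ip host method url status
LOG = """\
2015-11-20T09:58:01 10.0.0.12 104.16.1.1 cdn.example-ok.com GET http://cdn.example-ok.com/lib.js 200
2015-11-20T09:58:05 10.0.0.12 192.186.227.64 192.186.227.64 GET http://192.186.227.64/~irma1026/65y3fd23d/87i4g3d2d2.exe 200
2015-11-20T09:58:09 10.0.0.12 157.252.245.32 157.252.245.32 POST http://157.252.245.32/ 200
2015-11-20T10:02:00 10.0.0.31 5.5.5.5 irisbordados.com GET http://irisbordados.com/index.html 200
2015-11-20T10:03:00 10.0.0.40 93.184.216.34 www.example.com GET http://www.example.com/ 200
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(s):
    """Undo the space/bracket defanging used in the posts."""
    s = s.strip()
    s = re.sub(r"h(?:xx|tt)p(s?)\s*:\s*//", r"http\1://", s, flags=re.I)   # "http ://", "hxxp://"
    s = re.sub(r"\s*\[\.\]\s*|\s*\(\.\)\s*|\s+\.\s*", ".", s)              # "a .b", "a[.]b", "a(.)b"
    s = re.sub(r"\s+/", "/", s)                                             # "1.2.3.4 /path"
    return s


def parse_iocs(text):
    iocs = {"urls": set(), "url_hosts": set(), "ips": set(), "domains": set()}
    for raw in text.splitlines():
        s = refang(raw)
        if not s:
            continue
        if "/" in s:                                   # a download URL
            if not re.match(r"^[a-z]+://", s, re.I):
                s = "http://" + s
            iocs["urls"].add(s)
            h = urlsplit(s).hostname
            (iocs["ips"] if IP_RE.match(h) else iocs["url_hosts"]).add(h)
        elif IP_RE.match(s):                           # C2 / blocklist address
            iocs["ips"].add(s)
        else:                                          # bare domain
            iocs["domains"].add(s.lower())
    return iocs


def scan(log_text, iocs):
    """Return hits as dicts. 'url' is an exact download-URL match; 'url_host' is only
    the host of such a URL (usually a compromised legitimate site, so lower fidelity)."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        _ts, client, dst_ip, host, _method, url, _status = line.split()
        host = host.lower()
        if dst_ip in iocs["ips"]:
            hits.append({"line": n, "client": client, "kind": "ip", "indicator": dst_ip})
        if url in iocs["urls"]:
            hits.append({"line": n, "client": client, "kind": "url", "indicator": url})
        elif host in iocs["url_hosts"]:
            hits.append({"line": n, "client": client, "kind": "url_host", "indicator": host})
        if host in iocs["domains"] or any(host.endswith("." + d) for d in iocs["domains"]):
            hits.append({"line": n, "client": client, "kind": "domain", "indicator": host})
    return hits


if __name__ == "__main__":
    for h in scan(LOG, parse_iocs(IOC_TEXT)):
        print(f"line {h['line']}: {h['client']} {h['kind']:8} {h['indicator']}")
```

A client that shows both a `url` hit on the dropper path and an `ip` hit on the C2 address a few seconds later (10.0.0.12 here) has almost certainly run the macro; a lone `url_host` hit (10.0.0.31) is just someone browsing a site that was abused as a download location and needs a look at the full URL before anyone gets reimaged.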


#1594 AplusWebMaster


Posted 22 November 2015 - 03:48 PM

FYI...

relode .com - SPAM...
- http://blog.dynamoo....nt-part-ii.html
21 Nov 2015 - "Matt Tant and the moron spammers from relode .com are at it again.
    From:    Matt Tant [matthew@ relode .com]
    To:    "donotemail@ wearespammers .com" [donotemail@ wearespammers .com]
    Date:    21 November 2015 at 22:40
    Subject:    Snagajob integration added
    This just in! In addition to our Craigslist and Indeed integrations, we have just pushed an integration with Snagajob! Do you post only on Craigslist, or do you post on multiple job posting sites?...


I've covered these CAN-SPAM busting idiots before*..."
* http://blog.dynamoo....-matt-tant.html
17 Nov 2015
___

- http://centralops.ne...ainDossier.aspx
relode .com
aliases     
addresses
198.185.159.144: https://www.virustot...44/information/
198.185.159.145: https://www.virustot...45/information/
198.49.23.144: https://www.virustot...44/information/
198.49.23.145: https://www.virustot...45/information/
 





#1595 AplusWebMaster


Posted 23 November 2015 - 04:51 AM

FYI...

WordPress + Angler EK = compromise for some...
- https://blog.malware...e-a-year-later/
Nov 23, 2015 - "We are seeing -dozens- of WordPress sites compromised recently with the same malicious code -redirecting- to the Angler exploit kit. The attack involves conditionally embedded large snippets of code at the bottom of the sites’ source page. It is important to stress this is a conditional injection because webmasters trying to identify the issue may -not- see it unless they browse from a fresh IP address and a particular user-agent (Internet Explorer being the most likely to get hit)... The -rogue- code loads a Flash video file from a -suspicious- top-level domain name such as .ga, .tk or .ml which is used to -redirect- visitors to the Angler exploit kit. This is the same attack pattern we documented over a year ago (Exposing the Flash ‘EITest’ malware campaign*)... The latest WordPress version is 4.3.1. This particular ‘EITest campaign’ never actually stopped and saw an increase in the last few months which has been sustained up until now... Angler EK exploits Flash Player... If your WordPress site has been affected, keep in mind that the malicious injected code is just part of the symptoms from having your site hacked. It’s important to identify backdoors, .htaccess modifications as well as the original entry point, by looking at your access and error logs..."
* https://blog.malware...lware-campaign/

Latest Wordpress: https://wordpress.or...ordpress-4-3-1/

Latest Flash: https://helpx.adobe..../apsb15-28.html
___

Fake 'Employee Documents' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
23 Nov 2015 - "An email with the subject of 'Employee Documents Internal Use' pretending to come from HR at your own email domain or company with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    DOCUMENT NOTIFICATION, Powered by NetDocuments
    DOCUMENT NAME: Employee Documents
    DOCUMENT LINK: [Link removed]
    This message may contain information that is privileged and confidential. If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.


23 November 2015: Employee Documents(1928).xls - Current Virus total detections 4/54*  
... Connects to and downloads kunie .it/u654g/76j5h4g.exe. It is very likely that the downloaded malware will be Dridex banking malware, although some antiviruses are indicating a -cryptowall- ransomware (VirusTotal 6/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1448270398/

** https://www.virustot...sis/1448270247/
TCP connections
89.108.71.148: https://www.virustot...48/information/
90.84.59.51: https://www.virustot...51/information/

- http://blog.dynamoo....-documents.html
23 Nov 2015 - "... Attached is a file Employee Documents(1928).xls ... sources tell me that there are -three- different versions downloading from the following locations:
kunie .it/u654g/76j5h4g.exe
oraveo .com/u654g/76j5h4g.exe
www .t-tosen .com/u654g/76j5h4g.exe
The downloaded binary has a detection rate of just 1/54*. That VirusTotal report and this Hybrid Analysis report** show network connections to the following IPs:
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
157.252.245.32 (Trinity College Hartford, US)
The payload is probably the Dridex banking trojan...
Recommended blocklist:
89.108.71.148
89.32.145.12
157.252.245.32
"
* https://www.virustot...sis/1448276542/
TCP connections
89.108.71.148: https://www.virustot...48/information/
8.254.218.126: https://www.virustot...26/information/

** https://www.hybrid-a...environmentId=1
___

Fake 'UKMail tracking' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
23 Nov 2015 - "An email with the subject of 'UKMail 988271023 tracking information' pretending to come from no-reply@ ukmail .com with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    UKMail Info!
    Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
    Please view the information about your parcel, print it and go to the post office to receive your package.
    Warranties
    UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service...


23 November 2015: 988271023-PRCL.doc - Current Virus total detections 4/54*
... Connects to & downloads an updated Dridex banking malware from
xsnoiseccs .bigpondhosting .com/u654g/76j5h4g.exe (VirusTotal 3/56**)...  DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1448280511/

** https://www.virustot...sis/1448282238/
TCP connections
89.108.71.148: https://www.virustot...48/information/
23.62.99.136: https://www.virustot...36/information/

- http://blog.dynamoo....3-tracking.html
23 Nov 2015 - "... The attachment is named 988271023-PRCL.doc ... This binary has a VirusTotal detection rate of 5/54*. That VirusTotal report plus this Hybrid Analysis report** and Malwr report*** indicate malicious traffic... The payload is likely to be the Dridex banking trojan...
Recommended blocklist:
"
* https://www.virustot...sis/1448285502/

** https://www.hybrid-a...environmentId=1

*** https://malwr.com/an...jM0ZDM2NmFhM2I/
___

Dyreza trojan evolves for Win10
- http://www.itnews.co...ndows-10-412101
Nov 23 2015 - "Notorious banking trojan Dyreza has evolved to target the Windows 10 operating system, according to cyber-security firm Heimdal*. The new feature of this pernicious strain of malware includes support for Windows 10, so cyber-criminals can stay up to date with the developments of their prey, as well as the ability to latch on to Microsoft Edge, Windows 10's replacement for the much-maligned Internet Explorer. Heimdal also noted that this new version of Dyreza “kills a series of processes linked to endpoint security software, in order to make its infiltration in the system faster and more effective”. Nearly 100,000 machines have apparently been infected by Dyreza worldwide, and Dyreza strains have been developed for just about every kind of Windows operating system in recent memory, including Windows 7 through 10 as well as Windows Server 2003 and Vista... Occasionally known as -Dyre-, this particular trojan digs itself right into a user's browser. From there, it directs users to modified versions of otherwise legitimate webpages. If Dyreza is installed on a computer, it might steal online banking details as a user logs into what they think is a normal online -banking- webpage. It commonly spreads itself in large swathes of phishing emails in a tactic known as 'spray and pray'. But once Dyreza does hit a target, it collects users' data and becomes part of a botnet, allowing the attacker to receive the critical information from many users... The research also notes that this new strain arrives just in time for the holidays, with Christmas, Thanksgiving and, more importantly, Black Friday, the US's post-Thanksgiving shopping event, just around the corner..."
* https://heimdalsecur...indows-10-edge/
___

Cybercriminal Underground - 2015
- https://www.trendmic...ground-in-2015/
Nov 23, 2015 - "... Data leaked in the underground allows cybercriminals to commit various crimes like financial fraud, identity and intellectual property theft, espionage, and extortion. Chinese cybercriminals have managed to enhance the way they share data, as seen in the case of SheYun, a search engine created specifically to make leaked data available to users. Over the last few years, we have been keeping track of the shift of prices of goods and services traded in the Chinese underground. Previously, we saw compromised hosts, DDoS attack tools and services, and remote access Trojans (RATs) being sold. Today, social engineering tools have been added to the market.
Carding devices: Cash transactions are slowly becoming a thing of the past, as evidenced by the adoption of electronic and mobile payment means.
• PoS skimmers - Tampered PoS devices are sold to resellers who may or may not know that these devices are rigged. Some PoS skimmers come with an SMS-notification feature that allows the cybercriminal to access the stolen data remotely every time the device is used.
• ATM skimmers – Commonly sold on B2B websites, these fraud-enabling devices allowed fraudsters to carry out bank fraud and actual theft. The devices have keypad overlays that are used to steal victims’ PINs.
• Pocket skimmers – These small, unnoticeable magnetic card readers can store track data of up to 2,048 payment cards. They do not need to be physically connected to a computer or a power supply to work. All captured data can be downloaded onto a connected computer..."
___

PoS malware hit 54 Starwood luxury hotels
- http://net-security....ews.php?id=3158
23.11.2015 - "Starwood Hotels & Resorts, the international hotel chain that owns and operates hotels under the Westin, Sheraton, W Hotels, St. Regis, and Le Méridien brands, has announced on Friday that point of sale systems at 54 of its hotels in North America have been compromised... They also said that they cannot identify individual affected customers based on the payment card data the company has available, and advised people who stayed at one of their North American properties between November 7, 2014 and June 30, 2015 (for more specific periods of compromise, check out the provided list*), to check their payment card statements to see if they used a card at the hotel(s) during a relevant time period.
* http://www.starwoodh.../Hotel_List.pdf
... They offered no more details about how many customers have had their info compromised, how the breach was discovered, and when. The announcement came four days after Marriott International, another huge hospitality company, announced it would purchase Starwood Hotels & Resorts, thus creating the world's largest hotel company."
** http://www.bizjourna...ood-hotels.html
___

21% of Brits have been hit by cyber gits
- http://www.theinquir...t-by-cyber-gits
Nov 23 2015 - "ACCORDING TO A REPORT from Deloitte*, one in five British people has been the victim of a security breach... The report says that the ongoing explosion in business and consumer data presents an increasingly tempting target for those with evil intent. It warns companies that most consumers expect them to take responsibility for protecting their data. However, it adds that most consumers do not have a clue what that means... 'Our 2015 report found that 84 percent of consumers expect companies to be held responsible for ensuring the security of user data and personal information online'... Deloitte found that two-thirds of punters would pull their personal data out of firms if they could do so easily, while 52 percent are -not- happy with the way their data is used. Only about a third said that they are aware of the fact that their data is taken and used. Thirteen percent were completely clueless on collection. These people are reading the wrong websites..."
* http://www2.deloitte...der-attack.html
Edited by AplusWebMaster, 23 November 2015 - 03:21 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1596 AplusWebMaster
Posted 24 November 2015 - 06:39 AM

FYI...

Fake 'Billing' SPAM - Cryptowall
- http://blog.dynamoo....gstatement.html
24 Nov 2014 - "This -fake- financial spam leads to ransomware:
    From:    Scrimpsher [mumao82462308wd@ 163 .com]
    Date:    24 November 2015 at 16:57
    Subject:    Serafini_Billing_Statement 2003
    Signed by:    163 .com
    Hi Please see attached a copy of your statement for the month of Nov 2015
    Sincerely
    Lynda Ang


As with many recent ransomware attacks, this appears to have been sent through webmail (it really is from 163 .com, it is -not- being spoofed). Attached is a file Statement.zip which contains a malicious javascript statement.js ... [vT 7/53*]  which then downloads a component from:
46.30.45.73 /mert.exe
That IP belongs to Eurobyte LLC in Russia. I recommend that you -block- it. This is saved as %TEMP%\122487254.exe and it has a VirusTotal detection rate of 5/55**... The application's icon and metadata are designed to make it look like a copy of VNC, but instead the VirusTotal detection indicates that it is Cryptowall. This Hybrid Analysis report*** demonstrates the ransomware in action most clearly..."
> https://2.bp.blogspo.../cryptowall.png
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1448391057/

** https://www.virustot...sis/1448390921/

*** https://www.hybrid-a...environmentId=1

46.30.45.73: https://www.virustot...73/information/

- http://centralops.ne...ainDossier.aspx
163 .com
aliases     
addresses
123.58.180.8: https://www.virustot....8/information/
123.58.180.7: https://www.virustot....7/information/
___

Fake 'Scan' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
24 Nov 2015 - "An email with the subject of 'Scan as requested' pretending to come from Melissa O’Neill <adminoldbury@ newhopecare .co.uk> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ed-1024x718.png

24 November 2015: 20151009144829748.doc - Current Virus total detections 5/53*
... Downloads Dridex banking malware from
http ://afrodisias .com .tr/7745gd/4dgrgdg.exe (VirusTotal 4/55**)
Update: other download locations discovered include
www .costa-rica-hoteles-viajes .com/~web/7745gd/4dgrgdg.exe and janaduchanova .wz .cz/7745gd/4dgrgdg.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1448358595/

** https://www.virustot...sis/1448359094/
TCP connections
89.108.71.148: https://www.virustot...48/information/
88.221.14.130: https://www.virustot...30/information/

- http://blog.dynamoo....ed-melissa.html
24 Nov 2015 - "... This has a VirusTotal detection rate of 4/55*. That VT analysis and this Malwr analysis** and these two Hybrid Analysis reports [1] [2] show network traffic to:
157.252.245.32 (Trinity College Hartford, US)
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)
88.86.117.153 (SuperNetwork, Czech Republic) ...
Recommended blocklist:
157.252.245.32
89.108.71.148
89.32.145.12
88.86.117.153
"
* https://www.virustot...sis/1448361171/
TCP connections
89.108.71.148: https://www.virustot...48/information/
88.221.14.130: https://www.virustot...30/information/

** https://malwr.com/an...DA5NGFiYzQzYTE/

1] https://www.hybrid-a...environmentId=1

2] https://www.hybrid-a...environmentId=1
___

Fake 'FED Wire' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
24 Nov 2015 - "The second batch of malspam today using malicious office docs with macros is an email with the subject of 'IMPORTANT. FDIC. FED Wire and ACH Restrictions' pretending to come from FDIC, Federal Reserve Bank <administration@ usfederalreservebank .com> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...estrictions.png

24 November 2015: aes_E851174777E.xls - Current Virus total detections 3/56*  
The MALWR analysis shows us that it downloads various files from a combination of http ://rmansys .ru/utils/inet_id_notify.php and http ://s01.yapfiles .ru/files/1323961/435323.jpg.
The only file I get that is malicious is test.exe, which looks like it was -renamed- from the 435323.jpg on download by the macro inside this office doc (VirusTotal 5/56**). I am unsure what malware this actually is, but it doesn't look like it is Dridex... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1448364813/

** https://www.virustot...sis/1448365505/
TCP connections
89.108.101.61: https://www.virustot...61/information/
90.156.241.111: https://www.virustot...11/information/
217.197.126.52: https://www.virustot...52/information/

- http://blog.dynamoo....serve-bank.html
24 Nov 2015 - "This spam does -not- come from the Federal Reserve Bank, but is instead a simple -forgery- with a malicious attachment... According to this Malwr report[1] it drops all sorts of files including _iscrypt.dll [VT 0/54*] and 2.exe [VT 2/54**] which is analysed in this Malwr report[2] and this Hybrid Analysis report[3]. It is unclear as to what it does (ransomware? remote access trojan?), but it appears that the installation may be password protected...
Recommended blocklist:

UPDATE: This Hybrid Analysis report[4] shows various web pages popping up from the Excel spreadsheet, including MSN and Lidl. The purpose of this is unknown."
* https://www.virustot...sis/1448378403/

** https://www.virustot...sis/1448378422/

1] https://malwr.com/an...WU5NmM1NTk3MzQ/

2] https://malwr.com/an...TA2MWE0MTAwM2Y/

3] https://www.hybrid-a...environmentId=1

4] https://www.hybrid-a...nvironmentId=1]
___

Fake 'Abcam Despatch' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
24 Nov 2015 - "The 3rd set today of malspam emails using malicious office docs is an email with the subject of 'Abcam Despatch [CCE5303255]' pretending to come from orders@ abcam .com with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ch-1024x550.png

24 November 2015: invoice_1366976_08-01-13.xls - Current Virus total detections 6/56*
... which is actually a zip file that when extracted gives you -several- docs or xls files [1] [2] [3] [4] [5] [6]. MALWR analysis of some of them shows that they contact & download Dridex banking malware from these locations amongst others:
http ://janaduchanova .wz.cz/7745gd/4dgrgdg.exe  (VirusTotal 1/55**)
http ://afrodisias.com .tr/7745gd/4dgrgdg.exe
http ://www.costa-rica-hoteles-viajes .com/~web/7745gd/4dgrgdg.exe
http ://biennalecasablanca .ma/7745gd/4dgrgdg.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1448365689/

1] https://www.virustot...sis/1448365924/

2] https://www.virustot...sis/1448366059/

3] https://www.virustot...sis/1448366422/

4] https://www.virustot...sis/1448366042/

5] https://www.virustot...sis/1448366042/

6] https://www.virustot...sis/1448361214/

** https://www.virustot...sis/1448365319/
TCP connections
89.108.71.148: https://www.virustot...48/information/
191.234.4.50: https://www.virustot...50/information/

- http://blog.dynamoo....cce5303255.html
24 Nov 2015 - "... The attachment name is invoice_1366976_08-01-13.xls ... This binary has a detection rate of 2/55* and phones home to the following IPs (according to this**):
157.252.245.32 (Trinity College Hartford, US)
89.108.71.148 (Agava Ltd, Russia)
89.32.145.12 (Elvsoft SRV, Romania / Coreix, UK)..
Recommended blocklist:
157.252.245.32
89.108.71.148
89.32.145.12
"
* https://www.virustot...sis/1448369154/
TCP connections
89.108.71.148: https://www.virustot...48/information/
191.234.4.50: https://www.virustot...50/information/

** https://www.hybrid-a...environmentId=1
Edited by AplusWebMaster, 24 November 2015 - 01:54 PM.


#1597 AplusWebMaster
Posted 25 November 2015 - 06:49 AM

FYI...

Fake Paypal PHISH
- http://myonlinesecur...opped-phishing/
25 Nov 2015 - "There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card, with a message saying something like:
• Urgent: Your card has been stopped !
• There have been unauthorised or suspicious attempts to log in to your account, please verify
• Your account has exceeded its limit and needs to be verified
• Your account will be suspended !
• You have received a secure message from < your bank>
• We are unable to verify your account information
• Update Personal Information
• Urgent Account Review Notification
• We recently noticed one or more attempts to log in to your PayPal account  from a foreign IP address
• Confirmation of Order
The original email looks like this. It will NEVER be a genuine email from PayPal or your bank, so don't ever follow the links or fill in the HTML (webpage) form that comes attached to the email.

Screenshot1: http://myonlinesecur...ed-1024x675.png

Screenshot2: http://myonlinesecur...te-1024x531.png

If you fill in the email address and password you get:
Screenshot3: http://myonlinesecur..._2-1024x519.png
... Which is a typical phishing page that looks very similar to a genuine PayPal update page, if you don't look carefully at the URL in the browser address bar. This one wants your personal details, your PayPal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, Facebook and other social network log in details... All of these emails use social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."
___

Fake 'NatWest' phish
- http://myonlinesecur...twest-phishing/
25 Nov 2015 - "An email with the subject of 'Service status – NatWest' pretending to come from NatWest <natwest@ bt .net> is one of the phishing scams I have seen today... it is worth mentioning because it combines 2 different approaches. 1st it has a link in the body of the email and 2nd it attaches a html page inviting you to open it... Any Natwest customer would or should know that emails would -never- come from natwest@ bt .net but hundreds of recipients will still click-on-the-link or open the html page because it is there & they ain’t thinking right and they -always- click on every email they get...

Screenshot: http://myonlinesecur...st-1024x631.png
The link in this case goes to http ://www .voyageitalie .com/N/n.html which -redirects- to: http ://www .paragonpakistan .pk/site/home/
The attached html file simply says <META HTTP-EQUIV="Refresh" CONTENT="0; url= http ://www .voyageitalie .com/N/n.html"> so sending you to the site which looks like:
> http://myonlinesecur...e-1024x1014.png
... All of these emails use Social engineering tricks to persuade you to open-the-attachments that come with the email or click-the-link in the email..."
___

DRIDEX SPAM ...
- http://blog.trendmic...nst-us-targets/
Nov 25, 2015
Distribution of victims, October 13 to November 23
> https://blog.trendmi...dex-chart-2.jpg
Spam used to spread DRIDEX - 1
> https://blog.trendmi...surrects_06.jpg
Spam used to spread DRIDEX - 2
> https://blog.trendmi...surrects_07.jpg
"... DRIDEX botnets that have been around as early as August 2014... development further validates previous findings that the DRIDEX botnet was -not- totally taken down..."
___

Security Bug in Dell PCs shipped since August 2015
- http://krebsonsecuri...pped-since-815/
Nov 24, 2015 - "All new Dell laptops and desktops shipped since August 2015 contain a serious security vulnerability that exposes users to online eavesdropping and malware attacks. Dell says it is prepping a fix for the issue... Dell says the eDellRoot certificate was installed on all new desktop and laptops shipped from August 2015 to the present day. According to the company, the certificate was intended to make it easier for Dell customer support to assist customers in troubleshooting technical issues with their computers..."

malware samples signed by eDellRoot
- http://myonlinesecur...d-by-edellroot/
25 Nov 2015

Dell Windows Systems Pre-Installed TLS Root CA
- https://isc.sans.edu...l?storyid=20411
Last Updated: 2015-11-24

Response - eDellroot Certificate / Dell Corporate blog
- http://en.community....oot-certificate
23 Nov 2015

Dell Computers Contain CA Root Certificate Vulnerability
- https://www.us-cert....e-Vulnerability
Nov 24, 2015

>> http://arstechnica.c...s-removal-tool/
Nov 24, 2015
___

Ransomware safety tips - online retailers
- http://net-security....ews.php?id=3162
25.11.2015 - "Cybercriminals have developed a destructive new form of ransomware that targets online retailers. They scan websites for common vulnerabilities and use them to install malware that encrypts key files, images, pages and libraries, as well as their backups. The criminals behind these attacks then hold them hostage, and website operators must pay a ransom in anonymous cryptocurrency to unlock the files..."
(More at the URL above.)
___

FBI has lead in probe of 1.2 billion stolen Web credentials: documents
- http://www.reuters.c...N0TD2YN20151124
Nov 24, 2015 - "A hacker who once advertised having access to user account information for websites like Facebook (FB.O) and Twitter (TWTR.N) has been linked through a Russian email address to the theft of a record 1.2 billion Internet credentials, the FBI said in court documents. That hacker, known as "mr.grey," was identified based on data from a cybersecurity firm that announced in August 2014 that it had determined an alleged Russian crime ring was responsible for stealing information from more than 420,000 websites, the documents said. The papers, made public last week by a federal court in Milwaukee, Wisconsin, provide a window into the Federal Bureau of Investigation's probe of what would amount to the largest collection of stolen user names and passwords.
The court papers were filed in support of a search warrant the FBI sought in December 2014 and that was executed a month later related to email records. The FBI investigation was prompted by last year's announcement by Milwaukee-based cybersecurity firm Hold Security that it obtained information that a Russian hacker group it dubbed -CyberVor- had stolen the 1.2 billion credentials and more than 500 million email addresses. The FBI subsequently found lists of domain names and utilities that investigators believe were used to send spam, the documents said.
The FBI also discovered an email address registered in 2010 contained in the spam utilities for a "mistergrey," documents show. A search of Russian hacking forums by the FBI found posts by a "mr.grey," who in November 2011 wrote that if anyone wanted account information for users of Facebook, Twitter and Russian-based social network VK, he could locate the records. Alex Holden, Hold Security's chief information security officer, told Reuters this message indicated mr.grey likely operated or had access to a database that amassed stolen data from computers via malware and viruses.
Facebook and Twitter declined comment. The FBI declined to comment, and U.S. Justice Department had no immediate comment. The probe appears to be distinct from another investigation linked to Hold Security's reported discovery that 420,000 websites, including one for a JPMorgan Chase & Co (JPM.N) corporate event, were -targeted- by the Russian hackers. In a case spilling out of the discovery of the JPMorgan breach, U.S. prosecutors this month charged three men with engaging in a cyber-criminal enterprise that stole personal information from more than 100 million people. Prosecutors accused two Israelis, Gery Shalon and Ziv Orenstein, and one American, Joshua Samuel Aaron, of being involved in a variety of schemes fueled by hacking JPMorgan and 11 other companies. An indictment in Atlanta federal court against Shalon and Aaron names as a defendant an unidentified hacker believed to be in Russia."
> http://www.nytimes.c...redentials.html
Edited by AplusWebMaster, 25 November 2015 - 01:29 PM.
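A defender-side check for the two tricks described in the PayPal and NatWest phishing posts above: an instant META refresh in an attached HTML page, and an attached HTML form that collects credentials. This is an added Python example, not code from the original post or its sources; the sample attachments and hostnames are constructed placeholders.

```python
"""Flag HTML e-mail attachments that redirect immediately or harvest credentials.

A mail gateway or triage script can run scan_html_attachment() over every
text/html attachment and quarantine the message on any finding.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a one-line attachment like the one in the NatWest post,
# with a placeholder host instead of the real redirect target.
SAMPLE_REDIRECT = (
    '<META HTTP-EQUIV="Refresh" CONTENT="0; url= http://redirect.example/N/n.html">'
)

# Constructed sample: a PayPal-style "update your details" form attached to
# an e-mail, posting to a placeholder collector host.
SAMPLE_FORM = """<html><body>
<form method="post" action="http://collector.example/login.php">
  <input type="text" name="email">
  <input type="password" name="passwd">
  <input type="text" name="cardnumber">
  <input type="submit" value="Update">
</form></body></html>"""

# "0; url=http://..." with optional quotes and whitespace around the URL.
REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?\s*(\S+?)['\"]?\s*$", re.I)

# Field-name fragments that indicate a credential or payment-card form.
CREDENTIAL_FIELDS = ("pass", "pwd", "card", "cvv", "pin", "ssn", "sort", "account")


class AttachmentScanner(HTMLParser):
    """Collect (kind, host, detail) findings while parsing one HTML document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._form_action = None   # action of the <form> currently open, if any
        self._form_fields = []     # (type, name) of inputs seen inside it

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_RE.match(a.get("content", ""))
            if m:
                delay, url = int(m.group(1)), m.group(2)
                host = urlparse(url).hostname or url
                self.findings.append(("meta_refresh", host, delay))
        elif tag == "form":
            self._form_action = a.get("action", "")
            self._form_fields = []
        elif tag == "input" and self._form_action is not None:
            self._form_fields.append(
                (a.get("type", "text").lower(), a.get("name", "").lower())
            )

    def handle_endtag(self, tag):
        if tag == "form" and self._form_action is not None:
            sensitive = [
                name for typ, name in self._form_fields
                if typ == "password" or any(k in name for k in CREDENTIAL_FIELDS)
            ]
            if sensitive:
                host = urlparse(self._form_action).hostname or "(relative)"
                self.findings.append(("credential_form", host, tuple(sensitive)))
            self._form_action = None


def scan_html_attachment(html):
    """Return a list of findings; an empty list means nothing suspicious."""
    parser = AttachmentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for label, sample in (("redirect", SAMPLE_REDIRECT), ("form", SAMPLE_FORM)):
        print(label, "->", scan_html_attachment(sample))
```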


#1598 AplusWebMaster
Posted 26 November 2015 - 08:51 AM

FYI...

Fake 'Payment' SPAM - leads to Dridex
- http://blog.dynamoo....-to-dridex.html
26 Nov 2015 - "I have only seen one version of this -spam- message so far:
    From:    Basia Slater [provequipmex@ provequip .com .mx]
    Date:    26 November 2015 at 12:00
    Subject:    GVH Payment
    I hope you had a good weekend.
    Please check the payment confirmation attached to this email. The Transaction should appear on your bank in 2 days.
    Basia Slater
    Accountant
    Comerica Incorporated


This sample had a document name of I654WWFR3C6.doc which has a VirusTotal detection rate of 6/55*, containing this malicious macro... The Malwr report** for this version indicates a download from:
harbourviewnl .ca/jo.jpg?6625
According to that Malwr report, it drops a file YSpq2bkGVIi5yaPcv6667.exe (MD5 6c14578c2b77b1917b3dee9da6efcd56) which has a detection rate of 1/53***. The Hybrid Analysis report[4] and Malwr report[5] for that indicate malicious traffic to:
94.73.155.10 (Telekomunikasyon Anonim Sirketi, Turkey)
199.175.55.116 (VPS Cheap INC, US)
Note that 94.73.155.12 is mentioned in this other Dridex report today[6]; both IPs form part of a small subnet of 94.73.155.8/29 suballocated to one "Geray Timur Akkurt"... an additional download location of:
gofishretail .com/jo.jpg?[4-digit-random-number]
with an additional C2 location of:
113.30.152.170 (Net4india , India)
Recommended blocklist:
94.73.155.8/29
199.175.55.116
113.30.152.170
"
* https://www.virustot...sis/1448541871/

** https://malwr.com/an...jY2MzgyYjhhMWY/

*** https://www.virustot...sis/1448543018/

4] https://www.hybrid-a...environmentId=1

5] https://malwr.com/an...WY0YTQwZTJhYzM/

6] http://blog.dynamoo....t-si528880.html
___

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo....t-si528880.html
26 Nov 2015 - "This -fake- invoice does not come from Hider Food Imports Ltd but is instead a simple -forgery- with a malicious attachment.
    From     Lucie Newlove [lucie@ hiderfoods .co.uk]
    Date     Thu, 26 Nov 2015 16:03:04 +0500
    Subject     Invoice Document SI528880
    Please see attached Invoice Document SI528880 from HIDER FOOD IMPORTS LTD.
    ARE YOU AWARE THAT OUR NEW WEBSITE IS NOW AVAILABLE?
    Please contact our Sales Department for details.
    Hider Food Imports Ltd
    REGISTERED HEAD OFFICE
    Wiltshire Road,
    Hull
    East Yorkshire
    HU4 6PA
    Registered in England  Number : 842813 ...


The attached file is SI528880.xls of which I have seen just one sample with a VirusTotal detection rate of 2/54*, and it contains this malicious macro... which according to this Hybrid Analysis report** downloads a malicious component from:
naceste2.czechian .net/76t89/32898u.exe
This executable has a detection rate of just 1/54*** and... shows network traffic to the following IPs:
94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
8.253.44.158 (Level 3, US)
37.128.132.96 (Memset, UK)
91.212.89.239 (Uzinfocom, Uzbekistan)
185.87.51.41 (Marosnet, Russia)
42.117.2.85 (FPT Telecom Company, Vietnam)
192.130.75.146 (Jyvaskylan Yliopisto, Finland)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
5.63.88.100 (Centr, Kazakhstan)
The payload is probably the Dridex banking trojan...
Recommended blocklist:
"
* https://www.virustot...sis/1448535919/

** https://www.hybrid-a...environmentId=1

*** https://www.virustot...sis/1448537540/
Edited by AplusWebMaster, 26 November 2015 - 10:10 AM.


#1599 AplusWebMaster
Posted 27 November 2015 - 06:59 AM

FYI...

Fake 'Tax Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
27 Nov 2015 - "An email with the subject of 'Aline: Tax Invoice #40525' pretending to come from Bruce Sharpe <bruce@ alinepumps .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:

    Good day, Please find attached Tax Invoice as requested. Many thanks for your call. Bruce Sharpe.

27 November 2015 : Tax Invoice_40525_1354763307792.doc - Current Virus total detections 0/55*
Malwr Analysis** shows us it downloads Dridex banking malware from
http ://www .alpenblick-beyharting .de/76f6d5/54sdfg7h8j.exe (VirusTotal 1/55***). Other download sites so far discovered include hostingunlimited .co.uk/76f6d5/54sdfg7h8j.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1448615839/

** https://malwr.com/an...TM1ZDU0NjRiYTk/

*** https://www.virustot...sis/1448615736/
TCP connections
94.73.155.12: https://www.virustot...12/information/
8.254.218.126: https://www.virustot...26/information/
___

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo....van-jarman.html
27 Nov 2015 - "This -fake- invoice does not come from Sportsafe UK Ltd but is instead a simple -forgery- with a malicious attachment.
    From     Ivan Jarman [IJarman@ sportsafeuk .com]
    Date     Fri, 27 Nov 2015 17:21:27 +0530
    Subject     Invoice
    Sent 27 NOV 15 09:35
    Sportsafe UK Ltd
    Unit 2 Moorside
    Eastgates
    Colchester
    Essex
    CO1 2TJ
    Telephone 01206 795265
    Fax 01206 795284


I have received several copies of the spam with the same attachment named S-INV-BROOKSTRO1-476006.doc with a VirusTotal detection rate of 1/54* and which contains this malicious macro... This Malwr report** shows the macro downloads from:
kidsmatter2us .org/~parentsm/76f6d5/54sdfg7h8j.exe
The executable has a detection rate of 3/55**. The Hybrid Analysis report*** shows network traffic to:
198.57.243.108 (Unified Layer, US)
94.73.155.12 (Telekomunikasyon Anonim Sirketi, Turkey)
77.221.140.99 (ZAO National Communications / Infobox.ru, Russia)
37.128.132.96 (Memset, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
217.160.110.232 (1&1, Germany)
202.137.31.219 (Linknet, Indonesia)
91.212.89.239 (Uzinfocom, Uzbekistan)
The payload is probably the Dridex banking trojan.
Recommended blocklist:
198.57.243.108
94.73.155.8/29
77.221.140.99
37.128.132.96
37.99.146.27
217.160.110.232
202.137.31.219
91.212.89.239
"

> https://malwr.com/an...zkwNmFkNzkxOGE/

kidsmatter2us .org: 198.57.243.108: https://www.virustot...08/information/
> https://www.virustot...e1683/analysis/

- http://myonlinesecur...rd-doc-malware/
27 Nov 2015
"... 27 November 2015: S-INV-BROOKSTRO1-476006.doc - Current Virus total detections *
... Downloads the 3rd different -Dridex- version that I have seen today from

http ://kidsmatter2us .org/~parentsm/76f6d5/54sdfg7h8j.exe (VirusTotal **)..."
* https://www.virustot...sis/1448627008/

** https://www.virustot...sis/1448627380/
___

Fake 'Transfer' SPAM - malicious attachment
- http://blog.dynamoo....m-services.html
27 Nov 2015 - "This malicious email sample was sent in by a contact (thank you), and contains a malicious attachment:
    From: Integrated Petroleum Services
    Sent: Friday, November 27, 2015 10:24 AM
    Subject: Transfer
    Hello,
    Please find attached the transfer order sent on Friday 27.
    Best Regards
    Hugo


Attached is a file 20151126-291-transfer.xls (VT 1/53*) containing this malicious macro... which (according to this Malwr report**) downloads from:
pathenryiluminacion.i8 .com/76f6d5/54sdfg7h8j.exe
This binary has a VirusTotal detection rate of 3/55***. The payload is the same as found in this spam run[4]."
* https://www.virustot...sis/1448630394/

** https://malwr.com/an...zkwNmFkNzkxOGE/

*** https://www.virustot...sis/1448630483/

4] http://blog.dynamoo....van-jarman.html

64.136.20.56: https://www.virustot...56/information/
> https://www.virustot...d47cc/analysis/
___

Older Dell devices affected by eDellRoot ...
- http://www.computerw...ertificate.html
Nov 26, 2015 - "... Tests performed inside a Windows 10 virtual machine revealed that the DSDTestProvider certificate gets left behind on the system when the Dell System Detect tool is uninstalled... users who want to remove it from their system must do so -manually- after they uninstall DSD. This can be done by pressing the Windows key + r, typing certlm.msc and hitting Run. After allowing the Microsoft Management Console to execute, users can browse to Trusted Root Certification Authorities > Certificates, locate the DSDTestProvider certificate in the list, right click on it and delete it..."

> http://www.dell.com/...en/19/SLN300321

>> https://dellupdater....DellCertFix.exe
___

Holiday Phishing Scams and Malware Campaigns
- https://www.us-cert....lware-Campaigns
Nov 26, 2015 - "... Ecards from unknown senders may contain -malicious- links. Fake advertisements or shipping notifications may deliver -infected- attachments. Spoofed email messages and fraudulent posts on social networking sites may request support for phony causes..."
(More at the us-cert URL above.)

- http://research.zsca...ware-scams.html
Nov 27, 2015 - "... the trend in phishing activity tends to rise with the amount of online shopping traffic, which comes with the added risk of -scammers- taking advantage of a consumer's better judgement..."

Beware the holiday scams coming to your email inbox
- http://www.infoworld...mail-inbox.html
Nov 28, 2015
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 29 November 2015 - 07:41 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
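The reports quoted above print their indicators defanged (a space before each dot and after the scheme) and end with a recommended blocklist that mixes single IPs, a /29 range and download hosts. The following is an added example, not code from either blog: it refangs indicator lines copied from this post, builds a blocklist from them, and checks constructed firewall-style log lines against it. The log lines, the `dst=` field format and the names `refang`, `build_blocklist`, `is_blocked` and `flag_connections` are my own assumptions.

```python
"""Refang the defanged indicators quoted in these reports and match
connection logs against the recommended blocklist.

Added example. The indicator strings in DEFANGED are copied from the post
above (defanged with spaces, as the blog posts print them); the log lines
are constructed for illustration, not real traffic."""
import ipaddress
import re
from urllib.parse import urlparse

# Defanged lines as they appear in the post: "http ://host .tld/path" and
# "94.73.155.8/29". The blogs insert a space before every dot and after
# the scheme so the links are not clickable.
DEFANGED = [
    "http ://kidsmatter2us .org/~parentsm/76f6d5/54sdfg7h8j.exe",
    "pathenryiluminacion.i8 .com/76f6d5/54sdfg7h8j.exe",
    "94.73.155.8/29",
    "198.57.243.108",
]

def refang(indicator: str) -> str:
    """Undo the ' .' / ' ://' defanging used in the quoted reports."""
    return indicator.replace(" ://", "://").replace(" .", ".")

def host_of(indicator: str) -> str:
    """Return the bare host name from a URL or host/path indicator."""
    if "://" not in indicator:
        indicator = "http://" + indicator
    return urlparse(indicator).hostname or ""

def build_blocklist(defanged):
    """Split refanged indicators into IP networks and host names."""
    nets, hosts = [], set()
    for raw in defanged:
        ioc = refang(raw)
        try:
            # A bare IP becomes a /32; a CIDR such as 94.73.155.8/29 is kept.
            nets.append(ipaddress.ip_network(ioc, strict=False))
        except ValueError:
            hosts.add(host_of(ioc).lower())
    return nets, hosts

def is_blocked(dst, nets, hosts) -> bool:
    """True if dst (an IP or a host name) is covered by the blocklist."""
    try:
        ip = ipaddress.ip_address(dst)
        return any(ip in n for n in nets)
    except ValueError:
        return dst.lower() in hosts

def flag_connections(log_lines, nets, hosts):
    """Return the destinations of log lines that hit the blocklist."""
    hits = []
    for line in log_lines:
        m = re.search(r"dst=(\S+)", line)  # assumed 'dst=' field format
        if m and is_blocked(m.group(1), nets, hosts):
            hits.append(m.group(1))
    return hits

# Constructed firewall/proxy lines, not real traffic.
SAMPLE_LOG = [
    "2015-11-27T12:01:00 src=10.0.0.5 dst=94.73.155.12 dport=443",      # inside the /29
    "2015-11-27T12:01:05 src=10.0.0.5 dst=kidsmatter2us.org dport=80",  # download host
    "2015-11-27T12:02:00 src=10.0.0.7 dst=8.8.8.8 dport=53",
    "2015-11-27T12:03:00 src=10.0.0.9 dst=94.73.155.20 dport=80",       # outside the /29
]

if __name__ == "__main__":
    nets, hosts = build_blocklist(DEFANGED)
    print(flag_connections(SAMPLE_LOG, nets, hosts))
```

The /29 entry is why the check goes through `ipaddress` rather than string comparison: 94.73.155.12 is never listed on its own in the first report, but it falls inside the range the second report recommends blocking, while 94.73.155.20 does not.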


#1600 AplusWebMaster

Posted 30 November 2015 - 05:42 AM

FYI...

Fake 'Order Accepted' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
30 Nov 2015 - "An email with the subject of 'Order PC299139PPS Accepted' pretending to come from CVLink <noreply@ contractvehicles .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ed-1024x561.png

30 November 2015: PC299139PPS.doc - Current Virus total detections 1/55*  
MALWR analysis** shows us it downloads what looks like a Dridex banking malware from
http ://members.chello .at/~antitrack_legend/89u87/454sd.exe (VirusTotal 3/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1448873990/

** https://malwr.com/an...WQzMTc2ODExZmI/

*** https://www.virustot...sis/1448873756/
___

Fake 'Message' SPAM - malware attachment
- http://blog.dynamoo....ssage-from.html
30 Nov 2015 - "I have only one sample of this rather terse email with -no- body text:
    From:    scan@ victimdomain
    Reply-To:    scan@ victimdomain
    To:    hiett@ victimdomain
    Date:    30 November 2015 at 09:22
    Subject:    Message from mibser_00919013013


The spam appears to originate from within the victim's own domain, but it does not. In the sample I saw, the attachment was named Smibser_00915110211090.xls, had a VirusTotal detection rate of 3/54* and contained this malicious macro... According to this Hybrid Analysis report** and this Malwr report*** the macro downloads a malicious executable from:
velitolu .com/89u87/454sd.exe
This binary has a detection rate of 3/55****. Automated report tools [1] [2] show network traffic to:
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
42.117.2.85 (FPT Telecom Company, Russia)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
5.63.88.100 (Centr, Kazakhstan)
The payload is likely to be the Dridex banking trojan...
Recommended blocklist:
94.73.155.12
42.117.2.85
89.189.174.19
5.63.88.100
"
* https://www.virustot...sis/1448880036/

** https://www.hybrid-a...environmentId=2

*** https://malwr.com/an...WUzODBiODNhNTk/

**** https://www.virustot...sis/1448880465/

1] https://malwr.com/an...WY4ZDU5MDIzOTk/

2] https://www.hybrid-a...environmentId=1
___

Fake 'QUICKBOOKS' SPAM - leads to malware
- http://blog.dynamoo....quickbooks.html
Nov 30, 2015 - "This -fake- Intuit QuickBooks spam leads to malware:
    From:    QUICKBOOKS ONLINE [qbservices@ customersupport .intuit .com]
    Date:    30 November 2015 at 10:42
    Subject:    INTUIT QB
    As of November 5th, 2015, we will be updating the browsers we support. We encourage you to upgrade to the latest version for the best online experience. Please proceed the following link, download and install the security update for all supported browsers to be on top with INTUIT online security!
    InTuIT. | simplify the business of life
    © 2015 Intuit Inc. All rights reserved. Intuit and QuickBooks are registered trademarks of Intuit Inc. Terms and conditions, features, support, pricing, and service options subject to change without notice.


Screenshot: https://3.bp.blogspo...s400/intuit.png

The spam is almost identical to this one[1] which led to Nymaim ransomware:
> http://www.welivesec...ng-its-welcome/
 In this particular spam, the email went to a landing page at updates .intuitdataserver-1 .com/sessionid-7ec395d0628d6799669584f04027c7f6 which then attempts to download a -fake- Firefox update*. This executable has a VirusTotal detection rate of 3/55**... The Hybrid Analysis report*** shows the malware attempting to POST to mlewipzrm .in which is multihomed on:
89.163.249.75 (myLoc managed IT AG, Germany)
188.209.52.228 (BlazingFast LLC, Ukraine / NForce Entertainment, Romania)
95.173.164.212 (Netinternet Bilgisayar ve Telekomunikasyon San. ve Tic. Ltd. Sti., Turkey)
The nameservers for mlewipzrm .in are NS1 .REBELLECLUB .NET and NS2 .REBELLECLUB .NET which are hosted on the following IPs:
210.110.198.10 (KISTI, Korea)
52.61.88.21 (Amazon AWS, US) ...
As far as I can tell, these domains are hosted on the following IPs:
52.91.28.199 (Amazon AWS, US)
213.238.170.217 (Eksen Bilisim, Turkey)
75.127.2.116 (Foroquimica SL / ColoCrossing, US)
I recommend that you -block- the following IPs and/or domains:
52.91.28.199
213.238.170.217
5.135.237.209
196.52.21.11
75.127.2.116
210.110.198.10
52.61.88.21
89.163.249.75
188.209.52.228
95.173.164.212
..."
(More listed at the dynamoo URL above.)
* https://urlquery.net...d=1448887234353

** https://www.virustot...sis/1448887362/
flashplayer19_ga_update.exe - 3/55

*** https://www.hybrid-a...environmentId=1

1] http://blog.dynamoo....m-leads-to.html
___

Fake 'Message' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
30 Nov 2015 - "An email with the subject of 'Message from mibser_00919013013' pretending to come from scan@ your own email domain with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email has a totally -blank- body and just an XLS (Excel spreadsheet) attachment...

30 November 2015: Smibser_00915110211090.xls - Current Virus total detections 4/55*
... Downloads Dridex banking malware from
dalamantransferservicesrentacar .com/89u87/454sd.exe (VirusTotal 1/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1448888284/

** https://www.virustot...sis/1448889035/
TCP connections
94.73.155.12: https://www.virustot...12/information/
191.234.4.50: https://www.virustot...50/information/
___

Fake 'Invoice Attached' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
30 Nov 2015 - "An email with the subject of 'Invoice Attached' pretending to come from random names, companies and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Good morning,
    Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.
    Thank you!
    Mr. Susie Weber
    Accounting Specialist| USBank, GH Industrial Co., Ltd


30 November 2015: invoice_details_68171045.xls - Current Virus total detections 1/55*
 MALWR analysis** shows us that it downloads http ://gallinda28trudi .com/v12/free17ld.exe (VirusTotal 3/55***) which is Nymaim ransomware as described by Dynamoo****... The XLS macro drops/creates a UpdateWinrar.js that instructs the victim’s computer to download the file & rename it as %temp%\UpdOffice.exe then automatically run it, so making you think that it is an Office update if you see any alerts about the file running... DO NOT enable macros or editing, no matter how plausible the instructions appear to be:
> http://myonlinesecur...ls-1024x602.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1448892567/

** https://malwr.com/an...DhiOGIxZjAyZjI/
Hosts: 31.184.234.5: https://www.virustot....5/information/

*** https://www.virustot...sis/1448887816/
FlashPlayerUpdate.exe

**** http://blog.dynamoo....quickbooks.html
___

Fake 'Sales Invoice' SPAM - malicious attachment
- http://blog.dynamoo....-opi599241.html
30 Nov 2015 - "This -fake- financial spam is not from James F Kidd, but is instead a simple -forgery- with a malicious attachment:
    From:    orders@ kidd-uk .com
    Date:    30 November 2015 at 13:42
    Subject:    Sales Invoice OP/I599241 For ANDSTRAT (NO.355) LTD
     Please see enclosed Sales Invoice for your attention.
     Regards from Accounts at James F Kidd
     ( email: accounts@ kidd-uk .com )


I have seen a single copy of this spam with an attachment invoice574206_1.doc which has a VirusTotal detection rate of 3/55*. This Malwr report** indicates that in this case there may be an error in the malicious macro. The Hybrid Analysis report is inconclusive. This document is presumably attempting to drop the Dridex banking trojan...
UPDATE: I have received two more samples, one named invoice574206/1.pdf and the other invoice574206/1.doc. Both are Word documents (so the one with the PDF extension will not open). The VirusTotal detection rates are 7/54[3] and 4/55[4]. One of these two also produces an error when run. The working attachment (according to this Malwr report[5] and Hybrid Analysis report[6]) downloads a malicious binary from:
bjdennehy .ie/~upload/89u87/454sd.exe
This has a VirusTotal detection rate of 3/54[6]... Automated analysis tools... show malicious traffic to:
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
91.223.9.70 (Elive Ltd, Ireland)
41.136.36.148 (Mauritius Telecom, Mauritius)
185.92.222.13 (Choopa LLC, Netherlands)
42.117.2.85 (FPT Telecom Company, Vietnam)
195.187.111.11 (Szkola Glowna Gospodarstwa Wiejskiego, Poland)
37.128.132.96 (Memset Ltd, UK)
37.99.146.27 (Etihad Atheeb Telecom Company, Saudi Arabia)
41.38.18.230 (TE Data, Egypt)
89.189.174.19 (Sibirskie Seti Novokuznetsk, Russia)
122.151.73.216 (M2 Telecommunications Group Ltd, Australia)
185.87.51.41 (Marosnet Telecommunication Company LLC, Russia)
217.197.159.37 (NWT a.s., Czech Republic)
41.56.123.235 (Wireless Business Solutions, South Africa)
91.212.89.239 (Uzinfocom, Uzbekistan)...
Recommended blocklist:
94.73.155.12
103.252.100.44
89.108.71.148
91.223.9.70
41.136.36.148
185.92.222.13
42.117.2.85
195.187.111.11
37.128.132.96
37.99.146.27
41.38.18.230
89.189.174.19
122.151.73.216
185.87.51.41
217.197.159.37
41.56.123.235
91.212.89.239
"
(More detail at the dynamoo URL above.)
* https://www.virustot...sis/1448893229/

** https://malwr.com/an...jUzNjQzYzc5ZTQ/

3] https://www.virustot...sis/1448894274/

4] https://www.virustot...sis/1448894280/

5] https://malwr.com/an...mRlMDg5NWUyMzE/

6] https://www.hybrid-a...environmentId=1
___

Fake 'Paypal' phish...
- http://myonlinesecur...aypal-phishing/
30 Nov 2015 - "An email saying 'Your Access Is Limited' coming from PayPal Team <scanner@ modainpelle .com>
While at first glance this appears to be a typical PayPal phish, there are a few differences... There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card, with a message saying something like:
• Your Access Is Limited
• Urgent: Your card has been stopped !
• There have been unauthorised or suspicious attempts to log in to your account, please verify
• Your account has exceeded its limit and needs to be verified
• Your account will be suspended !
• You have received a secure message from < your bank>
• We are unable to verify your account information
• Update Personal Information
• Urgent Account Review Notification
• We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
• Confirmation of Order
The original email looks like this. It will NEVER be a genuine email from PayPal or Your Bank so don’t ever follow the links or fill in the html (webpage) form that comes attached to the email.
The link in this case goes to http ://www .hocine1990.ehost-services239 .com/index/ ... This particular phishing campaign starts with an email with a link...

Screenshot: http://myonlinesecur...sh-1024x740.png
The website looks similar to this typical example of a PayPal phishing site:
> http://myonlinesecur...te-1024x531.png
If you fill in the email address and password you get an intermediate page apologising for any inconvenience  looking like:
> http://myonlinesecur...sh-1024x524.png
Then get sent on to a page looking like this one from an earlier PayPal Phish:
> http://myonlinesecur..._2-1024x519.png
Which is a typical phishing page that looks very similar to a -genuine- PayPal update page, if you don’t look carefully at the URL in the browser address bar. This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 30 November 2015 - 10:10 AM.




#1601 AplusWebMaster

Posted 01 December 2015 - 06:16 AM

FYI...

Fake 'Card Receipt' SPAM - malicious attachment
- http://blog.dynamoo....acey-smith.html
1 Dec 2015 - "This -fake- financial spam does not come from AquAid, but is instead a simple -forgery- with a malicious attachment. Poor AquAid were hit by the same thing several times earlier this year.
    From     "Tracey Smith" [tracey.smith@ aquaid .co.uk]
    Date     Tue, 01 Dec 2015 10:54:15 +0200
    Subject     Card Receipt
    Hi
    Please find attached receipt of payment made to us today
    Regards
    Tracey
    Tracey Smith| Branch Administrator
    AquAid | Birmingham & Midlands Central
    Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
    Telephone:        0121 525 4533
    Fax:                  0121 525 3502
    Mobile:              07795328895
    Email:               tracey.smith@ aquaid .co.uk ...


Attached is a file CAR014 151238.doc which comes in at least two different versions with a VirusTotal detection rate of 3/55 for both [1] [2]. According to these Malwr reports [3] [4] the macro in the document downloads a file from one of the following locations:
rotulosvillarreal .com/~clientes/6543f/9o8jhdw.exe
data.axima .cz/~krejcir/6543f/9o8jhdw.exe
This binary has a detection rate of 3/54*. The Malwr report** for that file shows that it phones home to:
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
There are other bad IPs in the 94.73.155.8 - 94.73.155.15 range, so I strongly recommend that you -block- all traffic to 94.73.155.8/29. These two Hybrid Analysis reports [5] [6] also show malicious traffic to the following IPs:
89.248.99.231 (Interdominios S.A., Spain)
103.252.100.44 (PT. Drupadi Prima, Indonesia)
89.108.71.148 (Agava Ltd, Russia)
221.132.35.56 (Post and Telecom Company, Vietnam)
78.24.14.20 (VSHosting s.r.o., Czech Republic)
The payload here is probably the Dridex banking trojan...
Recommended blocklist:
94.73.155.8/29
89.248.99.231
103.252.100.44
89.108.71.148
221.132.35.56
78.24.14.20
"
1] https://www.virustot...sis/1448964063/

2] https://www.virustot...sis/1448964077/

3] https://malwr.com/an...GUyOGQ0MWQ0ZWE/

4] https://malwr.com/an...GE5NzMxMWUxY2Y/

* https://www.virustot...sis/1448964517/

** https://malwr.com/an...TFiMDU3MDE3Zjk/

5] https://www.hybrid-a...environmentId=1

6] https://www.hybrid-a...environmentId=1
___

Fake 'Request for payment' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
1 Dec 2015 - "An email with the subject of 'Request for payment (PGS/73329)' pretending to come from PGS Services Limited <rebecca@ pgs-services .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...29-1024x541.png

1 December 2015: 3-6555-73329-1435806061-3.doc - Current Virus total detections 4/55*
 MALWR** shows me that it downloads http ://cru3lblow.xf .cz/6543f/9o8jhdw.exe (VirusTotal 1/52***) which looks like a revised/updated Dridex binary... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1448972343/

** https://malwr.com/an...WQ1MjgxOGYyODk/
88.86.117.154: https://www.virustot...54/information/

*** https://www.virustot...sis/1448972854/
TCP connections
157.252.245.29: https://www.virustot...29/information/
23.14.92.19: https://www.virustot...19/information/
94.73.155.12: https://www.virustot...12/information/
> https://www.virustot...7d2fd/analysis/

- http://blog.dynamoo....or-payment.html
1 Dec 2015 - "This spam email is confused. It's either about a watch repair or property maintenance. In any case, it has a malicious attachment...
From: PGS Services Limited [rebecca@ pgs-services .co.uk]
Date: 1 December 2015 at 12:06
Subject: Request for payment (PGS/73329)...
RST Support Services Limited
Rotary Watches Ltd...
Full details are attached to this email in DOC format...


Attached is a file 3-6555-73329-1435806061-3.doc which comes in at least three different versions... The payload is probably the Dridex banking trojan...
Recommended blocklist:
94.73.155.8/29
89.32.145.12
221.132.35.56
157.252.245.29
"
___

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
1 Dec 2015 - "An email with the subject of 'Invoice #96914158 – Fastco' coming from Antoine Lambert <LambertAntoine85@ tellas .gr> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    Here is the Fastco Corp. Invoice we talked about earlier today. Please cost code and get it back to me.
    Thanks, Antoine Lambert


... coming from random compromised email accounts and have random invoice numbers...
1 December  2015: INVOICE_96914158.doc - Current Virus total detections 2/56*
 This word doc contains a base64 encoded ole object which MALWR** shows us contacts
http ://31.210.119.169 /superman/kryptonite.php and downloads clarkent.exe (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1448981594/

** https://malwr.com/an...DA3MjQ4ODU0ZmI/

*** https://www.virustot...sis/1448982333/
TCP connections
157.252.245.27: https://www.virustot...27/information/
191.234.4.50: https://www.virustot...50/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 01 December 2015 - 09:56 AM.



#1602 AplusWebMaster

Posted 02 December 2015 - 05:00 AM

FYI...

Fake 'Purchase Order' SPAM - malicious attachment
- http://blog.dynamoo....24658-gina.html
2 Dec 2015 - "This -fake- financial spam is not from CliniMed Limited but is instead a simple -forgery- with a malicious attachment:
    From     Gina Harrowell [gina.harrowell@ clinimed .co.uk]
    Date     Wed, 02 Dec 2015 01:53:41 -0700
    Subject     Purchase Order 124658
    Sent 2 DEC 15 09:18
    CliniMed Ltd
    Cavell House
    Knaves Beech Way
    Loudwater
    High Wycombe
    Bucks
    HP10 9QY ...


Attached is a file P-ORD-C-10156-124658.xls which I have seen two versions of (VirusTotal results [1] [2]) which contain a malicious macro... which according to these automated analysis reports [3] [4] [5] [6] pulls down an evil binary from:
det-sad-89 .ru/4367yt/p0o6543f.exe
vanoha.webzdarma .cz/4367yt/p0o6543f.exe
There may be other versions of the Excel document with different download locations, but the payload will be the same. This has a VirusTotal detection rate of 1/55* and those previous reports plus this Malwr report** indicate malicious network traffic to the following IPs:
193.238.97.98 (PJSC Datagroup, Ukraine)
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
89.32.145.12 (Elvsoft SRL, Romania / Coreix, UK)
The payload is probably the Dridex banking trojan...
Recommended blocklist:
193.238.97.98
94.73.155.8/29
89.32.145.12
"
1] https://www.virustot...sis/1449050700/

2] https://www.virustot...sis/1449050710/

3] https://malwr.com/an...GMzNTFmNThjMDk/

4] https://malwr.com/an...2RlODVmNTcxNjg/

5] https://www.hybrid-a...environmentId=1

6] https://www.hybrid-a...environmentId=1

* https://www.virustot...sis/1449050819/
TCP connections
193.238.97.98: https://www.virustot...98/information/
90.84.59.27: https://www.virustot...27/information/

** https://malwr.com/an...WQ0OTBkMDhlZjA/

- http://myonlinesecur...dsheet-malware/
2 Dec 2015
Screenshot: http://myonlinesecur...58-1024x686.png

25 February 2015: P-ORD-C-10156-124658.xls - Current Virus total detections 5/55*
 MALWR analysis** shows us that it downloads what looks like Dridex Banking malware from
 http ://vanoha.webzdarma .cz/4367yt/p0o6543f.exe (VirusTotal 1/55***)...
* https://www.virustot...sis/1449050502/

** https://malwr.com/an...GMzNTFmNThjMDk/

*** https://www.virustot...sis/1449051414/
TCP connections
193.238.97.98: https://www.virustot...98/information/
90.84.59.27: https://www.virustot...27/information/
___

Fake 'Payment Request' SPAM - malicious attachment
- http://blog.dynamoo....nt-request.html
2 Dec 2015 - "This -fake- financial spam is not from Aline Pumps but is instead a simple -forgery- with a malicious attachment. In any case Aline are an Australian company, they would -not- be sending out invoices in UK pounds.
     From:    Bruce Sharpe [bruce@ alinepumps .com]
    Date:    2 December 2015 at 09:44
    Subject:    Aline Payment Request
    ATTENTION: ACCOUNTS PAYABLE
    Dear Sir/Madam,
    Overdue Alert
    Our records show that your current balance with us is £2795.50 of which £2795.50 is still overdue.
    Your urgent attention and earliest remittance of this amount would be appreciated.
    We value your business and we would like to resolves any issues as quickly as possible. I am personally available on (02) 8508 4900 or bruce@ alinepumps .com
    Sincerely,
    Bruce Sharpe - Accounts Receivable ...


Attached is a file Statement_1973_1357257122414.doc which comes in at least three versions (although I have only seen two), with VirusTotal results of 4/55 [1] [2] and automated analysis [3] [4] shows download locations of:
pivarimb .wz.cz/4367yt/p0o6543f.exe
allfirdawhippet .com/4367yt/p0o6543f.exe
apparently there is another download location of
sebel .fr/4367yt/p0o6543f.exe
In any case, the downloaded binary is the same and has a detection rate of 3/55*. The Malwr analysis** and this Hybrid Analysis*** show it phoning home to:
193.238.97.98 (PJSC DATAGROUP, Ukraine)
I strongly recommend that you -block- traffic to that IP."
1] https://www.virustot...sis/1449054590/

2] https://www.virustot...sis/1449054600/

3] https://malwr.com/an...DM4YWNmNDA1OWU/

4] https://malwr.com/an...jFkMjI0NjViNjY/

* https://www.virustot...sis/1449054750/

** https://malwr.com/an...WZjYmViMGQwMjc/

*** https://www.hybrid-a...environmentId=1

- http://myonlinesecur...dsheet-malware/
2 Dec 2015 - "Following on from last week’s Malspam run* pretending to come from Aline pumps, today’s email with the subject of 'Aline Payment Request' pretending to come from Bruce Sharpe <bruce@ alinepumps .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
* http://myonlinesecur...rd-doc-malware/

Screenshot: http://myonlinesecur...st-1024x575.png

2 December 2015: Statement_1973_1357257122414.doc - Current Virus total detections 4/56*
MALWR analysis** shows us that it downloads Dridex Banking malware from
 http ://pivarimb.wz .cz/4367yt/p0o6543f.exe (VirusTotal ***). This is an updated version from today’s earlier malspam run[1] of malicious office docs with macros..."
* https://www.virustot...sis/1449053035/

** https://malwr.com/an...jFkMjI0NjViNjY/
88.86.117.153
193.238.97.98
191.234.4.50


*** https://www.virustot...sis/1449053672/
TCP connections
193.238.97.98
8.254.218.62


1] http://myonlinesecur...dsheet-malware/
___

Fake 'November Invoice' SPAM - JS malware
- http://myonlinesecur...are-teslacrypt/
2 Dec 2015 - "An email with the subject of 'November Invoice' #37330118 [random numbered] pretending to come from random names and senders with a zip attachment is another one from the current bot runs... The content of the email says:
    Hello ,
    Please review the attached copy of your Electronic document.
    A paper copy of this document is being mailed, but this email is being sent in addition for your convenience.
    Thank you for your business.


2 December 2015: invoice_37330118.zip: Extracts to: INVOICE_main_BD3847636213.js
Current Virus total detections 2/54* which downloads a Teslacrypt ransomware from
 http ://74.117.183.84 /76 .exe (VirusTotal 3/55**) and tries to contact a combination of these sites
 ccfinance .it  | ecaequeeessa .com | schonemaas .nl | cic-la-banque .org and either download additional malware or upload stolen data from your computer (MALWR***). Our friends over at Techhelplist[1] have posted a fuller breakdown of this one... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1449062157/

** https://www.virustot...sis/1449062699/

*** https://malwr.com/an...DUwNmMxZmFhZTg/

74.117.183.84: https://www.virustot...84/information/
> https://www.virustot...96395/analysis/

1] https://techhelplist...invoice-malware

- http://blog.dynamoo....e-60132748.html
2 Dec 2015 - "... Attached is a file invoice_60132748.zip which contains a malicious obfuscated script INVOICE_main_BD3847636213.js... and this downloads a malicious file from:
74.117.183.84 /76.exe?1
... The Malwr report* and Hybrid Analysis** indicate that this communicates with the following compromised domains:
ccfinance .it
ecaequeeessa .com
schonemaas .nl
cic-la-banque .org
Both those reports indicate that this is the Teslacrypt ransomware:
> http://1.bp.blogspot.../teslacrypt.png
Furthermore, the Hybrid Analysis report** also shows other traffic to:
tsbfdsv.extr6mchf .com
alcov44uvcwkrend .onion .to
rbtc23drs.7hdg13udd .com ...
Recommended blocklist:
74.117.183.84
5.39.222.193
ccfinance .it
ecaequeeessa .com
schonemaas .nl
cic-la-banque .org
extr6mchf .com
alcov44uvcwkrend .onion .to
7hdg13udd .com
"
* https://malwr.com/an...GQ2MTYxOWQ5ZjI/

** https://www.hybrid-a...environmentId=1
___

Fake 'Adler Invoice' SPAM - malicious attachment
- http://blog.dynamoo....oice-no-uk.html
2 Dec 2015 - "This -fake- financial spam does not come from Adler Manufacturing Limited but is instead a simple forgery. It is meant to have a malicious attachment, but all of the samples I have seen are malformed.
    From:    service@ adlerglobal .com
    Date:    2 December 2015 at 11:36
    Subject:    Your Adler Invoice No. UK 314433178 IN
    Dear Customer,
    Thank you very much for having placed your order with Adler.
    Your goods have been shipped. Please see attached invoice for payment of
    your order.
    For your convenience, you will find several payment methods described on the
    attached invoice (please be sure to include your Adler Order #).
    If you have any questions, feel free to contact us.
    Best Regards,
    Your Adler Customer Service Team...


Supposedly attached is a document MD220EML.XLS but instead all the samples I see just have a Base 64 encoded section instead. Shame. If you go to the effort of decoding them, they are two moderately detected malicious documents (VirusTotal results [1] [2]) which according to these Malwr reports [3] [4] downloads a binary from:
vanoha.webzdarma .cz/4367yt/p0o6543f.exe
det-sad-89 .ru/4367yt/p0o6543f.exe
These download locations were seen earlier, but the payload has -changed- to one with a detection rate of 4/55*. Those earlier Malwr reports indicate malicious traffic to:
193.238.97.98 (PJSC DATAGROUP, Ukraine)
I strongly recommend that you -block- traffic to that IP. The payload is likely to be the Dridex banking trojan."
1] https://www.virustot...sis/1449064630/

2] https://www.virustot...sis/1449064641/

3] https://malwr.com/an...2NiYWVkYTZkNDY/

4] https://malwr.com/an...WNlYTgwOTBjZWQ/

* https://www.virustot...sis/1449064895/
___

Fake 'Shell E-bill' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
2 Dec 2015 - "The bad actors are either getting lazy or concentrating their efforts on old email templates that have attracted good returns previously. There seems to be a theme of reusing old email templates this week but this one from last year without even bothering to change the date is sheer idleness by the bad actor sending them. An email with the subject of 'Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014' pretending to come from Fuel Card Services <adminbur@ fuelcardgroup .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
    Please note that this message was sent from an unmonitored mailbox which is unable to accept replies. If you reply to this e-mail your request will not be actioned. If you require copy invoices, copy statements, card ordering or card stopping please e-mail support@ fuelcardservices .com quoting your account number which can be found in the e-mail below...
    E-billing
    From: adminbur@ fuelcardservices .com
    Sent: Wed, 02 Dec 2015 19:25:57 +0530
    To: [REDACTED]
    Subject: Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014
    Account: B500101
    Please find your e-bill 0765017 for 30/10/2015 attached.
    To manage you account online please click xxxxx
    If you would like to order more fuel cards please click xxxxx
    If you have any queries, please do not hesitate to contact us.
    Regards
    Cards Admin.
    Fuel Card Services Ltd
    T 01282 410704
    F 0844 870 9837 ...


2 December 2015: ebill0765017.doc - Current Virus total detections 6/55*
MALWR** The word docs are the same as described in today's earlier malspam runs... however the Dridex malware downloaded from http ://sebel .fr/4367yt/p0o6543f.exe is an -updated- variant (VirusTotal 4/55***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1449064154/

** https://malwr.com/an...DAyOGRiYWI2NWU/

*** https://www.virustot...sis/1449064895/

sebel .fr: 213.186.33.19: https://www.virustot...19/information/
> https://www.virustot...67cdd/analysis/

- http://blog.dynamoo....ard-e-bill.html
2 Dec 2015 - "... The attachment is named ebill0765017.doc and it comes in two different versions. The payload appears to be -identical- to this spam run* earlier today. The payload is the Dridex banking trojan."
* http://blog.dynamoo....nt-request.html
___

Fake 'Paypal' phish...
- http://myonlinesecur...aypal-phishing/
2 Dec 2015 - "The phishing bots have got a bit confused today and can’t decide if they are imitating PayPal or HMRC to steal your money and identity. An email saying 'Dear Paypal Customer' pretending to come from online-service @hmrc .gov .uk ...

Screenshot: http://myonlinesecur...er-1024x550.png
The link in this case goes to http ://blood4u .org/apple .com which has an -old- style PayPal log-in page:
> http://myonlinesecur...sh-1024x519.png
The red warning in the URL bar shows that Internet Explorer smart filter knows about it & alerts to it being -fake- and dangerous, which is a typical phishing page that looks very similar to a genuine old style PayPal update page, if you don’t look carefully at the URL in the browser address bar. This one wants your personal details, your Paypal account log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details..."

blood4u .org: 108.179.232.158: https://www.virustot...58/information/
> https://www.virustot...734e7/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 02 December 2015 - 03:01 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1603 AplusWebMaster

Posted 03 December 2015 - 05:59 AM

FYI...

Fake 'Scanned image' SPAM - malicious attachment
- http://blog.dynamoo....m-mx-2600n.html
3 Dec 2015 - "This -fake- scanned image document appears to come from within the victim's own domain, but it is in fact just a simple -forgery- with a malicious attachment.
    From:    no-reply@ victimdomain .tld
    Date:    3 December 2015 at 08:12
    Subject:    Scanned image from MX-2600N
    Reply to: no-reply@ victimdomain .tld [no-reply@ victimdomain .tld]
    Device Name: Not Set
    Device Model: MX-2600N
    Location: Not Set
    File Format: DOC MMR(G4)
    Resolution: 200dpi x 200dpi
    Attached file is scanned image in DOC format.
    Use Microsoft®Word® of Microsoft Systems Incorporated
    to view the document.


Attached is a file named no-reply@victimdomain.tld_20151203_3248.doc which I have seen just a single sample of so far with a VirusTotal detection rate of 2/55*, and which contains this malicious macro... Automated analysis tools [1] [2] show that the macro downloads a component from the following location:
vinsdelcomtat .com/u5y432/h54f3.exe
There will probably be other versions of the document downloading from other locations, but for the moment the binary will be the same. This has a detection rate of 3/55** and this Malwr report*** shows that it communicates with a known bad IP of:
193.238.97.98 (PJSC DATAGROUP, Ukraine)
I strongly recommend that you -block- traffic to that IP. The payload is most likely to be the Dridex banking trojan."
* https://www.virustot...sis/1449134658/

1] https://malwr.com/an...TdmMzI4YmEzM2Y/

2] https://www.hybrid-a...environmentId=1

** https://www.virustot...sis/1449135336/

*** https://malwr.com/an...GI0NmFiODA1ZDI/
___

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo....om-datanet.html
3 Dec 2015 - "This -fake- financial email does not come from Datanet but is instead a simple -forgery- with a malicious attachment:
    From:    Holly Humphreys [Holly.Humphreys@ datanet .co.uk]
    Date:    3 December 2015 at 08:57
    Subject:    Invoice from DATANET the Private Cloud Solutions Company
    Dear Accounts Dept  :
    Your invoice is attached, thank you for your business.
    If you have any queries please do not hesitate to contact us.
    Regards ...
    Holly Humphreys
    Operations
    Datanet - Hosting & Connectivity...


I have seen only one sample of this spam with an attachment with a somewhat interesting name of C:\\Users\\HOLLY~1.HUM\\AppData\\Local\\Temp\\Inv_107666_from_DATANET.CO..xls which saves on my computer as C__Users_HOLLY~1.HUM_AppData_Local_Temp_Inv_107666_from_DATANET.CO..xls. This contains this malicious macro... and has a VirusTotal detection rate of 3/55*. According to this Malwr report** and this Hybrid Analysis*** the XLS file downloads a malicious binary from:
encre .ie/u5y432/h54f3.exe
There will probably be other versions of this document downloading from other locations too. This has a VirusTotal detection rate of just 1/55**** and that report plus this Malwr report[5] indicate malicious network traffic to:
162.208.8.198 (VPS Cheap, US / Sulaiman Alfaifi, Saudi Arabia)
94.73.155.12 (Cizgi Telekomunikasyon Anonim Sirketi, Turkey)
78.47.66.169 (Hetzner, Germany)
The payload is almost definitely the Dridex banking trojan.
Recommended blocklist:
162.208.8.198
94.73.155.8/29
78.47.66.169

UPDATE: I have seen another version of the document... and a VirusTotal result of 3/54[6]. According to this Malwr report[7] it downloads from:
parentsmattertoo .org/u5y432/h54f3.exe "
* https://www.virustot...sis/1449136696/

** https://malwr.com/an...GRjNTVkYzA0ZTM/

*** https://www.hybrid-a...environmentId=2

**** https://www.virustot...sis/1449136696/

5] https://www.hybrid-a...environmentId=2

6] https://www.virustot...sis/1449137162/

7] https://malwr.com/an...GI0ZDYxOWNjNzg/

- http://myonlinesecur...dsheet-malware/
3 Dec 2015
"... one from the current bot runs...:
3 December 2015: C___Users__HOLLY~1.HUM__AppData__Local__Temp__Inv_107666_from_DATANET.CO..xls
Current Virus total detections 3/55* -  MALWR** tells us that it downloads http ://encre .ie/u5y432/h54f3.exe (VirusTotal 1/55***) which is likely to be Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1449138312/

** https://malwr.com/an...GRjNTVkYzA0ZTM/

*** https://www.virustot...sis/1449137162/
TCP connections
94.73.155.12: https://www.virustot...12/information/
8.254.218.14: https://www.virustot...14/information/
78.47.66.169: https://www.virustot...69/information/
___

Fake 'ICM - Invoice' SPAM - malicious attachment
- http://blog.dynamoo....voice-2393.html
3 Dec 2015 - "This -fake- financial spam does not come from Industrial Cleaning Materials but is instead a simple -forgery- with a malicious attachment:
    From     "Industrial Cleaning Materials (ICM)" [sales@ icmsupplies .co.uk]
    Date     Thu, 03 Dec 2015 18:22:34 +0700
    Subject     ICM - Invoice #2393
    Dear Customer,
    Please find invoice 2393 attached.
    Kind Regards,
    ICM
    Industrial Cleaning Materials ...


I have seen two versions of the attachment order_2393.doc with VirusTotal results of 2/54 [1] [2] and the Malwr reports [3] [4] show that they download a component from:
www .ofenrohr-thermometer .de/u5y432/h54f3.exe
ante-prima .com/u5y432/h54f3.exe
This has a VirusTotal detection rate of 1/53*. The payload appears to be the -same- as the one in this spam run earlier today** and looks like the Dridex banking trojan."
1] https://www.virustot...sis/1449142268/

2] https://www.virustot...sis/1449142290/

3] https://malwr.com/an...TAwNGViNjBmYjc/

4] https://malwr.com/an...DJhYWU0MWU0NDY/

* https://www.virustot...sis/1449142424/
TCP connections
94.73.155.12: https://www.virustot...12/information/
8.254.218.14: https://www.virustot...14/information/
78.47.66.169: https://www.virustot...69/information/

** http://blog.dynamoo....om-datanet.html

- http://myonlinesecur...rd-doc-malware/
3 Dec 2015 - "... another one from the current bot runs...
3 December 2015 : order_2393.doc - Current Virus total detections 2/52*
MALWR** shows a download from http ://www.ofenrohr-thermometer .de/u5y432/h54f3.exe (VirusTotal 0/47**) which is the same Dridex banking Trojan from today’s other malspam runs... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1449141906/

** https://www.virustot...sis/1449142424/
TCP connections
94.73.155.12: https://www.virustot...12/information/
8.254.218.14: https://www.virustot...14/information/
78.47.66.169: https://www.virustot...69/information/
___

Apple Account Audit – Phish...
- http://myonlinesecur...audit-phishing/
3 Dec 2015 - "An email saying 'Apple Account Audit' coming from Apple <secure@ icloudresources .co.uk> is a -phishing- email that is designed to steal your Apple/iTunes account details as well as your credit card & other bank details. This one wants your personal details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details...

Screenshot: http://myonlinesecur...it-1024x722.png

The link in the email goes to http ://itunesconsumerhelp .com/myicloud/?email=victim@ victimdomain .com
-If- you -open- the attached html file you see a webpage looking like:
> http://myonlinesecur...h1-1024x579.png
... the phisher has set up the website so that unless you either click through from the email or insert an email address in the format they require, you get a -fake- domain ['Account'] suspended notice..."
> http://myonlinesecur...ed-1024x453.png
The emails come from real newly created domains that sound and look like genuine Apple domains. The emails all have proper SPF and DKIM headers to help them get-past-spam-filters... All of these emails use Social engineering tricks to persuade you to open-the-attachments that come with the email..."
___

Facebook Phish...
- https://blog.malware...free-video-app/
Dec 3, 2015 - "... Recently, we’ve seen a campaign... -baiting- users with a -free- “Facebook video application”:
> https://blog.malware...sp-original.png
... It asks for the user’s account credentials in order to access this so-called app. Once they are provided, the fake Facebook page saves the data onto a PHP page on its domain. We’ve seen a similar campaign hosted on another fake Facebook page, facebookstls[DOT]com:
> https://blog.malware...015/12/stls.png
... Should you encounter the above pages, or something similar, steer clear. We also advise our readers who are unfamiliar with -phishing- campaigns on Facebook and what to do if they realized that their credentials have been -stolen- to refer to this page* on the Help Center section**..."
* https://www.facebook...17910864998172/

** https://www.facebook.com/help/

facebookstls[DOT]com: 185.86.210.113: https://www.virustot...13/information/

Close named site: http://trafficlight....facebooksk.info
"... Scammers can set up -fake- escrow websites and -fake- shipping companies. While promising to provide escrow services, once payment is made, the -fake- escrow website will take the money and disappear. These -scams- work hand in hand with fake shipping companies and target small businesses, such as restaurants, catering companies, etc. While purchasing large quantities of products, the scammers use stolen credit card numbers or counterfeit checks to complete the sale, and request that the items be shipped with a private third party shipping company, which only accepts payments through some wire transfer service..."
 

Edited by AplusWebMaster, 03 December 2015 - 09:57 AM.
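The quoted reports in this post and the previous one give their indicators in defanged form (a space before each dot, "http ://" in download URLs, "[DOT]" for a dot, a space after "@" in sender addresses) and mix single observed IPs (94.73.155.12 under "TCP connections") with a wider recommended block (94.73.155.8/29). As an added example, not code from this forum thread or from the blogs it quotes, the Python script below refangs such text, sorts the indicators by type, and drops single IPs that a recommended CIDR already covers before emitting a blocklist. The SAMPLE input is constructed for the example from indicator values that appear in the posts above; the `hxxp://` handling in `refang` is a common convention not used on this page.

```python
"""Refang the indicators quoted in these posts and turn them into a blocklist.

Added example; not code from the forum thread or from the blogs it quotes.
The quoted posts defang indicators with a space before each dot
("ccfinance .it"), "http ://" for URLs, "[DOT]" for dots and "@ " in mail
addresses.  This script undoes that, groups indicators by type, and checks
whether an observed IP (94.73.155.12 in the post above) is already covered
by a recommended CIDR block (94.73.155.8/29), so the list carries no
redundant entries.  SAMPLE is constructed for this example from indicator
values that appear in the posts above.
"""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed input in the same layout as the quoted blog excerpts.
SAMPLE = """\
Recommended blocklist:
74.117.183.84
5.39.222.193
ccfinance .it
alcov44uvcwkrend .onion .to
94.73.155.8/29
... downloads http ://www.lama .rs/87tr65/43wedf.exe
facebookstls[DOT]com: 185.86.210.113
From: service@ adlerglobal .com
TCP connections
94.73.155.12
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def refang(text: str) -> str:
    """Undo the defanging conventions used in the quoted posts."""
    text = re.sub(r"\[(?:DOT|dot)\]", ".", text)
    # "http ://" (and the common hxxp:// variant) back to a real scheme
    text = re.sub(r"(?i)h(?:xx|tt)(ps?)\s*:\s*//",
                  lambda m: "htt" + m.group(1).lower() + "://", text)
    text = re.sub(r"\s+\.(?=[A-Za-z0-9])", ".", text)   # "ccfinance .it" -> "ccfinance.it"
    text = re.sub(r"@\s+", "@", text)                     # "user@ host" -> "user@host"
    return text


def extract(text: str) -> Dict[str, List[str]]:
    """Return refanged indicators grouped by type; de-duplicated, order kept."""
    out: Dict[str, List[str]] = {"ips": [], "cidrs": [], "domains": [], "urls": []}
    seen = set()

    def add(kind: str, value: str) -> None:
        if (kind, value) not in seen:
            seen.add((kind, value))
            out[kind].append(value)

    for raw in text.splitlines():
        line = refang(raw)
        # URLs first, so their host and path are not re-matched below
        for url in URL_RE.findall(line):
            add("urls", url)
            host = urlsplit(url).hostname
            if host:
                add("domains", host)
            line = line.replace(url, " ")
        for ip, prefix in IP_RE.findall(line):
            try:
                net = ipaddress.ip_network(ip + prefix, strict=False)
            except ValueError:          # e.g. 999.1.1.1 inside a version string
                continue
            add("cidrs" if prefix else "ips", str(net) if prefix else ip)
            line = line.replace(ip + prefix, " ")
        # drop mail local parts so only the sender domain is kept
        line = re.sub(r"[\w.+-]+@", "", line)
        for dom in DOMAIN_RE.findall(line):
            add("domains", dom.lower())
    return out


def covered_by(ip: str, cidrs: List[str]) -> Optional[str]:
    """Return the first CIDR in cidrs that already contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return cidr
    return None


def build_blocklist(text: str) -> List[str]:
    """CIDRs first, then IPs not already inside one of them, then domains."""
    ind = extract(text)
    entries = list(ind["cidrs"])
    entries += [ip for ip in ind["ips"] if covered_by(ip, ind["cidrs"]) is None]
    entries += ind["domains"]
    return entries


if __name__ == "__main__":
    for entry in build_blocklist(SAMPLE):
        print(entry)
```

Run as-is it prints nine entries: the /29, the three IPs not inside it (94.73.155.12 is dropped because 94.73.155.8/29 covers .8 through .15), then the five domains, including the host pulled out of the download URL. Feed it the text of a report instead of SAMPLE to get a list ready for a firewall or DNS sinkhole.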


#1604 AplusWebMaster

Posted 04 December 2015 - 05:09 AM

FYI...

Fake 'receipt' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
4 Dec 2015 - "An email with the subject of 'receipt of payment' pretending to come from Perpetual Watchservices <perpetualwatchservices@ yahoo .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Hi ,
    thank you for payment , please find attachment with receipt.
    Best regards,
    Irina
    PWS LTD
    41-A Great Underbank
    Stockport
    SK1 1NE
    Opening Times: Monday- Friday 8:30-4:30
    0161-480-90880161-480-9088


4 December 2015: Receipt-13764(1).doc - Current Virus total detections 4/54*
... hybrid analysis** shows us that it downloads what looks like a Dridex banking Trojan from
 gwsadmin.globalwinestocks .com/325r3e32/845t43f.exe (VirusTotal 3/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1449224485/

** https://www.hybrid-a...environmentId=2

*** https://www.virustot...sis/1449224741/
 



#1605 AplusWebMaster

Posted 07 December 2015 - 05:45 AM

FYI...

Fake 'Shipping Doc' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
7 Dec 2015 - "An email that appears to come from Transglobal Express with the subject of 'Transglobal Express – Shipping Documentation (TG-1569311)' pretending to come from sales@ transglobalexpress .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...11-1024x599.png

7 December 2015: 1569311-1Z2X12A50495162278.doc - Current Virus total detections 7/55*
MALWR** tells us it downloads http ://www.lama .rs/87tr65/43wedf.exe which is likely to be the Dridex banking Trojan (VirusTotal 1/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1449481851/

** https://malwr.com/an...TIyOWQ5MDEzMjU/

*** https://www.virustot...sis/1449482026/
TCP connections
23.113.113.105: https://www.virustot...05/information/
13.107.4.50: https://www.virustot...50/information/

- http://blog.dynamoo....al-express.html
7 Dec 2015 - "... -fake- shipping spam does not come from Transglobal Express but is instead a simple -forgery- with a malicious attachment...
Attached is a file 1569311-1Z2X12A50495162278.doc which in the samples I have seen has a detection rate of 7/55* and which contains this malicious macro... According to this Malwr report**, the macro downloads a binary from:
www .lama .rs/87tr65/43wedf.exe
This has a VirusTotal detection rate of just 1/54***. Those two reports plus this Hybrid Analysis[4] indicate network traffic to:
23.113.113.105 (AT&T Internet Services, US)
I strongly recommend that you -block- traffic to that IP. The payload here is almost definitely the Dridex banking trojan."
* https://www.virustot...sis/1449482367/

** https://malwr.com/an...TIyOWQ5MDEzMjU/

*** https://www.virustot...sis/1449482582/
TCP connections
23.113.113.105: https://www.virustot...05/information/
13.107.4.50: https://www.virustot...50/information/

4] https://www.hybrid-a...environmentId=1
___

Fake 'Apple receipt' SPAM - malicious attachment
- http://blog.dynamoo....from-apple.html
7 Dec 2015 - "This -fake- receipt does not come from an Apple Store, but is instead a simple -forgery- with a malicious attachment:
    From:    manchesterarndale@ apple .com
    Date:    7 December 2015 at 09:43
    Subject:    Your receipt from Apple Store, Manchester Arndale
    Thank you for shopping at the Apple Store.
    To tell us about your experience, click here.


Attached is a file emailreceipt_20150130R2155644709.xls which in the sample I analysed has a VirusTotal detection rate of 6/53*. According to this Malwr report**, the attachment downloads a malicious binary from:
steveyuhas .com/~steveyuhas/87tr65/43wedf.exe
This has a VirusTotal detection rate of precisely zero***. Those reports indicate network traffic to:
23.113.113.105 (AT&T Internet Services, US)
This is the -same- IP as seen in this earlier spam run[4], and I strongly recommend that you -block- it. The payload is likely to be the Dridex banking trojan."
* https://www.virustot...sis/1449485846/

** https://malwr.com/an...DA1YzQyZDE2YjY/

*** https://www.virustot...sis/1449486079/
TCP connections
23.113.113.105: https://www.virustot...05/information/
13.107.4.50: https://www.virustot...50/information/

4] http://blog.dynamoo....al-express.html

- http://myonlinesecur...dsheet-malware/
7 Dec 2015 - "An email with the subject of 'Your receipt from Apple Store, Manchester Arndale' pretending to come from manchesterarndale@ apple .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...le-1024x381.png

7 December 2015: emailreceipt_20150130R2155644709.xls - Current Virus total detections 6/55*
MALWR shows us that it downloads from http ://steveyuhas .com/~steveyuhas/87tr65/43wedf.exe which looks to be an -updated- version of what is probably the Dridex banking Trojan (VirusTotal **)..."
* https://www.virustot...sis/1449485130/

** https://www.virustot...sis/1449486079/
TCP connections
23.113.113.105: https://www.virustot...05/information/
13.107.4.50: https://www.virustot...50/information/
___

Fake 'Payment Advice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
7 Dec 2015 - "An email with the subject of 'Payment Advice For Vendor0000113915' pretending to come from LBRichmondRemittance@ richmond .gov.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    The London Borough of Richmond upon Thames Accounts Payable team, are pleased to announce we can now e-mail your remittance advice.
    Please find attached a remittance advice for a payment you will receive in the next 2 working days.
    If this is not the preferred email address you wish to receive remittance advises, please could you
    email accounts.payable@ richmond .gov.uk quoting your vendor number (found on remittance
    attached) and details of your preferred email address so we can update our records.
    Please Note
    Remittances sent from LB Richmond Remittance will include payments made on behalf of:
    Achieving for Children
    LBRuT Local Authority
    LBRuT Pension Fund
    SW Middlesex Crematorium Board ...


7 December 2015: Payment Advice For Vendor0000113915.DOC London Borough of Richmond
Current Virus total detections 7/55* which is the -same- downloader (although renamed) which downloads the -same- Dridex banking Trojan from the -same- locations as previously described in this earlier post**..."
* https://www.virustot...sis/1449489721/
Latest: 1569311-1Z2X12A50495162278.doc

** http://myonlinesecur...dsheet-malware/
___

Reader’s Digest... other WP Sites Compromised, Push Angler EK
- https://blog.malware...push-angler-ek/
Nov 26, 2015 - "Update 12/01: Reader’s Digest contacted us and said they are working on the site’s security.
We’re seeing another uptick in WordPress compromises, using a slightly different modus operandi than the EITest campaign we recently blogged about, being responsible for a large number of infections via the Angler exploit kit. The attack consists of a -malicious- script injected within compromised WordPress sites that launches another URL whose final purpose is to load the Angler exploit kit. Site owners that have been affected should keep in mind that those -injected- scripts/URLs will vary over time, although they are all using the same pattern... The website of popular magazine Reader’s Digest is one of the victims of this campaign and people who have visited the portal recently should make sure they have not been infected. The payload we observed at the time of capture was Bedep, which loaded Necurs, a backdoor Trojan, but that of course can change from day to day...
> https://blog.malware.../2015/11/rd.png
... IOCs: Redirectors (non exhaustive list)..."
(More detail at the malwarebytes URL above.)

Also: http://arstechnica.c...itors-for-days/
Nov 30, 2015 - "... people can be exposed to drive-by malware attacks even when visiting sites they know and trust. It's always a good idea to install security updates as soon as they become available. Readers are also advised to consider uninstalling Flash, Java, and other browser extensions from their computers, or alternatively to use them only on a handful of important sites that require it. For the time being, people should assume Reader's Digest -isn't- safe to visit. This post will be updated if that status changes."
 

Edited by AplusWebMaster, 07 December 2015 - 11:14 AM.
