SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1606 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 08 December 2015 - 06:03 AM

FYI...

Fake 'Updated Statement' SPAM - malicious attachment
- http://blog.dynamoo....nt-2323191.html
8 Dec 2015 - "This -fake- financial spam does not come from Buildbase but is instead a simple -forgery- with a malicious attachment.
    From:    David Lawale [David.Lawale@ buildbase .co.uk]
    Date:    8 December 2015 at 10:58
    Subject:    Updated Statement - 2323191
    Hi,
    Please find attached copy updated statement as your account has 3 overdue incoices. Is there any reasons why they haven’t yet been paid?
    Kind Regards
    David
    David Lawale | Credit Controller | Buildbase ...


Attached is a file 151124142451_0001.xls which I have seen come in -two- versions so far (VirusTotal results [1] [2]). Analysis of this malware is pending, but it most likely leads to the Dridex banking trojan."
1] https://www.virustot...sis/1449572556/

2] https://www.virustot...sis/1449572877/
UPDATE 2: According to the comments in this post and also some other sources, the macros download from:
gulteknoofis .com/76re459/98uy76t.exe
kinderdeszorns .de/76re459/98uy76t.exe
agencjareklamowalodz .com/76re459/98uy76t.exe
This has a detection rate of 4/55*... the malware phones home to:
216.189.52.147 (High Speed Web/Genesis 2 Networks, US)
23.113.113.105 (AT&T, US)
221.132.35.56 (Ho Chi Minh City Post and Telecom Company, Vietnam)
78.47.66.169 (Hetzner, Germany)
Recommended blocklist:
216.189.52.147
23.113.113.105
221.132.35.56
78.47.66.169
"
* https://www.virustot...sis/1449578058/

- http://myonlinesecur...dsheet-malware/
8 Dec 2015 - "An email with the subject of 'Updated Statement – 2323191' pretending to come from David Lawale <David.Lawale@ buildbase .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

8 December 2015 : 151124142451_0001.xls - Current Virus total detections 6/54* (VT2 - 6/54**)
Updated: This downloads http ://gulteknoofis .com/76re459/98uy76t.exe -or-
 http ://agencjareklamowalodz .com/76re459/98uy76t.exe (VirusTotal 3/55***) Which is almost certainly Dridex banking Trojan..."
* https://www.virustot...44113/analysis/

** https://www.virustot...sis/1449572877/

*** https://www.virustot...sis/1449575422/
TCP connections
216.189.52.147: https://www.virustot...47/information/
104.86.111.136: https://www.virustot...36/information/
___

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo....oice-sales.html
8 Dec 2015 - "This -fake- financial spam does not come from EXB (UK) Ltd but is instead a simple -forgery- with a malicious attachment.
    From:    Sales [sales@ exbuk .co.uk]
    Date:    8 December 2015 at 12:03
    Subject:    EXB (UK) Ltd Invoice
    Dear Sirs,
    Please find attached our invoice, Thank you for your order
    Best Wishes
    EXB (UK) Ltd


Attached is a Word document named Invoice 1195288 from EXB (UK) Limited.doc which comes in at least -three- different versions (VirusTotal results [1] [2] [3]) and which contain a complex macro... that fails to run in automated analysis tools... The payload (if it works) is likely to be the Dridex banking trojan."
1] https://www.virustot...sis/1449576023/

2] https://www.virustot...sis/1449576032/

3] https://www.virustot...sis/1449576039/

- http://myonlinesecur...dsheet-malware/
8 Dec 2015 - "An email with the subject of 'EXB (UK) Ltd Invoice' pretending to come from Sales <sales@ exbuk .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

8 December 2015: Invoice 1195288 from EXB (UK) Limited.doc - Current Virus total detections 6/55*
... It is highly likely that it will download the -same- Dridex banking malware from the same locations as today’s earlier malspam**..."
* https://www.virustot...sis/1449576427/

** http://myonlinesecur...dsheet-malware/
___

Fake 'Invoice' SPAM – JS malware Teslacrypt
- http://myonlinesecur...are-teslacrypt/
8 Dec 2015 - "An email with the subject of 'Invoice from CimQuest INGEAR' coming from random senders and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
    Dear Customer ,
    Please review the attached copy of your Invoice (number: NI16157660) for an amount of $400.46.
    Thank you for your business


2 September 2015: invoice_copy_16157660.zip: Extracts to: doc_H4QPKCVlWBE.js
Current Virus total detections 2/56* - MALWR** tells us it downloads 840135.exe teslacrypt malware (VirusTotal 3/55***) and the associated txt and html files telling you how to pay-the-ransom to recover your files.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1449577730/

** https://malwr.com/an...zY4Zjk1Yjg1OWI/
50.63.210.1: https://www.virustot....1/information/
78.47.139.102: https://www.virustot...02/information/
173.201.96.1: https://www.virustot....1/information/

*** https://www.virustot...sis/1449576976/
___

Fake 'Courier Service invoice' SPAM - JS malware
- http://myonlinesecur...are-js-malware/
8 Dec 2015 - "An email with the subject of 'Invoice #CS-34169266' [random numbered] pretending to come from a random named Courier Service with a zip attachment is another one from the current bot runs... The content of the email says:
    Dear Customer
    Your invoice appears below. Please remit payment at your earliest convenience.
    Thank you for your business – we appreciate it very much.
    Sincerely,
    Louie Gomez Courier Service


All the names of the alleged senders match the name in the body of the email although none are courier services. All the sender email addresses are random...
8 December 2015: invoice_copy_34169266.zip: Extracts to: invoice_SCAN_InT9b.js
Current Virus total detections 4/55*. MALWR analysis** shows it downloads what looks like a genuine Avira installation from one of these sites prestakitchen .com and acsbrokerage .com...
Update: Some -other- versions of these JavaScript downloaders attached to similar emails pretending to be courier invoices are downloading what looks like a teslacrypt malware. One location is 46.151.52.197 /85.exe [VirusTotal 3/55*** for js downloader] [MALWR[4]] [VirusTotal for 85.exe 2/55[5]]
[malwr[6] for 85.exe]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1449601718/

** https://malwr.com/an...jc0ZjlhYTM0NGU/
63.247.90.80
185.93.187.90
184.168.138.1
169.54.129.13
8.254.249.94
23.5.245.163
23.222.171.250
23.222.166.108


*** https://www.virustot...sis/1449601551/

4] https://malwr.com/an...GNkYmM4NGVjZDg/
46.151.52.197
78.47.139.102
89.161.139.233
83.143.81.14
50.62.123.1
50.63.71.1
192.163.250.195


5] https://www.virustot...sis/1449605987/

6] https://malwr.com/an...mYzZmU1ODhmODM/
78.47.139.102
89.161.139.233
83.143.81.14
50.62.123.1
50.63.71.1
192.163.250.195

 



Edited by AplusWebMaster, 08 December 2015 - 03:36 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1607 AplusWebMaster

Posted 09 December 2015 - 07:46 AM

FYI...

Fake 'Invoice' SPAM - js malware teslacrypt
- http://myonlinesecur...are-teslacrypt/
9 Dec 2015 - "An email with the subject of 'Your order #89518498 – Corresponding Invoice #42E64A46' [random numbered] pretending to come from a random named Sales Department Manager at Fretter Inc. with a zip attachment is another one from the current bot runs... The content of the email says:
    Dear Valued Customer,
    We are pleased to inform you that your order #89518498 has been processed and ready to be dispatched. However, according to our records, above mentioned invoice is still unpaid.
    We would highly appreciate if you sent your payment promptly. For your information, don’t hesitate to check the invoice enclosed to this letter or contact us directly.
    In case if you have already sent your payment, please disregards this letter and kindly allow us up to 3 business days to clear the incoming payment.
    We look forward to your remittance and will the dispatch the goods.
    Thank you for choosing our services we sincerely hope to continue doing business with you again.
    Sincerely,
    Evan Hampton
    Sales Department Manager
    Fretter Inc. ...


All the names of the alleged senders match the name in the body of the email although -none- are genuine sales department managers. All the sender email addresses are random...
9 December 2015: copy_invoice_89518498.zip: Extracts to: invoice_copy_XEmx4n.js
Current Virus total detections 2/53*. MALWR analysis** shows it downloads and automatically runs http ://softextrain64 .com/86.exe (virustotal 3/55***) a Teslacrypt ransomware Trojan that encrypts your files. If you look at the malwr analysis it shows the virtual machine being encrypted which shows how dangerous these ransomware Trojans are. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1449666881/

** https://malwr.com/an...WNhYTMxMjU1NWE/
192.227.158.229
78.47.139.102
83.143.81.14
50.62.123.1
50.63.71.1
192.163.250.195
173.201.96.1
89.161.139.233


*** https://www.virustot...sis/1449666957/

softextrain64 .com: 194.135.83.55: https://www.virustot...55/information/
192.227.158.229: https://www.virustot...29/information/
>> https://www.virustot...ba301/analysis/

>> https://en.wikipedia...wiki/TeslaCrypt

>>> http://blogs.cisco.c...alos/teslacrypt
___

- http://myonlinesecur...are-teslacrypt/
9 Dec 2015 - "An email with the subject of 'Invoice #62579723 from DataCorp Inc' [random numbered] pretending to come from a random named Junior accountant at DataCorp Inc with a zip attachment is another one from the current bot runs... The content of the email says:
    Dear Customer,
    Reference nr. 62579723-2801
    Our internal records show that you have an outstanding balance dating on your account. Previous invoice was for $987.34 and have yet to receive your payment.
    You can find the copy of the invoice enclosed to this letter.
    In case if you have already transferred the payment you can disregards this payment notice. In all other case, please be so kind and forward us the amount stated in full until the end of the month.
    As our agreement indicates, all outstanding balances after 30 days are subject to the 7% interest fee.
    Thank you in advance for your cooperation.
    Sincerely,
    Leif Valentine
    Junior Accountant
    DataCorp Inc. ...


All the names of the alleged senders match the name in the body of the email although -none- are genuine junior accountants. All the sender email addresses are random...
9 December 2015: copy_invoice_62579723.zip: Extracts to: invoice_copy_KEoHWB.js
Current Virus total detections 5/54*. MALWR analysis** shows it downloads and automatically runs
 http ://softextrain64 .com/86.exe (virustotal 3/55***) a Teslacrypt ransomware Trojan that encrypts your files. This 86.exe is -different- to today’s earlier version[4] although the -same- download locations. This is another one of the spoofed icon files..."
* https://www.virustot...sis/1449691313/

** https://malwr.com/an...GQzYjg5ZGI4MzY/
192.3.52.235
78.47.139.102
83.143.81.14


*** https://www.virustot...sis/1449689393/

4] http://myonlinesecur...are-teslacrypt/
___

Fake 'order' SPAM - leads to Teslacrypt ransomware
- http://blog.dynamoo....teslacrypt.html
9 Dec 2015 - "This email claims to be from the long-dead retailer Fretter Inc, but it is not. Instead it comes with a -malicious- attachment leading to Teslacrypt ransomware.
    From:    Tonia Graves [GravesTonia8279@ ikom .rs]
    Date:    9 December 2015 at 14:50
    Subject:    Your order #11004118 - Corresponding Invoice #B478192D
    Dear Valued Customer,
    We are pleased to inform you that your order #11004118 has been processed and ready to be dispatched. However, according to our records, above mentioned invoice is still unpaid.
    We would highly appreciate if you sent your payment promptly. For your information, don't hesitate to check the invoice enclosed to this letter or contact us directly.
    In case if you have already sent your payment, please disregards this letter and kindly allow us up to 3 business days to clear the incoming payment.
    We look forward to your remittance and will the dispatch the goods.
    Thank you for choosing our services we sincerely hope to continue doing business with you again.
    Sincerely,
    Tonia Graves
    Sales Department Manager
    Fretter Inc. ...


The sender's name and the reference numbers change in each version. Attached is a file copy_invoice_11004118.zip which in turn contains a malicious script [VT 5/54*] which in the sample I investigated was named invoice_iU9A2Y.js... The Malwr report** for that script shows it downloading from:
softextrain64 .com/86.exe?1
The script itself shows an alternate location of:
46.151.52.197 /86.exe?1
This has a VirusTotal detection rate of 3/55***. A Malwr report[4] on just the executable plus this Hybrid Analysis report[5] shows it connecting to:
gjesdalbrass .no
It also tries to identify the IP address of the host by connecting to http ://myexternalip .com/raw which is a benign service that you might consider to be a good indicator of compromise. You can see in the screenshots of that Malwr report that this is ransomware - specifically Teslacrypt.
Recommended blocklist:
gjesdalbrass .no
softextrain64 .com
46.151.52.197
"
* https://www.virustot...sis/1449689090/

** https://malwr.com/an...jRiMGQyMzhhOTM/

*** https://www.virustot...sis/1449689393/

4] https://malwr.com/an...jRiMGQyMzhhOTM/

5] https://www.hybrid-a...environmentId=1

___

News Site “The Independent” Hacked, Leads to TeslaCrypt Ransomware
- http://blog.trendmic...pto-ransomware/
Dec 8, 2015 - "The blog page of one of the leading media sites in the United Kingdom, The Independent has been compromised, which may put its millions of readers at risk of getting infected with ransomware. We have already informed 'The Independent' about this security incident. However, the site is still currently compromised and users are -still- at risk. It should be noted that only the blog part of the website – which uses WordPress – is impacted; the rest of The Independent’s online presence seems unaffected. WordPress is a very popular blogging platform that has seen more than its fair share of attacks and compromises from threat actors and cybercriminals looking to infect users... Angler Exploit Kit is the most active exploit kit to date that integrated Adobe Flash zero-day vulnerabilities related to the Hacking Team leak... tracked the number of hits to the TDS between compromised sites leading to Angler EK (not just The Independent blog) and have seen as many as -4,000- hits a day. The real number could be bigger...
Number of  users redirected from compromised sites leading to Angler EK
> https://blog.trendmi...ndent_graph.png
Updated on December 8, 2015, 7:15 PM PST (UTC -8): We have edited this entry to reflect the current status of communications with The Independent and the current threat. As of this writing, the site is -still- compromised and serving various malware threats to users."
 



Edited by AplusWebMaster, 09 December 2015 - 03:42 PM.



#1608 AplusWebMaster

Posted 10 December 2015 - 06:16 AM

FYI...

Fake 'Payment Notice' SPAM - leads to ransomware
- http://blog.dynamoo....st-payment.html
10 Dec 2015 - "This -fake- financial spam does not come from the long-defunct Foreman & Clark, but instead it comes with a malicious attachment that leads to ransomware.
    From:    Harlan Gardner
    Date:    10 December 2015 at 08:48
    Subject:    Reference Number #20419955, Last Payment Notice
    Dear Client,
    This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $8,151.
    Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.
    Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
    In case you fail to respond to this e-mail we well be compelled to pursue all the necessary legal actions.
    Thank you beforehand for your attention to this case.
    Looking forward to hearing back from you.
    Sincerely,
    Harlan Gardner
    Sales Manager
    Foreman&Clark Ltd...


In the sample I saw, the attachment was named copy_invoice_20419955.zip which contained this malicious obfuscated script which has a VirusTotal detection rate of 2/55*. When deobfuscated it becomes a bit clearer as to what it does, with an attempted download from:
46.151.52.196 /86.exe?1
softextrain64 .com/86.exe?1
This pattern is the same as the spam run yesterday**. The downloaded binary has an MD5 of 42b27f4afd1cca0f5dd2130d3829a6bc, a detection rate of 5/55*** and the Malwr report[4] indicates that it pulls data from the following domains:
graysonacademy .com
grassitup .com
grupograndes .com
crown.essaudio .pl
garrityasphalt .com
gjesdalbrass .no
The characteristics of this malware indicate the Teslacrypt ransomware.
Recommended blocklist:
46.151.52.196
softextrain64 .com
gjesdalbrass .no
graysonacademy .com
grassitup .com
grupograndes .com
crown.essaudio .pl
garrityasphalt .com
"
* https://www.virustot...sis/1449741728/

** http://blog.dynamoo....teslacrypt.html

*** https://www.virustot...sis/1449742342/
TCP connections
78.47.139.102: https://www.virustot...02/information/
83.143.81.14: https://www.virustot...14/information/

4] https://malwr.com/an...jVjYTI0YThhNjI/
___

Fake 'STMT' SPAM - malicious attachment
- http://blog.dynamoo....c12-120106.html
10 Dec 2015 - "This -fake- financial email does not come from MAM Software but is instead a simple forgery with a malicious attachment.
    From:    accounts@ mamsoft .co.uk [statements@ mamsoft .co.uk]
    Date:    10 December 2015 at 11:35
    Subject:    STMT ACWL-15DEC12-120106
    The following are attached to this email:
    XACWL-15DEC12-120106.DOC


Attached is a file XACWL-15DEC12-120106.DOC which I have only seen one variant of so far, with a VirusTotal detection rate of 6/54*. According to the Malwr analysis**, it downloads a file from:
life.1pworks .com/76t7h/76gjk.exe
There will probably be other versions of the document with different download locations. This executable has a detection rate of 2/54*** and according to this Malwr report[4] it contacts:
136.145.86.27 (University Of Puerto Rico, Puerto Rico)
Other analysis is pending, in the meantime I recommend that you -block- traffic to that IP. The payload is probably the Dridex banking trojan."
* https://www.virustot...sis/1449747380/

** https://malwr.com/an...2I2ZTU5MzU3ZDI/

*** https://www.virustot...sis/1449747675/

4] https://malwr.com/an...WQwNDIwN2RmYWQ/
136.145.86.27
13.107.4.50

___

Fake 'Order' SPAM - malicious attachment
- http://blog.dynamoo....knowledged.html
10 Dec 2015 - "This -fake- financial spam does not come from Touchstone Lighting but is instead a simple -forgery- with a malicious attachment.
    From:    sales@ touchstonelighting .co.uk
    Date:    10 December 2015 at 12:02
    Subject:    Order 311286 Acknowledged


There is -no- body text. Attached is a malicious Word document 'Order Acknowledgement.doc' which appears to be exactly the -same- as the payload used for this spam run*."
* http://blog.dynamoo....c12-120106.html
___

Fake 'Scanned doc' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
10 Dec 2015 - "An email with the subject of 'Scanned document from MX-4100N' pretending to come from MX-4100N <mx-4100n@'your email domain> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Reply to: “MX-4100N” <mx-4100n@ victimcompany>
    Device Name: Not Set
    Device Model: MX-4100N
    Location: Not Set
    File Format: XLS MMR(G4)
    Resolution: 200dpi x 200dpi
    Attached file is scanned document in XLS format.


... these are -not- coming from your own company or email domain.
10 December 2015: mx-4100n@[redacted]_20151210_141946.xls - Current Virus total detections 3/55*
Downloads Dridex banking Trojan from jin.1pworks .com/76t7h/76gjk.exe (VirusTotal 6/55**). There appear to be -several- different subdomains of 1pworks .com delivering this malware... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1449764254/

** https://www.virustot...sis/1449764179/

1pworks .com: 120.136.10.15: https://www.virustot...15/information/
___

Fake 'Last Payment' SPAM - teslacrypt ransomware
- http://myonlinesecur...acrypt-malware/
10 Dec 2015 - "An email with the subject of 'Reference Number #45285286, Last Payment Notice' [random numbered] pretending to come from a random named Junior accountant at Foreman&Clark Ltd. with a zip attachment is another one from the current bot runs... The content of the email says :
    Dear Client,
    This e-mail is pursuant to your contract with Foreman&Clark Ltd. for our services date November 15, 2015 for the amount of $2,396.
    Your failure to pay as per the December 1, 2015 invoice equals to the breach of our contract.
    Please, acknowledge the receipt of this e-mail within three business days. Please, make your payment to the corresponding account, stated in the invoice attached no later than January 2, 2016.
    In case you fail to respond to this e-mail we well be compelled to pursue all the necessary legal actions.
    Thank you beforehand for your attention to this case.
    Looking forward to hearing back from you.
    Sincerely,
    Karen Wood
    Sales Manager
    Foreman&Clark Ltd...


10 December 2015: copy_invoice_45285286.zip: Extracts to:  invoice_gnEDzT.js
Current Virus total detections 2/55*. MALWR analysis** shows it downloads and automatically runs http ://softextrain64 .com/80.exe (virustotal ***) a Teslacrypt ransomware Trojan that encrypts your files. This domain was involved in a similar attack yesterday but at time of posting appears to be down. Alternative download locations from yesterday are still -live- and issuing malware so some versions of the javascript file -will- download a working teslacrypt. So far I got 46.151.52.196 /86.exe (virustotal 5/55[4]) 80.exe (virustotal 4/54[5])... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1449741728/

** https://malwr.com/an...WE5OTgxMDY5Nzc/
185.117.72.65
78.47.139.102
83.143.81.14


*** https://www.virustot...sis/1449742342/

4] https://www.virustot...sis/1449742342/

5] https://www.virustot...sis/1449765933/
 



Edited by AplusWebMaster, 10 December 2015 - 03:56 PM.

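The blocklists in these posts (and in the ones that follow) are written defanged: "softextrain64 .com", "http ://", "46.151.52.197 /86.exe", "mok-tr(dot)com", an IP followed by its network owner in parentheses, and occasionally a CIDR such as 149.202.234.188/30. Before any of that can go into a DNS sinkhole or firewall it has to be refanged and de-duplicated. The following is an added example, not code from the forum posts or from the blogs they quote: a small Python normalizer that refangs such lines, groups them by kind, and answers whether a host is covered, including a subdomain of a listed domain (the posts note several subdomains of 1pworks .com) or an address inside a listed CIDR. The sample lines are constructed from the notation used on this page; the `BlockEntry` type, the function names and the output layout are this example's own assumptions.

```python
# Added example for this thread: refang the defanged indicators used in the
# posts above and turn them into a de-duplicated blocklist. This is not code
# from the forum posts or from the blogs they quote; names and layout are
# this example's own assumptions.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, written in the defanging styles seen on this page
# ("http ://", "host .tld", "ip /path", "(dot)", trailing owner annotation).
SAMPLE_LINES = """
Recommended blocklist:
http ://gulteknoofis .com/76re459/98uy76t.exe
softextrain64 .com/86.exe?1
46.151.52.197 /86.exe?1
46.151.52.196
216.189.52.147 (High Speed Web/Genesis 2 Networks, US)
149.202.234.188/30
mok-tr(dot)com/why/new/index(dot)html
gjesdalbrass .no
1pworks .com
"""


@dataclass(frozen=True)
class BlockEntry:
    kind: str   # "ip", "cidr" or "domain"
    value: str  # refanged, lower-cased host or network
    path: str   # URL path that followed the host, "" if none


_SCHEME = re.compile(r"^(?:https?|hxxps?)\s*:\s*//", re.I)
_DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def refang(line: str) -> str:
    """Undo the defanging conventions used in the posts."""
    s = line.strip()
    s = _SCHEME.sub("", s)                        # "http ://host" -> "host"
    s = re.sub(r"\(dot\)", ".", s, flags=re.I)    # "mok-tr(dot)com" -> "mok-tr.com"
    s = re.sub(r"\s+\.", ".", s)                  # "softextrain64 .com" -> "softextrain64.com"
    s = re.sub(r"\s+/", "/", s)                   # "46.151.52.197 /86.exe" -> "46.151.52.197/86.exe"
    return re.sub(r"\s*\([^)]*\)\s*$", "", s)     # drop "(Hetzner, Germany)"-style annotations


def parse_line(line: str) -> Optional[BlockEntry]:
    """Classify one indicator line; returns None for prose such as 'Recommended blocklist:'."""
    s = refang(line)
    if not s or " " in s or s.endswith(":"):
        return None
    host, slash, rest = s.partition("/")
    host = host.lower()
    if slash and rest.isdigit():                  # "149.202.234.188/30" is a CIDR, not a URL
        try:
            return BlockEntry("cidr", str(ipaddress.ip_network(f"{host}/{rest}", strict=False)), "")
        except ValueError:
            return None
    path = slash + rest if slash else ""
    try:
        ipaddress.ip_address(host)
        return BlockEntry("ip", host, path)
    except ValueError:
        pass
    if _DOMAIN.fullmatch(host):
        return BlockEntry("domain", host, path)
    return None


def build_blocklist(text: str) -> dict:
    """Group indicators by kind. Hosts are listed once even if several URL paths
    were seen, because the block is applied at the DNS/firewall layer; the full
    URLs are kept separately for proxy-log and sandbox correlation."""
    out = {"ip": set(), "cidr": set(), "domain": set(), "urls": set()}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        out[entry.kind].add(entry.value)
        if entry.path:
            out["urls"].add(entry.value + entry.path)
    return {kind: sorted(values) for kind, values in out.items()}


def is_blocked(host: str, blocklist: dict) -> bool:
    """True if host is a listed IP, lies inside a listed CIDR, or is a listed
    domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        labels = host.split(".")
        return any(".".join(labels[i:]) in blocklist["domain"] for i in range(len(labels) - 1))
    if host in blocklist["ip"]:
        return True
    return any(ip in ipaddress.ip_network(cidr) for cidr in blocklist["cidr"])


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_LINES)
    for kind, values in bl.items():
        print(kind, values)
    print("149.202.234.190 blocked:", is_blocked("149.202.234.190", bl))
    print("jin.1pworks.com blocked:", is_blocked("jin.1pworks.com", bl))
```

Feed a post's "Recommended blocklist" section to build_blocklist() as-is; lines that are prose (the heading, a line with a VirusTotal link after a colon) are dropped rather than mis-parsed, and a parenthesised network owner is stripped before the IP is validated. Keep the CIDR handling in mind when pasting: a bare "x.x.x.x/30" is treated as a network, while anything with a non-numeric path is a URL whose host alone goes into the block.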


#1609 AplusWebMaster

Posted 11 December 2015 - 04:48 AM

FYI...

Fake 'Payment' SPAM - teslacrypt ransomware
- http://myonlinesecur...ypt-ransomware/
11 Dec 2015 - "An email with the subject of 'Payment Nr: 63679716/E219EC3C' [random numbered] pretending to come from random names at random companies with a zip attachment is another one from the current bot runs... The content of the email says:
    Dear Client,
    Our finance department has processed your payment, unfortunately it has been declined.
    Please, double check the information provided in the invoice down below and confirm your details.
    Thank you for understanding.


All the sender email addresses are random...
11 December 2015: SCAN_invoice_06630453.zip: Extracts to: invoice_6bOnJR.js
Current Virus total detections 1/51*. MALWR analysis** shows it downloads and automatically runs http ://46.151.52.231 /87.exe  (virustotal 7/53***) a Teslacrypt ransomware Trojan that encrypts your files. This domain was involved in a similar attack previously and earlier yesterday. This current series of teslacrypt droppers try to contact soft2webextrain .com for the malware...
Update: soft2webextrain .com is -live- again and currently downloading soft2webextrain .com/87.exe ... Be aware the bad actors controlling these domains regularly update this malware at random periods throughout the day and night to try to bypass antivirus detections. They are using varying 2 digit numbers between 80 and 89 and each different number delivers a different file#. The 3 sites delivering this series of Teslacrypt currently are:
    soft2webextrain .com/87.exe
    softextrain64 .com/86.exe
    46.151.52.231 /87.exe
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1449787904/

** https://malwr.com/an...DdjNDMxMjQ3M2I/
46.151.52.231
78.47.139.102
213.185.88.133


*** https://www.virustot...sis/1449814119/

- http://blog.dynamoo....37ba2deb0f.html
11 Dec 2015 - "I have only seen one sample of this -fake- invoice spam, so it is possible that the invoice references and sender names are randomly generated.
    From:    Jarvis Miranda
    Date:    11 December 2015 at 08:25
    Subject:    Invoice #66626337/BA2DEB0F
    Dear Client,
    Our finance department has processed your payment, unfortunately it has been declined.
    Please, double check the information provided in the invoice down below and confirm your details.
    Thank you for understanding.


In the sample I saw, the attached file was named SCAN_invoice_66626337.zip which contained a malicious javascript... with a VirusTotal detection rate of 5/54*... it is trying to download a binary from:
soft2webextrain .com/87.exe?1
46.151.52.231 /87.exe?1
This behaviour can be seen in these automated reports [1] [2]. The downloaded executable has a detection rate of 6/55**... This Malwr report[3] gives a clearer indication of what the binary is doing, attempting to pull information from:
kochstudiomaashof .de
The screenshots[3] indicate clearly that this is ransomware, specifically Teslacrypt.
Note that the soft2webextrain .com domain is on the -same- server as softextrain64 .com seen yesterday, so 185.118.64.183 (CloudSol LLC, Russia) can be considered to be malicious.
UPDATE: I didn't spot originally that the "soft2webextrain .com" website is -multihomed- with another IP address on 149.202.234.190 which is an OVH IP allocated to a customer "Dmitry Shestakov" and which forms a small block of 149.202.234.188/30 which is probably also worth blocking.
UPDATE 2: I made an error with one of the IP addresses and specified 185.118.64.183 and it should have been 185.118.64.182.
Recommended blocklist:
185.118.64.182
149.202.234.188/30
46.151.52.231
kochstudiomaashof .de
"
* https://www.virustot...sis/1449828974/

1] https://malwr.com/an...zhhZGRkNTc1OTk/
46.151.52.231
78.47.139.102
213.185.88.133


2] https://www.hybrid-a...environmentId=1

3] https://malwr.com/an...DE3ZmQxNzFjM2Y/
78.47.139.102
213.185.88.133


** https://www.virustot...sis/1449829134/
___

Malvertising Attacks via Nuclear EK Pushes Ransomware
- https://blog.malware...hes-ransomware/
Dec 11, 2015 - "We’ve been monitoring a malvertising campaign very closely as it really soared during the past week. The actors involved seem to be the same as the ones behind the self-sufficient Flash malverts/exploits we’ve documented before and reported by security researcher Kafeine* (Spartan EK).
* http://malware.dontn...-2015-7645.html
One single domain (easy-trading.biz) is relaying all traffic to other ‘ad networks’ and ultimately to the Nuclear exploit kit. That domain still hosts the malicious Flash file (CVE-2015-7645) that it previously used in standalone attacks. Now instead, it points its traffic directly to Nuclear EK, which also attempts to exploit CVE-2015-7645 as seen in the picture below:
> https://blog.malware...15/12/MBAE1.png
This malvertising campaign receives traffic from multiple sources, including the AdCash ad network which we promptly informed. According to our telemetry, this attack is accounting for about -half- of -all- malvertising activity we are seeing now. Interestingly, most victims from this campaign are outside of the US and UK and mainly in certain parts of Europe and South America. The payload distributed by the exploit kit is a downloader which retrieves several other pieces of malware including ransomware..."
(More detail at the malwarebytes URL above.)

45.63.13.175: https://www.virustot...75/information/
>> https://www.virustot...e2475/analysis/

104.131.212.117: https://www.virustot...17/information/
___

LATENTBOT...
- https://www.fireeye....t_trace_me.html
Dec 11, 2015 - "... recently uncovered LATENTBOT, a new, highly-obfuscated BOT that has been in-the-wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless. Through our Dynamic Threat Intelligence (DTI), we have observed multiple campaigns targeting multiple industries in the United States, United Kingdom, South Korea, Brazil, United Arab Emirates, Singapore, Canada, Peru and Poland – primarily in the financial services and insurance sectors. Although the infection strategy is not new, the final payload dropped – which we named LATENTBOT – caught our attention since it implements several layers of obfuscation, a unique exfiltration mechanism, and has been very successful at infecting multiple organizations..."
(More detail at the fireeye URL above.)
___

Lloyd’s Bank - Phish...
- https://blog.malware...-phish-attempt/
Dec 11, 2015 - "... steer clear of the following phishing email, which plays on the “We noticed you’re logged in from different locations, and now you have to do something about it” trick to entice potential victims into logging in on a site they should avoid:
> https://blog.malware...lloydphish1.jpg
... Clicking-the-link will take them to
mok-tr(dot)com/why/new/index(dot)html phishing page:
> https://blog.malware...lloydphish2.jpg
Despite showing a copy of a Lloyd’s login page and displaying numerous clickable links, -none- of them work save for the part asking for credentials – what you’re looking at is essentially one large .png file with a login box jammed in the middle. The page asks for User ID, Password and Memorable Word before -redirecting- them to the real Lloyd’s website... they don’t go down the route of so many other similar phishes and ask for bank details or other personal information... One other potentially related thing to note: a common piece of advice to ensure you’re on the correct banking website is to look for the green padlock*, which will let you know if the connection to the site is encrypted (and often give additional information about site ownership). In this case, the Lloyd’s Banking Group website – lloydsbankinggroup(dot)com – has -no- HTTPS, because there’s nowhere on the site where you’d need to do any logging in / sending of personal information. It’s there to give general information about the financial services group, their brands and other relevant information...
* https://support.mozi...ction-is-secure
... the Lloyd’s Bank website (where you’d actually login and do bank related activities) located at lloydsbank(dot)com -does- ...
> https://blog.malware.../lloydcert2.jpg
... please ensure that you navigate to your banking portal of choice directly and -always- treat a supposed bank login page missing a HTTPs padlock with suspicion..."
___

Basic ASLR - not in 3 A-V's...
- http://it.slashdot.o...ad-a-common-bug
Dec 10, 2015 - "Basic ASLR was -not- implemented by 3 major antivirus makers, allowing attackers to use the antivirus itself towards attacking Windows PCs. The bug, in layman's terms, is: the antivirus would select the same memory address space every time it would run. If attackers found out the memory space's address, they could tell their malicious code to execute in the same space, at the same time, and have it execute with root privileges, which most antivirus products have on Windows PCs. It's a basic requirement these days for software programmers to -use- ASLR (Address Space Layout Randomization) to -prevent- their code from executing in predictable locations. Affected products: AVG, McAfee, Kaspersky. All "quietly" issued fixes."
___

Spy Banker Trojan Telax abusing Google Cloud Servers
- http://research.zsca...ax-abusing.html
Dec 10, 2015 - "... malware authors are leveraging Google Cloud Servers to host the initial Spy Banker Downloader Trojan, which is responsible for downloading and installing Spy Banker Trojan Telax. The attackers are using social engineering tactics, such as offering coupon vouchers and free software applications like WhatsApp and Avast antivirus, to lure the end user into downloading and installing the malicious payload. Social networking sites Facebook and Twitter are primarily being used to spread a shortened URL (using bit.ly service) that points to a Google Cloud Server hosting the malicious payload with .COM or .EXE file extensions... The malware authors are actively pushing out new versions of Telax (latest version 4.7) binaries and are abusing Google Cloud Servers to host the payload for infection. There is no vulnerability exploit being used in this campaign and the attackers are solely relying on social engineering to infect the end users..."
(More detail at the URL above.)
 



Edited by AplusWebMaster, 12 December 2015 - 06:38 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
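The slashdot summary above describes the symptom (the product loading at the same address on every run); at the binary level, the usual cause is a PE image whose linker did not set the DYNAMIC_BASE bit in the optional header's DllCharacteristics, or which had its relocations stripped so the loader cannot rebase it even when the bit is set. The following is an added example, not code from the slashdot story or from any of the vendors named: a Python parser for those header bits, plus a constructed header-only image so it can be exercised without a real binary. The constants are the documented PE/COFF values; the builder, the sample images and all function names are my own.

```python
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high entropy
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be rebased at load: the ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP compatible
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000         # Control Flow Guard
# IMAGE_FILE_HEADER.Characteristics bit
IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # no .reloc data, so the loader cannot rebase the image


def parse_pe_mitigations(data: bytes) -> dict:
    """Read the linker-set mitigation flags from a PE image's headers.

    Only the DOS header, PE signature, COFF file header and the start of the
    optional header are read, so the first few KB of a file are enough.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    (machine, _nsect, _stamp, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic 0x%X" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 (0x10B) and PE32+ (0x20B)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "guard_cf": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
        "relocs_stripped": relocs_stripped,
        # DYNAMIC_BASE without relocation data cannot be honoured by the loader
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_minimal_pe(dll_chars: int, file_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed stand-in image (headers only, no sections, not executable),
    used here purely to exercise the parser."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    opt_size = 240 if pe32plus else 224       # standard sizes with 16 data directories
    machine = 0x8664 if pe32plus else 0x14C   # AMD64 / i386
    coff_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", optional, 70, dll_chars)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


if __name__ == "__main__":
    # Usage: python pe_aslr_check.py <file.exe|file.dll> ...
    # Point it at the on-disk modules of a product to see which ones opted in.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            flags = parse_pe_mitigations(fh.read(65536))
        verdict = "ASLR" if flags["aslr_effective"] else "NO ASLR"
        print("%-8s %s  (DYNAMIC_BASE=%s RELOCS_STRIPPED=%s HIGH_ENTROPY_VA=%s)" % (
            verdict, path, flags["dynamic_base"], flags["relocs_stripped"],
            flags["high_entropy_va"]))
```

This is a static opt-in check only: it tells you what the linker asked for, not what the OS did at run time (Windows can also force relocation of images that did not opt in via its mitigation policy, and a service running as SYSTEM is still a high-value target even when it is randomised). Run it across every EXE and DLL a product installs, since one non-randomised module in the process is enough to give an attacker the fixed addresses the summary describes.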


#1610 AplusWebMaster

Posted 14 December 2015 - 06:59 AM

FYI...

Fake 'Scan' SPAM - malicious attachment
- http://blog.dynamoo....amsung-mfp.html
14 Dec 2015 - "This -fake- scanned document does not come from Cardiff Galvanizers but is instead a simple -forgery- with a malicious attachment.
    From:    Gareth Evans [gareth@ cardiffgalvanizers .co.uk]
    Date:    14 December 2015 at 10:43
    Subject:    FW: Scan from a Samsung MFP
    Regards
    Gareth
    -----Original Message-----
    Please open the attached document. It was scanned and sent to you using a
    Samsung MFP. For more information on Samsung products and solutions, please
    visit http ://www .samsungprinter .com.
    This message has been scanned for malware...


I have seen just a single sample of this, named Untitled_14102015_154510.doc and with a VirusTotal detection rate of 7/54*. It contains a malicious macro... which according to this Malwr report** downloads a malicious binary from:
test1.darmo .biz/437g8/43s5d6f7g.exe
There will probably be other versions of the document downloading from the same location. The binary has a VirusTotal detection rate of 1/54***. Those two reports plus this Hybrid Analysis[4] indicate network traffic to the following malicious IPs:
199.7.136.84 (Megawire, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)
202.69.40.173 (Gerrys Information Technology (PVT) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)
The payload is likely to be the Dridex banking trojan...
Recommended blocklist:
199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169
"
* https://www.virustot...sis/1450090998/

** https://malwr.com/an...GNmMGMwYWQwZWM/

*** https://www.virustot...sis/1450091531/

4] https://www.hybrid-a...environmentId=1

- http://myonlinesecur...dsheet-malware/
14 Dec 2015
14 December 2015: Untitled_14102015_154510.doc - Current Virus total detections 7/54*  
"MALWR** tells us that it downloads what looks like Dridex banking Trojan from
test1 .darmo .biz/437g8/43s5d6f7g.exe (VirusTotal 1/53***)..."
* https://www.virustot...sis/1450090998/

** https://malwr.com/an...GNmMGMwYWQwZWM/

*** https://www.virustot...sis/1450092293/
___

Fake 'resume' SPAM - JS malware cryptowall
- http://myonlinesecur...ume-js-malware/
14 Dec 2015 - "An email coming from random names and random email addresses pretending to be a resume with a zip attachment is another one from the current bot runs... The content of the email says :
    Hi, my name is Kent Mckay
    Please find my resume in the attachment
    Thank you,
    Kent Mckay


14 December 2015: Kent Mckay.zip: Extracts to: Kent Mckay.js
Current Virus total detections 0/54* which MALWR** shows us downloads -3- files from
http ://updatemicrosoft2015 .ru/exe/ 1.jpg (VirusTotal 3/54***), 2.jpg (VirusTotal 2/55[4]) and 3.jpg (VirusTotal 4/55[5]), and posts to http ://updateserviceavast .ru/p/gate.php and http ://bademlik .com/4XQIPH.php?g=lzm39hr73u5jiah. The js downloader -renames- the downloaded jpg files to .exe and auto runs them.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1450092597/

** https://malwr.com/an...mE3N2EwNjI3NDY/
89.252.41.9
213.238.171.181
91.209.96.118


*** https://www.virustot...sis/1450083835/

4] https://www.virustot...sis/1450083847/

5] https://www.virustot...sis/1450083824/
___

Fake 'Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
14 Dec 2015 - "An email with the subject of 'Invoice 14 12 15' pretending to come from THUNDERBOLTS LIMITED <enquiries@ thunderbolts .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email, which must be confused because the attachment is an XLS (Excel) spreadsheet, simply says:

    This message contains 2 pages in PDF format.

14 December 2015: fax00163721.xls - Current Virus total detections 5/54*
MALWR** shows us it downloads http ://exfabrica .org/437g8/43s5d6f7g.exe which is the -same- Dridex banking malware as described in today’s other malspam run*** involving malicious office docs with macros...  DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1450093861/

** https://malwr.com/an...GEzYTRjNzAxM2Q/
46.165.204.143
199.7.136.84
184.28.188.186


*** http://myonlinesecur...dsheet-malware/

- http://blog.dynamoo....e-14-12-15.html
14 Dec 2015 - "This terse fake financial spam is -not- from the awesomely-named Thunderbolts Limited but is instead a simple forgery with a malicious attachment:
    From:    THUNDERBOLTS LIMITED [enquiries@ thunderbolts .co.uk]
    Date:    14 December 2015 at 11:15
    Subject:    Invoice 14 12 15
    This message contains 2 pages in PDF format.


Curiously, the bad guys have gone as far as to include a -fake- header to make it look like a fax:
X-Mailer: ActiveFax 3.92
Attached is a file fax00163721.xls which is fairly obviously -not- a PDF document. So far I have seen two versions of this with a detection rate of 6/55 [1] [2] and which these Malwr reports [3] [4] indicate download a malicious binary from:
exfabrica .org/437g8/43s5d6f7g.exe
test-cms.reactive .by/437g8/43s5d6f7g.exe
This binary has a detection rate of 0/54*. That VirusTotal report and this Hybrid Analysis** both show traffic to:
199.7.136.84 (Megawire, Canada)
This malware is likely to be Dridex. Given that it is similar to the one found here***, I would recommend blocking network traffic to:
199.7.136.84
221.132.35.56
202.69.40.173
78.47.66.169
"
1] https://www.virustot...sis/1450099936/

2] https://www.virustot...sis/1450099949/

3] https://malwr.com/an...GEzYTRjNzAxM2Q/

4] https://malwr.com/an...jgzYzdhOGRlMDg/

* https://www.virustot...sis/1450100026/

** https://www.hybrid-a...environmentId=1

*** http://blog.dynamoo....amsung-mfp.html
___

Fake 'Invoice 15069447' SPAM - macro malware
- http://myonlinesecur...-macro-malware/
14 Dec 2015 - "An email with the subject of 'Invoice 15069447' from Cleansing Service Group pretending to come from CSG <accounts@ csg .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-1-1024x330.png

14 December 2015: 15069447.doc - Current Virus total detections 8/54*
MALWR is timing out so I am unable to fully determine the payload, but the VirusTotal report indicates that it is the -same- downloader that was spammed out earlier under different names, so it is a high probability that it is the -same- Dridex banking Trojan as described in today’s earlier malspam run**
Note: the Dridex malware -does- get regularly updated on the compromised delivery servers and it is very common to see 8 or 10 slightly different versions throughout the day... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1450097979/

** http://myonlinesecur...dsheet-malware/
___

Fake 'invoice_scan' SPAM - malicious attachment
- http://blog.dynamoo....-burke-bcp.html
14 Dec 2015 - "This -fake- invoice comes with a malicious attachment:
    From:    Israel Burke [BurkeIsrael850@ business .telecomitalia .it]
    Date:    14 December 2015 at 15:00
    Subject:    Israel Burke
    Dear Customer:
    Attached please find an invoice(s) for payment.  Please let us know if you have any questions.
    We greatly appreciate your business!
    Israel Burke
    BCP Transportation, Inc.


I have only seen one sample of this, it is possible that the company name and sender names are randomly generated. The attachment in this case was named invoice_scan_76926455.doc and has a detection rate of 3/55*. Despite the name, this is -not- a Word document but is an XML document... containing ActiveMIME data. The Malwr report** for this indicates network traffic to:
109.234.34.224 (McHost.Ru, Russia)
80.96.150.201 (SC-Nextra Telecom SRL, Romania)
That Malwr report shows a dropped binary named qqqew.exe which has a VirusTotal detection rate of 5/55***. I am not certain of the payload, but I suspect that this Word document is dropping -Upatre- leading to the Dyre banking trojan...
Recommended blocklist:
109.234.34.224
80.96.150.201
"
* https://www.virustot...sis/1450109838/

** https://malwr.com/an...TRlZWYyODNjMjQ/
109.234.34.224
80.96.150.201
184.28.188.192


*** https://www.virustot...sis/1450110752/
___

Fake 'order #83472521' SPAM - JS malware Teslacrypt
- http://myonlinesecur...are-teslacrypt/
14 Dec 2015 - "An email with the subject of 'Your order #83472521' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs... The content of the email says:
    Dear Valued Customer,
    This letter was sent to you as a formal notice that you are obligated to repay our company the sum of 2,932$ which was advanced to you from our company on October 16, 2015.
    Please, find the invoice enclosed down below.
    This amount must be repaid until the date of maturity to payment obligation, December 28, 2015 and you have failed to repay our company the same despite repeated requests for this payment.
    Thank you in advance for your prompt attention to this matter. We look forward to your remittance. If you have any questions, please do not hesitate to contact us.
    Sincerely,
    Emanuel Lyons
    11 Money Way
    Pittsburgh, PA 15226


14 December 2015: invoice_83472521_scan.zip: Extracts to: invoice_copy_KRe6PE.js
Current Virus total detections 2/54*  which downloads Teslacrypt ransomware from
miracleworld1 .com/91.exe (VirusTotal 5/54**). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1450106174/

** https://www.virustot...26372/analysis/

miracleworld1 .com: 5.178.71.5: https://www.virustot....5/information/
> https://www.virustot...f582a/analysis/
83.69.233.102: https://www.virustot...02/information/
___

Fake 'Last Payment Notice' SPAM - JS malware teslacrypt
- http://myonlinesecur...are-teslacrypt/
14 Dec 2015 - "An email with the subject of 'Reference Number #63481002, Last Payment Notice' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs... The content of the email says :
    Dear Customer,
    We regret to inform you that due to your unpaid debt amount of $745.47 to Sandor Inc., from November 31, 2015 we have passed your case to the court.
    Your prompt attention is required to resolve this issue.
    Attached you can find your invoice and case information to review.


14 December 2015: invoice_63481002_scan.zip: Extracts to: invoice_ss4vYy.js
Current Virus total detections 3/54* which downloads Teslacrypt ransomware from either firstwetakemanhat .com/91.exe or miracleworld1 .com/91.exe (VirusTotal 5/54**), which is the -same- teslacrypt ransomware as described in this slightly earlier run today***. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1450113436/

** https://www.virustot...26372/analysis/

*** http://myonlinesecur...are-teslacrypt/

firstwetakemanhat .com: 84.200.69.60: https://www.virustot...60/information/
> https://www.virustot...8b5df/analysis/
193.150.0.78: https://www.virustot...78/information/
> https://www.virustot...46cf6/analysis/
___

Fake 'invoice #92277208' SPAM - JS malware Teslacrypt
- http://myonlinesecur...are-teslacrypt/
14 Dec 2015 - "An email with the subject of 'Agri Basics invoice #92277208 and 92277209' [random numbered] coming from random email addresses and names with a zip attachment is another one from the current bot runs... The content of the email says :
    Please find attached invoice #92277208.
    Have a nice day
    Matthew Daniels
    Accounts Receivable
    320 Golden Shore, Suite 350
    Long Beach, CA 90802


The name of the Accounts receivable matches the alleged sender...
14 December 2015: invoice_92277208_scan.zip: Extracts to:  invoice_SCAN_kHps3.js
Current Virus total detections 4/56* which downloads teslacrypt ransomware from either firstwetakemanhat .com/91.exe or miracleworld1 .com/91.exe (VirusTotal 1/56**); this is an -updated- teslacrypt from today’s earlier runs***. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1450119089/

** https://www.virustot...sis/1450124215/
TCP connections
78.47.139.102: https://www.virustot...02/information/
69.175.2.106: https://www.virustot...06/information/

*** http://myonlinesecur...are-teslacrypt/
___

'Outlook account has been disabled' - MS PHISH ...
- http://myonlinesecur...abled-phishing/
14 Dec 2015 - "We are seeing a lot of phishing attempts against Microsoft office and outlook accounts. This one starts with an email with the subject 'Microsoft outlook account has been disabled' pretending to come from Contact <admin@ 'microsoftexchangee'.com>. One of the major common subjects in this sort of phishing attempt is 'Your password will expire soon' or 'update your email' or something very similar. This one only wants your email / Microsoft account login details... The original email simply says:

    Your Microsoft outlook account has been disabled
    Please reactive it : Click here


The link behind the click here starts with a Google short URL link https ://goo .gl/hFbJ9K which sends you invisibly to http ://clameurs.dijon .fr/wp-content/plugins/wp-calameo/net.html which then automatically sends you without anybody realising you even went via a -hidden- link to http ://www.microsoft-outlook .link/network/login_/  which can very easily be mistaken for a genuine Microsoft site. The domain the emails come from also can be easily mistaken for a genuine Microsoft domain... you see a webpage looking like:
> http://myonlinesecur...in-1024x542.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... it is a straight forward attempt, like this one, to -steal- your personal, bank, credit card or email and social networking login details..."

Edited by AplusWebMaster, 14 December 2015 - 03:05 PM.
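Several of the runs quoted above share one trick: the dangerous file is disguised by its name (a .js inside a zip with a document icon, a "jpg" that is really a PE, a ".doc" that is actually a Word 2003 XML file carrying ActiveMIME). A mail gateway or triage script can catch most of those by looking at what the bytes are rather than what the name says. The following is an added example, not code from any of the blogs quoted in this post: a small Python screener that opens zip attachments one level deep, identifies each file by magic bytes, and flags executable extensions, double extensions and name/content mismatches. The sample attachments are constructed by me and only borrow the file names from the posts above; their contents are fake, and all finding codes and function names are my own.

```python
import io
import zipfile

# Extensions Windows runs directly on double-click (script hosts included)
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
               ".cmd", ".bat", ".scr", ".exe", ".pif", ".com", ".jar", ".lnk"}
# "Document" extensions seen in front of a real one in names like x.pdf.exe
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".rtf"}
# Containers an extension should correspond to (Office 2003 XML allowed for .doc/.xls)
EXPECTED = {".doc": {"ole2", "xml"}, ".xls": {"ole2", "xml"}, ".docx": {"zip"},
            ".xlsx": {"zip"}, ".pdf": {"pdf"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
            ".png": {"png"}}
OFFICE_ZIP_EXTS = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
MAX_MEMBER = 20 * 1024 * 1024  # do not inflate oversized members (zip-bomb guard)


def sniff(data: bytes) -> str:
    """Identify the container by magic bytes, ignoring the file name entirely."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:8] == b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1":
        return "ole2"  # binary .doc/.xls compound file
    if data[:4] == b"PK\x03\x04":
        return "zip"   # archive or OOXML
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:3] == b"\xFF\xD8\xFF":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    head = data[:256].lstrip().lower()
    if head.startswith(b"<?xml") or b"<?mso-application" in head:
        return "xml"   # e.g. Word 2003 XML, the format that carries ActiveMIME
    return "unknown"


def split_ext(name: str):
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    prev = "." + parts[-2] if len(parts) > 2 else ""
    return ext, prev


def assess(name: str, data: bytes) -> list:
    """Finding codes for one file; an empty list means nothing tripped these checks."""
    ext, prev = split_ext(name)
    findings = []
    if ext in SCRIPT_EXTS:
        findings.append("script_ext")
    if prev in DOC_EXTS:
        findings.append("double_ext")
    kind = sniff(data)
    expected = EXPECTED.get(ext)
    if expected and kind not in expected:
        findings.append("type_mismatch:" + kind)
    if ext in (".doc", ".xls") and kind == "xml":
        findings.append("office_xml")  # legitimate format but rare in mail: inspect for macros
    return findings


def screen_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Screen one attachment; plain archives are opened one level and each member assessed."""
    if sniff(data) == "zip" and not name.lower().endswith(OFFICE_ZIP_EXTS):
        if depth >= 1:
            return [(name, ["archive_nested"])]
        results = []
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = name + "/" + info.filename
                    if info.file_size > MAX_MEMBER:
                        results.append((member, ["oversized_member"]))
                        continue
                    results.extend(screen_attachment(member, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            results.append((name, ["bad_zip"]))
        return results
    return [(name, assess(name, data))]


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples: names modelled on the posts above, contents are fake stand-ins
SAMPLES = {
    "Kent Mckay.zip": make_zip({"Kent Mckay.js": b"var o = new ActiveXObject('MSXML2.XMLHTTP');"}),
    "invoice_scan_76926455.doc": (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
                                  b'<?mso-application progid="Word.Document"?>\r\n<w:wordDocument/>'),
    "1.jpg": b"MZ\x90\x00" + b"\x00" * 60,  # a PE with an image name, as in the resume run
    "fax00163721.xls": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 504,
    "resume.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
}


def screen_all(samples: dict) -> dict:
    return {name: screen_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, results in screen_all(SAMPLES).items():
        for member, findings in results:
            print("%-40s %s" % (member, ", ".join(findings) or "clean by these checks"))
```

Note what this does not do: the genuine binary .xls in the samples comes back clean, because a macro-bearing OLE2 document is indistinguishable from a benign one at the magic-byte level. Deciding whether an Office file carries VBA needs an OLE stream parser (oletools' olevba is the usual choice); this screener only removes the cheap disguises so that the remaining Office attachments can be sent to that deeper check.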


#1611 AplusWebMaster

Posted 15 December 2015 - 06:19 AM

FYI...

Fake 'Unpaid Invoice' SPAM - leads to Teslacrypt
- http://blog.dynamoo....r-89044096.html
15 Dec 2015 - "This -fake- financial spam comes with a malicious attachment.
    From:    Carol Mcgowan
    Date:    15 December 2015 at 09:09
    Subject:    Reference Number #89044096, Notice of Unpaid Invoice
    Dear Valued Customer,
    It seems that your account has a past due balance of $263,49. Previous attempts to collect the outstanding amount have failed.
    Please remit $263,49 from invoice #89044096 within three days or your account will be closed, any outstanding orders will be cancelled and this matter will be referred to a collection agency.
    The payment notice is enclosed to the letter down below.


Attached is a file invoice_89044096_scan.doc which has a VirusTotal detection rate of 2/54*, and which contains this malicious macro... which attempts to download a binary from the following location:
thewelltakeberlin .com/92.exe
This domain was registered only today, and at the moment is not resolving properly. The payload here is likely to be Teslacrypt... Nameservers are dns1.saymylandgoodbye .in and dns2.saymylandgoodbye .in hosted on 5.178.71.5 (Serverius, Netherlands) and 83.69.233.102 (Awax Telecom, Russia)...
Recommended minimum blocklist:
thewelltakeberlin .com
83.69.233.102
5.178.71.5

UPDATE: There is a good analysis of this malware at TechHelpList** including the C2 domains involved."
* https://www.virustot...sis/1450174494/

** https://techhelplist...invoice-malware
___

Fake 'Order' SPAM -  malicious attachment
- http://blog.dynamoo....xx20000584.html
15 Dec 2015 - "This rather brief spam does -not- come from Petty Wood but is instead a simple -forgery- with a malicious attachment:
    From:    Nicola Hogg [NHogg@ pettywood .co.uk]
    Date:    15 December 2015 at 10:14
    Subject:    Order PS007XX20000584


There is -no- body text, but instead there is an attachment PS007XX20000584 - Confirmation with Photos.DOC which has a VirusTotal detection rate of 5/55* and it contains a malicious macro... which (according to this Malwr report**) downloads a binary from:
kutschfahrten-friesenexpress .de/8iy45323f/i87645y3t23.exe
There are probably other versions of the document with different download locations. This malicious executable has a detection rate of 2/54*** and between them these three reports [1] [2] [3] indicate malicious traffic to:
199.7.136.84 (Megawire Inc, Canada)
221.132.35.56 (Ho Chi Minh City Post And Telecom Company, Vietnam)
The payload here is likely to be the Dridex banking trojan...
Recommended blocklist:
199.7.136.84
221.132.35.56
"
* https://www.virustot...sis/1450176653/

** https://malwr.com/an...mFkZGUwOWZjMTc/

*** https://www.virustot...sis/1450176769/

1] https://www.virustot...sis/1450176769/

2] https://malwr.com/an...DI2MjZjYzc3MTI/

3] https://www.hybrid-a...environmentId=1
___

Fake 'Voucher' SPAM - malicious attachment
- http://blog.dynamoo....cher-ach-2.html
15 Dec 2015 - "This -fake- financial spam does not come from Affordable Car Hire but is instead a simple -forgery- with a malicious attachment.
    From:    Reservations [res@ affordablecarhire .com]
    Date:    15 December 2015 at 11:50
    Subject:    Invoice for Voucher ACH-2-197701-35
    Affordable Car Hire
    Payment Link For BookingACH-2-197701-35
    Please find attached your invoice for reservation number ACH-2-197701-35 ...


I have only seen a single sample, with an attachment ACH-2-197701-35-invoice.xls which has a VirusTotal detection rate of 3/54*. According to this Malwr report, it downloads a malicious binary from:
usahamanfaat .com/8iy45323f/i87645y3t23.exe
The payload here is the Dridex banking trojan, and it is identical to the one found in this spam run**."
* https://www.virustot...sis/1450182473/

** http://blog.dynamoo....xx20000584.html
___

Fake 'Invoice Attached' SPAM - malicious attachment
- http://blog.dynamoo....e-attached.html
15 Dec 2015 - "This -fake- financial spam has a malicious attachment:
    From:    Ernestine Harvey
    Date:    15 December 2015 at 11:34
    Subject:    Invoice Attached
    Good morning,
    Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.
    Thank you!
    Mr. Ernestine Harvey
    Accounting Specialist| Bank of America, N.A., Cabot Oil & Gas Corp.


The sender name varies randomly, except in the email they are all signed "Mr." even if they have female names... The attachments are named in the format invoice_12345678_scan.doc - the filenames are randomly-generated and indeed every attachment seems to be unique. Typical VirusTotal detection rates are around 3/54*... attempted downloads from:
modern7technologiesx0 .tk/x1656/dfiubgh5.exe
forbiddentextmate58 .tk/x1656/ctruiovy.exe
temporary777winner777 .tk/x1656/fdgbh44b.exe
former12futuristik888 .tk/x1656/fdgjbhis75.exe
Note that these are all .TK domains, and they are all hosted on exactly the same server of 31.184.234.5 (GTO Ltd, Montenegro). A look at VirusTotal's report for that IP* gives another malicious domain of:
servicexmonitoring899 .tk
I would suggest that the entire 31.184.234.0/24 range looks pretty questionable.
Anyway, the downloaded binary has a VirusTotal detection rate of 4/55** and the comments indicate that rather surprisingly this is the Nymaim ransomware [5]. The Hybrid Analysis*** indicates network traffic to xnkhfbc .in on 200.195.138.156 (Szabo & Buhnemann, Brazil). But in fact that domain seems to move around a lot and has recently been seen on the following IPs:
41.224.12.178 (Orange Tunisie Internet, Tunisia)
51.255.59.248 (OVH, France)
78.107.46.8 (Corbina Telecom, Russia)
95.173.163.211 (Netinternet, Turkey)
118.102.239.53 (Dishnet, India)
140.116.161.33 (TANET, Taiwan)
185.114.22.214 (Osbil Technology Ltd., Turkey)
192.200.220.42 (Global Frag Networks, US)
200.195.138.156 (Szabo & Buhnemann Ltda, Brazil)
210.150.126.225 (HOSTING-NET, Japan)
There are a bunch of bad domains associated with this malware but the only other one that seems to be active is oxrdmfdis.in.
Recommended blocklist:
31.184.234.5
41.224.12.178
51.255.59.248
78.107.46.8
95.173.163.211
118.102.239.53
140.116.161.33
185.114.22.214
192.200.220.42
200.195.138.156
210.150.126.225
xnkhfbc.in
oxrdmfdis.in

UPDATE: A source tells me (thank you) that servicexmonitoring899 .tk is now resolving to 78.129.252.19 (iomart, UK) that has also recently hosted these following domains:
google-apsm .in
specre .com
ganduxerdesign .com
www .ganduxerdesign .com
upmisterfliremsnk .net
tornishineynarkkek .org
tornishineynarkkek2 .org
Some of these domains are associated with Rovnix[4]."

* https://www.virustot....5/information/

** https://www.virustot...sis/1450185850/

*** https://www.hybrid-a...environmentId=1

4] https://blogs.mcafee...le-time-checks/

5] http://www.welivesec...ng-for-trouble/
___

Tainted network: vds24 .net on OVH
- http://blog.dynamoo....-shestakov.html
15 Dec 2015 - "vds24 .net (apparently belonging to "Dmitry Shestakov") is a Russian reseller of OVH servers that has come up on my radar a few times in the past few days [1] [2] [3] in connection with domains supporting Teslacrypt malware and acting as landing pages for the Angler exploit kit. Curious as to what was hosted on the vds24 .net range, I set about trying to find out their IP address ranges. This proved to be somewhat difficult as they are spread in little chunks throughout OVH's IP space. I managed to identify:
5.135.58.216/29
5.135.254.224/29
51.254.10.128/29
51.254.162.80/30
51.255.131.64/30
149.202.234.116/30
149.202.234.144/30
149.202.234.188/30
149.202.237.68/30
176.31.24.28/30
178.32.95.152/29
178.33.200.128/26
Then using a reverse DNS function, I looked up all the domains associated with those ranges (there were a LOT) and then looked to see which were active plus their SURBL and Google ratings... There may well be legitimate domains in this range, but out of 1658 domains identified, 1287 (77.6%) are flagged by SURBL as being spammy. Only 11 (0.7%) are identified as malicious, but in reality I believe this to be much higher. In particular, the following IP ranges seem to be clearly bad from those ratings:
51.254.10.131
51.254.162.81
51.255.131.66
51.255.142.101
149.202.234.190
149.202.237.68
178.33.200.138

I can see -61- active IPs in the vds24 .net range, so perhaps it is only a small proportion. However, depending on your network stance, you may want to consider blocking -all- the IP ranges specified above just to be on the safe side."
1] http://blog.dynamoo....2345678-11.html

2] http://blog.dynamoo....37ba2deb0f.html

3] https://twitter.com/...310855559503872
___

Fake 'Remittance Advice' SPAM - malicious attachment
- http://blog.dynamoo....remittance.html
15 Dec 2015 - "This -fake- financial spam comes with a malicious attachment:
    From:    Kristina Salinas
    Date:    15 December 2015 at 14:59
    Subject:    Rockspring Remittance Advice - WIRE
    Dear Customer,
    Please find attached your Remittance Details for the funds that will be deposited to your bank account on December 15th.
    Rockspring Capital is now sending through the bank the addenda information including your remit information.
    If you are not seeing your addenda information in your bank reporting you may have to contact your local bank representative.
    Accounts Payable


Attached is a malicious document with a -random- name. I have only seen one sample so far with a VirusTotal detection rate of 3/55*. The Malwr report** indicates that -same- behaviour as this earlier spam run*** which is dropping Nymaim ransomware."
* https://www.virustot...sis/1450192082/

** https://malwr.com/an...2Y0ZTU5N2NhZjI/
31.184.234.5

*** http://blog.dynamoo....e-attached.html

Edited by AplusWebMaster, 15 December 2015 - 11:26 AM.
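The vds24 .net post above lists twelve prefixes scattered through OVH's space plus seven individual hosts it considers clearly bad, and suggests blocking all of it. Before turning such a list into firewall rules it is worth checking two things: that the prefixes do not overlap (so the list stays short) and that every singled-out host is actually inside one of them. The following is an added example and not code from the Dynamoo post: a Python helper built on the standard ipaddress module that collapses the prefixes, maps each flagged host to its containing prefix, and renders ipset commands, adding explicitly any host that none of the prefixes covers. Run on the post's own data it shows that 51.255.142.101 falls outside all twelve prefixes, so a block list built from the prefixes alone would miss it. The set name and the rule rendering are my own choices.

```python
import ipaddress

# Prefixes the post attributes to vds24 .net inside OVH's address space
VDS24_RANGES = [
    "5.135.58.216/29", "5.135.254.224/29", "51.254.10.128/29", "51.254.162.80/30",
    "51.255.131.64/30", "149.202.234.116/30", "149.202.234.144/30", "149.202.234.188/30",
    "149.202.237.68/30", "176.31.24.28/30", "178.32.95.152/29", "178.33.200.128/26",
]
# Hosts the post singles out as clearly bad from their SURBL/Google ratings
FLAGGED_HOSTS = [
    "51.254.10.131", "51.254.162.81", "51.255.131.66", "51.255.142.101",
    "149.202.234.190", "149.202.237.68", "178.33.200.138",
]


def collapse(ranges):
    """Merge overlapping or adjacent prefixes so the list carries no redundant entries."""
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    return list(ipaddress.collapse_addresses(nets))


def total_addresses(ranges) -> int:
    """Number of addresses a rule set built from these prefixes would cover."""
    return sum(n.num_addresses for n in collapse(ranges))


def coverage(ranges, hosts):
    """Map each host to the prefix containing it; hosts outside every prefix come back separately."""
    nets = collapse(ranges)
    covered, uncovered = {}, []
    for host in hosts:
        ip = ipaddress.ip_address(host)
        hit = next((n for n in nets if ip in n), None)
        if hit is None:
            uncovered.append(host)
        else:
            covered[host] = str(hit)
    return covered, uncovered


def block_rules(ranges, hosts, setname="vds24"):
    """Render ipset commands for the prefixes plus any flagged host not already inside one."""
    nets = collapse(ranges)
    _, extra = coverage(ranges, hosts)
    rules = ["ipset create %s hash:net -exist" % setname]
    rules += ["ipset add %s %s -exist" % (setname, n) for n in nets]
    rules += ["ipset add %s %s -exist" % (setname, h) for h in extra]
    return rules


if __name__ == "__main__":
    print("%d prefixes, %d addresses" % (len(collapse(VDS24_RANGES)), total_addresses(VDS24_RANGES)))
    covered, uncovered = coverage(VDS24_RANGES, FLAGGED_HOSTS)
    for host, net in covered.items():
        print("  %-16s in %s" % (host, net))
    for host in uncovered:
        print("  %-16s NOT in any listed prefix; added as a /32" % host)
    print("\n".join(block_rules(VDS24_RANGES, FLAGGED_HOSTS)))
```

The rendered set is attached to a chain in the usual way (for example `iptables -I INPUT -m set --match-set vds24 src -j DROP`, and the same with `dst` on OUTPUT if you also want to stop infected hosts reaching the range). Keep the prefixes and the explicit hosts in one set so that a later re-run that widens a prefix supersedes the /32 without leaving a stale duplicate.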


#1612 AplusWebMaster

Posted 16 December 2015 - 07:33 AM

FYI...

Fake 'e-Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Dec 2015 - "An email with the subject of 'Your e-Invoice(s) from Barrett Steel Services Ltd' pretending to come from samantha.morgan@ barrettsteel .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Customer,
    Please find attached your latest Invoice(s).
    Kind Regards,
    Samantha Morgan,
    Barrett Steel Services Ltd,
    Phone: 01274654248
    Email: samantha.morgan@ barrettsteel .com
    PS
    Have you considered paying by BACS ? Our details can be found on the attached invoice.
    Please reply to this email if you have any queries.
    You can use the link below to perform an Experian credit check...


16 December 2015: e-Invoice Barrett Steel Services Ltd.doc - Current Virus total detections 4/54*
MALWR** shows us this downloads what looks like Dridex banking Trojan from http ://wattplus .net/98g654d/4567gh98.exe (VirusTotal 4/53***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1450263394/

** https://malwr.com/an...TljOWI0ODk3Mjg/
181.224.138.100
199.7.136.84


*** https://www.virustot...sis/1450263681/

- http://blog.dynamoo....oices-from.html
16 Dec 2015 - "This -fake- financial spam does not come from Barrett Steel Services Ltd but is instead a simple -forgery- with a malicious attachment:
    From:    samantha.morgan@ barrettsteel .com
    Date:    16 December 2015 at 09:44
    Subject:    Your e-Invoice(s) from Barrett Steel Services Ltd
    Dear Customer,
    Please find attached your latest Invoice(s).
    Kind Regards,
    Samantha Morgan,
    Barrett Steel Services Ltd,
    Phone: 01274654248
    Email: samantha.morgan@ barrettsteel .com
    PS
    Have you considered paying by BACS ?  Our details can be found on the attached invoice.
    Please reply to this email if you have any queries...


Attached is a file e-Invoice Barrett Steel Services Ltd.doc which I have seen just a single variant of, with a VirusTotal detection rate of 4/54* which according to this Malwr analysis** downloads a malicious binary from the following location:
wattplus .net/98g654d/4567gh98.exe
This downloaded binary has a detection rate of 4/53*** and according to this Malwr report[4] it attempts to contact:
199.7.136.84 (Megawire, Canada)
I strongly recommend that you -block- traffic to that IP. Other analysis is pending. The payload is almost definitely the Dridex banking trojan."
* https://www.virustot...sis/1450263394/

** https://malwr.com/an...mZjMGI3MzhlMTc/
199.7.136.84

*** https://www.virustot...sis/1450263681/

4] https://malwr.com/an...mZjMGI3MzhlMTc/
199.7.136.84
___

Fake 'Your Order' SPAM - malicious attachment
- http://blog.dynamoo....your-order.html
16 Dec 2015 - "This -fake- financial spam is not from John S. Shackleton (Sheffield) Ltd but is instead a simple -forgery- with a malicious attachment. It is the second spam in a day pretending to be from a steel company.
From Jonathan Carroll [Jonathan@ john-s-shackleton .co.uk]
Date Wed, 16 Dec 2015 11:11:09 -0000
Subject Documentation: Your Order Ref: SGM249/013
Your Order: SGM249/013
Our Order: 345522
Advice Note: 355187
Despatch Date: 22/12/15
Attachments:
s547369.DOC Shackleton Invoice Number 355187
John S. Shackleton (Sheffield) Ltd
4 Downgate Drive
Sheffield
S4 8BU
Tel: 0114 244 4767
Fax: 0114 242 5965 ...


I have only seen a single sample of this spam, with an attachment s547369.DOC which has a VirusTotal detection rate of 4/55*. According to this Malwr Report** it downloads a malicious binary from:
bbbfilms .com/98g654d/4567gh98.exe
This binary has a detection rate of 4/53*** and is the -same- payload as found in this spam run[4], leading to the Dridex banking trojan."
* https://www.virustot...sis/1450264586/

** https://malwr.com/an...zYxZThmOTI5NjE/
199.91.68.54
199.7.136.84


*** https://www.virustot...sis/1450264859/

4] http://blog.dynamoo....oices-from.html

- http://myonlinesecur...-macro-malware/
16 Dec 2015 - "An email with the subject of 'Documentation: Your Order Ref: SGM249/013' pretending to come from Jonathan Carroll <Jonathan@'john-s-shackleton'.co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Your Order: SGM249/013
    Our Order: 345522
    Advice Note: 355187
    Despatch Date: 22/12/15
    Attachments: s547369.DOC Shackleton Invoice Number 355187
    John S. Shackleton (Sheffield) Ltd
    4 Downgate Drive
    Sheffield
    S4 8BU
    Tel: 0114 244 4767
    Fax: 0114 242 5965 ...


16 December 2015: s547369.DOC - Current Virus total detections 4/56*
MALWR shows us this downloads what looks like Dridex banking Trojan from  http ://bbbfilms .com/98g654d/4567gh98.exe which is the -same- malware as described in this slightly earlier malspam run** of malicious Office docs..."
* https://www.virustot...sis/1450261722/

** http://myonlinesecur...dsheet-malware/
___

Fake 'Invoice No. 4515581' SPAM - macro malware
- http://myonlinesecur...-macro-malware/
16 Dec 2015 - "An email with the subject of 'Invoice No. 4515581' [random numbers] pretending to come from Sharon Samuels <sharons775@ brunel-promotions .co.uk> the numbers after sharons are random so almost everybody gets a -different- sharons sender number @ brunel-promotions .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Good morning
    Please find attached your latest invoice, for your attention.
    Please be advised that your goods have been despatched for delivery.
    Regards
    Sharon
    Calendars and Diaries of Bristol Limited...


16 December 2015: IN4515581.xls - Current Virus total detections 4/55*
MALWR** shows us that it downloads Dridex banking Trojan from http ://printempsroumain .org/98g654d/4567gh98.exe which appears to be a slightly different version from today’s earlier Malspam run. Dridex does update frequently throughout the day and changes file # regularly to try to avoid antivirus detections..."
* https://www.virustot...sis/1450270016/

** https://malwr.com/an...jg1OTE0YjdiOTI/
194.24.228.5
199.7.136.84

___

Fake 'Unpaid Invoice' SPAM - leads to Teslacrypt
- http://blog.dynamoo....voice-from.html
16 Dec 2015 - "This -fake- financial spam is -not- from Staples or Realty Solutions but is instead a simple -forgery- with a malicious attachment.
    From:    Virgilio Bradley
    Date:    16 December 2015 at 14:37
    Subject:    Unpaid Invoice from Staples Inc., Ref. 09846839, Urgent Notice
    Dear Valued Customer,
    This letter is a formal notice to you taking in consideration the fact that you are obligated to repay our company the sum of $767,90 which was advanced to you from our company on November 21st, 2015.
    You now have two options: forward your payment to our office by January 17, 2016 or become a party in a legal action. Please be advised that a judgment against you will also damage your credit record.
    Please acknowledge the receipt of the invoice attached and the e-mail, no later than December 31, 2015.
    Regards,
    Virgilio Bradley
    Customer Service Department
    Realty Solutions
    182 Shobe Lane
    Denver, CO 80216


The names, amounts and reference numbers -change- from email to email. The attachment has the same name of the reference (e.g. invoice_09846839_copy.doc) but despite this I have only seen one version with a VirusTotal detection rate of just 1/55*. According to this Malwr report**, the macro in the document downloads a binary from:
iamthewinnerhere .com/97.exe
This appears to be Teslacrypt ransomware and it has a detection rate of 5/53***. Unlike some other malware, the domain iamthewinnerhere .com has been registered specifically to host this malware, and is located on:
185.69.152.145 (Hosting Ukraine Ltd, Ukraine)
84.200.69.60 (Ideal-Hosting UG, Germany) ...
Recommended minimum blocklist:
iamthewinnerhere .com
185.69.152.145
84.200.69.60
"
* https://www.virustot...sis/1450277884/

** https://malwr.com/an...zdlYmRjYjg5YmY/
185.69.152.145
78.47.139.102


*** https://www.virustot...sis/1450278299/
TCP connections
78.47.139.102: https://www.virustot...02/information/
192.254.189.98: https://www.virustot...98/information/

- http://myonlinesecur...ypt-ransomware/
16 Dec 2015 - "An email with the subject of 'Unpaid Invoice from Staples Inc., Ref. 80053334, Urgent Notice' [random numbers] coming from random senders and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Valued Customer,
    This letter is a formal notice to you taking in consideration the fact that you are obligated to repay our company the sum of $155,74 which was advanced to you from our company on November 21st, 2015.
    You now have two options: forward your payment to our office by January 17, 2016 or become a party in a legal action. Please be advised that a judgment against you will also damage your credit record.
    Please acknowledge the receipt of the invoice attached and the e-mail, no later than December 31, 2015...


16 December 2015: invoice_80053334_copy.doc - Current Virus total detections 0/53*
MALWR** shows us that this downloads from iamthewinnerhere .com/97.exe (VirusTotal 6/54***) which appears to be Teslacrypt ransomware rather than the usual Dridex we have been seeing with these office macros. Unlike a lot of other currently spreading malware which is being delivered through compromised sites, the domain iamthewinnerhere .com has been registered specifically to host this malware..."
* https://www.virustot...sis/1450281302/

** https://malwr.com/an...zdlYmRjYjg5YmY/
185.69.152.145
78.47.139.102


*** https://www.virustot...sis/1450278299/
TCP connections
78.47.139.102: https://www.virustot...02/information/
192.254.189.98: https://www.virustot...98/information/
___

Fake 'account past due' SPAM - office macro / teslacrypt ransomware
- http://myonlinesecur...ypt-ransomware/
16 Dec 2015 - "An email with the subject of 'Your account has a debt and is past due' coming from random senders and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Dear Customer,
    Our records show that your account has a debt of $612.{rand(10,99)}}. Previous attempts of collecting this sum have failed.
    Down below you can find an attached file with the information on your case.


16 December 2015: invoice_10166218_copy.doc - Current Virus total detections 2/55*
MALWR** shows us that this downloads from iamthewinnerhere .com/80.exe (VirusTotal 11/54***) which appears to be Teslacrypt ransomware rather than the usual Dridex we have been seeing with these office macros. Unlike a lot of other currently spreading malware which is being delivered through compromised sites, the domain iamthewinnerhere .com has been registered specifically to host this malware... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1450282241/

** https://malwr.com/an...GY0MzE1OTQxNTg/


*** https://www.virustot...428cd/analysis/
TCP connections
78.47.139.102: https://www.virustot...02/information/
192.254.189.98: https://www.virustot...98/information/
___

'You have been hacked' – Phish...
- http://myonlinesecur...nly-apps_email/
16 Dec 2015 - "... this email message which is very weird and appears to be a phishing attempt that spectacularly fails:

Screenshot: http://myonlinesecur...il-1024x635.png

... The alleged registrant Michael Huber has also been spotted in at least 1 previous scam and phishing attempt [1] with -fake- details:
1] https://www.phishtan...7&frame=details
Address lookup
canonical name     only-apps .com
addresses
146.0.74.182: https://www.virustot...82/information/
89.35.134.132: https://www.virustot...32/information/
... The sending email address just tracks back to what looks like a scummy email marketing scam site:
> http://myonlinesecur...-1-1024x599.png
appseeking .com: 62.75.194.45: https://www.virustotal.com/en/ip-address/62.75.194.45/information/ "
___

'Your PayPal account has been limited' – Phish
- http://myonlinesecur...mited-phishing/
16 Dec 2015 - "Quite a big PayPal phishing spam run today saying 'Your PayPal account has been limited' pretending to come from PayPal <confirmagain@ ppservice .com>...

Screenshot: http://myonlinesecur...il-1024x757.png

The link in this case goes to http ://hiperkarma .hu/vsase/savdm/ligofren.htm which -redirects- you to http ://www .adventurehaliburton .com/message/newone/websrc.htm?cmd=-submit?IOF4U3OFTN9CT98GJV945MJVG945IIIRTHMJOGGVRTOVJ4G5OC589V459JERGTMOGVJKLDV48934C57654CERI54VGTR which has an old style PayPal log in page looking like this screenshot:
> http://myonlinesecur...sh-1024x662.png
... Which is a typical phishing page that looks very similar to a genuine old style PayPal update page, if you don’t look carefully at the URL in the browser address bar. This one wants your personal details, your Paypal account log in details and your credit card and bank details along with mother’s maiden name and other info to -steal- your identity. Many of them are also designed to specifically -steal- your email, facebook and other social network log in details..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 16 December 2015 - 11:35 AM.



#1613 AplusWebMaster


Posted 17 December 2015 - 05:35 AM

FYI...

Fake '12/16 A Invoice' SPAM - office malware
- http://myonlinesecur...office-malware/
17 Dec 2015 - "An email pretending to be a broadband invoice with the subject of '12/16 A Invoice' coming from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    Hi,
    Please find attached a recharge invoice for your broadband.
    Many thanks,
    Valeria Larson


The name of the alleged sender matches the name in the body of the email. All the attachment invoice numbers are random...
17 December 2015: invoice63548716.doc - Current Virus total detections 0/52*
... contains an embedded object in base64 encoded format which is most likely Upatre which MALWR** shows us contacts http ://109.234.37.214 /chicken/bacon.php and downloads and automatically runs luxary.exe (VirusTotal 3/54***) The MALWR analysis[4] is somewhat inconclusive but might suggest Dridex or Dyre banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents appear to be blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...a9b99/analysis/

** https://malwr.com/an...zk2NWNiOTJjNDc/
5.9.99.35
109.234.37.214
80.96.150.201
184.25.56.93


*** https://www.virustot...sis/1450340515/

4] https://malwr.com/an...jJiYzEwZmVmZjk/
80.96.150.201
184.25.56.100


- http://blog.dynamoo....16-invoice.html
17 Dec 2015 - "This -fake- financial spam leads to malware:
    From:    Kelley Small
    Date:    17 December 2015 at 08:39
    Subject:    12/16 A Invoice
    Hi,
    Please find attached a recharge invoice for your broadband.
    Many thanks,
    Kelley Small


The sender's name is randomly generated... There is an attachment in the format invoice36649009.doc where the number is randomly generated. This comes in at least -six- different versions but they do not appear to be uniquely generated (VirusTotal results [1] [2]...). Detection rates are close to zero. The Malwr reports for those documents is a mixed bag [3] [4]..., but overall they spot data being POSTed to:
179.60.144.18 /chicken/bacon.php
91.203.5.169 /chicken/bacon.php
Sources tell me there is another download location of:
195.191.25.145 /chicken/bacon.php
Those IPs are likely to be malicious and belong to:
179.60.144.18 (Veraton Projects Ltd, Netherlands)
91.203.5.169 (Denis Pavlovich Semenyuk / TutHost, Ukraine)
195.191.25.145 (Hostpro Ltd, Ukraine)
They also GET from:
savepic .su/6786586.png
A file karp.exe is dropped with an MD5 of 1fbf5be463ce094a6f7ad345612ec1e7 and a detection rate of 3/54[5]. According to this Malwr report[6] this communicates with:
80.96.150.201 (SC-Nextra Telecom SRL, Romania)   
It's not clear what the payload is, but probably some sort of banking trojan such as Dridex.
Recommended blocklist:
80.96.150.201
179.60.144.18
91.203.5.169
195.191.25.145
savepic .su
"
1] https://www.virustot...sis/1450341961/

2] https://www.virustot...sis/1450341971/

3] https://malwr.com/an...2MxYjZhODdmZWM/

4] https://malwr.com/an...2ZhODhkNmM3NmQ/

5] https://www.virustot...sis/1450342614/

6] https://malwr.com/an...Tk0MjY0Y2I3ODQ/
___

Fake 'Fuel Card Invoice' SPAM - malicious attachment
- http://blog.dynamoo....right-fuel.html
17 Dec 2015 - "This -fake- financial email is not from Right Fuel Card Company but is instead a simple forgery with a malicious attachment.
    From:    Right Fuel Card Company [invoice@ rightfuelcard .co.uk]
    Date:    17 December 2015 at 11:11
    Subject:    Your Latest Right Fuel Card Invoice is Attached
    Please find attached your latest invoice.
    PLEASE ALSO NOTE OUR NEW OPENING HOURS ARE:
    Monday - Thursday 9am - 5pm
    Friday 9am - 3pm...
    Should you have any queries please do not hesitate to call us on 0845 625 0153 (Calls to this number cost 5 pence per minute plus your telephone company's access charge) or via email to info@rightfuelcard.co.uk.
    Regards
    Customer Services
    The Right Fuelcard Company Limited


Attached is a file A01CardInv1318489.xls - at present I only have a single sample of this. VirusTotal is down at the moment so I cannot tell you the detection rate. The Malwr analysis* shows behaviour consistent with several Dridex runs going on this morning, with a download from:
infosystems-gmbh .de/65dfg77/kmn653.exe
The payload is the Dridex banking trojan, and is identical to the payload here[1], here[2] and here[3]."
* https://malwr.com/an...WRmNDI0MjcyN2Q/
217.69.162.183
151.80.142.33


1] http://blog.dynamoo....nsport-for.html

2] http://blog.dynamoo....y-sent-you.html

3] http://blog.dynamoo....s-pc-world.html

- http://myonlinesecur...dsheet-malware/
17 Dec 2015 - "An email with the subject of 'Your Latest Right Fuel Card Invoice is Attached' pretending to come from Right Fuel Card Company <invoice@ rightfuelcard .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ed-1024x549.png

17 December 2015: A01CardInv1318489.xls - Current Virus total detections *
MALWR** shows it downloads http ://ghsoftware .de/65dfg77/kmn653.exe which is the -same- Dridex banking malware as today’s earlier malspam run***..."
*

** https://malwr.com/an...jE5OTk4ZjU0ZTk/
82.165.100.180
151.80.142.33


*** http://myonlinesecur...dsheet-malware/
___

Fake 'Required your attention' SPAM – js malware / teslacrypt
- http://myonlinesecur...-to-teslacrypt/
17 Dec 2015 - "An email with the subject of 'Required your attention' coming from random email addresses and names with a zip attachment is another one from the current bot runs... The content of the email says:
    Dear Partner,
    As per your request, we have made special prices for you, which leave us only a very small margin.
    Kindly find attached the prices with your personal discount, and if you need anything else, dont hesitate to contact us.
    Our best wishes, The sales team


17 December 2015: SCAN_PRICES_64904074.zip - Extracts to: invoice_copy_CYcpbM.js
Current Virus total detections 7/53* ... which downloads teslacrypt ransomware from either
whatdidyaysay .com/80.exe -or- iamthewinnerhere .com/80.exe (VirusTotal 1/53**). This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a DOC file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1450348471/

** https://www.virustot...662b1/analysis/

whatdidyaysay .com: A temporary error occurred during the lookup...

iamthewinnerhere .com: 5.178.71.10: https://www.virustot...10/information/

- http://blog.dynamoo....-attention.html
17 Dec 2015 - "This spam email has a malicious attachment:
    From:    Brittany Quinn
    Date:    17 December 2015 at 10:52
    Subject:    Required your attention
    Dear Partner,
    As per your request, we have made special prices for you, which leave us only a very small margin.
    Kindly find attached the prices with your personal discount, and if you need anything else, don’t hesitate to contact us.
    Our best wishes, The sales team


The sender's name varies from email to email, as does the name of the attachment, but it is in a format similar to SCAN_PRICES_01106759.zip. Contained within is a malicious obfuscated Javascript with a detection rate of 6/54* which is a bit clear when deobfuscated, and it downloads from:
whatdidyaysay .com/97.exe?1
iamthewinnerhere .com/97.exe?1
This has a detection rate of 3/53**. Automated analysis is inconclusive [1] [2] but this is Teslacrypt and is likely to be similar in characteristics to this spam run***."
* https://www.virustot...sis/1450353478/
invoice_752WwU.js

** https://www.virustot...sis/1450353720/
97.exe

*** http://blog.dynamoo....s-debt-and.html

1] https://www.hybrid-a...environmentId=1

2] https://malwr.com/an...GY4MGM2Yzg1YzQ/
___

Fake 'PHS documents' SPAM - malicious attachment
- http://blog.dynamoo....uments-are.html
17 Dec 2015 - "This convincing-looking -fake- financial email does -not- come from PHS, but is instead a simple forgery with a malicious attachment:
    From:    PHSOnline [documents@ phsonline .co.uk]
    Date:    17 December 2015 at 11:48
    Subject:    Your new PHS documents are attached
Dear Customer
Due to a temporary issue with delivering your document(s) via your online account, please find the attached in DOC format for your convenience.
We apologize for you being unable to view your accounts and documents online in the usual manner. Please note that, in the interim, we will continue to deliver documents in this manner until the issue is fully resolved.
Regards
PHS Group


Effectively, this is a re-run of this spam from October*. I have only seen a single sample of this. There is a malicious Excel document attached, G-A0287580036267754265.xls with a VirusTotal detection rate of 4/54**. According to the Malwr report*** this attempts to download a binary from:
infosystems-gmbh .de/65dfg77/kmn653.exe
At present, this download location 404s but other versions of the document will probably have different download locations. The payload is the Dridex banking trojan, as seen several times today [1] [2]..."
* http://blog.dynamoo....uments-are.html

** https://www.virustot...sis/1450354676/

*** https://malwr.com/an...2M0N2IxMTQzNjY/

1] http://blog.dynamoo....nsport-for.html

2] http://blog.dynamoo....y-sent-you.html

infosystems-gmbh .de: 217.69.162.183: https://www.virustot...83/information/
> https://www.virustot...96aa5/analysis/

- http://myonlinesecur...dsheet-malware/
17 Dec 2015 - "An email with the subject of 'Your new PHS documents are attached' pretending to come from PHSOnline <documents@ phsonline .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ed-1024x561.png

17 December 2015: G-A0287580036267754265.xls - Current Virus total detections 4/54*
MALWR** shows us that it downloads Dridex banking malware from http ://dirkjraab .de/65dfg77/kmn653.exe (VirusTotal 4/51***), which is the same as these 2 earlier spam runs [1] [2]..."
* https://www.virustot...sis/1450353861/

** https://malwr.com/an...2EzNzY5YTkwMjc/
185.21.102.30
151.80.142.33


*** https://www.virustot...sis/1450351607/
TCP connections
117.239.73.244: https://www.virustot...44/information/
8.253.82.158: https://www.virustot...58/information/

1] http://myonlinesecur...dsheet-malware/

2] http://myonlinesecur...dsheet-malware/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 17 December 2015 - 11:36 AM.

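As an added example (not from the original post or the blogs it quotes), a small Python triage routine for the attachment patterns described in these posts: it shows what Windows displays for a file such as invoice_copy_CYcpbM.js when known extensions are hidden, inspects .zip attachments in memory for script members, and treats the .doc/.xls lures as macro-capable. The attachment names, zip contents, the set of "known" extensions and the severity levels are constructed for the demo.

```python
import io
import re
import zipfile

# File types Windows or its script hosts will execute directly.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".cmd", ".bat"}
# Office formats that can carry VBA macros (the .doc/.xls lures quoted above).
MACRO_CAPABLE_EXTS = {".doc", ".xls", ".dot", ".docm", ".xlsm"}
# Assumption: a representative subset of the "known file types" whose
# extension Explorer hides when the hide-extensions option is on.
KNOWN_EXTS = SCRIPT_EXTS | MACRO_CAPABLE_EXTS | {".txt", ".pdf", ".zip", ".png"}

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def ext_of(name):
    """Lower-cased final extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def displayed_name(name):
    """What Explorer shows when known extensions are hidden: the last extension
    disappears, so 'invoice_copy_CYcpbM.js' reads as 'invoice_copy_CYcpbM' and a
    double extension such as 'invoice.doc.js' reads as 'invoice.doc'."""
    ext = ext_of(name)
    return name[: -len(ext)] if ext in KNOWN_EXTS else name


def triage_attachment(name, data=b""):
    """Return a list of (severity, message) findings for one attachment."""
    findings = []
    ext = ext_of(name)
    if ext in SCRIPT_EXTS:
        findings.append(("high", f"{name}: script/executable, displayed as '{displayed_name(name)}'"))
    elif ext in MACRO_CAPABLE_EXTS:
        findings.append(("medium", f"{name}: macro-capable Office document"))
    elif ext == ".zip":
        # Look inside the archive without extracting anything to disk.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if ext_of(member) in SCRIPT_EXTS:
                        findings.append(("high", f"{name} -> {member}: script/executable inside "
                                                 f"archive, displayed as '{displayed_name(member)}'"))
        except zipfile.BadZipFile:
            findings.append(("medium", f"{name}: .zip extension but not a valid zip archive"))
    # The runs above use random invoice numbers; a long digit run alone is only a weak signal.
    if re.search(r"\d{6,}", name):
        findings.append(("low", f"{name}: long random-looking number in file name"))
    return findings


def worst_severity(findings):
    """Highest severity present in a findings list ('none' when empty)."""
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.get, default="none")


def build_sample_zip():
    """Constructed stand-in for SCAN_PRICES_64904074.zip: the member name is the one
    quoted above, its content is a harmless placeholder, not the real script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_copy_CYcpbM.js", "// placeholder content, not the real downloader\n")
    return buf.getvalue()


# Constructed mailbox: file names taken from the runs quoted above, bodies are placeholders.
SAMPLE_ATTACHMENTS = [
    ("SCAN_PRICES_64904074.zip", build_sample_zip()),
    ("invoice63548716.doc", b"\xd0\xcf\x11\xe0 placeholder OLE header"),
    ("A01CardInv1318489.xls", b"\xd0\xcf\x11\xe0 placeholder OLE header"),
    ("meeting-notes.txt", b"plain text, nothing to flag"),
]


def triage_all(attachments):
    """Map each attachment name to its findings."""
    return {name: triage_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_ATTACHMENTS).items():
        print(f"{name} [{worst_severity(findings)}]")
        for sev, msg in findings:
            print(f"    {sev}: {msg}")
```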


#1614 AplusWebMaster


Posted 19 December 2015 - 07:16 AM

FYI...

PUPs Masquerade as Installer for Antivirus and Anti-Adware
- https://blog.malware...nd-anti-adware/
Dec 18, 2015 - "... two pieces of programs claiming to be two different security software, being housed in a domain purporting to be a safe antivirus download hub. The destination in question, however, has been known to serve a -fake- Malwarebytes installer. The domain is antivirus-dld[DOT]com, and users must avoid visiting it or -block- it with their browsers. Below are screenshots of its subdomains where users can supposedly download the AVG and AdwCleaner programs:
1. https://blog.malware...2015/12/avg.png
...
2. https://blog.malware.../adwcleaner.png
... -both- installers show differences in file names and hashes, they exhibit more identical markings than what we see on the surface... AV engines detect these as variants of the SoftPulse family... As this “Thank you” GUI window is displayed, the supposed program, in this case AVG, is then downloaded and installed automatically. Users can’t see this happening at first because the installer’s GUI is overlaying the real program’s GUI:
> https://blog.malware...15/12/avg05.png
Immediately after installation, the default browser opens to reveal an advertisement of an online dating site. We reckon that various ads are randomized:
> https://blog.malware...15/12/avg06.png
Clicking -any- of these links directs users to magno2soft[DOT]com, a domain that the Google Chrome browser blocks, tagging it as malicious. Additionally, we did a quick look up of their “24/7 free support” phone number—(+1) 844 326 2917—to see if something comes up. It turns out that this number is also used by -other- domains... We have also noted that their contents are also identical to Magno2soft’s. Be advised to -not- visit these sites as some of them automatically download an executable file... Domains like antivirus-dld[DOT]com may only appear legitimate, but they’re just hubs distributing pieces of software you may not want lurking in your hard drive."

antivirus-dld[DOT]com: 23.229.195.163: https://www.virustot...63/information/

magno2soft[DOT]com: 178.33.154.37: https://www.virustot...37/information/
> https://www.virustot...d9b8c/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 19 December 2015 - 10:12 AM.



#1615 AplusWebMaster


Posted 20 December 2015 - 06:24 AM

FYI...

Angler EK drops TeslaCrypt via recent Flash Exploit
- https://blog.malware...are-newexploit/
Dec 19, 2015 - "On December 18, security company Fortinet blogged* about a possible new variant of the CryptoWall ransomware distributed via spam. Around the same time we discovered that the Angler exploit kit was also pushing this new ‘variant’. However it is not CryptoWall... but rather TeslaCrypt. Files are encrypted and appended with a .vvv extension. In order to recover those files, victims must pay $500USD or face the risk of seeing this amount double within less than a week...
> https://blog.malware...wcryptowall.png
Angler EK uses a very recently patched flaw in Adobe Flash Player up to version 19.0.0.245** (CVE-2015-8446), making it the most lethal exploit kit at the moment..."
> https://www.virustot...sis/1450545960/
TCP connections
78.47.139.102: https://www.virustot...02/information/
107.180.50.210: https://www.virustot...10/information/
109.232.216.57: https://www.virustot...57/information/

* http://blog.fortinet...ant-in-the-wild

** http://malware.dontn...sh-1900245.html

>> http://forums.whatth...=93035&p=873518

*** https://www.adobe.co...re/flash/about/
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 20 December 2015 - 07:33 AM.




#1616 AplusWebMaster


Posted 21 December 2015 - 07:06 AM

FYI...

Fake 'INVOICE' SPAM – doc/xls malware
- http://myonlinesecur...dsheet-malware/
21 Dec 2015 - "... An email with the subject of 'Invoice' pretending to come from Brenda Howcroft <accounts@ swaledalefoods .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ce-1024x778.png

21 December 2015: Invoice 14702.doc - Current Virus total detections 1/53*
... waiting for analysis to complete on this but it is almost certain to be a downloader for Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1450699970/

- http://blog.dynamoo....a-howcroft.html
21 Dec 2015 - "This -fake- financial spam does not come from Swaledale Foods but is instead a simple -forgery- with a malicious attachment.
    From:    Brenda Howcroft [accounts@ swaledalefoods .co.uk]
    Date:    21 December 2015 at 10:46
    Subject:    INVOICE
    Your report is attached in DOC format.
    To load the report, you will need the free Microsoft® Word® reader, available to download...
    Many thanks,
    Brenda Howcroft
    Office Manager
    t 01756 793335 sales
    t 01756 790160 accounts ...


Attached is a file Invoice 14702.doc which comes in at least -9- different versions... sources say that at least some versions download from the following locations:
110.164.184.28 /jh45wf/98i76u6h.exe
getmooresuccess .com/jh45wf/98i76u6h.exe
rahayu-homespa .com/jh45wf/98i76u6h.exe
This dropped file has a detection rate of 6/54*. The Hybrid Analysis report** plus some other sources indicate network traffic to:
199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
78.47.66.169 (Hetzner, Germany)
The payload is the Dridex banking trojan...
Recommended blocklist:
199.7.136.88
151.80.142.33
202.69.40.173
78.47.66.169
"
* https://www.virustot...sis/1450707029/
TCP connections
199.7.136.88
13.107.4.5


** https://www.hybrid-a...environmentId=1
___

Backdoors in Juniper's firewalls ...
- http://net-security....ld.php?id=19259
21 Dec 2015

>> https://isc.sans.edu...l?storyid=20521
Last Updated: 2015-12-21 - "We decided to move to raise our "Infocon" to yellow over the backdoor in Juniper devices. We decided to do this for a number of reasons:
- Juniper devices are popular, and many organizations depend on them to defend their networks
- The "backdoor" password is now -known- and exploitation is trivial at this point. [2]
- With this week being a short week for many of us, addressing this issue -today- is critical.
Who is affected by this issue? Juniper devices running ScreenOS 6.3.0r17 through 6.3.0r20 are affected by the -fixed- backdoor password (CVE-2015-7755). [1]
Juniper devices running ScreenOS 6.2.0r15 through 6.2.0r18 and ScreenOS 6.3.0r12-6.3.0r20 are affected by the VPN decryption problem (CVE-2015-7756). [1] ... There are two distinct issues. First of all, affected devices can be accessed via telnet or ssh using a specific "backdoor" password. This password can not be removed or changed unless you apply Juniper's patch..."
(More detail at the isc URL above.)
1] https://kb.juniper.n...713&actp=search

2] https://community.ra...cation-backdoor

Other references:
> https://www.imperial...19/juniper.html

>> https://gist.github....350f2a91bd8ed3f

- https://www.us-cert....visory-ScreenOS
Dec 17, 2015

 

Exploit attempts - Juniper Backdoor...
- https://isc.sans.edu...l?storyid=20525
Last Updated: 2015-12-22 00:19:29 UTC - "We are detecting numerous login attempts against our ssh honeypots using the ScreenOS backdoor password. Our honeypot doesn't emulate ScreenOS beyond the login banner, so we do not know what the attackers are up to, but some of the attacks appear to be "manual" in that we do see the attacker trying different commands. We saw the first attempt at 17:43:43 UTC..."
___

DHL - Phish...
- http://myonlinesecur...l-dhl-phishing/
21 Dec 2015 - "An email with the subject of 'SHIPPING DOCUMENT & INV-BL' coming from Ionel Ghenade <ionel_ghenade@ yahoo .com> is a phishing attempt to gain log in details for your DHL account...  I don’t suppose many recipients will actually have a DHL account, although some will. This email does come from Yahoo. I do not know whether the sender has had his account hacked or it is a yahoo account created just for this phishing attempt. If your DHL account does get compromised, they will use it to send illegal and -stolen- goods at your expense and you will be held responsible for that... The email has a mass of recipients in the to: box (about 100) so that is the first warning of a mass spam and something wrong. The content simply says:
    Hello,
    THE DHL DOCUMENT HAS BEEN SENT TO YOU AS AS DIRECTED.
    Regards


... And has a html attachment to the email that at first glance appears to be a PDF attachment. If you are unwise enough to open the attachment. the first thing you see is a JavaScript pop up alerting you with this message:
    Encripted DHL file, Your Email has been configured To view Document information, Sign in to continue!
> http://myonlinesecur...hl_js_popup.png
Press OK and you get:
> http://myonlinesecur...in-1024x917.png
Which of course looks like a DHL log in page, if you don’t look at the web address in the URL bar. In this case it is a local file on your computer, not a webpage. If you enter any email address and password, you are then sent to the genuine DHL site. This scam works because of the windows default behaviour to hide file extensions. In this case without the final extension HTML showing, you are misled into thinking that it is a PDF file... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .html file it really is, so making it much more likely for you to accidentally open it..."
___

Password checks... ??
- http://myonlinesecur...sswords-secure/
21 Dec 2015 - "We keep seeing sites that offer to check your passwords and make sure they are safe and secure. One that popped up on Twitter today is:
- http://www.sbrcentre...r_Password.html
This aims to educate you and suggest how long it would take to crack your password. Entering -any- password on any of these sites is a total mistake. All these sites that tell you how long and secure your password is are pure snake oil, and a high rating means absolutely -nothing- in the real world. First look at the site. It uses standard HTTP -not- an encrypted HTTPS connection, so in the event you have any problems on your network, anything you send to that site can be easily intercepted. Secondly, even though they say that they do not retain any passwords, how do you know that is true? A misconfiguration can easily store every password in plain text for any hacker to obtain and potentially track back to you. I made up a password to test it:
> http://myonlinesecur..._1-1024x546.png
...
> http://myonlinesecur..._2-1024x548.png
... Check it out with a -fake- password but don’t rely on being safe because of that fake password. Most breaches come because of errors or user interaction, not having a short password. Having a long, complicated password that would take 17 trillion years to crack does not mean you are safe. A high proportion of password hacks come from the website that holds your password, and it doesn’t matter if it is 2 characters long or 20000 characters long if the site doesn’t encrypt stored passwords and keeps them in plain text for any hacker to get hold of via security holes in that site. The other primary password loss method is YOU, when you enter details on a -fake- website or respond to a -phishing- email and give away all your passwords or login information. In many cases a long complicated password is a detriment because you cannot remember it and write it down on a sticky note pinned to the monitor for everyone to see. Either use a password manager or use an easy to remember pass -phrase- or combination of words that mean something to you & no-one else, rather than a single word."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 21 December 2015 - 11:09 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
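The version ranges in the ISC note above are easy to misread when checking a fleet by hand, so here is an added example (my own code, not ISC's or Juniper's) that maps a ScreenOS version string to the two CVEs and sorts an inventory so that devices exposed to the backdoor login come first. Assumptions: the `get system` excerpt is constructed and only its "Software Version:" line is relied on; versions with a trailing "b" are treated as Juniper's patched rebuilds, as listed in the Juniper advisory linked above; the device names are made up.

```python
import re

# Affected ScreenOS ranges as stated in the ISC diary quoted above:
# (branch, first affected release, last affected release).
AFFECTED = {
    "CVE-2015-7755": [((6, 3, 0), 17, 20)],                       # fixed backdoor password
    "CVE-2015-7756": [((6, 2, 0), 15, 18), ((6, 3, 0), 12, 20)],  # VPN traffic decryption
}

# Matches "6.3.0r17", "6.3.0r17.0" (as printed by `get system`) and "6.3.0r12b" (rebuild).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)([a-z]?)", re.IGNORECASE)


def parse_screenos(version: str):
    """Return (branch, release number, suffix) from a ScreenOS version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {version!r}")
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    return branch, int(m.group(4)), m.group(5).lower()


def screenos_cves(version: str) -> set:
    """CVEs from the post that apply to this version (empty set = outside both ranges)."""
    branch, release, suffix = parse_screenos(version)
    if suffix == "b":  # assumption: 'b' rebuilds are the patched releases in Juniper's advisory
        return set()
    return {cve for cve, ranges in AFFECTED.items()
            for b, lo, hi in ranges if branch == b and lo <= release <= hi}


def version_from_get_system(output: str) -> str:
    """Pull the version out of `get system` output (line format assumed, see lead-in)."""
    m = re.search(r"Software Version:\s*([0-9.]+r\d+[a-z]?(?:\.\d+)?)", output)
    if not m:
        raise ValueError("no 'Software Version:' line found")
    return m.group(1)


def triage(inventory):
    """inventory: iterable of (device, version). Backdoor-exposed devices sort first."""
    rows = []
    for device, version in inventory:
        cves = screenos_cves(version)
        if "CVE-2015-7755" in cves:
            action = "patch now; restrict telnet/ssh management access; review logins"
        elif cves:
            action = "patch; treat VPN traffic from the affected window as possibly decrypted"
        else:
            action = "no finding for these two CVEs"
        rows.append((device, version, sorted(cves), action))
    return sorted(rows, key=lambda r: ("CVE-2015-7755" not in r[2], r[0]))


# Constructed `get system` excerpt (not a real device's output).
SAMPLE_GET_SYSTEM = """Product Name: SSG-140
Serial Number: 0000000000000000, Control Number: 00000000
Software Version: 6.3.0r18.0, Type: Firewall+VPN
"""

if __name__ == "__main__":
    inv = [("fw-edge-1", version_from_get_system(SAMPLE_GET_SYSTEM)),
           ("fw-branch-2", "6.2.0r16"), ("fw-lab-3", "6.3.0r21"), ("fw-dc-4", "6.3.0r12b")]
    for row in triage(inv):
        print(row)
```

Patching removes the backdoor login, but as the ISC note says the password is already public and exploitation is trivial, so a device that sat in an affected version with management reachable needs its login history reviewed, and VPN traffic from the CVE-2015-7756 window should be treated as possibly decrypted rather than assumed safe.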


#1617 AplusWebMaster

Posted 22 December 2015 - 07:02 AM

FYI...

Fake 'fax' SPAM - JS malware
- http://myonlinesecur...ine-js-malware/
22 Dec 2015 - "An email with the subject of 'You have received fax, document 00979545' [random numbered]  pretending to come from Interfax Online <incoming@ interfax .net> with a zip attachment is another one from the current bot runs... The content of the email says :
    A new fax document for you.
    You can find your fax document in the attachment.
    Scanned in:           50 seconds
    File name:             task-00979545.doc
    Sender:               Gerald Daniels
    File size:             252 Kb
    Pages sent:           3
    Resolution:           200 DPI
    Date of scan:         Mon, 21 Dec 2015 19:39:17 +0300
    Thank you for using Interfax!


2 September 2015: task-00979545.zip: Extracts to: task-00979545.doc.js
Current Virus total detections 10/54*. MALWR shows us it downloads -2- malware files 3009102.exe (virus total 4/53**) and 1af9fcbe48b1f[1].gif (VirusTotal 5/52***) and 1 innocent file from http ://martenmini .com/counter/? (long list of random characters). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1450770443/

** https://www.virustot...sis/1450751819/

*** https://www.virustot...sis/1450771087/
___

Fake 'New Account' SPAM - malicious attachment
- http://blog.dynamoo....-gas-ac-no.html
22 Dec 2015 - "This -fake- financial email is not from TopSource, Trinity Restaurants or British Gas (the email seems a bit confused), but is instead a simple -forgery- with a malicious attachment.
    From:    trinity [trinity@ topsource .co.uk]
    Date:    22 December 2015 at 10:36
    Subject:    British Gas - A/c No. 602131633 - New Account
    Hi ,
    Please refer to the attached invoice from British Gas, the account number on it is different from all the account numbers that we currently have in the system. Can you confirm if this is a new account so that we will create this in system.
    Thanks & Regards,
    Pallavi Parvatkar ...


Attached is a file British Gas.doc with... a VirusTotal detection rate of 2/54*. Analysis of the document is pending, however it will most likely drop the Dridex banking trojan.
UPDATE: These automated analyses [1] [2] show that the malicious document downloads from:
weddingme .net/786h8yh/87t5fv.exe
This has a VirusTotal detection rate of 3/54**. All those reports indicate malicious traffic to:
199.7.136.88 (Megawire, Canada)
151.80.142.33 (OVH, France)
The payload looks like Dridex...
Recommended blocklist:
199.7.136.88
151.80.142.33
"
* https://www.virustot...sis/1450781888/

1] https://www.hybrid-a...environmentId=2

2] https://malwr.com/an...jRkZjk4OTJkNWQ/

** https://www.virustot...sis/1450782995/
TCP connections
199.7.136.88
90.84.59.19


- http://myonlinesecur...dsheet-malware/
22 Dec 2015
Screenshot: http://myonlinesecur...nt-1024x690.png

22 December 2015 : British Gas.doc - Current Virus total detections 2/54*
Reverse it** shows a download of what looks like Dridex banking Trojan from
weddingme .net/786h8yh/87t5fv.exe (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016  and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1450781888/

** https://www.reverse....environmentId=1

*** https://www.virustot...sis/1450781177/
TCP connections
199.7.136.88
90.84.59.19

___

Fake 'PAYMENT RECEIVED' SPAM - malicious attachment
- http://blog.dynamoo....t-received.html
22 Dec 2015 - "This -fake- financial spam does not come from Les Caves de Pyrene but is instead a simple -forgery- with a malicious attachment.
    From:    Avril Sparrowhawk [Avril.Sparrowhawk@lescaves.co.uk]
    Date:    22 December 2015 at 11:14
    Subject:    CWIH8974 PAYMENT RECEIVED
    Good afternoon
    Thanks very much for your payment we recently from you, however there was a missed invoice.  Can you just confirm this will be included in the next payment run, or whether there were any queries with this particular invoice?
    I have attached the invoice for your reference.
    Kind regards
    Avril
    Avril Sparrowhawk
    Credit Controller
    Les Caves De Pyrene
    Pew Corner
    Old Portsmouth Road
    Artington
    Guildford
    GU3 1LP
    ' +44 (0)1483 554784
    6 +44  (0)1483 455068 ...


Attached is a malicious document CWIH8974.doc of which I have seen just a single sample with a VirusTotal detection rate of 2/54*. There may be other variations of the document, but in this case it downloads a malicious binary from:
secure.novatronica .com/786h8yh/87t5fv.exe
This has a VirusTotal detection rate of 2/53** and is the -same- payload as found in this earlier spam run***, leading to the Dridex banking trojan."
* https://www.virustot...sis/1450784063/

** https://www.virustot...sis/1450784374/
TCP connections
199.7.136.88
90.84.59.19


*** http://blog.dynamoo....-gas-ac-no.html

- http://myonlinesecur...wnloads-dridex/
22 Dec 2015
Screenshot: http://myonlinesecur...ED-1024x753.png

22 December 2015: CWIH8974.doc - Current Virus total detections *
 Payload Security Hybrid analysis** shows it downloads a Dridex banking Trojan from
 secure.novatronica .com/786h8yh/87t5fv.exe which is the -same- payload as today’s earlier malspam run***..."
* https://www.virustot...sis/1450784063/

** https://www.hybrid-a...environmentId=2

*** http://myonlinesecur...dsheet-malware/
___

Fake 'new payment terms' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
22 Dec 2015 - "An email with various subjects based around the theme of invoices or payments coming from random email addresses and senders with a zip attachment is another one from the current bot runs... Some of the subjects seen include:
    ATT: / new payment terms and payment
    Invoice Updated: # 15/12/2015 from DXB International, Inc.
    FW: Payment for Invoice

The contents of the emails vary with each email and it is totally -random- which combination of subject and email body you will get. The attachment name remains consistent. Some of the ones I have seen include:
    We appreciate your business.
    Kind Regards,
    Marketing and Sales Manager
    Jimmie McCoy

-Or-
    Receipts attached. Thank you
Sales Manager
Peter Skinner

-Or-
    I have two sets as samples ready to ship Invoice # 0311683, 1 box, 1 lbs, $46.28 Please let us know how you want us to ship these goods.
    Thanks & Best Regards,
    Payroll Supervisor
    Frederick Castillo ...


22 December 2015: Invº-1089-12-2015_PDF.zip: Extracts to: Inv._Nº-1089-12-2015_PDF.exe
Current Virus total detections 2/54*. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1450791506/
___

Fake 'MUST READ' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
22 Dec 2015 - "An email with the subject of 'MUST READ! Police hunt missing terror suspect last seen in Camden!' pretending to come from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...en-1024x712.png

22 December 2015: suspect details 44165680.doc - Current Virus total detections 4/54*
MALWR** shows a download from http ://31.41.44.224 /portal/portal.php which is named as govuk.exe
(VirusTotal 2/54***). I am not certain what the payload actually is yet and am awaiting full analysis.
Update: fast work from the host of 31.41.44.224 https ://www .cishost .ru/ who took down the malware very quickly... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1450796426/

** https://malwr.com/an...2M4NTU0YjFmN2M/

*** https://www.virustot...sis/1450796555/
portal.exe

31.41.44.224: https://www.virustot...24/information/
___

HSBC - Phish...
- https://blog.malware...rrently-locked/
Dec 22, 2015 - "Customers of HSBC should -avoid- the following URL, which is (most likely) part of an email based phishing campaign. While we don’t have an example of an email to hand, we can certainly shine some light on the website itself which is:
hsbc-message(dot)com
... in the hopes of helping you to avoid a nasty surprise this holiday season:
> https://blog.malware...hsbclocked1.jpg
... They urge visitors to click next (because hey, that form expires today!) and continue with the process, which is little more than a straight lunge for payment information:
> https://blog.malware...hsbclocked2.jpg
... To be specific: Card number, expiration date, card verification code, and finally the ATM PIN number. After this, the victim is shown a “We’ll get back to you in 24 hours” message before being forwarded on to a HSBC website:
> https://blog.malware...hsbclocked3.png
From a quick scan of various websites, it seems HSBC scams are all the rage right now [1], [2], [3], [4] so please be extra careful with your logins. Scammers are always looking for a way to grab some fast cash, and regardless of whether they approach you by email, SMS or phonecall..."
1] https://twitter.com/...108831940870144

2] https://www.instagra...m/p/_XvF5ypr4M/

3] https://www.instagra...m/p/_W6zn3nX-A/

4] http://www.scamcallf...raud-35513.html

hsbc-message(dot)com: 98.139.135.129: https://www.virustot...29/information/
 

Edited by AplusWebMaster, 22 December 2015 - 11:01 AM.


#1618 AplusWebMaster

Posted 23 December 2015 - 07:56 AM

FYI...

Fake 'invoice' SPAM - malicious attachment
- http://blog.dynamoo....industrial.html
23 Dec 2015 - "This -fake- invoice has a malicious attachment:
    From:    Rachael Murphy
    Date:    23 December 2015 at 13:05
    Subject:    Christmas Industrial Decorating invoice-50473367)
    Good afternoon,
    Please find attached 1 invoice for processing.
    Regards and Merry Christmas!
    Rachael Murphy
    Financial Manager ...
    This email has been scanned by the Symantec Email Security.cloud service.


The sender's name and reference number varies, the attachment is in the format invoice45634499.doc and it comes in at least -three- different versions (VirusTotal results [1] [2] [3]). Analysis is pending, the payload is likely to be the Dridex banking trojan."
1] https://www.virustot...8920d/analysis/

2] https://www.virustot...5a591/analysis/

3] https://www.virustot...5d665/analysis/

- http://myonlinesecur...dsheet-malware/
23 Dec 2015 - "An email with the subject of 'Christmas Industrial Decorating invoice-22306947)' pretending to come from random senders and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
    From: Tony Monroe <MonroeTony50@ bors-spic .ro>
    Date: Wed 23/12/2015 12:56
    Subject: Christmas Industrial Decorating invoice-22306947) (random numbers)
    Good afternoon,
    Please find attached 1 invoice for processing.
    Regards and Merry Christmas!
    Tony Monroe
    Financial Manager ...


23 December 2015: invoice22306947.doc - Current Virus total detections 2/54*
... automatic analysis is inconclusive but it appears to have the same payload as described in THIS post** which is most likely to be Dridex banking Trojan..."
* https://www.virustot...sis/1450875552/

** http://myonlinesecur...dsheet-malware/
___

Fake 'Fee Invoice' SPAM - malicious attachment
- http://blog.dynamoo....ian-acc-no.html
23 Dec 2015 - "This -fake- financial spam comes with a malicious attachment. The sender's name and reference number is randomly generated.
    From:    Josie Ruiz
    Date:    23 December 2015 at 11:38
    Subject:    FW: Meridian (Acc. No. 51588088) - Professional Fee Invoice
    Dear Sir/Madam,
    Re:  Meridian Professional Fees
    Please find attached our fee note for services provided, which we trust meets with your approval.
    Payment should be made to Meridian International VAT Consulting Ltd. within the agreed payment terms.
    We look forward to your remittance in due course.
    Yours sincerely
    Josie Ruiz
    Financial CEO ...


The attachment has the same reference number as the subject, and there are at least -five- different versions... likely to be the Dridex banking trojan.
UPDATE 1: Hybrid Analysis of some of the samples [1] [2] shows some download locations:
146.120.89.92 /volkswagen/bettle.php
109.234.34.164 /volkswagen/bettle.php
Those IPs belong to:
146.120.89.92 (Ukrainian Internet Names Center LTD, Ukraine)
109.234.34.164 (McHost.Ru Inc, Russia)
This is actually an executable with a detection rate of 4/53*. The purpose of this executable is unknown, but it is certainly malicious. Analysis is still pending.
UPDATE 2: This Threat Expert report** and this Hybrid Analysis*** both report traffic to a presumably hacked server at:
104.131.59.185 (Digital Ocean, US)
Recommended blocklist:
104.131.59.185
146.120.89.92
109.234.34.164
"
* https://www.virustot...sis/1450879468/

** http://www.threatexp...a19fd795a748e57

*** https://www.hybrid-a...environmentId=4

1] https://www.hybrid-a...environmentId=1

2] https://www.hybrid-a...environmentId=4

- http://myonlinesecur...dsheet-malware/
23 Dec 2015
Screenshot: http://myonlinesecur...ce-1024x771.png

23 December 2015: invoice63835341.doc - Current Virus total detections 2/54*
... according to Dynamoo** this downloads from 109.234.34.164 /volkswagen/bettle.php which gave me a file called bettle.exe (VirusTotal ***)..."
* https://www.virustot...sis/1450873882/

** http://blog.dynamoo....ian-acc-no.html

*** https://www.virustot...sis/1450879468/
___

Fake 'Invoice 70146427' SPAM - malicious attachment
- http://blog.dynamoo....e-70146427.html
23 Dec 2015 - "This -fake- financial spam comes with a malicious attachment. It does -not- come from uksafetymanagement .co.uk but is instead a simple forgery.
    From:    Claire Carey
    Date:    23 December 2015 at 12:01
    Subject:    UKSM Invoice 70146427
    Good time of day,
    Thank you for choosing UK Safety Management Ltd. to carry out your Portable Appliance Testing.
    Please find enclosed your invoice.
    Claire Carey...


The sender's name and reference number are randomly generated. Attached is a file in the format invoice29111658.doc which comes in at least -three- different versions... Analysis of the documents is pending. However, this is likely to be the Dridex banking trojan. The payload appears to be the -same- as the one found in this spam run*."
* http://blog.dynamoo....ian-acc-no.html
___

Fake 'chasing payment' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
23 Dec 2015 - "An email with the subject of 'REAL Digital chasing payment 6910.47' pretending to come from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...nt-1024x589.png

23 December 2015: invoice21891491.doc - Current Virus total detections 2/53*
ReverseIt analysis** is inconclusive and doesn’t show any payload, However it is likely to be the Dridex banking trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1450873320/

** https://www.reverse....environmentId=4
___

Tis the season for shipping and phishing
- https://securelist.c...g-and-phishing/
Dec 23, 2015 - "... delivery services send email notifications and provide shipment tracking systems. However, this type of communication also creates the ideal conditions for cybercriminals to send phishing messages in the name of major delivery services, and we end up with an increase in the number of these messages. The fraudsters have a clear aim: to trick unwitting users into downloading a malicious program or entering their confidential data on a phishing site. For example, one scam message detected by Kaspersky Lab asked the user to fill in and sign a delivery form in order to receive a shipment. The message had a DOC file attached to it containing the exploit Exploit.MSWord.Agent.gg, which allowed the cybercriminal to, among other things, gain remote access to the infected computer:
> https://securelist.c...shing_eng_1.png
In another -scam- message the fraudsters write that the shipment is already at a DHL office, but the courier cannot deliver it because the delivery address is unclear. The recipient is asked to follow a link within 48 hours and enter the shipment number on the tracking page; otherwise, the shipment will be returned to the sender:
> https://securelist.c...shing_eng_2.png
A closer inspection reveals that none of the links in the message lead to the DHL site; instead they all point to the same URL packed with the help of a URL shortening service. Another typical fraudster trick is also used in the email – the victim is warned there is a limited amount of time to react (in this case, 48 hours). If the user fails to follow the link in time, the shipment will be returned to the sender. The plan is simple – distract users with warnings about the urgency of doing something quickly rather than giving them time to think things through logically. If unwitting users follow the link, they are taken to a specially crafted site in the corporate style of DHL, and are prompted to type in their login credentials to enter the shipment tracking system:
> https://securelist.c...shing_eng_3.png
... A similar situation exists around FedEx, another large delivery service provider. Kaspersky Lab has detected multiple phishing messages sent in the name of this company:
> https://securelist.c...shing_eng_4.png
There’s nothing new about this scheme – the victim enters account credentials on a crafted site in order to view information about a shipment:
> https://securelist.c...shing_eng_5.png
The fact that this site is -fraudulent- and has nothing to do with FedEx is clear from the URL in the browser address bar. The conclusion that can be made from the examples given above is that you shouldn’t be too trusting or inattentive while you are online. Never follow links in email messages; it’s safer if you manually type the URL of the required site in your browser address bar. Whenever a page prompts you to enter confidential data, always check the URL in the address bar first. If anything looks suspicious in the URL or in the website design, think-twice before entering any personal data. Last but not least, always keep your security software up to date; it should also include an anti-phishing tool that will help you keep your data confidential, and your money safe. That way, you will be in a good mood for the holidays."
___

Joomla 3.4.7 released
- https://www.joomla.o...7-released.html
21 Dec 2015 - "Joomla! 3.4.7 is now available. This is a -security- release for the 3.x series of Joomla which addresses a -critical- security vulnerability and one low-level security vulnerability. We strongly recommend that you update your sites immediately. This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.6 release..."

Installing Joomla
> https://docs.joomla....stalling_Joomla

Upgrade Packages
> https://github.com/j...eases/tag/3.4.7

- https://www.us-cert....rity-Update-CMS
Dec 22, 2015
 

Edited by AplusWebMaster, 23 December 2015 - 04:13 PM.
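The Dridex runs reported above (Swaledale Foods on 21 Dec, British Gas / CWIH8974 on 22 Dec, Meridian on 23 Dec) and the HSBC phishing domain all give their indicators defanged, with a space before the dot or slash or with "(dot)". The following is an added example of my own, not dynamoo's or myonlinesecurity's code: it refangs those indicators, sorts them into exact payload URLs, recommended-blocklist addresses, phishing hosts and download hosts, and runs a few proxy log lines through them. The log format ("epoch client method target") and the client addresses are constructed; the indicators are copied from the posts.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the posts above, still in their defanged form.
DOWNLOAD_URLS = [
    "110.164.184.28 /jh45wf/98i76u6h.exe",
    "getmooresuccess .com/jh45wf/98i76u6h.exe",
    "rahayu-homespa .com/jh45wf/98i76u6h.exe",
    "weddingme .net/786h8yh/87t5fv.exe",
    "secure.novatronica .com/786h8yh/87t5fv.exe",
    "146.120.89.92 /volkswagen/bettle.php",
    "109.234.34.164 /volkswagen/bettle.php",
]
PHISH_HOSTS = ["hsbc-message(dot)com"]
# Only the addresses the posts put under "Recommended blocklist".
BLOCKLIST_IPS = {"199.7.136.88", "151.80.142.33", "202.69.40.173", "78.47.66.169",
                 "104.131.59.185", "146.120.89.92", "109.234.34.164"}


def refang(indicator: str) -> str:
    """Undo the defanging used in the posts: 'x .com', '1.2.3.4 /p', '(dot)', 'http ://'."""
    s = indicator.strip()
    s = re.sub(r"\(dot\)|\[\.\]", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"\s*:\s*//", "://", s)
    s = re.sub(r"\s*\.\s*", ".", s)
    s = re.sub(r"\s*/", "/", s)
    return s


def host_and_path(target: str):
    """(host, path) of a refanged URL, bare host or host:port; bare host gives path '/'."""
    u = refang(target)
    if "://" not in u:
        u = "http://" + u
    parts = urlsplit(u)
    return (parts.hostname or "").lower(), parts.path or "/"


def build_blocklist():
    urls = {host_and_path(u) for u in DOWNLOAD_URLS}
    return {
        "urls": urls,                                          # exact payload URLs: block
        "ips": set(BLOCKLIST_IPS),                             # recommended blocklist: block
        "phish": {host_and_path(h)[0] for h in PHISH_HOSTS},   # phishing hosts: block
        "download_hosts": {h for h, _ in urls},                # often hacked sites: review
    }


LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)$")


def match_log(log_text: str, bl) -> list:
    """Return (client, target, verdict) for every log line that touches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        host, path = host_and_path(target)        # CONNECT host:port is handled too
        if (host, path) in bl["urls"]:
            verdict = "block: payload URL"
        elif host in bl["ips"]:
            verdict = "block: recommended-blocklist address"
        elif host in bl["phish"]:
            verdict = "block: phishing host"
        elif host in bl["download_hosts"]:
            verdict = "review: other content on a payload host"
        else:
            continue
        hits.append((m.group("client"), target, verdict))
    return hits


# Constructed proxy log lines, "<epoch> <client> <method> <target>" (not from the page).
SAMPLE_LOG = """\
1450700001 10.0.0.5 GET http://getmooresuccess.com/jh45wf/98i76u6h.exe
1450700002 10.0.0.5 GET http://www.example.com/index.html
1450700003 10.0.0.9 CONNECT 199.7.136.88:443
1450700004 10.0.0.7 GET http://weddingme.net/wp-content/uploads/photo.jpg
1450700005 10.0.0.7 GET http://weddingme.net/786h8yh/87t5fv.exe
1450700006 10.0.0.8 GET http://hsbc-message.com/login.php
"""

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, build_blocklist()):
        print(*hit)
```

Download hosts such as weddingme .net are, in the posts' words, presumably hacked legitimate sites, which is why the recommended blocklists above list the C2 addresses and not those hosts; the example therefore blocks on the exact payload URL and only flags other traffic to the same host for review. Note also that the raw "TCP connections" lists under the VirusTotal links contain more addresses than the recommended blocklists; only the latter are used here.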


#1619 AplusWebMaster

Posted 24 December 2015 - 07:30 AM

FYI...

Domain renewal SCAM
- http://myonlinesecur...n-renewal-scam/
24 Dec 2015 - "Many (almost all of us) that have websites and .com domain names and haven’t chosen to use domain privacy will regularly get -scam- messages like this one, trying to fool us into thinking we have to pay these scammers to renew our domain name. They deliberately make it look & sound like a genuine domain renewal and hope that you won’t look carefully at the small print and see it is an SEO scam.
-Don’t- pay it and dump it in the bin:
Screenshot: http://myonlinesecur...domain_scam.png "
___

PayPal phish ...
- http://myonlinesecur...aypal-phishing/
24 Dec 2015 - "A slightly different PayPal phishing spam run today saying 'Your Access Is restricted ✔' pretending to come from PayPal <jhon@ cilegonfab.co.id>. There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card, with a message saying something like :
    Urgent: Your card has been stopped !
    Your Access Is restricted ✔
    Your PayPal account has been limited
    You sent a payment of $xxxx USD/GBP/ Euro to some company or person
    There have been unauthorised or suspicious attempts to log in to your account, please verify
    Your account has exceeded its limit and needs to be verified
    Your account will be suspended !
    You have received a secure message from < your bank>
    We are unable to verify your account information
    Update Personal Information
    Urgent Account Review Notification
    We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    Confirmation of Order
...

Screenshot: http://myonlinesecur...ed-1024x773.png

The link in this case goes to https ://updateinfo .fwd.wf/gb-uk/scr/?q=login&email=youremail@example .com
Note: the HTTPS Secure SSL login which is unusual for a phishing site and shows the effort that the phishers are starting to go to, in order to persuade you to give them your details:
> http://myonlinesecur...sh-1024x575.png
Which is a typical phishing page that looks very similar to a genuine PayPal log in page, if you don’t look carefully at the URL in the browser address bar. One feature of note is the way the phishers try to block known anti-phishing or antivirus companies from getting to the page. I used the default email address they conveniently inserted and invented a random password and ended up with this 404 page... If I use a “genuine” email with a random password, I get this page (split into 2 screenshots for clarity):
> http://myonlinesecur..._3-1024x541.png
...
> http://myonlinesecur..._4-1024x568.png
... This one wants your personal details, your Paypal account log in details and your credit card and bank details along with mother’s maiden name and other info to steal your identity. Many of them are also designed to specifically steal your facebook and other social network log in details..."
___

Tesco bank phish ...
- http://myonlinesecur...-bank-phishing/
24 Dec 2015 - "An email with the subject 'Your Recent Attempt to Transfer Funds' pretending to come from Tesco Bank is a currently spreading phishing attempt. There are a few major common subjects in a phishing attempt. Lots of them involve your Bank or Credit Card... This particular phishing campaign starts with an email with a link (all the social media icons in the email do go to genuine Tesco bank social media sites or to a company called Payoneer who say “Payoneer empowers global commerce by connecting businesses, professionals, countries and currencies with its innovative cross-border payments platform.”):

Screenshot: http://myonlinesecur...ds-1024x636.png
Sends you to:
> http://myonlinesecur...sh-1024x602.png
If you fill in a user name you get a page asking for password and security number:
> http://myonlinesecur..._1-1024x561.png
Fill in that and you get to a typical phishing page. This one wants your personal details, your account log in details and your credit card and bank details. Many of them are also designed to specifically -steal- your email, Facebook and other social network log in details:
> http://myonlinesecur..._2-1024x693.png
... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."
 

Edited by AplusWebMaster, 24 December 2015 - 08:22 AM.


#1620 AplusWebMaster

Posted 27 December 2015 - 10:52 AM

FYI...

Fake 'WhatsApp' SPAM - malware
- http://myonlinesecur...ed-aud-malware/
27 Dec 2015 - "An email appearing to be a WhatsApp notification with the subject of 'A sound memo has been received aud' pretending to come from WhatsApp <peter.kroell@ towncountry .at> (random email addresses) with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ud-1024x585.png

27 December 2015: mabella12.zip: Extracts to: gully.exe - Current Virus total detections 19/54*
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1451228525/
TCP connections
50.63.202.44: https://www.virustot...44/information/
98.139.135.129: https://www.virustot...29/information/
108.166.170.106: https://www.virustot...06/information/
208.100.26.234: https://www.virustot...34/information/
141.8.225.124: https://www.virustot...24/information/
173.201.93.128: https://www.virustot...28/information/
 

Edited by AplusWebMaster, 27 December 2015 - 11:03 AM.
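Three of the items above turn on what a Windows user sees with extensions hidden: the DHL HTML attachment that looks like a PDF (#1616), task-00979545.doc.js and the Inv..._PDF.exe inside a zip (#1617), and gully.exe inside mabella12.zip (this post). The following is an added example of my own, not myonlinesecurity's code, that applies the checks those posts describe to zip members and loose attachments: a double extension, an executable or script extension under a document-looking name, file bytes that contradict the claimed extension, and an HTML body carrying a JavaScript alert and a password form. Every sample is a constructed stand-in built in memory, not the real malware, and the DHL attachment name is an assumption since the post does not give it.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta"}
HTML_EXTS = {".html", ".htm"}
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf", ".txt"}
MAGIC = [(b"MZ", "pe"), (b"\xd0\xcf\x11\xe0", "ole"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]
EXTS_FOR_KIND = {"pe": EXEC_EXTS, "ole": {".doc", ".xls"}, "pdf": {".pdf"},
                 "zip": {".zip", ".docx", ".xlsx"}}


def file_kind(data: bytes) -> str:
    """Classify by leading bytes; HTML is recognised by tags in the first 4 KiB."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    head = data[:4096].lower()
    return "html" if b"<html" in head or b"<script" in head else "unknown"


def triage_attachment(name: str, data: bytes) -> list:
    """Sorted finding tags for one attachment, judged by the name the user sees and its bytes."""
    path = PurePosixPath(name)
    sufs = [s.lower() for s in path.suffixes]
    ext = sufs[-1] if sufs else ""
    stem = path.stem.lower()
    kind = file_kind(data)
    tags = set()
    if ext in EXEC_EXTS:
        tags.add("exec-ext")               # runs as code when opened; icon spoofing hides it
    if len(sufs) >= 2 and sufs[-2] in DOC_EXTS and ext in EXEC_EXTS | HTML_EXTS:
        tags.add("double-ext")             # task-00979545.doc.js: only ".doc" is shown by default
    if ext in EXEC_EXTS and re.search(r"(pdf|doc|xls)$", stem):
        tags.add("doc-word-in-name")       # Inv..._PDF.exe: document word, executable extension
    if ext in DOC_EXTS and kind in EXTS_FOR_KIND and ext not in EXTS_FOR_KIND[kind]:
        tags.add("magic-mismatch")         # name says document, bytes say something else
    if kind == "html":
        low = data[:65536].lower()
        if b"<form" in low and b'type="password"' in low:
            tags.add("html-login-form")    # local credential-harvesting page, as in the DHL phish
        if b"alert(" in low:
            tags.add("html-alert")         # the JavaScript pop-up the DHL post describes
        if ext not in HTML_EXTS:
            tags.add("html-disguised")
    return sorted(tags)


def triage_zip(zip_bytes: bytes) -> dict:
    """Findings per member of a zip attachment; only the first 64 KiB of each member is read."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                findings[info.filename] = triage_attachment(info.filename, fh.read(65536))
    return findings


def _make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for the attachments named in the posts (not the real samples).
FAX_ZIP = _make_zip({"task-00979545.doc.js": b"// constructed stub, no downloader here\nvar a = 1;\n"})
INVOICE_ZIP = _make_zip({"Inv._N\u00ba-1089-12-2015_PDF.exe": b"MZ" + b"\x00" * 62})
WHATSAPP_ZIP = _make_zip({"gully.exe": b"MZ" + b"\x00" * 62})
DHL_HTML = (b"<html><script>alert('Encripted DHL file, Sign in to continue!');</script>"
            b"<form method='post'><input name='email'><input type=\"password\" name='pw'>"
            b"</form></html>")
OLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56   # genuine OLE header, no macro check

if __name__ == "__main__":
    for z in (FAX_ZIP, INVOICE_ZIP, WHATSAPP_ZIP):
        print(triage_zip(z))
    print(triage_attachment("DHL_document.pdf.html", DHL_HTML))   # assumed name
    print(triage_attachment("British Gas.doc", OLE_DOC))          # [] by these checks
```

A real Dridex .doc with a genuine OLE header, like the British Gas.doc above, returns no findings from these name-and-bytes checks; that case needs macro extraction (olevba from oletools, for instance), which is outside this example. The checks here are the ones a mail gateway can apply before anything is opened, and they are the mechanical form of the posts' advice to show known file extensions.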
