
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1621 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 28 December 2015 - 01:01 PM

FYI...

AMEX - Phish...
- http://myonlinesecur...g-attempt-fail/
28 Dec 2015 - "... An email with the subject of 'Confirm Your Account Profile! 12/28/2015' pretending to come from American Express Online <narobiprojectors@ inbox .com> (I have received several this afternoon/evening, all pretending to come from different names @ inbox .com)...

Screenshot: http://myonlinesecur...15-1024x563.png

The -attached- HTML page which is complete with bad spelling mistakes and looks glaringly wrong would attempt to send your information (-if- you were unwise enough to fill in the page) to
http ://fantasticvacationhomes .com/verification3.php
> http://myonlinesecur...sh-1024x693.png "

fantasticvacationhomes .com: 192.185.141.50: https://www.virustot...50/information/
___

Straight2Bank - Phish...
- http://myonlinesecur...anges-phishing/
28 Dec 2015 - "An email saying 'Straight2Bank Website changes' pretending to come from Straight2Bank <Milan.Colquhoun@ s2b.standardchartered .com> is one of today’s phishing attempts. I have received loads of these this morning and they are using several -different- phish sites... The link in the email directs you to a -fake site-, if you look at the fake website, you would be very hard-pressed to tell the difference from the fake one and the genuine site. The -only- way is look at the address bar and in the -Genuine- bank site, when using Internet Explorer the entire address bar is in green. (in Chrome or Firefox, only the padlock symbol on the left of the browser is green):

Screenshot: http://myonlinesecur...ty-1024x758.png

... previous versions of phish attempts against this bank they only asked for passwords, log in details and pin numbers and didn’t ask for any other personal information... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."
 

:ph34r: :ph34r:   <_<


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1622 AplusWebMaster

Posted 02 January 2016 - 02:29 PM

FYI...

Most vulnerabilities in 2015: Mac OS X, iOS, and Flash
- http://venturebeat.c...-ios-and-flash/
Dec 31, 2015 - "Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apple’s Mac OS X, with 384 vulnerabilities. The runner-up? Apple’s iOS, with 375 vulnerabilities. Rounding out the top five are Adobe’s Flash Player, with 314 vulnerabilities; Adobe’s AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities.
For comparison, last year the top five (in order) were: Microsoft’s Internet Explorer, Apple’s Mac OS X, the Linux Kernel, Google’s Chrome, and Apple’s iOS. These results come from CVE Details*, which organizes data provided by the National Vulnerability Database (NVD). As its name implies, the Common Vulnerabilities and Exposures (CVE) system keeps track of publicly known information-security vulnerabilities and exposures... the 2015 list of the top 50 software products** in order of total distinct vulnerabilities..."
* http://www.cvedetail...s.php?year=2015

** http://1u88jj3r4db2x...top_50_2015.png

Top 50 list of products categorized by company - Graphic:
> http://1u88jj3r4db2x...ompany_2015.png
 

:ph34r: :ph34r:


Edited by AplusWebMaster, 02 January 2016 - 03:26 PM.



#1623 AplusWebMaster

Posted 04 January 2016 - 10:45 AM

FYI...

Evil network: 199.195.196.176/29...
- http://blog.dynamoo....7629-roman.html
4 Jan 2016 - "199.195.196.176/29 is a small bunch of IPs hosting browser-hijacker sites, belonging to Hosting Services, Inc. in Utah and suballocated to a customer. Several domains are flagged by Google as leading to PUAs or malware [1] [2] [3] [4] [5] [6], and almost all those domains also have anonymous registrations... Blocking 199.195.196.176/29 or monitoring traffic to it might detect infected hosts, that appear to have a bunch of per-install crapware and other stuff installed."
(More detail at the dynamoo URL above.)
1] https://www.google.c...edownloader.biz

2] https://www.google.c...smile-files.com

3] https://www.google.c...press-files.com

4] https://www.google.c...edownloader.com

5] https://www.google.c...own4loading.net

6] https://www.google.c...-downloader.net

> http://centralops.ne...ainDossier.aspx
network:Network-Name:Dedicated Server
network:IP-Network:199.195.196.176/29
network:IP-Network-Block:199.195.196.176 - 199.195.196.183
network:Org-Name:Alyabiev, Roman
network:Street-Address:pr. Molodeznoi 7 kv. 101
network:City:Kemerovo
network:State:
network:Postal-Code:650044
network:Country-Code:RU ...
___

Ransom32: The first javascript ransomware
- https://isc.sans.edu...l?storyid=20569
2016-01-04 - "... new variant and this one has been built using javascript. This malware -fakes- the NW.js framework. Once installed, it connects to its C&C server on the TOR network, port 85, to get the bitcoin address and the crypto key used for encryption. This trend is not new and we have seen how malware is being built more and more sophisticated to avoid being detected by any antimalware control at the endpoint. You have to integrate endpoint security with network security and correlate any possible alerts that might indicate an incident happening, like a computer being connected to the TOR network."
More info at: http://blog.emsisoft...ipt-ransomware/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 04 January 2016 - 04:06 PM.



#1624 AplusWebMaster

Posted 06 January 2016 - 05:42 AM

FYI...

Fake 'Invoice' SPAM -  malicious attachment
- http://blog.dynamoo....1-49934798.html
6 Jan 2016 - "This -fake- financial spam has a malicious attachment. The sender's names, reference numbers and attachment names vary. Here is one example:
    From:    Bertha Sherman
    Date:    6 January 2016 at 09:29
    Subject:    Invoice-205611-49934798-CROSSHILL SF
    Dear Customer,
    Please find attached Invoice 02276770 for your attention.
    Should you have any Invoice related queries please do not hesitate to
    contact either your designated Credit Controller or the Main Credit Dept. on
    01635 279370.
    For Pricing or other general enquiries please contact your local Sales Team.
    Yours Faithfully,
    Credit Dept' ...


I have seen at least -four- different attachments with names in a format similar to invoice40201976.doc... Malwr reports... show that the malware contained within POSTs to:
37.46.130.53 /jasmin/authentication.php
179.60.144.21 /jasmin/authentication.php
195.191.25.138 /jasmin/authentication.php
Those reports also show communication to other suspect IPs, giving:
94.158.214.45 (Noviton Ltd , Russia)
78.47.119.93 (Hetzner, Germany)
2.61.168.116 (Sibirtelecom, Russia)
37.46.130.53 (JSC Server, Russia)
179.60.144.21 (Veraton Projects Ltd, Netherlands)
195.191.25.138 (Hostpro Ltd, Ukraine)
This Hybrid Analysis* also shows similar characteristics. The macro drops a file tsx3.exe with a detection rate of 7/55**. The Malwr report*** doesn't give any particular insight as to what this is, but it is likely to be a banking trojan or ransomware. There are two other similar spam campaigns at the same time [1] [2], one of which POSTs to a McHost .RU IP in Russia:
109.234.34.224 /jasmin/authentication.php ...
Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224
"
* https://www.hybrid-a...environmentId=2

** https://www.virustot...sis/1452075219/

*** https://malwr.com/an...DlkMmRhMmZjZWY/

1] http://blog.dynamoo....ia20114520.html

2] http://blog.dynamoo....ation-from.html

- http://myonlinesecur...dsheet-malware/
6 Jan 2016 - "An email with the subject of 'Invoice-205611-88038421-CROSSHILL SF' coming from random email addresses and senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

6 January 2016: invoice88038421.doc - Current Virus total detections 2/56*
MALWR** shows tsx3.exe downloaded from http :// 37.46.130.53/jasmin/authentication.php (VirusTotal 6/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452072516/

** https://malwr.com/an...DI1YzExMWZjNGY/

*** https://www.virustot...sis/1452073223/
___

Fake 'Penalty Charge Notice' SPAM - malicious attachment
- http://blog.dynamoo....ia20114520.html
6 Jan 2016 - "This -fake- financial spam comes with a malicious attachment. The sender's name, reference numbers and attachment names vary. It seems to be closely related to this spam run*.
     From:    Viola Carrillo
    Date:    6 January 2016 at 09:53
    Subject:    Invoice for IA20114520
    To Whom It May Concern,
    Please find attached an invoice relating to Penalty Charge Notice Number IA20114520 along with a copy of the contravention.
    In order to prevent this fine from escalating further we have paid this fine on your behalf. Should you have any queries concerning these charges please don’t hesitate to contact me.
    Payment for this invoice will be taken by Direct Debit 9 working days from the date of this email.
    Please refer to page 2, point 3.6 in your Terms and Conditions for information on Traffic Offences.


I have seen two variants of the attachment (VirusTotal results [1] [2]) and these two Malwr reports [3] [4] indicate identical characteristics to the payload in this spam run* which is also being sent out today."
* http://blog.dynamoo....1-49934798.html

1] https://www.virustot...sis/1452076482/

2] https://www.virustot...sis/1452076495/

3] https://malwr.com/an...DFhMGY0OWUxNGQ/
195.191.25.138
78.47.119.93
13.107.4.50


4] https://malwr.com/an...GNmMDYwMzNlNWQ/
195.191.25.138
78.47.119.93
13.107.4.50


- http://myonlinesecur...dsheet-malware/
6 Jan 2016 - "The second of today’s Dridex downloaders... pretends to be a penalty-charge-notification is an email with the subject of 'Invoice for IA20122439' (random numbers) pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

6 January 2016 : invoice20122439.doc - Current Virus total detections 2/56*  
MALWR** shows us a download of tsx3.exe from http :// 109.234.34.224/jasmin/authentication.php
... this is the -same- Dridex payload as described in today’s slightly earlier Malspam run***..."
* https://www.virustot...sis/1452076028/

** https://malwr.com/an...zhmNjFkY2JjZjc/
109.234.34.224
78.47.119.93
13.107.4.50


*** http://myonlinesecur...dsheet-malware/
___

Fake 'Payment notification' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
6 Jan 2016 - "The Third of today’s Dridex downloaders... pretends to be an energy statement is an email with the subject of 'Payment notification from Third Energy Services Limited' coming from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Blair Maldonado <MaldonadoBlair76939@ ewb-mn .org>
Date: Wed 06/01/2016 10:29
Subject: Payment notification from Third Energy Services Limited
Body content:
    Payment notification from Third Energy Services Limited
    Third Energy Services Limited
    Registered in England & Wales. Registered number: 50380220.
    Registered office: 7th Floor. Portland House, Bressenden Place, London, UK, SW1E 5BH
    Tel: 01944 759904 ot 0207 0420 800
    This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Third Energy. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone...


6 January 2016: remit50380220.doc - Current Virus total detections 2/55*
MALWR** once again shows a download of tsx3.exe from http :// 195.191.25.138/jasmin/authentication.php which is the -same- Dridex banking malware as described in today’s earlier malspam runs [1] [2]..."
* https://www.virustot...sis/1452076128/

** https://malwr.com/an...WY0NWM2YmMxMjM/
195.191.25.138
94.158.214.45
78.47.119.93
13.107.4.50
2.61.168.116


1] http://myonlinesecur...dsheet-malware/

2] http://myonlinesecur...dsheet-malware/

- http://blog.dynamoo....ation-from.html
6 Jan 2016 - "This -fake- financial email comes with a malicious attachment.
    From:    Addie Caldwell
    Date:    6 January 2016 at 10:31
    Subject:    Payment notification from Third Energy Services Limited
    Payment notification from Third Energy Services Limited...


... -three- different versions of the attachment (in the format remit85752524.doc or similar)... similar characteristics to this spam run* plus this additional URL:
109.234.34.224 /jasmin/authentication.php
This IP is allocated to McHost .RU in Russia and can be considered as malicious. The payload is unknown, but is possibly Dridex.
Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224
"
* http://blog.dynamoo....1-49934798.html
___

Fake 'BACS PAYMENT' SPAM - malicious attachment
- http://blog.dynamoo....cs-payment.html
6 Jan 2016 - "This -fake- financial spam comes with different sender names, reference details and attachment names. However, in all cases the attachment is malicious.
    From:    Forrest Cleveland
    Date:    6 January 2016 at 11:23
    Subject:    STA19778072 - BACS PAYMENT
    Importance: High
    Hello,
    Wasn’t sure who to email.
    I don’t know if you have been asked but Statestrong Products Ltd are making one payment today for two cars. Could you let me know when it is in the account please as these are both collections tomorrow...


So far I have seen -three- different attachment variants... same general characteristics as this spam run*. However in this case the dropped file tsx3.exe has been updated and the -new- version has a detection rate of 6/54**. The Malwr report*** indicates very similar traffic to before.
Recommended blocklist:
94.158.214.45
78.47.119.93
2.61.168.116
37.46.130.53
179.60.144.21
195.191.25.138
109.234.34.224
"
* http://blog.dynamoo....1-49934798.html

** https://www.virustot...sis/1452080581/

*** https://malwr.com/an...2I1NjIxYjcyNTc/
78.47.119.93
165.254.102.181


- http://myonlinesecur...dsheet-malware/
6 Jan 2016 - "The 4th of today’s Dridex malspam downloaders... email with the subject of 'STA37626091 – BACS PAYMENT' (random numbers) coming from random email addresses and senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...NT-1024x535.png

6 January 2016: remit37626091.doc - Current Virus total detections *
MALWR** shows us it once again downloads tsx3.exe which looks like Dridex banking malware from http :// 37.46.130.53/jasmin/authentication.php (VirusTotal ***) this looks like an updated version from earlier, but Dridex is known to update at frequent intervals throughout the day, often as frequently as -hourly- ..."
* https://www.virustot...sis/1452079135/

** https://malwr.com/an...TY2NzAzODk3NTA/
37.46.130.53
78.47.119.93
13.107.4.50


*** https://www.virustot...sis/1452078831/
___

Fake 'Unilet Invoice' SPAM - malicious attachment
- http://blog.dynamoo....e-67940597.html
6 Jan 2016 - "This fake invoice seems to be a bit confused as to who is sending it. It has a malicious attachment.
    From:    Desiree Doyle
    Date:    6 January 2016 at 12:29
    Subject:    Unilet Invoice 67940597
    Hello,
    Please find attached another invoice to pay please by BACS.
    Thanks
    Desiree Doyle
    Accounts Department
    -----Original Message-----
    From: Desiree Doyle
    Sent: 06 January 2016 12:30
    To: Desiree Doyle
    Subject: Scanned from a Xerox Multifunction Device
    Please open the attached document. It was scanned and sent to you using a Xerox Multifunction Device.
    Attachment File Type: pdf, Multi-Page
    Multifunction Device Location: Melbury House-MG01
    Device Name: 7225 ...


The attachment has a random name in the format remit41071396.doc and I have seen -three- different versions with quite low detection rates [1] [2] [3]. The Malwr reports for these [4] [5] [6] indicate that it has the -same- behaviour as the spam documented here*, dropping a file tsx.exe ..."
1] https://www.virustot...sis/1452084584/

2] https://www.virustot...sis/1452084616/

3] https://www.virustot...sis/1452084631/

4] https://malwr.com/an...WQ3NWI1ZDQ5MGQ/
37.46.130.53
2.61.168.116
78.47.119.93
13.107.4.50
94.158.214.45


5] https://malwr.com/an...TU4YTNhNzVmNjY/
179.60.144.21

6] https://malwr.com/an...2EwNGE4NzQxZDU/
37.46.130.53
78.47.119.93
13.107.4.50


* http://blog.dynamoo....1-49934798.html

- http://myonlinesecur...rd-doc-malware/
6 Jan 2016 - "Yet another Dridex downloader coming in an email with the subject of 'Unilet Invoice 58520927' (random numbers) pretending to come from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...27-1024x518.png

6 January 2016: remit58520927.doc - Current Virus total detections 2/56*
MALWR** once again shows us tsx3.exe being downloaded from http :// 37.46.130.53/jasmin/authentication.php (VirusTotal 6/54***) -Same- Dridex Banking malware as THIS earlier malspam[4]..."
* https://www.virustot...sis/1452083864/

** https://malwr.com/an...2JjYjk5ODBlNGI/
37.46.130.53
78.47.119.93
13.107.4.50


*** https://www.virustot...sis/1452083988/

4] http://myonlinesecur...dsheet-malware/
___

Facebook “Page Disabled” Phish - wants your Card Details
- https://blog.malware...r-card-details/
Jan 6, 2015 - "Fake Facebook Security pages are quite a common sight, and there’s a “Your page will be disabled unless…” -scam- in circulation at the moment on random Facebook comment sections which you should steer clear of. The scam begins with a message like this:
Warning!!!
Your page will be disabled.
Due to your page has been reported by other users.
Please re-confirm your page in order to avoid blocking. You violate our terms of service. If you are the original owner of this account, please re-confirm your account in order to avoid blocking.

If the multiple exclamation marks and generally terrible grammar didn’t give the game away, the following request certainly might:
To complete your pages account please confirm Http below:
https(dot)lnkd(dot)in/bNF9BUY?Facebook.Recovery.page
"Attention"
If you do not confirm, then our system will automatically block your account and you will not be able to use it again.
Thank you for the cooperation helping us improve our service.
The Facebook Team


... Google Safe Browsing flags the final destination as a dubious website: and fires up a “Deceptive site ahead” warning:
> https://blog.malware...kefacebook1.jpg
... After harvesting your Facebook credentials, they then go after payment information:
> https://blog.malware...kefacebook3.jpg
... Should the victim enter their information and hit the button, they’ll be forwarded on to the real Facebook Security Facebook page. There’s also a “Confirm Paypal” button which leads to a phish for -that- service, too:
> https://blog.malware...kefacebook4.jpg
The above page is located at:
report-fanpage(dot)gzpot(dot)com/Next/paypal(dot)com(dot)htm
Make no mistake, this is one phishing scam that could cost you a lot more than your Facebook login. Should you be sent any attempts at panicking you into entering your logins on a so-called “Security Page”, you should give both destination URL and comment sender a very wide berth."

> https://www.virustot...7d6a8/analysis/

report-fanpage.gzpot .com: 31.170.166.81: https://www.virustot...81/information/
> https://www.virustot...796a9/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 06 January 2016 - 12:46 PM.

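The Dridex runs quoted in this post all work the same way: a Word or Excel attachment asks the reader to enable macros, and the VBA then downloads tsx3.exe from one of the /jasmin/authentication.php URLs. One place to stop that is at the mail gateway, before the document reaches a user who can click "Enable content". The following is an added example, not code from this thread or from the Dynamoo or myonlinesecurity write-ups: a stdlib-only Python triage that classifies an attachment by its file signature rather than its name (the spam mislabels .doc and .xls freely) and reports whether it carries a VBA project. The sample attachments, their names and the verdict labels are constructed for the example; the VBA check is a heuristic on container structure, so confirm hits with a real macro parser such as oletools' olevba before acting on them.

```python
"""Triage Office attachments for an embedded VBA project.

Added example, not code from the thread above or from the blogs it quotes.
It only checks whether the two Office container formats carry a VBA project;
it does not parse or run the macro. The sample attachments below are
constructed in memory and their file names are made up.
"""
import io
import zipfile

# Legacy .doc/.xls files are OLE compound files; this is the 8-byte signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Compound-file directory entries store stream names as UTF-16LE. A VBA project
# always carries a "_VBA_PROJECT" stream, under a "Macros" storage in Word.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]
# OOXML (.docm/.xlsm/.pptm) packages keep the VBA project as a binary part.
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def container_type(data: bytes) -> str:
    """Classify by file signature, not by extension (the spam renames freely)."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"
    return "other"


def has_vba(data: bytes) -> bool:
    """True when the attachment contains a VBA project in either container format."""
    kind = container_type(data)
    if kind == "ole":
        return any(marker in data for marker in OLE_VBA_MARKERS)
    if kind == "ooxml":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(part in z.namelist() for part in OOXML_VBA_PARTS)
        except zipfile.BadZipFile:
            return False
    return False


def triage(attachments):
    """attachments: iterable of (name, bytes). Returns (name, kind, has_vba, verdict).

    Office file with a VBA project: quarantine (the pattern in this thread);
    Office file without one: still worth a look; anything else: pass through.
    """
    results = []
    for name, data in attachments:
        kind = container_type(data)
        macro = has_vba(data)
        verdict = "quarantine" if macro else ("review" if kind != "other" else "pass")
        results.append((name, kind, macro, verdict))
    return results


# --- constructed samples (not real attachments) -----------------------------
def fake_ole(with_vba: bool) -> bytes:
    """Minimal stand-in for a legacy .doc: OLE header, then an optional VBA stream name."""
    body = bytearray(OLE_MAGIC + b"\x00" * 504)        # header padded to one 512-byte sector
    if with_vba:
        body += b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64
    return bytes(body)


def fake_ooxml(with_vba: bool) -> bytes:
    """Minimal stand-in for a .docx/.docm: a zip with (optionally) word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00")
    return buf.getvalue()


SAMPLES = [
    ("sample_invoice.doc", fake_ole(True)),
    ("sample_remit.doc", fake_ole(False)),
    ("sample_receipt.xls", fake_ooxml(True)),   # .xls by name, OOXML by content
    ("sample_quote.docx", fake_ooxml(False)),
    ("sample_photo.png", b"\x89PNG\r\n\x1a\n"),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print("%-22s %-6s vba=%-5s -> %s" % row)
```

Run it as a script to print the verdict table, or import has_vba() into a mail-filter hook. It deliberately does not try to recognise the blank-page or "enable editing" lure the blogs show; for an unsolicited invoice, the presence of a VBA project is the signal.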


#1625 AplusWebMaster

Posted 07 January 2016 - 05:21 AM

FYI...

Malvertising - Pop-under Ads sends CryptoWall4
- https://blog.malware...s-cryptowall-4/
Jan 7, 2016 - "We have caught a new malvertising campaign on the PopAds network launching the Magnitude exploit kit via pop-under ads. A pop-under is an ad window that appears behind the main browser window and typically remains open until the user manually closes it. Unsuspecting victims running -outdated- versions of the Flash Player were immediately infected with the CryptoWall ransomware. This campaign started around January 1st with ads mostly placed on various adult and video streaming sites and lead to an increase in Magnitude EK activity. Infection flow overview:
    serve.popads .net/servePopunder.php?cid={redacted}
    {redacted}.name/
    Magnitude EK domain ...
According to our data, this attack mainly targeted European users:
> https://blog.malware.../01/graphic.png
CryptoWall 4 infection: Once a system is infected, personal files are encrypted and usable as indicated in the dreaded CryptoWall ransom page:
> https://blog.malware.../ransompage.png
To recover pictures, documents and other important files, users are asked to pay in order to receive a “decryption” key... Prevention: Ransomware is one particular type of malware where prevention and backups are more important than ever. Since this particular attack relies on web exploits to infect the machine, it is crucial to keep your browser and related plugins up-to-date. You may also want to consider disabling or removing the Flash Player altogether since it has suffered a high number of zero-day exploits in recent history (even the latest version was vulnerable)..."
popads .net: 184.154.76.140: https://www.virustot...40/information/

- http://www.csoonline...ts-encrypt.html
Jan 7, 2016
___

Fake 'Angel Springs' SPAM - malicious attachment
- http://blog.dynamoo....ments-from.html
7 Jan 2016 - "This -fake- financial spam comes with a malicious attachment. The name of the sender varies, as does the reference number in the subject field that matches the attachment name.
    From:    Leonor Stevens
    Date:    7 January 2016 at 10:13
    Subject:    Your Latest Documents from Angel Springs Ltd [1F101177]
    Dear Customer,
    Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we've invested in upgrading our billing systems to make things a little easier for you.
    Here's a few ways we've made it easier for you:
        Your new documents are now attached to your email. You don't have to follow a link now to get to your documents...


The three samples I have sent for analysis... show an initial communication with:
176.103.62.108 /ideal/jenny.php
91.223.88.205 /ideal/jenny.php
These IPs belong to:
176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
I note that 91.223.88.204 also hosts some bad things.. and the entire 176.103.48.0/20 block has a history of evil-ness... Note that there are probably other download locations. Check back later if you are interested.
These malicious documents drop a binary geroin.exe which has a detection rate of 3/54*. The Malwr report** for this shows it phoning home to:
78.47.119.93 (Hetzner, Germany)...
Recommended blocklist:
176.103.48.0/20
91.223.88.204/30
78.47.119.93
"
* https://www.virustot...sis/1452162035/

** https://malwr.com/an...DdjZTdmZGM4NDQ/

- http://myonlinesecur...dsheet-malware/
7 Jan 2016 - "... an email with the subject of 'Your Latest Documents from Angel Springs Ltd [090190F1]' (random characters) pretending to come from random names and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From:Shanna Bolton <BoltonShanna6995@ dsldevice .lan>
Date:Thu 07/01/2016 08:57
Subject: Your Latest Documents from Angel Springs Ltd [090190F1] ...
    Dear Customer,
    Please find attached your latest document (s). You may have noticed that we have changed the way you receive your new attached documents from Angel Springs. Following feedback from our customers we’ve invested in upgrading our billing systems to make things a little easier for you.
    Here’s a few ways we’ve made it easier for you:
    Your new documents are now attached to your email. You don’t have to follow a link now to get to your documents...


7 January 2016: 090190F181854503.doc - Current Virus total detections 2/54*
... downloads geroin.exe which looks like Dridex banking malware from http ://91.223.88.205 /ideal/jenny.php (VirusTotal 3/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016  and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452161327/

** https://www.virustot...sis/1452162035/
___

Fake 'Ibstock Group Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
7 Jan 2016 - "... an email with the subject of 'Invoice 38178369 19/12 4024.80' pretending to come from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...80-1024x746.png

7 January 2016: invoice38178369.doc - Current Virus total detections *
Downloads the -same Dridex banking malware from http ://193.201.227.12 /ideal/jenny.php as described in this slightly earlier post:
> http://myonlinesecur...dsheet-malware/
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016  and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452163655/

- http://blog.dynamoo....47665-1912.html
7 Jan 2016 - "This -fake- financial spam is not from the Ibstock Group but instead contains a malicious attachment. It is closely related to this spam* which was sent out earlier today.
    From:    Amber Smith
    Date:    7 January 2016 at 10:38
    Subject:    Invoice 01147665 19/12 £4024.80 ...
Many thanks for the payment. There’s just one invoice that hasn’t been paid and doesn’t seem to have a query against it either.
Its invoice  01147665  19/12  £4024.80  P/O ETCPO 35094
Can you have a look at it for me please?
Thank-you !
Kind regards
Amber Smith
Credit Control
Finance Department
Ibstock Group ...


The sender's name varies, as does the reference number which matches the name of the attachment. I have seen three unique samples so far... show these documents communicating with:
193.201.227.12/ideal/jenny.php
91.223.88.205/ideal/jenny.php
176.103.62.108/ideal/jenny.php
IPs are allocated to:
176.103.62.108 (Ivanov Vitaliy Sergeevich, Ukraine)
91.223.88.205 (Private Person Anton Malyi, Ukraine)
193.201.227.12 (PE Tetyana Mysyk, Ukraine)
As before, a binary geroin.exe is dropped which communicates with:
78.47.119.93 (Hetzner, Germany)
The payload is the Dridex banking trojan. The recommended blocklist and sample MD5s can be found in this post*."
* http://blog.dynamoo....ments-from.html
___

Fake 'Close Invoice Finance Limited' SPAM - malicious attachment
- http://blog.dynamoo....ce-finance.html
7 Jan 2016 - "This fake financial spam comes with a malicious attachment:
    From:    Carey Cross
    Date:    7 January 2016 at 11:35
    Subject:    Close Invoice Finance Limited Statement 1/1
    Dear Customer,
    Please find attached your latest statement from Close Brothers Invoice Finance.
    Your username is 05510/0420078
    Your password should already be known to you...
    Regards
    Close Brothers Invoice Finance


The sender's name will vary, as will the attachment name. I have only seen a single sample at the moment with a detection rate of 2/54*. Functionally, the payload is identical to that found in this earlier spam run**, and it drops the Dridex banking trojan."
* https://www.virustot...sis/1452167385/

** http://blog.dynamoo....ments-from.html

- http://myonlinesecur...dsheet-malware/
7 Jan 2016 - "... an email with the subject of 'Close Invoice Finance Limited Statement 1/1' pretending to come from random email addresses and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

7 January 2016: invEF362145.doc - Current Virus total detections 2/56*
Downloads the -same- Dridex banking malware from http :// 193.201.227.12/ideal/jenny.php as described in today’s earlier posts  [1] [2]..."
* https://www.virustot...sis/1452168289/

1] http://myonlinesecur...dsheet-malware/

2] http://myonlinesecur...dsheet-malware/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 07 January 2016 - 11:57 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1626 AplusWebMaster


Posted 08 January 2016 - 05:59 AM

FYI...

Fake 'Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
8 Jan 2016 - "An email with the subject of 'Invoice from DSV 7FF6AB68, ARIA (UK) LTD, 61694956, Customer ref: ALEX MUNRO, SE/GB' pretending to come from random senders and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Melba Schneider <SchneiderMelba36@ euro-net .pl>
Date: Fri 08/01/2016 10:47
Subject: Invoice from DSV 7FF6AB68 , ARIA (U K) LTD, 61694956, Customer ref: ALEX MUNRO, SE/GB
    Invoice/Creditnote no.:           7FF6AB68
    Total Amount: GBP 60,00
    Due Date:                    28.01.2016
    If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
    Please see attached document.
    Best Regards
    Melba Schneider
    DSV Road Limited
    Scandinavia House ...


8 January 2016: logmein_pro_receipt.xls - Current Virus total detections 1/54*  
MALWR** shows us a download of hram.exe from http :// 194.28.84.79/softparade/spanish.php which looks like Dridex banking malware (virusTotal 4/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016  and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452250187/

** https://malwr.com/an...Dc2NDJjOThkYmI/
194.28.84.79
78.47.119.93


*** https://www.virustot...sis/1452250858/

- http://blog.dynamoo....v-723a36b7.html
8 Jan 2016 - "This -fake- financial spam is not from DSV Road Limited but is instead a simple forgery with a malicious attachment.
    From:    Hoyt Fowler
    Date:    8 January 2016 at 10:49
    Subject:    Invoice from DSV 723A36B7 , ARIA (U K) LTD, 04995672, Customer ref: ALEX MUNRO, SE/GB
    Invoice/Creditnote no.: 723A36B7
    Total Amount:   GBP 60,00
    Due Date:               28.01.2016
    If you have any questions to this invoice/creditnote please contact the person written in the upper right corner of the invoice.
    Please see attached document.
    Best Regards
    Hoyt Fowler
    DSV Road Limited
    Scandinavia House ...


... In this case, the attachment was named INV-SE723A36B7.doc and had a VirusTotal detection rate of 1/55*. According to this Malwr report**, the sample attempts to download a further component:
194.28.84.79 /softparade/spanish.php
There will most likely be a couple of other download locations too (check back later for more). This IP address belongs to Hostpro in Ukraine. Those other locations are likely to be in Ukraine too. A file named hram.exe is dropped onto the target system with a detection rate of 4/54***. The Malwr report indicates that this communicates with:
78.47.119.93 (Hetzner, Germany)
This is a -critical- IP to block, as we also saw it in use yesterday. The payload is most likely the Dridex banking trojan...
Recommended blocklist:
78.47.119.93
194.28.84.79
"
* https://www.virustot...sis/1452252108/

** https://malwr.com/an...TFkYTFiY2RmODQ/
194.28.84.79
78.47.119.93


*** https://www.virustot...sis/1452252679/
___

'Let’s Encrypt'... abused by Malvertisers
- http://blog.trendmic...y-malvertisers/
Jan 6, 2016 - "... the potential for 'Let’s Encrypt' being -abused- has always been present. Because of this, we have kept an eye out for -malicious- sites that would use a Let’s Encrypt certificate. Starting on December 21, we saw activity going to a malvertising server, with traffic coming from users in Japan. This campaign led to sites hosting the Angler Exploit Kit, which would download a banking Trojan (BKDR_VAWTRAK.AAAFV) onto the affected machine:
Daily hits to malvertising server:
> https://blog.trendmi...ncrypt-2-01.png
... The malvertisers used a technique called “domain shadowing”. Attackers who have gained the ability to create subdomains under a legitimate domain do so, but the created subdomain leads to a server under the control of the attackers. In this particular case, the attackers created ad.{legitimate domain}.com under the legitimate site... Traffic to this created subdomain was protected with HTTPS and a Let’s Encrypt certificate... The domain hosted an ad which appeared to be related to the legitimate domain to disguise its traffic. Parts of its redirection script have also been moved from a JavaScript file into a .GIF file to make identifying the payload more difficult. Anti-AV code similar to what we found in the September attack is still present. In addition, it uses an open DoubleClick -redirect- ... users should also be aware that a “secure” site is -not- necessarily a safe site, and we also note that the best defense against exploit kits is still keeping software up-to-date to minimize the number of vulnerabilities that may be exploited..."

> http://news.netcraft...fraudsters.html

> http://news.netcraft...2016/09/pie.png

Fraudulent Digital Certificates
- https://technet.micr...ty/2607712.aspx

> https://www.fdic.gov...4/fil2704a.html
 



Edited by AplusWebMaster, 08 January 2016 - 11:22 AM.



#1627 AplusWebMaster


Posted 09 January 2016 - 01:13 PM

FYI...

Russian ISP prevents Cisco from Shutting Down Cybercriminal Gang
- http://yro.slashdot....ercriminal-gang
Jan 09, 2016 - "Cisco's Talos research team* has managed to identify and partially shut down a cyber-criminal group that is using the RIG exploit kit to infect users with spambots via a malvertising campaign**. Their investigation led them back to Russian ISP Eurobyte, who didn't bother answering critical emails and allowed the campaign to go on even today. In October 2015, Cisco's researchers also thwarted the activity of another group of cyber-criminals that made around $30 million from distributing ransomware."
* http://blog.talosint...compromise.html
Jan 7, 2016 - "... when a provider is notified of malicious activity it is their responsibility to at least acknowledge the abuse and work to validate and, if legitimate, take the system offline. Webzilla did just that in our experience, but Eurobyte has not. This lack of response led Talos to make the decision to blacklist large portions of the provider's network to ensure that our customers are protected since reporting the abuse alone is not enough."

** http://news.softpedi...ng-498667.shtml
___

LLoyds bank - 'update to our mobile banking app' – Phish
- http://myonlinesecur...-phishing-scam/
9 Jan 2016 - "... Today’s example is an email received with a subject of 'UPDATE NOTIFICATION' pretending to come from Lloyds plc <info@ glc .com>. Mobile apps and mobile banking are the new big thing and banks are encouraging users to use mobile banking... This one wants your personal bank log-in details in order to steal all your money. Many of them are also designed to specifically steal your email, facebook and other social network log in details... The original email looks like this. It will NEVER be a genuine email from your bank, or any other financial body, so don’t ever follow the link or fill in the html (webpage) form that comes attached to the email... If you are unwise enough to follow the link which goes to http ://toxicwingsli .com/op.htm and then -redirects- you to http ://joelcomm .net/wp-content/l10yds/1e9644d8cb4d7dc77c5770ae1b84b3fa/ you see a webpage looking like the genuine Lloyds log in page, look carefully at the url in the top bar and you can see it isn’t Lloyds at all but a fake site:

Screenshot: http://myonlinesecur...sh_webpage1.png

If you still haven’t realised that it is a phishing attempt and give them your username & password, you will be sent to the next page which asks for your memorable information. You then get bounced on to the genuine Lloyds Bank site..."

toxicwingsli .com: 166.62.118.179: https://www.virustot...79/information/

joelcomm .net: 23.235.226.77: https://www.virustot...77/information/
 



Edited by AplusWebMaster, 10 January 2016 - 10:12 AM.



#1628 AplusWebMaster


Posted 11 January 2016 - 05:59 AM

FYI...

Fake 'latest invoice' SPAM - malicious attachment
- http://blog.dynamoo....voice-from.html
11 Jan 2016 - "This -fake- financial spam does not come from UKFast but is instead a simple -forgery- with a malicious attachment.
    From     UKFast Accounts [accounts@ ukfast .co.uk]
    Date     Mon, 11 Jan 2016 11:00:10 +0300
    Subject     Your latest invoice from UKFast No.1228407


I am unable to determine what the body text is at the moment. In this case, the attachment was named Invoice-1228407.doc and has a VirusTotal detection rate of 3/54*. The Malwr report** shows that the malicious macro... downloads an executable from:
www .vmodal .mx/5fgbn/7tfr6kj.exe
This binary has a detection rate of 2/54***... This Malwr report[4] for the dropped file indicates network traffic to:
114.215.108.157 (Aliyun Computing Co, China)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
* https://www.virustot...sis/1452505104/

** https://malwr.com/an...zgxNGVmYzQyZDU/
185.21.134.14
114.215.108.157
13.107.4.50


*** https://www.virustot...sis/1452505941/
TCP connections
114.215.108.157: https://www.virustot...57/information/
8.253.82.158: https://www.virustot...58/information/
110.77.142.156: https://www.virustot...56/information/

4] https://malwr.com/an...TE4ZWQ1NTA2Mzg/

- http://myonlinesecur...dsheet-malware/
11 Jan 2016 - "An email with the subject of 'Your latest invoice from UKFast No.1228407' pretending to come from UKFast Accounts <accounts@ ukfast .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: UKFast Accounts <accounts@ukfast.co.uk>
Date: Mon 11/01/2016 09:00
Subject: Your latest invoice from UKFast  No.1228407
    Hi,
    Thank you for choosing UKFast. Please find attached your latest invoice. You can also download it.
    As you have chosen to pay by Direct Debit there’s nothing more you need to do, payment will be taken on or after the date stated on your invoice.
    Should you have any queries relating to this invoice please raise an invoice query from within MyUKFast. Alternatively you can contact us on 0845 458 3535.
    Remember you can view all your invoices, set who should receive these alerts and much more all via MyUKFast.
    Kind Regards ...


11 January 2016: Invoice-1228407.doc - Current Virus total detections 3/54*  
downloads Dridex banking malware from http ://www .vmodal .mx/5fgbn/7tfr6kj.exe (VirusTotal 1/55**)
... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452505104/

** https://www.virustot...sis/1452507654/
TCP connections
114.215.108.157: https://www.virustot...57/information/
8.253.82.158: https://www.virustot...58/information/
110.77.142.156: https://www.virustot...56/information/
___

Fake 'E-Service' SPAM - malicious attachment
- http://blog.dynamoo....europe-ltd.html
11 Jan 2016 - "This -fake- financial spam does not come from E-Service (Europe) Ltd but is instead a simple -forgery- with a malicious attachment:
    From     Andrew Williams [andrew.williams@ eurocoin .co.uk]
    Date     Mon, 11 Jan 2016 17:07:38 +0700
    Subject     E-Service (Europe) Ltd Invoice No: 10013405
    Dear Customer,
    Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
    to make payment for all transactions on or before their due date.
    Please contact E-Service (Europe) if you have any issues or queries preventing your
    prompt payment ...


E-Service have been exceptionally quick about posting an update on their Twitter page*.
* https://twitter.com/...496655831625728
However, they have -not- been hacked at all as it is trivially easy to forge an email message. The attachment is a malicious Excel spreadsheet which leads to the Dridex banking trojan. So far, I have seen -five- different versions of the attachment, all named Invoice 10013405.XLS ... The Malwr reports for the attachment... show that the macro in the spreadsheet downloads a file from the following locations:
arellano .biz/5fgbn/7tfr6kj.exe
pastorsschoolinternational .org/5fgbn/7tfr6kj.exe
www.c0-qadevtest .net/5fgbn/7tfr6kj.exe
This dropped file has a detection rate of 1/55**. It is the -same- binary as found in this earlier spam run*** which phones home to:
114.215.108.157 (Aliyun Computing Co, China)
This is an IP that I strongly recommend blocking..."
** https://www.virustot...sis/1452509215/
TCP connections
114.215.108.157
8.253.82.158
110.77.142.156


*** http://blog.dynamoo....voice-from.html

- http://myonlinesecur...dsheet-malware/
11 Jan 2016 - "An email with the subject of 'E-Service (Europe) Ltd Invoice No: 10013405' pretending to come from  with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Andrew Williams <andrew.williams@ eurocoin .co.uk>
Date: Mon 11/01/2016 10:22
Subject: E-Service (Europe) Ltd Invoice No: 10013405
    Dear Customer,
    Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you to make payment for all transactions on or before their due date.
    Please contact E-Service (Europe) if you have any issues or queries preventing your prompt payment...


11 January 2016: loInvoice 10013405.XLS - Current Virus total detections 7/54*
Downloads from http ://arellano .biz/5fgbn/7tfr6kj.exe which is the -same- Dridex banking malware as described in this slightly earlier post**..."
* https://www.virustot...sis/1452509257/

** http://myonlinesecur...dsheet-malware/
___

Fake 'Kaseya Invoice' SPAM - malicious attachment
- http://blog.dynamoo....e-1ed0c068.html
11 Jan 2016 - "This -fake- financial email has a malicious attachment:
    From:    Terry Cherry
    Date:    11 January 2016 at 10:48
    Subject:    Kaseya Invoice - 1ED0C068
    Dear Accounts Payable,
    Thank you for your purchase of Kaseya Licenses. Attached please find our invoice for your purchase under the K2 Software Catalog.
    Our bank details for wire transfer are included on the attached invoice.
    Should you wish to submit payment via credit card, please contact our customer service department (billing-cs@ kaseya .com) for assistance with adding card details through our portal.
    Please do not hesitate to let us know if you have any questions.
    Thanks again for your patronage.
    Sincerely,
    Terry Cherry
    Kaseya Customer Invoicing ...


The sender's name, references and attachments may vary. This appears to be a spam from Dridex 120, and it is a characteristic that there is a very-large-number-of-variants of the attachments. In this case, I analysed three different attachments with a detection rate of about 2/55 [1]..., which according to these Malwr reports [4]... download a binary from the following locations:
5.189.216.10 /montana/login.php
77.246.159.154 /montana/login.php
109.234.39.40 /montana/login.php
All of these IPs should be considered to be malicious:
5.189.216.10 (LLHost Inc, Netherlands)
77.246.159.154 (JSC Server, Russia)
109.234.39.40 (McHost.ru, Russia)
A binary named trap.exe ... a detection rate of 5/54[7] is downloaded. According to this Malwr report[8] the executable phones home to:
78.47.119.93 (Hetzner, Germany)
The payload is the Dridex banking trojan.
Recommended blocklist:
78.47.119.93
5.189.216.10
77.246.159.154
109.234.39.0/24
"
1] https://www.virustot...sis/1452510008/

4] https://malwr.com/an...TdkM2UwM2FjY2M/

7] https://www.virustot...sis/1452510360/

8] https://malwr.com/an...mNmNWU4ZjQyOWM/

- http://myonlinesecur...dsheet-malware/
11 Jan 2016 - "An email with the subject of 'Kaseya Invoice – DD5A9977' pretending to come from random names, companies and random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Alvin Fry <FryAlvin59518@ attrazioneviaggi .it>
Date: Mon 11/01/2016 11:00
Subject: Kaseya Invoice – DD5A9977
    Dear Accounts Payable,
    Thank you for your purchase of Kaseya Licenses. Attached please find our invoice for your purchase under the K2 Software Catalog.
    Our bank details for wire transfer are included on the attached invoice.
    Should you wish to submit payment via credit card, please contact our customer service department (billing-cs@ kaseya .com) for assistance with adding card details through our portal.
    Please do not hesitate to let us know if you have any questions.
    Thanks again for your patronage...


11 January 2016: Invoice-19071543.doc - Current Virus total detections 2/55*
downloads the -same- Dridex banking malware from the same locations as described in THIS post**..."
* https://www.virustot...sis/1452515923/

** http://myonlinesecur...dsheet-malware/
___

Fake 'Invoice-11JAN15' SPAM - leads to malware
- http://blog.dynamoo....3771728-gb.html
11 Jan 2016 - "This rather generic looking spam email leads to malware:
    From:    Raleigh Frazier [FrazierRaleigh8523@ amnet .net.au]
    Date:    11 January 2016 at 11:20
    Subject:    Invoice-11JAN15-53771728-GB
    Dear Customer,
    Please find attached Invoice 53771728 for your attention.
    Should you have any Invoice related queries please do not hesitate to
    contact either your designated Credit Controller or the Main Credit Dept. on
    02051 2651180.
    For Pricing or other general enquiries please contact your local Sales Team.
    Yours Faithfully,
    Credit Dept'


The name of the sender, references and attachment name vary. There are at least -three- different variations of the attachment, probably more. Detection rates are approximately 2/55*... and these Malwr reports [4].. indicate that the behaviour is very similar to the one found in this spam run**."
* https://www.virustot...sis/1452511471/

4] https://malwr.com/an...jgyMmIxZDBiODc/

** http://blog.dynamoo....e-1ed0c068.html
 



Edited by AplusWebMaster, 11 January 2016 - 07:23 AM.

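The "Recommended blocklist" sections quoted in posts #1626 and #1628 above give bare IPs plus one /24 range (109.234.39.0/24). The script below is an added example, not code from the dynamoo blog or from this thread: it loads those entries with Python's `ipaddress` module so that single addresses and CIDR ranges are matched the same way, then runs a few constructed proxy-log lines (an assumed "epoch client dst_ip url" layout, not real traffic) through the list and reports the internal clients that reached a blocklisted destination.

```python
"""Match outbound proxy log entries against the Dridex blocklists quoted above.

Added example, not code from the dynamoo blog or this forum thread. The
blocklist entries are the IPs and the one /24 range from the "Recommended
blocklist" sections of posts #1626 and #1628; the log format and the log
lines are constructed for this example.
"""
import ipaddress
import re

# Entries copied from the quoted "Recommended blocklist" sections.
BLOCKLIST_TEXT = """
78.47.119.93
194.28.84.79
5.189.216.10
77.246.159.154
109.234.39.0/24
"""

# Constructed log lines (not real traffic) in an assumed
# "epoch client_ip dst_ip url" layout. 203.0.113.10 is a TEST-NET address.
SAMPLE_LOG = """\
1452510360 10.0.0.12 194.28.84.79 http://194.28.84.79/softparade/spanish.php
1452510361 10.0.0.12 78.47.119.93 http://78.47.119.93/
1452510390 10.0.0.33 203.0.113.10 http://example.net/index.html
1452510402 10.0.0.41 109.234.39.40 http://109.234.39.40/montana/login.php
garbage line that does not match the format
"""

LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<url>\S+)$")


def parse_blocklist(text):
    """Parse one entry per line (bare IP or CIDR) into ip_network objects.

    A bare IP becomes a /32 network, so the 109.234.39.0/24 range and the
    single addresses are matched by the same containment test. Blank lines
    and '#' comments are skipped.
    """
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_blocked(ip_text, nets):
    """True if ip_text falls inside any blocklisted network; non-IP text is never blocked."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def find_hits(log_text, nets):
    """Return (client, dst, url) for every well-formed log line with a blocklisted destination."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match and is_blocked(match.group("dst"), nets):
            hits.append((match.group("client"), match.group("dst"), match.group("url")))
    return hits


if __name__ == "__main__":
    for client, dst, url in find_hits(SAMPLE_LOG, parse_blocklist(BLOCKLIST_TEXT)):
        print(f"{client} -> {dst}  {url}")
```

Matching on the destination IP rather than the URL string is deliberate: the same Dridex download hosts appear in the posts under several different paths (`/softparade/spanish.php`, `/montana/login.php`), while the IPs and the call-home address 78.47.119.93 repeat across runs.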


#1629 AplusWebMaster


Posted 12 January 2016 - 06:07 AM

FYI...

Fake 'Lattitude Invoice' SPAM - malicious attachment
- http://blog.dynamoo....ude-global.html
12 Jan 2016 - "This -fake- financial spam comes from random senders and with different reference details. It does not come from Lattitude Global Volunteering but is instead a simple -forgery- with a malicious attachment.
    From:    Darius Green
    Date:    12 January 2016 at 09:33
    Subject:    Lattitude Global Volunteering - Invoice - 3FAAB65
    Dear customer,
    Please find attached a copy of your final invoice for your placement in Canada.
    This invoice needs to be paid by the 18th January 2016.
    Due to recent increases on credit card charges, we prefer that you make a payment for your invoice on a bank transfer  our bank details are.
    You must provie your invoice number or account reference when you make the payment in order for us to allocate the payment to your account.
    Account Name:  Lattitude Global Volunteering
    Bank:                        Barclays Bank
    Sort Code:              20-71-03
    Account No.           20047376
    IBAN:                        GB13BARC20710320047376
    SWIFBIC:                  BARCGB22
    Kind regards
    Luis Robayo
    Accounts Department
    Lattitude Global Volunteering ...


I have personally only seen two samples so far with detection rates of 2/55 [1] [2]. These two Malwr reports [3] [4] plus some private sources indicate that the attachments download from the following locations:
31.131.20.217/shifaki/indentification.php
185.125.32.39/shifaki/indentification.php
5.34.183.41/shifaki/indentification.php
5.149.254.84/shifaki/indentification.php
This is characteristic of spam sent by the Dridex 120 botnet. All the IPs can be considered to be -malicious- and should be blocked.
31.131.20.217 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
185.125.32.39 (Sembol Internet Hizmetleri ve Dis Ticaret Ltd, Turkey)
5.34.183.41 (ITL Company, Ukraine)
5.149.254.84 (Fortunix Networks, Netherlands)
A file kfc.exe is dropped onto the target system which has a detection rate of 6/52*... Those previous Malwr reports indicate that it phones home to a familiar IP of:
78.47.119.93 (Hetzner, Germany)
Recommended blocklist:
78.47.119.93
31.131.20.217
185.125.32.39
5.34.183.41
5.149.254.84
"
1] https://www.virustot...sis/1452594409/

2] https://www.virustot...sis/1452594427/

3] https://malwr.com/an...ThhZmQyMDYxMjM/

4] https://malwr.com/an...TMxM2Q2NjM3ZjM/

* https://www.virustot...sis/1452595124/

- http://myonlinesecur...dsheet-malware/
12 Jan 2016 - "An email with the subject of 'Lattitude Global Volunteering – Invoice – AF6643A' (random numbers) pretending to come from random names, companies and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

12 January 2016: Invoice – AF6643A.doc - Current Virus total detections 2/54*
MALWR analysis** shows it downloads Dridex banking malware from http :// 5.149.254.84/shifaki/indentification.php named 120CR.exe, which looks suspiciously familiar from recent days (VirusTotal 6/54***)..."
* https://www.virustot...sis/1452591731/

** https://malwr.com/an...WE5MDRkZDE0MGU/
5.149.254.84
78.47.119.93


*** https://www.virustot...sis/1452592072/
___

Fake 'payment' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
12 Jan 2016 - "An email with the subject on the -theme- of payment, transaction, Transfer coming from random email addresses and random people with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... These malicious word docs appear to be based on the Black Energy dropper described HERE:
> https://isc.sans.edu... Dropper/20601/
The email looks like:
From: Random senders like Hermione Acevedo <info@ gistparrot .com> or Avye Brown <werbeteam@ gmx .de>
Date: Tue 12/01/2016 06:02
Subject: Random subjects like Fwd: MGU  Transaction, AI  Transaction, VL  Payment, AJ  Transfer
    Good morning
    Please find the receipt attached to this message. The Transaction will be posted on your account in two days.  
    Regards
    Hermione Acevedo

-Or-
    Good Day
    Please check the invoice enclosed with this message. The Transaction will be posted on your bank within 1-2 days.  
    Best regards
    Avye Brown


12 January 2016: 51U5P05W22P34.doc - Current Virus total detections 1/54*  
ReverseIT analysis**. These are very -different- to previous macro word docs. This one contacts
crechemploi .be/wpl.jpg?ICpz8scC0AI=35 (VirusTotal 0/54***) and downloads an -image- file wpl.jpg which is extremely large 245kb for a small image. It looks like it has embedded -malware- inside it which in this example is named 3088239.exe (VirusTotal 2/55[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452581898/

** https://www.reverse....environmentId=1
195.154.231.179: https://www.virustot...79/information/
104.224.128.163: https://www.virustot...63/information/

*** https://www.virustot...sis/1452584610/

4] https://www.virustot...sis/1452585387/

crechemploi .be: 195.154.231.179: https://www.virustot...79/information/
___

Fake 'Payment Advice' SPAM - malicious attachment
- http://blog.dynamoo....0002014343.html
12 Jan 2016 - "This -fake- financial spam is not from Wipro but is instead a simple -forgery- with a malicious attachment.
    From:    Bhavani Gullolla [bhavani.gullolla1@ wipro .com]
    Date:    12 January 2016 at 09:51
    Subject:    Payment Advice - 0002014343
    Dear Sir/Madam,
    This is to inform you that we have initiated the electronic payment through our Bank.
    Please find attached payment advice which includes invoice reference and TDS deductions if any.
    Transaction Reference :
    Vendor Code :9189171523
    Company Code :WT01
    Payer/Remitters Reference No :63104335
    Beneficiary Details :43668548/090666
    Paymet Method : Electronic Fund Transfer
    Payment Amount :1032.00
    Currency :GBP
    Processing Date :11/01/2016 ...


The attachment is randomly-named in the format 9705977867.doc which I have seen in two different versions with detection rates of 5/54 [1] [2], and according to the Malwr reports [3] [4] they both download a -malicious- binary from:
hotpointrepair .info/u5y4g3/76u54g.exe
This download location is characteristic of the Dridex 220 botnet. The downloaded binary has a detection rate of 4/55* and this Malwr report** shows network traffic to:
199.231.189.9 (Interserver Inc, US)
I strongly recommend that you -block- this IP address..."
1] https://www.virustot...sis/1452596943/

2] https://www.virustot...sis/1452596954/

3] https://malwr.com/an...zA0NWIwOGJlZDg/
66.147.242.93
199.231.189.9
8.254.249.78


4] https://malwr.com/an...mY2OGExYWVmZjk/
66.147.242.93
199.231.189.9
184.28.188.195


* https://www.virustot...sis/1452597607/

** https://malwr.com/an...zNhOWM3MmZlMDU/
199.231.189.9
13.107.4.50


hotpointrepair .info: 66.147.242.93: https://www.virustot...93/information/
> https://www.virustot...611b3/analysis/
___

Fake 'Sales Invoice' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
12 Jan 2016 - "An email with the subject of 'Sales Invoice SIN040281 from Charbonnel et Walker Limited' pretending to come from Corinne Young <corinne.young@ charbonnel .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ed-1024x464.png

12 January 2016: SIN040281.DOC - Current Virus total detections 4/55*
Downloads Dridex banking malware from http ://hotpointrepair .info/u5y4g3/76u54g.exe (VirusTotal 1/55**)
-same- Dridex malware as other malspam runs. Note: Dridex updates frequently during the day, so you might get a different malware version... DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...21-1024x412.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452601210/

** https://www.virustot...sis/1452599104/
TCP connections
199.231.189.9: https://www.virustot....9/information/
13.107.4.50: https://www.virustot...50/information/

hotpointrepair .info: 66.147.242.93: https://www.virustot...93/information/
> https://www.virustot...611b3/analysis/
___

'LloydsLink online website changes' - PHISH
- http://myonlinesecur...anges-phishing/
12 Jan 2016 - "... Today’s example is an email received with a subject of 'LloydsLink online website changes' pretending to come from LloydsLink online <Hugo.Batzold@ lloydslink.online .lloydsbank .com>.
We have been seeing this sort of email for -numerous- banks recently... Note the 0 instead of the o in the second Lloyds. You see a webpage looking identical to the genuine Lloydslink log-in page, look carefully at the url in the top bar and you can see it isn’t Lloyds at all but a -fake- site:

Screenshot: http://myonlinesecur...am-1024x365.png

If you still haven’t realised that it is a phishing attempt and give them your username & password, you will then get bounced on to the -genuine- Lloyds Bank site:
> https://lloydslink.o...gon/Logon.xhtml
... and think that you just didn’t enter details correctly or mistyped a digit and need to re-enter them and won’t even pay any attention, until you get the dreaded letter or phone call saying someone has emptied your bank account. All of these emails use Social engineering tricks to persuade you to follow the links or open the attachments that come with the email..."
___

Ransom32 – the malicious package
- https://blog.malware...icious-package/
Jan 11, 2016 - "Ransom32 is a new ransomware implemented in a very atypical style. Emisoft provides a good description of its functionality here:
> http://blog.emsisoft...ipt-ransomware/
... we will focus on some implementation details of the malicious package. Ransom32 is delivered as an executable, that is in reality an autoextracting WinRAR archive. By default it is distributed as a file with .scr extension:
> https://blog.malware...ansom32_scr.png
The WinRAR script is used to drop files in the specified place and autorun the unpacked content... Installation directory created in %TEMP%... The unpacked content consists of the following files:
> https://blog.malware...m32_content.png
chrome.exe spoofs Google’s browser, but in reality it is an element responsible for preparing and running the Node JS application (that is the -main- part of the ransomware). After the chrome.exe is run from the %TEMP% folder, it installs the above files into %APPDATA% -in folder Chrome Browser:
> https://blog.malware...1/installed.png
... After encrypting the files, the ransom nag-window is displayed. The GUI is generated by JavaScript, with the layout defined by the included CSS:
> https://blog.malware...om32_screen.png
The internet connection is operated via included Tor client – renamed to rundll32.exe ...
Conclusion: In the past, malware authors cared mostly about small size of their applications – that’s why early viruses were written in assembler. Nowadays, technologies used and goals have changed. The most important consideration is not the size, but the ability to imitate legitimate applications, for the purpose of avoiding detection. Authors of Ransom32 went really far in this direction. Their package is huge in comparison to typical samples. It consists of various elements, including legitimate applications – i.e. the Tor client (renamed to rundll32.exe). The technology that they have chosen for the core – Node JS – is a complete change of direction from the malware written in low-level languages. However, compiled JavaScript (although it works about 30 percent slower than not compiled) is not very popular and there is a lack of tools to analyze it – which makes it a good point for malware authors, who gain some level of code protection..."
(More detail at the malwarebytes URL at the top.)
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 12 January 2016 - 08:18 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
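A defender-side check for the layout just described (the NW.js runtime named chrome.exe run from %TEMP%, a persisted copy under %APPDATA%\Chrome Browser, and the Tor client renamed rundll32.exe), added here as an example and not taken from the Malwarebytes write-up; the file inventory is constructed and the expected install directories are my assumptions.

```python
"""Path-based masquerade check modelled on the Ransom32 layout described above.

Added example. The inventory below is constructed; the expected install
directories are assumptions, not taken from the write-up.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple

# Lower-cased directory suffixes under which each well-known binary legitimately lives
# (assumed; chrome.exe is accepted from both per-machine and per-user installs).
EXPECTED_PARENTS: Dict[str, Tuple[str, ...]] = {
    "rundll32.exe": ("\\windows\\system32", "\\windows\\syswow64"),
    "chrome.exe": ("\\google\\chrome\\application",),
}
# User-writable areas the sample stages in (%TEMP%) and persists to (%APPDATA%).
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\")
# Persistence folder named in the write-up.
PERSIST_DIR = "\\appdata\\roaming\\chrome browser\\"


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def check_path(path: str) -> List[Finding]:
    """Return the findings for one file path; an empty list means nothing looked off."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    lower = str(p).lower()
    findings: List[Finding] = []

    # 1. A well-known binary name outside its expected directory: the NW.js runtime
    #    posing as chrome.exe, or the Tor client renamed to rundll32.exe.
    if name in EXPECTED_PARENTS and not parent.endswith(EXPECTED_PARENTS[name]):
        findings.append(Finding(path, f"{name} outside its expected location: {parent}"))

    # 2. A .scr file in a user-writable location. Screensavers are ordinary PE
    #    executables, and the dropper was distributed with a .scr extension.
    if p.suffix.lower() == ".scr" and any(m in lower for m in USER_WRITABLE):
        findings.append(Finding(path, "executable with .scr extension in a user-writable location"))

    # 3. Anything under the persistence folder the sample creates.
    if PERSIST_DIR in lower:
        findings.append(Finding(path, "file under %APPDATA%\\Chrome Browser"))
    return findings


def scan(paths: Iterable[str]) -> List[Finding]:
    """Run check_path over a whole inventory."""
    out: List[Finding] = []
    for path in paths:
        out.extend(check_path(path))
    return out


# Constructed inventory: three legitimate entries, then the Ransom32 layout.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\rundll32.exe",
    r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"C:\Users\bob\AppData\Local\Google\Chrome\Application\chrome.exe",  # per-user Chrome
    r"C:\Users\bob\AppData\Local\Temp\nw_tmp\chrome.exe",       # run from %TEMP% (dir name constructed)
    r"C:\Users\bob\AppData\Roaming\Chrome Browser\chrome.exe",   # persisted copy
    r"C:\Users\bob\AppData\Roaming\Chrome Browser\rundll32.exe", # renamed Tor client
    r"C:\Users\bob\Downloads\Invoice.scr",                       # SFX dropper (name constructed)
]

if __name__ == "__main__":
    for f in scan(SAMPLE_INVENTORY):
        print(f"{f.path}: {f.reason}")
```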


#1630 AplusWebMaster


Posted 13 January 2016 - 05:03 AM

FYI...

MS account security info verification – Phish
- http://myonlinesecur...ation-phishing/
13 Jan 2016 - "... phishing attempts against Microsoft Office and Outlook accounts. This one starts with an email with the subject 'Microsoft account security info verification' pretending to come from Microsoft <security-noreply@ account .microsoft .com> . One of the major common subjects in this sort of phishing attempt is 'Your password will expire soon' or 'update your email' or something very similar. This one only wants your email / Microsoft account login details...

Screenshot: http://myonlinesecur...on-1024x550.png

The link behind the 'Upgrade Now' is http ://tenga .my/wp-content/outnew/index.php?email=victim@doamain.com. If you are unwise enough to follow the link you see a webpage looking like:
> http://myonlinesecur...in-1024x542.png
... which is a very good imitation of a genuine Microsoft 365 log on page. If you do fill in the email and password, you immediately get sent to the genuine Office 365 log on page and you just think that you might have entered the email or password incorrectly and do it again. All of these emails use Social engineering tricks to persuade you to follow links or open the attachments that come with the email..."

tenga .my: 181.224.159.177: https://www.virustot...77/information/
> https://www.virustot...my/information/
___

Fake 'Scanned Document' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
13 Jan 2016 - "An email with the subject of 'Scanned Document MRH Solicitors' pretending to come from Color @ MRH Solicitors <color93@ yahoo .co.uk> (random color numbers) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Color @ MRH Solicitors <color93@ yahoo .co.uk>
Date: Wed 13/01/2016 08:26
Subject: Scanned Document
    Find the attachment for the scanned Document


13 January 2016: ScannedDocs122151.xls - Current Virus total detections 7/54*
Downloads Dridex banking malware from http ://armandosofsalem .com/l9k7hg4/b4387kfd.exe (VirusTotal 3/56**)...
DO NOT follow the advice they give to enable macros or enable editing to see the content. Most of these malicious word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365:
> http://myonlinesecur...achment_id=5895
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452675230/

** https://www.virustot...sis/1452675552/

armandosofsalem .com: 192.254.189.167: https://www.virustot...67/information/

- http://blog.dynamoo....-color-mrh.html
13 Jan 2016 - "... The Hybrid Analysis* of the dropped binary shows attempted network traffic to the following domains:
exotelyxal .com
akexadyzyt .com
ekozylazal .com
These are hosted on an IP worth blocking:
158.255.6.128 (Mir Telematiki Ltd, Russia)"
* https://www.hybrid-a...environmentId=4
b4387kfd.exe
___

Fake 'Order' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
13 Jan 2016 - "An email with the subject of 'Order 0046/033777 [Ref. MARKETHILL CHURCH]' pretending to come from JOHN RUSSELL <John.Russell@ yesss .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...CH-1024x966.png

13 January 2016: Order 0046_033777 [Ref. MARKETHILL CHURCH].doc - Current Virus total detections 6/55*
MALWR** shows a download from http ://amyzingbooks .com/l9k7hg4/b4387kfd.exe which will be a Dridex banking malware (VirusTotal 2/55***). This site was used in earlier Dridex downloads today but -different- versions were offered... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452694400/

** https://malwr.com/su...mQ4YTdhOWY2NDA/

*** https://www.virustot...sis/1452695776/
TCP connections
85.25.200.103: https://www.virustot...03/information/

- http://blog.dynamoo....033777-ref.html
13 Jan 2016 - "... This binary has a detection rate of 4/53*. The Hybrid Analysis** shows the malware phoning home to:
85.25.200.103 (PlusServer AG, Germany)
I recommend that you -block- traffic to that IP."
* https://www.virustot...sis/1452699929/

** https://www.hybrid-a...environmentId=1
 



Edited by AplusWebMaster, 13 January 2016 - 10:33 AM.




#1631 AplusWebMaster


Posted 14 January 2016 - 06:17 AM

FYI...

Fake 'scanner' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
14 Jan 2016 - "An empty or blank email with the subject of 'Message from local network scanner' pretending to come from jpaoscanner at your own email domain with a malicious word doc attachment is another one from the current bot runs... The attachments to these are named Scann16011310150.docf . Note the F after the doc, which effectively makes them useless because Windows doesn't know what to do with them and asks you. They will open in Word, if you tell them to, and do contain a malicious macro that will infect you.
Update: a second batch a few minutes after the first run now has a proper word doc attachment, although the body is still -blank- . The email looks like:
From: jpaoscanner@ ....co.uk
Date:Thu 14/01/2016 10:52
Subject: Message from local network scanner


Body content: EMPTY

12 January 2016: Scann16011310150.docf - Current Virus total detections 2/53*  
downloads Dridex banking malware from 199.59.58.162 :80 /~admin1/786h5g4/9787g4fr4.exe (VirusTotal 3/56**)
(reverseIT***)
12 January 2016: Scann16011310150.doc - Current Virus total detections 3/54[4]
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452768488/

** https://www.virustot...sis/1452770219/

*** https://www.reverse....environmentId=1
Contacted Hosts:
199.59.58.162: https://www.virustot...62/information/
188.138.88.14: https://www.virustot...14/information/

4] https://www.virustot...sis/1452769443/

- http://blog.dynamoo....al-network.html
14 Jan 2016 - "This -fake- document scan comes with a malicious attachment.
    From:    jpaoscanner@ victimdomain .tld
    Date:    14 January 2016 at 10:45
    Subject:    Message from local network scanner


There is no body text, and the email appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a file Scann16011310150.docf which comes in at least -five- different versions...
Hybrid Analysis shows one of the samples in action, downloading a binary from:
www .willsweb .talktalk .net/786h5g4/9787g4fr4.exe
This has a detection rate of 3/55*. That same analysis reports that it phones home to:
188.138.88.14 (PlusServer AG, France)...I strongly recommend that you -block- traffic to that IP..."
* https://www.virustot...sis/1452771350/
TCP connections
188.138.88.14: https://www.virustot...14/information/
13.107.4.50: https://www.virustot...50/information/
___

800 risk experts from 40 countries identify the top global business risks
- http://net-security....ld.php?id=19327
14 Jan 2016
> http://www.net-secur...cs-012016-1.jpg

>> http://www.net-secur...cs-012016-2.jpg
___

Evil network: 46.30.40.0/21...
- http://blog.dynamoo....te-llc-and.html
13 Jan 2016 23:23 - "... From looking around, it seemed that whoever Eurobyte rented servers to had an unhealthy interest in CryptoWall and the Angler EK. Eurobyte is a Russian hosting company, which in turn is a customer of Webzilla in the Netherlands... there are -thousands- of subdomains hosted in the 46.30.40.0/21 range, where the main domain (e.g. www) is hosted in a completely -different- location. The subdomains are then used to host malware such as the Angler Exploit Kit... What appears to be going on here is a domain shadowing attack on a massive scale[1], primarily leading victims to exploit kits. There do appear to be some genuine Russian-language sites hosted in this block. But if you don't tend to send visitors to Russian sites, I would very strongly recommend -blocking- 46.30.40.0/21 from your network... The attack is known sometimes as 'domain shadowing'... While researching this topic, I discovered that Talos had done some similar work* which also pointed a finger at Eurobyte and their very lax control over their network."
* http://blog.talosint...compromise.html
Jan 7, 2016 - "... when a provider is notified of -malicious- activity it is their responsibility to at least acknowledge the abuse and work to validate and, if legitimate, take the system offline. Webzilla did just that in our experience, but Eurobyte has not. This lack of response led Talos to make the decision to blacklist large portions of the provider's network to ensure that our customers are protected since reporting the abuse alone is not enough."

1] http://blogs.cisco.c...owing#shadowing
 



Edited by AplusWebMaster, 14 January 2016 - 04:37 PM.

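An added example of the check Dynamoo's reasoning in the 'Evil network' item implies, not code from that post: given observed DNS answers, flag subdomains that land in 46.30.40.0/21 while the apex or www host of the same domain is hosted elsewhere. The records are constructed (RFC 5737 addresses for the legitimate hosts), and the apex is taken as the last two labels, which is an assumption standing in for a public suffix list lookup.

```python
"""Domain-shadowing detector for the 46.30.40.0/21 case described above.

Added example, not from the blog. Records are constructed; the apex heuristic
(last two labels) is a simplification, a real deployment would consult the
public suffix list.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# The netblock named in the post.
SUSPECT_NET = ipaddress.ip_network("46.30.40.0/21")

# Constructed observations: (fqdn, answer). Legitimate hosts use RFC 5737 space.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("www.legit-shop.example", "198.51.100.20"),
    ("legit-shop.example", "198.51.100.20"),
    ("x7k2q.legit-shop.example", "46.30.42.17"),    # shadow subdomain
    ("p9ff1.legit-shop.example", "46.30.44.201"),   # shadow subdomain
    ("www.blog-site.example", "203.0.113.5"),
    ("mail.blog-site.example", "203.0.113.6"),      # same operator, outside the block
    ("qwe01.blog-site.example", "46.30.40.9"),      # shadow subdomain
    ("www.ru-hosted.example", "46.30.45.30"),       # apex itself in the block: a tenant
    ("shop.ru-hosted.example", "46.30.45.31"),
]


def apex_of(fqdn: str) -> str:
    """Registered domain, approximated as the last two labels (assumption)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


@dataclass(frozen=True)
class Shadow:
    fqdn: str
    ip: str
    apex: str
    apex_ips: Tuple[str, ...]


def find_shadowed(records: Iterable[Tuple[str, str]]) -> List[Shadow]:
    """Subdomains inside SUSPECT_NET whose apex/www is hosted outside it.

    Domains whose apex is itself in the block are skipped (genuine tenants), as
    are domains for which no apex/www answer was observed (cannot decide).
    """
    by_apex: Dict[str, List[Tuple[str, ipaddress._BaseAddress]]] = defaultdict(list)
    for fqdn, ip in records:
        by_apex[apex_of(fqdn)].append((fqdn.lower(), ipaddress.ip_address(ip)))

    out: List[Shadow] = []
    for apex, hosts in by_apex.items():
        anchors = (apex, "www." + apex)
        apex_ips = tuple(sorted({str(ip) for f, ip in hosts if f in anchors}))
        if not apex_ips:
            continue  # no apex observation, cannot compare
        if any(ipaddress.ip_address(a) in SUSPECT_NET for a in apex_ips):
            continue  # whole domain lives in the block: a real customer, not shadowing
        for f, ip in hosts:
            if f not in anchors and ip in SUSPECT_NET:
                out.append(Shadow(f, str(ip), apex, apex_ips))
    return out


def apexes_with_shadows(shadows: Iterable[Shadow]) -> Set[str]:
    """Distinct registered domains that have at least one shadow subdomain."""
    return {s.apex for s in shadows}


if __name__ == "__main__":
    found = find_shadowed(SAMPLE_RECORDS)
    for s in found:
        print(f"{s.fqdn} -> {s.ip} (apex {s.apex} at {', '.join(s.apex_ips)})")
    print(f"{len(found)} shadow hosts across {len(apexes_with_shadows(found))} domains")
```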


#1632 AplusWebMaster


Posted 15 January 2016 - 07:53 AM

FYI...

Fake 'order #7738326' SPAM - malicious attachment
- http://blog.dynamoo....38326-from.html
15 Jan 2016 - "This -fake- financial spam does not come from The Safety Supply Company but is instead a simple -forgery- with a malicious attachment:
    From:    Orders - TSSC [Orders@ thesafetysupplycompany .co.uk]
    Date:    15 January 2016 at 09:06
    Subject:    Your order #7738326 From The Safety Supply Company
    Dear Customerl
    Thank you for your recent purchase.
    Please find the details of your order through The Safety Supply Company attached to this email.
    Regards,
    The Sales Team


So far I have seen just a single sample, with an attachment Order.doc which has a VirusTotal detection rate of 4/55*... likely to be the Dridex banking trojan. This Hybrid Analysis** on the first sample shows it downloading from:
149.156.208.41 /~s159928/786585d/08g7g6r56r.exe
That download IP belongs to Academic Computer Centre CYFRONET AGH, Poland. This executable also seems to communicate with:
216.117.130.191 (Advanced Internet Technologies Inc., US)
41.38.18.230 (TE Data, Egypt)
5.9.37.137 (Hetzner, Germany)
I have now seen another version of the DOC file [VT 4/54***] which has similar characteristics[4]... This related spam run gives some additional download locations:
nasha-pasika .lviv .ua/786585d/08g7g6r56r.exe
arm .tv/786585d/08g7g6r56r.exe
Sources also tell me that there is one at:
204.197.242.166 /~topbun1/786585d/08g7g6r56r.exe
Recommended blocklist:
"
* https://www.virustot...sis/1452849120/

** https://www.hybrid-a...environmentId=1

*** https://www.virustot...sis/1452849706/

4] https://www.hybrid-a...environmentId=1

- http://myonlinesecur...dsheet-malware/
15 Jan 2016 - "An email with the subject of 'Your order #7738326 From The Safety Supply Company' pretending to come from 'Orders – TSSC' <Orders@ thesafetysupplycompany .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Orders – TSSC <Orders@ thesafetysupplycompany .co.uk>
Date: Fri 15/01/2016 09:20
Subject: Your order #7738326 From The Safety Supply Company
    Dear Customerl
    Thank you for your recent purchase.
    Please find the details of your order through The Safety Supply Company attached to this email.
    Regards,
    The Sales Team


15 January 2016: Order.doc - Current Virus total detections 4/54*
downloads Dridex banking malware from 149.156.208.41 /~s159928/786585d/08g7g6r56r.exe (VirusTotal 2/53**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1452851905/

** https://www.virustot...sis/1452851228/
___

SPAM with damaged or broken office doc or XLS attachments
- http://myonlinesecur...xls-attachment/
15 Jan 2016 - "The Dridex bots are still not having a good day today. The -3rd- malformed/damaged/broken malspam is an email with the subject of 'Statement' pretending to come from Kelly Pollard <kelly.pollard@ carecorner .co.uk> with a -damaged- attachment that is supposed to be a malicious word doc or XLS spreadsheet attachment... Some malformed or misconfigured email servers might attempt to fix the broken email and actually deliver a working copy.
The damaged/broken attachment has a name something like Statement 012016.doc
Downloading this one from quarantine on my server gives what looks like a genuine word doc, unlike the earlier ones. VirusTotal Detections 7/55* which will attempt to download Dridex banking malware... (waiting for analysis) please check back later..."
* https://www.virustot...sis/1452864034/
Statement 012016.doc

- http://blog.dynamoo....ment-kelly.html
15 Jan 2016 - "This fake financial spam is meant to have a malicious attachment, but it is corrupt:
    From     Kelly Pollard [kelly.pollard@ carecorner .co.uk]
    Date     Fri, 15 Jan 2016 13:56:01 +0200
    Subject     Statement
    Your report is attached in DOC format.
    Kelly Pollard
    Marketing Manager ...


The attachment is named Statement 012016.doc but due to an error in the email it is corrupt, and is either zero length or will produce garbage. If it were to work, it would produce a payload similar to that found here* and here**, namely the Dridex banking trojan. This is the -third- corrupt Dridex run today..."
* http://blog.dynamoo....ge-from-mx.html
15 Jan 2015
** http://blog.dynamoo....eservation.html
15 Jan 2015
 



Edited by AplusWebMaster, 15 January 2016 - 10:16 AM.



#1633 AplusWebMaster


Posted 18 January 2016 - 07:04 AM

FYI...

Fake 'Invoice January' SPAM - malicious attachment
- http://blog.dynamoo....uary-baird.html
18 Jan 2016 - "This -fake- financial spam does not come from J. Thomson Colour Printers but is instead a simple -forgery- with a malicious attachment.
    From     "A . Baird" [ABaird@ jtcp .co.uk]
    Date     Mon, 18 Jan 2016 16:17:20 +0530
    Subject     Invoice January
    Hi,
    We have been paid for much later invoices but still have the attached invoice as
    outstanding.
    Can you please confirm it is on your system and not under query.
    Regards
      Alastair Baird
      Financial Controller ...


Because the email has an error in it, the attachment cannot be downloaded or will appear to be corrupt. This follows on from a similar bunch of corrupt spam messages on Friday... The payload is meant to be the Dridex banking trojan...
UPDATE: A source (thank you!) tells me that the various versions of the document should download a binary from one of the following locations:
emirelo .com/786585d/08g7g6r56r.exe
esecon .com.br/786585d/08g7g6r56r.exe
outago .com/786585d/08g7g6r56r.exe
This binary has an MD5 of 971b9f7a200cff489ee38011836f5240 and a VirusTotal detection rate of 3/54*. The same source identifies the following C2 servers which are worth blocking:
192.232.204.53 (WebSiteWelcome, US)
110.77.142.156 (CAT BB Net, Thailand)
216.117.130.191 (Advanced Internet Technologies Inc, US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
Recommended blocklist:
192.232.204.53
110.77.142.156
216.117.130.191
202.69.40.173
"
* https://www.virustot...c4bcf/analysis/
TCP connections
192.232.204.53: https://www.virustot...53/information/
13.107.4.50: https://www.virustot...50/information/

- http://myonlinesecur...xls-attachment/
18 Jan 2016 - "The Dridex bots are -still- not having a good day today. On Friday they sent -3- different malformed/damaged/broken malspams. Today, the first damaged/malformed broken one is an email with the subject of 'Invoice January' pretending to come from A . Baird <ABaird@ jtcp .co.uk> with a -damaged- attachment that is supposed to be a malicious word doc or XLS spreadsheet attachment... The -damaged/broken- attachment has a name something like INV-IN174074-2016-386.doc
Downloading this one from quarantine on my server gives what looks like a genuine word doc..
VirusTotal Detections 5/55* which will attempt to download Dridex banking malware from
[emirelo .com/786585d/08g7g6r56r.exe] (VirusTotal 3/54**)  Payload Security /Reversit Analysis***
The email looks like:
From: A . Baird <ABaird@ jtcp .co.uk>
Date: Mon 18/01/2016 09:45
Subject: Invoice January
    Hi,
    We have been paid for much later invoices but still have the attached invoice as outstanding.
    Can you please confirm it is on your system and not under query.
    Regards
    Alastair Baird
    Financial Controller ...


This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run -will- infect you. Modern versions of Microsoft Office, that is Office 2010, 2013, 2016 and Office 365, should be automatically set to higher security to protect you...
By default protected view is enabled and macros are disabled, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you...
DO NOT follow the advice they give to enable macros or enable editing to see the content..."
* https://www.virustot...sis/1453114324/

** https://www.virustot...sis/1453115492/
192.232.204.53: https://www.virustot...53/information/
13.107.4.50: https://www.virustot...50/information/

*** https://www.reverse....environmentId=1
Contacted Hosts
194.24.228.5: https://www.virustot....5/information/
192.232.204.53: https://www.virustot...53/information/
___

Fake 'Statements' SPAM - malicious attachment
- http://blog.dynamoo....nts-alison.html
18 Jan 2016 - "This -fake- financial email does not come from J Thomson Colour Printers but is instead a simple forgery with a malicious attachment.
    From     Alison Smith [ASmith@ jtcp .co.uk]
    Date     Mon, 18 Jan 2016 18:27:36 +0530
    Subject     Statements
    Sent 12 JAN 16 15:36
    J Thomson Colour Printers
    14 Carnoustie Place
    Glasgow
    G5 8PB ...


Attached is a file S-STA-SBP CRE (0036).xls which is actually -corrupt- due to a monumental failure by the bad guys. The payload is meant to be the Dridex banking trojan, but since -Friday- the attachments have been messed up and will either appear to be garbage or zero length. The payload itself should look similar to this one*, also spoofing the same company."
* http://blog.dynamoo....uary-baird.html

- http://myonlinesecur...xls-attachment/
18 Jan 2016 - "...  damaged/broken attachment has a name something like S-STA-SBP CRE (0036).xls ... it would if fixed, download -Dridex- from the same locations as today’s earlier malspam runs..."
___

LastPass - Phish...
- https://www.seancass...e/lostpass.html
2016-01-18 - "... discovered a -phishing- attack against LastPass that allows an attacker to steal a LastPass user's email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass. I call this attack 'LostPass'... Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well:
> https://www.seancass...tpass_login.png
...
> https://www.seancass...astpass_2fa.png
... Here's an image of LastPass and LostPass for Firefox on Windows 8 side-by-side. Which one is which?:
> https://www.seancass...ass_firefox.png "
 



Edited by AplusWebMaster, 18 January 2016 - 09:41 AM.



#1634 AplusWebMaster


Posted 19 January 2016 - 08:20 AM

FYI...

Fake 'Insurance' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
19 Jan 2016 - "The Dridex bots are still having problems again today. Their latest attempt is an email with the subject of 'Thank you for purchasing from Cheaper Travel Insurance – 14068156' pretending to come from info87@ Resellers.insureandgo .com (the info number is random) with a malicious word doc attachment is another one from the current bot runs... While they appear to have fixed the malware attachments, they instead have introduced a new bug and are sending broken emails with -garbled- content... when corrected it will look something like this:

Screenshot: http://myonlinesecur...APER-TRAVEL.png

19 January 2016: 14068156.doc - Current Virus total detections 4/55*
[MALWR**] attempts to download Dridex banking malware from
http :// www .cnbhgy .com/786585d/08g7g6r56r.exe but seems to be having problems and timing out... Update: it eventually downloaded (VirusTotal 2/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453193244/

** https://malwr.com/an...mQ1MDFjYmNiNDc/
123.1.157.76
216.59.16.175
13.107.4.50


*** https://www.virustot...sis/1453194356/
TCP connections
216.59.16.175
8.254.218.14


- http://blog.dynamoo....purchasing.html
19 Jan 2016 - "This -fake- financial spam comes with a malicious attachment:

Header screenshot: http://www.insureand...aper_header.jpg
Your policy number: MF/CP/205121/14068156
Dear customer, Thank you for buying your travel insurance from Cheaper.
Your policy documents are attached.
Date: 18/01/2016
Amount: £849.29
Quote number: 21272810
Policy number: MF/CP/205121/14068156 ...


The sender appears to be from info[some-random-number]@ Resellers.insureandgo .com, but it is just a simple forgery. Attached is a malicious Word document that I have seen -five- different versions... download locations as:
www .cnbhgy .com/786585d/08g7g6r56r.exe
seaclocks .co .uk/786585d/08g7g6r56r.exe
mosaicambrosia .com/786585d/08g7g6r56r.exe
This has a VirusTotal result of 3/54*.... combined with this Hybrid Analysis** show traffic to:
216.59.16.175 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)
195.96.228.199 (Bulgarian Academy Of Sciences, Bulgaria)
200.57.183.176 (Triara.com, S.A. de C.V., Mexico)
62.109.133.248 (Ignum s.r.o, Czech Republic)
103.23.154.184 (Ozhosting.com Pty Ltd, Australia)
41.38.18.230 (TE Data, Egypt)
202.137.31.219 (Linknet, Indonesia)
176.53.0.103 (Network Devices, Turkey)
The payload is the Dridex banking trojan, and this activity is consistent with the botnet 220 campaign...
Recommended blocklist:


* https://www.virustot...sis/1453194985/
TCP connections
216.59.16.175
8.254.218.14


** https://www.hybrid-a...environmentId=4
___

Fake 'Payment overdue' SPAM -  malicious attachment
- http://blog.dynamoo....nt-overdue.html
19 Jan 2016 - "This -fake- financial spam does not come from the Daily Mail, but is instead a simple -forgery- with a malicious attachment:
    From     Raashida Sufi [Raashida.Sufii@ dmgmedia .co.uk]
    Date     Tue, 19 Jan 2016 11:40:37 +0300
    Subject     Daily Mail - Payment overdue
    Hi,
    I have currently taken over from my colleague Jenine so will be your new POC going
    forward.
    I have attached an invoice that is currently overdue for £360.00. Kindly email me
    payment confirmation today so we can bring your account up to date?
    Kind Regards
    Rash Sufi ...


I have seen -three- different versions of the malicious attachment Invoice.doc (VirusTotal results 4/53[1]...). The Malwr analysis of these documents [4]... shows that the payload is identical to the Dridex banking trojan described here*."
1] https://www.virustot...sis/1453197760/

4] https://malwr.com/an...WI0MGM2ODM3ZGY/
23.229.242.73
216.59.16.175
13.107.4.50


* http://blog.dynamoo....purchasing.html

- http://myonlinesecur...rd-doc-malware/
19 Jan 2016 - "... an email with the subject of 'Daily Mail – Payment overdue'... with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...ue-1024x775.png

19 January 2016: Invoice.doc - Current Virus total detections 4/53*
This will download Dridex banking malware [ http :// www .cnbhgy .com/786585d/08g7g6r56r.exe ] which is the same location and malware as today’s earlier malspam run**..."
* https://www.virustot...sis/1453195633/

** http://myonlinesecur...rd-doc-malware/
___

Fake 'Remittance Advice' SPAM - malicious attachment
- http://blog.dynamoo....e-1b859e37.html
19 Jan 2016 - "This -fake- financial spam does not come from Bellingham + Stanley but is instead a simple -forgery- with a malicious attachment. Reference numbers and sender names will vary.
    From:    Adeline Harrison [HarrisonAdeline20@ granjacapital .com.br]
    Date:    19 January 2016 at 09:45
    Subject:    Remittance Advice 1B859E37
    For the attention of Accounts Receivable,
    We are attaching an up to date remittance advice detailing the latest payment on your account.
    Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.
    Kind regards,
    Adeline Harrison ...


I have seen at least -four- different variations of the attachment, named in the format remittance_advice14DDA974.doc ... Malwr reports... show those samples communicating with:
http :// 179.60.144.19/victor/onopko.php
http :// 5.34.183.127/victor/onopko.php
Those IPs are:
179.60.144.19 (Veraton Projects, Netherlands)
5.34.183.127 (ITL Company, Ukraine)
UPDATE 1:  this related spam run also downloads from:
91.223.88.206/victor/onopko.php
This is allocated to "Private Person Anton Malyi" in Ukraine. A file aarab.exe is dropped... [VT 4/53*] which appears to communicate** with:
198.50.234.211 (OVH, Canada)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan, this attack is consistent with botnet 120.
UPDATE 2: This other Dridex 120 spam run[1] uses different download locations:
46.17.100.209 /aleksei/smertin.php
31.131.20.217 /aleksei/smertin.php
The dropped "aarab.exe" file is also different... and a detection rate of just 2/54***.
Recommended blocklist:
"
* https://www.virustot...sis/1453202263/

** https://malwr.com/an...TcxZmNhYjNkNjk/
198.50.234.211
13.107.4.50


1] http://blog.dynamoo....advice-for.html

*** https://www.virustot...sis/1453211427/

- http://myonlinesecur...rd-doc-malware/
19 Jan 2016 - "Dridex is definitely back with a vengeance today. The latest one of a long line is an email with the subject of 'Remittance Advice For Invoice 04050722' from C-Tech (random numbers) pretending to come from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Carey Lucas <LucasCarey44@ search4what .com>
Date: Tue 19/01/2016 09:41
Subject: Remittance Advice For Invoice 04050722 From C-Tech
    Dear Accounts
    Please find attached our current remittance advice.
    Kind Regards
    Carey Lucas MAAT
    Accounts Assistant ...


19 January 2016: C-Tech Remittance04050722.doc - Current Virus total detections 3/55*
downloads an -updated- Dridex banking malware from the ones described in this earlier run** from
 http :// 46.17.100.209 /aleksei/smertin.php or http :// 31.131.20.217 /aleksei/smertin.php (VirusTotal 2/54***)
Each attempt at download seems to give me a -different- named file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453211898/

** http://myonlinesecur...dsheet-malware/

*** https://www.virustot...sis/1453211427/
aarab.exe

46.17.100.209: https://www.virustot...09/information/

31.131.20.217: https://www.virustot...17/information/
___

Twitter is back up ...
- http://www.theinquir...er-major-outage
Jan 19 2016 - "... Twitter was down for a decent time this morning. Long enough for people to start noticing and complaining about it on things like Facebook and in person... Twitter's status page*, which is presented through Yahoo's Tumblr, shows a trio of recent incidents..."
* http://twitterstatus.tumblr.com/
___

2016 Cisco Annual Security Report
- http://blogs.cisco.c...security-report
Jan 19, 2016 - "Our just-released 2016 Cisco Annual Security Report (ASR*) presents a challenging cybersecurity landscape: cyber defense teams are fighting to keep up with rapid global digitization while trying to integrate dozens of vendor solutions, speed up detection, and educate their organizations from top to bottom... attackers grow more bold, flexible, and resilient by the day, setting up professional infrastructures that look a lot like what we’d find in legitimate businesses. On the global front, we see fluctuations in cyber Internet governance across regions, which inhibits collaboration and the ability to respond to attacks... This year’s ASR reveals that attackers increasingly use legitimate online resources to launch their malicious campaigns. Though the news might speak to zero-day attacks, hackers also continue to deploy age-old malware to take advantage of weak spots such as unpatched servers. Aging infrastructure opens up green-field attack surfaces while uneven or inconsistent security practices remain a challenge... Other key insights from the 2016 ASR include a growing encryption trend (particularly HTTPS) for web traffic, which often provides a false sense of security to users—and for companies, potentially cloaks suspicious activity. We are also seeing more use of compromised WordPress servers to support ransomware, bank fraud, and phishing attacks. Alarmingly, between February and October 2015, the number of compromised WordPress installations used by cybercriminals grew by more than 221%... Increased attention, measurable results, added resilience, and focusing on what we can control are all possible now – so let’s capitalize on the moment before it’s too late."
(More detail at the cisco URL above.)
* http://www.cisco.com...yCode=001031952
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 19 January 2016 - 03:26 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1635 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 20 January 2016 - 05:37 AM

FYI...

 

The 25 worst passwords of 2015
- https://nakedsecurit...-make-the-list/
20 Jan 2016
> https://sophosnews.f...d-rank-list.png
___
 

Fake 'Tax Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
20 Jan 2016 - "The Dridex bots seem to have fixed their problems with this email pretending to be a tax invoice with the subject of 'Tax Invoice IN092649' pretending to come from Karin Edwards <karin.edwards@ batonlockuk .com> with a malicious word doc or Excel XLS spreadsheet attachment which downloads Dridex banking Trojan/Malware... The email looks like:
From: Baton Lock Ltd <karin.edwards@ batonlockuk .com>
Date:Wed 20/01/2016 10:36
Subject: Tax Invoice IN092649
    Tax Invoice IN092649 from Baton Lock Ltd.
    Best Regards
    Karin Edwards
    Baton Lock Ltd


20 January 2016: Tax Invoice IN092649.DOC - Current Virus total detections 3/54*
Downloads Dridex banking malware... [I expect it to be the same locations as this earlier run[1] and will update if there is any difference]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453285912/

1] http://myonlinesecur...xls-attachment/

- http://blog.dynamoo....2649-karin.html
20 Jan 2016 - "This -fake- financial spam is not from Baton Lock Ltd but is instead a simple -forgery- with a malicious attachment.
    From:    Karin Edwards [karin.edwards@ batonlockuk .com]
    Date:    20 January 2016 at 09:34
    Subject:    Tax Invoice IN092649
    Tax Invoice IN092649 from Baton Lock Ltd.
    Best Regards
    Karin Edwards
    Baton Lock Ltd


Attached is a file Tax Invoice IN092649.DOC which comes in at least two different versions (VirusTotal results [1] [2]) which according to these Malwr reports [3] [4] downloads from:
www .lassethoresen .com/98jh6d5/89hg56fd.exe
www .helios .vn/98jh6d5/89hg56fd.exe
The dropped file is Dridex, the same as used in this campaign*."
* http://blog.dynamoo....on-its-way.html

1] https://www.virustot...sis/1453286684/

2] https://www.virustot...sis/1453286698/

3] https://malwr.com/an...WRjMmMwM2MyNTE/
198.173.254.216
37.49.223.235
62.221.68.80
216.224.175.92
13.107.4.50


4] https://malwr.com/an...jI3NDgzZTNiOGY/
103.28.38.14
216.224.175.92
13.107.4.50

___

Fake 'Invoice / Credit Note' SPAM - malicious attachment
- http://blog.dynamoo....redit-note.html
20 Jan 2016 - "This -fake- financial spam is not from Express Newspapers but is instead a simple -forgery- with a malicious attachment:
    From:    georgina.kyriacoumilner@ express .co.uk
    Reply-To:    hannah.johns@ express .co.uk
    Date:    20 January 2016 at 14:28
    Subject:    Invoice / Credit Note Express Newspapers (S174900)
    Please find attached Invoice(s) / Credit Note(s) from Express Newspapers...
    N.B. Please do not reply to this email address as it is not checked.
    Kind Regards,
    Express Newspapers...


Attached is a file S174900.DOC which comes in at least three different versions... and the Malwr reports for those... shows the following download locations:
www .helios .vn/98jh6d5/89hg56fd.exe [404 error]
202.191.112.60 /~n02022-1/98jh6d5/89hg56fd.exe
www .lassethoresen .com/98jh6d5/89hg56fd.exe
These are the same locations as seen here*, but now the payload has -changed- ... and a detection rate of 1/54**. The malware still phones home to
216.224.175.92 (SoftCom America Inc, US) which I recommend you -block-"
* http://blog.dynamoo....on-its-way.html

** https://www.virustot...sis/1453307125/
TCP connections
216.224.175.92
13.107.4.50


- http://myonlinesecur...-macro-malware/
20 Jan 2016 - "... an email that pretends to be an invoice/credit note from express newspapers with the subject of 'Invoice / Credit Note Express Newspapers (S174900)' pretending to come from georgina.kyriacoumilner@ express .co.uk with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...00-1024x609.png

20 January 2016: S174900.DOC - Current Virus total detections 1/53*
Downloads Dridex from www .lassethoresen .com/98jh6d5/89hg56fd.exe and I am sure other versions of this attachment will download from all the other Dridex locations today** ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453306851/

** http://myonlinesecur...rd-doc-malware/
___

Fake 'Letter-response' SPAM - malicious attachment
- http://blog.dynamoo....205-letter.html
20 Jan 2016 - "...  this -fake- financial email isn't from Tim or Plan4Print (aka Excel Colour Print) at all, but is a simple -forgery- with a malicious attachment.
    From     Tim Speed [Tim@ plan4print .co.uk]
    Date     Wed, 20 Jan 2016 14:33:24 +0300
    Subject     Emailing: 120205 Letter-response A3 2-2
    Hi
    Please find estimate attached for Letter-response A3 2-2
    Kind regards
    Tim Speed
    Estimator / Account Handler ..


Attached is a file 120205 Letter-response A3 2-2.doc of which I have seen just a single sample, with a VirusTotal result of 3/54*. The Malwr report** shows it downloading from:
www .lassethoresen .com/98jh6d5/89hg56fd.exe
This is the same malicious binary as used in this earlier attack***. The payload is the Dridex banking trojan."
* https://www.virustot...sis/1453293437/

** https://malwr.com/an...zc5Y2UyYjFiMjc/
198.173.254.216
216.224.175.92
8.253.44.158


*** http://blog.dynamoo....on-its-way.html

- http://myonlinesecur...rd-doc-malware/
20 Jan 2016 - "... an email with the subject of 'Emailing: 120205 Letter-response A3 2-2' pretending to come from Tim Speed <Tim@plan4print .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...-2-1024x676.png

20 January 2016: 120205 Letter-response A3 2-2.doc - Current Virus total detections 3/54*
Downloads an -updated- Dridex version from today’s earlier ones from http ://www.helios .vn/98jh6d5/89hg56fd.exe (VirusTotal 1/54**). I am sure all the other same locations*** will also be used in different versions of this attachment..."

* https://www.virustot...sis/1453296447/

** https://www.virustot...sis/1453296242/
TCP connections
216.224.175.92: https://www.virustot...92/information/
13.107.4.50: https://www.virustot...50/information/

*** http://myonlinesecur...xls-attachment/
___

Fake 'Order Confirmation' SPAM - doc/xls attachment
- http://myonlinesecur...xls-attachment/
20 Jan 2016 - "The Dridex bots are back to having another bad day. Over the last few days they have sent numerous different malformed/damaged/broken malspams. Today, the first one is a damaged/malformed/broken email with the subject of 'Emailed Order Confirmation – 94602:1' pretending to come from DANE THORNTON <dane@ direct-electrical .com> with a damaged attachment that is supposed to be a malicious word doc or XLS spreadsheet attachment... The damaged/broken attachment has a name something like Order_94602~1.doc . It would, if fixed, download Dridex. The email looks like:
From: DANE THORNTON <dane@ direct-electrical .com>
Date: Wed 20/01/2016 08:55
Subject: Emailed Order Confirmation – 94602:1
DANE THORNTON


This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

- http://blog.dynamoo....iled-order.html
20 Jan 2016 - "This -fake- financial spam is meant to have a malicious attachment.
    From     "DANE THORNTON" [dane@ direct-electrical .com]
    Date     Wed, 20 Jan 2016 16:31:21 +0800
    Subject     Emailed Order Confirmation - 94602:1
    --
    DANE THORNTON


Attached is a file Order_94602~1.doc which in all the samples I have seen has been attached incorrectly to the email, and it will either appear to be zero length or garbage. The payload is meant to be the Dridex banking trojan, but this is the latest of several incidents lately where the bad guys have screwed up..."
___

MSN - More Malware via Malvertising
- https://blog.malware...a-malvertising/
Jan 19, 2015 - "Malvertisers are once again abusing ad technology platform AdSpirit and exposing visitors of the MSN homepage to malware. These attacks appeared to have been primarily focused on German users via an ad for Lidl, one of Germany’s leading supermarkets. This is not the first time we have caught malvertising on MSN or via AdSpirit. Each time, we spot telltale signs of suspicious activity with advertiser domains freshly created a few days prior to the attack or hiding behind the CloudFlare service.
Perhaps the only surprise here was to find -different- exploit kits than the usual Angler EK to carry out the execution to the malware payload. In two separate incidents, we observed the RIG and Neutrino exploit kits... While we did not collect the payload in these specific attacks, other similar captures of RIG during the same time frame show that -CryptoWall-ransomware- was downloaded onto vulnerable machines:
> https://blog.malware..._Cryptowall.png
We immediately notified AdSpirit about those incidents which were confirmed and addressed promptly. AppNexus also deactivated the offending ad objects and will be doing a further review about these attacks. To prevent these malvertising infections please ensure that your computer is up-to-date and that you are running the right security tools to mitigate those attacks..."
___

Trojan for Linux takes screenshots
- https://news.drweb.c...&c=5&lng=en&p=0
Jan 19, 2016 - "Malware for Linux becomes more and more diverse. Among them are spyware programs, ransomware, and Trojans designed to carry out DDoS attacks. Doctor Web security researchers examined yet another cybercriminals’ creation dubbed Linux.Ekoms.1. This Trojan can periodically take screenshots and download different files to a compromised machine. Once launched, Linux.Ekoms.1 checks whether one of the subfolders in the home directory contains files with specified names. If it fails to find any, it randomly chooses a subfolder to save its own copy there. Then, the Trojan is launched from the new location. If successful, the malicious program establishes a connection to the server whose addresses are hard-coded in its body. All information transmitted between the server and Linux.Ekoms.1 is encrypted. Every 30 seconds the Trojan takes a screenshot and saves it to a temporary folder in the JPEG format. If the file is not saved, the Trojan tries to save it in the BMP format. The temporary folder is downloaded to the server in specified intervals..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 20 January 2016 - 03:14 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
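The Dridex write-ups quoted in the post above list their download locations and contacted IPs in "defanged" form (spaces inserted before dots and slashes) and recommend blocking the phone-home address. The script below is an added example, not code from the blogs or this forum: it refangs those indicators exactly as they appear above, splits them into host, IP and exact-URL sets, and then sweeps a Squid-style proxy access log for matches so an analyst can see which internal clients fetched the payload or talked to the C2. The log lines are constructed for the demonstration (they are not captures from the page); the peer IPs on the non-C2 lines are TEST-NET placeholders and the Squid native log layout is an assumption about the reader's proxy.

```python
import re
from urllib.parse import urlsplit

# Download locations and contacted IPs exactly as written (defanged) in the
# dynamoo / myonlinesecurity posts quoted above.
DEFANGED_INDICATORS = [
    "www .lassethoresen .com/98jh6d5/89hg56fd.exe",
    "www .helios .vn/98jh6d5/89hg56fd.exe",
    "202.191.112.60 /~n02022-1/98jh6d5/89hg56fd.exe",
    "216.224.175.92",   # phone-home address the dynamoo post says to block
    "198.173.254.216",
    "37.49.223.235",
    "62.221.68.80",
    "103.28.38.14",
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(indicator):
    """Undo the blogs' defanging: drop whitespace before '.' or '/' and after '@'.
    'www .helios .vn/x' -> 'www.helios.vn/x'."""
    return re.sub(r"\s+(?=[./])|(?<=@)\s+", "", indicator.strip())


def build_blocklist(indicators):
    """Split refanged indicators into host, IP and exact host+path (URL) sets."""
    hosts, ips, urls = set(), set(), set()
    for raw in indicators:
        ind = refang(raw)
        if IPV4_RE.match(ind):          # bare IP indicator
            ips.add(ind)
            continue
        host, sep, path = ind.partition("/")
        host = host.lower()
        if IPV4_RE.match(host):
            ips.add(host)               # URL whose host is an IP
        else:
            hosts.add(host)
        if sep:
            urls.add(host + "/" + path)  # stored scheme-less, as host/path
    return {"hosts": hosts, "ips": ips, "urls": urls}


# Squid native access.log layout (assumed): time elapsed client code/status
# bytes method URL user hierarchy/peer mime
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[^\s/]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Constructed sample log (not from the page); lines 2-5 reuse indicators above.
SAMPLE_LOG = """\
1453300101.512    120 10.1.2.15 TCP_MISS/200 2331 GET http://www.example.org/index.html - HIER_DIRECT/203.0.113.5 text/html
1453300145.007    980 10.1.2.15 TCP_MISS/200 287744 GET http://www.lassethoresen.com/98jh6d5/89hg56fd.exe - HIER_DIRECT/203.0.113.10 application/octet-stream
1453300150.330     45 10.1.2.15 TCP_MISS/200 312 POST http://216.224.175.92/ - HIER_DIRECT/216.224.175.92 text/html
1453300200.221     60 10.1.2.22 TCP_MISS/404 0 GET http://www.helios.vn/98jh6d5/89hg56fd.exe - HIER_DIRECT/203.0.113.20 text/html
1453300210.000     30 10.1.2.30 TCP_MISS/200 1022 GET http://www.lassethoresen.com/about.html - HIER_DIRECT/203.0.113.10 text/html
"""


def scan_proxy_log(log_text, blocklist):
    """Return one hit dict per log line that touches a listed URL, host or IP.
    An exact URL match outranks a bare host match; an IP match (URL host or
    proxy peer) is reported independently."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = SQUID_RE.match(line)
        if not m:
            continue                    # skip lines that are not Squid-shaped
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        path = parts.path or "/"
        reasons = []
        if host + path in blocklist["urls"]:
            reasons.append("url")
        elif host in blocklist["hosts"]:
            reasons.append("host")
        if host in blocklist["ips"] or m["peer"] in blocklist["ips"]:
            reasons.append("ip")
        if reasons:
            hits.append({"line": lineno, "client": m["client"],
                         "method": m["method"], "url": m["url"],
                         "status": m["result"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_INDICATORS)
    for h in scan_proxy_log(SAMPLE_LOG, bl):
        print(f"line {h['line']}: {h['client']} {h['method']} {h['url']} "
              f"[{h['status']}] matched {','.join(h['reasons'])}")
```

A 404 on the payload URL (line 4, mirroring the "[404 error]" the dynamoo post notes for helios .vn) is still worth a ticket: the client opened the macro document, so the host should be examined even though nothing was downloaded. The host-only match on line 5 is lower confidence, since the sites hosting the executable are compromised legitimate sites rather than attacker-owned domains.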
