2072 replies to this topic

[AplusWebMaster]

FYI...

Fake Facebook emails deliver malware / phish ...
- http://net-security....ews.php?id=3191
21.01.2016 - "A new spam campaign is targeting Facebook users. It uses the same approach as the recent one aimed at WhatsApp users, and Comodo researchers* believe that the authors of both campaigns are likely the same. The -fake- emails are made to look like an official communication from the popular social network, and their goal is to make the victims believe they have received a voice message..."
* https://blog.comodo....malware-attack/
Jan 21, 2016 - "... As part of a random -phishing- campaign, cybercriminals were sending -fake- emails representing the information as official WhatsApp content to spread malware when the attached “message” was clicked on. Now, researchers at the Threat Research Lab have identified a very similar phishing campaign targeted at businesses and consumers who use Facebook – most likely designed by the same cyber criminals who developed the WhatsApp malware. And just like the WhatsApps malware, the new Facebook malware tries to represent itself as an email from Facebook which states there is a new message for the recipient. The email address and sender’s name tries to brand itself as Facebook, but the sender’s email address is from different domains and not in any way related with the Facebook company... The malware in the email itself is in a .zip file, sent as an attachment. Inside the zip file there is an executable file. Upon executing the file (e.g. clicking on the attachment), the malware will automatically replicate itself into “C:\” directory and add itself into an auto-run in the computer’s registry, spreading the malware. Additionally, like the WhatsApp malware, the engineers have Comodo have also identified this new Facebook malware as a variant of the “Nivdort” malware** family... A screen grab of the -malicious- email has been captured below:
> https://blog.comodo....ads/Nivdort.png

** https://file-intelli...81d3f0dbad90efd
___

Fake '201552 ebill' SPAM - malicious attachment
- http://blog.dynamoo....invoicecom.html
21 Jan 2016 - "This -fake- financial email comes with a malicious attachment.
    From     invoices@ ebillinvoice .com
    Date     Thu, 21 Jan 2016 15:13:36 +0530
    Subject     201552 ebill
    Customer No         : 8652
    Email address       : [redacted]
    Attached file name  : 8652_201552.DOC
    Dear customer
    Please find attached your invoice for 201552.
    To manage your account online - please visit Velocity...

There are at least -three- different versions of the attachment 8652_201552.doc (VirusTotal results [1] [2] [3])
for which the Malwr reports [4] [5] [6] indicate downloads from the following locations:
phaleshop .com/8h75f56f/34qwj9kk.exe
bolmgren .com/8h75f56f/34qwj9kk.exe
return-gaming .de/8h75f56f/34qwj9kk.exe
montaj-klimat .ru/8h75f56f/34qwj9kk.exe [spotted here*]
This binary has an MD5 of f23c05c44949c6c8b05ab54fbd9cee40 and a detection rate of 2/54**. Those reports indicate that it phones home to.
216.224.175.92 (SoftCom America Inc., US)
A contact (thank you) also pointed out some other locations the malware phones home to
216.59.16.175 (Immedion LLC, US / Virtuaserver Informica Ltda, Brazil)
216.117.130.191 (Advanced Internet Technologies Inc., US)
202.69.40.173 (Gerrys Information Technology (pvt) Ltd, Pakistan)
The payload is the Dridex banking trojan, being sent by botnet 220.
Recommended blocklist:
216.224.175.92
216.59.16.175
216.117.130.191
202.69.40.173 "
1] https://www.virustot...sis/1453373816/

2] https://www.virustot...sis/1453373886/

3] https://www.virustot...sis/1453373898/

4] https://malwr.com/an...2ExNGEyMThlODk/

5] https://malwr.com/an...jNlNDQ2OTlmZjE/

6] https://malwr.com/an...GE2NDAwODY3OWU/

* http://blog.dynamoo....ntkeyscouk.html

** https://www.virustot...sis/1453374873/
TCP connections
216.224.175.92: https://www.virustot...92/information/

- http://myonlinesecur...rd-doc-malware/
21 Jan 2016 - "An email with the subject of '201552 ebill' pretending to come from invoices@ ebillinvoice .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: invoices@ ebillinvoice .com
Date: Thu 21/01/2016 09:37
Subject: 201552 ebill
    Customer No         : 8652
    Email address       : rob@ securityandprivacy .co.uk
    Attached file name : 8652_201552.DOC
    Dear customer
    Please find attached your invoice for 201552.
    To manage your account online – please visit Velocity...

21 January 2016: 8652_201552.DOC - Current Virus total detections 4/54*
... this will download Dridex banking malware from [ return-gaming .de/8h75f56f/34qwj9kk.exe ]  (VirusTotal 2/55**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453370622/

** https://www.virustot...sis/1453371930/
TCP connections
216.224.175.92: https://www.virustot...92/information/
13.107.4.50: https://www.virustot...50/information/
___

Fake 'Telephone Bill' SPAM - malicious attachment
- http://blog.dynamoo....phone-bill.html
21 Jan 2016 - "This -fake- financial spam has a malicious attachment.
    From     "The Billing Team" [noreply@ callbilling .co.uk]
    Date     Thu, 21 Jan 2016 11:44:19 +0100
    Subject     Your Telephone Bill Invoices & Reports
    Please see the attached Telephone Bill & Reports.
    Please use the contact information found on the invoice if you wish to contact your
    service provider.
    This message was sent automatically...

I have only seen a single sample of this email, with an attachment Invoice_316103_Jul_2013.doc which has a detection rate of 2/53*. The Malwr report** for that document shows a download location of:
bolmgren .com/8h75f56f/34qwj9kk.exe
That is one of the locations found with this earlier spam run***, and the payload is the Dridex banking trojan."
* https://www.virustot...sis/1453376703/

** https://malwr.com/an...GE0Y2JlZWY0Y2Q/
195.128.175.9
216.224.175.92
13.107.4.50

*** http://blog.dynamoo....invoicecom.html

- http://myonlinesecur...dsheet-malware/
21 Jan 2016 - "An email with the subject of 'Your Telephone Bill Invoices & Reports' pretending to come from The Billing Team <noreply@ callbilling .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: The Billing Team <noreply@ callbilling .co.uk>
Date: Thu 21/01/2016 10:20
Subject: Your Telephone Bill Invoices & Reports
    Please see the attached Telephone Bill & Reports.
    Please use the contact information found on the invoice if you wish to contact your service provider.
    This message was sent automatically...

21 January 2016: Invoice_316103_Jul_2013.doc - Current Virus total detections 2/54*
This will also download Dridex banking malware from
http ://return-gaming .de/8h75f56f/34qwj9kk.exe which is the -same- download site as today’s other concurrent malspam run**..."
* https://www.virustot...sis/1453371806/

** http://myonlinesecur...rd-doc-malware/
___

Fake 'Replacement Keys' SPAM - malicious attachment
- http://blog.dynamoo....ntkeyscouk.html
21 Jan 2016 - "This spam has a malicious attachment. It does not come from admin@ replacementkeys .co.uk but is instead a simple -forgery- with a malicious attachment.
    From     Replacement Keys [admin@ replacementkeys .co.uk]
    Date     Thu, 21 Jan 2016 17:15:08 +0530
    Subject     =?utf-8?B?TmV3IE9yZGVyICMgMTAwMTE0MDAw?=
    Order Received!
    We will send you another email when it has been dispatched . If you have any questions about your order please reply to this email. Your order confirmation is below. Thank you for ordering from us.
    Thank you again,
    Replacement Keys

Attached is a file INVOICEPaid_100114000.xls of which I have only seen a single variant. The VirusTotal detection rate is 4/53* and the Malwr report** indicates a download location from:
montaj-klimat .ru/8h75f56f/34qwj9kk.exe
The binary dropped is identical to the one in this earlier spam run*** and it leads to the Dridex banking trojan."
* https://www.virustot...sis/1453377591/

** https://malwr.com/an...mQ5NTU0NjcyZGY/

*** http://blog.dynamoo....invoicecom.html

- http://myonlinesecur...dsheet-malware/
21 Jan 2016 - "An email with the subject of 'New Order # 100114000' pretending to come from Replacement Keys <admin@ replacementkeys .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Replacement Keys <admin@ replacementkeys .co.uk>
Date: Thu 21/01/2016 12:21
Subject: New Order # 100114000
    Order Received!
    We will send you another email when it has been dispatched ...

21 January 2016: logmein_pro_receipt.xls - Current Virus total detections 4/52*
Downloads Dridex from http ://www .bridge-freunde-colonia .de/8h75f56f/34qwj9kk.exe (VirusTotal 1/49**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453379373/

** https://www.virustot...sis/1453382710/
___

Fake 'Healthcare' SPAM - malicious attachment
- http://blog.dynamoo....thcare-ltd.html
21 Jan 2016 - "This -fake- financial spam does not come from Gompels Healthcare Ltd but is instead a simple -forgery- with a malicious attachment.
    From:    Gompels Healthcare ltd [salesledger@ gompels .co.uk]
    Date:    21 January 2016 at 12:57
    Subject:    Gompels Healthcare Ltd Invoice
    Hello
    Please see attached pdf file for your invoice
    Thank you for your business [/i]

The attachment is named fax00375039.doc and it comes in at least two different versions (VirusTotal [1] [2]) and the Malwr reports [3] [4] show download locations from:
return-gaming .de/8h75f56f/34qwj9kk.exe
phaleshop .com/8h75f56f/34qwj9kk.exe
That marks it out as Dridex 220, similar to this spam run*. However, the executable has -changed- from earlier and now has an MD5 of 95a1e02587182abfa66fdcf921ee476e and a zero detection rate at VirusTotal**. However, the malware still phones home to the same IP of 216.224.175.92 as before."
1] https://www.virustot...sis/1453381421/

2] https://www.virustot...sis/1453381734/

3] https://malwr.com/an...jAzNTg1ZDNjNjE/
82.165.218.65
216.224.175.92
8.254.249.78

4] https://malwr.com/an...2EyZWU3M2VjNmU/
112.78.2.113
216.224.175.92
184.28.188.186

* http://blog.dynamoo....invoicecom.html

**  https://www.virustot...sis/1453381954/

216.224.175.92: https://www.virustot...92/information/

phaleshop .com: 112.78.2.113: https://www.virustot...13/information/

- http://myonlinesecur...rd-doc-malware/
21 Jan 2016 - "An email with the subject of 'Gompels Healthcare Ltd Invoice' pretending to come from Gompels Healthcare ltd <salesledger@ gompels .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Gompels Healthcare ltd <salesledger@gompels.co.uk>
Date: Thu 21/01/2016 13:12
Subject: Gompels Healthcare Ltd Invoice
Hello
Please see attached pdf file for your invoice
Thank you for your business

21 January 2016: fax00375039.DOC - Current Virus total detections 5/54*
Downloads Dridex banking malware from
http ://phaleshop .com/8h75f56f/34qwj9kk.exe which is the -same- Dridex payload as described HERE**..."
* https://www.virustot...sis/1453383052/

** http://myonlinesecur...dsheet-malware/
 

  

Edited by AplusWebMaster, 21 January 2016 - 11:18 AM.

[AplusWebMaster]

FYI...

Fake 'scanner' SPAM - malicious attachment
- http://blog.dynamoo....icaminolta.html
22 Jan 2016 - "At the moment there is a heavy spam run pushing the Dridex banking trojan, pretending to be from a multifunction device or scanner.
    Subject:    Message from KONICA_MINOLTA
    Subject:    Message from MFD
    Subject:    Message from scanner
The spam appears to come from within the victim's own domain, from one of the following email addresses:
    MFD@ victimdomain .tld
    scanner@ victimdomain .tld
    KONICA_MINOLTA@ victimdomain .tld
This is just a simple forgery. It doesn't mean that you organisation has been compromised.. it really is a very simple trick. In all cases the attachment is named SKM_4050151222162800.doc, which appears to come in -three- versions... reports... indicate executable download locations at:
www .showtown-danceband .de/ghf56sgu/0976gg.exe
ausonia-feng-shui .de/ghf56sgu/0976gg.exe
gahal .cz/ghf56sgu/0976gg.exe
This binary has a detection rate of 1/54* and that VirusTotal report plus this Malwr report** show it phoning home to:
192.241.207.251 (Digital Ocean Inc., US)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan, sent by botnet 220."
* https://www.virustot...sis/1453454938/
TCP connections
192.241.207.251: https://www.virustot...51/information/
89.149.175.18: https://www.virustot...18/information/

** https://malwr.com/an...mM5NzA0ODM2NmQ/
192.241.207.251: https://www.virustot...51/information/
8.254.207.46: https://www.virustot...46/information/

- http://myonlinesecur...rd-doc-malware/
22 Jan 2016 - "An email with the subject of 'Message from KONICA_MINOLTA' (or Message from MFD or any other scanner or printer) pretending to come from scanner@ <your email domain> on behalf of MFD@ <victim domain> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: scanner@ malware-research .co.uk; on behalf of; MFD@ malware-research .co.uk
Date: Fri 22/01/2016 08:56
Subject: Message from KONICA_MINOLTA or Message from MFD or Message from Scanner

Body content: totally empty body
22 January 2016: SKM_4050151222162800.doc - Current Virus total detections 3/54*
Downloads Dridex banking malware from http ://ausonia-feng-shui .de/ghf56sgu/0976gg.exe
(VirusTotal **). Other download locations from different versions of this maldoc attachment are: www .showtown-danceband .de/ghf56sgu/0976gg.exe and gahal .cz/ghf56sgu/0976gg.exe
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453452819/

** https://www.virustot...sis/1453453469/
TCP connections
192.241.207.251: https://www.virustot...51/information/
89.149.175.18: https://www.virustot...18/information/
___

Fake 'mathforum' SPAM - JS malware
- http://myonlinesecur...org-js-malware/
22 Jan 2016 - "An email with the subject of 'hi' coming from gshatford <gshatford@ mathforum .org> (probably -compromised- servers, that will be sending these out from multiple email addresses) with a zip attachment is another one from the current bot runs... The content of the email simply says:
    DATE:1/22/2016 7:47:24 AM

22 January 2016: yu.zip: Extracts to: invoice_SCAN_1pMVj.js - Current Virus total detections 5/53*
[MALWR**] [WEPAWET***] which downloads 80.exe (virus total 2/55[4]) from a combination of these sites memyselveandi .com/80.exe | deempheal .com/80.exe - These have previously been teslacrypt/cryptowall or similar ransomware... it definitely is a password stealer and ransomware version [MALWR[5]].
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an innocent file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1453449215/

** https://malwr.com/an...mY0MzViM2IwMDg/
51.255.10.132

*** https://wepawet.isec...3fd0932&type=js

4] https://www.virustot...sis/1453449556/
TCP connections
144.76.253.225: https://www.virustot...25/information/
182.50.147.1: https://www.virustot....1/information/

5] https://malwr.com/an...DdhNjkyZjNjOTI/
144.76.253.225
182.50.147.1
185.24.99.98
176.106.190.60
94.23.247.172
104.28.5.189
69.73.182.201
___

Fake 'tracking info' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
22 Jan 2016 - "An email with the subject of 'UKMail 988271023 tracking information' pretending to come from no-reply@ ukmail .com with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: no-reply@ ukmail .com
Date: Fri 22/01/2016 12:15
Subject: UKMail 988271023 tracking information
    UKMail Info!
    Your parcel has not been delivered to your address January 21, 2016, because nobody was at home.
    Please view the information about your parcel, print it and go to the post office to receive your package.
    Warranties
    UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service.
    Where the law prevents such exclusion and implies conditions and warranties into this contract,
    where legally permissible the liability of UKMail for breach of such condition,
    guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again.
If you don’t receive a package within 30 working days UKMail will charge you for it’s keeping.
You can find any information about the procedure and conditions of parcel keeping in the nearest post office.
Best regards,
UKMail

22 January 2016: 988271023-PRCL.xls - Current Virus total detections 4/55*
This will download Dridex banking malware from
http ://www .stijnminne .be/ghf56sgu/0976gg.exe (VirusTotal 1/54**)... Dridex malware was seen in some examples of THIS earlier malspam run***, which was malspammed out in -several- waves throughout the morning. Note: Dridex updates frequently throughout the day..."
* https://www.virustot...sis/1453464516/

** https://www.virustot...sis/1453462957/
0976gg.exe
TCP connections
192.241.207.251: https://www.virustot...51/information/
89.149.175.18: https://www.virustot...18/information/

*** http://myonlinesecur...rd-doc-malware/

- http://blog.dynamoo....3-tracking.html
22 Jan 2016 - "This -fake- delivery email is not from UKMail but is instead a simple -forgery- with a malicious attachment:

    From:    no-reply@ ukmail .com
    Date:    22 January 2016 at 12:14
    Subject:    UKMail 988271023 tracking information
    UKMail Info!
    Your parcel has not been delivered to your address January 21, 2016, because nobody was at home.
    Please view the information about your parcel, print it and go to the post office to receive your package...
    If you don't receive a package within 30 working days UKMail will charge you for it's keeping.
    You can find any information about the procedure and conditions of parcel keeping in the nearest post office.
    Best regards,
    UKMail

The attachment is named 988271023-PRCL.xls which appears to come in at least two variants (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] downloads a malicious executable from:
www .stijnminne .be/ghf56sgu/0976gg.exe
raeva .com.ua/ghf56sgu/0976gg.exe
This binary has a detection rate of 4/54*. It is the -same- payload as found in this earlier spam run**."
1] https://www.virustot...sis/1453467080/

2] https://www.virustot...sis/1453467094/

3] https://malwr.com/an...jcxNjM4MDBlZDg/
91.234.32.117
192.241.207.251
13.107.4.50

4] https://malwr.com/an...WFkN2Q5Nzc1Mjg/
195.130.132.84
192.241.207.251
184.25.56.42

* https://www.virustot...sis/1453467328/
0976gg.exe
TCP connections
192.241.207.251: https://www.virustot...51/information/
89.149.175.18: https://www.virustot...18/information/

** http://blog.dynamoo....icaminolta.html
 

  

Edited by AplusWebMaster, 22 January 2016 - 08:09 AM.

[AplusWebMaster]

FYI...

Fake 'E-mail-Account Update' SPAM – PHISH ...
- http://myonlinesecur...pdate-phishing/
24 Jan 2016 - "A slightly different -phishing- email today, that pretends to be a notice from your email provider saying that you 'need to update your email'. All the ones I have seen are addressed to different names at different email domains...

Screenshot: http://myonlinesecur...te-1024x615.png

The links behind all the links go to http ://www .clavadelriverlodge .co.za/images/upgrade/index.php?email=name@ victimdomain .com, where they have set up rather a clever attempt to get your email log in details. They already have your email address and want the -password- to go along with it.
The site does a fairly good imitation of a Cpanel page with a processing bar that gradually increases to 100%. The name on the page is dynamically created based on the email address in the referral. The phishers have gone to quite a lot of trouble and effort with this one. Luckily Internet Explorer smart filter knows about it & warns you with a bright red Address bar in your browser. Unfortunately Chrome & Firefox haven’t caught up yet:
> http://myonlinesecur...ge-1024x599.png

... Watch for -any- site that invites you to enter ANY personal, log in or financial information... All of these emails use Social engineering tricks to persuade you to open the -attachments- or follow the -links- that come with the email..."

clavadelriverlodge .co.za: 192.185.174.108: https://www.virustot...08/information/
 

  

Edited by AplusWebMaster, 24 January 2016 - 07:37 AM.

[AplusWebMaster]

FYI...

Fake 'Direct Debit' SPAM - doc/xls malware
- http://myonlinesecur...rd-doc-malware/
25 Jan 2016 - "... mass Dridex malspams. The first is an email with random  subject of 'Direct Debit Mandate' from [random companies] pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Ezekiel Holcomb <HolcombEzekiel7086@ acttv .in>
Date: Mon 25/01/2016 09:10
Subject: Direct Debit Mandate from Thames Water Authority
    Good morning
    Please attached Direct Debit Mandate from Thames Water Authority;
    complete, sign and scan return at your earliest convenience.
    Kind regards,
    Ezekiel Holcomb
    TEAM SUPPORT
    Thames Water Authority ...

25 January 2016 : SharpC1889@acttv.in_4430446.doc - Current Virus total detections 3/52*
MALWR** shows it downloads Dridex from http ://109.234.35.80 /konfetka/roschen.php which gave me a file named mancity.exe (VirusTotal ***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453712908/

** https://malwr.com/an...DljYTIyMjUzMDM/
109.234.35.80

*** https://www.virustot...sis/1453713995/

109.234.35.80: https://www.virustot...80/information/
___

Fake 'Order PO' SPAM - malware
- http://myonlinesecur...000731-malware/
25 Jan 2016 - "An email with the subject of Order PO # 10000731' pretending to come from Parkcom Co.ltd <simpark@ parkcom .co.kr> with a zip attachment is another one from the current bot runs... The email looks like:
From: Parkcom Co.ltd <simpark@ parkcom .co.kr>
Date: Mon 25/01/2016 03:39
Subject: Order PO # 10000731
Attachment:  PO _ 10000731.zip
Body content:
    Dear Customer,
    Find attached our purchase order. Kindly quote us best price and send us proforma invoice asap, so that we can proceed with the necessary payment,We need this Order urgently. kindly confirm the PO and send PI asap.
    Thank you.
    Ms. Sim Park ...

Todays Date: PO _ 10000731.zip: Extracts to: PO # 10000731.exe - Current Virus total detections 9/54*
I don’t actually know what this one does. The detections are all generic detections. MALWR crashed.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1453717414/
TCP connections
23.206.38.87: https://www.virustot...87/information/
 

  

Edited by AplusWebMaster, 25 January 2016 - 02:13 PM.

[AplusWebMaster]

FYI...

Payment data security - at risk...
- http://net-security....ld.php?id=19369
26 Jan 2016 - "With acceptance of mobile and other new forms of payments expected to double in the next two years, a new global study shows a critical need for organizations to improve their payment data security practices. This is according to a recent survey of more than 3,700 IT security practitioners from more than a dozen major industry sectors conducted by the Ponemon Institute for Gemalto*... 54% of those surveyed said their company had a security or data breach involving payment data, four times in past two years in average. This is not surprising given the security investments, practices and procedures highlighted by the surveyed respondents:
- 55% said they did -not- know where all their payment data is stored or located.
- Ownership for payment data security is -not- centralized with 28% of respondents saying responsibility is with the CIO, 26% saying it is with the business unit, 19% with the compliance department, 15% with the CISO, and 14% with other departments.
- 54% said that payment data security is -not- a top five security priority for their company with only one third (31%) feeling their company allocates enough resources to protecting payment data.
- 59% said their company -permits- third party access to payment data and of these only 34% utilize multi-factor authentication to secure access.
- Less than half of respondents (44%) said their companies use end-to-end encryption to protect payment data from the point of sale to when it is stored and/or sent to the financial institution.
- 74% said their companies are either -not- PCI DSS compliant or are only partially compliant.
...  the study found that nearly three quarters (72%) of those surveyed believe these new payment methods are putting payment data at risk and 54% do not believe or are unsure their organization’s existing security protocols are capable of supporting these platforms..."

* http://blog.gemalto....obile-payments/
26 Jan 2016
___

Fake 'Refund' SPAM - JS malware
- http://myonlinesecur...hen-js-malware/
26 Jan 2016 - "Another run of Nemucod downloaders today starting with an email with the subject of 'Refund for the Purchase' – Kevin Cohen [random names] pretending to come from random senders and random email addresses with a zip attachment is another one from the current bot runs... The email looks like:
From: Kevin Cohen <fonenzo@ teletu .it>
Date: Tue 26/01/2016 06:21
Subject: Refund for the Purchase – Kevin Cohen.
Attachment: Kevin Cohen.zip
    We are sorry to tell you, however, the item you have purchased is not available at the moment. In the file enclosed you can see the details about the refund policy.

26 January 2016: Kevin Cohen.zip - Extracts to: Kevin Cohen.js - Current Virus total detections 6/55*  
which WEPAWET** shows us downloads 3 files
http ://dertinyanl .com/img/script.php?tup1.jpg which is renamed to 3330263.exe (VirusTotal 4/54[3])
http ://dertinyanl .com/img/script.php?tup2.jpg which is renamed to 4441845.exe (VirusTotal 3/53[4])
http ://dertinyanl .com/img/script.php?tup3.jpg which is renamed to 5553619.exe (VirusTotal 3/54[5])
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an innocent file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453800745/

** https://wepawet.isec...011c552&type=js

3] https://www.virustot...sis/1453801558/

4] https://www.virustot...sis/1453801571/

5] https://www.virustot...sis/1453801579/

Nemucod malware spreads ransomware Teslacrypt:
- http://www.welivesec...t-around-world/
___

Fake 'Bill' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
26 Jan 2016 - "An email with the subject of 'Fwd: Bill to Grant Morgan' coming from random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Grant Morgan <rafael.kamal@ compume .com.eg>
Date: Tue 26/01/2016 05:25
Subject: Fwd:Bill to Grant Morgan.
Attachment: 20MEPRZ8WBE.doc
Body content:
    Hello.
    Please check the report attached. In order to avoid fine for delay you need to pay within 48 hours.
    Best regards
    Grant Morgan
-or-
    Good morning.
    Please see the invoice in attachment. In order to avoid penalty for delay you should pay in 24 hours.
    Thanks
    Barrett Watkins

26 January 2016: 20MEPRZ8WBE.doc - Current Virus total detections 2/54*
... Hybrid Analysis** eventually gave me 209743.exe (VirusTotal 3/45***) downloaded from
 icenails .ro/imgwp.jpg?LJGKKxdZEHWYMi=38 .
>> http://myonlinesecur...01/WP_image.png
The bad actors behind this campaign are using a new-macro-style which is long and even more complicated than previous ones... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453787886/

** https://www.hybrid-a...environmentId=1
Contacted Hosts
188.214.17.162
110.138.108.142

*** https://www.virustot...sis/1453812606/

icenails .ro: 188.214.17.162: https://www.virustot...62/information/
> https://www.virustot...cbceb/analysis/
___

Fake 'Heating Invoice' SPAM - malicious attachment
- http://blog.dynamoo....innovation.html
26 Jan 2016 - "This -fake- financial email is not from Alpha Heating Innovation but is instead a simple
-forgery- with a malicious attachment:
    From     Kurt Sexton
    Date     Tue, 26 Jan 2016 10:59:05 -0500
    Subject     =?UTF-8?B?UmVtaXR0YW5jZSBBZHZpY2UgNTk2M0U5?=
    For the attention of Accounts Receivable,
    We are attaching an up to date remittance advice detailing the latest payment on
    your account.
    Please contact us on the email address below if you would like your remittance sent
    to a different email address, or have any queries regarding your remittance.
    Kind regards,
    Kurt Sexton
    Best Regards,
    Kurt Sexton
    Credit Controller - Alpha Heating Innovation ...

The names of the sender and reference numbers will vary. I have only seen -two- different variants of the attachment, in the format remittance_advice5963E9.doc (VirusTotal [1] [2]) but there are probably more. Analysis is pending... It does seem to have some characterstics of a Dridex downloader."
1] https://www.virustot...sis/1453824210/
4/54 - remittance_adviceB177B0.doc

2] https://www.virustot...sis/1453824233/
4/54 - remittance_advice5963E9.doc

Labels: DOC, Dridex, Malware, Spam, Viruses

- http://myonlinesecur...rd-doc-malware/
26 Jan 2016 - "An email with the subject of 'Remittance Advice 17B6D1' (random numbers) pretending to come from random email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Leonardo Bryan <BryanLeonardo1689@ thedogofnashville .com>
Date: Tue 26/01/2016 14:57
Subject: Remittance Advice 17B6D1
Attachment: remittance_advice00AAD7.doc
    For the attention of Accounts Receivable,
    We are attaching an up to date remittance advice detailing the latest payment on your account.
    Please contact us on the email address below if you would like your remittance sent to a different email address, or have any queries regarding your remittance.
    Kind regards,
    Leonardo Bryan
    Best Regards,
    Leonardo Bryan
    Credit Controller – Alpha Heating Innovation...

26 January 2016: remittance_advice00AAD7.doc - Current Virus total detections 4/54*
Waiting for analysis. It is likely to be the Dridex banking malware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453825399/
___

TurboTax Phish
- https://security.int...alert.php?a=329
1/25/2016 - "People are receiving -fake- emails with the title containing their name. Below is a copy of the email people are receiving:
> https://security.int...sh201252016.jpg
... Do -not- open the attachment in the email... attempts to fraudulently obtain sensitive information..."

- https://security.int...alert.php?a=328
1/25/2016 - " People are receiving -fake- emails with the title "Access to prior year returns is locked". Below is a copy of the email people are receiving:
> https://security.int...sh101252016.jpg
... Do -not- open the attachment in the email... attempts to fraudulently obtain sensitive information..."

... more here:
>> https://security.int...rity-alerts.php
 

 

Edited by AplusWebMaster, 26 January 2016 - 02:19 PM.

[AplusWebMaster]

FYI...

Fake 'New Order' SPAM - malicious attachment
- http://blog.dynamoo....lle-ludlow.html
27 Jan 2016 - "This -fake- financial spam does not come from DS Smith Plc, but is instead a simple forgery with a malicious attachment.
    From     Michelle Ludlow [Michelle.Ludlow@ dssmith .com]
    Date     Wed, 27 Jan 2016 17:27:22 +0800
    Subject     New Order
    Hi
    Please see attached for tomorrow.
    Thanks
    Michelle Ludlow
    Customer Services Co-Ordinator - Packaging Services
    Packaging Division ...

So far I have seen two different variants of the attachment doc4502094035.doc (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] download a malicious executable from the following locations:
vinagps .net/54t4f4f/7u65j5hg.exe
trendcheckers .com/54t4f4f/7u65j5hg.exe
This binary has a detection rate of 5/53*. Those two Malwr reports and the VirusTotal report show the malware phoning home to:
119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)
I strongly recommend that you -block- traffic to that IP. The payload is probably the Dridex banking trojan and this looks consistent with botnet 220 activity."
1] https://www.virustot...sis/1453887313/

2] https://www.virustot...sis/1453887331/

3] https://malwr.com/an...DZhYjNiNGZjN2I/

4] https://malwr.com/an...2I0M2U3MDM0MmY/

* https://www.virustot...sis/1453887706/
TCP connections
119.160.223.115: https://www.virustot...15/information/
104.86.110.240: https://www.virustot...40/information/

- http://myonlinesecur...dsheet-malware/
27 Jan 2016 - "An email with the subject of 'New Order' pretending to come from Michelle Ludlow <Michelle.Ludlow@ dssmith .com> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...er-1024x650.png

27 January 2016: doc4502094035.doc - Current Virus total detections 5/53*  
MALWR** - Downloads http ://vinagps .net/54t4f4f/7u65j5hg.exe
It is almost certain to be Dridex banking Trojan  (VirusTotal 4/54***)
I am informed that an alternate download site is trendcheckers .com/54t4f4f/7u65j5hg.exe
[The Auto Analysers at payload security are under very-heavy-load this morning with hundreds of files queued and long delays. I assume the bad actors are deliberately flooding them to slow down analysis] ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453886419/

** https://malwr.com/an...DZhYjNiNGZjN2I/
112.213.95.154
119.160.223.115
13.107.4.50

*** https://www.virustot...sis/1453886821/
TCP connections
119.160.223.115: https://www.virustot...15/information/
104.86.110.240: https://www.virustot...40/information/
___

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
27 Jan 2016 - "An email with the subject of 'Invoice 9210' pretending to come from Dawn Salter <dawn@ mrswebsolutions .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...er-1024x802.png

27 January 2016: 9210.doc - Current Virus total detections 1/55*
This downloads Dridex banking Trojan from
http ://www .hartrijders .com/54t4f4f/7u65j5hg.exe (VirusTotal 1/55**)
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453901338/

** https://www.virustot...sis/1453902011/


- http://blog.dynamoo....awn-salter.html
27 Jan 2016 - "... The attachment is named 9210.doc which I have seen come in -three- versions... The Malwr reports for those... shows executable download locations at:
www .cityofdavidchurch .org/54t4f4f/7u65j5hg.exe
www .hartrijders .com/54t4f4f/7u65j5hg.exe
grudeal .com/54t4f4f/7u65j5hg.exe
This binary has a detection rate of 1/53*... Hybrid Analysis of the binary shows that it phones home to:
119.160.223.115 (Loxley Wireless Co. Ltd., Thailand)
This is the -same- IP as seen in this earlier spam run**, I recommend you -block- it."
* https://www.virustot...sis/1453903737/

** http://blog.dynamoo....lle-ludlow.html
___

Fake 'Enterprise Invoices' SPAM - malicious attachment
- http://blog.dynamoo....e-invoices.html
27 Jan 2016 - "This -fake- financial spam does not come from Enterprise Security Distribution (South West) Limited but is instead a simple -forgery- with a malicious attachment.
    From:    Vicki Harvey
    Date:    27 January 2016 at 15:30
    Subject:    Enterprise Invoices No.91786
    Please find attached invoice/s from
    Enterprise Security Distribution (South West) Limited
    Unit 20, Avon Valley Business Park
    St Annes Road
    St Annes
    Bristol
    BS4 4EE
    Vicki Harvey
    Accountant ...

The name of the sender and references will vary. There seem to be -several- different versions of the attachment named in a format Canon-mf30102A13A@ altel .kz_2615524.xls ... Analysis of the attachments is pending... attempted downloads from:
109.234.35.37 /californication/ninite.php
5.189.216.105 /californication/ninite.php
This binary has a -zero- detection rate at VirusTotal*. That VirusTotal report and this Malwr report** indicate network traffic to:
8.254.218.46 (Level 3, US)
I strongly recommend that you -block- traffic to that IP. This will be some variant of the Dridex banking trojan."
* https://www.virustot...sis/1453913182/
ninite.exe

** https://malwr.com/an...zZkYzc0NGRkM2E/
109.234.35.37
103.224.83.130
8.254.249.78

- http://myonlinesecur...dsheet-malware/
27 Jan 2016 - "... garbled mishmash with an email with no subject coming from random senders with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... All the attachments start with the name of a scanner or multifunctional printer/scanner device, then have the -alleged- senders email domain and then random numbers so this one is called twist-scanA56CC@ fotosdeguarras .com_2782255.xls . The email looks like:
From: Maggie Nolan <NolanMaggie95043@ fotosdeguarras .com>
Date: Wed 27/01/2016 16:25
Subject: Enterprise Invoices No.84984  ( random numbers)
Attachment: twist-scanA56CC@ fotosdeguarras .com_2782255.xls
Please find attached invoice/s from
Enterprise Security Distribution (South West) Limited
Unit 20, Avon Valley Business Park
St Annes Road
St Annes
Bristol
BS4 4EE
Maggie Nolan
Accountant ...

27 January 2016: twist-scanA56CC@ fotosdeguarras .com_2782255.xls - Current Virus total detections 0/52*
MALWR** shows a download from http ://109.234.35.37 /californication/ninite.php which gave me FCGVJHads.exe
(VirusTotal 0/55***) the file looks wrong for Dridex, so I will be guided by antivirus responses as to what it actually is... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453912101/

** https://malwr.com/an...jAxYmNjODY0NmU/
109.234.35.37
103.224.83.130
13.107.4.50

*** https://www.virustot...sis/1453912539/
TCP connections
103.224.83.130: https://www.virustot...30/information/
8.254.218.46: https://www.virustot...46/information/
___

'WorldRemit Transaction' phish
- http://myonlinesecur...ction-phishing/
27 Jan 2016 - "A high proportion of phishing attempts involve PayPal, your Bank, Credit Card or another money transfer service. This one is a money transfer service that I have never previously heard of: 'WorldRemit'...

Screenshot: http://myonlinesecur...l2-1024x455.png

The Second one pretends to be a request to review your service on Trust Pilot:

Screenshot: http://myonlinesecur...l1-1024x550.png

-All- the links in -both- emails go to http ://www.simplyyankeecosmetics .com/wellsfargo.com/cgi-bin/direct.php  which -redirects- to either http ://syscross .com/fb/inc/index.html or http ://www.cinit .com.mx/cli/httpswww .worldremit.comsend/LoginPage.htm
[I am sure that as the actual phish sites get blocked or taken down, these phishers will set up, yet another redirect from the first site]... Where you end up on a webpage looking like this, where some of the links are part of the phish, but some go to the genuine https ://www.worldremit .com/  web site:
> http://myonlinesecur...sh-1024x546.png
If you fill in the email-address and password you get -bounced- on to the genuine site..."

simplyyankeecosmetics .com: 192.185.78.193: https://www.virustot...93/information/
>> https://www.virustot...19560/analysis/
 

  

Edited by AplusWebMaster, 27 January 2016 - 11:47 AM.

[AplusWebMaster]

FYI...

Fake 'Purchase Order' SPAM - doc malware
- http://myonlinesecur...malware-dridex/
28 Jan 2016 - "An email with the subject of 'IKEA Purchase Order [2001800526]' with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: order@ ibxplatform .com
Date: Thu 28/01/2016 10:24
Subject: IKEA Purchase Order  [2001800526]
Attachment: Purchase_Order_Number__2001800526.doc
    This message contains a Purchase Order from IKEA. If you have any questions regarding this Purchase Order and its contents, we kindly ask you to contact your customer directly.
    If this message is incomplete or not readable, feel free to refer to our contact details below.
    Please do not reply to this message! ...

28 January 2016: Purchase_Order_Number__2001800526.doc - Current Virus total detections 2/54*
MALWR shows a download of Dridex Banking malware from
 http ://astigarragakomusikaeskola .com/nuyff45d/87tf23w.exe or
 http ://ponpes-alhijrah .sch.id/nuyff45d/87tf23w.exe (VirusTotal 5/54**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1453980691/

** https://www.virustot...sis/1453981023/
TCP connections
198.50.234.210
5.178.43.10: https://www.virustot...10/information/
119.160.223.115: https://www.virustot...15/information/

astigarragakomusikaeskola .com: 82.98.134.155: https://www.virustot...55/information/

ponpes-alhijrah .sch.id: 119.235.255.242: https://www.virustot...42/information/
___

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
28 Jan 2016 - "An email with the subject of 'Invoice' pretending to come from Hayley Stoakes <hayley@ whirlowdale .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Hayley Stoakes <hayley@ whirlowdale .com>
Date: Thu 28/01/2016 11:44
Subject: Invoice
Attachment: 96413.DOC
    Thank you for your order. Your Invoice – 96413 – is attached.

26 January 2016: 96413.DOC - Current Virus total detections 2/54*
.. which is exactly the -same- malware downloader as described in this earlier post** and downloads the -same- Dridex banking Trojan from the -same- locations
 http ://astigarragakomusikaeskola .com/nuyff45d/87tf23w.exe or
 http ://ponpes-alhijrah .sch.id/nuyff45d/87tf23w.exe ..."
* https://www.virustot...sis/1453986418/

** http://myonlinesecur...malware-dridex/
___

Fake 'PAYMENT CONFIRMATION' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
28 Jan 2016 - "An email with the subject of 'PAYMENT CONFIRMATION' pretending to come from Lesley Mawson <LMawson@ agrin .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Lesley Mawson <LMawson@ agrin .co.uk>
Date: Thu 28/01/2016 13:11
Subject: PAYMENT CONFIRMATION
    For the attention of the accounts department.
    Please find attached a copy of our payment to you.
    Kind regards
    Lesley
    Lesley Mawson
    A.I.P. Ltd
    9 Wassage Way, Hampton Lovett Ind Estate, Droitwich. WR9 0NX

28 January 2016: PAYMENT VOUCHER.DOC - Current Virus total detections 2/54*
.. which is exactly the -same- malware downloader as described in this earlier post** and downloads an
-updated- Dridex banking Trojan from the -same- locations
 http ://astigarragakomusikaeskola .com/nuyff45d/87tf23w.exe or
 http ://ponpes-alhijrah .sch.id/nuyff45d/87tf23w.exe (VirusTotal 2/53***) which despite comments on VT shows none of the typical characteristics of common ransomware and looks much more like a Dridex banking Trojan..."
* https://www.virustot...sis/1453986418/

** http://myonlinesecur...malware-dridex/

*** https://www.virustot...sis/1453986791/
___

iCloud Phish - used to activate Stolen iPhones
- https://blog.malware...olen-iphones-2/
Jan 28, 2016 - "... Losing a device or getting it stolen can be disastrous, way beyond the monetary loss. Apple has a nifty feature which allows to remotely erase-and-lock your phone if you ever faced that problem and wanted to make sure your personal information would not fall into the wrong hands. At the same time, this renders the device -useless- for those not in possession of your ID and password:
> https://blog.malware...01/activate.png
'Find My iPhone Activation Lock'
> https://support.appl.../en-ca/HT201365
This is an -inconvenience- for thieves who may want to resell those stolen phones on the black market, but crooks never lack imagination and seem to have found a way to circumvent this protection... a user claimed that -after- her iPhone was stolen, she proceeded to wipe-it and put it in 'Lost Mode', to prevent anyone from using it. Shortly after, she received a message letting her know the phone had been found -but- that she needed to go to a website and verify her Apple ID first. The site was an almost exact -replica- of Apple’s official iCloud.com and loaded fine in Safari (-no- security/phishing warning):
>> https://blog.malware...6/01/safari.png
... not many people would suspect this is a -fraudulent- website. Add to this the euphoria of knowing your precious phone was allegedly found, and proceeding to enter your Apple ID and password seems like a no brainer - Sadly, the website is a -fake- and the information entered in it is directly relayed to the crooks who stole your phone... There were several other domains residing on the same server (104.149.141.56):
    find.apple-service .me
    www .my-icloud .help
    your.icloud-service .help
We have reported this phishing scam to Apple since Safari did -not- flag the website as -dangerous- at the time of writing... Users should be particularly careful of schemes that leverage the emotions involved with the theft or loss of their devices. Online crooks have no shame in abusing their victims twice to get what they want."

104.149.141.56: https://www.virustot...56/information/
___

Business Email Compromise - Fraud ...
- http://blog.trendmic...w-do-you-start/
Jan 26, 2016 - "What will you do if an executive in your company gives you instructions to wire money for a business expense? On email? In a world where cybercriminals devise devious social engineering and computer intrusion schemes to fool employees into wiring money, enterprises run a very serious -risk- of getting -scammed- via email. This emerging global threat is known as the 'business email compromise (BEC)' and it has already victimized 8,179 companies in 79 countries between October 2013 and August 2015 alone*:
* https://www.ic3.gov/...827-1.aspx#ref2
... Multiple warnings were issued by the FBI as to these types of emails in the past year alone. The FBI notes the targets to be companies working with foreign suppliers and/or those that regularly perform wire transfer payments. By February last year, the total number of reported victims had reached 2,126 and the money lost amounted to roughly US $215 million. Come August, the victim numbers have ballooned to 8,179, the money lost added to nearly US $800 million. How can you protect your company from becoming a part of this statistic?
- Know the Basics...
- Familiarize with Past Scams...
- Gear Up Against BEC Threats...
... install email security solutions to block known BEC-related malware before they come in..."
(More detail at the trendmicro URL above.).
 

  

Edited by AplusWebMaster, 28 January 2016 - 03:59 PM.

[AplusWebMaster]

FYI...

Fake 'Despatch Note' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
29 Jan 2016 - "An email with the subject of 'Despatch Note FFGDES34309' pretending to come from Foyle Food Group Limited <accounts@ foylefoodgroup .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Foyle Food Group Limited <accounts@ foylefoodgroup .com>
Date: Fri 29/01/2016 09:17
Subject: Despatch Note FFGDES34309
Attachment: FFGDES34309.doc
    Please find attached Despatch Note FFGDES34309

29 January 2016: FFGDES34309.doc - Current Virus total detections 5/54*
Downloads Dridex banking malware from jjcoll .in/56gf/g545.exe (VirusTotal 2/54**)
Other download locations include http ://romana .fi/56gf/g545.exe and
 http ://clickchiropractic .com/56gf/g545.exe
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1454062970/

** https://www.virustot...sis/1454062183/

jjcoll .in: 198.12.152.113: https://www.virustot...13/information/

romana .fi: 217.78.212.183: https://www.virustot...83/information/

clickchiropractic .com: 50.87.150.204: https://www.virustot...04/information/

- http://blog.dynamoo....fgdes34309.html
29 Jan 2016 - "This -fake- financial spam is not from Foyle Food Group Limited but is instead a simple -forgery- with a malicious attachment:
   From     Foyle Food Group Limited [accounts@ foylefoodgroup .com]
    Date     Fri, 29 Jan 2016 17:58:37 +0700
    Subject     Despatch Note FFGDES34309
    Please find attached Despatch Note FFGDES34309

... The attachment is FFGDES34309.doc which comes in three different variants, downloading from:
jjcoll .in/56gf/g545.exe
romana .fi/56gf/g545.exe
clickchiropractic .com/56gf/g545.exe
This has... a detection rate of 6/49*. According to my contact, this phones home to:
85.143.166.200 (Pirix, Russia)
103.245.153.70 (OrionVM, Australia)
144.76.73.3 (Hetzner, Germany)
This drops the Dridex banking trojan. The behaviour is consistent with botnet 220."
Recommended blocklist:
85.143.166.200
103.245.153.70
144.76.73.3 "
* https://www.virustot...09a5f/analysis/
TCP connections
85.143.166.200: https://www.virustot...00/information/
8.254.218.30: https://www.virustot...30/information/
___

Fake 'Scanned image' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
29 Jan 2016 - "An email with the subject of 'Scanned image from copier@ victimdomain .tld' pretending to come from copier@ victimdomain .tld with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: copier@ victmdomain .tld
Date: Fri 29/01/2016 11:02
Subject: Scanned image from copier@ victimdomain .tld
Attachment: copier@ ...co.uk_20160129_084903.doc
Body content:
    Reply to: copier@ ...co.uk <copier@ ...co.uk>
    Device Name: COPIER
    Device Model: MX-2310U
    File Format: DOC (Medium)
    Resolution: 200dpi x 200dpi
    Attached file is scanned document in DOC format...

29 January 2016: copier@ ...co.uk_20160129_084903.doc - This is exactly the -same- malware which downloads the -same- Dridex banking malware from the -same- locations as described in this earlier post*..."
* http://myonlinesecur...rd-doc-malware/
___

Fake 'Resume' SPAM - malicious attachment
- http://blog.dynamoo....-resumertf.html
29 Jan 2016 - "This spam leads to malware:
    From:    Laurena Washabaugh [washabaugh .1946@ rambler .ru]
    Date:    29 January 2016 at 10:10
    Subject:    Quick Question
    Signed by:    rambler .ru
    What's going on?
    I was visting your website on 1/29/2016 and I'm very interested.
    I'm currently looking for work either full time or as a intern to get experience in the field.
    Please review my CV and let me know what you think.
    Best regards,
    Laurena Washabaugh

The attachment is named Resume.rtf, but is it actually a DOCX file with a malicious macro... the document has a VirusTotal detection rate of 9/54*... but these automated analyses [1] [2] [3] show it phoning home to:
89.248.166.131 (Quasi Networks, Seychelles)
I recommend that you -block- traffic to that IP..."
* https://www.virustot...sis/1454068566/

1] https://malwr.com/an...zkxZDEzNWM1Y2U/

2] https://www.hybrid-a...environmentId=1

3] https://www.hybrid-a...environmentId=4

89.248.166.131: https://www.virustot...31/information/

- http://myonlinesecur...dsheet-malware/
29 Jan 2016 - "An email with the subject of 'Quick Question' pretending to attach a -resume- coming from random senders with a malicious word rtf attachment which is actually a word docx file is another one from the current bot runs... The email looks like:
From: Robbi Aguinaldo <aguinaldo.1993@ rambler .ru>
Date: Fri 29/01/2016 08:18
Subject: Quick Question
Attachment: Resume.rtf
    Howdy
    I was visting your website on 1/29/2016 and I’m very interested.
    I’m currently looking for work either full time or as a intern to get experience in the field.
    Please review my CV and let me know what you think.
    In appreciation,
    Robbi Aguinaldo

29 January 2016: Resume.rtf - Current Virus total detections 0/55*

* https://www.virustot...sis/1449129718/
.. which downloads the following files:
http ://89.248.166.131/jer.jpg?810  (Currently unavailable)

> 89.248.166.131: https://www.virustot...31/information/
http ://91.224.161.116/clv002/f32.bin (VirusTotal 0/55**) which the malicious macro alters/decodes/creates several of the below files:
> cccyk7m15911_1.exe
- https://www.virustot...sis/1454087239/

> http ://192.227.181.211/foru.exe saved as: cigiquk79yycc7.exe
- https://www.virustot...sis/1454087310/

>FASDA.exe
- https://www.virustot...sis/1454087462/

> http ://89.248.166.131/1.exe saved as: m3q3c5s79uy5k95.exe
- https://www.virustot...sis/1454087618/

> MQERY.exe
- https://www.virustot...sis/1454087665/

... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... DO NOT click on it or try to open it..."
** https://www.virustot...sis/1449129718/

rambler .ru: 81.19.93.6: https://www.virustot....6/information/
81.19.77.5: https://www.virustot....5/information/
81.19.77.6: https://www.virustot....6/information/
81.19.93.5: https://www.virustot....5/information/
> https://www.virustot...894bd/analysis/
0/66
___

HSBC internet banking services down after cyber attack
- http://www.reuters.c...r-idUSKCN0V71BO
Jan 29, 2016 - "HSBC is working with law enforcement to catch those behind a cyber attack that forced its personal banking websites in the UK to shutdown, its second major service outage this month, the bank said on Friday. Europe's largest lender said it had "successfully defended" its systems against a distributed denial of service (DDoS) attack but it was experiencing fresh threats, impeding full restoration of its services... The outage began on Friday morning and online services were still down by 1630 GMT (11:30 a.m. ET). DDoS attacks are often used by cyber criminals trying to disrupt businesses and companies with significant online activities..."
___

GitHub Blog:
Update on 1/28 service outage:
- https://github.com/b...-service-outage
Jan 29, 2016 - "On Thursday, January 28, 2016 at 00:23am UTC, we experienced a severe service outage that impacted GitHub.com... A brief power disruption at our primary data center caused a cascading failure that impacted several services critical to GitHub.com's operation. While we worked to recover service, GitHub.com was unavailable for two hours and six minutes. Service was fully restored at 02:29am UTC. Last night we completed the final procedure to fully restore our power infrastructure..."
 

  

Edited by AplusWebMaster, 29 January 2016 - 02:14 PM.

[AplusWebMaster]

FYI...

Fake 'Order Processed' SPAM - malicious attachment
- http://blog.dynamoo....ed-noreply.html
1 Feb 2016 - "This -fake- financial spam does not come from Duration Windows but is instead a simple -forgery- with a malicious attachment:
    From     NoReply-Duration Windows [noreply@ duration .co.uk]
    Date     Mon, 01 Feb 2016 04:21:03 -0500
    Subject     Order Processed.
    Dear Customer,
    Please find details for your order attached as a PDF to this e-mail.
    Regards,
    Duration Windows
    Sales Department ...

I have only seen a single sample of this spam with an attachment V9568HW.doc which has a detection rate of 5/54*... likely to be the Dridex banking trojan.
UPDATE: The Malwr analysis** shows that the document downloads a malicious executable from:
www .peopleond-clan .de/u56gf2d/k76j5hg.exe
This has a VirusTotal detection rate of 4/54*** and those reports plus this Hybrid Analysis[4] show it phoning home to:
185.24.92.236 (System Projects LLC, Russia)
I strongly recommend that you -block- traffic to that IP."
* https://www.virustot...sis/1454322319/

** https://malwr.com/an...DZlYjk0YzlhOWU/

*** https://www.virustot...sis/1454323739/

4] https://www.hybrid-a...environmentId=4

- http://myonlinesecur...rd-doc-malware/
1 Feb 2016 - "An email with the subject of 'Order Processed' ... with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: NoReply-Duration Windows <noreply@ duration .co.uk>
Date: Mon 01/02/2016 10:16
Subject: Order Processed.
Attachment: V9568HW.doc
    Dear Customer,
    Please find details for your order attached as a PDF to this e-mail.
    Regards, Duration Windows Sales Department ...

1 February 2016: V9568HW.doc - Current Virus total detections 4/55*  
MALWR** shows downloads Dridex banking malware from
 http ://iamnickrobinson .com/u56gf2d/k76j5hg.exe (VirusTotal 3/53***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1454322062/

** https://malwr.com/an...GZlZDdhMzY3NmQ/
74.86.19.136: https://www.virustot...36/information/
185.24.92.236: https://www.virustot...36/information/
13.107.4.50: https://www.virustot...50/information/

*** https://www.virustot...sis/1454325006/
TCP connections
185.24.92.236: https://www.virustot...36/information/
2.22.22.113: https://www.virustot...13/information/
___

Fake 'Invoice INV19' SPAM - malicious attachment
- http://blog.dynamoo....23456-from.html
1 Feb 2016 - "This spam appears to originate from a -variety- of companies with -different- references. It comes with a malicious attachment.
    From:    Marisol Barrett [BarrettMarisol04015@ victimdomain .tld]
    Date:    1 February 2016 at 08:39
    Subject:    Invoice 48014 from JKX OIL & GAS
    Dear Customer,
    Your invoice appears below. Please remit payment at your earliest convenience.
    Thank you for your business - we appreciate it very much.
    Sincerely,
    Marisol Barrett ...

From:    Oswaldo Browning [BrowningOswaldo507@ victimdomain .tld]
Date:    1 February 2016 at 09:38
Subject:    Invoice 865272 from J P MORGAN PRIVATE EQUITY LTD
Dear Customer,
Your invoice appears below. Please remit payment at your earliest convenience.
Thank you for your business - we appreciate it very much.
Sincerely,
Oswaldo Browning
J P MORGAN PRIVATE EQUITY LTD ...

The attachment is in the format INV19 - 865272.doc (it always starts with "INV19" and then has the -fake- reference number). There are at least -three- different versions...
UPDATE 2: The Malwr analysis of three of the attachments [1] [2] [3] shows download locations of:
31.131.24.203/indiana/jones.php
31.41.45.23/indiana/jones.php
These IPs can be considered as -malicious- and belong to:
31.131.24.203 (PE Skurykhin Mukola Volodumurovuch, Ukraine)
31.41.45.23 (Relink LTD, Russia)
This drops a -malicious- binary with a detection rate of 2/53*. This phones home to:
185.24.92.229 (System Projects, LLC, Russia)
This spam appears to be the Dridex banking trojan (botnet 120 perhaps).
Recommended blocklist:
185.24.92.229
31.131.24.203
31.41.45.23 "
1] https://malwr.com/an...TViOGNlMzQyMWE/

2] https://malwr.com/an...DM3MWU0OTI2YTk/

3] https://malwr.com/an...TA1OWQ5YTA0OWE/

* https://www.virustot...8b31/analysis/#

- http://myonlinesecur...malware-broken/
1 Feb 2016 - "An email with the subject of 'Invoice' (random number) from Random companies pretending to come from random names at your own email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

1 February 2016: INV19 – 882596.doc - Current Virus total detections 2/54*  
MALWR** shows a download from http ://31.41.45.23/indiana/jones.php
which gave me crypted120med.exe (VirusTotal 2/53***)..."
* https://www.virustot...sis/1454319886/

** https://malwr.com/an...zM0Zjg1ZmM1NGU/

*** https://www.virustot...sis/1454322842/
___

Fake 'Scanned image' SPAM - malicious attachment
- http://blog.dynamoo....image-from.html
1 Feb 2016 - "This -fake- document scan appears to originate from within the victim's own domain, but it doesn't. Instead this is a simple -forgery- with a malicious attachment.
From:    copier@ victimdomain .tld
Date:    1 February 2016 at 12:11
Subject:    Scanned image from copier@ victimdomain .tld
Reply to: copier@ victimdomain .tld [copier@ victimdomain .tld]
Device Name: COPIER
Device Model: MX-2310U
File Format: DOC (Medium)
Resolution: 200dpi x 200dpi
Attached file is scanned document in DOC format...

I have seen two different versions of the attached document, named in a format copier@ victimdomain .tld_20160129_084903.doc. The detection rate for both is 6/54 [1] [2] and the Malwr report* for one of them shows the macro downloading from:
dulichando .org/u56gf2d/k76j5hg.exe
This executable has a detection rate of 4/53** and the Hybrid Analysis reports*** that it phones home to:
185.24.92.236 (System Projects LLC, Russia)
I strongly recommend that you -block- traffic to that IP. The payload is Dridex, as seen here****."
1] https://www.virustot...sis/1454332258/

2] https://www.virustot...sis/1454332268/

* https://malwr.com/an...mZiZTM0NDY3YjY/

** https://www.virustot...sis/1454332659/

*** https://www.hybrid-a...environmentId=4

**** http://blog.dynamoo....ed-noreply.html
 

  

Edited by AplusWebMaster, 01 February 2016 - 09:57 AM.

[AplusWebMaster]

FYI...

Fake 'Order Dispatch' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
2 Feb 2016 - "An email with the subject of 'Order Dispatch: AA608034' (random order numbers) pretending to come from aalabels <customercare45660@ aalabels .com> (random customercare numbers) with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...34-1024x549.png

2 February 2016: invoice_AA608034.doc - Current Virus total detections 4/52*
Downloads Dridex Banking malware from
hebenstreit .us.com/5h4g/0oi545gfgf.exe (VirusTotal 3/51**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

* https://www.virustot...347d8/analysis/

** https://www.virustot...sis/1454402505/
TCP connections
91.239.232.145: https://www.virustot...45/information/
90.84.59.9: https://www.virustot....9/information/

- http://blog.dynamoo....h-aa207241.html
2 Feb 2016 - "This -fake- financial spam is not from aalabels .com but is instead a simple -forgery- with a malicious attachment.

Screenshot: https://3.bp.blogspo...40/aalabels.png

The sender's email address and detail will vary from email to email, however they all follow the same format. Attached is a file with a name along the lines of invoice_AA123456.doc which comes in at least -three- different versions... Malwr reports... show the macro in the documents downloading from one of the folllowing locations:
timestyle .com.au/5h4g/0oi545gfgf.exe
hebenstreit .us.com/5h4g/0oi545gfgf.exe
fillingsystem .com/5h4g/0oi545gfgf.exe
This binary has a detection rate of 5/52*... Malwr reports show it phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I would strongly recommend -blocking- traffic to that IP, or indeed you can probably block the entire 91.239.232.0/22 range will no ill effects."
* https://www.virustot...sis/1454404870/
91.239.232.145: https://www.virustot...45/information/
90.84.59.9: https://www.virustot....9/information/
___

Fake 'New order' SPAM - malware
- http://myonlinesecur...206754-malware/
2 Feb 2016 - "An email with the subject of 'New order Enquiry 206754' pretending to come from Corcom Co ltd <corcom@ bnisyariah .co.id> with a zip attachment is another one from the current bot runs... The email looks like:
From: Corcom Co ltd <corcom@ bnisyariah .co.id>
Date: Tue 02/02/2016 03:13
Subject:  New order Enquiry 206754
Attachment: Enquiry 206754.zip
    Dear Customer,
    Find attached our purchase order. Kindly quote us best price and send
    us proforma invoice asap, so that we can proceed with the necessary
    payment,We need this Order urgently. kindly confirm the PO and send PI
    asap.
    Thank you.
    Ms. Sim Rabim
    Jl. M.H. Thamrin 59 Jakarta 10350 ? Indonesia ...

2 February 2016: Enquiry 206754.zip: Extracts to: Enquiry 206754.exe - Current Virus total detections 14/52*
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will be hidden instead of showing it as the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1454400171/
___

Fake 'PURCHASE' SPAM - malicious attachment
- http://blog.dynamoo....2016-d1141.html
2 Feb 2016 - "This spam does not come from Flower Vision but is instead a simple -forgery- with a malicious attachment:
    From:    sales@ flowervision .co.uk
    Date:    2 February 2016 at 08:28
    Subject:    PURCHASE 02/02/2016 D1141
    FLOWERVISION
    Internet Order Confirmation
    Page
    1/1 ...

Attached is a file SALES_D1141_02022016_164242.xls which I have seen just one version of, with a detection rate of 1/50*. This Hybrid Analysis** shows the macro in the spreadsheet downloading from:
www .torinocity .it/5h4g/0oi545gfgf.exe
This binary has a detection rate of 5/51***, and is the same payload as seen earlier****."
* https://www.virustot...sis/1454406875/

** https://www.hybrid-a...environmentId=1

*** https://www.virustot...sis/1454407813/
TCP connections
91.239.232.145: https://www.virustot...45/information/
90.84.59.9: https://www.virustot....9/information/

**** http://blog.dynamoo....h-aa207241.html

- http://myonlinesecur...malware-dridex/
2 Feb 2016 - "An email with the subject of 'PURCHASE 02/02/2016 D1141' pretending to come from sales@ flowervision .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...41-1024x586.png

25 February 2015: SALES_D1141_02022016_164242.xls ...
Downloads Dridex from same locations as today’s earlier Malspam*. This one is
http ://www .fabian-enkenbach .de/5h4g/0oi545gfgf.exe (VirusTotal 5/51**)..."
* http://myonlinesecur...dsheet-malware/

** https://www.virustot...sis/1454407813/
TCP connections
91.239.232.145: https://www.virustot...45/information/
90.84.59.9: https://www.virustot....9/information/
___

Fake 'RB0081 INV' SPAM - malicious attachment
- http://blog.dynamoo....2039-sales.html
2 Feb 2016 - "This -fake- financial spam does not come from Leathams but is instead a simple -forgery- with a malicious attachment.
    From:    Sales invoice [salesinvoice@ leathams .co.uk]
    Reply-To:    "no-reply@ leathams .co.uk" [no-reply@ leathams .co.uk]
    Date:    2 February 2016 at 13:15
    Subject:    RB0081 INV2372039
    Dear Sir/Madam,
    Please find attached your sales invoice(s) for supplied goods.  Please process for payment as soon as possible.
    In the event that you have a query - please direct your query...

Attached is a malicious document Leathams Ltd_INV2372039.doc which comes in at least -two- different versions... The Malwr analysis for one of those samples shows a download from:
fillingsystem .com/5h4g/0oi545gfgf.exe
This is similar to a spam run earlier, but now the payload has changed to one with a detection rate of precisely zero*... The payload is the Dridex banking trojan.
UPDATE: Automated analysis [1] [2] shows the executable phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I strongly recommend -blocking- traffic to that IP, or the whole /22 in which it resides."
* https://www.virustot...sis/1454419546/
0/53

1] https://malwr.com/an...GQyMzM5YWZhMTM/

2] https://www.hybrid-a...environmentId=1

- http://myonlinesecur...rd-doc-malware/
2 Feb 2016 - "An email with the subject of 'RB0081 INV2372039' pretending to come from Sales invoice <salesinvoice@ leathams .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Sales invoice <salesinvoice@ leathams .co.uk>
Date: Tue 02/02/2016 12:13
Subject: RB0081 INV2372039
Attachment: Leathams Ltd_INV2372039.doc
    Dear Sir/Madam,
    Please find attached your sales invoice(s) for supplied goods. Please process for payment as soon as possible.
    In the event that you have a query – please direct your query...

2 February 2016: Leathams Ltd_INV2372039.doc - Current Virus total detections 4/54*
downloads Dridex banking malware from the same locations as today’s earlier malspams**. This example connects to http ://fillingsystem .com/5h4g/0oi545gfgf.exe which delivers an updated Dridex version to the earlier ones (VirusTotal 0/53***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1454417962/

** http://myonlinesecur...dsheet-malware/

*** https://www.virustot...sis/1454419046/
 

  

Edited by AplusWebMaster, 02 February 2016 - 09:45 AM.

[AplusWebMaster]

FYI...

Turning Off Specific Files from Previewing in the Microsoft Outlook Reading Pane
- http://windowsitpro....ok-reading-pane

Block Certain File Types from Opening in Associated Office Applications
- http://windowsitpro....ce-applications

>> http://myonlinesecur...-macro-viruses/
3 Feb 2016
___

Security flaws discovered in smart toys and kids' watches
- http://net-security....ld.php?id=19404
3 Feb 2016 - "Rapid7 researchers* have unearthed serious flaws in two 'Internet of Things' devices:
• The Fisher-Price Smart Toy, a "stuffed animal" type of toy that can interact with children and can be monitored via a mobile app and WiFi connectivity, and
• The hereO GPS Platform, a smart GPS toy watch that allows parents to track their children's physical location.
In both cases the problem was with the authentication process, i.e. in the platform's web service (API) calls. In the first instance, the API calls were not appropriately verified, so an attacker could have sent unauthorized requests and extract information such as customer details, children's profiles, and more... In the second instance, the flaw allowed attackers to gain access to the family's group by adding an account to it, which would allow them to access the family member's location, location history, etc. "We have once again been able to work with vendors to resolve serious security issues impacting their platforms and hope that vendors considering related products are able to take note of these findings so that the overall market can improve beyond just these particular instances," noted Mark Stanislav, manager of global services at Rapid7*... "
* https://community.ra...eo-gps-platform
Feb 2, 2016
___

Fake 'Free Travel Lottery' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
3 Feb 2016 - "An email with the subject of 'Free Travel Lottery Drawing' pretending to come from VIATOR.COM <winners@ viator .com> with a malicious word doc attachment is another one from the current bot runs.. The email looks like:
From: VIATOR .COM <winners@ viator .com>
Date: Wed, 3 Feb 2016 16:14
Subject: Free Travel Lottery Drawing
Attachment: winner_81.doc
    ATripAdvisor®Company
    Unforgettable time in the place where summer never ends!
    We held a lottery drawing among the customers of our travel agency Viator!
    Free travel for 2 persons to a Paradise Island Koh-Samui, in Kingdom of Thailand for 10 days! Travel insurance included!
    2,500,000 our customers took participation in the lottery. Only 250 winners!
    To learn more about the tour and your Winner Bonus become familiar with the attached document...

3 February 2015: winner_81.doc - Current Virus total detections 1/54*
MALWR** shows downloads http ://finiki45toget .com/post/511plvk.exe (virustotal 2/52***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1454514245/

** https://malwr.com/an...2Y5NzZiNzc3ODg/
163.20.136.189: https://www.virustot...89/information/
>> https://www.virustot...d588a/analysis/

*** https://www.virustot...sis/1454512889/
___

Fake 'Invoice (SI-523)' SPAM - malicious attachment
- http://blog.dynamoo....invoice-si.html
3 Feb 2016 - "This -fake- financial spam does not come from GS Toilet Hire but is instead a simple -forgery- with a malicious attachment. In other words, if you open it.. [don't].
    From:    GS Toilet Hire [donotreply@ sageone .com]
    Date:    3 February 2016 at 09:12
    Subject:    GS Toilet Hire - Invoice (SI-523) for £60.00, due on 28/02/2016
    Good morning
    Thank you for your business - we're pleased to attach your invoice in PDF. Please bear in mind that if we are in the area the price is reduced to £15+vat per visit.
    Full details, including payment terms, are included.
    If you have any questions, please don't hesitate to contact us.
    Kind regards,
    Linda Smith
    Office, GS Toilet Hire ...

I have seen two samples of this, both with an attachment named Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip which contains a malicious Javascript file with a name like invoice_id6395788111.js. The two samples that I have seen have low detection rates... containing some highly obfuscated scripts... which... downloads a binary from one of the following locations:
obstipatie..nu/43rf3dw/34frgegrg.exe
bjhaggerty..com/43rf3dw/34frgegrg.exe
(also www .ni-na27.wc.shopserve .jp/43rf3dw/34frgegrg.exe ...)
This type of download indicates that this is Dridex 220, it is unusual for it to be spammed out with a Javascript-in-ZIP format rather than a malicious Office macro... The binary... shows the malware phoning home to:
91.239.232.145 (Hostpro Ltd, Ukraine)
I strongly recommend that you -block- all traffic to that IP, and possibly the 91.239.232.0/22 block in which it resides.
UPDATE: The same spam is being sent out with a more traditional DOC attachment, Sales_Invoice_SI-523_GS Toilet Hire.doc which comes in at least two different variants (VirusTotal [1] [2]) which according to these Malwr reports [3] [4] downloads a binary from the following locations:
xinchunge .com/xinchunge.com/43rf3dw/34frgegrg.exe
taukband .com/43rf3dw/34frgegrg.exe
This is a different binary from before, with a detection rate of 4/53*. It still phones home to the same location."
1] https://www.virustot...sis/1454494549/

2] https://www.virustot...sis/1454494559/

3] https://malwr.com/an...WZhMTkwZmRlYzE/
98.143.159.150
91.239.232.145
13.107.4.50

4] https://malwr.com/an...mQwMGQwZjczZDU/
192.186.239.3
91.239.232.145
184.25.56.44

* https://www.virustot...f3f67/analysis/

- http://myonlinesecur...ding-to-dridex/
3 Feb 2016 - "... an email with the subject of 'GS Toilet Hire – Invoice (SI-523) for £60.00, due on 28/02/2016' pretending to come from GS Toilet Hire <donotreply@ sageone .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...60-1024x515.png

- or: http://myonlinesecur...on-1024x515.png

3 February 2016: Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip - Extracts to: invoice_id2677432297.js
Current Virus total detections 2/54*. MALWR**
3 February 2016: Sales_Invoice_SI-523_GS Toilet Hire.doc - VirusTotal 3/52***
downloads what looks like -Dridex- from xinchunge .com/xinchunge.com/43rf3dw/34frgegrg.exe
(VirusTotal 4/53[4])
obstipatie .nu/43rf3dw/34frgegrg.exe
bjhaggerty .com/43rf3dw/34frgegrg.exe
taukband .com/43rf3dw/34frgegrg.exe
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1454491705/

** https://malwr.com/an...mFiN2FjNjdiYjA/
46.17.1.250

*** https://www.virustot...sis/1454492103/

4] https://www.virustot...sis/1454493882/
___

Fake 'Invoice MOJU' SPAM - malicious attachment
- http://blog.dynamoo....9-accounts.html
3 Feb 2016 - "This -fake- financial spam comes with a malicious attachment. It does not come from Moju Ltd but is instead a simple -forgery- with a malicious attachment:
    From:    Accounts [message-service@ post.xero .com]
    Date:    3 February 2016 at 09:04
    Subject:    Invoice MOJU-0939
    Hi,
    Here's invoice MOJU-0939 for 47.52 GBP. For last weeks delivery.
    The amount outstanding of 47.52 GBP is due on 25 Feb 2016.
    If you have any questions, please let us know.
    Thanks,
    Moju Ltd

I have only seen one sample of this, with an attachment named Invoice MOJU-0939.zip containing a malicious script invoice_id4050638124.js that has detection rate of 2/53* and which according to this Malwr report** downloads a binary from:
www .ni-na27.wc.shopserve .jp/43rf3dw/34frgegrg.exe
This payload is the same as seen in this concurrent spam run***."
* https://www.virustot...4b867/analysis/

** https://malwr.com/an...jdlYmU4NWFhNDQ/
210.160.220.144

*** http://blog.dynamoo....invoice-si.html

- http://myonlinesecur...malware-dridex/
3 Feb 2016 - "An email with the subject of 'Invoice MOJU-0939' pretending to come from Accounts <message-service@ post.xero .com> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...39-1024x497.png

3 February 2016:  Invoice MOJU-0939.zip: Extracts to: invoice_id6174018044.js
Current Virus total detections 2/52*. MALWR** which downloads what looks like Dridex banking malware from http ://obstipatie .nu/43rf3dw/34frgegrg.exe  (VirusTotal 3/54***)
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1454489431/

** https://malwr.com/an...mFiN2FjNjdiYjA/

*** https://www.virustot...sis/1454490157/
TCP connections
91.239.232.145: https://www.virustot...45/information/
13.107.4.50: https://www.virustot...50/information/
___

Fake 'Attached Image' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
3 Feb 2016 - "... another email with the subject of 'Attached Image' pretending to come from canon@ victimdomain .tld with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: canon@ victimdomain .tld
Date: Wed 03/02/2016 10:38
Subject: Attached Image
Attachment: 1690_001.xls

Body content: Blank

3 February 2016: 1690_001.xls - Current Virus total detections 2/52*
.. same Dridex macro dropper, downloading the -same- Dridex banking malware that was described in this earlier post** from -same- locations. This one was from
best-drum-set .com/43rf3dw/34frgegrg.exe ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1454500546/

** http://myonlinesecur...ding-to-dridex/

- http://blog.dynamoo....from-canon.html
3 Feb 2016 - "This spam pretends to come from the victim's own domain, but it doesn't. Instead it is a simple -forgery- with a malicious attachment.
    From:    canon@ victimdomain .tld
    Date:    3 February 2016 at 12:09
    Subject:    Attached Image

There is no body text. Attached is a file 1690_001.xls of which I have seen a single variant with a detection rate of 9/54*. The Hybrid Analysis** shows it downloading an executable from:
best-drum-set .com/43rf3dw/34frgegrg.exe
This has a detection rate of 6/51 and is the -same- binary as used in this other spam attack today***."
* https://www.virustot...sis/1454501819/

** https://www.hybrid-a...environmentId=4
192.254.190.17

*** http://blog.dynamoo....invoice-si.html
___

Tesco 'shop for free' – phish
- http://myonlinesecur...-free-phishing/
3 Feb 2016 - "An email saying 'Tesco is giving you a chance to shop for free' pretending to come from Tesco .com <info@ sets .com> is one of the latest phishing emails trying to -steal- your Tesco bank details... This one -only- wants your personal details, Tesco log-in details and your credit card and bank details... some of the screen shots are from this new phish, but others have been re-used from  older versions that I have already blogged about, but are identical except for the site name in the URL bar. If you follow that link you see a webpage looking like:
> http://myonlinesecur...s1-1024x606.jpg
Then you get a page asking to verify your mobile phone number:
>> http://myonlinesecur..._2-1024x689.png
After filling in that page you then get this one:
>>> http://myonlinesecur...-1-1024x517.png
Then this comes up... Any 5 digit number entered in the box gets you to the next page:
>>>> http://myonlinesecur..._4-1024x568.png
Then you get a page asking for password and Security number... After you fill in your Security number and password you get a page looking like this, where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... eventually it auto -redirects- you to the genuine Tesco bank site... -All- of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
 

  

Edited by AplusWebMaster, 03 February 2016 - 01:34 PM.

[AplusWebMaster]

FYI...

Fake 'January balance' SPAM - malicious attachment
- http://blog.dynamoo....nce-alison.html
4 Feb 2016 - "This -fake- financial spam does not come from J. Thomson Colour Printers, but is instead a simple -forgery- with a malicious attachment:
    From     Alison Smith [ASmith056@ jtcp .co.uk]
    Date     Thu, 04 Feb 2016 10:52:21 +0300
    Subject "January balance £785"
    Hi,
    Thank you for your recent payment of £672.
    It appears the attached January invoice has been missed off of your payment. Could
    you please advise when this will be paid or if there is a query with the invoice?
    Regards
    Alison Smith
    Assistant Accountant ...

The poor company being spoofed has already been hit by this attack recently... The email address of the sender varies from message to message. Attached is a file IN161561-201601.js which comes in at least -five- different versions (VirusTotal 0/53[1]..). This is a highly obfuscated script... and automated analysis of the various scripts [6].. shows that the macro downloads from the following locations (there may be more):
ejanla .co/43543r34r/843tf.exe
cafecl .1pworks.com/43543r34r/843tf.exe
This binary has a detection rate of 2/52* and phones home to:
62.76.191.108 (Clodo-Cloud / IT-House, Russia)
Note that the whole 62.76.184.0/21 block is a haven for malware, but it does also have some legitimate Russian customers. You might want to consider blocking the entire range if your users don't need to visit Russian websites. The payload is the Dridex banking trojan, and although it is unusual to see a plain .js file spammed out like this, it is consistent with botnet 220."
1] https://www.virustot...sis/1454576263/

6] https://www.hybrid-a...environmentId=1

* https://www.virustot...sis/1454577822/
TCP connections
62.76.191.108
13.107.4.50

- http://myonlinesecur...ers-js-malware/
4 Feb 2016 - "... once again spoofing Alison Smith of J Thomson Colour Printers with an email with the subject of  'January balance £785' pretending to come from Alison Smith <ASmith5AC@ jtcp .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...85-1024x761.png

4 February 2016: IN161561-201601.js - Current Virus total detections 0/52*
MALWR** shows a download from http ://ejanla .co/43543r34r/843tf.exe which is highly likely to be Dridex banking malware. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1454576306/

** https://malwr.com/an...DdhNWE5OGEzN2Y/
23.229.207.163
62.76.191.108
13.107.4.50
___

Fake 'Swift Copy' SPAM - doc malware
- http://myonlinesecur...4-1761-exploit/
4 Feb 2016 - "An email with the subject of 'Re: Swift Copy' pretending to come from Kim Raymonds <kimraymonds@ sssup .it> (probably random email addresses) with a malicious word doc attachment is another one from the current bot runs... This is using CVE-2014-1761 exploit* in unpatched versions of office and it doesn’t matter if you have macros turned off or not. If you are -not- patched, then you WILL be infected by this.  
* https://web.nvd.nist...d=CVE-2014-1761- 9.3 (HIGH)
You also need to read the bottom paragraph of THIS page** to use additional settings to protect yourself against this & similar exploits...
** http://myonlinesecur...-macro-viruses/
The email looks like:
From: Kim Raymonds <kimraymonds@ sssup .it>
Date: Thu 04/02/2016 10:27
Subject: Re:Swift Copy
Attachment: Swift Copy.doc
    Dear
    My boss requested i should send the swift copy to you.
    Pls see the attached.
    Have a great day!
    Thanks,
    Kim Raymonds
    Office Manager

4 February 2016 : Swift Copy.doc - Current Virus total detections 23/52*
MALWR** shows it downloads http ://andersonken479 .pserver .ru/doc.exe (VirusTotal 16/54***) which is some sort of banking Trojan and password stealer. One additional trick being played on you to infect you, is the downloaded doc.exe has an icon looking like a word doc, so if you accidentally open the original swift copy.doc, the doc.exe gets silently downloaded in background and is supposed to autorun..."
* https://www.virustot...sis/1454405380/

** https://malwr.com/an...zlmMzBmYjg0MTU/
91.202.12.139: https://www.virustot...39/information/
>> https://www.virustot...9d4c3/analysis/

*** https://www.virustot...sis/1454514020/
___

Fake 'Fuel Card E-bill' SPAM - malicious attachment
- http://blog.dynamoo....ard-e-bill.html
4 Feb 2016 - "This -fake- financial spam does not come from Fuel Card Services Ltd but is instead a simple
-forgery- with a malicious attachment:
    From     "Fuel Card Services" [adminbur@ fuelcardgroup .com]
    Date     Thu, 04 Feb 2016 04:29:24 -0700
    Subject     BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016 ...
Account: B216552
Please find your e-bill 0200442 for 31/01/2016 attached.
To manage you account online please click ...
If you would like to order more fuel cards please click ...
If you have any queries, please do not hesitate to contact us.
Regards
Cards Admin.
Fuel Card Services Ltd ...

I have only seen one sample with an attachment named ebill0200442.xls which contains this malicious macro... which is different to recent Dridex macros, and is similar to one first seen yesterday. According to this Malwr report it downloads an executable from:
www .trulygreen .net/43543r34r/843tf.exe
... also reported is as a download location is:
www .mraguas .com/43543r34r/843tf.exe
If you look at the details of the Malwr report, it seems that the the script does creates a LOT of files all over the place. The dropped executable has a detection rate of 4/52* and according to this Hybrid Analysis** shows that it phones home to:
62.76.191.108 (Clodo-Cloud / IT-House, Russia)
This is the same IP address as seen earlier, put the payload has now changed. Blocking that IP would be wise, and I would suggest that blocking 62.76.184.0/21 is probably worth considering too.
* https://www.virustot...8bc6d/analysis/

** https://www.hybrid-a...environmentId=4

- http://myonlinesecur...dsheet-malware/
4 Feb 2016 - "... an email with the subject of 'BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016' pretending to come from 'Fuel Card Services <adminbur@ fuelcardgroup .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Fuel Card Services <adminbur@ fuelcardgroup .com>
Date: Thu 04/02/2016 12:31
Subject: BP Fuel Card E-bill 0200442 for Account B216552 31/01/2016
Attachment: ebill0200442.xls ...
Account: B216552
Please find your e-bill 0200442 for 31/01/2016 attached.
To manage you account online please click ...
If you would like to order more fuel cards please click ...
If you have any queries, please do not hesitate to contact us.
Regards
Cards Admin...

4 February 2016: ebill0200442.xls - Current Virus total detections 4/52*
This will download Dridex banking Trojans from
http ://www .mraguas .com/43543r34r/843tf.exe  (VirusTotal 4/52**)
Other locations so far discovered include
http ://clothesmaxusa .com/43543r34r/843tf.exe
http ://cluster007.ovh .net/~lelodged/43543r34r/843tf.exe
http ://69.61.48.46 /43543r34r/843tf.exe
http ://www .trulygreen .net/43543r34r/843tf.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1454588668/

** https://www.virustot...sis/1454588381/
___

Fake Amazon Mail - Phish ...
- https://blog.malware...nt-information/
Feb 4, 2016 - "From the mailbox: a -fake- Amazon mail which attempts to persuade the lucky recipient that they have the chance to win £10 in return for completing a quick survey. The mail, titled “ΙD: 569369943” and claiming to be from “members support” / message@ notice-amazon(dot)com, reads as follows:
'As a valued customer we would like to present you with an opportunity to make a quick buck. We are offering £10 each to a selected number of customers in exchange for completing a quick survey relating to our service. Your opinions and thoughts are vital in order for us to provide the best possible service..'
> https://blog.malware...amznsignin0.jpg
... the link directed eager clickers from what looked to be a compromised home and gardens website (now offline) to:
amazon-update-account-awd547324897457(dot)tube-gif-converter(dot)com/Login(dot)php
... where the site asked for Amazon login credentials:
>> https://blog.malware...amznsignin1.jpg
After this, the next page requested full-payment-information including address, phone number, credit card details, sort code / bank-account-number and “security question” too. At time of writing, both the initial redirection site and the phishing page(s) are both down for the count. Of course, scammers will likely resurrect this fake Amazon £10 survey reward / swipe your banking information tactic elsewhere so it pays to have an idea what they’re up to at all times. At this point, we’d usually suggest looking out for the green padlock / verified identity advice typically given near the end of a “Don’t get phished” blog. However, HTTPS isn’t deployed across the entirety of Amazon – only the pages where it’s really needed, such as login / payment and so on. All the same, it’s good practice to check for a green padlock / identity information anytime you’re asked to login or submit potentially sensitive data. Follow these simple steps, and you’re probably going to be safe from this type of attack. As a final tip, be very wary around emails claiming you’ve been entered into surveys or competitions – and if you see well known brands sending you odd mails about “making a quick buck”, you may want to run the other way."

notice-amazon(dot)com: 172.99.89.200: https://www.virustot...00/information/
 

  

Edited by AplusWebMaster, 04 February 2016 - 11:45 AM.

[AplusWebMaster]

FYI...

Fake 'Scanned file' SPAM – JS malware
- http://myonlinesecur...malware-dridex/
8 Feb 2016 - "An email with the subject of 'Scanned file from Optivet Referrals' pretending to come from Optivet Referrals <reception@ mail13.wdc04.mandrillapp .com> on behalf of Optivet Referrals <reception@ optivet .com> with a .JS attachment is another one from the current bot runs... The email looks like:
From: Optivet Referrals <reception@ mail13.wdc04.mandrillapp .com>; on behalf of; Optivet Referrals <reception@ optivet.com>
Date: Mon 08/02/2016 08:08
Subject: Scanned file from Optivet Referrals
Attachment: 4060395693402.tiff.js
    Dear Sir/Madam
    Please find attached a document from Optivet Referrals.  
    Yours faithfully
    The Reception Team at Optivet.
    Optivet Referrals Ltd. Company Reg. No. 06906314. Registered office: Calyx House, South Road, Taunton, Somerset. TA1 3DU
    Optivet Referrals Ltd. may monitor email traffic data and also the content of email for the purposes of security and staff training.
    This message is private and confidential. If you have received this message in error, please notify us and remove it from your system...

8 February 2016: 4060395693402.tiff.js - Current Virus total detections 1/54*
MALWR** shows it downloads Dridex banking Trojan from http ://zuhr-kreativ .com/98876hg5/45gt454h
(VirusTotal 0/55***) which is downloaded as a text file and the javascript file  renames it to pVSgp3Qo.scr (or other random named scr file) and automatically runs it (virustotal 3/54[4]). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an image file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1454922441/

** https://malwr.com/an...2JkNTlkYThjMTE/
50.87.89.243
188.40.224.73
184.28.188.112

*** https://www.virustot...sis/1454923278/

4] https://www.virustot...sis/1454923099/
TCP connections
188.40.224.73: https://www.virustot...73/information/
13.107.4.50: https://www.virustot...50/information/
___

Fake 'Invoices' SPAM - malicious attachment
- http://blog.dynamoo....umentation.html
8 Feb 2016 - "This -fake- financial spam does not come from Crosswater Holdings, but it is instead a simple -forgery- with a malicious attachment:
    From:    CreditControl@ crosswater .co.uk
    Date:    8 February 2016 at 10:34
    Subject:    Accounts Documentation - Invoices
    Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.
    If you have any queries please do not hesitate to contact the Credit Controller who deals with your account...

Attached is a malicious script ~13190.js which comes in at least two different variants (VirusTotal [1] [2]). According to automated analysis [3]... these scripts download from:
hydroxylapatites7.meximas .com/98876hg5/45gt454h
80.109.240.71 /~l.pennings/98876hg5/45gt454h
This drops an executable with a detection rate of 3/53[4] which appears to phone home** to:
188.40.224.73 (NoTag, Germany)
I strongly recommend that you -block- traffic to that IP address. The payload is likely to be the Dridex banking trojan."
1] https://www.virustot...sis/1454938464/

2] https://www.virustot...sis/1454938475/

3] https://malwr.com/an...mJlYzhmOGQ4ODA/
31.170.165.165
31.170.160.60

* https://www.virustot...sis/1454938652/

** https://www.hybrid-a...environmentId=4
80.109.240.71: https://www.virustot...71/information/
188.40.224.73: https://www.virustot...73/information/
___

Fake 'Scanned Referral' SPAM - JS malware
- http://myonlinesecur...malware-dridex/
8 Feb 2016 - "An email with the subject of 'Scanned file from Optivet Referrals' pretending to come from Optivet Referrals <reception@ mail13.wdc04.mandrillapp .com>; on behalf of Optivet Referrals <reception@ optivet .com> with a .JS attachment is another one from the current bot runs... The email looks like:
From: Optivet Referrals <reception@ mail13.wdc04.mandrillapp .com>; on behalf of; Optivet Referrals <reception@ optivet .com>
Date: Mon 08/02/2016 08:08
Subject: Scanned file from Optivet Referrals
Attachment: 4060395693402.tiff.js
    Dear Sir/Madam
    Please find attached a document from Optivet Referrals.  
    Yours faithfully
    The Reception Team at Optivet...

8 February 2016: 4060395693402.tiff.js - Current Virus total detections 1/54*  
MALWR** shows it downloads Dridex banking Trojan from http ://zuhr-kreativ .com/98876hg5/45gt454h
(VirusTotal 0/55***) which downloaded is downloaded as a text file and the javascript file -renames- it to pVSgp3Qo.scr (or other random named scr file) and automatically runs it (virustotal 3/54[4]). This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like an image file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1454922441/

** https://malwr.com/an...2JkNTlkYThjMTE/
50.87.89.243
188.40.224.73
184.28.188.112

*** https://www.virustot...sis/1454923278/

4] https://www.virustot...sis/1454923099/
___

'IoT'hings not always so somforting
- http://blog.talosint.../trane-iot.html
Feb 8, 2015 - "Over the past few years, the Internet of Things (IoT) has emerged as reality with the advent of smart refrigerators, smart HVAC systems, smart TVs, and more. Embedding internet-enabled devices into everything presents new opportunities in connecting these systems to each other, making them "smarter" and making our lives more convenient than ever before. Despite the new possibilities, there are major concerns about the IoT which inspire a legitimate question: 'What happens if it's not 'done right' and there are major vulnerabilities with the product?'. The unfortunate truth is that securing internet-enabled devices is not always a high priority among vendors and manufacturers. Some manufactures do not have the necessary infrastructure to inform the public about security updates or to deliver them to devices. Other manufacturers are unaccustomed to supporting products past a certain time, even if a product's lifespan may well exceed the support lifecycle. In other cases, the lack of a secure development lifecycle or a secure public portal to report security defects makes it near impossible for researchers to work with a vendor or manufacturer. These problems expose users and organizations to greater security risks and ultimately highlight a major problem with the Internet of Things. What does this mean for the average user? For starters, a smart device on their home or office network could contain -unpatched- vulnerabilities. Adversaries attacking the weakest link could exploit a vulnerable IoT device, then move laterally within an organization's network to conduct further attacks. Additionally, patching vulnerable devices can be complicated, if not impossible, for the average user or for those who are not technically savvy. For organizations that maintain large amounts of IoT devices on their network, there may not be a way to update a device that scales, creating a nightmare scenario... Despite these advancements and added convenience, we should not consider security as an afterthought. Nor should vendors and manufacturers, as the consequences could result in major, real-world repercussions (as opposed to those that exist solely on TV)..."
More detail at the talosintel URL above.)
 

  

Edited by AplusWebMaster, 08 February 2016 - 03:57 PM.

[AplusWebMaster]

FYI...

Fake -blank subject- SPAM - malicious attachment
- http://myonlinesecur...malware-dridex/
Feb 9, 2016 - "... an email with no subject pretending to come from accounts_do_not_reply@ aldridgesecurity .co.uk with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: accounts_do_not_reply@ aldridgesecurity .co.uk
Date: Tue 09/02/2016 08:07
Subject:  NONE
Attachment: document2016-02-09-103153.doc
Body content:
    Accounts

9 February 2016: document2016-02-09-103153.doc - Current Virus total detections 5/54*
Downloads Dridex banking malware from http ://promo.clickencer .com/4wde34f/4gevfdg (VirusTotal 0/54**) which is saved/downloaded as a text file and converted to label8.exe (VirusTotal 0/54***) by the macro and then autorun -  MALWR[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455008860/

** https://www.virustot...sis/1455010031/

*** https://www.virustot...sis/1455010031/

4] https://malwr.com/an...DkwMmI4NWQ5NTg/
66.7.195.81
50.56.184.194
184.25.56.42

- http://blog.dynamoo....m-accounts.html
Feb 9, 2016 - "This rather terse spam does not come from Aldridge Security but it is instead a simple forgery with a malicious attachment. There is no subject.
    From     [accounts_do_not_reply@ aldridgesecurity .co.uk]
    Date     Tue, 09 Feb 2016 10:31:14 +0200
    Subject    
    Accounts

I have only seen a single sample with an attachment document2016-02-09-103153.doc which has a VirusTotal detection rate of 5/54*. Automated analysis [1] [2] shows that it downloads a malicious executable from:
promo.clickencer .com/4wde34f/4gevfdg
This has a detection rate of 5/54**. Those analyses indicates that the malware phones home to:
50.56.184.194 (Rackspace, US)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
* https://www.virustot...sis/1455011714/

1] https://malwr.com/an...DkwMmI4NWQ5NTg/

2] https://www.hybrid-a...environmentId=4

** https://www.virustot...sis/1455011714/
___

Fake 'statement' SPAM - doc malware jpg
- http://myonlinesecur...ted-from-a-jpg/
9 Feb 2016 - "An email with the subject of 'Fw:Nibh Donec Est LLC. statement' pretending to come from random senders at random email addresses with a malicious word doc attachment is another one from the current bot runs... The company in the subject matches the company in the body. The subjects vary but are all related to statements. Some subjects include:
Fw:Nibh Donec Est LLC. statement
Fwd:Quis Massa Mauris PC. statement
Re:Tellus Aenean LLP – statement
Aliquet Lobortis LLC – statement
The email looks like:
From: Brittany Hood <gerados@gerados .info>
Date: Tue 09/02/2016 06:06
Subject: Fw:Nibh Donec Est LLC. statement
Attachment: 62YDP.doc
    Please find attached a statement
    Best regards
    Nibh Donec Est LLC
    Brittany Hood

9 February 2016: 62YDP.doc - Current Virus total detections 2/54*
MALWR** shows a download from http ://inroadsdevelopment .us/ht.jpg?RZ9lqw4jFWvx=35 which delivers ht.jpg (VirusTotal 9/53***) which is decoded by a combination of the -macro- in the word doc and a dropped/extracted VBS file 12047.vbs (VirusTotal 1/51[4]) to give you 1204745.exe (VirusTotal 5/54[5])...
inroadsdevelopment .us: 192.185.16.61: https://www.virustot...61/information/
>> https://www.virustot...9c1cd/analysis/
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1454998395/

** https://malwr.com/an...DMwN2IwNjUzNzY/

*** https://www.virustot...sis/1454998178/

4] https://www.virustot...sis/1454999501/

5] https://www.virustot...sis/1454999510/
 

  

Edited by AplusWebMaster, 09 February 2016 - 07:44 AM.

[AplusWebMaster]

FYI...

Fake 'SERVICE SHEET' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
10 Feb 2016 - "An email with the subject of 'Emailing: MX62EDO 10.02.2016' pretending to come from documents@ dmb-ltd .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: documents@ dmb-ltd .co.uk
Date: Wed 10/02/2016 08:18
Subject: Emailing: MX62EDO  10.02.2016
Attachment: MX62EDO  10.02.2016.doc
    Your message is ready to be sent with the following file or link
    attachments:
    MX62EDO 10.02.2016 SERVICE SHEET
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled...

10 February 2016: MX62EDO  10.02.2016.doc - Current Virus total detections 5/54*
MALWR** shows us a download of Dridex banking malware from
http ://g-t-c .co.uk/09u8h76f/65fg67n (VirusTotal 0/54***) Which is once again as seen in previous runs this last week, downloaded as a text file and -renamed- by the macro and saved to \%temp%\label8.exe where it is autorun (VirusTotal 4/54[4])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455095855/

** https://malwr.com/an...WM5ZWIwMmM2NGU/
185.11.240.14
87.229.86.20
13.107.4.50

*** https://www.virustot...sis/1455096865/

4] https://www.virustot...sis/1455097168/
TCP connections
87.229.86.20: https://www.virustot...20/information/
13.107.4.50: https://www.virustot...50/information/

- http://blog.dynamoo....o-10022016.html
10 Feb 2016
"... Recommended blocklist:
87.229.86.20
50.56.184.194
144.76.73.3 "
___

Fake 'New Doc 115' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
10 Feb 2016 - "... an email with the subject of 'New Doc 115' pretending to come from admin <ali73_20081475@ yahoo .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: admin <ali73_20081475@ yahoo .co.uk>
Date: Wed 10/02/2016 11:02
Subject: New Doc 115
Attachment: New Doc 115.doc
    Sent from Yahoo Mail on Android

10 February 2016: New Doc 115.doc - Current Virus total detections 5/54*
.. -same malware- and -same- download locations as today’s earlier malspam run** ..."
* https://www.virustot...sis/1455101427/

** http://myonlinesecur...rd-doc-malware/
___

Fake 'Message' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
10 Feb 2016 - "... an email with the subject of 'Message from KMBT_C224' pretending to come from copier @ your own company or email domain with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: copier@ victimdomain .tld
Date: Wed 10/02/2016 12:20
Subject: Message from KMBT_C224
Attachment: SKMBT_C22416020417390.xls

Body content: Empty

10 February 2016: SKMBT_C22416020417390.xls - Current Virus total detections 5/54*
MALWR** shows what should be a download of Dridex banking malware from
 http ://toptut .ru/09u8h76f/65fg67n - however when I tried, I got a '404 not found'.
NOTE: there -will- be other download locations in different versions of this... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455110388/

** https://malwr.com/an...WJkMDAyNTRlMDc/
85.10.201.19

toptut .ru: 85.10.201.19: https://www.virustot...19/information/
___

Fake 'DHL' SPAM - Teslacrypt
- http://myonlinesecur...are-teslacrypt/
10 Feb 2016 - "An email with the subject of 'DHL DeliverNow Notification Card on lost shipment (Third Notification)' pretending to come from DHL DeliverNow Network <zkfwgyh@ grafeia-teleton-kyriakidis .gr> (probably random email addresses with sender spoofed as DHL) with a zip attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...n--1024x769.png

25 February 2016: DHL_Notification_card.zip: Extracts to: file.zip which extracts to invoice_m7BNUn.js
Current Virus total detections 3/55*. MALWR** shows a download of what looks like Teslacrypt from either http ://fromjamaicaqq .com/26.exe or http ://greetingsfromitaff .com/26.exe (VirusTotal 4/55***).
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1455124017/

** https://malwr.com/an...jdhZTg5N2E2OGQ/
173.82.74.197
192.3.186.222

*** https://www.virustot...sis/1455124442/
 

  

Edited by AplusWebMaster, 10 February 2016 - 01:44 PM.