
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1651 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 11 February 2016 - 06:02 AM

FYI...

Fake 'Unpaid Invoice' SPAM - JS malware
- http://myonlinesecur...com-js-malware/
11 Feb 2016 - "An email with the subject of 'INT242343 Unpaid Invoice – Your Services May Be Suspended' pretending to come from payments <payments@ wavenetuk .com> with a zip attachment is another one from the current bot runs... The email looks like:
From: payments <payments@ wavenetuk .com>
Date: Thu 11/02/2016 08:38
Subject: INT242343 Unpaid Invoice – Your Services May Be Suspended
Attachment: OutstandingStatement201602111650.js
    PLEASE NOTE:  THIS IS A NO REPLY EMAIL ACCOUNT
    Dear Customer         Please find attached to this email your statement You can view the invoices listed on our e-billing site at www .netbills .co.uk If you have any queries regarding use of the e-billing site or this statement please call us on 08444 12 7777.
    Accounts Department Wavenet Group Incorporating – Titan Technology, Centralcom and S1 Network Services Tel 08444127777 ...


11 February 2016: OutstandingStatement201602111650.js - Current Virus total detections 0/54*
MALWR** shows a download of Dridex banking malware from
http ://aforbescompany .com/09u8h76f/65fg67n which once again is a text file that the javascript saves to & renames to %Temp%\sREKjVas.scr or another random named file (VirusTotal 2/55***)
Other download locations so far discovered include: http ://gp-training .net/09u8h76f/65fg67n ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1455183429/

** https://malwr.com/an...DUxMmJmODY2MWQ/
69.89.31.158
87.229.86.20
184.25.56.44


*** https://www.virustot...sis/1455183938/
TCP connections
87.229.86.20: https://www.virustot...20/information/
88.221.14.11: https://www.virustot...11/information/

- http://blog.dynamoo....id-invoice.html
11 Feb 2016 - "This spam does not come from Wavenet Group but is instead a simple -forgery- with a malicious attachment:
    From     payments [payments@ wavenetuk .com]
    Date     Thu, 11 Feb 2016 15:14:59 +0530
    Subject     INT242343 Unpaid Invoice - Your Services May Be Suspended
    PLEASE NOTE:  THIS IS A NO REPLY EMAIL ACCOUNT
    Dear Customer
            Please find attached to this email your statement
    You can view the invoices listed on our e-billing site at www .netbills .co.uk
    If you have any queries regarding use of the e-billing site or this statement please
    call us on 08444 12 7777.
    Accounts Department
    Wavenet Group
    Incorporating - Titan Technology, Centralcom and S1 Network Services
    Tel 08444127777 ...


I have only seen a single sample of this with an attachment OutstandingStatement201602111650.js which has a VirusTotal detection rate of 0/53*. The Malwr analysis shows that this script downloads an executable from:
gp-training .net/09u8h76f/65fg67n
There are probably a few other download locations. This binary has a detection rate of 2/54**. The Malwr report also indicates that it phones home to:
87.229.86.20 (ZNET Telekom Zrt, Hungary)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
* https://www.virustot...sis/1455185997/

** https://www.virustot...sis/1455186992/
TCP connections
87.229.86.20: https://www.virustot...20/information/
88.221.14.11: https://www.virustot...11/information/
___

Fake 'Confirmation' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
11 Feb 2016 - "An email with the subject of 'Confirmation' pretending to come from sales@ writeonltd .co.uk with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...td-1024x775.png

11 February 2016: Sales_Order_Confirmation__Priced_SORD00137058.doc - Current Virus total detections 5/55*
MALWR** is once again showing an attempted download from
http ://maraf0n.vv .si/09u8h76f/65fg67n which is giving a 404 not found and diverts to Russian hosting company home page... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455188335/

** https://malwr.com/an...mUxY2EzODVlMzE/
31.170.164.132: https://www.virustot...32/information/
31.170.160.60: https://www.virustot...60/information/
___

Fake 'Office Direct' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
11 Feb 2016 - "An email with the subject of 'UK Office Direct A/C OD04450155' pretending to come from office@ ukofficedirect .co.uk with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...55-1024x767.png

11 February 2016: Invoice_INV8000288979.doc - Current Virus total detections 5/54*
MALWR** shows an attempted download from http ://maraf0n.vv .si/09u8h76f/65fg67n but like all the others this morning is giving a 404 and redirects to Russian hosting company home page... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455187463/

** https://malwr.com/an...2ExMDM3MmUzZGE/
31.170.164.132: https://www.virustot...32/information/
31.170.160.60: https://www.virustot...60/information/
___

Fake 'Scan' SPAM - malicious attachment
- http://blog.dynamoo....650-please.html
11 Feb 2016 - "This -fake- document -scan- leads to malware. It appears to originate from within the victim's own domain, but it is just a simple forgery.
    From:    scanner@ victimdomain .tld
    Date:    11 February 2016 at 10:24
    Subject:    Scan from KM1650
    Please find attached your recent scan


Attached is a file =SCAN7318_000.DOC which seems to come in several different varieties (sample VirusTotal results [1]..). The Malwr reports [4].. indicate that the macro in the document downloads a malicious executable from:
maraf0n.vv .si/09u8h76f/65fg67n
www .sum-electronics .co.jp/09u8h76f/65fg67n
The dropped executable has a detection rate of 2/54*. As with this earlier spam run** it phones home to:
87.229.86.20 (ZNET Telekom Zrt, Hungary)
-Block- traffic to that IP. The payload is the Dridex banking trojan."
1] https://www.virustot...sis/1455191710/

4] https://malwr.com/an...zAzZDg0YWIxMWY/

* https://www.virustot...sis/1455192649/
TCP connections
87.229.86.20: https://www.virustot...20/information/

>> https://www.virustot...923cb/analysis/
88.221.14.11: https://www.virustot...11/information/

** http://blog.dynamoo....id-invoice.html
___

Fake 'Sage Pay Invoice' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
11 Feb 2016 - "An email with the subject of 'Your Sage Pay Invoice INV00318132' pretending to come from  Sagepay EU <accounts@ sagepay .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Sagepay EU <accounts@ sagepay .com>
Date: Thu 11/02/2016 13:01
Subject: Your Sage Pay Invoice INV00318132
Attachment: INV00318132_V0072048_12312014.xls
    Please find attached your invoice.
    We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones. You should have already received an email that outlined the changes, however if you have any questions please contact ...


11 February 2016: INV00318132_V0072048_12312014.xls - Current Virus total detections 4/54*
MALWR** shows a download of Dridex banking malware from
http ://www .phraseculte .fr/09u8h76f/65fg67n (VirusTotal 3/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455199262/

** https://malwr.com/an...2MyNjE0ODA2ZmY/
46.21.207.156
84.38.67.231
13.107.4.50


*** https://www.virustot...sis/1455198516/
TCP connections
84.38.67.231: https://www.virustot...31/information/
>> https://www.virustot...af65b/analysis/
104.86.111.136: https://www.virustot...36/information/

- http://blog.dynamoo....ay-invoice.html
11 Feb 2016 - "...  a simple -forgery- with a malicious attachment... Attached is a file INV00318132_V0072048_12312014.xls which appears to come in a wide variety of different versions (at least -11-). The VirusTotal detection rate for a subset of these is 6/54[1]...  Only a single Malwr report* seemed to work, indicating the macro downloading from:
www .phraseculte .fr/09u8h76f/65fg67n
This dropped executable has a detection rate of 3/54**. The Malwr report shows it phoning home to:
84.38.67.231 (ispOne business GmbH, Germany)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
1] https://www.virustot...023ee/analysis/

* https://malwr.com/an...2MyNjE0ODA2ZmY/
46.21.207.156
84.38.67.231
13.107.4.50


** https://www.virustot...sis/1455203414/
TCP connections
84.38.67.231: https://www.virustot...31/information/
>> https://www.virustot...af65b/analysis/
104.86.111.136: https://www.virustot...36/information/
___

We might use your 'IoT stuff' to spy on you ...
- https://nakedsecurit...-james-clapper/
Feb 11, 2016 - "... think that it could be 'Big Brother' doing the eyeballing, be it through your internet-connected fridge, your toothbrush, or your TV...  the Internet of Things, or IoT: that collection of connected gadgets that have plenty of 'neat-o!' factor but which, all too often, are pockmarked with security holes:
> https://nakedsecurit...ant-to-get-off/
... IoT refers to a whole class of day-to-day 'things' that are now being offered with built-in network connectivity. These everyday objects can directly hook into the internet, all on their own, rather than needing to first be plugged into a computer connected to the internet. The emergence of the IoT has been accompanied by a torrent of stories about security researchers and malicious hackers breaking into all manner of objects... We’ve seen issues with connected kettles, TVs, lightbulbs, thermostats, refrigerators and baby monitors that have all been designed without adherence to the information security principle of least privilege:
> https://en.wikipedia...least_privilege
 But one person’s security hole is another person’s opportunity. To intelligence agencies, IoT devices could illuminate an environment that they claim is 'going dark' due to new forms of encryption being used in consumer products and services... Wired* quoted remarks he made at a summit for In-Q-Tel, the CIA’s venture capital firm:
    'Transformational' is an overused word, but I do believe it properly applies to these technologies, particularly to their effect on clandestine tradecraft' ..."
* http://www.wired.com...aeus-tv-remote/
___

Malware Found in 3rd Party App Stores
- http://blog.trendmic...rty-app-stores/
Feb 10, 2016 - "... Because some users have concerns with the app giant Google Play, they choose to download apps from third-party stores. For instance, there are no region locks for apps in some third-party app stores. Some developers of paid apps even partner with third-party app stores with purchase capability to give those who download from the partnered store considerable discounts. Third-party app stores can also be the preferred store due to its popularity in a specific region. Android users have to keep in mind that installing apps from these third-party app stores requires users to allow the installation from 'unknown sources'. Malicious apps have a history of popping up from these third party websites, a reason why it is often recommended that Android users -must- stick to Google Play. Because of Google’s security measures, we believe it is the safest platform for downloading apps. It is worth noting, however, that third-party app stores are implementing means to tighten their security. Malicious apps were recently seen making the rounds in some third-party app stores. They spoof popular apps, increasing the chances of getting selected and downloaded. These include popular mobile games, mobile security apps, camera apps, music streaming apps, and so on. They even share the exact same package and certification with their Google Play counterpart... However, the malware only downloads and installs other apps -without- the user’s knowledge. These secretly downloaded apps will then present themselves as ads luring users to downloading other apps from time to time. It can also be used to collect user data and forward them to the attacker. Based on the data from our Trend Micro Mobile App Reputation Service, there are -1,163- malicious APKs detected as ANDROIDOS_ LIBSKIN.A. 
In addition, between January 29 and February 1, malicious apps detected as this malware have been downloaded in -169- countries and can be found in -four- third party app stores, namely Aptoide, Mobogenie, mobile9, and 9apps. We have already contacted these stores and informed them about these threats, but as of this writing, we have yet to receive any confirmation from their end...
> https://blog.trendmi...ous-apps-01.png
... The popups lure users into clicking-unwanted-apps. Clicking-on-the-ads may not necessarily lead the user to the respective app or site. Other than that, ANDROIDOS_ LIBSKIN.A can also collect users’ data and send them back to a remote malicious user. This includes data about the user’s phone, subscription IDs, device ID, language, network type, apps running, network name, and so on... we do warn users to approach downloading apps with caution. One option that users may do to avoid downloading fake apps is to download the app from the developer’s website. They may also check the -reputation- of the store before downloading anything..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 11 February 2016 - 03:27 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
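The 'Unpaid Invoice' run quoted above delivers a .js script inside a zip that, with file extensions hidden, passes for a document. The following is an added example (not code from the forum post or from the blogs it quotes) of a mail-gateway style check that walks a MIME message, opens zip attachments in memory and flags script, executable and macro-enabled file types, including names such as invoice.doc.js that put a document extension in front of the real one. The message, the zip and the addresses at example.invalid are constructed here; only the attachment name is taken from the post.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment types a mail gateway should quarantine rather than deliver.
# The script and screensaver extensions come from the JS run quoted above;
# the macro-enabled Office types are the other lures in this thread.
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".scr", ".exe", ".docm", ".xlsm"}

# Extensions a lure imitates when it hides its real type, e.g. invoice.doc.js
DOCUMENT_LIKE = {".doc", ".docx", ".xls", ".pdf", ".txt"}


def suffix(name):
    """Lower-cased final extension of a filename, '' when there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def disguised(name):
    """True when the name carries a document-like extension in front of a risky one."""
    parts = name.lower().split(".")
    return (len(parts) >= 3
            and "." + parts[-2] in DOCUMENT_LIKE
            and "." + parts[-1] in RISKY_EXTENSIONS)


def screen_message(raw):
    """Walk a raw RFC 5322 message and return (attachment, member, reason) findings.

    Zip attachments are opened in memory so that a script wrapped in an archive,
    as in the 'Unpaid Invoice' run, is judged by the name of the file inside.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if suffix(name) == ".zip":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                findings.append((name, None, "zip attachment could not be read"))
                continue
            for member in members:
                if disguised(member):
                    findings.append((name, member, "document-like name hiding " + suffix(member)))
                elif suffix(member) in RISKY_EXTENSIONS:
                    findings.append((name, member, "risky type " + suffix(member) + " inside zip"))
        elif disguised(name):
            findings.append((name, None, "document-like name hiding " + suffix(name)))
        elif suffix(name) in RISKY_EXTENSIONS:
            findings.append((name, None, "risky type " + suffix(name)))
    return findings


def build_sample_message():
    """Constructed lure in the shape of the run quoted above; not a real capture."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        # Placeholder body; only the file name matters to the check.
        zf.writestr("OutstandingStatement201602111650.js", "// placeholder\n")
    msg = EmailMessage()
    msg["From"] = "payments@example.invalid"  # assumed sender, not the spoofed one
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "INT242343 Unpaid Invoice"
    msg.set_content("Please find attached to this email your statement")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="OutstandingStatement201602111650.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in screen_message(build_sample_message()):
        print(finding)
```

The check judges the member name inside the archive, not the archive's own name, which is the point of the zip wrapper in this run; a gateway that only looks at the outer .zip sees nothing. Unreadable archives are reported rather than silently passed, since a deliberately corrupt or encrypted zip is itself worth a look.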



#1652 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 12 February 2016 - 06:51 AM

FYI...

Fake 'DVSA' SPAM - malicious attachment
- http://blog.dynamoo....sa-receipt.html
12 Feb 2016 - "This spam email does not come from a UK government agency, but is instead a simple -forgery- with a malicious attachment. Note that the sender's email address seems to vary slightly, but all are spoofed to come from vosa.gsi .gov.uk.
    From     FPO.CC.15@ vosa.gsi .gov.uk
    Date     Fri, 12 Feb 2016 12:47:20 +0300
    Subject     DVSA RECEIPT
    Good afternoon
    Please find attached your receipt, sent as requested.
    Kind regards
    (See attached file)
    Fixed Penalty Office
    Driver and Vehicle Standards Agency ...


Attached is a file Fixed Penalty Receipt.docm which comes in at least -ten- different variants... I captured two samples with detection rate of about 3/54 [1] [2] and the Malwr reports for those [3] [4] indicate the macro in the document downloads a malicious executable from:
raysoft .de/09u8h76f/65fg67n
xenianet .org/09u8h76f/65fg67n
steinleitner-online .net/09u8h76f/65fg67n [reported here (5)]
This dropped file has a detection rate of 5/54* ... This Hybrid Analysis report** indicates subsequent traffic to:
192.100.170.19 (Universidad Tecnologica de la Mixteca, Mexico)
87.229.86.20 (ZNET Telekom Zrt, Hungary)
84.38.67.231 (ispOne business GmbH, Germany)
The payload is the Dridex banking trojan.
Recommended blocklist:
192.100.170.19
87.229.86.20
84.38.67.231
"
1] https://www.virustot...sis/1455274179/

2] https://www.virustot...sis/1455275696/

3] https://malwr.com/an...DI2MTUyM2E5MjQ/

4] https://malwr.com/an...jRiMTQyODdhMzA/

5] https://www.virustot...sis/1455274504/

* https://www.virustot...sis/1455274504/

** https://www.hybrid-a...environmentId=4
___

Fake 'Fuelcard' SPAM - doc/xls malware
- http://myonlinesecur...heet-malware-2/
12 Feb 2016 - "An email with the subject of 'Your latest invoice' from The Fuelcard Company UK Ltd pretending to come from customerservice@ fuelcards .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: customerservice@ fuelcards .co.uk
Date: Fri 12/02/2016 10:16
Subject: Your latest invoice from The Fuelcard Company UK Ltd
Attachment: invoice.xls
    Please find your latest invoice attached.
    If you have any queries please do not hesitate to contact our Customer Service Team at customerservice@fuelcards.co.uk
    Regards
    The Fuelcard Compa
    The Fuelcard Company UK Ltd ...


12 February 2016: invoice.xls - Current Virus total detections 5/53*
MALWR** shows a download of what is almost certainly Dridex Banking Trojan from
http ://web82 .snake.kundenserver42 .de/09u8h76f/65fg67n (VirusTotal 5/53***)
Other download locations include: http ://raysoft .de/09u8h76f/65fg67n
http ://steinleitner-online .net/09u8h76f/65fg67n
http ://www .xenianet .org/09u8h76f/65fg67n
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455275820/

** https://malwr.com/an...WUxZGJjNTA2OTQ/
195.93.200.140
192.100.170.19
13.107.4.50


*** https://www.virustot...sis/1455276505/
TCP connections
192.100.170.19
13.107.4.50
87.229.86.20


- http://blog.dynamoo....voice-from.html
12 Feb 2016 - "... Hybrid Analysis* shows that this particular sample downloads from:
legismar .com/09u8h76f/65fg67n
This is the -same- executable as found in this earlier spam run**."
* https://www.hybrid-a...environmentId=4

** http://blog.dynamoo....sa-receipt.html
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 12 February 2016 - 09:15 AM.



#1653 AplusWebMaster


Posted 15 February 2016 - 07:19 AM

FYI...

Fake 'Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
15 Feb 2016 - "An email with the subject of 'Invoice (w/e 070216)' pretending to come from Kelly Pegg <kpegg@ responserecruitment .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Kelly Pegg <kpegg@ responserecruitment .co.uk>
Date: SKM_C3350160212101601 .docm
Subject: Invoice (w/e 070216)
Attachment: SKM_C3350160212101601.docm
    Good Afternoon
    Please find attached invoice and timesheet.
    Kind Regards
    Kelly


15 February 2016: SKM_C3350160212101601.docm - Current Virus total detections 7/54*
MALWR** shows a download of Dridex banking Trojan from
 http ://216.158.82.149 /09u8h76f/65fg67n (VirusTotal 4/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455537274/

** https://malwr.com/an...zk2OTlkYmIyMWU/
216.158.82.149: https://www.virustot...49/information/
>> https://www.virustot...aa391/analysis/
5.45.180.46
13.107.4.50

*** https://www.virustot...sis/1455536293/
TCP connections
5.45.180.46
13.107.4.50

- http://blog.dynamoo....0216-kelly.html
15 Feb 2016 - "... Attached is a file SKM_C3350160212101601.docm which comes in -several- different variants. The macro in the document attempts to download a malicious executable from:
216.158.82.149 /09u8h76f/65fg67n
sstv.go .ro/09u8h76f/65fg67n
www .profildigital .de/09u8h76f/65fg67n
This dropped a malicious executable with a detection rate of 6/54* which according to these automated analysis tools [1] [2] calls home to:
5.45.180.46 (B & K Verwaltungs GmbH, Germany)
I strongly recommend that you -block- traffic to that address. The payload is the Dridex banking trojan."
* https://www.virustot...9433c/analysis/
TCP connections
5.45.180.46: https://www.virustot...46/information/
>> https://www.virustot...385ee/analysis/
13.107.4.50: https://www.virustot...50/information/

1] https://malwr.com/an...TEyNDBjODRiNmI/
5.45.180.46
184.25.56.44

2] https://www.hybrid-a...environmentId=4
___

Fake 'Overdue Invoice' SPAM - malicious attachment
- http://blog.dynamoo....ice-012345.html
15 Feb 2016 - "This malicious spam appears to come from many different senders and companies. It has a malicious attachment:
    From:    Brandi Riley [BrandiRiley21849@ horrod .com]
    Date:    15 February 2016 at 12:20
    Subject:    Overdue Invoice 089737 - COMS PLC
    Dear Customer,
    The payment is overdue. Your invoice appears below. Please remit payment at your earliest convenience.
    Thank you for your business - we appreciate it very much.
    Sincerely,
    Brandi Riley
    COMS PLC


Attached is a file in the format INVOICE-UK865916 2015 NOV.doc which comes in several different versions (VirusTotal results [1] [2] [3]). The Hybrid Analysis* shows an attempted download from:
node1.beckerdrapkin .com/fiscal/auditreport.php
This is hosted on an IP that you can assume to be malicious:
193.32.68.40 (Veraton Projects, BZ / DE)
The dropped executable (detection rate 4/54**) then phones home to:
194.58.92.2 (Reg.Ru Hosting, Russia)
202.158.123.130 (Cyberindo Aditama, Indonesia)
185.24.92.229 (System Projects LLC, Russia)
The payload is the Dridex banking trojan.
Recommended blocklist:
193.32.68.40
194.58.92.2
202.158.123.130
185.24.92.229
"
1] https://www.virustot...sis/1455541445/

2] https://www.virustot...sis/1455541455/

3] https://www.virustot...8e6b1/analysis/

* https://www.hybrid-a...environmentId=4

** https://www.virustot...sis/1455542606/
TCP connections
202.158.123.130: https://www.virustot...30/information/
81.52.160.146: https://www.virustot...46/information/
185.24.92.229: https://www.virustot...29/information/
>> https://www.virustot...f02fa/analysis/
___

Dyre Trojan - gone dark...
- https://securityinte...sted-in-moscow/
Feb 9, 2016 - "... Reuters reports* that a police raid took place in November 2015 in a downtown Moscow high-rise. The operation reportedly took place inside the offices of a film distribution and production company called 25th Floor, which is, ironically, in the midst of producing a movie called 'Botnet', loosely based on a 2010 cybercrime case... IBM X-Force researchers indicate that Dyre, which has been a constantly evolving threat, fell silent in November 2015. According to IBM Trusteer, malware infection rates dropped sharply in mid-November, with new user infections appearing in the single digits per day at most. Beyond the drop in new infections, which signified the halt of spam/exploit kit campaigns, Dyre’s configuration-update-servers and its real-time-webinjection-server were -both- disconnected from the Internet as the malware ceased generating attempted fraudulent transactions. A week later, in late November, Dyre’s redirection attack servers also went dark:
> https://static.secur...cks_Flatten.png
It has been close to three months now since Dyre went silent. This in and of itself could have been a pause taken by its operators, an occurrence that happens from time to time; in September 2015, Dridex, too, went silent for almost a month. But cybercrime gangs like Dyre do not typically stay out of the game for three whole months unless they are in trouble. And trouble is apparently what befell the Dyre crew in Moscow last November. Dyre is considered one of the most advanced banking Trojans active in the wild today. Beyond the technical level of its attacks, Dyre is prolific in different parts of the globe and has made its mark as the most active Trojan family in 2015, according to IBM Trusteer data:
> https://static.secur...Top_Bankers.png
If the gang operating Dyre has indeed been apprehended in Russia, the event will go down as one of the most significant cybercrime busts in history. More than its magnitude in terms of the fraud losses that will be spared, it will be one of the most noteworthy operations carried out against cybercrime on Russian soil by Russian authorities... Dyre’s absence will also give a bigger market share to other malware like Dridex, for example, which, according to IBM X-Force researchers, has been enhancing its attack methods to match Dyre’s and focusing on high-value business and corporate accounts in the U.K. and the U.S., which closely resembles Dyre’s path through the year before the raid..."  
* http://www.reuters.c...e-idUSKCN0VE2QS
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 15 February 2016 - 01:38 PM.



#1654 AplusWebMaster


Posted 16 February 2016 - 06:44 AM

FYI...

Fake 'Remittance Advice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
16 Feb 2016 - "An email with the subject of 'Remittance Advice : Tue, 16 Feb 2016 16:55:29 +0800' pretending to come from fmis@ oldham .gov.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: fmis@ oldham .gov.uk
Date: Tue 16/02/2016 08:55
Subject: Remittance Advice : Tue, 16 Feb 2016 16:55:29 +0800
Attachment: 201602_4_2218.docm
Confidentiality: This email and its contents and any attachments are intended
only for the above named. As the email may contain confidential or legally privileged information,
if you are not, or suspect that you are not, the above named or the person responsible
for delivery of the message to the above named, please delete or destroy the
email and any attachments immediately.
Security and Viruses: This note confirms that this email message has been
swept for the presence of computer viruses...


16 February 2016: 201602_4_2218.docm - Current Virus total detections 5/54*
MALWR** shows a download of Dridex banking Trojan from
 http ://lepeigneur .power-heberg .com/09u8h76f/65fg67n (VirusTotal 4/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455613213/

** https://malwr.com/an...2IyMzJhNDFhNDA/
91.238.72.69
151.248.117.140
184.25.56.42


*** https://www.virustot...sis/1455613578/
TCP connections
151.248.117.140: https://www.virustot...40/information/
>> https://www.virustot...2767c/analysis/
104.86.111.136: https://www.virustot...36/information/

- http://blog.dynamoo....remittance.html
16 Feb 2016 - "... This spam is related to this one*. Automated analysis of the samples [1]... plus some private sources indicate download locations for this and other related campaigns today at:
labelleflowers .co.uk/09u8h76f/65fg67n
lepeigneur.power-heberg .com/09u8h76f/65fg67n
yurtdisiegitim .tv/09u8h76f/65fg67n
hg9.free .fr/09u8h76f/65fg67n
jtonimages.perso.sfr .fr/09u8h76f/65fg67n
test.blago .md/09u8h76f/65fg67n
This file has a detection rate of 3/54**. According to those reports, it phones home to:
151.248.117.140 (Reg.ru, Russia)
87.229.86.20 (Znet Telekom, Hungary)
50.56.184.194 (Rackspace, US)
Recommended blocklist:
151.248.117.140
87.229.86.20
50.56.184.194
"
* http://blog.dynamoo....t-accounts.html

1] https://malwr.com/an...mNjODZlYmU0NTA/
91.238.72.69

** https://www.virustot...sis/1455625563/
___

Fake 'receipt' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
16 Feb 2016 - "An email with the subject of 'receipt' pretending to come from Accounts <accounts@ aacarpetsandfurniture .co.uk> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Accounts <accounts@ aacarpetsandfurniture .co.uk>
Date: Tue 16/02/2016 08:22
Subject: receipt
Attachment: CCE06102015_00000.docm
    Please find attached receipt
    Kind Regards
    Christine ...


16 February 2016: CCE06102015_00000.docm - Current Virus total detections 5/54*
.. it will be downloading Dridex probably from -same- locations as today’s other versions (.. waiting for analysis and will update later)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455615125/

- http://blog.dynamoo....t-accounts.html
16 Feb 2016 - "This -fake- financial spam does not come from AA Carpets and Furniture, but is instead a simple -forgery- with a malicious attachment:
    From     "Accounts" [accounts@ aacarpetsandfurniture .co.uk]
    Date     Tue, 16 Feb 2016 02:15:52 -0700
    Subject     receipt
    Please find attached receipt
    Kind Regards
    Christine ...


Attached is a file CCE06102015_00000.docm of which I have only seen a single sample, with a detection rate of 5/54*. Analysis is pending, however this would appear to be the Dridex banking trojan."
* https://www.virustot...sis/1455618478/
___

Fake 'Invoice-J' SPAM - malicious attachment
- http://blog.dynamoo....j-06593788.html
16 Feb 2016 - "This -fake- financial spam does not come from Apache Corporation but instead is a simple -forgery- with a malicious attachment.
    From:    June Rojas [RojasJune95@ myfairpoint .net]
    Date:    16 February 2016 at 09:34
    Subject:    ATTN: Invoice J-06593788
    Dear nhardy,
    Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.
    Let us know if you have any questions.
    We greatly appreciate your business!
    June Rojas ...


Other versions of this spam may come from other corporations. In the single sample I have seen there is an attached file invoice_J-06593788.doc ... This Dridex run exhibits a change in behaviour from previous ones. I acquired three samples of the spam run and ran the Hybrid Analysis report on them [1]... and it shows that the macro downloads from one of the following locations:
www .southlife .church/34gf5y/r34f3345g.exe
www .iglobali .com/34gf5y/r34f3345g.exe
www .jesusdenazaret .com.ve/34gf5y/r34f3345g.exe ...
Each one phones home to a -different- location, the ones I have identified are:
109.234.38.35 (McHost.ru, Russia)
86.104.134.144 (One Telecom SRL, Moldova)
195.64.154.14 (Ukrainian Internet Names Center, Ukraine)
That last sample phones home to:
91.195.12.185 (PE Astakhov Pavel Viktorovich, Ukraine)
... according to this Hybrid Analysis*.
Recommended blocklist:
109.234.38.0/24
86.104.134.128/25
195.64.154.14
91.195.12.185
"
1] https://www.hybrid-a...environmentId=4

* https://www.hybrid-a...environmentId=4
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 16 February 2016 - 09:30 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1655 AplusWebMaster

Posted 17 February 2016 - 06:31 AM

FYI...

Fake 'random invoices' SPAM - doc/xls malware
- http://myonlinesecur...dsheet-malware/
17 Feb 2017 - "... 2 concurrent runs of malspam this morning both with similar email subjects about -invoices- pretending to come from random companies with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The 1st email looks like:
From: Daniel Barnett <tmdana@ bezeqint .net>
Date: Wed 17/02/2016 05:50
Subject: Fw:Vel Faucibus Institute Last Invoice
Attachment: AKDYH0NQ.doc  (versions vary in size between 230kb and 245kb)
    Hi
    Please review the invoice in attachment. To eliminate penalty you need to pay within 48 hours.
    Best regards
    Daniel Barnett
    Vel Faucibus Institute


The 2nd email where the attachment name matches the subject looks like:
From: Rosie Shannon <ShannonRosie30676@ association-freudienne .be>
Date: Wed 17/02/2016 06:56
Subject: Invoice 2016-71041044 ( random numbers)
Attachment: SCAN_INVOICE_2016_71041044.doc  ( 46kb)
    Hi rob,
    Here’s invoice 2016-71041044 for 93,79 USD for last weeks delivery.
    The amount outstanding of 400,72 USD is due on 23 Feb 2016.
    If you have any questions, please let us know.
    Thanks,
    Rosie Shannon ...


17 February 2016: AKDYH0NQ.doc - Current Virus total detections 2/55*. Waiting for analysis.
17 February 2016: SCAN_INVOICE_2016_71041044.doc - Current Virus total detections 2/54**
No conclusive result from MALWR... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455698505/

** https://www.virustot...sis/1455695702/
___

Fake 'Updated Invoice' SPAM - malicious attachment
- http://blog.dynamoo....-neque-llc.html
17 Feb 2017 - "This malware spam may come from several different companies, but I have only a single sample. It is notable for the -mis-spelling- of "Macros" as "Macroses" in the document.
From:    Fletcher Oliver [angel@ jiahuan .com.tw]
Date:    17 February 2016 at 06:23
Subject:    Fwd:Accumsan Neque LLC Updated Invoice
Good morning
Please check the bill in attachment. In order to avoid fine you have to pay in 12 hours.
Best regards
Fletcher Oliver
Accumsan Neque LLC


Attached is a document Q7FX9ZH.doc with the distinctive text: Attention! To view this document, please turn on the Edit mode and Macroses!
> https://2.bp.blogspo...00/macroses.png
Needless to say, enabling Edit mode and Macroses is a Very-Bad-Idea. The VirusTotal detection rate for this file is just 2/54*. Hybrid Analysis [1] [2] shows that the macro first downloads from:
www .design-i-do .com/mgs.jpg?OOUxs4smZLQtUBK=54
This looks to be an unremarkable JPEG file..
> https://2.bp.blogspo...Q/s1600/mgs.jpg
(Note that I have munged the JPEG slightly to stop virus scanners triggering). As far as I can tell, the JPEG actually contains data that is decrypted by the macro (a technique called steganography). A malicious VBS is created... and a malicious EXE file is dropped with a VirusTotal result of 7/54**.
Automated analysis of the dropped binary [3] [4] shows that it phones home to:
216.59.16.25 (Immedion LLC, US / VirtuaServer Informica Ltda, Brazil)
I strongly recommend that you -block- traffic to that IP. Payload is uncertain, but possibly the Dridex banking trojan."
* https://www.virustot...sis/1455699463/

1] https://www.hybrid-a...environmentId=1

2] https://www.hybrid-a...environmentId=4

** https://www.virustot...sis/1455701128/
TCP connections
216.59.16.25
72.247.177.174


3] https://www.hybrid-a...environmentId=1

4] https://malwr.com/an...mQ4NTZjM2QwNTI/
216.59.16.25
8.254.249.78

___

Fake bilingual SPAM - Locky ransomware
- http://blog.dynamoo....2016-11365.html
17 Feb 2016 - "This -bilingual- spam does not come from mpsmobile but is instead a simple -forgery- with a malicious attachment.
... (English version)
Dear Ladies and Gentlemen,
please find attached document 'Rechnung 2016-11365' im DOC-Format. To view and print these forms, you need the DOC Reader, which can be downloaded on the Internet free of charge.
Best regards
mpsmobile GmbH...


In the sample I saw, the attachment was named 19875_Rechnung_2016-11365_20160215.docm and has a VirusTotal detection rate of 5/54*. According to this Malwr report** the binary attempts to download the Locky ransomware (seemingly a product of those behind the Dridex banking trojan). It attempts to download a binary from:
feestineendoos .nl/system/logs/7623dh3f.exe?.7055475
This dropped file has a detection rate of 3/53***. Analysis of the file is pending, but overall this has been made more complicated because the Locky installer calls out to a number of domains, many of which actually appear to have been sinkholed. Machines infected with Locky will display a message similar to this:
> https://4.bp.blogspo...nstructions.png
Unfortunately, the only known way to recover from this is to -restore- files from offline -backup- once the infection has been removed from the PC.
UPDATE: Another version plopped into my inbox, VT 7/54[4] and according to this Malwr report[5], it downloads from:
nadeenk .sa/system/logs/7623dh3f.exe?.7055475
This variant POSTs to a server at:
46.4.239.76 (Myidealhost .com  / Hetzner, Germany)
It is likely that the C2 server (identified in the previous report) is:
85.25.149.246 (PlusServer AG, Germany)
Recommended blocklist:
85.25.149.246
46.4.239.76
"
* https://www.virustot...sis/1455715572/

** https://malwr.com/an...TZlOWY0NDg1M2Q/

*** https://www.virustot...sis/1455716319/

4] https://www.virustot...sis/1455717484/

5] https://malwr.com/an...zU0MDEzMzgyMjM/
___

Fake 'tracking documents' SPAM - Locky Ransomware
- http://myonlinesecur...cky-ransomware/
17 Feb 2016 - "An email with the subject of 'tracking documents' pretending to come from cmsharpscan3175@ gmail .com <cmsharpscan6395@ gmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: cmsharpscan3175@ gmail .com <cmsharpscan6395@ gmail .com>
Date: Wed 17/02/2016 12:39
Subject: tracking documents
Attachment: cmsharpscan@ gmail .com_20160217_132046.docm
    Reply to: cmsharpscan@ gmail .com <cmsharpscan@ gmail .com>
    Device Name: Not Set
    Device Model: MX-2640N
    Location: Not Set
    File Format: DOC (Medium)
    Resolution: 200dpi x 200dpi
    Attached file is scanned image in DOC format.


25 February 2016: cmsharpscan@ gmail .com_20160217_132046.docm - Current Virus total detections 5/54*
MALWR** shows us connections to several sites where Locky ransomware is delivered and info sent back. http ://olvikt.freedomain.thehost .com.ua/admin/js/7623dh3f.exe (VirusTotal 2/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455716522/

** https://malwr.com/an...jM2MjIyYzIxNGU/
176.114.0.200: https://www.virustot...00/information/
69.195.129.70: https://www.virustot...70/information/
85.25.149.246: https://www.virustot...46/information/

*** https://www.virustot...sis/1455717353/

- http://blog.dynamoo....-documents.html
17 Feb 2016 - "This -fake- document scan spam has a malicious attachment:
    From:    cmsharpscan3589@ gmail .com
    Date:    17 February 2016 at 14:32
    Subject:    tracking documents
    Reply to: cmsharpscan@ gmail .com [cmsharpscan@ gmail .com]
    Device Name: Not Set
    Device Model: MX-2640N
    Location: Not Set
    File Format: DOC (Medium)
    Resolution: 200dpi x 200dpi
    Attached file is scanned image in DOC format.


I have only seen a single sample of this with an attachment cmsharpscan@ gmail .com_20160217_132046.docm which has a VirusTotal detection rate of 7/54*. According to the Malwr analysis** of the document, the payload is the Locky ransomware and is -identical- to the earlier attack described here***."
* https://www.virustot...sis/1455720732/

** https://malwr.com/an...mNiZDBiNDcyYmM/

*** http://blog.dynamoo....2016-11365.html
___

Dridex botnet - now also spreading ransomware
- https://www.helpnets...ing-ransomware/
Feb 17, 2016 - "... the botnet is segregated into a number of subnets, each likely operated by a different team of attackers, and they continue to mount campaigns that will swell the number of infected machines and to exploit the stolen banking information:
> https://www.helpnets...bnet-dridex.jpg
...  it's likely that, barring a comprehensive takedown, the group(s) behind the botnet will continue to pose a threat throughout 2016...  one of the subnets – 220 – seems to have temporarily switched to sending out spam email delivering the Bartallex downloader, which then downloads the Locky crypto ransomware. Palo Alto Networks researchers* suspect “there is a link between the Dridex botnet affiliate 220 and Locky due to similar styles of distribution, overlapping filenames, and an absence of campaigns from this particularly aggressive affiliate coinciding with the initial emergence of Locky.” Spamming campaigns aimed at delivering the Dridex banking Trojan are many and massive – many -millions- of emails are sent out per day... The criminals mainly target English-speaking regions. Dridex is capable of stealing banking details of customers of nearly -300- financial institutions in wealthy countries, mostly the US, European and several Asia-Pacific countries."
* http://researchcente...e-distribution/
Feb 16, 2016 - "... We observed approximately 446,000 sessions for this threat, over half of which targeted the United States (54%). For comparison, the next most impacted countries, Canada and Australia, only accounted for another nine percent combined:
> http://researchcente...ky3-500x374.png
Industry analysis for targeting reveals expected indiscriminate distribution within impacted countries; however, Higher Education, Wholesale and Retail, and Manufacturing make up over a third of observed targeting... Defending against ransomware first requires a focus on the basics of a strong security posture: security awareness and the hardening and patching of systems... To further reduce associated risks, layered preventive controls are a must..."
___

WordPress Compromise Campaign - Nuclear EK to Angler EK
- https://blog.malware...k-to-angler-ek/
Feb 17, 2016 - "A couple of weeks ago we blogged about an attack against WordPress-sites initially discovered by Denis Sinegubko over at Sucuri. The campaign is still going on but quickly evolved, as reported by DeepEnd Research*, with a change in its URL pattern from “/admedia/” to “/megaadvertize/”. According to our honeypot data, this change happened around Feb. 4th and has been as active as ever since. Besides some pattern changes in the URL, the redirection mechanism is different from the initial campaign as well as its payload. Indeed the Admedia campaign was pushing the Nuclear exploit kit whereas this one is delivering Angler... Compromised WordPress sites are injected with a malicious blurb which is appended to -all- JavaScript files. The blurb is obfuscated -twice- before it can be human readable and reveal that its purpose is to silently load an external-malicious-URL. This URL, which bears the “MegaAdvertize” trademark, performs a fingerprint of the visitor’s machine before proceeding any further. Only people running the Internet-Explorer-browser and using a screen resolution -greater- than 800×600 (honeypot evasion) are the intended target... The payload dropped in this particular instance is TeslaCrypt. We tested this attack without Anti-Exploit to allow the malware to be downloaded... We will continue to monitor this malware campaign as we expect it to evolve again..."
* http://www.deependre...iated-with.html
___

HP Enterprise identifies top risks for businesses
- http://www.securityn...sinesses-today/
Feb 17, 2016

> http://www.theinquir...rprise-security
Feb 17, 2016
 

Edited by AplusWebMaster, 17 February 2016 - 04:31 PM.


#1656 AplusWebMaster

Posted 18 February 2016 - 05:36 AM

FYI...

Fake 'Invoice' SPAM - Locky ransomware
- http://blog.dynamoo....e-20161802.html
18 Feb 2016 - "This -fake- financial spam spoofs different senders and different companies, with a different reference number in each.
    From:    Devon Vincent
    Date:    18 February 2016 at 08:14
    Subject:    Copy of Invoice 20161802-99813731
    Dear [redacted],
    Please find attached Invoice 20161802-99813731 for your attention.
    For Pricing or other general enquiries please contact your local Sales Team.
    Yours Faithfully,
    Devon Vincent
    Tenet Healthcare Corporation ...
    =================
From:    Elvia Saunders
Date:    18 February 2016 at 09:19
Subject:    Copy of Invoice 20161802-48538491
Dear [redacted],
Please find attached Invoice 20161802-48538491 for your attention.
For Pricing or other general enquiries please contact your local Sales Team.
Yours Faithfully,
Elvia Saunders
The PNC Financial Services Group, Inc. ...


I have seen two variants of the document (VirusTotal [1] [2]). Analysis of the documents is pending, however it is likely to be the Dridex banking trojan.
UPDATE 1: There is a second variant of the spam with essentially the same (undefined) payload:
    From:    Heather Ewing
    Date:    18 February 2016 at 08:41
    Subject:    Invoice
    Dear Sir/Madam,
    I trust this email finds you well,
    Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email us.
    Best Regards,
    Heather Ewing
    The Bank of New York Mellon Corporation ...


In this case the attachment was named Invoice51633050.doc - automated analysis is inconclusive. An examination of the XML attachment... indicates that it may be malformed.
UPDATE 2: A contact (thank you) analysed one of the samples and found that the document downloaded an executable from:
killerjeff.free .fr/2/2.exe
According to this Malwr report* this is the Locky ransomware, and it phones home to:
95.181.171.58 (QWARTA LLC, Russia)
69.195.129.70 (Joes Data Center, US)
I suspect that the second one may be a sinkhole, but there should be no problem if you block:
95.181.171.58
69.195.129.70

UPDATE 5: ... Malwr reports on all the available samples... various versions of Locky seem to call back to:
95.181.171.58 (QWARTA LLC, Russia)
31.41.47.37 (Relink Ltd, Russia)
185.14.30.97 (ITL, Ukraine / Serverius, Netherlands)
69.195.129.70 (Joes Datacenter, US)
I have omitted what appear to be obvious sinkholes.
Recommended blocklist:
95.181.171.58
31.41.47.37
185.14.30.97
69.195.129.70
"
1] https://www.virustot...sis/1455787094/

2] https://www.virustot...sis/1455787228/

* https://malwr.com/an...DljZmZlNWVjMDI/
Hosts
69.195.129.70
95.181.171.58


- http://myonlinesecur...dsheet-malware/
18 Feb 2016 - "A German language email with the subject of 'Per E-Mail senden: Rechnung-54-110090.xls (random numbers)' pretending to come from MTC Hof – MTC GmbH <mtc-hof@ mtc-handy .de> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: MTC Hof – MTC GmbH <mtc-hof@mtc-handy.de>
Date:
Subject: Per E-Mail senden: Rechnung-54-110090.xls
Attachment: Rechnung-54-110090.xls


Body content: Totally blank
18 February 2016: Rechnung-54-110090.xls - Current Virus total detections 7/55*
So far automatic analysis is inconclusive... the -same- that Dynamoo describes** about today’s slightly earlier run of random invoice malspam..."
* https://www.virustot...sis/1455790340/

** http://blog.dynamoo....e-20161802.html
___

Fake 'Payment' SPAM - Locky ransomware
- http://blog.dynamoo....nce-cottle.html
18 Feb 2016 - "This very widespread spam run comes with a malicious attachment which drops the Locky ransomware. Note that the email address has a random number appended to it:
    From:    Laurence Cottle [lcottle60@ gmail .com]
    Date:    18 February 2016 at 13:35
    Subject:    Payment
    Hi
    Any chance of getting this invoice paid, please?
    Many thanks
    Laurence


Attached is a file unnamed document.docm which comes in several different versions. Third-party analysis (thank you!) reveals that there are download locations at:
This dropped a malicious binary with a detection rate of 3/55*, since updated to one with a detection rate of 4/55**... The malware phones home to:
195.154.241.208 /main.php
46.4.239.76 /main.php
94.242.57.45 /main.php
kqlxtqptsmys .in/main.php
cgavqeodnop .it/main.php
pvwinlrmwvccuo .eu/main.php
dltvwp .it/main.php
uxvvm .us/main.php
wblejsfob .pw/main.php
Out of those, the most suspect IPs are:
195.154.241.208 (Iliad / Online S.A.S., FR)
46.4.239.76 (myidealhost.com / Hetzner, DE)
94.242.57.45 (Vstoike.com / Fishnet Communications, RU)
69.195.129.70 (Joes Datacenter LLC, US)
Recommended blocklist:
195.154.241.208
46.4.239.76
94.242.57.45
69.195.129.70
"
* https://www.virustot...6acc0/analysis/

** https://www.virustot...e16f3/analysis/
 

Edited by AplusWebMaster, 18 February 2016 - 08:29 AM.


#1657 AplusWebMaster

Posted 19 February 2016 - 05:22 AM

FYI...

Released today - Good read:
Banking Botnets: The Battle Continues
- https://www.securewo...attle-continues
19 Feb 2016
___

Fake 'Invoice FEB' SPAM - Locky ransomware
- http://myonlinesecur...dsheet-malware/
19 Feb 2016 - "An email with the subject of 'Invoice FEB-51829253 (random numbers)' pretending to come from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Tracy Osborn <OsbornTracy63422@ thehottomato .com>
Date: Fri 19/02/2016 12:05
Subject: Invoice FEB-51829253
Attachment: invoice_feb-79754078.doc
    Good morning,
    Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
    If you have any questions please let us know.
    Thank you!
    Tracy Osborn
    Accounting Specialist


19 February 2016: invoice_feb-79754078.doc - Current Virus total detections 3/56*
MALWR** shows a download from http ://www .proteusnet .it/6/6.exe (VirusTotal 8/55***) which is Locky ransomware created and distributed by the Dridex gangs... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455888998/

** https://malwr.com/an...Tk2ZjdlNzEwZGQ/
Hosts
217.72.102.113
85.25.138.187


*** https://www.virustot...sis/1455889149/

- http://blog.dynamoo....56789-from.html
19 Feb 2016 - "This -fake- financial spam comes from random senders, the attachment is malicious and drops the Locky ransomware:
From:    Kenya Becker
Date:    19 February 2016 at 11:59
Subject:    Invoice FEB-92031923
Good morning,
Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
If you have any questions please let us know.
Thank you!
Kenya Becker
Accounting Specialist ...


Attached is a file with a semirandom name similar to invoice_feb-92031923.doc (Sample VirusTotal report 2/55*) which contains an XML (file)... Malwr analysis of these samples [1] [2] shows it downloading a malicious executable from:
ratgeber-beziehung .de/5/5.exe
www .proteusnet .it/6/6.exe
If recent patterns are followed, there will be several different download locations with -different- versions of the file at each.. The binaries have detection rates of 7/55** and 6/54***... Malwr reports [3]... indicate that it phones home to:
85.25.138.187 (PlusServer AG, Germany)
31.41.47.3 (Relink Ltd, Russia)
Other samples are being analysed, but in the meantime I recommend that you -block- traffic to:
85.25.138.187
31.41.47.3
...
UPDATE 1: Some additional download locations from these Malwr reports [3]...:
ecoledecorroy .be/1/1.exe
animar .net.pl/3/3.exe
luigicalabrese .it/7/7.exe ...
UPDATE 2: Two other locations are revealed in these Malwr reports [4] [5]:
http ://lasmak .pl/2/2.exe
http ://suicast .de/4/4.exe "
* https://www.virustot...sis/1455887101/

1] https://malwr.com/an...Dc3ZWQ1MzVlZjQ/
Hosts
217.72.102.113
31.41.47.37


2] https://malwr.com/an...TdhZTM4NjFkMmI/
Hosts
109.237.140.6
85.25.138.187


** https://www.virustot...sis/1455887497/

*** https://www.virustot...sis/1455888443/

3] https://malwr.com/an...DYzYzk3MWRmZDE/
Hosts
46.252.153.77
85.25.138.187


4] https://malwr.com/an...jg3OWFjM2E5MGE/
Hosts
212.69.64.100
31.41.47.37


5] https://malwr.com/an...mJhYzZmNjY4NGU/
Hosts
46.30.212.56
85.25.138.187

___

Fake 'Unpaid Invoice' SPAM - Locky ransomware
- http://blog.dynamoo....350-credit.html
19 Feb 2016 - "This -fake- financial spam does not come from Thistle Removals but is instead a simple -forgery- with a malicious attachment.
    From     credit control [invoices@ thistleremovals .co.uk]
    Date     Fri, 19 Feb 2016 17:52:49 +0200
    Subject     Unpaid Invoice #350
    Message text
    Please see attached letter and a copy of the original invoice.


Attached is a file with a semi-random-name, e.g. RG026052317614-SIG.zip which contains a malicious script. This script then downloads an executable from the -same- locations as found here*, dropping a malicious executable with a detection rate of 10/55** (changed from earlier today). Third party analysis (thank you) indicates that this then phones home to the following locations:
91.121.97.170 /main.php (OVH, France)
46.4.239.76 /main.php (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
31.184.233.106 /main.php (Virty.io, Russia)
The payload is the Locky ransomware.
Recommended blocklist:
91.121.97.170
46.4.239.64/27
31.184.233.106
"
* http://blog.dynamoo....nr-2016131.html

** https://www.virustot...115fd/analysis/
___

Fake 'Rechnung Nr. 2016_131' SPAM - Locky ransomware
- http://blog.dynamoo....nr-2016131.html
19 Feb 2016 - "This German language spam does not come from LFW Ludwigsluster but is instead a simple -forgery- with a malicious attachment. The sender's email address is somewhat randomised, as is the name of the attachment.
From:    fueldner1A0@ lfw-ludwigslust .de
Date:    19 February 2016 at 09:10
Subject:    Rechnung Nr. 2016_131
Sehr geehrte Damen und Herren,
bitte korrigieren Sie auch bei der Rechnung im Anhang den Adressaten:
LFW Ludwigsluster Fleisch- und Wurstspezialitäten
GmbH & Co.KG
Vielen Dank!
Mit freundlichen Grüßen
Anke Füldner ...


Attached is a file with a format similar to RG460634280127-SIG.zip which contains a malicious javascript in the format RG6459762168-SIG.js or similar. At the moment, I have seen two samples, both with -zero- detection rates at VirusTotal [1] [2]. Malwr analysis* of one of the samples shows that a binary is downloaded from:
mondero .ru/system/logs/56y4g45gh45h
Other samples probably have different download locations. This executable has a detection rate of 7/53** and it appears to drop another executable with a relatively high detection rate of 26/55***. Both the VirusTotal and Malwr reports indicate that this is the Locky ransomware from the people who usually push Dridex.
The malware phones home to:
46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
But in fact the entire 46.4.239.64/27 range looks pretty bad and I recommend that you -block- it...
UPDATE: An additional analysis from a trusted source (thank you). Download locations are:
mondero .ru/system/logs/56y4g45gh45h
tcpos .com .vn/system/logs/56y4g45gh45h
www .bag-online .com/system/logs/56y4g45gh45h
The malware phones home to:
46.4.239.76 /main.php
94.242.57.45 /main.php
wblejsfob .pw/main.php
kqlxtqptsmys .in/main.php
cgavqeodnop .it/main.php
pvwinlrmwvccuo .eu/main.php
dltvwp .it/main.php
uxvvm .us/main.php
The active C2s (some may be sinkholes) appear to be:
46.4.239.76 (Dmitry Melnik, Ukraine / Myidealhost.com aka Hetzner, Germany)
94.242.57.45 (vstoike.com / Fishnet Communications, Russia)
185.46.11.239 (Agava Ltd, Russia)
69.195.129.70 (Joes Datacenter, US)
Analysis of those C2 locations gives a recommended blocklist of:
46.4.239.64/27
94.242.57.45
185.46.11.239
69.195.129.70
"
1] https://www.virustot...sis/1455877852/

2] https://www.virustot...sis/1455877999/

* https://malwr.com/an...DkyMzdlZGU5ZDI/

** https://www.virustot...sis/1455878753/

*** https://www.virustot...sis/1455878570/

> http://myonlinesecur...-de-js-malware/
19 Feb 2016
"... Screenshot: http://myonlinesecur...31-1024x775.png

... it is likely to be either Dridex banking malware or the new Locky ransomware which uses the Dridex delivery network. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
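The two 19 Feb posts above end in "recommended blocklists" that mix single IPs with CIDR ranges (the whole 46.4.239.64/27 is recommended rather than just .76) and name /main.php as the Locky check-in path. The script below is an added example, not the blogs' or the forum poster's code: it normalises those entries, merges overlapping ranges, and runs constructed proxy log lines (the key=value format is assumed) through them, flagging both blocklist hits and POSTs to the C2 path on addresses not yet listed.

```python
"""Checking egress logs against the recommended blocklists quoted above.
Added example; blocklist entries are the ones on this page, log lines are
constructed and the key=value log format is an assumption."""
import ipaddress
import re
from typing import Iterable

# Entries from the two 19 Feb blocklists above (single IPs and CIDRs mixed).
RECOMMENDED_BLOCKLIST = [
    "46.4.239.64/27",
    "94.242.57.45",
    "185.46.11.239",
    "69.195.129.70",
    "91.121.97.170",
    "31.184.233.106",
]

# Locky's check-in path as reported above; used as a secondary indicator.
C2_PATH = "/main.php"

LOG_RE = re.compile(
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+method=(?P<method>\w+)\s+path=(?P<path>\S+)"
)


def build_blocklist(entries: Iterable[str]) -> list:
    """Normalise bare IPs and CIDRs into networks; a bare IP becomes a /32.
    Overlapping or adjacent ranges are merged so the list stays compact."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def match_network(ip: str, blocklist):
    """Return the blocklist network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in blocklist:
        if addr in net:
            return net
    return None


def check_log(lines: Iterable[str], blocklist) -> list:
    """One hit per log line that reaches a blocked range or POSTs to the C2
    path; 'reason' records which rule fired so an analyst can triage."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue                      # unparseable line: skip, do not guess
        net = match_network(m["dst"], blocklist)
        c2_shape = m["method"] == "POST" and m["path"] == C2_PATH
        if net is not None or c2_shape:
            hits.append({
                "line": n,
                "dst": m["dst"],
                "network": str(net) if net else None,
                "reason": "blocklist" if net else "c2-path",
            })
    return hits


# Constructed sample log: two known C2 check-ins, one other host inside the /27,
# one clean request, and a POST to /main.php on an address not (yet) listed.
SAMPLE_LOG = [
    "2016-02-19T10:12:01 src=10.0.0.5 dst=46.4.239.76 dport=80 method=POST path=/main.php",
    "2016-02-19T10:12:09 src=10.0.0.5 dst=94.242.57.45 dport=80 method=POST path=/main.php",
    "2016-02-19T10:13:00 src=10.0.0.7 dst=46.4.239.90 dport=443 method=GET path=/",
    "2016-02-19T10:14:30 src=10.0.0.9 dst=93.184.216.34 dport=80 method=GET path=/index.html",
    "2016-02-19T10:15:02 src=10.0.0.5 dst=198.51.100.23 dport=80 method=POST path=/main.php",
]

if __name__ == "__main__":
    for hit in check_log(SAMPLE_LOG, build_blocklist(RECOMMENDED_BLOCKLIST)):
        print(hit)
```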
___

Fake 'Our new Order' SPAM - PDF malware
- http://myonlinesecur...ke-pdf-malware/
19 Feb 2016 - "An email with the subject of 'Our new Order' pretending to come from Benalin CO LTD <jkt-genmbox@ benline .co.id> with an executable file that is named to look like a PDF file attachment is another one from the current bot runs... The email looks like:
From: Benalin CO LTD <jkt-genmbox@benline .co.id>
Date: Fri 19/02/2016 09:30
Subject: Our new Order
Attachment: PO_160136_pdf
    Dear Customer,
    Find attached our purchase order. Kindly quote us best price and send us proforma invoice asap, so that we can proceed with the necessary payment,We need this Order urgently. kindly confirm the PO and send PI asap.
    thank you.
    Graha Paramita Building 12th Floor
    Jalan Denpasar Raya Blok D-2
    Kav.8, Kuningan
    Jakarta 12940, Indonesia ...


25 February 2016: PO_160136_pdf - Current Virus total detections 7/55*. MALWR**
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1455874178/

** https://malwr.com/an...WNjMTI2NTY2OTE/
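The lures on this page rely on the name, not the content: an executable called PO_160136_pdf, a ZIP (RG...-SIG.zip) carrying a .js, and macro-enabled .doc/.docm files. The triage routine below is an added example, not the blogs' or the forum poster's code; it classifies an attachment by its real magic bytes and by what its name pretends to be, and reports the mismatch. File names follow the page; the byte contents are constructed placeholders.

```python
"""Attachment triage for the lure patterns reported above (added example).
Sample names mirror the page; their contents are constructed placeholders."""
import io
import os
import zipfile

# Magic numbers checked against the bytes on disk, never against the name.
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.docm/.xlsm and plain .zip
PDF_MAGIC = b"%PDF"

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
MACRO_EXTS = {".docm", ".xlsm", ".dotm", ".pptm"}
DOCUMENT_EXTS = {".pdf", ".doc", ".xls", ".docx", ".xlsx"} | MACRO_EXTS


def _ext(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def classify_attachment(name: str, data: bytes) -> list:
    """Return risk flags for one attachment, derived from (a) the container
    type in the bytes, (b) the name the sender chose, (c) the mismatch."""
    flags = []
    ext = _ext(name)
    base = name.lower()

    # (a) what the bytes really are
    if data.startswith(PE_MAGIC):
        flags.append("pe_executable")
    if data.startswith(OLE_MAGIC) or (data.startswith(ZIP_MAGIC) and ext in MACRO_EXTS):
        # legacy OLE documents may carry VBA; a macro-enabled OOXML name says it can
        if ext in MACRO_EXTS or ext in {".doc", ".xls"}:
            flags.append("macro_capable_office")

    # (b) what the name suggests
    if ext in SCRIPT_EXTS:
        flags.append("script_attachment")
    # 'PO_160136_pdf' style: no real extension, a document type glued on with '_'
    if ext == "" and (base.endswith("_pdf") or base.endswith("_doc")):
        flags.append("document_lookalike_name")
    # 'invoice.pdf.exe' style double extension
    if ext not in DOCUMENT_EXTS and _ext(os.path.splitext(name)[0]) in DOCUMENT_EXTS:
        flags.append("double_extension")

    # (c) name claims a document, bytes say executable
    if data.startswith(PE_MAGIC) and (ext in DOCUMENT_EXTS or "document_lookalike_name" in flags):
        flags.append("extension_content_mismatch")

    # archives: look inside for scripts or executables (RG...-SIG.zip holding a .js)
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                inner = [n for n in zf.namelist() if _ext(n) in SCRIPT_EXTS | {".exe", ".scr"}]
            if inner:
                flags.append("archive_contains_script_or_exe")
        except zipfile.BadZipFile:
            flags.append("corrupt_archive")
    return flags


def _make_zip(entries: dict) -> bytes:
    """Build a small in-memory ZIP for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()


# Constructed samples: names from the page, contents are placeholders.
SAMPLES = {
    "PO_160136_pdf": PE_MAGIC + b"\x90" * 62,                          # EXE posing as PDF
    "RG026052317614-SIG.zip": _make_zip({"RG6459762168-SIG.js": b"// stub\n"}),
    "Q7FX9ZH.doc": OLE_MAGIC + b"\x00" * 504,                          # legacy OLE document
    "cmsharpscan@gmail.com_20160217_132046.docm": _make_zip({"word/vbaProject.bin": b"\x00"}),
    "OutstandingStatement201602111650.js": b"var x = 1;\n",
    "statement.pdf": PDF_MAGIC + b"-1.4\n%placeholder\n",              # benign control
}


def triage_all(samples: dict = SAMPLES) -> dict:
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, flags in triage_all().items():
        print(f"{name:45s} {', '.join(flags) or 'no flags'}")
```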
___

Phishy Accountant... doesn’t Add Up
- https://blog.malware...-doesnt-add-up/
Feb 19, 2016 - "We’ve recently come across a -phish- aimed at people working in / related to accounting firms, sent from a -compromised- accountant’s email address leading to a -fake- Google Docs page. The email reads as follows:
> https://blog.malware...untantspam1.jpg
'Subject Important - For your review
Hello, I've shared some files with you on Google Drive.
Please, click on the E-Document to download the file.
Best regards

The -bogus- link would take potential victims to:
espaciovitalhn(dot)com/cpa/
> https://blog.malware...untantspam2.jpg
The site reads as follows:
'To view shared files and folders
You are required to sign in with your email address to access shared files and folders'

The -fake- login page casts a wide net, offering up login fields for Gmail, Yahoo Mail, Hotmail, AOL and “other”. You’ll notice the “CPA” in the URL – this would be related to Certified Public Accountants. Given the potentially sensitive data accountants have access to on a daily basis, angling for their logins could result in a nice-little-haul for the scammers. Anybody dealing with finance tends to be a hot target for -fake- mails containing Ransomware files*, but it’s worth remembering the more straightforward scams are still out there ready to strike. As always, some basic security precautions pay dividends here – note the -lack- of HTTPs on the above screenshot, which is (almost always) a sign that the site is a phish. You should always-be-highly-suspicious of -any- email you didn’t request directing you to a login page –  that (plus the -missing- green padlock) certainly hits high on the “Back away slowly” meter..."
* http://blog.dynamoo....56789-from.html

espaciovitalhn(dot)com: 72.167.131.7: https://www.virustot....7/information/
>> https://www.virustot...4bbee/analysis/
___

Surge in IRS E-mail Schemes - 2016 Tax Season - Tax Industry Also Targeted
- https://www.irs.gov/...y-Also-Targeted
Feb. 18, 2016 - "The Internal Revenue Service renewed a consumer alert for e-mail schemes after seeing an approximate 400 percent surge in phishing and malware incidents so far this tax season. The -emails- are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies. The phishing schemes can ask taxpayers about a wide range of topics. E-mails can seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information. Variations of these -scams- can be seen via text messages, and the communications are being reported in every section of the country... This tax season the IRS has observed fraudsters more frequently asking for personal tax information, which could be used to help file -false- tax returns... The IRS has seen an increase in reported phishing and malware schemes, including:
• There were 1,026 incidents reported in January, up from 254 from a year earlier.
• The trend continued in February, nearly doubling the reported number of incidents compared to a year ago. In all, 363 incidents were reported from Feb. 1-16, compared to the 201 incidents reported for the entire month of February 2015.
• This year's 1,389 incidents have already topped the 2014 yearly total of 1,361, and they are halfway to matching the 2015 total of 2,748.
...  tax professionals are also reporting phishing scams that are seeking their online credentials to IRS services, for example the IRS Tax Professional PTIN System. Tax professionals are also reporting that many of their clients are seeing the e-mail schemes... It is important to keep in mind the IRS generally does -not- initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels..."
(More detail at the IRS URL above.)
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 19 February 2016 - 02:09 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1658 AplusWebMaster


Posted 22 February 2016 - 08:30 AM

FYI...

Fake 'Rechnung Nr. 88971' SPAM - malicious doc attachment
- http://myonlinesecur...rd-doc-malware/
22 Feb 2016 - "... an email written in German language pretending to be from an ADVANCED COURIER with the subject of 'Rechnung Nr. 88971 vom 15.02.2016' pretending to come from Volker Maier <MaierVolker8742@ malware-research .co.uk> (I think it is probably a random name at your own email domain) with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Volker Maier <MaierVolker8742@ malware-research .co.uk>
Date:
Subject: Rechnung Nr. 88971 vom 15.02.2016
Attachment: Rechnung88971_3974069.doc
    Dear Sir or Madam,
    Attached you will find our invoice 88971 dated 15.02.2016 in MS Office Word format. These tyres are on their way to you via DPD.
    Please print this receipt for further use and for your records.
    Please note! This receipt is the original copy!
    Kind regards
    Volker Maier
    ADVANCED COURIER


22 February 2016: Rechnung88971_3974069.doc - Current Virus total detections 1/56*
MALWR** shows a download from http ://main.americaafricatradeshowandconference .com/feel/good.php which gave me loader.med.120.exe (VirusTotal 34/56***) which looks like a typical Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456146779/

** https://malwr.com/an...DYwNmJlNjEyMjU/
Hosts
37.46.133.164
192.100.170.12
13.107.4.50


*** https://www.virustot...sis/1456146232/
___

Fake 'BoA Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
22 Feb 2016 - "An email appearing to be a Bank of America Invoice or statement with the subject of 'Invoice Attached' coming from admin@ mastershell .ru with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: admin@ mastershell .ru
Date: Tue 23/02/2016 08:20 (received at 16.30 GMT)
Subject: Invoice Attached
Attachment: invoice_321112.doc
    Good morning,
    Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice. If you have any questions please let us know.
    Thank you!
    Mr. Jakes Jordaan J.D. Accounting Specialist| Bank of America, The Jordaan Law Firm, PLLC
    Banking products are provided by Bank of America, N.A. and affiliated banks, Members FDIC and wholly owned subsidiaries of Bank of America Corporation.
    Investment and insurance products ...


22 February 2016: invoice_321112.doc - Current Virus total detections 3/51*
MALWR** shows a download from http ://amoretanointrodano31 .com/posts/amr507.exe (virustotal 4/56***) which is being identified as Nymaim ransomware... Dridex/Locky -does- update at frequent intervals during the day, so you might get a different version of this nasty Ransomware or banking, password stealer Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456155179/

** https://malwr.com/an...zRhZmY4ZTRhOGU/
Hosts
96.251.21.189: https://www.virustot...89/information/
>> https://www.virustot...81c6d/analysis/

*** https://www.virustot...sis/1456158904/
___

Locky: Clearly Bad Behavior
- https://labsblog.f-s...y-bad-behavior/
2016.02.22 - "... Locky’s most common infection vector has been via e-mail. A word document attachment is sent out claiming to be an invoice. When opened, the document appears scrambled and prompts the recipient to enable macros in order to view, and -if- they do so, an executable (ladybi.exe) gets dropped and starts encrypting data files using 128-bit AES encryption..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 23 February 2016 - 07:55 PM.



#1659 AplusWebMaster


Posted 24 February 2016 - 05:16 AM

FYI...

Fake 'VAT Invoice' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
24 Feb 2016 - "An email appearing to be a British Gas vat invoice with the subject of 'VAT Invoice – Quote Ref: ES0142570' pretending to come from CardiffC&MFinance <CardiffC&MFinance@ centrica .com> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...70-1024x546.png

24 February 2016: archive-0910001923884.docm - Current Virus total detections 3/56*
Payload Security** shows it downloads skropotov .ru/system/logs/87h754.exe (VirusTotal 5/55***). This almost certainly will be either Dridex banking Trojan or Locky Ransomware which is distributed via the Dridex botnet and gangs...  Other download locations discovered include:
school62 .dp .ua/new_year/balls/87h754.exe
designis .com .ua/admin/images/87h754.exe
armo .sk/system/logs/87h754.exe
eyesquare .tn/system/logs/87h754.exe
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

* https://www.virustot...sis/1456307598/

** https://www.reverse....environmentId=4
Host Address
78.108.80.77
80.86.91.232
62.109.133.248
176.53.0.103


*** https://www.virustot...sis/1456308031/
TCP connections
80.86.91.232: https://www.virustot...32/information/
13.107.4.50: https://www.virustot...50/information/

- http://blog.dynamoo....-quote-ref.html
24 Feb 2016 - "This -fake- financial spam is not from British Gas/Centrica but is instead a simple -forgery- with a malicious attachment.
    From:    CardiffC&MFinance [CardiffC&MFinance@ centrica .com]
    Date:    24 February 2016 at 09:09
    Subject:    VAT Invoice - Quote Ref: ES0142570
    Good Afternoon,
    Please find attached a copy of the VAT invoice as requested.
    Regards
    Tracy Whitehouse
    Finance Team
    British Gas Business ...


... there is an attached file named archive-0910001923884.docm which has a VirusTotal detection rate of 3/55*. Analysis of this document is pending, but it is likely to drop either the Dridex banking trojan or Locky ransomware."
* https://www.virustot...sis/1456309444/
UPDATE 1: The Hybrid Analysis[1] of the document plus the VirusTotal scan of the dropped EXE look like Dridex. The download location for that document was:
skropotov .ru/system/logs/87h754.exe
C2 to block:
80.86.91.232 (PlusServer, Germany)..."
1] https://www.hybrid-a...environmentId=4

skropotov .ru: 78.108.80.77: https://www.virustot...77/information/
>> https://www.virustot...a5abc/analysis/

80.86.91.232: https://www.virustot...32/information/
___

Fake 'Ikea order' SPAM - doc malware
- http://myonlinesecur...-doc-malware-2/
24 Feb 2016 - "An email that appears to be an Ikea order with the subject of 'Thank you for your order!' pretending to come from DoNotReply@ ikea .com with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Many of these are coming in corrupt with the attachment embedded inside the email body as a base64 attachment. Some mail servers will automatically fix them, but others will deliver them as non-working... The email looks like:
From: DoNotReply@ ikea .com
Date: Wed 24/02/2016 10:50
Subject: Thank you for your order!
Attachment: IKEA receipt 656390.docm
    IKEA UNITED KINGDOM
    Order acknowledgement:
    To print, right click and select print or use keys Ctrl and P.
    Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost: £122.60
Delivery date: 24-02-2016
Delivery method: Parcelforce
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number: 607656390
Order time: 8:31am GMT
Order/Invoice date: 24-02-2016 ...


24 February 2016: IKEA receipt 656390.docm - Current Virus total detections 3/56*
I am waiting for analysis. This will almost certainly turn out to download either Dridex banking Trojan or Locky Ransomware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456311298/

- http://blog.dynamoo....u-for-your.html
24 Feb 2016 - "This fake financial spam is not from IKEA, but is instead a simple forgery. I can only assume that it is meant to have a malicious attachment, but due to a formatting error it may not be visible.
From:    DoNotReply@ ikea .com
Date:    24 February 2016 at 09:56
Subject:    Thank you for your order!
IKEA
IKEA UNITED KINGDOM
Order acknowledgement:
To print, right click and select print or use keys Ctrl and P.
Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost: £122.60
Delivery date: 24-02-2016
Delivery method: Parcelforce
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number: 607656390
Order time: 8:31am GMT
Order/Invoice date: 24-02-2016 ...


The intention here is either to drop the Dridex banking trojan or Locky ransomware. If you see an attachment, do -not- open it... UPDATE: Third-party analysis confirms that the attachments are broken and will not work in many mail clients. However, if they did the payload would be identical to this*."
* http://blog.dynamoo....-quote-ref.html
___

Fake 'Order Conf' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
24 Feb 2016 - "... an email with the subject of 'Order Conf. 3360069' pretending to come from Abigail Jones <ajones@ designersguild .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Abigail Jones <ajones@ designersguild .com>
Date: Wed 24/02/2016 11:09
Subject: Order Conf. 3360069
Attachment: Order Conf__3360069_22_02_2016.docm
    Please see attached


24 February 2016: Order Conf__3360069_22_02_2016.docm - Current Virus total detections 3/55*
Waiting for analysis but this is almost certain to download either Dridex Banking Trojan or Locky Ransomware for the -same- locations in today’s earlier Malspam runs** with Word docs***... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456312210/

** http://myonlinesecur...rd-doc-malware/

*** http://myonlinesecur...-doc-malware-2/
___

Evil network: 184.154.28.72/29 ...
- http://blog.dynamoo....ko-cipovic.html
24 Feb 2016 - "liveadexchanger .com is an advertising network with a questionable reputation* currently hosted on a Google IP of 146.148.46.20. The WHOIS details are -anonymous-, never a good sign for an ad network. Seemingly running ads on the scummiest websites, liveadexchanger .com does things like trying to install fake-Flash-updates on visitors' computers, as can be seen from this URLquery report**... you might find the screenshot missing because of the complex URL, so here it is..
> https://3.bp.blogspo...ake-flash-2.jpg
That landing page is on alwaysnewsoft.traffic-portal .net (part of an extraordinarily nasty network at 184.154.28.72/29) which then forwards unsuspecting visitors to a -fake- download at intva31.peripheraltest .info  which you will not be surprised to learn is hosted at the adware-pusher's favourite host of Amazon AWS. Of the 567 sites that have been hosted in this /29 (not all are there now), 378 of them are tagged-as-malicious in some way by Google (67%) and 157 (28%) are also tagged by SURBL as being malicious in some way. Overall then, 74% are marked as malicious by either Google or SURBL, which typically means that they just haven't caught up yet with the other bad domains... I would recommend the following blocklist:
liveadexchanger .com
184.154.28.72/29
"
(More detail at the dynamoo URL above.)
* https://www.google.c...adexchanger.com

** https://urlquery.net...d=1456327368298
___

Fake 'Scanned image' SPAM - JS malware
- http://myonlinesecur...ain-js-malware/
24 Feb 2016 - "An email with the subject of 'Scanned image' pretending to come from admin  <southlands3452@ victim domain .tld> with a zip attachment is another one from the current bot runs... The email looks like:
From: admin <southlands3452@ victim domain .tld>
Date: Wed 24/02/2016 15:43
Subject: Scanned image
Attachment:
    Image data in PDF format has been attached to this email.


24 February 2016: 24-02-2016-00190459.zip: Extracts to: PD7755363543.js - Current Virus total detections 0/56*
which downloads Locky ransomware from same locations in this earlier post**. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1456327535/

** http://myonlinesecur...8306-js-malware
"...demo2.master-pro .biz/plugins/ratings/87h754 which is a text file that is saved as kEGQvyeDi.exe
(virustotal ***)
*** https://www.virustot...sis/1456322392/

demo2.master-pro .biz: 81.177.140.123: https://www.virustot...23/information/
>> https://www.virustot...5ad49/analysis/

- http://blog.dynamoo....image-data.html
24 Feb 2016 - "This -fake- document scan has a malicious attachment. It appears to come from within the victim's own domain, but this is a malicious forgery.
    From:    admin [southlands71@ victimdomain .tld]
    Date:    24 February 2016 at 15:25
    Subject:    Scanned image
    Image data in PDF format has been attached to this email.


... As this Hybrid Analysis shows*, the payload is the Locky ransomware. The dropped binary has a detection rate of just 2/55**.
Those reports show the malware phoning home to:
5.34.183.136 (ITL, Ukraine)
I strongly recommend that you -block- traffic to that IP."
* https://www.hybrid-a...environmentId=1

** https://www.virustot...sis/1456331864/
TCP connections
5.34.183.136: https://www.virustot...36/information/
>> https://www.virustot...426ac/analysis/
___

More Fake 'random invoice's SPAM - Dridex or Locky ransomware
- http://myonlinesecur...cky-ransomware/
24 Feb 2016 - "... flooded again this afternoon with emails about invoices and remittance advices pretending to come from random companies and random email addresses with a malicious word doc attachment... (more) from the current bot runs... There are -3- distinct email templates spreading. All mention the name of the alleged sender in the body. The 1st email that mentions a randomly chosen well known company in the body looks like:
From: Patty Reese <ReesePatty0497@une .net.co>
Date: Wed 24/02/2016 16:59
Subject: February Invoice #079732
Attachment: INV00849 – 079732.doc
    Hello ,  
    Please review the attached copy of your Electronic document.
    A paper copy of this document is being mailed, but this email is being sent in addition for your convenience.
    Thank you for your business,
    Patty Reese
    Wahl Canada Inc...


24 February 2016: INV00849 – 079732.doc - Current Virus total detections 1/53[1]
Downloads svrapp02.smoothiewarehouse .info/fecha/esberando.php which gave me scrooge.exe (VirusTotal 3/56[2])
24 February 2016: Invoice_ref-39513520.doc - Current Virus total detections 1/56[3]
downloads Locky ransomware from s536335847.mialojamiento .es/4/4.exe (VirusTotal 4/56[4])
24 February 2016: remittance_advice6BEFBC.doc - Current Virus total detections 1/55[5]
downloads Locky ransomware from svrapp02.cubicgrains .com/fecha/esberando.php (VirusTotal 3/56[6])..
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...4d744/analysis/

2] https://www.virustot...sis/1456334642/
TCP connections
31.41.47.37: https://www.virustot...37/information/

3] https://www.virustot...sis/1456333034/

4] https://www.virustot...sis/1456334033/
TCP connections
51.254.19.227: https://www.virustot...27/information/

5] https://www.virustot...sis/1456334810/

6] https://www.virustot...sis/1456334642/
TCP connections
31.41.47.37: https://www.virustot...37/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 24 February 2016 - 03:14 PM.

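The posts above keep describing the same three attachment tricks: macro-enabled Office documents, a script (.js) shipped inside a zip whose name mimics a document or scan, and senders forging the recipient's own domain. The gateway-side triage below is an added example, not code from the forum or from the blogs quoted here; all domains, file names and message bodies are constructed stand-ins and the attachment bytes are inert placeholders, not real samples.

```python
"""Triage of inbound mail for the lure shapes documented in this thread:
macro-enabled Office attachments, scripts hidden in zips (including
'Invoice.doc.js' double extensions) and own-domain sender forgery."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

MACRO_OFFICE = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".exe", ".scr"}
ICON_LURES = MACRO_OFFICE | {".pdf"}      # what a spoofed name pretends to be


def _ext(name):
    """Lower-cased final extension of a file name, '' if it has none."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def _domain(header):
    """Bare domain from a From/To header such as 'Name <user@dom.tld>'."""
    header = (header or "").lower()
    return header.rsplit("@", 1)[-1].strip("> ") if "@" in header else ""


def _zip_members(blob):
    """Member names of a zip payload; empty if the bytes are not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(raw_bytes):
    """Return (severity, reason) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_dom, to_dom = _domain(msg["From"]), _domain(msg["To"])
    if from_dom and from_dom == to_dom:
        findings.append(("medium", f"sender claims recipient's own domain {from_dom}"))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in MACRO_OFFICE:
            findings.append(("high", f"macro-capable Office attachment {name}"))
        elif ext in SCRIPT_EXTS:
            findings.append(("high", f"script/executable attachment {name}"))
        elif ext == ".zip":
            for member in _zip_members(part.get_payload(decode=True) or b""):
                mext = _ext(member)
                if mext in SCRIPT_EXTS:
                    findings.append(("high", f"{name} contains script {member}"))
                # 'statement.doc.js': the hidden-extension trick the posts describe
                if mext and _ext(member[: -len(mext)]) in ICON_LURES:
                    findings.append(("high", f"double extension in {member}"))
    return findings


def build_mail(sender, rcpt, subject, body, attachments):
    """Constructed sample; attachments is a list of (filename, mimetype, bytes)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
    msg.set_content(body)
    for filename, mimetype, data in attachments:
        maintype, subtype = mimetype.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def zip_bytes(members):
    """In-memory zip from {name: bytes}; contents are inert placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sample_js_zip_mail():
    """Shape of the 'Scanned image' run: own-domain sender, zip holding a .js."""
    return build_mail("admin <southlands3452@example.com>", "user@example.com",
                      "Scanned image", "Image data in PDF format has been attached.",
                      [("24-02-2016-00190459.zip", "application/zip",
                        zip_bytes({"PD7755363543.js": b"// inert placeholder\n"}))])


def sample_docm_mail():
    """Shape of the 'Order Conf.' run: macro-enabled Word document."""
    return build_mail("Abigail Jones <ajones@sender.example>", "user@example.com",
                      "Order Conf. 3360069", "Please see attached",
                      [("Order Conf__3360069_22_02_2016.docm",
                        "application/vnd.ms-word.document.macroEnabled.12",
                        b"inert placeholder, not a real document")])


if __name__ == "__main__":
    print(triage(sample_js_zip_mail()), triage(sample_docm_mail()))
```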


#1660 AplusWebMaster


Posted 25 February 2016 - 05:51 AM

FYI...

Fake 'Doc attached' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
25 Feb 2016 - "An email with the subject of 'Document No 1076196' pretending to come from Accounts at your own domain with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Accounts <accounts@ victim domain .tld>
Date:
Subject: Document No 1076196
Attachment: Document No 1076196.xls
    Thanks for using electronic billing
    Please find your document attached
    Regards
    Accounts


25 February 2016: Document No 1076196.xls - Current Virus total detections 5/56*
Hybrid analysis** shows it downloads demo2.master-pro .biz/images/flags/76ghby6f45.exe.
It is almost certain that this is either Dridex banking Trojan or Locky ransomware. Locky is distributed via the Dridex botnet... Other download locations discovered so far include:
http ://mysite.dp .ua/adminka/jqvmap/76ghby6f45.exe and:
sepadugroup .com .my/system/logs/76ghby6f45.exe ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456394222/

** https://www.hybrid-a...environmentId=4
Host Address
81.177.140.123: https://www.virustot...23/information/
>> https://www.virustot...14278/analysis/
91.236.4.234: https://www.virustot...34/information/
___

Fake 'FW: INVOICE' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
25 Feb 2016 - "An email with the subject of 'FW: INVOICE- 1442049 ( random numbers)' pretending to come from Maddi Cross <maddi.cross@ your own email domain> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Maddi Cross <maddi.cross@ victim domain . tld>
Date: Thu 25/02/2016 10:17
Subject: FW: INVOICE- 1442049
Attachment: INVOICE-6154119.docm
    With Kind Regards,
    Maddi Cross
    Customer Service Team Leader ...


25 February 2016: INVOICE-6154119.docm - Current Virus total detections 6/56*
Downloads sepadugroup .com.my/system/logs/76ghby6f45.exe (VirusTotal 2/56**). It is almost certain to download either Dridex banking Trojan or Locky Ransomware, which are both using the -same- distribution network... Other download locations with same file names so far discovered include:
http ://mysite.dp .ua/adminka/jqvmap/76ghby6f45.exe ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456396242/

** https://www.virustot...sis/1456396563/

sepadugroup .com.my: 167.114.103.208: https://www.virustot...08/information/
>> https://www.virustot...c0c5a/analysis/

mysite.dp .ua: 176.114.0.200: https://www.virustot...00/information/
>> https://www.virustot...33f18/analysis/
___

Fake 'Attached Image' SPAM - doc malware
- http://myonlinesecur...cky-ransomware/
25 Feb 2016 - "... an email with the subject of 'Attached Image' pretending to come from scanner@ your own email domain with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: scanner@ Victim domain. tld
Date: Thu 25/02/2016 11:00
Subject: Attached Image
Attachment: 2156_001.docm


Body content is totally blank

25 February 2016: 2156_001.docm - Current Virus total detections 6/56*
Waiting for analysis. It is almost certain to download either Dridex banking Trojan or Locky Ransomware from the -same-locations- described in today’s earlier posts [1] [2], which are both using the -same- distribution network, file names and methods of infection... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456398208/

1] http://myonlinesecur...rd-doc-malware/

2] http://myonlinesecur...dsheet-malware/
___

Fake 'BACS' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
25 Feb 2016 - "An email with the subject of 'BACS Remittance Advice (25/02/16)' pretending to come from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Annette Rojas <RojasAnnette913@ fiber .net .id>
Date: Thu 25/02/2016 14:02
Subject: BACS Remittance Advice (25/02/16)
Attachment: BACS_remittance_advice_0339266.doc
    Please find attached your remittance advice.
    If you do have any queries regarding this remittance advice, please contact:
    Threadneedle (Supplier Reference beginning TP) ...


25 February 2016: BACS_remittance_advice_0339266.doc - Current Virus total detections 2/56*
Hybrid analysis** shows it downloads serveur.wininstall .co/colombian/cocaina.php - which gave me crypted120med.exe (virustotal 1/55***). This will be either Dridex or Locky Ransomware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456407906/

** https://www.reverse....environmentId=4
Host Address
91.223.88.209
>> https://www.virustot...7431c/analysis/
81.93.151.248
188.40.224.76


*** https://www.virustot...sis/1456409978/
TCP connections
188.40.224.76: https://www.virustot...76/information/
104.86.110.240: https://www.virustot...40/information/
___

Fake 'Scanned Invoice' SPAM - doc/xls malware
- http://myonlinesecur...rd-doc-malware/
25 Feb 2016 - "An email with the subject of 'Scanned Invoice' pretending to come from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... It looks like these criminal gangs are distributing Dridex in the mornings this week and switch to Locky ransomware in the afternoons... The email looks like:
From: Katheryn Garner <GarnerKatheryn5049@ beyondbackyards .com>
Date: Thu 25/02/2016 16:14
Subject: Scanned Invoice
Attachment:
    Dear erek ,
    Scanned Invoice in Microsoft Word format has been attached to this email.
    Thank you!
    Katheryn Garner
    Sales Manager


25 February 2016: SCAN_Invoice_erek.doc - Current Virus total detections 2/56*
.. downloads insittu .com/2/2.exe which is Locky ransomware (virustotal 3/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456416843/

** https://www.virustot...sis/1456417770/
TCP connections
51.254.19.227: https://www.virustot...27/information/

insittu .com: 192.185.147.147: https://www.virustot...47/information/
>> https://www.virustot...aee8f/analysis/
___

Magnitude EK - Malvertising ...
- https://blog.malware...tising-deja-vu/
Feb 24, 2016 - "...  witnessed an increase in the number of malvertising incidents involving the Magnitude exploit kit. The last time we blogged about this was in mid November 2015 and we attributed the event to the fact that Magnitude EK had just integrated a newer Flash exploit (CVE-2015-7645). We fast-forward a few months and see that things haven’t changed one bit:
    Same ad network (Propeller Ads Media)
    Newer Flash exploit (CVE-2015-8651)
    CryptoWall
We see the use of “redirectors” which obfuscate the URL to Magnitude... While reviewing this attack, we also spotted a similar malvertising attack via another ad network (AdsTerra)... We reported both campaigns to the respective ad networks.
- IOCs: Ad networks:
terraclicks[.]com: 198.134.112.232: https://www.virustot...32/information/
>> https://www.virustot...f73c9/analysis/
onclickads[.]net:
- Redirectors:
discount-shop[.]org: 'A temporary error occurred during the lookup...'
freewellgames[.]biz: 185.49.69.88: https://www.virustot...88/information/
>> https://www.virustot...39bc7/analysis/
onlinewellgame[.]com: 'A temporary error occurred during the lookup...'
mov-3s[.]com: 'A temporary error occurred during the lookup...'

Payload (CryptoWall): e5c3fa1f1b22af46bf213ed449f74d40 "
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 25 February 2016 - 12:59 PM.




#1661 AplusWebMaster


Posted 26 February 2016 - 05:42 AM

FYI...

Fake 'Invoice/Credit Note' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
26 Feb 2016 - "An email with the subject of 'Corporate Direct (Europe) Ltd Invoice/Credit Note Attached' pretending to come from Sharron Blevins <Blevins.Sharron04@ corpteluk .com> (These are actually random names at corpteluk .com) with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Sharron Blevins <Blevins.Sharron04@ corpteluk .com>
Date: Fri 26/02/2016 08:42
Subject: Corporate Direct (Europe) Ltd Invoice/Credit Note Attached
Attachment: UK_2871159073.doc
    DO NOT DELETE
    Dear Sir or Madam
    Please find your invoice attached.
    If you have any queries regarding your account please do not hesitate to contact us.
    Thank you for your business.
    Corporate Telecommunications Accounts.
    Joanna Monks
    Credit Control ...


26 February 2016: UK_2871159073.doc - Current Virus total detections 4/56*
MALWR** shows us a download of Dridex banking Trojan from
 http ://5.149.248.225 /britishairaways/takeoff.php which gave me 120.exe (VirusTotal 1/55***)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456479676/

** https://malwr.com/an...DRmMDM4YTIyY2Q/
5.149.248.225: https://www.virustot...25/information/
81.93.151.248
184.25.56.42


*** https://www.virustot...sis/1456480745/
TCP connections
81.93.151.248: https://www.virustot...48/information/
13.107.4.50: https://www.virustot...50/information/
___

Fake 'Active Discount' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
26 Feb 2016 - "An email with the subject of 'Active Discount Transaction – 60126092105029/1' pretending to come from Lloyds Bank plc <supplier.finance@ lloydsbanking .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Lloyds Bank plc <supplier.finance@ lloydsbanking .com>
Date: Fri 26/02/2016 09:28
Subject: Active Discount Transaction –  60126092105029/1
Attachment: 60126092105029_1.docm
    This message is to inform that the following event happened or action is required in the Lloyds Bank plc system
    Event/Action Description : Active Discount Transaction – 60126092105029/1
    Date : Feb 26, 2016
    Number of Invoices : 5
    Total Amount : 595.78
    Discount Amount : 592.88  ...


26 February 2016: 60126092105029_1.docm - Current Virus total detections 4/55*
MALWR** shows a download of what looks like Dridex banking Trojan from
 http ://autoshara .com.ua/system/logs/76tg654viun76b which is a text file that is renamed/saved as a .exe and autorun (VirusTotal ***). The Comments in Virus total show other download locations as
http ://www .westport .in/vqmod/xml/76tg654viun76b
http ://glavmedmag .ru/system/logs/76tg654viun76b ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456482256/

** https://malwr.com/an...GE0MzVhMjJmZTY/
193.169.189.202
91.236.4.234
23.216.10.177


*** https://www.virustot...sis/1456481804/
TCP connections
203.162.141.13: https://www.virustot...13/information/
23.63.98.17: https://www.virustot...17/information/
___

Fake 'Your Order' SPAM - malicious attachment
- http://blog.dynamoo....r-has-been.html
26 Feb 2016 - "This spam does -not- come from Harrison Products but is instead a simple -forgery- with a malicious attachment:
   From     warehouse | Harrison [warehouse@ harrisonproducts .net]
    Date     Fri, 26 Feb 2016 18:07:04 +0500
    Subject     Your Order has been despatched from Harrison
    Dear Customer
    Thank you for your valued Order, your Despatch Confirmation is attached
    If there are any queries relating to this delivery please contact our Customer Service
    Team on 01451 830083 or email sales@ harrisonproducts .net
    Kind Regards
    The Harrison Products Team ...


I have seen only one sample of this with an attachment named Order ref. 16173.xls which has a VirusTotal detection rate of 6/55*. This Malwr report** plus this Hybrid Analysis*** for that sample shows a binary being downloaded from:
thetoyshop .by/system/logs/76tg654viun76b
There are probably other download locations too. This dropped file has a detection rate of 3/52[4]. Those two reports indicate that this is the Dridex banking trojan. It phones home to:
203.162.141.13 (VietNam Data Communication Company, Vietnam)
I strongly recommend that you -block- traffic to that IP."
* https://www.virustot...sis/1456493060/

** https://malwr.com/an...DUzMzI3MWM3ZGU/

*** https://www.hybrid-a...environmentId=4

4] https://www.virustot...sis/1456493451/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 26 February 2016 - 08:40 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1662 AplusWebMaster

Posted 29 February 2016 - 10:42 AM

FYI...

Facebook Video SPAM... and 'Leaked' iPhone
- https://blog.malware...-leaked-iphone/
Feb 29, 2016 - "Spam posts on Facebook are nothing new. Since videos continue to be a staple form of entertainment — a whopping 8-billion views-per-day according to last year’s numbers — within the social network ecosystem, video spam has become a particular nuisance. From -shock- videos of supposed bears tearing people apart to celebrity deaths to mermaids, one can almost say they have seen it all. However, it is -uncommon- nowadays to find video spam that is sexually graphic in nature... :
> https://blog.malware.../fb-comment.png
The above was posted as a reply to an innocent update made by a family member of the poster. We’re fairly certain that s/he didn’t knowingly post it themselves, too, because clicking the Facebook App page link below the video preview photo -redirects- one to a page that -claims- to be one of Facebook’s:
fb-moviews[DOT]com, as seen:
> https://blog.malware...eoshotindie.png
... Whether one provides their info to the page or not, clicking “Masuk” (or “Enter” in English) allows the affected user’s account to do two things: (1) it shares the original poster’s video link and (2) it replies to posts with the video link including some -garbled- text and URL. At the same time, fb-moviews -redirects- users to a site where users won’t be seeing any videos... specifically presented with the page (screenshot below) about a -leak- of a rumored new iPhone smartphone, which has been making rounds in big news outlets today:
> https://blog.malware...2/iphone365.png
... We have said this before... again: Be careful what-you-click..."

fb-moviews[DOT]com: 104.18.51.45: https://www.virustot...45/information/
104.18.50.45: https://www.virustot...45/information/
___

Fake 'Invoice' SPAM - malicious attachment
- http://blog.dynamoo....05215-dear.html
29 Feb 2016 - "This fake financial email (sent to "Dear costumer") has a malicious attachment.
    From:    Velma hodson
    Date:    29 February 2016 at 16:49
    Subject:    Invoice #16051052/15
    Dear costumer,
    You are receiving this informational letter because of the fact that you have a debt totaling $157,54 due to late payment of invoices dating March ‘15.
    In attachment you will find a reconciliation of the past 12 months (year 2015).
    Please study the file and contact us immediately to learn what steps you should take to avoid the accrual of penalties.


I have only seen a single sample with an attachment named Invoice_ref-16051052.zip which in turn contains a malicious script invoice_kOUEsX.js ... The script has a VirusTotal detection rate of 2/55* and these automated analysis tools [1] [2] show that it attempts to download a binary from the following locations:
ohiyoungbuyff .com/69.exe?1
helloyungmenqq .com/69.exe?1
The domain names have a similar theme, indicating that the -servers- are malicious. It might be worth blocking:
91.196.50.241 (EuroNet, Poland)
50.3.16.250 (Eonix, US)
This Malwr report** shows that the dropped payload is ransomware, calling home to the following domains:
biocarbon .com.ec
imagescroll .com
I recommend that you -block- traffic to those domains plus the two IPs, giving a recommended blocklist of:
91.196.50.241
50.3.16.250
biocarbon .com.ec
imagescroll .com
music.mbsaeger .com
stacon .eu
"
* https://www.virustot...sis/1456771424/

1] https://malwr.com/an...jIwZjQ0MDNlYWU/

2] https://www.hybrid-a...environmentId=4

** https://malwr.com/an...DVhNjkyNWUyMGY/
Hosts
192.185.39.66
62.210.141.228
76.125.213.205
188.116.9.2

___

Fake 'Scanned image' SPAM - malicious attachment
- http://blog.dynamoo....ge-data_29.html
29 Feb 2016 - "This -fake- document scan has a malicious attachment:
    From:    admin [ands21@ victimdomain .tld]
    Date:    29 February 2016 at 19:05
    Subject:    Scanned image
    Image data in PDF format has been attached to this email.


The email appears to originate from within the victim's own domain. Attached is a randomly-named file with a format similar to 2016022936833473.zip containing a malicious script with a name somewhat like SCAN000469497.js. I have seen three different versions of the attached scripts with detection rates of around 1/55 [1]... The Malwr reports for those [4] [5] [6] show download locations at:
www .notebooktable .ru/system/logs/7ygvtyvb7niim.exe
svetluchok .com.ua/admin/images/7ygvtyvb7niim.exe [404]
mansolution .in.th/system/logs/7ygvtyvb7niim.exe
This appears to be Locky ransomware with a detection rate of just 3/55*. Those Malwr reports also indicate C&C servers at:
51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
185.14.29.188 (ITL aka UA Servers, Ukraine)
Note that one of the download locations is 404ing. There may be other download locations that I am not aware of, however I recommend that you block-all-traffic to:
51.254.19.227
185.14.29.188
"

1] https://www.virustot...sis/1456774937/

4] https://malwr.com/an...GU0NjgwOTYyNTY/
195.208.1.116
185.14.29.188


5] https://malwr.com/an...GQxYmExZTZlY2E/
176.114.0.200

6] https://malwr.com/an...TI5OTFhZTdiYTU/
103.233.192.226
51.254.19.227


* https://www.virustot...2ef0e/analysis/
TCP connections
51.254.19.227: https://www.virustot...27/information/
___

Berkeley - again becomes victim of cyberattack
- http://www.zdnet.com...of-cyberattack/
Feb 29, 2016 - "The University of California, Berkeley, has admitted to a second data breach which may have exposed the data of 80,000 people to misuse. Current and former students, faculty members and vendors linked to the university are among those who have been warned about the incident, which took place through financial management software which contained a security flaw, allowing an attacker - or group - to access internal services. The attack took place in late December, 2015. The entry point the attacker used was the Berkeley Financial System (BFS), which the university was in the process of patching. According to UC Berkeley, the software is used for purchases and non-salary payments... while there is no evidence the personal information belonging to thousands of people was accessed or stolen, the system which was compromised was used to store Social security and bank account numbers... The FBI and other law enforcement agencies have been notified. The university is warning those affected to stay on the lookout for "misuse" of their data - which could lead to identity theft, for example - and is offering free credit monitoring to help potential victims keep an eye on their affairs..."
___

Snapchat hit by phishing scam
- http://blog.snapchat...o-our-employees
Feb 28, 2016 - "... Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our Chief Executive Officer and asked for employee payroll information. Unfortunately, the phishing email wasn’t recognized for what it was – a scam – and payroll information about some current and former employees was disclosed externally. To be perfectly clear though: None of our internal systems were breached, and no user information was accessed... Within four hours of this incident, we confirmed that the phishing attack was an isolated incident and reported it to the FBI. We began sorting through which employees – current and past – may have been affected. And we have since contacted the affected employees and have offered them two years of free identity-theft insurance and monitoring. When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong. To make good on that last point, we will redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 29 February 2016 - 04:39 PM.



#1663 AplusWebMaster

Posted 01 March 2016 - 06:42 AM

FYI...

Fake 'March Invoice' SPAM - Locky ransomware
- http://blog.dynamoo....lkan-dream.html
1 Mar 2016 - "This -fake- financial spam can't make up its mind which month it is for.
    From:    Caitlin Velez
    Date:    1 March 2016 at 11:50
    Subject:    March Invoice
    Hi,
    Attached is the November invoice.
    Thanks!
    Caitlin Velez
    Customer Service
    Balkan Dream Properties ...


So far I have seen just one sample of this, so it is possible that other companies are being spoofed as well. Attached is a file INV09BEE9.zip which in turn contains a malicious script statistics_60165140386.js. This has a detection rate of precisely zero*. This Malwr report** shows that it is the Locky ransomware, downloading a binary from:
intuit.bitdefenderdistributor .info/intrabmw/get.php
This is hosted on a bad webserver at..
93.95.100.141 (Mediasoft ekspert, Russia)
..and it then phones home to..
5.34.183.195 (ITL / UA Servers, Ukraine)
There are probably other download locations. My contacts tell me that these are C2 servers for an earlier German-language campaign, it is possible they are being used here. Block 'em anyway..
31.184.197.119 (Petersburg Internet Network ltd., Russia)
51.254.19.227 (Dmitrii Podelko, Russia / OVH, France)
91.219.29.55 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
Recommended blocklist:
5.34.183.195
31.184.197.119
51.254.19.227
91.219.29.55
93.95.100.141
"
* https://www.virustot...sis/1456833407/

** https://malwr.com/an...2ZhZGQxZDg4N2I/

- http://myonlinesecur...cky-ransomware/
1 Mar 2016 - "... an email with the subject of 'March Invoice' pretending to come from random names, companies and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
From: Grace Buckley <BuckleyGrace41@ jackvalan .com>
Date: Tue 01/03/2016 11:51
Subject: March Invoice
Attachment: INVBEAC8E.zip
    Hi,
    Attached is the November invoice.  
    Thanks!  
    Grace Buckley
    Customer Service
    MONTANARO UK SMALLER COS INVESTM TR ...


1 March 2016: INVBEAC8E.zip: Extracts to: statistics_60165140386.js - Current Virus total detections 0/56*
MALWR** shows it downloads http ://intuit.bitdefenderdistributor .info/intrabmw/get.php which gave me
lohi.exe (VirusTotal 5/54***). This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1456833183/

** https://malwr.com/an...2ZhZGQxZDg4N2I/
93.95.100.141
5.34.183.195


*** https://www.virustot...sis/1456832632/
TCP connections
185.14.29.188: https://www.virustot...88/information/
___

Fake 'Your Order' SPAM - Locky ransomware
- http://myonlinesecur...cky-ransomware/
1 Mar 2016 - "An email with the subject of 'Delay with Your Order #200C189B, Invoice #37811753' [random numbered] pretending to come from Random names, companies and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
From: Joel Barron <BarronJoel28@ softranstech .com>
Date: Tue 01/03/2016 11:30
Subject: Delay with Your Order #200C189B, Invoice #37811753
Attachment: order_copy_200C189B.zip
    Dear Valued Customer,
    It is very unpleasant to hear about the delay with your order #200C189B, but be sure that our department will do its best to resolve the problem. It usually takes around 7 business days to deliver a package of this size to your region.
    The local post office should contact your as soon as they will receive the parcel. Be sure that your purchase will be delivered in time and we also guarantee that you will be satisfied with our services.
    Thank you for your business with our company.
    Joel Barron
    Sales Manager


1 March 2016: order_copy_200C189B.zip: Extracts to: readme_692768919.js - Current Virus total detections 0/56*
MALWR** shows what looks like a download of Locky Ransomware from
 http ://sitemar.ro/5/92buyv5 ... This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1456831819/

** https://malwr.com/an...DUzZjg0ZmY1ZmU/
Hosts
89.38.241.66
185.14.29.188


- http://blog.dynamoo....omer-it-is.html
1 Mar 2016 - "This strangely worded spam leads to the Locky ransomware:
    From     =cU3RlZmFuaWUgU3VsbGl2YW4=?= [SullivanStefanie68750@numericable .fr]
    Date     Tue, 01 Mar 2016 13:40:48 +0200
    Subject     =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICM3QjZCN0UwOCwgSW52b2ljZSAjMzI1ODMzNDY=?=
    Dear ValuedCustomer,
    It is very unpleasant to hear about the delay with your order #7B6B7E08, but be sure
    thatour department will do its best to resolve the problem.It usually takes around7
    business days to deliver a package of this size to your region.
    The local post office should contact your as soon as they will receive theparcel.Be
    sure that your purchase will be delivered in time and we alsoguarantee that you will
    be satisfied with our services.
    Thank you for your business with our company.
    Stefanie Sullivan
    Sales Manager


All the samples I have seen have slightly -mangled- headers. The sender name varies. Attached is a ZIP file named in a similar format to order_copy_7B6B7E08.zip which contains a malicious script named something like:
important_181031694.js
warning_659701636.js
statistics_466026824.js
I have seen -six- different samples so far with zero detection rates [1]... and which according to these analyses [7]... attempt to download a Locky binary from:
sitemar .ro/5/92buyv5
pacificgiftcards .com/3/67t54cetvy
maisespanhol .com.br/1/8y7h8bv6f
Those binaries phone home to:
5.34.183.195/main.php
31.184.197.119/main.php
Those C&C servers are the same as I mentioned in this spam run* and I suggest you -block- traffic to:
5.34.183.195
31.184.197.119
51.254.19.227
91.219.29.55
"
1] https://www.virustot...96de8/analysis/

7] https://malwr.com/an...GVjZmNlNTM4NWY/

* http://blog.dynamoo....lkan-dream.html
___

Fake 'MX62EDO' SPAM - malicious attachment
- http://blog.dynamoo....o-01032016.html
1 Mar 2016 - "This -fake- document scan has a malicious attachment. It appears to come from within the victim's own domain.
    From:    documents@ victimdomain .tld
    Date:    1 March 2016 at 13:43
    Subject:    Emailing: MX62EDO 01.03.2016
    Your message is ready to be sent with the following file or link
    attachments:
    MX62EDO  01.03.2016 SERVICE SHEET
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments.  Check your e-mail
    security settings to determine how attachments are handled.
    This email has been checked for viruses by Avast antivirus software...


I have seen two samples so far, with an attachment that has a similar name to MX62EDO20160301538482.zip which contains a malicious randomly-named script (e.g. PK5293425659.js). Detection rates on the scripts are fairly low [1] [2]. According to these Malwr reports [3] [4] the payload is the Locky ransomware. These two samples download malicious binaries from:
tianshilive .ru/vqmod/xml/87yhb54cdfy.exe
ubermensch .altervista.org/system/logs/87yhb54cdfy.exe
In turn, these attempt to phone home to:
31.184.197.119 /main.php
5.34.183.195 /main.php
These are the -same- C&C servers as seen here*."
1] https://www.virustot...b9efa/analysis/

2] https://www.virustot...sis/1456840115/

3] https://malwr.com/an...mUxNTAwMWE1NWI/
Hosts
5.101.152.42
31.184.197.119


4] https://malwr.com/an...DFmMWU2NTQ2ZjI/
Hosts
176.9.24.196
5.34.183.195


* http://blog.dynamoo....omer-it-is.html
___

Tesco Bank - 'Interest Rate And Tax' Phish
- http://myonlinesecur...d-tax-phishing/
1 Mar 2016 - "There are a few major common subjects in a phishing attempt. Lots of them are either PayPal or your Bank or Credit Card.. This one from Tesco is no exception... The link in this case goes to:
 http ://grupomathile .com.br/hhaa/hhaa.html  which -redirects- to:
 http ://agapechurchindia .org/jss/tesco/tesco/Log.htm  
This particular phishing campaign starts with an email with-a-link:

Screenshot: http://myonlinesecur...ax-1024x511.png

If you fill in the user name you get sent on to a series of pages asking for more information:
> http://myonlinesecur...x1-1024x558.png
... which is a typical phishing page that looks very similar to a genuine Tesco Bank page, if you don’t look carefully at the URL in the browser address bar..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 01 March 2016 - 08:20 AM.

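The runs reported in the posts above share one shape: a ZIP attachment whose only member is a .js downloader that, with known file extensions hidden, passes for a document. The script below is an added example for this thread (not code from any of the quoted blogs) that triages attachments the way a mail gateway or IR analyst would: it flags directly executable attachments, opens ZIP containers and lists script members or an embedded VBA project, and compares the file's leading bytes with what its extension claims, which also catches the disguised "RTF that is really a DOCX" and "XLS that is really a ZIP" attachments. The sample attachments and their contents are constructed placeholders.

```python
"""Attachment triage for the malspam pattern in the posts above: a ZIP whose
only member is a .js downloader (given a document-style icon so it looks like
a DOC), and 'document' attachments whose real format does not match their
extension. Added example for this thread, not code from the quoted blogs."""
import io
import zipfile
from typing import Dict, List

# Extensions Windows will execute on double-click (WSH scripts, HTA, binaries).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".exe", ".scr"}
# Extensions that are legitimately ZIP containers (plain archives and OOXML).
ZIP_EXTS = {".zip", ".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
# Leading bytes of the formats we distinguish.
MAGICS = [
    (b"PK\x03\x04", "zip"),                        # ZIP / OOXML container
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy binary .doc/.xls
    (b"{\\rtf", "rtf"),                            # Rich Text Format
    (b"MZ", "pe"),                                 # Windows executable
]
# What each extension claims the content to be.
CLAIMED = {ext: "zip" for ext in ZIP_EXTS}
CLAIMED.update({".doc": "ole", ".xls": "ole", ".ppt": "ole", ".rtf": "rtf",
                ".exe": "pe", ".scr": "pe"})


def sniff(data: bytes) -> str:
    """Classify an attachment by content, ignoring whatever name it was given."""
    for magic, fmt in MAGICS:
        if data.startswith(magic):
            return fmt
    return "other"


def ext_of(name: str) -> str:
    """Last extension only: 'invoice.doc.js' is a .js file to Windows."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def triage(filename: str, data: bytes) -> List[str]:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    ext, actual = ext_of(filename), sniff(data)
    if ext in SCRIPT_EXTS:
        findings.append(f"{filename}: directly executable attachment ({ext})")
    # A recognised format hiding behind a different extension (e.g. .rtf -> DOCX).
    if actual != "other" and actual != CLAIMED.get(ext, "other"):
        findings.append(f"{filename}: extension {ext or '(none)'} but content is {actual}")
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if ext_of(member) in SCRIPT_EXTS:
                        findings.append(f"{filename}: archive member {member!r} is a script")
                    if member.lower().endswith("vbaproject.bin"):  # OOXML macro project
                        findings.append(f"{filename}: container carries a VBA macro project")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: ZIP signature but the archive is unreadable")
    return findings


def triage_all(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each attachment name to its findings, keeping only those with findings."""
    result = {}
    for name, data in attachments.items():
        hits = triage(name, data)
        if hits:
            result[name] = hits
    return result


def _make_zip(members: Dict[str, bytes]) -> bytes:
    """Build a small in-memory ZIP for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples that only mimic the shapes reported in this thread; the
# member contents are harmless placeholders, not the real attachments.
SAMPLES = {
    "INV09BEE9.zip": _make_zip({"statistics_60165140386.js": b"// placeholder"}),
    "Hillsong-914FCE.xls": _make_zip({"SCAN7420032016.js": b"// placeholder"}),  # .xls that is a ZIP
    "invoice.rtf": _make_zip({"[Content_Types].xml": b"<Types/>",               # .rtf that is a DOCM
                              "word/vbaProject.bin": b"\x00"}),
    "scan_559376.doc": MAGICS[1][0] + b"\x00" * 8,  # extension and content agree
    "genuine.docx": _make_zip({"[Content_Types].xml": b"<Types/>"}),
}

if __name__ == "__main__":
    for hits in triage_all(SAMPLES).values():
        print("\n".join(hits))
```

A legacy binary .doc with a macro (the scan_*.doc runs above) passes this check because the VBA project sits inside the OLE stream, not in a ZIP member; that case needs an OLE parser such as oletools.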


#1664 AplusWebMaster

Posted 02 March 2016 - 06:14 AM

FYI...

Fake 'Invoices' SPAM - malicious attachment
- http://blog.dynamoo....utstanding.html
2 Mar 2016 - "These randomly-generated financial spam emails come with a malicious attachment:
    From:    Buckminster U. Petty
    Date:    2 March 2016 at 07:55
    Subject:    Outstanding Invoice
    Please check the receipt attached to this message. The Transaction will be posted on your account within 48 hours.
    ----------
    From:    Astra B. Fuller
    Date:    2 March 2016 at 08:08
    Subject:    Fwd: ZYL Invoice
    Please find the payment details attached to this message. The Transfer should appear on your account in 2 days.
    ----------
    From:    Audrey U. Oneil
    Date:    2 March 2016 at 07:34
    Subject:    Re: Sales Invoice
    Please review the invoice attached to this message. The Transfer should appear on your bank in 48 hours.


Attached is a randomly-named file with an -RTF- extension which is actually a -DOCX- file in disguise. I have seen three different attachments with detection rates of 1/55 [1] [2] [3] and the Malwr reports for those [4] [5] [6] show the macro contained within downloading from the following locations:
thevillagelounge .nl/e.jpg?LnRiNLIoPC3=55
creeko .com/d.jpg?GIk1nRWM0r27m5Ss=50
creeko .com/d.jpg?GIk1nRWM0r27m5Ss=8
The VirusTotal results for the two unique binaries dropped are 3/55 [7] [8] but automated analysis.. is inconclusive. It looks rather like -ransomware- but I cannot confirm this."
1] https://www.virustot...sis/1456908576/

2] https://www.virustot...sis/1456908593/

3] https://www.virustot...sis/1456908601/

4] https://malwr.com/an...zA2NjU4OGQ4YjA/
Hosts
172.231.69.95
209.242.233.7: https://www.virustot....7/information/

5] https://malwr.com/an...2M3MmRjYTFmOGY/
Hosts
172.231.69.95
209.242.233.7: https://www.virustot....7/information/

6] https://malwr.com/an...2Y1NTQ2MzAyM2E/
Hosts
172.231.69.95
178.251.196.62: https://www.virustot...62/information/

7] https://www.virustot...sis/1456909038/

8] https://www.virustot...sis/1456909051/

creeko .com: 209.242.233.7: https://www.virustot....7/information/

thevillagelounge .nl: 178.251.196.62: https://www.virustot...62/information/
___

Fake 'Package' SPAM – JS malware/ransomware
- http://myonlinesecur...-to-ransomware/
2 Mar 2016 - "An email with the subject of 'Package # 16049177' [random numbered] that matches the attachment and the number in the body of the email, pretending to come from random email addresses, names and companies with a zip attachment is another one from the current bot runs... The email looks like:
From: Alyson cockcroft <cockcroftAlyson2993@ arc-performance .com> (random senders)
Date: Wed 02/03/2016 10:14
Subject: Package # 16049177
Attachment: Invoice_ref-16049177.zip
    Dear Client,
    Your replacement package was shipped 5 days ago and is now being transferred to your local post office.
    The package identification number is # 16049177 , please double-check the information on it in the file attached below.
    We are grateful for your purchase from our shop and are very sorry for the inconvenience.


2 March 2016: Invoice_ref-16049177.zip: Extracts to: invoice_scan_EdcJqY.js - Current Virus total detections 5/56*
MALWR** shows a download of what looks like Teslacrypt rather than Locky ransomware based on the file names and locations from either http ://ohelloweuqq .com/69.exe or http ://soclosebutyetqq .com/69.exe
(VirusTotal 4/56***).. This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1456913677/

** https://malwr.com/an...zA1YTEwNzQ5M2I/
104.232.35.31: https://www.virustot...31/information/
91.196.50.241: https://www.virustot...41/information/

*** https://www.virustot...sis/1456916592/
TCP connections
194.228.3.204: https://www.virustot...04/information/
___

Fake 'Invoice Copy' SPAM - doc macro/ransomware
- http://myonlinesecur...cky-ransomware/
2 Mar 2016 - "An email with the subject of 'Invoice Copy' pretending to come from random senders with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Jerrod Parker <ParkerJerrod02870@ kabel-deutschland .de>
Date: Wed 02/03/2016 10:15
Subject: Invoice Copy
Attachment: scan_559376.doc
    Dear Customer,
    Please make sure you send payment for your parcel to avoid any inconvenience. Open the attached file to review the confirmation listing.
    Thank you for your business – we appreciate it very much.
    Sincerely,
    Jerrod Parker
    Account Manager

-Or:
Dear User,
Your order will be shipped shortly, we apologize for the troubles. Please, review the invoice in the attached file.
Thank you for your business – we appreciate it very much.
Sincerely,
Johnnie Newman
Project Manager


2 March 2016: scan_559376.doc - Current Virus total detections 6/55*
MALWR shows a download from http ://cabanasestina .ro/num/5buybbtyu8 ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456917614/

cabanasestina .ro: 188.213.205.89: https://www.virustot...89/information/
>> https://www.virustot...a6cb4/analysis/
___

Fake 'remittance advice' SPAM - JS malware/ransomware
- http://myonlinesecur...-to-ransomware/
2 Mar 2016 - "An email pretending to be a remittance advice for the payment made on the 19th Feb 2015 from Hillsong Church London with a random subject of 'MEARS GROUP March Invoice #17577' [random numbered] and random company names pretending to come from random senders with a zip attachment is another one from the current bot runs... The name of the alleged sender matches the name in the email body... The email looks like:
From: Osvaldo West <West.Osvaldo736@ ttml .co.in>
Date: Wed 02/03/2016 12:16
Subject: MEARS GROUP March Invoice #17577
Attachment: Hillchurch-C7EA2.zip or Hillsong-914FCE.xls
    Hi there,
    Please find the remittance advice for the payment made on the 19th Feb 2015 from Hillsong Church London.
    Please let me know if there are any queries.
    Kind regards,
    Osvaldo West ...


2 March 2016: Hillchurch-C7EA2.zip: Extracts to: TR914740032016.js - Current Virus total detections 3/56*
MALWR** shows a download from http ://doaemdpmekd.securalive .eu/8fjvimkel1/c987ah8j9ei1.php (VirusTotal 2/55***)
 which gave me readme.exe ...
2 March 2016: Hillsong-914FCE.xls - Current Virus total detections 2/55[4]
 which is being detected as a Dridex downloader. -Both- Locky Ransomware and Dridex banking Trojans use the -same- download mechanisms and until you actually see the payload, it is impossible to tell whether it is Dridex or Locky.. MALWR shows a download from http ://oimedoaeklmrf.giftcardnanny .ca/nu2o3mk4/c987ah8j9ei1.php which gave me likeaboss.exe (VirusTotal 2/56[5]).. this is the -same- malware file as the js version so is more likely to actually be Dridex rather than Locky... This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1456921684/

** https://malwr.com/an...jA3NWU1ZTJlZjc/
Hosts
193.201.227.90: https://www.virustot...90/information/
24.172.94.181
13.107.4.50: https://www.virustot...50/information/

*** https://www.virustot...sis/1456922055/
TCP connections
24.172.94.181
13.107.4.50: https://www.virustot...50/information/

4] https://www.virustot...sis/1456922090/

5] https://www.virustot...sis/1456922631/
TCP connections
24.172.94.181
13.107.4.50: https://www.virustot...50/information/

doaemdpmekd.securalive .eu: 193.201.227.90: https://www.virustot...90/information/

oimedoaeklmrf.giftcardnanny .ca: 193.201.227.90

- http://blog.dynamoo....ong-church.html
2 Mar 2016 - "... the body text is from a church..
    Hi there,
    Please find the remittance advice for the payment made on the 19th Feb 2015 from
    Hillsong Church London...


... all these locations are on the same server (and are the same binary), hosted on:
193.201.227.90 (PE Tetyana Mysyk, Ukraine)
According to VirusTotal*, there are a few -hijacked- GoDaddy subdomains on that IP. This method is a little unusual for this type of attack... this Hybrid Analysis** show the malware phoning home to:
24.172.94.181 (Time Warner Cable, US)
It isn't entirely clear what the payload is, but it is probably Dridex or possibly some form of ransomware.
Recommended blocklist:
193.201.227.90
24.172.94.181
"
* https://www.virustot...90/information/

** https://www.hybrid-a...environmentId=4
___

Fake 'March Invoice' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
2 Mar 2016 - "An email with the subject of 'ENABLES IT GROUP PLC March Invoice #39903' (random company names and invoice numbers) pretending to come from random names with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Ina Wolfe <Wolfe.Ina680@ intex .in>
Date:
Subject: ENABLES IT GROUP PLC March Invoice #39903
Attachment: Hillsong-838834.xls
    Afternoon,
    Please find attached a copy of our bank details.
    If we can be of further assistance then please do not hesitate to contact me
    Many thanks,
    Ina Wolfe
    Credit Controller
    Le Mark Self-Adhesive Ltd. ...


2 March 2016: Hillsong-838834.xls - When renamed to zip & extracted you get SCAN7420032016.js (VirusTotal 3/56*)
 MALWR shows a download from http ://aoieofnv.lotnine .com/8fjvimkel1/c987ah8j9ei1.php which is the -same- malware as described in THIS post**... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456931124/

** http://myonlinesecur...-to-ransomware/

aoieofnv.lotnine .com: 193.201.227.90: https://www.virustot...90/information/
___

Fake 'Invoice Scan/copy' SPAM - doc macro malware
- http://myonlinesecur...-macro-malware/
2 Mar 2016 - "An email with the subject of 'Payment Confirmation / Invoice Scan / Invoice copy' pretending to come from random email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Gavin Gaines <GainesGavin739@ iconpln .net.id>
Date: Wed 02/03/2016 14:07
Subject: Payment Confirmation / Invoice Scan / Invoice copy
Attachment: scan_174761.doc
    Dear Customer,
    Please review the attached copy of your Electronic document.
    Thank you for your business – we appreciate it very much.
    Sincerely,
    Gavin Gaines
    Account Manager

-Or:
    Dear Member,
    The mistake made will be compensated promptly, please do not worry. Please
    take a look at the file attached as it contains all the information.
    Thank you for your business – we appreciate it very much.
    Sincerely,
    Marisol Lara
    Account Manager


2 March 2016: scan_174761.doc - Current Virus total detections 6/56*
 MALWR isn’t showing any download on this one but that might be due to analysis protection more than anything else... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1456927470/
___

Fake 'Whitehouse paperwork' SPAM - JS malware / Locky ransomware
- http://myonlinesecur...cky-ransomware/
2 Mar 2016 - "An email with the subject of 'Whitehouse paperwork' pretending to come from 'Admin' at your own email domain with a zip attachment is another one from the current bot runs... The email looks like:
From: admin <admin@ victimdomain .tld>
Date: Wed 02/03/2016 14:48
Subject: Whitehouse paperwork
Attachment: 201603021282046970.zip
    This E-mail was sent from “RNPDD9C46” (Aficio MP C2500).
    Scan Date: Wed, 02 Mar 2016 19:18:02 +0430


2 March 2016: 201603021282046970.zip: Extracts to: OR5121206096.js - Current Virus total detections 6/56*
 MALWR shows a download from http ://cocowashi .com/system/logs/76tr5rguinml.exe (VirusTotal 4/56**) which is locky ransomware... This is another one of the spoofed icon files that unless you have “show known file extensions” enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1456933931/

** https://www.virustot...sis/1456934341/
TCP connections
109.237.111.168: https://www.virustot...68/information/

cocowashi .com: 50.118.112.2: https://www.virustot....2/information/
>> https://www.virustot...3d99b/analysis/
___

Fake 'Order reference' SPAM - JS malware/Teslacrypt
- http://myonlinesecur...-to-teslacrypt/
2 Mar 2016 - "An email with the subject of 'Order reference # 58087317' [random numbered] pretending to come from random email addresses, companies and names with a zip attachment is another one from the current bot runs... The email looks like:
From: Felecia niven <nivenFelecia41@ neukoelln-arcaden .de>
Date: Wed 02/03/2016 17:09
Subject:  Order reference # 58087317
Attachment: Invoice_ref-58087317.zip
    Dear Customer,
    We apologize for the troubles with your parcel # 58087317 and can assure you that this mistake will not be happening again.
    Please, check the information on this case in the attachment.
    Taking in consideration the problem on your order we also included info on your bonus of $483,35 , which you may use during your next order.


2 March 2016: Invoice_ref-58087317.zip: Extracts to: invoice_copy_wvpthP.js - Current Virus total detections 9/56*
 MALWR** shows a download from http ://soclosebutyetqq .com/80.exe or http ://ohelloweuqq .com/80.exe (VirusTotal 4/56***) which is almost certainly Teslacrypt ransomware... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a safe file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1456942781/

** https://malwr.com/an...WJiMDI4NmY2YzE/
Hosts
104.232.35.31: https://www.virustot...31/information/
>> https://www.virustot...0b20f/analysis/
173.82.74.197: https://www.virustot...97/information/

*** https://www.virustot...sis/1456942277/
TCP connections
194.228.3.204: https://www.virustot...04/information/

soclosebutyetqq .com: 173.82.74.197: https://www.virustot...97/information/
91.196.50.241: https://www.virustot...41/information/
>> https://www.virustot...a2241/analysis/
ohelloweuqq .com: 104.232.35.31: https://www.virustot...31/information/
50.3.16.250: https://www.virustot...50/information/
>> https://www.virustot...2e9b7/analysis/
___

Fake 'Visa benefits, rewards' leads to TeslaCrypt ransomware
- http://www.symantec....rypt-ransomware
01 Mar 2016 - "... recently observed a -spam-campaign- offering -fake- Visa rewards and benefits as -bait- to deliver -ransomware- to recipients’ computers. The email in this particular campaign purports to come from 'Visa Total Rewards' and provides details about the benefits of using Visa credit cards. Attached to the email is an archive file which poses as a -whitepaper- containing more information about the supposed rewards and benefits offered by the program. If the recipient opens the attachment, they will see only an obfuscated JavaScript file (detected as JS.Downloader):
> http://www.symantec....gure1-email.png
If the recipient is fooled into opening the JavaScript file, the script downloads a -variant- of the TeslaCrypt ransomware (detected as Trojan.Cryptolocker.N) from the specified URL and runs it. A few minutes later, a message is displayed stating that all of the user’s files have been encrypted and payment in Bitcoin is required to decrypt the files:
> http://www.symantec....ure-2-tesla.png
The ransomware provides more information to victims on a personalized home page and demands a payment of US$500 (or 1.2 bitcoins) within 160 hours of infection in order to unlock the encrypted files. If the transaction is not made within the specified time frame, the price doubles to $1,000. This page provides a contact form that offers assistance in case of payment issues or any other problems the victims may run into. There is also an opportunity to decrypt a single file for no fee to prove that the files can be properly decrypted:
> http://www.symantec....figure3-pay.png
The vast majority of the spam is being distributed to English-speaking countries, with the UK (40 percent) and the US (36 percent) most targeted. Other regions around the globe are affected as well:
> http://www.symantec....pie-chart_0.png
... Tips on protecting yourself from ransomware:
•Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
•Always keep your security software up to date to protect yourself against any new variants of malware.
•Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
•Delete any suspicious-looking emails you receive, especially if they contain links or attachments..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 02 March 2016 - 01:24 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
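The posts above keep returning to the same two delivery tricks: a .js payload inside a zip that shows up with a document icon when known extensions are hidden, and a .docm attachment that only does harm once the reader enables macros. As an added example (not code from the forum or from the quoted myonlinesecurity and Symantec write-ups), here is a mail-gateway style attachment check in Python that opens a zip in memory and flags script, executable, macro-enabled and double-extension members. The member names are the ones quoted in the posts; the zip contents are constructed.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows runs as code on double-click; any of these inside a mailed
# archive is treated as a policy hit here. (Assumed policy for this example.)
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".exe", ".scr",
    ".pif", ".com", ".bat", ".cmd", ".ps1",
}
# Office formats that can carry VBA macros (the .docm attachments above).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Extensions a lure typically claims to be in a "name.doc.js" double extension.
DECOY_EXTENSIONS = {".doc", ".pdf", ".xls", ".txt", ".jpg"}


def classify_name(name: str) -> List[str]:
    """Return the reasons a single file name is suspicious, or [] if none."""
    reasons: List[str] = []
    base = name.lower().rsplit("/", 1)[-1]          # drop any folder prefix
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script/executable extension {ext}")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office extension {ext}")
    # invoice.doc.js: the visible part claims to be a document, the real type is hidden
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        reasons.append("double extension hides real type")
    return reasons


def inspect_zip_attachment(filename: str, data: bytes) -> List[Tuple[str, List[str]]]:
    """Open a zip attachment in memory and return [(member, reasons)] for every
    member that trips a rule. Data that is not a zip is reported as one finding."""
    findings: List[Tuple[str, List[str]]] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                reasons = classify_name(member)
                if reasons:
                    findings.append((member, reasons))
    except zipfile.BadZipFile:
        findings.append((filename, ["attachment is not a valid zip archive"]))
    return findings


def build_sample_zip(member: str, content: bytes = b"WScript.Echo('x');") -> bytes:
    """Constructed test data: a zip holding a single member, as in the samples above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Attachment and member names quoted in the posts; the contents are constructed.
    samples = {
        "Invoice_ref-58087317.zip": build_sample_zip("invoice_copy_wvpthP.js"),
        "201603021282046970.zip": build_sample_zip("OR5121206096.js"),
        "statement.zip": build_sample_zip("statement.pdf", b"%PDF-1.4 ..."),
    }
    for attachment, blob in samples.items():
        hits = inspect_zip_attachment(attachment, blob)
        verdict = "QUARANTINE" if hits else "allow"
        print(f"{attachment}: {verdict} {hits}")
```

The check deliberately looks only at member names, not content, because that is the decision a gateway can make cheaply and before any user sees an icon; pairing it with a sandbox verdict (as MALWR does in the posts) is the natural next layer.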


#1665 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 03 March 2016 - 06:18 AM

FYI...

Fake 'FreePDF' SPAM - doc malware
- http://myonlinesecur...-macro-malware/
3 Mar 2016 - "An email with the subject of 'FreePDF: 1922110915192.doc' pretending to come from Worrall, Antony <Ant.Worrall@ cmco .eu> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...eu-1024x556.png

3 March 2016: 1922110915192.docm - Current Virus total detections 3/56*
 MALWR** shows a download from http ://corsian .com/system/logs/98yh87b564f.exe which looks like Dridex banking Trojan from the MALWR quick overview, but might be some sort of ransomware (VirusTotal 4/55***)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1457001459/

** https://malwr.com/an...TYzNzY4MDViNTA/
Hosts
173.0.136.57
188.40.224.78
8.254.249.78


*** https://www.virustot...sis/1457001741/
TCP connections
188.40.224.78: https://www.virustot...78/information/
8.253.82.30: https://www.virustot...30/information/

- http://blog.dynamoo....0025984doc.html
3 Mar 2015 - "This -fake- financial spam has a malicious attachment.
From     "Worrall, Antony" [Ant.Worrall@ cmco .eu]
Date     Thu, 03 Mar 2016 14:25:14 +0430
Subject     FreePDF: 1922110025984.doc


Attached is a randomly-named file that matches the reference in the subject. The payload appears to be the Dridex banking trojan, as seen in this earlier spam run*."
* http://blog.dynamoo....-no-173535.html
___

Fake 'Receipt' SPAM - malicious attachment
- http://blog.dynamoo....-no-173535.html
3 Mar 2015 - "This spam does not come from KM Media Group but it is instead a simple -forgery- with a malicious attachment:
From     Sally Webb [swebb@thekmgroup .co.uk]
Date     Thu, 03 Mar 2016 10:58:07 +0100
Subject     Receipt - Order No 173535
regards,
Sally
*Sally Webb*
Recruitment Media Sales Executive
KM Media Group
DDI : 01622 794500 ...


Attached is a file Receipt - Order No 173535.docm which comes in several different versions with detection rates around 3/55*. Analysis from another source (thank you) gives download locations... The initial payload has a detection rate of 4/55** which has now been -updated- with a -new- payload with a similar detection rate. My source says that this is Dridex botnet 220 (not Locky) with C&C servers at:
188.40.224.78 (Hetzner / NoTaG Community, Germany)
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
Recommended blocklist:
188.40.224.78
78.108.93.186
87.106.8.177
91.236.4.234
"
* https://www.virustot...6c76f/analysis/

** https://www.virustot...6ce97/analysis/
TCP connections
188.40.224.78
8.253.82.30

___

Fake 'Order Delay' SPAM - JS malware leading to Teslacrypt
- http://myonlinesecur...-to-teslacrypt/
2 Mar 2016 - "An email with the subject of 'Order Delay – Package Ref. 91063856' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs... The email looks like:
From: Ernestine simister <simisterErnestine49836@ mail.vistony .com>
Date: Thu 03/03/2016 16:52
Subject: Order Delay – Package Ref. 91063856
Attachment: Invoice_ref-91063856.zip
    Respected Customer,
    The delay of your parcel ref. # 91063856 cannot be controlled due to the unstable weather conditions in our region.
    We are doing everything we can to arrange the best shipping time for your package.
    Please check the information on your purchase in the attached file. There your will also find the info on the new delivery time.
    Sincerely,
    Sales Department Manager ...


3 March 2016: Invoice_ref-91063856.zip: Extracts to: invoice_SCAN_WxapPe.js - Current Virus total detections 3/56*
 MALWR** shows a download from http ://isthereanybodyqq .com/69.exe?1 or http ://ujajajgogoff .com/69.exe?1 (currently down) which is Teslacrypt ransomware (VirusTotal 4/54***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457023881/

** https://malwr.com/an...jZhMGNjZjA5Yjk/
Hosts
50.3.16.250
173.82.74.197
173.201.145.1
108.167.143.8
50.62.66.1


*** https://www.virustot...sis/1457024955/

isthereanybodyqq .com: 173.82.74.197: https://www.virustot...97/information/
>> https://www.virustot...5849f/analysis/
91.196.50.241
78.135.108.94

ujajajgogoff .com: 204.44.84.21: https://www.virustot...21/information/
162.211.67.244
___

Fake 'Hyperama' SPAM - JS malware leads to Locky ransomware
- http://myonlinesecur...cky-ransomware/
3 Mar 2016 - "An email with a random numbered subject pretending to come from Administrator <tward9232@ hyperama .com> (random numbers afterward) with a zip attachment is another one from the current bot runs... The email looks like:
From: Administrator <tward9232@ hyperama .com>
Date: Mon 18/01/2016 15:26
Subject: 8912179-99
Attachment: doc0022386.zip
    Tracey Ward
    Purchase Ledger
    Hyperama ...


3 March 2016: Edoc0022386.zip: Extracts to: DOC7797628157.js - Current Virus total detections 23/56*
 MALWR** shows a download of Locky ransomware from http ://anro.kiev .ua/vqmod/vqcache/4trf3g45.exe... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441173827/

** https://malwr.com/an...DlhMDVmMGVmOGE/
Hosts
77.87.194.146: https://www.virustot...46/information/
>> https://www.virustot...e6d01/analysis/
192.121.16.196: https://www.virustot...96/information/

anro.kiev .ua: 77.87.194.146
___

Phishing surges, file-sharing takes lead as most targeted industry of Q1
- http://www.hotforsec...f-q1-13472.html
Mar 03, 2016 - "Phishing through file-sharing services has soared in the past three months, making cloud-based file distribution services the most targeted sector of the first quarter of the year, Bitdefender found. Globally, file-sharing is being used to spread phishing scams more than the retail and payment industries, the traditional favorites of hackers. Almost one-in-five-malicious-URLs uses a file-sharing service to deliver malicious payloads to users, recent Bitdefender data shows.
Top 10 Most Targeted Industry Sectors for Internet Phishing
> http://www.hotforsec...rt1-768x380.jpg
What the technique lacks in innovation is compensated for by the ease of use and popularity of consumer-grade sharing services. In the past year, Dropbox reached 400 million users who stored 35 billion Microsoft Office files, while Google Drive had 190 million in 2014. As importantly, file-sharing and cloud storage services lack security features to filter harmful content. This helps attackers hide their malware-infected files without a trace... The typical infection flow goes like this: the user receives a genuine-looking email that advises users to click-on-an-embedded-link to view an attached document. The link -redirects- the user to a phishing page hosted on the provider’s domain. The page asks for the user’s credentials, then captures and sends the data to cyber-criminals over SSL. SSL certificates ensure data on a website is submitted in a secure manner, but they do -not- guarantee the site itself is safe. Thus, hackers are taking advantage, buying cheap SSL certificates and using them on phishing websites to appear legitimate... Scammers are usually after more than just cloud storage credentials; the malicious URLs can trick users into downloading file-encrypting ransomware, for instance. And the hazard has become significantly more serious as new ransomware iterations can seize control over files stored on cloud services..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 03 March 2016 - 02:15 PM.

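The dynamoo write-up quoted in this post ends with a recommended blocklist of four Dridex botnet 220 C&C addresses. A blocklist is only useful once it is both enforced and looked for in past traffic, so as an added example (not code from the forum or from the quoted blog) here is a small Python detector that runs the four addresses from that list over firewall log lines and reports which internal hosts reached them. The log lines and their key=value layout are constructed for the example and do not come from any real device.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# C&C addresses and ownership exactly as given in the quoted Dridex botnet 220 write-up.
BLOCKLIST: Dict[str, str] = {
    "188.40.224.78": "Hetzner / NoTaG Community, Germany",
    "78.108.93.186": "Majordomo LLC, Russia",
    "87.106.8.177": "1&1, Germany",
    "91.236.4.234": "FHU Climax Rafal Kraj, Poland",
}

# Constructed firewall log in a simple key=value format (assumed for this example).
SAMPLE_LOG = """\
2016-03-03T10:59:12Z action=allow src=10.1.4.23 dst=188.40.224.78 dport=443 proto=tcp
2016-03-03T10:59:15Z action=allow src=10.1.4.23 dst=93.184.216.34 dport=80 proto=tcp
2016-03-03T11:02:40Z action=allow src=10.1.7.8 dst=87.106.8.177 dport=8443 proto=tcp
2016-03-03T11:03:01Z action=deny src=10.1.7.8 dst=91.236.4.234 dport=443 proto=tcp
2016-03-03T11:05:55Z action=allow src=10.1.9.2 dst=10.1.0.5 dport=445 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict; return None for malformed lines or bad IPs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec


def find_cnc_contacts(log_text: str, blocklist: Dict[str, str] = BLOCKLIST) -> List[Dict[str, str]]:
    """Return one record per log line whose destination is on the blocklist.
    Denied connections are kept too: a blocked beacon still means an infected host."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in blocklist:
            continue
        rec["owner"] = blocklist[rec["dst"]]
        hits.append(rec)
    return hits


def hosts_to_triage(hits: List[Dict[str, str]]) -> List[str]:
    """Internal sources that completed a connection (action=allow) to a C&C address."""
    return sorted({h["src"] for h in hits if h["action"] == "allow"})


if __name__ == "__main__":
    contacts = find_cnc_contacts(SAMPLE_LOG)
    for h in contacts:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]} [{h["action"]}] ({h["owner"]})')
    print("hosts to isolate and re-image:", hosts_to_triage(SAMPLE_LOG and contacts))
```

Run against the constructed log it reports three contacts and two hosts to triage; against real exports only the regular expression and the blocklist need changing. Note that the denied connection on 10.1.7.8 is reported as well, since a firewall deny tells you the block worked but not that the host is clean.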