FYI...
Fake 'Unpaid Invoice' SPAM - JS malware
- http://myonlinesecur...com-js-malware/
11 Feb 2016 - "An email with the subject of 'INT242343 Unpaid Invoice – Your Services May Be Suspended' pretending to come from payments <payments@ wavenetuk .com> with a zip attachment is another one from the current bot runs... The email looks like:
From: payments <payments@ wavenetuk .com>
Date: Thu 11/02/2016 08:38
Subject: INT242343 Unpaid Invoice – Your Services May Be Suspended
Attachment: OutstandingStatement201602111650.js
PLEASE NOTE: THIS IS A NO REPLY EMAIL ACCOUNT
Dear Customer
Please find attached to this email your statement
You can view the invoices listed on our e-billing site at www .netbills .co.uk
If you have any queries regarding use of the e-billing site or this statement please call us on 08444 12 7777.
Accounts Department
Wavenet Group
Incorporating – Titan Technology, Centralcom and S1 Network Services
Tel 08444127777 ...
11 February 2016: OutstandingStatement201602111650.js - Current Virus total detections 0/54*
MALWR** shows a download of Dridex banking malware from
http ://aforbescompany .com/09u8h76f/65fg67n which once again is a text file that the javascript saves to & renames to %Temp%\sREKjVas.scr or another random named file (VirusTotal 2/55***)
Other download locations so far discovered include: http ://gp-training .net/09u8h76f/65fg67n ... This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1455183429/
** https://malwr.com/an...DUxMmJmODY2MWQ/
69.89.31.158
87.229.86.20
184.25.56.44
*** https://www.virustot...sis/1455183938/
TCP connections
87.229.86.20: https://www.virustot...20/information/
88.221.14.11: https://www.virustot...11/information/
- http://blog.dynamoo....id-invoice.html
11 Feb 2016 - "This spam does not come from Wavenet Group but is instead a simple -forgery- with a malicious attachment:
From payments [payments@ wavenetuk .com]
Date Thu, 11 Feb 2016 15:14:59 +0530
Subject INT242343 Unpaid Invoice - Your Services May Be Suspended
PLEASE NOTE: THIS IS A NO REPLY EMAIL ACCOUNT
Dear Customer
Please find attached to this email your statement
You can view the invoices listed on our e-billing site at www .netbills .co.uk
If you have any queries regarding use of the e-billing site or this statement please
call us on 08444 12 7777.
Accounts Department
Wavenet Group
Incorporating - Titan Technology, Centralcom and S1 Network Services
Tel 08444127777 ...
I have only seen a single sample of this with an attachment OutstandingStatement201602111650.js which has a VirusTotal detection rate of 0/53*. The Malwr analysis shows that this script downloads an executable from:
gp-training .net/09u8h76f/65fg67n
There are probably a few other download locations. This binary has a detection rate of 2/54**. The Malwr report also indicates that it phones home to:
87.229.86.20 (ZNET Telekom Zrt, Hungary)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
* https://www.virustot...sis/1455185997/
** https://www.virustot...sis/1455186992/
TCP connections
87.229.86.20: https://www.virustot...20/information/
88.221.14.11: https://www.virustot...11/information/
___
Fake 'Confirmation' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
11 Feb 2016 - "An email with the subject of 'Confirmation' pretending to come from sales@ writeonltd .co.uk with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecur...td-1024x775.png
11 February 2016: Sales_Order_Confirmation__Priced_SORD00137058.doc - Current Virus total detections 5/55*
MALWR** is once again showing an attempted download from
http ://maraf0n.vv .si/09u8h76f/65fg67n which is giving a 404 not found and diverts to a Russian hosting company's home page... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455188335/
** https://malwr.com/an...mUxY2EzODVlMzE/
31.170.164.132: https://www.virustot...32/information/
31.170.160.60: https://www.virustot...60/information/
___
Fake 'Office Direct' SPAM - doc malware
- http://myonlinesecur...rd-doc-malware/
11 Feb 2016 - "An email with the subject of 'UK Office Direct A/C OD04450155' pretending to come from office@ ukofficedirect .co.uk with a malicious word doc attachment is another one from the current bot runs...
Screenshot: http://myonlinesecur...55-1024x767.png
11 February 2016: Invoice_INV8000288979.doc - Current Virus total detections 5/54*
MALWR** shows an attempted download from http ://maraf0n.vv .si/09u8h76f/65fg67n but, like all the others this morning, it is giving a 404 and redirects to a Russian hosting company's home page... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455187463/
** https://malwr.com/an...2ExMDM3MmUzZGE/
31.170.164.132: https://www.virustot...32/information/
31.170.160.60: https://www.virustot...60/information/
___
Fake 'Scan' SPAM - malicious attachment
- http://blog.dynamoo....650-please.html
11 Feb 2016 - "This -fake- document -scan- leads to malware. It appears to originate from within the victim's own domain, but it is just a simple forgery.
From: scanner@ victimdomain .tld
Date: 11 February 2016 at 10:24
Subject: Scan from KM1650
Please find attached your recent scan
Attached is a file =SCAN7318_000.DOC which seems to come in several different varieties (sample VirusTotal results [1]..). The Malwr reports [4].. indicate that the macro in the document downloads a malicious executable from:
maraf0n.vv .si/09u8h76f/65fg67n
www .sum-electronics .co.jp/09u8h76f/65fg67n
The dropped executable has a detection rate of 2/54*. As with this earlier spam run** it phones home to:
87.229.86.20 (ZNET Telekom Zrt, Hungary)
-Block- traffic to that IP. The payload is the Dridex banking trojan."
1] https://www.virustot...sis/1455191710/
4] https://malwr.com/an...zAzZDg0YWIxMWY/
* https://www.virustot...sis/1455192649/
TCP connections
87.229.86.20: https://www.virustot...20/information/
>> https://www.virustot...923cb/analysis/
88.221.14.11: https://www.virustot...11/information/
** http://blog.dynamoo....id-invoice.html
___
Fake 'Sage Pay Invoice' SPAM - xls malware
- http://myonlinesecur...dsheet-malware/
11 Feb 2016 - "An email with the subject of 'Your Sage Pay Invoice INV00318132' pretending to come from Sagepay EU <accounts@ sagepay .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Sagepay EU <accounts@ sagepay .com>
Date: Thu 11/02/2016 13:01
Subject: Your Sage Pay Invoice INV00318132
Attachment: INV00318132_V0072048_12312014.xls
Please find attached your invoice.
We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones. You should have already received an email that outlined the changes, however if you have any questions please contact ...
11 February 2016: INV00318132_V0072048_12312014.xls - Current Virus total detections 4/54*
MALWR** shows a download of Dridex banking malware from
http ://www .phraseculte .fr/09u8h76f/65fg67n (VirusTotal 3/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1455199262/
** https://malwr.com/an...2MyNjE0ODA2ZmY/
46.21.207.156
84.38.67.231
13.107.4.50
*** https://www.virustot...sis/1455198516/
TCP connections
84.38.67.231: https://www.virustot...31/information/
>> https://www.virustot...af65b/analysis/
104.86.111.136: https://www.virustot...36/information/
- http://blog.dynamoo....ay-invoice.html
11 Feb 2016 - "... a simple -forgery- with a malicious attachment... Attached is a file INV00318132_V0072048_12312014.xls which appears to come in a wide variety of different versions (at least -11-). The VirusTotal detection rate for a subset of these is 6/54[1]... Only a single Malwr report* seemed to work, indicating the macro downloading from:
www .phraseculte .fr/09u8h76f/65fg67n
This dropped executable has a detection rate of 3/54**. The Malwr report shows it phoning home to:
84.38.67.231 (ispOne business GmbH, Germany)
I strongly recommend that you -block- traffic to that IP. The payload is the Dridex banking trojan."
1] https://www.virustot...023ee/analysis/
* https://malwr.com/an...2MyNjE0ODA2ZmY/
46.21.207.156
84.38.67.231
13.107.4.50
** https://www.virustot...sis/1455203414/
TCP connections
84.38.67.231: https://www.virustot...31/information/
>> https://www.virustot...af65b/analysis/
104.86.111.136: https://www.virustot...36/information/
___
We might use your 'IoT stuff' to spy on you ...
- https://nakedsecurit...-james-clapper/
Feb 11, 2016 - "... think that it could be 'Big Brother' doing the eyeballing, be it through your internet-connected fridge, your toothbrush, or your TV... the Internet of Things, or IoT: that collection of connected gadgets that have plenty of 'neat-o!' factor but which, all too often, are pockmarked with security holes:
> https://nakedsecurit...ant-to-get-off/
... IoT refers to a whole class of day-to-day 'things' that are now being offered with built-in network connectivity. These everyday objects can directly hook into the internet, all on their own, rather than needing to first be plugged into a computer connected to the internet. The emergence of the IoT has been accompanied by a torrent of stories about security researchers and malicious hackers breaking into all manner of objects... We’ve seen issues with connected kettles, TVs, lightbulbs, thermostats, refrigerators and baby monitors that have all been designed without adherence to the information security principle of least privilege:
> https://en.wikipedia...least_privilege
But one person’s security hole is another person’s opportunity. To intelligence agencies, IoT devices could illuminate an environment that they claim is 'going dark' due to new forms of encryption being used in consumer products and services... Wired* quoted remarks he made at a summit for In-Q-Tel, the CIA’s venture capital firm:
'Transformational' is an overused word, but I do believe it properly applies to these technologies, particularly to their effect on clandestine tradecraft' ..."
* http://www.wired.com...aeus-tv-remote/
___
Malware Found in 3rd Party App Stores
- http://blog.trendmic...rty-app-stores/
Feb 10, 2016 - "... Because some users have concerns with the app giant Google Play, they choose to download apps from third-party stores. For instance, there are no region locks for apps in some third-party app stores. Some developers of paid apps even partner with third-party app stores with purchase capability to give those who download from the partnered store considerable discounts. Third-party app stores can also be the preferred store due to their popularity in a specific region. Android users have to keep in mind that installing apps from these third-party app stores requires users to allow the installation from 'unknown sources'. Malicious apps have a history of popping up from these third-party websites, a reason why it is often recommended that Android users -must- stick to Google Play. Because of Google’s security measures, we believe it is the safest platform for downloading apps. It is worth noting, however, that third-party app stores are implementing means to tighten their security. Malicious apps were recently seen making the rounds in some third-party app stores. They spoof popular apps, increasing the chances of getting selected and downloaded. These include popular mobile games, mobile security apps, camera apps, music streaming apps, and so on. They even share the exact same package and certification with their Google Play counterpart... However, the malware only downloads and installs other apps -without- the user’s knowledge. These secretly downloaded apps will then present themselves as ads luring users into downloading other apps from time to time. It can also be used to collect user data and forward them to the attacker. Based on the data from our Trend Micro Mobile App Reputation Service, there are -1,163- malicious APKs detected as ANDROIDOS_ LIBSKIN.A.
In addition, between January 29 and February 1, malicious apps detected as this malware have been downloaded in -169- countries and can be found in -four- third party app stores, namely Aptoide, Mobogenie, mobile9, and 9apps. We have already contacted these stores and informed them about these threats, but as of this writing, we have yet to receive any confirmation from their end...
> https://blog.trendmi...ous-apps-01.png
... The popups lure users into clicking-unwanted-apps. Clicking-on-the-ads may not necessarily lead the user to the respective app or site. Other than that, ANDROIDOS_ LIBSKIN.A can also collect users’ data and send them back to a remote malicious user. This includes data about the user’s phone, subscription IDs, device ID, language, network type, apps running, network name, and so on... we do warn users to approach downloading apps with caution. One option that users may do to avoid downloading fake apps is to download the app from the developer’s website. They may also check the -reputation- of the store before downloading anything..."
Edited by AplusWebMaster, 11 February 2016 - 03:27 PM.
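Added triage example, not code from any of the posts quoted above: it applies the indicators the Dridex write-ups above have in common (the /09u8h76f/65fg67n download path reused on every host, the two phone-home IPs, and the .js/.scr attachment trick behind a document icon) to a constructed proxy log. The sample log lines, the intranet.example and unseen-host.example hosts and all function names are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Indicators taken from the 11 Feb 2016 write-ups quoted above.
CAMPAIGN_PATH = "/09u8h76f/65fg67n"         # same URI path on every download host
C2_IPS = {"87.229.86.20", "84.38.67.231"}   # phone-home addresses named in the posts
DOWNLOAD_HOSTS = {"aforbescompany.com", "gp-training.net", "maraf0n.vv.si",
                  "www.sum-electronics.co.jp", "www.phraseculte.fr"}
RISKY_EXT = re.compile(r"\.(js|scr|exe)$", re.I)  # .scr is what the JS renames its payload to

# Constructed sample proxy log (not from the posts): time client method target status
SAMPLE_PROXY_LOG = """\
2016-02-11T09:02:11Z 10.0.0.21 GET http://aforbescompany.com/09u8h76f/65fg67n 200
2016-02-11T09:02:15Z 10.0.0.21 CONNECT 87.229.86.20:443 200
2016-02-11T09:05:40Z 10.0.0.33 GET http://intranet.example/index.html 200
2016-02-11T09:07:02Z 10.0.0.45 GET http://unseen-host.example/09u8h76f/65fg67n 404
"""

def classify_request(target: str) -> Optional[str]:
    """Return why a proxied request is suspicious, or None if it matches nothing."""
    parsed = urlparse(target if "://" in target else "http://" + target)
    host = parsed.hostname or ""
    if host in C2_IPS:
        return "Dridex C2 phone-home to " + host
    if parsed.path == CAMPAIGN_PATH:
        # One path is reused across many compromised hosts in these runs, so a
        # hit on a host that is not yet listed is still worth an alert.
        known = "listed" if host in DOWNLOAD_HOSTS else "unlisted"
        return "Dridex download path on %s host %s" % (known, host)
    return None

def triage_proxy_log(log_text: str) -> List[Tuple[str, str]]:
    """Collect (client, reason) for every log line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                        # blank or malformed line
        reason = classify_request(fields[3])
        if reason:
            hits.append((fields[1], reason))
    return hits

def risky_attachment(filename: str) -> bool:
    """Flag script/executable attachments, including double-extension names such as
    'Statement.doc.scr' that show a document icon when known extensions are hidden."""
    return bool(RISKY_EXT.search(filename.strip()))
```

The path check fires even on a host not yet in the list, which is the point of keying on the shared path rather than on domains alone.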