FYI...
Fake 'Attached Doc' SPAM - Locky ransomware
- http://blog.dynamoo....c-attached.html
29 Apr 2016 - "This -fake- document scan email appears to come from within the victim's own domain, but it doesn't. Instead it is a simple -forgery- with a malicious attachment. Example subjects include:
Attached Doc
Attached Image
Attached Document
Attached File
Example senders:
epson@ victimdomain .tld
scanner@ victimdomain .tld
xerox@ victimdomain .tld
There is no body text. Attached is a ZIP file with the recipient's email address forming part of the name plus a couple of random numbers. These ZIP files contain a variety of -malicious- scripts, the ones that I have seen download a binary from:
emcartaz .net.br/08j78h65e
kizilirmakdeltasi .net/08j78h65e
easytravelvault .com/08j78h65e
64.207.144.148 /08j78h65e
cdn.cs2.pushthetraffic .com/08j78h65e
The VirusTotal detection rate for the dropped binary is 3/55*. That VirusTotal report and this Hybrid Analysis** show subsequent traffic to:
giotuipo .at/api/
giotuipo .at/files/dDjk3e.exe
giotuipo .at/files/VTXhFO.exe
The payload is Locky ransomware. This is hosted on what appears to be a bad server at:
134.249.238.140 (Kyivstar GSM, Ukraine)
Kyivstar is a GSM network, something hosted on this IP is usually a sure sign of a botnet. A lookup of the giotuipo .at domain shows that it is multihomed on many IPs:
109.194.247.26 (ER-Telecom Holding, Russia)
95.189.128.70 (Sibirtelecom, Russia)
79.119.196.161 (RCS & RDS Business, Romania)
5.248.229.186 (Lanet Network Ltd, Ukraine)
188.230.17.38 (Airbites, Ukraine)
134.249.238.140 (Kyivstar, Ukraine)
5.58.29.200 (Lanet Network Ltd, Ukraine)
212.3.103.225 (Apex, Ukraine)
93.95.187.243 (Triolan, Ukraine)
178.151.243.153 (Triolan, Ukraine)
These IPs are likely to be highly dynamic, so blocking them may or may not work. If you want to try, here is a recommended blocklist: [the same ten IPs listed above]"
* https://www.virustot...sis/1461917718/
** https://www.hybrid-a...environmentId=4
- https://myonlinesecu...livering-locky/
29 Apr 2016 - "... another set of emails with -blank- empty bodies pretending to come from scanner@, copier@, epson@, canon@, hp@ and any other copier/printer/scanner/MFD at your-own-domain with one of these subjects 'Attached Doc / Attached File / Attached Image / Attached Document' with a zip attachment is another one trying to download Locky ransomware and other malware files... your email domain is -not- sending these emails. You have -not- been hacked. One of the emails looks like:
From: epson@ thespykiller .co.uk
Date: Fri 29/04/2016 09:15
Subject: Attached Document
Attachment: submit@ thespykiller .co.uk_62693_220554.zip
Body content: Totally blank/empty
29 April 2016: submit@ thespykiller .co.uk_62693_220554.zip : Extracts to: 85006886_575150306.js
Current Virus total detections 4/57*. Payload Security** shows a download of -3- files from
giotuipo .at/files/VTXhFO.exe (VirusTotal 1/56***) and giotuipo .at/files/dDjk3e.exe (VirusTotal 1/56 [4]) and
limaoagencia .com.br/08j78h65e (VirusTotal 1/56 [5]). Payload Security [6] shows this is definitely rockloader, which normally downloads Locky ransomware. The first 2 files, although they appear to be .exe files, are actually encrypted data that the rockloader uses to perform various tasks. The payload security report indicates that these might be necurs / fareit / pony related... This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1461917777/
** https://www.reverse....environmentId=4
*** https://www.virustot...sis/1461918182/
[4] https://www.virustot...sis/1461918177/
[5] https://www.virustot...sis/1461918177/
[6] https://www.reverse....environmentId=4
Contacted Hosts
109.235.139.64
134.249.238.140
51.254.240.60
185.130.7.22
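Both reports above describe the same set of traits for this run: a device-style sender (epson@, scanner@, xerox@, copier@...) forged at the recipient's own domain, one of the four "Attached ..." subjects, a blank body, and a ZIP named after the recipient address plus two numbers that unpacks to a .js script. The triage rule below is an added Python example written for this page, not code from either blog; the message it builds is a constructed sample modelled on the quoted headers (example.com standing in for the real domain), and the .js inside its zip is a placeholder, not the real script.

```python
import email.policy
import email.utils
import io
import re
import zipfile
from email.message import EmailMessage

# Traits of the "Attached Doc" run as described in the quoted reports.
SUBJECTS = {"attached doc", "attached image", "attached document", "attached file"}
DEVICE_SENDERS = {"epson", "scanner", "xerox", "copier", "canon", "hp"}
ZIP_NAME = re.compile(r"^(?P<rcpt>.+@[^_]+)_\d+_\d+\.zip$", re.I)  # <rcpt>_<n>_<n>.zip

def triage(raw_bytes):
    """Return the campaign traits found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    hits = []
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    rcpt = email.utils.parseaddr(msg.get("To", ""))[1].lower()
    s_local, _, s_domain = sender.partition("@")
    if s_local in DEVICE_SENDERS and s_domain and s_domain == rcpt.partition("@")[2]:
        hits.append("device-style sender spoofing the recipient's own domain")
    if msg.get("Subject", "").strip().lower() in SUBJECTS:
        hits.append("known campaign subject")
    body = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/plain" and not p.is_attachment())
    if not body.strip():
        hits.append("empty body")
    for part in msg.iter_attachments():
        m = ZIP_NAME.match(part.get_filename() or "")
        if m and m.group("rcpt").lower() == rcpt:
            hits.append("zip named after the recipient address")
        try:  # look inside the archive for the script the reports describe
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as z:
                if any(n.lower().endswith(".js") for n in z.namelist()):
                    hits.append("zip contains a .js script")
        except zipfile.BadZipFile:
            pass  # not a zip (or corrupt); nothing more to say about it
    return hits

def build_sample(sender="epson@example.com", subject="Attached Document", body=""):
    """Constructed sample modelled on the quoted reports; not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("85006886_575150306.js", "// placeholder, not the real script\n")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "submit@example.com", subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="submit@example.com_62693_220554.zip")
    return msg.as_bytes()
```

A message that scores all five traits is a strong match for this run; a legitimate scan-to-email from a real MFD will normally fail the spoofed-domain, subject and .js checks.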
___
Fake 'Unpaid Invoice' SPAM - Locky ransomware
- http://blog.dynamoo....der-unpaid.html
29 Apr 2016 - "This -fake- financial spam leads to malware:
From: Janis Faulkner [FaulknerJanis8359@ ono .com]
Date: 29 April 2016 at 11:13
Subject: Second Reminder - Unpaid Invoice
We wrote to you recently reminding you of the outstanding amount of $8212.88 for Invoice number #304667, but it appears to remain unpaid.
For details please check invoice attached to this mail
Regards,
Janis Faulkner
Chief Executive Officer - Food Packaging Company
Attached is a ZIP file with a name similar to unpaid_invoice551.zip which contains a randomly-named script. Oddly, most of the script appears to be text copy-and-pasted from the Avira website:
> https://4.bp.blogspo...avira-blurb.png
The scripts I have seen download slightly different binaries from the following locations:
cafeaparis .eu/f7yhsad
amatic .in/hdy3ss
zona-sezona .com.ua/hj1lsp
avcilarinpazari .com/u7udssd
VirusTotal detection rates are in the range of 8/56 to 10/56 [1] [2].... In addition to those reports, various automated analyses [5] [6]... show that this is Locky ransomware phoning home to:
91.234.32.19 (FOP Sedinkin Olexandr Valeriyovuch / thehost.ua, Ukraine)
83.217.8.155 (Park-web Ltd, Russia)
31.41.44.246 (Relink Ltd, Russia)
89.108.84.155 (Agava Ltd, Russia)
51.254.240.60 (Relink, Russia / OVH, France)
I -strongly- recommend that you block traffic to: [the five IPs listed above]"
[1] https://www.virustot...59792/analysis/
[2] https://www.virustot...sis/1461925401/
[5] https://www.hybrid-a...environmentId=1
[6] https://sandbox.deep...bbddda6f34a980/
- https://myonlinesecu...vira-antivirus/
29 Apr 2016 - "... An email with the subject of 'Second Reminder – Unpaid Invoice' pretending to come from the usual random senders with a zip attachment...
NOTE: although all copies I have seen so far of this particular email have only had the innocent Avira details, it is highly possible that some files will contain genuine malware. Do-not-open the JS file... You will be infected.
Update: Dynamoo* has seen some copies that do also contain the malware payload - I have also now received a couple with javascript hidden amongst the mass of repeated-Avira-blurb that will deliver Locky ransomware... This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* http://blog.dynamoo....der-unpaid.html
29 Apr 2016
___
Fake 'hi prnt' SPAM - JS malware delivers Locky
- https://myonlinesecu...delivers-locky/
29 Apr 2016 - "Another -blank- email with the subject of 'hi prnt' with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: your-own-email-address
Date:
Subject: hi prnt
Attachment: 1708279_830428394.zip
Body content: Completely empty/blank
28 April 2016: 1708279_830428394.zip : Extracts to: 24614230_356663117.js - Current Virus total detections 3/57*
.. Manual analysis shows a download of Locky Ransomware from
gridandgreen .co.th/08j78h65e (VirusTotal **)... This is another one of the spoofed icon files that, unless you have "show known file extensions" enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1461947772/
** https://www.virustot...sis/1461946616/
gridandgreen .co.th: 119.59.120.4: https://www.virustot....4/information/
>> https://www.virustot...090b9/analysis/
___
New release of PCI DSS v3.2 is available
- https://isc.sans.edu...l?storyid=21003
2016-04-29 - "A new version of the standard was released today, version 3.2. There are a number of changes that will affect those that need to comply with the standard, especially for service providers. For service providers struggling to move customers away from SSL and weak TLS there is some good news. The deadline for this requirement has been moved to June 30 2018. Service providers will however be required to have a secure environment (i.e. accepting TLS v1.2 or v1.1) by June 30 2016 (yes, two months). This shouldn't be too onerous as most service providers will already have this in place. There are a few new requirements in the standard. The majority of these only apply to service providers and relate to ensuring that processes are followed throughout the year rather than a once a year effort. They are 'best practice' until 1 February 2018, after which they -must- be in place. A number of these are also quarterly requirements. They include:
• 3.5.1 – Maintain a documented description of the cryptographic architecture.
• 11.3.4.1 – If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.
• 12.4 – Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program.
• 12.11 – Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures.
The other big change affecting everyone relates to multi factor authentication for administration of the Cardholder Data Environment (CDE). Currently this requirement is only needed when remote access is used to access the CDE. This requirement has now been extended to include ALL administrative access of the CDE. This means that you will need to roll out some form of multi factor authentication for all administrative access to the environment. Other changes in the standard are generally clarifications..."
___
Locky Ransomware Spreads via Flash and Windows Kernel Exploits
- http://blog.trendmic...ernel-exploits/
Apr 28, 2016 - "In early April of this year a zero-day exploit (designated as CVE-2016-1019) was found in Adobe Flash Player. This particular flaw was soon used by the Magnitude Exploit Kit, which led to an Adobe out-of-cycle patch*. This flaw was being used to lead to drive-by download attacks with Locky ransomware as the payload... We recently saw a new -variant- of this attack that added an unusual twist. On top of the Flash exploit, an old escalation of privileges exploit in Windows (CVE-2015-1701) was used to bypass sandbox technologies... The network traffic was consistent with the use of a CVE-2016-1019 exploit. Meanwhile, the downloader used an unusual kernel exploit. It connected to a command-and-control (C&C) server located at 202[.]102[.]110[.]204:80 and installed the Locky ransomware. To do this, it would use several kernel-level system mechanisms: work items, system threads, and asynchronous procedure calls (APC). These do-not-require any files to be created, and allow the malware to be installed onto the system -without- detection. The downloader also hides its malicious behavior at runtime and compromises svchost.exe, the system process used by Windows to host various services. It also checks the version of Windows in use and the date when the vulnerable file (win32k.sys) was modified before attempting the exploit; this may be done to reduce the risk of detection. The exploit may have been used to avoid detection, particularly those using sandboxing technology. In addition, the cloaking behavior based on this kernel exploit adds complexity and makes analysis and sandbox detection more difficult. A code branch found during analysis suggests different kernel exploits may be used for later versions of Windows... We strongly advise users to update their systems with the latest version of Adobe Flash Player*. Keeping software up-to-date is another means of securing your system against exploit attacks. 
It is also best to always back up your data and avoid paying any ransom as this -doesn't- guarantee that you will get your files back..."
* https://helpx.adobe..../apsb16-10.html
> https://web.nvd.nist...d=CVE-2016-1019
Last revised: 04/11/2016 - "... as exploited in the wild in April 2016"
Impact Subscore: 10.0
> https://web.nvd.nist...d=CVE-2015-1701
Last revised: 04/01/2016 - "... as exploited in the wild in April 2015"
Impact Subscore: 10.0
202.102.110.204: https://www.virustot...04/information/
>> https://www.virustot...82dc2/analysis/
Edited by AplusWebMaster, 29 April 2016 - 01:40 PM.