FYI...
Fake 'info' SPAM - JS malware downloads Locky
- https://myonlinesecu...ownloads-locky/
4 May 2016 - "A -blank- email with the subject of 'info' pretending to come from asisianu@ pauleycreative .co.uk with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: asisianu@ pauleycreative .co.uk
Date: Wed 04/05/2016 14:20
Subject: info
Attachment: info.zip
Body content: Totally blank/empty
4 May 2016: info.zip: Extracts to: document_copy.js - Current Virus total detections 5/57*
.. MALWR** shows a download of Locky ransomware from
http ://tasox .eu/v/log.php?f=403 (VirusTotal 5/57***). I was unable to get any malware myself direct from the website. The downloaded malware came from MALWR.
Update: It looks like this is actually part of the recent Angler kit malspam campaign, where the gate link is malspammed out. Then it -redirects- via an -iframe- to another site then bounces on the Angler site, where it downloads Locky or whichever other Malware/Trojan/Ransomware it wants to infect you or compromise you with... This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1462350988/
** https://malwr.com/an...GM4YWVmODEyMGU/
Hosts
212.47.208.164: https://www.virustot...64/information/
>> https://www.virustot...afe12/analysis/
138.201.95.72: https://www.virustot...72/information/
*** https://www.virustot...sis/1462351541/
TCP connections
31.184.197.126: https://www.virustot...26/information/
___
Fake 'scan10001' SPAM - JS malware delivers Locky
- https://myonlinesecu...livers-locky-b/
4 May 2016 - "An email with the subject of 'Emailing: scan10001' pretending to come from Ahmed Al-Zamil <ahmed.al-zamil@ torathuna .com> with a zip attachment is another one from the current bot runs which downloads Locky ransomware... One of the emails looks like:
From: Ahmed Al-Zamil <ahmed.al-zamil@ torathuna .com>
Date: Wed 04/05/2016 12:16
Subject: Emailing: scan10001
Attachment: scan10001.rar
Your message is ready to be sent with the following file or link
attachments:
scan10001
Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments. Check your e-mail
security settings to determine how attachments are handled.
4 May 2016: scan10001.rar: Extracts to: 2016-80506_2016052.js - Current Virus total detections 23/56*
... downloads Locky ransomware from
kochgruppe-franken .de/09u87tgy (VirusTotal 3/56**) which is exactly the -same- Locky version as described in THIS earlier post[1], so they will be using the same download locations in both campaigns... This is another one of the spoofed icon files that unless you have "show known file extensions" enabled, will look like a DOC or other normal file instead of the .exe/JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441173827/
** https://www.virustot...sis/1462360492/
[1] https://myonlinesecu...-macro-malware/
kochgruppe-franken .de: 81.169.145.160: https://www.virustot...60/information/
>> https://www.virustot...2388d/analysis/
___
Fake 'transaction history' SPAM - JS malware downloads Locky
- https://myonlinesecu...-it-js-malware/
4 May 2016 - "An email with the subject of 'RE: ' pretending to come from random names & email addresses with a zip attachment is another one from the current bot runs which downloads Locky ransomware... has a massive 525kb js file inside the zip. The zip actually contains 3 identical copies of the same file... One of the emails looks like:
From: Zackary Ramsey <RamseyZackary1901@ anno1911 .nl>
Date: Wed 04/05/2016 16:21
Subject: Re:
Attachment: transactions_632.zip
Hi, beavers
Your balance and recent transaction history is attached to this mail. Please verify it
Regards,
Zackary Ramsey
4 May 2016: transactions_632.zip: Extracts to: 51434_51434.js - Current Virus total detections 1/56*
.. MALWR** shows a download of Locky ransomware from
http ://richmondsofa .com/v6yhsa (VirusTotal 5/56***).. The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1462376280/
** https://malwr.com/an...zE3Zjc1ZDU1Yjg/
Hosts
46.30.212.96: https://www.virustot...96/information/
>> https://www.virustot...d3183/analysis/
185.22.67.108: https://www.virustot...08/information/
*** https://www.virustot...sis/1462376825/
TCP connections
185.22.67.108
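All three campaigns above share one delivery pattern: a zip attachment whose real payload is a .js file, relying on Explorer hiding the final extension. The check below is an added example, not code from this post or from myonlinesecurity; it inspects a zip attachment in memory and flags script/executable members, double extensions, and identical duplicate members (as in the three-copy 'transactions' zip). The attachment contents are constructed stand-ins, not real captures.

```python
import hashlib
import io
import zipfile

# Extensions Windows runs on double-click; Explorer hides the last extension
# by default, so "invoice.doc.js" is shown to the user as "invoice.doc".
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".exe",
                     ".scr", ".hta", ".cmd", ".bat"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Return a verdict for an e-mail zip attachment held in memory."""
    findings = []
    digests = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1]
            parts = basename.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in SCRIPT_EXTENSIONS:
                # More than one dot before a script extension = spoofed name.
                reason = "double_extension" if len(parts) > 2 else "script_or_executable"
                findings.append((info.filename, reason))
            # Group members by content hash to spot padded duplicate copies.
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            digests.setdefault(digest, []).append(info.filename)
    duplicate_sets = [names for names in digests.values() if len(names) > 1]
    return {"block": bool(findings), "findings": findings,
            "duplicate_sets": duplicate_sets}


def build_zip(members: dict) -> bytes:
    """Build a constructed sample attachment (hypothetical helper, not a capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    body = b"// constructed placeholder script body"
    sample = build_zip({"a/51434_51434.js": body,
                        "b/51434_51434.js": body,
                        "c/51434_51434.js": body})
    print(inspect_zip_attachment(sample))
```

A mail gateway rule built on this would quarantine the message when `block` is true rather than relying on the user noticing the extension.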
___
CBS-affiliated TV Stations expose Visitors to Angler EK / Malvertising
- https://blog.malware...er-exploit-kit/
May 4, 2016 - "A rogue advertiser managed to subvert the Taggify self-serve ad platform to push the Angler exploit kit to unsuspecting visitors of two CBS affiliated TV stations: one in St. Louis called KMOV, and the other, WBTV, located in Charlotte, North Carolina. This malvertising attack leveraged a familiar technique of -hijacking- GoDaddy accounts to create various subdomains pointing to malicious servers. These are used to host the ad content (JavaScript, image, etc.) but also to hide malicious code and alternate between clean and infected adverts depending on multiple factors (time of day, user agent, IP blacklist, etc). While the main malvertising domain was actually parked (its name was registered but there is no relevant content) the subdomain is happily hosting an ad banner:
> https://blog.malware...n_subdomain.png
Web crawlers and scanners will be served the ‘normal’ ad banner, genuine users will be handed an extraneous iframe, -redirecting- to the infamous Angler exploit kit:
> https://blog.malware...016/05/Flow.png
Attack flow:
Publisher: kmov .com
Ad platform: data.rtbfy .com/rtb2?{redacted}
Rogue advertiser: som.barkisdesign .com/creatives/tag.js?cp=309505341&domain=kmov .com
Angler EK: parkwateavereverende .fredricholmgren .se/sinuously/0679/31/74/283325.html?utm_source=kmov .com
The Angler exploit kit has been known to actively push its own version of ransomware, dubbed CryptXXX as well as other types of malware via the Bedep Trojan. The best line of defense against malvertising and ransomware attacks remains a combination of safe practices (regular updates, backups) and layered protection (Anti-Malware, Anti-Exploit). We have informed the ad platform, publisher and GoDaddy about this attack which was still ongoing at the time of posting."
IOCs:
som .barkisdesign .com
199.255.137.197: https://www.virustot...97/information/
parkwateavereverende .fredricholmgren .se: 46.30.212.217:
- https://www.virustot...17/information/
>> https://www.virustot...03d5a/analysis/
___
Big data breaches found at major Email services
- http://www.reuters.c...s-idUSKCN0XV1I6
May 4, 2016 - "Hundreds of millions of -hacked- usernames and passwords for email accounts and other websites are being traded in Russia's criminal underworld, a security expert told Reuters. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru (MAILRq.L), Russia's most popular email service, and smaller fractions of Google (GOOGL.O), Yahoo (YHOO.O) and Microsoft (MSFT.O) email users, said Alex Holden, founder and chief information security officer of Hold Security*. It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago.
Holden was previously instrumental in uncovering some of the world's biggest known data breaches, affecting tens of millions of users at Adobe Systems (ADBE.O), JPMorgan (JPM.N) and Target (TGT.N) and exposing them to subsequent cyber crimes. The latest discovery came after Hold Security researchers found a young Russian hacker bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials that ended up totaling 1.17 billion records. After eliminating duplicates, Holden said, the cache contained nearly 57 million Mail.ru accounts - a big chunk of the 64 million monthly active email users Mail.ru said it had at the end of last year. It also included tens of millions of credentials for the world's three big email providers, Gmail, Microsoft and Yahoo, plus hundreds of thousands of accounts at German and Chinese email providers..."
* http://holdsecurity....llector_breach/
> http://arstechnica.c...ta-is-98-bogus/
May 6, 2016
Edited by AplusWebMaster, 08 May 2016 - 09:55 AM.