
SPAM frauds, fakes, and other MALWARE deliveries...



#1741 AplusWebMaster
  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 18 June 2016 - 07:22 AM

FYI...

'Credit/Debit Card temporarily disabled' – PHISH
- https://myonlinesecu...-card-phishing/
18 June 2016 - "There are a few major common subjects in a phishing attempt. Lots of them are either PayPal, your Bank or your Credit Card, with a message saying something like:
    Urgent: Your card has been stopped !
    There have been unauthorised or suspicious attempts to log in to your account, please verify
    Your account has exceeded its limit and needs to be verified
    Your account will be suspended !
    You have received a secure message from < your bank>
    We are unable to verify your account information
    Update Personal Information
    Urgent Account Review Notification
    We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address
    Confirmation of Order
    We have temporarily disabled your Credit/Debit Card


The original email looks like this. It will NEVER be a genuine email from PayPal, your Bank or credit card so don’t ever follow the links or fill in the html (webpage) form that comes attached to the email. Note the bad spelling of norepply and the VLSA .COM that is supposed to say visa .com (using lookalike domains is a common trick that phishers use). The English Grammar in the email is just not quite right, suggesting that this was created by somebody who doesn’t have English as their primary language...

Screenshot: https://myonlinesecu...rd-1024x700.png

This particular phishing campaign starts with an email-with-a-link. The link in this case goes to http ://adistancia.favaloro .edu.ar/themes/landingPage.html where you are invited to enter the case ID from the email:
> https://myonlinesecu..._1-1024x811.png
Without the ID number, you just get an error message:
> https://myonlinesecu...sa_phish_1a.png
If you enter the correct ID you get:
> https://myonlinesecu..._2-1024x760.png
... Which is a typical phishing page that looks very similar to a genuine visa page, if you don’t look carefully at the URL in the browser address bar. This one wants your personal details, Your SSN (US Social Security Number), your credit card and bank details. Many of them are also designed to specifically steal your email, facebook and other social network login details..."

adistancia.favaloro .edu.ar: 190.12.101.227: https://www.virustot...27/information/
>> https://www.virustot...11c78/analysis/
 

:ph34r: :ph34r:   <_<


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1742 AplusWebMaster

Posted 20 June 2016 - 05:47 AM

FYI...

Fake 'Apple ID' SPAM / Phish
- https://myonlinesecu...asons-phishing/
20 June 2016 - "... Apple phishing attempt... 300 copies in the last couple of hours. The subject is one we see regularly 'Your Apple ID has been disabled for security reasons!'... several copies where all the body content is in the subject line & nothing in the body:
From: Apple <apples@ applestuffs .com>
Date: Mon 20/06/2016 11:12
Subject: Your Apple ID has been disabled for security reasons!

Attachment: None

Screenshot: https://myonlinesecu...ns-1024x693.png

The link behind the verify now goes to http ://interwurlitzer .com/write/it.html which -redirects- to http ://flyingstart .ca/science/disabled/apple/index.php neither of which looks even vaguely like any Apple site so shouldn’t fool anybody... some careless users will click through, not look at the URL in the browser and give all their details:
> https://myonlinesecu...sh-1024x596.png
If you are careless enough or unwise enough to enter your apple ID & password, you get to this page where they ask for all the personal & financial information:
> https://myonlinesecu...ab-754x1024.png
... Watch for any site that invites you to enter -ANY- personal or financial information. It might be an email that says 'you have won a prize' or 'sign up to this website for discounts, prizes and special offers'..."

interwurlitzer .com: 87.229.45.133: https://www.virustot...33/information/
>> https://www.virustot...c7f5b/analysis/

flyingstart .ca: 67.212.91.221: https://www.virustot...21/information/
>> https://www.virustot...7da44/analysis/
___

Fake 'Swift Payment Notice' SPAM - malicious link
- https://isc.sans.edu...l?storyid=21177
2016-06-20 - "Some of our readers reported spam messages related to the recent Swift case. With all the buzz around this story, it looks legitimate to see more and more attackers using this scenario to entice victims to open malicious files. The mail subject is "Swift Payment Notice, pls check" and contains an image of a receipt embedded in an HTML page... The HTML-link-points to a malicious PE file called "SWIFT COPY.exe" (MD5: 6ccabab506ad6a8f13c6d84b955c3037). The file is downloaded from a compromised WordPress instance and seems to contain a keylogger. Data are sent to onyeoma5050s .ddns .net. The host resolved to 95.140.125.110 but it is not valid anymore (takedown already completed?). Even if PE files should be blocked by most web proxies, the current VT score remains low (6/55*) which still makes it dangerous."
* https://www.virustot...2d794/analysis/
___

Fake Dropbox SPAM - js malware
- https://myonlinesecu...ou-scan001-zip/
20 June 2016 - "... an email with the subject of 'Andrew Lumley sent you Scan001.zip' pretending to come from Andrew Lumley via Dropbox <no-reply@ dropbox .com> with a link to a zip file containing 3 identical JavaScript files...

Screenshot: https://myonlinesecu...ip-1024x715.png

20 June 2016: scan001.zip: Extracts to: scan0001.js - Current Virus total detections 3/56*
.. Payload security** shows a download from 69.20.55.160 :80/Scripts/rex7.exe (VirusTotal 3/56[3]) (Payload Security[4])... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1466428353/

** https://www.reverse....vironmentId=100
Contacted Hosts
69.20.55.160

3] https://www.virustot...sis/1466428353/

4] https://www.reverse....vironmentId=100

69.20.55.160: https://www.virustot...60/information/
>> https://www.virustot...6b8f5/analysis/
___

Fake 'VAT Return' SPAM - macro malware
- https://myonlinesecu...ads-ransomware/
20 June 2016 - "... an email with the subject of 'VAT Return' pretending to come from noreply@ hmrc .gov.uk with a malicious word doc attachment is another one from the current bot runs...

Screenshot: https://myonlinesecu...rn-1024x450.png

20 June 2016: vat030116-0530161.doc - Current Virus total detections 4/55*.
.. Payload Security[2] shows it downloads http ://xbdev .net/hmrc.zip (VirusTotal 4/56**)... it is Sharik which is a password stealer... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1466424536/

2] https://www.reverse....vironmentId=100

** https://www.virustot...sis/1466429914/

xbdev .net: 208.97.176.242: https://www.virustot...42/information/
>> https://www.virustot...d86f8/analysis/
___

Fake 'PO' SPAM - Java malware attachment
- https://myonlinesecu...s-java-malware/
20 June 2016 - "An email pretending to be an order for scarves with the subject of 'Re: PO' pretending to come from Martina O’Shea <Martinashea@ maf .ae> with a Java jar attachment... One of the emails looks like:
From: Martina O’Shea <Martinashea@ maf .ae>
Date: Mon 20/06/2016 11:46
Subject: Re: PO
Attachment: 23456445.jar
    Good morning
    Please find attached an order for some scarves
    for delivery to our warehouse in Churchfield,
    Cork.
    Please confirm all scarves are available and a
    delivery date for same.
    Many thanks.
    Kind regards,
    Manager – Buying Administration Dept
    The Kilkenny Group ...


20 June 2016: 23456445.jar - Current Virus total detections 15/56*
I don’t have Java installed and none of the online analysers ever tell us anything really useful about java files but MALWR** does show several files being dropped or downloaded... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1466389366/

** https://malwr.com/an...TRlYWYwZjU4MzI/
___

JavaScript ransomware
- http://www.trendmicr...nfect-computers
June 16, 2016 - "... ransomware called RAA is composed entirely of JavaScript and has been spreading via email attachments that pretend to be doc files with names like mgJaXnwanxlS_doc_.js. Once the JavaScript is opened, it will encrypt files in the affected machine and demand a ransom amounting roughly to US$250 to get the files. Reportedly, RAA infections display the ransom note in Russian; however, it’s only a matter of time until it’s distributed more widely and localized for other languages. Additionally, the ransomware also infects the victim’s computer by installing Pony, a well-known password-stealing malware embedded in the JavaScript file. This malware can collect browser passwords and other user information from an infected machine, and is usually used by hackers to gather critical information on infected systems. Pony is similar to banking trojans, but its behavior was not manifested in RAA. The RAA ransomware is considered unique because it’s rare to see client-side malware written in web-based languages like JavaScript, which are primarily designed to be interpreted by browsers. Microsoft has previously warned* about a spike in malicious email attachments containing JavaScript files in April 2016. The following month, security researchers alerted about spam emails that deliver and distribute the Locky ransomware via .js attachments. Both Locky and RAA use JavaScript files as malware downloaders — designed to download and install a traditional malware program. With RAA however, the entire ransomware is written in JavaScript..."
* https://blogs.techne...-to-avoid-them/
"... The spam email contains a .zip or .rar file attachment which carries a malicious JavaScript..."

> http://www.bleepingc...ing-javascript/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 20 June 2016 - 12:09 PM.



#1743 AplusWebMaster

Posted 21 June 2016 - 07:40 AM

FYI...

Fake 'Invoice' SPAM - malicious attachment
- https://myonlinesecu...invoice_515002/
21 June 2016 - "An email pretending to be a sage invoice with the subject of 'FW: Invoice_515002' coming from “postmaster@footballplayers19.gq”@ footballplayers19 .gq; on behalf of; Leanna Sage Whitaker <postmaster@footballplayers19 .gq> with a zip attachment... We have been seeing a few emails over the last couple of weeks from the footballplayers*.g* domains. Some pure spam, some phishing and some malware. It looks like a mailing list that must have some vulnerability to allow external users to be sent emails via them. One of the emails looks like:
From: ”postmaster@footballplayers19.gq”@ footballplayers19 .gq; on behalf of; Leanna Sage Whitaker <postmaster@ footballplayers19 .gq>
Date: Tue 21/06/2016 10:05
Subject: FW: Invoice_515002
Attachment:
    Please see attached copy of the original invoice (sage_invoice_131340_711410101502668.pdf).


21 June 2016: sage_invoice_515002_3841674267107.zip: Extracts to: sage_invoice_225224_4233.exe
Current Virus total detections 6/56*.. Payload Security** shows it posts some information to a Ukrainian IP 217.12.199.87... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1466500334/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
217.12.199.87: https://www.virustot...87/information/
___

Fake 'RE:' SPAM - Locky .js attachment
- https://myonlinesecu...-locky-is-back/
21 June 2016 - "It looks like Locky ransomware is back tonight with a series of generic emails pretending to be invoices with the subject of 'RE:' pretending to come from random senders with a zip attachment which downloads what looks suspiciously like Locky Ransomware... None of the auto analysers can effectively decode these encrypted javascripts inside the zips... One of the emails looks like:
From: Titus Sampson <Sampson.FAC43DD@ melhonretail .com>
Date: Tue 21/06/2016 18:16
Subject: RE:
Attachment: wilbarger_invoice_181696.zip
    Dear wilbarger:
    Please find attached our invoice for services rendered and additional disbursements in the above-
    mentioned matter.
    Hoping the above to your satisfaction, we remain.
    Sincerely,
    Titus Sampson
    General Manager


21 June 2016: wilbarger_invoice_181696.zip: Extracts to: addition-546.js - Current Virus total detections 2/56*
.. I am being told one of the sites containing an encrypted Locky binary is easysupport .us/fl85xie ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1466529396/

easysupport .us: 198.58.93.28: https://www.virustot...28/information/
>> https://www.virustot...5d3b2/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 21 June 2016 - 09:44 PM.



#1744 AplusWebMaster

Posted 22 June 2016 - 06:05 AM

FYI...

Ransomware decrypter released
- https://www.helpnets...r-apocalypsevm/
June 22, 2016 - "... Emsisoft has added yet another ransomware decrypter tool to its stable: a decrypter for ApocalypseVM*. The tool works on the latest versions of the ransomware in question:
> https://www.helpnets...pocalypseVM.jpg
... The victim can then decide to use it on one, some, or all encrypted files. The tool selects the C: partition of the disk by default, but victims can choose other partitions or files to be decrypted. Emsisoft recommends testing the key first on a few files, then to proceed decrypting the rest if everything goes well with the test..."
* https://decrypter.emsisoft.com
Jun 18, 2016 - Version: 1.0.0.23
___

Fake 'Corresponding Invoice' SPAM - leads to Locky
- http://blog.dynamoo....ng-invoice.html
22 June 2016 - "This spam has a malicious attachment... leading to Locky ransomware:
    From:    Althea Duke
    Date:    22 June 2016 at 16:00
    Subject:    Corresponding Invoice
    Dear lisa:
    Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am
    writing to confirm receipt of your order, and to inform you that the item you requested will be delivered
    by 25 June at the latest. If you require more information regarding this order, please do not hesitate to
    contact me.
    Also, our records show that we have not yet received payment for the previous order of 11 June,
    so I would be grateful if you could send payment as soon as possible. Please find attached the
    corresponding invoice.
    If there is anything else you require, our company would be pleased to help. Looking forward to
    hearing from you soon.
    Yours sincerely
    Althea Duke
    Managing Director


UPDATE: A little bit of analysis, via these automated reports [1] [2].. show some download locations as:
personal-architecture .nl/6gcpaey
ding-a-ling-tel .com/b289dg
plasticsmachine .com/d43ndxna
hyip-all .com/9qwmc65
Various files are dropped, including these samples [6] [7] the latter of which is a three-week-old version of Locky. Go figure. The comments in this report show C2 servers at:
51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
185.82.216.55 (ITL, Bulgaria)
93.170.169.188 (PE Dunaeivskyi Denys Leonidovich, Ukraine)
Three out of those four servers are the -same- as yesterday*.
Recommended blocklist:
51.254.240.48
91.219.29.41
185.82.216.55
93.170.169.188"
* http://blog.dynamoo....tached-our.html

1] https://malwr.com/an...DE1ZmIyMTI5ZTE/

2] https://malwr.com/an...WUyZGE1MjhjMGI/

6] https://virustotal.c...14b76/analysis/

7] https://virustotal.c...9b731/analysis/

- https://myonlinesecu...cky-ransomware/
22 June 2016 - "An email with the subject of 'Corresponding Invoice' pretending to come from random senders with a zip attachment which downloads Locky ransomware... These contain a heavily obfuscated JavaScript inside the zip. It has several layers of obfuscation. The alleged sender's name matches the name in the body of the email. The job title is also random and can be anything from Sales Director, Account Director or any other position that any company might think of... This Blog post* describes how to manually deobfuscate these horridly difficult & tricky JavaScript files.
* https://malcat.moe/?p=53
One of the emails looks like:
From: Mariano Hoover <Hoover.20718@215-132 .thezone .bg>
Date: Wed 22/06/2016 15:10
Subject: Corresponding Invoice
Attachment: rob_unpaid_673442.zip
    Dear rob:
    Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am
    writing to confirm receipt of your order, and to inform you that the item you requested will be delivered
    by 25 June at the latest. If you require more information regarding this order, please do not hesitate to
    contact me.
    Also, our records show that we have not yet received payment for the previous order of 11 June,
    so I would be grateful if you could send payment as soon as possible. Please find attached the
    corresponding invoice.
    If there is anything else you require, our company would be pleased to help. Looking forward to
    hearing from you soon.
    Yours sincerely
    Mariano Hoover
    Regional Sales Director


22 June 2016: rob_unpaid_673442.zip: Extracts to: unpaid-5967.js - Current Virus total detections 2/56**
.. Payload Security*** shows us downloads from totalsportnetwork .com/kpbrp2mq or modelestrazackie .za.pl/zfww8nx which are encrypted files that get decrypted by the original JavaScript files to give %TEMP%\OVAkXuGy.exe (VirusTotal 12/55[4]). These encrypted files make it very difficult for an antivirus to prevent download because they are plain text, albeit in total gibberish to a human reader... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."

** https://www.virustot...sis/1466604801/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.186.209.5
193.203.99.113


4] https://www.virustot...bbb7f/analysis/
___

Fake 'On Hold Transactions' SPAM - malicious attachment
- https://myonlinesecu...money-services/
22 June 2016 - "An email with the subject of 'On Hold Transactions From 21.06.2016' pretending to come from Saeed Abugharbieh <saeed.abugharbieh@ xpressmoney .com> with a zip attachment that contains a Barys Trojan and a copy of the image in the email. The .exe file drops a JAVA jar file that is most likely Java Jacksbot Trojan...

Screenshot: https://myonlinesecu...ns-1024x552.png

22 June 2016: On Hold Transactions From 21.06.2016.zip: Extracts to: On Hold Transactions From 21.06.2016.exe
Current Virus total detections 15/56*.. MALWR** shows this drops a JAVA.jar file 812594500.jar which appears to be Java Jacksbot Trojan (VirusTotal 29/56***). MALWR[4]... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1466613297/

** https://malwr.com/an...mY1MjY3YmFiMzY/

*** https://www.virustot...sis/1466613895/

4] https://malwr.com/an...2M0MTdhZDJhZjI/
___

Fake 'Payment' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
22 June 2016 - "An email with the subject of 'Payment' pretending to come from random senders with a zip attachment which downloads Locky ransomware... These contain a heavily obfuscated JavaScript inside the zip. It has several layers of obfuscation. The alleged sender's name matches the name in the body of the email. The job title is also random and can be anything from Sales Director, Account Director or any other position that any company might think of... This Blog post* describes how to manually deobfuscate... JavaScript files. The JavaScript in this one is the -same- as THIS earlier run of Locky downloaders**...
* https://malcat.moe/?p=53

** >> https://myonlinesecu...cky-ransomware/
One of the emails looks like:
From: Luz Odonnell <Odonnell.198@ frionline .com.br>
Date: Wed 22/06/2016 20:36
Subject: Payment
Attachment: details_rob_440235.zip
    Dear rob,
    Our records show that we have not yet received payment for the previous order #A-440235
    Could you please send payment as soon as possible?
    Please find attached file for details.
    Yours sincerely
    Luz Odonnell
    Head of Maintenance


This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
___

Fake 'documents for your reference' PHISH
- https://myonlinesecu...n-owa-phishing/
22 June 2016 - "An email saying 'Please find below documents for your reference kindly sign' pretending to come from gccremittance@ emirates .net.ae is one of the latest -phish- attempts to steal your Outlook Web App logon details which is generally your Microsoft account details...

Screenshot: https://myonlinesecu...ce-1024x471.png

-If- you follow the link http ://intimeshop .com/reviews/cgi-bin/login sure owa/index.html which goes to you get a pop-up message:
> https://myonlinesecu...p1-1024x193.png
.. press OK & you go to:
> https://myonlinesecu...p2-1024x536.png
After giving an email address & password you are sent to: http ://integrare .inf.br/images/Servicos/process/process.php which is currently giving a 404 error... these emails use social engineering tricks to persuade you to open the attachments that come with the email..."

intimeshop .com: 195.154.232.157: https://www.virustot...57/information/
>> https://www.virustot...14981/analysis/

integrare .inf.br: 177.12.163.97: https://www.virustot...97/information/
___

Fake 'invoice' SPAM - leads to Locky
- http://blog.dynamoo....tached-our.html
21 June 2016 - "This malicious spam leads to Locky ransomware, something that we haven't seen for several weeks:
    From:    Lilian Fletcher
    Date:    21 June 2016 at 20:01
    Subject:    Re:
    Dear lisa:
    Please find attached our invoice for services rendered and additional disbursements in the above-
    mentioned matter.
    Hoping the above to your satisfaction, we remain.
    Sincerely,
    Lilian Fletcher
    Head of Maintenance


These are being sent out in huge numbers at the moment. Details vary from message to message, but the body text is essentially the same. Attached is a ZIP file containing the words 'addition', 'invoice' or 'services' plus the recipient's email address and a number (e.g. lisa_addition_278292.zip) containing a malicious script beginning with the word "addition"... Analysis.. shows that it phones home to:
51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
185.82.216.55 (ITL, Bulgaria)
217.12.223.83 (ITL, Ukraine)
As I mentioned before, this is Locky ransomware which has not been circulating at all since about 31st May.
Recommended blocklist:
51.254.240.48
91.219.29.41
185.82.216.55
217.12.223.83"

51.254.240.48: https://www.virustot...48/information/
>> https://www.virustot...4e1d3/analysis/

91.219.29.41: https://www.virustot...41/information/
>> https://www.virustot...22a51/analysis/

185.82.216.55: https://www.virustot...55/information/
>> https://www.virustot...c2f8b/analysis/

217.12.223.83: https://www.virustot...83/information/
>> https://www.virustot...1fd5e/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 22 June 2016 - 03:46 PM.

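The posts above keep coming back to the same delivery trick: a zip attachment whose member is really a .js or .exe, often hidden behind a document-looking name, and Locky's downloaders follow a word-dash-number naming pattern (addition-546.js, unpaid-5967.js). The following mail-gateway style check is an added example, not code from the forum or from any of the blogs quoted; the extension lists and the sample zip contents are constructed for the illustration.

```python
import io
import re
import zipfile
from typing import Dict, List

# Extensions Windows will execute or run as a script on double-click.
# Hypothetical list for this example; extend it for your own mail gateway.
DANGEROUS_EXTS = {"exe", "js", "jse", "jar", "vbs", "wsf", "scr", "hta", "cmd", "bat"}
# Document/image extensions an attacker puts in front of the real extension as a decoy.
DECOY_EXTS = {"doc", "docx", "pdf", "jpg", "png", "txt", "xls", "xlsx"}
# Locky downloader names seen in this thread: addition-546.js, unpaid-5967.js, unpaid-068.js
LOCKY_JS_NAME = re.compile(r"[a-z]+-\d+")


def classify_member_name(name: str) -> List[str]:
    """Return the reasons a zip member name is suspicious (empty list if none)."""
    reasons: List[str] = []
    base = name.lower().rsplit("/", 1)[-1]      # drop any directory prefix
    parts = base.split(".")
    if len(parts) < 2:
        return reasons                          # no extension at all
    ext = parts[-1]
    if ext in DANGEROUS_EXTS:
        reasons.append(f"executable/script extension .{ext}")
    # Double extension such as Scan001.pdf.exe: with known extensions hidden,
    # Explorer shows the user only "Scan001.pdf".
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS and ext in DANGEROUS_EXTS:
        reasons.append(f"decoy double extension .{parts[-2]}.{ext}")
    stem = ".".join(parts[:-1])
    if ext == "js" and LOCKY_JS_NAME.fullmatch(stem):
        reasons.append("Locky downloader naming pattern (word-digits.js)")
    return reasons


def inspect_zip_attachment(data: bytes) -> Dict[str, List[str]]:
    """Map every suspicious member of a zip attachment to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed sample attachment for this example; the contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> Dict[str, List[str]]:
    """Inspect a constructed zip holding one Locky-style .js, one double-extension .exe and one real PDF name."""
    sample = build_sample_zip({
        "addition-546.js": b"// placeholder text, not a real downloader\n",
        "Scan001.pdf.exe": b"placeholder, not a real binary",
        "invoice.pdf": b"%PDF-1.4 placeholder",
    })
    return inspect_zip_attachment(sample)


if __name__ == "__main__":
    for member, reasons in demo().items():
        print(f"{member}: {'; '.join(reasons)}")
```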


#1745 AplusWebMaster

Posted 23 June 2016 - 04:49 AM

FYI...

Fake 'report' SPAM - leads to Locky
- http://blog.dynamoo....-of-report.html
23 June 2016 - "This spam leads to malware:
    From:    Julianne Pittman
    Date:    23 June 2016 at 09:48
    Subject:    Final version of the report
    Dear info,
    Patrica Ramirez asked me to send you the attached Word document, which contains the final version of the report.
    Please let me know if you have any trouble with the file, and please let Patrica know if you have any questions about the contents of the report.
    Kind regards
    Julianne Pittman
    Operations Director (CEO Designate)


The names in each version of the email vary. Attached is a ZIP file with a filename containing some version of the recipient's email address and the word "report" which contains in turn a malicious ZIP .js script beginning with the words "unpaid"...
UPDATE... Hybrid Analysis of three sample scripts [1] [2].. show three download locations (you can bet there will be many more):
bptec .ir/kvk9leho
promoresults .com.au/gx4al
boranwebshop .nl/ggc7ld
Each one drops a slightly different binary (VirusTotal results [4] [5]..).. C2 servers are at:
51.254.240.48 (Rackspace, US)
91.219.29.41 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
217.12.223.88 (ITL, Ukraine)
195.123.209.227 (ITL, Latvia)
93.170.169.188 (PE Dunaeivskyi Denys Leonidovich, Ukraine)
The malware uses the path /upload/_dispatch.php on the C2 servers.
Recommended blocklist:
51.254.240.48
91.219.29.41
217.12.223.88
195.123.209.227
93.170.169.188"
1] https://www.hybrid-a...vironmentId=100

2] https://www.hybrid-a...vironmentId=100

4] https://www.virustot...4773e/analysis/

5] https://www.virustot...591e5/analysis/

- https://myonlinesecu...cky-ransomware/
23 June 2016 - "An email with the subject of 'Final version of the report' pretending to come from random senders with a zip attachment containing a JavaScript file which downloads Locky Ransomware... One of the emails looks like:
From: Jeri Kline <Kline.35895@ moon-maker .com>
Date: Thu 23/06/2016 09:41
Subject: Final version of the report
Attachment: rob_scan_report_094249.zip
    Dear rob,
    Randall Franks asked me to send you the attached Word document, which contains the final version of the report.
    Please let me know if you have any trouble with the file, and please let Randall know if you have any questions about the contents of the report.
    Kind regards
    Jeri Kline
    Key Account Director Municipalities


23 June 2016: rob_scan_report_094249.zip: Extracts to: unpaid-068.js - Current Virus total detections 1/56*
.. Payload security** shows a download of encrypted Locky from abligl .com/8v62l4i4 which the JavaScript from the email converts to 2oyWQ1WPdr1i.exe (VirusTotal 4/55***). These encrypted files make it very difficult for an antivirus to prevent download because they are just plain text, albeit in total gibberish to a human reader... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1466674224/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
160.153.73.196

*** https://www.virustot...sis/1466674585/

abligl .com: 160.153.73.196: https://www.virustot...96/information/
>> https://www.virustot...9a652/analysis/
___

Fake 'swift copy' SPAM - malspam RTF exploit
- https://myonlinesecu...th-rtf-exploit/
23 June 2016 - "An email with the subject of 'Fwd: Re: TT-USD78600.00' pretending to come from barat.mnupack@ mnubd .com with a malicious word doc attachment is an attempt to exploit CVE-2010-3333 which is a buffer overflow in Word RTF files...

Screenshot: https://myonlinesecu...00-1024x447.png

23 June 2016: TRANSFER STATEMENT.doc - Current Virus total detections 15/55*
.. where it is described as CVE-2010-3333[1] exploit which was fixed by Microsoft in 2010/2011...
Update: The download site is http ://www.akkoprint .ro/wp-content/uploads/2016/06/office.exe (VirusTotal 43/55**) Payload Security*** ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1466692832/

1] https://web.nvd.nist...d=CVE-2010-3333
Last revised: 09/21/2011

** https://www.virustot...sis/1466711510/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
111.90.144.71

akkoprint .ro: 5.2.228.65: https://www.virustot...65/information/
>> https://www.virustot...7abbb/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 23 June 2016 - 04:47 PM.



#1746 AplusWebMaster

Posted 24 June 2016 - 09:31 AM

FYI...

Ransomware epidemic - 2014-2016
- https://securelist.c...e-in-2014-2016/
June 22, 2016 - "... Main findings:
• The total number of users who encountered ransomware between April 2015 and March 2016 rose by 17.7% compared to the previous 12 months (April 2014 to March 2015) – from 1,967,784 to 2,315,931 users around the world;
• The proportion of users who encountered ransomware at least once out of the total number of users who encountered malware rose 0.7 percentage points, from 3.63% in 2014-2015 to 4.34% in 2015-2016;
• Among those who encountered ransomware, the proportion who encountered cryptors rose dramatically – up 25 percentage points, from 6.6% in 2014-2015 to 31.6% in 2015-2016;
• The number of users attacked with cryptors rose 5.5 times, from 131,111 in 2014-2015 to 718,536 in 2015-2016;
• The number of users attacked with Win-lockers decreased 13.03%, from 1,836,673 in 2014-2015 to 1,597,395 in 2015-2016..."
> https://noransom.kaspersky.com/

>> https://cdn.secureli.../2016/06/04.png

> https://www.helpnets...t-700000-users/
June 24, 2016 - "... increase in encryption ransomware attacks, with 718,536 users hit between April 2015 and March 2016. This is an increase of 5.5 times compared to the same period in 2014-2015, showing that crypto-ransomware has become an epidemic..."
___

Piracy extortion SCAM emails
- https://torrentfreak...cribers-160624/
Jun 24, 2016 - "... TorrentFreak was alerted to a takedown notice Lionsgate purportedly sent to a Cox subscriber, for allegedly downloading a pirated copy of the movie Allegiant. Under threat of a lawsuit, the subscriber was asked to pay a $150 settlement fee. This request is unique as neither Lionsgate nor its tracking company IP-Echelon are known to engage in this practice. When we contacted IP-Echelon about Lionsgate’s supposed settlement offer, we heard to our surprise that these emails are part of a large phishing scam, which has at least one large ISP fooled. 'The notices are fake and not sent by us. It’s a phishing scam', IP-Echelon informed TorrentFreak. For a phishing scam the -fake- DMCA notice does its job well. At first sight the email appears to be legit, and for Cox Communications it was real enough to forward it to their customers... In response, a Cox representative confirmed that the email is real and explained that it was forwarded by the network security team. Apparently, the -phishing-scam- was good enough to have the security experts fooled. TorrentFreak alerted Cox to the -fake- notices but at the time of writing we have yet to receive a response. Whether any other ISPs have fallen for the same scam is unknown at this point..."



Edited by AplusWebMaster, 24 June 2016 - 03:36 PM.



#1747 AplusWebMaster

Posted 27 June 2016 - 04:47 AM

FYI...

Fake 'DOC' SPAM - leads to Locky
- http://blog.dynamoo....cument4321.html
27 June 2016 - "This rather terse spam run leads to Locky ransomware and appears to come from the sender's own email account (but doesn't*). The subject is some variation of DOC / Document / document plus a number. There is a ZIP file attached with a name matching the subject, there is no body text.
* http://blog.dynamoo....yself-spam.html
Some examples:
Subject: DOC541887
Attachment: DOC541887.zip

Subject: document36168
Attachment: document36168.zip

Subject: Document453567810
Attachment: Document453567810.zip


Contained within the ZIP file is one of several different .js scripts. Trusted third-party analysis (you know who you are, thank you!) shows download locations at:
Detection rates for the dropped binary are 5/54**. The malware phones home to the following IPs:
51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
217.12.223.88 (ITL, Ukraine)
195.123.209.227 (ITL, Latvia)
185.82.216.61 (ITL, Bulgaria)
Recommended blocklist:
51.254.240.48
217.12.223.88
195.123.209.227
185.82.216.61
"
** https://www.virustot...6b8d0/analysis/
___

Fake 'Requested document' SPAM - leads to Locky
- http://blog.dynamoo....d-document.html
27 June 2016 - "This spam comes from various senders, and leads to Locky ransomware:
    From:    Trudy Bonner
    Date:    27 June 2016 at 15:39
    Subject:    Requested document
    Dear [redacted],
    The document you requested is attached.
    Best regards
    Trudy Bonner
    Group Director of Strategy


Attached is a ZIP file containing elements of the recipient's email address, the words "document", "doc" or "scanned" plus a random number. Contained within is a random .js script beginning with 'unpaid'. Trusted external analysis (thank you as ever) shows the scripts downloading... The malware phones home to the following hosts:
51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
109.234.35.71 (McHost.ru, Russia)
185.82.216.61 (ITL, Bulgaria)
185.146.169.16 (Pavel Poddubniy aka CloudPro, Russia)
195.123.209.227 (ITL, Latvia)
217.12.223.88 (ITL, Ukraine)
217.12.223.89 (ITL, Ukraine)
Lots of ITL recently... you might want to block /24s here instead of single IPs.
Recommended blocklist:
"
___

Fake 'Barclays security update' – Phish
- https://myonlinesecu...-phishing-scam/
27 June 2016 - "After the Brexit vote on Thursday, we are starting to see the scammers and phishers using the uncertainty, fear and doubt about the UK and the EU to scam you. The first one today is an email pretending to come from Barclays bank saying New Barclays security update. The original email looks like this:
From: Barclays Online <Barclays@ bt .co.uk>
Date: Mon 27/06/2016 08:01
Subject: New Barclays security update.
    Dear Customer
    Due to security and removal from the EU we have introduce the new look of Barclays Bank security to help maintain our customers profit
    You would be required to re – activate your online banking access to proceed
    Activate Your Online Security
    Thank you for choosing Barclays Bank.©2016


The link behind the activate line goes to http ://whatdoesmybusinessneed .com/wp-admin/hhaa.html and -redirects-
 to another page on the same hacked site  http ://whatdoesmybusinessneed .com/wp-admin/auth/b.htm
where they have a fairly good imitation of a genuine Barclays bank site asking for all the usual personal data, log ins and financial information."

whatdoesmybusinessneed .com: 104.244.124.101: https://www.virustot...01/information/
>> https://www.virustot...c4ba4/analysis/
 



Edited by AplusWebMaster, 27 June 2016 - 09:34 AM.



#1748 AplusWebMaster


Posted 28 June 2016 - 06:00 AM

FYI...

Fake 'report' SPAM - malicious attachment
- http://blog.dynamoo....hed-report.html
28 June 2016 - "This spam has a weird problem with its apostrophe and comes with a malicious attachment:
    From:    Kris Ruiz
    Date:    28 June 2016 at 10:38
    Subject:    report
    Hi info,
    I致e attached the report you asked me to send.
    Regards
    Kris Ruiz
    Head of Finance UKGI Planning


The details of the sender will vary from message to message. Attached is a ZIP file containing components of the recipient's email address and the words "report" and/or "pdf". Contained within is a malicious .js script file with a name starting with 'swift'. This analysis comes from a trusted third party (thank you again). The script downloads a file... The file is then decrypted (although I don't have a sample yet) and appears to be Locky ransomware. It phones home to the following servers:
109.234.35.71 (McHost.ru, Russia)
185.146.169.16 (Pavel Poddubniy aka Cloudpro LLC, Russia)
193.9.28.254 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
194.31.59.147 (HostBar, Russia)
195.123.209.227 (Layer6 Networks, Latvia)
217.12.223.88 (ITL, Ukraine)
217.12.223.89 (ITL, Ukraine)
Recommended blocklist:
"
___

Fake 'Money Certificate' SPAM - java jacksbot Trojan
- https://myonlinesecu...acksbot-trojan/
28 June 2016 - "An email with the subject of 'New Xpress Money Certificate' pretending to come from  xm.ca@ xpressmoney .com with a zip attachment which delivers a java jacksbot Trojan...

Screenshot: https://myonlinesecu...te-1024x536.png

28 June 2016: New Xpress Money Certificate.zip: Extracts to: New Xpress Money Certificate.jar and a copy of the image in the email. Current Virus total detections 24/55*
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1467110905/

.JAR File: "... runs -if- the [Java] JRE is installed on the computer.."
 



Edited by AplusWebMaster, 28 June 2016 - 10:21 AM.



#1749 AplusWebMaster


Posted 29 June 2016 - 06:10 AM

FYI...

Fake 'Additional Order' SPAM - delivers Java Adwind backdoor Trojan
- https://myonlinesecu...ackdoor-trojan/
29 June 2016 - "An email with the subject of 'Additional Order (Additional Items)' pretending to come from  Ahmed <Ahmed@ malothgroups .com> with a java .jar which is a variant of Java Adwind Trojan. These are very nasty backdoor Remote Access, password stealers...

Screenshot: https://myonlinesecu...ms-1024x668.png

29 June 2016: PO_70386804.jar - Current Virus total detections 15/56*. Payload Security** shows a contact with a Russian IP number 185.17.1.82 which is fairly well known for malicious activity over the last few weeks although nothing appearing on VirusTotal, until today... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1467176037/

** https://www.reverse....vironmentId=100
Contacted Hosts
185.17.1.82: https://www.virustot...82/information/
> https://virustotal.c...e2e47/analysis/
___

Fake 'Financial report' SPAM - malicious attachment
- http://blog.dynamoo....ort-i-have.html
29 June 2016 - "This spam appears to come from various sources, but has a malicious attachment:
    From:    Hester Stanley
    Date:    29 June 2016 at 13:25
    Subject:    Financial report
    Hello [redacted],
    I have attached the financial report you requested.
    Regards
    Hester Stanley
    Chief Executive Officer


Attached is a ZIP file containing some version of the recipient's email address, the words "report" or "freport" or "financial" plus a number. This contains a malicious .js file beginning with "swift". Trusted analysis by another party (thank you as ever) gives download locations... The payload is Locky ransomware, phoning home to the following servers:
93.170.123.219 (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
149.154.159.125 (EDIS, Germany)
151.236.17.45 (EDIS, Germany)
151.236.17.47 (EDIS, Germany)
194.31.59.147 (Hostbar, Russia)
I don't currently have a copy of the payload.
Recommended blocklist:
"

- https://myonlinesecu...ed-via-malspam/
29 June 2016 - "... continual Locky JavaScript downloaders... Today’s are no different so far coming in 2 batches. 1st about a financial report and the second with a totally blank body saying images, photos or pictures. The 1st ones contain a heavily obfuscated JavaScript inside the zip. It has several layers of obfuscation. The alleged sender's name matches the name in the body of the email. The job title is also random and can be anything from Sales Director, Account Director or any other position that any company might think of... They all deliver Ransomware versions that encrypt your files and demand money...

29 June 2016: photo42744.zip: Extracts to: NIKON00061473034407.js - Current Virus total detections 10/54*
.. MALWR** shows a download from http ://www.cristaleriadominguez .com/8y7gvt65v?utajtJu=UwxvtvuRe which was -renamed- on download to spuMCzFlvvg.exe (VirusTotal 6/53***).

29 June 2016: rob_report_xls_227699.zip: Extracts to: swift 7c7.js - Current Virus total detections 2/54[4]
.. MALWR [5] shows a download from http ://www.oemsen.gmxhome .de/sh91u3a which gives an encrypted file that is detected as plain txt or data but gets -converted- by the javascript to ye6WVhz4F2H94WZX.exe (VirusTotal 5/56[6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1467205005/

** https://malwr.com/an...WNmYWVhMzFiMmM/
Hosts
62.42.230.17

*** https://www.virustot...sis/1467202241/

4] https://www.virustot...sis/1467204977/

5] https://malwr.com/an...WI0ZThlMGUwZTg/
Hosts
82.165.62.68

6] https://www.virustot...sis/1467200971/

cristaleriadominguez .com: 62.42.230.17: https://www.virustot...17/information/
>> https://www.virustot...d8743/analysis/

oemsen.gmxhome .de: 82.165.62.68: https://www.virustot...68/information/
>> https://www.virustot...f751b/analysis/
___

Phish - via JavaScript Google
- https://myonlinesecu...ime-not-paypal/
29 June 2016 - "... This one fulfils our worst fears and the entire -phish- is performed on a website that actually is the genuine Google log in page and really makes you believe that you are entering your Google credentials only on the genuine Google page, but in fact you are sending your details to the phisher whilst on the genuine Google site... shortly after publishing this post & reporting the http ://goo .gl/NL4EmV to Google, they -removed- that short URL redirect. However the nwfacilities page is still-active & live and it will be trivial for the phisher to create other short urls on Goo .gl and malspam them out... This is the Genuine Google page that you are on while your browser still has the http ://nwfacilities .top pages & JavaScript still loaded but -hidden- to view completely and performing all the nefarious actions and stealing your information. The only difference between you going to the Google log in page yourself & this one are the words data:text/html, at the start of the url
> https://myonlinesecu...pt-1024x791.png
This only appears to work in Google Chrome because Internet Explorer gives this message and doesn’t know what to do with data:text/html commands in the browser (thankfully). Firefox just gives a blank page until you use the view source option:
> https://myonlinesecu...oogle_phish.png "
 



Edited by AplusWebMaster, 29 June 2016 - 04:44 PM.

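The phish in the last item above keeps the attacker's JavaScript loaded behind a data:text/html URL while the visible page is the genuine Google login, reached through a goo.gl redirect; the Barclays lure earlier in the thread links a bank's name to a hacked site. Those link patterns can be screened for before an email reaches a user. This is an added example, not code from the quoted blogs or this thread; the sample body and every domain in it are constructed, and the shortener and public-suffix lists are assumptions.

```python
"""
Inspect the links in an HTML e-mail body for the phishing tricks these posts
describe: a data:text/html URL that carries markup/JavaScript inside the
link itself, URL shorteners that hide the destination (the goo.gl redirect),
and visible link text naming one domain while the href goes to another.
Added example with a constructed sample body; all domains are placeholders.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

SHORTENERS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com"}   # assumed list


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href.strip(), "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude eTLD+1 heuristic: last two labels, or three for co.uk-style suffixes."""
    parts = host.split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org", "gov", "ac"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def flag_link(href: str, text: str) -> List[str]:
    """Reasons a link deserves a closer look; an empty list means nothing flagged."""
    reasons: List[str] = []
    scheme = urlsplit(href).scheme.lower()
    if scheme == "data":
        reasons.append("data: URI - the page content travels inside the link")
        if "<script" in unquote(href).lower():
            reasons.append("data: URI carries a script element")
    elif scheme == "javascript":
        reasons.append("javascript: URI")
    host = host_of(href)
    if host in SHORTENERS:
        reasons.append(f"URL shortener {host} hides the real destination")
    # Visible text that looks like a bare domain or URL but points somewhere else.
    text_host = ""
    if "." in text and " " not in text:
        text_host = host_of(text if "://" in text else "http://" + text)
    if text_host and host and registrable(text_host) != registrable(host):
        reasons.append(f"text says {text_host} but href goes to {host}")
    return reasons


# Constructed sample body; example-hacked-site.invalid stands in for a compromised host.
SAMPLE_HTML = """<html><body>
<p>You would be required to re-activate your online banking access.</p>
<a href="http://example-hacked-site.invalid/wp-admin/hhaa.html">www.barclays.co.uk</a>
<a href="http://goo.gl/EXAMPLE">View the shared document</a>
<a href="data:text/html,%3Cscript%3E%3C/script%3E">Sign in</a>
<a href="https://www.example.com/help">www.example.com</a>
</body></html>"""


def scan_email_html(html: str) -> List[Tuple[str, List[str]]]:
    """Return (href, reasons) for every link in the body, in document order."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, flag_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_HTML):
        print(f"{href[:60]}: {'; '.join(reasons) or 'ok'}")
```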


#1750 AplusWebMaster


Posted 30 June 2016 - 03:56 AM

FYI...

Fake 'WeTransfer' SPAM - delivers Cerber ransomware
- https://myonlinesecu...ber-ransomware/
30 June 2016 - "An email with the subject of 'name@ victim domain .tld' has sent you a file via 'WeTransfer' pretending to come from WeTransfer <noreply@ wetransfer .com> with a link to download a zip attachment which downloads Cerber Ransomware. Luckily Cerber doesn’t mass malspam in the same way that Locky does. These Cerber emails tend to be slightly more targeted (spear Phishing) at small business or organisations where IT might not be such a high priority or be so aware...

Screenshot: https://myonlinesecu...le-1024x712.png

The link behind the download goes to
 https ://www.cubbyusercontent .com/pl/Scanned+Documents.zip/_08fa4c28262f424b970037c786caf840 -not- to any WeTransfer page...
30 June 2016: Scanned Documents.zip: Extracts to: 3 identical copies of Scan001.js
 Current Virus total detections 1/53*. MALWR** shows a download of Cerber Ransomware from
 http ://69.24.80.121 /Styles/ie7/header.css which is -not- a css file but a -renamed- .exe file
 (VirusTotal 4/53***).. This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1467276692/

** https://malwr.com/an...DQwYTUyMmMxZmU/

*** https://www.virustot...sis/1467276011/

69.24.80.121: https://www.virustot...21/information/
>> https://www.virustot...6dbd9/analysis/
___

Phish - with Blurred Images
- https://isc.sans.edu...l?storyid=21207
Last Updated: 2016-06-30 - "... seeing a lot of phishing emails that try to steal credentials from victims... this time, the scenario is quite different:
- The malicious email contains an HTML body with nice logos and texts pretending to be from a renowned company or service provider. There is a link that opens a page with a -fake- document but -blurred- with a popup login page on top of it. The victim is enticed to enter his/her credentials to read the document. I found samples for most of the well-known office documents. Here are some screenshots:
1] https://isc.sans.edu...isc_blurry1.png

2] https://isc.sans.edu...isc_blurry2.png

3] https://isc.sans.edu...isc_blurry3.png

4] https://isc.sans.edu...isc_blurry4.png
The strange fact is that it is -not- clear which credentials are targeted: Google, Microsoft or corporate accounts? The success of an efficient phishing is to take the victim by the hand and "force" him/her to -disclose- what we are expecting. So, nothing fancy behind this kind of phishing but it’s always interesting to perform further investigations and, for one of them, it was a good idea. Everybody makes mistakes and attackers too! The phishing page was hosted on a Brazilian website. Usually, such material is hosted on a -compromised- CMS like, not mentioning names but Wordpress, Joomla or Drupal. The Apache server had the feature 'directory indexing' enabled making all the files publicly available and, amongst the .php and .js files, a zip archive containing the "package" used by the attackers to build the phishing campaign. It was too tempting to have a look at it. The “blurred” effect was implemented in a very easy way: the -fake- document is a low-resolution screenshot displayed with a higher resolution. Like this:
> https://isc.sans.edu...ges/blurred.jpg
... the presence of a JavaScript function to validate the victim’s email address but also to check the TLD. Is it a targeted attack? The presence of .mil, .edu or .gov is interesting while .com included all major -free- email providers... Then, an HTTP -redirect- is performed to a second page: "phone.html" which mimics a Google authentication page and asks for the user phone number. Here again, POST data are processed via "phone.php" which sends a second email with the victim's phone number. Emails are sent to two addresses (not disclosed here):
    One @gmail .com account
    One @inbox .ru account ..."
AVOID and DELETE.
 



Edited by AplusWebMaster, 30 June 2016 - 09:11 AM.




#1751 AplusWebMaster


Posted 01 July 2016 - 05:22 AM

FYI...

Fake 'Transactions' SPAM - Java adwind Trojans
- https://myonlinesecu...adwind-trojans/
1 July 2016 - "We are seeing emails -daily- with zip attachments containing java jar files which are variants of Java Adwind Trojan(1)... There are 2 different emails that arrived overnight both containing the same Java Adwind Trojan, although both having different subjects, senders and file names. For some reason the image that appears in the -body- of the email is also included in the zip files...
1) https://securelist.c...660/adwind-faq/

Screenshot: https://myonlinesecu...se-1024x660.png

The Second email looks like:
From: z.hraahleh@ shift-sg .com <sales@ planetacyber .psi.br>
Date: Fri 01/07/2016 02:44
Subject: Transactions for Amendment
Attachment: PENDING REMITTANCE RECIEPTS FOR APPROVAL.zip  extracts to PENDING REMITTANCE RECIEPTS FOR APPROVAL..jar
kindly find attached listed trasactions for amendment,please do the corrections and send back to us.  thanks


Screenshot: NONE of the email but this logo was in the zip:
> https://myonlinesecu...16/07/logo1.png

1 July 2016: Confirm Transactions.zip: Extracts to: Transactions on Hold.Reason because beneficiary last name is wrong..jar
Current Virus total detections 15/56*. MALWR** shows the usual masses of files created/dropped and entries created on the computer. This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1467206759/

** https://malwr.com/an...jNhMzgyYWQ0OTc/
Hosts
89.163.154.146: https://www.virustot...46/information/

.JAR File: ... runs -if- the [Java] JRE is installed.
 





#1752 AplusWebMaster


Posted 02 July 2016 - 09:32 PM

FYI...

Fake 'RE: info' SPAM - Cerber Ransomware
- https://myonlinesecu...nknown-malware/
2 July 2016 - "A blank email with the subject of 'RE: info' pretending to come from asisianu@ pauleycreative .co.uk with a zip attachment with a jse file... Update: I am assured that it definitely is Cerber Ransomware... One of the emails looks like:
From: asisianu@ pauleycreative .co.uk
Date: Sat 02/07/2016 19:40
Subject: RE: info
Attachment: info_1218307442.zip


Body content: Totally blank/empty

2 July 2016: info_1218307442.zip: Extracts to: 5.jse - Current Virus total detections 2/55*
.. PayLoad Security** | MALWR*** shows a download from
  http ://adiidiam .top/admin.php?f=1.jpg (which is -not- a jpg but a .exe file)
 (VirusTotal 1/56[4]) (MALWR[5]) (Payload Security[6])... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1467464033/

** https://www.reverse....vironmentId=100
Contacted Hosts
202.9.68.138
52.28.98.176
31.184.232.*


*** https://malwr.com/an...zA2M2Y1YTMwMWU/
Hosts
202.9.68.138

4] https://www.virustot...sis/1467471194/

5] https://malwr.com/an...GFiNWY2MzJhZTE/

6] https://www.reverse....vironmentId=100
Contacted Hosts
52.58.188.104
31.184.232.*


adiidiam .top: 66.225.198.20: https://www.virustot...20/information/

>> https://www.virustot...31a4e/analysis/
216.170.126.19: https://www.virustot...19/information/
>> https://www.virustot...68843/analysis/
 



Edited by AplusWebMaster, 03 July 2016 - 06:30 AM.

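Several of the posts above turn on the same file-type tricks: a .js/.jse/.jar/.docm stage inside a ZIP, an executable fetched under a name like 1.jpg or header.css, and a double extension that Windows hides when "show known file extensions" is off. Those checks can be run mechanically on an attachment before it reaches a mailbox. This is an added example, not code from the quoted blogs or this thread; the archive and its members are constructed placeholders and the extension lists are assumptions.

```python
"""
Triage a ZIP e-mail attachment for the tricks these posts describe:
script payloads (.js/.jse/.jar/.docm) inside the archive, double
extensions such as "Scan001.pdf.exe", and content whose leading bytes
do not match the name (a "1.jpg" or "header.css" that is really a PE).
Added example with constructed sample data; no real sample is embedded.
"""
import io
import zipfile
from typing import Dict, List, Optional

# Extensions that run code when double-clicked on Windows (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".jar", ".docm", ".wsf", ".vbs", ".exe", ".scr"}
# Extensions a reader tends to trust at a glance (assumed list).
BENIGN_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".png", ".txt", ".css", ".xls"}

# Leading bytes for the content types that matter here.
MAGIC = {
    b"MZ": "pe",           # Windows executable
    b"PK\x03\x04": "zip",  # ZIP container (also .jar and .docm)
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}
# What the leading bytes should be for a given extension.
EXPECTED = {".exe": "pe", ".scr": "pe", ".pdf": "pdf", ".jpg": "jpeg",
            ".jpeg": "jpeg", ".png": "png", ".jar": "zip", ".docm": "zip"}


def sniff(data: bytes) -> str:
    """Return a coarse content type from the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def ext_parts(name: str) -> List[str]:
    """'dir/Scan001.PDF.exe' -> ['.pdf', '.exe'] (lower-cased, base name only)."""
    base = name.rsplit("/", 1)[-1]
    return ["." + p for p in base.lower().split(".")[1:]]


def triage_member(name: str, head: bytes) -> List[str]:
    """Reasons to quarantine one archive member; an empty list means nothing flagged."""
    reasons: List[str] = []
    exts = ext_parts(name)
    last = exts[-1] if exts else ""
    if last in SCRIPT_EXTS:
        reasons.append(f"executable/script type {last}")
    # A trusted-looking extension right before the real one, e.g. .pdf.exe.
    if len(exts) >= 2 and exts[-2] in BENIGN_EXTS and last in SCRIPT_EXTS:
        reasons.append(f"double extension {exts[-2]}{last}")
    kind = sniff(head)
    want: Optional[str] = EXPECTED.get(last)
    if want and kind != "unknown" and kind != want:
        reasons.append(f"content is {kind} but name claims {last}")
    if kind == "pe" and last not in (".exe", ".scr"):
        reasons.append("PE executable under a non-executable name")
    return reasons


def triage_zip(blob: bytes) -> Dict[str, List[str]]:
    """Map every file in the archive to its list of reasons."""
    out: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)   # the leading bytes are enough to sniff
            out[info.filename] = triage_member(info.filename, head)
    return out


def build_sample_zip() -> bytes:
    """Constructed archive: a .js lure, a PE named 1.jpg, a .pdf.exe, and a real PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan001.js", "// placeholder text, not a downloader\n")
        zf.writestr("1.jpg", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("report.pdf", b"%PDF-1.4\n%constructed\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(f"{member}: {'; '.join(reasons) or 'ok'}")
```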


#1753 AplusWebMaster


Posted 04 July 2016 - 06:22 AM

FYI...

Fake 'Scanned image' SPAM - delivers Locky
- https://myonlinesecu...livers-locky-2/
4 July 2016  - "An email with the subject of 'Scanned image' pretending to come from random names at your own email domain or company with a malicious word doc macro attachment delivers Locky Ransomware... The email looks like:
From: Random names at your own email domain
Date: Mon 04/07/2016 11:33
Subject: Scanned image
Attachment: 04-07-2016_rndnum(4,9)}}.docm
    Image data has been attached to this email.


4 July 2016: 04-07-2016_rndnum(4,9)}}.docm - Current Virus total detections 6/54*
.. MALWR** shows a download from http ://clear-sky .tk/nb4vervge which is Locky Ransomware although not showing in the sandbox analysis. This means that once again the Locky gang have upped the stakes and changed their anti-analysis/ anti-sandbox protections to make it more difficult to detect and protect against (VirusTotal 3/53***).. DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1467628388/

** https://malwr.com/an...GI0NmRlNjAxOTY/
Hosts
213.239.227.58: https://www.virustot...58/information/
>> https://www.virustot...81d09/analysis/

*** https://www.virustot...sis/1467627485/
 





#1754 AplusWebMaster


Posted 05 July 2016 - 06:00 AM

FYI...

Fake 'Rechnung' SPAM - downloads Locky
- https://myonlinesecu...cky-ransomware/
5 July 2016 - "An email partly in German and partly in English pretending to be a-mobile-phone-bill with the subject of 'Rechnung 2016-93910' [random numbered] pretending to come from mpsmobile GmbH <info@ mpsmobile .de> with a zip attachment which downloads Locky ransomware... One of the emails looks like:
From: mpsmobile GmbH <info@mpsmobile .de>
Date: Tue 05/07/2016 10:45
Subject: Rechnung 2016-93910
Attachment: 52751_Rechnung_2016-93910_20160705.zip
    Sehr geehrte Damen und Herren, anbei erhalten Sie das Dokument ‘Rechnung 2016-93910′ im PDF-Format. Um es betrachten und ausdrucken zu können, ist der PDF Reader erforderlich. Diesen können Sie sich kostenlos in der aktuellen Version aus dem Internet installieren. Mit freundlichen Grüssen mpsmobile Team ...
    Dear Ladies and Gentlemen, please find attached document ”Rechnung 2016-93910’ im PDF-Format. To view and print these forms, you need the PDF Reader, which can be downloaded on the Internet free of charge. Best regards mpsmobile GmbH ...


5 July 2016: 52751_Rechnung_2016-93910_20160705.zip: Extracts to: 63227_2016-53001_20160705.js
Current Virus total detections 23/56*. Payload Security** | MALWR*** was unable to find anything but manual analysis shows a download from http ://brewinbooks .com/98uhnvcx4x (VirusTotal 3/53[4]) which looks like Locky Ransomware but MALWR[5] doesn’t show any activity which is probably due to anti-sandbox protection in the file. Other download locations so far found include:
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441173827/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


*** https://malwr.com/an...jE3N2I4MTczNjQ/

4] https://www.virustot...sis/1467711259/

5] https://malwr.com/an...WMyZGZkNjkyYmI/
___

Fake 'Scanned image' SPAM - leads to Locky
- http://blog.dynamoo....e-leads-to.html
5 July 2016 - "This -fake- document scan appears to come from within the victim's own domain but has a malicious attachment.
    From:    administrator8991@ victimdomain .com
    Date:    5 July 2016 at 12:47
    Subject:    Scanned image
    Image data has been attached to this email.


Possibly due to an error in setting up the spam run, there is an attachment named 05-07-2016_rndnum(4,9)}}.docm which contains a malicious macro. We haven't seen much in the way of Word-based malware recently. The two samples I received have VirusTotal detection rates of 5/52* and 6/52**. The Malwr analysis for those samples [1] [2] shows the macro downloading a binary from:
leafyrushy .com/98uhnvcx4x
sgi-shipping .com/98uhnvcx4x
There will be a lot more locations too. This drops a binary with a detection rate of 5/55[3] which appears to be Locky ransomware. Hybrid Analysis[4] shows it phoning home to:
185.106.122.38 (Host Sailor, Romania / UAE)
185.106.122.46 (Host Sailor, Romania / UAE)
185.129.148.6 (MWTV, Latvia)
Host Sailor is a notoriously Black Hat web host, MWTV has its problems too. The payload appears to be Locky ransomware.
Recommended blocklist:
185.106.122.0/24
185.129.148.0/24
"
* https://virustotal.c...sis/1467721871/

** https://virustotal.c...sis/1467721877/

1] https://malwr.com/an...DNkZWYzZDliYTM/
Hosts
209.222.76.2

2] https://malwr.com/an...jlmMWMwZGJjYjk/
Hosts
160.153.74.199

3] https://virustotal.c...634f0/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.106.122.38
185.106.122.46
185.129.148.6

___

Fake 'Quick cash' fraud SCAM/PHISH
- https://myonlinesecu...ns-fraud-scams/
5 July 2016 - "... Instead of the usual spam emails, we are seeing loads of -fake- invoices, all with links to various companies that pass through or redirect the user to
 http ://www.quickcashsystem .biz/?offerID=1062&p=10274a38b6a0b47645075132d8d48c (They are probably affiliate references so the scummy scammers can pay the evil fraudsters who send victims to them). The reference number is different, depending on the “victim’s IP number”. I visited via different proxies and got a different reference number each visit... This all starts off with an email like one of these:
This first one pretends to be an Account Balance Warning from an unnamed bank. All the links go to
 http ://beckham7 .com/lists/link.php?M=28914&N=33&L=18&F=H where you are -redirected- (eventually) to
 http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e where a video immediately starts playing, showing you a big mansion, expensive cars and the chance to make $$$$$.

Screenshot: https://myonlinesecu...m7-1024x733.png

This one pretends to be an electronics invoice and at a first quick glance, you could quite easily mistake it for an eBay invoice and follow the links to see what on earth has happened, because you don’t remember ordering anything. This one leads to http ://a2cd .com/lists/link.php?M=29114&N=33&L=18&F=H which -redirects- to
 http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e :
> https://myonlinesecu...-1-1024x608.png
This 3rd example is so generic that almost anyone receiving it would click through to see what or how this mistake could have been made. This goes to
 http ://steps123 .com/lists/link.php?M=29215&N=41&L=20&F=H and -redirects- to
 http ://www.quickcashsystem .biz/?offerID=1062&p=102798821e1ff5eaafa8251b9ba26e :
> https://myonlinesecu...23-1024x580.png
You eventually end up on this page, whichever link you follow to start with:
> https://myonlinesecu...sh-1024x644.png
If you look at the small print at the very bottom of the page, you just see in very light type a link to disclaimer and privacy:
> https://myonlinesecu...laimer_link.png
Following the disclaimer link, you get a page that does warn you “The www .quickcashsystem .biz sales video is fictitious and was produced to portray the potential of the www .quickcashsystem .biz 3rd party signals software. Actors have been used to present this opportunity and it should be viewed for entertainment purposes. We do not guarantee income or success, and example results in the video and anywhere else on this website do not represent an indication of future success or earnings.”

quickcashsystem .biz: 5.189.129.65: https://www.virustot...65/information/
>> https://www.virustot...60189/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 05 July 2016 - 07:57 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1755 AplusWebMaster

Posted 06 July 2016 - 07:28 AM

FYI...

Fake 'random hex numbers' SPAM - Locky ransomware
- http://blog.dynamoo....exadecimal.html
6 July 2016 - "I only have a couple of samples of this very minimalist spam, consisting of just a "Subject" with a random hex number (e.g. 90027696CCCC611D) and a matching .DOCM attachment (e.g. 90027696CCCC611D.docm).
My trusted analysis source (thank you) says that these DOCM files contain a macro (no surprises there) that downloads a binary from the following locations:
blingberry24 .com/90ujn3b8c3
danseduchat .com/90ujn3b8c3
harveyventuresltd .com/90ujn3b8c3
noveltybella .com/90ujn3b8c3
www .proxiassistant-ao .com/90ujn3b8c3
www .sacandolalengua .com/90ujn3b8c3
The payload is Locky ransomware with a detection rate of 3/52*. The same source says that C2 locations are:
89.108.84.42 (Agava JSC, Russia)
148.163.73.29 (GreencloudVPS JSC, Vietnam)
Agava in particular is a regular source of badness, and I would suggest that you consider blocking the entire 89.108.80.0/20 range, or at least this minimum recommended blocklist:
89.108.84.42
148.163.73.29
"
* https://www.virustot...3a2b6/analysis/
___

CryptXXX ransomware updated
- https://isc.sans.edu...l?storyid=21229
2016-07-06 - "When generating exploit kit (EK) traffic earlier today, I noticed a change in post-infection activity on a Windows host infected with CryptXXX ransomware. This happened after an infection caused by Neutrino EK triggered from the pseudoDarkleech campaign:
Flow chart for Neutrino EK/CryptXXX caused by pseudoDarkleech
> https://isc.sans.edu...ry-image-01.jpg
This morning, the decryption instructions for CryptXXX ransomware looked different. A closer examination indicates CryptXXX has been updated. As I write this, I haven't found anything online yet describing these recent changes, so this diary takes a quick look at the traffic:
An infected Windows desktop from earlier today
> https://isc.sans.edu...y-image-02a.jpg
Details: Today's EK traffic was on 198.71.54.211 using the same domain shadowing technique we've seen before from various campaigns using Neutrino EK... Post-infection traffic was over 91.220.131.147 on TCP port 443 using custom encoding, a method CryptXXX has used since it first appeared earlier this year..."
(More detail at the isc URL above.)

198.71.54.211: https://www.virustot...11/information/
>> https://www.virustot...dea55/analysis/

91.220.131.147: https://www.virustot...47/information/
>> https://www.virustot...a0571/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 07 July 2016 - 05:33 AM.


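Added example (my own code, not from the thread or from dynamoo): a small mail-gateway triage check for the two Locky spam patterns quoted above, the 'Scanned image' run whose attachment name still carries the unexpanded rndnum(4,9)}} template token and spoofs the recipient's own domain, and the 'random hex' run whose .docm attachment is named after the 16-hex-digit subject. The sample messages, sender addresses and reason strings are constructed for the example.

```python
import re

# Constructed sample mail metadata modelled on the two Locky runs described in this thread.
# Each record: (sender, recipient domain, subject, attachment file name). Values are made up
# apart from the attachment-name shapes quoted from the blog posts.
SAMPLE_MAIL = [
    ("administrator8991@victimdomain.com", "victimdomain.com",
     "Scanned image", "05-07-2016_rndnum(4,9)}}.docm"),
    ("noreply@example.org", "victimdomain.com",
     "90027696CCCC611D", "90027696CCCC611D.docm"),
    ("scanner@victimdomain.com", "victimdomain.com",
     "Scanned image", "scan_0412.pdf"),
    ("alice@partner.example", "victimdomain.com",
     "Q3 figures", "q3.xlsx"),
]

# Subject consisting solely of a 16-digit hex number, as in the 6 July run.
HEX_SUBJECT = re.compile(r"^[0-9A-Fa-f]{16}$")
# Macro-enabled Office extensions; the runs above used .docm.
MACRO_EXT = (".docm", ".dotm", ".xlsm")
# An unexpanded mail-merge token such as rndnum(4,9)}} betrays a botched spam run.
TEMPLATE_TOKEN = re.compile(r"\w+\(\d+,\d+\)\}*")


def classify(sender, rcpt_domain, subject, attachment):
    """Return the list of reasons a message matches one of the Locky patterns ([] if none)."""
    reasons = []
    macro = attachment.lower().endswith(MACRO_EXT)
    stem = attachment.rsplit(".", 1)[0]
    # Pattern 1: hex subject whose attachment is named after it (90027696CCCC611D.docm).
    if macro and HEX_SUBJECT.match(subject) and stem.lower() == subject.lower():
        reasons.append("hex subject matches macro attachment name")
    # Pattern 2: template token left in the attachment name.
    if macro and TEMPLATE_TOKEN.search(attachment):
        reasons.append("unexpanded template token in attachment name")
    # Pattern 3: 'Scanned image' mail spoofing the recipient's own domain with a macro doc.
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if macro and sender_domain == rcpt_domain.lower() and subject.lower() == "scanned image":
        reasons.append("internal-looking 'Scanned image' mail carrying a macro document")
    return reasons


def triage(records):
    """Map each attachment name to its list of match reasons."""
    return {rec[3]: classify(*rec) for rec in records}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_MAIL).items():
        print(name, "->", reasons or "clean")
```

Real scanners would also inspect the attachment for VBA macros rather than trust the extension, but the name and header checks alone separate these two runs from ordinary scanner mail.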