SPAM frauds, fakes, and other MALWARE deliveries...

2072 replies to this topic

#1756 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 08 July 2016 - 03:39 AM

FYI...

Fake 'AU Fedcourts' SPAM - Malware
- https://isc.sans.edu...l?storyid=21241
2016-07-08 - "Earlier today people have started reporting that they have received a subpoena email from the Australian Federal courts:
> https://isc.sans.edu...ges/Capture.PNG
The email links through to various compromised sites which -redirect- the user to a federalcircuitcourt .net web server. Once on the web server you are expected to enter a number and the captcha shown before a case.js file is downloaded:
> https://isc.sans.edu/diaryimages/images/fedc-captcha.png  
... feel free to -block- the domain federalcircuitcourt .net in your web proxies. This is -not- a legitimate domain. The federal circuit court has issued a media release:
> http://www.federalci...t/news/mr080716
'Media Release - Spam Warning...
If you receive one of these emails:
    Do not click on any of the links as they may contain viruses or malware
    Delete the item from your inbox and Deleted folder...'"

federalcircuitcourt .net: 192.3.21.105: https://www.virustot...05/information/
>> https://www.virustot...59082/analysis/
104.223.53.210: https://www.virustot...10/information/
>> https://www.virustot...badf1/analysis/
___

Malware masquerades as Firefox update
- https://www.helpnets...erades-firefox/
July 8, 2016 - "Click-ad-fraud Kovter malware, packaged as a legitimate Firefox browser update, is being delivered to unsuspecting victims via drive-by-download attacks. Kovter, which also occasionally installs other malware, has been around for a few years now, and has gone through many changes that keep it a current threat:
> https://www.virustot...d827a/analysis/
'firefox-patch.exe
Detection ratio: 27/53 ...'
Users are advised always to be wary of random pop-ups telling them some software needs an update. Most software by now – and popular browsers especially – have in-software mechanisms for downloading and implementing updates. If, for whatever reason, they don’t want to use it, updates should be picked up directly from the vendors’ official websites or from well-reputed download sites..."
___

Crimeware Shake-up ...
- http://blog.talosint...onnections.html
July 7, 2016 - "For a couple of weeks in June the threat landscape was changed. Several high profile threats fell off the scene, causing a shake-up that hadn't been seen before. For a period of three weeks the internet was safer, if only for a short time. Still to date the Angler exploit kit has not returned and the threat outlook appears to be forever changed... Earlier this month a group of individuals were arrested in Russia. The arrest was linked to a Russian-specific piece of malware named Lurk, a banking trojan that was specifically targeting Russian banks. Due to the malware being restricted to Russia there wasn't a lot of public information regarding the threat itself... The Necurs botnet is back online and delivering both Locky & Dridex. It was down for approximately three weeks, but its resurgence shows that again these threats are making far too much money to -not- be resilient. In time it's likely all of the major threats that we've seen be hindered or disappear will return:
> https://3.bp.blogspo...meline_blog.png
... There is no way to say for certain that all of these threats are connected, but there is one single registrant account that owned domains attached to all of them. If this one group was running all of these activities this will likely go down as one of the most significant arrests in the history of cybercrime with a criminal organization that was easily earning hundreds of millions of dollars. However, the celebration will be short lived as we've seen in the past, when a group this size is taken down a vacuum is created. All of these threats will come back, in some form or another, and will have learned from the mistakes of their predecessors. The best evidence of this was the author of Blackhole exploit kit being arrested, for a time there was an arms race between exploit kits to see who would take the top spot. That eventually gave rise to Angler, which took the sophistication of exploit kits and drive-by-downloads to a level not seen with Blackhole. We expect the same thing to occur now as Angler and possibly Nuclear leave the threat landscape. Other lesser known kits will likely try to fill the void, which we have already seen with Rig and Neutrino, as well as the new kits that are likely already under development... despite all the variety and different actors making use of these technologies there potentially was a much smaller group responsible for a far larger chunk of the crimeware space than previously estimated..."
___

Cybercrime surpasses traditional crime in UK
- http://www.darkreadi.../d/d-id/1326208
July 8, 2016 - "Cybercrime is currently outpacing traditional crime in the United Kingdom in terms of impact spurred on by the rapid pace of technology and criminal cyber-capability, according to the UK’s National Crime Agency. The trend suggests the need for a more collective response from government, law enforcement, and industry to reduce vulnerabilities and prevent crime, the NCA report says:
> http://www.nationalc...sment-2016/file
... The UK’s Office of National Statistics included cybercrime for the first time in its 2015 annual Crime Survey of England and Wales. The survey estimated that there were 2.46 million cyber incidents and 2.11 million victims of cybercrime in the UK last year... The assessment shows that cybercrime activity is growing fast and evolving, with the threats from Distributed Denial of Service (DDoS) and ransomware attacks increasing significantly in 2015. The threats from DDoS and ransomware attacks have increased, driven by ready access to easy-to-use tools and by wider criminal understanding of its potential for profit through extortion. Ransomware attacks have also increased in frequency and complexity, and now include threats to publish victim data online, as well as the permanent encryption of valuable data, the assessment states. The most advanced and serious cybercrime threat to the UK is the direct or indirect result of a few hundred international cybercriminals who target UK businesses to commit highly profitable, malware-facilitated fraud... Under-reporting continues to obscure the full impact of cybercrime in the UK. This shortfall in reporting hampers the ability of law enforcement to understand the operating methods of cyber criminals and most effectively respond to the threat. As a result, the NCA is urging businesses to view cybercrime not only as a technical issue but as a board-level responsibility, and to make use of the reporting paths available to them, sharing intelligence with law enforcement and each other... most security tools have been reverse-engineered and bypassed by cybercriminal crews. So the emphasis should be on intrusion suppression, where security professionals decrease the dwell time the adversaries have to freely roam their organizations' networks..."

Fraud News:
- http://www.actionfraud.police.uk/news
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 10 July 2016 - 07:12 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1757 AplusWebMaster


Posted 12 July 2016 - 06:19 AM

FYI...

Fake 'bill enclosed' SPAM - malspam word doc
- https://myonlinesecu...nknown-malware/
12 July 2016 - "An email with the subject of 'Re: senders name' pretending to come from random senders with a malicious word doc attachment is another one from the current bot runs... There are a multitude of single line body content with this malspam run. Some of the ones I have seen so far include:
    Please find the bill enclosed with this msg. The Payment will be posted in 1 hours.
    Please check the IOU attached to this email. The Transfer should appear in 40 minutes.
    Check the report enclosed with this msg. The Transaction will be posted in 15 minutes
    Find the voucher enclosed with this msg. The Funds will be posted in 5 days
    Find the voucher enclosed with this email. The Transfer should appear within 6 hours
    Find the invoice attached to this message. The Funds will be posted in 4 days
    Please check the report attached to this msg. The Funds will be posted in 5 days
    Check the check attached to this email. The Transaction should appear in 3 days
    Find the bill enclosed with this msg. The Payment will be posted in 5 days

One of the emails looks like:
From: Lacey Jefferson <kithuat4@ centec .vn>
Date: Tue 12/07/2016 06:34
Subject: Re:Lacey Jefferson
Attachment: MF1H6N-Lacey Jefferson.dotm
Please find the bill enclosed with this msg. The Payment will be posted in 1 hours.


12 July 2016: MF1H6N-Lacey Jefferson.dotm - Current Virus total detections 3/55*
.. MALWR** crashes every time. Hybrid Analysis*** also doesn’t show or give any download or dropped files.
Manual attempts using Libre office also crash Libre office, so it is possible that either the macro is malformed and not running properly or a new anti-analysis protection or a 0 day is being used
- Update: Manual analysis by one of the analysts on Twitter[4] (thanks) has discovered this download
bring-me .in/su.jpg which is a jpg containing Steganographically embedded malware. We are still waiting for fuller analysis to extract the malware from the jpg file. This is normally done by the macro inside the word doc.
- Further Update: to decode jpg & get the Dridex banking Trojan use offset 0x13CC XOR: 0x68
The jpg looks like this screenshot:
> https://myonlinesecu...ng_me_in_su.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1468303224/

** https://malwr.com/an...zk3Yjk1ZWZmMTg/

*** https://www.hybrid-a...vironmentId=100

4] https://twitter.com/...757247642566656

bring-me .in: 213.186.33.18: https://www.virustot...18/information/
>> https://www.virustot...9fdaa/analysis/
___

Fake 'excel file' SPAM - leads to Locky
- http://blog.dynamoo....excel-file.html
12 July 2016 - "This -fake- financial spam leads to Locky ransomware:
    From:    Benita Clayton
    Date:    12 July 2016 at 15:04
    Subject:    Fw:
    hi [redacted],
    Here's that excel file (latest invoices) that you wanted.
    Best regards,
    Benita Clayton
    Vice President US Risk Management


Sender details vary from message to message. Attached is a ZIP file containing part of the recipient's email address plus some other elements, within which is a malicious .js script beginning with -SWIFT-. Trusted external analysis (thank you again) shows the scripts download an obfuscated binary... Locky then phones home to one of the following locations:
5.196.189.37 (Just Hosting, Russia / OVH, Ireland)
77.222.54.202 (SpaceWeb CJSC, Russia)
109.234.34.146 (McHost.Ru, Russia)
192.71.249.220 (EDIS, Sweden)
Recommended blocklist:
5.196.189.37
77.222.54.202
109.234.34.0/24
192.71.249.220
"
___

Google notifies users of 4,000 state-sponsored cyber attacks per month ...
- http://www.reuters.c...k-idUSKCN0ZR2IU
Jul 12, 2016 - "A senior executive of Alphabet Inc's Google unit said on Monday that the company was notifying customers of 4,000 state-sponsored cyber attacks per month... Google senior vice president and Alphabet board member Diane Greene mentioned the figure... The internet search leader, which develops the Android mobile system and also offers email and a range of other applications for consumers, has led the way in notifying users of government spying. Others, including Microsoft Corp, have since followed suit. Google had previously said that it had been issuing tens of thousands of warnings every few months and that customers often upgraded their security in response."
___

Using Process Explorer to detect malware
- https://isc.sans.edu...irusTotal/19931
"Did you know you can have all EXEs of running processes scanned with VirusTotal?...
Enable VirusTotal checks... And accept the VirusTotal terms...
(... by default Process Explorer only submits hashes to VirusTotal, not files, unless you explicitly instruct it to submit a file)
... now you can see the VirusTotal scores..."
(More detail at the isc URL above.)
___

Akamai - Network Traffic Overview
> https://www.akamai.c...web-monitor.jsp
July 12, 2016 09:10:28 PM GMT - "44% above normal..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 12 July 2016 - 03:21 PM.

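The myonlinesecurity item in post #1757 says the Dridex binary is carved out of the su.jpg carrier at offset 0x13CC with a single-byte XOR key of 0x68. The following is an added example, not code from the post or from myonlinesecurity, showing how an analyst would carve and sanity-check such a payload, and going one step beyond the post by locating the offset and key when only the carrier is in hand. The carrier built by make_demo_carrier() is constructed for the demo (a JPEG SOI marker, filler, and a fake PE header); no real sample is embedded and the function and variable names are this example's own.

```python
"""Added example (not from the forum post or from myonlinesecurity):
carve a single-byte-XOR-encoded executable out of an image carrier,
as the post describes for su.jpg (offset 0x13CC, key 0x68).
The carrier produced below is constructed; it contains no real malware."""

MZ = b"MZ"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def xor_decode(data, offset, key):
    """Return data[offset:] with every byte XORed against the one-byte key."""
    return bytes(b ^ key for b in data[offset:])


def looks_like_pe(blob):
    """Cheap plausibility check for a carved PE: 'MZ' magic followed by the
    usual DOS-stub message somewhere in the first 512 bytes."""
    return blob[:2] == MZ and DOS_STUB_TEXT in blob[:512]


def carve_pe(data, offset, key):
    """Decode at a known offset/key (the case in the post) and return the
    decoded bytes only if they pass the PE check; otherwise None."""
    blob = xor_decode(data, offset, key)
    return blob if looks_like_pe(blob) else None


def find_payload(data):
    """Generalisation beyond the post: when offset and key are unknown, derive
    the key from the assumption that the plaintext starts with 'MZ' and test
    every offset.  Returns (offset, key) or None."""
    for i in range(len(data) - 1):
        key = data[i] ^ MZ[0]            # key that would turn this byte into 'M'
        if data[i + 1] ^ key != MZ[1]:   # next byte must then decode to 'Z'
            continue
        if looks_like_pe(xor_decode(data[i:i + 512], 0, key)):
            return i, key
    return None


def make_demo_carrier(offset=0x13CC, key=0x68):
    """Constructed carrier: JPEG SOI/APP0 marker bytes, zero filler up to the
    offset, then an XOR-encoded fake PE header (magic, padding, DOS-stub text)."""
    fake_pe = MZ + b"\x90" * 62 + b"\x00" * 4 + DOS_STUB_TEXT + b"\x00" * 16
    filler = b"\xff\xd8\xff\xe0" + b"\x00" * (offset - 4)
    return filler + bytes(b ^ key for b in fake_pe)


if __name__ == "__main__":
    carrier = make_demo_carrier()
    pe = carve_pe(carrier, 0x13CC, 0x68)
    print("carved PE at known offset/key:", pe is not None)
    print("recovered (offset, key):", find_payload(carrier))
```

On a real carrier the PE check is deliberately loose; an analyst would follow it with a proper PE parser and hash the carved file before submitting it anywhere. The offset search is linear in the carrier size and works only for single-byte XOR, which is exactly the scheme the post reports.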


#1758 AplusWebMaster


Posted 13 July 2016 - 10:11 AM

FYI...

Fake ransomware SCAM, malware just deletes victims’ files
Tagged as 'Ranscam', Powershell and script-based malware is a botched smash-and-grab
- http://arstechnica.c...-victims-files/
Jul 12, 2016 - "... 'Ranscam' is a purely amateur attempt to cash in on the cryptoransomware trend that demands payment for 'encrypted' files that were actually just plain -deleted- by a batch command. 'Once it executes it, it pops up a ransom message looking like any other ransomware', Earl Carter, security research engineer at Cisco Talos, told Ars. 'But then what happens is it forces a reboot, and it just deletes-all-the-files. It doesn't try to encrypt anything — it just -deletes- them all'. Talos discovered* the file on the systems of a small number of customers. In every case, the malware presented exactly the same message, including the same Bitcoin wallet address..."
* http://blog.talosint...07/ranscam.html
July 11, 2016 - "... The unfortunate reality is, all of the user’s files have already been deleted and are unrecoverable by the ransomware author as there is no capability built into Ranscam that actually provides recovery functionality. The author is simply relying on 'smoke and mirrors' in an attempt to convince victims that their files can be recovered in hopes that they will choose to pay the ransom..."
 

:ph34r: :ph34r:   <_<




#1759 AplusWebMaster


Posted 14 July 2016 - 02:30 PM

FYI...

Kovter’s persistence methods
- https://blog.malware...angling-kovter/
July 14, 2016 - "Kovter is a click-fraud malware famous for the unconventional tricks used for persistence. It hides malicious modules in PowerShell scripts as well as in registry keys to make detection and analysis difficult... Authors of Kovter put a lot of effort into making their malware stealthy and hard to detect. During the initial assessment of some of the Kovter samples we could notice that it is signed by a valid Comodo certificate (it was stolen, got revoked later)... After the sample gets deployed, Kovter runs PowerShell and installs itself in the system... Observing it via Process Explorer we can find the command passed to PowerShell. Its purpose is to execute code stored in an environment variable (names are random, new on each run)... Conclusion: Thanks to the techniques employed by Kovter, no executable needs to be dropped on the disk – that’s why it is known as “fileless”. Even the file to which the initial link led does not contain any code to be executed. Instead, it is used just for the flow obfuscation. Running it, in reality, leads to running the code stored in the registry, which is sufficient to unpack and re-run the real payload. Persistence used by this malware is creatively designed and exceptional in comparison to most malware. Not only is it scattered into several layers, but it is also obfuscated at every stage and contains tricks that slow down the analysis process..."
(More detail at the malwarebytes URL above.)
___

Exploit kits - cyber-crime marketplace
- http://www.theregist...it_kit_updates/
13 Jul 2016 - "Cybercrooks behind the Sundown Exploit Kit are rapidly updating the hacking tool in a bid to exploit a gap in the market created by the demise of the Angler and Nuclear exploit kits. While RIG and Neutrino have been the primary protagonists in the void left by Angler and Nuclear, Sundown is also vying for an increased share in the exploit kit marketplace. Security researchers at Zscaler ThreatLabZ* reckon the miscreants behind Sundown have accelerated the evolution of what started out as a fairly rudimentary exploit kit since the beginning of 2016. The crooks behind Sundown used stolen code from the rival RIG exploit kit for a short time before subsequently knitting together their own code, security researchers at cloud security firm Zscaler ThreatLabZ report. Elements of the latest version of the cybercrime toolkit include an image referencing the self-styled Yugoslavian Business Network – likely a reference to the infamous Russian Business Network cybercrime group... Exploit kits in general are used to booby-trap websites in order to sling malware at visiting surfers through drive-by-download attacks. The tactic relies on exploiting security holes in typically Windows PCs, browser vulnerabilities and (increasingly) Flash flaws."
* https://www.zscaler....-kits-evolution
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 14 July 2016 - 02:42 PM.



#1760 AplusWebMaster


Posted 16 July 2016 - 06:38 AM

FYI...

Ransomware - Threat Activity Review
- https://atlas.arbor....ndex#-811293044
July 14, 2016 - "... Analysis: Locky ransomware has seen unprecedented distribution attempts over the last week and coupled with the new ability to encrypt systems -without- an internet connection, will likely see successes not previously seen... While casting a wide distribution net and having a well-coded product make for a great potential return on investment, creating less expensive variants can be profitable too. Stampado*, with its low price, could lead to even more individuals attempting to make money with ransomware. While the overall quality of Stampado has yet to be determined, the price tag will potentially lead to substantial purchases and usage. Understanding these new threats in a timely fashion can allow researchers to create mitigations before these new variants see widespread distribution... Currently, there is no magic one stop fix for ransomware threats. However, companies and individuals can thwart ransomware operations by applying system updates in an expedient manner, avoiding macro-enabled documents, avoiding attachments containing JavaScript and by performing routine backups that are maintained offline."
Source: http://www.inforiskt...hilation-a-9255

* https://heimdalsecur...omware-on-sale/
___

Neutrino EK adopts IE flaw
- https://www.fireeye....ts_quickly.html
July 14, 2016 - "A security researcher recently published source code for a working exploit for CVE-2016-0189* and the Neutrino Exploit Kit (EK) quickly adopted it. CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in Microsoft’s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher’s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows. Microsoft patched CVE-2016-0189 in May on Patch Tuesday**. Applying this patch will protect a system from this exploit..."
* https://web.nvd.nist...d=CVE-2016-0189
Last revised: 05/11/2016

MS16-051: Cumulative Security update for Internet Explorer: May 10, 2016
** https://support.micr...n-us/kb/3155533
Last Review: 05/10/2016 17:12:00 - Rev: 1.0
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 16 July 2016 - 02:07 PM.



#1761 AplusWebMaster


Posted 18 July 2016 - 05:32 AM

FYI...

Fake 'bank account report' SPAM - leads to Locky
- http://blog.dynamoo....port-leads.html
18 July 2016 - "This -fake- financial spam has a malicious attachment:
    From     "Boyd Dennis"
    Date     Mon, 18 Jul 2016 11:34:11 +0200
    Subject     bank account report
    How is it going?
    Thank you very much for responding my email in a very short time. Attached is the
    bank account report. Please look at it again and see if you have any disapproval.
    --Yours faithfully,Boyd DennisHSBC HLDGSPhone: +1 (593) 085-57-81, Fax: +1 (593)
    085-57-41


The sender name and details vary, although it all follows the same pattern. Attached is a ZIP file containing elements of the recipient's email address and some random digits. Contained within is a .wsf script that downloads a file... I don't have a copy of the payload at present, but it does phone home to:
77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)
176.111.63.51 (United Networks Of Ukraine Ltd , Ukraine)
209.126.112.14 (MegaHosterNetwork, Ukraine)
The payload appears to be Locky ransomware.
Recommended blocklist:
77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14
"

- https://myonlinesecu...cky-ransomware/
18 July 2016 - "... an email with the subject of 'bank account report' pretending to come from random senders with a zip attachment containing a WSF file which downloads Locky Ransomware... One of the emails looks like:
From: Greta Lowe <Lowe.14640@ swimthebridge .com>
Date: Mon 18/07/2016 09:58
Subject: bank account report
Attachment: rob_22285.zip
    Hi
    Thank you very much for responding my email in a very short time. Attached is the bank account report. Please look at it again and see if you have any disapproval.
    —
    Yours truly,
    Greta Lowe
    BT GROUP
    Phone: +1 (371) 956-22-56, Fax: +1 (371) 956-22-38


18 July 2016: rob_22285.zip: Extracts to: account_report 883.wsf - Current Virus total detections 3/55*
.. MALWR** as usual cannot decode or run these Js or WSF files without crashing due to the protections inside them. Payload Security*** shows a download of an encrypted file from my-result .ru/0j1nlpj8 which has to be decrypted by the WSF file to give ypnI2jnqVVbmiz.exe (VirusTotal 3/54[4])... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1468832454/

** https://malwr.com/an...TQ2Nzc2Y2IwNjM/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
95.163.18.88

4] https://www.virustot...sis/1468832994/

my-result .ru: 95.163.18.88: https://www.virustot...88/information/
>> https://www.virustot...1fa7b/analysis/
___

Fake 'Scan**' SPAM - word macro delivers Locky
- https://myonlinesecu...delivers-locky/
18 July 2016 - "... from THIS earlier Malspam[1] delivering Locky ransomware via WSF files inside a zip we are also seeing a concurrent malspam run using Word Docs with macros. They are very terse and simple emails with a subject of 'Scan******' (random numbers) pretending to come from random senders with a malicious word docm attachment where the attachment name -matches- the subject...
1] https://myonlinesecu...cky-ransomware/
The email looks like:
From: Lynnette <clearke0303@ vinyl-lps .com>
Date: Mon 18/07/2016 11:28
Subject: SCAN0000467
Attachment: SCAN0000467.docm
    Sent from my Samsung device


18 July 2016: SCAN0000467.docm - Current Virus total detections 8/52* - Payload Security** shows a download from yifruit .com/54ghnnuo (VirusTotal 3/55***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1468837749/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
211.149.194.192

*** https://www.virustot...sis/1468836377/

yifruit .com: 211.149.194.192: https://www.virustot...92/information/
>> https://www.virustot...ecaea/analysis/

- http://blog.dynamoo....my-samsung.html
18 July 2016 - "This rather terse spam has a malicious attachment:
    From:    Ila
    Date:    18 July 2016 at 13:01
    Subject:    scan0000511
    Sent from my Samsung device


The sender and subject vary, but the subject seems to be in a format similar to the following:
scan0000511
SCAN000044
COPY00002802

Attached is a .DOCM file with the -same- name as the subject. Analysis by another party (thank you!) shows the macros in the document downloading... The payload is Locky with a detection rate of 4/53*. It phones home to:
77.222.54.202 (SpaceWeb CJSC, Russia)
91.240.86.221 (JSC Server, Russia)
That's a subset of the IPs found here**, so I recommend you block the following IPs:
77.222.54.202
91.240.86.221
176.111.63.51
209.126.112.14
"
* https://www.virustot...cc5b3/analysis/

** http://blog.dynamoo....port-leads.html
___

Compromised Joomla sites are foisting ransomware on visitors
- https://www.helpnets...tes-ransomware/
July 18, 2016 - "Administrators of WP and Joomla sites would do well to check for specific -fake- analytics code injected into their properties, as a ransomware delivery campaign taking advantage of vulnerable sites has been going strong for over a month now... Sucuri CTO Daniel Cid noted*: '... We recommend checking your logs for requests from 46 .183 .219 .91 – if you find requests similar to the ones in this post, consider your website compromised. At this point you should take steps to remove the malware immediately and prevent reinfection.'"
* https://blog.sucuri....omla-sites.html

46.183.219.91: https://www.virustot...91/information/

> https://web.nvd.nist...d=CVE-2015-8562
Last revised: 06/28/2016 - "Joomla! 1.5.x, 2.x, and 3.x before 3.4.6... as exploited in the wild in December 2015."
___

'Delilah' – first 'Insider Threat' Trojan
- http://blogs.gartner...-threat-trojan/
July 14, 2016 - "Criminal recruitment of insiders is becoming an industry now with the release of a new Trojan called “Delilah”. Delilah recruits targeted insiders via social engineering and/or extortion, sometimes using ransomware techniques... Diskin Advanced Technologies (DAT) reports that the bot is delivered to victims via downloads from multiple popular adult and gaming sites... instructions to victims usually involve usage of VPN services, TOR and comprehensive deletion of browser history (probably to remove audit trails). These -bots- still require a high level of human involvement to identify and prioritize individuals who can be -extorted- into operating as insiders at desirable target organizations. Criminals who want to use the bot can also acquire managed social engineering and fraudster services to help them out, in case they lack those specific skills... Organizations should also seek to prevent endpoints from getting infected in the first place by preventing employees from visiting high risk adult and gaming sites using organizational systems... Conclusion: Insider threats are continuing to increase with active recruitment of insiders from organized criminals operating on the dark web. With Trojans like Delilah, organizations should expect insider recruitment to escalate further and more rapidly. This will only add to the volume of insider threats caused by disgruntled employees selling their services on the Dark Web in order to harm their employers."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 18 July 2016 - 09:51 AM.

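The Dynamoo items in posts #1757 and #1761 end with "Recommended blocklist" entries (plain IPs plus one /24 range), and the Sucuri quote in post #1761 tells site owners to check their web logs for requests from 46 .183 .219 .91. The following is an added example, not code from the forum post, from Dynamoo or from Sucuri, that does the log side of that advice: it reads access-log lines in the common combined format and reports every request whose client address falls inside one of the quoted blocklist entries, handling the CIDR entry correctly rather than by string comparison. The IPs and the /24 are the ones quoted in the posts; the log lines, request paths and function names are constructed for the demo.

```python
"""Added example (not from the forum post, Dynamoo or Sucuri): match web
server access-log lines against the blocklist entries quoted in the posts.
The log lines below are constructed; the addresses are the quoted IOCs."""
import ipaddress
import re

# Blocklist entries as quoted in the posts: single IPs and one /24 range.
BLOCKLIST = [
    "5.196.189.37",
    "77.222.54.202",
    "109.234.34.0/24",
    "192.71.249.220",
    "91.240.86.221",
    "176.111.63.51",
    "209.126.112.14",
    "194.1.236.126",
    "185.117.153.176",
    "46.183.219.91",   # Sucuri: requests from here => treat the site as compromised
]

# Constructed sample lines in Apache/nginx "combined" format.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jul/2016:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
46.183.219.91 - - [18/Jul/2016:10:02:13 +0000] "POST /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
109.234.34.146 - - [18/Jul/2016:10:03:44 +0000] "POST /upload/_dispatch.php HTTP/1.1" 200 100 "-" "-"
198.51.100.7 - - [18/Jul/2016:10:04:00 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.47"
"""

# Client IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def compile_blocklist(entries):
    """Turn IP strings and CIDRs into ip_network objects (a bare IP becomes /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not log-shaped
    or the client field is not a valid IP address."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return {"addr": addr, "ts": m.group("ts"), "req": m.group("req"),
            "status": m.group("status")}


def scan_log(text, entries=BLOCKLIST):
    """Return [(client_ip, request_line, matched_entry), ...] for every line
    whose client address lies inside a blocklist network."""
    networks = compile_blocklist(entries)
    hits = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        for net in networks:
            if fields["addr"] in net:
                hits.append((str(fields["addr"]), fields["req"], str(net)))
                break
    return hits


if __name__ == "__main__":
    for ip, req, entry in scan_log(SAMPLE_LOG):
        print(f"HIT {ip:<16} matched {entry:<18} {req}")
```

Feeding a real access log through scan_log() (for example, `scan_log(open("access.log").read())`) gives the list Sucuri's advice asks for; a hit on 46.183.219.91 is the "consider your website compromised" condition from the quote, while hits on the Dynamoo addresses on an outbound proxy log would indicate a Locky check-in rather than a web-server compromise.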


#1762 AplusWebMaster


Posted 20 July 2016 - 04:41 AM

FYI...

Fake 'business analysis' SPAM - .wsf script / ransomware
- http://blog.dynamoo....d-detailed.html
19 July 2016 - "This spam has a malicious attachment. And also mismatched (brackets}.
    From     "Lynnette Slater"
    Date     Tue, 19 Jul 2016 10:47:09 +0200
    Subject     Business Analysis
    Message text
    I attached the detailed business analysis (updated}
    King regards,
    Lynnette Slater
    Briglin Pottery ...


The message will appear to be "from" different individuals, varying from message to message. However, the main part of the body text is always the same. Attached is a ZIP file containing elements of the recipient's email address and some random letters and numbers. I have been unable to obtain a copy of the attachment at the moment, but it is likely to be Locky ransomware and if I get further details I will post them here.
UPDATE: My usual trusted source for analysis (thank you) reports that these ZIP files contain a malicious .wsf script which downloads a component... I don't have a decrypted sample of the binary at present, although the C2 locations are reported as:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine, Ltd, Ukraine)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51
"
___

Fake 'documents attached' SPAM - malicious attachment
- http://blog.dynamoo....lie-pywell.html
19 July 2016 - "This spam does not come from Abbey Glass UK, but is instead a simple forgery with a malicious attachment:
    From     Natalie Pywell [Natalie.Pywell6@ abbeyglassuk .com]
    Date     Tue, 19 Jul 2016 15:27:20 +0530
    Subject     Documents
    Dear Customer
    Please find your documents attached.
    If you have any questions please reply by email or contact me on 01443 238787.
    Kind regards
    Natalie Pywell
    **This email has generated from an automated system**
    This email has been sent via the Fusemail mail filtering service provided by Pro-Copy
    Limited


The sender's email address varies somewhat. Attached is a randomly named ZIP file which contains a malicious .js script. Analysis is pending, but it looks like Locky ransomware and is probably similar to the one found in this spam run*."
* http://blog.dynamoo....d-detailed.html
19 July 2016
___

Fake 'Documents from work' SPAM - leads to Locky
- http://blog.dynamoo....-from-work.html
19 July 2016 - "This rather terse spam appears to come from the victim themselves (but doesn't). It has a malicious attachment.
    From: recipient@ victim .tld
    To: recipient@victim.tld
    Subject: Documents from work.
    Date:    19 July 2016 at 12:20


There is -no- body text, however there is an attachment named Untitled(1).docm. Analysis by a trusted source (thank you) indicates that the various versions of this attachment download a component... The dropped payload has a detection rate of 3/54* and it phones home to the following locations:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)
That's a subset of the locations found here**. The payload is Locky ransomware.
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51
"
* https://www.virustot...7b0db/analysis/

** http://blog.dynamoo....d-detailed.html
19 July 2016

___

Magnitude EK malvertising not affected by slowdown in EK activity
- https://blog.malware...in-ek-activity/
July 19, 2016 - "We have been tracking a malvertising campaign distributing the Cerber ransomware linked to the actor behind the Magnitude exploit kit for months. It will pop on one ad network, then onto another and come back again... Despite a global slowdown in exploit kit activity, this particular distribution channel has remained active and strong... One of this attacker's favourite spots has been on torrent or streaming sites, but also via monetized URL shorteners that use a pay-per-view/click model, where people who open up a shortened URL have to wait for an advert to load before getting to their destination. It is no surprise that more ads – and low-quality ones especially – mean the chances of drive-by downloads are dramatically increased... For ad networks to stop this continuing onslaught for good would require no longer accepting risky customers and closing up their platform for arbitrage with unknown buyers. Playing whack-a-mole with crooks wearing many different hats is simply an ineffective solution where malicious ads always end up making it through..."
(Long list of IOC's at the malwarebytes URL above.)
 

:ph34r: :ph34r:   <_<




#1763 AplusWebMaster

Posted 20 July 2016 - 06:00 AM

FYI...

Fake 'transaction' SPAM - Java Adwind Trojan
- https://myonlinesecu...malspam-emails/
20 July 2016 - "Overnight we received 2 separate sets of malspam emails, both eventually leading to the same Java Adwind Trojan...

Screenshot: https://myonlinesecu...on-1024x568.png

Update: I am also getting some of these 'Pending Sendout Transaction' emails coming through pretending to come from amirmuhammed @almuzaniexchange .ae "
Screenshot: https://myonlinesecu...il-1024x617.png

20 July 2016: Sendout-Copy.zip: Extracts to: Sendout_copy..js - Current VirusTotal detections 1/54*
.. Payload Security**. This is a JavaScript file that automatically downloads and runs
 http ://ebhar .net/css/new_file_jacob.jar, which is the -same- Java Adwind Trojan as the Java.jar file in the second email.

20 July 2016: Sendout-Report.rar: Extracts to: Sendout-Copy.jar - Current VirusTotal detections 18/55[3]
.. Payload Security [4].
This is another one of the files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1468989481/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.194.169.160

3] https://www.virustot...sis/1468989622/

4] https://www.hybrid-a...vironmentId=100

ebhar .net: 216.194.169.160: https://www.virustot...60/information/
>> https://www.virustot...59851/analysis/
___

CrypMIC ransomware follows CryptXXX ...
- http://blog.trendmic...ollow-cryptxxx/
July 20, 2016 - "... a new ransomware family that mimics CryptXXX in terms of entry point, ransom notes and payment site UIs. CrypMIC’s perpetrators are possibly looking for a quick buck owing to the recent success of CryptXXX...
Comparison of CrypMIC (left) and CryptXXX (right) ransom notes and user interfaces of their payment sites
> https://blog.trendmi...ccryptxxx08.png
CrypMIC and CryptXXX share many similarities; both are spread by the Neutrino Exploit Kit and use the same format for sub-versionID/botID (U[6digits]/UXXXXXX]) and export function name (MS1, MS2). Both threats also employed a custom protocol via TCP Port 443 to communicate with their command-and-control (C&C) servers... The demise of the Angler exploit kit from crypto-ransomware activity has made CryptXXX migrate to the Neutrino exploit kit, which has recently been reported to be delivering -other- ransomware families such as CryptoWall, TeslaCrypt, CryptoLocker and Cerber. We have observed that CrypMIC and CryptXXX were distributed by Neutrino interchangeably over the course of a week. CrypMIC was first pushed by Neutrino on July 6th before switching back to delivering CryptXXX 4.001 on July 8th. It started redistributing CrypMIC on July 12th before reverting to CryptXXX the next day. In the same week, Neutrino also distributed Cerber via -malvertising- as well as -other- malware from other cybercriminal groups. By July 14th, Neutrino had started to distribute an apparently newer version of CryptXXX (5.001)... CryptXXX automatically scans the machine for network drives, then proceeds to encrypt files stored on them. CryptXXX 4.001 also downloads and executes an information-stealing module in its process memory — named fx100.dll ... the decryptor created by CrypMIC's developers has been reported to be not functioning properly. Additionally, paying the ransom only makes businesses and users susceptible to more ransomware attacks. Besides regularly backing up files, keeping systems updated with the latest patches is another means of mitigating the risks of ransomware. A multilayered defense that can secure systems, servers and networks is also recommended..."

> https://www.proofpoi...txxx-ransomware
July 14, 2016 - "... detected an email campaign with document attachments containing malicious macros. If opened, these attachments download and install CryptXXX ransomware..."
___

Business sites hijacked to deliver ransomware ...
- http://arstechnica.c...pto-ransomware/
7/19/2016, 5:56 PM - "If you've visited the do-it-yourself project site of Dunlop Adhesives, the official tourism site for Guatemala, or a number of other legitimate (or in some cases, marginally legitimate) websites, you may have gotten more than the information you were looking for*. These sites are -redirecting- visitors to a -malicious- website that attempts to install CryptXXX — a strain of cryptographic ransomware first discovered in April. The sites were most likely exploited by a botnet called SoakSoak* or a similar automated attack looking for vulnerable WordPress plugins and other unpatched content management tools, according to a report from researchers at the endpoint security software vendor Invincea**. SoakSoak, named for the Russian domain it originally launched from, has been around for some time and has exploited thousands of websites. In December of 2014, Google was forced to blacklist over 11,000 domains in a single day after the botnet compromised their associated websites by going after the WordPress RevSlider plugin. In this recent wave of compromises, SoakSoak planted code that -redirects- visitors to a website hosting the Neutrino Exploit Kit... Even as those organizations try to regain control of their websites, others are likely to be rapidly compromised because of the vast number of sites that are behind on patching site add-ons like WordPress plugins."
* https://storify.com/...yptxxx-ransomwa

** https://www.invincea...xxx-ransomware/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 20 July 2016 - 10:50 AM.



#1764 AplusWebMaster

Posted 21 July 2016 - 03:27 PM

FYI...

'Authorize your Twitter account' - phishing scam
- https://blog.malware...-phishing-scam/
July 21, 2016 - "... a phish targeting people who desire Twitter verification. The fake site, located at
twitterverifiy(dot)verifiy(dot)ml
... poses as an app to be authorised, but is simply out to -steal- login credentials. Take note of the rather unique spelling of “verify” in the URL, too:
> https://blog.malware...itter-phish.jpg
After hitting the "Authorize app" button, the victim is redirected off to the real Twitter website. At this point, the scammers are free to do what they like with the stolen account. One assumes the scammers behind this one aren't really paying attention to who they send their messages to (and the screenshot cuts off the username of the spam account, so we can't see what else they're up to). Suffice to say, if you have your Direct Messages open to all then potentially you could receive a missive such as the one above. Verification has a specific process attached to it, and although it's currently changing, you definitely won't get a blue tick next to your Username by giving permission to phish pages posing as non-existent apps. No matter who you are, no matter how involved in issues of privacy and / or security you may be, there's always the possibility you could get caught out by a clever scam. Keep your wits about you, and steer clear of "too good to be true" offers..."
 

:ph34r: :ph34r:   <_<




#1765 AplusWebMaster

Posted 22 July 2016 - 09:21 AM

FYI...

Fake 'sorry' SPAM - malicious attachment
- http://blog.dynamoo....rry-that-i.html
22 July 2016 - "This spam has a malicious attachment:
    From: "Lizzie Carpenter"
    Subject: sales report
    Date: Fri, 22 Jul 2016 21:38:25 +0800
    I am truly sorry that I was not available at the time you called me yesterday.
    I attached the report with details on sales figures.
    Best of luck,
    Lizzie Carpenter
    SCHRODER GLOBAL REAL ESTATE SEC LTD ...


The sender is randomly generated. Attached is a ZIP file combining elements of the recipient's email address and a random number, which in turn contains a malicious .wsf script beginning with "sales report". In a change from recent malware runs, the script does -not- directly download a binary from a remote location but instead has the entire binary executable Base64 encoded in the script. This executable has a detection rate of 4/54* and trusted analysis says that it is Locky ransomware, phoning home to:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
176.111.63.51/upload/_dispatch.php (United Networks of Ukraine Ltd, Ukraine)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
176.111.63.51
"
* https://virustotal.c...sis/1469197692/
___

Fake 'Fedex label' SPAM - .docm leads to Locky
- https://myonlinesecu...cky-ransomware/
22 July 2016 - "An email with the subject of 'PO5' pretending to come from Mary Leons <mary.leons@ airmenzies .com> with a malicious word doc attachment which downloads Locky ransomware... The email looks like:
From: Mary Leons <mary.leons@ airmenzies .com>
Date: Fri 22/07/2016 10:04
Subject: PO5
Attachment: 906569711935.docm
    Hi
    Please see Fedex label as attached
    Kindest Regards
    Mary Leons
    Customer Service Supervisor | Air Menzies International ...


22 July 2016: 906569711935.docm - Current VirusTotal detections 10/55*
.. MALWR** shows a download from http ://dillerator.chat .ru/09yhbvt4 (VirusTotal 6/53***).
Other download locations for today's Locky version include [duplicates removed]:
 

... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1469178299/

** https://malwr.com/an...DdjODViYmNiOGU/
Hosts
195.161.119.85

*** https://www.virustot...sis/1469188310/
 
dillerator.chat .ru: 195.161.119.85: https://www.virustot...85/information/
>> https://www.virustot...6bb6c/analysis/
___

Fake 'Invoice/Credit/Statement' SPAM - leads to Locky
- https://myonlinesecu...leads-to-locky/
22 July 2016 - "... an email with the subject of 'VP Invoice/Credit/Statement – H10040' pretending to come from Prism Server Account <accounts@ vpplc .com> with a malicious word doc attachment which downloads Locky ransomware...
The email looks like:
From: Prism Server Account <accounts@ vpplc .com>
Date: Fri 22/07/2016 10:27
Subject: VP Invoice/Credit/Statement – H10040
Attachment: INVOICE.DOCM
    Please find document(s) attached.
    The attached file(s) are in Adobe PDF format. Use Adobe Acrobat Reader or equivalent to view the file(s)...


This attachment downloads the same Locky ransomware as described in this post* from the same locations... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://myonlinesecu...cky-ransomware/
___

HelpDesk Upgrade Outlook Web - PHISH
- https://myonlinesecu...b-app-phishing/
22 July 2016 - "... many small companies and even ISPs do outsource IT support and email to 3rd parties and an end user never really is sure who the email provider actually is... slightly more believable than many others and it is quite easy to fall for it...

Screenshot: https://myonlinesecu...il-1024x676.png

The -link- in the email goes to:
  http ://xprs.imcreator .com/free/icthelpdesk/password
... which looks like this:
> https://myonlinesecu...te-1024x535.png "

imcreator .com: 97.74.141.1: https://www.virustot....1/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 22 July 2016 - 11:50 AM.




#1766 AplusWebMaster

Posted 25 July 2016 - 07:05 AM

FYI...

Fake 'Emailing: Photo - Document' SPAM - malicious attachment
- http://blog.dynamoo....25-07-2016.html
25 July 2016 - "This spam appears to come from various senders within the victim's own domain, but this is a simple forgery. It has a malicious attachment:
    From:    Rebeca [Rebeca3@ victimdomain .tld]
    Date:    25 July 2016 at 10:16
    Subject:    Emailing: Photo 25-07-2016, 34 80 10
    Your message is ready to be sent with the following file or link
    attachments:
    Photo 25-07-2016, 34 80 10 ...


Attached is a .rar archive with a name matching the subject. Inside is a malicious .js script beginning with "Photo 25-07-2016".
An alternative -variant- comes with a malicious -Word- document:
    From:    Alan [Alan306@ victimdomain .tld]
    Date:    25 July 2016 at 12:40
    Subject:    Emailing: Document 25-07-2016, 72 35 48
    Your message is ready to be sent with the following file or link
    attachments:
    Document 25-07-2016, 72 35 48 ...


The attachment in this case is a .DOCM file named in a similar way as before. This analysis is done by my usual trusted source (thank you). These scripts and macros download a component... The payload here is Locky ransomware, and it phones home to the following addresses:
77.222.54.202/upload/_dispatch.php (SpaceWeb CJSC, Russia)
194.1.236.126/upload/_dispatch.php (Internet Hosting Ltd, Russia)
185.117.153.176/upload/_dispatch.php (Marosnet, Russia)
Recommended blocklist:
77.222.54.202
194.1.236.126
185.117.153.176
"

 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 25 July 2016 - 07:20 AM.



#1767 AplusWebMaster

Posted 26 July 2016 - 05:56 AM

FYI...

Fake 'Attached Image' SPAM - leads to Locky
- http://blog.dynamoo....e-leads-to.html
26 July 2016 - "This spam appears to come from the user's own email address, but this is just a simple forgery. It has a malicious attachment.
    From:    victim@ victimdomain .tld
    To:    victim@ victimdomain .tld
    Date:    26 July 2016 at 10:27
    Subject:    Attached Image ...


Attached is a ZIP file with a name apparently made up of random numbers, containing a malicious .js script with another random number... In this example* the script downloads a malicious binary from:
www .isleofwightcomputerrepairs .talktalk .net/okp987g7v
There will be -many- other scripts with different download locations and perhaps other binaries. The file downloaded is Locky ransomware with a detection rate of 4/54**. The Hybrid Analysis*** for the dropped file shows it phoning home to:
31.41.47.41/upload/_dispatch.php (Relink Ltd, Russia)
91.234.35.216/upload/_dispatch.php (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
Recommended blocklist:
31.41.47.41
91.234.35.216
"
* https://malwr.com/an...WY0ZmFhZjEzZWY/
Hosts
62.24.202.31

** https://virustotal.c...daf25/analysis/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
91.234.35.216
31.41.47.41


- https://myonlinesecu...-email-address/
26 July 2016 - "An email with the subject of 'Attached Image' pretending to come from your own email address with a zip attachment which downloads Locky Ransomware... One of the  emails looks like:
From: your own email address
Date: Tue 26/07/2016 10:22
Subject: Attached Image
Attachment: 0324923_02.zip ...


26 July 2016: 0324923_02.zip: Extracts to: 753707_02.js - Current VirusTotal detections 8/54*
.. MALWR** shows a download of xxxx from
 http ://exploromania4x4club .ro/okp987g7v?tKLWyjuj=PrkWVPasbrS which gave me lnHLopubGiz.exe (VirusTotal 5/54***).
Hybrid Analysis[4]. This is another one of the files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1469524580/

** https://malwr.com/an...DdkMTNhNGY2OWM/
Hosts
89.42.216.118
*** https://www.virustot...sis/1469524971/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
89.42.216.118: https://www.virustot...18/information/
>> https://www.virustot...ac66e/analysis/
31.41.47.41: https://www.virustot...41/information/
91.234.35.216: https://www.virustot...16/information/
___

Fake 'list of activities' SPAM - leads to Locky
- http://blog.dynamoo....ties-leads.html
26 July 2016 - "This -fake- business spam has a malicious attachment:
    From     "Penelope Phelps"
    Date     Tue, 26 Jul 2016 23:02:43 +1100
    Subject     list of activities
    Hello,
    Attached is the list of activities to help you arrange for the coming presentation.
    Please read it carefully and write to me if you have any concern.
    Warm regards,
    Penelope Phelps
    ALLIED MINDS LTD
    Security-ID ...


The sender's name, company and 'Security-ID' vary. Attached is a ZIP file with elements of the recipient's email address in, containing a malicious .wsf script... This Malwr report* and this Hybrid Analysis** show this particular sample downloading from:
akva-sarat.nichost .ru/bokkdolx
There will be -many- other download locations in addition to this. The downloaded file is Locky ransomware with a detection rate of 8/55***. Further analysis is pending, however it is quite likely that this sample uses the -same- C2 servers as seen earlier today[4]."
* https://malwr.com/an...TdiYzRjMmY0NjQ/
Hosts
195.208.0.150

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
195.208.0.150: https://www.virustot...50/information/
>> https://www.virustot...0300d/analysis/

*** https://virustotal.c...429e2/analysis/

4] http://blog.dynamoo....e-leads-to.html
___

Ransomware 2.0 ...
- http://www.techrepub...the-enterprise/
July 26, 2016 - ... profits from ransomware are making it one of the fastest growing types of malware and new versions could negatively impact entire industries, according to a Cisco report
"... Cisco used data from its customers to create the report, since there are more than 16 billion web requests that go through the Cisco system daily, with nearly 20 billion threats blocked -daily- and with more than 1.5 million unique malware samples daily, which works out to 17 new pieces of malware every second..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 26 July 2016 - 01:15 PM.



#1768 AplusWebMaster

Posted 27 July 2016 - 04:38 AM

FYI...

Fake 'Sent from my Samsung' SPAM - leads to Locky
- http://blog.dynamoo....samsung_27.html
27 July 2016 - "This spam comes in a few different variations:
    From:    Lottie
    Date:    27 July 2016 at 10:38
    Subject:    scan0000510
    Sent from my Samsung device


The subject can be "SCAN", "scan" or "COPY" with a random number. Attached is a .DOCM file with a name that matches the subject. This file contains a malicious macro which downloads a component... The dropped file is Locky ransomware and it has a detection rate of 2/52*. It phones home to the following locations:
5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
(Thank you to my usual source for this data.) There is nothing of value in the 5.9.253.160/27 range, and several IPs appear to have been hosting malware in the past.
Recommended blocklist:
5.9.253.160/27
178.62.232.244
"
* https://www.virustot...7dfda/analysis/

5.9.253.173: https://www.virustot...73/information/
>> https://www.virustot...5d145/analysis/
178.62.232.244: https://www.virustot...44/information/
>> https://www.virustot...e9b6e/analysis/
___

Fake 'updated details' SPAM - malicious attachment
- http://blog.dynamoo....is-updated.html
27 July 2016 - "This spam has a malicious attachment:
    Subject:     updated details
    From:     Faith Davidson (Davidson.43198@ optimaestate .com)
    Date:     Wednesday, 27 July 2016, 11:13
    Attached is the updated details about the company account you needed
    King regards
    Faith Davidson ...


The spam comes from different senders with a different hexadecimal number in it. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample* shows the script download from:
beauty-jasmine .ru/6dc2y
There will be -many- more download locations in addition to that. It drops an executable which appears to be Locky ransomware with a detection rate of 7/55**. Analysis of this payload is pending, however the C2 servers may well be the same as found here***."
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
195.208.1.120: https://www.virustot...20/information/
>> https://www.virustot...0ed8c/analysis/

** https://virustotal.c...a5de3/analysis/

*** http://blog.dynamoo....samsung_27.html
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 27 July 2016 - 01:48 PM.

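An added example, not from the forum post or from the Dynamoo blog it quotes: it applies the Locky indicators listed in this post (the /upload/_dispatch.php check-in path and the recommended blocklist, including the 5.9.253.160/27 range) to proxy log lines. The log format, the client addresses and the sample lines are constructed assumptions, not real data.

```python
import ipaddress
import re

# Blocklist entries exactly as recommended in the post above:
# three single addresses and one /27 range.
BLOCKLIST = ["5.9.253.160/27", "178.62.232.244", "193.124.180.6", "139.59.147.0"]

# C2 check-in path reported for this Locky campaign.
C2_PATH = "/upload/_dispatch.php"

# Constructed proxy log format (an assumption, not any product's real format):
# <iso-timestamp> <client-ip> <destination-ip> <method> <url>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample lines. Only 5.9.253.173 lies inside 5.9.253.160/27
# (.160 to .191); 5.9.253.200 is outside that range and must not match.
SAMPLE_LOG = [
    "2016-07-27T10:40:01Z 10.0.0.15 5.9.253.173 POST http://5.9.253.173/upload/_dispatch.php",
    "2016-07-27T10:40:02Z 10.0.0.15 93.184.216.34 GET http://example.com/index.html",
    "2016-07-27T10:40:03Z 10.0.0.22 5.9.253.200 GET http://5.9.253.200/",
    "2016-07-27T10:40:04Z 10.0.0.31 198.51.100.7 POST http://198.51.100.7/upload/_dispatch.php",
    "2016-07-27T10:40:05Z 10.0.0.15 178.62.232.244 POST http://178.62.232.244/upload/_dispatch.php",
]


def build_networks(entries):
    """Turn bare IPs and CIDR strings into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_is_blocked(ip, networks):
    """True if ip falls inside any blocklisted address or range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostnames or garbage never match an IP blocklist
    return any(addr in net for net in networks)


def scan_log(lines, networks):
    """Return one (line_no, client, dest, reasons) tuple per suspicious line.

    A line is flagged when its destination is blocklisted, when the URL
    carries the Locky C2 path, or both; reasons names the rule(s) that fired.
    The path rule matters because the post notes the C2 IPs change between
    spam runs while the check-in path stays the same.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, client, dest, _method, url = m.groups()
        reasons = []
        if ip_is_blocked(dest, networks):
            reasons.append("blocklisted ip")
        if C2_PATH in url:
            reasons.append("locky c2 path")
        if reasons:
            hits.append((line_no, client, dest, ", ".join(reasons)))
    return hits


def infected_clients(hits):
    """Distinct internal clients that talked to C2, in first-seen order."""
    seen = []
    for _line_no, client, _dest, _reasons in hits:
        if client not in seen:
            seen.append(client)
    return seen


if __name__ == "__main__":
    nets = build_networks(BLOCKLIST)
    hits = scan_log(SAMPLE_LOG, nets)
    for hit in hits:
        print(hit)
    print("clients to isolate:", infected_clients(hits))
```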


#1769 AplusWebMaster

Posted 28 July 2016 - 05:04 AM

FYI...

Fake 'invoice' SPAM - leads to Locky
- http://blog.dynamoo....k-attached.html
28 July 2016 - "This -fake- financial spam leads to malware:
    Subject:     Invoice
    From:     Kendall Harrison (Harrison.59349@ chazsmedley .com)
    Date:     Thursday, 28 July 2016, 10:33
    Hello,
    Please check the attached invoice and confirm me if I sent the right data
    Yours sincerely,
    Kendall Harrison
    320907cb16fbe856062a081d4f925b39cb3f007b8818d40dd3


The name of the sender and the hexadecimal number at the bottom varies. Attached is a randomly-named ZIP file which in the sample I analysed contains a malicious .wsf script beginning with the word "redacted". The Malwr analysis* for the partially deobfuscated script and this Hybrid Analysis** show this particular sample downloading from:
83.235.64.44/~typecent/xvsb58
This drops a malicious Locky ransomware binary with a detection rate of 7/55***. Analysis of this binary is pending.
UPDATE: Thank you to my usual source for this analysis... C2 locations:
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
193.124.180.6/upload/_dispatch.php (Marosnet, Russia)
139.59.147.0/upload/_dispatch.php (Digital Ocean, Germany)
Recommended blocklist:
178.62.232.244
193.124.180.6
139.59.147.0
"
* https://malwr.com/an...mM5Y2Q3NGQwNmM/
Hosts
83.235.64.44

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
83.235.64.44: https://www.virustot...44/information/
>> https://www.virustot...fe541/analysis/

*** https://virustotal.c...23f9e/analysis/
___

Fake 'Self Billing Statement' SPAM - leads to Locky
- http://blog.dynamoo....-statement.html
28 July 2016 - "This -fake- financial spam comes with a malicious attachment:
    From     Kathryn Smith [kathryn@ powersolutions .com]
    Date     Thu, 28 Jul 2016 16:21:41 +0530
    Subject     Self Billing Statement


I do not know if there is any body text at present. Attached is a file with a name similar to 'Self Billing Statement_431.zip' which contains a similarly named malicious script (e.g. Self Billing Statement_4424.js).
Analysis by a trusted party shows that these scripts download a component...
This originally dropped this payload*, since updated to this payload**, both of which are Locky ransomware.
The C2 servers to -block- are exactly the -same- as found in this earlier spam run***."
* https://www.virustot...95000/analysis/

** https://www.virustot...1f36d/analysis/

*** http://blog.dynamoo....k-attached.html
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 28 July 2016 - 06:52 AM.



#1770 AplusWebMaster

Posted 29 July 2016 - 05:31 AM

FYI...

Fake 'Bank account record' SPAM - leads to Locky
- http://blog.dynamoo....cord-leads.html
29 July 2016 - "This -fake- financial spam leads to malware:
    Subject:     Bank account record
    From:     Stephen Ford (Ford.24850@ aworkofartcontracting .com)
    Date:     Friday, 29 July 2016, 10:56
    Good morning,
    Did you forget to finish the Bank account record?
    Read the attachment and let me know if there is anything I didn't make clear.
    Yours sincerely,
    Stephen Ford
    57ad5eceb5e68fe97525ff408e9da2ecda5a97be6743bbe0fe


The sender will vary from email to email, but the "From" name is always consistent with the one in the email. Attached is a ZIP file with a random hexadecimal number which in the sample I am looking at contains a malicious .wsf script starting with the words "account record"...
According to the Hybrid Analysis* on that script and Malwr report** on a partly deobfuscated version the script downloads a binary from:
oleanderhome .com/q59ldt5r
This dropped binary has a detection rate of 5/55*** and is presumably Locky ransomware, but automated analysis is inconclusive [1] [2]. There is also traffic to kassa.p0 .ru which is more of a puzzle and doesn't look particularly malicious****. I don't know if that is common to all scripts, but it might be worth looking out for in your traffic logs. If I get more information on this I will post it here."
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
195.216.243.102
107.180.50.233


** https://malwr.com/an...DY4MzFlMTJhNGE/
Hosts
195.216.243.102: https://www.virustot...02/information/
107.180.50.233: https://www.virustot...33/information/
>> https://www.virustot...c0e6e/analysis/

*** https://virustotal.c...b0c13/analysis/

**** https://urlquery.net...d=1469786112022

[1] https://www.hybrid-a...vironmentId=100

[2] https://malwr.com/an...zVmOTE5MjZjMzA/

 

UPDATE: My trusted source (thank you) gives the following... C2 servers are the same as found here*.
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain .in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4 .biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti .ru]
Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139
"
* http://blog.dynamoo....-anonymous.html
29 July 2016
___

Fake 'Voicemail' SPAM - leads to Locky
- http://blog.dynamoo....-anonymous.html
29 July 2016 - "This -fake- voicemail spam has a malicious attachment:
    From     SureVoIP [voicemailandfax@ surevoip .co.uk]
    Date     Fri, 29 Jul 2016 17:47:41 +0700
    Subject     Voicemail from Anonymous <Anonymous> 00:02:15
    Message From "Anonymous" Anonymous
    Created: Fri, 29 Jul 2016 19:45:15 +0900
    Duration: 00:02:37
    Account: victimdomain .tld


The attachment is in the format msg_7b40ef3f-90a3-c2c7-2858-f9041f1023de.zip containing a malicious .wsf script with a name similar to account record =B5D=.wsf...
The downloaded binary is Locky ransomware, phoning home to:
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands) [hostname:vps-110775.freedomain .in.ua]
91.195.12.143/upload/_dispatch.php (PE Astakhov Pavel Viktorovich, aka host4 .biz, Ukraine)
91.230.211.139/upload/_dispatch.php (Optizon Ltd, Russia) [hostname:evradikfreeopti .ru]
Recommended blocklist:
178.62.232.244
91.195.12.143
91.230.211.139
"

178.62.232.244: https://www.virustot...44/information/
>> https://www.virustot...e9b6e/analysis/
91.195.12.143: https://www.virustot...43/information/
>> https://www.virustot...257dd/analysis/
91.230.211.139: https://www.virustot...39/information/
>> https://www.virustot...d29a4/analysis/
___

Recent Activity - RIG Exploit Kit
- https://atlas.arbor....index#233459834
July 28, 2016 - "... Analysis: In the wake of the disappearance of the previously successful Angler exploit kit and Nuclear Exploit Kit, cybercrime continues through other kits such as Neutrino, RIG, Sundown and others although campaign activity as recently as June has been lower volume compared to the time period when Angler and Nuclear were active... It is likely that this exploit kit traffic will increase over time, as prior users of other exploit kits migrate."
> https://blog.malware...-kit-campaigns/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 30 July 2016 - 07:54 AM.

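The two Locky posts above give concrete, reusable indicators: the three C2 IPs with the /upload/_dispatch.php check-in path, the oleanderhome .com download host, and ZIP attachments that carry a .js or .wsf script. The following is an added example, written for this page and not code from the dynamoo posts or the forum author, that runs those indicators over constructed proxy log lines and inspects a constructed ZIP attachment for Windows Script Host members. Everything not quoted in the posts is an assumption: the log line format, the sample lines, the ZIP contents, and the extra script extensions (.jse, .vbs, .vbe, .wsh) added alongside the .js and .wsf the posts report. The defanged spaces in the posts' IOCs are removed so the values match real traffic.

```python
"""Added example: IOC checks for the Locky spam runs described above.

Only the C2 IPs, the /upload/_dispatch.php path, the download host and the
.js/.wsf attachment pattern come from the posts; the log format, sample
lines and ZIP contents below are constructed for illustration.
"""
import io
import re
import zipfile

# Indicators quoted in the posts (defanging spaces removed).
LOCKY_C2_IPS = {"178.62.232.244", "91.195.12.143", "91.230.211.139"}
LOCKY_C2_PATH = "/upload/_dispatch.php"
DOWNLOAD_HOSTS = {"oleanderhome.com"}

# .js and .wsf are what the posts report inside the ZIPs; the other
# extensions are assumed Windows Script Host siblings worth flagging too.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".wsh")

# Assumed proxy log layout: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)
URL_RE = re.compile(r"^(?:https?://)?(?P<host>[^/:]+)(?::\d+)?(?P<path>/.*)?$")


def classify_url(url):
    """Return a reason string if the URL matches a campaign indicator, else None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group("host").lower(), m.group("path") or "/"
    if host in LOCKY_C2_IPS:
        # The posts give /upload/_dispatch.php as the check-in; any other
        # contact with a listed IP is still reported, with a weaker label.
        return "locky-c2" if path.startswith(LOCKY_C2_PATH) else "locky-c2-ip"
    if host in DOWNLOAD_HOSTS:
        return "locky-download-host"
    return None


def scan_proxy_log(lines):
    """Return a list of (client, url, reason) for every line hitting an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format; skip rather than guess
        reason = classify_url(m.group("url"))
        if reason:
            hits.append((m.group("client"), m.group("url"), reason))
    return hits


def risky_attachment_members(zip_bytes):
    """List ZIP members that are WSH scripts, the delivery pattern in the posts."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]


# --- constructed sample data (not real captures) -------------------------
SAMPLE_LOG = [
    "2016-07-29T10:57:01Z 10.0.0.12 GET http://oleanderhome.com/q59ldt5r 200",
    "2016-07-29T10:57:09Z 10.0.0.12 POST http://178.62.232.244/upload/_dispatch.php 200",
    "2016-07-29T10:58:00Z 10.0.0.13 GET http://www.example.com/index.html 200",
    "2016-07-29T10:58:30Z 10.0.0.14 GET http://91.230.211.139/ 404",
]


def build_sample_zip():
    """Constructed lookalike of the attachment described in the posts (benign)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("account record =B5D=.wsf", "<job></job>")  # empty placeholder
        zf.writestr("readme.txt", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for client, url, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} {reason} {url}")
    print(risky_attachment_members(build_sample_zip()))
```

Against the constructed log this reports the download fetch, the check-in POST and the bare contact with a listed IP, and ignores the example.com line; the ZIP check names the .wsf member and skips the text file. Swap LOG_RE for your own proxy format and feed the real C2 list from the posts to get the same result on production logs.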
