SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1786 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 19 August 2016 - 03:55 AM

FYI...

Fake 'Payment Receipt' SPAM - leads to locky
- https://myonlinesecu...cky-ransomware/
19 Aug 2016 - "... a long line of generic emails delivering Locky ransomware is an email with the subject of  'Payment Receipt' pretending to come from random companies and email addresses with a malicious word doc attachment... One of the emails looks like:
From:  Payment Receipt
Date: Fri 19/08/2016 10:43
Subject:  Payment Receipt
Attachment: PaymentReceipt.docm
    Attached is the copy of your payment receipt.


19 August 2016: PaymentReceipt.docm - Current Virus total detections 7/55*.. MALWR shows a download of an encrypted file from http ://wzukoees.homepage.t-online .de/897fyDnv which is converted by the malicious macro in the word doc to C:\DOCUME~1\User\LOCALS~1\Temp\sys48.tmp (VirusTotal 4/56**)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1471600737/

** https://www.virustot...sis/1471600926/

t-online .de: 2003:2:4:164:217:6:164:162
2003:2:2:40:62:153:159:92

217.6.164.162: https://www.virustot...62/information/
62.153.159.92: https://www.virustot...92/information/
___

Fake 'Report' SPAM - leads to Java Adwind Trojan
- https://myonlinesecu...rs-java-adwind/
19 Aug 2016 - "We continue to see Java Adwind Trojans daily. Today’s example is a slight change to the delivery method from previous Malspam emails that have been using Moneyexpress .com or MoneyGram or other middle eastern money exchange bodies. This one is an email with the subject of 'Unclaimed Commission Report-WUBS' pretending to come from  Shiella F. Doria <shiella.doria@ westernunion .com> with a zip attachment which contains a Java.jar file & an image to make it look “respectable” and genuine. We have seen various -spoofed- Western Union malspam...

Screenshot: https://myonlinesecu...BS-1024x646.png

The image from inside the zip is:
- https://myonlinesecu...ment-Sheet.jpeg

19 August 2016: Unclaimed Commission Report.zip - Extracts to: UN-PROCESSED COMMISSION.jar
Current Virus total detections 30/56*. This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1471508188/
___

Ransomware round up
- https://atlas.arbor....ndex#-198932443
Aug 18, 2016 - "... Analysis: ... ransomware developers and infrastructure providers who deliver the packages are continuing to refine their crafts. The addition of a RAT used to target potential banking elements instead of going forward with ransomware -extortion- is a smart addition. Most threat actors behind ransomware tend to utilize one flat ransom across their victim pool. However, some, notably those behind Locky, have paid attention to some of their victims and were able to extort larger sums than the original request once they identified the overall value of the victimized systems. A RAT could allow a smart threat actor to better access their target and move forward with requesting larger sums of money. However, it could simply allow threat actors to leverage more traditional capabilities by capturing banking credentials which in turn could allow them to perform fraudulent withdrawals with potentially larger payouts than had they attempted simple extortion efforts. Nemucod and Locky continue to change their overall operating procedures. The addition of ad-click and backdoor functionality to a ransomware operation can lead to additional revenue streams for threat actors, especially if the ransomware does not impact the -additional- malicious packages, allowing for them to operate unencumbered while the victim decides what course of action to take in response to the ransomware. Most ransomware is best defended against by -never- enabling-macros unless you implicitly trust the source... and maintaining up-to-date backups that are stored offline..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 19 August 2016 - 02:41 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
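The attachment names quoted in this post and in the ones that follow ('PaymentReceipt.docm', 'UN-PROCESSED COMMISSION.jar', and later '.wav.zip' archives that hold '.wsf' and '.js' files) all rely on Windows hiding the real extension. The following is an added example, not code from this forum or from the quoted myonlinesecurity posts: a Python triage function that judges an attachment by its file name alone and returns the reasons a mail gateway or helpdesk script would hold it for review. The extension sets and the stem keyword list are my own choices; a gateway still has to open the archive and inspect the members and content.

```python
"""Attachment-name triage for double-extension and script lures (added example)."""
import re

# Types Windows will run directly or hand to a script host (assumed list).
SCRIPT_OR_EXEC = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta",
                  ".jar", ".exe", ".scr", ".pif", ".cmd", ".bat", ".ps1"}
# Office formats that can carry VBA macros.
MACRO_DOCS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Archives are opaque here; their members get triaged by name after extraction.
ARCHIVES = {".zip", ".rar", ".7z"}
# Extensions a lure borrows to look like media or a document.
DECOY_HINTS = {".pdf", ".doc", ".jpg", ".jpeg", ".png", ".wav", ".mp3", ".txt"}
# Document words smuggled into the stem of a script name
# ('card_cancellation_pdf 5a59aad3.js', 'monthly_financial_scan aa9140e0.js').
STEM_KEYWORDS = re.compile(r"[_\s-](pdf|doc|jpg|scan|report|statement)(?![a-z])")


def suffixes_of(name: str) -> list[str]:
    """All trailing dot-extensions, outermost last: 'a.wav.zip' -> ['.wav', '.zip']."""
    return re.findall(r"\.[a-z0-9]+(?=\.|$)", name.lower())


def triage_name(name: str) -> list[str]:
    """Return the reasons to hold an attachment, judged by its name alone."""
    reasons = []
    suffixes = suffixes_of(name)
    real_ext = suffixes[-1] if suffixes else ""
    if real_ext in SCRIPT_OR_EXEC:
        reasons.append(f"script/executable type {real_ext}")
    if real_ext in MACRO_DOCS:
        reasons.append(f"macro-enabled document {real_ext}")
    if real_ext in ARCHIVES:
        reasons.append("archive: triage the extracted members")
    # Double extension: a decoy type sitting directly before the real one.
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_HINTS and real_ext not in DECOY_HINTS:
        reasons.append(f"decoy extension {suffixes[-2]} before {real_ext}")
    # Decoy word separated by a space or underscore instead of a dot.
    stem = name.lower()[: -len(real_ext)] if real_ext else name.lower()
    if real_ext in SCRIPT_OR_EXEC and STEM_KEYWORDS.search(stem):
        reasons.append("document keyword in the stem of a script file")
    return reasons


if __name__ == "__main__":
    # Names taken from the quoted posts; each is judged without touching the file.
    for sample in ("PaymentReceipt.docm", "UN-PROCESSED COMMISSION.jar",
                   "Message_from_01443281097.wav.zip", "44077640409.wsf",
                   "card_cancellation_pdf 5a59aad3.js", "Quarterly figures.pdf"):
        print(f"{sample!r}: {triage_name(sample) or 'no finding'}")
```

The check is deliberately conservative about plain documents: 'Quarterly figures.pdf' produces no finding, while every script, macro-enabled and double-extension name from the posts does.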



#1787 AplusWebMaster


Posted 22 August 2016 - 07:08 AM

FYI...

Fake 'fax' SPAM - leads to Locky
- https://myonlinesecu...cky-ransomware/
22 Aug 2016 - "... first example of malspam word docs with macros delivering Locky ransomware is an email with the subject of 'Today’s fax' pretending to come from random names at your own email domain... The email looks like:
From: name/number at your own email domain
Date: Mon 22/08/2016 10:37
Subject: Today’s fax
Attachment: FAX_5542.DOCM


Body content:  Totally blank/empty

22 August 2016: FAX_5542.DOCM - Current Virus total detections 4/55*.. MALWR** shows a download of an encrypted file from http ://seiwa1202.web. fc2.com/HfgfvhTR5 that is converted by the malicious macro in the word doc to axilans.exe (VirusTotal 4/55***). Payload Security[4] shows this has anti-analysis protection... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1471858624/

** https://malwr.com/an...DRjMTY1N2ZlOGQ/
Hosts
208.71.106.61: https://www.virustot...61/information/
>> https://www.virustot...32839/analysis/

*** https://www.virustot...sis/1471859596/

4] https://www.hybrid-a...vironmentId=100
___

Fake 'Hello' SPAM - leads to Locky
- https://myonlinesecu...cky-ransomware/
22 Aug 2016 - "... next batch of malspam emails delivering locky ransomware is a series of emails with subjects like “Hi”, “Hi There” or “Hello” coming from random names, companies and email addresses with a zip attachment containing a WSF (Windows Scripting File)... The body has various generic phrases as the contents along the lines of:
“Please see the attached report about the monthly progress of our department”
“I am sending you the bills of the goods we delivered to you in the attachment"


22 August 2016: 5772ac1553.zip: Extracts to: export_pdf_ 2c23a43a~.js - Current Virus total detections 2/56*
.. MALWR was unable to get any content from the heavily encoded WSF file (waiting for other analysis but almost certain to be the same locations as Today’s Word version Malware delivery[1]). Payload Security** shows a load of connections to various sites... This is another one of the  files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1471860907/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
213.217.149.4
213.229.74.92
185.129.148.19
185.51.247.211
194.67.210.183
51.254.55.171

91.201.202.125

1] https://myonlinesecu...cky-ransomware/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 22 August 2016 - 07:28 AM.



#1788 AplusWebMaster


Posted 23 August 2016 - 07:11 AM

FYI...

Fake 'Voice Message Notifications' deliver Ransomware
- https://isc.sans.edu...l?storyid=21397
2016-08-23 - "... a phone number and with modern communication channels ("Unified Communications") like Microsoft Lync or Cisco, everybody can receive a mail with a 'voice mail notification'. Even residential systems can deliver voice message notifications. Here is an example displayed in Microsoft Outlook:
> https://isc.sans.edu...t-voice-msg.gif
Today, I received a wave of emails like the following:
From: voicemail@ rootshell .be
To: [redacted]
Subject: [Vigor2820 Series] New voice mail message from 01422520472 on 2016/08/23 15:55:25
Dear [redacted]:
There is a message for you from 01422520472, on 2016/08/23 15:55:25 .
You might want to check it when you get a chance. Thanks!


The sender is spoofed with the victim domain name.... file was attached to the message... '.wav.zip' extension to lure the user. As usual, the payload is heavily obfuscated and the AV detection ratio is still very low (6/55 at 11:55:00 UTC)[1]. Vigor is a UK company building ADSL residential modems[2]. This suggests that the new wave is targeting residential customers. Here are the C2 servers (for your IDS):
89.42.39.81
213.205.40.169
51.254.55.171
194.67.210.183
185.51.247.211
185.129.148.19
91.201.202.125
"

[1] https://www.virustot...sis/1471949327/
File name: 614007286106.wsf
Detection ratio: 6/55

[2] http://www.draytek.c...gacy/vigor-2820
___

More Fake 'voice mail messages' SPAM - delivers Locky/Zepto
- https://myonlinesecu...pto-ransomware/
23 Aug 2016 - "Today’s Locky/Zepto ransomware malspam emails have come steadily in waves all day long. There have been 2 distinct different subjects and themes, one pretending to be a voice message from your own email domain or company, with the second pretending to be an audit report from a random company. The first is an email with the subject of '[Vigor2820 Series] New voice mail message' from 01443281097 on 2016/08/23 21:01:59 [random telephone number and date/time] pretending to come from voicemail @ your own email address with a zip attachment named something like 'Message_from_01443281097.wav.zip' where the attachment number matches the telephone number in the subject line. The Vigor 2820 Series is an older ADSL Router Firewall aimed at small business users, so we can quite easily see that this campaign of malware spreading is directly aimed at the small business user...

Screenshot: https://myonlinesecu...97-1024x426.png

The second campaign has a subject of 'Audit Report' coming from random senders with a content looking like the below. The name in the body of the email matches the spoofed sender. One of the  emails looks like:
From: Omer Scott <Scott.58115@ bambit .de>
Date: Tue 23/08/2016 15:3
Subject: Audit Report
Attachment: 83543cd11db.zip
    Dear lie
    The audit report you inquired is attached in the mail. Please review and transfer it to the related department.
    King regards,
    Omer Scott


23 August 2016: Message_from_01443281097.wav.zip: Extracts to: 44077640409.wsf
Current Virus total detections 23/56*.. MALWR** shows a download of an encrypted file from either
 http ://danzig.vtrbandaancha .net/HJghjb54?PqzwogvtP=xYWWDkr -or-
 http ://backyard004.web. fc2.com/HJghjb54?PqzwogvtP=xYWWDkr (in this example) which gets converted by the script to wKoYWwOtQ.exe (VirusTotal 6/56***)

23 August 2016: 83543cd11db.zip: Extracts to: audit report 316dd5a1.js
Current Virus total detections 23/56[4].. MALWR[5] shows a download of an encrypted file from either
 http ://sb-11856.fastdl-server .biz/688dak3, http ://newt150.tripod .com/idyeb9 -or-
 http ://dl.sevenseals .ru/ehaq1zw (in this example) which gets converted by the script to NCPcpOkuUfr5AA0.dll (VirusTotal 18/56[6])... This is another one of the  files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1441173827/

** https://malwr.com/an...DVhZmE2NTcxZGM/
Hosts
200.83.4.62
185.129.148.19
208.71.106.40


*** https://www.virustot...sis/1471961322/

4] https://www.virustot...sis/1441173827/

5] https://malwr.com/an...mNkNzA3MjA4NzM/
Hosts
109.230.252.172
52.52.39.236
77.221.140.226


6] https://www.virustot...sis/1471962605/
___

Fake 'Cancellation' SPAM - leads to Locky
- https://myonlinesecu...cky-ransomware/
23 Aug 2016 - "The next in the series of today’s Locky downloaders is an email with the subject of  'Cancellation' pretending to come from random senders with a zip attachment containing a JavaScript file that pretends to be a pdf... One of the emails looks like:
From: Zachary Flynn <Flynn.94@ football-stats .org>
Date: Tue 23/08/2016 19:00
Subject: Cancellation
Attachment: 2c122b8fa354.zip
    Dear rob,
    Attached is the paper concerning with the cancellation of your current credit card.
    Confirm to us for receiving.
    King regards,
    Zachary Flynn
    Account Manager ...


23 August 2016: 2c122b8fa354.zip: Extracts to: card_cancellation_pdf 5a59aad3.js
Current Virus total detections 4/56*.. MALWR** shows a download of an encrypted file from one of these locations
 http ://sopranolady7 .wang/1cntwk5 | http ://www.leuchten-modelle .de/ink36
 http ://download.apf .asso .fr/87aktsv | http ://gromasgboleslawiec .cba .pl/09n7n
... that is decrypted and transformed into P6dtp6pov8qB.dll (VirusTotal 6/56***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine  DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1471975535/

** https://malwr.com/an...zU0YTkzZTYyMTU/
Hosts
95.211.144.65
212.18.0.4
91.223.89.200
195.154.81.86


*** https://www.virustot...sis/1471977294/
___

File-in-the-middle Browser hijackers
- https://blog.malware...ddle-hijackers/
Aug 23, 2016 - "We are not sure if this is going to be a new trend among browser-hijackers, but it seems more than a coincidence that we found -two- browser hijackers using a very similar approach to reach their goal of taking victims to the sites of their choice. Both are using one of their own files to act as a file-in-the-middle between the user and the browser... Dotdo Audio: Dotdo is a strain of hijackers that we have discussed before for using different and more “out of bounds” methods to get the job done. I named this variant “audio” because it uses audio advertisements. But that is not our focus here. It’s the replacement of browser executables with their own that raised our interest. The installer -renames- the files firefox.exe and chrome.exe, if present, and adds a number to the filename. It then hides these renamed files and replaces them with its own files:
> https://blog.malware...8/hiddenexe.png
The screenshot above shows you the hidden and renamed Chrome file, in the same folder as the replacement. I changed the settings for hidden files so that we can see them. In a similar screenshot below we can see that the same was done for Firefox:
> https://blog.malware.../hiddenexe2.png
The browsers are -hijacked- to open with traffic-media[dot]co by altering the browser shortcuts for:
    Chrome
    Firefox
    Internet Explorer
    Opera
    Yandex
... Summary: We discussed two hijackers from very different families and using different methods, but they also had a few things in common. They want the victims to hear/see their advertisements and they used a file-in-the-middle between the browser shortcuts and the actual browser in order to alter the browsers behavior to meet their goals..."

traffic-media[dot]co: 195.154.46.150: https://www.virustot...50/information/
>> https://www.virustot...28854/analysis/
___

Email - Security battleground
- http://blog.trendmic...line-extortion/
Aug 23, 2016 - "Emails have become the battleground for the first half of the year in terms of security. It is the number one infection vector that has ushered in 2016’s biggest threats so far — ransomware and business email compromise (BEC). Ransomware infections normally start via email. Based on our findings, -71%- of the known ransomware families’ delivery method is through spam. Looking at the threat trends so far, both ransomware and BEC have proved profitable across the world:
Regional breakdown by volume of ransomware threats:
> https://blog.trendmi...61h-roundup.jpg
Regional breakdown by volume of organizations affected by BEC scams:
> https://blog.trendmi...61h-roundup.jpg
Our telemetry shows that ransomware’s scope is more widespread than BEC as it targets countries in Europe, Middle East, and Africa. The prevalence of BEC scams is higher in the North American region, with fewer countries but more targeted — attackers behind BEC scams most often impersonate and target C-level executives... 58% of the nearly 80 million ransomware threats Trend Micro blocked from January to June 2016 are email-borne ransomware. BEC scams, on the other hand, -all- arrive via email. These factors make the two threats quite formidable, as email remains a firm staple in everyday business. They both also utilize social engineering. In ransomware’s case, it’s for the user to click and run the ransomware attached to their opening email. For BECs, it’s to trick the targeted officer into thinking that their request for a money transfer is legitimate, without the usual malware payload... Knowing that these threats use email as an attack vector, companies should strengthen employee education and invest smartly in email protection. With these, the threat of ransomware and BEC attacks can be greatly reduced..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 23 August 2016 - 03:08 PM.

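The renamed-and-hidden browser executable described in the Malwarebytes post above leaves a pattern a host check can look for: 'chrome.exe' no longer matches the vendor's binary, while a numbered sibling such as 'chrome1.exe' still does, and the shortcuts carry a destination the browser was never meant to open. Added example, not code from the Malwarebytes post or from this thread: a Python audit of a browser folder that compares SHA-256 digests against a pinned known-good value and looks for numbered copies, plus a check on shortcut target and arguments. The fixture directory, its file contents and the known-good digests are constructed here; on a real host the expected digest comes from the vendor's signed installer (or from an Authenticode signature check, which this example does not perform), and the shortcut check takes the target and argument strings as already read out of the .lnk file, which it does not parse.

```python
"""Audit a browser folder for the file-in-the-middle pattern (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path, PureWindowsPath


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_browser_dir(directory, browser: str, expected_sha256: str) -> dict:
    """Compare <browser>.exe against a pinned digest and look for numbered copies.

    A replaced main binary plus a numbered sibling that still matches the
    known-good digest is the layout the hijacker installer leaves behind.
    """
    directory = Path(directory)
    numbered = re.compile(rf"^{re.escape(browser)}\d+\.exe$", re.IGNORECASE)
    findings = {"replaced": False, "renamed_originals": [], "unknown_copies": []}
    main_exe = directory / f"{browser}.exe"
    if main_exe.is_file() and sha256_of(main_exe) != expected_sha256:
        findings["replaced"] = True
    for entry in sorted(directory.iterdir()):
        if entry.is_file() and numbered.match(entry.name):
            if sha256_of(entry) == expected_sha256:
                findings["renamed_originals"].append(entry.name)
            else:
                findings["unknown_copies"].append(entry.name)
    return findings


# A URL or bare domain in the shortcut arguments is the hijack tell.
URL_IN_ARGS = re.compile(r"https?://|\b[a-z0-9-]+\.(?:co|com|net|org|ru)\b", re.IGNORECASE)


def shortcut_looks_hijacked(target: str, arguments: str, expected_exe: str) -> bool:
    """Target and arguments are passed as strings (assumed already read from the .lnk)."""
    wrong_target = PureWindowsPath(target).name.lower() != expected_exe.lower()
    return wrong_target or bool(URL_IN_ARGS.search(arguments))


def build_demo_dir():
    """Constructed fixture: chrome.exe swapped and the original renamed; firefox untouched."""
    d = Path(tempfile.mkdtemp(prefix="fitm_demo_"))
    chrome_good = b"MZ constructed stand-in for the vendor chrome.exe"
    firefox_good = b"MZ constructed stand-in for the vendor firefox.exe"
    (d / "chrome1.exe").write_bytes(chrome_good)                     # renamed original
    (d / "chrome.exe").write_bytes(b"MZ constructed hijacker stub")  # replacement
    (d / "firefox.exe").write_bytes(firefox_good)
    known_good = {"chrome": hashlib.sha256(chrome_good).hexdigest(),
                  "firefox": hashlib.sha256(firefox_good).hexdigest()}
    return d, known_good


if __name__ == "__main__":
    demo, known_good = build_demo_dir()
    for name in ("chrome", "firefox"):
        print(name, audit_browser_dir(demo, name, known_good[name]))
    print(shortcut_looks_hijacked(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                                  "traffic-media.co", "chrome.exe"))
```

The digest comparison is what makes the renamed copy stand out: the hijacker's replacement fails the pinned hash while the numbered sibling passes it, which is the opposite of what a legitimate update leaves behind.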


#1789 AplusWebMaster


Posted 24 August 2016 - 04:50 AM

FYI...

Fake 'Statement' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
24 Aug 2016 - "This morning’s first Locky ransomware delivering malspam is an email with the subject of 'Statement' coming from random senders, companies and email addresses with a random named zip attachment  containing a JavaScript file that pretends to be a financial statement... One of the  emails looks like:
From: Ella Gonzales <Gonzales.169@ airtelbroadband .in>
Date: Wed 24/08/2016 10:34
Subject: Statement
Attachment: 25b8ae3a4d.zip
    Hi,
    The monthly financial statement is attached within the email.
    Please review it before processing.
    King regards,
    Ella Gonzales ...


24 August 2016: 25b8ae3a4d.zip: Extracts to: monthly_financial_scan aa9140e0.js
Current Virus total detections 2/56*.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://rejoincomp2 .in/117uuf5h | http ://dokcool.atspace .org/jltqouz
 http ://smilehomeutsumi504.web. fc2.com/by11k6r ... that is converted by the JavaScript to o2OoILn8OHU.dll and autorun (VirusTotal 6/56***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1472031010/

** https://malwr.com/an...WFkNDQxNDgwYmE/
Hosts
82.197.131.109
208.71.106.49
213.229.74.92


*** https://www.virustot...sis/1472033919/
___

Fake 'Emailing: Image' SPAM - leads to Locky
- https://myonlinesecu...cky-ransomware/
24 Aug 2016 - "A blank email with the subject of 'Emailing: Image15.jpg' [random numbered] pretending to come from random senders at your own email domain or company with a zip attachment containing an encrypted  HTA file... This set of emails has a zip attachment that extracts to a HTA file... One of the  emails looks like:
From: Raymon <Raymon237@ Your email domain >
Date: Wed 24/08/2016 12:04
Subject: Emailing: Image15.jpg
Attachment: Image15.zip


Body content: Totally blank/Empty

24 August 2016: Image15.zip: Extracts to: 100966743304.hta - Current Virus total detections 2/56*
.. Payload Security** shows a download of the usual Locky encrypted file from a list of embedded URLs in the decrypted HTA/JavaScript file which is converted to xUztoLUte.exe by the instructions inside the HTA/JavaScript (VirusTotal 2/56***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1472036751/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
112.140.42.29
213.205.40.169
200.83.4.62
185.129.148.19
51.254.55.171
185.51.247.211
194.67.210.183
91.226.92.208


*** https://www.virustot...sis/1472037488/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 24 August 2016 - 07:29 AM.

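Three of the lures in this and the previous posts ('Today’s fax', the Vigor voice mail and 'Emailing: Image15.jpg') pretend to come from the recipient's own domain. Added example, not code from the quoted posts: a Python check over a raw message that flags mail whose From address uses the organization's domain but arrived from an external first hop with no passing SPF or DKIM result. ORG_DOMAIN, INTERNAL_RELAYS, the two sample header sets and the address 203.0.113.45 are constructed assumptions.

```python
"""Flag mail that claims the organization's own From domain without proof (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                   # assumption: the defender's own domain
INTERNAL_RELAYS = {"mail-int.example.com"}   # assumption: hosts allowed to originate internal mail


def from_domain(msg) -> str:
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results (RFC 8601)."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def first_hop_is_internal(msg) -> bool:
    """Received headers are prepended, so the last one is the earliest hop."""
    received = msg.get_all("Received", [])
    if not received:
        return False
    m = re.search(r"\bfrom\s+([^\s(;]+)", str(received[-1]), re.I)
    return bool(m) and m.group(1).lower() in INTERNAL_RELAYS


def check_own_domain_spoof(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    domain = from_domain(msg)
    verdicts = auth_results(msg)
    internal = first_hop_is_internal(msg)
    claims_internal = domain == ORG_DOMAIN
    # Any one proof is enough: an internal originating relay, or a passing SPF/DKIM result.
    proven = internal or verdicts.get("spf") == "pass" or verdicts.get("dkim") == "pass"
    return {"from_domain": domain, "auth": verdicts, "first_hop_internal": internal,
            "suspicious": claims_internal and not proven}


# Constructed messages (headers only), modelled on the 'Emailing: Image15.jpg' lure.
SPOOFED_MAIL = b"""Received: from 203.0.113.45 (unknown [203.0.113.45]) by mx-edge.example.com with ESMTP; Wed, 24 Aug 2016 12:04:10 +0100
Authentication-Results: mx-edge.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
From: Raymon <Raymon237@example.com>
To: user@example.com
Subject: Emailing: Image15.jpg

"""

LEGIT_MAIL = b"""Received: from mail-int.example.com (mail-int.example.com [10.0.0.5]) by mx-edge.example.com with ESMTP; Wed, 24 Aug 2016 12:10:00 +0100
Authentication-Results: mx-edge.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
From: Alice <alice@example.com>
To: user@example.com
Subject: Monthly report

"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MAIL), ("legit", LEGIT_MAIL)):
        print(label, check_own_domain_spoof(raw))
```

The rule only fires on mail that claims the organization's own domain, so external senders are untouched; for the own-domain case it wants at least one positive proof rather than the mere absence of a failure, which is what lets the fail/none combination in the spoofed sample through to a hold.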


#1790 AplusWebMaster


Posted 25 August 2016 - 03:51 AM

FYI...

Fake 'Fraud Notice' SPAM - Java Adwind Trojans
- https://myonlinesecu...c-xpress-money/
25 Aug 2016 - "... Java Adwind Trojans being delivered by various financial themed emails, we are seeing a new method of distribution of the Java Adwind Trojan using these financial themed emails with the subject of 'Request for Amendment'-XPIN- 2401200221508974 & 2401240241500561 (11) pretending to come from xm.support@ xpressmoney .com <XM SUPPORT> with a word doc attachment that contains the Java Adwind Trojan as an embedded OLE object... One of the emails looks like:
From: xm.support@ xpressmoney .com <XM SUPPORT>
Date: Request for Amendment-XPIN- 2401200221508974 & 2401240241500561 (11)
Subject: Request for Amendment-XPIN- 2401200221508974 & 2401240241500561 (11)
Attachment: Fraud Notice XM.doc
    Dear Sir/Madam,
    We would like to inform you that the transaction mentioned have been flagged from our system although the Xpress Money account is still under review. Please cancel and amend these transactions from your system at the earliest. Details of Transactions is been attached
    Thanks & Warm Regards,
    Prasanth Vasanth Pai
    Specialist Customer Support
    Xpress Money Services Ltd.
    PO Box 170, Abu Dhabi, UAE ...


Screenshot of attached word doc: https://myonlinesecu...oc-1024x419.png

25 August 2016: Fraud Notice XM.doc -  Current Virus total detections 23/56*. MALWR**
If you are unwise enough to double click the alleged pdf files that are -embedded- inside the word doc, then a JAVA.jar – Jacob.jar file will open & run (VirusTotal 23/56***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472103111/

** https://malwr.com/an...zVkMjc1YzJlYTQ/

*** https://www.virustot...sis/1472103307/

Earlier 'Java Adwind' posts: https://myonlinesecu.../?s=Java Adwind
___

BEC scams and ransomware
- https://www.helpnets...ware-bec-scams/
Aug 25, 2016 - "Trend Micro analyzed the trends in attacks and vulnerabilities seen throughout the first half of this year*, and found a rise and impact of attacks, such as a -172- percent increase in ransomware and $3 billion in losses due to business email compromise (BEC) scams so far in 2016..."
(More detail at the URL above.)
Charted: https://www.helpnets...ransomware1.jpg
* http://blog.trendmic...line-extortion/
Aug 23, 2016 - "... Based on our findings, 71% of the known ransomware families’ delivery method is through spam..."
* https://www.trendmic...reports/roundup
Aug 23, 2016 - "... The number of new ransomware families we saw in the first half of 2016 alone has already eclipsed the total 2015 volume by 172%. With ransomware attacks becoming more and more sophisticated and prevalent, we believe that the threat will potentially cause more damage going into the second half of the year..."
___

Tech support scams and Google Chrome tricks
- https://blog.malware...-chrome-tricks/
Aug 25, 2016 - "Tech support scams coming as phishing pages that contain -fake- alerts urging you to call for immediate assistance are commonplace these days. We collect -hundreds- of such URLs each day and have observed countless tricks to fool users...  for years we have been telling people to double check the URL in the address bar to know if a website is really what it claims to be. When this scam page loads it runs in full-screen mode and prevents the user from easily closing it with an infinite loop of alerts.
Now take a look at the address bar. For all intents and purposes it does look like the legitimate Microsoft website, although the ‘ru-ru’ (Russia) portion of the URL is a fail in an otherwise clever design. (There are other bits of Russian here and there in the source code, which perhaps link to the original author?):
> https://blog.malware...016/08/scam.png
... Tech support -scams- have similar alert windows except we found some that are completely made up. Putting a checkmark and clicking OK actually produces the opposite result of what you’d expect, to keep you more frustrated and ready to throw your computer out the window... It’s safe to say that browser-based tech support scams are not going anywhere any time soon. Sadly, most browsers are brought to their knees with simple bits of JavaScript and non-savvy users will simply give up and call the toll free number for assistance (we forgot to mention that all this while a very annoying audio track plays in the background). Call centres located in India (for the most part) are receiving thousands of calls each day from desperate victims primed to be -defrauded- of hundreds of dollars by rogue operators playing the Microsoft technician game. Spotting those scams isn’t always easy though and that is why it’s important to expose them to show their inner workings. To learn more about tech support scams and consult our blacklist of known offenders, please check out our resource page here*."
* https://blog.malware...-support-scams/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 25 August 2016 - 01:15 PM.



#1791 AplusWebMaster


Posted 26 August 2016 - 09:58 AM

FYI...

Fake 'Voice Message' SPAM - delivers Locky/Zepto
- https://myonlinesecu...rs-locky-zepto/
26 Aug 2016 - "An email with the subject of 'Voice Message from Outside Caller (3m 54s) [random length]'  pretending to come from Peach Telecom <peach_necsv06@ hotmail .com> (random number after peach_necsv) with a zip attachment which downloads Locky/Zepto ransomware... One of the  emails looks like:
From: Peach Telecom <peach_necsv06@ hotmail .com>
Date: Fri 26/08/2016 12:21
Subject: Voice Message from Outside Caller (3m 54s)
Attachment: Outside Caller 08-26-2016 9aaf18b.zip
    Voice Message Arrived on Friday, Aug 26 @ 6:26 AM
    Name: Outside Caller
    Number: Unavailable
    Duration: 3m 54s ...


26 August 2016: Outside Caller 08-26-2016 9aaf18b.zip: Extracts to: 08-26-2016 36ptor06.wsf
Current Virus total detections 9/56*.. MALWR** shows a download of an encrypted file  from one of these locations:
 http ://sewarte.homepage. t-online .de/nb20gjBV?xJNXYWEr=xnGdqHz |
 http ://theramom.web. fc2 .com/nb20gjBV?xJNXYWEr=xnGdqHz |
 http ://seishinkaikenpo .com/nb20gjBV?xJNXYWEr=xnGdqHz
which is transformed by the script to LHOyUOaiiss1.dll (VirusTotal ***). All versions send info back to the control centre at http ://51.254.55.171/data/info.php ...
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472210401/

** https://malwr.com/an...2QwYjdlOGNhMTI/
Hosts
210.157.30.70
208.71.106.46
80.150.6.138
51.254.55.171


*** https://www.virustot...sis/1472214673/
___

Fake 'P.O.' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
26 Aug 2016 - "The second batch of today’s Locky ransomware malspam emails is an email with the subject of 'office equipment' coming from random senders with a zip attachment... One of the emails looks like:
From: Jillian Kirby <Kirby.84@ phantomes .com>
Date: Fri 26/08/2016 11:41
Subject: office equipment
Attachment: 609c171b94a.zip
    Dear wh,
    Please sign the attached purchase of the office equipment. We will send you back the receipt afterward.
    Best regards,
    Jillian Kirby
    Sales Manager


26 August 2016: 609c171b94a.zip: Extracts to: office_equipment ~bced3628.js
Current Virus total detections 4/56*.. MALWR** shows a download of an encrypted file from one of these locations,
 http ://onlybest76 .xyz/1rkyye | http ://all-rides .com/i0gih |
 http :// provincialpw .com/crgrapy | http ://www.mediawareonline .it/yvg6cw |
 http ://www.jansen-consultancy-machines .be/nvbd7rme that is transformed by the script to deliver AzWzM3LegeEcV6.dll (VirusTotal 14/58***). Payload Security[4].. This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472209948/

** https://malwr.com/an...WE3MDhiYmZjODA/
Hosts
195.130.132.84
104.232.35.136
160.153.54.35
173.255.129.128
212.104.43.3


*** https://www.virustot...sis/1472217004/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
160.153.54.35
212.104.43.3
188.127.249.203
138.201.191.196
51.254.55.171
91.226.92.208

___

Fake 'monthly report' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
26 Aug 2016 - "The third of today’s Locky ransomware malspam deliveries is an email with the subject of 'monthly report' coming from random senders, companies and email addresses with a zip attachment... One of the emails looks like:
From: Tasha Ray <Ray.05187@ flamingjewellery .co.uk>
Date: Fri 26/08/2016 18:16
Subject: monthly report
Attachment: c1195a3663e.zip
    Good evening hyperbolasmappera,
    There were some errors in the monthly report you submitted last week.
    See the highlights in the attachment and please fix as soon as possible.
    Best regards,
    Tasha Ray
    Account Manager ... 


28 August 2016: c1195a3663e.zip: Extracts to: monthly_report_pdf (~41e8df8a).js
Current Virus total detections 6/56*.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://berndburgdorf .de/5x6vdaw | http ://www.valmon .it/ndxec | http ://rejoincomp2 .in/3dv7n |
 http ://abufarha .net/80d4a1j  which is transformed by the script to lh7pIFrXtoRVDe.dll (VirusTotal 19/58***)...
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472235308/

** https://malwr.com/an...Tg2NmJjMGE0ZmU/
Hosts
212.40.179.94
104.232.35.136
213.205.40.169
66.147.240.193


*** https://www.virustot...sis/1472237184/
 



Edited by AplusWebMaster, 26 August 2016 - 02:53 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
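Every sample in the posts above arrives as a ZIP whose member is a .js or .wsf file named to look like a document ("monthly_report_pdf (~41e8df8a).js", "commission_xls (~2a4bfa91).js"), which is exactly what the repeated "show known file extensions" warning is about. The following Python is an added example for mail-gateway or helpdesk triage, not code from the forum post or from myonlinesecurity.co.uk: it lists the archive members, flags anything Windows would execute on double-click, and separately flags names that carry a document token in the stem. The archive it builds is constructed for the example with placeholder contents; the extension and token lists are my own choices and can be tuned.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click. With "show known file extensions"
# off, Explorer hides them, so "monthly_report_pdf (~41e8df8a).js" displays
# as "monthly_report_pdf (~41e8df8a)".
EXECUTABLE_EXTS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta",
                   ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ps1",
                   ".jar", ".lnk"}
# Document-type tokens attackers put in the stem to make the name look benign.
DOC_TOKENS = ("pdf", "docx", "doc", "xlsx", "xls", "jpg", "png", "txt")
_TOKEN_RE = re.compile(r"(?:^|[ _.\-])(" + "|".join(DOC_TOKENS) + r")(?:$|[ _.\-(])")


def real_extension(name: str) -> str:
    """Final extension of a path, lower-cased; '' if there is none."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def looks_like_double_extension(name: str) -> bool:
    """True for a script/executable whose stem carries a document token,
    e.g. 'commission_xls (~2a4bfa91).js' or 'paycheck_pdf_de64ad80.js'."""
    base = name.rsplit("/", 1)[-1]
    ext = real_extension(base)
    if ext not in EXECUTABLE_EXTS:
        return False
    stem = base[: -len(ext)].lower()
    return _TOKEN_RE.search(stem) is not None


def triage_zip(data: bytes):
    """Return [(member_name, reason), ...] for members worth blocking."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip")]
    findings = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        ext = real_extension(info.filename)
        if ext not in EXECUTABLE_EXTS:
            continue
        reason = "executable/script member " + ext
        if looks_like_double_extension(info.filename):
            reason += ", disguised as a document"
        findings.append((info.filename, reason))
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Constructed archive for testing: member bodies are placeholders, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip({
        "monthly_report_pdf (~41e8df8a).js": b"// placeholder, not the real script",
        "sedFki.wsf": b"<job></job>",
        "readme.txt": b"benign",
    })
    for member, why in triage_zip(sample):
        print(f"FLAG {member!r}: {why}")
```

The check deliberately ignores hashes and download URLs: those change with every run quoted in this thread, while the container pattern (a script inside a zip, a document word in the stem) has stayed constant across all of them.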


#1792 AplusWebMaster

Posted 29 August 2016 - 06:03 AM

FYI...

Fake 'Commission' SPAM - leads to Locky
- https://myonlinesecu...delivers-locky/
29 Aug 2016 - ".. the -Locky- onslaught continues its daily attacks with an email with the subject of 'Commission' coming from random companies and senders with a zip attachment that despite the message in the email body saying it is an Excel file actually contains a JavaScript file, although they have half tried to disguise it as an excel file commission_xls (~2a4bfa91).js ... One of the emails looks like:
From: Minerva Bridges <Bridges.033@ aprilwilkins .com>
Date: Mon 29/08/2016 10:20
Subject: Commission
Attachment: 9dc078a8d54e.zip
    Good morning rob,
    Here is the excel file of the commission you earned last month. Please analyze
    the attachment to confirm the amount.
    Regards,
    Minerva Bridges


29 August 2016: 9dc078a8d54e.zip: Extracts to: commission_xls (~2a4bfa91).js - Current Virus total detections 4/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
  http ://xelagon.50webs .org/8rxv3 | http ://209.237.142.197/~p27j55uk/von90s
  http ://ach-dziennik.cba .pl/kag7pe6 | http ://wangmewang .name/5tr5xeey which is transformed into a working Locky Ransomware file by the JavaScript file yzASo9ubY.dll (VirusTotal 9/58***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472462471/

** https://malwr.com/an...jMwMzNlMTk3OWI/
Hosts
192.151.153.26
213.229.74.92
95.211.144.65
209.237.142.197


*** https://www.virustot...sis/1472464805/
___

Fake 'invoice' SPAM - leads to ransomware
- https://myonlinesecu...pto-ransomware/
29 Aug 2016 - "... series of Locky/Zepto ransomware malspams... an email with the subject of 'Please find attached invoice no: 9087773449' [random numbered] pretending to come from document@ your own email domain with a zip attachment containing a WSF file... One of the emails looks like:
From: document@ your own email domain
Date: Mon 29/08/2016 10:21
Subject: Please find attached invoice no: 9087773449
Attachment: 03A137a21.zip
    Attached is a Print Manager form.
    Format = Portable Document Format File (PDF) ...


29 August 2016: 03A137a21.zip: Extracts to: sedFki.wsf - Current Virus total detections 7/56*
.. MALWR** shows a download of an encrypted file from one of these locations
 http ://www.imaginarium .home.ro/78yhuinFYs?AUURTj=HtKvHtW
 http ://abcbureautique.abc.perso. neuf .fr/78yhuinFYs?AUURTj=HtKvHtW
 http ://dussartconsulting .com/78yhuinFYs?AUURTj=HtKvHtW ...  which is transformed by the script file to atuBFcBCz1.dll and automatically run (VirusTotal 4/58***). All the versions post home to the control centre at http ://51.255.107.30 /data/info.php to get & store the encryption key used to encrypt your files... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472462824/

** https://malwr.com/an...zUzZGRkYWIwYmE/
Hosts
86.65.123.70
81.196.20.133
91.216.107.228
51.255.107.30


*** https://www.virustot...sis/1472465136/
___

Fake 'mortgage documents' SPAM - lead to Locky
- https://myonlinesecu...delivers-locky/
29 Aug 2016 - "... Locky ransomware malspams... email with the subject of 'mortgage documents' with a zip attachment containing a WSF file... One of the emails looks like:
From: Edison Montgomery <Montgomery.25@ cable .net .co>
Date: Mon 29/08/2016 20:16
Subject: mortgage documents
Attachment:
    Dear cazzo, I am attaching the mortgage documents relating to your department.
    They need to be signed in urgent manner.
    Regards,
    Edison Montgomery


29 August 2016: 9aaea06c022a.zip: Extracts to: mortgage_documents.c40bf5a3.wsf
Current Virus total detections 5/56*.. MALWR** seems unable to analyse these and Payload Security has 150+ files in the queue...
Edit: Payload security*** eventually gave me www .qualityacoustic.comcastbiz .net/53ky07h2 which is an encrypted file which gets transformed by the script to a Locky/Zepto file. Unfortunately Payload security does not give me that file... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472498468/

** https://malwr.com/an...2JhNjMxOGY2ODQ/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.87.186.101
51.255.107.30
188.127.249.203
195.64.154.114
138.201.191.196
69.195.129.70
91.226.92.208

___

Locky downloaded as encrypted DLLs
- http://blog.trendmic...encrypted-dlls/
Aug 29, 2016 - "... Locky has, over time, become known for using a wide variety of tactics to spread – including macros, VBScript, WSF files, and now DLLs...  we encountered a new Locky variant (detected as RANSOM_LOCKY.F116HM) that used old tactics on the surface, but with some key technical changes. The emails that were used to distribute it were fairly pedestrian as far as these messages go, although it was part of a large-scale spam campaign:
> https://blog.trendmi...locky-dll-1.png
... Using a DLL file in this way represents an attempt to try and -evade- behavior monitoring features that are now part of modern endpoint security products. Running as a DLL prevents a new process from being started, making it harder to detect. Other ransomware families (like CrypMIC/CryptXXX) have used this tactic as well, although for Locky this is new. The use of encryption is also meant to strengthen this malware’s ability to hide itself. Without receiving the right parameters from the downloader, no actual malicious file is actually decrypted (and theoretically, detected)..."
 



Edited by AplusWebMaster, 29 August 2016 - 06:22 PM.

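Every item in this post ends the same way: the script "transforms" the downloaded blob into a .dll and runs it automatically, and the Trend Micro piece explains the DLL choice as a way to avoid behaviour monitoring. A DLL cannot execute on its own; on Windows the usual way a script launches one is through rundll32.exe (that is my assumption here, the posts do not name the loader). A host-side detection that does not depend on any of the quoted hashes or URLs is to watch process-creation telemetry for a script host spawning rundll32.exe or regsvr32.exe with a DLL under a user-writable directory. Added example in Python, not code from the forum post, from myonlinesecurity.co.uk or from Trend Micro; the event records are constructed and use Sysmon event 1 field names, and the DLL name in them is a placeholder.

```python
import re

# Processes that, in these campaigns, do the downloading and decoding
# (script hosts, plus the Office apps that run the macro downloaders).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "winword.exe", "excel.exe"}
# Built-in loaders a script uses to execute a DLL (assumption: rundll32.exe
# is what launches the "transformed" DLL; the posts do not name it).
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# User-writable locations where a freshly decoded payload is usually written.
USER_WRITABLE = re.compile(
    r"(?i)(?:\\users\\[^\\]+\\appdata\\(?:local|roaming)\\"
    r"|\\documents and settings\\[^\\]+\\local settings\\temp\\"
    r"|\\users\\public\\|\\programdata\\)")
# First argument ending in .dll, quoted or bare ("...\x.dll,ExportName" included).
DLL_ARG = re.compile(r'(?i)"([^"]+\.dll)"|(\S+\.dll)')


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_dll_launch(event: dict):
    """Event fields follow Sysmon event 1 names: Image, ParentImage, CommandLine.
    Returns a reason string when the event matches, otherwise None."""
    image = _basename(event.get("Image", ""))
    if image not in DLL_LOADERS:
        return None
    parent = _basename(event.get("ParentImage", ""))
    m = DLL_ARG.search(event.get("CommandLine", ""))
    dll = (m.group(1) or m.group(2)) if m else None
    reasons = []
    if parent in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
    if dll and USER_WRITABLE.search(dll):
        reasons.append(f"DLL loaded from user-writable path: {dll}")
    return "; ".join(reasons) if reasons else None


def scan_events(events):
    """Apply the rule to a list of events; returns [(index, reason), ...]."""
    hits = []
    for i, ev in enumerate(events):
        reason = suspicious_dll_launch(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed events (not real telemetry). The DLL name is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\sample.dll,qwerty"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for idx, why in scan_events(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: {why}")
```

Either condition alone fires, because legitimate software rarely has a script host start rundll32.exe at all, and rundll32.exe loading from %TEMP% is rare enough to be worth a look even with a benign parent; the two together are the shape of the "converted and run automatically" step described in every item above.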


#1793 AplusWebMaster

Posted 30 August 2016 - 08:07 AM

FYI...

Fake 'Body content Blank/empty' SPAM - leads to Locky
- https://myonlinesecu...rs-locky-zepto/
30 Aug 2016 - "The latest of Today’s Locky/Zepto malspams is a -blank- empty email pretending to come from random names at your own email domain with the -subject- similar to 'document, File, Picture, Photo, Image' etc. with a zip attachment containing a WSF file... One of the  emails looks like:
From: random name @ your own email domain
Date:
Subject: Photo
Attachment: PC_20160830_05_84_67_Pro.zip


Body content: Blank/empty

11 May 2016: PC_20160830_05_84_67_Pro.zip: Extracts to: XfTxmMOc.wsf - Current Virus total detections 8/56*
.. MALWR** shows a download of an encrypted file from
 http ://gerochan.web. fc2 .com/987nkjh8?RlUTbYrVI=TMGiBgFtfwB amongst others which eventually gets transformed by the script file to XWYLtzfQg1.dll (VirusTotal 5/58***). C2 control which determines the encryption key is
 http ://188.127.249.32 /data/info.php ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472566396/

** https://malwr.com/an...GRlZTk2MTcwYjU/
Hosts
85.12.197.61
208.71.106.49
208.71.106.45
51.255.107.30
188.127.249.32


*** https://www.virustot...sis/1472562174/
___

Fake 'Final payment' SPAM - leads to malware
- https://myonlinesecu...ads-to-malware/
30 Aug 2016 - "An email with the subject of 'Final payment request' pretending to come from angela.fynan@ hmrc.gsi .gov.uk <info@ hmrcgovuk121 .pw> with a malicious word doc attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking Trojans like Dridex or Dyreza and ransomware like Locky or numerous Cryptolocker versions... The email looks like:
From: angela.fynan@ hmrc.gsi .gov.uk <info@ hmrcgovuk121 .pw>
Date: Tue 30/08/2016 15:08
Subject: Final payment request
Attachment: hmrc_doc_083016_848347734.docm
    Date of issue 30 august 2016
    Reference       K 2058964946
    Sir/Madam
    Final payment request GBP 5,961.34.
    Don’t ignore this letter – you need to pay us now if you want to stop us taking enforcement action against you.
    We contacted you previously asking you to pay the above amount but you still haven’t done so. The attached statement of liability gives a breakdown of what you owe.
    As you’re in the very small minority of people who haven’t paid. We’re treating your case as a priority. If you don’t pay now, we’ll take action to make you pay. The law allows us to enforce debts by seizing your goods and selling them by public auction A regional sheriff officer acting on a summary warrant will do this for us. We can charge fees for this so if you don’t act now it could cost you more money.
    For more information and how to pay us please see attached statement.
    We’ll continue to add interest to the original debt until you pay in full.
    Debt Management
    G McLean
    HMRC ...


Screenshot: https://myonlinesecu...st-1024x562.png

30 August 2016: hmrc_doc_083016_848347734.docm - Current Virus total detections 4/55*
.. MALWR** shows a download from http ://ivanovimportexportltd. co.uk/4.exe (VirusTotal 4/57***) MALWR[4]
... likely to be a password stealer of some sort. Payload Security[5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472565604/

** https://malwr.com/an...jJjMzNlYzBhMGM/
Hosts
137.74.172.30

*** https://www.virustot...sis/1472566995/

4] https://malwr.com/an...2Y3NWRlNTk5NGE/

5] https://www.reverse....vironmentId=100
Contacted Hosts
137.74.172.30
___

Fake 'paycheck' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
30 Aug 2016 - "... series of Malspam delivering -Locky- ransomware is an email with the subject of 'paycheck' coming from random senders, companies and email addresses with a zip attachment... One of the emails looks like:
From: Isabella Holman <Holman.114@ profilerhs .com>
Date: Tue 30/08/2016 18:38
Subject: paycheck
Attachment:
    Hey gold, as you requested, attached is the paycheck for your next month's salary in advance.
    Sincerely yours,
    Isabella Holman


30 August 2016: e3fa12b0575f.zip: Extracts to: paycheck_pdf_de64ad80.js - Current Virus total detections 6/54*
.. MALWR** shows a download of an encrypted file  from one of these locations:
 http ://malwinstall .wang/1xiolv6 | http ://specialist.homepage. t-online .de/pgtv2
 http ://kikital.web. fc2 .com/amqq7aq6 | http ://solesdearequito. tripod .com/f1bii
 http ://vinciunion. co.th/gfp87 that is converted by the script to a working Locky ransomware 6e8kHAmEE5.dll
  that gets run automatically (VirusTotal 9/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472578893/

** https://malwr.com/an...jRjZGVjNzMyZjA/
Hosts
80.150.6.138
52.52.40.206
208.71.106.48
45.59.114.100
103.246.18.22


*** https://www.virustot...sis/1472579254/
___

Fake 'Server Update' SPAM - drops Java Adwind or Jacksbot
- https://myonlinesecu...nd-or-jacksbot/
30 Aug 2016 - "An email with the subject of 'Unity Link New Server Update' pretending to come from xm.nl@ unitylink .com <abelen@ unitylink .com> with a zip attachment which contains an executable file 'Updated Unityink Server..exe' and an image, which drop/create various Java.jar files. This is likely to be a Java Adwind or Java Jacksbot version... One of the emails looks like:
From: xm.nl@ unitylink .com <abelen@ unitylink .com>
Date: Tue 30/08/2016 07:13
Subject: Unity Link New Server Update
Attachment: Unity Link New Server Update.zip
    Dear Agent,
    Find attach New update details with password, kindly sign and branch seal on the attach authorization for security updates.
    Best regards,
    ALAA ELDIN BEBARS
    | Unity Link Operations
    Unity Link services Ltd| P.O. Box 170 ...


Screenshot of image file inside zip: https://myonlinesecu...rver-Update.png

30 August 2016: Unity Link New Server Update.zip: Extracts to: Updated Unityink Server..exe
Current Virus total detections 15/58*. MALWR**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472556607/

** https://malwr.com/an...mI1NzYwNjI3OGI/
___

Opera server breach ...
> https://www.opera.co...reach-incident/
Aug 26, 2016 - "Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised. Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution. We have also sent emails to all Opera sync users to inform them about the incident and ask them to change-the-password for their Opera-sync-accounts. In an abundance of caution, we have encouraged users to also reset-any-passwords to third-party-sites they may have synchronized with the service. To obtain a new password for Opera sync, use the password resetting page:
- https://auth.opera.c...t/lost-password "
 



Edited by AplusWebMaster, 30 August 2016 - 12:36 PM.

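The HMRC 'Final payment request' item above is a .docm whose macro fetches 4.exe, and the advice is not to enable macros. A gateway can make that decision before the user ever sees the "enable content" bar: a macro-enabled OOXML file is a ZIP package that contains a vbaProject.bin part and declares its content type in [Content_Types].xml, whatever extension the attachment was sent with. Added example in Python, not code from the forum post or from myonlinesecurity.co.uk; the packages it builds are constructed minimal stand-ins containing only the parts the check reads, so nothing here is a real document or a real macro.

```python
import io
import zipfile

# Where the VBA project lives in Word, Excel and PowerPoint packages.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type that [Content_Types].xml declares for that part.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = ("docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam")


def ooxml_macro_report(data: bytes, filename: str) -> dict:
    """Inspect an attachment's bytes, ignoring what the extension claims.
    Returns {'ooxml', 'has_vba', 'extension_mismatch', 'parts'}."""
    report = {"ooxml": False, "has_vba": False, "extension_mismatch": False, "parts": []}
    if not data.startswith(b"PK\x03\x04"):
        return report          # legacy OLE .doc/.xls or something else entirely
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return report          # a zip, but not an Office package
    report["ooxml"] = True
    found = [p for p in VBA_PARTS if p in names]
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    if found or MACRO_CONTENT_TYPE in ctypes:
        report["has_vba"] = True
        report["parts"] = found
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    # A macro-bearing package sent as .docx/.xlsx/.doc is itself a signal.
    if report["has_vba"] and ext not in MACRO_EXTENSIONS:
        report["extension_mismatch"] = True
    return report


def build_ooxml(has_vba: bool) -> bytes:
    """Constructed minimal package: only the parts this check looks at."""
    ctypes = ('<?xml version="1.0"?><Types xmlns='
              '"http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Default Extension="xml" ContentType="application/xml"/>')
    if has_vba:
        ctypes += ('<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
    ctypes += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if has_vba:
            # Placeholder bytes; a real vbaProject.bin is an OLE compound file.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in (("statement.docm", build_ooxml(True)),
                      ("statement.docx", build_ooxml(True)),
                      ("letter.docx", build_ooxml(False))):
        print(name, ooxml_macro_report(doc, name))
```

This tells you only that a VBA project is present, not what it does; that is enough to quarantine an unexpected external attachment, and a tool such as olevba can then pull the macro out for analysis.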


#1794 AplusWebMaster

Posted 31 August 2016 - 06:51 AM

FYI...

Fake 'Scan' SPAM - leads to Locky
- https://myonlinesecu...cky-ransomware/
31 Aug 2016 - "... received a massive malspam run of an email with the subject of 'FW: [Scan] 2016-08-13 15:49:12' [random numbered] pretending to come from random senders at your own email domain or company with a zip attachment containing an encrypted HTA file... One of the emails looks like:
From: Bertha <Bertha34@ your own email domain>
Date: Wed 31/08/2016 06:14
Subject: FW: [Scan] 2016-08-13 15:49:12
Attachment: 2016-08-30 436 663 415.zip
   From: “Bertha” <Bertha34@[REDACTED]>
    Sent: 2016-08-13 15:49:12
    To: [REDACTED]
    Subject: [Scan] 2016-08-13 15:49:12
    Sent with Genius Scan for iOS ...


31 August 2016: 2016-08-30 436 663 415.zip: Extracts to: Yd95ozed8.hta - Current Virus total detections 9/56*
.. Payload Security** shows a download of the usual Locky encrypted file from a list of embedded URLs in the decrypted HTA/JavaScript file which is converted to QXkcpj1.dll by the instructions inside the HTA/JavaScript (VirusTotal 19/56***)... This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472620428/

** https://www.reverse....vironmentId=100
Contacted Hosts
210.157.28.18
80.150.6.138
195.208.0.137
95.85.19.195
188.127.249.32
58.158.177.102


*** https://www.virustot...sis/1472623964/
___

Fake 'bank transactions' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
31 Aug 2016 - "... Locky continues with an email with the subject of 'bank transactions' coming from random senders, companies and email addresses with a random named zip attachment containing a JS file... One of the emails looks like:
From: Marlene Carrillo <Carrillo.170@ veloxzone. com.br>
Date: Wed 31/08/2016 07:35
Subject: bank transactions
Attachment: b231f370cf0.zip
    Good morning gold.
    Attached is the bank transactions made from the company during last month.
    Please file these transactions into financial record.
    Yours truly,
    Marlene Carrillo


31 August 2016: b231f370cf0.zip: Extracts to: CC1BB558_bank_transactions.js - Current Virus total detections 3/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://www.instalacionesjosearteaga .com/s7yy5 | http ://enigmes4saisons.perso. sfr .fr/dilveh
 http ://mambarambaro .ws/1m202 | http ://www.meta. metro .ru/uumr65 which gets transformed into the Locky ransomware by the script KzgOzqkkKOZ.dll (VirusTotal 7/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472629007/

** https://malwr.com/an...jc4OGI3NTk5MzU/
Hosts
62.42.230.17
86.65.123.70
195.91.160.34
45.59.114.100
158.69.147.88


*** https://www.virustot...sis/1472629326/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
62.42.230.17
86.65.123.70
95.85.19.195
188.127.249.203
138.201.191.196
188.127.249.32
91.223.180.66


- http://blog.dynamoo....ansactions.html
31 Aug 2016 - "This -fake- financial spam comes with a malicious attachment:
    From:    Rueben Vazquez
    Date:    31 August 2016 at 10:06
    Subject:    bank transactions
    Good morning petrol.
    Attached is the bank transactions made from the company during last month.
    Please file these transactions into financial record.
    Yours truly,
    Rueben Vazquez


The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js ... According to the Malwr report of these three samples [1] [2] [3] the scripts download... Each one of those samples drops a -different- DLL... these phone home to:
95.85.19.195/data/info.php [hostname: vps-110831.freedomain .in .ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers .com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl .ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq .pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably the Locky ransomware.
Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24
"
1] https://malwr.com/an...Dk0ZmVmZjE5Mzg/

2] https://malwr.com/an...2RmNWEwZDFjY2E/

3] https://malwr.com/an...DViOWM4YTNmOTQ/
___

Fake 'flight tickets' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
31 Aug 2016 - "This latest Locky ransomware malspam is a little bit more believable than some recent attempts and might actually fool a few recipients. An email with the subject of 'flight tickets' pretending to come from random companies, senders and email addresses with a random name zip attachment containing a JavaScript file... One of the emails looks like:
From: Wallace Hampton <Hampton.7365@writers-india.com>
Date: Wed 31/08/2016 18:37
Subject: flight tickets
Attachment: 4e0302044044.zip
    Good evening admin.
    I am sending you the flight tickets for your business conference abroad next month.
    Please see the attached and note the date and time.
    Respectfully,
    Wallace Hampton


31 August 2016: 4e0302044044.zip: Extracts to: CE14A812_flight_tickets.js - Current Virus total detections 3/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://roger.pierrieau.perso. sfr .fr/68d8ti | http ://virmalw .name/31fwt4cs
 http ://simo62.web. fc2 .com/yywcdpbu | http ://www.francogatta .it/npoa0lzw which is converted to a working Locky ransomware file & autorun by the script 20mrgwO23alMfJvj.dll (VirusTotal 8/58***). Payload Security[4]...
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472665164/

** https://malwr.com/an...2Q2OWU2N2VmOGQ/
Hosts
158.69.147.88
208.71.106.61
195.78.215.76
86.65.123.70


*** https://www.virustot...sis/1472665518/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.99.111.28
208.71.106.61
95.85.19.195
138.201.191.196
188.127.249.203
188.127.249.32
91.223.180.66
69.195.129.70

___

SWIFT discloses more cyber thefts, pressures banks on security
- http://www.reuters.c...t-idUSKCN11600C
Aug 31, 2016 - "SWIFT, the global financial messaging system, on Tuesday disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February's high-profile $81 million heist at Bangladesh Bank. In a private letter to clients, SWIFT said that new cyber-theft attempts - some of them successful - have surfaced since June, when it last updated customers on a string of attacks discovered after the attack on the Bangladesh central bank... The disclosure suggests that cyber thieves may have ramped up their efforts following the Bangladesh Bank heist, and that they specifically targeted banks with lax security procedures for SWIFT-enabled transfers... A SWIFT spokeswoman declined to elaborate on the recently uncovered incidents or the security issues detailed in the letter, saying the firm does not discuss affairs of specific customers. All the victims shared one thing in common: Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers, according to the letter. Accounts of the attack on Bangladesh Bank suggest that weak security procedures there made it easier to hack into computers used to send SWIFT messages requesting large money transfers. The bank lacked a firewall and used second-hand, $10 electronic switches to network those computers, according to the Bangladesh police..."
___

Hacks steal account details for 60M Dropbox Users
- https://it.slashdot....n-dropbox-users
Aug 31, 2016 - "Hackers have stolen over 60 million account details for online cloud storage platform Dropbox. Although the accounts were stolen during a previously disclosed breach, and Dropbox says it has already forced password resets, it was not known how many users had been affected, and only now is the true extent of the hack coming to light. Motherboard* obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community. In all, the four files total in at around 5GB, and contain details on 68,680,741 accounts..."
* https://motherboard....ropbox-accounts
 



Edited by AplusWebMaster, 31 August 2016 - 03:28 PM.

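The dynamoo.com write-up quoted in the 'bank transactions' item above ends with a recommended blocklist that mixes single hosts with whole /24 ranges, and both it and the myonlinesecurity items note that the DLL posts to /data/info.php on those hosts to fetch its key. Added example in Python, not code from either blog or from the forum post, of turning that into a check over web-proxy logs: the blocklist entries are the ones quoted above, the log line format and the log lines themselves are constructed for the example, and a POST to /data/info.php is treated as a hit on its own because the hosts change between runs while the path did not.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Blocklist as quoted in the dynamoo post above: single hosts and whole /24s.
BLOCKLIST = ["95.85.19.195", "138.201.191.196", "188.127.249.0/24", "91.223.180.0/24"]
# Check-in path quoted in the thread for this Locky wave.
C2_PATH = "/data/info.php"

# Constructed proxy line format: "<ts> <client_ip> <METHOD> <url> <dest_ip> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                    r"(?P<url>\S+) (?P<dest>\S+) (?P<status>\d{3})$")


def compile_blocklist(entries):
    """Single addresses become /32 (or /128) networks so one membership test serves both."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify(line, networks):
    """Return {'client', 'dest', 'hits': [...]} when the line matches, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        dest_ip = ipaddress.ip_address(m.group("dest"))
    except ValueError:
        return None
    hits = []
    for net in networks:
        if dest_ip in net:          # an IPv4/IPv6 version mismatch simply yields False
            hits.append(f"destination {dest_ip} in blocklist entry {net}")
            break
    url = urlsplit(m.group("url"))
    if m.group("method") == "POST" and url.path == C2_PATH:
        hits.append(f"Locky-style check-in: POST {C2_PATH} to {url.hostname}")
    if not hits:
        return None
    return {"client": m.group("client"), "dest": str(dest_ip), "hits": hits}


def scan(lines, entries=BLOCKLIST):
    """Run every line through classify(); returns only the matching records."""
    nets = compile_blocklist(entries)
    return [r for r in (classify(line, nets) for line in lines) if r]


# Constructed log lines (not real traffic); the .pw hostname is the one quoted above.
SAMPLE_LOG = [
    "2016-08-31T10:07:12Z 10.1.2.33 POST http://95.85.19.195/data/info.php 95.85.19.195 200",
    "2016-08-31T10:07:13Z 10.1.2.33 POST http://cufrmjsomasgdciq.pw/data/info.php 91.223.180.66 200",
    "2016-08-31T10:09:40Z 10.1.2.51 GET http://www.example.com/index.html 93.184.216.34 200",
    "2016-08-31T10:10:02Z 10.1.2.33 GET http://188.127.249.203/update.bin 188.127.249.203 404",
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["client"], "->", r["dest"], "|", "; ".join(r["hits"]))
```

A client that shows up with the check-in hit is the one to pull off the network first: by the time the POST to /data/info.php has gone out, the key exchange has happened and encryption is about to start, so the blocklist is most useful at the perimeter (where the POST fails and the key is never obtained) rather than as an after-the-fact log search.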


#1795 AplusWebMaster

Posted 01 September 2016 - 05:29 AM

FYI...

Fake 'Shipping info' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
1 Sep 2016 - "... the Locky onslaught continues with ever increasing frequency and complexity. The first of today’s Malspam is an email with the subject of 'Shipping information' coming from random names, companies and email addresses with a random named zip attachment containing a heavily obfuscated/encrypted JavaScript file... One of the emails looks like:
From: Celina Mccarty <Mccarty.8737@ spebs .com>
Date: Thu 01/09/2016 09:12
Subject: Shipping information
Attachment: 2020f266fc.zip
    Dear customer,
    Our shipping service is sending the order form due to the request from your company.
    Please fill the attached form with precise information.
    Very truly yours,
    Celina Mccarty


1 September 2016: 2020f266fc.zip: Extracts to: 91CF4D63_shipping_service.js - Current Virus total detections 4/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://www.oltransservice .org/wxyig4v | http ://kreativmanagement.homepage. t-online .de/anlaok1d
 http ://mambarambaro .ws/1zvqoqf which is transformed by the script to naXFQvt9.dll (VirusTotal 11/58***)
Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472717463/

** https://malwr.com/an...mQwY2JmNWIwOGM/
Hosts
213.205.40.169
192.99.111.28
80.150.6.138


*** https://www.virustot...sis/1472718234/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
213.205.40.169
95.85.19.195
212.109.192.235
5.34.183.211
188.127.249.32
188.127.249.203
91.223.180.66


- http://blog.dynamoo....service-is.html
1 Sep 2016 - "This -fake- shipping email comes with a malicious attachment:
    Subject:     Shipping information
    From:     Charles Burgess
    Date:     Thursday, 1 September 2016, 9:30
    Dear customer,
    Our shipping service is sending the order form due to the request from your company.
    Please fill the attached form with precise information.
    Very truly yours,
    Charles Burgess


The sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and ending with _shipping_service.js. Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):
joeybecker.gmxhome .de/430j1t
ngenge.web. fc2 .com/vs1qc0
mambarambaro .ws/1zvqoqf
timetobuymlw .in/2dlqalg0
peetersrobin.atspace .com/t2heyor1
www .bioinfotst. cba .pl/u89o4
Between those four reports, there are three -different- DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis* shows the malware phoning home to:
5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx .pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably Locky ransomware.
Recommended blocklist:
5.34.183.211
212.109.192.235
188.127.249.0/24
91.223.180.0/24
"
1] https://malwr.com/an...jlhYjlhNDQ0YjA/
Hosts
82.165.58.83
192.99.111.28
208.71.106.37


2] https://malwr.com/an...zNhZDJjMTUxNTE/
Hosts
82.197.131.109
158.69.147.88
95.211.144.65


3] https://www.hybrid-a...vironmentId=100
Contacted Hosts
82.165.58.83

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
82.197.131.109
95.85.19.195
5.34.183.211
212.109.192.235
188.127.249.203
188.127.249.32
91.223.180.66


5] https://virustotal.c...sis/1472720135/

6] https://virustotal.c...sis/1472720153/

7] https://virustotal.c...08380/analysis/

* https://www.hybrid-a...vironmentId=100
Contacted Hosts
82.197.131.109
95.85.19.195
5.34.183.211
212.109.192.235
188.127.249.203
188.127.249.32
91.223.180.66

___

Fake 'invoice' SPAM - leads to Locky
- http://blog.dynamoo....d-attached.html
1 Sep 2016 - "This spam has a malicious attachment. It appears to come from the sender themselves, but this is just a trivial forgery.
    Subject:     Please find attached invoice no: 329218
    From:     victim@ victimdomain .tld
    To:     victim@ victimdomain .tld
    Date:     Thursday, 1 September 2016, 12:42
    Attached is a Print Manager form.
    Format = Portable Document Format File (PDF)
    Disclaimer ...


Attached is a ZIP file containing a malicious .wsf script. According to my usual source (thank you!) the scripts download... The payload appears to be Locky ransomware... This is similar to the list here*.
Recommended blocklist:
5.34.183.211
212.109.192.235
95.85.19.195
188.127.249.0/24
91.223.180.0/24
"
* http://blog.dynamoo....service-is.html
1 Sep 2016
___

Fake 'Travel expense sheet' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
1 Sep 2016 - "... never ending series of Locky downloaders is an email with the subject of 'Travel expense sheet' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Hilario Walton <Walton.571@ afirstclassmove .com>
Date: Thu 01/09/2016 19:22
Subject: Travel expense sheet
Attachment: ea00ba32a5.zip
    Dear karen,
    Here is the travel expense sheet for your upcoming company field trip. Please write down the approximate costs in the attachment.
    Warm wishes,
    Hilario Walton


1 September 2016: ea00ba32a5.zip: Extracts to: Travel_expense_sheet_E492D6CB.js - Current Virus total detections 6/56*
.. MALWR shows a download of an encrypted file from one of these locations:
 http ://www .cortesidesign .com/v1vmxyj | http ://www .aktion-zukunft-gestalten .info/hfgo3x
 http ://portadeenrolar .ind.br/rbfr26 | http ://timetobuymlw .in/57h8t6it which is transformed by the script to rg4V0yhh8iC.dll (VirusTotal 21/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472753839/

** https://malwr.com/an...WZkYjY3MTE0MDI/


*** https://www.virustot...sis/1472755942/
___

Cerber dropped via Malvertising
- http://blog.trendmic...a-malvertising/
Aug 31, 2016 - "... The latest version of Cerber had functions found in earlier versions like the use of voice mechanism as part of its social engineering tactics. Similar to previous variants, Cerber 3.0 is dropped by the Magnitude and Rig exploit kits. Users are typically -redirected- to these exploit kit servers via ads appearing in a pop-up window after clicking a video to play. This ultimately leads to the download of Cerber. While this malvertisment campaign has affected several countries already, the attack is heavily concentrated in Taiwan. And although this malvertising campaign has been running for months, it was only now that it dropped Cerber 3.0 as its payload. In the case of Magnitude, a simple redirect script was used. Rig, on the other hand, opened a website in the background that contained a screenshot of legitimate US clothing shopping sites, perhaps to make the ad look less suspicious... Cerber demands 1.24 BTC (~US$523, as of March 4, 2016) and gave affected entities seven days. Cerber 3.0 asks for 1 BTC right away, but if the user waits more than five days the ransom doubles to 2 BTC:
> https://blog.trendmi...cerber-v3-3.png
... The most fundamental defense against ransomware is still backing up. With proper backups in place, organizations need not worry about any data loss that may be incurred. At the very least, important files should be backed up on a regular basis. Practice the 3-2-1 rule wherein 3 copies are stored in two different devices, and another one to a safe location. A good defense against malvertising (and exploit kits in general) is to keep the software in use up-to-date with all security patches. This will reduce the risk against a wide variety of attacks, not just ransomware. This includes both the operating system and any applications in use. A security solution that can proactively provide defense against attacks targeting vulnerabilities in the system’s software is also recommended..."


Edited by AplusWebMaster, 01 September 2016 - 02:04 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1796 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 02 September 2016 - 05:18 AM

FYI...

Fake 'old office facilities' SPAM - leads to Locky
- http://blog.dynamoo....facilities.html
2 Sep 2016 - "This spam has a malicious attachment:
    Subject:     old office facilities
    From:     Kimberly Snow (Snow.741@ niqueladosbestreu .com)
    Date:     Friday, 2 September 2016, 8:55
    Hi Corina,
    Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
    Best wishes,
    Kimberly Snow


The name of the sender will vary. Attached is a ZIP file with a random hexadecimal number, containing a malicious .js script beginning with office_facilities_ plus another random hexadecimal number. Analysis is pending, but this Malwr report* indicates attempted communications to:
malwinstall .wang
sopranolady7 .wang
..both apparently hosted on 66.85.27.250 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.
UPDATE 1: According to this Malwr report** it drops a DLL with a detection rate of 10/58***. Also those mysterious .wang domains appear to be multihomed on the following IPs:
23.95.106.195 (New Wave NetConnect, US)
45.59.114.100 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
66.85.27.250 (Crowncloud, US)
104.36.80.104 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
107.161.158.122 (Net3, US)
158.69.147.88 (OVH, Canada)
192.99.111.28 (OVH, Canada)
Recommended blocklist:
23.95.106.195
45.59.114.100
66.85.27.250
104.36.80.104
107.161.158.122
158.69.147.88
192.99.111.28
"
* https://malwr.com/an...zA3YWRkMzZmNGE/
Hosts
66.85.27.250
23.95.106.195


** https://malwr.com/an...jBhM2I4MTE0OTE/
Hosts
66.85.27.250
23.95.106.195


*** https://virustotal.c...0c5c7/analysis/
VQpnPCqe.dll

- https://myonlinesecu...delivers-locky/
2 Sep 2016 - "... series of Locky downloaders is an email with the subject of 'old office facilities' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Angelina Nielsen <Nielsen.83382@ parklawnsprinklers .com>
Date: Fri 02/09/2016 08:27
Subject: old office facilities
Attachment: 1fade4423b3a.zip
    Hi Chasity,
    Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
    Best wishes,
    Angelina Nielsen


2 September 2016: 1fade4423b3a.zip: Extracts to: office_facilities_059AB2E9.js - Current Virus total detections 8/56*
.. MALWR** shows a download of an encrypted file from http ://malwinstall .wang/ezr08tjd which is transformed by the script to VQpnPCqe.dll (VirusTotal 10/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472801143/

** https://malwr.com/an...jg4OGVhMzAyMDQ/
Hosts
23.95.106.195
66.85.27.250


*** https://www.virustot...sis/1472801991/
___

Fake 'Scanned image' SPAM - leads to Locky
- http://blog.dynamoo....image-from.html
2 Sep 2016 - "This -fake- document scan appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a malicious Word document.
    Subject:     Scanned image from MX2310U@ victimdomain .tld
    From:     office@victimdomain.tld (office@ victimdomain .tld)
    To:     webmaster@victimdomain.tld;
    Date:     Friday, 2 September 2016, 2:29
    Reply to: office@ victimdomain .tld [office@ victimdomain .tld]
    Device Name: MX2310U@victimdomain.tld
    Device Model: MX-2310U
    Location: Reception
    File Format: PDF MMR(G4)
    Resolution: 200dpi x 200dpi
    Attached file is scanned image in PDF format.
    Use Acrobat®Reader® ...


Attached is a .DOCM file with a filename consisting of the recipient's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component... The payload is Locky ransomware, phoning home to:
212.109.192.235/data/info.php [hostname: take. ru .com] (JSC Server, Russia)
149.154.152.108/data/info.php [hostname: 407.AT.multiservers .xyz] (EDIS, Austria)
Recommended blocklist:
212.109.192.235
149.154.152.108
"
___

Fake 'Body content empty/blank' SPAM - delivers Locky
- https://myonlinesecu...rs-locky-zepto/
2 Sep 2016 - "... Locky/Zepto downloaders... empty/blank email with the subject random numbers and either .jpg, gif, pdf, img, docx, tif, png etc. coming as usual from random names @ icloud .com  with a random named zip attachment that is named the -same- as the numbers in the subject line containing a wsf file... One of the emails looks like:
From: Alejandra_6526@ icloud .com
Date: Fri 02/09/2016 12:27
Subject: 26889jpg
Attachment: 26889.zip


Body content: Empty/blank

2 September 2016: 26889.zip: Extracts to: W64pP.wsf - Current Virus total detections 8/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://maxshoppppsr .biz/js/y54g3tr?NxMSERb=asaGYkQ | http ://illaghettodelcircoletto .it/flkekqs?NxMSERb=asaGYkQ
 http ://vimp.hi2 .ro/xqbqjyn?NxMSERb=asaGYkQ which is transformed by the script to vTFEncqFbOk1.dll (VirusTotal 5/58***)
All of them contact the C2 centre http ://149.154.152.108 /data/info.php to get & store the encryption key that is used to encrypt your files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472815578/

** https://malwr.com/an...TljNjI1ODBjNTY/
Hosts
89.42.39.81
195.110.124.188
66.85.27.252
149.154.152.108


*** https://www.virustot...sis/1472817060/
___

Bogus Windows error site - for iPad
- https://blog.malware...indows-fakeout/
2 Sep 2016 - "... The bogus error site is located at:
ipad-error-9023(dot)com
Given the URL, you’d expect to see some sort of iPad related shenanigans taking place –  an interesting twist on the well worn theme of tech-support-scams. Who needs Windows desktops when you can go after the tablet market, right? Unfortunately for our scammers, it all goes a bit wrong in terms of being convincing with that whole iPad URL thing. Let me count the ways... text reads as follows:
    Windows Security Error !
    Your Hard drive will be DELETED if you close this page
    You have a ZEUS virus! Please call Support Now!
    Call Now to Report This Threat.
    Do not Click ‘OK’ button below, doing so will start the hacking process.

... 'didn’t put much thought into this whole iPad thing, did they?...
> https://blog.malware...nal-dialogs.jpg
... a “prevent additional dialog” message from the browser? I’m guessing my PC hasn’t exploded yet. Maybe if I close the box and then hit the OK button:
> https://blog.malware...page-locked.jpg
... While the attempted fakeout up above isn’t one of the best ones we’ve seen, there are plenty out there which succeed in their attempts at convincing device owners that they have a problem. From there, phone calls to “tech support” and payments to have the non-existent virus cleaned up are only a hop, step and jump away. If you think you may have been targeted by such scams – or just want to avoid such antics in the future – feel free to give our guide to Tech Support Scams* a read. It could well save you time and money – and a lot of increasingly infuriating phone calls..."
* https://blog.malware...-support-scams/

ipad-error-9023(dot)com: 107.180.21.58: https://www.virustot...58/information/
>> https://www.virustot...55616/analysis/


Edited by AplusWebMaster, 02 September 2016 - 11:59 AM.



#1797 AplusWebMaster
Posted 05 September 2016 - 05:22 AM

FYI...

Fake 'Credit card receipt' SPAM - leads to Locky
- https://myonlinesecu...oft-netmsg-dll/
5 Sep 2016 - "... series of Locky downloaders is an email with the subject of 'Credit card receipt' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file... One of the  emails looks like:
From: Wilda Hayden <Hayden.80411@ monicamatthews .com>
Date: Mon 05/09/2016 08:29
Subject: Credit card receipt
Attachment: 6aec8732b803.zip
    Dear mrilw,
    We are sending you the credit card receipt from yesterday. Please match the card number and amount.
    Sincerely yours,
    Wilda Hayden
    Account manager


5 September 2016: 6aec8732b803.zip: Extracts to: credit_card_receipt_9F44E80E.js - Current Virus total detections 6/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://darkestzone2 .wang/1i0i75gq | http ://canonsupervideo4k .ws/1bcpr7xx
.. which is transformed by the script to aXZnmnI3ES.dll (VirusTotal 9/57***). This is also downloading the genuine Microsoft netmsg.dll in an attempt to confuse antiviruses and researchers... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473060526/

** https://malwr.com/an...WZkYjY3MTE0MDI/


*** https://www.virustot...sis/1473062169/

- http://blog.dynamoo....you-credit.html
5 Sep 2016 - "This -fake- financial spam has a malicious attachment:
    From:    Tamika Good
    Date:    5 September 2016 at 08:43
    Subject:    Credit card receipt
    Dear [redacted],
    We are sending you the credit card receipt from yesterday. Please match the card number and amount.
    Sincerely yours,
    Tamika Good
    Account manager


The spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_
A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:
canonsupervideo4k .ws/1bcpr7xx
This appears to be multihomed on the following IP addresses:
23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary) ...
Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57*. These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:
91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt .pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
The payload is probably Locky ransomware.
Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55
"
1] https://malwr.com/an...TlhYzZlNGExZjg/
Hosts
107.173.176.4

2] https://malwr.com/an...GIyOTk2MDcyNTk/
Hosts
23.95.106.206
107.173.176.4


3] https://malwr.com/an...GM1NjY0MGNlYWE/
Hosts
107.173.176.4

* https://virustotal.c...7c2f6/analysis/

4] https://www.hybrid-a...vironmentId=100


5] https://www.hybrid-a...vironmentId=100


6] https://www.hybrid-a...vironmentId=100

___

Malware in '.pub files' SPAM
- https://isc.sans.edu...l?storyid=21443
2016-09-05 - "While searching for new scenarios to deliver their malware[1][2], attackers launched a campaign to deliver malicious code embedded in Microsoft Publisher[3] (.pub) files. The tool Publisher is less known than Word or Excel. This desktop publishing tool was released in 1991 (version 1.0) but it is still alive and included in the newest Office suite. It is not surprising that it also supports macros. By using .pub files, attackers make one step forward because potential victims don't know the extension ".pub" (which can be interpreted as "public" or "publicity" and makes the document less suspicious), and spam filters do -not- block this type of file extension. Finally, researchers are also impacted because their sandbox environments do not have Publisher installed by default, making the sample impossible to analyze! A sample of a malicious .pub file is already available on VT[4] with a low detection score (5/55). Stay safe!"
[1] https://isc.sans.edu...nsomware/21397/
[2] https://isc.sans.edu...ipt File/21423/
[3] https://products.off...om/en/publisher
[4] https://www.virustot...f37fd/analysis/


Edited by AplusWebMaster, 05 September 2016 - 10:06 AM.



#1798 AplusWebMaster
Posted 06 September 2016 - 05:53 AM

FYI...

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
6 Sep 2016 - "... series of Locky downloaders... an email with the subject of 'Invoice INV0000385774' (random numbers)  coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file... One of the  emails looks like:
From: Earlene conyers <Earlene859@ pickledlizards .com>
Date: Tue 06/09/2016 10:27
Subject: INV0000385774
Attachment: ea00ba32a5.zip
    Please find our invoice attached.


6 September 2016: Invoice_INV0000385774.zip: Extracts to: 14Tf5zYWx67.wsf - Current Virus total detections 6/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://around4percent.web .fc2 .com/j8fn3rg3?jXRJazVGV=TBojQIxnjJC
 http ://zse2 .pl/j8fn3rg3?jXRJazVGV=TBojQIxnjJC | http ://marcotormento .de/j8fn3rg3?jXRJazVGV=TBojQIxnjJC
which is transformed by the script to pfRMaJgsGEL1.exe (VirusTotal 4/58***) which according to MALWR[4] creates/downloads/ drops another encrypted file... Payload Security reports [5] [6]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472753839/

** https://malwr.com/an...TBkNzFhOTgyNWM/
14Tf5zYWx67.wsf


*** https://www.virustot...sis/1473154258/

4] https://malwr.com/an...TBiZDk3MWJlMmI/
pfRMaJgsGEL1.exe
Hosts
66.85.27.108
13.107.4.50
216.126.225.149


5] https://www.reverse....vironmentId=100
14Tf5zYWx67.wsf
Contacted Hosts
216.239.120.224
208.71.106.48
66.85.27.108
216.126.225.149


6] https://www.reverse....vironmentId=100
pfRMaJgsGEL1.exe
Contacted Hosts
66.85.27.108
___

Fake 'August invoice' SPAM - Locky
- https://myonlinesecu...ppears-to-fail/
6 Sep 2016 - "... next in the never ending series of Locky downloaders is an email with the subject of 'August invoice' coming as usual from random companies, names and email addresses with a random named zip attachment  containing 2 identical .JS files... One of the emails looks like:
From: Douglas Holmes <Holmes.850@ redbridgeconcern .org>
Date: Tue 06/09/2016 09:50
Subject:  August invoice
Attachment: fe1afed4aa6f.zip
    Hello montag, Brigitte asked me to send you invoice for August. Please look over the attachment and make a payment ASAP.
     Best Regards,
     Douglas Holmes


6 September 2016: fe1afed4aa6f.zip: Extracts to: August_invoice 2AAB15F0. pdf~.js - Current Virus total detections 4/56*
..Update: it looks like Payload security** have tweaked their system and managed to bypass the protection elements in today’s Locky and are now finding & getting the payloads... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473151857/

** https://www.reverse....vironmentId=100

___

Fake 'Message.. scanner' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
6 Sep 2016 - "... Locky downloaders.. email with the subject of 'Message from “CUKPR0959703' pretending to come from scanner @ your own email domain with a random named zip attachment based on todays date containing a WSF file... One of the  emails looks like:
From: scanner@ ...
Date: Tue 06/09/2016 16:11
Subject: Message from “CUKPR0959703”
Attachment: 20160906221127.zip
    This E-mail was sent from “CUKPR0959703” (Aficio MP C305).
    Scan Date: Tue, 06 Sep 2016 22:11:27 +0700
    Queries to: <scanner@ ...


6 September 2016: 20160906221127.zip: Extracts to: 18YrNk1xk28.wsf - Current Virus total detections 16/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://www.alpstaxi .co .jp/j8fn3rg3?IxurVQb=sHiOGcukdY
 http ://zui9reica.web .fc2 .com/j8fn3rg3?IxurVQb=sHiOGcukdY
which is transformed by the script to mUExMjQPwmL1.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473175613/

** https://malwr.com/an...WIzYjFkNGJiOTI/
Hosts
208.71.106.45
216.126.225.149
8.254.207.14
211.134.181.38

___

Fake 'Suspected Purchases' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
6 Sep 2016 - "... Locky downloaders... email with the subject of 'Suspected Purchases' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files starting with random characters and then Suspected_Purchases_PDF.js ... One of the  emails looks like:
From: Alyssa English <English.55@ heritagehomebuyers .net>
Date: Thu 01/09/2016 19:22
Subject:  Suspected Purchases
Attachment: 3adec1d16a7e.zip
    Dear enrico,
    We have suspected irregular purchases from the company’s account.
    Please take a look at the attached account balance to see the purchase history.
    Best Regards,
    Alyssa English
    Support Manager


6 September 2016: 3adec1d16a7e.zip: Extracts to: FAAD4310 Suspected_Purchases_PDF.js
Current Virus total detections 3/55*. MALWR** shows a download of an encrypted file from one of these locations:
  http ://canonsupervideo4k .ws/2sye3alf
  http ://virmalw .name/uw2vyhpd
  http ://tradesmartcoin .xyz/rwevvv3a
which is transformed by the script to 4fWrgKKcG.dll (VirusTotal 9/58***). This also downloads the genuine Microsoft  netmsg.dll... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473179859/

** https://malwr.com/an...TYzMTFiMWFiNjU/
Hosts
51.255.227.230
185.101.218.49
107.173.176.24


*** https://www.virustot...sis/1473180787/
___

Paypal - PHISH
- https://myonlinesecu...oqued-phishing/
6 Sep 2016 - "... daily -phishing- emails trying to steal your PayPal account. This one is worth mentioning because of the bad spelling and grammar that proves this does not come from an English speaking criminal. The original email looks like this:

Screenshot: https://myonlinesecu...ed-1024x563.png

From: no-reply@ paypal .com
Date: Tue 06/09/2016 14:59
Subject: Your PayPal access bloqued
    
    Dear Customer,
    Your account is temporarily suspended.
    We are working to protect our users against fraud!
    Your account has been selected for verification, we need to confirm that you are the real owner of this account
    To conclude the recovery of his account and service interruption card with number 4*** **** **** ****..
    Please consider that if you do not confirm your data now, we are forced to lock this account for your protection
    Must follow two steps, in case you have any questions during the execution of this process can be supported support team .
    Confirm account NAW
Regards,
Eduard Swards


The link behind 'confirm account NAW' goes to a well known-phishing-site, which has been reported so many times..
  http ://paypal-securidad .com/informations/l/l/Index/
This one wants your personal details, your Paypal account log in details and your credit card and bank details..."

paypal-securidad .com: 192.185.128.24: https://www.virustot...24/information/
>> https://www.virustot...a59e6/analysis/


Edited by AplusWebMaster, 06 September 2016 - 12:11 PM.



#1799 AplusWebMaster
Posted 07 September 2016 - 05:01 AM

FYI...

Fake 'Agreement form' SPAM - leads to Locky
- https://myonlinesecu...leads-to-locky/
7 Sep 2016 - "... series of Locky downloaders... email with the subject of 'Agreement form' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the  emails looks like:
From: Staci Cruz <Cruz.5000@ stluc-esa-bxl .org>
Date: Wed 07/09/2016 09:06
Subject: Agreement form
Attachment: 23ad34e21057.zip
    Hi there,
    [ random name] assigned you to make the payment agreement for the new coming employees.
    Here is the agreement form. Please finish it urgently.
    Best Regards,
    Staci Cruz
    Support Manager


7 September 2016: 23ad34e21057.zip: Extracts to: C3AB68A4 agreement_form_doc.js - Current Virus total detections 3/56*
.. MALWR** was unable to get any downloads but shows connections to
  tradesmartcoin .xyz  216.244.68.195
  virmalw .name  51.255.227.230
  listofbuyersus .co .in
  brothermalw .ws

Payload Security analysis*** which took an extremely long time (unusually) also doesn’t show any direct downloads or files. This is likely to mean that the Locky gang are using an ever more restrictive anti-analysis protection. Payload did detect some more unusually Apt named domains. Contacted Domains: tradesmartcoin .xyz, listofbuyersus .co.in, malwinstall .wang, brothermalw .ws, virmalw .name . Contacted Hosts: 216.244.68.195, 51.255.227.230 ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473235341/

** https://malwr.com/an...TY0ZDQ5MWUzZjk/
Hosts
51.255.227.230
216.244.68.195


*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.244.68.195
51.255.227.230


- http://blog.dynamoo....m-probably.html
7 Sep 2016 - "This -fake- financial spam leads to malware:
    Subject:     Agreement form
    From:     Marlin Gibson
    Date:     Wednesday, 7 September 2016, 9:35
    Hi there,
    Roberta assigned you to make the payment agreement for the new coming employees.
    Here is the agreement form. Please finish it urgently.
    Best Regards,
    Marlin Gibson
    Support Manager


The name of the sender will vary. Attached is a ZIP file named with a random hexadecimal sequence, containing a malicious .JS script ending with agreement_form_doc.js and in the sample I saw there was also a duplicate..
308F92BC agreement_form_doc - 1.js
308F92BC agreement_form_doc.js
Automated analysis [1] [2] shows that the scripts... attempt to download a binary from one of the following locations:
donttouchmybaseline .ws/ecf2k1o
canonsupervideo4k .ws/afeb6
malwinstall .wang/fsdglygf
listofbuyersus .co .in/epzugs
Of those locations, only the first three resolve, as follows:
donttouchmybaseline .ws 216.244.68.195 (Wowrack, US)
canonsupervideo4k .ws   51.255.227.230 (OVH, France / Kitdos)
malwinstall .wang       51.255.227.230 (OVH, France / Kitdos) ...
The following also presumably evil sites are also hosted on those IPs:
bookinghotworld .ws
clubofmalw .ws
darkestzone2 .wang
donttouchmybaseline .ws
canonsupervideo4k .ws
malwinstall .wang
wangmewang .name
tradesmartcoin .xyz
virmalw .name

Currently I am unable to work out the C2 locations for the malware, which is probably Locky ransomware. In the meantime, I recommend you block:
51.255.227.228/30
23.95.106.206
107.173.176.4
192.3.7.198
216.244.68.195
217.13.103.48
bookinghotworld .ws
clubofmalw .ws
darkestzone2 .wang
donttouchmybaseline .ws
canonsupervideo4k .ws
malwinstall .wang
wangmewang .name
tradesmartcoin .xyz
virmalw .name
"
1] https://malwr.com/an...GZlMTc5Yzk0NTE/
Hosts
216.244.68.195
51.255.227.230


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
51.255.227.230
216.244.68.195


'UPDATE: My trusted source (thank you) says that it phones home to the following IPs and URLs:
91.211.119.71/data/info.php (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Dunaevskiy Denis Leonidovich aka Zomro, Ukraine)
gsejeeshdkraota .org/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
sraqpmg .work/data/info.php
balichpjuamrd .work/data/info.php
mvvdhnix .biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
kifksti .work/data/info.php
iruglwxkasnrcq .pl/data/info.php
xketxpqxj .work/data/info.php
qkmecehteogblx .su/data/info.php
bbskrcwndcyow .su/data/info.php
nqjacfrdpkiyuen .ru/data/info.php
ucjpevjjl .work/data/info.php
nyxgjdcm .info/data/info.php
In -addition- to the IPs listed above, I also recommend blocking:
69.195.129.70
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55
'
___

Fake 'Invoice' SPAM - JS malware attachment
- https://myonlinesecu...signed-malware/
7 Sep 2016 - "An email with the subject of 'Invoice 00014904; From CHALICE GOLD MINES LIMITED' [random numbered]  pretending to come from CHALICE GOLD MINES LIMITED <AccountRight@ appsmyob .com> with a link in the email body to  download a zip file containing a .JS file. The .js file downloads a digitally signed .exe file...

Screenshot: https://myonlinesecu...ED-1024x647.png

7 September 2016: 00014904.zip: Extracts to: 00014904.js - Current Virus total detections 2/55*
.. Payload Security**  shows a download from
 littlelionstudio .com/images/LLS-Landing-Image2.jpg which is actually a -renamed- .exe file which gets copied to
2 other file names and locations on the victim computer (VirusTotal 6/57***) |  Payload Security[4]
This file is digitally signed with a valid signature so Windows will allow it to run without alerts from smart screen or other security software:
> https://myonlinesecu...-1-1024x713.png
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473221665/

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1473215063/

4] https://www.hybrid-a...vironmentId=100

___

Fake 'Free sports player' SPAM - delivers malware via hta files
- https://myonlinesecu...-via-hta-files/
7 Sep 2016 - "... I have seen 3 distinct subject lines:
    ****Dont’t miss this fantastic free sport media player****
    **** You wished you had this sport media player sooner****
    Amazing**** Free “Sport media Player”**

All the emails come from Splayer XXXXX where XXXX can be team, company, player, command, online or any other similar word. The rest of the email address is -spoofed- and random...

Screenshot: https://myonlinesecu...r.-1024x556.png

... I have only found 3 base domains that contain the downloads, with hundreds of different random named folders and player versions. Each version appears to have a slightly different .hta file inside the zip and a strong warning should be given that they are using an unusual method of zipping the hta file so it extracts to computer-root and possibly/probably -autoruns- when you double click the zip:
    http ://splayering .pw/download/ziefmz8dgi7/splayer-rc10.zip
    http ://softship .online/download/6243onsblfasbatsr/splayer-rc21.zip
    http ://itgnome .online/download/bm437mgs37khxmfzdivv/splayer-rc1.zip
> https://myonlinesecu...zip_warning.png

... analysed 1 version of the .hta file so far but I am sure all the others will give similar results.
7 September 2016: splayer-rc10.zip: Extracts to: splayer.hta - Current Virus total detections 2/56*
.. Payload Security** shows a download from splayeracy .online/50d5fdc6-7ed5-4272-b148-fcade183219e/splayer.bin
(VirusTotal 16/58***). Payload Security[4] which shows this is using the same file, file names & behaviour that was described in THIS post[5] which look like some sort of password stealer and backdoor trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473198884/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.3.150.197

*** https://www.virustot...sis/1473199782/

4] https://www.hybrid-a...vironmentId=100

5] https://myonlinesecu...signed-malware/

splayering .pw: 192.3.150.197: https://www.virustot...97/information/
>> https://www.virustot...6761e/analysis/

softship .online: 192.3.150.197: https://www.virustot...97/information/
>> https://www.virustot...e44b3/analysis/

itgnome .online: 192.3.150.197: https://www.virustot...97/information/
>> https://www.virustot...e44b3/analysis/

// … as of 9/8/2016.
 



Edited by AplusWebMaster, 08 September 2016 - 06:32 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
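A check for the root-escaping zip layout the post warns about, added here as an example and not code from the post or from the blog it quotes. The sample archive, its entry names and the inert placeholder contents are constructed; the check only inspects entry names and never extracts anything.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Drive letters (C:) are never legitimate in a zip entry name.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def unsafe_reason(name: str) -> Optional[str]:
    """Return why an archive entry name is unsafe, or None if it looks normal.

    Entry names in a well-formed zip are relative, forward-slash paths. A name
    that is absolute, carries a drive letter, or climbs with '..' would be
    written outside the chosen extraction directory by a naive extractor,
    which is the "extracts to computer-root" behaviour the post describes.
    """
    if "\x00" in name:
        return "embedded NUL byte"
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        return "absolute path"
    if _DRIVE_RE.match(normalized):
        return "drive letter"
    if ".." in normalized.split("/"):
        return "parent-directory traversal"
    return None


def audit_zip(data: bytes) -> List[Tuple[str, str]]:
    """List (entry name, reason) for every unsafe entry in a zip given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = unsafe_reason(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample() -> bytes:
    """Constructed sample: one benign entry plus two entries shaped like the
    root-escaping layout from the post. Contents are inert placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless")
        zf.writestr("/splayer.hta", "<!-- placeholder, not the real file -->")
        zf.writestr("../../Users/Public/start.hta", "<!-- placeholder -->")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in audit_zip(build_sample()):
        print(f"UNSAFE {entry!r}: {why}")
```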


#1800 AplusWebMaster

Posted 08 September 2016 - 07:46 AM

FYI...

Fake 'voice mail' SPAM - Locky
- http://blog.dynamoo....-new-voice.html
8 Sep 2016 - "This spam appears to come from within the victim's own domain, it has a malicious attachment. The telephone number referred to will vary.
    Subject: [Vigor2820 Series] New voice mail message from 01427087154 on 2016/09/08 15:14:54
    From: voicemail@ victimdomain .tld (voicemail@ victimdomain .tld)
    To: webmaster@ victimdomain .tld
    Date: Thursday, 8 September 2016, 13:15
    Dear webmaster :
        There is a message for you from 01427087154, on 2016/09/08 15:14:54 .
    You might want to check it when you get a chance.Thanks!


Attached is a ZIP file with a name in the format Message_from_01427087154.wav.zip which contains a randomly-named and malicious .wsf script. My trusted source (thank you) says that the various versions of the script download from one of the following locations:
Each URL has a random query string appended (e.g. ?abcdEfgh=ZYXwvu). Unusually, this version of -Locky- does not seem to have C2 servers so blocking it will involve blocking all the URLs listed above -or- you could monitor for the string g76gyui in your logs.

UPDATE: the Hybrid Analysis of the script can be found here[1]."
1] https://www.hybrid-a...vironmentId=100
Contacted Hosts

___

Fake 'Lloyds Banking' SPAM - .doc malware
- https://myonlinesecu...livers-malware/
8 Sep 2016 - "An email with the subject of 'Lloyds Banking Group encrypted email' pretending to come from GRP Lloydsbank Tech <info@ lloydsbanking52 .us> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs... A little bit of digging around tells us that lloydsbanking52 .us was registered about 2 weeks ago...

Screenshot: https://myonlinesecu...il-1024x775.png

8 September 2016: PGPMessage04834838.doc - Current Virus total detections 4/56*
.. Payload Security didn’t find any sites to download the malware.. a manual analysis & de-obfuscation of the macro you can see here original on Pastebin** shows a download from http ://aclawgroup .com .au/2.zip which gives 2.exe (VirusTotal 1/54***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it...

Update: I am being told it is a smoke loader AKA Dofoil[1] which will eventually download another banking Trojan."
1] https://blog.malware...en-still-alive/

 

* https://www.virustot...sis/1473344346/

** http://pastebin.com/ZuRM9iaN

*** https://www.virustot...sis/1473344266/

aclawgroup .com .au: 50.87.145.150: https://www.virustot...50/information/
>> https://www.virustot...c5872/analysis/
___

Quick look at recent malvertising exploit chains
- https://www.zscaler....-exploit-chains
Sep 7, 2016 - "... during our daily exploit kit (EK) tracking, have been seeing some changes in both RIG and Sundown EKs. We recently encountered a malvertising chain serving both EKs on subsequent visits, and decided to compile a quick look at these cases:
Graph showing the malvertising chains
> https://cdn-3.zscale...ising-graph.PNG
...  they quickly integrated the exploit into the more typical Sundown landing page format. In a more recent episode, Trustwave's Spiderlabs spotted the addition of a fingerprinting code*, however we have not seen this feature in our captured cycles, so the operators may have opted for the simpler, non-fingerprinted landing page since then...
* https://www.trustwav...Way-to-the-Top/
... In the wake of both Angler and Nuclear disappearing, RIG has taken a dominant position in the EK landscape. The RIG operators appear content, however, to iterate more slowly, with changes to the EK itself happening less frequently. That said, RIG EK authors have now made noticeable changes to the landing page structure... At this point, it's clear that the exploit kit landscape has been thoroughly shaken up since the disappearance of Angler and Nuclear (as we have covered in our round-ups and other EK-related blogs). This small update is meant to give a quick look at the latest techniques and trends used by RIG and Sundown. We will continue to monitor the situation, and provide updates to the community as usual."
(More detail at the zscaler blogs URL at the top.)
 



Edited by AplusWebMaster, 08 September 2016 - 12:21 PM.

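The log check the Dynamoo post suggests for the 'voice mail' Locky run (watch for g76gyui in your logs), added here as an example and not code from the post or the blog it quotes. It goes slightly beyond a plain string grep by matching g76gyui as an exact path segment, so the random host and the random query string do not matter and names that merely contain the string are not flagged; the Squid-style log lines, hosts and client addresses are constructed.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Marker path segment from the post; the query string after it is random,
# so the match is on the URL path only, never on host or query.
MARKER_SEGMENT = "g76gyui"

# Constructed sample lines in Squid access.log layout (timestamp, elapsed,
# client, result, size, method, URL, user, hierarchy, type). Not real traffic.
SAMPLE_LOG = """\
1473340000.123    210 10.0.0.15 TCP_MISS/200 51234 GET http://www.example.test/g76gyui?abcdEfgh=ZYXwvu - HIER_DIRECT/192.0.2.10 application/octet-stream
1473340001.456     30 10.0.0.15 TCP_HIT/200 2048 GET http://intranet.example.test/index.html - NONE/- text/html
1473340002.789    180 10.0.0.22 TCP_MISS/200 51234 GET http://203.0.113.5/g76gyui?QwErTy=123 - HIER_DIRECT/203.0.113.5 application/octet-stream
1473340003.001     25 10.0.0.22 TCP_MISS/404 512 GET http://www.example.test/g76gyui.html - HIER_DIRECT/192.0.2.10 text/html
"""


def has_marker(url: str) -> bool:
    """True when a path segment of the URL equals the marker (host and query ignored)."""
    path = urlsplit(url).path
    return MARKER_SEGMENT in [seg for seg in path.split("/") if seg]


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per log line whose request URL carries the marker segment."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:  # skip truncated or malformed lines
            continue
        ts, client, url = fields[0], fields[2], fields[6]
        if has_marker(url):
            hits.append({
                "time": ts,
                "client": client,
                "host": urlsplit(url).hostname or "",
                "url": url,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} client={hit['client']} host={hit['host']} url={hit['url']}")
```

The hit list gives the internal client addresses to follow up, which matters more than the download host since the post notes this variant has no C2 to block.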
