SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1801 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 09 September 2016 - 04:42 AM

FYI...

Fake 'Order Confirmation' SPAM - leads to Locky
- https://myonlinesecu...delivers-locky/
9 Sep 2016 - "... Locky downloaders... an email with the subject of 'Order Confirmation 9226435' [random number] coming as usual from random companies, names and email addresses with a random named zip attachment containing an HTA file... One of the emails looks like:
From: Meagan carnochan <Meagan4@ insightsundertwo .com>
Date: Fri 09/09/2016 09:01
Subject: Order Confirmation 9226435
Attachment: Ord9226435.dzip  extracts to 2015jozE.hta
    This message is intended only for the individual or entity to which it is
    addressed and may contain information that is private and confidential. If
    you are not the intended recipient, you are hereby notified that any
    dissemination, distribution or copying of this communication and its
    attachments is strictly prohibited.


9 September 2016: Ord9226435.dzip: Extracts to: 2015jozE.hta - Current Virus total detections 5/55*
.. Payload Security** shows a download of an encrypted file from walkerandhall .co .uk/7832ghd?TtrISozIzi=CemUQBnTyeQ
which is transformed by the script to a working locky version. Unfortunately Payload security isn’t showing the converted /decrypted file amongst the downloads although the screenshots definitely show locky... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473408597/

** https://www.hybrid-a...vironmentId=100


- http://blog.dynamoo....tion-xxxxx.html
9 Sep 2016 - "This -fake- financial spam leads to malware:
    From:    Ignacio le neve
    Date:    9 September 2016 at 10:31
    Subject:    Order Confirmation 355050211
     --
    This message is intended only for the individual or entity to which it is
    addressed and may contain information that is private and confidential. If
    you are not the intended recipient, you are hereby notified that any
    dissemination, distribution or copying of this communication and its
    attachments is strictly prohibited.


The name of the sender and the reference number will vary. Attached is a file named consistently with the reference (e.g. Ord355050211.zip) but an error in the MIME formatting means that this may save with a .dzip ending instead of .zip. Contained within the ZIP file is a malicious .HTA script with a random name... This simply appears to be an encapsulated Javascript... my trusted source (thank you) says that the various scripts download from...
(many random URLs listed at the dynamoo URL above)...
The URL is appended with a randomised query string (e.g. ?abcdEfgh=ZYXwvu). The payload Locky ransomware has an MD5 of 5db5fc57ee4ad0e603f96cd9b7ef048a ...
This version of Locky does not use C2s, so if you want to block traffic then I recommend using the list above -or- monitoring/blocking access attempts with 7832ghd in the string.
UPDATE: The Hybrid Analysis* of one of the scripts does not add much except to confirm that this is ransomware."
* https://www.hybrid-a...vironmentId=100

___

Fake 'MS account - Unusual sign-in activity' malspam using JSE - delivers Locky
- https://myonlinesecu...delivers-locky/
9 Sep 2016 - "... this being used to spread Locky ransomware is a step in the wrong direction. This sort of email ALWAYS catches out the unwary. To make it even worse a JSE file is an encoded/encrypted jscript file that runs in the computer properly but is unreadable to humans (looks like garbled text) and because of the garbled txt the majority of antiviruses do -not- see it as a threat. Jscript is a Microsoft specific interpretation of JavaScript. They use email addresses and subjects that will entice a user to read the email and open the attachment. Locky tries new techniques on a small scale to “test the waters” - we have seen several similar small scale attacks this week. They will use the results & returns from them to tweak and refine the techniques before mass malspamming them...

Screenshot: https://myonlinesecu...ty-1024x414.png

9 September 2016: 24549.zip: Extracts to: 24549.jse - Current Virus total detections 3/56*
.. Payload Security** shows a download from sonysoftn .top/log.php?f=3.bin which gave me log.exe (VirusTotal 20/57***).
Payload Security[4]. Many antiviruses are only detecting this malware heuristically (generic detections based on the NSIS packer used to create it). All indications suggest that it is a new variant of Locky ransomware. The IP numbers and sites it contacts have been used this week in other Locky ransomware versions. The problems are coming in the anti-analysis protections that Locky appear to have built-in to the new version of their horrifically proliferate ransomware. Although Payload security does show screenshots of a Locky ransomware file. NOTE: For some weird reason screenshots and images on payload security are -not- showing up in Internet explorer, although they do in Chrome and Firefox... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473349038/

** https://www.reverse....vironmentId=100


*** https://www.virustot...sis/1473398861/

4] https://www.hybrid-a...vironmentId=100

___

Fake 'Documents Requested' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
9 Sep 2016 - "... Locky downloaders... an email with the subject of 'Documents Requested' or 'FW: Documents Requested' pretending to come from a random name at your own email domain or company with a zip file named either Untitled(6).zip or newdoc(1).zip containing a HTA file (random numbers)... One of the emails looks like:
From: random name at your own email domain or company
Date: Fri 09/09/2016 14:03
Subject: FW:Documents Requested
Attachment: Untitled(6).zip
    Dear addy,
    Please find attached documents as requested.
    Best Regards,
    Gilbert


9 September 2016: Untitled(6).zip: Extracts to: 2809tib.hta - Current Virus total detections 6/58*
.. Payload Security** shows a download of an encrypted file from stylecode .co .in/7832ghd?KQWbOiH=QuwOGqnGpyL
 which is transformed by the script to UcyxmkpQ1.dll (VirusTotal 21/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473420208/

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1472755942/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 09 September 2016 - 08:19 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
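Added example (not from the post or the blogs it quotes): a mail-gateway style check for the attachment pattern these Locky downloaders share, as described across the posts in this thread: a ZIP (even one saved as .dzip by the MIME error noted above) whose members are scripts (.hta/.jse/.js/.wsf), often two identical copies of one script, sometimes padded with a zero-filled filler file. The archives it inspects are constructed stand-ins built in memory, with harmless placeholder bodies; only the member names and layout mirror the posts.

```python
"""Inspect a mail attachment for the Locky-downloader archive traits described
in this thread. Every sample archive below is constructed for the example."""
import hashlib
import io
import os
import zipfile

# Script extensions named in the posts. splitext() keeps only the final suffix,
# so "tax_invoice_scan PDF.316AA.wsf" still resolves to ".wsf".
SCRIPT_EXTS = {".hta", ".jse", ".js", ".wsf"}


def is_zip(data: bytes) -> bool:
    """Trust the ZIP local-file-header magic, not the extension the client chose."""
    return data[:4] == b"PK\x03\x04"


def inspect_archive(data: bytes) -> dict:
    """Return what a filter would log about one attachment, plus a verdict."""
    findings = {"script_members": [], "duplicate_scripts": [],
                "padding_members": [], "verdict": "clean"}
    if not is_zip(data):
        findings["verdict"] = "not-a-zip"
        return findings
    by_digest = {}  # sha256 -> member names with that content
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTS:
                findings["script_members"].append(info.filename)
                digest = hashlib.sha256(content).hexdigest()
                by_digest.setdefault(digest, []).append(info.filename)
            elif content and content.count(0) == len(content):
                # Filler member made entirely of 0x00 bytes (the single-character
                # 4 KB file the posts describe beside a .JS downloader).
                findings["padding_members"].append(info.filename)
    findings["duplicate_scripts"] = [n for n in by_digest.values() if len(n) > 1]
    if findings["script_members"]:
        findings["verdict"] = "quarantine"
    return findings


def build_sample(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to create test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-ins for attachments named in the posts (placeholder bodies).
FAKE_SCRIPT = b'<script language="JScript">/* placeholder body */</script>\r\n'
SAMPLE_DZIP = build_sample({"2015jozE.hta": FAKE_SCRIPT})  # "Ord9226435.dzip"
SAMPLE_TWIN_JS = build_sample({"921FA0B8 Budget_report_xls.js": FAKE_SCRIPT,
                               "921FA0B8 Budget_report_xls - 1.js": FAKE_SCRIPT})
SAMPLE_PADDED = build_sample({"Booking confirmation ~0D68BA0~.js": FAKE_SCRIPT,
                              "a": b"\x00" * 4096})
SAMPLE_BENIGN = build_sample({"invoice.pdf": b"%PDF-1.4 placeholder\n"})

if __name__ == "__main__":
    for label, blob in [("dzip", SAMPLE_DZIP), ("twin-js", SAMPLE_TWIN_JS),
                        ("padded", SAMPLE_PADDED), ("benign", SAMPLE_BENIGN)]:
        print(label, inspect_archive(blob))
```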



#1802 AplusWebMaster


Posted 12 September 2016 - 10:09 AM

FYI...

Fake 'Budget report' SPAM - leads to Locky
- http://blog.dynamoo....t-leads-to.html
12 Sep 2016 - "This -fake- financial spam leads to Locky ransomware:
    From:    Lauri Gibbs
    Date:    12 September 2016 at 15:11
    Subject:    Budget report
    Hi [redacted],
    I have partially finished the last month's budget report you asked me to do. Please add miscellaneous expenses in the budget.
    With many thanks,
    Lauri Gibbs


Attached is a randomly-named ZIP file which in sample I saw contained two identical malicious scripts:
921FA0B8 Budget_report_xls - 1.js
921FA0B8 Budget_report_xls.js
The scripts are highly obfuscated however the Hybrid Analysis* and Malwr report** show that it downloads a component from:
lookbookinghotels .ws/a9sgrrak
trybttr .ws/h71qizc
These are hosted on a New Wave Netconnect IP at 23.95.106.223. This forms part of a block 23.95.106.128/25 which also contained Locky download locations at two other locations [1] [2] which rather makes me think that the whole range should be blocked. A DLL is dropped with a detection rate of about 8/57*** [3] [4] which appears to phone home to:
51.255.105.2/data/info.php (New wind Stanislav, Montenegro / OVH / France)
185.154.15.150/data/info.php [hostname: tyte .ru] (Dunaevskiy Denis Leonidovich, Russia / Zomro, Netherlands)
95.85.29.208/data/info.php [hostname: ilia909.myeasy .ru] (Digital Ocean, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
91.214.71.101/data/info.php (ArtPlanet LLC, Russia) ...
Recommended minimum blocklist:
23.95.106.128/25
51.255.105.2
185.154.15.150
95.85.29.208
46.173.214.95
91.214.71.101
"
* https://www.hybrid-a...vironmentId=100


** https://malwr.com/an...TYzZTFkODlmODM/
Hosts
23.95.106.223

1] http://blog.dynamoo....you-credit.html

2] http://blog.dynamoo....facilities.html

*** https://virustotal.c...sis/1473694538/

3] https://virustotal.c...sis/1473694538/

4] https://virustotal.c...sis/1473694540/
___

Avoid: BofA, Wells Fargo - SMS Phishing
- https://blog.malware...o-sms-phishing/
Sep 12, 2016 - "It always pays to be cautious where -unsolicited- text messages are concerned, as conniving phishers don’t always stick to the tried and tested route of email scams. For example, here’s two random texts sent out to one of our burner phones:
> https://blog.malware.../bofa-phish.jpg
...
> https://blog.malware...wells-phish.jpg
The targets here are customers of Bank of America and Wells Fargo. The messages read as follows:
    BofA customer your account has been disabled!!!
    Please read this readmybank0famerica.cipmsg-importantnewalertt(dot)com


I think I’d probably be faintly worried if my otherwise sober and business-like bank started sending out messages with more than two exclamation marks in a sentence, but even without that, observant recipients would notice they also added an extra “t” onto the end of “alert”. The other message reads as follows:
    (wells fargo) important message from security department! Login
    vigourinfo(dot)com/secure.well5farg0card(dot)html

The above URL -redirects- clickers to the below website:
denibrancheau(dot)com/drt/w311sfg0/
> https://blog.malware...lls-phish-2.jpg
The phishers want a big slice of personal information, including name, DOB, driving license, social security number, mother’s maiden name, address, city, zipcode, card information, ATM PIN number, and even an email address.
All this, from a simple text... SMS phishing is not new, but it does snag a lot of victims. Random messages from your “bank” asking you to visit a link should be treated with suspicion, especially if those links ask you to login. Banks are certainly not the only target of SMS phishers, but they’re one of the more valuable bullseyes for scammers to sink their teeth into. Whether receiving messages by email, text, or phone, your logins are only as safe as you make them – don’t make it easy for bank phishers and delete that spam."

readmybank0famerica.cipmsg-importantnewalertt(dot)com: A temporary error occurred during the lookup...

vigourinfo(dot)com/secure.well5farg0card(dot)html: 166.62.26.11: https://www.virustot...11/information/

denibrancheau(dot)com/drt/w311sfg0/ : 173.236.178.135: https://www.virustot...35/information/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 12 September 2016 - 10:41 AM.



#1803 AplusWebMaster


Posted 13 September 2016 - 04:13 AM

FYI...

Fake 'Tax invoice' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
13 Sep 2016 - "... Locky downloaders... an email with the subject of 'Tax invoice' coming as usual from random companies, names and email addresses with a random named/numbered zip attachment containing 2 identical .WSF files. Payload Security* shows an error in the downloaded file so it might not actually deliver the Locky ransomware or it might be that it will not run on a sandbox or VM... One of the emails looks like:
From: Anne Fernandez <Fernandez.8581@ starfamilymedicine .com>
Date: Tue 13/09/2016 10:12
Subject: Tax invoice
Attachment: 1a45b45d76ed.zip
    Dear Client,
    Attached is the tax invoice of your company. Please do the payment in an urgent manner.
    Best regards,
    Anne Fernandez


13 September 2016: 1a45b45d76ed.zip: Extracts to: tax_invoice_scan PDF.316AA.wsf
Current Virus total detections 5/56**.. Payload Security shows a download of an encrypted file from smilehymy .com/f72gngb which is transformed by the script to c2BwHrtql2.dll (VirusTotal 9/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.hybrid-a...vironmentId=100


** https://www.virustot...sis/1473758776/

*** https://www.virustot...sis/1473759502/

- http://blog.dynamoo....invoice-of.html
13 Sep 2016 - "This -fake- financial spam leads to Locky ransomware:
    Subject:     Tax invoice
    From:     Kris Allison (Allison.5326@ resorts .com.mx)
    Date:     Tuesday, 13 September 2016, 11:22
    Dear Client,
    Attached is the tax invoice of your company. Please do the payment in an urgent manner.
    Best regards,
    Kris Allison


The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:
adzebur .com/dsd7gk  [37.200.70.6] (Selectel Ltd, Russia)
duelrid .com/b9m1t [not resolving]
madaen .net/e3ib4f   [143.95.252.28] (Athenix Inc, US)
morningaamu .com/6wdivzv [not resolving]
smilehm .com/f72gngb [not resolving]
The payload then phones home... Recommended blocklist:
37.200.70.6
91.214.71.101
51.255.105.0/28
185.154.15.150
46.173.214.95
95.85.29.208
217.187.13.71
"
___

Fake 'Accounts Documentation' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
13 Sep 2016 - "... Locky downloaders... an email with the subject of 'Accounts Documentation – Invoices' pretending to come from CreditControl @ your own email domain with a random named zip attachment containing an .HTA file... One of the emails looks like:
From: CreditControl@...
Date: Tue 13/09/2016 10:22
Subject: Accounts Documentation – Invoices
Attachment: ~0166.zip
    Please find attached the invoice(s) raised on your account today. If you have more than one invoice they will all be in the single attachment above.
    If you have any queries please do not hesitate to contact the Credit Controller who deals with your account.
    Alternatively if you do not know the name of the Credit Controller you can contact us at:
    CreditControl@...
    Please do not reply to this E-mail as this is a forwarding address only.


13 September 2016: ~0166.zip: Extracts to: 22FrDra16.hta - Current Virus total detections 6/56*
.. Payload Security** shows a download of an encrypted file from
 goldenladywedding .com/vdG76VUY76rjnu?CHhjpz=zhXHhhwS which is transformed by the script to a working Locky ransomware (unfortunately Payload Security does not show or allow us to download the actual file)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1472753839/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.185.94.100
93.184.220.29
54.192.203.254

___

Fake 'Equipment receipts' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
13 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Equipment receipts' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... One of the emails looks like:
From: Stacey Aguirre <Aguirre.535@ coopenet .com.ar>
Date: Tue 13/09/2016 17:36
Subject: Equipment receipts
Attachment: 5926f98c2d8d.zip
    Good day hyperbolasmappera, Molly asked you to file the office equipment receipts.
    Here is the photocopying equipment receipts purchased last week.
    Please send him the complete file as soon as you finish.
     Best regards,
    Stacey Aguirre


13 September 2016: 5926f98c2d8d.zip: Extracts to: Equipment receipts 66BF9A.wsf - Current Virus total detections 5/55*
.. Payload Security** shows a download of an encrypted file from latexuchee .net/c4i03t which is transformed by the script to B6fKnUsSQfkrS.dll (VirusTotal 10/58***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473785537/

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1473786095/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 13 September 2016 - 12:43 PM.

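Added example (not from the posts or the blogs they quote): a scan of proxy log lines for the Locky traffic described in the posts above, using the indicators they give: the recurring download path token 7832ghd that dynamoo suggests monitoring for, the /data/info.php phone-home path from the Budget report post, and the recommended blocklists (including the 23.95.106.128/25 and 51.255.105.0/28 ranges). The log format and the log lines are constructed for this example; the hacked-site hostnames are replaced with .invalid placeholders and 51.255.105.9 is a made-up address inside the blocked /28.

```python
"""Flag proxy log lines matching the Locky indicators quoted in this thread.
Log format (constructed): <timestamp> <client_ip> <method> <url> <dst_ip> <status>"""
import ipaddress
import re
from urllib.parse import urlsplit

# Path token the posts report recurring in the campaign's download URLs.
DOWNLOAD_TOKENS = {"7832ghd"}
# Phone-home path seen on every host listed in the Budget report post.
PHONE_HOME_PATH = "/data/info.php"
# Recommended blocklists copied from the dynamoo posts above (bare IPs become /32).
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "23.95.106.128/25", "51.255.105.0/28", "185.154.15.150", "95.85.29.208",
    "46.173.214.95", "91.214.71.101", "37.200.70.6", "217.187.13.71")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<dst>\S+) (?P<status>\d{3})$")


def classify(line: str):
    """Return {client, url, reasons} when a line matches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    first_segment = parts.path.strip("/").split("/")[0]
    reasons = []
    if first_segment in DOWNLOAD_TOKENS:
        reasons.append(f"download path token {first_segment}")
    if parts.path == PHONE_HOME_PATH:
        reasons.append(f"phone-home path {PHONE_HOME_PATH}")
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        dst = None
    if dst is not None:
        # CIDR match, so the /25 and /28 ranges catch neighbours of listed hosts.
        hit = next((net for net in BLOCKLIST if dst in net), None)
        if hit is not None:
            reasons.append(f"destination {dst} in blocklist {hit}")
    if not reasons:
        return None
    return {"client": m["client"], "url": m["url"], "reasons": reasons}


def scan(lines):
    """Return the flagged records for an iterable of log lines."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed log lines: placeholder hostnames, page-quoted IPs and paths.
SAMPLE_LOG = """\
2016-09-13T10:20:01Z 10.0.0.21 GET http://hacked-site-a.invalid/7832ghd?TtrISozIzi=CemUQBnTyeQ 203.0.113.10 200
2016-09-13T10:20:03Z 10.0.0.21 GET http://hacked-site-b.invalid/a9sgrrak 23.95.106.223 200
2016-09-13T10:20:09Z 10.0.0.21 POST http://51.255.105.2/data/info.php 51.255.105.2 200
2016-09-13T10:21:00Z 10.0.0.22 GET http://www.example.com/index.html 93.184.216.34 200
2016-09-13T10:21:05Z 10.0.0.23 GET http://51.255.105.9/ 51.255.105.9 404
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["client"], hit["url"], "; ".join(hit["reasons"]))
```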


#1804 AplusWebMaster


Posted 14 September 2016 - 03:49 AM

FYI...

Fake 'Account report' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Account report' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... Payload Security[1] shows an error in running the dll file... One of the emails looks like:
From: Kimberley Witt <Witt.0236@ shopscissors .com>
Date: Wed 14/09/2016 08:31
Subject: Travel expense sheet
Attachment: 667b8951c871.zip
    Dear nohdys, we have detected the cash over and short in your account.
    Please see the attached copy of the report.
    Best regards,
    Kimberley Witt
    e-Bank Manager


14 September 2016: 667b8951c871.zip: Extracts to: Account report 2311EEF4.wsf - Current Virus total detections 5/55**
.. MALWR*** unable to get any content. Payload security[1] shows a download of an encrypted file from
 maydayen .net/l835ztl which is transformed by the script to RjN1UKDIQLzodBg.dll (VirusTotal 21/58[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.hybrid-a...vironmentId=100
Contacted Hosts
178.212.131.10

** https://www.virustot...sis/1473838191/

*** https://malwr.com/an...DJlYTkxNTFlYWI/

4] https://www.virustot...sis/1472755942/
___

Fake 'Delivery Confirmation' SPAM - delivers Locky/Zepto
- https://myonlinesecu...ers-lockyzepto/
14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Delivery Confirmation: 00336499' [random numbers] coming as usual from ship-confirm@ random companies, names and email addresses with a random named zip attachment containing a .JS file. These are slightly better done than some recent ones. The attachment number Shipping Notification matches the subject Delivery Confirmation number... One of the emails looks like:
From: ship-confirm@ laughlinandbowen .com
Date: Wed 14/09/2016 10:55
Subject: Delivery Confirmation: 00336499
Attachment: Shipping Notification 00336499.zip
    PLEASE DO NOT REPLY TO THIS E-MAIL. IT IS A SYSTEM GENERATED MESSAGE.
    Attached is a pdf file containing items that have shipped
    Please contact us if there are any questions or further assistance we can provide


14 September 2016: Shipping Notification 00336499.zip: Extracts to: WOIMKE51915.js
Current Virus total detections 7/55*. MALWR** shows a download of an encrypted file from one of these locations:
 http ://adventurevista .com/hjy93JNBasdas?TVwzUk=tqFSMMU | http ://morerevista .com/hjy93JNBasdas?TVwzUk=tqFSMMU
which is transformed by the script to TKuAgcqe3.dll (VirusTotal 6/57***)... There are frequently 5 or 6 and even up to 150 download locations on some days, sometimes delivering the exactly same malware from all locations and sometimes slightly different malware versions... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473847035/

** https://malwr.com/an...TljOTFmNjkxYTk/
Hosts
204.93.163.87
23.236.238.227


*** https://www.virustot...sis/1473848281/
___

Fake 'Renewed License' SPAM - more Locky
- https://myonlinesecu...delivers-locky/
14 Sep 2016 - "... Locky downloaders... an email with the subject of 'Renewed License' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .WSF files... One of the emails looks like:
From: Stella Henderson <Henderson.70579@ siamesegear .com>
Date: Wed 14/09/2016 17:58
Subject: Renewed License
Attachment: 4614d82776.zip
    Here is the company’s renewed business license.
    Please see the attached license and send it to the head office.
    Best regards,
    Stella Henderson
    License Manager


14 September 2016: 4614d82776.zip: Extracts to: renewed business license 3D956A.wsf
Current Virus total detections 2/55*. MALWR** seems unable to cope with WSF files like this. Payload Security*** shows a download of an encrypted file from moismdheri .net/jqpxub which is transformed by the script to a working locky file, which unfortunately isn’t being shown or made available... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473872609/

** https://malwr.com/an...zM1MzE3ZjhlNzY/

*** https://www.hybrid-a...vironmentId=100

___

Fake 'payment copy' SPAM - delivers Locky/Zepto
- https://myonlinesecu...rs-locky-zepto/
13 Sep 2016 - "... Locky downloaders.. an email with the subject of 'payment copy' coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file. The email body has -no- content except 'Best Regards' and the alleged senders name... One of the emails looks like:
From: Eddie screen <Eddie450@ hidrolats .lv>
Date: Tue 13/09/2016 22:02
Subject: payment copy
Attachment: PID6650.zip
     —
    Best Regards, _________
    Eddie screen


13 September 2016: PID6650.zip: Extracts to: OCRXIB2826.wsf - Current Virus total detections 7/56*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://allchannel .net/jpqhvig?eGkOBjIQFz=dEVDXjWYjjH | http ://feechka .ru/wdxwxoa?eGkOBjIQFz=dEVDXjWYjjH
 http ://jonathankimsey .com/rptyswr?eGkOBjIQFz=dEVDXjWYjjH
which is transformed by the script to yvXjbqxs1.dll (VirusTotal 7/58***). Payload security[4] is showing a different dll downloaded & converted... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473800782/

** https://malwr.com/an...jIzMjQyNDJmNjk/
Hosts
94.73.146.80
5.61.32.143
143.95.41.185


*** https://www.virustot...sis/1473801197/

4] https://www.hybrid-a...vironmentId=100

 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 14 September 2016 - 01:50 PM.



#1805 AplusWebMaster


Posted 15 September 2016 - 03:41 AM

FYI...

Fake 'financial report' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
15 Sep 2016 - "... Locky downloaders... an email with the subject of 'financial report' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
From: Lenora Preston <Preston.03846@ tarquinm .com>
Date: Thu 15/09/2016 09:13
Subject: financial report
Attachment: b3fe1958be4e.zip
    Annabelle is urging you to get the financial report done within this week.
    Here are some accounting data I have collected. Please merge it into your report.
    Best regards,
    Lenora Preston


15 September 2016: b3fe1958be4e.zip: Extracts to: financial report 6AD1543.js - Current Virus total detections 3/55*
.. MALWR** shows a download of an encrypted file from http ://wyvesnarl .info/1gtqiyj which is transformed by the script to bNvbVc5R8fy.dll (VirusTotal 15/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473927705/

** https://malwr.com/an...zJlMWZlMTZhNjM/
Hosts
37.200.70.6

*** https://www.virustot...sis/1473928074/
___

Fake 'SCAN' SPAM - delivers Locky/Zepto
- https://myonlinesecu...rs-locky-zepto/
15 Sep 2016 - "... Locky downloaders... an email with the subject of 'SCAN' coming from logistics@ random companies, names and email addresses with a random named zip attachment starting with SCAN _ todays date containing a WSF file... One of the emails looks like:
From: Elaine woolley <logistics@ kemindo-international .com>
Date: Thu 15/09/2016 10:37
Subject: Scan
Attachment: SCAN_20160915_8952113428.zip
    Elaine woolley
    Logistics Department
    ALGRAFIKA SH.P.K ...


15 September 2016: SCAN_20160915_8952113428.zip: Extracts to: QATZEQE1822.wsf - Current Virus total detections 6/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://lullaby-babies .co.uk/afdIJGY8766gyu?EAiVvPQk=DvRgYPfvxC
 http ://iassess .net/afdIJGY8766gyu?EAiVvPQk=DvRgYPfvxC
 http ://techboss .net/afdIJGY8766gyu?EAiVvPQk=DvRgYPfvxC which is transformed by the script to
 UloAJcCuAfq1.dll (VirusTotal 6/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473932344/

** https://malwr.com/an...WZkYjY3MTE0MDI/


*** https://www.virustot...sis/1473932910/
___

Bitcoin Phishing
- https://blog.opendns...hing-next-wave/
Sep 15, 2016 - "... Through this investigation, we found more than 280 Bitcoin phishing domains, so it is clear here that your Bitcoins are under attack. Additionally, criminals are using different methods and tricks to stay under the radar, such as using reverse proxy services to hide the IPs serving the illegal content..."
(More at the opendns URL above.)
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 15 September 2016 - 11:07 AM.



#1806 AplusWebMaster


Posted 16 September 2016 - 03:37 AM

FYI...

Fake 'request' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
16 Sep 2016 - "... Locky downloaders... an email with the subject of 'Re: request' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 identical .JS files... One of the emails looks like:
From: Leroy Dillard <Dillard.65@ airtelbroadband .in>
Date: Fri 16/09/2016 08:15
Subject: Re: request
Attachment: 819533a5b1ac.zip
    Dear adkins, as you inquired, here is the invoice from September 2016.
    Let me know whether it is the correct invoice number you needed or not.


16 September 2016: 819533a5b1ac.zip: Extracts to: september_2016_details_~2CB6B4~.js
Current Virus total detections 1/55*. Payload Security** shows a download of an encrypted file from
 satyrwelf .net/27d4l09 which is transformed by the script to a working locky ransomware file. Unfortunately Payload security does not show or download the file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474009965/

** https://www.hybrid-a...vironmentId=100

___

Fake 'Booking confirmation' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
15 Sep 2016 8:39 pm - "... Locky downloaders... an email with the subject of 'Booking confirmation' coming as usual from random companies, names and email addresses with a random named zip attachment containing 2 files. 1 is a .JS file. The other is a 4kb file with a single character name that is full of 0 byte padding... One of the emails looks like:
From: Avery Moses <Moses.17671@ domainedelunard .com>
Date: Thu 15/09/2016 19:58
Subject: Booking confirmation
Attachment: 426c7ce21e1.zip
    Hi there allan.dickie, it’s Avery. I booked the ticket for you yesterday.
    See the attachment to confirm the booking.
     King regards,
     Avery Moses


15 September 2016: 426c7ce21e1.zip: Extracts to: Booking confirmation ~0D68BA0~.js
Current Virus total detections 1/54*. Payload Security** shows a download of an encrypted file from
 satyrwelf .net/27d4l09 which is transformed by the script to a working locky ransomware file. Unfortunately Payload security does not show or download the file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1473966399/

** https://www.hybrid-a...vironmentId=100

___

Locky download locations 2016-09-16
- http://blog.dynamoo....2016-09-16.html
16 Sep 2016 - "I haven't had a chance to look at Locky today, but here are the current campaign download locations (thanks to my usual source)..
(Many domain-names shown at the dynamoo URL above.)
The first two lists are legitimate hacked sites, the last list are hosted on the following two IPs which are -definitely- worth blocking:
178.212.131.10 (21 Century Telecom Ltd, Russia)
37.200.70.6 (Selectel Ltd, Russia) "

178.212.131.10: https://www.virustot...10/information/
>> https://www.virustot...94461/analysis/
37.200.70.6: https://www.virustot....6/information/
>> https://www.virustot...f8c1a/analysis/
___

Email tips - from Malwarebytes ...
- https://blog.malware...ware-infection/
"... Read emails with an-eagle-eye. Check the sender’s address. Is it from the actual company he or she claims? Hover over links provided in the body of the email. Is the URL legit? Read the language of the email carefully. Are there weird line breaks? Awkwardly constructed sentences that sound foreign? And finally, know the typical methods of communication for important organizations. For example, the IRS will never contact you via email. When in doubt, call your healthcare, bank, or other potentially-spoofed organization directly.
> Bonus mobile phone tip: Cybercriminals love spoofing banks via SMS/text message or -fake- bank apps. Do not confirm personal data via text, especially social security numbers. Again, when in doubt, contact your bank directly..."
___

Amex users hit with phish offering anti-phish
- https://www.helpnets...ing-protection/
Sep 15, 2016 - "American Express users are being actively targeted with phishing emails impersonating the company and advising users to create an 'American Express Personal Safe Key' to improve the security of their accounts:
> https://www.helpnets...fekey-email.jpg
Users who fall for the scheme are directed to a -bogus- Amex login page (at http ://amexcloudcervice .com/login/). Once they enter their user ID and password, they are taken to a bogus page that ostensibly leads them through the SafeKey setup process. The victims are asked to input their Social Security number, date of birth, mother’s maiden name, mother’s date of birth, their email address, the Amex card info and identification number, and the card’s expiration date and 3-digit code on the back of the card:
> https://www.helpnets...bogus-setup.jpg
The victims will be taken through the setup process even if they enter incorrect login credentials. And, after they finish entering all the information asked of them, they are redirected to the legitimate Amex website, making them believe they were using it the whole time..."

amexcloudcervice .com: 104.255.97.117: https://www.virustot...17/information/
104.36.80.16: https://www.virustot...16/information/
___

Ransomware Trends
- https://atlas.arbor....index#337041686
Sep 15, 2016 - "... Analysis: Money is seemingly easy to make with ransomware and more variants continue to appear. $121 million in six months is no longer out of the realm of possibility with larger variants possibly making more and in less time. Developers are keen to exploit large-scale business and hospital networks, in hopes of taking advantage of deeper pockets. As they move forward, more traditional malware spreading methods will likely be employed, including web app vulnerability scanning and SQL database vulnerability scans. Ransomware-as-a-Service is quickly becoming popular. These service offerings significantly lower the barrier of entry so that almost anyone can now take advantage of this criminal activity. Unlike other malware-as-a-service offerings that usually charge fees upfront for access, most ransomware services are simply affiliate based, aiming to gain as many customers as possible in hopes of compromising more victims. These ransomware services have no monetary barrier to entry, only that most of the customers distribute their packages themselves. Ransomware may be growing leaps and bounds but the same basic mitigation principles exist. Users are encouraged to avoid unsolicited emails and attachments, -never- enable macros in documents unless you have a legitimate reason to, maintain up-to-date system backups that are stored offline, and update systems with the latest patches and security elements as quickly as possible..."
___

Azure outage...
- https://azure.micros...status/history/
9/15 ...
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 17 September 2016 - 06:25 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1807 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 19 September 2016 - 03:15 AM

FYI...

Fake 'Express Parcel service' SPAM - leads to Locky
- http://blog.dynamoo....el-service.html
19 Sep 2016 - "This spam has a malicious attachment:
    From:    Marla Campbell
    Date:    19 September 2016 at 09:09
    Subject:    Express Parcel service
    Dear [redacted], we have sent your parcel by Express Parcel service.
    The attachment includes the date and time of the arrival and the lists of the items you ordered. Please check them.
    Thank you.


Attached is a randomly named ZIP file containing a malicious .js script in the format Express Parcel service ~0A1B2C~.js with a junk w file that seems to contain nothing. The Hybrid Analysis* for one sample shows a download location of:
178.212.131.10/z3zeg (21 Century Telecom Ltd, Russia)
There are probably others (I'll post them if I get them). The payload appears to be Locky ransomware, phoning home to:
195.64.154.202/data/info.php (Ukrainian Internet Names Center LTD, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
ajsrbomqrrlra .pw/info.php [91.223.88.209] (Private Person Anton Malyi aka conturov.net, Ukraine)
It drops a DLL with a detection rate of 8/54*.

 

UPDATE: These Hybrid Analysis reports of other samples [1] [2]... show -other- download locations... All of these domains are hosted on evil IPs:
178.212.131.10 (21 Century Telecom Ltd, Russia)
91.194.250.131 (Evgeniy Zbarazhskiy aka TOV 'Dream Line Holding', Ukraine)...

Recommended blocklist:
195.64.154.202
46.38.52.225
91.223.88.209
178.212.131.10

91.194.250.131 "
The last one listed in italics is part of the update.

* https://www.hybrid-a...vironmentId=100
Contacted Hosts
91.194.250.131
46.38.52.225
195.64.154.202
91.223.88.209


** https://virustotal.c...sis/1474275264/

1] https://www.hybrid-a...vironmentId=100

2] https://www.hybrid-a...vironmentId=100
___

Fake 'Order' SPAM - leads to Locky
- https://myonlinesecu...leads-to-locky/
19 Sep 2016 - "... Locky downloaders... an email with the subject of 'Order: 19487600/00 – Your ref.:11893' [random order number, random reference number] coming as usual from random companies, names and email addresses with a macro enabled word doc attachment...

Screenshot: https://myonlinesecu...93-1024x624.png

19 September 2016: OffOrd_19487600-00-35879-972570.docm - Current Virus total detections 11/55*
.. MALWR** shows a download of an encrypted file from http ://sarayutechnologies .com/67SELbosjc358
 which is transformed by the macro to chrendokss.dll and autorun (VirusTotal 8/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474284844/

** https://malwr.com/an...TY3ZDExNTExM2Q/
Hosts
89.163.249.205

*** https://www.virustot...sis/1474288204/

- http://blog.dynamoo....0-your-ref.html
19 Sep 2016 - "This -fake- financial spam has a malicious attachment that leads to Locky ransomware.
    Subject:     Order: 28112610/00 - Your ref.: 89403
    From:     Melba lochhead (SALES1@ krheadshots .com)
    Date:     Monday, 19 September 2016, 16:05
    Dear customer,
    Thank you for your order.
    Please find attached our order confirmation.
    Should you be unable to open the links in the document, you can download the latest version of Adobe Acrobat Reader for free...
    Should you have any further questions, do not hesitate to contact me.
    Kind Regards,
    Melba lochhead
    Internal Sales Advisor - Material Handling Equipment Parts & Accessories...


I have only seen a single sample so far, but I understand that reference numbers and names vary. Attached is a malicious .DOCM file with a name in the format OffOrd_87654321-00-1234567-654321.docm, my trusted source says that the various versions download a component...
(Many domain-names listed at the dynamoo URL above.)
It drops a DLL which had a moderate detection rate earlier[8/57]*. This version of Locky does -not- communicate with C2 servers, so if you want to block or monitor traffic perhaps you should use the string 67SELbosjc358."
* https://www.virustot...f0417/analysis/
chrendokss.dll.3860.dr
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 19 September 2016 - 09:39 AM.



#1808 AplusWebMaster

Posted 20 September 2016 - 03:25 AM

FYI...

Fake 'Tracking data' SPAM - leads to Locky
- http://blog.dynamoo....a-leads-to.html
20 Sep 2016 - "This spam has a malicious attachment leading to Locky ransomware:
    From:    Loretta Gilmore
    Date:    20 September 2016 at 08:31
    Subject:    Tracking data
    Good afternoon [redacted],
    Your item #9122164-201609 has been sent to you by carrier.
    He will arrive to you on 23th of September, 2016 at noon.
    The tracking data (4fec25a8429fd7485c56c9211151eb42d59b57abf402cc363bc635) is attached. 


The sender's name and reference numbers vary. Attached is a randomly named .ZIP file containing a malicious .js script named in the format tracking data ~C503090F~.js (the hexadecimal number is random) plus a junk file with a single-letter name...
UPDATE: Hybrid Analysis of various samples [1] [2].. shows the script downloading from various locations... All of these are hosted on:
178.212.131.10 (21 Century Telecom Ltd, Russia)
95.173.164.205 (Netinternet Bilisim Teknolojileri AS, Turkey)
The malware then phones home to the following locations:
91.223.88.205/data/info.php (Anton Malyi aka conturov.net, Ukraine)
176.103.56.105/data/info.php (Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
195.64.154.202/data/info.php (Ukrainian Internet Names Center, Ukraine)
kixxutnpikppnslx .xyz/data/info.php  [91.223.88.209] (Anton Malyi aka conturov.net, Ukraine)
A DLL is dropped with a detection rate of 13/57*.
Recommended blocklist:
178.212.131.10
95.173.164.205
91.223.88.0/24
46.38.52.225
195.64.154.202
"
1] https://www.hybrid-a...vironmentId=100
Contacted Hosts
178.212.131.10
91.223.88.205
176.103.56.105
46.38.52.225
195.64.154.202
91.223.88.209


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
178.212.131.10
46.38.52.225
91.223.88.205
176.103.56.105
195.64.154.202
91.223.88.209


* https://virustotal.c...6e7e2/analysis/
RwjjKUw5U4bU.dll
___

Evil network: 178.33.217.64/28 ... exploit kit
- http://blog.dynamoo....6428-et-al.html
20 Sep 2016 - "This customer of OVH appears to be registered with -fake- details, and are distributing-malware via a block at 178.33.217.64/28. Currently, the following IPs are distributing some sort of unidentified exploit kit:
178.33.217.64
178.33.217.70
178.33.217.71
178.33.217.78
178.33.217.79
A list of the domains associated with those IPs can be found here [pastebin*]... Checking the evolution-host .com... an invalid address with a different street number from before and an Irish telephone number... The Evolution Host website appears to have no contact details at all. RIPE associates the tag ORG-JR46-RIPE with the following IP ranges, all rented from OVH. I suggest you block -all- of them:
91.134.220.108/30
92.222.208.240/28
149.202.98.244/30
176.31.223.164/30
178.33.217.64/28
"
* http://pastebin.com/9QGvmRVt
___

Fake 'documents' SPAM - delivers Locky
- https://myonlinesecu...rs-locky-zepto/
20 Sep 2016 - "... Locky downloaders... an email with the subject of 'documents' pretending to come from random names @ cableone .net with a random named zip attachment containing a WSF file... One of the emails looks like:
From: Brandi theakston <Brandi.theakston@ cableone .net>
Date: Tue 20/09/2016 14:27
Subject: documents
Attachment: 5040_98991330.zip
    —
    Brandi theakston
    Office Manager
    Box Rentals LLC
    Sanibel Executive Suites
    Crestwood Apts.
    Cleveland Apts...


20 September 2016: 5040_98991330.zip: Extracts to: YPBUJSS17703.wsf - Current Virus total detections 5/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://steyjixie .net/yCTb6zqTQ?bJiuYAR=nFrDER | http ://writewile .su/CTb6zqTQ?bJiuYAR=nFrDER
 http ://wellyzimme .com/CTb6zqTQ?bJiuYAR=nFrDER which is transformed by the script to NTlCmBVJkD1.dll
(VirusTotal 9/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474375101/

** https://malwr.com/an...WZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250


*** https://www.virustot...sis/1474383107/
___

Fake 'Out of stock' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
20 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Out of stock' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
From: Steven Goodman <Goodman.55291@ 70-static.tedata .net>
Date: Tue 20/09/2016 20:25
Subject: Out of stock
Attachment: 050f0ba31ac.zip
    Dear [REDACTED], we are very sorry to inform you that the item you requested is out of stock.
    Here is the list of items similar to the ones you requested.
    Please take a look and let us know if you would like to substitute with any of them.


20 September 2016: 050f0ba31ac.zip: Extracts to: updated order ~3F369A12~ pdf.js - Current Virus total detections 4/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://vumdaze .com/pknjo995 | http ://youthmaida .net/7ewhtm6  which is transformed by the script to rg4V0yhh8iC.dll (VirusTotal 8/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474400445/

** https://malwr.com/an...mRlOGY5N2JhODk/
Hosts
95.173.164.205
178.212.131.10


*** https://www.virustot...sis/1474398913/
___

'Just For Men' website - serves malware
- https://blog.malware...serves-malware/
Sep 20, 2016 - "The website for Just For Men, a company that sells various products for men as its name implies, was serving malware to its visitors. Our automated systems detected the drive-by download attack pushing the RIG exploit kit, eventually distributing a password stealing Trojan. In this particular attack chain we can see that the homepage of justformen[.]com has been injected with obfuscated code. It belongs to the EITest campaign* and this gate is used to perform the -redirection- to the exploit kit. EITest is easy to recognize (although it has changed URL patterns) for its use of a Flash file in its redirection mechanism.
* https://blog.malware...lware-campaign/
RIG EK has now taken over Neutrino EK as the most commonly used and seen toolkit in the wild... We replayed the attack in our lab as shown in the video below:
>
... We reported this incident to Combe, the parent company for Just For Men. Between the time we collected our traffic capture and writing of this blog, we noticed the site had changed. As of now, the site is running the latest version of WordPress according to this scan from Sucuri** and does not appear to be compromised any more..."
** https://sitecheck.su.../justformen.com
... C2 callbacks:
217.70.184.38: https://www.virustot...38/information/
Country: FR / Autonomous System: 29169 (Gandi SAS)
173.239.23.228: https://www.virustot...28/information/
Country: US / Autonomous System: 27257 (Webair Internet Development Company Inc.)

... see "Latest detected URLs" shown in the virustotal links.
___

Fake AV on Google Play ...
- https://blog.malware...to-google-play/
Sep 19, 2016 - "Every once in a while, a -fake- antivirus pops up on the Google Play store. Most of the time, it’s just a fake scanner that doesn’t detect anything because it doesn’t actually look for anything to detect. Show a scan that simply lists all the apps on your device and it’s pretty easy to look legit. They serve up some -ads- for revenue, and you are given the false sense your phone isn’t infected — kind of a win-win unless you actually want malicious apps to be detected/removed. These apps are often ignored by real AV scanners because, technically, they aren’t doing anything malicious. It’s only when malicious intent is found that these apps are classified as bad. With a clean design and look, Antivirus Free 2016 could very easily be confused for a legitimate AV scanner:
> https://blog.malware...Screenshot1.png
...
> https://blog.malware...Screenshot4.png
Looking deeper though, one would see its true intent. To start, 'Antivirus Free 2016' is given permission to read, write, send, and receive SMS messages. It isn’t usual for an AV scanner to have receive SMS permission; but to read, write, or send SMS is another story. Unfortunately, any code that deals with SMS has been obfuscated/removed from being seen. The app’s receiver and service names, such as com.xxx.message.service.receiver.SmsReceiver, com.xxx.message.service.receiver.MmsReceiver, and com.xxx.message.service.RespondService, containing these codes raises enough suspicion on their own. What isn’t hidden in the code is the use of a complex decryption algorithm used to -hide- a URL and a string named “remotePackageName”. This could possibly be used to download and install -other- apps onto the device. According to our records, 'Antivirus Free 2016' is seen in the Google Play Store between August 14th to the 31st of this year, but has been removed since. Because of its extensive malicious intent, we have classified it as Android/Trojan.FakeAV. The act of using a -fake- Antivirus product to infect customers is far from a new trick. Still, it’s scary to think that a product that is meant to protect you can be the one doing the most damage. Make sure to do your research while picking a good AV product..."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 20 September 2016 - 03:04 PM.



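The two dynamoo items quoted above (the 'Express Parcel service' and 'Tracking data' posts) each end with a "Recommended blocklist" next to the "Contacted Hosts" from the Hybrid Analysis reports and the C2 check-in URLs. As an added example, not code from dynamoo or from any source quoted in this thread, here is how those lists can be checked against each other: the IPs and URLs are copied from the posts, the helper names are mine, and the `refang` step assumes the thread's own "http ://example .com /path" defanging style.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Blocklist as dynamoo published it in the 'Tracking data' post above:
# single hosts plus one /24 prefix.
RECOMMENDED_BLOCKLIST = [
    "178.212.131.10",
    "95.173.164.205",
    "91.223.88.0/24",
    "46.38.52.225",
    "195.64.154.202",
]

# "Contacted Hosts" from the first Hybrid Analysis report quoted in that post.
CONTACTED_HOSTS_REPORT_1 = [
    "178.212.131.10", "91.223.88.205", "176.103.56.105",
    "46.38.52.225", "195.64.154.202", "91.223.88.209",
]

# Locky check-in URLs from the same post, in the thread's defanged spelling.
# Second element: the resolved IP the post gives in brackets (None = already an IP).
C2_CALLBACKS = [
    ("91.223.88.205/data/info.php", None),
    ("176.103.56.105/data/info.php", None),
    ("46.38.52.225/data/info.php", None),
    ("195.64.154.202/data/info.php", None),
    ("kixxutnpikppnslx .xyz/data/info.php", "91.223.88.209"),
]


def refang(ioc):
    """Undo the 'http ://example .com /path' defanging used in this thread (assumed style)."""
    ioc = re.sub(r"\s+(?=://)", "", ioc)      # "http ://" -> "http://"
    ioc = re.sub(r"\s+(?=[./])", "", ioc)     # "example .com /x" -> "example.com/x"
    ioc = ioc.replace("[.]", ".")             # the other common defang style
    if "://" not in ioc:
        ioc = "http://" + ioc
    return ioc


def host_of(ioc):
    return urlsplit(refang(ioc)).hostname


def compile_blocklist(entries):
    """Bare IPs and CIDR strings -> ip_network objects (a bare IP becomes its own /32)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_blocked(host, networks):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False   # a hostname: must be resolved before an IP blocklist can judge it
    return any(addr in net for net in networks)


def covering_entry(host, entries):
    """Which blocklist line covers this host. Shows that the single /24 replaces the
    separate 91.223.88.205 / 91.223.88.209 entries listed in the earlier posts."""
    addr = ipaddress.ip_address(host)
    for entry in entries:
        if addr in ipaddress.ip_network(entry, strict=False):
            return entry
    return None


def triage(hosts, networks):
    """Split sandbox-contacted hosts into (blocked, not on the list) for analyst review."""
    blocked, unlisted = [], []
    for host in hosts:
        (blocked if is_blocked(host, networks) else unlisted).append(host)
    return blocked, unlisted


def unblocked_c2(callbacks, networks):
    """C2 hosts from the post that the recommended blocklist would NOT cover."""
    gaps = []
    for url, resolved in callbacks:
        host = resolved or host_of(url)
        if not is_blocked(host, networks):
            gaps.append(host)
    return gaps


if __name__ == "__main__":
    nets = compile_blocklist(RECOMMENDED_BLOCKLIST)
    print("contacted hosts (blocked, unlisted):", triage(CONTACTED_HOSTS_REPORT_1, nets))
    print("C2 hosts not covered by the blocklist:", unblocked_c2(C2_CALLBACKS, nets))
```

Running it shows one thing the posts do not spell out: the check-in host 176.103.56.105, which appears both in the "phones home" list and in both reports' contacted hosts, is not in the recommended blocklist, so a blocklist copied verbatim would still let that callback through. The contacted-host lists also include addresses the posts do not attribute; `triage` returns those separately rather than assuming they are hostile.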
#1809 AplusWebMaster

Posted 21 September 2016 - 07:34 AM

FYI...

Fake 'Receipt' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
21 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Receipt 40247' from The Music Zoo pretending to come from The Music Zoo <shipping3363@ themusiczoo .com> with a random numbered zip attachment (that matches the subject number) containing a .WSF file... One of the emails looks like:
From: The Music Zoo <shipping3363@ themusiczoo .com>
Date: Wed 21/09/2016 03:54
Subject: Receipt 40247 from The Music Zoo
Attachment: Receipt 40247.zip
    Thank you for your order!  Please find your final sales receipt attached to
    this email.
    Your USPS Tracking Number is: 1634888147633172932951
    This order will ship tomorrow and you should be able to begin tracking
    tomorrow evening after it is picked up. If you have any questions or
    experience any problems, please let us know so we can assist you.  Thanks
    again and enjoy!
    Thanks,
    The Music Zoo ...


21 September 2016: Receipt 40247.zip: Extracts to: IOABB32501.wsf - Current Virus total detections 17/54*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://awaftaxled .com/JHG67g32udi?DnzmQJqbM=ncEcxrIem | http ://uphershoji .net/JHG67g32udi?DnzmQJqbM=ncEcxrIem
which is transformed by the script to rg4V0yhh8iC.dll (VirusTotal 8/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474436523/

** https://malwr.com/an...2IxNjUxMGI2ZmY/
Hosts
62.84.69.75: https://www.virustot...75/information/
Domains
awaftaxled .com: 193.150.247.12: https://www.virustot...12/information/
uphershoji .net: 62.84.69.75

*** https://www.virustot...sis/1474435608/
___

Those never-ending waves of Locky malspam
- https://isc.sans.edu...l?storyid=21505
2016-09-21 - "Malicious spam (malspam) campaigns sending Locky ransomware are nothing new. We see reports of it on a near daily basis [1, 2]. But last month, Locky ransomware changed. It used to be downloaded as an executable file, but now it's being implemented as a DLL [3].... The malspam all contained zip archives as file attachments. Those zip archives contained either a .js file or a .wsf file. The .js files contain JavaScript and can be run with Windows Script Host by double-clicking the file. The .wsf file extension is used for a Windows Script File. These .wsf files can also be run by double-clicking on them in a Windows environment... some of these emails make it through, and people still get infected.  All it takes is one message, one Windows host without enough protective measures, and one person willing to start clicking away. A solid strategy for any sort of ransomware is to make-regular-backups of any important files. Remember to test those backups, so you're certain to recover your data. These .js and .wsf files are -designed- to download Locky and run the ransomware as a DLL..."
1] http://blog.dynamoo....rch/label/Locky

2] https://myonlinesecu...o.uk/tag/locky/

3] http://www.bleepingc...led-from-a-dll/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 21 September 2016 - 11:53 AM.



#1810 AplusWebMaster

Posted 22 September 2016 - 03:57 AM

FYI...

Fake 'Receipt of payment' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
22 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Receipt of payment' coming as usual from random companies, names and email addresses with a random numbered zip attachment containing a HTA file...

Screenshot: https://myonlinesecu...nt-1024x636.png

22 September 2016: (#721632093) Receipt.zip: Extracts to: A2LOCTI1203.hta - Current Virus total detections 7/54*
.. MALWR** is unable to analyse HTA files. Payload Security*** shows a download of an encrypted file from
 ringspo .com/746t3fg3 which is transformed by the script to a working locky file. Unfortunately Payload security free version does not show us or allow download of the locky ransomware itself... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474506588/

** https://malwr.com/an...jBhZmU3NzExMWI/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
67.205.36.188
52.24.123.95
93.184.220.29
52.85.173.119

___

Fake 'Package #..' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
22 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Package #DH4946376' [random numbers] pretending to come from DHL but actually coming as usual from random email addresses with a random named zip attachment containing a .JS file... One of the emails looks like:
From: DHL Express <Murray.64@ yj .By>
Date: Thu 22/09/2016 12:03
Subject: Package #DH4946376
Attachment: 4023cd96fe5.zip
    Dear helloitmenice,
    The package #DH4946376 you ordered has arrived today. There is some confusion in the address you provided.
    Please review the address in the attached order form and confirm to us. We will deliver as soon as we receive your reply.
    —–
    Beulah Murray
    DHL Express Support


22 September 2016: 4023cd96fe5.zip: Extracts to: package dhl express ~0EAD6~.js - Current Virus total detections 6/55*
.. MALWR** shows a download of an encrypted file from:
 http ://affordabledentaltours .com/g8xa1lt which is transformed by the script to UNDLiWCqgT.dll (VirusTotal 8/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474542522/

** https://malwr.com/an...jgwN2YwMWYwOTM/
Hosts
69.162.148.70: https://www.virustot...70/information/

*** https://www.virustot...sis/1474544725/
___

RAR to JavaScript: Ransomware - Email attachments
- http://blog.trendmic...il-attachments/
Sep 22, 2016 - "... Based on our analysis, 71% of known ransomware families arrive via email... Over the first half of the year, we observed how cybercriminals leveraged file types like JavaScript, VBScript, and Office files with macros to evade traditional security solutions... Trend Micro has already blocked and detected 80-million-ransomware-threats during the first half of the year; 58% of which came from email attachments. Throughout this year, we followed Locky’s spam campaign and how its ever changing email file attachments contributed to its prevalence. Based on our monitoring, the rising number of certain file types in email attachments is due to Locky. The first two months of the year, we spotted a spike in the use of .DOC files in spam emails. DRIDEX, an online banking threat notable for using macros, was, at one point, reported to be distributing Locky ransomware. From March to April, we saw a spike in the use of .RAR attachments, which is also attributed to Locky:
> https://blog.trendmi...9/Months-01.jpg
In June and August, it appears Locky’s operators switched to using JavaScript attachments. However, this type of attachment is also known to download -other- ransomware families such as CryptoWall 3.0 and TeslaCrypt 4.0. We also noticed Locky employing VBScript attachments, likely because this can be easily obfuscated to evade scanners. Around mid-July to August, we started seeing Locky’s spam campaign using Windows Scripting file (WSF) attachments — which could explain how WSF became the second file type attachment most used by threats. With WSF, two different scripting languages can be combined. The tactic makes it difficult to detect since it’s not a file type that endpoint solutions normally monitor and flag as malicious. Cerber was also spotted using this tactic in May 2016:
> https://blog.trendmi...ar-Graph-01.jpg
The latest strains of Locky were seen using DLLs and .HTA file attachments for distribution purposes. We surmise that malware authors abuse the .HTA file extension as it can bypass filters, given that it is not commonly known to be abused by cybercriminals:
> https://blog.trendmi..._copy_locky.jpg
Due to the continuous changes in the use of various file attachments, we suspect that the perpetrators behind Locky will use other executable files such as .COM, .BIN, and .CPL to distribute this threat... One critical aspect of a ransomware attack is its delivery mechanism. Once ransomware-laced emails enter the network and execute on the system, they can encrypt important files..."

"The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Rising Tides of SPAM
> http://blog.talosint...es-of-spam.html
Sep 21, 2016 - "...  According to CBL*, the last time spam volumes were this high was back in mid-2010:
* http://www.abuseat.org/totalflow.html
... An internal graph generated by SpamCop which illustrates the overall size of the SpamCop Block List (SCBL) over the past year. Notice how the SCBL size hovers somewhere under 200K IP addresses pre-2016, and more recently averages closer to 400K IP addresses, spiking to over 450K IPs in August:
> https://1.bp.blogspo...640/image01.png
... We cannot predict the future and stop spam attacks before they start. Therefore, in any reasonably well-designed spam campaign there will always exist a very narrow window of time between when that spam campaign begins, and when anti-spam coverage is deployed to counter that campaign. In most anti-spam systems, this "window of opportunity" for spammers may be on the order of seconds or even minutes. Rather than make their email lists more targeted, or deploying snowshoe style techniques to decrease volume and stay under the radar, for these spammers it has become a race. They transmit as much email as cyberly possible, and for a short time they may successfully land malicious email into their victims' inboxes. For evidence of this, we need not look very far. Analyzing email telemetry data from the past week, we can readily see the influence of these high-volume spam campaigns:
> https://4.bp.blogspo...640/image00.jpg
... Conclusion: Email threats, like any other, constantly evolve. As we grow our techniques to detect and block threats, attackers are simultaneously working towards evading detection technology. Unfortunately there is no silver bullet to defending against a spam campaign. Organizations are encouraged to build a layered set of defenses to maximize the chances of detecting and blocking such an attack. Of course, whenever ransomware is involved, offline backups can be -critical- to an organization's survival. Restoration plans need to be regularly reviewed -and- tested to ensure no mistakes have been made and that items have not been overlooked. Lastly, reach out to your users and be sure they understand that strange attachments are -never- to be trusted!"
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 22 September 2016 - 08:51 AM.


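The SANS diary quoted in the previous post and the Trend Micro piece above both make the same point: the zip attachments in these campaigns hold a .js or .wsf file (or .hta / .docm) that Windows runs on a double-click, sometimes with a decoy document type in the name ("updated order ~3F369A12~ pdf.js") and a zero-filled padding file beside it. As an added example serving both passages, and not code from SANS, Trend Micro or any blog quoted here, this is a mail-gateway style triage of such an archive. The test archive is constructed in memory from file names taken from this thread, with placeholder contents; the extension lists and the helper names are my assumptions about what a gateway would flag.

```python
import io
import os
import re
import zipfile

# Attachment types called out in the SANS and Trend Micro pieces above: scripts that
# Windows Script Host / mshta run on double-click, and macro-enabled Office files.
# (Which extensions to include is an assumption for this example.)
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".hta", ".vbs", ".vbe"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
# Harmless-looking tokens the campaigns put in front of the real extension.
DECOY_TOKEN = re.compile(r"(?:^|[\s_\-])(pdf|doc|docx|xls|jpg|png|txt)$", re.I)


def build_sample_zip(members):
    """Constructed test archive: {name: bytes} -> zip bytes. Not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify_member(name, data):
    """Return the reasons (possibly none) an archive member looks like a malspam dropper."""
    reasons = []
    base = os.path.basename(name.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script type {ext} runs under Windows Script Host/mshta when double-clicked")
        if DECOY_TOKEN.search(stem):
            reasons.append("decoy document type in the name before the real extension")
    elif ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office document {ext}")
    # The single-character, all-zero companion file seen in the 'Booking confirmation'
    # and 'Express Parcel service' campaigns above.
    if len(stem) == 1 and data and data.count(0) == len(data):
        reasons.append("single-character filename consisting entirely of zero bytes (padding)")
    return reasons


def scan_attachment(zip_bytes):
    """Map each suspicious member name to its reasons; empty dict means nothing flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename, zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def verdict(findings):
    return "quarantine" if findings else "allow"


# Constructed archive mirroring the 'Out of stock' zip above: decoy-named .js plus
# a 4 KB zero-padded file named "w". Contents are placeholders, not malware.
SAMPLE_ZIP = build_sample_zip({
    "updated order ~3F369A12~ pdf.js": b"/* constructed placeholder, not the real script */",
    "w": b"\x00" * 4096,
    "invoice.pdf": b"%PDF-1.4 constructed placeholder",
})

if __name__ == "__main__":
    found = scan_attachment(SAMPLE_ZIP)
    for member, reasons in found.items():
        print(member, "->", "; ".join(reasons))
    print("verdict:", verdict(found))
```

The check is deliberately name- and content-based rather than signature-based, which is the point of the SANS remark that "some of these emails make it through": the detection rates on VirusTotal quoted throughout this thread are in single digits on day one, while the attachment type itself is a stable signal. In practice a gateway would also strip or quarantine archives with these members outright rather than rely on the user not double-clicking.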


#1811 AplusWebMaster

Posted 23 September 2016 - 04:21 AM

FYI...

Fake 'Transactions' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
23 Sep 2016 - "... Locky downloaders... an email with the subject of 'Transactions details' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .JS file named Transactions details scan {random characters}.js... One of the emails looks like:
From: Lora Mooney <Mooney.771@ gallerystock .com>
Date: Fri 23/09/2016 06:35
Subject: Transactions details
Attachment: 9fc2fd82d4e.zip
    Dear xerox.774, this is from the bank with reference to your email yesterday.
    As you requested, attached is the scan of all the transactions your account made in September 2016.
    Please let us know if you need further assistance.
    —
    Lora Mooney
    Credit Controller ...


23 September 2016: 9fc2fd82d4e.zip: Extracts to: Transactions details scan 358AD50.js
Current Virus total detections 6/55*. MALWR** shows a download of an encrypted file from
 http ://prospower .com/kqp479c7 which is transformed by the script to L12I1sh9pd9X2.dll (VirusTotal 11/57***)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474609615/

** https://malwr.com/an...WM3YWJjODM0OWQ/
Hosts
207.7.95.142

*** https://www.virustot...sis/1474609924/
___

Fake 'Photo' SPAM - delivers Locky
- https://myonlinesecu...rs-locky-zepto/
23 Sep 2016 - "... Locky downloader with a blank/empty email with the subject of 'Photo from Ryan (random name)' coming as usual from random companies, names and email addresses with a random named zip attachment named along the lines of IMG- today’s/yesterday’s date - 2 characters and several numbers .zip containing a WSF file. The “photo from” name in the subject matches the alleged sender's name... One of the emails looks like:
From: Ryan nock <Ryan9244@ gmail .com>
Date: Fri 23/09/2016 00:51
Subject: Photo from Ryan
Attachment: IMG-20160922-WA000752.zip


Body content: Totally blank/empty

23 September 2016: IMG-20160922-WA000752.zip: Extracts to: AGRN0718.wsf - Current Virus total detections 9/55*
.. MALWR** shows a download of an encrypted file from one of these locations:
 http ://allcateringservices .in/8rcybi43?rRffpf=NrdcbOsmH | http ://klop .my/8rcybi43?rRffpf=NrdcbOsmH
 http ://williamstarnetsys .org/8rcybi43?rRffpf=NrdcbOsmH which is transformed by the script to
 raDSyGb1.dll (VirusTotal 8/57***). These WSF files post back to C&C http ://94.242.57.152 /data/info.php
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474598473/

** https://malwr.com/an...zkzZDNlZDA2OTk/
Hosts
103.231.41.127
103.8.25.156
142.4.4.160
94.242.57.152


*** https://www.virustot...sis/1474605834/
___

Fake 'Document' SPAM - delivers Locky
- https://myonlinesecu...rs-locky-zepto/
23 Sep 2016 - "... another set of blank/empty emails with the subject of 'Document from Horacio (random name)' pretending to come from random names @ gmail .com with a malicious word doc attachment delivers Locky ransomware... These are NOT coming from Gmail... One of the emails looks like:
From: Horacio minto <Horacio92942@ gmail .com>
Date: Fri 23/09/2016 11:06
Subject: Document from Horacio
Attachment: DOC-20160923-WA0008360.docm


Body content: Totally empty/blank

23 September 2016: DOC-20160923-WA0008360.docm - Current Virus total detections 8/55*. Malwr** shows a download of an encrypted file from http ://rutlandhall .com/bdb37 which is transformed by the macro to hupoas.dll
(VirusTotal 10/57***) posts back to C&C at http ://158.255.6.129 /data/info.php ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://virustotal.c...0a421/analysis/

** https://malwr.com/an...zE5ZDdjOGUyMzU/
Hosts
217.160.5.7
94.242.57.152
158.255.6.129


*** https://www.virustot...sis/1474629008/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 23 September 2016 - 09:15 AM.



#1812 AplusWebMaster


Posted 26 September 2016 - 06:26 PM

FYI...

Locky changed - now an .odin extension
- https://myonlinesecu...odin-extension/
26 Sep 2016 - "... the file extension to the encrypted files is now .odin. They are still using .wsf files inside zips today... first series pretends to come from your-own-domain with a subject of:
Re: Documents Requested and the body saying:
    Dear [redacted],
    Please find attached documents as requested.
    Best Regards,
    [redacted]


The second series comes from random senders with a subject of 'Updated invoice #[random number]' and random names, job positions and companies in the body with a body content:
    Our sincere apology for the incorrect invoice we sent to you yesterday.
    Please check the new updated invoice #3195705 attached.
    We apologize for any inconvenience.
    ——-
    Socorro Bishop
    Executive Director Marketing PPS ...


See MALWR* which does show the encrypted files and Payload Security** which does not but shows the downloads...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://malwr.com/an...zY4YmNiZmNmNmI/
Hosts
94.23.97.227
62.173.154.240


** https://www.hybrid-a...vironmentId=100
Contacted Hosts
94.23.97.227
62.173.154.240
5.196.200.247
86.110.118.114
52.34.245.108


- https://blog.opendns...latest-persona/
Sep 26, 2016
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 27 September 2016 - 10:06 AM.



#1813 AplusWebMaster


Posted 27 September 2016 - 04:03 AM

FYI...

Locky malware office rtf files - new delivery method
- https://myonlinesecu...dual-passwords/
27 Sep 2016 - "... a major change this morning in what I assume is a Locky or Dridex delivery system. The files come as RTF files but each rtf file has an individual password. None of the online automatic analysers or Virus Total, see any malicious content, because they cannot get past the password. Once you insert the password, you can then get to the macro, but I haven’t managed to decode it..
Update: I am being told it is Dridex, but am waiting on confirmation via analysis by several other researchers.
Once you insert the password you see a file looking like this. (This was opened in LibreOffice and not Microsoft Word for safety reasons, where there is no enable content button):
> https://myonlinesecu...ce-1024x590.png
... Individual passwords for the file names inside the zips are:
Final Notice#i4qb43c.rtf   tRgHs8UOo
Invoice-a00h.rtf    TVOS3v8
Statementj34f-69g_%l13te91u.rtf    xpaGK1x0r

We are seeing various subjects on these emails all using random names in subject line that matches the name of the alleged sender, including:
    Fwd:Invoice from Driscoll Welch
    Fw:Final Notice from Zane Reyes
    Marvin Yates Statement
    Re:Bill from Richard Contreras
    Statement from Lionel Roth
    Howard Cantrell Notice

They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. One of the emails looks like:
From: Driscoll Welch <emma.qe@ ntlworld .com>
Date: Tue 27/09/2016 08:47
Subject: Fwd:Invoice from Driscoll Welch
Attachment: Invoice-a00h.rtf
    The Transfer should appear within 2 days. Please check the document attached.  
    You may also need Document Pwd: TVOS3v8
    Driscoll Welch


DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
___

Fake 'Post For Amendment' SPAM - Java Adwind Trojan
- https://myonlinesecu...rs-java-adwind/
27 Sep 2016 - "We continue to see Java Adwind Trojans daily.. This one is an email with the subject of
'Post For Amendment' pretending to come from danny.chunn@ westernunion .com <accounts@ petnet .com.ph> with a genuine PDF attachment which contains a link, that when clicked downloads a rar file containing a Java.jar file... The particular difference is the PDF attachment is a genuine PDF which pretends to be a notice from Google Drive to download another PDF. The actual link-behind-the-download is -not- to Google drive but to a hacked/compromised WordPress site
 https ://www.makgrills .com/wp-content/Transaction-Ref0624193.rar
which downloads the rar file containing the Java Adwind Trojan. Note the HTTPS: The RAR file extracts to Agent Sendout Report.PDF.Doc.XLS.TXT.jar and if you have the Windows default setting of “don’t show file extensions” set, you will think it is a plain text file. The malspammer has added belts & braces though by naming it as report.PDF.Doc.XLS.TXT ... WARNING: Java Adwind is a very dangerous remote access backdoor Trojan, that has cross OS capabilities and can potentially run and infect any computer or operating system including Windows, Apple Mac, Android and Linux. It however can only be active or infect you if you have Sun/Oracle Java installed*...
* https://www.theguard...jack-technology
... One of the emails looks like:
From: danny.chunn@ westernunion .com <accounts@ petnet .com.ph>
Date: Mon 26/09/2016 09:41
Subject: Post For Amendment
Attachment: Transaction-Ref06214193.pdf
    Agent,
    View and post request for amendment. The Western union transaction is returned from a recieving agent. Details of the transaction has been attached
    Thanks & Regards,
    Danny Chunn
    Asst Mgr|Operations
    Branch Operations,
    Western Union Money Transfer
    Door – 26,Street- 920,Roudat Al Khail
    P O Box ? 5600,Doha,State of Qatar ...


The PDF when opened looks like this image which pretends to say that you need to click the link to download the PDF from Google Drive:
[ spoof_google_drive ]
> https://myonlinesecu...oogle_drive.png

27 September 2016: Transaction-Ref06214193.pdf: downloads: Transaction-Ref0624193.rar which extracts to
  Agent Sendout Report.PDF.Doc.XLS.TXT.jar - Current Virus total detections 16/55* for .jar file...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474955483/
___

Fake 'Attached:Scan' SPAM - leads to Locky
- http://blog.dynamoo....and-others.html
27 Sep 2016 - "This -fake- scanned document leads to Locky ransomware:
    Subject:     Attached:Scan(70)
    From:     Zelma (Zelma937@ victimdomain .tld)
    To:     victim@ victimdomain .tld;
    Date:     Tuesday, 27 September 2016, 14:15


There does not appear to be any body text. My trusted source tells me that the subject is a combination of the words Attached/Copy/File/Emailing and Document/Receipt/Scan plus a random two-digit number. Attached is a ZIP file with a name similar to the subject, containing a malicious .wsf script. This script then downloads components...
(Long list at the dynamoo URL above.)
The payload is Locky ransomware, phoning home to:
5.196.200.247/apache_handler.php (OVH, Ireland / Just Hosting, Russia)
62.173.154.240/apache_handler.php (JSC Internet-Cosmos, Russia)
uiwaupjktqbiwcxr .xyz/apache_handler.php  [86.110.118.114] (Takewyn.com, Russia)
rflqjuckvwsvsxx .click/apache_handler.php  [86.110.118.114] (Takewyn.com, Russia)
dypvxigdwyf .org/apache_handler.php  [69.195.129.70] (Joe's Datacenter, US)
ntqgcmkmnratfnwk .org/apache_handler.php
wababxgqgiyfrho .su/apache_handler.php
ytqeycxnbpuygc .ru/apache_handler.php
ocuhfpcgyg .pl/apache_handler.php
cifkvluxh .su/apache_handler.php
sqiwysgobx .click/apache_handler.php
yxmagrdetpr .biz/apache_handler.php
xnoxodgsqiv .org/apache_handler.php
vmibkkdrlnircablv .org/apache_handler.php
Recommended blocklist:
5.196.200.0/24
62.173.154.240
86.110.118.114
"
___

RIG EK on large malvertising campaign
- https://blog.malware...ising-campaign/
Sep 27, 2016 - "... spotted a malvertising attack on popular website answers .com (2 million visits daily) via the same pattern that was used by Angler EK and subsequently Neutrino EK via the ‘domain shadowing’ practice and the use of the HTTPS open redirector from Rocket Fuel (rfihub .com). Some visitors that browsed the knowledge-based website were exposed to the fraudulent and malicious advert and could have been infected -without- even having to click on it:
> https://blog.malware...16/09/flow2.png
... In early September we noticed a change in how RIG drops its malware payload. Rather than using the iexplore.exe process, we spotted instances where wscript.exe was the parent process of the dropped binary... domain shadowing in the malvertising space is still an effective means of duping ad agencies via social engineering. While this practice is well known, it also remains a powerful method to -bypass- traditional defences at the gateway by wrapping the ad traffic (and malicious code) in an encrypted tunnel. Since malvertising does not require any user interaction to infect your system, you should keep your computer fully up to date and uninstall unnecessary programs... Indicators of compromise:

ads.retradio .com: 184.168.165.1: https://www.virustot....1/information/
63.141.242.35: https://www.virustot...35/information/

RIG Exploit Kit Distributing CrypMIC Ransomware
- https://atlas.arbor....ndex#1789371819
Sep 22, 2016
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 27 September 2016 - 12:41 PM.



#1814 AplusWebMaster


Posted 28 September 2016 - 03:13 AM

FYI...

Fake 'Document' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
28 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Document No 25845584' (random numbers) pretending to come from random names at accounts@ your-own-email-domain or company with a random named zip attachment containing an hta file... One of the emails looks like:
From: random names at accounts@your own email domain or company
Date: Wed 28/09/2016 01:38
Subject: Document No 25845584
Attachment: Document No 25845584.zip
    Thanks for using electronic billing
    Please find your document attached
    Regards
    MAVIS CAWLEY


28 September 2016: Document No 25845584.zip: Extracts to: GVJL2720.hta - Current Virus total detections 16/55*
MALWR** was unable to get any payload or find any download sites. Payload Security*** shows a download of an encrypted file from datalinks .ir/g76vub8 which is transformed by the script to a working Locky binary. (Unfortunately Payload Security does not show the actual file or allow it to be downloaded in the free web version)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475037203/

** https://malwr.com/an...WI5MjI0NmZiZTg/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
144.76.172.200
52.24.123.95
52.85.209.134
52.33.248.56
128.241.90.219

___

Locky download and C2 locations ...
- http://blog.dynamoo....ns-2016-09.html
28 Sep 2016 - "It's one of those days where I haven't been able to look at Locky much, but here is some analysis of download locations from my usual trusted source.
Binary download locations:
(Long list of domain names at the dynamoo URL above.)...
C2s:
176.103.56.98/apache_handler.php (PE Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
194.67.208.69/apache_handler.php [hostname: billy676.myihor.ru] (Marosnet, Russia)
46.8.45.169/apache_handler.php [hostname: grant.zomro.com] (Zomro, Russia)
kgijxdracnyjxh .biz/apache_handler.php  [69.195.129.70] (Joe's Datacenter, US)
rluqypf .pw/apache_handler.php  [86.110.118.114] (Takewyn.com, Russia)
ehkhxyvvcpk .biz/apache_handler.php  [45.63.98.158] (Vultr Holdings, UK)
ufyjlxiscap .info/apache_handler.php
kdbbpmrdfnlno .pl/apache_handler.php
jlhxyspgvwcnjb .work/apache_handler.php
dceaordeoe .ru/apache_handler.php
gisydkcsxosyokkuv .work/apache_handler.php
mqlrmom .work/apache_handler.php
wfgtoxqbf .biz/apache_handler.php
ndyevynuwqe .su/apache_handler.php
vgcfwrnfrkkarc .work/apache_handler.php
Recommended blocklist:
176.103.56.98
194.67.208.69
46.8.45.169
86.110.118.114
45.63.98.158
"
___

Fake 'Neopost documents' SPAM - Locky – Odin version
- https://myonlinesecu...y-odin-version/
28 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Neopost documents' 0000888121970 coming as usual from random companies, names and email addresses with a random named zip attachment containing a WSF file...

Screenshot: https://myonlinesecu...st-1024x730.png

28 September 2016: 0000888121970_statement_000088812197051.zip: Extracts to: ZQSA4705.wsf
Current Virus total detections 9/54*. MALWR** shows a download of an encrypted file from one of these locations:
 http ://bigballsincowtown .com/67fgbcni?gjGmIb=KpIHjmIwkWU
 http ://lucianasaliani .com/67fgbcni?gjGmIb=KpIHjmIwkWU
which is transformed by the script to aCOldXqKQqm2.dll (VirusTotal 6/57***) posts back to C&C
 http ://194.67.208.69 /apache_handler.php - Payload Security[4] shows a lot more C2 connections... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475081527/

** https://malwr.com/an...WY5NTJjMzA0NGE/
Hosts
69.89.27.246
174.127.104.173
70.40.220.107
176.103.56.98
194.67.208.69


*** https://www.virustot...sis/1475077530/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
69.89.27.246
174.127.104.173
176.103.56.98
194.67.208.69
45.63.98.158
86.110.118.114

___

Something evil on 69.64.63.77
- http://blog.dynamoo....n-69646377.html
28 Sep 2016 - "This appears to be some sort of exploit kit leveraging hacked sites, for example:
    [donotclick]franchidiscarpa[.]com/index.php
    --> [donotclick]j8le7s5q745e[.]org/files/vip.php?id=4
You can see this EK infecting a legitimate site in this URLquery report*. The IP address appears to be a customer of ServerYou... Country: UA ...
These other domains are hosted on the same IP:
[donotclick]j8le7s5q745e .org
[donotclick]3wdev4pqfw1u .org
[donotclick]fg1238tq38le .net
All of those domains are registered to:
.. Registrant Country: RU ...
It looks like there might be a fair amount of activity to the IP at the moment, judging by the number of URLquery reports, so it might well be worth blocking."
* http://urlquery.net/...d=1475082161540
77.81.224.215: https://www.virustot...15/information/

69.64.63.77: https://www.virustot...77/information/
>> https://www.virustot...a9a84/analysis/
___

Fake 'Clients accounts' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
27 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Clients accounts' coming as usual from random companies, names and email addresses with a random named zip attachment containing a wsf file... One of the emails looks like:
From: Lon Kane <Kane.84@ fixed-189-180-187-189-180-32.iusacell .net>
Date: Thu 01/09/2016 19:22
Subject:Clients accounts
Attachment: a966ea5acc18.zip
    Dear monika.griffithe,
    I attached the clients’ accounts for your next operation.
    Please look through them and collect their data. I expect to hear from you soon.
    Lon Kane
    VP Finance & Controller ...


27 September 2016: a966ea5acc18.zip: Extracts to: Clients accounts 32C58E xls.wsf
Current Virus total detections 8/55*. MALWR**... Payload Security*** shows a download of an encrypted file from
 techskillscenter .net/zenl0z which is transformed by the script to 2Ez76BlaytMAH.dll (VirusTotal 6/57[4]) Unusually, Payload Security describes this dll file as informative, rather than malicious, which would normally mean it has some sort of anti-analysis/sandbox protection to it... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1474996887/

** https://malwr.com/an...WZkYjY3MTE0MDI/
Hosts
213.205.40.169
186.202.126.199
81.169.145.224
158.69.147.88
66.85.27.250


*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
173.247.251.145
5.196.200.247
94.242.55.225
86.110.118.114
69.195.129.70


4] https://www.virustot...sis/1474997682/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 28 September 2016 - 02:38 PM.

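Added example (written for this thread; it is not code from dynamoo or myonlinesecurity, and not part of the posts above): a Python script that takes the defanged C2 lines quoted in #1813 and #1814 exactly as they are pasted (both the 'domain .tld/path [ip] (owner)' style and the 'http ://ip /path' style), normalises them into a blocklist of IPs, domains and handler paths, and runs that blocklist over a few constructed proxy log lines. The proxy log format, the client IPs and the generic "suspect-c2-path" rule (a POST to a known handler path on a host not yet in the feed) are this example's own assumptions; it goes one step beyond the posts by matching the handler path as well as the listed hosts.

```python
"""Turn defanged C2 indicators (as pasted in the thread) into a blocklist and run
it over constructed proxy log lines.  Added example, not the blogs' own code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Indicator lines copied from posts #1813 / #1814 above, in both defanging
# styles used there ('domain .tld' with '[ip] (owner)', and 'http ://ip /path').
IOC_TEXT = """
5.196.200.247/apache_handler.php (OVH, Ireland / Just Hosting, Russia)
62.173.154.240/apache_handler.php (JSC Internet-Cosmos, Russia)
uiwaupjktqbiwcxr .xyz/apache_handler.php  [86.110.118.114] (Takewyn.com, Russia)
rflqjuckvwsvsxx .click/apache_handler.php  [86.110.118.114] (Takewyn.com, Russia)
dypvxigdwyf .org/apache_handler.php  [69.195.129.70] (Joe's Datacenter, US)
ntqgcmkmnratfnwk .org/apache_handler.php
194.67.208.69/apache_handler.php [hostname: billy676.myihor.ru] (Marosnet, Russia)
http ://94.242.57.152 /data/info.php
"""

# Constructed proxy log: timestamp client method url status bytes (assumed format, not real traffic).
PROXY_LOG = """
2016-09-28T14:20:01Z 10.1.2.30 POST http://uiwaupjktqbiwcxr.xyz/apache_handler.php 200 412
2016-09-28T14:20:05Z 10.1.2.30 GET http://www.example.com/index.html 200 9031
2016-09-28T14:21:10Z 10.1.2.44 POST http://5.196.200.247/apache_handler.php 200 398
2016-09-28T14:22:47Z 10.1.2.51 POST http://not-yet-listed.example/apache_handler.php 200 401
2016-09-28T14:23:00Z 10.1.2.51 GET http://www.example.com/data/info.php 200 120
"""


@dataclass(frozen=True)
class Indicator:
    host: str                    # domain or IP literal the malware contacts
    path: str                    # URL path of the C2 handler
    resolved_ip: Optional[str]   # IP the reporter put in [brackets], if any
    owner: Optional[str]         # hosting note in (parentheses), if any


def refang(line: str) -> str:
    """Undo paste-safe mangling: 'example .com', 'http ://', 'host /path', '[.]', hxxp."""
    line = line.replace("[.]", ".").replace("hxxp", "http").replace("[donotclick]", "")
    line = re.sub(r"\s+://", "://", line)                    # 'http ://' -> 'http://'
    line = re.sub(r"\s+\.(?=[A-Za-z0-9])", ".", line)        # 'example .com' -> 'example.com'
    line = re.sub(r"(?<=[A-Za-z0-9])\s+/(?=\S)", "/", line)  # 'host /path' -> 'host/path'
    return line.strip()


URL_RE = re.compile(r"^(?:https?://)?(?P<host>[A-Za-z0-9.-]+)(?P<path>/\S*)?(?P<rest>.*)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
OWNER_RE = re.compile(r"\(([^)]*)\)")


def parse_indicator(line: str) -> Optional[Indicator]:
    """One 'host/path [ip] (owner)' line -> Indicator; None for blank or unparseable lines."""
    m = URL_RE.match(refang(line))
    if not m:
        return None
    rest = m.group("rest")
    ip_m, owner_m = IP_RE.search(rest), OWNER_RE.search(rest)
    return Indicator(host=m.group("host").lower(), path=m.group("path") or "/",
                     resolved_ip=ip_m.group(1) if ip_m else None,
                     owner=owner_m.group(1) if owner_m else None)


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def build_blocklist(text: str) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (ips, domains, handler_paths) from a block of indicator lines."""
    ips: Set[str] = set()
    domains: Set[str] = set()
    paths: Set[str] = set()
    for line in text.splitlines():
        ind = parse_indicator(line)
        if ind is None:
            continue
        (ips if is_ip(ind.host) else domains).add(ind.host)
        if ind.resolved_ip:                 # the hosting IP behind a throwaway domain
            ips.add(ind.resolved_ip)
        paths.add(ind.path)
    return ips, domains, paths


def scan_proxy_log(log_text: str, ips: Set[str], domains: Set[str],
                   paths: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client, host, verdict) for each log line that matches the blocklist.
    A host hit is definitive; a POST to a known handler path on an unlisted host is
    only 'suspect', because the path alone is weak evidence."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, method, url, *_rest = line.split()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in ips or host in domains:
            hits.append((client, host, "blocklisted-host"))
        elif method == "POST" and parts.path in paths:
            hits.append((client, host, "suspect-c2-path"))
    return hits


if __name__ == "__main__":
    blocked_ips, blocked_domains, handler_paths = build_blocklist(IOC_TEXT)
    print("block IPs:    ", sorted(blocked_ips))
    print("block domains:", sorted(blocked_domains))
    for client, host, verdict in scan_proxy_log(PROXY_LOG, blocked_ips, blocked_domains, handler_paths):
        print(f"{verdict:17} {client} -> {host}")
```

The "Recommended blocklist" lines in the posts only name the IPs; keeping the domains and the handler path as well lets the same feed drive a DNS sinkhole and a proxy alert, and the path rule catches the next throwaway domain before it reaches a feed (at the cost of the occasional benign hit, so it is an alert, not a block).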


#1815 AplusWebMaster


Posted 29 September 2016 - 05:03 AM

FYI...

Fake 'Bill' SPAM - leads to Locky
- http://blog.dynamoo....ments-bill.html
29 Sep 2016 - "This spam leads to Locky ransomware. The samples I have seen have no body text, but have subjects in the format:
Bill for documents 31564-29-09-2016
 Bill for parcel 08388-28-09-2016
 Bill for papers 657-29-09-2016


Each subject has a random number appended by the date. Attached is a RAR archive file with a name similar to Bill 657-29-09-2016.rar containing a malicious .js script which downloads...
(Many domain-names listed at the dynamoo URL above.)
The malware then phones home to the following servers:
194.67.208.69/apache_handler.php (Marosnet, Russia)
89.108.83.45/apache_handler.php (Agava, Russia)
Payload detection for the version analysed was 16/56* but there could be an updated payload by now.
Recommended blocklist:
194.67.208.69
89.108.83.45
"
* https://www.virustot...44a00/analysis/

- https://myonlinesecu...ers-locky-odin/
29 Sep 2016 - "... Locky downloaders with a series of blank/empty emails with the basic subject of 'Bill for documents' 57608-28-09-2016 pretending to come from no reply @ random companies, with a semi-random named .rar attachment containing a .JS file. These are using the new .Odin file extension on the encrypted files.. The MALWR report* shows contact with an attempted download of Net framework and some sort of mapping... The subjects vary with each email. They all start with 'Bill for' and either documents, paper or parcel, then a series of random numbers and the date, looking something like:
    Bill for documents 57608-28-09-2016
    Bill for papers 9341672-28-09-2016
    Bill for parcel 422-29-09-2016


... One of the emails looks like:
From: no-reply@ simplyorganic .com
Date: Thu 29/09/2016 00:44
Subject: Bill for documents 57608-28-09-2016
Attachment: Bill 57608-28-09-2016.rar


Body content: totally blank

29 September 2016: Bill 57608-28-09-2016.rar: Extracts to: Bill 5100-4868433109.js
Current Virus total detections 8/53**. MALWR* shows a download of an encrypted file from one of these locations:
 http ://g2cteknoloji .com/8g74crec?rnhaXNpMuW=MWIKgpzUlE which is transformed by the script to ErUxQjD1.dll
(VirusTotal 9/57***) shows C2 on http ://89.108.83.45 /apache_handler.php  and also shows various other script files. Payload Security[4] shows a few other C2 servers... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://malwr.com/an...zQ1ZWMyYWMyNWQ/
Hosts
185.26.144.135
194.67.208.69
89.108.83.45


** https://www.virustot...sis/1475114609/

*** https://www.virustot...sis/1475120852/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.26.144.135
89.108.83.45
194.67.208.69
45.63.98.158
69.195.129.70
52.42.26.69
52.84.40.221

___

Fake 'Debit Card blocked' SPAM - leads to Locky
- http://blog.dynamoo....cked-leads.html
29 Sep 2016 - "The attachment on this spam email leads to Locky ransomware:
    From: "Ambrose Clements"
    Subject: Temporarily blocked
    Date: Thu, 29 Sep 2016 13:37:53 +0400
    Dear [redacted]
    this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.
    We attached the scan of transactions. Please confirm whether you made these transactions.


Attached is a ZIP file with a name similar to debit_card_93765d0d7.zip containing a malicious .WSF script with a random name. These scripts (according to my source) download...
(Many domain names listed at the dynamoo URL above.)
The decoded malware then phones home to:
195.123.210.11/apache_handler.php [hostname: by-f.org] (Mobicom Ltd, Latvia)
91.200.14.93/apache_handler.php [hostname: ef4bykov.example.com] (SKS-LUGAN, Ukraine)
185.117.155.20/apache_handler.php [hostname: v-jc.pro] (Marosnet, Russia)
xpcwwlauo .pw/apache_handler.php  [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
gqackht .biz/apache_handler.php  [hostname: vjc.kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
bgldptjuwwq .org/apache_handler.php
cxnlxkdkxxxt .xyz/apache_handler.php
rcahcieii .work/apache_handler.php
uxaoooxqqyuslylw .click/apache_handler.php
vwktvjgpmpntoso .su/apache_handler.php
upsoxhfqut .work/apache_handler.php
nqchuuvgldmxifjg .click/apache_handler.php
ofoclobdcpeeqw .biz/apache_handler.php
kfvigurtippypgw .pl/apache_handler.php
toescilgrgvtjcac .work/apache_handler.php
Recommended blocklist:
195.123.210.11
91.200.14.93
185.117.155.20
91.234.33.132
"

- https://myonlinesecu...delivers-locky/
29 Sep 2016 - "... Locky downloaders.. an email with the subject of 'Temporarily blocked' coming as usual from random companies, names and email addresses with a random named zip attachment containing a .WSF file... One of the emails looks like:
From: Jarvis Mason <Mason.2892@ paneltek .ca>
Date: Thu 01/09/2016 19:22
Subject: Temporarily blocked
Attachment: debit_card_4b69ba102.zip
    Dear [redacted],
    this is to inform you that your Debit Card is temporarily blocked as there were unknown transactions made today.
    We attached the scan of transactions. Please confirm whether you made these transactions.
    King regards,
    Jarvis Mason
    Technical Manager – Online Banking ...


1 September 2016: ea00debit_card_4b69ba102.zip: Extracts to: debit card details 92CF6066.wsf
Current Virus total detections 6/54*. Payload Security** shows a download of an encrypted file from
 fhgmediaent .com/66aslu which is transformed by the script to 1lenb5SzGBo0mpu.dll (VirusTotal 10/57***)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475140581/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
23.227.132.66
91.200.14.93
195.123.210.11
185.117.155.20
91.234.33.132


***  https://www.virustot...sis/1475141313/
___

Fake 'Receipt' xls SPAM - Locky
- http://blog.dynamoo....receiptxls.html
29 Sep 2016 - "This spam leads to Locky ransomware:
    From     rosalyn.gregory@ gmail .com
    Date     Thu, 29 Sep 2016 21:07:46 +0800
    Subject     Receipt 103-526


I cannot tell if there is any body text, however there is an -attachment- Receipt.xls which contains malicious code... that in the case of the sample I analysed downloads a binary from:
opmsk .ru/g76ub76
There will be -many- other download locations too. Automated analysis [1] [2] shows that this is Locky ransomware phoning home to:
89.108.83.45/apache_handler.php (Agava, Russia)
91.200.14.93/apache_handler.php [hostname: ef4bykov .example .com] (SKS-LUGAN, Ukraine)
xpcwwlauo .pw/apache_handler.php [hostname: vjc .kz] [91.234.33.132] (FOP Sedinkin Olexandr Valeriyovuch aka thehost .ua, Ukraine)
A malicious DLL is dropped with a detection rate of 6/57*. Malicious IPs and domains overlap quite a bit with this earlier attack**. This version of Locky encrypts files with a .odin extension...
Recommended blocklist:
89.108.83.45
91.200.14.93
91.234.33.132
"
1] https://malwr.com/an...jJjYmZhNTUyN2I/
Hosts
85.17.31.113
89.108.83.45


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
85.17.31.113
91.200.14.93
89.108.83.45
195.123.210.11
91.234.33.132


* https://www.virustot...sis/1475156266/

** http://blog.dynamoo....cked-leads.html
___

Fake 'New Order' SPAM - delivers Java Adwind
- https://myonlinesecu...rs-java-adwind/
29 Sep 2016 - "We continue to see Java Adwind Trojans daily... This one is an email with the subject of 'New Order' pretending to come from Claudia Schmiesing <claudia.schmiesing@ gmx .net> with a fuzzy unclear embedded image, that has a link hidden behind it, that when-clicked downloads a zip file containing a Java.jar file. This particular version is very badly detected. Java Adwind is normally quite well detected on Virus Total...

Screenshot: https://myonlinesecu...ng-1024x695.png

29 September 2016: flwfbq.zip: Extracts to: ORDER.jar  - Current Virus total detections 4/55*. MALWR**

This is another one of the files that, unless you have “show known file extensions” enabled, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustot...sis/1475172675/

** https://malwr.com/an...jZkODJlNWI3Mzg/
Hosts
23.105.131.212
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 29 September 2016 - 02:36 PM.

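Added example (written for this thread, not taken from myonlinesecurity or dynamoo): a mail-gateway attachment triage in Python for the lures described in #1813 and #1815, i.e. Java Adwind's 'Agent Sendout Report.PDF.Doc.XLS.TXT.jar', the .wsf/.js/.hta downloaders inside zip/rar archives and the .docm attachment. It splits a filename into its stacked extensions, flags active-content types and decoy document suffixes, shows what Explorer's default "hide extensions for known file types" would display, and applies the same rules to archive members. The extension sets, the action names and the benign control archive are this example's own choices; the attachment names come from the posts above.

```python
"""Attachment-name triage for the lures in this thread.  Added example, not the
blogs' own code.  Names are judged on extension only; see the note on Receipt.xls."""
import posixpath
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Types this thread shows running straight from a mail attachment (policy choice: block).
ACTIVE_CONTENT = {".wsf", ".js", ".jse", ".hta", ".vbs", ".vbe", ".jar", ".docm", ".xlsm", ".exe", ".scr"}
# Suffixes spammers stack in front of the real one so the name reads as a document.
DECOY_DOC = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Containers: open them and judge each member with the same rules.
ARCHIVES = {".zip", ".rar", ".7z"}
EXT_RE = re.compile(r"\.[a-z0-9]{1,5}")


@dataclass
class Verdict:
    name: str
    action: str                       # "block", "inspect-archive" or "allow"
    reasons: List[str] = field(default_factory=list)


def split_extensions(name: str) -> List[str]:
    """'Report.PDF.Doc.XLS.TXT.jar' -> ['.pdf', '.doc', '.xls', '.txt', '.jar'] (lower-cased)."""
    base = posixpath.basename(name.replace("\\", "/"))
    return [e for e in ("." + p.lower() for p in base.split(".")[1:]) if EXT_RE.fullmatch(e)]


def displayed_name(name: str) -> str:
    """Approximation of what Explorer shows with 'Hide extensions for known file types':
    the last extension disappears when Windows knows the type (here: our three sets)."""
    stem, dot, ext = name.rpartition(".")
    known = ACTIVE_CONTENT | DECOY_DOC | ARCHIVES
    return stem if dot and "." + ext.lower() in known else name


def triage(name: str) -> Verdict:
    """Judge one attachment name.  Order matters: archives are inspected, not blocked
    outright, so a decoy-named archive still gets its members checked."""
    exts = split_extensions(name)
    real = exts[-1] if exts else ""
    reasons: List[str] = []
    decoys = [e for e in exts[:-1] if e in DECOY_DOC]
    # 'Clients accounts 32C58E xls.wsf': decoy word separated by a space, not a dot.
    stem_words = name.rsplit(".", 1)[0].lower().split() if exts else []
    if stem_words and "." + stem_words[-1] in DECOY_DOC:
        decoys.append("." + stem_words[-1])
    if decoys:
        reasons.append(f"decoy document suffix {''.join(decoys)} before real type {real}; "
                       f"Explorer would show it as '{displayed_name(name)}'")
    if real in ARCHIVES:
        reasons.append("archive: extract and triage every member with the same rules")
        return Verdict(name, "inspect-archive", reasons)
    if real in ACTIVE_CONTENT:
        reasons.append(f"active content type {real} arriving by mail")
        return Verdict(name, "block", reasons)
    if decoys:
        return Verdict(name, "block", reasons)
    return Verdict(name, "allow", reasons)


def triage_archive(archive_name: str, members: Iterable[str]) -> Verdict:
    """Judge an archive by its member names (from the archive listing, not extracted bodies)."""
    outer = triage(archive_name)
    if outer.action != "inspect-archive":
        return outer
    bad = [v for v in (triage(m) for m in members) if v.action == "block"]
    if bad:
        reasons = outer.reasons + [f"{v.name}: {'; '.join(v.reasons)}" for v in bad]
        return Verdict(archive_name, "block", reasons)
    return Verdict(archive_name, "allow", outer.reasons)


# Attachment names from the posts above; member lists are what the posts say the archives held.
SAMPLE_MAIL: List[Tuple[str, List[str]]] = [
    ("9fc2fd82d4e.zip", ["Transactions details scan 358AD50.js"]),
    ("IMG-20160922-WA000752.zip", ["AGRN0718.wsf"]),
    ("Transaction-Ref0624193.rar", ["Agent Sendout Report.PDF.Doc.XLS.TXT.jar"]),
    ("a966ea5acc18.zip", ["Clients accounts 32C58E xls.wsf"]),
    ("DOC-20160923-WA0008360.docm", []),
    ("Receipt.xls", []),                 # malicious per #1815, but extension rules alone allow it
    ("holiday_photos.zip", ["IMG_0001.jpg", "IMG_0002.jpg"]),   # constructed benign control
]


def triage_mail(attachments: Iterable[Tuple[str, List[str]]]) -> List[Verdict]:
    return [triage_archive(name, members) for name, members in attachments]


if __name__ == "__main__":
    for v in triage_mail(SAMPLE_MAIL):
        print(f"{v.action:15} {v.name}")
        for r in v.reasons:
            print("    -", r)
```

The Receipt.xls case is the caveat: a legacy .xls with a macro has a perfectly ordinary extension, as do the password-protected RTFs in #1813, so name-based rules are a first filter, not a substitute for inspecting the content (macro presence, encrypted members that a sandbox cannot open) once the archive has been unpacked.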
