
SPAM frauds, fakes, and other MALWARE deliveries...



#1816 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 30 September 2016 - 04:12 AM

FYI...

Fake 'Receipt' SPAM - delivers Locky – Odin
- https://myonlinesecu...ers-locky-odin/
30 Sep 2016 - "The Locky ransomware malware gang appear to be copying Dridex this week and going back to using word docs with embedded macros to deliver the ransomware... Locky downloaders.. a blank/empty email with the subject of 'Receipt' 45019-0740 (random numbers) pretending to come from random names at gmail .com with a random named word doc. The doc attachment name matches the subject line... One of the  emails looks like:
From: chandra.har?@ gmail .com
Date: Fri 30/09/2016 10:12
Subject: Receipt 45019-0740
Attachment: Receipt 45019-0740.doc


Body content: Totally Blank/Empty

30 September 2016: Receipt 45019-0740.doc - Current Virus total detections 9/55*
.. MALWR** shows a download of an encrypted file from http ://travelinsider .com.au/021ygs7 which is transformed by the script to hupoas.dll (VirusTotal 8/57***). C2 is http ://149.202.52.215 /apache_handler.php . Payload Security[4] shows the multiple additional C2 sites. Neither online sandbox actually shows any Locky screenshots today, but Malwr clearly shows odin files in the lists... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475226679/

** https://malwr.com/an...zRjNjkxNjdmNWE/
Hosts
203.98.84.123
89.108.83.45
149.202.52.215


*** https://www.virustot...sis/1475227548/

4] https://www.hybrid-a...vironmentId=100

___

Fake 'Parcel details' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
30 Sep 2016 - "... Locky downloaders.. an email pretending to be a DHL cannot deliver message with the subject of 'Parcel details' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with DHL_parcel containing a WSF file... fake/spoofed DHL (and other delivery companies) malspam emails... One of the  emails looks like:
From: DHL <Phelps.0827@ parket-ekonom .ru>
Date: Fri 30/09/2016 10:48
Subject: Parcel details
Attachment: DHL_parcel_06cda564b.zip
    Dear berkeley,
    We couldn’t deliver your parcel on September 30th because we couldn’t verify the given address.
    Attached is the shipment label. Please print it out to take the parcel from our office.
    Label-ID: acd8e33709cb62ea9825f9de779d1dfb8f6b566af6779b11928a9e053f
    Best Wishes,
    Reyes Phelps
    DHL Express Service


30 September 2016: DHL_parcel: Extracts to: DHL parcel 25514DCA.wsf - Current Virus total detections 7/55*
.. MALWR** seems unable to decode/decrypt these very heavily obfuscated scripting files. Payload Security*** shows a download of an encrypted file from fernandoarias .org/tmlvg7el which is transformed by the script to a working Locky file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475228984/

** https://malwr.com/an...zZkODA4ZmU2YjE/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
91.186.0.7
52.34.245.108
52.222.157.47
52.41.235.21

 



Edited by AplusWebMaster, 30 September 2016 - 06:42 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1817 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 03 October 2016 - 04:38 AM

FYI...

Fake 'Scan' SPAM - leads to Locky
- http://blog.dynamoo....52626-sent.html
3 Oct 2016 - "This -fake- document scan leads to Locky ransomware:
    From:    DAMON ASHBROOK
    Date:    3 October 2016 at 10:56
    Subject:    [Scan] 2016-1003 15:26:26
    --
    Sent with Genius Scan for iOS.


The name of the sender, the subject and the attachment name (in this case 2016-1003 15-26-26.xls) will vary somewhat. This Malwr analysis* shows some of the infection in action. Overall my sources tell me that the various malicious macros download...
(Long list of domain-names listed at the dynamoo URL above.)
C2 locations are:
149.202.52.215/apache_handler.php (OVH, France)
217.12.199.244/apache_handler.php (ITL, Ukraine)
A DLL is dropped with a detection rate of 19/57**.
Recommended blocklist:
149.202.52.215
217.12.199.244
"
* https://malwr.com/an...2I1YzIyZWZkNGI/
Hosts
69.89.29.98
149.202.52.215


** https://www.virustot...sis/1475489696/
___

Fake 'please sign' SPAM - leads to Locky
- http://blog.dynamoo....s-to-locky.html
3 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
    Subject:     please sign
    From:     Ricardo Buchanan
    Date:     Monday, 3 October 2016, 10:27
    Hi [redacted],
    I have made the paperwork you asked me to prepare two days ago.
    Please check the attachment. It just needs your signature.
    Best Wishes,
    Ricardo Buchanan
    CEO


In the only sample I have seen so far, the attachment name is paperwork_scan_7069f18e6.zip containing a malicious script paperwork scan ~1EB91.wsf plus a junk file with a single letter name... obfuscated script... appears to download Locky ransomware. Analysis is pending.
UPDATE: This Hybrid Analysis* clearly shows Locky in action. According to my sources there are no C2s..."
(Long list of domain-names at the dynamoo URL above.)
* https://www.hybrid-a...vironmentId=100


- https://myonlinesecu...monday-morning/
3 Oct 2016 - "... loads of Locky today. We are seeing multiple subjects, emails and attachments. We are seeing XLS files and the typical .wsf files inside zips... email looks like:
From: KIETH WOOLDRIDGE <kieth.wooldridge.61@ kimiabiosciences .com> (random senders)
Date: Mon 03/10/2016 08:45
Subject: [Scan] 2016-1003 12:14:45
Attachment: 2016-1003 12-14-45.xls
    —
    Sent with Genius Scan for iOS.


... (another) version is:
From: Anita Ramsey <Ramsey.663@ equestrianarts .org>  (random senders)
Date: Mon 03/10/2016 09:51
Subject: please sign
Attachment: paperwork_scan_35886e2.zip  extracts to paperwork scan ~D45D50C5.wsf
    Hi [redacted],
    I have made the paperwork you asked me to prepare two days ago.
    Please check the attachment. It just needs your signature.
    Best Wishes,
    Anita Ramsey
    Head of Corporate Relations


MALWR [1] [2] [3] | VirusTotal [4][5][6] downloads from
http ://mmm2.aaomg .com/jhg45s and http ://crossroadspd .com/jhg45s which will be converted to siluans.dll (Virustotal 14/57*) or from ossiatzki .com/dyke9 which is converted to MMCnbLicrHhc.dll (virusTotal 14/57**).. Payload Security***... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://malwr.com/an...jZmYTI0ZWJlYmM/
Hosts
96.0.130.2
217.12.199.244


2] https://malwr.com/an...TNmNmU4ZWRjZmY/
Hosts
208.71.139.66
217.12.199.244


3] https://malwr.com/an...WVjOGJlMWJkMzE/

4] https://www.virustot...sis/1475484796/

5] https://www.virustot...sis/1475484485/

6] https://www.virustot...sis/1475484779/

* https://www.virustot...sis/1475479730/

** https://www.virustot...sis/1475479730/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts
111.221.40.34
54.218.66.17
52.85.184.121

 



Edited by AplusWebMaster, 03 October 2016 - 05:26 AM.



#1818 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 04 October 2016 - 04:30 AM

FYI...

Fake 'Refund' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
4 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Refund' pretending to come from various randomly chosen delivery, parcel or postal companies with a semi random named zip attachment starting with refund containing a WSF file... a very small portion of the several hundred received in the last few minutes, so -Any- delivery company is likely to be spoofed.
Royal Mail
PostNL
Schenker AG
Japan Post Group
FedEx
DHL
DHL Express


One of the emails looks like:
From: Royal Mail <Reynolds.21@ usacabs .com>
Date: Thu 01/09/2016 19:22
Subject: Refund
Attachment: refund_scan_a2e0a7b.zip
    Dear [redacted], please submit the return form to receive the refund.
    The parcel must have its original packaging. The return form is attached in this mail.
    Best regards,
    Elsa Reynolds
    Royal Mail


4 October 2016: refund_scan_a2e0a7b.zip: Extracts to: refund scan 392CDC4.wsf
Current Virus total detections 8/54*. Payload Security** shows a download of an encrypted file from motos13 .com/w0bmffo which is transformed by the script to a working Locky file. Unfortunately Payload Security does not show or allow download of the file in the free web version. This looks like the version with no C2 ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475567273/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.93.240.134
52.85.184.21
52.41.235.21

___

Fake 'Bill for parcel' SPAM - delivers Locky – Odin
- https://myonlinesecu...ers-locky-odin/
4 Oct 2016 - "... Locky downloaders.. a -blank- email with the subject of 'Bill for parcel' 064983-04-10-2016 pretending to come  from no-reply @ random email addresses  with a random named zip attachment containing a WSF file. This version of Locky with an Odin-extension is using DLL files, whereas last night’s version* used .exe files.
* https://myonlinesecu...delivers-locky/
The subject line will always start with 'Bill' for then it will be either 'Parcel, Document, Documents, Papers' or other similar words then a random number then today’s date... One of the  emails looks like:
From: no-reply@ speroresources .com
Date: Tue 04/10/2016 08:04
Subject: Bill for parcel 064983-04-10-2016
Attachment: Bill 772-04-10-2016.zip


Body content: totally blank/empty

4 October 2016: Bill 772-04-10-2016.zip: Extracts to: Bill 3609756-04-10-2016.wsf
Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from http ://aluvista .com/erg7cbr?QJWtIXrQ=oUDSEKIWsF which is transformed by the script to WkOUeAz1.dll (VirusTotal 7/56***). C2 is http ://158.255.6.115 /apache_handler.php - other C2 locations are shown in the Payload Security report[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475561395/

** https://malwr.com/an...WIzNmQyM2ViMzk/
Hosts
78.46.34.83
158.255.6.115


*** https://www.virustot...sis/1475567524/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
78.46.34.83
158.255.6.115
81.177.26.201
52.85.184.9

___

Fake 'Voicemail' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
3 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Voicemail' from [random name] [random number] <[random number]> [random time] pretending to come from voicemailandfax@ random email addresses  with a semi-random named zip attachment containing a HTA file... One of the  emails looks like:
From: SureVoIP <voicemailandfax@ nexgtech .com>
Date: Mon 03/10/2016 22:22
Subject: Voicemail from Sherri metcalf 00780261644 <00780261644> 00:01:40
Attachment: msg_dbf6-d46d-0134-fb2b-92a8c040c64d.zip
    Message From “Sherri metcalf 00780261644” 00780261644
    Created: 2016.10.03 16:23:42
    Duration: 00:01:40 ...


3 October 2016: msg_dbf6-d46d-0134-fb2b-92a8c040c64d.zip: Extracts to: 0332451600272.hta
Current Virus total detections 7/54*. Payload Security** shows a download of an encrypted file from acaciainvest .ro/98h86f?HmaeXAiu=CQDbSkNs which is transformed by the script to xsyMCaVC1.exe (VirusTotal 5/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475531086/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
188.240.2.32
149.202.52.215
81.177.26.201
52.85.184.21


*** https://www.virustot...sis/1475531106/
___

Fake 'Travel Itinerary' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
3 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Travel Itinerary' pretending to come from random airline companies with a semi-random named zip attachment starting with 'Travel_Itinerary' containing a WSF file... I have seen these pretend to come from just about every airline in existence. Some received include:
Asiana Airlines <Flynn.92@ dsldevice .lan>
Swiss Air Lines <Hamilton.560@ dsldevice .lan>
Lufthansa <Cardenas.4568@ sewerlinereplacementrichmond .com>
Thai Airways <Mercer.030@ airtelbroadband .in>
Singapore Airlines <Burt.5051@ nbftv .no>
Cathay Pacific <Pacheco.074@ telecomitalia .it>
Turkish Airlines <Barker.585 @sabanet .ir>
Emirates <Flores.935@ deborahkellymft .com>
Virgin Australia <Terry.46@ philipskillman .com>
Qantas Airways <Weiss.213@ ceas .com.ve>


One of the emails looks like:
From: Asiana Airlines <Flynn.92@ dsldevice .lan>
Date: Mon 03/10/2016 19:09
Subject: Travel Itinerary
Attachment: Travel_Itinerary-a884558.zip
    Dear [redacted]
    Thank you for flying with us! We attached the Travel Itinerary for Your booking number #3FD6F18.
    See the paid amount and flight information.
    Best regards,
    Stephan Flynn
    Asiana Airlines


3 October 2016: Travel_Itinerary-a884558.zip: Extracts to: Travel_Itinerary-4F2AD50.wsf
Current Virus total detections 5/54*. MALWR is unable to fully analyse these and get any download links or payload. Payload Security** shows a download of an encrypted file from onlinesigortam .net/njahqfis which is transformed by the script to a working Locky file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475518144/

** https://www.hybrid-a...vironmentId=100

 



Edited by AplusWebMaster, 04 October 2016 - 06:56 AM.



#1819 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 05 October 2016 - 04:08 AM

FYI...

Fake 'Document' SPAM - leads to Locky
- http://blog.dynamoo....m-leads-to.html
5 Oct 2016 - "I have only received a single sample of this spam, presumably it comes from random senders. There is no-body-text in my sample.
    Subject:     Document from Paige
    From:     Paige cuddie (Paige592035@ gmail .com)
    Date:     Wednesday, 5 October 2016, 9:37


In this case there was an attached file DOC-20161005-WA0002793.zip containing a malicious script... DOC-20161005-WA0002715.wsf. Automated analysis [1] [2] shows this sample downloads from:
euple .com/65rfgb?EfTazSrkG=eLKWKtL
There will be many other locations besides this. Those same reports show the malware (in this case Locky ransomware) phoning home to:
88.214.236.36 /apache_handler.php (Overoptic Systems, UK / Russia)
109.248.59.100 /apache_handler.php (Ildar Gilmutdinov aka argotel.ru, Russia)
The sample I found downloaded a legitimate binary from ciscobinary.openh264 .org/openh264-win32-v1.3.zip presumably as an anti-analysis technique.
Recommended blocklist:
88.214.236.0/23
109.248.59.0/24
"
1] https://malwr.com/an...mZkYjY3YzEyMWU/
Hosts
23.88.37.83
88.214.236.36


2] https://www.hybrid-a...vironmentId=100

___

Fake 'complaint letter' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
5 Oct 2016 - "... Locky downloaders.. an email with the subject of 'complaint letter' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with complaint_letter_ containing a WSF file... note the misspelled/typo error in the email body, 'King regards'. We have seen that quite frequently... One of the  emails looks like:
From: Roxie Davis <Davis.863@ adsl.viettel .vn>
Date: Wed 05/10/2016 10:20
Subject:  complaint letter
Attachment: complaint_letter_cb9d039ea.zip
    Dear [redacted], client sent a complaint letter regarding the data file you provided.
    The letter is attached. Please review his concerns carefully and reply him as soon as possible.
    King regards,
    Roxie Davis


5 October 2016: complaint_letter_cb9d039ea.zip: complaint letter 4A683AD.wsf
Current Virus total detections 8/53*... Payload Security** shows a download of an encrypted file from upper-classmen .com/k1hd6 which is transformed by the script to RpKwxNZ92.dll (VirusTotal 8/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it...."
* https://www.virustot...sis/1475660416/

** https://www.hybrid-a...vironmentId=100


*** https://www.virustot...sis/1475661773/
___

Fake 'Cancellation request' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
5 Oct 2016 - "... Locky downloaders.. an email with the subject of 'Cancellation request' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with  Cancellation_Form_ containing a .JS file... One of the  emails looks like:
From: Katharine Clayton <Clayton.892@ myfghinc .com>
Date: Wed 05/10/2016 19:40
Subject: Cancellation request
Attachment: Cancellation_Form_3805419.zip
    Dear [redacted], to cancel the request you made on October 4th, you need to fill out the cancellation form attached in this email.
    Contact us if you need further assistance.
    Best regards,
    Katharine Clayton
    Clients Support


5 October 2016: Cancellation_Form_3805419.zip: Extracts to: Cancellation Form 4FDE6.js
Current Virus total detections 9/54*. MALWR** shows a download of an encrypted file from http ://noisecontrols .com/dctpl4c which is transformed by the script to CSWzQT0oHGGp27m.dll (VirusTotal 11/56***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475693156/

** https://malwr.com/an...2FkODY5MWI3MjQ/
Hosts
101.100.175.250

*** https://www.virustot...sis/1475694004/
 



Edited by AplusWebMaster, 05 October 2016 - 02:17 PM.



#1820 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 06 October 2016 - 03:32 AM

FYI...

Fake 'Your Order' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
6 Oct 2016 - "... Locky downloader.. an email with the subject of 'Your Order' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting order_details_ containing a .JS file... One of the  emails looks like:
From: Hilario Walton <Walton.571@ afirstclassmove .com>
Date: Thu 01/09/2016 19:22
Subject: Travel expense sheet
Attachment: order_details_bfa256b5.zip
    Your order has been proceeded. Attached is the invoice for your order A-1376657.
    Kindly keep the slip in case you would like to return or state your product’s warranty.


6 October 2016: order_details_bfa256b5.zip: Extracts to: Cancellation Form 0D582E2.js
Current Virus total detections 7/54*. MALWR** shows a download of an encrypted file from http ://pioneerschina .com/xwks4 which is transformed by the script to Prxa55gCpc.dll (VirusTotal 12/56***). C2 http ://217.12.223.78 /apache_handler.php... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475741537/

** https://malwr.com/an...b86ec016cdab8ad
Hosts
69.195.71.128
217.12.223.78


*** https://www.virustot...sis/1475742167/

- http://blog.dynamoo....inevitable.html
6 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
    From:    Adrian Salinas
    Date:    6 October 2016 at 10:13
    Subject:    Your Order
    Your order has been proceeded. Attached is the invoice for your order A-6166964.
    Kindly keep the slip in case you would like to return or state your product's warranty.


Details will change from email to email. Attached is a ZIP file with a name similar to order_details_cb9782b.zip containing a malicious obfuscated javascript file named similarly to Cancellation Form 6328B32E.js
According to my source, these various scripts then download a component...
(Many domain-names listed at the dynamoo URL above.)
The malware then phones home to the following IPs (belonging pretty much to the usual suspects):
46.8.44.105 /apache_handler.php (Netart Group / Zomro, Ukraine)
91.219.28.76 /apache_handler.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
188.120.236.21 /apache_handler.php (TheFirst-RU, Russia)
217.12.223.78 /apache_handler.php (ITL, Ukraine)
46.183.221.134 /apache_handler.php (Dataclub, Latvia) ...
Recommended blocklist:
46.8.44.105
46.183.221.128/25
91.219.28.76
188.120.236.21
217.12.223.78
"
___

Fake 'Invoice' SPAM - .doc attachment leads to Locky
- http://blog.dynamoo....6-12345678.html
6 Oct 2016 - "This -fake- financial spam leads to malware:
    From:    invoices@ [redacted] .com
    Date:    6 October 2016 at 07:16
    Subject:    Invoice-365961-42888419-888-DE0628DA
    Dear Customer,
    Please find attached Invoice 42888419 for your attention.
    Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.
    For Pricing or other general enquiries please contact your local Sales Team.
    Yours Faithfully,
    Credit Dept'
    ### This mail has been sent from an un-monitored mailbox ###


The name of the sender and reference numbers will change from email to email. Attached is a Word document with a name in a format similar to 20161006_42888419_Invoice.doc... The sample I sent for automated analysis [1] [2] downloads some data from:
eaglemouth .org/d5436gh
... my sources (thank you, you know who you are) that there are additional download locations at:
dabihfluky .com/d5436gh
fauseandre .net/d5436gh
This particular variant of Locky ransomware uses black hat hosting for this download location rather than a -hacked- legitimate site. All these domains are hosted on the following IPs:
62.84.69.75 (FiberLink Networks, Lebanon)
85.118.45.12 (Andrexen, France) ...
(Many domain-names listed at the dynamoo URL above.) ...
A DLL is dropped with a detection rate of 13/56*.
UPDATE: I completely forgot to include the C2. D'oh.
109.248.59.164 /apache_handler.php (Netart, Russia)
Recommended blocklist:
62.84.69.75
85.118.45.12
109.248.59.164
"
1] https://malwr.com/an...DcwN2E5ODBmMjU/
Hosts
85.118.45.12

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
62.84.69.75
109.248.59.164
52.32.150.180
54.192.203.206


* https://virustotal.c...sis/1475744035/
 



Edited by AplusWebMaster, 06 October 2016 - 04:33 AM.



#1821 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 07 October 2016 - 03:42 AM

FYI...

Fake 'wrong paychecks' SPAM - delivers Locky/Odin
- https://myonlinesecu...ers-locky-odin/
7 Oct 2016 - "... Locky downloader.. an email with the subject of 'wrong paychecks' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with paychecks_  containing a .JS file... One of the  emails looks like:
From: Guy Bennett <Bennett.75@ janicerich .com>
Date: Thu 06/10/2016 22:17
Subject: wrong paychecks
Attachment: paychecks_43b3b18.zip
    Hey [redacted]. They send us the wrong paychecks. Attached is your paycheck arrived to my email by mistake.
    Please send mine back too.
    Best regards,
    Guy Bennett


7 October 2016: ea00paychecks_43b3b18.zip: Extracts to: paychecks exported 5648A20E.js
Current Virus total detections 11/54*. MALWR** shows a download of an encrypted file from http ://bdfxb .com/jp0zuso which is transformed by the script to YXljL8XPAjn.dll (VirusTotal 10/56***). Payload Security[4] shows multiple C2 and additional download locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1475801339/

** https://malwr.com/an...zg0OTJjN2NhMjU/
Hosts
182.92.220.92

*** https://www.virustot...sis/1475820102/

4] https://www.hybrid-a...vironmentId=100

 





#1822 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 11 October 2016 - 04:03 AM

FYI...

Dridex - random subjects with cab files - SPAM
- https://myonlinesecu...with-cab-files/
11 Oct 2016 - "... an email with a variety of subjects along the lines of 'Form Sydnee I. Hahn' (the initial word is either Form/Token/License/Certificate or a similar word, followed by a name that matches the name in the body of the email), coming as usual from random companies, names and email addresses, with a semi-random named cab file attachment (that matches the subject word) containing a .JS file. Cab files are Microsoft-specific archives (zip files) that are normally used for Windows updates. Almost any unzipping tool will extract them; however, Windows Explorer will natively extract and -autorun- any content inside a cab file if double clicked to open them. This looks like Dridex today, rather than the Locky ransomware...
Update 09.30 UTC: A second run starting with a mix of .cab files and .zip files, possibly because many mail filtering systems including Mail Scanner used on a high proportion of Linux mail servers detects and warns about .cab files by default. Some servers are set to block them automatically. This server is set to warn about potentially dangerous file extensions but not block them (to certain domains only) so I can obtain malware samples to warn/alert and submit to anti-virus companies and help protect everybody. For every cab file that I have received so far, I also got a warning message to my postmaster/admin email address. The sort of subjects we are seeing include:
    Form Sydnee I. Hahn
    Token Jolie T. Barrett
    License Armando H. Bates
    Certificate Brittany T. Beach
    Archive Linda K. McLaughlin
    Papers Sylvia C. Price
    Agreement Dieter U. Vinson
    Report David W. Rogers
    Document Isaac Q. Lucas


One of the emails looks like:
From: HilariSydnee I. Hahn <rtep.springvale@ ljh .com.au>
Date: Tue 11/10/2016 08:03
Subject: Form Sydnee I. Hahn
Attachment: Form.cab
    Good morning
    Please review your Form.
    I’m waiting for your reply
    Kindest regards
    Sydnee I. Hahn


An alternative body content:
    Hi
    Here is your Token.
    Pls inform me the answer as soon as posible
    Regards
    Jolie T. Barrett


An alternative body content:
    Greetings
    Here is your License.
    I’m still waiting for your answer
    Cain M. Rogers


11 October 2016: Form.cab: Extracts to: 20792.tmp - Current Virus total detections 0/55*
.. MALWR** shows a download from http ://www .mobilemanager .fr/log.khp which gave me 20792.tmp (VirusTotal 6/56***)
Detections are inconclusive but Payload Security[4] indicates that this is most probably the Dridex banking Trojan. However, that also shows an error in running the file with an unsupported system message. That might mean that there is a fault with the Dridex binary or, more likely, that the Dridex malware gang have added even more protections to their malware, stopping it running when a sandbox or VM is detected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476169831/

** https://malwr.com/an...jdlOTYxZDc3YmE/
Hosts
217.76.132.43

*** https://www.virustot...sis/1476170061/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
217.76.132.43
195.154.163.166
88.213.204.147

___

Potential Hurricane Matthew Phishing Scams
- https://www.us-cert....-Phishing-Scams
Oct 11, 2016 - "US-CERT warns users to remain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Matthew. Users are advised to exercise caution in handling any email with subject line, attachments, or hyperlinks related to Hurricane Matthew, even if it appears to originate from a trusted source. Fraudulent emails will often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from deceptive charitable organizations commonly appear after major natural disasters.
US-CERT encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:
- Do not follow unsolicited web links in email messages.
- Use caution when opening email attachments. Refer to the Using Caution with Email Attachments Cyber Security Tip[1] for more information on safely handling email attachments.
- Keep antivirus and other computer software up-to-date.
- Refer to the Avoiding Social Engineering and Phishing Attacks Cyber Security Tip[2] for more information on social engineering attacks.
- Review the Federal Trade Commission information on Charity Scams[3].
- Verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number. You can find trusted contact information for many charities on the BBB National Charity Report Index[4]."
1] http://www.us-cert.g...s/ST04-010.html

2] http://www.us-cert.g...s/ST04-014.html

3] https://www.consumer...1-charity-scams

4] http://give.org/char...eviews/national
 



Edited by AplusWebMaster, 11 October 2016 - 12:26 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1823 AplusWebMaster


Posted 12 October 2016 - 03:12 AM

FYI...

Fake 'Payment - wire transfer' SPAM - delivers Java Adwind
- https://myonlinesecu...rs-java-adwind/
12 Oct 2016 - "... daily.. -fake- financial themed emails containing java adwind attachments...
This article[1] from a couple of years ago explains why you should remove it.
If you cannot remove it then it -must- be kept up-to-date[2] .. be extremely careful with what you download or open...
1] https://www.theguard...jack-technology
2] https://java.com/en/download/
... The email looks like:
From: Account <order@ coreadmin .eficaz .cl>
Date: Wed 12/10/2016 04:56
Subject: RE: Payment
Attachment: Details.zip
    Hi,
    Did you authorize any wire transfer to our account?
    We have received an amount of USD79,948.12 from your account and we do not know what this fund is for.
    We do not have any transaction with your company that we know about. So why making payment to us.
    Please see the attached remittance documents and double-check with your bank.
    We wait for your comment.
    Best Regards,
    Leo Lee,
    Navkar Corporation Ltd
    215 Lumpoo Road, Wadsampraya, Pranakorn
    Bangkok, 10200 Thialand ...


12 October 2016: details.jar (119kb) - Current Virus total detections 5/55*. Payload Security**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476250143/

** https://www.hybrid-a...vironmentId=100
 





#1824 AplusWebMaster


Posted 13 October 2016 - 05:43 AM

FYI...

WSF email attachments - latest malware delivery vehicle
- https://www.helpnets...lware-delivery/
Oct 13, 2016 - "Most users have by now learned not to open executable (.EXE), various MS Office, RTF and PDF files delivered via -unsolicited- emails, but malware peddlers are always trying out new ways to trick users, email filters and AV software... According to Symantec*, Windows Script Files (WSFs) are the latest file types to be exploited to deliver malware via email...
> https://www.helpnets...attachments.jpg
Number of blocked emails containing malicious WSF attachments by month "

Surge of email attacks using malicious WSF attachments
* https://www.symantec...wsf-attachments
12 Oct. 2016 - "Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments over the past three months. Ransomware groups in particular have been employing this new tactic. In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files...
Malicious WSF files have been used in a number of recent major spam campaigns spreading Locky. For example, between October 3 and 4, Symantec blocked more than 1.3 million emails bearing the subject line "Travel Itinerary." The emails purported to come from a major airline and came with an attachment that consisted of a WSF file within a .zip archive. If the WSF file was allowed to run, Locky was installed on the victim's computer...
> Tips on protecting yourself from ransomware
  Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
  Always keep your security software up to date to protect yourself against any new variants of malware.
  Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
  Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
  Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email."
 





#1825 AplusWebMaster


Posted 18 October 2016 - 03:53 AM

FYI...

Fake 'Final payment' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
17 Oct 2016 - "An email with the subject of 'Final payment request' pretending to come from angela.fynan@ hmrc.gsi .gov.uk <info@ websitesage60 .us> with a malicious word doc attachment is another one from the current bot runs... I do not know exactly what malware this downloads... The website that the macro inside the malicious word doc connects to is not owned or controlled by HMRC or any other part of the UK government and has been registered to be used as a malware/fraud site http ://hmrc.gsigov .co.uk using false details:
- http://whois.domaintools.com/gsigov.co.uk .. on IP 185.81.113.102 ...

Screenshot: https://myonlinesecu...rc-1024x771.png

The word doc falsely states it was created in an earlier version of Word and that you 'should enable editing to view it'; when opened safely, it pretends to be a VAT notice and surcharge liability saying you need to pay £29,678:
> https://myonlinesecu...17-1024x800.png

17 October 2016: 18066000010075130101.doc - Current Virus total detections 4/54*. MALWR** shows a download from
 http ://hmrc.gsigov .co.uk/vat.exe (VirusTotal 4/56***). Payload Security [1] [2] ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476717095/

** https://malwr.com/an...DUzNDBiZGU2MTg/
Hosts
185.81.113.102: https://www.virustot...02/information/
> https://www.virustot...b33a8/analysis/

*** https://www.virustot...sis/1476724305/

1] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.81.113.102

2] https://www.hybrid-a...vironmentId=100
 



Edited by AplusWebMaster, 18 October 2016 - 05:33 AM.




#1826 AplusWebMaster


Posted 19 October 2016 - 03:09 AM

FYI...

Fake 'RE: P/O' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
19 Oct 2016 - "We continue to be plagued daily by -fake- financial themed emails containing java adwind attachments... The email looks like:
From: Sales <order@ ncima-holding .ci>
Date: Tue 18/10/2016 18:28
Subject: RE: P/O
Attachment: NEW P.O.zip
    Attached is the Purchase order list
    please confirm so we can proceed.
    Thank you.
    ——————————-
    sent from my iPad ...


19 October 2016: New P.O.jar (273kb) - Current Virus total detections 9/56*. Payload Security**...
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476831444/

** https://www.hybrid-a...vironmentId=100
 





#1827 AplusWebMaster


Posted 20 October 2016 - 04:27 AM

FYI...

Fake 'Credit Note' SPAM - delivers trickbot/dyre banking Trojan
- https://myonlinesecu...banking-trojan/
20 Oct 2016 - "... an email with the subject of 'Credit Note CN-81553 from Nordstrom Inc (7907)' pretending to come from Accounts <message-service@ post. xero .com> with a random named/numbered zip attachment containing an .scr file. The icon on this SCR file looks like an adobe PDF icon... One of the  emails looks like:
From: Accounts <message-service@ post. xero .com>
Date: Thu 20/10/2016 01:21
Subject: Credit Note CN-81553 from Nordstrom Inc (7907)
Attachment: CN_81274.zip
    Hi Orlando,
    Attached document is your credit note CN-81553 for 508.18 AUD.
    This has been allocated against invoice number.
    If you have any questions, please let us know.
    Thanks,
    Staff Leasing Inc.


20 October 2016: CN_81274.zip: Extracts to: CN-81274.scr - Current Virus total detections 17/57*
.. Payload Security** shows a download/drop of another file RXGp0aqU55eY5AnMxB.exe.exe (VirusTotal 8/57***)
Payload Security[4] .. appears to be dyre/trickloader banking Trojan ... This is another one of the  files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC/PDF/JPG or other common file instead of the .EXE/.JS file it really is, so making it much more likely for you to accidentally open it and be infected... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476937031/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.14.29.13
78.47.139.102
91.219.28.77


*** https://www.virustot...sis/1476932944/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
78.47.139.102
91.219.28.77
80.79.114.179

___

Fake 'FedEx' SPAM - delivers ransomware
- https://myonlinesecu...ver-ransomware/
20 Oct 2016 - "We are seeing an uptick in the 'FedEx - unable to deliver' malspam emails this week... they are so common and I always get 1 or 2 every day.. today I am receiving quite an increase in numbers over the usual amount... With the holiday season quickly approaching and many more people shopping online, we will see a dramatic increase in these over the next few weeks and months as more people wait for their deliveries... The sort of subjects that you see with this malspam nemucod ransomware campaign which will always have random numbers include:
    Delivery Notification, ID 00898050
    Shipment delivery problem #0000613766
    Problem with parcel shipping, ID:0000857607
    Problems with item delivery, n.00000693983
    Unable to deliver your item, #0000274397


One of the  emails looks like:
From: FedEx Ground <wade.barry@ hosteriasanpatricio .com .ar> or FedEx 2Day A.M. <ruben.morris@ hosteriasanpatricio .com .ar>
Date: Thu 01/09/2016 19:22
Subject: Shipment delivery problem #0000613766  or Delivery Notification, ID 00898050
Attachment: FedEx_ID_0000613766.zip
    Dear Customer,
    We could not deliver your item.
    Please, open email attachment to print shipment label.
    Sincerely,
    Wade Barry,
    Sr. Support Agent.

Or
    Dear Customer,
    We could not deliver your item.
    Shipment Label is attached to email.
    Warm regards,
    Ruben Morris,
    Sr. Operation Manager.


20 October 2016: FedEx_ID_0000613766.zip: Extracts to: FedEx_ID_0000613766.doc.wsf
Current Virus total detections 25/55*: Payload Security** shows downloads of the usual multiple files from
  www .industrial-automation .at/counter/?ad=17MGS22ZVQcqSyHw4VU2NvC5SL4eCPhCJb&id=LZUB9RUv-KCRW63gDdZ5mD075Y_vJ1F6feiXr_Sv5Nbbhxr8QKIPLwoOhYdjCOIqaWV65TnMZepmeok-Renqlmw1ioeBLbM8&rnd=01
  (with a range from 01–04 that delivers different parts of the malware package)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476944618/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
212.152.181.199
___

Fake 'ACH Payment' SPAM - delivers trickbot/dyre banking Trojan
- https://myonlinesecu...banking-trojan/
20 Oct 2016 - "... an email with the subject of 'ACH Payment Notification' pretending to come from ap_vendor_pay2@ bankofamerica .com with a random named/numbered zip attachment containing an .scr file. The icon on this SCR file looks like an adobe PDF icon... One of the  emails looks like:
From: ap_vendor_pay2@ bankofamerica .com
Date: Thu 01/09/2016 19:22
Subject: ACH Payment Notification
Attachment: payment002828870.zip
    LOGICEASE SOLUTIONS INC       Vendor:10288253   Pay Dt: 20150903
    Pay Ref Num: 2000548044
    Please download and view payment document attached.
    Your invoice has been processed for payment by Bank of America Corporate Accounts Payable. The following items are included in this payment:
    The net amount deposited to account number ending   XXXX3195
    designated by you is           $1019.93
    IMPORTANT: AVAILABILITY OF FUNDS FOR WITHDRAWAL IS SUBJECT TO POSTING BY RECEIVING BANK (USUALLY WITHIN THREE BUSINESS DAYS)
    Please do not respond to this e-mail. Should you have questions, please contact the Purchasing, Payment & Reimbursement helpline at 888.550.7486.
    This message, and any attachments, is for the intended recipient’s only, may contain information that is privileged, confidential and/or proprietary and subject to important termsr. If you are not the intended recipient, please delete this message.


20 October 2016: payment002828870.zip: Extracts to: paymen1189d2028.scr . Current Virus total detections 8/56*
.. Payload Security** shows this is likely to be Trickbot/Dyre banking Trojan... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1476964410/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
78.47.139.102
91.219.28.77

 



Edited by AplusWebMaster, 20 October 2016 - 10:31 AM.

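The Symantec note on WSF attachments and the "show known file extensions" warnings in the posts above (FedEx_ID_0000613766.doc.wsf, CN-81274.scr) both come down to the same triage question: what is the real type of the file inside the ZIP? This added example (not code from any of the quoted sources) opens an archive in memory and flags script/executable members and decoy double extensions; `triage_name`, `triage_zip` and the archive builder are hypothetical helpers, the member names are the ones reported in the thread, and the member contents are placeholder text.

```python
"""Triage attachment names for the deception patterns reported in this thread.

Added example, not code from the quoted posts. Helper names are hypothetical;
the file names are those described in the thread, the ZIP contents are placeholders.
"""
import io
import zipfile
from typing import Dict, List

# Types that Windows runs on double-click even when "hide extensions for known
# file types" makes them look like documents (WSF, JS, VBS, HTA, SCR, JAR, ...).
RISKY_EXTENSIONS = {"wsf", "js", "jse", "vbs", "vbe", "hta", "scr",
                    "exe", "jar", "pif", "cmd", "bat"}
# Document-looking tokens that malspam puts in front of the real extension.
DECOY_TOKENS = {"doc", "docx", "pdf", "xls", "xlsx", "jpg", "png", "txt"}


def triage_name(name: str) -> List[str]:
    """Return the reasons a member name looks like a malspam payload (empty if none)."""
    reasons: List[str] = []
    base = name.rsplit("/", 1)[-1]          # ignore any folder inside the archive
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    ext = parts[-1]
    if ext not in RISKY_EXTENSIONS:
        return reasons
    reasons.append(f"executable/script type .{ext}")
    if len(parts) >= 3 and parts[-2] in DECOY_TOKENS:
        # e.g. "FedEx_ID_0000613766.doc.wsf": decoy document extension before the real one
        reasons.append(f"decoy extension .{parts[-2]} before .{ext}")
    elif set(parts[-2].replace("_", " ").split()) & DECOY_TOKENS:
        # e.g. "budget 34A81F8A xls.vbs": decoy token separated by a space/underscore
        reasons.append("document-like word in name hides script type")
    return reasons


def triage_zip(data: bytes) -> Dict[str, List[str]]:
    """List the ZIP's members and triage each name; nothing is extracted or run."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = triage_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(member_names: List[str]) -> bytes:
    """Constructed sample archive: members hold placeholder text, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, "placeholder content\n")
    return buf.getvalue()


# Attachment name -> member names, as reported in the thread, plus one benign control.
SAMPLE_ATTACHMENTS = {
    "FedEx_ID_0000613766.zip": ["FedEx_ID_0000613766.doc.wsf"],
    "CN_81274.zip": ["CN-81274.scr"],
    "budget_xls_b71db945.zip": ["budget 34A81F8A xls.vbs"],
    "Receipt 00180-6477.zip": ["Receipt 83357-830129.wsf"],
    "quarterly_report.zip": ["quarterly_report.pdf"],   # constructed benign control
}


def triage_all() -> Dict[str, Dict[str, List[str]]]:
    """Triage every constructed sample attachment; returns attachment -> findings."""
    return {att: triage_zip(build_sample_zip(members))
            for att, members in SAMPLE_ATTACHMENTS.items()}


if __name__ == "__main__":
    for att, findings in triage_all().items():
        print(att, "->", findings or "no findings")
```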


#1828 AplusWebMaster


Posted 24 October 2016 - 06:13 AM

FYI...

Fake 'Receipt' SPAM - leads to Locky
- http://blog.dynamoo....t-leads-to.html
24 Oct 2016 - "Locky ransomware activity has been quite minimal recently, but it seems to be back today. For example, spam with a format similar to the following is currently being sent out:
    Date: Mon, 24 Oct 2016 16:03:30 +0530
    From: christa.hazelgreave@ gmail .com
    Subject: Receipt 68-508


Sender name is a randomly-generated Gmail address. Attached is a ZIP file starting with the word "Receipt", matching the subject of the email; contained within is a malicious HTA file with a name similar to Receipt 90592-310743.hta. You can see some of the malicious activity in this Hybrid Analysis*...
(List of domain-names at the dynamoo URL above.)
The malware is Locky ransomware phoning home to:
109.234.35.215/linuxsucks .php (McHost.ru, Russia)
91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy .example .com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks .php [hostname: artkoty.mgn-host.ru] [185.102.136.77] (MGNHOST, Russia)
bwcfinnt .work/linuxsucks .php [208.100.26.234] (Steadfast, US) ...
Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
208.100.26.234
"
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
96.0.115.240
107.180.23.49
216.239.139.112
120.117.3.119


- https://myonlinesecu...shit-extension/
24 Oct 2016 - "... Locky downloader.. a blank/empty email with the subject of 'Receipt 00180-6477' (random numbers) pretending to come  from random  names at gmail .com with a semi-random named zip attachment starting with 'receipt' that matches the subject containing a random numbered wsf file starting with 'receipt'... One of the  emails looks like:
From: jennie.winzer@ gmail .com
Date: Mon 24/10/2016 15:05
Subject: Receipt 00180-6477
Attachment: Receipt 00180-6477.zip


Body content: Totally blank/empty

24 October 2016: Receipt 00180-6477.zip: Extracts to: Receipt 83357-830129.wsf
Current Virus total detections 11/55*.. MALWR** shows a download of an encrypted file from
  http ://beyondhorizon .net/076wc?EVgYCyg=JQHYinB which is transformed by the script to uYYRbVgee1.dll
(VirusTotal 6/57***). Payload Security[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477318650/

** https://malwr.com/an...mZlNDhkNzA4Yzc/
Hosts
192.185.96.52

*** https://www.virustot...sis/1477325610/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
192.185.96.52
185.102.136.77
91.200.14.124
109.234.35.215
69.195.129.70
208.100.26.234

___

Fake 'Complaint letter' SPAM - leads to Locky
- http://blog.dynamoo....r-leads-to.html
24 Oct 2016 - "This spam leads to Locky ransomware:
    From     "Justine Hodge"
    Date     Mon, 24 Oct 2016 19:27:53 +0600
    Subject     Complaint letter
    Dear [redacted],
    Client sent a complaint letter regarding the data file you provided.
    The letter is attached.
    Please review his concerns carefully and reply him as soon as possible.
    Best regards,
    Justine Hodge


The name of the sender varies. Attached is a ZIP file with a name similar to saved_letter_e154ddcc.zip containing a malicious .JS script with a name starting with "saved letter"... scripts download...
(Long list of domain-names at the dynamoo URL above.)
The malware phones home to the following URLs:
109.234.35.215/linuxsucks .php (McHost .ru, Russia)
91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy.example .com] [91.200.14.124] (SKS-Lugan / Vhoster, Ukraine)
185.102.136.77/linuxsucks .php [hostname: artkoty.mgn-host .ru] [185.102.136.77] (MGNHOST, Russia)
81.177.22.221/linuxsucks.php (Netplace, Russia)...
... Recommended blocklist:
109.234.35.0/24
91.200.14.124
185.102.136.77
81.177.22.221
"

- https://myonlinesecu...shit-extension/
24 Oct 2016 - "... Locky downloader.. an email with the subject of 'Complaint letter' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with saved_letter containing a js file... One of the  emails looks like:
From: Mia Dickerson <Dickerson.0865@ pipelinemedia .com.au>
Date: Mon 24/10/2016 12:58
Subject: Complaint letter
Attachment: saved_letter_9ff72a60.zip
    Dear [redacted], Client sent a complaint letter regarding the data file you provided. The letter is attached. Please review his concerns carefully and reply him as soon as possible. Best regards, Mia Dickerson


24 October 2016: saved_letter_9ff72a60.zip: Extracts to: saved letter 9A2B8.js
Current Virus total detections 11/55*.. MALWR* shows a download of an encrypted file from
 http ://gruffcrimp .com/352gr0 which is transformed by the script to RuBjy2wiCxyLGr.dll (VirusTotal 9/57***).
Payload security[4] shows the download from
 adultmagstore .com/itc0h81 and the c2 from load of different servers -all- using /linuxsucks .php...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477310600/

** https://malwr.com/an...zRiM2U1NTNiNmU/
Hosts
67.171.65.64

*** https://www.virustot...sis/1477329868/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
66.154.71.36
81.177.22.221
185.102.136.77
91.200.14.124
109.234.35.215
69.195.129.70

___

Trick Bot – spread via malvertising ...
- https://blog.malware...ezas-successor/
Oct 24, 2016 - "... payload was spread via a malvertising campaign, involving Rig Exploit Kit:
> https://blog.malware...ising_chain.png
... After being deployed, Trick Bot copies itself into %APPDATA% and deletes the original sample... Trick Bot is composed of several layers. As usual, the first layer is used for protection – it carries the encrypted payload and tries to hide it from AV software:
> https://blog.malware...10/schema-1.png
... Below we can see its decrypted form revealing the attacked online-banking systems:
> https://gist.githubu...5cb1de/dinj.xml
Conclusion: Trick Bot has many similarities with Dyreza that are visible at the code design level as well as the communication protocol level. However, comparing the code of both shows that it has been rewritten from scratch. So far, Trick Bot does not have as many features as the Dyreza bot. It may be possible that the authors intentionally decided to make the main executable lightweight and focus on making it dynamically expandable using downloaded modules. Another option is that it is still not the final version. One thing is sure – it is an interesting piece of work, written by professionals. The probability is very high that it will become as popular as its predecessor."
Appendix: http://www.threatgee...connection.html - analysis of the TrickBot at Threat Geek Blog
'Trickbot C2s: ...'
(More detail at the malwarebytes URL at the top of this post.)
 



Edited by AplusWebMaster, 24 October 2016 - 01:38 PM.



#1829 AplusWebMaster


Posted 25 October 2016 - 03:33 AM

FYI...

Fake 'Budget forecast' SPAM - delivers Locky
- https://myonlinesecu...shit-extension/
25 Oct 2016 - "... Locky downloader.. an email with the subject of 'Budget forecast' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with 'budget' containing a vbs file that pretends to be an Excel .XLS file... One of the  emails looks like:
From: Alejandra Rojas <Rojas.2910@ dsldevice .lan>
Date: Mon 24/10/2016 22:38
Subject: Budget forecast
Attachment: budget_xls_b71db945.zip
[redacted] asked me to send you the Budget forecast for next project. Please check and ask him if you are not clear with the task.


25 October 2016: budget_xls_b71db945.zip: Extracts to: budget 34A81F8A xls.vbs
Current Virus total detections 2/55*.. MALWR** shows a download of an encrypted file from
 http ://fannyfuff .com/7qx9pmdt which is transformed by the script to QoTcrNU2qu051Uv0.dll (VirusTotal 21/57***).
Neither MALWR nor Payload Security[4] are showing the encrypted files... That might be due to a sandbox/ VM protection in the malware or it might not have run properly. Earlier versions yesterday [1] [2] using WSF, JS or HTA delivery methods did run fully in the online sandboxes. The vbs versions might not... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477345935/

** https://malwr.com/an...mJkM2YxNGYyYzk/
Hosts
67.171.65.64
77.123.137.221
91.200.14.124
91.226.92.225
185.102.136.77
69.195.129.70


*** https://www.virustot...sis/1477378265/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
201.238.211.140
91.226.92.225
185.102.136.77
77.123.137.221
91.200.14.124
69.195.129.70


1] https://myonlinesecu...shit-extension/

2] https://myonlinesecu...shit-extension/
___

Fake 'Scan Data' SPAM - leads to Locky
- http://blog.dynamoo....file-image.html
25 Oct 2016 - "Perhaps minimalist spam works better - there is currently a Locky spam run with one of the subjects 'Blank / Document / File / Image / img / IMG / Pic / Picture / Scan Data' plus a number (e.g. "Picture 4") with a ZIP file attached matching the subject (e.g. Picture 4.zip) which in turn contains a malicious Javascript... There is no body text... These automated analyses [1] [2]... show that it is Locky...
(Long list of domain-names at the dynamoo URL above.)
... The URL is appended with a random query string, e.g. ?EsIemTBBP=LHvybwFTeh
A malicious DLL is dropped with an MD5 of 7a131fff8eaf144312494988300d7dc1 and a detection rate of 4/56*. The malware then phones home to one of the following locations:
185.127.27.100/linuxsucks .php [hostname: artem.kotyuzhanskiy.example.com] (JSC "Informtehtrans", Russia)
91.200.14.124/linuxsucks .php [hostname: artem.kotyuzhanskiy.example.com] (SKS-Lugan / VHoster, Ukraine)
77.123.137.221/linuxsucks .php (Volia DataCentre, Ukraine)
... Recommended blocklist:
185.127.27.100
91.200.14.124
77.123.137.221
"
1] https://www.hybrid-a...vironmentId=100
Contacted Hosts
103.247.11.115
46.105.246.22
91.200.14.124
185.127.27.100
77.123.137.221


2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
203.190.54.3
91.200.14.124
77.123.137.221
185.127.27.100


* https://virustotal.c...sis/1477405965/

- https://myonlinesecu...delivers-locky/
25 Oct 2016 - "... Locky downloader... a blank empty email with a variety of subjects like scan, image, pic, doc etc. pretending to come from random names at Gmail .com with a zip attachment that matches the subject containing a js file... Some of the subjects seen include:
    Image 249
    Blank 962
    Document 7
    Pic 3
    Scan Data 405
    Picture 125
    File 11
    Doc 74
    img 7


One of the  emails looks like:
From: HUGH HALVERSON <hughhalverson94@ gmail .com>
Date: Tue 25/10/2016 14:47
Subject: Image 249
Attachment: Image 249.zip


Body content: totally empty/blank

25 October 2016: Image 249.zip: Extracts to: Pic 767.js - Current Virus total detections 9/54*
.. MALWR** shows a download of an encrypted file from
 http ://rajashekharkubasad .com/g76dbf?ettSsUhngke=NlfFMTpqoQa which is transformed by the script to WgNUiSSFP1.dll (VirusTotal 3/56***). Payload Security[4] shows this version is using .thor extension for the encrypted files... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477403985/

** https://malwr.com/an...zk3N2U0YzEyMjc/
Hosts
43.225.54.151

*** https://www.virustot...sis/1477405261/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
43.225.54.151
185.127.27.100
77.123.137.221
91.200.14.124

___

Fake 'Wrong model' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
25 Oct 2016 - "... Locky downloader... an email with the subject of 'Wrong model' coming as usual from random companies, names and email addresses with a semi random named zip attachment starting with fixed_invoice containing a vbs file... One of the  emails looks like:
From: Randal Burks <Burks.3744@ pocketgreens .com>
Date: Tue 25/10/2016 19:45
Subject: Wrong model
Attachment: fixed_invoice_74957728.zip
    We apologize for sending the wrong model of the product yesterday. Attached is the new invoice for your product No. 31066460.


25 October 2016: fixed_invoice_74957728.zip: Extracts to: fixed invoice 8A3254C.vbs
Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
 http ://idesjot .net/3ab4af which is transformed by the script to B0HRoIuyMVXc7V.dll (VirusTotal 13/57***)...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477421251/

** https://malwr.com/an...Tc2YjI5MzgxMzA/
Hosts
67.171.65.64

*** https://www.virustot...sis/1477421558/
___

Another Day, Another Spam...
- https://isc.sans.edu...l?storyid=21635
2016-10-25 - "... attackers always have new ideas to deliver their malicious content to us... Attached to this mail, a malicious ZIP file with a .pif file inside. The file is in fact a PE file (MD5: 2aa0d2ae9f8492e2b4acda1270616393). The hash was unknown to VT but once uploaded, it was reported as a very old worm, nothing very malicious... The second example, received by one of our readers, is a -fake- SharePoint notification:
> https://isc.sans.edu...epoint-spam.png
The link points to hxxp ://thekchencholing .org/.https/www/sharepoint.com/sites/shareddocument/SitePages/Home.aspx/index.php?wreply=YW5keS5nZXJhZXJ0c0BjZWdla2EuYmUN (the site has been cleaned up in the meantime). SharePoint is a common Microsoft tool used in big organizations and people could be lured by this kind of message. Most spam campaigns are easy to detect but some messages, when properly redacted, may lure the victim easily. We are never far from an unfortunate click. Stay safe!.."

thekchencholing .org: 180.210.205.66: https://www.virustot...66/information/
>> https://www.virustot...9b208/analysis/
 



Edited by AplusWebMaster, 25 October 2016 - 02:49 PM.

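The dynamoo excerpts in the two posts above give a recommended blocklist and show every Locky phone-home using the same /linuxsucks.php path. This added example (not code from dynamoo or myonlinesecurity) runs those two indicators over a few constructed Squid-style proxy log lines; `classify`, `scan_log` and the log format are assumptions for illustration, the blocklist entries and C2 path are the ones quoted in the 24 Oct post, and 109.234.35.77 is a constructed address inside the quoted /24.

```python
"""Match proxy log lines against the Locky phone-home indicators quoted above.

Added example, not code from the quoted blogs. Log lines are constructed; the
blocklist and the /linuxsucks.php path are the indicators quoted in the post.
"""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Recommended blocklist from the 24 Oct dynamoo post: one /24 and three single hosts.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "109.234.35.0/24", "91.200.14.124/32", "185.102.136.77/32", "208.100.26.234/32")]
# The C2 path shared by every phone-home URL in the post.
C2_PATH = "/linuxsucks.php"

# Assumed Squid-style access log: time elapsed client code/status bytes method url
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def classify(url: str) -> List[str]:
    """Return the indicator hits for one URL: blocklisted destination and/or C2 path."""
    hits: List[str] = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    try:
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in BLOCKLIST):
            hits.append(f"destination {host} in blocklist")
    except ValueError:
        pass  # a hostname, not a literal IP; the domain list lives at the dynamoo URL
    if parts.path.lower() == C2_PATH:
        hits.append(f"C2 path {C2_PATH}")
    return hits


def scan_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Parse each log line and return (client, url, hits) for lines that match."""
    alerts: List[Tuple[str, str, List[str]]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # unparseable line, skip rather than guess
        hits = classify(m["url"])
        if hits:
            alerts.append((m["client"], m["url"], hits))
    return alerts


# Constructed sample log: two phone-home POSTs, one benign GET, one hit inside the /24.
SAMPLE_LOG = """\
1477318700.123 45 10.0.0.21 TCP_MISS/200 1024 POST http://109.234.35.215/linuxsucks.php
1477318701.456 30 10.0.0.21 TCP_MISS/200 980 POST http://bwcfinnt.work/linuxsucks.php
1477318702.789 12 10.0.0.33 TCP_MISS/200 5120 GET http://www.example.com/index.html
1477318703.012 50 10.0.0.21 TCP_MISS/404 300 GET http://109.234.35.77/favicon.ico
""".splitlines()


if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(client, url, "; ".join(hits))
```

A single client showing both the path match and a blocklisted destination, as 10.0.0.21 does here, is the host to pull for the ransomware check the posts describe.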


#1830 AplusWebMaster


Posted 26 October 2016 - 06:49 AM

FYI...

Fake 'Help Desk' SPAM - leads to Adwind
- http://blog.dynamoo....-help-desk.html
26 Oct 2016 - "Just by way of a change, here's some -malspam- that doesn't lead to Locky:

Screenshot: https://3.bp.blogspo...cB/s1600/wu.png

In this case, the link in the email goes to:
linamhost .com/host/Western_Union_Agent_Statement_and_summary_pdf.jar
This is a Java file - if you don't have Java installed on your PC (and why would you want this 1990s relic anyway?) then it -won't- run. VirusTotal* identifies it as the Adwind Backdoor**. The Malwr report[3] shows it attempting to contact:
boscpakloka .myvnc .com [158.69.56.128] (OVH, US)
A whole bunch of components are downloaded and frankly I haven't had time to look, but it shares characteristics with the one reported at Malware-Traffic-Analysis[4]. Check the Dropped Files section of the Malwr Report[3] for more. Personally, I recommend blocking -all- dynamic DNS domains such as myvnc .com in corporate environments. At the very least I recommend blocking 158.69.56.128."
* https://virustotal.c...sis/1477480451/

** https://www.f-secure...va_adwind.shtml

3] https://malwr.com/an...mYzMTdmNjg2MDE/
Hosts
158.69.56.128: https://www.virustot...28/information/
>> https://www.virustot...0e69c/analysis/

4] http://www.malware-t.../23/index2.html

myvnc .com: 8.23.224.108: https://www.virustot...08/information/
>> https://www.virustot...01802/analysis/
___

Fake 'Your order' SPAM - leads to Locky
- http://blog.dynamoo....r-has-been.html
26 Oct 2016 - "This curiously worded spam email leads to Locky ransomware:
    Subject:  Your order has been proceeded
    From:     Elijah Farrell
    Date:     Wednesday, 26 October 2016, 12:41
    Your order has been proceeded.
    Attached is the invoice for your order 2026326638.
    Kindly keep the slip in case you would like to return or state your product's warranty.


The name of the sender is randomly generated, as is the reference number. Attached is a ZIP file beginning with "order_details_" plus a random sequence, containing a malicious .VBS script with a similar name. The various scripts download a component... (thank you to my usual source for this)
(Long list of domain-names at the dynamoo URL above.)
The downloaded binary then phones home to:
78.46.170.94/linuxsucks .php [hostname: k-42 .ru] (Corem, Russia / Hetzner, Germany)
95.46.98.25/linuxsucks .php [hostname: 97623-vds-artem.kotyuzhanskiy.gmhost .hosting] (Mulgin Alexander Sergeevich aka GMHost, Ukraine)
91.226.92.225/linuxsucks .php [hostname: weblinks-3424 .ru] (Sobis, Russia)
It also tries to phone home...
Recommended blocklist:
78.46.170.64/27
95.46.98.0/23
91.226.92.225
"

- https://myonlinesecu...delivers-locky/
26 Oct 2016 - "... Locky downloader.. which is running concurrently with THIS[1] is an email with the subject of 'Your order has been proceeded' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with order_details containing a vbs file... typical subject line is 'Your order has been processed' -not- 'Your order has been proceeded'...
1] https://myonlinesecu...delivers-locky/
... One of the emails looks like:
From: Alex Gonzalez <Gonzalez.46337@ solardelaluna .com>
Date: Wed 26/10/2016 12:35
Subject: Your order has been proceeded
Attachment: order_details_56f220432.zip
    Your order has been proceeded. Attached is the invoice for your order 9563076204. Kindly keep the slip in case you would like to return or state your product’s warranty.


26 October 2016: order_details_56f220432.zip: Extracts to: order details 144BAA.vbs
Current Virus total detections 6/54*. MALWR** shows a download of an encrypted file from
  http ://hankookm.com/lun77kyf which is transformed by the script to q3SAQ4aZNZ0p.dll ...
C2 are http ://95.46.98.25 /linuxsucks.php and http ://umjjvccteg .biz/linuxsucks.php
Payload Security[3] shows several others as well... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477482479/

** https://malwr.com/an...WRjYjkyMTBlNzE/
Hosts: (list of contacted IPs at the Malwr report above)


3] https://www.hybrid-a...vironmentId=100
Contacted Hosts
173.254.70.156
95.46.98.25
91.226.92.225
78.46.170.94

___

Fake 'Invoice' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
26 Oct 2016 - "... Locky downloader.. an email with the subject of 'Invoice-350797-93872806-090-9B5248A' (random numbers) pretending to come from invoice@ random companies and email addresses with a random numbered invoice zip attachment containing a jse file... One of the emails looks like:
From: invoices@ greyport .net
Date: Wed 26/10/2016 12:35
Subject:  Invoice-350797-93872806-090-9B5248A
Attachment: 20161026_93872806_Invoice.zip
    Dear Customer,
    Please find attached Invoice 93872806 for your attention.
    Should you have any Invoice related queries please do not hesitate to contact either your designated Credit Controller or the Main Credit Dept. on 01635 279370.
    For Pricing or other general enquiries please contact your local Sales Team.
    Yours Faithfully,
    Credit Dept’ ...


26 October 2016: 20161026_93872806_Invoice.zip: Extracts to: 167402123_Invoice.jse
Current Virus total detections 7/55*. MALWR was unable to show any connections or downloads. Payload Security** shows a download of an encrypted file from
  glyderm .com.ph/t76f3g?awKAvfeuvvV=PyooUmcME but doesn’t show or allow download of the actual Locky binary... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477481832/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts: (list of contacted IPs at the Payload Security report above)

___

WhatsApp in-the-wild scams
- https://blog.malware...-the-wild-scam/
Oct 26, 2016

Other related post(s):
WhatsApp Elegant Gold Hits the Digital Catwalk
> https://blog.malware...igital-catwalk/
Don’t Get Stuck on WhatsApp Stickers…
> https://blog.malware...tsapp-stickers/
Scams, PUPs Target Would-be WhatsApp Voice Users
> https://blog.malware...pp-voice-users/
WhatsApp Hack Promises Messages, Delivers PUPs
> https://blog.malware...-delivers-pups/
WhatsApp Spam Campaign Leads to Malware
> https://blog.malware...ads-to-malware/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 26 October 2016 - 02:52 PM.

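From the defender's side, the indicators quoted in the post above (the Dynamoo blocklist ranges, the 'Your order has been proceeded' and 'Invoice-...' subject shapes, and the .vbs/.jse/.jar droppers inside the zip attachments) can be turned into a simple mail-gateway triage check. The following is an added example, not code from the poster or any of the quoted blogs; the message layout, the function names and the sample messages are constructed for this illustration.

```python
import ipaddress
import re

# Indicators quoted in the post above: the blocklist CIDRs from the Dynamoo
# write-up and the subject/attachment shapes of the two Locky campaigns.
BLOCKLIST = [ipaddress.ip_network(n) for n in
             ("78.46.170.64/27", "95.46.98.0/23", "91.226.92.225/32")]
SUBJECT_PATTERNS = (
    re.compile(r"^Your order has been proceeded$", re.I),
    re.compile(r"^Invoice-\d+-\d+-\d+-[0-9A-F]+$", re.I),
)
SCRIPT_EXTS = (".vbs", ".jse", ".jar")  # dropper types seen in these campaigns

def ip_is_blocked(ip):
    """True if the address falls inside one of the recommended block ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)

def triage(msg):
    """Return the reasons a message matches the malspam described above.

    msg layout is this example's own (hypothetical): {'subject': str,
    'attachments': [{'name': str, 'contains': [archive member names]}]}.
    """
    reasons = []
    if any(p.match(msg["subject"].strip()) for p in SUBJECT_PATTERNS):
        reasons.append("subject matches a known malspam template")
    for att in msg.get("attachments", []):
        name = att["name"].lower()
        if name.startswith("order_details_") and name.endswith(".zip"):
            reasons.append("zip name matches the Locky order_details_ pattern")
        # look at the attachment itself and, for archives, at its members
        for member in [att["name"]] + att.get("contains", []):
            if member.lower().endswith(SCRIPT_EXTS):
                reasons.append(f"script/Java dropper attached: {member}")
    return reasons

# Constructed sample messages modelled on the quoted emails (not real mail).
SAMPLE_MESSAGES = [
    {"subject": "Your order has been proceeded",
     "attachments": [{"name": "order_details_56f220432.zip",
                      "contains": ["order details 144BAA.vbs"]}]},
    {"subject": "Invoice-350797-93872806-090-9B5248A",
     "attachments": [{"name": "20161026_93872806_Invoice.zip",
                      "contains": ["167402123_Invoice.jse"]}]},
    {"subject": "Minutes from Tuesday", "attachments": [{"name": "minutes.pdf"}]},
]
```

Such a check only catches the templates quoted here; the sender names and reference numbers are randomised, so matching on them is pointless, and the attachment-type rule is the part that keeps working when the subject line changes.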
