FYI...
Fake 'Bill overdue' SPAM - delivers Locky
- https://myonlinesecu...y-thor-version/
27 Oct 2016 - "... Locky downloader... an email with the subject of 'Bill overdue' coming as usual from random companies, names and email addresses with a semi-random named zip attachment starting with detailed_bill containing a vbs file... One of the emails looks like:
From: Edmund Parks <Parks.390@ airtelbroadband .in>
Date: Thu 27/10/2016 09:11
Subject: Bill overdue
Attachment: detailed_bill_251752d.zip
This is from the Telephone Company to remind you that your bill is overdue. Please see the attached bill for the fine charge.
27 October 2016: detailed_bill_251752d.zip: Extracts to: detailed bill 1C938E2.vbs
Current Virus total detections 7/55*. MALWR** shows a download of an encrypted file from
http ://tahradeep .com/1tuqd which is transformed by the script to yNBjdb1LZklImF.dll (VirusTotal 11/57***).
C2 are http ://83.217.11.193 /linuxsucks.php | http ://91.201.42.24 /linuxsucks.php
Payload Security[4] shows a few different download locations for the encrypted files but no C2... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477556155/
** https://malwr.com/an...TE0YWZiMmM2ODU/
Hosts
67.171.65.64
91.201.42.24
83.217.11.193
*** https://www.virustot...sis/1477557085/
[4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
67.171.65.64
119.29.37.110
122.114.89.157
- http://blog.dynamoo....-telephone.html
27 Oct 2016 - "This -fake- financial spam leads to Locky ransomware:
Subject: Bill overdue
From: Alexandria Maxwell
Date: Thursday, 27 October 2016, 9:35
This is from the Telephone Company to remind you that your bill is overdue.
Please see the attached bill for the fine charge.
The sender name varies. Attached is a ZIP file which in the sample I saw was named detailed_bill_a9ec14342.zip containing a malicious script... detailed bill C43A9.vbs. The Malwr Report* and Hybrid Analysis** for that script show behaviour consistent with Locky ransomware, and my sources (thank you) tell me that the various scripts download...
(Long list of domain-names at the dynamoo URL above.)
... A DLL is dropped with a detection rate of 11/56***, and the malware then phones home to:
91.201.42.24/linuxsucks.php (RuWeb LLC, Russia)
83.217.11.193/linuxsucks.php [hostname: artkoty.fortest .website] (Park-Web Ltd, Russia)
91.230.211.150/linuxsucks.php [hostname: tarasik.freeopti .ru] (Optibit LLC, Russia)
Recommended blocklist:
91.201.42.24
83.217.11.193
91.230.211.150 "
* https://malwr.com/an...WZkNDI0YTNmMDM/
Hosts
92.53.96.20
91.201.42.24
83.217.11.193
** https://www.hybrid-a...vironmentId=100
Contacted Hosts
67.171.65.64
83.217.11.193
91.230.211.150
91.201.42.24
*** https://virustotal.c...sis/1477560896/
___
Fake 'Account Reactivation' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
27 Oct 2016 - "... -fake- financial themed emails containing java adwind attachments... The email looks like:
From: Npc@ westernunion .com <accounts@ petnet .com .ph>
Date: Thu 27/10/2016 04:56
Subject: Account Reactivation
Attachment: Account Reactivation.zip
Dear Agent,
Our security team has detected a hacking attempt on your account /Terminal . Luckily, the attempt has been blocked and the account/ terminal has been suspended with no financial loss.
Now in order to reactivate the account and avoid the recurrence of such incident, we strongly recommend that you follow the reactivation process attached and share the outcome with our security team copied.
Let us know if you have any questions.
Kind regards,
Zineb Abdouss
Sr. Regional Operations Specialist, North, and Western Asia
Western Union
7th floor, shore 13
1100 Boulevard Al Qods-Quartier Sidi Maarouf
20270 Casablanca – Morocco ...
27 October 2016: Account Reactivation manual.jar (119kb) - Current Virus total detections 22/56*. MALWR**...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477547372/
** https://malwr.com/an...DNlMjZmZGM3MzM/
Hosts
216.107.152.224
___
Fake 'Order Details' SPAM - delivers malware
- https://myonlinesecu...us-office-docs/
27 Oct 2016 - "An email with the subject of 'Re: Order Details' pretending to come from James Correy <jamescorrey@ gmail .com> with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs...
Update: I am reliably informed it is a pony dropper with the pony binary embedded inside the word doc using
http ://www .octpendant .org.in/chixthree-18oct-18nov/gate.php
27 October 2016: BL-06038711.DOC - Current Virus total detections 11/54*... a manual analysis of the macro enabled doc shows a connection to http ://travelinsider .com.au/021ygs7 which currently gives a php error... opens in Microsoft word with a message to 'enable editing to see content'... Payload Security** does show an informative download of an .exe file JF.cm d which VirusTotal 15/56*** detects...
Screenshot: https://myonlinesecu...-1-1024x306.png
Screenshot: https://myonlinesecu...il-1024x621.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477547380/
** https://www.hybrid-a...vironmentId=100
*** https://www.virustot...sis/1477548223/
___
Fake 'E-TICKET' SPAM - leads to Locky
- http://blog.dynamoo....8-leads-to.html
27 Oct 2016 - "More Locky ransomware today...
From "Matthew standaloft"
Date Thu, 27 Oct 2016 15:20:27 +0530
Subject E-TICKET 41648
Dear Sir ,
Please find the attached E-ticket as per your requested.
Thanks & Regards ,
Matthew standaloft
Attached is a ZIP file containing a randomly-named .WSF script, downloading more evil... (according to my usual source):
(Long list of domain-names at the dynamoo URL above.)
... This drops a malicious DLL with a detection rate of 9/56*. The following C2 servers are contacted:
83.217.11.193/linuxsucks .php [hostname: artkoty.fortest .website] (Park-Web Ltd, Russia)
91.201.202.12/linuxsucks .php (FLP Anoprienko Artem Arkadevich aka host-ua .com, Ukraine)
213.159.214.86/linuxsucks .php (JSC Server, Russia)
Recommended blocklist (also see this other spam run** today):
83.217.11.193
91.201.202.12
213.159.214.86 "
* https://www.virustot...28277/analysis/
** http://blog.dynamoo....-telephone.html
- https://myonlinesecu...y-thor-version/
27 Oct 2016 - "... Locky downloader... an email with the subject of 'E-TICKET 0385' (random numbers) coming as usual from random companies, names and email addresses with a semi-random numbered zip attachment that matches the subject number containing a random numbered wsf file... One of the emails looks like:
From: Jacqueline lewis <Jacqueline.lewis022@ pro-youthrodeo .org>
Date: Thu 01/09/2016 19:22
Subject: E-TICKET 0385
Attachment: 0385.zip
Dear Sir ,
Please find the attached E-ticket as per your requested.
Thanks & Regards ,
Jacqueline lewis
27 October 2016: 0385.zip: Extracts to: 8910682.wsf - Current Virus total detections 9/55*
MALWR** shows a download of an encrypted file from http ://139.162.29.193 /g67eihnrv?mieVBwvCQ=ExHBtOmHHgv
which is transformed by the script to mujVqbry1.dll (VirusTotal 9/56***). C2 is:
http ://83.217.11.193 /linuxsucks.php
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477560672/
** https://malwr.com/an...jQyZTI2YWRlM2U/
Hosts
139.162.29.193
83.217.11.193
*** https://www.virustot...sis/1477559703/
___
Fake 'Receipt' SPAM - delivers locky
- https://myonlinesecu...y-thor-version/
27 Oct 2016 - "... Locky downloader... a -blank- email with the subject of 'Receipt' 1578-92517 (random numbers) once again pretending to come from random names at Gmail .com with a semi-random named/numbered zip attachment matching the subject line containing a WSF file... One of the emails looks like:
From: ashley.baring@ gmail .com
Date: Thu 27/10/2016 15:15
Subject: Receipt 1578-92517
Attachment: Receipt 1578-92517.zip
Body content: completely blank/empty
27 October 2016: Receipt 1578-92517.zip: Extracts to: Receipt 89598-1810311.wsf
Current Virus total detections 13/55*. MALWR** shows a download of an encrypted file from
http ://www .acclaimenvironmental .co.uk/g67eihnrv?TCwKroMse=uwIrKcwhz which is transformed by the script to TQTOMcCTi1.dll (VirusTotal 7/57***). C2 http ://83.217.11.193 /linuxsucks.php. Payload Security[4] shows additional C2 locations... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1477578664/
** https://malwr.com/an...jNmM2YwNTlhZWY/
Hosts
89.145.76.9
83.217.11.193
*** https://www.virustot...sis/1477579336/
[4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
89.145.76.9
213.159.214.86
83.217.11.193
91.201.202.12
192.42.116.41
52.32.150.180
54.192.11.30
___
US charges 61 defendants in call center SCAM based in India
- https://www.yahoo.co...-150417258.html
Oct 27, 2016 WASHINGTON (AP) — "It can be a frightening call to get. Callers posing as tax and immigration agents are threatening arrest, deportation or other punishment unless money is sent to help clear up what they say is a deportation warrant or to cover unpaid income taxes. The government says it's a scam — one that's tricked at least 15,000 people into shelling out more than $300 million. Now the Justice Department has charged 61 defendants in the United States and abroad in connection with a call center operation that officials say is based in India. Federal prosecutors have just unsealed an indictment detailing the case. Assistant Attorney General Leslie R. Caldwell says authorities served nine warrants in eight states and arrested 20 people in the international fraud and money laundering scheme investigation. The case includes five call center groups. Caldwell says the scam targeted the elderly and minorities, and extorted thousands of dollars from victims at a time. She says the money was laundered with the help of prepaid debit cards."
Edited by AplusWebMaster, 27 October 2016 - 12:59 PM.
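Added example (my code, not from the quoted myonlinesecurity or dynamoo reports): a small Python detector that turns the indicators listed in the Locky runs above into two checks a defender can run. The first scans web-proxy log lines for the recommended-blocklist IPs and, more usefully, for the `/linuxsucks.php` C2 path that every Locky run in this roundup shares, so a C2 host that was not yet on a blocklist still gets flagged. The second classifies inbound mail by the subject/attachment shapes quoted above (Bill overdue + detailed_bill_*.zip, E-TICKET nnnn + nnnn.zip, Receipt nnnn-nnnnn + matching zip) and falls back to a generic "script or jar inside a zip" rule, which also covers the Adwind run. The log format, the constructed log lines and the `payload-host.example` / `198.51.100.7` values are assumptions made for the example; the IPs, path and lure names come from the posts.

```python
"""Detection helpers built from the IoCs in the 27 Oct 2016 spam roundup.

Added example; not part of the quoted reports. The proxy log format below is an
assumption: "<timestamp> <client-ip> <method> <url> <status>".
"""
import re
from urllib.parse import urlparse

# C2 IPs from the "Recommended blocklist" / C2 lines of the three Locky runs.
LOCKY_C2_IPS = frozenset({
    "83.217.11.193", "91.201.42.24", "91.230.211.150",
    "91.201.202.12", "213.159.214.86",
})
# Every Locky C2 URL quoted in the roundup used this same path.
C2_URI_PATH = "/linuxsucks.php"

# Attachment types that carried the payload in these runs (scripts for Locky, .jar for Adwind).
RISKY_EXTENSIONS = (".vbs", ".wsf", ".js", ".jse", ".vbe", ".jar")

RE_BILL_ZIP = re.compile(r"^detailed_bill_[0-9a-f]+\.zip$", re.IGNORECASE)
RE_ETICKET = re.compile(r"^E-TICKET (\d+)$", re.IGNORECASE)
RE_RECEIPT = re.compile(r"^Receipt (\d+-\d+)$", re.IGNORECASE)


def scan_proxy_log(lines):
    """Return [(line_no, host, reason)] for requests to a listed C2 IP or to the shared C2 path."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash
        url = urlparse(parts[3])
        host = url.hostname or ""
        if host in LOCKY_C2_IPS:
            hits.append((n, host, "blocklisted C2 IP"))
        elif url.path == C2_URI_PATH:
            # Path match on an unlisted host: new C2 infrastructure, same malware.
            hits.append((n, host, "Locky C2 URI path on unlisted host"))
    return hits


def classify_lure(subject, attachment, extracted_names):
    """Label a message by the lure patterns quoted in the roundup, or return None.

    extracted_names is the list of file names inside the zip (from an archive
    listing or sandbox report); it drives the generic fallback rule.
    """
    subj = subject.strip()
    att = attachment.strip()
    if subj.lower() == "bill overdue" and RE_BILL_ZIP.match(att):
        return "locky-bill-overdue"
    m = RE_ETICKET.match(subj)
    if m and att.lower() == f"{m.group(1)}.zip":
        return "locky-eticket"
    m = RE_RECEIPT.match(subj)
    if m and att.lower() == f"receipt {m.group(1)}.zip":
        return "locky-receipt"
    # Generic shape shared by all runs above: a zip whose contents are only scripts or a jar.
    if att.lower().endswith(".zip") and extracted_names and all(
        name.lower().endswith(RISKY_EXTENSIONS) for name in extracted_names
    ):
        return "risky-file-in-zip"
    return None


# Constructed sample log. The payload host is a placeholder; the C2 line uses an IP from the posts
# and 198.51.100.7 stands in for a C2 host that is not yet on any blocklist.
SAMPLE_PROXY_LOG = [
    "2016-10-27T09:14:51 10.0.0.5 GET http://payload-host.example/1tuqd 200",
    "2016-10-27T09:15:02 10.0.0.5 POST http://83.217.11.193/linuxsucks.php 200",
    "2016-10-27T09:15:09 10.0.0.5 POST http://198.51.100.7/linuxsucks.php 200",
    "2016-10-27T09:16:00 10.0.0.9 GET http://www.example.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    print(classify_lure("Bill overdue", "detailed_bill_251752d.zip", ["detailed bill 1C938E2.vbs"]))
    print(classify_lure("Account Reactivation", "Account Reactivation.zip", ["Account Reactivation manual.jar"]))
```

The encrypted-payload download locations differ between runs (compromised sites and a Linode IP in the quotes above), so the example deliberately keys on the C2 path and the attachment shape rather than on download URLs, which age out within hours. A benign zip of documents returns None from `classify_lure`, so the fallback rule does not fire on ordinary attachments.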