FYI...
Fake 'Firewall Software' SPAM - leads to Locky
- http://blog.dynamoo....e-leads-to.html
9 Dec 2016 - "This spam appears to come from multiple senders and leads to Locky ransomware:
From: Herman Middleton
Date: 9 December 2016 at 07:40
Subject: Firewall Software
Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.
Please check it out.
King Regards,
Herman Middleton
IT Support Manager
Attached is a ZIP file with a name like f_license_5330349.zip which contains a randomly named .js script which is very highly obfuscated. The Hybrid Analysis* and Malwr report** show that the script analysed downloads a component from welte .pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56***. That Hybrid Analysis also detects C2 traffic to:
107.181.187.97 /checkupdate [hostname: saluk1.example .com] (Total Server Solutions, US)
51.254.141.213 /checkupdate (OVH, France)
It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows:
91.142.90.46 /checkupdate [hostname: mrn46.powerfulsecurities .com] (Miran, Russia)
195.123.209.23 /checkupdate [hostname: prujio .com] (Layer6, Latvia)
185.127.24.247 /checkupdate [hostname: free.example .com] (Informtehtrans, Russia)
176.121.14.95 /checkupdate (Rinet LLC, Ukraine)
185.46.11.236 /checkupdate (Agava, Russia)
178.159.42.248 /checkupdate (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)
Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are at least a couple of bad /24 blocks in there.
Recommended blocklist:
51.254.141.213
91.142.90.46
107.181.187.97
176.121.14.95
178.159.42.248
185.46.11.0/24
185.127.24.247
195.123.209.0/24 "
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
79.96.68.245
107.181.187.97
178.159.42.248
51.254.141.213
54.239.168.239
91.198.174.192
91.198.174.208
** https://malwr.com/an...jQ1MmM2ODI0MTQ/
Hosts
79.96.68.245
*** https://virustotal.c...sis/1481273887/
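The blocklist quoted above mixes single hosts with two /24 blocks, so a quick way to confirm it actually covers every C2 address listed, and to spot the /checkupdate beacon in proxy logs, is to normalise everything to CIDR and match on that. This is an added example, not code from the quoted blog posts; the IPs and CIDR blocks are the ones in the post, while the log format (a simple "timestamp client method url status" line), the HTTP method and the client addresses are constructed for the example.

```python
"""Added example: normalise the quoted Locky blocklist to CIDR, confirm it covers
the quoted C2 addresses, and scan constructed proxy log lines for /checkupdate
beacons to blocked destinations."""
import ipaddress
import re
from urllib.parse import urlsplit

# C2 addresses quoted in the post (hostnames dropped, IPs only).
LOCKY_C2 = [
    "107.181.187.97", "51.254.141.213", "91.142.90.46", "195.123.209.23",
    "185.127.24.247", "176.121.14.95", "185.46.11.236", "178.159.42.248",
]

# Recommended blocklist quoted in the post: single hosts plus two /24 blocks.
BLOCKLIST = [
    "51.254.141.213", "91.142.90.46", "107.181.187.97", "176.121.14.95",
    "178.159.42.248", "185.46.11.0/24", "185.127.24.247", "195.123.209.0/24",
]

# Constructed log lines for the example (format is an assumption, not a real proxy log).
SAMPLE_LOG = [
    "1481270400 10.0.0.15 POST http://51.254.141.213/checkupdate 200",
    "1481270401 10.0.0.15 GET http://www.example.com/index.html 200",
    "1481270402 10.0.0.22 POST http://185.46.11.77/checkupdate 200",   # inside a listed /24
    "1481270403 10.0.0.31 POST http://203.0.113.9/checkupdate 404",    # same path, unlisted host
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def to_networks(entries):
    """Turn bare IPs and CIDR strings into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blocked(ip, networks):
    """True if ip falls inside any network in the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def uncovered(c2_hosts, blocklist):
    """C2 addresses that the blocklist would miss; empty means full coverage."""
    nets = to_networks(blocklist)
    return [ip for ip in c2_hosts if not is_blocked(ip, nets)]


def find_beacons(log_lines, blocklist, path="/checkupdate"):
    """Return (client, destination_ip) pairs for requests to the C2 path at a blocked host.

    Only URLs with a literal IP host are matched, which is how the beacons in the
    post appear; hostname-based URLs are skipped rather than resolved.
    """
    nets = to_networks(blocklist)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        host = parts.hostname
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # not a literal IP
        if parts.path == path and is_blocked(host, nets):
            hits.append((m.group("client"), host))
    return hits


if __name__ == "__main__":
    print("uncovered C2:", uncovered(LOCKY_C2, BLOCKLIST))
    print("beacons:", find_beacons(SAMPLE_LOG, BLOCKLIST))
```

Matching on the /24 rather than the single host is what catches the second beacon above (185.46.11.77 is not in the post, but its block is); the third line shows that the path alone is not enough, since /checkupdate to an unlisted host is not flagged.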
- https://myonlinesecu...delivers-locky/
9 Dec 2016 - "... an email with the subject of 'Firewall Software' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment in the format of f_license_numbers.zip which delivers Locky ransomware... One of the emails looks like:
From: Curtis Jarvis <Jarvis.Curtis@ irishcitytours .com>
Date: Fri 09/12/2016 07:22
Subject: Firewall Software
Attachment: f_license_5875331.zip
Hey emis2000, it is Curtis. You’ve asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.
Please check it out.
King Regards,
Curtis Jarvis
IT Support Manager
9 December 2016: f_license_5875331.zip: Extracts to: ~S911UGV716O1J3CSTB471C.js
Current Virus total detections 16/55*. MALWR** shows a download of an encrypted file from
http ://www .pgringette .ca/a8crrwrc2t which is converted by the script to z7dWO4eQFUHRtg.zk (VirusTotal 4/57***). Locky has recently started to use non-standard file extensions on the binaries. Sometimes they are numbers like 342, 343, 552 or sometimes tdb or .zk. All of these are actually DLL files that rundll32.exe will run via the macro or VBS/JS/WSF scripting file telling it what to do... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1480616575/
** https://malwr.com/an...jEwMDhkMTFmYmM/
Hosts
69.28.199.160
*** https://www.virustot...sis/1481268678/
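Because rundll32.exe loads whatever path it is given, the .zk / .tdb / numeric extensions described above say nothing about the file type; the PE headers do. The following is an added example, not code from the quoted posts, that reads the DOS and COFF headers to decide whether a dropped file is a DLL regardless of its extension. The sample bytes are constructed stub headers (no sections, no code) built by the helper below; the file name z7dWO4eQFUHRtg.zk is the one mentioned in the post, the other names are made up for the example.

```python
"""Added example: classify dropped files by PE header rather than extension, and
flag DLLs hiding behind odd extensions like .zk or a bare number."""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000


def pe_characteristics(data: bytes):
    """Return the COFF Characteristics field, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # "PE\0\0" signature (4 bytes) followed by the 20-byte COFF header must fit.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return characteristics


def classify(data: bytes) -> str:
    """'dll', 'exe', 'pe-other' or 'not-pe' based on the Characteristics flags."""
    flags = pe_characteristics(data)
    if flags is None:
        return "not-pe"
    if flags & IMAGE_FILE_DLL:
        return "dll"
    if flags & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "exe"
    return "pe-other"


def build_stub(characteristics: int, machine: int = 0x14C) -> bytes:
    """Construct a minimal MZ + PE + COFF header for testing (not a loadable binary)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def triage(files):
    """files: dict of name -> bytes. Return names whose extension hides a DLL."""
    flagged = []
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if classify(data) == "dll" and ext != "dll":
            flagged.append(name)
    return flagged


# Constructed sample set: two DLL stubs with odd extensions, a text file, an EXE stub.
SAMPLE_FILES = {
    "z7dWO4eQFUHRtg.zk": build_stub(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL),
    "invoice.342": build_stub(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL),
    "notes.txt": b"just text, not a PE file",
    "tool.exe": build_stub(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE),
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(name, classify(data))
    print("flagged:", triage(SAMPLE_FILES))
```

The check is deliberately header-only: the downloader in the post writes the payload out under an arbitrary name, so the extension is attacker-controlled, but the MZ/PE signatures and the IMAGE_FILE_DLL bit have to be present for rundll32.exe to load it at all.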
___
Fake 'See attached' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
9 Dec 2016 - "An email spoofing the Business Advisory Service Ltd with the subject of 'See attached – I will call you in 10 mins' (random times) with a malicious Excel XLS spreadsheet attachment delivers Locky Osiris ransomware...
Screenshot: https://i1.wp.com/my...=1024,547&ssl=1
9 December 2016: Invoice_392618_final.xlsm - Current Virus total detections *
MALWR** shows a download of an encrypted file from http ://djelixir .com/34f43 which is converted by the script to XtPmJmcsvIP1.dll (VirusTotal 10/56***). Payload Security [4]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
*
** https://malwr.com/an...TU2NDA1NmNmYjk/
Hosts
108.174.153.189
185.102.136.67
*** https://www.virustot...sis/1481278691/
[4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
108.174.153.189
185.102.136.67
176.121.14.95
31.202.128.199
52.34.245.108
54.239.168.194
___
Another 'Apple phish' ...
- https://myonlinesecu...apple-phishing/
9 Dec 2016 - "... mass Apple phish today, telling you that you have added ghost00@ hotmail .com as a new rescue email address for your Apple ID and you need to verify it... received about 200 so far this morning, some of which are getting past spam filters...
Screenshot: https://i0.wp.com/my...=1024,588&ssl=1
The links in the body go to:
http ://opelpart .hu/media/system/swf/o.html
which -redirects- to numerous sites including:
http ://ushindicounselling .ca/winter/Itunes/apple/
http ://volleyballsaskatoon .ca/winter/Itunes/apple/
... There will no doubt be lots of other sites active in this phishing campaign... follow-the-link [DON'T] you see a webpage looking like this screenshot (taken from a previous example):
> https://i1.wp.com/my...=1024,565&ssl=1 "
opelpart .hu: 87.229.45.133: https://www.virustot...33/information/
ushindicounselling .ca: 67.212.91.221
volleyballsaskatoon .ca: 67.212.91.221: https://www.virustot...21/information/
___
Phish in-the-cloud ...
- http://www.darkreadi.../d/d-id/1327673
Dec 8, 2016 - "Everything else has gone to the cloud, so why not faux emails* and their malicious payloads?... phishing emails have become a way to infect desktops and servers with ransomware, which infosec professionals continually cite as their biggest ongoing concern and defense priority..."
* http://blog.imperva....-reined-in.html
Dec 6, 2016 - "Phishing is the starting point for most data breaches... cybercriminals are lowering the cost of phishing by enabling Phishing as-a-Service (PhaaS) using compromised web servers..."
> http://imperva.typep...32c51970c-800wi
___
400,000 phishing sites - every month in 2016
- https://www.helpnets...-observed-2016/
Dec 7, 2016 - "84 percent of phishing sites observed in 2016 existed for less than 24 hours, with an average life cycle of under 15 hours... data collected by Webroot*:
> https://www.helpnets...ng-122016-1.jpg "
* https://www.webroot....-for-christmas/
Dec 7, 2016 - "... Webroot has observed an average of over 400,000 phishing sites each month... Google, PayPal, Yahoo, and Apple are heavily targeted for attacks. Cybercriminals know to impersonate sites that people trust and use regularly... Google was impersonated in 21 percent of -all- phishing sites between January and September 2016, making it the most heavily targeted. Emails to avoid:
With the holiday season in full swing and the New Year fast approaching, hackers are up to their old tricks... we should all be wary of emails containing UPS, USPS, and FedEx shipping alerts; 401k/benefit enrollment notices; and miscellaneous tax documents from now through the end of January..."
Edited by AplusWebMaster, 09 December 2016 - 09:10 AM.