SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1876 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 04 January 2017 - 01:17 PM

FYI...

Blockchain - phish
- https://myonlinesecu...chain-phishing/
4 Jan 2017 - "... don’t ever click-the-link in the email. If you do it will lead you to a website that looks at first glance like the genuine Blockchain website but you can clearly see in the address bar, that it is fake. Some versions of this and similar phish will ask you fill in the html ( webpage) form that comes attached to the email. The link-in-the-email goes to
  http:// 178.33.66.249 /~kudi/admin/blockchain/info/login.php ..   which is an OVH German server..

Screenshot: https://i2.wp.com/my...=1361,998&ssl=1

If you follow through, all they want is your email address and password but none of the other information that these phishing scams usually ask for:
> https://i2.wp.com/my...=1024,758&ssl=1.."

178.33.66.249: https://www.virustot...49/information/
> https://www.virustot...ef706/analysis/
Detection: 5/68
 

:ph34r: :ph34r:   <_<


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
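The post above makes its point visually: the address bar shows a bare IP address and a `/~kudi/` user directory with "blockchain" only in the path. As an added example (not code from the forum post or from the myonlinesecurity write-up it quotes), here is a small Python check that turns those three tells into rules a mail filter or awareness tool could apply. The brand watch list and the benign comparison URL are constructed; the phishing URL is the one quoted in the post, reassembled without the defanging spaces.

```python
"""Heuristics for the kind of phishing link described in the post: a bare IP
address as host, a per-user web directory in the path, and a brand name that
appears in the path but nowhere in the host. Added example, not from the post
or the blog it quotes."""
import ipaddress
from urllib.parse import urlsplit

# Constructed watch list of brands that get phished; extend as needed.
BRANDS = {"blockchain", "paypal", "apple", "microsoft"}


def is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def phishing_indicators(url):
    """Return the list of reasons a URL looks like a brand phish (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    reasons = []
    if is_ip_literal(host):
        reasons.append("host is a bare IP address, not the brand's domain")
    if path.startswith("/~"):
        reasons.append("link points into a per-user web directory (/~user/) on a shared host")
    host_labels = set(host.split("."))
    for brand in sorted(BRANDS):
        # A brand name in the path but not in any host label is the classic
        # "looks genuine at first glance" layout the post describes.
        if brand in path and brand not in host_labels:
            reasons.append(f"brand '{brand}' appears in the path but not in the host name")
    return reasons


# First URL is the one quoted in the post (defanging removed); second is a
# constructed benign URL for comparison.
SAMPLE_URLS = [
    "http://178.33.66.249/~kudi/admin/blockchain/info/login.php",
    "https://blockchain.info/wallet/login",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", phishing_indicators(url) or ["no indicators"])
```

The brand rule only looks at host labels, so a brand used as a subdomain of an attacker-controlled domain would pass; catching that needs a public-suffix list to find the registrable domain, which is deliberately left out here.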



#1877 AplusWebMaster

Posted 05 January 2017 - 03:44 PM

FYI...

Fake 'New Invoice' SPAM - Cerber ransomware
- https://myonlinesecu...ber-ransomware/
5 Jan 2017 - "... an email with the subject of 'New Invoice #2768-16'... pretending to come from what I assume are random companies, names and email addresses with a zip attachment containing a js file that eventually delivers Cerber ransomware... One of the emails looks like:
From: Janie Cain <asgard1234@ post .su>
Date:Thu 05/01/2017 17:25
Subject: New Invoice #2768-16
Attachment: info-inv.zip
    This email is being sent in order to inform you that a new invoice has been generated for your account.
    Please see the file that is attached.
    The file is password protected to protect your information.
    The password is 123456
    Thank you.
    Janie Cain


5 January 2017: info-inv.zip: Extracts to: info-inv.js - Current Virus total detections 12/54*
... Analysis by techhelplist[1] has found it to deliver Cerber ransomware. It downloads from 86.106.131.141 /10.mov  which is a renamed .exe file that if you try to run manually would open windows media player instead, although the script file will run it successfully (VirusTotal 3/45**) (Payload Security ***) (MALWR [4]). This Cerber version contacts -576- hosts... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://twitter.com/...105275580772353

* https://www.virustot...sis/1483646751/

** https://virustotal.c...642bb/analysis/

*** https://www.hybrid-a...vironmentId=100
Contacted Hosts (576)

4] https://malwr.com/an...WYzMTg5NjBhOGI/

86.106.131.141: https://www.virustot...41/information/
> https://www.virustot...cf181/analysis/
___

Tech support SCAM - DoS on Macs
- https://blog.malware...e-via-mail-app/
Jan 5, 2017 - "... yet another 'technique' that targets Mac OS users running Safari... second variant appears to still be capable of opening up iTunes, without any prompt in Safari... IOCs:
safari-get[.]com: Could not find an IP address for this domain name
safari-get[.]net: 111.118.212.86: https://www.virustot...86/information/
> https://www.virustot...29831/analysis/
safari-serverhost[.]com: Could not find an IP address for this domain name
safari-serverhost[.]net: 111.118.212.86 "
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 06 January 2017 - 07:20 AM.



#1878 AplusWebMaster

Posted 09 January 2017 - 05:13 AM

FYI...

Merry X-Mas Ransomware
- https://isc.sans.edu...l?storyid=21905
2017-01-09 - "... Merry X-Mas Ransomware was first reported as distributed through malicious spam (malspam) disguised as FTC consumer complaints*...
* https://myonlinesecu...t-notification/
3 Jan 2017
By Sunday 2017-01-08, I saw an updated version of the Merry X-Mas Ransomware distributed through malspam disguised as 'court attendance' notifications. The malspam was a -fake- notification to appear in court. Email headers indicate the sender's address was -spoofed- and the email came from a cloudapp .net domain associated with Microsoft:
> https://isc.sans.edu...ry-image-02.jpg
The -link- from the malspam downloaded a zip archive. The zip archive contained a Microsoft Word document with a malicious macro. If macros were enabled on the Word document, it downloaded and executed the ransomware.
Flow chart of the infection process:
> https://isc.sans.edu...ry-image-03.jpg
... IoCs follow:
    192.185.18.204 port 80 - neogenomes .com - GET /court/PlaintNote_12545_copy.zip  [initial zip download]
    81.4.123.67 port 443 - onion1 .host:443 - GET /temper/PGPClient.exe  [ransomware binary]
    168.235.98.160 port 443 - onion1 .pw  - POST /blog/index.php  [post-infection callback]
... Malspam with links to malware is a common threat. This is not an unusual method of malware distribution, and its holiday theme also fits the season... Still, we need to keep an ongoing dialog to promote awareness of this and other ransomware threats. Too many people continue to fall for it..."
(More detail at the isc URL above.)

192.185.18.204: https://www.virustot...04/information/

81.4.123.67: https://www.virustot...67/information/

168.235.98.160: https://www.virustot...60/information/
___

Fake 'Apple' SPAM - links to malware
- https://myonlinesecu...ber-ransomware/
9 Jan 2016 - "... an email with the subject of 'Apple latest security checks' pretending to come from Support@ App .com... Link goes to ‘http ://bellinghamontap .com/apple.zip’... Attachment: Link in email...

Screenshot: https://myonlinesecu...ck-1024x666.png

9 January 2017: apple.zip: Extracts to: apple.exe - Current Virus total detections 4/56*
Payload Security**. I am guessing from this report it is Cerber ransomware, by the number of IP addresses it contacts... The basic rule is NEVER open any attachment to an email -or- click-a-link in an email unless you are expecting it...."
* https://www.virustot...a8b7f/analysis/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (576)

bellinghamontap .com: 192.254.185.196: https://www.virustot...96/information/
> https://www.virustot...6007e/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 09 January 2017 - 04:50 PM.



#1879 AplusWebMaster

Posted 10 January 2017 - 04:56 AM

FYI...

Fake 'Certificate UPDATE' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
10 Jan 2017 - "... an email with the subject of 'Certificate UPDATE' pretending to come from Administrator at your-own-email-address delivers Trickbot banking Trojan... One of the emails looks like:
From: Administrator <Administrator@ victim domain .tld >
Date: Tue 10/01/2017 01:25
Subject: Certificate UPDATE
Attachment: certificate.zip
    **********Important – Internal ONLY**********
    Your Web mail account Certificate is about to expire. Please update it.
    New Certificate is in attachment. Download and launch file.
    Certificate details:
    Filename:        Certificate.crt
    Key:                 6260-6233-GFPV-6072-UAAV-1048
    Domain:        ...
    MX record:     ...


10 January 2017: certificate.zip: Extracts to: Certificate_webmail.scr - Current Virus total detections 15/57*
Payload Security**... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1484029988/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
78.47.139.102
36.37.176.6
201.236.219.180
144.76.203.79

___

Extortionists Wipe Databases, Victims Who-Pay-Up Get-Stiffed
- https://krebsonsecur...up-get-stiffed/
Jan 10, 2017 - "Tens of thousands of personal and possibly proprietary databases that were left accessible to the public online have just been -wiped- from the Internet, replaced with ransom-notes demanding payment for the return of the files. Adding insult to injury, it appears that virtually none-of-the-victims (who) have paid the ransom have gotten-their-files-back because multiple-fraudsters are now wise to the extortion attempts and are competing to replace-each-other’s-ransom notes.
At the eye of this developing data destruction maelstrom is an online database platform called MongoDB. Tens of thousands of organizations use MongoDB to store data, but it is easy to misconfigure and leave the database exposed online. If installed on a server with the default settings, for example, MongoDB allows anyone to browse the databases, download them, or even write over them and delete them..."
Shodan, a specialized search engine designed to find things that probably won’t be picked up by Google, lists the number of open, remotely accessible MongoDB databases available as of Jan. 10, 2017
> https://krebsonsecur...shodanmongo.png
... Truth 1: “If you connect it to the Internet, someone will try to hack it.”
Truth 2: “If what you put on the Internet has value, someone will invest time and effort to steal it.”
Truth 3: “Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.”
(More detail at the 1st krebsonsecurity URL at the top.)
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 10 January 2017 - 02:52 PM.

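The Krebs piece quoted above pins the MongoDB wipes on two default settings: the server listening on every interface and running with no authorization. As an added example (not from the forum post, the Krebs article, or the MongoDB project), here is a Python audit of a `mongod.conf` that flags exactly those two settings, with a constructed exposed configuration beside a constructed hardened one. The parser is a minimal hypothetical helper for the two-level `section:` / `key: value` layout, not a full YAML parser, and it treats a missing `bindIp` as listening on all interfaces, which was the default in the MongoDB releases current when the article was written.

```python
"""Audit a mongod.conf for the two settings that leave a MongoDB instance open
to the internet: listening on all interfaces and running without authorization.
Added example with constructed configs; not from the article or the project."""


def parse_mongod_conf(text):
    """Minimal parser for the 'section:' / '  key: value' layout mongod.conf uses.
    Comments (#) and blank lines are ignored. Returns {section: {key: value}}.
    Hypothetical helper: enough for this audit, not a general YAML parser."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):            # top-level section, e.g. "net:"
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip().strip("'\"")
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_mongod_conf(text)
    findings = []
    bind_ip = conf.get("net", {}).get("bindIp")
    # A missing bindIp meant "listen on every interface" on the releases of that era.
    if bind_ip is None or any(a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(",")):
        findings.append("net.bindIp: listens on all interfaces; bind to 127.0.0.1 or internal addresses only")
    auth = conf.get("security", {}).get("authorization", "disabled")
    # Authorization is off unless explicitly enabled, so any client that can
    # connect can read, overwrite or drop every database.
    if auth.lower() != "enabled":
        findings.append("security.authorization: not enabled; unauthenticated clients get full access")
    return findings


# Constructed sample configs (not taken from any real host).
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one internal address
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Binding to internal addresses only keeps Shodan-style scanners from seeing the port at all; enabling authorization is what stops the "overwrite and leave a ransom note" step even when the port is reachable. Both are needed, which is why the audit reports them separately.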


#1880 AplusWebMaster

Posted 11 January 2017 - 04:40 AM

FYI...

Fake 'Document' SPAM - delivers Trickbot
- https://myonlinesecu...nking-trojan-2/
11 Jan 2017 - "An email with the subject of 'Document from Vogel' (random name) pretending to come from the same random name at your-own-email-address with a malicious word doc attachment delivers Trickbot banking Trojan... The email looks like:
From: Michael Vogel <Michael.Vogel@ victim domain .tld >
Date: Wed 11/01/2017 06:59
Subject: Document from Vogel
To: admin@victim domain.tld  + 9 other names at my domain
Attachment: Vogel_1101_30.doc
    My company sent you a document. Check it attached.
     Regards,
    Michael Vogel
    G8 Education Limited


11 January 2017: Vogel_1101_30.doc - Current Virus total detections 9/55*
Payload Security** shows a download of what pretends to be a png (image file) but is actually a renamed .exe file from ‘http ://artslogan .com.br/images/jhfkjsdhfntnt.png’ which is renamed by the script to yatzxwe.exe and automatically run (VirusTotal 12/57***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1484121516/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
189.1.168.176
78.47.139.102
36.37.176.6
201.236.219.180
144.76.203.79


*** https://www.virustot...sis/1484091723/
___

Post-holiday spam campaign delivers Neutrino Bot
- https://blog.malware...s-neutrino-bot/
Jan 11, 2017 - "During the Christmas season and early into the new year, we noticed a sharp decrease in spam volume, perhaps as online criminals took a break from their malicious activities and popped the champagne to celebrate. It could also have been a time to regroup and plan new strategies for the upcoming year... over the weekend we observed a large new campaign purporting to be an email from ‘Microsoft Security Office’ with a link to a full security report (Microsoft.report.doc). This was somewhat unexpected, as typically the malicious Office files are directly attached to the email. Instead, the files are hosted on various servers with a short time to live window:
> https://blog.malware...17/01/email.png
The booby-trapped document asks users to enable-macros in order to launch the malicious code:
> https://blog.malware...cro_blocked.png
If the macro executes, the final payload will be downloaded and executed. This is Neutrino bot..."
IOCs:
Malicious doc:
agranfoundation[.]org/Microsoft[.]report[.]doc: 192.185.77.168
xn--hastabakc-2pbb[.]net/Microsoft[.]report[.]doc: 176.53.17.106
ecpi[.]ro/Microsoft[.]report[.]doc: 89.42.223.64
ilkhaberadana[.]com/Microsoft[.]report[.]doc: 159.253.46.194
cincote[.]com/Microsoft[.]report[.]doc: 192.185.145.46
mallsofjeddah[.]com/Microsoft[.]report[.]doc: 192.185.191.165
dianasoligorsk[.]by/Microsoft[.]report[.]doc: 178.124.131.21
8dd66dd191c9f0d2f4b5407e5d94e815e8007a3de21ab16de49be87ea8a92e8d
Neutrino bot:
www.endclothing[.]cu[.]cc/nn.exe: 137.74.93.42
87b7e57140e790b6602c461472ddc07abf66d07a3f534cdf293d4b73922406fe
b1ae6fc1b97db5a43327a3d7241d1e55b20108f00eb27c1b8aa855f92f71cb4b
ca64848f4c090846a94e0d128489b80b452e8c89c48e16a149d73ffe58b6b111
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 11 January 2017 - 12:38 PM.



#1881 AplusWebMaster

Posted 12 January 2017 - 04:31 AM

FYI...

Fake 'MoneyGram' SPAM - delivers Java Jacksbot
- https://myonlinesecu...urgent-request/
12 Jan 2017 - "... fake financial themed emails containing java adwind or Java Jacksbot attachments...previously mentioned... HERE*....
* https://myonlinesecu.../?s=java adwind
... This version is slightly unusual... has a html attachment with -links- for you to download the file yourself.

Screenshot: https://myonlinesecu...tion-email-.png

If you are unwise enough to open the html -attachment- you see a webpage looking like this:
> https://myonlinesecu...onfirmation.png
The page tries to automatically download the zip file, if that doesn’t work then the download button appears. That  goes to http ://dreamsbroker .com/Requested%20Missing-Confirmation%20of%20payment.zip which extracts to 2 identical but differently named java.jar files. Received documents And Customers identification.jar and Request Missing Transaction Details and Refrence.jar

12 January 2017: Received documents And Customers identification.jar (323kb) - Current Virus total detections 24/55*
Payload Security**. These malicious attachments have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1484201418/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
83.243.41.200

dreamsbroker .com: 180.235.148.70: https://www.virustot...70/information/
___

'Phishy' sponsored tweets
- https://blog.malware...onsored-tweets/
Jan 12, 2016 - "Another day, another couple of rogue sponsored tweets [1], [2] which lead to phishing:
1] https://blog.malware...-card-phishing/
2] https://www.scmagazi...article/629182/
The account pushing the first phish has now been deleted, but it’s trivial to set up another one – and the phishing URL itself is -still- active, ready to be redeployed at a moment’s notice... site is located at
verifiedaccounts(dot)us
and – like the older versions of this scam – is all about getting yourself verified:
> https://blog.malware...ored-phish1.jpg
The site kicks things off by asking for username, email address, account type, phone number, year of account creation, and (finally) associated password. It’s not long before they’re sniffing around your wallet, too:
> https://blog.malware...ored-phish2.jpg
... We strongly advise all users of Twitter to be on their guard – just because a tweet is sponsored, doesn’t mean the content it leads to is legitimate. Be on your guard and don’t hand over login details, payment credentials, or anything else to sites -claiming- they can get you verified."

verifiedaccounts(dot)us: 192.185.128.203: https://www.virustot...03/information/
> https://www.virustot...a3883/analysis/
Detection ratio: 10/68
___

More Indian tech support SCAMS
- http://blog.dynamoo....gineer-and.html
12 Jan 2017 - "... huge upsurge in the number of Indian tech support scammers ringing, both at home and my place of work. For example.. this:
One common trick they use revolves around this hexadecimal number 888DCA60-FC0A-11CF-8F0F-00C04FD7D062. Either it's a signal that hackers are at your PC, or it's your secret router ID that only BT would know. The conversation goes something like this..
Victim: "But I don't get my internet from BT.."
Scammer: "BT provides all the internet connections for everyone else, including TalkTalk and Virgin Media."
Victim: "How do I know you're from BT?"
Scammer: "There is a confidential Router ID that only BT will know. You can verify this to prove that we are BT."
The scammer then talks the victim through pressing -R then CMD (followed by OK) and then ASSOC (followed by RETURN). That simply produces a list of file associations (e.g. to say that .xlsx is an Excel spreadsheet). The line they want you to see is:
    .ZFSendToTarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}
This is just something to do with how Windows handles compressed files and folders. All Windows machines should have this entry, but it looks sufficiently scary to impress at least some victims.
>> NEVER GIVE THESE PEOPLE ACCESS TO YOUR PC.
However, if you want to waste their time please do so.. if you work in IT you can probably play a convincingly dumb user. It seems that they will try for up to 40 minutes or so before they give up. Alternatively, say that you have to get your laptop out from somewhere and it is very slow and just put them on hold. Every minute of their time you can waste will stop them targeting other potential victims. And don't just ignore the call - report it. If you are in the UK you can report this sort of -scam- to Action Fraud* - it will certainly help law enforcement if they have an idea of how many potential victims there are."
* http://www.actionfra...uk/report_fraud
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 12 January 2017 - 03:58 PM.



#1882 AplusWebMaster

Posted 15 January 2017 - 05:36 AM

FYI...

Fake blank-body/no-subject SPAM - delivers Cerber
- https://myonlinesecu...ber-ransomware/
15 Jan 2017 - "I have been seeing these emails sporadically for the last month or so, but all previous versions have been corrupt... today’s actually has a working zip file. These arrive as a blank/empty email with no-subject pretending to come from asisianu@ pauleycreative .co.uk with a zip file containing a malicious word doc. They all actually come from asisianu at random email addresses, sometimes they spoof your-own-email-address, but always the 'From' address in the email is asisianu@pauleycreative .co.uk. This is Cerber ransomware... The email looks like:
From: asisianu@ pauleycreative .co.uk
Date: Sun 15/01/2017 06:54
Subject: none
Attachment:  EMAIL_31327_info.zip


Body content: Totally empty/blank

15 January 2017: 12412.doc - Current Virus total detections 9/56*. Payload Security** shows a download from
 http ://coolzeropa .top/admin.php?f=0.dat which is renamed by the script to rcica.exe (VirusTotal 7/58**).
This also drops a full screen set of instructions on how to decrypt and pay the ransom:
  _HOW_TO_DECRYPT_CDF8WC_.hta ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1484469048/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (577)

*** https://www.virustot...sis/1484469369/

coolzeropa .top: 35.161.229.79: https://www.virustot...79/information/
84.200.34.99: https://www.virustot...99/information/
 

:ph34r: :ph34r:   <_<




#1883 AplusWebMaster

Posted 17 January 2017 - 04:37 AM

FYI...

Blank-emails no-subject SPAM - deliver Locky and Kovter
- https://myonlinesecu...cky-and-kovter/
17 Jan 2017 - "... We are starting to see Locky, Kovter delivery emails trickling in this morning. The sites and payloads are the same as described in this post:
> https://myonlinesecu...nd-locky-sites/ 
It looks like the Locky gangs are gearing up for a mass malspam, but are getting the delivery systems fine tweaked and having a few problems. We always see errors and problems before a mass Locky onslaught. If they keep to the sites they have been using for the last month or so, it will be relatively easy to track them & block malware. The emails received so far today are totally-blank, no-subject. The zip attachment extracts to another zip before extracting to a supposedly .jse file. However these are not encoded javascript. They are just minimally obfuscated, in fact perfectly readable by a human:
From: charlie.wills@ 02glass .com
Date: Mon 16/01/2017 23:30  (arrived 07:35 utc 17/01/2017)
Subject: blank


Attachment: 38168891.zip extracts to 38168891.doc.zip extracts to 38168891.doc.jse  
VirusTotal 5/54* | Payload Security**
Payload:
1bin Locky:  https://www.virustot...sis/1484631951/
File name: a1.exe / Detection: 16/55

2.bin Kovter: https://www.virustot...sis/1484642102/
File name: 2.bin / Detection: 12/56

* https://www.virustot...sis/1484641911/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (171)
 

:ph34r: :ph34r:   <_<


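The post above describes a zip that extracts to another zip that finally yields `38168891.doc.jse`; the earlier posts in this run (#1877, #1879, #1882) describe the same attachment pattern with a `.js`, a `.scr` and a `.doc` inside a single zip. As an added example (not code from the forum posts or from the myonlinesecurity blog), here is the check a mail gateway would run on such an attachment in Python: walk nested zips to a bounded depth, list every member, and flag script/executable extensions, including the `name.doc.jse` double-extension disguise. The sample archives are built in memory from a harmless placeholder string; the file names follow the post, the contents are constructed.

```python
"""Inspect a zip attachment the way a mail gateway would: descend into nested
zips (bounded), record every member, and flag script/executable extensions and
double extensions such as 'name.doc.jse'. Added example with constructed
samples; not from the forum post or the blog it quotes."""
import io
import zipfile

# Extensions Windows will execute directly or hand to a script host.
SCRIPT_OR_EXE = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".scr", ".exe",
                 ".pif", ".cmd", ".bat", ".lnk"}
# Extensions that make a name look like a harmless document or image.
DOCUMENT_LIKE = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def _disguised(name):
    """'invoice.doc.jse' -> True: document-looking name ending in a script extension."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in SCRIPT_OR_EXE and "." + parts[-2] in DOCUMENT_LIKE


def inspect_zip(data, depth=0, max_depth=3, prefix=""):
    """Return (members, findings). members are 'outer.zip/inner.zip/file' paths;
    findings are human-readable reasons to hold the attachment."""
    label = prefix or "attachment"
    members, findings = [], []
    if depth > max_depth:
        findings.append(f"{label}: nested deeper than {max_depth} levels, not descending")
        return members, findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(f"{label}: not a valid zip")
        return members, findings
    with zf:
        for info in zf.infolist():
            path = f"{prefix}/{info.filename}" if prefix else info.filename
            members.append(path)
            ext = _ext(info.filename)
            if ext == ".zip":
                findings.append(f"{path}: nested archive")
                inner_members, inner_findings = inspect_zip(zf.read(info), depth + 1, max_depth, path)
                members.extend(inner_members)
                findings.extend(inner_findings)
            elif ext in SCRIPT_OR_EXE:
                kind = ("script/executable disguised with a document extension"
                        if _disguised(info.filename) else "script/executable")
                findings.append(f"{path}: {kind} ({ext})")
    return members, findings


def build_zip(entries):
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample shaped like the post: zip -> zip -> name.doc.jse.
# The inner 'script' is a placeholder string, not a real script.
INNER = build_zip({"38168891.doc.jse": b"// placeholder text, not a real script\n"})
SAMPLE_ATTACHMENT = build_zip({"38168891.doc.zip": INNER})
BENIGN_ATTACHMENT = build_zip({"report.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        members, findings = inspect_zip(blob)
        print(name, members, findings or ["no findings"])
```

The depth bound matters in practice: without it a recursively nested archive would keep the gateway busy indefinitely, so the inspector reports excessive nesting as a finding rather than silently stopping.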


#1884 AplusWebMaster

Posted 18 January 2017 - 12:28 PM

FYI...

Fake 'ACH' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
18 Jan 2017 - "... an email spoofing ACH (Automated Clearing House) with the subject of 'Blocked Transaction Case No 255275283' coming or pretending to come from random companies, names and email addresses with rar attachment extracting to a very heavily obfuscated .JS file delivers Locky ransomware after a long convoluted download system... One of the emails looks like:
From: Eufemia Quintyne <xefiuza03040150@ photogra .com>
Date: Wed 18/01/2017 14:08
Subject: Blocked Transaction. Case No 255275283
Attachment: doc_details.rar
    The Automated Clearing House transaction (ID: 058133683), recently initiated
    from your online banking account, was rejected by the other financial
    institution.
    Canceled ACH transaction
    ACH file Case ID     04123240
    Transaction Amount     1624.05 USD ...


18 January 2017:  doc_details.rar: Extracts to: doc_details.js - Current Virus total detections 7/54*
Payload Security** shows it drops another .js file (Payload Security ***) (VirusTotal 7/53[4]) which in turn downloads Locky ransomware from unwelcomeaz .top/2/56.exe (VirusTotal 9/55[5])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1484760601/

** https://www.hybrid-a...vironmentId=100

*** https://www.hybrid-a...vironmentId=100
35.164.68.81
91.237.247.24
194.31.59.5
52.88.7.60
35.161.88.115


4] https://www.virustot...sis/1484757035/

5] https://www.virustot...sis/1484758078/

unwelcomeaz .top: 35.164.68.81: https://www.virustot...81/information/
54.149.186.25: https://www.virustot...25/information/
___

Fake 'signature required' SPAM - delivers hancitor
- https://myonlinesecu...ivers-hancitor/
18 Jan 2017 - "An email pretending to come from a firm of -lawyers- with the subject of 'RE: settlement' pretending to come from a random firm of lawyers with a link-that-downloads a malicious word doc delivers hancitor [1]...

Screenshot: https://myonlinesecu...1/bracewell.png

18 January 2017: contract_submit.doc - Current Virus total detections 3/53*. Payload Security**...
DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.fireeye....aka_chanit.html

* https://www.virustot...sis/1484759676/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
23.23.117.228
109.120.170.116
188.212.255.49
78.47.141.185

 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 18 January 2017 - 02:55 PM.



#1885 AplusWebMaster

Posted 19 January 2017 - 12:43 PM

FYI...

Fake 'Insolvency Service' SPAM - delivers Cerber
- http://blog.dynamoo....cy-service.html
19 Jan 2017 - "This malware spam is unusual in many respects. The payload may be some sort of ransomware (UPDATE: this appears to be Cerber ).

Screenshot: https://3.bp.blogspo.../insolvency.png

Sample subjects are:
LSV 354EMPU31 -  Investigations Inquiry Reminder
JXI 647TESR39 -  Investigations Inquiry Reminder
SHV 622WYXP68 -  Investigations Inquiry Notice
QPY 661APWZ41 -  Investigations Inquiry Notice
FHF 338SYBV85 -  Investigations Inquiry Notice
EGY 318NHAR12 -  Investigations Inquiry Notification
IZJ 296CNWP92 -  Investigations Inquiry Notice
All the senders I have seen come from the chucktowncheckin .com domain. Furthermore, all of the sending servers are in the same /24: 194.87.216.* .. All the servers have names like kvm42.chapelnash .com in a network block controlled by Reg .ru in Russia. The link-in-the-email goes to some hacked WordPress site or other, then ends up on a subdomain of uk-insolvencydirect .com e.g. 2vo4 .uk-insolvencydirect .com/sending_data/in_cgi/bbwp/cases/Inquiry.php - this is a pretty convincing looking page spoofing the UK government, asking for a CAPTCHA to download the files:
> https://3.bp.blogspo...gov-uk-fake.png
Entering the CAPTCHA downloads a ZIP file (e.g. 3d6Zy.zip) containing a malicious Javascript (e.g. Inquiry Details.js)... Hybrid Analysis* of the script is rather interesting, not least because it performs NSLOOKUPs against OpenDNS servers (which is a really weird thing to do given that OpenDNS is a security tool). The script downloads a component from www .studiolegaleabbruzzese .com/wp-content/plugins/urxwhbnw3ez/flight_4832.pdf and then drops an EXE with an MD5 of e403129a69b5dcfff95362738ce8f241 and a detection rate of 5/53**. Narrowing the Hybrid Analysis down to just the dropped EXE, we can see these peculiar OpenDNS requests as the malware tries to reach out to:
soumakereceivedthiswith .ru (176.98.52.157 - FLP Sidorenko Aleksandr Aleksandrovich, Russia)
sectionpermiathefor .ru (151.0.42.255 - Online Technologies, Ukraine)
programuserandussource .ru (does not resolve)
maytermsmodiall .ru (does not resolve)
... I recommend that you block email traffic from:
194.87.216.0/24
-and- block web traffic to
uk-insolvencydirect .com
studiolegaleabbruzzese .com
176.98.52.157
151.0.42.255
"
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
62.149.142.206
208.118.235.148
208.67.222.222
5.58.153.190


** https://virustotal.c...1309e/analysis/
___

Verified Twitter accounts compromised ...
- https://blog.malware...-busy-spamming/
Jan 18, 2017 - "Verified Twitter accounts tend to be a little more secure than those belonging to non-verified users due to the amount of extra hoop jumping required to get one of those ticks in the first place. A number of security requirements, including providing a phone number and setting up 2FA, are all things a would-be verified Twitter user needs to do. In theory, it should be somewhat tricky to compromise those accounts – it wouldn’t really help Twitter if their theoretically appealing verified accounts were firing out Viagra spam all day long. Brand reputation and all that. And yet…in the space of a few hours last week, we had multiple verified users hitting the 'I’ve been compromised' wall of doom and gloom... 'rogue tweets' were, in theory, being sent to a combined audience of around 200,000+ people which could have been disastrous if the links had contained malicious files. Thankfully, these links were “just” porn spam and sunglasses, but the danger for something much worse is always present where a compromise is concerned. People trust the verified ticks in the same way they probably let their guard down around sponsored tweets, and in both cases a little trust can be a bad thing... scammers are doing it, always pay attention when your favorites start firing out URLs. Links are meant to be clicked, but that doesn’t mean we have to leap before looking – Twitter works best with shortened URLs, but you can usually see where they lead:
> https://blog.malware...ink-taking-you/
Whether you’re verified or not, keep your wits about you and have a hopefully stress free experience on that most popular of social networks."
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 19 January 2017 - 01:38 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1886 AplusWebMaster

Posted 20 January 2017 - 05:41 AM

FYI...

Fake 'Western Union' SPAM - delivers java Adwind/Jacksbot
- https://myonlinesecu...dwind-jacksbot/
20 Jan 2017 - "... -fake- financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE:
> https://myonlinesecu.../?s=java adwind
The email looks like:
From: WU-IT Department <csc.it.westernunion@ gmail .com>
Date: Fri 20/01/2017 02:02
Subject: WUPOS Agent Portal Upgrade For All Agents
Attachment: Update Manual & Agent Certificate .pdf
    Dear All,
    Western Union ,IT Department  data is posting upgrade for new version of WUPOS.Please  download attachment by clicking the link.as seen below, run the file and go ahead of checking western union intermediate screen
    Before doing that please read directives in attachments then map the Western Union user ID in the Symex application and proceed. Please let me know if you face any issue. Thanks & Regards, IT Department Western Union Internet United Kingdom PO Box 8252 London United Kingdom W6 0BX..."


Screenshot: https://myonlinesecu...gents-email.png

The attached PDF looks like:
> https://myonlinesecu...1/wupos_pdf.png

The link-in-the-PDF is to http ://phrantceena .com/wp-content/plugins/Update%20Manual%20&%20Agent%20Certificate%20.zip which will give you -2- identical (although named differently) java.jar files. Agent certificate & branch details..jar and Wupos manual and update file..jar ..

20 January 2017: Agent certificate & branch details..jar (323kb) Current Virus total detections 26/55*
Payload Security **... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1484897128/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
83.243.41.200

phrantceena .com: 66.147.244.127: https://www.virustot...27/information/
 

:ph34r: :ph34r:   <_<




#1887 AplusWebMaster

Posted 21 January 2017 - 09:55 AM

FYI...

Sage 2.0 ransomware
- https://isc.sans.edu...l?storyid=21959
2017-01-21 - "On Friday 2017-01-20, I checked a malicious spam (malspam) campaign that normally distributes Cerber ransomware. That Friday it delivered ransomware I'd never seen before called 'Sage'. More specifically, it was 'Sage 2.0'... Sage is yet another family of ransomware in an already crowded field.  It was noted on BleepingComputer forums back in December 2016 [1, 2]...
1] https://www.bleeping...extension-sage/

2] https://www.bleeping...ort-help-topic/

... Emails from this particular campaign generally have -no- subject lines, and they always have -no- message text. The only content is a zip attachment containing a Word document with a malicious macro that downloads and installs ransomware. Sometimes, I'll see a .js file instead of a Word document, but it does the same thing... attachments are often double-zipped. They contain -another- zip archive before you get to the Word document or .js file...
Example of a Word document with a malicious macro:
> https://isc.sans.edu...ry-image-05.jpg
Another example of the Word document with a malicious macro:
> https://isc.sans.edu...ry-image-06.jpg
The Word document macros or .js files are designed to download and install ransomware. In most cases on Friday, the ransomware was Sage 2.0... Under default settings, an infected Windows 7 host will present a UAC window before Sage continues any further. It keeps appearing until you click 'yes':
UAC pop-up caused by Sage: https://isc.sans.edu...ry-image-12.jpg
The infected Windows host has an image of the decryption instructions as the desktop background.  There's also an HTML file with the same instructions dropped to the desktop. The same HTML file is also dropped to any directory with encrypted files. ".sage" is the suffix for all encrypted files:
Desktop of an infected Windows host: https://isc.sans.edu...ry-image-13.jpg
... Following the decryption instructions should take you to a Tor-based domain with a decryptor screen.  On Friday, the cost to decrypt the files was $2,000 US dollars (or 2.22188 bitcoin):
The Sage 2.0 decryptor: https://isc.sans.edu...ry-image-15.jpg
... When the callback domains for Sage didn't resolve in DNS, the infected host sent UDP packets to over 7,000 IP addresses...
Below are IOCs for Sage 2.0 from Friday 2017-01-20:
Ransomware downloads caused by Word document macros or .js files:
    54.165.109.229 port 80 - smoeroota .top - GET /read.php?f=0.dat
    54.165.109.229 port 80 - newfoodas .top - GET /read.php?f=0.dat
    84.200.34.99 port 80 - fortycooola .top - GET /user.php?f=0.dat
Post-infection traffic:
    54.146.39.22 port 80 - mbfce24rgn65bx3g .er29sl .in - POST /
    66.23.246.239 port 80 - mbfce24rgn65bx3g .er29sl .in - POST /
    mbfce24rgn65bx3g .rzunt3u2 .com (DNS queries did not resolve)
    Various IP addresses, UDP port 13655 - possible P2P traffic...
... not sure how widely-distributed Sage ransomware is. I've only seen it from this one malspam campaign, and I've only seen it one day so far. I'm also not sure how effective this particular campaign is. It seems these emails can easily be -blocked- so few end users may have actually seen Sage 2.0. Still, Sage is another name in the wide variety of existing ransomware families. This illustrates how profitable ransomware remains for cyber criminals..."
(More detail at the isc URL at the top of this post.)
 

:ph34r: :ph34r:   <_<


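Added example (not code from the ISC diary or from this post): a small Python script that checks the Sage 2.0 indicators quoted above against constructed proxy-log lines and flow records. The hostnames have had their defanging spaces removed; the log lines, the flow records, the 50-destination fan-out threshold for the UDP-spray behaviour and the "low confidence" rule for a matching URI on an unlisted host are this example's own assumptions.

```python
"""Added example: match the Sage 2.0 IOCs quoted in the post against logs.

Not code from the ISC diary or this forum post. Indicator values come from
the post (defang spaces removed); the log lines, flow records and thresholds
are constructed for the example.
"""
import re
from collections import defaultdict

# Download stage: GET /read.php?f=0.dat or /user.php?f=0.dat from .top hosts
SAGE_DOWNLOAD_HOSTS = {"smoeroota.top", "newfoodas.top", "fortycooola.top"}
SAGE_DOWNLOAD_PATH = re.compile(r"^/(read|user)\.php\?f=\d+\.dat$")
# Post-infection stage: POST / to the callback domains
SAGE_C2_HOSTS = {"mbfce24rgn65bx3g.er29sl.in", "mbfce24rgn65bx3g.rzunt3u2.com"}
# Fallback when DNS fails: UDP to thousands of hosts on this port
SAGE_P2P_PORT = 13655
# Assumption: 50 distinct destinations is treated as a spray; tune locally.
UDP_FANOUT_THRESHOLD = 50

# Constructed proxy log, one record per line: "src_ip method host path"
PROXY_LOG = """\
10.0.0.5 GET smoeroota.top /read.php?f=0.dat
10.0.0.5 POST mbfce24rgn65bx3g.er29sl.in /
10.0.0.7 GET www.example.com /index.html
10.0.0.9 GET fortycooola.top /user.php?f=0.dat
10.0.0.9 GET cdn.example.net /read.php?f=0.dat
"""

# Constructed flow records: (src_ip, dst_ip, proto, dst_port). 10.0.0.5
# sprays 79 distinct hosts on 13655; 10.0.0.7 only does ordinary DNS.
FLOWS = [("10.0.0.5", f"198.51.100.{i}", "udp", SAGE_P2P_PORT) for i in range(1, 80)]
FLOWS += [("10.0.0.7", "192.0.2.53", "udp", 53), ("10.0.0.7", "192.0.2.54", "udp", 53)]


def match_proxy_line(line):
    """Return a finding for one proxy record, or None if it is clean."""
    src, method, host, path = line.split()
    host = host.lower().rstrip(".")
    if host in SAGE_DOWNLOAD_HOSTS and method == "GET" and SAGE_DOWNLOAD_PATH.match(path):
        return f"{src}: Sage payload download from {host}{path}"
    if host in SAGE_C2_HOSTS and method == "POST":
        return f"{src}: Sage post-infection POST to {host}"
    if SAGE_DOWNLOAD_PATH.match(path):
        # The URI pattern alone is weaker evidence: the download hosts rotate.
        return f"{src}: Sage-like path {path} on unlisted host {host} (low confidence)"
    return None


def scan_proxy_log(text):
    """All findings for a proxy log, in log order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            hit = match_proxy_line(line)
            if hit:
                findings.append(hit)
    return findings


def udp_fanout(flows, port=SAGE_P2P_PORT, threshold=UDP_FANOUT_THRESHOLD):
    """Map src_ip -> number of distinct UDP destinations on `port`, for sources at or over threshold."""
    dsts = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "udp" and dport == port:
            dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items() if len(d) >= threshold}


if __name__ == "__main__":
    for finding in scan_proxy_log(PROXY_LOG):
        print(finding)
    print("UDP spray sources:", udp_fanout(FLOWS))
```

The host-plus-path match is the high-confidence rule; the path-only rule is kept separate because the diary notes the download domains change while the `/read.php?f=0.dat` shape stayed constant across them. The UDP check is behavioural rather than indicator-based, which is what you need when, as the diary describes, the callback domains do not resolve at all.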


#1888 AplusWebMaster

Posted 23 January 2017 - 08:34 AM

FYI...

Fake 'Tiket alert' SPAM - delivers Locky
- https://myonlinesecu...cky-ransomware/
23 Jan 2017 - "An email spoofing the FBI with the subject of 'Tiket alert 331328222' pretending to come from random senders with a malicious word doc downloads locky ransomware... The email looks like:
From: Ngoc Trane <dpeupyl0386@ eiv .cl>
Date:  Mon 23/01/2017 13:14
Subject: Tiket alert 331328222
Attachment: information.doc
    From:   FBI service [dpeupyl0386@ fbi .com]
    Date:   Mon, 23 Jan 2017 14:14:09 +0100
    Subject:   Tiket alert
    Look at the attached file for more information.
    Assistant Vice President, FBI service
    Management Corporation


23 January 2017: information.doc - Current Virus total detections 5/54*
Payload Security** shows a download from http ://unwelcomeaz .top/2/56.exe (VirusTotal 3/56***).
Payload Security[4]. Last week this site[1] was delivering Locky ransomware, which is continuing today. It also looks like this Locky version is trying to download & install opera browser as well... The actual 56.exe pretends to be an adobe flash player 13 file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://myonlinesecu...cky-ransomware/

* https://www.virustot...sis/1485177870/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1485178446/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
46.17.40.234
52.88.7.60
54.240.162.210
35.161.88.115
91.198.174.192
91.198.174.208


unwelcomeaz .top: 35.164.68.81: https://www.virustot...81/information/
> https://www.virustot...0c689/analysis/
154.16.247.115: https://www.virustot...15/information/
> https://www.virustot...0c689/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 24 January 2017 - 04:53 AM.



#1889 AplusWebMaster

Posted 24 January 2017 - 05:24 AM

FYI...

Fake 'Refund Unsuccessful' SPAM - delivers Locky
- https://myonlinesecu...delivers-locky/
24 Jan 2017 - "... an email with the subject of 'Refund Unsuccessful 03246113' (random numbers) pretending to come from random companies, names and email addresses with a word doc attachment in the format of which delivers Locky ransomware... The email looks like:
From: Stefania Collyer <heg64423837@ zinchospitality .com>
Date: Tue 24/01/2017 01:53
Subject:  Refund Unsuccessful  03246113
Attachment:  information.doc
    Your order has been cancelled, however we are not able to proceed with the
    refund of $ 1371.48
    All the information on your case 527312277 is listed in the document below.


Locky binary (virustotal 24/55*)
Macro (VirusTotal 26/55**)
Antivirus detections on these are still terrible, 24 hours after being submitted... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485240808/

** https://www.virustot...d001e/analysis/
___

Fake 'DHL Shipment' SPAM - delivers Cerber
- https://myonlinesecu...ber-ransomware/
24 Jan 2017 - "... an email with the subject of 'DHL Shipment Notification: 6349701436' pretending to come from DHL Customer Support <support@ dhl .com> delivers Cerber ransomware...

Screenshot: https://myonlinesecu...otification.png

There are several different named attachments with this campaign. _Dhl_expr. DATE20170120.zip   -EXPRESS -Date20170120.zip and probably other variants.
All extract to the same named .js file: Pickup – DOMESTIC EXPRESS-Date,23 Jan 17.pdf.js...

9 January 2017: P_rek.zip: Extracts to: Pickup – DOMESTIC EXPRESS-Date,23 Jan 17.pdf.js
Current Virus total detections 9/54*. Payload Security** shows a download from
 http ://bonetlozano .com/kvst.exe (VirusTotal 7/56***) which from the network noise looks like Cerber ransomware, although neither Payload Security nor any Antivirus on Virus total detect it as Cerber... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485239971/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (695)

*** https://www.virustot...sis/1485168150/

bonetlozano .com: 217.76.130.248: https://www.virustot...48/information/
> https://www.virustot...2865c/analysis/
___

Fake 'Online-Shop' SPAM - delivers malware
- https://myonlinesecu...lspam-delivers/
24 Jan 2017 - "... email with the subject of 'Bestellung Online-Shop Auftr.Nr 02132596' (random numbers) coming or pretending to come from random companies, names and email addresses zip attachment containing a very heavily obfuscated JavaScript file which delivers an unknown malware... One of the emails looks like:
From: waldemar.wysocki@ gmx .de
Date: Tue 24/01/2017 10:53
Subject: Bestellung Online-Shop Auftr.Nr 02132596
Attachment: ea00ba32a5.zip
    Bestellung Nr.: 02132596 Datum: 24.01.2017


24 January 2017: -Bestellpositionen[alle Preise in EUR].zip: Extracts to: -Bestellpositionen[alle Preise in EUR].pdf.js - Current Virus total detections 1/55*
Payload Security** shows a download from volleymultdom .biz/fsgdhyrer6cdve8rv7hdsvkekvhbsdjh/cfhr.exe (VirusTotal 7/57***)... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485255695/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
162.144.125.170
212.2.153.190


*** https://www.virustot...c1684/analysis/

volleymultdom .biz: 162.144.125.170: https://www.virustot...70/information/
___

Fake 'Final payment' SPAM - delivers malware
- https://myonlinesecu...nknown-malware/
24 Jan 2017 - "... common email template pretending to come from HMRC, threatening enforcement action to recover unpaid tax... Update: being told this is Zurgop and Zbot spy...

Screenshot: https://myonlinesecu...ent-request.png

24 January 2017: Statement of Liabilities_7.doc - Current Virus total detections 3/54*
Payload Security** shows a download from http ://sergiosuarezgil .com/adobe_upd7.exe (VirusTotal 4/56***)
Payload Security[4].. nothing gives any real clue what it is or what it does... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485264589/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
198.20.102.131

*** https://www.virustot...sis/1485260445/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
23.63.140.108
193.104.215.58
185.162.9.59
212.227.91.231
104.87.224.175
82.192.75.161
37.252.227.51
178.77.120.104
169.50.71.245


sergiosuarezgil .com: 198.20.102.131: https://www.virustot...31/information/
> https://www.virustot...efedc/analysis/
6/64

email return URL: hmrcgsigov .org: 93.190.140.136: https://www.virustot...36/information/
Country - NL << Fraud
___

Android malware returns, gets >2M downloads on Google Play
- http://arstechnica.c...on-google-play/
1/23/2017 - "A virulent family of malware that infected more than 10 million Android devices last year has made a comeback, this time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users. HummingWhale, as the professionally developed malware has been dubbed, is a variant of HummingBad, the name given to a family of malicious apps researchers documented in July invading non-Google app markets. HummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the malware root privileges in older versions of Android. Before Google shut it down, it installed more than 50,000 fraudulent apps each day, displayed 20 million malicious advertisements, and generated more than $300,000 per month in revenue..."
> http://blog.checkpoi...ingbad-returns/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 24 January 2017 - 12:58 PM.



#1890 AplusWebMaster

Posted 25 January 2017 - 04:32 AM

FYI...

Fake 'DHL' SPAM - delivers banking Trojan
- https://myonlinesecu...banking-trojan/
25 Jan 2017 - "... an email with the subject of 'DHL prepared commercial invoice 9500238176 902694287308' (random numbers) pretending to come from ebillingcmf.td@ DHL .COM that delivers ursnif banking Trojan... One of the emails looks like:
From: ebillingcmf.td@ DHL .COM
Date: Wed 25/01/2017 07:49
Subject: DHL prepared commercial invoice 9500238176 902694287308
Attachment: Commercial.Form.25.01.2017.CVS.zip
    Attached notice amount customs charges
    Dear Customer,
    Attached your invoice in PDF format, dated 25/01/2017 and csv files for shipments and services provided by DHL Express.
    You can also display the details of his account and the historical invoices online.
    In case of substantial problems in the Annex, contact support at: support@dhl.com
    We expect to receive payment within the prescribed period, as indicated on the invoice.
    We send our thanks for having taken advantage of DHL Express services.
    Best regards,
    DHL Express


25 January 2017: Commercial.Form.25.01.2017.CVS.zip: Extracts to: Commercial.Form.25.01.2017.CVS.wsf
Current Virus total detections 7/54*. Payload Security** shows a download of an encrypted file from
 http :// www .cp4 .de/cp4/2401.exe ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485330508/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (16)
81.169.145.165
192.229.221.24
195.93.42.3
195.93.42.2
217.79.188.60
207.200.74.133
217.79.188.46
37.157.6.252
172.227.147.7
152.163.56.3
217.79.188.60
64.12.235.98
151.101.192.249
107.22.179.226
104.94.37.243
104.74.100.205

___

Sage 2 ransomware - spreading in UK via malspam emails
- https://myonlinesecu...malspam-emails/
25 Jan 2017 - "... new entry to the market. Sage 2.0 ransomware. They are using the same basic email template telling you the order was cancelled but cannot give a refund. There are also 'ACH Blocked transaction' emails also spreading the same sage 2.0 ransomware. The security community has been warning about Sage2.0 ransomware for a few days now, but today is the first day we have seen malspam emails targeting UK users. All the emails so far received have contained the same zip file containing a very heavily encoded/obfuscated javascript file document_1.zip - there also appear to be 2 other files with no names inside the zip that don’t automatically  extract and are probably there as padding or left over artefacts. They just appear to contain a list of txt characters, possibly a tracking identity or even the decryption key. I am attaching a couple of different document_1.zip versions to a zip file for researchers to look at P/W ”infected”
25 jan_sage2 zip. Some subjects seen include:
'    Refund Unsuccessful  26485806 ( random numbers)
    Blocked Transaction. Case No 15120544 ( random numbers)
    Re:
    Fw: '

One of the emails looks like:
Body content with 'Refund Unsuccessful' or 'FW' and 'RE:'
    Your order has been cancelled, however we are not able to proceed with the
    refund of $ 1460.01
    All the information on your case 652661070 is listed in the document below.

Body content with 'Blocked Transaction'. 'Case No nnnn'
    The Automated Clearing House transaction (ID: 085112046), recently initiated
    from your online banking account, was rejected by the other financial
    institution.
    Canceled ACH transaction
    ACH file Case ID     07677730
    Transaction Amount     1436.17 USD
    Sender e-mail     obqeygua57341@ scaledagile .com
    Reason of Termination     See attached statement


25 January 2017: document_1.zip: Extracts to: doc_details_jOiqRJ.js - Current Virus total detections 7/54*
Payload Security** doesn’t show any download or file action, but the VT comments by @techhelplist[3] shows a download of sage 2.0 from http ://affections .top/ff/55.exe (VirusTotal 9/56[4]). Payload Security[5]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1485324653/

** https://www.hybrid-a...vironmentId=100

3] https://twitter.com/...053746829291520

4] https://www.virustot...sis/1485304233/

5] https://www.hybrid-a...vironmentId=100
54.149.186.25: https://www.virustot...25/information/
> https://www.virustot...509d1/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 25 January 2017 - 05:18 AM.

