
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1906 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 27 February 2017 - 06:56 AM

FYI...

Fake 'XpressMoney' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
27 Feb 2017 - "We continue to be plagued daily by fake financial themed emails containing java adwind or Java Jacksbot attachments. I have previously mentioned many of these HERE[1]...
1] https://myonlinesecu.../?s=java adwind
This appears to be a newish Java Adwind version in this email... The email looks like:
From: XM.accounts@ xpressmoney .com <aproc@ xpressmoney .com>
Date: Mon 27/02/2017 00:56
Subject: Fwd: Reference: Xpress Money compliant report
Attachment: Details.zip
    Dear Agent,
    The attached Compliant report was issued on Thursday online by a customer about you. We will need your feedback as soon as possible before 24hours or your terminal will be blocked.
    Regards
    Nasir Usuman
    Regional Compliance Manager Pakistan & Afghanistan
    Global Compliance, Xpress Money ...


Email Headers: I have received -alot- of these early this morning in 2 waves. They are coming from 2 IP numbers/servers:
60.249.230.30: https://www.virustot...30/information/
Country: TW
83.243.41.200: https://www.virustot...00/information/
Country: DE
70.32.90.96: https://www.virustot...96/information/
Country: US
83.243.41.200: https://www.virustot...00/information/
Country: DE

hinet.net: Could not find an IP address for this domain name...

27 February 2017: REF.XPIN 742352XXXXXXXXX.jar (333kb) -  Current Virus total detections 13/57*
Payload Security** ... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1488178107/

** https://www.hybrid-a...vironmentId=100
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 27 February 2017 - 02:37 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#1907 AplusWebMaster


Posted 02 March 2017 - 07:02 AM

FYI...

Fake 'debit card' – Phish
- https://myonlinesecu...twest-phishing/
2 Mar 2017 - "... many email clients, especially on a mobile phone or tablet, only show the NatWest and not the bit in <xxxx>. This one has a HTML page attachment, not even a link to the phishing site in the email body. The attachment has the -link- which goes to:
 http ://www .immosouverain .be/css/supst.html which -redirects- you to the actual phishing site:
 http ://planurday .in/css/WaL0eHW/4!@_1.php?s0=;87d929c328f8c62a231c1cc95057fb7087d929c328f8c62a231c1cc95057fb70

Screenshot: https://myonlinesecu...ons-NatWest.png

All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email..."

immosouverain .be: 5.135.218.101: https://www.virustot...01/information/

planurday .in: 78.142.63.63: https://www.virustot...63/information/
 

:ph34r: :ph34r:   <_<




#1908 AplusWebMaster


Posted 03 March 2017 - 10:49 AM

FYI...

'Free' AV coupon leads to tech support scam
- https://blog.malware...h-support-scam/
Mar 3, 2017  - "... This scheme is actually hosted on the same domain that was running the fake Windows support we described before and our assumption is that users are -redirected- to this coupon page via a similar malvertising campaign. It plays on special offers, discounts and time-limited deals to entice you to claim your product now, choosing between Norton or McAfee. After filling in your personal details (which are actually sent off to the crooks), a page simulates the offer being processed only to fail with an error message. Victims are misled into thinking that their offer was redeemed, but that they -must- perform a final call to get it completed... This is where the tech support scam comes in. Once you call that number, you are routed to an Indian boiler room where one of many agents will take remote control of your computer to figure out what went wrong. (Un)shockingly, the -bogus- technician will identify severe problems that need an immediate fix... Despite the scam being about Norton, the technician brushes it off as useless when it comes to the real deal: "Junk is a kind of virus which is the most harmful virus". With his technical expertise, he proceeds to highly recommend the most expensive plan, for a lifetime low price of $400. Of course, there is nothing there, it's a pure rip-off where once they have your money, they couldn't care less about helping you out (for a problem you didn't have in the first place anyway)... There are other scam domains also hosted on this IP (166.62.1.15)... Instantpccare .com is familiar and related to a previous investigation* where the owner of that tech support company incriminated himself by posting a comment on our blog which shared the same IP address as the remote technician who had just scammed us. As always, please stay vigilant online when you see 'free coupons' or other similar offers. They often are the gateway to a whole of trouble..."
* https://blog.malware...pport-scammers/

> https://blog.malware...-support-scams/

166.62.1.15: https://www.virustot...15/information/

Related:
166.62.1.1: https://www.virustot....1/information/
___

Fake 'IRS Urgent' SPAM - delivers ransomware
- https://myonlinesecu...ers-ransomware/
3 Mar 2017 - "... an email with the subject of 'IRS Urgent Notification' pretending to come from Dick Richardson who pretends to be an IRS Tax Officer. I have seen dozens of these and they all come from random email addresses. Dick Richardson changes his job in different emails. Sometimes he is a tax officer or a Tax Specialist or Tax department manager as well as an official representative...
Update: I am reliably informed[1] this is Shade/Troldesh ransomware...
1] https://id-ransomwar...ea894b2e24d5e47
Other subjects include:
    Realty Tax Arrears – IRS
    Please Note – IRS Urgent Message
    IRS Urgent Message
    Overdue on Realty Tax ...


One of the emails looks like:
From: Dick Richardson <electric@ oceanicresources .co.uk>
Date: Thu 01/09/2016 19:22
Subject: IRS Urgent Notification
Attachment: link-in-email
    Dear Citizen,
    My name is Dick Richardson, I am the official representative of the Internal Revenue Service, Realty Tax Department.
    My office is responsible for notification of citizens, description of the tax system for them, supporting citizens on issues related to tax procedures, arrears, and payments, etc.
    In the present case, I have to notify you that you have the considerable tax arrears pertaining to your property. More specifically, there is the tax debt for your realty – the realty tax. Generally, we make no actions in case of such delays for 4-6 months, but in your context, the overdue period comes to 7 months. Thereby, we must take relevant measures to remedy the situation.
    Particularly for your convenience, our specialists have made the full and comprehensive report for you. It contains the full information regarding realty tax accrual, your debt (including the total amount), and the chart of overdue payments for each month of the arrears period.
    Please download the report directly from the official server of the IRS, going to the link:
     http ://radiotunes .co.uk/wp-content/plugins/simple-social-icons/index0.html
    Please study the document at the earliest possible moment. Actually, after receiving this message, you have only 1 day to contact your taxmanager and provide them with the information you get in the report in order to resolve the problem. Differently, significant charges and fines may apply.
    Best Regards,
    Dick Richardson,
    Realty Tax Division
    Internal Revenue Service ...


Realty.tax.division.xls.zip: Extracts to: Realty.tax.division.xls.js -  Current Virus total detections 5/56*
Payload Security**  shows a download from
  www .metropolisbangkok .com/assets/70958ae0/fonts/gcdf/templates/winscr.exe (VirusTotal 14/58***)...
There are loads of -other- sites in the body of alternative emails downloading the .js file...
The basic rule is NEVER open any attachment -or- link-in-an-email, unless you are expecting it..."
* https://www.virustot...sis/1488549054/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (15)

*** https://www.virustot...4efab/analysis/

radiotunes .co.uk: 192.138.189.151: https://www.virustot...51/information/
> https://www.virustot...cf70f/analysis/

metropolisbangkok .com: 27.254.96.21: https://www.virustot...21/information/
> https://www.virustot...833c2/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 03 March 2017 - 04:09 PM.



#1909 AplusWebMaster


Posted 05 March 2017 - 04:16 PM

FYI...

Fake UPS, USPS, FedEx SPAM - deliver Cerber ransomware
- https://myonlinesecu...parcel-malspam/
4 Mar 2017 - "...  we are noticing that the 2 different malspammed versions of spoofed/faked 'UPS, USPS, FedEx failed to deliver your parcel' malspam are now distributing Cerber ransomware instead of Locky or Sage 2 along with Kovter... I am continuing to document the 2 versions... changes and different sites used to distribute them: HERE[a] and HERE[b]...
a] https://myonlinesecu...nd-locky-sites/

b] https://myonlinesecu...ltiple-malware/

The subjects all mention something about 'failing to deliver parcels' and includes:
    Courier was not able to deliver your parcel (ID0000333437, FedEx)
    Our UPS courier can not contact you (parcel #4633881)
    USPS issue #06914074: unable to delivery parcel
    Parcel #006514814 shipment problem, please review
    USPS parcel #3150281 delivery problem
    Courier was not able to deliver your parcel (ID006976677, USPS)
    Parcel 05836911 delivery notification, USPS
    New status of your UPS delivery (code: 6622630)
    Please recheck your delivery address (UPS parcel 004360910)
    Status of your USPS delivery ID: 158347377
    FedEx Parcel: 1st Attempt Unsuccessful
    Delivery Unsuccessful, Reason: No Answer
    Express FedEx Parcel #614617064, Current Status: Delivery Failed

 ... basically identical in the body of the email (the delivery service changes and switches between FedEx, UPS, USPS) ... The attachment is a zip file with a second zip inside it that extracts to a .js file. These have names like UPS-Parcel-ID-4633881.zip that extracts to UPS-Parcel-ID-4633881.doc.zip that extracts to UPS-Parcel-ID-4633881.doc.js...

Screenshot: https://myonlinesecu...s_v1_cerber.png

... Examples of this version VirusTotal [1-4/56] [2-15/59] [3-7/59] Payload Security [4] [5] [6]...

Currently the format is < site from array.top >/counter/?< variable m> where m is a long set of random looking characters hard coded in the js file, and the actual download comes from site name.top /counter/exe1.exe. Yesterday was Cerber. VirusTotal [7-3/55] [8-17/59]. Payload Security[9] and /counter/exe2.exe delivers Kovter (VirusTotal 10-10/59). Currently at the time of writing all the .top sites I have listed are down and not responding. As soon as the new set of emails arrive, I will post images of them with any changes."
1] https://www.virustot...sis/1488613659/
UPS-Parcel-ID-4633881.doc.js

2] https://www.virustot...sis/1488609050/
5d3fa709e29d.png

3] https://www.virustot...sis/1488609063/
fe3be7902ac8.png

4] https://www.hybrid-a...vironmentId=100
UPS-Parcel-ID-4633881.doc.js
Contacted Hosts (1234)

5] https://www.hybrid-a...vironmentId=100
fe3be7902ac8.png
Contacted Hosts (1088)

6] https://www.hybrid-a...vironmentId=100
5d3fa709e29d.png
Contacted Hosts (382)

7] https://www.virustot...sis/1488510919/
Delivery-Details.js

8] https://www.virustot...8b651/analysis/
carved_1.exe

9] https://www.hybrid-a...vironmentId=100
Contacted Hosts (1240)

10] https://www.virustot...sis/1488526482/
exe2[1].exe
 

:ph34r: :ph34r:   <_<


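The post above describes the attachment chain UPS-Parcel-ID-4633881.zip -> UPS-Parcel-ID-4633881.doc.zip -> UPS-Parcel-ID-4633881.doc.js. Here is an added example (my own code, not from the post or from myonlinesecurity.co.uk) of how a mail gateway or triage script can catch that pattern without opening anything: walk the zip, recurse into any zip inside it, and flag script extensions hidden behind a document extension. The archive it scans is built in memory with the same file names but an inert one-line comment instead of the real script.

```python
"""Triage an e-mail attachment for the nested-zip / double-extension trick.

Added example, not code from the original post. The sample archive is
constructed in memory; only the file names mimic the real attachment.
"""
import io
import zipfile

# Extensions Windows hands to WScript/cmd when double-clicked.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}
# Extensions a user expects to open as a harmless document or picture.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAX_DEPTH = 4  # stop recursing into endless nesting / zip bombs


def _exts(name):
    """Lower-case extension chain of a file name, e.g. ['.doc', '.js']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_zip(data, depth=0, path=""):
    """Walk a zip (and zips inside it); return a list of (member_path, reason) findings."""
    if depth > MAX_DEPTH:
        return [(path, "nesting deeper than %d levels" % MAX_DEPTH)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "not a valid zip file")]
    findings = []
    for info in zf.infolist():
        member = path + "/" + info.filename if path else info.filename
        exts = _exts(info.filename)
        if not exts:
            continue
        last = exts[-1]
        if last == ".zip":
            findings.append((member, "nested archive at depth %d" % (depth + 1)))
            findings.extend(triage_zip(zf.read(info), depth + 1, member))
        elif last in SCRIPT_EXTENSIONS:
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                findings.append((member, "script disguised with double extension %s" % "".join(exts[-2:])))
            else:
                findings.append((member, "executable script attachment (%s)" % last))
    return findings


def build_sample():
    """Constructed zip -> .doc.zip -> .doc.js chain with inert contents."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("UPS-Parcel-ID-4633881.doc.js", "// constructed placeholder, not the real script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("UPS-Parcel-ID-4633881.doc.zip", inner.getvalue())
    return outer.getvalue()


def build_clean_sample():
    """A plain archive holding an ordinary document, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.pdf", "%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in triage_zip(build_sample()):
        print("FLAG %s: %s" % (member, reason))
    print("clean sample findings:", triage_zip(build_clean_sample()))
```

The depth cap matters in practice: the same gangs have shipped triple-nested archives, and a filter that only looks one level deep is what the .doc.zip layer is designed to slip past.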


#1910 AplusWebMaster


Posted 06 March 2017 - 03:33 PM

FYI...

Fake 'DVLA' SPAM - delivers Trojan
- https://myonlinesecu...banking-trojan/
6 Mar 2017 - "Following on from recent parking, speeding and companies investigations malspam delivering ursnif banking Trojan, today's example spoofs the DVLA and pretends to be a warning that you will be fined if you don't report the change of keeper. They use email addresses and subjects that will scare, persuade or entice a user to read the email and open the attachment -or- follow the links-in-the-email... Following the link-in-the-email you get sent via a passthrough/redirect site where you eventually land on the fake/spoofed DVLA site...

Screenshot: https://myonlinesecu...nal-Warning.png

Case_10133-4.js - Current Virus total detections 5/56*. Payload Security** shows a download from
 http ://djphanton .de/Tatjanapolinski/wp-admin/network/MEJMhJDp/cs.pdf which is -not- a pdf but a renamed .exe file (VirusTotal 36/58***)... The basic rule is NEVER open any attachment -or- click-on-a-link in an email, unless you are expecting it..."
* https://www.virustot...sis/1488549054/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
27.254.96.21
128.31.0.39
193.23.244.244
212.51.143.20
51.254.112.52
95.215.61.4
195.154.97.160
178.62.43.5
178.33.107.109
104.200.16.227
195.169.125.226
217.79.178.60
213.197.22.124
85.214.115.214


*** https://www.virustot...4efab/analysis/

djphanton .de: 85.214.35.155: https://www.virustot...55/information/
> https://www.virustot...0bc39/analysis/
 

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 07 March 2017 - 06:14 AM.



#1911 AplusWebMaster


Posted 07 March 2017 - 07:34 AM

FYI...

Fake 'BENEFICIARY' SPAM - delivers java malware
- https://myonlinesecu...rs-java-adwind/
7 Mar 2017 - "... plagued daily by -fake- financial themed emails containing java adwind or Java Jacksbot attachments... we are seeing 2 slightly different delivery methods today both spoofing Orient Exchange Co. (L.L.C.)...
The 1st email looks like:
From: a.bouazza@ bkam .ma
Date: Tue 07/03/2017 09:34
Subject: BENEFICIARY REMITTANCE CONFIRMATION
Attachment: BENFICIARY REMITTANCE CONFIRMATION.zip
Body content:
    Dear agent,
    Please kindly Confirm the status of this transaction.
    The remitter demands for the payment record, because the beneficiary has
    filed a complaint against your remitting outlet.
    So Please kindly check the attached complaint form and reference of
    transaction if it was paid, Please report to us with receipt of
    transaction to clear your name.
    Thanking You,
    Orient Exchange Co. (L.L.C.)...


Version 1 (the attached zip): BENFICIARY REMITTANCE CONFIRMATION.jar (274kb) is using a 1 week old version of java adwind Trojan Current Virus total detections 14/57*: Payload Security** ...

The second version is slightly more devious and has a genuine PDF attachment that contains-a-link to dropbox
 ( https ://www.dropbox .com/s/jws0fszxa48c3sx/COMPLAIN%20OF%20UNPAID%20REMITTANCE.zip?dl=0) to download the zip file that contains 2 different copies of the java jar files...

Screenshot: https://myonlinesecu...dropbox-pdf.png

Version 2 (the dropbox) contains 2 identical java.jar files
 BENEFICIARY COMPLAINT FORM FILED AGAINST YOUR BRANCH.jar -and-
 CONFIRMATION AND REFRENCE OF THIS TRANSACTION NEEDED.jar (323kb) VirusTotal 25/56*** | Payload Security[4]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1488354204/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1488888491/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
83.243.41.200: https://www.virustot...00/information/
> https://www.virustot...dc1d0/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 07 March 2017 - 08:06 AM.



#1912 AplusWebMaster


Posted 08 March 2017 - 09:35 AM

FYI...

Fake 'invoice' SPAM - delivers malware
- https://myonlinesecu...banking-trojan/
8 Mar 2017 - "An email with the subject of 'copy invoice 581652' pretending to come from Wes gatewood <Wes@ onehotcookiefranchise .com> with a malicious word doc attachment delivers what looks like Dridex banking Trojan... The email looks like:
From: Wes gatewood <Wes@ onehotcookiefranchise .com>
Date: Wed 08/03/2017 12:47
Subject: copy invoice 581652
Attachment: inv-0928(copy).doc
    Hi,
    Please see attached copy invoice 581652
    Wes gatewood
    Direct Tel: 01787 658153
    Fax: 01787 658153 ...


inv-0928(copy).doc - Current Virus total detections 5/57*: Payload Security** shows a download from  http ://birchwoodplaza .com/54gf3f (VirusTotal 9/59***) which I am guessing is Dridex... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1488977021/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
72.167.131.153
107.170.0.14
37.120.172.171
81.12.229.190


*** https://www.virustot...sis/1488970720/

birchwoodplaza .com: 72.167.131.153: https://www.virustot...53/information/
> https://www.virustot...b61cf/analysis/
 

:ph34r: :ph34r:   <_<




#1913 AplusWebMaster


Posted 13 March 2017 - 11:31 AM

FYI...

Fake 'Receipt' SPAM - delivers Trojan
- https://myonlinesecu...roved-purchase/
13 Mar 2017 - "... a password protected docx file as the malware attachment, spoofing https ://www.eway .com.au/ a well known Australian Credit card Payment/processing  service. Without entering the password you cannot see the content of the word doc and that will -allow- it past antivirus checks...  an email with the subject of 'Receipt of APPROVED purchase' pretending to come from customer@ ewaystore .info with a malicious word doc or Excel XLS spreadsheet attachment delivers what looks like some sort of Zeus/Zbot/ Panda banking Trojan... However ewaystore .info was registered on 12 March 2017 by criminals:
- https://whois.domain.../ewaystore.info

Screenshot: https://myonlinesecu...oofed-email.png

The word doc looks like:
- https://myonlinesecu...us-word-doc.png

... Other subjects in this series seen so far include, some with and some without various numbers of exclamation marks:
    Receipt of APPROVED payment!
    Receipt of APPROVED purchase!
    Receipt of APPROVED purchase
    Receipt of APPROVED purchase at eWAY!!
    Receipt of APPROVED purchase!! ...


Order_326794.docx ... Luckily the contact who sent me this did manage to find the download which is
  http ://earlychildhoodconsulting .com.au/flash.exe (VirusTotal 8/60*). Payload Security** which in turn downloads groupcreatedt .at/pav/32.bin (VirusTotal 0/54***) which is encrypted and will be either data or needs to be decrypted by the flash.exe or the original docx file... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://virustotal.c...e0420/analysis/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
78.111.243.83
208.67.222.222


*** https://www.virustot...sis/1481049239/

earlychildhoodconsulting .com.au: 192.185.163.104: https://www.virustot...04/information/
> https://www.virustot...af87c/analysis/

groupcreatedt .at: 5.105.45.139
46.98.252.42
46.119.92.41
93.113.176.105
77.122.51.2
195.211.242.109
93.78.227.231
176.99.113.116
109.87.247.145
37.229.39.217

 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 13 March 2017 - 11:41 AM.

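Two of the posts above come down to the same defender's check: #1910 has "cs.pdf" that is really a renamed .exe, and #1913 has a password-protected Order_326794.docx that antivirus cannot look inside. Both are visible from the first bytes of the file, because a password-protected .docx is no longer a zip but an OLE compound file wrapping an encrypted package. The following is an added example of that check (my own code, not from either post or from myonlinesecurity.co.uk); the sample byte strings are constructed stand-ins, not the real attachments.

```python
"""Compare an attachment's claimed extension with what its leading bytes say it is.

Added example, not code from the original posts. All samples are constructed.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (old Office / encrypted OOXML)
ZIP_MAGIC = b"PK\x03\x04"                         # zip, which is what a normal .docx/.xlsx is
PE_MAGIC = b"MZ"                                  # Windows executable
PDF_MAGIC = b"%PDF-"


def sniff(data):
    """Coarse content type from magic bytes: 'pe', 'pdf', 'ole', 'ooxml', 'zip' or 'unknown'."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip"
        return "ooxml" if "[Content_Types].xml" in names else "zip"
    return "unknown"


# Sniffed types that are consistent with each claimed extension.
EXPECTED = {
    ".pdf": {"pdf"},
    ".docx": {"ooxml"},
    ".xlsx": {"ooxml"},
    ".doc": {"ole"},
    ".xls": {"ole"},
    ".zip": {"zip", "ooxml"},
}


def check_attachment(filename, data):
    """Return (verdict, detail); verdict is 'ok', 'mismatch' or 'encrypted-office'."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if ext in (".docx", ".xlsx") and kind == "ole":
        # Password-protected OOXML is saved as an OLE container holding an
        # EncryptedPackage stream, so a scanner cannot see the document or its macros.
        return "encrypted-office", "%s is an OLE container, i.e. password-protected" % filename
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        return "mismatch", "%s claims %s but content sniffs as %s" % (filename, ext, kind)
    return "ok", "%s content matches extension" % filename


def make_ooxml():
    """Constructed minimal zip that looks like an unencrypted OOXML document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


# Constructed samples standing in for the attachments the posts describe.
SAMPLES = {
    "cs.pdf": PE_MAGIC + b"\x90\x00" + b"\x00" * 60,        # renamed .exe, as in post #1910
    "Order_326794.docx": OLE_MAGIC + b"\x00" * 504,        # password-protected docx, as in post #1913
    "report.pdf": PDF_MAGIC + b"1.4\n%constructed\n",
    "invoice.docx": make_ooxml(),
}


def triage_all(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: check_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *check_attachment(name, data))
```

A gateway policy that quarantines 'encrypted-office' and 'mismatch' verdicts, rather than trusting the extension, closes both tricks at once; the password in the email body is meant for the victim, not the scanner.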


#1914 AplusWebMaster


Posted 15 March 2017 - 05:08 AM

FYI...

Fake 'payment receipt' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
15 Mar 2017 - "... an email with the subject of 'Document:36365' coming from random companies, names and email addresses with a semi-random named zip attachment which delivers what looks like Dridex banking Trojan ... One of the emails looks like:
From: Susie <Susie@ novayaliniya .com>
Date: Wed 15/03/2017 09:35
Subject: Document:36365
Attachment: document_3332.zip
    Attached is the copy of your payment receipt.
    Susie


document_3332.zip: Extracts to: file_356.js - Current Virus total detections 0/56*
MALWR** shows a download of a txt file  from http ://mercurytdsconnectedvessel .com/hjg6657 which is renamed by the script to hjg6657.exe (VirusTotal 8/61***) MALWR[4]... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...c9b79/analysis/

** https://malwr.com/an...DE1MjE0NWM0ZjQ/

*** https://www.virustot...sis/1489573275/

4] https://malwr.com/an...zNkNmZkZDRlODQ/

mercurytdsconnectedvessel .com: 66.135.46.202: https://www.virustot...02/information/
> https://www.virustot...55bf7/analysis/
___

US accuses Russia of Yahoo hack
- http://www.cnbc.com/...s-tell-nbc.html
Mar 15, 2017 - "The Department of Justice indicted two Russian intelligence officers and two other people, on charges stemming from the hacking of at least half a billion Yahoo accounts. The defendants, including two officers of the Russian Federal Security Service, Dmitry Dokuchaev and Igor Sushchin, were able to gain information about "millions of subscribers" at Yahoo, Google, and other webmail providers, the Justice Department said. Dokuchaev and Sushchin paid co-conspirators Alexsey Belan and Karim Baratov to access email accounts, the Justice Department said... Acting Assistant Attorney General Mary McCord said that Belan is a 'notorious' criminal hacker — one of the FBI's most wanted — known for hacking U.S. e-commerce companies. Belan used the Yahoo attacks to launch spam campaigns, searched user communications for credit card and gift card numbers, and other schemes to 'line his own pockets with money', McCord said.
The FSB — an intelligence and law enforcement agency and a successor to the Soviet Union's KGB — used Belan to break into Yahoo's network instead of detaining him, McCord said. Baratov, a Canadian, was arrested on Tuesday, the DOJ said.
Yahoo disclosed two separate data breaches last year, both among the biggest in history. A 2013 attack revealed in December affected more than 1 billion user accounts. In a separate 2014 attack, disclosed in September, information was stolen from at least 500 million user accounts. The Justice Department said Wednesday's indictment concerned at least 500 million Yahoo accounts for which account information was stolen and at least 30 million Yahoo accounts for which account contents. Eighteen accounts with other providers, such as Google, were affected. Targets included Russian journalists, U.S. and Russian government officials and private-sector employees of financial, transportation and other companies, according to the Justice Department..."
- https://www.databrea...ahoo-intrusion/
Mar 15, 2017

> https://www.justice....oo-and-millions
Mar 15, 2017
> https://www.fbi.gov/...-intrusion-case
Mar 15, 2017

> https://www.fbi.gov/...r/alexsey-belan
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 16 March 2017 - 12:27 PM.



#1915 AplusWebMaster


Posted 16 March 2017 - 04:51 AM

FYI...

Fake 'Returned Sendout Transaction' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
16 Mar 2017 - "... This appears to be a newish Java Adwind version in this email, see below for details. The zip/Rar file contains -2- different sized and differently named java.jar files that both are slightly different Adwind versions...

Screenshot: https://myonlinesecu...Transaction.png

Benficiary details.jar (497kb) - Current Virus total detections 19/58*
Transaction Report.jar (267kb) - Current Virus total detections 18/59**
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1489657794/

** https://www.virustot...sis/1489657804/
 

:ph34r: :ph34r:   <_<





#1916 AplusWebMaster


Posted 18 March 2017 - 07:44 AM

FYI...

Update to Fake 'FedEx, UPS and USPS' SPAM - delivers ransomware
- https://myonlinesecu...-simple-stupid/
18 Mar 2017 - "A quick update to  the never ending spoofed emails from 'FedEx, UPS and USPS cannot deliver your parcel' malspam that generally delivers Locky ransomware and Kovter with the occasional Nemucod ransomware or Cerber ransomware thrown into the mix... noticed a  slight change today where it looks like the “apprentice” coding the javascript file in the email -attachment- has tried to be too clever and resulted in a spectacular fail. Instead of the usual “counter.js” or “counter.txt ” that gives the current download sites and what malware to download & run it just gives the php interpreter file that they bundle with the malware downloads...
Update 18 March 2017: Another mistake from this gang today. Once again an incorrect “var m” is hardcoded in the js file attachment. MALWR* | Payload Security**. If “var m” ends in a character( a-z, A-Z)  you get the counter.txt telling you which sites to download from & what malware to download. If “var m” ends in a number 0-9 you either get an empty file or in the case of 1-5 various files associated with the malware kit. 1 is normally Locky, occasionally Cerber and very rarely has been sage ransomwares. 2 is always kovter. 3 and 4 are innocent php interpreter files that the malware uses to do its nefarious deeds. 5 (when it exists) is a php list of file types to encrypt. Some days or weeks 5 does not exist & the list of file types to encrypt is hard coded into one of the other files...
* https://malwr.com/an...GY2NGQzNjNkMmU/
Hosts
184.168.58.126
50.62.253.1
50.62.238.1
184.168.177.1
173.201.141.128


** https://www.hybrid-a...vironmentId=100
Contacted Hosts
184.168.58.126
50.62.253.1
50.62.238.1
184.168.177.1
173.201.141.128


... all sites are downloading a 0 byte harmless empty file but if you do a little bit of simple editing of the javascript file and correct the apprentice’s mistake by removing the last digit to leave a character you get  MALWR*** | Payload Security[4] -both- showing crypted files and nemucod ransomware at work.
Direct downloads of the malware 1.exe (Locky) VirusTotal 13/62[5] | 2.exe (kovter) VirusTotal 16/62[6]
Currently counter/txt is nemucod ransomware, which delivers a very heavily obfuscated javascript file...
*** https://malwr.com/an...DBhMTQ3NTZhNmU/
Hosts
184.168.58.126
50.63.219.1


4] https://www.hybrid-a...vironmentId=100
Contacted Hosts (423)

5] https://www.virustot...sis/1489825684/

6] https://www.virustot...sis/1489825694/

... you end up with this txt file on your desktop (and normally the same as a html desktop background) the bitcoin address and the download decryptor links are individual to each javascript attachment. -Every- email attachment has a randomly hard coded address, which is embedded inside the Var “m” in the javascript..."
 

:ph34r: :ph34r:   <_<


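The post above explains that each .js attachment carries a hard-coded "var m" token, an array of .top download sites and a "/counter/?" path, and that the token's last character decides whether the gang's server hands back the live download list or one of the kit files. For a defender the useful part is pulling those indicators out of a quarantined attachment without ever running it. The following is an added example of that static triage (my own code, not from the post or from myonlinesecurity.co.uk); the script text and the .top domain names it scans are constructed placeholders, not the real attachment.

```python
"""Static indicator extraction from a 'parcel delivery' .js attachment.

Added example, not code from the original post. SAMPLE_JS is a constructed
stand-in containing only string literals; no download logic is reproduced.
"""
import re
import string

# var m = "<long random token>" hard-coded in the attachment.
VAR_M_RE = re.compile(r'\bvar\s+m\s*=\s*["\']([^"\']{16,})["\']')
# Quoted .top host names, the download sites the post describes.
TOP_HOST_RE = re.compile(r'["\']([a-z0-9.-]+\.top)["\']', re.IGNORECASE)
# The fixed "/counter/?" path the token is appended to.
COUNTER_RE = re.compile(r'["\']/counter/\?["\']')


def extract_indicators(js_text):
    """Return the var m token, what its last character implies (per the post), the .top hosts and whether the counter path is present."""
    m = VAR_M_RE.search(js_text)
    token = m.group(1) if m else None
    if token is None:
        note = "no var m token found"
    elif token[-1] in string.ascii_letters:
        note = "ends in a letter: would fetch counter.txt (live download list)"
    elif token[-1] in string.digits:
        note = "ends in a digit: kit file or empty response (the 'apprentice' mistake)"
    else:
        note = "ends in a non-alphanumeric character"
    hosts = sorted({h.lower() for h in TOP_HOST_RE.findall(js_text)})
    return {
        "var_m": token,
        "var_m_note": note,
        "hosts": hosts,
        "counter_path_present": bool(COUNTER_RE.search(js_text)),
    }


def is_suspect(indicators):
    """Flag the attachment when all three tell-tales occur together."""
    return (indicators["var_m"] is not None
            and indicators["counter_path_present"]
            and bool(indicators["hosts"]))


# Constructed placeholder resembling the attachment's layout, not the real script.
SAMPLE_JS = '''
var m = "c7f1e92ab04d5eb8f3a9c61d7e2b4a50";
var sites = ["placeholder-one.top", "placeholder-two.top"];
var path = "/counter/?";
'''


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_JS)
    print("suspect:", is_suspect(ind))
    for key, value in ind.items():
        print("%s: %s" % (key, value))
```

The hosts list goes to the blocklist and the token's last character tells the analyst what the sample would have fetched on the day, which is exactly the distinction the post draws between a broken attachment and a live one.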


#1917 AplusWebMaster


Posted 20 March 2017 - 04:44 AM

FYI...

Fake 'Western Union' SPAM - delivers java adwind
- https://myonlinesecu...rs-java-adwind/
20 Mar 2017 - "... a slightly different subject and email content to previous ones. Many Antiviruses on Virus Total detect these heuristically... The link-in-the-email does not go to dropbox but to a compromised website being used to spread this malware https ://www.opelhugg .com/components/Sendout Report.zip... As usual with these, the zip contains -2- differently named and different size java.jar files...

Screenshot: https://myonlinesecu...tion-Report.png

beneficiary and mtcn details.jar (272kb) - Current Virus total detections 15/59* MALWR**
Sender’s copy of pending transaction..jar (501kb) - Current Virus total detections 20/58***. MALWR[4]...
The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1489993883/

** https://malwr.com/an...TZkN2JjYTBmNTY/

*** https://www.virustot...sis/1489993897/

4] https://malwr.com/an...jdhMTgyNzExMDM/

opelhugg .com: 208.83.210.25: https://www.virustot...25/information/
> https://www.virustot...38ffe/analysis/
___

Fake 'Your order' SPAM - delivers Ramnit
- http://blog.dynamoo....spam-using.html
20 Mar 2017 - "... comes in using a broadly similar technique of including the potential victim's real home address while using apparently hijacked infrastructure (although in this case the hijacking isn't so elaborate).
    From: customerservice@ newshocks .com [mailto:customerservice@ newshocks .com]
    Sent: 15 March 2017 18:23
    Subject: [Redacted] Your order 003009 details
    Hello [redacted],
    We are delighted to confirm details of your recent order 003009. We will email you again as soon as the items you have chosen are on their way to you.
    If you have an online account with us, you can log in here to see the current status of your order.
    You will receive another e-mail from us when we have despatched your order.
    Information on order 003009 status here
    All prices include VAT at the current rate. A full VAT receipt will be included with your order.
    Delivery Address:
    [Name and address redacted]
    If you have any questions, or something about your order isn't right, please contact us. Or you can simply reply to this e-mail.
    Best regards and many thanks...


The newshocks .com domain used in the "From" field matches the sending server of rel209.newshocks .com (also mail.newshocks .com) on 185.141.164.209. This appears to be a legitimate but -unused- domain belonging to a distributor of car parts. The link-in-the-email goes to clipartwin .com/customers/customer-status-003009-verified which is currently 404ing so I can't tell what the payload is, although the previous payload appears to be Ramnit* or similar. This is using another -hijacked- but apparently legitimate web server. I don't know where the data has leaked from, but in this case the victim had lived at the address for the past four years... so the leak cannot be ancient..."
* https://www.hybrid-a...vironmentId=100
Contacted Hosts
180.149.132.47
185.117.74.77
52.9.172.230


185.141.164.209: https://www.virustot...09/information/

newshocks .com: 143.95.232.95: https://www.virustot...95/information/

clipartwin .com: 198.54.115.198: https://www.virustot...98/information/
___

Twitter app spams... and Amazon surveys
- https://blog.malware...amazon-surveys/
Mar 20, 2017 - "... dodgy download links and random zip files claiming to contain stolen nude photos and video clips, but today we’re going to look at one specific -spam- campaign aimed at Twitter users. The daisy chain begins with multiple links claiming to display stolen images of Paige, a well-known WWE wrestler, caught up in the latest dump of files. With regards to two specific messages, we saw close to -300- over a 24 hour period (and it’s possible there were others we didn’t see). These appear to have been the most common:
> https://blog.malware...03/app-spam.jpg
... The Bit(dot)ly link, so far clicked close to 7,000 times, resolves to the following:
twitter(dot)specialoffers(dot)pw/funnyvideos/redirect(dot)php
That smoothly segues into an offered Twitter App install tied to a site called Viralnews(dot)com:
> https://blog.malware...app-install.jpg
... there’s one final -redirect- URL (a bit(dot)do address) which leads to an Amazon themed survey gift card page. Suffice to say, filling this in hands your personal information to marketers – and there’s no guarantee you’ll get any pictures at the end of it (and given the images have been stolen without permission, one might say the people jumping through hoops receive their just desserts in the form of a large helping of “nothing at all”)... it’s time to return to the app and see what it’s been up to on the Twitter account we installed it on:
> https://blog.malware...r-spam-pile.jpg
Automated spam posts, complete with yet more pictures used as bait. As freshly leaked pictures and video of celebrities continue to be dropped online, so too will scammers try to make capital out of image-hungry clickers. Apart from the fact that these images have been taken without permission so you really shouldn’t be hunting for them, anyone going digging on less than reputable sites is pretty much declaring open season on their computers. Do yourself a favor and leave this leak alone..."
 



Edited by AplusWebMaster, 20 March 2017 - 11:54 AM.



#1918 AplusWebMaster

Posted 21 March 2017 - 03:18 PM

FYI...

Canada/U.K. hit by Ramnit Trojan - malvertising
- https://blog.malware...ising-campaign/
Mar 21, 2017 - "Over the last few days we have observed an increase in malvertising activity coming from adult websites that have significant traffic (several million monthly visits each). Malicious actors are using pop-under ads (adverts that load in a new browser window under the current active page) to surreptitiously -redirect- users to the RIG exploit kit. This particular campaign abuses the ExoClick ad network (ExoClick was informed and took action to stop the fraudulent advertiser based on our reports) and, according to our telemetry, primarily targets Canada and the U.K. The ultimate payloads we collected during this time period were all the Ramnit information stealer (banking, FTP credentials, etc.) which despite a takedown in 2015 has rebounded and is quite active again... The payloads we collected via our honeypot were all the Ramnit Trojan, which is interesting considering the traffic flow from the TDS (Canada, U.K. being the most hits recorded in our telemetry)...
IOCs...
RIG EK IPs:
188.225.38.209
188.225.38.186
188.225.38.164
188.225.38.131
5.200.52.240
"
(More detail at the malwarebytes URL above.)
___

'Important Notification' - phish
- https://myonlinesecu...-phishing-scam/
21 Mar 2017 - "... my webmail is being blocked for spreading viruses, or so this -phishing- scam wants me (and you) to believe...

Screenshot: https://myonlinesecu...ail-blocked.png

The link goes to http ://ostelloforyou.altervista .org/modules/007008.php where it -redirects- to a page looking like a typical webmail login page on a Cpanel server http ://transcapital .com.ge/language/hgfghj/webmail/index.php where, after you insert an email address and password, you are bounced on to a genuine Cpanel webmail login page on http ://jattours .com:2095/ which appears to be an innocent site picked at random and doesn’t give any indication of actually being hacked or compromised:
> https://myonlinesecu...bmail-login.png "

ostelloforyou.altervista .org: 104.28.14.157: https://www.virustot...57/information/
> https://www.virustot...5395f/analysis/
104.28.15.157: https://www.virustot...57/information/
> https://www.virustot...5395f/analysis/

transcapital .com.ge: 213.157.215.229: https://www.virustot...29/information/
> https://www.virustot...9300d/analysis/

jattours .com: 192.163.250.41: https://www.virustot...41/information/
 



Edited by AplusWebMaster, 22 March 2017 - 04:41 AM.



#1919 AplusWebMaster

Posted 22 March 2017 - 07:23 AM

FYI...

Fake 'Energy bill' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
22 Mar 2017 - "A blank-empty-email with the subject of 'Your GB Energy Supply bill 00077334 is attached' pretending to come from szaoi <szaoi@ 21cn .com> with a malicious word doc attachment delivers Dridex banking Trojan... The email looks like:
From: szaoi <szaoi@ 21cn .com>
Date: Wed 22/03/2017 11:14
Subject: Your GB Energy Supply bill 00077334  is attached
Attachment: bill 000309573.docm


Body content: totally blank/empty

bill 000309573.docm - Current Virus total detections 11/59*. Payload Security** | Malwr***

Manual analysis shows a download of an encrypted file from one of these locations:
palmcoastcondo .net/de3f3
shadowdalestorage .com/de3f3
lpntornbook .com/de3f3
precisioncut .com.au/de3f3
... which is converted by the macros to polivan2.exe (VirusTotal 12/62[4]) (Payload Security[5]) (MALWR[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1490183915/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
52.0.119.245
8.8.247.36
107.170.0.14
37.120.172.171
81.12.229.190


*** https://malwr.com/an...2VkMjIzZjFkY2Q/
Hosts
52.0.119.245

4] https://www.virustot...sis/1490184702/

5] https://www.hybrid-a...vironmentId=100
8.8.247.36
107.170.0.14
37.120.172.171
81.12.229.190


6] https://malwr.com/an...DliZDRkZmRiMjM/
__

'Blank Slate' campaign pushing Cerber ransomware
- https://isc.sans.edu...nsomware/22215/
2017-03-22 - "Cerber ransomware has been a constant presence since it was first discovered in February 2016. Since then, I've seen it consistently pushed by exploit kits (like Rig and Magnitude) from the pseudoDarkleech and other campaigns. I've also been tracking Cerber on a daily basis from malicious spam (malspam). Some malspam pushing Cerber is part of the 'Blank Slate' campaign. Why call it Blank Slate? Because the emails have -no- message text, and there's nothing to indicate what, exactly, the attachments are. Subject lines and attachment names are vague and usually consist of random numbers. An interesting aspect of this campaign is that the file attachments are double-zipped. There's a zip archive within the zip archive. Within that second zip archive, you'll find a malicious JavaScript (.js) file -or- a Microsoft Word document. These files are designed to infect a computer with ransomware...
> https://isc.sans.edu...ry-image-09.jpg
... Potential victims must open an attachment from a -blank- email, go through -two- zip archives, then double-click the final file. If the final file is a Word document, the victim must also enable-macros..."
(More detail at the isc URL at the top.)
 



Edited by AplusWebMaster, 23 March 2017 - 04:49 AM.


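A defender-side check for the 'Blank Slate' attachment structure described in the ISC post above: an added example, not code from ISC or from the post's author. It walks a zip attachment, follows any zip nested inside it, and flags script or Word files found below the top level; the sample archive, its random-number file names, the extension list and the depth limit are all constructed for the demonstration.

```python
import io
import zipfile

# Extensions the post describes inside the inner archive (.js or a Word
# document); the list itself is an assumption for this example.
RISKY_EXTENSIONS = (".js", ".jse", ".doc", ".docm", ".dot", ".dotm")
MAX_DEPTH = 3  # constructed limit: stop following archives nested deeper


def inspect_archive(data, depth=0, path=""):
    """Return a list of (member_path, depth) for risky members found in the
    zip `data` or in zips nested inside it. Non-zip input yields []."""
    findings = []
    if depth > MAX_DEPTH:
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                full = f"{path}/{name}" if path else name
                lower = name.lower()
                if lower.endswith(".zip"):
                    # zip within a zip: recurse one level deeper
                    findings.extend(inspect_archive(zf.read(info), depth + 1, full))
                elif lower.endswith(RISKY_EXTENSIONS):
                    findings.append((full, depth))
    except zipfile.BadZipFile:
        pass  # attachment is not a zip at all
    return findings


def looks_like_blank_slate(data):
    """True when a script or Word file sits inside a zip that is itself
    inside the attachment, the double-zip layout the post describes."""
    return any(depth >= 1 for _, depth in inspect_archive(data))


def build_sample():
    """Constructed sample: outer zip -> inner zip -> '8273645.js'."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("8273645.js", "// placeholder content, not a payload\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("5519021.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print(inspect_archive(sample))        # [('5519021.zip/8273645.js', 1)]
    print(looks_like_blank_slate(sample))  # True
```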

#1920 AplusWebMaster

Posted 23 March 2017 - 05:38 AM

FYI...

Word file targets -both- Windows and Mac OS X
- https://blog.fortine...crosoft-windows
Mar 22, 2017 - "... new Word file that spreads malware by executing malicious VBA (Visual Basic for Applications) code. The sample targeted both Apple Mac OS X -and- Microsoft Windows systems...
When the Word file is opened, it notifies victims to enable-the-Macro security option, which allows the malicious VBA code to be executed...
IoCs: URL:
hxxps ://sushi.vvlxpress .com:443/HA1QE
hxxps ://pizza.vvlxpress .com:443/kH-G5
hxxps ://pizza.vvlxpress .com:443/5MTb8oL0ZTfWeNd6jrRhOA1uf-yhSGVG-wS4aJuLawN7dWsXayutfdgjFmFG9zbExdluaHaLvLjjeB02jkts1pq2bR/
hxxps ://sushi.vvlxpress .com:443/TtxCTzF1Q2gqND8gcvg-cwGEk5tPhorXkzS0gXv9-zFqsvVHxi-1804lm2zGUE31cs/ "
(More detail at the fortinet URL above.)

vvlxpress .com: 184.168.221.63: https://www.virustot...63/information/
> https://www.virustot...5a0d7/analysis/

- https://www.helpnets...rd-windows-mac/
Mar 23, 2017 - "... The malicious Word file is currently flagged by nearly half of the malware engines used by VirusTotal*..."
* https://www.virustot...48a74/analysis/
 



