FYI...
Fake 'DHL' SPAM - js script
- http://blog.dynamoo....8878382814.html
2 May 2017 - "... another -fake- DHL message leading to an evil .js script.
From: DHL Parcel UK [redacted]
Sent: 02 May 2017 09:30
To: [redacted]
Subject: DHL Shipment 458878382814 Delivered
You can track this order by clicking on the following link:
https ://www .dhl .com/apps/dhltrack/?action=track&tracknumbers=458878382814&language=en&opco=FDEG&clientype=ivother
Please do not respond to this message. This email was sent from an unattended mailbox. This report was generated at approximately 08:15 am CDT on 02/05/2017.
All weights are estimated.
The shipment is scheduled for delivery on or before the scheduled delivery displayed above. DHL does not determine money-back guarantee or delay claim requests based on the scheduled delivery. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL customer support representative.
This tracking update has been sent to you by DHL on behalf of the Requestor [redacted]. DHL does not validate the authenticity of the requestor and does not validate, guarantee or warrant the authenticity of the request, the requestor's message, or the accuracy of this tracking update.
Standard transit is the date the package should be delivered by, based on the selected service, destination, and ship date. Limitations and exceptions may apply. Please see the DHL Service Guide for terms and conditions of service, including the DHL Money-Back Guarantee, or contact your DHL Customer Support representative.
In this case the link goes to parkpaladium .com/DHL24/18218056431/ and downloads a file
DHL-134843-May-02-2017-55038-8327373-1339347112.js. According to Malwr* and Hybrid Analysis** the script downloads a binary from
micromatrices .com/qwh7zxijifxsnxg20mlwa/ (77.92.78.38 - UK2, UK) and then subsequently attempts communication with
75.25.153.57 (AT&T, US)
79.170.95.202 (XL Internet Services, Netherlands)
87.106.148.126 (1&1, Germany)
78.47.56.162 (Mediaforge, Germany)
81.88.24.211 (dogado GmbH, Germany)
92.51.129.235 (Host Europe, Germany)
74.50.57.220 (RimuHosting, US)
The dropped binary has a VirusTotal detection rate of 10/60***.
Recommended blocklist:
77.92.78.38
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
74.50.57.220 "
* https://malwr.com/an...jQyOTA1ZjM3MjM/
Hosts
77.92.78.38
79.170.95.202
** https://www.hybrid-a...vironmentId=100
Contacted Hosts
77.92.78.38
75.25.153.57
79.170.95.202
87.106.148.126
78.47.56.162
81.88.24.211
92.51.129.235
74.50.57.220
*** https://virustotal.c...sis/1493719562/
mlgih3wgw.exe
___
Fake 'Secure email' SPAM - delivers Trickbot
- https://myonlinesecu...banking-trojan/
2 May 2017 - "An email with the subject of 'Secure email message' pretending to come from Companies House but actually coming from a look-alike domain <noreply@ cp-secure-message .co.uk> with a malicious word doc attachment is today’s latest spoof of a well known company, bank or public authority delivering Trickbot banking Trojan...
Screenshot: https://myonlinesecu...ure-message.png
SecureMessage.doc - Current Virus total detections 5/55*. Payload Security** shows a download from
http ://gestionbd .com/fr/QMjJrcCrHGW9sb6uF.png which of course is -not- an image file but a renamed .exe file that gets renamed to Epvuyf.exe and autorun (VirusTotal 8/61***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1493724795/
** https://www.hybrid-a...vironmentId=100
Contacted Hosts
216.138.226.110
50.19.97.123
186.208.111.188
82.146.94.86
*** https://www.virustot...sis/1493725297/
Epvuyf.exe
gestionbd .com: 216.138.226.110: https://www.virustot...10/information/
> https://www.virustot...15290/analysis/
___
Cerber Ransomware - evolution
- http://blog.trendmic...ware-evolution/
May 2, 2017 - "... enterprises and individual users alike are taking the brunt, with the U.S. accounting for much of Cerber’s impact. We’ve also observed Cerber’s adverse impact among organizations in education, manufacturing, public sector, technology, healthcare, energy, and transportation industries:
Top countries affected by Cerber:
> https://blog.trendmi...4/cerber6-1.jpg
Infection chain of Cerber Version 6:
> https://blog.trendmi...4/cerber6-2.jpg
Adding a time delay in the attack chain enables Cerber to elude traditional sandboxes, particularly those with time-out mechanisms or that wait for the final execution of the malware. Other JS files we saw ran powershell.exe (called by wscript.exe) whose parameter is a PowerShell script — the one responsible for downloading the ransomware and executing it in the system:
Sample Cerber 6-carrying spam email posing as a public postal service agency:
> https://blog.trendmi...4/cerber6-4.jpg
... Cerber was updated with the capability to integrate the infected system into botnets, which were employed to conduct distributed denial of service (DDoS) attacks. By July, a spam campaign was seen abusing cloud-based productivity platform Office 365 through Office documents embedded with a malicious macro that downloads and helps execute the ransomware. Exploit kits are also a key element in Cerber’s distribution. Cerber-related malvertising campaigns were observed in 2016 diverting users to Magnitude, Rig, and Neutrino — which has since gone private — exploit kits that target system or software vulnerabilities. This year, we’re seeing relatively new player Sundown exploit kit joining the fray... Cerber’s distribution methods remain consistent, we’ve seen newer variants delivered as self-extracting archives (SFX package) containing malicious Visual Basic Script (.VBS) and Dynamic-link library (.DLL) files that execute a rather intricate attack chain compared to other versions... it’s one of the signs of things to come for Cerber. It is not far-fetched for Cerber to emulate how Locky constantly changed email file attachments in its spam campaigns by expanding arrival vectors beyond JS files and PowerShell scripts — from JScript to HTML Application (.HTA) and compressed binary files (.BIN) — and exploiting file types that aren’t usually used to deliver malware... we’re currently seeing .HTA files being leveraged by a campaign that uses Cerber as payload. Our initial analysis indicates that the campaign, which we began monitoring by the third week of April, appears to be targeting Europe. We also found the same campaign attacking two Latin American countries. This campaign is notable for displaying Cerber’s ransom note in the local language of the infected system. It uses an .HTA file to show the online message/ransom note as well as detect the local language to be displayed...
Cerber’s evolution reflects the need for organizations and end users to be aware of today’s constantly evolving threats. End users risk losing money and their important personal files to ransomware; it also threatens organizations’ business operations, reputation, and bottom line. While there is no silver bullet against ransomware, keeping systems up-to-date, taking caution against unsolicited and suspicious emails, regularly backing up important files, and cultivating a culture of cybersecurity in the workplace are just some of the best practices for defending against ransomware. IT/system administrators and information security professionals can further defend their organization’s perimeter by incorporating additional layers of security against suspicious files, processes, applications, and network activity that can be exploited and leveraged by ransomware. Users and businesses can also benefit from a multilayered approach to security that covers the gateway, endpoints, networks, and servers..."
(More detail at the trendmicro URL above.)
Edited by AplusWebMaster, 02 May 2017 - 02:55 PM.
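As an added example (not from the quoted blogs or from the original post), two things in this thread translate directly into detection logic a defender can run over endpoint telemetry: the Cerber chain described by Trend Micro, where a mailed .js is run by wscript.exe which then launches powershell.exe with a downloader script, and the recommended blocklist from the dynamoo DHL write-up. The script below runs over a few constructed, pipe-separated process-creation and network events and reports the matches. The event layout, the sample lines, the paths and the parse_event/detect names are assumptions of this example; only the blocklist IPs are taken from the post, and that list is the 2017 one quoted above, so it is a pattern to copy rather than a list to deploy as-is.

```python
"""Added example: flag script-host -> PowerShell chains and contacts to the
post's blocklist in constructed, Sysmon-style process and network events."""
from dataclasses import dataclass

# IPs copied from the "Recommended blocklist" in the dynamoo DHL post above.
BLOCKLIST = {
    "77.92.78.38", "75.25.153.57", "79.170.95.202", "87.106.148.126",
    "78.47.56.162", "81.88.24.211", "92.51.129.235", "74.50.57.220",
}

# Windows hosts for .js/.vbs/.hta content; mshta.exe covers the .HTA campaign
# mentioned in the Cerber write-up (assumption: these are the hosts of interest).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOADERS = {"powershell.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".hta")
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\")  # mailed attachments land here


@dataclass
class Event:
    ts: str
    kind: str          # "process" or "network"
    image: str         # lowercase image basename
    parent: str = ""   # parent image basename, process events only
    cmdline: str = ""  # full command line, process events only
    dest_ip: str = ""  # destination address, network events only


def parse_event(line):
    """Parse one event line. Field order is an assumption of this example:
    process: ts | process | image | parent_image | command_line
    network: ts | network | image | dest_ip"""
    fields = [f.strip() for f in line.split("|")]
    kind = fields[1]
    if kind == "process":
        ts, _, image, parent, cmdline = fields
        return Event(ts, kind, image.lower(), parent.lower(), cmdline)
    ts, _, image, dest_ip = fields
    return Event(ts, kind, image.lower(), dest_ip=dest_ip)


def detect(lines):
    """Return (timestamp, rule_name, detail) tuples for every matching event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.kind == "process":
            cmd = ev.cmdline.lower()
            if ev.parent in SCRIPT_HOSTS and ev.image in DOWNLOADERS:
                # The Cerber chain from the write-up: wscript.exe -> powershell.exe
                findings.append((ev.ts, "script_host_spawned_powershell",
                                 f"{ev.parent} -> {ev.image}"))
            elif (ev.image in SCRIPT_HOSTS and cmd.endswith(SCRIPT_EXTENSIONS)
                  and any(d in cmd for d in USER_WRITABLE_DIRS)):
                # A script host executing a script from a user-writable path,
                # which is how a mailed .js attachment is typically launched.
                findings.append((ev.ts, "script_host_ran_script_from_user_dir",
                                 ev.cmdline))
        elif ev.kind == "network" and ev.dest_ip in BLOCKLIST:
            findings.append((ev.ts, "blocklisted_destination", ev.dest_ip))
    return findings


# Constructed sample telemetry mirroring the DHL .js -> PowerShell -> download
# chain; the file name reuses the one quoted in the post, the rest is made up.
SAMPLE_EVENTS = [
    r"2017-05-02T09:31:02 | process | outlook.exe | explorer.exe | OUTLOOK.EXE",
    r"2017-05-02T09:31:40 | process | wscript.exe | explorer.exe | wscript.exe "
    r"C:\Users\alice\Downloads\DHL-134843-May-02-2017-55038-8327373-1339347112.js",
    r"2017-05-02T09:31:41 | process | powershell.exe | wscript.exe | powershell.exe "
    r"-File C:\Users\alice\AppData\Local\Temp\dl.ps1",
    r"2017-05-02T09:31:45 | network | powershell.exe | 77.92.78.38",
    r"2017-05-02T09:32:10 | network | mlgih3wgw.exe | 79.170.95.202",
    r"2017-05-02T09:40:00 | network | chrome.exe | 192.0.2.10",
]

if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{ts}  {rule:40}  {detail}")
```

The parent/child rule is the durable one: the blocklist ages quickly, but a scripting host launching PowerShell is rare in most environments and survives the attackers rotating their download hosts. Tune USER_WRITABLE_DIRS and SCRIPT_HOSTS to match where legitimate scripts run in your own estate before treating the second rule as an alert rather than a hunt query.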