SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#1951 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 11 May 2017 - 04:52 AM

FYI...

Fake 'pdf attachment' SPAM - delivers Locky/Dridex
- https://myonlinesecu...df-attachments/
11 May 2017 - "... well-used email template with literally hundreds if not thousands of subject lines. These generally deliver either Locky ransomware or Dridex banking Trojan.
    File_69348406
    PDF_9859
    Scan_2441975
    Document_11048
    Copy_9762
They -all- have a pdf attachment that drops a word doc with macros... all downloads from these locations which delivers an encrypted txt file that should be converted by the macro to a working .exe file but Payload security.... doesn’t seem able to convert it...
wipersdirect .com/f87346b
tending .info/f87346b
julian-g .ro/f87346b

I am being told this is a -new- ransomware called jaff ransomware*...
* https://twitter.com/...586080507424769
... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."

wipersdirect .com: 108.165.22.125: https://www.virustot...25/information/
> https://www.virustot...49ec3/analysis/

tending .info: 80.75.98.151: https://www.virustot...51/information/
> https://www.virustot...35742/analysis/

julian-g .ro: 86.35.15.215: https://www.virustot...15/information/
> https://www.virustot...82654/analysis/
___

Fake 'DHL Statements' SPAM - delivers js malware
- https://myonlinesecu...livers-malware/
11 May 2017 - "... an email with the subject of '6109175302 Statements x Requests Required' (random numbers) pretending to come from bgyhub@ dhl .com with a zip attachment containing -2- differently named .js files which delivers some sort of malware...

Screenshot: https://myonlinesecu...ts-Required.png

TYPE OF GOODS_DECLARATION.zip: Extracts to: DECLARATION (FORM).PDF.js -and- TYPE OF GOODS DOC.pdf.js
 Current Virus total detections [1] [2]:  Payload Security [3] [4] shows a download from one or both of these locations:
  http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs which is renamed and autorun by the script (VirusTotal [5]) (Payload Security[6])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...sis/1494487534/

2] https://www.virustot...sis/1494487531/

3] https://www.hybrid-a...vironmentId=100

4] https://www.hybrid-a...vironmentId=100

5] https://www.virustot...sis/1494488118/

6] https://www.hybrid-a...vironmentId=100

schuetzen-neusalz .de: 85.13.146.159: https://www.virustot...59/information/
> https://www.virustot...cc5ce/analysis/

wersy .net: 217.29.53.99: https://www.virustot...99/information/
> https://www.virustot...0680e/analysis/
___

Malware spam with 'nm.pdf' attachment
- http://blog.dynamoo....attachment.html
11 May 2017 - "Currently underway is a malicious spam run with various subjects, for example:
Scan_5902
Document_10354
File_43359
Senders are random, and there is -no- body text. In -all- cases there is a PDF attached named nm.pdf with an MD5 of D4690177C76B5E86FBD9D6B8E8EE23ED -or- 6B305C5B59C235122FD8049B1C4C794D (and possibly more). Detection rates at VirusTotal are moderate [1] [2].
The PDF file contains an embedded Word .docm macro document. Hybrid Analysis [3] [4] is partly successful: it shows a run-time error for the malicious code, but it does demonstrate that a malicious .docm file is dropped, with a detection rate of 15/58[5].
Putting the .docm file back into Hybrid Analysis and Malwr [6] [7] shows the same sort of results, namely a download from:
easysupport .us/f87346b ...
UPDATE: A contact pointed out this Hybrid Analysis[X] which looks like basically the same thing, only in this sample the download seems to work. Note the references to "jaff" in the report, which -matches- this Tweet[8] about something called "Jaff ransomware".
That report also gives two other locations to look out for:
trialinsider .com/f87346b
fkksjobnn43 .org/a5/

This currently gives a recommended blocklist of:
47.91.107.213
trialinsider .com
easysupport .us
"
1] https://virustotal.c...sis/1494492097/

2] https://virustotal.c...sis/1494492251/

3] https://www.hybrid-a...vironmentId=100
Contacted Hosts
198.58.93.28 - easysupport .us
- https://www.virustot...28/information/
> https://www.virustot...de188/analysis/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
198.58.93.28 - easysupport .us

5] https://virustotal.c...sis/1494492613/

6] https://www.hybrid-a...vironmentId=100
198.58.93.28 - easysupport .us

> https://www.virustot...de188/analysis/

7] https://malwr.com/an...WY1NjU5ZDViNzk/

8] https://twitter.com/...597006363152385

X] https://www.hybrid-a...vironmentId=100
Contacted Hosts
107.154.168.227 - trialinsider .com
47.91.107.213 - fkksjobnn43 .org

trialinsider .com: 107.154.161.227: https://www.virustot...27/information/
> https://www.virustot...4291a/analysis/
107.154.168.227: https://www.virustot...27/information/
> https://www.virustot...4291a/analysis/

 

fkksjobnn43 .org: 47.91.107.213: https://www.virustot...13/information/
> https://www.virustot...4e012/analysis/
___

Fake 'DHL' SPAM - delivers Trojan
- https://myonlinesecu...banking-trojan/
11 May 2017 - "... an email with the subject of 'Fwd: DHL Redelivery Confirmation #574068024996' (random numbers) pretending to come from random companies, names and email addresses with a semi-random named zip attachment which delivers Ursnif banking Trojan...

Screenshot: https://myonlinesecu...-redelivery.png

request-redelivery-2017053299810.pdf.js - Current Virus total detections 1/57*. Payload Security** shows a download from one or both of these locations
  http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
 which is -renamed- and autorun by the script (VirusTotal 9/62***) (Payload Security[4])... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1494500118/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1494488118/

4] https://www.hybrid-a...vironmentId=100

schuetzen-neusalz .de: 85.13.146.159: https://www.virustot...59/information/
> https://www.virustot...cc5ce/analysis/

wersy .net: 217.29.53.99: https://www.virustot...99/information/
> https://www.virustot...0680e/analysis/
___

Fake 'invoice' SPAM - using docs with embedded ole objects
- https://myonlinesecu...ed-ole-objects/
11 May 2017 - "... banking Trojans. This one is using a different delivery method to try to throw us off track... this has a word docx attachment that contains an embedded ole object that when you click on the blurry  image in the word doc, thinking you are opening an invoice you actually open & run the embedded hidden .js file. This pretends to be an invoice coming from random senders:
> https://myonlinesecu...-ole-object.png

Screenshot: https://myonlinesecu...ozi-invoice.png

7398219046.docx - Current Virus total detections 2/58*. Payload Security** shows the dropped .js file but doesn’t make it available for download. I had to get that manually (VirusTotal 1/55***) (Payload Security[4]) which shows
 the same connections and download from one or both of these locations
  http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
which is renamed and autorun by the script (VirusTotal 9/62[5]) (Payload Security[6])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1494509580/

** https://www.hybrid-a...vironmentId=100

*** https://www.virustot...sis/1494508789/

4] https://www.hybrid-a...vironmentId=100

5] https://www.virustot...sis/1494488118/

6] https://www.hybrid-a...vironmentId=100

schuetzen-neusalz .de: 85.13.146.159: https://www.virustot...59/information/
> https://www.virustot...cc5ce/analysis/

wersy .net: 217.29.53.99: https://www.virustot...99/information/
> https://www.virustot...0680e/analysis/
___

New ‘Jaff’ ransomware via Necurs ...
- https://blog.malware...asks-for-2-btc/
May 11, 2017 - "... yet another ransomware on the block, but contrary to the many copycats out there this one appears to be more serious and widespread since it is part of the Necurs spam campaigns... Jaff ransomware looks very identical to Locky in many ways: same distribution via the Necurs botnet, same PDF that opens up a Word document with a macro, and also similar payment page:
> https://blog.malware...17/05/email.png
...
> https://blog.malware.../Jaff_decoy.png
... this is where the comparison ends, since the code base is different as well as the ransom itself. Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing:
> https://blog.malware...5/encrypted.png
...  the return of Locky after a short hiatus has not been as big as anticipated. The appearance of the Jaff ransomware may also take away some market shares from it."
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 11 May 2017 - 02:28 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
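Added example (not from AplusWebMaster's post or the blogs it quotes): a static triage script for the attachment chain described in this post, a PDF that carries an embedded macro-enabled .docm, and a .docx whose embedded OLE object drops a .js file. It counts the PDF action/JavaScript/embedded-file keywords (after undoing the #xx name escapes that are used to hide them), inflates the FlateDecode streams, and opens any stream that is really a zip (OOXML) to check for a vbaProject.bin part and for OLE packages whose stored file name looks like a script. The sample PDF and .docm are constructed in memory; the names dropped.docm and invoice.js, the JavaScript action and the fake VBA/OLE bytes are illustrative assumptions, not data from a real sample.

```python
# Added example; constructed sample data, not code or files from the post above.
import io
import re
import zipfile
import zlib

PDF_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
            b"/EmbeddedFile", b"/Filespec")
DROP_EXT = rb"\.(?:js|jse|vbs|vbe|wsf|hta|exe|scr|cmd|bat|ps1)"


def unescape_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_keyword_counts(pdf: bytes) -> dict:
    """Count action/script/embedding keywords after undoing name escapes."""
    norm = unescape_names(pdf)
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", norm))
            for k in PDF_KEYS}


def pdf_streams(pdf: bytes):
    """Yield stream bodies, inflated when FlateDecode; a direct /Length in the
    preceding dictionary is honoured, otherwise the body runs to 'endstream'."""
    for m in re.finditer(rb"(?<!end)stream\r?\n", pdf):
        start = m.end()
        head = pdf[max(0, m.start() - 400):m.start()]
        lengths = re.findall(rb"/Length\s+(\d+)(\s+\d+\s+R)?", head)
        if lengths and not lengths[-1][1]:            # direct length, not "n 0 R"
            body = pdf[start:start + int(lengths[-1][0])]
        else:
            end = pdf.find(b"endstream", start)
            body = pdf[start:end if end >= 0 else len(pdf)].rstrip(b"\r\n")
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body          # uncompressed, or a filter this example ignores


def inspect_ooxml(blob: bytes) -> dict:
    """Look inside an OOXML zip (docm/docx/xlsm) for a VBA project and OLE packages."""
    result = {"vba": False, "dropped_names": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                result["vba"] = True
            if "/embeddings/" in low:
                # Heuristic: an Ole10Native package keeps the original file name as a
                # NUL-terminated ASCII string; no full CFB parsing is attempted here.
                for hit in re.findall(rb"([\w\- ]{1,64}" + DROP_EXT + rb")\x00",
                                      z.read(name), re.I):
                    label = hit.decode("ascii", "replace")
                    if label not in result["dropped_names"]:
                        result["dropped_names"].append(label)
    return result


def triage_pdf(pdf: bytes) -> dict:
    """Combine keyword counts with whatever Office documents the streams hide."""
    report = {"keywords": pdf_keyword_counts(pdf), "embedded_office": []}
    for body in pdf_streams(pdf):
        if body.startswith(b"PK\x03\x04"):            # zip container = OOXML candidate
            try:
                report["embedded_office"].append(inspect_ooxml(body))
            except zipfile.BadZipFile:
                pass
    kw = report["keywords"]
    auto_action = any(kw[k] for k in ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch"))
    report["suspicious"] = (
        any(e["vba"] or e["dropped_names"] for e in report["embedded_office"])
        or bool(report["embedded_office"] and auto_action)
    )
    return report


def build_sample_docm() -> bytes:
    """Constructed .docm: OOXML zip with a fake VBA part and a fake OLE package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
        z.writestr("word/embeddings/oleObject1.bin",
                   b"\x02\x00invoice.js\x00C:\\tmp\\invoice.js\x00")
    return buf.getvalue()


def build_sample_pdf(embedded: bytes) -> bytes:
    """Constructed PDF: one FlateDecode embedded file plus an OpenAction JavaScript
    (name hex-escaped) that exports and launches it. No xref; the scanner is byte-based."""
    payload = zlib.compress(embedded)
    return (
        b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R "
        b"/Names << /EmbeddedFiles << /Names [(dropped.docm) 3 0 R] >> >> >> endobj\n"
        b"2 0 obj << /S /J#61vaScript /JS (this.exportDataObject({cName:'dropped.docm', nLaunch:2});) >> endobj\n"
        b"3 0 obj << /Type /Filespec /F (dropped.docm) /EF << /F 4 0 R >> >> endobj\n"
        b"4 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length "
        + str(len(payload)).encode() + b" >>\nstream\n" + payload
        + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf(build_sample_docm())))
```

The verdict logic deliberately needs two signals: an Office container inside the PDF plus either an automatic action or a macro/OLE payload inside that container, so a plain PDF that merely attaches a .docx is reported but not flagged. The OLE name scan is a string heuristic, not a parser; a real gateway would hand the extracted .docm to a proper VBA extractor.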



#1952 AplusWebMaster


Posted 12 May 2017 - 06:28 AM

FYI...

Fake 'Scanned image' SPAM - delivers jaff ransomware
- https://myonlinesecu...aff-ransomware/
12 May 2017 - "An email with the subject of 'Scanned image' coming or pretending to come from random email addresses with a pdf attachment that contains an embedded malicious word doc delivers jaff ransomware...

Screenshot: https://myonlinesecu...d-image_pdf.png

20170512605164.pdf - which drops N5OSUHX.docm - Current Virus total detections [pdf*] [docm**]:
Payload Security [pdf...] [docm(4)] shows a download of an encrypted txt file from
 http ://trebleimp .com/77g643 which is converted by the macro to ratchet20.exe ... It also shows a connection to
 http ://h552terriddows .com/a5/ which gives a created message...
>> Update: managed to get the ratchet20.exe file via:
> https://jbxcloud.joe...s/268338/1/html- (VirusTotal [5]) (Payload Security[6])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1494559929/

** https://www.virustot...sis/1494562144/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
27.254.44.204
47.91.107.213


5] https://www.virustot...sis/1494559081/

6] https://www.hybrid-a...vironmentId=100

trebleimp .com: 27.254.44.204: https://www.virustot...04/information/
> https://www.virustot...4c8ba/analysis/

h552terriddows .com: 47.91.107.213: https://www.virustot...13/information/
> https://www.virustot...fcafd/analysis/
___

New ‘Jaff’ ransomware via Necurs ...
- https://blog.malware...asks-for-2-btc/
May 11, 2017 - "... yet another ransomware on the block, but contrary to the many copycats out there this one appears to be more serious and widespread since it is part of the Necurs spam campaigns... Jaff ransomware looks very identical to Locky in many ways: same distribution via the Necurs botnet, same PDF that opens up a Word document with a macro, and also similar payment page:
> https://blog.malware...17/05/email.png
...
> https://blog.malware.../Jaff_decoy.png
... this is where the comparison ends, since the code base is different as well as the ransom itself. Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing:
> https://blog.malware...5/encrypted.png
...  the return of Locky after a short hiatus has not been as big as anticipated. The appearance of the Jaff ransomware may also take away some market shares from it."
___

U.K. Hospitals Hit - Widespread Ransomware Attack
- https://krebsonsecur...somware-attack/
May 12, 2017 - "At least 16 hospitals in the United Kingdom are being forced to divert emergency patients today after computer systems there were infected with ransomware... there are indications the malware may be spreading to vulnerable systems through a security hole in Windows that was recently patched by Microsoft:
> https://krebsonsecur...nna-580x285.png
(Ransom note left behind on computers infected with the Wanna Decryptor ransomware strain. Image: BleepingComputer)
In a statement*, the U.K.’s National Health Service (NHS) said a number of NHS organizations had suffered ransomware attacks... According to CCN-CERT, that flaw is MS17-010**, a vulnerability in the Windows Server Message Block (SMB) service, which Windows computers rely upon to share files and printers across a local network. Malware that exploits SMB flaws could be extremely dangerous inside of corporate networks because the file-sharing component may help the ransomware spread rapidly from one infected machine to another..."
* https://www.digital....HS-cyber-attack

** https://technet.micr...y/ms17-010.aspx
March 14, 2017

 



Edited by AplusWebMaster, 12 May 2017 - 02:02 PM.



#1953 AplusWebMaster


Posted 15 May 2017 - 04:33 AM

FYI...

Indicators Associated With WannaCry Ransomware
- https://www.us-cert....lerts/TA17-132A
Last revised: May 15, 2017 - "... According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours... Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010* vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails...
* https://technet.micr...y/ms17-010.aspx
March 14, 2017
The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans...
Precautionary measures to mitigate ransomware threats include:
- Ensure anti-virus software is up-to-date.
- Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
- Scrutinize -links- contained in -e-mails- and do -not- open -attachments- included in unsolicited e-mails.
- Only download software – especially free software – from sites you know and trust.
- Enable automated patches for your operating system and Web browser..."
(More detail at the us-cert URL at the top of this post).

WannaCry/WannaCrypt Ransomware Summary
- https://isc.sans.edu...l?storyid=22420
2017-05-15
___

> http://blog.talosint...nacry.html#more
May 12, 2017 - "... Umbrella* prevents DNS resolution of the domains associated with malicious activity..."
* https://umbrella.cisco.com/
... aka 'OpenDNS' - FREE:
>> https://www.opendns..../?new=home-free

Test -after- setups: https://welcome.opendns.com/
___

Fake 'invoice' SPAM - delivers pdf attachment jaff ransomware
- https://myonlinesecu...eliver-malware/
15 May 2017 - "An email pretending to be an invoice coming from random senders with a PDF attachment that drops a malicious macro enabled word doc...
Update: confirmed as Jaff ransomware (VirusTotal 5/61*) (Payload Security**)...

Screenshot: https://myonlinesecu...ent-malspam.png

... An alternative docm file that was extracted confirms it to be jaff ransomware downloads
 ecuamiaflowers .com/hHGFjd encrypted txt (Payload Security[3]) (VirusTotal 13/56[4]) JoeSandbox[5]... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1494846406/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
47.91.107.213

3] https://www.hybrid-a...vironmentId=100
Contacted Hosts
107.180.14.32
47.91.107.213


4] https://www.virustot...sis/1494844454/

5] https://jbxcloud.joe...s/271421/1/html

ecuamiaflowers .com: 107.180.14.32: https://www.virustot...32/information/
> https://www.virustot...85814/analysis/

h552terriddows .com: 47.91.107.213: https://www.virustot...13/information/
> https://www.virustot...42c85/analysis/
 



Edited by AplusWebMaster, 15 May 2017 - 07:31 AM.



#1954 AplusWebMaster


Posted 16 May 2017 - 05:29 AM

FYI...

Fake 'invoice' SPAM - downloads Cerber ransomware
- https://myonlinesecu...eliver-malware/
16 May 2017 - "... an empty/blank email with the subject of 'Re: invoice 28769' coming or pretending to come from random companies, names and email addresses with a semi-random named zip attachment that contains another zip that in turn contains a .js file... downloads Cerber ransomware...

Screenshot: https://myonlinesecu...nvoice28769.png

... I am reliably informed[1] that with a couple of minor fixes to correct the malware developers mistakes this downloads Cerber ransomware from
 hxxp ://mdnchdbde .pw/search.php which delivers a file 1 (VirusTotal 6/59*) (Payload Security**)... 'certain that they will fix it in the next malspam run. These criminal gangs often send a small spam run out to “test the waters” and when they don’t get any expected result they double check & fix the errors ready for the next spam run.

262647732.zip: extracts to 27000_packed.zip: which in turn Extracts to: 27000.js
Current Virus total detections 0/57[3]:  Payload Security[4] Joebox[5] - none of the online sandboxes managed to get any download location or malware content from the .js file... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://twitter.com/...350538112016385

* https://www.virustot...sis/1494912080/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (1088)

3] https://www.virustot...sis/1494910036/

4] https://www.hybrid-a...vironmentId=100

5] https://jbxcloud.joe...s/271922/1/html

mdnchdbde .pw: 35.163.27.202: https://www.virustot...02/information/
> https://www.virustot...f809c/analysis/
___

Fake 'pdf attachments' SPAM - delivers Jaff ransomware
- https://myonlinesecu...aff-ransomware/
16 May 2017 - "... series of emails with pdf attachments that drops a malicious macro enabled word doc is an email with the subject of 'Emailing: 2650032.pdf' (random numbers) pretending to come from random names at your-own-email-address that delivers Jaff ransomware...

Screenshot: https://myonlinesecu...2650032_pdf.png

2650032.pdf - Current Virus total detections 8/54*: Payload Security**... drops EYRCUD.docm
(VirusTotal 8/59***) (Payload Security[4])... downloads an encrypted txt file from
  http ://personalizar .net/Nbiyure3  which is converted by the script to galaperidol8.exe ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1494926923/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.88.57.70
47.91.107.213


*** https://www.virustot...sis/1494927173/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.88.57.70
47.91.107.213


personalizar .net: 81.88.57.70: https://www.virustot...70/information/
> https://www.virustot...774c2/analysis/
 



Edited by AplusWebMaster, 16 May 2017 - 08:13 AM.

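Added example (not from AplusWebMaster's posts or the blogs they quote): every post in this thread lists its indicators in a defanged house style, a space before the TLD ("wersy .net"), "http ://" or "hxxp ://" for the scheme, resolved hosts as "<domain>: <ip>: <analysis link>", and bare IPs under "Contacted Hosts". The script below refangs those lines, separates the indicators from the truncated VirusTotal/Hybrid Analysis links (which carry "..."), drops anything that is not a routable address, and renders Unbound local-zone entries and a hosts-file style list. SAMPLE is a hand-picked subset of lines from the posts above; the output formats are my own choice, not something the posts prescribe.

```python
# Added example; SAMPLE copies a few indicator lines from the posts, nothing else is theirs.
import ipaddress
import re
from urllib.parse import urlsplit

DEFANG_DOT = re.compile(r"(?<=\w) \.(?=[a-z]{2,}\b)")      # "wersy .net" -> "wersy.net"
DEFANG_SCHEME = re.compile(r"\b(?:hxxp|http)(s?) ://")       # "hxxp ://"   -> "http://"
HOST_LINE = re.compile(r"^([a-z0-9][a-z0-9.-]*\.[a-z]{2,}): (\d{1,3}(?:\.\d{1,3}){3}):")
BARE_HOST = re.compile(r"^([a-z0-9][a-z0-9.-]*\.[a-z]{2,})(/\S*)?$")
IP_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:[: -]+([a-z0-9][a-z0-9.-]*\.[a-z]{2,}))?")
URL = re.compile(r"https?://[^\s\"'<>()]+")
FILE_EXT = {"js", "exe", "zip", "doc", "docm", "docx", "pdf", "png", "txt", "php", "html"}


def refang(line: str) -> str:
    line = DEFANG_DOT.sub(".", line)
    return DEFANG_SCHEME.sub(lambda m: f"http{m.group(1)}://", line)


def public_ip(text: str) -> bool:
    """Keep only routable addresses; a typo like 10.0.0.1 must never reach a firewall."""
    try:
        return ipaddress.ip_address(text).is_global
    except ValueError:
        return False


def parse_iocs(text: str) -> dict:
    """Extract domains, IPs and URLs from post text written in the conventions above."""
    domains, ips, urls = set(), set(), set()
    for raw in text.splitlines():
        line = refang(raw.strip())
        if m := HOST_LINE.match(line):                  # "wersy.net: 217.29.53.99: <link>"
            domains.add(m.group(1)); ips.add(m.group(2))
            continue
        if m := BARE_HOST.match(line):                  # "wipersdirect.com/f87346b"
            if m.group(1).rsplit(".", 1)[1] not in FILE_EXT:   # skip "27000.js"-style names
                domains.add(m.group(1))
                if m.group(2):
                    urls.add("http://" + m.group(1) + m.group(2))
            continue
        if m := IP_LINE.match(line):                    # "198.58.93.28 - easysupport.us"
            ips.add(m.group(1))
            if m.group(2):
                domains.add(m.group(2))
            continue
        for url in URL.findall(line):                   # inline "http://host/path" mentions
            url = url.rstrip(".,;")
            host = urlsplit(url).hostname
            if host and "..." not in url:               # "..." marks a truncated analysis link
                urls.add(url); domains.add(host)
    return {"domains": sorted(domains),
            "ips": sorted((i for i in ips if public_ip(i)), key=ipaddress.ip_address),
            "urls": sorted(urls)}


def render_unbound(domains) -> str:
    return "\n".join(f'local-zone: "{d}" always_nxdomain' for d in domains)


def render_hosts(domains) -> str:
    return "\n".join(f"0.0.0.0 {d}" for d in domains)


SAMPLE = """\
wipersdirect .com/f87346b
julian-g .ro/f87346b
  http ://schuetzen-neusalz .de/images/banners/gbfont.se -or- http ://wersy .net/cuts.vs
wersy .net: 217.29.53.99: https://www.virustot...99/information/
> https://www.virustot...0680e/analysis/
Contacted Hosts
198.58.93.28 - easysupport .us
47.91.107.213
hxxp ://mdnchdbde .pw/search.php which delivers a file 1 (VirusTotal 6/59*)
262647732.zip: extracts to 27000_packed.zip: which in turn Extracts to: 27000.js
"""

if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE)
    print(render_unbound(iocs["domains"]))
    print(render_hosts(iocs["domains"]))
    print("\n".join(iocs["ips"]))
```

Two things worth keeping when adapting this: the "..." filter is what stops the analysis-service links from being blocked alongside the malware hosts, and `is_global` is what stops a mistyped private address from ending up in a firewall rule. Compromised legitimate sites (most of the payload hosts in these posts are exactly that) get cleaned up, so age the entries out rather than appending forever.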


#1955 AplusWebMaster


Posted 17 May 2017 - 06:13 AM

FYI...

Fake 'Secure Message' SPAM - delivers trickbot
- https://myonlinesecu...ivers-trickbot/
17 May 2017 - "An email with the subject of 'You have received a new Bankline Secure Message' pretending to come from Bankline RSA but actually coming from a look-a-like domain Bankline RSA <SecureMessage@ banklinersa .co.uk> with a malicious word doc attachment... delivering Trickbot banking Trojan...

Screenshot: https://myonlinesecu...ure-message.png

... criminals sending these have registered various domains that look like genuine bank domains. Normally there are 3 or 4 newly registered domains that imitate the bank or some message sending service that can easily be confused with a legitimate organisation in some way that send these. So far we have only found 1 domain today banklinersa .co.uk. As usual they are registered via Godaddy as registrar and for a change the emails are sent via rackspace hosting not the usual citynetwork AB in Sweden. They are currently using IP numbers 104.130.29.210, 172.99.115.203, 172.99.115.216, 172.99.115.23, 104.239.169.15, 104.130.29.243, 104.130.29.245, 172.99.115.29...

SecureMessage.doc - Current Virus total detections 4/56*. Payload Security** downloads from
  http ://ocysf .org/wp-content/GktpotdC7dyTH1aoroa.png  which of course is -not- an image file but a renamed .exe file that gets -renamed- to a .exe and autorun (VirusTotal 10/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1495019899/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
50.87.146.185
107.22.214.64
95.104.2.225
192.157.238.15


*** https://www.virustot...sis/1495019988/

ocysf .org: 50.87.146.185: https://www.virustot...85/information/
> https://www.virustot...d6f8a/analysis/
___

Adobe account - Phish
- https://myonlinesecu...text-data-urls/
17 May 2017 - "... 'thought this was going to be some newer malware delivery method, but it is only -phishing- for email credentials, which of course is also extremely serious and very bad.
NOTE: This phishing scam only works in Google Chrome. Internet Explorer will not open data:text/html urls and gives a 'cannot display' page message. Firefox refuses to display anything - just a white screen with the original url in the address bar...

Screenshot: https://myonlinesecu...shing-email.png

This email has a genuine PDF attachment that contains a blurred out image of an invoice with the prompt to view the Secured PDF Online Document on Adobe:
> https://myonlinesecu...ice1246_pdf.png
-If- you click on the blurred image you get a pop up warning  about links. When you follow the link inside the pdf it sends you to http ://tiny .cc/tis7ky which immediately -redirects- to
 http ://qualifiedplans .com/administrator/components/com_smartformer/plugins/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/phmho/
  where it downloads/opens a data:text url that displays a web page on your computer -not- an external site looking like:
> https://myonlinesecu...5/timed_out.png
After you press OK you get what looks-like an Adobe Business sign in page with what looks-like a download button. I inserted the usual set of fake details & pressed download, expecting some sort of malware to appear, but no it just -bounced- me on to the genuine Adobe page while your stolen data is sent to  http ://setas2016 .com/image/catalog/Katalog/files/pageConfig/PDF3/index/adobe.php
With a bit of digging around we have discovered the complete phish is also hosted on http ://setas2016 .com/image/catalog/Katalog/files/pageConfig ...
> https://myonlinesecu...obe_sign_in.png
The data:text/html  file is available for download via Payload Security*. It is in the extracted files section named urlref_httptiny .cctis7ky ..."
* https://www.hybrid-a...vironmentId=100

setas2016 .com: 87.118.140.114: https://www.virustot...14/information/
> https://www.virustot...7fab9/analysis/
___

ICS-ALERT-17-135-01A
Indicators Associated With WannaCry Ransomware (Update A)
> https://ics-cert.us-...LERT-17-135-01A
Original release date: May 15, 2017 | Last revised: May 16, 2017
"... updated alert is a follow-up to the original alert titled ICS-ALERT-17-135-01 Indicators Associated With WannaCry Ransomware that was published May 15, 2017, on the NCCIC/ICS-CERT web site..."
(More detail at the URL above.)
 



Edited by AplusWebMaster, 17 May 2017 - 08:28 AM.



#1956 AplusWebMaster


Posted 18 May 2017 - 05:39 AM

FYI...

Fake 'UPS' SPAM - delivers banking Trojan
- https://myonlinesecu...banking-trojan/
18 May 2017 - "... some are being delivered with the word -doc- attachment, but about half are just getting the email body with an -HTML- attachment which has the same details as the email body and no word doc attachment... the details with an email with the subject of 'Fwd: UPS Worldwide Saver Notification' pretending to come from various random names @ yahoo. es -or- .de -or- .pt -or- from random@ hotmail .es -or- de . We are also seeing a sprinkling from other free webmail services like web .de with a malicious word doc attachment with a random number delivers ursnif banking Trojan. I am also seeing other parcel delivery companies like TNT and unnamed delivery services also being imitated and -spoofed- in this campaign. The TNT ones are zips with word docs inside. -All- of them today are using embedded OLE objects rather than macros to deliver Ursnif banking and password stealing Trojans.
Update: Now seeing some coming through with zip attachments containing .js files
Some subjects include:
    TNT Express – Documents – RL54413826 ( random numbers)
    Order Processed
    Export Scan
    Fwd: UPS Worldwide Saver Notification ...

Screenshot: https://myonlinesecu...dwide-saver.png

These word docs contain 2 images of what pretend to be another word doc and an xls file both pretending to be invoices, However they are embedded ole objects and drop 2 different named but identical .js files when clicked on:
> https://myonlinesecu...ole-objects.png
The TNT version has a slightly different email content and word attachment, although still downloading from the -same- urls as other versions:
> https://myonlinesecu...elivery-doc.png
...

doc60 for clearance.doc - Current Virus total detections 0/58*. Payload Security** drops a js file
(VirusTotal 1/22***) (Payload Security[4]) downloads from one of these 2 locations:
  http ://dacera .net/horizont.cv -or- http ://raimco .com/case.sub
and gets converted/renamed to a working .exe file (VirusTotal 9/61[5])

TNT version: RL82670483822.zip extracts to RL02993847001.doc VirusTotal 0/57[6]| Payload Security[7]

Zip/JS version: QPABA0MCY0D2.zip extracts to 1A029837T2990101.pdf.js VirusTotal 3/57[8]|
Payload Security[9] ... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1495100198/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
2.17.22.36

*** https://www.virustot...sis/1495100566/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
54.149.71.19
77.104.189.47


5] https://www.virustot...8889a/analysis/

6] https://www.virustot...sis/1495101803/

7] https://www.hybrid-a...vironmentId=100

8] https://www.virustot...sis/1495102966/

9] https://www.hybrid-a...vironmentId=100

dacera .net: 54.149.71.19: https://www.virustot...19/information/
> https://www.virustot...49b60/analysis/

raimco .com: 77.104.189.47: https://www.virustot...47/information/
> https://www.virustot...8889a/analysis/

dacera .net/horizont.cv
> https://www.virustot...49b60/analysis/

raimco .com/case.sub
> https://www.virustot...ec432/analysis/
___

Fake 'FedEx' SPAM - delivers -kovter- malware
- https://myonlinesecu...w-using-macros/
18 May 2017 - "An email with the subject of 'FedEx Parcel #262844740, Delivery Unsuccessful' pretending to come from FedEx Customer Service <tamawuv52640888@ soie. in> (random email addresses) with a malicious word doc attachment delivers multiple malware... 'used to seeing these -fake- FedEx and other parcel delivery services emails, but they usually contain zip files and js files. It is -unusual- to have word macro attachments...

Screenshot: https://myonlinesecu...ex-delivery.png

The instructions and image in the macro laden word doc have also -changed- from previous versions:
> https://myonlinesecu...elivery-doc.png

info_delivery.doc - Current Virus total detections 5/58*. Payload Security** shows a download from
  http ://regereeeeee .com/gate2.php?ff1 which appears to be a massive encrypted txt file (833kb) which appears to drop -kovter- (b215.exe ***) (VirusTotal 14/61[4])... This email attachment contains what appears to be a genuine word doc or Excel XLS spreadsheet with either a macro script -or- an embedded OLE object that when run will infect you... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...c2b00/analysis/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts (424)

*** https://www.hybrid-a...c0183af2e4be850
Contacted Hosts (424)

4] https://www.virustot...sis/1495118313/

regereeeeee .com: 13.58.26.56: https://www.virustot...56/information/
> https://www.virustot...5b9d4/analysis/

> https://www.virustot...9c005/analysis/
___

WannaCry Fact Sheet
- https://www.us-cert....aCry-Fact-Sheet
Last revised: May 18, 2017
>> https://ics-cert.us-..._Ransomware.pdf
"... Systems that have installed the MS17-010 patch* are -not- vulnerable to the exploits..."
* https://technet.micr...y/ms17-010.aspx
March 14, 2017
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 19 May 2017 - 05:41 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#1957 AplusWebMaster


Posted 21 May 2017 - 12:15 PM

FYI...

Fake 'blank' SPAM - doc/js attachment delivers ransomware
- https://myonlinesecu...2-0-ransomware/
21 May 2017 - "An empty/blank email with no subject pretending to come from jhavens@ mt .gov with a zip file that contains a malicious word doc with an embedded OLE object delivers GlobeImposter 2.0 ransomware...
The email looks like:
From: jhavens@ mt .gov
Date: Sun 21/05/2017 13:34
Subject:  none
Attachment:  625855442530.zip
Body content:
    totally blank/empty


625855442530.zip - extracts to 1.doc - Current Virus total detections 0/56*. Payload Security**
 - drops a js file... (BR16E2~1 .JS) - VirusTotal 2/56[3] | Payload Security[4] downloads from
 http ://oldloverfg .top/admin.php?f=2 which gave yez348746.tae (VirusTotal 12/61[5]) | Payload Security[6]
While encrypting your files the js file drops this html file with instructions how to pay the ransom & retrieve your files. They are charging 1 bitcoin which is currently approx. $2000 USD...
> https://myonlinesecu...ransom-note.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1495370663/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
47.91.93.208

3] https://www.virustot...sis/1495370901/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
47.91.93.208

5] https://www.virustot...sis/1495371343/

6] https://www.hybrid-a...vironmentId=100

oldloverfg .top: 47.91.93.208: https://www.virustot...08/information/
> https://www.virustot...94e46/analysis/
 

:ph34r: :ph34r:   <_<


Edited by AplusWebMaster, 21 May 2017 - 12:28 PM.



#1958 AplusWebMaster


Posted 22 May 2017 - 08:15 AM

FYI...

Fake 'Invoice' SPAM - delivers ransomware
- https://myonlinesecu...aff-ransomware/
22 May 2017 - "... series of emails with pdf attachments that drops a malicious macro enabled word doc is an email with the subject of 'Invoice 43412591' (random numbers) pretending to come from noreply@ random companies that delivers Jaff ransomware...

Screenshot: https://myonlinesecu...ce-43412591.png

43412591.PDF - Current Virus total detections 13/56*. Payload Security** - drops QDLCPQKK.doc
(VirusTotal 10/58[3]) (Payload Security [4]) downloads an encrypted txt file from
 http ://primary-ls .ru/jhg6fgh  which is converted by the script to buzinat8.exe (VirusTotal 7/58[5])
There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
primary-ls .ru\jhg6fgh
brotexxshferrogd .net\af\jhg6fgh
herrossoidffr6644qa .top\af\jhg6fgh
joesrv .com\jhg6fgh
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1495454756/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
141.8.195.87
217.29.63.199


3] https://www.virustot...sis/1495455867/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
141.8.195.87
217.29.63.199


5] https://www.virustot...sis/1495455099/

primary-ls .ru: 141.8.195.87: https://www.virustot...87/information/
> https://www.virustot...4d7c3/analysis/
 

:ph34r: :ph34r:    <_<




#1959 AplusWebMaster


Posted 24 May 2017 - 07:10 AM

FYI...

Jaff ransomware gets a makeover: fake -invoice- theme
- https://isc.sans.edu...makeover/22446/
2017-05-24 - "Since 2017-05-11, a new ransomware named 'Jaff' has been distributed through malicious spam (malspam) from the 'Necurs botnet':
> https://securityinte...malicious-spam/
This malspam uses PDF -attachments- with 'embedded Word documents' containing -malicious- macros. Victims must open the PDF attachment, -agree- to open the embedded Word document, then -enable- macros on the embedded Word document to -infect- their Windows computers:
> https://isc.sans.edu...ry-image-01.jpg
Prior to -Jaff- we've seen waves of malspam using the same PDF attachment/embedded Word doc scheme to push
-Locky- ransomware. Prior to that, this type of malspam was pushing -Dridex-. With all the recent news about
-WannaCry- ransomware, people might forget Jaff is an ongoing threat. Worse yet, some people might not know about it at all since its debut about 2 weeks ago. Jaff has already gotten a makeover, so an infected host looks noticeably different now... The emails: This specific wave of malspam used a -fake- invoice theme... I collected -20- emails... these emails -all- have PDF attachments, and each one contains an embedded Word document. The Word document contains malicious-macros designed to -infect- a Windows computer:
> https://isc.sans.edu...ry-image-05.jpg
The embedded Word document with malicious macros:
> https://isc.sans.edu...ry-image-06.jpg
Follow the entire infection chain, and you'll see minimal network traffic compared to other types of malware.  The Word macros generate an initial URL to download an encoded Jaff binary, then we see one other URL for post-infection callback from an infected host... My infected host asked for 0.35630347 bitcoin as a ransom payment:
> https://isc.sans.edu...ry-image-14.jpg
... Much of this malspam is easy to spot among the daily deluge of spam most organizations receive. However, this PDF attachment/embedded Word doc scheme is likely an attempt to bypass spam filtering... as long as it's profitable for the criminals behind it, we'll continue to see this type of malspam..."
> http://www.malware-t...5/24/index.html
(More detail at the isc URL at the top of this post.)
 

:ph34r: :ph34r:    <_<




#1960 AplusWebMaster


Posted 25 May 2017 - 06:06 AM

FYI...

Fake 'receipt' SPAM - delivers Jaff ransomware
- https://myonlinesecu...ayments-emails/
25 May 2017 - "... emails with pdf attachments that drops a malicious macro enabled word doc is an email with various subjects along the line of 'receipt, payment, payment receipt' etc. (random numbers) pretending to come from donotreply@ random email addresses and companies that delivers Jaff ransomware...

Screenshot: https://myonlinesecu...eceipt-4830.png

P4830.pdf - Current Virus total detections 12/56*. Payload Security** drops ELMIRJX.doc
(VirusTotal 4/23[3]) (Payload Security[4]) downloads an encrypted txt file from
 http ://dreamybean .de/TrfHn4 which should be converted by the script to bruhadson8.exe (unfortunately payload security is showing this as a tiny data file, so something is going wrong there and there must be an anti-analysis element to the malware). There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1495710733/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.169.145.160

3] https://www.virustot...sis/1495710997/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts
81.169.145.160

dreamybean .de: 81.169.145.160: https://www.virustot...60/information/
> https://www.virustot...61cf5/analysis/
> https://www.virustot...675f3/analysis/
___

Fake 'Reminder' SPAM - RTF file exploits deliver malware
- https://myonlinesecu...eliver-malware/
25 May 2017 - "... RTF files this time using the CVE-2017-0199* vulnerability that was fixed in April 2017** and again extra added protections by the May 2017 security updates***. If you haven’t got round to applying these essential patches yet, then go & do it NOW...
* https://nvd.nist.gov...l/CVE-2017-0199

** https://portal.msrc....y/CVE-2017-0199

*** https://portal.msrc....da-000d3a32fc99

... email with the subject of '2nd Reminder Final Demand – Notice of Legal Intention' pretending to come from creditcontrol@ bookatable .com with a malicious word doc attachment eventually delivers sharik/smoke loader after a convoluted download system involving .hta files and PowerShell...

Screenshot: https://myonlinesecu...table-email.png

294616_05152017.rtf - Current Virus total detections 28/57[1]. Payload Security[2] downloads an HTA file from
 http :// 185.162.8.231 :64646/logo.doc (VirusTotal 0/57[3]) which in turn uses powershell to download
 http :// 185.162.8.231 :64646/00001.exe (VirusTotal 48/59[4]) (Payload Security[5])... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1]  https://www.virustot...sis/1494977406/

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.162.8.231: https://www.virustot...31/information/
> https://www.virustot...8fd1a/analysis/
> https://www.virustot...655f4/analysis/

3] https://www.virustot...sis/1494854940/

4] https://www.virustot...sis/1495445391/

5] https://www.hybrid-a...vironmentId=100
Contacted Hosts
185.141.25.27
193.104.215.58

 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 26 May 2017 - 09:07 AM.




#1961 AplusWebMaster


Posted 27 May 2017 - 07:03 AM

FYI...

Fake 'DHL' SPAM - delivers js malware
- https://myonlinesecu...ers-ransomware/
27 May 2017 - "... an email with the subject of 'DHL Tracking Number for shipment 97 93745 186' (random numbers) pretending to come from DHL Corporation with a link in email body to download a file...
Update: Thanks to Antelox* we now have an unpacked version of the malware which is being detected as a corebot / zbot variant (VirusTotal 10/59**) ... Microsoft describes this as TrojanProxy: Win32/Malynfits.A***...
* https://twitter.com/...414436264071168
... after lots of different tweets and conversations, found this from Brad (MalwareTraffic) confirming corebot with a nice writeup by him:
> http://www.malware-t...5/26/index.html

** https://www.virustot...sis/1495880747/

*** https://www.microsof...tID=-2147245786

Screenshots(a): https://myonlinesecu...ilsystem_IE.png

(-b-): https://myonlinesecu...lmailsystem.png

invoice-0063827410370260857-000001870346531780753154078347.pdf.js - Current Virus total detections 5/56[1]
Payload Security[2] shows a download of various files from the same server one being auvrq.exe
(VirusTotal 20/61[3]) (Payload Security[4])... The link in email body (in the working versions) goes to
 http ://dhlmailsystem .com/documentdir/777126146374729609489374827 where you get slightly different behaviour depending on what browser you use to visit. If you use Internet Explorer or Google Chrome, you get a zip file containing a .js file. Using Firefox you get the .js file itself... you first see a page like this (-b-) with a message saying 'preparing download' with a countdown marker. When it reaches 0 the message becomes a -link- saying “click here to download if not started automatically” and the malware file is delivered... The basic rule is NEVER open any attachment -or- link in an email, unless you are expecting it..."
1] https://www.virustot...sis/1495836615/

2] https://www.hybrid-a...vironmentId=100
Contacted Hosts
89.223.27.247

3] https://www.virustot...sis/1495865017/

4] https://www.hybrid-a...vironmentId=100

dhlmailsystem .com: 89.223.27.247: https://www.virustot...47/information/
> https://www.virustot...72a6e/analysis/
 

:ph34r: :ph34r:    <_<




#1962 AplusWebMaster


Posted 30 May 2017 - 06:25 AM

FYI...

Fake 'documents' SPAM - xls attachment delivers malware
- https://myonlinesecu...nknown-malware/
30 May 2017 - "An email with the subject of 'documents' pretending to come from random senders with a malicious word doc or Excel XLS spreadsheet attachment delivers malware... Some subjects in this malspam campaign include ...
    inv. payment
    documents


Screenshot: https://myonlinesecu...ment-austin.png

61759684.xls - Current Virus total detections 6/56*: Payload Security** wasn’t able to decode or decrypt the macro but a very quick & easy manual examination shows downloads from
 http ://cautiousvirus .com/mbtrf.exe (VirusTotal 7/60[3]) (Payload Security[4])... The macro in the xls document is trivially encoded by using reverse strings... Opening the XLS attachment gives this -fake- invoice:
> https://myonlinesecu...1759684_xls.png
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496135720/

** https://www.hybrid-a...vironmentId=100

3] https://www.virustot...4f973/analysis/

4] https://www.hybrid-a...vironmentId=100

cautiousvirus .com: 54.91.240.28: https://www.virustot...28/information/
> https://www.virustot...c12c0/analysis/
___

Fake 'Notification' SPAM - delivers malware
- https://myonlinesecu...livers-malware/
30 May 2017 - "An email with the subject of 'Notification of direct debit of fees' pretending to come from HM Land Registry but actually coming from a look-alike domain... with a malicious word doc attachment... -spoof- of a well known company, bank or public authority delivering malware...

Screenshot: https://myonlinesecu...bit-of-fees.png

Opening the word doc (in protected mode where it is safe) gives this which tries to convince you it is genuine:
> https://myonlinesecu...egistry-doc.png

apl053017_045894595.doc - Current Virus total detections 5/56*. Payload Security** shows a download from
  http ://200.7.105.13 /jpon13.exe (VirusTotal 7/60***)... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496147244/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
200.7.105.13
184.87.218.172
185.141.25.27


*** https://www.virustot...sis/1496137829/

200.7.105.13: https://www.virustot...13/information/
> https://www.virustot...137cb/analysis/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 30 May 2017 - 12:00 PM.



#1963 AplusWebMaster


Posted 31 May 2017 - 06:18 AM

FYI...

Fake 'Flash Update' - malware
- https://myonlinesecu...imate-websites/
31 May 2017 - "... I was reading a page on my local newspaper... 'got a divert and a big red warning:
> https://myonlinesecu.../fake-flash.png
...  the page I was diverted to (a -fake- flash player update page) is
 https ://izaiye-interactive .net/6141452444727/01296f4851adb85de3a1ad2335c429c8/52ebc0f94a7674f6db533556c202e52f.html
... They are using an ssl prefix HTTPS but there is -no- padlock in the url to confirm this. An HTA file is automatically downloaded (or attempted to be) (VirusTotal 6/55*) (Payload Security**) - if allowed to run unfettered this hta file would download and autorun:
 https ://izaiye-interactive .net/6141452444727/1496218715917605/FlashPlayer.jse
(VirusTotal [3]) (Payload Security[4])... similar attack recently documented:
> https://myonlinesecu...-on-legit-site/
9 Apr 2017
...izaiye-interactive .net was registered yesterday on 30 May 2017 using what are obviously -fake- registrants details via PUBLICDOMAINREGISTRY .COM and hosted on 206.221.189.43 reliablesite .net ..."
* https://www.virustot...sis/1496218758/
FlashPlayer.hta

** https://www.hybrid-a...vironmentId=100
Contacted Hosts
206.221.189.43

3] https://www.virustot...sis/1496219889/
FlashPlayer.jse

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts


izaiye-interactive .net: Could not find an IP address for this domain name. (May have been taken down.)

206.221.189.43: https://www.virustot...43/information/
> https://www.virustot...0607d/analysis/

> https://www.virustot...94594/analysis/
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 31 May 2017 - 06:52 AM.



#1964 AplusWebMaster


Posted 01 June 2017 - 08:28 AM

FYI...

Fake 'FedEx USPS UPS' SPAM - delivers Kovter and ransomware
- https://myonlinesecu...and-ransomware/
1 Jun 2017 - "... malware via the “cannot deliver your parcel notifications” or “check where your parcel is”  
-spoofing- FedEx, DHL, UPS, USPS etc. have changed the delivery method. The emails are still very similar to the ones we are used to seeing with this sort of subject line:
    USPS issue #06914074: unable to delivery parcel
    Parcel #006514814 shipment problem, please review
    USPS parcel #3150281 delivery problem
    Courier was not able to deliver your parcel (ID006976677, USPS)
    Parcel 05836911 delivery notification, USPS
    Delivery Status Notification

... What has changed is the -attachment- to the emails contains the malware. These now contain an HTML attachment that when opened displays a webpage on your computer that pretends to be a Microsoft Word online website and says you need to download the 'MSOffice365 Webview Plugin update', with a -blurry-image- of scrambled writing in the background with this message prominently displayed:
 'This document cannot be read in your browser. Download and install latest plugin version':
> https://i2.wp.com/my...bview.png?ssl=1

Email screenshot: https://i2.wp.com/my...ation.png?ssl=1

... 'previously described in THIS post from Mid April 2017* which shows the obfuscated/encoded nature of the files and how to decode/de-obfuscate them... At that time they linked to a remote website using the -fake- MSOffice365 scam. These malware gangs use a mix-and-match of different techniques to try to stay one step ahead of researchers and antivirus companies and gain more victims:
* https://myonlinesecu...vering-malware/
... Infection chain from 31 May 2017:
1. FedEx-Delivery-Details-ID-8AXP4QH0.doc.html attachment (VirusTotal 2/56[1]) (Payload Security[2])
2. Install-MSOffice365-WebView-Plugin-Update-0.165.11a.zip extracts to:
3. Install-MSOffice365-WebView-Plugin-Update-0.165.11a.exe.js (VirusTotal 8/55[3]) (Payload Security[4])
  Counter.js (VirusTotal 5/56[5]) which downloads 2 files pretending to be png (image files that are -renamed- .exe files) 1.exe currently Cerber -Ransomware- (VirusTotal 8/61[6]) (Payload Security[7]) 2.exe currently Kovter
(VirusTotal 12/60[8]) (Payload Security[9]). The 5 sites embedded in the original webview plugin.js are:
leadsfunnel360 .com
khushsingh .com
kskazan .ru
moodachainzgear .com
thegreenbook .ca
... where you get counter.js ... that when decrypted gives these 5 sites:
sharplending .com
moodachainzgear .com
buildthenewcity .biz
valdigresta .com
leadsfunnel360 .com
... Where <sitename>/counter/?1 gives the Cerber ransomware and <sitename>/counter/?2 gives Kovter... the js files try to contact the sites in the order they are listed. It then tries each combination of sitename/counter/etc. and if any site fails to respond, then moves to the next site in the list and continues to do that until the counter.js & the actual malware files are downloaded-and-run on the victim’s computer... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
1] https://www.virustot...sis/1496239829/
FedEx-Delivery-Details-ID-8AXP4QH0.doc.html

2] https://www.hybrid-a...vironmentId=100

3] https://www.virustot...sis/1496240000/
Install-MSOffice365-WebView-Plugin-Update-0.165.11a.exe.js

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts (1279)

5] https://www.virustot...sis/1496296754/
COUNTER[1].js

6] https://www.virustot...sis/1496240581/
60[1].png

7] https://www.hybrid-a...vironmentId=100
Contacted Hosts (1089)

8] https://www.virustot...sis/1496240649/
11.exe

9] https://www.hybrid-a...vironmentId=100
Contacted Hosts (413)

leadsfunnel360 .com: 50.63.124.1: https://www.virustot....1/information/
> https://www.virustot...cfb18/analysis/
khushsingh .com: 72.167.131.40: https://www.virustot...40/information/
> https://www.virustot...3101d/analysis/
kskazan .ru: 87.236.19.130: https://www.virustot...30/information/
> https://www.virustot...213ca/analysis/
moodachainzgear .com: 173.201.92.128: https://www.virustot...28/information/
> https://www.virustot...5fc14/analysis/
thegreenbook .ca: 50.62.160.59: https://www.virustot...59/information/
> https://www.virustot...d1d29/analysis/

sharplending .com: 184.168.55.1: https://www.virustot....1/information/
> https://www.virustot...ff398/analysis/
moodachainzgear .com: 173.201.92.128: https://www.virustot...28/information/
> https://www.virustot...5fc14/analysis/
buildthenewcity .biz: 50.62.114.1: https://www.virustot....1/information/
> https://www.virustot...b047e/analysis/
valdigresta .com: 64.202.169.211: https://www.virustot...11/information/
> https://www.virustot...1b8b0/analysis/
leadsfunnel360 .com: 50.63.124.1: https://www.virustot....1/information/
> https://www.virustot...cfb18/analysis/
 

:ph34r: :ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 01 June 2017 - 09:33 AM.

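The fallback behaviour and the `<sitename>/counter/?1` / `?2` URL scheme described in the post above lend themselves to a simple proxy-log check. This is an added example, not code from the forum post or from myonlinesecurity: the log format (client, method, URL, status, declared content type) and the sample lines are constructed, while the domains and the URL pattern are the ones listed in the post.

```python
"""Proxy-log check for the counter.js downloader stage of the fake
parcel-delivery malspam. Added example (not from the forum post or
myonlinesecurity); constructed log format: <client> <method> <url> <status> <ctype>
"""
import re
from urllib.parse import urlsplit

# Distribution domains listed in the post (plugin .js list plus the
# decrypted counter.js list).
CAMPAIGN_DOMAINS = frozenset({
    "leadsfunnel360.com", "khushsingh.com", "kskazan.ru",
    "moodachainzgear.com", "thegreenbook.ca", "sharplending.com",
    "buildthenewcity.biz", "valdigresta.com",
})

# <sitename>/counter/?1 serves Cerber, <sitename>/counter/?2 serves Kovter.
COUNTER_PATH = re.compile(r"^/counter/\?(?P<stage>[12])$")
STAGE_NAMES = {"1": "Cerber ransomware", "2": "Kovter"}

LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<ctype>\S+)$"
)

# Constructed sample lines (not real traffic): one client walks the list
# after a failed fetch, another only hits a look-alike path on an unrelated host.
SAMPLE_LOG = """\
10.0.0.7 GET http://sharplending.com/counter/?1 503 text/html
10.0.0.7 GET http://moodachainzgear.com/counter/?1 200 image/png
10.0.0.7 GET http://moodachainzgear.com/counter/?2 200 image/png
10.0.0.9 GET http://www.example.org/images/logo.png 200 image/png
10.0.0.9 GET http://intranet.example/counter/?1 200 text/html
"""


def parse_line(line):
    """Split one log line into fields; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    # Re-attach the query so "/counter/?1" is matched as written in the post.
    rec["path"] = parts.path + ("?" + parts.query if parts.query else "")
    return rec


def classify(rec):
    """Reasons one request looks like this campaign (empty list if none)."""
    reasons = []
    m = COUNTER_PATH.match(rec["path"])
    if m:
        reasons.append("counter stage %s URL (%s)" % (m["stage"], STAGE_NAMES[m["stage"]]))
    if rec["host"] in CAMPAIGN_DOMAINS:
        reasons.append("known distribution domain " + rec["host"])
    return reasons


def detect(log_text):
    """Group suspicious requests per client. The script tries the sites in
    order and moves on when one fails; in a log that is a non-200 answer
    followed by a 200 from a different host, recorded as fallback_seen."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if not reasons:
            continue
        entry = hits.setdefault(rec["client"], {"hosts": [], "reasons": [], "statuses": []})
        if rec["host"] not in entry["hosts"]:
            entry["hosts"].append(rec["host"])
        entry["reasons"].extend(reasons)
        entry["statuses"].append(rec["status"])
    for entry in hits.values():
        s = entry["statuses"]
        retried = any(a != "200" and b == "200" for a, b in zip(s, s[1:]))
        entry["fallback_seen"] = retried and len(entry["hosts"]) > 1
    return hits


def disguised_pe(declared_ctype, head):
    """The downloaded 'png' files are renamed .exe files: a response that
    declares an image type but starts with the PE 'MZ' magic is one."""
    return declared_ctype.startswith("image/") and head[:2] == b"MZ"
```

Run `detect(SAMPLE_LOG)`: the first client is reported with two distribution hosts and `fallback_seen` set, the second only for the look-alike path, which is the weaker signal a reviewer would triage separately.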


#1965 AplusWebMaster


Posted 02 June 2017 - 06:51 AM

FYI...

Fake 'Invoice' SPAM - delivers Dridex
- https://myonlinesecu...banking-trojan/
2 Jun 2017 - "... emails with -pdf- attachments that drops a malicious macro enabled word doc is an email with the subject of 'Invoice INV-0790' (random numbers) pretending to come from random names and email address that delivers Dridex banking Trojan...

Screenshot: https://myonlinesecu...ce-inv-0790.png

Invoice INV-0790.pdf - Current Virus total detections 12/56*. Payload Security** drops 231GEOHJWMQN935.docm
(VirusTotal 10/59[3]) (Payload Security[4]) downloads an encrypted txt file from
 http ://lanphuong .vn\hH60bd which is converted by the script to miniramon8.exe
(VirusTotal 8/62[5]) (Payload Security[6]).
There are 4 hardcoded (slightly obfuscated) download sites in the macro (there will be more in other versions)
lanphuong .vn\hH60bd
newserniggrofg .net\af\hH60bd
resevesssetornument .com\af\hH60bd
mountmary .ca\hH60bd
... DO NOT follow the advice they give to enable macros or enable editing to see the content... The basic rule is NEVER open any attachment to an email, unless you are expecting it..."
* https://www.virustot...sis/1496395482/

** https://www.hybrid-a...vironmentId=100
Contacted Hosts


3] https://www.virustot...sis/1496395712/

4] https://www.hybrid-a...vironmentId=100
Contacted Hosts


5] https://www.virustot...sis/1496396221/

6] https://www.hybrid-a...vironmentId=100
Contacted Hosts


lanphuong .vn: 112.213.85.78: https://www.virustot...78/information/
> https://www.virustot...0a0ad/analysis/
___

Fake 'Message' SPAM - delivers Dridex
- https://myonlinesecu...-email-address/
2 Jun 2017 - "... emails with -pdf- attachments that drops a malicious macro enabled word doc is a blank/empty email with the subject of 'Message from KM_C224e' pretending to come from a -copier- at your email address that delivers Dridex banking Trojan...

Screenshot: https://myonlinesecu...om-KM_C224e.png

The payload & websites are exactly the -same- as described in today’s earlier Dridex malspam run using fake invoices*..."
* https://myonlinesecu...banking-trojan/
2 Jun 2017
 

:ph34r: :ph34r:    <_<


Edited by AplusWebMaster, 02 June 2017 - 08:17 AM.

